Using XKS to Enable TAO
Jul. 1 2015 — 9:52 a.m.

Using XKEYSCORE to Enable TAO
Booz Allen Hamilton SIDS Analyst
16 July
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Purpose
- Show S2 how to use XKS to enable TAO operations
- The material covers some of the more common searches in XKS, and shows you how to retrieve valuable SIGINT data that TAO finds useful to exploit a target
- It's NOT designed to teach you about TAO (there are many other briefings for that)

Agenda
- What TAO needs from S2
- TELNET Sessions in XKS
- Identifying Browsers
- Web Forum Logins/Passwords
- Webmail Logins/Passwords

Agenda
- What TAO needs from S2

What TAO needs
- Network Information
  - Logins and Passwords
  - Router configuration information
- Software Information
  - Browser
  - Version Numbers
  - Operating Systems
  - NOTE: If the target device is under a satellite hop, please consult your TAO Liaison on how to proceed.

How do we get it?
- Network Information
  - We target TELNET, FTP, etc. for logins and passwords
    - Use a LOGIN and PASSWORD QUERY on ports of interest (21, 23, 110, 69, etc.)
  - WEBMAIL logins and passwords
    - Use a LOGIN and PASSWORD QUERY on ports of interest (80, 3000, 8080). DO NOT use the login/password you find to log in as your target in Airgap. Ever. Just record them and pass to TAO.
  - Router configuration information
    - Use "Full Log DNI query" FROM port 23 and "From" IP of interest

Software Information
- Browsers
  - Use HTTP Activity Query; results are in the "browser" field
- Servers
  - Use HTTP Activity: HTTP "Response" traffic contains web server information
- Operating Systems or Version Numbers
  - Using FULL LOG DNI we can do "Banner Grabbing" on content FROM port 23 and FROM the target's IP address

Agenda
- TELNET Sessions in XKS

Understanding Telnet
Administrator attempts to reach remote host using Telnet:
- From Port 3434 To Port 23: "Telnet 202-"
- From Port 23 To Port 3434: "Welcome to router, Apache 2.0 - Please enter Login & Password"
- From Port 3434 To Port 23: "Username: Admin / Password: Admin"
- From Port 23 To Port 3434: "Here's your router configuration information"

Help me understand Telnet
(The Telnet exchange diagram from the Understanding Telnet slide, repeated.)
Let's make a query and target this traffic!

Banner Grabbing
Search: Full Log DNI
Query Name: mail server
Justification:
Additional Justification:
Miranda Number:
Datetime: 1 week (Start / Stop)
Username:
IP Address: [populate with the IP address of the mail server you're trying to gain access to]
Port: From 23

Banner Grabbing (result)
Callout: this is the banner traffic from the diagram, To Port 3434 From Port 23: "Welcome to router, Apache 2.0 - Please enter Login & Password".
Result row: Datetime (redacted), From IP (Saudi Arabia), To IP (Lebanon), From Port 23; app_id=terminal/telnet/from_server{port23}, viewer=ASCII formatter.
Session content (a Cisco SDM default banner):
  Cisco Router and Security Device Manager (SDM) is installed on this device.
  This feature requires the one-time use of the username "cisco" with the password "cisco". The default username and password have a privilege level of 15.
  Please change these publicly known initial credentials using SDM or the IOS CLI.
  Here are the Cisco IOS commands.
  username <myuser> privilege 15 secret <mypassword>
  no username cisco
  Replace <myuser> and <mypassword> with the username and password you want to use.
  For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
  User Access Verification
  Username:

Banner Grabbing (another example)
Callout: To Port 3434 From Port 23: "Welcome to XYZ router, Apache 2.0 - Please enter Login & Password".
Result row: Datetime (redacted), From IP (China), To IP (Cuba), From Port 23; app_id=terminal/telnet/from_server, viewer=ASCII formatter.
Session content: the login banner of a Huawei "Integrated Device" ("Copyright Huawei Technology Co., Ltd.") followed by a "User name:" prompt.

Banner Grabbing (another example)
Result row: Datetime (redacted), From IP (China), To IP (Cuba); app_id=terminal/telnet/from_server.
Session content:
  Welcome to ZTE Full Service Access Platform
  Press Return to get started
  Copyright, ZTE
  Login:

Banner Grabbing (another example)
Result row: Datetime (redacted), From IP (Cuba), To IP (China), TCP; app_id=terminal/telnet/from_server; fingerprint: sigdev/huawei.
Session content:
  Copyright(c) Huawei Technologies Co., Ltd. All rights reserved.
  Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
  Login authentication
  Username:

Help me understand Telnet
(The Telnet exchange diagram from the Understanding Telnet slide, repeated.)
Let's make a query and target this traffic!

Telnet Logins and Passwords
Search: Logins and Passwords
Query Name: telnet admin
Justification:
Additional Justification:
Miranda Number:
Datetime: 1 Day (Start / Stop)
User Name:
IP Address (From / To): the router's IP address you're interested in
Port: To 23

Telnet Usernames and PWs (result)
Callout: this is the credential exchange from the diagram, From Port 3434 To Port 23: "Username: Admin / Password: Admin".
Result row: Datetime (redacted), Case Notation, From IP (Yemen), To IP (China), From Port, To Port; app_id=terminal/telnet/to_server.

Help me understand Telnet
(The Telnet exchange diagram from the Understanding Telnet slide, repeated.)
Let's make a query and target this traffic!

Router Config
Search: Full Log DNI
Query Name: iranian telnet traffic
Justification:
Additional Justification:
Miranda Number:
Datetime: Custom (Start / Stop)
Client IP:
Username:
Attribute Info:
IP Address: From your target's IP
Port: From Port 23
Data Length: Greater than 500 bytes

Router Config (result)
Result row: Datetime, Case Notation, From IP (Iran), To IP, From Port, To Port; app_id=terminal/telnet/from_server.
Session content (router configuration excerpt):
  interface Ethernet0
   no ip address
  interface Serial0
   no ip address
   shutdown
   clock rate 3315333
   no fair-queue
  interface Serial1
   no ip address
   clock rate 3015333
   no fair-queue
   no ip address
   clock rate 3315333
   no fair-queue
  interface Serial?
   no ip address
   shutdown
   clock rate 3315333
   no fair-queue
  interface Serial1:15
   ip unnumbered FastEthernet?
   encapsulation
   isdn switch-type primary-net5
  interface Serial3:15
   ip unnumbered FastEthernet?
   encapsulation
"Thanks for the router config" - TAO
Many times these will contain Access Control Lists (ACLs), VERY important pieces of Intel. Copy/Paste out the full Config...

Agenda
- Identifying Browsers

Identifying Browsers
Why?
- TAO can exploit the browsers that lack strong security

Client (Browser) pull
This query targets foreign-based targets visiting known Jihadi web forums to learn about what browsers they use.
Search: HTTP Activity
Query Name: web forum browsers
Justification: targets visiting known jihadi web forums
Additional Justification:
Miranda Number:
Datetime: Custom (Start / Stop)
HTTP Type:
Host: *hanein.info or *ansar1.net or *ansarnet.info [populate with URL Field Builder]
Country:

HTTP Activity results (screenshot): a table with columns Type, From Country, Host and Browser; the rows are "get" requests to hanein.info from countries such as DJ, SD, PH, HT, ID and LE, with browser strings of the form "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR ...)".
This displays the From Country (where the target is located), their IP, the website they visited, AND their browser.

HTTP Activity to find Browsers
Here's another example where we targeted the people visiting *.gov.ir hosts (screenshot: table of Type, From Country, Host and Browser; the browser strings are "Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)").
Which browser are we seeing?

HTTP Activity to find Browsers
(Screenshot: the same gov.ir results, browser column "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)".)
The browser is Internet Explorer 6.

HTTP Activity to find Browsers
(Screenshot: "get" requests to various gov.ir hosts; the browser column shows Mozilla/5.0 strings for Safari on Intel and PPC Mac OS X (AppleWebKit, "like Gecko"), Firefox on Windows NT 5.1, and Google Wireless Transcoder.)

HTTP Activity to find Browsers
(Screenshot: browser column shows mobile user agents such as Nokia Series60/SymbianOS, MSIE with Profile/MIDP-2.0 Configuration/CLDC-1.1, and Mozilla/5.0 (SymbianOS; Series60) AppleWebKit/413 (KHTML, like Gecko) Safari/413.)
Watch for Mobile browsers!
If you have thousands of results, try to Group By to dedupe results.

Agenda
- Web Forum Logins/Passwords

Web Forum Logins/PWs
Search: Logins and Passwords
Query Name: foreign (jihadi) web forum logins and passwords
Justification:
Additional Justification:
Miranda Number:
Datetime: (Start / Stop)
User:
IP Address: To
Port: From
Port: To

Web Forum Logins/PWs (result)
Result row: Datetime (redacted), Case Notation, From IP (Iran), To IP (United States), From Port, To Port; app_id=mail/webmail/vbulletin; Session Header, Meta (11), attachments (19).
Web Form Display: the embedded form fields include the vBulletin username, password and password md5 fields; Find email address shows the user's ...@yahoo.com address (redacted); the md5 hash value is omitted here.

Agenda
- Webmail Logins/Passwords

Webmail Logins
- Masquerade as user and read mail
  - Useful, but secondary
- Potentially use Login/PW to get full access to the web server itself
  - Port 80 is useful
  - Port 3000 has XDaemon traffic (woo hoo! Let's take a look)

Webmail Logins (query)
Search: Logins and Passwords
Query Name: Iranian based webmail
Justification: Targeting foreign-based Iranian government webmail users
Datetime: 1 Week (Start / Stop)
User Name:
Password:
IP Address: (callout: users in and out of Iran)
Port: To (callout: webmail ports)
Port: From

XKS Session Viewer
Result row: Datetime, Case Notation, From IP, To IP (Iran), From Port, To Port; Session Header, Meta; app_id=..., viewer=..., formatter AUTO.
Session content (raw HTTP request): Accept: image/gif, image/x-xbitmap, image/jpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*; Referer: a gov.ir webmail URL (redacted); Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; ...); X-Forwarded-For; followed by the posted form fields (name and family fields, shown deleted) and __utma/__utmz tracking cookies.
Quick Clicks available on the result: Find opposite side of session, Find traffic on, Find XKS hash, Find X-Forwarded-For.

TDP TD USA, AUS. DAN, GER, NZL
'bmal
I I More webmail
TDP TD USA, AUS. DAN, GER, MEL

Chinese webmail users
Search: Logins and Passwords
Query Name:
Justification:
Additional Justification:
Miranda Number:
Datetime: (Start / Stop)
Domain:
IP Address: From
IP Address: To
Port: From
Port: To 80 or 3000
Country: CN From

Logins webmail (result)
Result row: Datetime, Case Notation, From IP (China), To IP (Cuba), From Port, To Port; Session Header, Meta, attachments.
Web Form Display: Document type and Document Information for the captured form; the Form Fields list includes User and Password (auto forms).

Webmail Logins (query)
Search: Logins and Passwords
Query Name: webmail logins
Justification:
Additional Justification:
Miranda Number:
Datetime: Custom (Start / Stop)
User Name:
Domain:
IP Address:
Port: From
Port: To
Country: CN From

Webmail Logins/PWs (result)
Result row: Datetime, Case Notation, From IP (private address), To IP, From Port, To Port; app_id=mail/webmail/coremail, viewer/formatter AUTO.
Web Form Display: Document Information (file name, file type, file size, attachments); the Form Fields include the user's login, a language field and an email address ending in @126.com (redacted).

Webmail Logins/PWs (result)
Result row: Datetime (redacted), Case Notation, From IP (United Arab Emirates), To IP (Iran), From Port, To Port; app_id=mail/webmail/vbulletin, viewer AUTO.
Web Form Display: Document Information (file name, file type, file size, attachments) and the posted Form Fields, including the username and the password md5 hash (hash value omitted here).

Identifying Servers
- Web Servers run particular software
  - E.g. Apache, Microsoft IIS, Unix, ...
  - TAO has exploits for particular ones

XKS query to find servers
This targets Jihadi web forums for their server information.
Search: HTTP Activity
Query Name: jihadi forums
Justification:
Additional Justification:
Miranda Number:
Datetime: 2 Days (Start / Stop)
HTTP Type: response
Host: [populate with URL Field Builder]
Country: Foreign

XKS query to find servers (another example)
Search: HTTP Activity
Query Name: ir web
Justification: This is the network to which I'm trying to gain access
Additional Justification:
Miranda Number:
Datetime: Custom (Start)
HTTP Type:
IP Address: To

Server query (results)
In the HTTP Activity results, you see the servers listed (screenshot: a Server Type column with entries such as Apache "(Unix) with ..." modules and "(CentOS)").

Conclusion
- Many times when we task TAO we have back-and-forth conversations about how to exploit the target. These slides should help you find the things that TAO needs from S2.
- It's difficult to cover all of the examples of how XKS can help, but this is a good start.
- Good luck.