Hunting Cyber Criminals by Vinny Troia

Author:Vinny Troia
Language: eng
Format: epub
ISBN: 9781119540991
Publisher: Wiley
Published: 2020-01-29T00:00:00+00:00

The Pushpin modules in Recon‐NG look for files that have been geotagged, or that have geolocation metadata saved within them. The name is derived from the pushpins that are pinned to maps showing locations. In this case, these modules are designed to do exactly that—to pinpoint the exact location from which the files were posted.

With the level of security included in most social media and online sites, stumbling upon an online image or file with embedded location data is akin to hitting the lotto—it is extremely rare and will probably only happen under the right circumstances. Nevertheless, plenty of scenarios exist where this could be a common find, such as during the direct examination of a phone's archive, so you should always try.

The Pushpin module searches Flickr, Shodan, Twitter, and YouTube for media with embedded geolocation data. The Pushpin module will not tell you where a specific piece of media was published. Instead, you can enter an address or specific coordinates and the module will return all media published around that location.

Annoyingly, each of those sites has its own module, so you need to search them individually.

To search for the location of the Pushpin modules, type the following:

search pushpin [recon-ng][default]> search pushpin [*] Searching for 'pushpin'… Recon ----- recon/locations-pushpins/flickr recon/locations-pushpins/shodan recon/locations-pushpins/twitter recon/locations-pushpins/youtube Reporting --------- reporting/pushpin

Each module has its own set of parameters and descriptions, which you can view by loading the module and using the show info command. Let's get info on the Flickr module:

[recon-ng][default]> use flickr [recon-ng][default][flickr]> show info Name: Flickr Geolocation Search Path: modules/recon/locations-pushpins/flickr.py Author: Tim Tomes (@LaNMaSteR53) Keys: flickr_api Description: Searches Flickr for media in the specified proximity to a location. Options: Name Current Value Required Description ------ ------------- -------- ----------- RADIUS 1 yes radius in kilometers SOURCE default yes source of input (see 'show info' for details) Source Options: default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL <string> string representing a single input <path> path to a file containing a list of inputs query <sql> database query returning one column of inputs Comments: * Radius must be greater than zero and less than 32 kilometers.

We can see from the module's information page that we need to have the coordinates of an address as well as the address itself before we can use the module.

Plenty of free tools are available online to do this. One example is https://www.mapdevelopers.com/geocode_tool.php. After visiting the website, enter your desired address, and it will return your latitude and longitude coordinates.

For this example, I am using the coordinates of St. Louis, MO. The MapDeveloper.com website returned the following info:

Latitude 38.6337716 Longitude -90.2416548

Now that we have location coordinates, let's see what kind of information we can find in the Pushpin module.

First, we need to add the location to Recon‐NG using the add locations command:

[recon-ng][default][geocode]> add locations latitude (TEXT): 38.6337716 longitude (TEXT): -90.2416548 street_address (TEXT):

This is where things can get really fun. The latitude and longitude of St. Louis have been entered as location data—now let's see if anyone from this area has tweeted recently.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.