People are the biggest vulnerability in the whole cybersecurity process, and attacks against people often have surprising effects. To exploit human weaknesses, it is important to collect and understand information about the target. This article documents some common techniques for collecting identity information about people. These techniques are often used in traceability forensics and in social engineering attacks.
0x00 Identity Information Collection in Social Engineering Analysis
Many dimensions of information deserve attention when analyzing a person for social engineering purposes. In any case, identity work usually begins with the most basic information about the person, and collecting identity information is a process of using the limited information available to correlate as much other information as possible.
Here, information about people is divided into two simple categories.
First category: basic information, such as name, nickname, mobile phone number, email address, various ID documents, and social accounts. This type of information helps identify the person during tracing. It is information a person inevitably uses in the course of social life, used to identify them in society; it is their business card for living in society.
Second category: other information, such as current address, hobbies, family situation, marital status, and career. This type of information helps us better understand a person's habits and living conditions and represents the person's characteristics. It is useful for generating customized social engineering dictionaries.
The following is a description of commonly used information gathering methods.
1 Search engine keyword search
The simplest, but often the most effective, method is keyword search. Good results depend on several conditions:
1. The keywords must not be too common; choose a combination of several keywords related to the target.
2. The target must be active on the Internet.
3. Prefer Google, DuckDuckGo and other foreign search engines; fewer of their pages and results are blocked.
2 Registered site search
There is a category of websites on the Internet designed to collect and store information about various user activities, either to build user profiles or to aggregate databases from previous breaches. Without discussing the motives and legitimacy of such sites, they do provide a way for others to obtain more information about a target. A general social engineering database query can be used to learn which social networking sites the target has registered on, or even old passwords.
2.1 REG007
Look up which social platforms an email address or cell phone number is registered on:
2.2 Manual queries
Use a website's registration function to enter the target's email address or cell phone number, and check whether the page reports that the email address or cell phone number is already taken.
3 Social Engineering Database Queries
Building a social engineering database that leaks private user data is against the law. Social engineering databases that provide details of leaked data are hard to find on the public web, and where they exist their motives are highly questionable: the information entered when using them is very likely recorded and used for tracing and hacking. More common is a class of sanitized websites that help users check whether their information has been leaked. Both kinds can help determine whether the target has registered an account on a particular platform.
3.1 Leak check queries
Website | Address | Searchable items
---|---|---
Firefox Monitor | | Email
HaveIBeenPwned | | Email
Aleph | / | Name, cell phone number, email address
snusbase | / | Email, name, IP, phone, hash, password
checkusernames | / | Username
Intelligence X | / | Email, IP, CIDR, Bitcoin address
dehashed | / | Email, username, IP
IsLeaked | / | Email
KnowEm | / | Username
3.2 Social Engineering Database Search
4 Name Identification Techniques
4.1 Determining the name from a cell phone number
1> Alipay
When the cell phone number is bound to Alipay and real-name authentication has been completed, the other party's name can be found through Alipay's transfer function.
If the other person's name has only two characters, simply guess the surname by hand.
If the name is longer than two characters, the trailing characters of the given name are shown, and the surname can be determined by enumerating surnames.
By doing the above, the full name can be obtained in the vast majority of cases without actually transferring any money. If the transfer is made through Alipay using ICBC / online banking and succeeds, the full name can be seen in the transaction details in the bank app.
PS: WeChat's "transfer by bank card or cell phone number" has the same effect, but very few people have enabled WeChat transfers by mobile number.
2> DingTalk
If the target has used DingTalk, searching for the cell phone number inside DingTalk reveals the username directly.
3> Social Engineering Database
4.2 Surname frequency table
Since name guessing is sometimes needed, a frequency table of surnames is useful for guessing the correct surname as quickly as possible, from high to low frequency.
Li Wang Zhang Liu Chen Yang Zhao Huang Zhou Wu Xu Sun Hu Zhu Gao Lin He Guo Ma Luo Liang Song Zheng Xie Han Tang Feng Yu Dong Xiao Cheng Cao Yuan Deng Xu Fu Shen Zeng Peng Lv Su Lu Jiang Cai Jiang Ding Cai Wei Xue Ye Yan Yu Pan Du Dai Xia Zhong Wang Wang Tian Ren Jiang Fan Fang Shi Tan Liao Zou Xiong Jin Lu Hao Kong Bai Cui Kang Mao Qiu Qin Jiang Shi Gu Hou Shao Meng Meng Wan Duan Cao Qian Qian Wan Tang Lai Yi Chang Wu Qiao He Lai Gong Wen Pang Fan Lan Yin Shi Tao Hong Zha An Yan Ni Yan Niu Wen Yu Yu Zhang Lu Ge Wu Wei Shen Yi Yi Nie Cong Jiao Xiang Liu Xing Lu Yue Qi along Mei Mo Zhuang Xin Guan Zhu Zhu Zuo Tu Gu Qi Shi Shu Geng Mou Bu Lu Zhan Guan Miao Ling Fei Ji Jin Sheng Tong O Zhen Xiang Qu Cheng You Yang Pei Xi Wei Zha Bao Bit Qin Huo Weng Sui Phyllis Gan Jing Bo Bo Shan Bao Si Bai Bai Ning Ke Nguyen Gui Min Ouyang Xie Qiang Chai Hua Che Ran Fann Bian Teng Jin Yuan Wu Zang Chang Gong Gou Lai Gu Chuan Chu Lian Jian Luk Xi Xi Fu Guy Wu Mu Dang Yan Lang Diji Ti Ti Ti Ti Ti Tu Lien Tu Gao Yan Luan Yu Shameng Yu Yu Ge Li Dou Dou O O Yanyan Len Zhuo Hua Huan Chou Ai Du Lan Dugong Gong Kou Qi Jing Zhong Liao Yue Bian Feng Zhu, Xian, Yuan, Chu, Tong, Chestnut, Kuang, Zong, Yingtai, Wu, Ju, Mon, San, Jing, Chen, Yin, Yang.
5 Social Account Techniques
5.1 WeChat, Alipay
In WeChat and Alipay, search for the cell phone number directly under "Add Friends".
5.2 QQ, Kuaishou, Douyin, Baidu Cloud, JD.com, Maimai, NetEase Cloud Music, Weibo
Save the phone number in your address book, then enable address book synchronization in the following social apps and tap Add/Discover Friends to obtain the other party's social accounts. (The app must be granted address book permission.)
5.3 Search Engine Keyword Search
Search for the cell phone number on Google and DuckDuckGo.
5.4 Social Engineering Database
6 Location information
6.1 Time zones
Infer the target's approximate time zone from their active hours, language, and posting patterns.
6.2 Precise position
Basic level: files carrying geolocation metadata, and location records shared in Keep, walking apps, and WeChat Moments.
Hacker level: tricking the user into installing an app that obtains GPS coordinates in real time, or inducing the user to click a link that obtains their location.
Government level: positioning via cellular base stations, positioning via signaling vulnerabilities.
6.3 Geolocation by IP
IP Geolocation Lookup:/?activeKey=SEARCH_IP
IP address localization:
7 Email Address Information Collection
Tencent (QQ Mail) addresses are usually a bare number, which exposes the QQ number.
Some NetEase 126 and 163 addresses are named after a cell phone number, which exposes it.
Some addresses are named name + number, which reveals the name.
7.1 Tracing the sender's address from the recipient side
View the email source; the sender's address information is visible in the headers.
If the email headers contain an "X-Originating-IP:" field, its value is the sender's IP. The common QQ Mail and 126 Mail both include this field.
If that field is absent, look at the Received fields in the headers. (When there are multiple Received fields, use the bottommost one; it is not always present and not always accurate.)
7.2 Sender-side probing when composing mail
The principle: embed a dynamically loaded external image in the email body; when the recipient opens the email, their IP is recorded on the image server.
Specifically, write the email in source or text mode and embed an HTML image link in the body. The image can be made very small and the img element set to invisible, so the recipient does not notice it when opening the email.
<img src="/sinacn04/787/w440h347/20180725/" w="440" h="347" wh="1.27" alt="A set of cute kitten emoticons">
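The two mail techniques above (sections 7.1 and 7.2) can both be handled on the receiving side with a small triage script. The following is an added example, not code from the original article: it parses a raw message, extracts the sender IP first from X-Originating-IP and otherwise from the bottommost Received hop, and flags remote images that are tiny or hidden, which is the tracking-pixel pattern. The sample message, hostnames and IP addresses are constructed for the demonstration (documentation ranges only).

```python
"""Triage an inbound email for sender-IP headers and hidden tracking images.

Added example, standard library only. SAMPLE_EML below is constructed:
the hosts and addresses are documentation values, not real mail servers.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed message: an X-Originating-IP header, two Received hops (the
# topmost is the last hop, the bottommost is the hop nearest the sender), and
# an HTML body with a normal picture plus a 1x1 invisible remote image.
SAMPLE_EML = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.net with ESMTP id abc123; Mon, 01 Jan 2024 10:00:02 +0000
Received: from sender-host (unknown [198.51.100.7])
\tby mx.example.org with ESMTP id xyz789; Mon, 01 Jan 2024 10:00:01 +0000
X-Originating-IP: [198.51.100.7]
From: someone@example.org
To: recipient@example.net
Subject: pictures
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello</p>
<img src="https://img.example.org/kitten.jpg" width="440" height="347" alt="kitten">
<img src="https://track.example.org/p.gif?id=42" width="1" height="1" style="display:none">
</body></html>
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (modern policy)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def originating_ip(msg):
    """IP from X-Originating-IP, the field the article says QQ/126 mail add."""
    value = msg.get("X-Originating-IP")
    if not value:
        return None
    m = IP_RE.search(str(value))
    return m.group(1) if m else None


def first_hop_ip(msg):
    """Fallback: the bottommost Received header is the hop closest to the sender.
    Only the 'from' clause is inspected; the address may still be a relay or NAT."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    from_clause = re.split(r"\bby\b", str(received[-1]), maxsplit=1)[0]
    m = IP_RE.search(from_clause)
    return m.group(1) if m else None


def sender_ip(msg):
    """Prefer X-Originating-IP, fall back to the first Received hop."""
    return originating_ip(msg) or first_hop_ip(msg)


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _tiny(value):
    """True for width/height attributes of 2px or less."""
    try:
        return value is not None and int(str(value).rstrip("px")) <= 2
    except ValueError:
        return False


def suspicious_images(html: str):
    """Return src values of remote images that are tiny or hidden (tracking pixels)."""
    collector = _ImgCollector()
    collector.feed(html)
    flagged = []
    for img in collector.images:
        src = img.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline/cid images cannot phone home
        style = (img.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if hidden or _tiny(img.get("width")) or _tiny(img.get("height")):
            flagged.append(src)
    return flagged


def triage(raw: bytes):
    """Full triage: sender IP plus any tracking images in the HTML part."""
    msg = parse(raw)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender_ip": sender_ip(msg), "tracking_images": suspicious_images(html)}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

A mail client that blocks remote image loading by default neutralizes the probe in 7.2 regardless of how small or hidden the image is; the flagging above is useful for after-the-fact review of messages that were already rendered.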
8 Recovering Masked Data
8.1 Recovering masked ID card numbers
The ID card number follows a fixed pattern. Apart from the last digit, which is a check digit, the remaining digits are related to the place of birth, date of birth, gender, and sequence number, so even after the ID number has been masked, the possible ID number combinations can still be filtered out by program analysis.
A masked-ID recovery tool was written for this; it supports brute-forcing the last 4 or 6 digits of the ID number as well as the birthday within it.
8.2 Recovering masked cell phone numbers
This section introduces how to recover as many digits of a cell phone number as possible, but first some background knowledge is needed.
The 11 digits of a cell phone number follow a pattern.
Digits 1-3 | Digits 4-7 | Digits 8-11
---|---|---
Mobile access code | Area code | Subscriber number
Mobile access code
Operator | Mobile access codes
---|---
China Telecom | 133 149 153 173 174 177 180 181 189 191 199
China Unicom | 130 131 132 145 146 155 156 166 167 171 175 176 185 186
China Mobile | 134 135 136 137 138 139 147 148 150 151 152 157 158 159 172 178 182 183 184 187 188 195 198
Virtual operators (MVNOs) | 162 165 167 170 171
Mobile access codes are applied for by the operator and issued by the Ministry of Industry and Information Technology (MIIT). Each issuance comes with a Certificate of Telecommunication Network Number Resource Use, so by downloading the certificates of past years we can obtain a description of how the different number segments were allocated. One caveat: the country has been pushing number portability for years, the original intention being to let users switch operators while keeping their number. If this were fully implemented and widely used, the access code could no longer reliably tell which operator a number belongs to. Judging by current results, however, determining the operator from the access code is still a highly effective method.
Area code
The assignment of specific area code values is managed by each operator, so it is difficult to give a general description of their structure. Fortunately, people on the Internet have collected a database of operators' area codes through crawlers and other means. It is shown below:
/dannyhu926/phone_location
8.2.1 Known: first 3 and last 4 digits of the target's cell phone number + city
A simple analysis with the following shell command shows that, with the mobile access code fixed, a city has no more than 5000 possible first-7-digit prefixes (access code + area code), and in the more common cases fewer than 500.
array=( 134 135 136 137 138 139 147 148 150 151 152 157 158 159 172 178 182 183 184 187 188 195 198 130 131 132 145 146 155 156 166 167 171 175 176 185 186 133 149 153 173 174 177 180 181 189 191 199 )
for i in "${array[@]}"; do grep "'$i'" phone_location.sql | awk '{print $8}' | sort -nr | uniq -c | sort -nr | head -n 1; done
Therefore, if the first 3 and last 4 digits of the cell phone number are known, knowing the target's city greatly narrows down the possible range of the target number: the number of candidates is <= 5000.
8.2.2 Known: last 4 digits of the target's cell phone number + city
A simple analysis using the shell command below shows that if only the target's city is known, there are no more than 20,000 possible 7-digit prefixes.
awk '{print $8}' phone_location.sql | sort -nr | uniq -c | sort -nr | head -n 10
So, in total, the number of cell phone numbers to be traversed in this case is probably no more than 20,000.
8.2.3 Known: last 4 digits only
If only the last 4 digits are known and nothing else, it takes 482049 attempts to guarantee that the correct target number is covered.
grep "INSERT" phone_location.sql | grep "phone_location" | wc -l
9 Other
Starting from the basic information obtained, further information can be mined within the social accounts.
9.1 Dictionary Customization
Ideally, the login password for a person's Internet account would meet requirements of length, complexity, meaninglessness, and uniqueness, but in practice this is virtually impossible.
In practical scenarios, password selection often revolves around the user's own and surrounding characteristics. If the information is collected thoroughly enough, we can generate keyword roots based on the following information, fill in combinations between the roots, and then generate a customized dictionary.
{
"person": {
"pinyin full name 1": "chuanjianguo",
"pinyin full name 2": "ChuanJianguo",
"pinyin full name 3": "jianguo"
},
"birthday": {
"full birthday": "20210512",
"birthday part": "0512"
},
"phone": {
"last 6 digits of cell phone number": "123456",
"last 4 digits of cell phone number": "3456"
},
"school": {
"student number": "123456",
"year of graduation or enrollment": "2021"
},
"id_card": {
"last 6 digits of ID number": "654321",
"last 4 digits of ID number": "4321"
},
"hobbies_pets": {
"keywords": "xiuer"
},
"company": {
"name1": "Google",
"name2": "GG"
},
"other": {
"generic word suffixes": "Slightly"
}
}
9.2 Password Hash Reverse Lookups
Online hash lookup sites can sometimes help obtain plaintext passwords.
/
9.3 Image Search
Baidu image search: /?fr=shitu
Google image search: /