Metadata Analysis With FOCA 2.5

Thursday, August 19, 2010

shawn merdinger


At Defcon 18, Jose Palazon Palatko and Chema Alonso of Informatica64 presented for the second year in a row on FOCA, which bills itself as a tool for Fingerprinting Organizations with Collected Archives.

FOCA also means "seal" in Spanish. In practice the software is a very powerful tool that uses search engines to discover every kind of document on a target's website, downloads the files, and extracts their metadata for further analysis and for use in other tools, such as SET (the Social Engineering Toolkit).

So what's the big deal about metadata in Microsoft Office, Adobe or OpenOffice files? Well, you might be surprised to hear (again) that over the past few years several embarrassing situations have come to light, again and again, because of un-scrubbed metadata. For example, way back in 2003 the metadata in a 10 Downing Street memo on the justification for the Iraq war showed who had edited the document.

Another good example, from 2005, is the National Security Council's "Our National Strategy for Victory in Iraq" document. Even the NSA has published a PDF warning of the dangers of leaked metadata: the 26-page "Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures".

While the examples above point to disclosure issues such as tracking who made edits, newer tools like FOCA go much further and surface juicy tidbits such as email addresses, user names, software versions, operating systems, internal server names, mapped drive and share information, and so on. To a savvy attacker that is a ready-made target list: user names for credential attacks, software versions for picking client-side exploits, and internal host names and shares for the post-compromise map. The potential for damage must not be overlooked.

Still not convinced? Then run FOCA against your own organization's websites and review the output. I think you'll be surprised, and the resulting disclosure will likely prompt you to explore the metadata scrubbing tools available in the marketplace, both free and commercial. Bear in mind that scrubbing only helps for documents published from now on; files that are already out there and indexed by search engines have to be replaced or pulled.
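To make concrete what FOCA harvests from a single Office file (the user names, software versions, templates and internal paths listed above) and what a scrubber actually has to cover, here is an added Python example. It is not FOCA's code and not part of the original post: it builds a small .docx in memory, reads the creator, last editor, application version, company and template path out of the docProps parts, greps every XML part of the package for UNC paths, and then blanks the property parts the way a basic scrubber would. The document and every user name, host name and path in it are constructed for the example.

```python
"""Extract FOCA-style metadata from an Office Open XML file and scrub it.

Added example, not FOCA's code. The .docx, user names, host names and paths
are constructed for illustration; nothing here comes from a real document.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Who touched the file (core.xml) and which software, company and template
# produced it (app.xml): the per-document fields a FOCA-style tool reports.
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy")
APP_FIELDS = ("ep:Application", "ep:AppVersion", "ep:Company", "ep:Template")
# \\server\share\... leaks internal host names; it turns up in the Template
# field and in hyperlink targets, not only in the property parts.
UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\"'<>\s]+")

EMPTY_CORE = f'<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp="{NS["cp"]}"/>'
EMPTY_APP = f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{NS["ep"]}"/>'


def extract_metadata(docx: bytes) -> dict:
    """Return the identifying property fields plus any UNC paths in XML parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = z.namelist()

        def grab(part, fields):
            if part not in names:
                return
            root = ET.fromstring(z.read(part))
            for f in fields:
                el = root.find(f, NS)
                if el is not None and el.text:
                    found[f.split(":", 1)[1]] = el.text

        grab("docProps/core.xml", CORE_FIELDS)
        grab("docProps/app.xml", APP_FIELDS)
        unc = set()
        for n in names:
            if n.endswith((".xml", ".rels")):
                unc.update(UNC_RE.findall(z.read(n).decode("utf-8", "replace")))
        if unc:
            found["unc_paths"] = sorted(unc)
    return found


def scrub(docx: bytes) -> bytes:
    """Blank core.xml and app.xml. Link targets, comments and embedded objects
    are left alone, so always re-run extract_metadata() on the result."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                data = EMPTY_CORE.encode()
            elif info.filename == "docProps/app.xml":
                data = EMPTY_APP.encode()
            # Writing by name (not ZipInfo) resets per-entry timestamps, which
            # are metadata too.
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed sample package carrying the leaks FOCA looks for."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "docProps/core.xml": r'''<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
                   xmlns:dc="http://purl.org/dc/elements/1.1/">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\jdoe</cp:lastModifiedBy>
</cp:coreProperties>''',
        "docProps/app.xml": r'''<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Template>\\fileserver01\templates\corp.dotx</Template>
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>''',
        "word/_rels/document.xml.rels": r'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="file:///\\fileserver01\shared\budget.xlsx" TargetMode="External"/>
</Relationships>''',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before scrub:", extract_metadata(sample))
    print("after scrub: ", extract_metadata(scrub(sample)))
```

Run it and the "after scrub" line still lists `\\fileserver01\shared\budget.xlsx`: blanking the property parts removes the user names, application version and template path, but the internal server name survives in the hyperlink relationship. That is exactly why the advice above is to run FOCA (or any extractor) against what you actually publish, rather than trusting that a scrubber caught everything.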

At Defcon 18, Palatko and Alonso ran FOCA 2.5 against the White House's website and showed usernames, internal servers not accessible from the internet, mapped drives, etc.  One of them started it against army.mil but the other presenter closed the laptop and ended the presentation.  

Hello? Is anyone out there paying attention? Bueller? Fair warning: FOCA's English-language documentation is not very good at this point, and the best I've found so far is a 3-part series of blog posts in Spanish (tip: use a translator service like BabelFish). In addition, here are a few other resources to get you started: the Defcon 18 slides, the Defcon 17 slides, and a TechWorld article on FOCA. Still, you can be up and scanning a site in minutes and in under 5 clicks. Is that not worth it?

Danny Lieberman:

Shawn,

Good call - I downloaded the tool and ran it against a couple of sites. The enumeration capability is good - I'm looking forward to spending some more time playing with the tool.

Danny
shawn merdinger:

Thanks for the feedback, guys. Also, to make things clear, there are three versions of FOCA:

1. FOCA Website, which allows for 1 file uploaded via the Web and very basic metadata analysis. Not really worthwhile imho: http://www.informatica64.com/foca/

2. FOCA 2.5 FREE -- the free version that I covered above.

3. FOCA 2.5 PRO -- the professional, not free version.

Cheers,
--scm