Skip to content

Penetration Testing Lab

Offensive Techniques & Methodologies

  • Methodologies
    • Red Teaming
      • Persistence
  • Resources
    • Papers
      • Web Application
    • Presentations
      • Defcon
      • DerbyCon
      • Tools
    • Videos
      • BSides
      • Defcon
      • DerbyCon
      • Hack In Paris
  • Contact
    • About Us
Posted on February 20, 2013

Extracting Metada From Files

by Administrator.In Information Gathering.3 Comments on Extracting Metada From Files

Penetration testers must be able to think outside of the box and to use whatever method is necessary in order to discover information about their targets.Malicious attackers will not stop in the conventional tactics and this should apply and to the penetration tester.Many organizations are uploading in their websites word documents and excel files without been aware that they expose sensitive information.This information is hidden in the metadata of the files.Also in application assessments (web or mobile) it is a good practice except of the common vulnerabilities to check and the metadata in order to see if this information can be used in a malicious way.In this article we will examine some of the tools that we can use for metadata extraction and what kind of information can unveil.

Exiftool

One of the tools that can extract Metadata information is the exiftool.This tool is found in Backtrack distribution and can extract information from various file types like DOC,XLS,PPT,PNG and JPEG.Typically the information that we would look for are:

  • Title
  • Subject
  • Author
  • Comments
  • Software
  • Company
  • Manager
  • Hyperlinks
  • Current User

Below is the information that we have obtained from an image and the metadata from a doc file.

Extracting metadata of an image - exiftool
Extracting metadata of an image – exiftool
Metadata of a doc file
Metadata of a doc file
Metadata of a doc file 2
Metadata of a doc file 2

FOCA

FOCA is another great tool for analyzing metadata in documents.It is a GUI based tool which make the process a lot of easier.The only thing that we have to do is to specify the domain that we want to search for files and the file type (doc,xls,pdf) and FOCA will perform the job for us very easily.Below you can see a screenshot of the metadata that we have extracted from a doc file.As you can see we have obtained a username an internal path and the operating system that the file has created.

FOCA - Metadata
FOCA – Metadata

 

Conclusion

As we have seen in this article metadata can unveil important information which can be used in conjunction with other attacks.Companies should be aware about this exposure of information that exist in their documents and before they upload something on public domain must use the appropriate tools first in order to remove the metadata from their files and to mitigate the risk.

Rate this:

Share this:

  • Twitter
  • Facebook
  • LinkedIn
  • Reddit
  • Tumblr
  • Skype
  • WhatsApp
  • Telegram
  • Pinterest
  • Pocket
  • Email

Like this:

Like Loading...

Related

backtrackexiftoolFOCAMetadata

3 Comments

  1. MikeW says:
    February 20, 2013 at 2:52 pm

    As always, great article, thanks.
    Could you give examples as to how the hidden metadata could be used maliciously?
    Say for example, am I right in saying a hidden hyperlink url may accidently be linking to an open web address/folder, or an exposed author name could give the pen tester a name to social engineer etc?
    Are there any other common uses / examples of metadate being used?

    Reply
  2. netbiosX says:
    February 20, 2013 at 3:25 pm

    These data can be used in social engineering attempts as you mentioned correctly but it is not only that.If for example you obtain a user account as the last image indicates then you already have a valid username to play with and you need to discover the password in an infrastructure penetration test.If you find an internal path this is considered an information disclosure vulnerability so you should mention it on your report and you could potentially use this information as soon as you got access to the company’s network in order to discover and other valid paths or network shares.

    Reply
  3. daronwolff says:
    February 7, 2014 at 10:11 pm

    Great Article!!!!!!!
    Many thanks..
    Will be usefull

    Reply

Leave a Reply Cancel reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. ( Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. ( Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. ( Log Out /  Change )

Cancel

Connecting to %s

Post navigation

Previous Previous post: Metasploit – Storing Pen Test Results
Next Next post: SQL Injection Authentication Bypass With Burp

Search Topic

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,493 other subscribers

Recent Posts

  • Unconstrained Delegation
  • Persistence – Notepad++ Plugins
  • Shadow Credentials
  • Domain Escalation – Machine Accounts
  • Domain Persistence – Machine Account

Categories

  • Coding (10)
  • Exploitation Techniques (19)
  • External Submissions (3)
  • General Lab Notes (22)
  • Information Gathering (12)
  • Infrastructure (2)
  • Maintaining Access (4)
  • Mobile Pentesting (7)
  • Network Mapping (1)
  • Post Exploitation (13)
  • Red Team (116)
    • Credential Access (3)
    • Defense Evasion (22)
    • Domain Escalation (5)
    • Domain Persistence (4)
    • Lateral Movement (2)
    • Man-in-the-middle (1)
    • Persistence (28)
    • Privilege Escalation (17)
  • Reviews (1)
  • Social Engineering (11)
  • Tools (7)
  • VoIP (4)
  • Web Application (14)
  • Wireless (2)

@ Twitter

  • @Carlos_Perez same feeling with my first articles when I started blogging. Apparently the more you do it, the more… twitter.com/i/web/status/1… 4 days ago
  • RT @D1rkMtr: Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid openi… 4 days ago
  • certsync - Dump NTDS with golden certificates and UnPAC the hash github.com/zblurx/certsync #redteam 5 days ago
  • PSpersist - Dropping a powershell script at %HOMEPATH%Documents\windowspowershell\ , that contains the implant's pa… twitter.com/i/web/status/1… 6 days ago
  • RT @jorgeorchilles: Nice write up on Hunting Evil with the MITRE Engenuity Calculator, Atomic Red Team and Sysmon medium.com/@simone.kraus/…… 1 week ago
Follow @netbiosX

Pentest Laboratories Discord

  • Discord

Pen Test Lab Stats

  • 6,705,192 hits

Facebook Page

Facebook Page
Blog at WordPress.com.
  • Methodologies
    • Red Teaming
      • Persistence
  • Resources
    • Papers
      • Web Application
    • Presentations
      • Defcon
      • DerbyCon
      • Tools
    • Videos
      • BSides
      • Defcon
      • DerbyCon
      • Hack In Paris
  • Contact
    • About Us
  • Follow Following
    • Penetration Testing Lab
    • Join 2,191 other followers
    • Already have a WordPress.com account? Log in now.
    • Penetration Testing Lab
    • Customize
    • Follow Following
    • Sign up
    • Log in
    • Copy shortlink
    • Report this content
    • View post in Reader
    • Manage subscriptions
    • Collapse this bar
 

Loading Comments...
 

    %d bloggers like this: