00:05
Hello. This is Dean Pompey, Leo and we are in the social engineering class.
00:10
I'm going to be demo ing a tool called creepy,
00:20
We can go to the website really quick as geo creepy dot com.
00:25
This tool allows you to do geo location.
00:29
So by using various social networking,
00:36
track and individual or individuals
00:39
to see what they're doing and where they're doing it.
00:43
And this will work for Twitter,
00:48
instagram, flicker and Google, Plus
00:53
creepy is available to, uh, to use from within. Cali.
01:00
I'm I decided to install it on windows to make a little bit easier instead of having to boot up the V m. But
01:07
go ahead and, uh, use it through through Callie if you wish.
01:11
There's the windows download here
01:14
and we can see that there's also *** downloads and then you can get it from Run it from source code.
01:23
There's a YouTube video,
01:25
and we do get some quick start instructions.
01:29
Some instructions for installing on your Debian Destro's such as Callie.
01:42
Okay, so I'm gonna go ahead and launch the tool,
01:51
and when this comes up, we should see a map.
01:57
It takes a couple seconds to load.
02:00
And this basically is sending the geo location data
02:06
So this is actually a Google Maps. Uh, ap I interface.
02:10
Speaking of AP eyes,
02:13
you do need to configure
02:16
I have only configured the Twitter plug in.
02:21
So when you try to run the configuration wizard
02:25
for any of the other,
02:37
to that particular website
02:40
and should give me the the window here in a moment.
02:45
And so you log in as your normal account and then you'll get a pin number of which then you'll paste
02:49
into this window that you see here
02:53
and what you're doing is authorizing Twitter to allow creepy to do to have read only access to your Twitter account.
03:02
So in order to use this tool to interrogate the other social networking sites, you do need to create accounts on all those platforms.
03:15
Anyway, I've already configured this and we're gonna go ahead and cancel out,
03:20
and what I'd like to do is create a new person based project,
03:23
and I'm going to actually just use myself as the target
03:30
you may find when you're searching for
03:35
information about a target that
03:38
in some cases they are maybe somewhat security minded.
03:44
So if you use a tool like this, it it may have limited results because that
03:49
that target may have disabled geo location,
03:53
which any any smart person would. D'oh. Unless Unless that's something that is, ah, part of your your twitter
04:00
feed and you want that to be visible to people.
04:05
All right, so I'm gonna go ahead and tighten my my twitter handle, which is my first and last name together. As we see it
04:14
You can go ahead and figure these others when you when you need to. We're just gonna do a simple demonstration here
04:19
and I can click the search button
04:24
So pop me up pretty quickly Now, Once I see my search results, I still have to click the add two targets button
04:32
Twitter account in the target's window
04:39
multiple targets. It doesn't have to be just one.
04:43
So now that my target is here, I can go ahead and click next,
04:47
and I have some options. I can include retweets, I can exclude replies.
04:54
I just keep those at the default setting, Click next and finish.
05:00
project name is here. I could expand this, and I can see
05:03
that there's a suction for locations and some other analysis.
05:09
What I need to do first, though, is,
05:12
uh, select the project and then click the analyzed current project. But
05:17
you'll notice that the bottom
05:19
it'll give you an update here that's analyzing,
05:23
looking for locations, looking for other information.
05:29
it did find some locations. And this window here,
05:31
I can see three different
05:33
three different tweets.
05:35
I'm gonna go ahead and zoom out
05:47
and just a little bit more. Okay, so
05:51
these are three sample tweets that I that I created just for the demonstration purposes.
06:03
location, you can see that it tells me my
06:09
my date and time stamp here tells me the location
06:15
contacts, which is the actual tweet that I sent.
06:18
He's actually reverse order.
06:21
Let's look at the Chicago one first. Chicago one.
06:25
I was just doing a simple test testing. 123
06:29
Sorry about that. Interruption testing 123
06:34
And when you twitter in particular,
06:39
it's very easy for the person doing the tweeting
06:43
to either use an automatic
06:45
geo location future or you just type the location in.
06:51
that means that this information is that you're getting here may not be completely reliable,
06:58
but for the purposes of trying to uncover
07:02
where someone might be, where they where they've been recently, what kind of messages they're sending,
07:09
we'll just assume that that that the information is most likely correct.
07:13
And you can always try to correlate this information later with with something else.
07:21
this location was Chicago,
07:25
another tweet in San Francisco, which is my second test
07:29
and then another one,
07:33
another one in Washington.
07:42
Another feature that the tool has is to click the analysis link
07:49
when the account was created. How many tweets have been created,
07:58
allowed geo location of my tweets,
08:03
and then it gives some other stats on,
08:07
uh, the different hours of the day. We're the tweeting happened
08:13
put in a another person based project and you were looking to,
08:20
you know, follow a celebrity, let's say, or a politician
08:24
or someone else. That's part of a social engineering
08:31
you know, as part of a pen test, Let's say,
08:33
then you'd have to find out first. Of course, if if that target is using any of these social engineering
08:41
social networking platforms,
08:43
a lot of people use Twitter and flicker on Instagram and Google, plus, so
08:50
trying to do simple searches for an individual on those websites pretty easy. You could just use their first and last name.
08:58
And if they have a profile, that profile should come up, and you should be able to
09:03
get their Twitter handle that way or their handle for some other service.
09:09
So, yeah, it's pretty pretty useful. I just put in the names of cities when I did these tweets, so it basically tries to center you
09:20
geographically in that city.
09:22
If you don't give in this a specific address,
09:31
some other things you can do are too filter
09:35
by location, date or position
09:39
so you can do this by time, days, the weak and months of the year. Internet narrow things down a little bit.
09:46
And the filter buttons were also here. So I can
09:50
filter by specific date
09:58
and you can even give a distance from the point of interest.
10:03
So, for instance, if you were trying thio
10:07
determined or to correlate information showing where someone
10:11
was on a certain date in time,
10:15
geographically, you could piece some of this information together.
10:22
And then this heat map will then show
10:26
a, uh indication of how close
10:28
the individual was to that area.
10:33
when particular events happen and made my case when particular tweets happened.
10:41
And then you can click this red bar to remove all those filters.
10:46
She didn't remove the filter. The heat map.
10:48
Okay, so that's the basic idea of the creepy tool.
10:54
wanted one tool to adhere to your bag of tricks
10:58
in order to correlate information and to be able to use
11:03
the built in features of many social networking tools to get more information about your target.
11:09
All right, that concludes the demo.
11:11
See you on the next time. L thank you