Time
3 hours 55 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

In this lab, Subject Matter Expert Dean Pompilio demonstrates a tool called Creepy. The website www.geocreepy.com provides a tool that geolocates a target by using various social networking platforms to track individuals. Creepy works with Twitter, Flickr, Instagram, and Google Plus. Creepy is available within Kali, but Windows is used for this demonstration. SME Pompilio demonstrates a person-based geolocation using himself as the target. (Be aware when using this tool that a target may have disabled geolocation.) In this lesson you will learn:

  • how to launch the tool
  • the need to configure the plug-ins for the Web sites you want to use
  • the need to create accounts on the platforms you want to use
  • how to log in and get a PIN that authorizes the site to allow Creepy read-only access
  • how to select multiple targets and select a project
  • the available options such as including re-tweets and including replies in the information Creepy returns
  • that the program sends the geolocation data to Google Maps
  • that a map is returned showing the target's tweet locations and showing the tweets with a date and time stamp
  • how to use the analysis link, which will give other statistics and further information about the tweets
  • other things you can do such as filter by location, date, or position (distance from the point of interest) to narrow things down
  • how to remove your filters

SME Pompilio states that Creepy is one tool to add to your bag of tricks to correlate information and to use with the built-in features of many social networking sites to get information about your target. He also says that the information returned by Creepy may not be 100 percent correct and may need to be correlated with other information to verify it.

Video Transcription

00:05
Hello. This is Dean Pompilio, and we are in the social engineering class.
00:10
I'm going to be demoing a tool called Creepy,
00:15
and this tool is
00:17
pretty useful. It's
00:20
We can go to the website really quick, it's geocreepy.com.
00:25
This tool allows you to do geolocation.
00:29
So by using various social networking,
00:33
uh,
00:34
platforms we can
00:36
track an individual or individuals
00:39
to see what they're doing and where they're doing it.
00:43
And this will work for Twitter,
00:48
Instagram, Flickr and Google Plus.
00:53
Creepy is available to, uh, to use from within Kali.
01:00
I decided to install it on Windows to make it a little bit easier instead of having to boot up the VM. But
01:07
go ahead and, uh, use it through, through Kali if you wish.
01:11
There's the Windows download here
01:14
and we can see that there's also *** downloads and then you can get it from Run it from source code.
01:23
There's a YouTube video,
01:25
and we do get some quick start instructions.
01:29
Some instructions for installing on your Debian distros such as Kali.
01:42
Okay, so I'm gonna go ahead and launch the tool,
01:51
and when this comes up, we should see a map.
01:57
It takes a couple seconds to load.
02:00
And this basically is sending the geolocation data
02:04
to Google Maps.
02:06
So this is actually a Google Maps, uh, API interface.
02:10
Speaking of APIs,
02:13
you do need to configure
02:15
your plug-ins.
02:16
I have only configured the Twitter plug-in.
02:21
So when you try to run the configuration wizard
02:25
for any of the other,
02:28
uh,
02:29
plug-ins as well,
02:30
it will basically
02:32
ask you to connect
02:37
to that particular website
02:40
and should give me the the window here in a moment.
02:45
And so you log in as your normal account and then you'll get a PIN number, which then you'll paste
02:49
into this window that you see here,
02:53
and what you're doing is authorizing Twitter to allow Creepy to have read-only access to your Twitter account.
03:02
So in order to use this tool to interrogate the other social networking sites, you do need to create accounts on all those platforms.
03:15
Anyway, I've already configured this and we're gonna go ahead and cancel out,
03:20
and what I'd like to do is create a new person based project,
03:23
and I'm going to actually just use myself as the target
03:30
you may find when you're searching for
03:35
information about a target that
03:38
in some cases they are maybe somewhat security minded.
03:44
So if you use a tool like this, it it may have limited results because that
03:49
that target may have disabled geolocation,
03:53
which any, any smart person would do. Unless, unless that's something that is, ah, part of your, your Twitter
04:00
feed and you want that to be visible to people.
04:05
All right, so I'm gonna go ahead and type in my, my Twitter handle, which is my first and last name together. As we see it,
04:12
I'll select Twitter.
04:14
You can go ahead and configure these others when you, when you need to. We're just gonna do a simple demonstration here
04:19
and I can click the search button
04:21
and there I am.
04:24
So it popped me up pretty quickly. Now, once I see my search results, I still have to click the Add to Targets button.
04:30
That puts my
04:32
Twitter account in the targets window
04:35
and you can select
04:39
multiple targets. It doesn't have to be just one.
04:43
So now that my target is here, I can go ahead and click next,
04:47
and I have some options. I can include retweets, I can exclude replies.
04:54
I just keep those at the default setting, Click next and finish.
04:59
So now my
05:00
project name is here. I could expand this, and I can see
05:03
that there's a section for locations and some other analysis.
05:09
What I need to do first, though, is,
05:12
uh, select the project and then click the Analyze Current Project button.
05:17
You'll notice at the bottom
05:19
it'll give you an update here that's analyzing,
05:23
looking for locations, looking for other information.
05:27
And we see that
05:29
it did find some locations. And this window here,
05:31
I can see three different
05:33
three different tweets.
05:35
I'm gonna go ahead and zoom out
05:42
a little bit more
05:47
and just a little bit more. Okay, so
05:51
these are three sample tweets that I that I created just for the demonstration purposes.
06:00
So if I click on
06:02
my first
06:03
location, you can see that it tells me my
06:09
my date and time stamp here tells me the location
06:13
and I've got my
06:15
my, uh,
06:15
contacts, which is the actual tweet that I sent.
06:18
He's actually reverse order.
06:21
Let's look at the Chicago one first. Chicago one.
06:25
I was just doing a simple test, testing 123.
06:29
Sorry about that interruption. Testing 123.
06:34
And when you twitter in particular,
06:39
it's very easy for the person doing the tweeting
06:43
to either use an automatic
06:45
geolocation feature or you just type the location in.
06:49
So
06:51
that means that this information is that you're getting here may not be completely reliable,
06:58
but for the purposes of trying to uncover
07:02
where someone might be, where they where they've been recently, what kind of messages they're sending,
07:09
we'll just assume that that that the information is most likely correct.
07:13
And you can always try to correlate this information later with with something else.
07:19
Anyway, I can see
07:21
this location was Chicago,
07:25
another tweet in San Francisco, which is my second test
07:29
and then another one,
07:33
another one in Washington.
07:42
Another feature that the tool has is to click the analysis link
07:46
double click this,
07:48
and this will tell
07:49
when the account was created. How many tweets have been created,
07:54
what the time zone is.
07:56
It shows that I've
07:58
allowed geolocation of my tweets,
08:03
and then it gives some other stats on,
08:07
uh, the different hours of the day where the tweeting happened.
08:11
So if you were to
08:13
put in a another person based project and you were looking to,
08:20
you know, follow a celebrity, let's say, or a politician
08:24
or someone else. That's part of a social engineering
08:30
effort,
08:31
you know, as part of a pen test, Let's say,
08:33
then you'd have to find out first. Of course, if if that target is using any of these social engineering
08:41
social networking platforms,
08:43
A lot of people use Twitter and Flickr and Instagram and Google Plus, so
08:50
trying to do simple searches for an individual on those websites is pretty easy. You could just use their first and last name.
08:58
And if they have a profile, that profile should come up, and you should be able to
09:03
get their Twitter handle that way or their handle for some other service.
09:09
So, yeah, it's pretty, pretty useful. I just put in the names of cities when I did these tweets, so it basically tries to center you
09:20
geographically in that city
09:22
if you don't give it a specific address.
09:31
Some other things you can do are to filter
09:35
by location, date or position,
09:39
so you can do this by time, days of the week and months of the year, in order to narrow things down a little bit.
09:46
And the filter buttons are also here. So I can
09:50
filter by specific date
09:56
by a location,
09:58
and you can even give a distance from the point of interest.
10:03
So, for instance, if you were trying to
10:07
determine or to correlate information showing where someone
10:11
was on a certain date and time,
10:15
geographically, you could piece some of this information together.
10:22
And then this heat map will then show
10:26
a, uh indication of how close
10:28
the individual was to that area.
10:33
Uh,
10:33
when particular events happened, and in my case when particular tweets happened.
10:41
And then you can click this red bar to remove all those filters.
10:46
She didn't remove the filter. The heat map.
10:48
Okay, so that's the basic idea of the Creepy tool.
10:52
This is just, ah,
10:54
one tool to add to your bag of tricks
10:58
in order to correlate information and to be able to use
11:03
the built-in features of many social networking tools to get more information about your target.
11:09
All right, that concludes the demo.
11:11
See you on the next time. L thank you


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor