Creepy Geolocation

Geographic Information Theory

There are two main types of geographic information found in files. Geotagging is the information placed in a file with the GPS coordinates of the location. EXIF (Exchangable Image File Format) contains the geotagging information as well as device type and speed. EXIF contains more information and is normally limited by the capabilities of the device creating the file.

What are the common weaknesses? Data leakage from the geographic information can pin point the exact location of where a file created. This information can be used to find detailed maps using software such as Google Earth or create detailed patterns of movement.

What are you trying to do? We are going to connect to Twitter and do geolocation on the @FIFAWorldCup account. Why the FIFAworldcup account? We know where the world cup is happening so it is easy to see if the information is correct.

Getting Started

Get creepy from here: http://ilektrojohn.github.io/creepy/

Ready to Go

For this tutorial it is installed in a Windows 7 virtual machine. The Kali apt-get repositories was not the latest version when this was written. Besides, the OS is just a tool we don’t need to get caught up in an ideological battle about how somebody has to use a certain tool to be a ‘real’ hacker. Being effective is more important than being a zealot.

Edit the configuration: Edit -> Plugins Configuration then select Twitter Plugin -> Run Configuration Wizard -> Next. Enter your Twitter ID and password to authorize creepy by clicking Authorize APP.

Wouldn’t this also be a great time to follow us @SecureNM? I’m not trying to make you feel guilty but you are here reading our stuff. Copy the PIN that Twitter generates into the text box at the bottom of the window and click the finish button.

Creepy should now be authorized but just to be sure select Twitter Plugin and then click the Test Plugin Configuration button. Yay, we are ready to get started. Click OK a few times to get back to the main screen.

From the file menu select Creepy -> New Project -> Person Based Project. This will start the project wizard. Fill in the information as you see fit.

Add the information and select the proper plugin then select Search. In this case we used @FIFAWorldCup.

Click the ID or IDs that you want to creep on, see what I did there? Then select Add to Targets. I added all of the IDs that were found to ensure data for this tutorial.

Select Next -> Next -> Finish.

Analyze the project by selecting the project and clicking the Analyze button

Sao Paulo, Rio de Janeiro, and the Maldives are all among the locations of texts sent by the twitter IDs that creepy analyzed. Select one of these locations on the map and through the power of google and GPS you can see the location and possibly a street view. In the immortal words of Keanu Reeves, Whoa!

I know what you’re thinking, wow that was cool but so what. So what you say? This is how you would use it on a real life security engagement. You get a black box test with nothing but a URL. You find the companies twitter account on the website. Feeding this information into creepy gives you locations that are potential targets for social engineering, physical infiltration, and WiFi attacks. See how just a little information can turn the tide in an assessment?