How to incorporate social engineering into investigations, OSINT & IPLogger?
This article is about IPLogger and other little tricks that you can use to get data like, geolocation of your search target, IP, number, mail. Many OSINT'ers think that IPLogger and social engineering is unethical and not at all OSINT. I believe that social engineering really has nothing to do with OSINT and such software as IPLogger is relevant to use in cases when you just can't find anything. But I assure you that this article will be useful for you and will be useful to you again.
Traps - A trap can be a link, a file, an external site, or a bot. Traps are used to obtain sensitive information that your target will unknowingly pass on to
IPLogger, CanaryTokens and similar services.
Yes, IPLogger is quite trivial, even those who are not at all familiar with investigations on the Internet know about this service. This service really has an amazing functionality. Service is able to mask its traps in the formats of links, videos, torrents, photos, word, exel, iso, exe, pdf, zip, etc. And also, with the help of iplogger.com, you can calculate the location of a person with an error of 10 meters using geologger. The functionality of geologger is very similar to Seeker and TrackUrl, they both work using HTML5 Geo API. In order to get a person's location, you need your search object to give access to your .
In addition, there is a more advanced service, as it seems to us, called canarytokens. It's the same logger that can be disguised as a QR code, SQL server, etc. We think it is, one of the most interesting is called "unique email address", when you send an email to "your токена@canarytokens.org number" you will see the IP address of the poisoner. And if you connect your domain to canarytokens, no one will think you are trying to identify them. You can do this by using a ready-made image for Doker. You will need to edit the frontend.env and switchboard.env files as follows:
The domain(s) that will be used to generate trigger addresses
they must point to the IP address of the server where Docker is running. An SSL certificate will need to be issued for these same domains. CANARY_DOMAINS=example1.com,example2.com
This domain is only needed if you are going to use the trigger as a PDF file
in which case the NS records for this domain should point to the domain in the previous paragraph.
In other words example3.com must be delegated to example1.com and example2.com CANARY_NXDOMAINS=example3.com
I would also like to mention a utility called Trape, the name speaks for itself, because Trape from English translates as a trap. After clicking on the link generated by Trape, we will see the IP, location and the main feature of this utility is that, we will see the client sessions of the user in the browser. Trape is able to detect open tabs with the following services.
➜ Amazon
➜ Dropbox
➜ Gmail
➜ Tumblr
➜ Tumblr
And this is just one such service, you can find tons more of them on the internet.
An example of how trape works.
The google doc trick.
You've probably heard about all these google id tricks and other google holes, but this one is very interesting, it allows you to pull email and google id through a link to Google Drive, Google Docs, Google Spreadsheets, Google Slides, Google Drawning, Google My Maps, Google Apps Script, Google Jamboard. You can ask the attacker to upload the document to google drive for example and send you the link. After he sends you the link, you can identify the person using xeuldoc. After sending a link to the document to this tool, you will know the email and google ID of the attacker, the date the document was created and the date the document was last edited.
Through the bell.
This is a rather atypical way of trapping, I think you will not need it, but it would be good to know it. The idea is that the user dials you and the call is saved. Then you can set up a page in Whatsapp object of your search or social network. To do this you will need to design the site, and make your object want to click on the button. The HTML code of the button will look like this:
WhatsApp:
Button text
After the attacker presses the button, he will make a call, or write a message in WhatsApp. I am not sure if this method works.
How do you mask loggers?
First I will tell you about telegraph, yes, that telegra.ph. The first security hole in this service is that it does not warn you about clicking on links. Therefore, you will be able to disguise IPLogger there, passing off the logger link as a harmless link.
And these are not all telegraph holes. In order to implement the next hole, you will need to create an invisible logger with jpg, or png, jpeg extension. Copy the link and click on the icon to paste the code "<>". Once clicked, paste the link and press enter. After that you will have a 1x1 image that will collect all the IP addresses that followed the link to telegraph.
There is also a way to disguise the logger as a youtube link using websolver.
There is absolutely nothing complicated in creating a logger. You just need to click the "Generate" button to create your own logger with the domain yȯutube.com.
The same links can be created for other resources, here's a look:
➜ https://www.google.com/url?q=itsnotalogger.xyz
➜ http://instagram.com.xsph.ru?u=itsnotalogger.xyz
➜ https://www.youtube.com/redirect?q=itsnotalogger.xyz
Bottom line.
Of course, these are not all the traps that exist, there are more. But these are the most basic options, if you are interested in more, we will gladly share other methods of catching scammers.
Thank you for reading the article, I hope you found it useful and these techniques will be useful to you in your future searches.
https://www.advisor-bm.com/post/social_engineering_iplogger_osint