Metagoofil - Sensitive Information from Metadata
"So - Metagoofil?? What the heck is that??" Yeah, I can hear you saying it now. It's a funny name, but names aside, it's a very useful program. One of the tools that should be included on your list of penetration testing tools - under the "Information Gathering" stage. You ever find yourself stuck with not much of an idea of the internals of a company network, and you need to know a bit more about the hardware, software, or operating systems on the inside? Ever needed to know a username/person within the company so you can perform some targeted social engineering? Metagoofil can help!
What is it?
Metagoofil is a program developed by Edge-Security. Metagoofil works by extracting the metadata from various file types, and displaying a related list of possible usernames, people, hardware, operating systems, and file paths - all of which gives you an idea of internal system layouts. However, the trick with Metagoofil is that it works by Googling the website of the company that you are pentesting (or individual's site), and then proceeding to download all files of a specific file type that you specify - this is all completely legitimate and legal. It then generates the aforementioned results, and records them in an HTML file for all to see.
How does it work?
Metagoofil basically works like this:
a) Searches Google for the specific file types in a given site, using a command not dissimilar to the following:
site:example.com filetype:doc,pdf,etc
b) Downloads the files to the local disk, and passes them through to "libextractor"
c) Compiles them into the HTML results file - simple hey?
How do I install it?
You'll need the libextractor libraries:
Debian:
On Debian it's as easy as: apt-get install libextractor
Ubuntu:
apt-get install libextractor-plugins extract
Then edit metagoofil.py to have the extcommand as:
/usr/bin/extract
OS X:
Using Darwin ports, "port install libextractor"
Windows: Download GNUNet LibExtractor
Make sure the path to the 'extract' binary is set correctly in the metagoofil.py module. If not, simply modify the path reference to the correct place. For example, this command typed in Linux:
which extract
Would return the following as a result for extract's path:
/usr/local/bin/extract
You will also need python installed - if you don't know how to, just google it. Then, proceed to run it in the terminal with either:
python metagoofil.py
Or:
sudo chmod +x metagoofil.py && ./metagoofil.py
Now I'm in - How do I use it?
Well, it's pretty simple. Execute the program without any parameters for a list of command options:
python metagoofil.py
That will print this:
MetaGooFil 1.4
usage: metagoofil options
-d: domain to search
-f: filetype to download (all,pdf,doc,xls,ppt,odp,ods, etc)
-l: limit of results to work with (default 100)
-o: output file, html format.
-t: target directory to download files.
Example: metagoofil.py -d microsoft.com -l 20 -f all -o micro.html -t micro-files
So basically, you need to include all the command parameters, but they are very self-explanatory, so I won't bother to explain. The only thing that needs explaining is this - the file given with -o (output.html) contains the results, whereas the folder given with -t is where all the files will be downloaded to. I'll just give you a slightly censored example of one I did:
root@Mr. P-desktop:/home/Mr. P/metagoofil-1.4a# python metagoofil.py -d *****.gov -f doc -l 20 -o organisation.html -t organisation
*************************************
*MetaGooFil Ver. 1.4a *
*Coded by Christian Martorella *
*Edge-Security Research *
*cmartorella@edge-security.com *
*************************************
[+] Command extract found, proceeding with leeching
[+] Searching in ******.gov for: doc
[+] Total results in google: 3
[+] Limit: 3
[+] Searching results: 0
[ 1/3 ] http://www.******.gov/images/pages/Application%20*************Position%20Form********.doc
[ 2/3 ] http://www.******.gov/images/pages/Application%20********************Form.doc
[ 3/3 ] http://www.******.gov/images/pages/Application%20***************Form.doc
Usernames found:
================
h*****and
Admin
Paths found:
============
*CC\
[+] Process finished
So now we have our output, time to view the results in pretty HTML :)
Searching in ******.gov for: doc files.
Total available files: 3

http://www.******.gov/images/pages/Application%20**********Position%20Form_********.doc
Local copy Open
Important metadata:
mimetype - application/msword
language - U.S. English
paragraph count - 17
line count - 60
last saved by - h*****and
character count - 7289
template - *CC- LH Black.dot
creation date - 2008-06-30T05:32:00Z
word count - 1278
page count - 4
creator - Admin
date - 2008-07-03T06:13:00Z
generator - Microsoft Office Word

http://www.******.gov/images/pages/Application%20************%20Form.doc
Local copy Open
Important metadata:
mimetype - application/msword
language - U.S. English
paragraph count - 10
line count - 35
last saved by - h*****and
character count - 4302
template - *CC- LH Black.dot
creation date - 2007-08-29T06:08:00Z
word count - 754
page count - 3
creator - Admin
date - 2008-05-23T03:30:00Z
generator - Microsoft Office Word

http://www.******.gov/images/pages/Application%20***********%20Form.doc
Local copy Open
Important metadata:
mimetype - application/msword
language - U.S. English
paragraph count - 13
line count - 48
last saved by - h*****and
character count - 5789
template - *CC- LH Black.dot
creation date - 2007-08-29T05:39:00Z
word count - 1015
page count - 4
creator - Admin
date - 2008-05-23T03:09:00Z
generator - Microsoft Office Word

Total results for doc: 3
Total authors found (potential users):
h*****and
Admin
Path Disclosure:
*CC\
From this, without even letting them know they've been scanned, we've gathered that h*****and is the secretary or a webmaster (with a little further investigation, it's a secretary), and thus we've got an email username as well (can be bruteforced or SE'd later). We also have a local username (Admin), the name of a probable server, seeing as it's not a local directory (*CC\), and their OS, at least to genre - Microsoft Windows. Quite a useful program, so enjoy. This has been a mini tutorial - the first of a few up-and-coming ones to give you guys some better software to use.
-Mr. P
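The same fields can be checked from the publishing side before a document goes on a website. The Python script below is an added example, not part of Metagoofil or the original post: it parses "key - value" metadata lines in the format of the report above and flags the fields that gave away users, templates and software. The function names, the grouping of fields and the sample input are assumptions of this example.

```python
"""Pre-publication check: flag revealing fields in extract-style metadata."""

# Field names as printed in the report above; the grouping is this example's own.
RISKY_FIELDS = {
    "creator": "names a user or account",
    "last saved by": "names a user or account",
    "template": "exposes an internal template name or location",
    "generator": "identifies the authoring software",
}


def parse_metadata(text):
    """Turn 'key - value' lines into a dict; lines without ' - ' are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" - ")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def audit(fields):
    """Return (field, value, reason) for each field to strip before upload."""
    findings = []
    for key in sorted(fields):
        value = fields[key]
        if key in RISKY_FIELDS:
            findings.append((key, value, RISKY_FIELDS[key]))
        elif "\\" in value:  # any other field carrying a Windows or UNC path
            findings.append((key, value, "contains a file system path"))
    return findings


# Constructed sample input, not taken from a real document.
SAMPLE = r"""
mimetype - application/msword
last saved by - jdoe
template - \\FILESRV01\Templates\Letterhead.dot
creator - Admin
generator - Microsoft Office Word
page count - 4
"""

if __name__ == "__main__":
    for field, value, reason in audit(parse_metadata(SAMPLE)):
        print(f"{field}: {value!r} ({reason})")
```

Feed it the output of extract for each file queued for upload; any finding means the document properties should be cleared before the file is published.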