22/05/15. Last Release
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans. These documents may be on web pages, and can be downloaded and analyzed with FOCA.
It is capable of analyzing a wide variety of documents, with the most common being Microsoft Office, Open Office, or PDF files, although it also analyzes Adobe InDesign or SVG files, for instance.
These documents are searched for using three possible search engines: Google, Bing, and Exalead. The sum of the results from the three engines amounts to a lot of documents. It is also possible to add local files to extract the EXIF information from graphic files, and a complete analysis of the information discovered through the URL is conducted even before downloading the file.
With all data extracted from all files, FOCA matches information in an attempt to identify which documents have been created by the same team and what servers and clients may be infered from them.
FOCA includes a server discovery module, whose purpose is to automate the servers search process using recursively interconnected routines. The techniques used to this end are:
Searches for hosts and domain names through URLs associated to the main domain. Each link is analyzed to extract from it new host and domain names.
Each domain is checked to ascertain which are the host names configured in NS, MX, and SPF servers to discover new host and domain names.
Each host name is resolved by comparison to the DNS to obtain the IP address associated to this server name. To perform this task as accurately as possible, the analysis is carried out against a DNS that is internal to the organization.
To find more servers in the same segment of a determined address, IP FOCA executes a PTR logs scan.
For each IP address discovered, a search process is launched for new domain names associated to that IP address.
This module is designed to carry out dictionary attacks against the DNS. It uses a text file containing a list of common host names such as ftp, pc01, pc02, intranet, extranet, internal, test, etc.
Used for those environments where a machine name has been discovered that is reason to suspect that a pattern is used in the naming system.
The Robtex service is one of many services available on the Internet to analyze IP addresses and domain names. FOCA uses it in its attempt to discover new domains by searching the information available in Robtext on the latter.
FOCA began as a metadata analysis tool to draw a network based on said metadata. Today, it has become a reference in the computer security sector due to the many options it includes. Thanks to the aforementioned FOCA options, it is possible to undertake multiple attacks and analysis techniques such as:
- Metadata extraction.
- Network analysis.
- DNS Snooping.
- Search for common files.
- Juicy files.
- Proxies search.
- Technologies identification.
- Backups search.
- Error forcing.
- Open directories search.
In addition, FOCA has a series of plugins to increase the functionality or number of attacks that can be carried out to elements obtained during the analysis. The user will also be able to use the “Foquetta” model to generate reports with the results obtained. For this module to be available, the “Crystal Reports” program must be installed.