FOCA: The metadata recon tool for pentesters and red teamers
In the world of penetration testing and red teaming, reconnaissance is the foundation of every successful operation. Understanding the target's landscape is critical, and FOCA (Fingerprinting Organizations with Collected Archives) stands out as a robust tool designed to streamline and elevate the recon process. Developed by ElevenPaths, FOCA specializes in gathering metadata from publicly available documents, helping security professionals uncover valuable information about their targets.
https://github.com/ElevenPaths/FOCA
What is FOCA?
FOCA is an open-source tool primarily used to extract metadata from documents available on the internet, such as PDFs, Word files, Excel spreadsheets, and more. This metadata often contains hidden information, such as:
- Usernames
- File paths
- Software versions
- System information
- Network shares
By analyzing this metadata, FOCA enables security professionals to map the target organization's structure and identify potential attack vectors.
Key Features of FOCA
- Metadata extraction: FOCA automates the process of collecting metadata from documents.
- File crawling: The tool searches for files uploaded to websites or indexed in search engines like Google and Bing.
- Advanced analysis: It identifies patterns in the extracted data, such as user roles or internal IP structures.
- Compatibility: FOCA supports multiple file formats, including DOC, XLS, PPT, PDF, and more.
How to Use FOCA for Reconnaissance
Using FOCA is straightforward and efficient. Follow these steps to get started:
1. Setup and Installation
FOCA is available on GitHub. You can download it from FOCA's GitHub repository. Install it on a compatible Windows machine. Ensure you have administrative privileges, as some features might require them.
2. Configuring Targets
- Launch FOCA and enter the domain or URL of the target organization.
- Specify search parameters to limit the scope or expand to capture more results.
3. File Harvesting
- FOCA crawls the web for files associated with the target.
- You can also upload your own document set if you have specific files to analyze.
4. Metadata Extraction
- Once the files are identified, FOCA extracts metadata from them. This step reveals user details, software versions, and file creation timestamps.
5. Analysis and Reporting
- Use FOCA's built-in analysis tools to identify valuable insights.
- Export the results for further investigation or documentation.
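The metadata fields listed above (step 4 and the "What is FOCA?" section) live in the docProps parts of an Office Open XML file. As an added example, not FOCA's own code, the stdlib-only Python below reads those fields the way a FOCA-style tool locates them and then audits them as a publisher would before placing documents on a public website. The sample document and all its values (jdoe, CORP\asmith, Example Corp) are constructed inline; the zip holds only the property parts, so it is not a valid Word file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the Office Open XML property parts; FIELDS maps each property to (zip member, element).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
FIELDS = {
    "author": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "app_version": ("docProps/app.xml", "ep:AppVersion"),
    "company": ("docProps/app.xml", "ep:Company"),
}
REASONS = {  # what each leaked field tells an outside observer
    "author": "exposes an account name",
    "last_modified_by": "exposes an account name (often DOMAIN\\user)",
    "app_version": "reveals the authoring software build",
    "company": "names the organisation",
}

def extract_office_metadata(doc_bytes: bytes) -> dict:
    """Read the property parts of a DOCX/XLSX/PPTX (a zip) and return the populated fields."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        parts = {n: ET.fromstring(zf.read(n)) for n in zf.namelist() if n.startswith("docProps/")}
        for key, (part, tag) in FIELDS.items():
            el = parts[part].find(tag, NS) if part in parts else None
            if el is not None and el.text:
                found[key] = el.text
    return found

def audit_metadata(meta: dict) -> list:
    """Findings to scrub before a document is placed on a public website."""
    return [f"{key} {why}: {meta[key]}" for key, why in REASONS.items() if key in meta]

def build_sample_docx() -> bytes:
    """Constructed sample: a zip holding only the property parts, not a real Word file."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>CORP\\asmith</cp:lastModifiedBy></cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion><Company>Example Corp</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Running `audit_metadata(extract_office_metadata(build_sample_docx()))` on the constructed file returns four findings; on a real exported document it shows which properties to clear before upload.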
Benefits of FOCA for Pentesters and Red Teamers
FOCA is not just another recon tool—it is a reconnaissance multiplier that offers several distinct advantages:
1. Time Efficiency
Manual metadata extraction from documents can be tedious. FOCA automates the process, saving time and effort.
2. Comprehensive Data Collection
FOCA can uncover non-obvious information such as:
- Outdated software in use
- Internal network structures (e.g., IP ranges)
- Usernames and group memberships
These insights provide a clearer picture of the target’s infrastructure.
3. Target Prioritization
By identifying outdated or vulnerable software, FOCA helps prioritize high-value targets for further exploitation.
4. Versatility
FOCA supports numerous document formats, making it adaptable to various recon scenarios.
5. Enhanced Attack Planning
The metadata extracted by FOCA can be used for:
- Phishing campaigns
- Password spraying
- Exploiting exposed vulnerabilities
This significantly enhances the attack surface and success rate of penetration tests and red team operations.
Example: FOCA in Action
Imagine you are tasked with assessing a company’s security posture. Using FOCA, you discover:
- Several PDF files on the company's website.
- Metadata revealing the software versions of PDF creation tools.
- Internal usernames embedded in document properties.
You notice that one of the extracted usernames matches a potential email address format. This information could be instrumental in launching a phishing attack or brute-force attempt during the engagement.
Conclusion
FOCA is a powerful ally for pentesters and red teamers looking to gain an edge in the reconnaissance phase. By automating metadata extraction and revealing hidden insights, it simplifies the process of mapping out a target's infrastructure and identifying potential weaknesses.