Reconnaissance


Time
52 minutes
Difficulty
Intermediate
CEU/CPE
1
Video Transcription
00:00
Hey, everyone, welcome back to the course. So in the last module, we wrapped up our discussion on incident response, and in this module we're going to start talking about reconnaissance.
00:09
So a quick pre-assessment question here: Sarah's preparing a presentation to her boss on OSINT.
00:14
So she knows that OSINT stands for which one of these? So what does OSINT stand for?
00:21
All right. Yes, this one was pretty easy. So if you guessed answer B, you're correct. So Open Source Intelligence is what OSINT stands for.
00:31
So OSINT, as the name kind of implies, right? It's free or it's public, you know? So if I go to, you know, searching Google, for example, on something the company has. Maybe if I check their social media accounts, if I look at their job postings, if I do a WHOIS query,
00:47
you know, so those types of things that, like, anybody can do without having to pay for it or, you know, without having it behind
00:53
you know, something that requires some kind of access. So those are the types of things that we can do with OSINT.
01:00
WHOIS, as I mentioned, and we're gonna actually have a lab on this a little later on. But WHOIS is a way we can query the domain, so we can take a look. In some cases it's not really relevant for, like, a big company like a Google, but maybe smaller companies. That might be a relevant thing we can use to get information about the domain registrant,
01:18
potentially some contact information as well, you know.
01:21
And most importantly, I guess, the name server information. Again, the larger companies are gonna have some type of third party, generally speaking, some type of third party that handles all of that, so you probably won't get any really good information. But it's not a bad, you know, free type of thing to do real quick. See if you get any type of valuable information off of it.
01:42
Also, you know, I mentioned the website. So as an example, if we were targeting Microsoft, we would certainly go to microsoft.com. We would, number one, take a look at their management. So their executive management team, any type of mid-level managers. That gives us some, you know, targets we can use in the social media aspect of it, of going out and trying to connect with those people and figure out if we can
02:00
get information about the different technologies in use or
02:04
find out about different events that they might be doing.
02:06
Mentioning events: a lot of companies will also list them on the website as well as on social media. So just be mindful of that. That might be a good opportunity for you to get out there and start talking to people, trying to do the social engineering aspect of it and gain information about the organization's technology in use.
02:23
Sometimes they also list on the website different technology. A lot of times that's just related to, like, new products, that sort of stuff. You may not get the juicy details of, like, "Hey, we're using this type of operating system on our servers." But
02:37
if you're really good and you understand your technology, if you see a certain product, you might know that that product can only run on,
02:44
you know, maybe a Windows server, right? Or maybe an older version of, you know, Apache or something like that. So just keep that in mind; that may be another beneficial thing for you.
02:53
You'll see the sales aspect. One thing I found that's actually very helpful is reaching out to sales for a company and just kind of pretending like you just want to take a look at the products, right? So a lot of times you can get a good demo from them, or they'll even give you, like, a free trial. That's a good way to check out the technology and be able to play around and test it on different operating systems.
03:15
So you kind of get a better idea of, okay, well,
03:16
how does it work? And even in some cases, maybe even take a look at the source code, but definitely taking a look at how it's functioning. And where does it function the best, right? So where would the enterprise be using it? Would it be more Windows systems? Would it be maybe an enterprise using Mac systems? You know, kind of where is this
03:37
particular
03:38
solution they're offering relevant?
03:39
You could get contact information. A lot of times that's just a generalized email address, but sometimes they'll list contact information for the management team, so definitely take a look at that. Again, it's a free resource. It's not a bad idea, as I mentioned already. Social media,
03:54
generally on the website they list their social media links, so you can just click a link and go straight to the page, so you make sure you have the correct page. Job boards are another big thing that I like to do, specifically to look at the technology they're asking about, because that tells you, generally speaking, what they're using at that company.
04:13
LinkedIn is okay; indeed.com is probably the
04:15
best one on this list here for that. That's the primary one that I'll go to, to take a look at the job postings there, but also again on the company's website. A lot of times, if you start pretending like you're going through the interview, the application process for a job, a lot of times you can get good information just by
04:33
pretending you're applying for a job, or even just applying for a job with a fake, you know, resume and stuff.
04:40
Social media, as I mentioned, you know, different things: Instagram, etcetera. Facebook and LinkedIn are probably my two primary ones. Facebook, because people, like, love to share
04:49
information. Like, I get email addresses, I get, you know, phone numbers, again all sorts of, like, photos that you probably should not be posting on Facebook. So that's probably the primary one. And then LinkedIn is good if you've got, like, fake profiles and you kind of go out there and just try to make those business connections with your fake profile; people will share a lot of information
05:09
about their company.
05:10
The other ones on the list could be helpful as well, but primarily Facebook and LinkedIn are kind of my top choices.
05:15
We've got Google hacking. So this is basically using different types of queries on Google itself. So that way, if I want to find, like, you know, if I'm just looking at kind of generalized targets, for example, I can look through and find, you know, maybe some vulnerable, some spreadsheets that have, you know, like, some usernames and passwords in them.
05:33
You don't generally find that too often, but sometimes you can.
05:38
And then also I can search this particular company, so I can find documents related to that company that maybe they've got out there that they forgot to secure. So that's just another way we can do it. Again, these are all just kind of tools in the arsenal, so to speak, and we would go through different ones of these based off the type of attack we're doing or the type of pen test that we're doing.
05:58
Shodan is known as a hacker search engine. This is a really, really good resource if I want to go find, like, potentially vulnerable devices. So if I want to find devices that maybe are using the same, you know, the default username and password, this is a great website to go do so, plus getting the IP address of those devices.
06:15
Now, they've got a free and a paid version. The paid version,
06:17
they usually run a special. I think it normally,
06:21
on the special, is like 50 or 60 US dollars. I forget what the normal price is. It might even be that low nowadays, but they also have the free version that kind of limits you based off how much you can search and that sort of stuff. But the paid version kind of opens up, you know, all sorts of stuff for you. So I'm not gonna try to sell you on Shodan, you know, just go check out the site. If you feel like
06:42
doing the paid version, if you feel it's beneficial, then definitely, you know, I recommend it.
06:46
theHarvester is another tool we can use. So theHarvester
06:50
is good for getting things like, you know, some domain names, maybe employee names, email addresses, even, you know, in some cases, open ports or even banner grabbing. So, you know, a lot of different things, but primarily, like, email addresses or subdomains are kind of what we're looking at with that.
07:08
We've got Recon-ng. That is essentially, think of it kind of like a bucket of tools. You know, it's a tool, but it's got a lot of different modules in it that allow us to do things, you know, like a WHOIS query, right, for example, or, you know, grabbing email addresses, so searching,
07:28
you know, email addresses in the Have I Been Pwned database.
07:30
If you're not familiar with that, it's basically a database you can search and see if, you know, your email address is associated with any breaches. We can also do things, you know, like it allows us to do associations with social media profiles. You know, DNS records; it basically enumerates,
07:50
what's called enumerating DNS records,
07:53
and that sort of stuff.
07:55
So a very, very awesome tool. We actually use it for many parts of a pen test. This is just one avenue inside of doing reconnaissance.
08:03
We've got Maltego, which I'm a huge fan of just 'cause I like the visualization, the mapping of it. And so that allows you to basically correlate, like, if I searched Microsoft, if I search, like, Bill Gates, you know, it will pull a lot of good data for me, like email addresses, maybe associated servers, associated accounts, that sort of stuff.
08:24
We've also got FOCA, which stands for Fingerprinting Organizations with Collected Archives. So that's a beautiful fancy name. Basically, what it allows you to do is to try to discover metadata, so file metadata, and it allows you to basically search the web to try to find that information. So, you know, specifically,
08:43
generally speaking, related to Microsoft Office documents, because it runs on Windows,
08:48
so, you know, things like your Word docs, Excels, etcetera. And then also, you know, things in the Open Document Format, so the .odt that you might be familiar with, depending on the operating system you're using, as well as things like PDF files. So it's actually a pretty decent
09:07
tool. You can grab it from, actually,
09:11
that website there. I don't want to say that link is, that's not actually the link to download it. But if you go to the ElevenPaths website, then you'll see an option to go ahead and download the open source version of the tool. Definitely recommend you check that out, especially if you decide you want to, like, dive into pen testing as a career.
09:28
Definitely recommend you check out this tool and especially if you decide to go for
09:31
certification exams like CEH or PenTest+, they normally will test you on this particular tool. So in this video, we just took kind of a high-level overview of reconnaissance. In the next video, we're gonna go ahead and just kind of do some demos, so they're not actually labs. In the next video, I'm just gonna kind of show you,
09:50
like, job boards. I'm actually gonna go to Indeed.
09:54
I'll search for a job and then kind of show you what I'm looking for in different profiles as I look through those. And then we'll also take a look at, like, Microsoft's website and just kind of look at, like, the management, that sort of stuff, just kind of analyzing the website. And then we'll move into our actual labs for this particular module,
10:13
where we'll jump into analyzing a fake social media profile.