Recon - NG Lab | Cybrary

Video Activity

Create Free Account

In this lab, Subject Matter Expert Dean Pompilio provides an introduction to Recon-NG, which is an interesting framework similar to Metasploit. Recon-NG is used for gathering information that is accessed through the Kali Tools Web site. It is already built into Kali, so there is no need to worry about launching it. SME Pompilio demonstrates how to ...

Sign up with

Or

Already have an account? Sign In »

Time

3 hours 55 minutes

Difficulty

Advanced

CEU/CPE

5

Create Free Account

In this lab, Subject Matter Expert Dean Pompilio provides an introduction to Recon-NG, which is an interesting framework similar to Metasploit. Recon-NG is used for gathering information that is accessed through the Kali Tools Web site. It is already built into Kali, so there is no need to worry about launching it. SME Pompilio demonstrates how to launch a command shell to use the tool. He shows how to create a workspace to keep data organized, and he demonstrates an Interesting feature of Recon-NG: the "no check" feature that turns off version checking to avoid flagging errors because of lack of updating. There are lots of options inside the tool. SME Pompilio discusses and demonstrates the following:

creating and using a workspace -- you can create workspaces to organize your activities on a case-by-case basis, which increases the tool's functionality
how to show modules by running the Show Command (he recommends that you try all of the modules separately to learn a great deal about your target)
using the netcraft command
using the run command
using the load command
using the resolve command
using the add and delete commands to configure lists

Examples are given of using different modules to get information and to narrow it to reflect what you are looking for. You can look for sites that have interesting types of files -- such as a robots.txt file -- to narrow your list of targets for a Social Engineering audit. There is a discussion of the importance of having permission to use a tool like this and of knowing that some services are paid services. SME Pompilio looks at possible types of reports generated by using the available options and shows the various exporting options.

00:05

Hello. This is Dean Pompilio, and in this demo

00:10

you're going to be looking at re Kon en G.

00:14

We can't Angie's pretty interesting

00:17

framework, very similar to medicine Point that is used for

00:22

gathered information.

00:25

So first we'll go ahead and look at the Kelly Tools website

00:33

and under the tools listing,

00:37

this is an information gathering tool.

00:43

And there we go.

00:47

So red brick Web reconnaissance framework

00:50

already in python.

00:55

So if you're familiar with with medicine Lloyd, you should adapt to recount. Angie fairly easily

01:02

has a familiar looking feel.

01:04

Anyway, This tool is already built into Callie, so you don't need to worry about installing it.

01:11

Well, go ahead, launch a command shell

01:18

and under user share,

01:23

we're in the recount and

01:23

and G directory.

01:32

So first we'll have a look at the help

01:34

menu. We can see that

01:37

you can specify a workspace. That's an interesting future,

01:42

and I'll show you how to create a work space. And then it helps you keep your

01:47

your data organized.

01:51

And there's also another useful feature this. No check

01:55

to make sure that the version checking is not done,

02:00

because if you're if you're in need of an update, you might get some errors. So this lets you just use the version that you're currently running with.

02:10

Okay, so there's our menu. Let's look at the help inside the tool

02:15

and you can see we've got a lot of choices here.

02:20

We're just gonna cover a few of these options. Since this is just a introduction to recon Angie

02:27

the first, the first thing we're going to do is

02:31

hit the workspaces command. We can see we can list them. We can add, select or delete. So we're going to add one.

02:38

You can just use up arrow

02:40

and we'll call this

02:42

target

02:44

company

02:46

dot com

02:49

and you'll see that automatically switches us to that workspace.

02:53

I could run the workspaces list, command. I've got a default workspace. And now I've got one called target company,

03:00

and you can create quite a few of these and makes it easy to switch back and forth

03:06

once you're in a workspace.

03:07

You could just use the back. Command

03:09

actually took me all the way out. It's not what I wanted.

03:16

So, workspaces select

03:22

target company dot Come.

03:24

All right now we're back where we were.

03:30

I have to be in a different contacts, not just the work space itself to use the back command.

03:38

Okay,

03:46

The next thing we want to do is to show our modules.

03:49

So we're going to run the show command.

03:52

And as you can see, we've got a lot of choices here.

03:57

But in particular, we want to look at our modules because that lets us know

04:00

what types of

04:02

activities we can we can use towards a domain name or an I P address or an email address or a location

04:12

so scrolling back up to the top. We can see we've got some discovery modules,

04:17

some modules, related exploits,

04:20

being able to import different files

04:24

and then lots of reconnaissance. Facebook linked a kn

04:28

email phoned list. Adobe. There's all kinds of possibilities here

04:33

being brute forest. Google Net craft show Dan

04:39

VPN Hunter.

04:42

All right, so we'll have a look at a few of these. I recommend that you you try them all

04:46

separately and see what they're about because you can learn a great deal about your target by using a framework such asses. It's especially nice if you are very

04:57

good a typing.

04:59

Okay,

05:00

so we looked at her modules list,

05:02

and

05:03

first thing I want to do is

05:09

load the Net craft module,

05:13

so I'm gonna run the use Net Craft Command.

05:15

If you do a partial match, you'll get a list of modules that match.

05:21

You can also use the load command instead of use. They're interchangeable,

05:27

so sure my options

05:30

and you can see that it's asking me to specify a source,

05:33

so I'll set the source.

05:36

I think about the fact that you're trying to target an organization for a social engineering audit. We could use something

05:44

that's likely to have some good information for us to look at. Like a news website.

05:50

We could use CNN dot com

05:54

Once the source is selected, Weaken just select are used the run command,

06:00

and this will go out and find

06:03

all hosts that a can that have CNN in their name.

06:11

This might take a minute to run.

06:14

And as you'd expect, CNN has many websites that operate in different countries all around the world.

06:19

So we should get a pretty large list here.

06:30

I'm gonna go ahead and pause until this is completed.

06:32

There it is.

06:34

Okay, So that finished with We've on 68 hosts

06:40

now what we can do is look at that list by typing show.

06:45

Well, I'll bring back the menu again,

06:48

and one of our options, as we can see, is hosts.

06:57

And it tells us the tool

06:59

that was used, the model that was used in order to generate this list.

07:04

These are all entries in the data base, essentially.

07:08

So the role I D is just what it sounds like. It's.

07:11

Each item in a in a table has its own unique row I D.

07:16

And you can use, add and delete commands to get rid of some of the rose. If you don't want them,

07:23

we can look at that menu later

07:26

anyway. So now I have a list of hosts. If if the target of your

07:30

social engineering audit is is a large company like this, or if it's some individuals that work there,

07:35

this is your your foundational layer of

07:39

of informational gathering. You've got a nice, nice list,

07:43

but you might want to do some other things like

07:46

show the neighbors that might be using

07:50

I P addresses

07:53

that is shared by these systems.

07:59

So if I type use I p

08:01

you know that I get a few of these. Um,

08:05

the one I really want to look at his i p info D B.

08:11

Okay, So now well, we like to resolve these I p addresses.

08:20

So we'll just tell you is resolved to see what we have options here.

08:22

And this is the one that we want.

08:35

And again, we see that you can specify the source. So we're just gonna go ahead and run this

08:39

and this will find all the I P addresses for that host list we just generated.

08:46

We show our host again

08:50

can see these are all resolved.

08:52

Almost all of them are resolved.

08:58

Another interesting

09:00

thing to think about is if you if you're targeting all these different sites, of course, that's

09:05

you want to narrow this activity down as much as possible

09:09

for Europe for your social engineering, audio or pen testing activity.

09:13

So one of the things you can d'oh

09:16

is look for

09:20

sites have interesting files. And I knew the shortcut there. But if I used on there's something a little bit shorter,

09:28

get a couple choices. But this is the module

09:31

Discovery info, disclosure, interesting files.

09:33

We can run this,

09:37

actually, that's looking at the wrong source.

09:45

It did find a robot start text file

09:48

and, uh,

09:48

in this website. However, tools callie dot org's

09:52

and robots, not text, is used to tell search engines, which directories not to search or not to crawl.

10:01

So that's some sometimes interesting content to look at,

10:05

and you can see this is where it it's stored. That file.

10:11

But the one we really want is to

10:15

set our sources CNN,

10:18

and we'll run this, see if we get anything.

10:20

And as I would expect, we did not. So it's good thing that this other site was selected.

10:26

Now we can do

10:28

is copy that

10:31

I'm gonna use control shift T to open a new tab.

10:37

Always remember shortcuts,

10:39

and I'm gonna go to this directory.

10:45

Look at our most recent files. We can see we've got

10:50

robots don't text file.

10:58

So just allowing these particular directories and certain regular expression matches for other kinds of characters.

11:07

This information doesn't try not to be too useful, but it might be for a different type of audit or different target.

11:16

And another thing to try for a list

11:20

is to use the brute hosts.

11:24

Modules is kind of interesting.

11:31

And again, just try. Try a bunch of these, uh, modules that are available here. Don't be afraid, Thio

11:39

Experiment.

11:43

Always do the show options command to see

11:46

And what this will try to do is, um,

11:52

try to do a brute force log, and I have it set for my for a website that I controls. That's that's safe to d'oh.

12:00

But make sure you have permission if you're gonna use a tool like this.

12:07

Okay, so another one to try

12:11

is

12:13

I. P info

12:20

took me right to it. I p info d B.

12:24

And it gives me some

12:26

information about the main hope host.

12:31

So if I look at my hosts file,

12:33

hopefully put that

12:35

information in there.

12:35

All right? Did not put it in the file,

12:37

but we can see that's the host. It was referencing.

12:52

Okay, so now that we've got a nice Lousteau work with,

12:56

let's use the P g P module,

13:03

says the PDP search, looking for a pretty good privacy email

13:07

public key,

13:09

we can run that against our host

13:13

in this case, we have our source said to kayak dot com.

13:20

Uh, let's change it back to CNN dot com

13:24

I'm running to get

13:26

All right. So we found

13:28

nice list of people. You'll notice that we're We also have the kayak dot com

13:35

persons as well.

13:37

So be careful when you're running these commands so that you don't accidentally put a bunch of records into your contacts database that you don't want.

13:45

If I look at

13:46

my contacts,

13:48

I can see I've got twice as many as I really need.

13:52

I've got all of these

13:54

kayak dot com

13:56

entries here.

14:05

I think this might work,

14:07

So delete host one through 12.

14:11

Now, if I show hosts again, hopefully it only has.

14:18

Sorry, not show show contacts.

14:22

I deleted hosts. Wrong wrong file. No problem.

14:30

I can generate that information again.

14:35

All right, now we've got rid of the kayak addresses.

14:39

So we've got a first in the last name, possibly a middle name and an email address.

14:45

If you were trying to identify someone that works at the organization or they've associated with it, this is a great

14:52

way to gather that kind of information within just a few minutes of typing in some commands is pretty powerful. And we've really only scratched the surface of what this tool can actually. D'oh.

15:05

If you subscribe to certain

15:09

things like Capone List,

15:11

you might be able to find

15:13

certain credentials that are

15:18

that our associate with an account.

15:22

This one is free. The other ones, I believe you have to actually pay for the for the service,

15:31

so we'll go. Having use this,

15:35

this will try to find,

15:37

um,

15:39

email accounts that might be on a list of known

15:43

correct

15:43

passwords known credentials.

15:46

So as we can see many of these air safe,

15:52

it looks like one email address has been pone

15:54

and it's a test email address. It probably was used for testing so

16:00

it might have a weak password.

16:03

Now we can look at her show credentials,

16:07

and we see that we've got

16:07

now. It didn't actually pick up the password or hash or anything. Obviously, if you're, um,

16:14

if you're able to do that as part of your penthouse, that's ideal.

16:19

But some of the service's, as I mentioned are

16:23

are actually paid service is so if you want access to that kind of information,

16:29

that that's what I've. That's what I've seen

16:33

anyway.

16:36

So at this point,

16:41

we can still see that our test

16:45

account is here, but it is associated with a person.

16:47

Strangely enough

16:48

of this was your target. You could then try to probe further

16:55

and try to go to the next step, which is to establish some kind of a trust relationship. Or maybe send them a,

17:02

uh,

17:03

une male with a malicious link.

17:06

There's lots of techniques which will talk about Maur in the advanced

17:10

pen testing through social engineering course.

17:14

So let's move on to the next section of the editorial. We're gonna look at some of the reports

17:21

that are possible. So let's look at our modules again.

17:25

As you can see at the bottom, we have several options.

17:27

HTML is nice and easy to use and understand. So well,

17:33

start with that one

17:36

shore options.

17:38

So my name is there.

17:41

I you could designate a customer,

17:44

you designate where the file will go.

17:48

So I want to set

17:49

the customer

17:52

thio

17:52

pen test dot or ge

17:56

and we're gonna suck the

18:00

notice. This the sanitized option. Let's use mask things like password. Hash is in another.

18:07

I'm gonna be clear. Tox passwords

18:10

anyway, So we're gonna go ahead and copy this path name.

18:17

We're gonna run the report

18:19

Actually, it would copy this path.

18:23

And now if we open a browser,

18:33

there's a report.

18:36

So 120 host 16 contacts. And we can expand these, as you can see.

18:41

And this is a really nice feature.

18:45

Ah, you can You can export into XML, C S V, whatever you wish.

18:52

So it's quick demonstration to see what the possibilities are. And the fact that you can

18:57

create work spaces

19:00

to organize your activities on a case by case basis really adds a lot of functionality to this.

19:08

All right, so I hope you've enjoyed the demonstration of recount and G. See you in the next video.

19:14

Thank you.

In this online, self-paced Social Engineering and Manipulation training class, you will learn how some of the most elegant social engineering attacks take place. Learn to perform these scenarios and what is done during each step of the attack.

CEO of SteppingStone Solutions