Hello. This is Dean Pompilio, and in this demo
you're going to be looking at recon-ng.
Recon-ng is a pretty interesting
framework, very similar to Metasploit, that is used for
So first we'll go ahead and look at the Kali Tools website
and under the tools listing,
this is an information gathering tool.
So, recon-ng: web reconnaissance framework.
So if you're familiar with Metasploit, you should adapt to recon-ng fairly easily.
It has a familiar look and feel.
Anyway, this tool is already built into Kali, so you don't need to worry about installing it.
We'll go ahead and launch a command shell
and under /usr/share,
we're in the recon-ng
So first we'll have a look at the help
menu. We can see that
you can specify a workspace. That's an interesting feature,
and I'll show you how to create a workspace. And then it helps you keep
your data organized.
And there's also another useful feature, this no-check,
to make sure that the version checking is not done,
because if you're in need of an update, you might get some errors. So this lets you just use the version that you're currently running with.
Okay, so there's our menu. Let's look at the help inside the tool
and you can see we've got a lot of choices here.
We're just gonna cover a few of these options, since this is just an introduction to recon-ng.
The first thing we're going to do is
hit the workspaces command. We can see we can list them. We can add, select or delete. So we're going to add one.
You can just use up arrow
and you'll see that automatically switches us to that workspace.
I could run the workspaces list command. I've got a default workspace. And now I've got one called targetcompany.com,
and you can create quite a few of these, and it makes it easy to switch back and forth
once you're in a workspace.
You could just use the back command.
Actually took me all the way out. It's not what I wanted.
So, workspaces select
targetcompany.com.
All right, now we're back where we were.
I have to be in a different context, not just the workspace itself, to use the back command.
The next thing we want to do is to show our modules.
So we're going to run the show command.
And as you can see, we've got a lot of choices here.
But in particular, we want to look at our modules because that lets us know
activities we can use towards a domain name or an IP address or an email address or a location.
So scrolling back up to the top, we can see we've got some discovery modules,
some modules related to exploits,
being able to import different files
and then lots of reconnaissance: Facebook, LinkedIn,
email, pwnedlist, Adobe. There's all kinds of possibilities here:
Bing, brute force, Google, Netcraft, Shodan.
All right, so we'll have a look at a few of these. I recommend that you try them all
separately and see what they're about because you can learn a great deal about your target by using a framework such as this. It's especially nice if you are very
So we looked at our modules list.
First thing I want to do is
load the Netcraft module,
so I'm gonna run the use netcraft command.
If you do a partial match, you'll get a list of modules that match.
You can also use the load command instead of use. They're interchangeable,
and you can see that it's asking me to specify a source,
so I'll set the source.
I think about the fact that you're trying to target an organization for a social engineering audit. We could use something
that's likely to have some good information for us to look at. Like a news website.
We could use CNN.com.
Once the source is selected, we can just select, or use, the run command,
and this will go out and find
all hosts that have CNN in their name.
This might take a minute to run.
And as you'd expect, CNN has many websites that operate in different countries all around the world.
So we should get a pretty large list here.
I'm gonna go ahead and pause until this is completed.
Okay, so that finished. We've found 68 hosts.
Now what we can do is look at that list by typing show.
Well, I'll bring back the menu again,
and one of our options, as we can see, is hosts.
And it tells us the tool
that was used, the module that was used in order to generate this list.
These are all entries in the database, essentially.
So the row ID is just what it sounds like.
Each item in a table has its own unique row ID.
And you can use add and delete commands to get rid of some of the rows if you don't want them.
We can look at that menu later.
Anyway, so now I have a list of hosts. If the target of your
social engineering audit is a large company like this, or if it's some individuals that work there,
this is your foundational layer
of information gathering. You've got a nice list,
but you might want to do some other things like
show the neighbors that might be using
that is shared by these systems.
So if I type use ip
you know that I get a few of these. Um,
the one I really want to look at is ipinfodb.
Okay, so now we'd like to resolve these IP addresses.
So we'll just type use resolve to see what options we have here.
And this is the one that we want.
And again, we see that you can specify the source. So we're just gonna go ahead and run this
and this will find all the IP addresses for that host list we just generated.
We show our hosts again;
we can see these are all resolved.
Almost all of them are resolved.
thing to think about is if you're targeting all these different sites, of course, that's
you want to narrow this activity down as much as possible
for your social engineering audit or pen testing activity.
So one of the things you can do
sites have interesting files. And I knew the shortcut there. But if I used on there's something a little bit shorter,
get a couple choices. But this is the module
discovery/info_disclosure/interesting_files.
Actually, that's looking at the wrong source.
It did find a robots.txt file
in this website, however, tools.kali.org,
and robots.txt is used to tell search engines which directories not to search or not to crawl.
So that's sometimes interesting content to look at,
and you can see this is where it stored that file.
But the one we really want is to
set our source as CNN,
and we'll run this, see if we get anything.
And as I would expect, we did not. So it's a good thing that this other site was selected.
I'm gonna use Ctrl+Shift+T to open a new tab.
Always remember shortcuts,
and I'm gonna go to this directory.
Look at our most recent files. We can see we've got
robots.txt file.
So just allowing these particular directories and certain regular expression matches for other kinds of characters.
This information doesn't turn out to be too useful, but it might be for a different type of audit or different target.
And another thing to try for a list
is to use the brute_hosts module.
It's kind of interesting.
And again, just try a bunch of these, uh, modules that are available here. Don't be afraid to
Always do the show options command to see
And what this will try to do is, um,
try to do a brute force log, and I have it set for a website that I control. That's safe to do.
But make sure you have permission if you're gonna use a tool like this.
Okay, so another one to try
Took me right to it: ipinfodb.
And it gives me some
information about the main host.
So if I look at my hosts file,
information in there.
All right? Did not put it in the file,
but we can see that's the host. It was referencing.
Okay, so now that we've got a nice list to work with,
let's use the PGP module.
It says the PGP search, looking for a Pretty Good Privacy email
we can run that against our host
In this case, we have our source set to kayak.com.
Uh, let's change it back to CNN.com.
All right. So we found
a nice list of people. You'll notice that we also have the kayak.com
So be careful when you're running these commands so that you don't accidentally put a bunch of records into your contacts database that you don't want.
I can see I've got twice as many as I really need.
I've got all of these
I think this might work,
So delete hosts one through 12.
Now, if I show hosts again, hopefully it only has.
Sorry, not show show contacts.
I deleted hosts. Wrong file. No problem.
I can generate that information again.
All right, now we've got rid of the kayak addresses.
So we've got a first in the last name, possibly a middle name and an email address.
If you were trying to identify someone that works at the organization or they're associated with it, this is a great
way to gather that kind of information. Within just a few minutes of typing in some commands, it's pretty powerful. And we've really only scratched the surface of what this tool can actually do.
If you subscribe to certain
things like pwnedlist,
you might be able to find
certain credentials that are
associated with an account.
This one is free. The other ones, I believe you have to actually pay for the service,
so we'll go ahead and use this;
this will try to find,
email accounts that might be on a list of known
passwords known credentials.
So as we can see, many of these are safe.
It looks like one email address has been pwned,
and it's a test email address. It probably was used for testing, so
it might have a weak password.
Now we can look at our show credentials,
and we see that we've got
now. It didn't actually pick up the password or hash or anything. Obviously, if you're, um,
if you're able to do that as part of your pen test, that's ideal.
But some of the services, as I mentioned,
are actually paid services, so if you want access to that kind of information,
that's what I've seen.
we can still see that our test
account is here, but it is associated with a person.
If this was your target, you could then try to probe further
and try to go to the next step, which is to establish some kind of a trust relationship. Or maybe send them
an email with a malicious link.
There's lots of techniques which we'll talk about more in the advanced
pen testing through social engineering course.
So let's move on to the next section of the tutorial. We're gonna look at some of the reports
that are possible. So let's look at our modules again.
As you can see at the bottom, we have several options.
HTML is nice and easy to use and understand. So well,
So my name is there.
You could designate a customer,
you designate where the file will go.
and we're gonna set the
Notice this, the sanitize option. That lets you mask things like password hashes and other
I'm gonna be clear-text passwords
anyway, So we're gonna go ahead and copy this path name.
We're gonna run the report
Actually, it would copy this path.
And now if we open a browser,
So 120 hosts, 16 contacts. And we can expand these, as you can see.
And this is a really nice feature.
Ah, you can export into XML, CSV, whatever you wish.
So it's a quick demonstration to see what the possibilities are. And the fact that you can
to organize your activities on a case by case basis really adds a lot of functionality to this.
All right, so I hope you've enjoyed the demonstration of recon-ng. See you in the next video.