Time: 3 hours 55 minutes
Difficulty: Advanced
CEU/CPE: 5

Video Description

In this lab, Subject Matter Expert Dean Pompilio provides an introduction to Recon-NG, a framework for gathering information that works much like Metasploit. Recon-NG is listed on the Kali Tools website and comes built into Kali, so there is nothing to install. SME Pompilio demonstrates how to launch a command shell to use the tool. He shows how to create a workspace to keep data organized, and he demonstrates an interesting feature of Recon-NG: the no-check option, which turns off version checking so that an out-of-date installation does not produce errors. There are lots of options inside the tool. SME Pompilio discusses and demonstrates the following:

  • creating and using a workspace -- you can create workspaces to organize your activities on a case-by-case basis, which increases the tool's usefulness
  • how to list modules by running the show command (he recommends that you try all of the modules separately to learn a great deal about your target)
  • using the netcraft module
  • using the run command
  • using the load command
  • using the resolve module
  • using the add and delete commands to manage the rows in the workspace tables

Examples are given of using different modules to get information and of narrowing the results down to what you are looking for. You can look for sites that have interesting files -- such as a robots.txt file -- to narrow your list of targets for a social engineering audit. There is a discussion of the importance of having permission to use a tool like this, and of the fact that some of the data services behind the modules are paid services. SME Pompilio looks at the types of reports that can be generated with the available options and shows the various export formats.
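The description above covers workspaces, the hosts and contacts tables with their row IDs, the add and delete commands, and the sanitized report option. The following Python model is an added illustration of how such a workspace database behaves; it is not Recon-NG's own code or schema. The table and column names, the `<masked>` token, the module labels and the sample rows are all assumptions constructed for this example.

```python
"""Model of a Recon-NG style workspace database (hypothetical schema, not
Recon-NG's own code): one SQLite database per workspace with hosts, contacts
and credentials tables, rowid-based deletion, and a sanitized CSV export."""
import csv
import io
import sqlite3

# Table name -> column list (assumed names); SQLite supplies the rowid.
SCHEMA = {
    "hosts": ["host", "ip_address", "module"],
    "contacts": ["first_name", "last_name", "email", "module"],
    "credentials": ["username", "hash", "module"],
}
SENSITIVE_COLUMNS = {"hash"}
MASK = "<masked>"

# Constructed sample rows standing in for what module runs would insert.
SAMPLE_HOSTS = [("www.example.com", "203.0.113.10", "netcraft"),
                ("mail.example.com", None, "netcraft"),          # not yet resolved
                ("dev.example.com", "203.0.113.12", "netcraft")]
SAMPLE_CONTACTS = [("Alice", "Smith", "alice@example.com", "pgp_search"),
                   ("Bob", "Jones", "bob@other.example", "pgp_search")]  # stray SOURCE
SAMPLE_CREDS = [("test@example.com", "0123456789abcdef0123456789abcdef", "pwnedlist")]  # made-up hash


def _table(name):
    """Reject unknown table names before they reach an SQL string."""
    if name not in SCHEMA:
        raise ValueError(f"unknown table: {name}")
    return name

def open_workspace(name):
    """Create an empty workspace. A real tool keeps one database file per
    workspace; an in-memory database keeps this example self-contained."""
    conn = sqlite3.connect(":memory:")
    for table, cols in SCHEMA.items():
        conn.execute(f"CREATE TABLE {table} ({', '.join(cols)})")
    conn.execute("CREATE TABLE workspace (name)")
    conn.execute("INSERT INTO workspace VALUES (?)", (name,))
    return conn

def insert_rows(conn, table, rows):
    """Insert rows produced by a module run; returns how many were added."""
    marks = ", ".join("?" * len(SCHEMA[_table(table)]))
    conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return len(rows)

def show(conn, table):
    """Return (rowid, *columns) for every row, like the tool's show command."""
    return conn.execute(f"SELECT rowid, * FROM {_table(table)} ORDER BY rowid").fetchall()

def parse_rowid_range(spec):
    """Turn '3', '1-12' or '1,4-6' into a sorted list of rowids."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ids)

def delete_rows(conn, table, spec):
    """Delete rows by rowid range; returns how many rows were removed."""
    ids = parse_rowid_range(spec)
    marks = ", ".join("?" * len(ids))
    cur = conn.execute(f"DELETE FROM {_table(table)} WHERE rowid IN ({marks})", ids)
    conn.commit()
    return cur.rowcount

def export_csv(conn, table, sanitize=True):
    """Render a table as CSV text. With sanitize=True, sensitive columns such
    as credential hashes are replaced by MASK, as a sanitized report would."""
    cols = SCHEMA[_table(table)]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["rowid"] + cols)
    for row in show(conn, table):
        values = list(row)                         # values[0] is the rowid
        for i, col in enumerate(cols, start=1):
            if sanitize and col in SENSITIVE_COLUMNS and values[i] is not None:
                values[i] = MASK
        writer.writerow(values)
    return buf.getvalue()

def demo():
    """Populate a workspace, prune the stray contact, and export a report."""
    conn = open_workspace("targetcompany.com")
    insert_rows(conn, "hosts", SAMPLE_HOSTS)
    insert_rows(conn, "contacts", SAMPLE_CONTACTS)
    insert_rows(conn, "credentials", SAMPLE_CREDS)
    delete_rows(conn, "contacts", "2")             # drop bob@other.example only
    return {"hosts": show(conn, "hosts"),
            "contacts": show(conn, "contacts"),
            "report": export_csv(conn, "credentials")}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}:\n{value}")
```

Two details matter in practice: the table name is validated against the known schema before it is interpolated into SQL, so a typo such as deleting from the wrong table (the kind of slip the demo itself shows) fails loudly instead of silently, and the sanitized export is the default, so credential hashes only leave the database when a caller explicitly asks for them.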

Video Transcription

00:05
Hello. This is Dean Pompilio, and in this demo
00:10
you're going to be looking at Recon-NG.
00:14
Recon-NG is a pretty interesting
00:17
framework, very similar to Metasploit, that is used for
00:22
gathering information.
00:25
So first we'll go ahead and look at the Kali Tools website,
00:33
and under the tools listing,
00:37
this is an information gathering tool.
00:43
And there we go.
00:47
So Recon-NG: Web reconnaissance framework
00:50
written in Python.
00:55
So if you're familiar with Metasploit, you should adapt to Recon-NG fairly easily.
01:02
It has a familiar look and feel.
01:04
Anyway, this tool is already built into Kali, so you don't need to worry about installing it.
01:11
We'll go ahead and launch a command shell,
01:18
and under /usr/share
01:23
we're in the recon-ng
01:23
directory.
01:32
So first we'll have a look at the help
01:34
menu. We can see that
01:37
you can specify a workspace. That's an interesting feature,
01:42
and I'll show you how to create a workspace. And then it helps you keep your
01:47
data organized.
01:51
And there's also another useful feature, this no-check,
01:55
to make sure that the version checking is not done,
02:00
because if you're in need of an update, you might get some errors. So this lets you just use the version that you're currently running with.
02:10
Okay, so there's our menu. Let's look at the help inside the tool,
02:15
and you can see we've got a lot of choices here.
02:20
We're just gonna cover a few of these options, since this is just an introduction to Recon-NG.
02:27
The first thing we're going to do is
02:31
hit the workspaces command. We can see we can list them. We can add, select or delete. So we're going to add one.
02:38
You can just use up arrow
02:40
and we'll call this
02:42
target
02:44
company
02:46
dot com
02:49
and you'll see that automatically switches us to that workspace.
02:53
I could run the workspaces list command. I've got a default workspace, and now I've got one called targetcompany.com,
03:00
and you can create quite a few of these, and it makes it easy to switch back and forth
03:06
once you're in a workspace.
03:07
You could just use the back command.
03:09
Actually, that took me all the way out. That's not what I wanted.
03:16
So, workspaces select
03:22
targetcompany.com.
03:24
All right, now we're back where we were.
03:30
I have to be in a different context, not just the workspace itself, to use the back command.
03:38
Okay,
03:46
The next thing we want to do is to show our modules.
03:49
So we're going to run the show command.
03:52
And as you can see, we've got a lot of choices here.
03:57
But in particular, we want to look at our modules, because that lets us know
04:00
what types of
04:02
activities we can use towards a domain name or an IP address or an email address or a location.
04:12
So scrolling back up to the top, we can see we've got some discovery modules,
04:17
some modules related to exploits,
04:20
being able to import different files,
04:24
and then lots of reconnaissance: Facebook, LinkedIn,
04:28
email, PwnedList, Adobe. There's all kinds of possibilities here:
04:33
brute force, Google, Netcraft, Shodan,
04:39
VPN Hunter.
04:42
All right, so we'll have a look at a few of these. I recommend that you try them all
04:46
separately and see what they're about, because you can learn a great deal about your target by using a framework such as this. It's especially nice if you are very
04:57
good at typing.
04:59
Okay,
05:00
so we looked at our modules list,
05:02
and
05:03
the first thing I want to do is
05:09
load the Netcraft module,
05:13
so I'm gonna run the use netcraft command.
05:15
If you do a partial match, you'll get a list of modules that match.
05:21
You can also use the load command instead of use. They're interchangeable,
05:27
so show my options
05:30
and you can see that it's asking me to specify a source,
05:33
so I'll set the source.
05:36
Think about the fact that you're trying to target an organization for a social engineering audit. We could use something
05:44
that's likely to have some good information for us to look at, like a news website.
05:50
We could use cnn.com.
05:54
Once the source is selected, we can just use the run command,
06:00
and this will go out and find
06:03
all hosts that have CNN in their name.
06:11
This might take a minute to run.
06:14
And as you'd expect, CNN has many websites that operate in different countries all around the world.
06:19
So we should get a pretty large list here.
06:30
I'm gonna go ahead and pause until this is completed.
06:32
There it is.
06:34
Okay, so that finished. We found 68 hosts.
06:40
Now what we can do is look at that list by typing show.
06:45
Well, I'll bring back the menu again,
06:48
and one of our options, as we can see, is hosts.
06:57
And it tells us the tool
06:59
that was used, the module that was used in order to generate this list.
07:04
These are all entries in the database, essentially.
07:08
So the row ID is just what it sounds like.
07:11
Each item in a table has its own unique row ID,
07:16
and you can use add and delete commands to get rid of some of the rows if you don't want them.
07:23
We can look at that menu later.
07:26
Anyway, so now I have a list of hosts. If the target of your
07:30
social engineering audit is a large company like this, or if it's some individuals that work there,
07:35
this is your foundational layer of
07:39
information gathering. You've got a nice list,
07:43
but you might want to do some other things, like
07:46
show the neighbors that might be using
07:50
IP addresses
07:53
that are shared by these systems.
07:59
So if I type use ip,
08:01
you'll see that I get a few of these. Um,
08:05
the one I really want to look at is ipinfodb.
08:11
Okay, so now we'd like to resolve these IP addresses.
08:20
So we'll just type use resolve to see what options we have here.
08:22
And this is the one that we want.
08:35
And again, we see that you can specify the source. So we're just gonna go ahead and run this,
08:39
and this will find all the IP addresses for that host list we just generated.
08:46
We show our hosts again,
08:50
and you can see these are all resolved.
08:52
Almost all of them are resolved.
08:58
Another interesting
09:00
thing to think about is, if you're targeting all these different sites, of course,
09:05
you want to narrow this activity down as much as possible
09:09
for your social engineering audit or pen testing activity.
09:13
So one of the things you can do
09:16
is look for
09:20
sites that have interesting files. And I knew the shortcut there, but if I use something a little bit shorter,
09:28
I get a couple of choices. But this is the module:
09:31
discovery/info_disclosure/interesting_files.
09:33
We can run this.
09:37
Actually, that's looking at the wrong source.
09:45
It did find a robots.txt file
09:48
and, uh,
09:48
in this website, however, tools.kali.org,
09:52
and robots.txt is used to tell search engines which directories not to search or not to crawl.
10:01
So that's sometimes interesting content to look at,
10:05
and you can see this is where it stored that file.
10:11
But the one we really want is to
10:15
set our source to CNN,
10:18
and we'll run this and see if we get anything.
10:20
And as I would expect, we did not. So it's a good thing that this other site was selected.
10:26
Now what we can do
10:28
is copy that.
10:31
I'm gonna use Ctrl+Shift+T to open a new tab.
10:37
Always remember shortcuts,
10:39
and I'm gonna go to this directory.
10:45
Look at our most recent files. We can see we've got a
10:50
robots.txt file.
10:58
So it's just allowing these particular directories and certain regular expression matches for other kinds of characters.
11:07
This information doesn't turn out to be too useful, but it might be for a different type of audit or a different target.
11:16
And another thing to try for a list
11:20
is to use the brute_hosts
11:24
module. It's kind of interesting.
11:31
And again, just try a bunch of these, uh, modules that are available here. Don't be afraid to
11:39
experiment.
11:43
Always do the show options command to see.
11:46
And what this will try to do is, um,
11:52
try to do a brute force lookup, and I have it set for a website that I control, so that's safe to do.
12:00
But make sure you have permission if you're gonna use a tool like this.
12:07
Okay, so another one to try
12:11
is
12:13
ipinfo.
12:20
It took me right to it: ipinfodb.
12:24
And it gives me some
12:26
information about the main host.
12:31
So if I look at my hosts file,
12:33
hopefully it put that
12:35
information in there.
12:35
All right? It did not put it in the file,
12:37
but we can see that's the host it was referencing.
12:52
Okay, so now that we've got a nice list to work with,
12:56
let's use the PGP module.
13:03
This is the PGP search, looking for a Pretty Good Privacy email
13:07
public key.
13:09
We can run that against our host.
13:13
In this case, we have our source set to kayak.com.
13:20
Uh, let's change it back to cnn.com.
13:24
I'm running it again.
13:26
All right. So we found a
13:28
nice list of people. You'll notice that we also have the kayak.com
13:35
persons as well.
13:37
So be careful when you're running these commands so that you don't accidentally put a bunch of records into your contacts database that you don't want.
13:45
If I look at
13:46
my contacts,
13:48
I can see I've got twice as many as I really need.
13:52
I've got all of these
13:54
kayak.com
13:56
entries here.
14:05
I think this might work,
14:07
so delete hosts 1 through 12.
14:11
Now, if I show hosts again, hopefully it only has...
14:18
Sorry, not show hosts, show contacts.
14:22
I deleted hosts. Wrong table. No problem.
14:30
I can generate that information again.
14:35
All right, now we've got rid of the kayak addresses.
14:39
So we've got a first and a last name, possibly a middle name, and an email address.
14:45
If you were trying to identify someone that works at the organization or they're associated with it, this is a great
14:52
way to gather that kind of information. Within just a few minutes of typing in some commands, it's pretty powerful. And we've really only scratched the surface of what this tool can actually do.
15:05
If you subscribe to certain
15:09
things like PwnedList,
15:11
you might be able to find
15:13
certain credentials that are
15:18
associated with an account.
15:22
This one is free. The other ones, I believe, you have to actually pay for the service,
15:31
so we'll go ahead and use this.
15:35
This will try to find,
15:37
um,
15:39
email accounts that might be on a list of known
15:43
correct
15:43
passwords, known credentials.
15:46
So as we can see, many of these are safe.
15:52
It looks like one email address has been pwned,
15:54
and it's a test email address. It probably was used for testing, so
16:00
it might have a weak password.
16:03
Now we can look at our show credentials,
16:07
and we see that we've got...
16:07
Now, it didn't actually pick up the password or hash or anything. Obviously, if you're, um,
16:14
if you're able to do that as part of your pen test, that's ideal.
16:19
But some of the services, as I mentioned, are
16:23
actually paid services, so if you want access to that kind of information,
16:29
that's what I've seen,
16:33
anyway.
16:36
So at this point,
16:41
we can still see that our test
16:45
account is here, but it is associated with a person,
16:47
strangely enough.
16:48
If this was your target, you could then try to probe further
16:55
and try to go to the next step, which is to establish some kind of a trust relationship, or maybe send them a,
17:02
uh,
17:03
an email with a malicious link.
17:06
There's lots of techniques which we'll talk about more in the advanced
17:10
pen testing through social engineering course.
17:14
So let's move on to the next section of the tutorial. We're gonna look at some of the reports
17:21
that are possible. So let's look at our modules again.
17:25
As you can see at the bottom, we have several options.
17:27
HTML is nice and easy to use and understand. So we'll
17:33
start with that one.
17:36
Show options.
17:38
So my name is there.
17:41
You could designate a customer,
17:44
you designate where the file will go.
17:48
So I want to set
17:49
the customer
17:52
to
17:52
pentest.org
17:56
and we're gonna set the...
18:00
Notice this, the sanitize option. This masks things like password hashes and other
18:07
clear-text passwords.
18:10
Anyway, so we're gonna go ahead and copy this path name.
18:17
We're gonna run the report.
18:19
Actually, I'll copy this path.
18:23
And now if we open a browser,
18:33
there's a report.
18:36
So 120 hosts, 16 contacts. And we can expand these, as you can see.
18:41
And this is a really nice feature.
18:45
Ah, you can export into XML, CSV, whatever you wish.
18:52
So it's a quick demonstration to see what the possibilities are. And the fact that you can
18:57
create workspaces
19:00
to organize your activities on a case-by-case basis really adds a lot of functionality to this.
19:08
All right, so I hope you've enjoyed the demonstration of Recon-NG. See you in the next video.
19:14
Thank you.

Up Next

Social Engineering and Manipulation

In this online, self-paced Social Engineering and Manipulation training class, you will learn how some of the most elegant social engineering attacks take place. Learn to perform these scenarios and what is done during each step of the attack.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor