00:05
Hello. This is Dean Pompilio, and in this demo
00:10
you're going to be looking at Recon-ng.
00:14
Recon-ng is a pretty interesting
00:17
framework, very similar to Metasploit, that is used for
00:22
gathering information.
00:25
So first we'll go ahead and look at the Kali Tools website,
00:33
and under the tools listing,
00:37
this is an information gathering tool.
00:47
So: Recon-ng, Web reconnaissance framework.
00:55
So if you're familiar with Metasploit, you should adapt to Recon-ng fairly easily.
01:02
It has a familiar look and feel.
01:04
Anyway, this tool is already built into Kali, so you don't need to worry about installing it.
01:11
We'll go ahead and launch a command shell,
01:18
and under /usr/share,
01:23
we're in the recon-ng directory.
01:32
So first we'll have a look at the help
01:34
menu. We can see that
01:37
you can specify a workspace. That's an interesting feature,
01:42
and I'll show you how to create a workspace. It helps you keep your
01:47
data organized.
01:51
And there's also another useful feature, the no-check option,
01:55
to make sure that the version checking is not done,
02:00
because if you're in need of an update, you might get some errors. So this lets you just use the version that you're currently running with.
02:10
Okay, so there's our menu. Let's look at the help inside the tool,
02:15
and you can see we've got a lot of choices here.
02:20
We're just gonna cover a few of these options, since this is just an introduction to Recon-ng.
02:27
The first thing we're going to do is
02:31
hit the workspaces command. We can see we can list them, add, select, or delete. So we're going to add one.
02:38
You can just use the up arrow,
02:49
and you'll see that automatically switches us to that workspace.
02:53
I can run the workspaces list command. I've got a default workspace, and now I've got one called target company,
03:00
and you can create quite a few of these, and it makes it easy to switch back and forth
03:06
once you're in a workspace.
03:07
You can just use the back command.
03:09
Actually, that took me all the way out. It's not what I wanted.
03:16
So, workspaces select
03:22
targetcompany.com.
03:24
All right, now we're back where we were.
03:30
I have to be in a different context, not just the workspace itself, to use the back command.
03:46
The next thing we want to do is to show our modules.
03:49
So we're going to run the show command.
03:52
And as you can see, we've got a lot of choices here.
03:57
But in particular, we want to look at our modules, because that lets us know
04:02
activities we can use towards a domain name, an IP address, an email address, or a location.
04:12
So scrolling back up to the top, we can see we've got some discovery modules,
04:17
some modules related to exploits,
04:20
being able to import different files,
04:24
and then lots of reconnaissance: Facebook, LinkedIn,
04:28
email, pwnedlist, Adobe. There's all kinds of possibilities here:
04:33
Bing, brute force, Google, Netcraft, Shodan.
04:42
All right, so we'll have a look at a few of these. I recommend that you try them all
04:46
separately and see what they're about, because you can learn a great deal about your target by using a framework such as this. It's especially nice if you are very
05:00
So we looked at our modules list.
05:03
The first thing I want to do is
05:09
load the Netcraft module,
05:13
so I'm gonna run the use netcraft command.
05:15
If you do a partial match, you'll get a list of modules that match.
05:21
You can also use the load command instead of use. They're interchangeable,
05:30
and you can see that it's asking me to specify a source,
05:33
so I'll set the source.
05:36
Think about the fact that you're trying to target an organization for a social engineering audit. We could use something
05:44
that's likely to have some good information for us to look at, like a news website.
05:50
We could use cnn.com.
05:54
Once the source is selected, we can just use the run command,
06:00
and this will go out and find
06:03
all hosts that have CNN in their name.
06:11
This might take a minute to run.
06:14
And as you'd expect, CNN has many websites that operate in different countries all around the world.
06:19
So we should get a pretty large list here.
06:30
I'm gonna go ahead and pause until this is completed.
06:34
Okay, so that finished. We found 68 hosts.
06:40
Now what we can do is look at that list by typing show.
06:45
Well, I'll bring back the menu again,
06:48
and one of our options, as we can see, is hosts.
06:57
And it tells us the tool
06:59
that was used, the module that was used in order to generate this list.
07:04
These are all entries in the database, essentially.
07:08
So the row ID is just what it sounds like.
07:11
Each item in a table has its own unique row ID.
07:16
And you can use the add and delete commands to get rid of some of the rows if you don't want them.
07:23
we can look at that menu later
07:26
Anyway, so now I have a list of hosts. If the target of your
07:30
social engineering audit is a large company like this, or if it's some individuals that work there,
07:35
this is your foundational layer of
07:39
information gathering. You've got a nice list,
07:43
but you might want to do some other things like
07:46
show the neighbors that might be using
07:53
that is shared by these systems.
07:59
So if I type use ip,
08:01
you'll notice that I get a few of these.
08:05
The one I really want to look at is ipinfodb.
08:11
Okay, so now we'd like to resolve these IP addresses.
08:20
So we'll just type use resolve to see what options we have here.
08:22
And this is the one that we want.
08:35
And again, we see that you can specify the source. So we're just gonna go ahead and run this,
08:39
and this will find all the IP addresses for that host list we just generated.
08:46
We show our hosts again,
08:50
and we can see these are all resolved.
08:52
Almost all of them are resolved.
09:00
One thing to think about is, if you're targeting all these different sites, of course, that's
09:05
you want to narrow this activity down as much as possible
09:09
for your social engineering audit or pen testing activity.
09:13
So one of the things you can do
09:20
sites have interesting files. I knew the shortcut there, but if I use something a little bit shorter, I
09:28
get a couple of choices. But this is the module:
09:31
discovery/info_disclosure/interesting_files.
09:37
Actually, that's looking at the wrong source.
09:45
It did find a robots.txt file
09:48
on this website, however: tools.kali.org,
09:52
and robots.txt is used to tell search engines which directories not to search or not to crawl.
10:01
So that's sometimes interesting content to look at,
10:05
and you can see this is where it's stored that file.
10:11
But the one we really want is to
10:15
set our source to CNN,
10:18
and we'll run this, see if we get anything.
10:20
And as I would expect, we did not. So it's a good thing that this other site was selected.
10:31
I'm gonna use Ctrl+Shift+T to open a new tab.
10:37
Always remember shortcuts,
10:39
and I'm gonna go to this directory.
10:45
Look at our most recent files. We can see we've got a
10:50
robots.txt file.
10:58
So it's just allowing these particular directories and certain regular expression matches for other kinds of characters.
11:07
This information doesn't turn out to be too useful, but it might be for a different type of audit or a different target.
11:16
And another thing to try for a list
11:20
is to use the brute_hosts
11:24
module. It's kind of interesting.
11:31
And again, just try a bunch of these modules that are available here. Don't be afraid to.
11:43
Always do the show options command to see
11:46
And what this will try to do is
11:52
try to do a brute force, and I have it set for a website that I control. That's safe to do.
12:00
But make sure you have permission if you're gonna use a tool like this.
12:07
Okay, so another one to try
12:20
took me right to it: ipinfodb.
12:24
And it gives me some
12:26
information about the main host.
12:31
So if I look at my hosts file,
12:35
information in there.
12:35
All right, it did not put it in the file,
12:37
but we can see that's the host it was referencing.
12:52
Okay, so now that we've got a nice list to work with,
12:56
let's use the PGP module.
13:03
It says the PGP search, looking for Pretty Good Privacy email.
13:09
We can run that against our host.
13:13
In this case, we have our source set to kayak.com.
13:20
Let's change it back to cnn.com.
13:26
All right. So we found
13:28
a nice list of people. You'll notice that we also have the kayak.com
13:37
So be careful when you're running these commands so that you don't accidentally put a bunch of records into your contacts database that you don't want.
13:48
I can see I've got twice as many as I really need.
13:52
I've got all of these
14:05
I think this might work,
14:07
So delete hosts 1 through 12.
14:11
Now, if I show hosts again, hopefully it only has.
14:18
Sorry, not show hosts: show contacts.
14:22
I deleted hosts. Wrong file. No problem.
14:30
I can generate that information again.
14:35
All right, now we've got rid of the kayak addresses.
14:39
So we've got a first and last name, possibly a middle name, and an email address.
14:45
If you were trying to identify someone that works at the organization or is associated with it, this is a great
14:52
way to gather that kind of information. Within just a few minutes of typing in some commands, it's pretty powerful. And we've really only scratched the surface of what this tool can actually do.
15:05
If you subscribe to certain
15:09
things like pwnedlist,
15:11
you might be able to find
15:13
certain credentials that are
15:18
that are associated with an account.
15:22
This one is free. The other ones, I believe you have to actually pay for the service,
15:31
so we'll go ahead and use this.
15:35
This will try to find
15:39
email accounts that might be on a list of known
15:43
passwords, known credentials.
15:46
So as we can see, many of these are safe;
15:52
it looks like one email address has been pwned,
15:54
and it's a test email address. It probably was used for testing, so
16:00
it might have a weak password.
16:03
Now we can look at our show credentials,
16:07
and we see that we've got
16:07
Now, it didn't actually pick up the password or hash or anything. Obviously,
16:14
if you're able to do that as part of your pentest, that's ideal.
16:19
But some of the services, as I mentioned, are
16:23
actually paid services, so if you want access to that kind of information,
16:29
that's what I've seen.
16:41
we can still see that our test
16:45
account is here, but it is associated with a person.
16:48
If this was your target, you could then try to probe further
16:55
and try to go to the next step, which is to establish some kind of a trust relationship, or maybe send them
17:03
an email with a malicious link.
17:06
There's lots of techniques, which we'll talk about more in the Advanced
17:10
Pen Testing through Social Engineering course.
17:14
So let's move on to the next section of the tutorial. We're gonna look at some of the reports
17:21
that are possible. So let's look at our modules again.
17:25
As you can see at the bottom, we have several options.
17:27
HTML is nice and easy to use and understand. So we'll
17:38
So my name is there.
17:41
You could designate a customer,
17:44
you designate where the file will go,
17:56
and we're gonna set the
18:00
Notice this sanitize option. It lets you mask things like password hashes and
18:07
cleartext passwords.
18:10
Anyway, so we're gonna go ahead and copy this path name.
18:17
We're gonna run the report.
18:19
Actually, we'll copy this path.
18:23
And now if we open a browser,
18:36
So 120 hosts, 16 contacts. And we can expand these, as you can see.
18:41
And this is a really nice feature.
18:45
You can export into XML, CSV, whatever you wish.
18:52
So that's a quick demonstration to see what the possibilities are. And the fact that you can
19:00
to organize your activities on a case-by-case basis really adds a lot of functionality to this.
19:08
All right, so I hope you've enjoyed the demonstration of Recon-ng. See you in the next video.