1
00:00:00,360 --> 00:00:01,080
All right, everybody.

2
00:00:01,110 --> 00:00:07,830
Welcome back to the official third Cup series, the Certified Kali Linux Pentesting.

3
00:00:08,370 --> 00:00:10,830
This is the information gathering module.

4
00:00:11,400 --> 00:00:16,470
We've gone through all the basics for Linux, and we're now into the part where we're going to start

5
00:00:16,470 --> 00:00:24,660
our first foray into the offensive arts, or the offensive gathering of information.

6
00:00:25,590 --> 00:00:29,310
So this is going to cover reconnaissance, footprinting and enumeration.

7
00:00:32,310 --> 00:00:34,140
So this is our outline.

8
00:00:34,150 --> 00:00:39,240
We're going to cover several topics, including what is information gathering, what information is

9
00:00:39,240 --> 00:00:39,890
being gathered.

10
00:00:39,900 --> 00:00:44,970
We're going to talk about the different types of information that can be gathered on a target.

11
00:00:46,000 --> 00:00:50,970
We'll look at the open source reconnaissance framework, we'll look at the various tools provided with

12
00:00:50,970 --> 00:00:55,140
Kali Linux, like Uniscan, DirBuster and Nmap.

13
00:00:55,680 --> 00:01:05,610
We'll get into Recon-ng and even some Maltego and Google Hacking, or Google Dorking as it's called.

14
00:01:10,980 --> 00:01:15,150
So this is going to be our chapter flow based on the tools.

15
00:01:18,920 --> 00:01:20,300
So what is information gathering?

16
00:01:20,300 --> 00:01:26,900
It's often referred to as the predatory phase where we collect as much information as possible about

17
00:01:26,900 --> 00:01:29,640
the target of evaluation, or TOE.

18
00:01:30,260 --> 00:01:36,170
We usually collect information about three groups: the network, the hosts and the people involved.
19
00:01:36,950 --> 00:01:43,730
And there are essentially two main types of information gathering, passive or active, and then there's

20
00:01:43,730 --> 00:01:45,170
also semi-passive.

21
00:01:45,170 --> 00:01:52,730
So if we're talking about information gathering, or footprinting as it's known, active information

22
00:01:52,730 --> 00:01:58,310
gathering means directly interacting with the target, such as using Nmap to scan the target

23
00:01:58,730 --> 00:02:03,080
or confronting the target through some type of social engineering attack.

24
00:02:04,370 --> 00:02:10,280
And then there's the more passive options where we try to collect information about the target without

25
00:02:10,280 --> 00:02:11,630
directly accessing it.

26
00:02:12,350 --> 00:02:19,910
So this is things like social media, public websites and many of the tools we're going to discuss today.

27
00:02:22,550 --> 00:02:24,200
So what information is being gathered?

28
00:02:24,200 --> 00:02:34,320
Well, of course, there's domain names, IP addresses, namespaces, DNS servers, authoritative servers,

29
00:02:34,520 --> 00:02:40,940
records, MX, all kinds of stuff, employee information like phone numbers, Social Security numbers,

30
00:02:41,630 --> 00:02:49,940
personally identifiable information, anything that can link you to your organization or potentially

31
00:02:49,940 --> 00:02:56,270
paint a picture of what you might be holding, or what else.

32
00:02:58,120 --> 00:03:03,070
Based on this information that's being gathered, attackers will figure out what to do in the next phase

33
00:03:03,070 --> 00:03:06,190
of their attack and what kind of targets they might want to go after.

34
00:03:10,000 --> 00:03:12,850
This could also include things like job portals.

35
00:03:15,720 --> 00:03:16,800
Job listings.

36
00:03:18,090 --> 00:03:18,930
All that kind of stuff.

37
00:03:18,960 --> 00:03:21,540
LinkedIn, Indeed.

38
00:03:22,140 --> 00:03:23,460
Monster, CareerBuilder.
39
00:03:23,460 --> 00:03:26,430
These are all targets of information gathering.

40
00:03:27,930 --> 00:03:30,450
So for tools of the trade, there's lots of different tools.

41
00:03:30,450 --> 00:03:31,760
These are just a few of the tools.

42
00:03:31,770 --> 00:03:39,000
If you want a complete list, you can go to the tools.kali.org website and you can see the very,

43
00:03:39,990 --> 00:03:50,130
very lengthy list of tools with respect to information gathering, so that we would be here for essentially

44
00:03:50,130 --> 00:03:54,120
weeks and weeks if we tried to cover every single tool that was in just this one category alone.

45
00:03:58,880 --> 00:04:01,040
So we have these tools.

46
00:04:01,040 --> 00:04:02,390
We also have social media.

47
00:04:02,850 --> 00:04:04,090
Now we'll look at WHOIS as well.

48
00:04:04,160 --> 00:04:05,880
First, we're going to talk about the OSR

49
00:04:06,260 --> 00:04:07,370
Framework.

50
00:04:10,610 --> 00:04:12,110
The OSRFramework is.

51
00:04:18,980 --> 00:04:24,500
So the OSRFramework is a set of libraries to perform open source intelligence tasks.

52
00:04:25,250 --> 00:04:31,100
They include references to a bunch of different applications related to looking for usernames, DNS,

53
00:04:31,670 --> 00:04:36,470
deep web searches as well as ad hoc Maltego transforms.

54
00:04:37,350 --> 00:04:43,760
Essentially, it's a way of making queries graphically as well as having lots of different interfaces.

55
00:04:43,800 --> 00:04:49,070
So this is the GitHub page, and if you want to look at the different tools that are included with the

56
00:04:49,070 --> 00:04:54,080
OSRFramework, there's a tool called usufy.

57
00:04:54,620 --> 00:05:02,210
It's a Python script that goes out and looks for a user profile in up to 290 different platforms.

58
00:05:05,390 --> 00:05:07,310
There are online tools.

59
00:05:08,890 --> 00:05:10,420
Different arguments you can pass it.
60
00:05:10,420 --> 00:05:16,510
There's a tool for checking for the existence of a given mail. There are many, many, many different tools

61
00:05:16,510 --> 00:05:20,530
here which you can use to gather that information.

62
00:05:30,340 --> 00:05:32,470
This is what the OSRFramework looks like.

63
00:05:32,770 --> 00:05:37,630
Let's go ahead and jump into our distro.

64
00:05:56,060 --> 00:06:03,020
So we go to our file menu and look at information gathering as a whole section.

65
00:06:03,020 --> 00:06:06,830
And Kali, that will gather a lot of this information for you as well.

66
00:06:07,850 --> 00:06:09,140
So all the tools are here.

67
00:06:09,890 --> 00:06:17,240
There's open source intelligence analysis. All the tools come prebuilt in order for you to find

68
00:06:17,240 --> 00:06:18,080
information.

69
00:06:24,920 --> 00:06:26,810
So we want to install the OSR

70
00:06:28,150 --> 00:06:28,660
Framework.

71
00:06:33,140 --> 00:06:35,990
We can go to GitHub and look at its repository.

72
00:06:36,650 --> 00:06:37,430
This is the

73
00:06:39,610 --> 00:06:43,000
i3visio repository.

74
00:06:43,000 --> 00:06:44,050
So it's got a description.

75
00:06:44,050 --> 00:06:46,150
So it's GNU GPL licensing.

76
00:06:48,210 --> 00:06:53,400
And if you don't have it, you can do it with pip to install the framework.

77
00:07:06,290 --> 00:07:11,180
I probably need to install pip online, so if you don't have pip,

78
00:07:17,090 --> 00:07:17,960
there's a way to get it.

79
00:07:17,960 --> 00:07:20,510
And I have to go back real quick.

80
00:07:20,510 --> 00:07:21,770
So that's one of those prerequisites.

81
00:07:22,370 --> 00:07:28,730
Sometimes tools have special ways to download them, and these things can change all the

82
00:07:28,730 --> 00:07:29,060
time.

83
00:07:36,430 --> 00:07:38,110
So, python-pip.
84
00:07:38,110 --> 00:07:44,350
We have to have a few things in the library before we can be able to get the pip command to get the

85
00:07:44,350 --> 00:07:47,950
latest and greatest version of the OSRFramework.

86
00:07:59,620 --> 00:07:59,920
Oops.

87
00:08:02,580 --> 00:08:03,010
That's right.

88
00:08:04,200 --> 00:08:04,440
All right.

89
00:08:04,440 --> 00:08:05,100
So that's done.

90
00:08:13,510 --> 00:08:13,900
There it goes.

91
00:08:13,900 --> 00:08:19,930
pip is being invoked by our script, which means we need to run it later.

92
00:08:22,240 --> 00:08:23,470
So you're going to run it with Python.

93
00:08:23,470 --> 00:08:26,290
So we got a small error here, and that's okay.

94
00:08:27,100 --> 00:08:32,050
This has to do with the fact that Kali updated to Python 3.

95
00:09:02,070 --> 00:09:05,490
We are going to install the OSRFramework.

96
00:09:06,270 --> 00:09:14,040
We first had to do an install of pip3, which is the Python based installer program.

97
00:09:18,740 --> 00:09:20,510
So it's downloading some updates here.

98
00:09:20,960 --> 00:09:28,530
So because of the updates to Python and the old 2.7 version being deprecated, we now have to make sure

99
00:09:28,530 --> 00:09:30,140
we're on the latest and greatest version.

100
00:09:31,070 --> 00:09:37,730
And we're following the official instructions from the OSRFramework repository.

101
00:09:39,360 --> 00:09:40,230
This is the process.

102
00:09:40,230 --> 00:09:44,550
So it's downloading all of the prerequisites it needs to be able to install.

103
00:09:50,570 --> 00:09:53,360
And now, right now, we can do the osrf command.

104
00:09:53,850 --> 00:09:54,240
Dash.

105
00:09:54,240 --> 00:09:54,630
Dash.

106
00:09:55,020 --> 00:09:55,380
Help.

107
00:09:57,570 --> 00:10:03,480
We can see the OSRFramework command line interface, a collection of tools that are included in

108
00:10:03,480 --> 00:10:04,200
this framework.
109
00:10:04,740 --> 00:10:10,590
So there's checkfy, which will verify an email address given a pattern.

110
00:10:10,920 --> 00:10:13,440
There's domainfy to check whether domain names

111
00:10:14,460 --> 00:10:16,680
using certain words and nicknames are available.

112
00:10:17,040 --> 00:10:20,280
You can look for information linked to spam by a phone number.

113
00:10:21,740 --> 00:10:26,660
There's also usufy, where you can look for accounts with given nicknames.

114
00:10:40,510 --> 00:10:46,030
So in OSRFramework this is the description, the licensing, and then there's the commands.

115
00:10:46,030 --> 00:10:47,740
pip3 install osrframework.

116
00:10:48,130 --> 00:10:50,650
So let's take a look at that process briefly.

117
00:10:55,990 --> 00:10:56,300
Sorry.

118
00:11:04,120 --> 00:11:10,450
So for OSRFramework to work, you have to install pip3 because it does not come with

119
00:11:11,570 --> 00:11:13,190
Kali 2020 by default.

120
00:11:13,940 --> 00:11:15,620
And then there's the command to install it.

121
00:11:15,950 --> 00:11:22,490
Once you get there, then you can be able to interact with the OSRFramework.

122
00:11:23,360 --> 00:11:26,900
Now let's look into how we actually use the OSRFramework.

123
00:11:31,100 --> 00:11:34,520
So first we're going to do the osrf --help command.

124
00:11:35,630 --> 00:11:38,510
There's a couple of sample commands, so we're going to go ahead and look for

125
00:11:40,430 --> 00:11:42,710
a few things with this framework.

126
00:11:43,910 --> 00:11:45,370
Let me go ahead and go to the screen.

127
00:11:46,460 --> 00:11:54,140
We're going to do usufy -n and we're going to use the repository name.

128
00:12:03,340 --> 00:12:07,260
I'll look for similar things on Twitter and Facebook.

129
00:12:09,570 --> 00:12:10,500
And there we go.

130
00:12:13,070 --> 00:12:16,100
This is free software, so there's the creators.
131
00:12:16,100 --> 00:12:17,780
This is the warranty information.

132
00:12:18,140 --> 00:12:20,360
It's starting the search on the two platforms.

133
00:12:20,360 --> 00:12:22,300
And now all we have to do is wait.

134
00:12:34,170 --> 00:12:34,400
Now.

135
00:12:34,400 --> 00:12:35,750
It'll take a little bit of time

136
00:12:37,180 --> 00:12:37,870
to come back.

137
00:12:42,070 --> 00:12:43,660
So we'll wait on that to finish.

138
00:12:44,950 --> 00:12:49,870
And there it is, it came back with some results from Twitter and with Facebook for that particular username.

139
00:12:50,230 --> 00:12:53,260
It even tells us where we can find the profiles.

140
00:12:54,310 --> 00:13:02,560
So if we want to look for different things, we can use different modules as needed.

141
00:13:03,100 --> 00:13:12,610
Again, it's a great tool for just looking at what's out there and finding credentials, even a starting

142
00:13:12,610 --> 00:13:12,970
point.

143
00:13:13,990 --> 00:13:20,740
So if we want to upgrade this, we can do osrf upgrade.

144
00:13:23,070 --> 00:13:27,810
And it will go out and try to update for us, and notice we're on the latest and greatest version.

145
00:13:27,840 --> 00:13:28,620
That's fine.

146
00:13:30,390 --> 00:13:33,300
If you forget how to use it, you can use the --help command.

147
00:13:36,880 --> 00:13:39,610
You can look for certain domains, certain phone numbers.

148
00:13:45,430 --> 00:13:46,780
And so on and so forth.

149
00:13:55,210 --> 00:13:58,100
Now let's look at a program called Uniscan.

150
00:13:58,120 --> 00:14:04,300
So Uniscan is an open source tool capable of scanning web applications for critical vulnerabilities

151
00:14:04,300 --> 00:14:11,350
like SQL injection, blind SQL injection, cross-site scripting, remote file inclusion, web shell vulnerabilities,

152
00:14:11,770 --> 00:14:13,600
hidden backdoors, and many others.
153
00:14:14,020 --> 00:14:19,990
Besides vulnerability assessments, Uniscan can also do Bing and Google searches for domains on shared

154
00:14:19,990 --> 00:14:20,830
IP addresses.

155
00:14:21,340 --> 00:14:22,960
It's a tool that's written in Perl.

156
00:14:25,530 --> 00:14:31,530
And if we want to install it, this is the process.

157
00:14:31,530 --> 00:14:35,430
Although keep in mind, sometimes with these tools the process does change.

158
00:14:36,200 --> 00:14:37,140
You have to be root.

159
00:14:42,340 --> 00:14:45,610
And so we're going to go ahead and get our updates

160
00:14:47,530 --> 00:14:48,520
for this program.

161
00:14:50,270 --> 00:14:51,350
I'm going to say yes.

162
00:14:53,600 --> 00:14:59,330
And it's going to go out to the Kali Rolling repository, and it's going to pull in some information,

163
00:15:00,020 --> 00:15:04,070
pulling in some additional Perl libraries and things like that.

164
00:15:06,430 --> 00:15:07,540
And once it's complete.

165
00:15:11,570 --> 00:15:12,410
And there we go.

166
00:15:19,140 --> 00:15:22,920
So we can look at the help file for Uniscan.

167
00:15:23,520 --> 00:15:26,400
So you can put different options together.

168
00:15:27,780 --> 00:15:29,940
You can try and fingerprint web services.

169
00:15:29,940 --> 00:15:32,280
So they even give you a few examples.

170
00:15:39,350 --> 00:15:40,310
Let's go ahead and

171
00:15:42,050 --> 00:15:43,220
run this tool on

172
00:15:45,750 --> 00:15:50,370
example.com. We'll run uniscan, notice it's the .pl.

173
00:15:50,730 --> 00:15:53,400
So that's pl for Perl, and the -u

174
00:15:53,400 --> 00:15:54,510
is for the URL.

175
00:15:54,540 --> 00:15:57,240
And then we want it to do stress checks.

176
00:16:00,790 --> 00:16:06,220
In some cases, you may have to enable the appropriate

177
00:16:10,330 --> 00:16:11,950
library to run with the program command.

178
00:16:16,050 --> 00:16:16,560
There we go.
179
00:16:22,310 --> 00:16:24,080
That's going out to example.com.

180
00:16:24,080 --> 00:16:26,930
It's running many stress tests looking for

181
00:16:29,010 --> 00:16:29,820
best case.

182
00:16:33,650 --> 00:16:36,220
Of course, this is all just reconnaissance.

183
00:16:36,230 --> 00:16:36,830
This is not

184
00:16:39,250 --> 00:16:40,900
actively interacting with the system.

185
00:16:45,540 --> 00:16:45,980
You know.

186
00:16:48,480 --> 00:16:51,990
So if you want to install it from GitHub, that's another way you can do it as well.

187
00:16:52,390 --> 00:16:55,650
It'll go out to the latest and greatest version.

188
00:16:57,820 --> 00:17:00,640
So if you want to use it, you've got the help file.

189
00:17:01,480 --> 00:17:02,980
It also has a GUI.

190
00:17:03,820 --> 00:17:05,650
So let's go ahead and open the GUI.

191
00:17:18,510 --> 00:17:19,620
And zoom in here.

192
00:17:36,240 --> 00:17:37,350
And there's the GUI.

193
00:17:37,380 --> 00:17:44,070
So if you want to work from the GUI versus the command line, we'll just start a scan on our localhost

194
00:17:44,070 --> 00:17:48,450
since we do have a web server running.

195
00:17:48,840 --> 00:17:52,380
Actually, let's make sure that our service is still in fact running.

196
00:18:02,160 --> 00:18:03,210
Make sure we're root.

197
00:18:10,710 --> 00:18:12,510
The Apache server is, in fact, running.

198
00:18:14,710 --> 00:18:19,770
Let's go back to our tool here, and it's running directory checks on localhost.

199
00:18:20,820 --> 00:18:22,530
We can see that it's an Apache server.

200
00:18:24,630 --> 00:18:25,920
I'm going to run a file check.

201
00:18:25,920 --> 00:18:29,820
It's going to look for the pages that are running.

202
00:18:29,820 --> 00:18:32,910
And this is all of the stuff that it's crawling.

203
00:18:33,540 --> 00:18:35,130
It's looking for backdoors.

204
00:18:35,130 --> 00:18:39,540
It's looking for anything that it might be able to enumerate.
205
00:18:43,840 --> 00:18:45,310
So a very useful tool.

206
00:18:46,600 --> 00:18:52,420
I didn't check all the boxes, but you could, in theory, check all the boxes to get all of the information.

207
00:18:52,420 --> 00:18:56,650
And it has logging capability as well.

208
00:19:00,360 --> 00:19:01,800
There's the actual log file.

209
00:19:02,550 --> 00:19:10,050
So once it finishes the scan, then you can see the actual report, and it even saves it as an

210
00:19:10,200 --> 00:19:10,830
HTML file.

211
00:19:10,830 --> 00:19:12,150
So you can look at that as well.

212
00:19:21,830 --> 00:19:25,130
So then we have DirBuster, or Directory Buster.

213
00:19:25,130 --> 00:19:32,120
This is a multi-threaded Java application to brute force directories and file names on application servers.

214
00:19:32,960 --> 00:19:33,920
Too frequently

215
00:19:35,250 --> 00:19:37,020
we have web servers that are,

216
00:19:38,400 --> 00:19:41,070
well, have default pages and default services running.

217
00:19:41,700 --> 00:19:42,180
So.

218
00:19:44,870 --> 00:19:46,850
Let's go ahead and take a look at

219
00:19:48,320 --> 00:19:49,250
how to get it.

220
00:19:53,360 --> 00:19:58,580
Depending on your version of Kali, you may not have it available by default.

221
00:19:59,550 --> 00:20:01,850
Let's go ahead and we'll let this scan run.

222
00:20:04,160 --> 00:20:04,330
So.

223
00:20:17,230 --> 00:20:20,110
So DirBuster is already installed.

224
00:20:20,770 --> 00:20:24,220
There's some packages that are no longer needed.

225
00:20:24,220 --> 00:20:29,650
So we'll go ahead and do the autoremove command. The autoremove command will help us keep a good

226
00:20:29,650 --> 00:20:32,080
eye on our disk space.

227
00:20:33,960 --> 00:20:36,510
And keep things cleaned up as best as possible.

228
00:20:40,070 --> 00:20:45,940
So now that DirBuster is there, let's go ahead and look at the help file.
229
00:20:47,880 --> 00:20:49,650
Not all programs will have these.

230
00:20:49,890 --> 00:20:53,640
But again, it's nice when they have a quick help file so you can just use it.

231
00:20:54,000 --> 00:20:55,530
The -h command.

232
00:20:56,900 --> 00:21:03,920
And essentially these are some examples if you want to pull down the information.

233
00:21:07,720 --> 00:21:12,610
Of course, you want to run this on sites that you have permission to go after.

234
00:21:15,240 --> 00:21:18,600
So DirBuster also has a GUI version.

235
00:21:19,530 --> 00:21:21,150
So let's go ahead and look at that.

236
00:21:27,010 --> 00:21:28,690
This tool was put out by OWASP.

237
00:21:28,690 --> 00:21:32,350
So if you want the latest and greatest documentation, you can always go to OWASP.

238
00:21:32,710 --> 00:21:34,270
You put in your target URL.

239
00:21:41,870 --> 00:21:43,820
So we're going to put in our localhost.

240
00:21:44,210 --> 00:21:46,640
And you can pick out how many threads you want it to do.

241
00:21:47,210 --> 00:21:49,640
Do you want to brute force directories?

242
00:21:53,330 --> 00:21:55,040
So you have a lot of different options.

243
00:21:56,090 --> 00:21:57,470
So Directory

244
00:21:57,470 --> 00:22:05,380
Buster comes with a bunch of different lists that essentially crawl the web to find hidden directories.

245
00:22:11,080 --> 00:22:13,990
So we'll just leave things at the default and we'll go ahead and click Start.

246
00:22:18,710 --> 00:22:20,800
And it'll take a little bit of time to come back.

247
00:22:22,430 --> 00:22:28,070
But it will try and enumerate any directory, since we're starting with root and we're looking for PHP.

248
00:22:28,460 --> 00:22:30,440
You can change the extension if you want.

249
00:22:31,190 --> 00:22:36,470
DirBuster also has the ability to fuzz websites as well.

250
00:22:36,470 --> 00:22:38,540
That is, essentially generate random data
251
00:22:40,290 --> 00:22:44,550
to hurl at a website to see what vulnerabilities it might spit out.

252
00:22:45,480 --> 00:22:47,220
You've got the file menu here.

253
00:22:47,430 --> 00:22:49,050
You have some different options you can set.

254
00:22:53,320 --> 00:22:54,970
So what it can do for you.

255
00:22:55,000 --> 00:23:00,190
So it'll find hidden pages and directories, thus giving you another attack vector, maybe an unlinked

256
00:23:00,880 --> 00:23:02,080
administration page.

257
00:23:02,320 --> 00:23:04,770
It will not actually exploit things.

258
00:23:04,780 --> 00:23:09,730
It's just the whole goal of DirBuster is to find attack vectors.

259
00:23:11,860 --> 00:23:18,540
It also helps developers understand that just because you don't link to a page does not mean that it

260
00:23:18,540 --> 00:23:19,860
cannot be accessed.

261
00:23:23,980 --> 00:23:29,680
Then we have Nmap, or the Network Mapper as it's known. It's a free and open source utility for network

262
00:23:29,680 --> 00:23:31,540
discovery and security auditing.

263
00:23:32,170 --> 00:23:38,890
Many systems and network administrators also find it useful for tasks like inventories, managing service

264
00:23:38,890 --> 00:23:41,680
upgrades and monitoring host uptime.

265
00:23:45,440 --> 00:23:51,740
Nmap uses raw IP packets in different ways to determine what hosts are available on the network.

266
00:23:53,280 --> 00:23:59,150
And so also what services, and it can even enumerate different operating systems, what versions of those

267
00:23:59,160 --> 00:24:06,060
operating systems that are running, if there are any packet filters or firewalls in place and many

268
00:24:06,060 --> 00:24:12,360
other things. It was designed to rapidly scan large networks, but it works great against single hosts

269
00:24:12,360 --> 00:24:12,810
as well.
270
00:24:13,970 --> 00:24:20,360
And it's available on all of the major operating systems, Linux, Windows and Mac OS, and also has a

271
00:24:20,360 --> 00:24:25,490
command line version which comes with most of the versions of Linux.

272
00:24:25,670 --> 00:24:28,100
But in this case, in Kali, you have Nmap.

273
00:24:28,100 --> 00:24:35,000
You also have something called Netcat, which can be used as a debugging tool or it can be used

274
00:24:35,000 --> 00:24:42,290
to do other things like open sockets. Nmap doesn't have a warranty, but it's a very popular tool.

275
00:24:42,740 --> 00:24:45,530
It's downloaded many, many times a day.

276
00:24:45,950 --> 00:24:46,730
So why?

277
00:24:46,760 --> 00:24:48,170
Because it's flexible.

278
00:24:48,680 --> 00:24:52,430
It has both TCP and UDP capability.

279
00:24:54,370 --> 00:24:55,900
If you want to download Nmap,

280
00:24:59,600 --> 00:25:00,940
simply go to

281
00:25:04,210 --> 00:25:10,480
their website and you can download it for Windows, you can download it for Linux.

282
00:25:10,520 --> 00:25:15,340
So go to the download page and get the copy that you want.

283
00:25:15,340 --> 00:25:18,910
You will need to install a couple of dependencies.

284
00:25:18,910 --> 00:25:20,620
The Npcap library.

285
00:25:21,130 --> 00:25:25,000
If you're doing it on Windows, the Windows installer will handle all that for you.

286
00:25:26,220 --> 00:25:29,010
If you're doing other operating systems, you might have to do that.

287
00:25:29,910 --> 00:25:30,920
Here's the difference.

288
00:25:31,470 --> 00:25:33,270
Linux distribution binaries.

289
00:25:35,180 --> 00:25:35,430
First.

290
00:25:35,460 --> 00:25:37,850
In the case of Kali, it's already there by default.

291
00:25:39,050 --> 00:25:40,640
So we're going to go ahead and.

292
00:25:46,050 --> 00:25:50,420
So if you do apt-get install nmap, nmap is already the latest version.

293
00:25:50,450 --> 00:25:52,230
Notice that, 7.8.
294
00:25:54,270 --> 00:25:55,770
So let's go look at the man page.

295
00:26:03,030 --> 00:26:03,360
Oops.

296
00:26:05,370 --> 00:26:06,210
Put a dash in there.

297
00:26:06,600 --> 00:26:09,780
So network exploration tool and security port scanner.

298
00:26:10,200 --> 00:26:16,170
So for example, we can do Nmap scans and it will give you back things like port numbers.

299
00:26:16,530 --> 00:26:18,270
It will give you back services.

300
00:26:18,690 --> 00:26:22,230
It will try and do operating system enumeration.

301
00:26:22,240 --> 00:26:24,870
This is the common platform enumeration.

302
00:26:24,870 --> 00:26:25,680
That's CPE.

303
00:26:25,680 --> 00:26:26,250
That's what

304
00:26:28,160 --> 00:26:29,690
Nmap can do for you now.

305
00:26:29,870 --> 00:26:30,980
It's not perfect.

306
00:26:31,940 --> 00:26:32,500
It is.

307
00:26:32,510 --> 00:26:33,560
There are false positives.

308
00:26:33,560 --> 00:26:39,860
But Nmap does have its own scripting language as well and its own scripting engine.

309
00:26:39,860 --> 00:26:45,020
It can do traceroute, it can do ping scans, and we'll get into some of the different scans you can do

310
00:26:45,380 --> 00:26:45,800
as well.

311
00:26:45,800 --> 00:26:53,450
So it can not only be used as a network scanner, but it can also be used as a vulnerability scanning

312
00:26:53,450 --> 00:26:53,720
tool.

313
00:26:54,260 --> 00:27:00,020
So let's go ahead and just do a quick ping scan of the network.

314
00:27:00,020 --> 00:27:07,850
And since we're on the /24 network, the 192.168.7.0, we'll go ahead and run the scan.

315
00:27:09,440 --> 00:27:11,570
And it'll take a little bit of time to come back.

316
00:27:15,710 --> 00:27:18,410
We want to make sure that you're on the same network you're scanning with.

317
00:27:19,730 --> 00:27:25,130
You can also run it from Windows if you have it installed.

318
00:27:25,670 --> 00:27:27,170
You can run it from the command prompt.
319
00:27:27,170 --> 00:27:33,070
You can do nmap -s and you can run the commands pretty much the same way.

320
00:27:33,830 --> 00:27:34,970
And it will function,

321
00:27:37,050 --> 00:27:43,820
you know, generally the same way, though sometimes you may get errors on Windows, so the preferred

322
00:27:43,820 --> 00:27:45,470
method is running it on Linux.

323
00:27:46,160 --> 00:27:46,910
Let's go ahead.

324
00:27:46,910 --> 00:27:52,670
And first we want to know what our IP address actually is, so we can do

325
00:27:52,670 --> 00:27:55,550
ifconfig and we see we're on the 10 network.

326
00:28:02,850 --> 00:28:08,360
So sometimes when you want to be on the same network in VirtualBox, you may have to go into your settings.

327
00:28:08,360 --> 00:28:09,600
So we're going to do that real quick.

328
00:28:10,290 --> 00:28:13,080
This is only going to work if you're running it in VirtualBox.

329
00:28:13,440 --> 00:28:18,720
You're going to go into the Network tab under Settings, you're going to change it from being NAT.

330
00:28:19,140 --> 00:28:20,970
We're going to make it Bridged Adapter.

331
00:28:21,000 --> 00:28:27,780
I'm going to bridge with the Ethernet adapter, which is what I'm currently connected to, or select that,

332
00:28:27,780 --> 00:28:34,710
there's more advanced settings and you can put on promiscuous mode if you're doing traffic capturing.

333
00:28:34,710 --> 00:28:37,350
So that's important depending on the type of wireless card you have.

334
00:28:37,830 --> 00:28:38,220
So.

335
00:28:39,590 --> 00:28:40,370
I'm going to go ahead and hit

336
00:28:40,370 --> 00:28:40,960
OK.

337
00:28:41,600 --> 00:28:47,420
And sometimes VirtualBox will crash, and that does happen and that's okay.

338
00:28:49,010 --> 00:28:51,580
So why Nmap, why is that useful?

339
00:28:52,100 --> 00:29:01,520
Because it comes with source code that we can also modify and redistribute, has many different tools.
340
00:29:03,590 --> 00:29:09,290
These are some of the sample options you can get from it, such as a SYN scan, connect scan.

341
00:29:09,680 --> 00:29:16,550
And so if you want to scan a single IP, you can do nmap 192.168.1.1 for the IP, you can do

342
00:29:16,550 --> 00:29:25,280
nmap by hostname, you can scan a range of IPs, you can scan subnets with slash notation.

343
00:29:27,060 --> 00:29:30,390
You can even read in lists of IPs.

344
00:29:32,500 --> 00:29:35,650
It's a very versatile program and very useful for

345
00:29:37,200 --> 00:29:38,420
many different operations.

346
00:29:38,420 --> 00:29:44,130
So if you want to scan on a single port versus a range of ports, you can do nmap -p and then the

347
00:29:44,130 --> 00:29:45,030
port range.

348
00:29:46,020 --> 00:29:50,250
You can scan the most common ports quickly.

349
00:29:51,030 --> 00:29:53,280
You can do service detection, banner grabbing.

350
00:29:55,960 --> 00:30:02,670
Let's go ahead and do some of these together, waiting on our virtual machine to power up.

351
00:30:09,920 --> 00:30:10,070
I.

352
00:30:13,030 --> 00:30:18,830
We can also do OS detection with the -A command or the dash upper case

353
00:30:18,930 --> 00:30:19,300
O.

354
00:30:41,410 --> 00:30:43,420
And here we go, we have our virtual machine.

355
00:30:45,360 --> 00:30:48,270
Go ahead and make this into scaled mode.

356
00:30:52,690 --> 00:30:52,790
Right.

357
00:30:53,020 --> 00:30:56,440
Go put in our password.

358
00:30:58,500 --> 00:31:00,420
Let's go check our IP address.

359
00:31:02,730 --> 00:31:06,150
We should be on the same network as my local network here.

360
00:31:06,180 --> 00:31:07,170
Let's open up a terminal.

361
00:31:13,550 --> 00:31:15,320
And it takes a little bit when it first boots up.

362
00:31:15,320 --> 00:31:17,960
But notice that we can see we have a connection here.
363
00:31:18,620 --> 00:31:23,090
The wired connection is in fact active. I'm going to go ahead and sudo to root.

364
00:31:24,530 --> 00:31:25,070
Everyone want you.

365
00:31:25,070 --> 00:31:35,330
ifconfig, and we're on 192.168.7.252, and nmap, we're going to ping scan the local network,

366
00:31:39,870 --> 00:31:45,200
the slash notation, and we'll find some different hosts and we'll scan them one at a time.

367
00:31:45,200 --> 00:31:48,830
Notice we got seven hosts that are up, took all of 2 seconds.

368
00:31:49,340 --> 00:31:55,340
So let's pick a host that's up and we'll look at the 239 IP address.

369
00:31:55,700 --> 00:31:57,890
So let's do service detection.

370
00:32:05,250 --> 00:32:12,570
We did the uppercase A, which is going to try and make its best effort at detecting services.

371
00:32:13,710 --> 00:32:19,230
And it takes a little bit of time because it also does some randomized scanning.

372
00:32:21,270 --> 00:32:29,040
So while we're doing that, let's go ahead and look at the graphical version, which does not come with

373
00:32:29,040 --> 00:32:29,520
Kali.

374
00:32:29,520 --> 00:32:35,010
But if you want to see what the graphical version of Nmap looks like on Windows, maybe you're

375
00:32:35,010 --> 00:32:36,960
not as comfortable with the command line yet.

376
00:32:36,960 --> 00:32:49,440
So it's a good way to start out and do some scans very quickly, and it will also give you the actual

377
00:32:49,440 --> 00:32:49,830
command.

378
00:32:49,830 --> 00:32:54,240
So all you have to do is type in the target in this top box and it'll give you the command.

379
00:32:54,240 --> 00:32:59,370
And the nice thing about it is, let's just do a ping scan first, or it will do a quick scan.

380
00:32:59,370 --> 00:33:01,920
So we want to enumerate some results here.

381
00:33:02,910 --> 00:33:05,940
So go ahead and click Scan, and it's now open.

382
00:33:05,940 --> 00:33:08,250
The device goes blue, it's already scanning.
383 00:33:10,140 --> 00:33:11,430 Let's try. 384 00:33:11,820 --> 00:33:14,070 So from here you can also save scans. 385 00:33:14,400 --> 00:33:16,260 You can print scans too. 386 00:33:19,360 --> 00:33:22,360 If you want a hard copy, you can save them all to a directory. 387 00:33:27,700 --> 00:33:29,370 So let's go and come back to our scan here. 388 00:33:29,380 --> 00:33:35,470 We can see that it's going to give us kind of a progress bar. 389 00:33:35,470 --> 00:33:40,900 It says 44 seconds remaining roughly, and about 66% done of one host. 390 00:33:40,900 --> 00:33:45,730 So the more detailed of a scan you do, the longer it will take. 391 00:33:45,730 --> 00:33:51,250 If you scan all ports, even if it's a very small network, you can plan on it 392 00:33:51,250 --> 00:33:57,370 taking a good chunk of time with Nmap. Let's open up a new tab. 393 00:33:58,520 --> 00:34:03,540 Let's go ahead and go look at the Nmap scripts. 394 00:34:03,550 --> 00:34:05,290 And I have the Kali icon. 395 00:34:05,680 --> 00:34:10,360 When I look at the nmap directory, in the /usr/share/ 396 00:34:13,120 --> 00:34:19,240 nmap directory, we can see all the different folders here inside the nmap directory. 397 00:34:19,240 --> 00:34:25,390 We have different payloads, protocols, but look down here, we have an interesting scripts directory. 398 00:34:26,230 --> 00:34:35,860 So if we change into this scripts directory we can see there's a whole bunch of scripts for different 399 00:34:35,860 --> 00:34:44,440 types of vulnerabilities, NFS, DNS, and there's even some SMB for Windows systems. 400 00:34:45,740 --> 00:34:47,060 Maybe we will go look at 401 00:34:49,390 --> 00:34:54,490 Microsoft hardware, Microsoft SQL, dump out the hashes. 402 00:34:58,950 --> 00:35:03,180 So these are all the different scripts that come out of the box with Kali. 403 00:35:03,780 --> 00:35:05,290 There's SMB vulnerabilities.
404 00:35:05,290 --> 00:35:11,760 So if you want to enumerate systems that have been unpatched, there's a lot you can do with it besides 405 00:35:11,760 --> 00:35:12,750 just port scanning. 406 00:35:13,280 --> 00:35:15,330 Let's go see if we've got our port 407 00:35:16,170 --> 00:35:20,580 scan finished; it's about 85% done and it's almost complete. 408 00:35:22,050 --> 00:35:25,230 And NSE stands for Nmap Scripting Engine. 409 00:35:25,890 --> 00:35:31,410 So if you're wondering what that's about. Notice, it also gives us, just from a ping scan, we got 410 00:35:31,410 --> 00:35:33,750 a MAC address and we got an IP address. 411 00:35:33,750 --> 00:35:37,860 There's other programs you can do this with, like Angry IP or many others. 412 00:35:37,860 --> 00:35:43,500 But Nmap does a lot of functionality for you from the start, so it's almost done scanning. 413 00:35:47,220 --> 00:35:52,410 Let's open up a command prompt, and we can also, from Nmap, 414 00:35:54,400 --> 00:36:03,130 if we forget how to do it, we can get the help file on the Windows command prompt as well. 415 00:36:03,130 --> 00:36:06,760 So you can even run it on Windows, and it gives you some examples. 416 00:36:07,540 --> 00:36:11,080 It also has the scripting engine, and it tells you the version. 417 00:36:11,500 --> 00:36:15,700 Maybe we want to scan a particular host. 418 00:36:18,190 --> 00:36:24,550 Let's scan the router that we're connected to, and we'll put it into version detection. 419 00:36:24,550 --> 00:36:30,400 So we're going to do a lowercase s, uppercase V, and so we're going to go out and we're going to scan that 420 00:36:31,420 --> 00:36:36,460 and we're going to see what it gives us back while we're waiting on our other scan to finish. 422 00:36:36,550 --> 00:36:37,450 It's almost done.
423 00:36:37,540 --> 00:36:42,670 Notice in a VM you're going to have a little bit slower performance in your scan than you ordinarily 424 00:36:42,670 --> 00:36:44,020 would on a physical system. 425 00:36:44,950 --> 00:36:47,860 But notice, there's lots of different tools. 426 00:36:49,990 --> 00:36:56,650 And Nmap is in there, so you can type it in at the command prompt or you can type it into the search bar. 427 00:36:56,980 --> 00:36:59,440 You can also just click on the link to go ahead and start it. 428 00:37:02,070 --> 00:37:06,060 So if we keep hitting enter, Nmap will keep updating the status in real time. 429 00:37:07,620 --> 00:37:09,150 Let's go see our other scan. 430 00:37:11,640 --> 00:37:14,460 So for some reason we're getting a failed to open device. 431 00:37:14,700 --> 00:37:17,370 Now, this does happen sometimes, so don't worry about it. 432 00:37:17,670 --> 00:37:18,510 It may just be 433 00:37:19,410 --> 00:37:21,180 trying to connect to a different interface. 434 00:37:23,550 --> 00:37:26,400 So we got our scan back, and look at all the information we got. 435 00:37:26,410 --> 00:37:29,370 So we got a couple of different ports open. 436 00:37:30,780 --> 00:37:32,790 We got some SSL running. 437 00:37:33,840 --> 00:37:35,880 They have an SSL cert. 438 00:37:36,900 --> 00:37:39,870 We also have some TCP ports open. 439 00:37:42,180 --> 00:37:45,990 So we see port 9000, 10000, and then down below it, 440 00:37:46,000 --> 00:37:53,490 it's running a Linux kernel, and it ran a couple of scripts to try and figure out what it was, and it 441 00:37:53,490 --> 00:37:54,900 also did a traceroute to it. 442 00:37:55,410 --> 00:37:59,310 So there's a lot you can do with Nmap and a lot of functionality you can get from Nmap.
443 00:38:00,650 --> 00:38:07,100 So definitely, if there's a tool to spend a lot of time with, Nmap is definitely one, because the better 444 00:38:07,100 --> 00:38:10,280 you are with Nmap, the better you will become as an ethical hacker. 445 00:38:10,280 --> 00:38:13,070 So you can do simple connection scans. 446 00:38:13,730 --> 00:38:16,610 Essentially, all the Nmap commands have similar syntax. 447 00:38:17,210 --> 00:38:22,160 If you want to do a SYN scan, which is otherwise known as a stealth scan, you can do nmap 448 00:38:22,160 --> 00:38:23,540 -sS, a dash with lowercase s. 449 00:38:23,540 --> 00:38:25,850 Notice that the lowercase s is always in the beginning. 450 00:38:26,510 --> 00:38:30,590 The uppercase letter will be the type of scan you're doing. 451 00:38:30,590 --> 00:38:37,310 So if you're doing an ACK scan, it's -sA; if it's a UDP scan, it's -sU. 452 00:38:38,090 --> 00:38:44,300 If you're just doing a ping sweep, that's lowercase. You can even scan as if you were scanning from another 453 00:38:44,300 --> 00:38:46,460 machine; that's called the zombie scan. 454 00:38:46,910 --> 00:38:54,890 And then you have decoy scanning: if you want to set up several randomized IP addresses to scan a target 455 00:38:54,890 --> 00:38:55,940 from, you can do that. 456 00:38:57,350 --> 00:38:58,940 Let's talk about recon-ng. 457 00:38:58,970 --> 00:39:03,140 Recon-ng is a full-featured Web reconnaissance framework written in Python. 458 00:39:03,470 --> 00:39:07,490 So it has autonomous modules, database communication. 459 00:39:07,850 --> 00:39:20,600 It is very useful for keeping track of online reconnaissance efforts during the various phases of 460 00:39:20,600 --> 00:39:26,390 the information gathering process, so it looks and feels like the Metasploit framework, but it's very different 461 00:39:26,390 --> 00:39:27,140 from Metasploit. 462 00:39:27,410 --> 00:39:32,570 It's not designed to look for just existing modules.
463 00:39:32,570 --> 00:39:37,550 It can be modified, it can be configured in many ways. 464 00:39:37,850 --> 00:39:40,670 So if you need to use Metasploit for Metasploit, use Metasploit. 465 00:39:40,670 --> 00:39:46,400 If you're trying to do social engineering, use the Social-Engineer Toolkit. With recon-ng, 466 00:39:46,400 --> 00:39:56,210 they actually have quite a robust usage guide, and Python developers can actually create new 467 00:39:56,210 --> 00:39:58,220 modules, custom modules, along with that. 468 00:40:08,440 --> 00:40:10,420 So recon-ng does look like Metasploit. 469 00:40:13,160 --> 00:40:14,510 But it has its own flavor. 470 00:40:19,600 --> 00:40:24,490 So it's a modular system, and it makes it simple to create specialized modules. 471 00:40:24,500 --> 00:40:28,060 There are basic interfaces to 472 00:40:29,050 --> 00:40:40,060 perform tasks, and you're able to completely oversee things like API keys, and the hard work has been 473 00:40:40,060 --> 00:40:40,720 done for you. 474 00:40:42,250 --> 00:40:44,200 So this is a sample of what it looks like. 475 00:40:44,200 --> 00:40:48,040 Let's go ahead and jump into our virtual machine and we'll run through our process. 476 00:40:49,430 --> 00:40:49,700 All right. 477 00:40:49,700 --> 00:40:58,280 So recon-ng, if it's not installed by default in Kali Linux, you can do a sudo apt-get 478 00:40:58,280 --> 00:41:01,640 install recon-ng. 479 00:41:06,210 --> 00:41:11,130 And it's currently installed, the newest version 5.10.1-2. 480 00:41:11,670 --> 00:41:16,020 So now when you first launch it, you can just type in recon-ng. 481 00:41:18,410 --> 00:41:22,970 And you're going to see some red notifications, and that's perfectly fine. 482 00:41:23,000 --> 00:41:26,960 This means there's some things that have not been set, and that's no problem.
483 00:41:26,990 --> 00:41:34,640 So what we're going to do: there's 85 recon modules, there's 15 disabled modules, there's eight reporting 484 00:41:34,640 --> 00:41:37,220 modules, there's even exploitation modules. 485 00:41:37,220 --> 00:41:40,310 But this is not primarily an exploit tool. 486 00:41:41,180 --> 00:41:42,920 It's just not. 487 00:41:43,070 --> 00:41:45,650 So we can do some things here. 488 00:41:45,660 --> 00:41:46,940 We can say show. 489 00:41:50,610 --> 00:41:55,960 We can show companies, and there's currently no data right now. 490 00:41:55,960 --> 00:42:03,400 So in this particular case, notice that we have recon-ng and then we have a workspace name, which is default 491 00:42:03,400 --> 00:42:04,060 in this case. 492 00:42:04,420 --> 00:42:07,750 So what we want to do is we want to go ahead and type in workspaces. 493 00:42:08,530 --> 00:42:11,650 And if you do tab complete, you can type list. 494 00:42:12,040 --> 00:42:15,130 And notice we have two workspaces that have been already created. 495 00:42:15,820 --> 00:42:20,140 There's the default one, and then there's the one we created called Search Cop. 496 00:42:20,160 --> 00:42:30,370 Now, if we want to load a workspace, or workspaces, we can type workspaces load and type in the 497 00:42:30,370 --> 00:42:31,390 name of the workspace. 498 00:42:31,900 --> 00:42:40,300 And now, if we do show companies, you can see we have some targets of interest in here. 499 00:42:41,790 --> 00:42:45,060 There's also the ability to add contacts. 500 00:42:47,010 --> 00:42:51,570 So we have added a couple of contacts just to have some individuals in here. 501 00:42:52,120 --> 00:42:53,460 You know, we can see we have 502 00:42:56,610 --> 00:42:59,850 the John Smith, or Agent Smith, network admin. 503 00:43:00,270 --> 00:43:02,790 We have the region there in. 504 00:43:04,730 --> 00:43:06,800 And let's go ahead and fix something real quick.
505 00:43:07,370 --> 00:43:11,810 Let's go ahead and fix our display setting on Kali again. 506 00:43:11,840 --> 00:43:12,380 That way we 507 00:43:14,740 --> 00:43:22,030 have the better picture and everything is on the screen as it should be. 508 00:43:23,300 --> 00:43:25,760 So let's do 1024 by 768. 509 00:43:28,320 --> 00:43:29,220 And that's better. 510 00:43:29,310 --> 00:43:34,080 So we can kind of see a little bit, but this is still slightly cut off, and that's fine. 511 00:43:34,470 --> 00:43:41,670 So if we put in the question mark, we can actually see the different commands that there are. 512 00:43:47,230 --> 00:43:49,030 So we type in dashboard. 513 00:43:49,930 --> 00:43:53,440 Dashboard will give us a summary of what we currently have. 514 00:43:54,850 --> 00:43:58,600 When we show domains, we have our two domains here. 515 00:43:59,380 --> 00:44:07,210 If we show, we also have credentials, vulnerabilities; and the way recon-ng works is it works 516 00:44:07,210 --> 00:44:08,380 with keys. 517 00:44:09,040 --> 00:44:17,240 So if we do the keys list command, we can see that we have a couple of API keys loaded in here. 518 00:44:17,260 --> 00:44:23,360 Now you'll have to go to the various sites here to download your API key. 519 00:44:23,380 --> 00:44:30,790 What that means is you'll actually log in to the site and copy and paste your API key into here. 520 00:44:30,820 --> 00:44:35,790 Now, of course, you can put in fake keys as well. 521 00:44:35,800 --> 00:44:37,120 You don't have to put real keys. 522 00:44:37,660 --> 00:44:41,440 That's for demonstration purposes. 523 00:44:41,860 --> 00:44:43,000 That is good enough. 524 00:44:44,820 --> 00:44:48,270 And you can also take snapshots of different workspaces. 525 00:44:51,110 --> 00:44:54,400 And many other things you can do with this framework. 526 00:45:14,810 --> 00:45:17,740 So some of the things that have changed with the new recon-ng.
527 00:45:18,290 --> 00:45:20,870 It had a major update in June of 2019. 528 00:45:21,260 --> 00:45:24,860 From version 4.9.6 to 5.0.0. 529 00:45:25,550 --> 00:45:31,550 And the major differences are that recon-ng is now hosted on GitHub, and that's where you obtain 530 00:45:31,550 --> 00:45:32,330 it from, GitHub. 531 00:45:33,020 --> 00:45:36,170 It has the new version of Python, Python 3.6. 532 00:45:36,770 --> 00:45:39,620 The modules have been moved into a marketplace. 533 00:45:40,250 --> 00:45:47,360 And so if you do not have the environment set up, which initially you will not, 534 00:45:47,750 --> 00:45:50,060 there are a few things that you will want to do. 535 00:45:51,650 --> 00:45:53,720 So let's go and exit out and clear the screen. 536 00:45:54,110 --> 00:46:00,290 So for installing this, we have done the sudo apt-get install recon-ng, which we know is already 537 00:46:00,290 --> 00:46:00,860 installed. 538 00:46:01,310 --> 00:46:08,570 We can do a sudo apt-get upgrade, because you want to be on the latest and greatest version, which 539 00:46:08,570 --> 00:46:09,290 we are. 540 00:46:10,070 --> 00:46:19,670 We can also do sudo apt-get install -y python3-pip. 541 00:46:19,700 --> 00:46:22,910 Now if you already have this installed, that's great. 542 00:46:22,910 --> 00:46:24,950 On the new version of Kali Linux, 543 00:46:26,510 --> 00:46:32,540 the 2020.2, it's there, so we can change into recon-ng. 544 00:46:35,890 --> 00:46:43,060 Once we clone it; we're going to git clone 545 00:46:45,670 --> 00:46:58,960 https://github.com/lanmaster53/recon-ng.git. Now this is the GitHub repository. 546 00:47:01,440 --> 00:47:02,970 So we already have the framework here. 547 00:47:03,360 --> 00:47:03,690 But 548 00:47:07,400 --> 00:47:09,980 we can go ahead and clone the repository, and
549 00:47:13,750 --> 00:47:19,750 once the repository is cloned, then you will install some requirements. 550 00:47:22,730 --> 00:47:23,930 And you'll be ready to go. 551 00:47:48,160 --> 00:47:56,830 So now that we're done cloning the repository, what we'll want to do is go ahead and change into the 552 00:47:56,830 --> 00:47:58,150 repository directory. 553 00:47:59,380 --> 00:48:01,750 And of course, this will already be done, or we've already done this. 554 00:48:01,750 --> 00:48:10,660 But for demonstration purposes we'll do pip3 install -r requirements.txt. 555 00:48:14,610 --> 00:48:19,530 And that will make sure that all the appropriate requirements are installed 556 00:48:22,180 --> 00:48:24,010 for recon-ng to work properly. 557 00:48:38,910 --> 00:48:39,960 Typed it incorrectly. 558 00:48:40,140 --> 00:48:44,430 A lot of the other tools require this to be installed. 559 00:48:45,090 --> 00:48:51,240 So we'll notice that if it's already satisfied, then you'll get a pop-up like this. 560 00:48:52,230 --> 00:48:57,480 But now we have all the requirements and we can do a pip3 install. 561 00:49:05,260 --> 00:49:11,440 So pip3 install pypdf3, 562 00:49:13,950 --> 00:49:14,730 p, y, 563 00:49:18,300 --> 00:49:22,260 a, s, and b, for some other dependencies, 564 00:49:24,150 --> 00:49:29,430 to make sure that recon-ng is fully functional on the first go. 565 00:49:37,630 --> 00:49:43,240 So the first time you launch, you can actually launch and create a new workspace. 566 00:49:43,750 --> 00:49:45,580 What you can do is you can type in 567 00:49:49,800 --> 00:49:51,060 recon-ng 568 00:49:55,670 --> 00:49:58,220 -w, and then we can call it a workspace. 569 00:49:58,490 --> 00:50:04,220 Workspace test, and it will create us a test workspace. 570 00:50:04,220 --> 00:50:07,220 And it launched us into test. 571 00:50:07,220 --> 00:50:10,280 And so now we're going to show workspaces.
572 00:50:11,630 --> 00:50:12,480 Or workspaces. 573 00:50:12,710 --> 00:50:13,250 Not sure. 574 00:50:13,250 --> 00:50:16,940 Workspaces list. 575 00:50:17,600 --> 00:50:19,130 We now have three workspaces. 576 00:50:19,550 --> 00:50:28,340 So the first time you do it, you're going to use the marketplace and you're going to install all. 577 00:50:29,450 --> 00:50:29,660 Of course, 578 00:50:29,660 --> 00:50:33,500 in our case, everything is already installed, which is fine. 579 00:50:33,500 --> 00:50:37,340 It's just going to go through and check all the different modules to make sure they're good to go. 580 00:50:37,340 --> 00:50:43,460 You're going to see some red come across the screen for certain API keys that are not loaded, but 581 00:50:43,460 --> 00:50:44,540 that is not a problem. 582 00:50:50,850 --> 00:50:58,290 So it takes a little bit of time, and then when we're done with all the modules we can get into configuring 583 00:50:58,290 --> 00:51:01,380 some options and start adding in some data. 584 00:51:08,800 --> 00:51:12,940 So first we're going to look at the global options, and we're going to change the time- 585 00:51:12,940 --> 00:51:14,290 out for it. 586 00:51:14,290 --> 00:51:17,560 So basically the options are going to be in all caps. 587 00:51:18,850 --> 00:51:21,160 So we want to know that it is case sensitive. 588 00:51:21,670 --> 00:51:29,590 So we're going to do options list, and we see we've got the name server, which is fine. 589 00:51:29,890 --> 00:51:33,820 We're going to set, options set 590 00:51:37,470 --> 00:51:43,410 TIMEOUT 15, so it puts TIMEOUT with an arrow there. 591 00:51:43,950 --> 00:51:50,100 So we go back to options list, and we now see we have the TIMEOUT set to 15. 592 00:51:51,480 --> 00:51:54,780 If you try it and you don't put in the right case, it will not work. 593 00:51:56,340 --> 00:51:58,620 Let's go ahead and insert another domain.
594 00:51:59,490 --> 00:52:05,350 We'll do db insert domains, and we'll type in a domain. 595 00:52:05,370 --> 00:52:08,160 We'll do searchfirst.com. 596 00:52:09,180 --> 00:52:21,390 This is searchfirst, and we'll type in show domains, and we now have the new domain in this new workspace. 597 00:52:25,380 --> 00:52:27,370 So we have our work, we have our other workspaces. 598 00:52:27,380 --> 00:52:31,500 So you can have multiple workspaces to work from: multiple companies, multiple domains. 599 00:52:31,500 --> 00:52:34,680 So it becomes a very nicely organized utility. 600 00:52:35,730 --> 00:52:37,500 So how do we run a module? 601 00:52:37,530 --> 00:52:39,000 Well, let's go ahead and run a module. 602 00:52:39,750 --> 00:52:42,630 We do the modules command: modules load, domains 603 00:52:45,010 --> 00:52:47,110 and hosts in this case. 604 00:52:47,110 --> 00:52:54,640 We're just going to try an example, and notice that our prompt changed from our workspace and it added 605 00:52:54,640 --> 00:52:56,050 in the name of our module. 606 00:52:56,950 --> 00:53:06,280 So now we can type in run, and it's going to go out to that host. 607 00:53:06,730 --> 00:53:09,460 Sometimes it may not work if there is... 608 00:53:13,710 --> 00:53:15,750 there can be network issues there. 609 00:53:15,780 --> 00:53:19,050 There are a host of reasons why the module might not work. 610 00:53:22,380 --> 00:53:28,590 So we have to have something in the domains table first, because that particular module is going to start 611 00:53:28,590 --> 00:53:30,870 with something that's already in the domains table. 612 00:53:34,620 --> 00:53:40,140 So now we've seen how to install recon-ng, how to see what modules are available; you definitely 613 00:53:40,140 --> 00:53:41,430 should spend some time with it. 614 00:53:41,460 --> 00:53:46,530 There's a cheat sheet on the Black Hills InfoSec website, which you'll have the link to.
615 00:53:47,640 --> 00:53:54,630 You can take snapshots of workspaces as well, but it's a very intuitive, very user-friendly 616 00:53:54,780 --> 00:54:02,370 Maltego. Maltego is a tool that's created by a company called Paterva that is used to perform open source 617 00:54:02,370 --> 00:54:03,540 intelligence gathering. 618 00:54:03,990 --> 00:54:06,840 And essentially, it can collect information 619 00:54:08,880 --> 00:54:10,590 from many different locations. 620 00:54:12,760 --> 00:54:15,850 Things like real world links between groups of people, 621 00:54:15,880 --> 00:54:23,380 organisations, websites, domain names, network blocks, IP addresses and even documents and files. 622 00:54:28,240 --> 00:54:29,290 So if you go to the 623 00:54:35,980 --> 00:54:40,780 information gathering portion in Kali, and close down our terminal here. 624 00:54:41,230 --> 00:54:45,550 Let's go to the start menu, go to information gathering, and we click on Maltego, and it's going to 625 00:54:45,550 --> 00:54:47,290 open up the community edition 626 00:54:49,590 --> 00:54:50,250 of Maltego. 627 00:54:50,250 --> 00:54:51,750 You can also do it from the 628 00:54:54,980 --> 00:54:55,790 command line. 629 00:54:58,590 --> 00:55:03,060 And it's going to do some module setup and things, and then you'll be ready to go. 630 00:55:17,470 --> 00:55:22,170 So it says memory settings optimized, requires a restart. 631 00:55:22,180 --> 00:55:23,350 Sometimes you get that error. 632 00:55:23,600 --> 00:55:24,360 It's not really an error. 633 00:55:24,370 --> 00:55:29,620 It's just a warning, just to let you know that you want to tend to heed the warnings to make sure 634 00:55:29,620 --> 00:55:34,330 you're running the program at the best setting possible. 635 00:55:35,350 --> 00:55:41,500 So when you first set up Maltego, you have to set up... you can activate it with a key if you want to 636 00:55:41,500 --> 00:55:43,570 purchase the pro version, or the
637 00:55:44,740 --> 00:55:46,240 there's also a 638 00:55:48,010 --> 00:55:49,300 free version, their new CaseFile. 639 00:55:49,300 --> 00:55:51,070 We're going to run the community edition. 640 00:55:54,430 --> 00:55:57,430 Essentially you go down, you accept the license terms and agreement. 641 00:56:06,220 --> 00:56:12,730 And if you're not registered yet, you can go register here, and it'll open up a browser for you to register. 642 00:56:18,990 --> 00:56:21,630 And they give you the CAPTCHA to solve as well. 643 00:56:25,000 --> 00:56:28,450 That's going to redirect you to their website, of course, because it's doing authentication. 644 00:56:28,900 --> 00:56:30,700 It's going to ask you to unlock it 645 00:56:30,700 --> 00:56:31,360 in Kali. 646 00:56:34,590 --> 00:56:35,670 That's perfectly fine. 647 00:56:39,790 --> 00:56:42,160 So you put your information in here and then click register. 648 00:56:43,870 --> 00:56:44,710 I already registered. 649 00:56:44,710 --> 00:56:45,880 So I'm going to go ahead and 650 00:56:47,170 --> 00:56:48,190 skip this step. 651 00:57:09,960 --> 00:57:10,170 All right. 652 00:57:10,170 --> 00:57:14,490 I'm going to go ahead and put in my information and log in. 653 00:57:19,360 --> 00:57:20,290 Do the CAPTCHA. 654 00:57:21,040 --> 00:57:24,870 Probably timed out; of course the CAPTCHA was incorrect. 655 00:57:24,880 --> 00:57:27,220 So this happens all the time. 656 00:57:29,290 --> 00:57:30,310 There's lots of fun. 657 00:57:32,650 --> 00:57:33,790 That sent me a new one. 658 00:57:44,880 --> 00:57:45,990 And there we go. 659 00:57:46,020 --> 00:57:47,100 We're logged in. 660 00:57:53,090 --> 00:57:58,580 Once you're logged in, it will ask you to do some configuration. 661 00:58:00,050 --> 00:58:01,490 This is a summary of the 662 00:58:02,720 --> 00:58:03,500 install: 663 00:58:04,830 --> 00:58:07,950 what's been opened, what's been updated.
664 00:58:09,240 --> 00:58:13,860 And so I'm going to go ahead and say I want to automatically send error reports, and then you pick your 665 00:58:13,860 --> 00:58:14,400 privacy. 666 00:58:14,640 --> 00:58:16,620 Do you want stealth or do you want normal? 667 00:58:18,510 --> 00:58:21,270 I'll just keep it normal, because I'm not doing an investigation right here. 668 00:58:21,810 --> 00:58:23,280 So it's been successful. 669 00:58:23,790 --> 00:58:28,320 So we're going to open up an example graph so you can see what it kind of looks like. 670 00:58:28,770 --> 00:58:37,770 It's a very intuitive interface, and essentially it allows you to map out websites to different organizations, 671 00:58:37,770 --> 00:58:40,230 so we can click on an IP address. 672 00:58:41,570 --> 00:58:48,230 We can see different relationships, and the detailed view might take a little bit of explaining. 673 00:58:48,230 --> 00:58:49,640 This is actually from Maltego. 674 00:58:50,270 --> 00:58:52,910 We have incoming, outgoing, and we have a date. 675 00:58:55,560 --> 00:58:58,860 We can view things in different ways. 676 00:58:59,430 --> 00:59:02,640 If you want to change up the view, you can do that. 677 00:59:02,880 --> 00:59:06,240 If you want a graph view, or you want to see it by incoming and outgoing. 678 00:59:08,100 --> 00:59:10,800 You can see your different organizations here. 679 00:59:12,150 --> 00:59:16,500 Click on different buttons to change the way 680 00:59:17,920 --> 00:59:19,060 things are displayed. 681 00:59:24,790 --> 00:59:26,380 And see the machines 682 00:59:28,980 --> 00:59:29,580 window. 683 00:59:30,610 --> 00:59:31,710 Any usernames? 684 00:59:34,550 --> 00:59:37,250 You can also import data into Maltego as well. 685 00:59:37,250 --> 00:59:38,960 So it's a very robust program. 686 00:59:38,960 --> 00:59:41,240 Definitely spend some time with it. 687 00:59:41,450 --> 00:59:45,080 It will help you in your open source intelligence gathering.
688 59:56.480 --> 1:00:00.200 So now let's talk about Google hacking, or Google Dorking, as it's been called. 689 1:00:00.590 --> 1:00:09.230 It's utilizing a Web crawler, for example Google, to find things that might be on the Web that you 690 1:00:09.230 --> 1:00:12.910 may not necessarily want people finding. 691 1:00:12.920 --> 1:00:17.450 Or maybe somebody was just careless and forgot to make it private. 692 1:00:17.900 --> 1:00:18.380 So. 693 1:00:19.830 --> 1:00:24.570 Google hacking or Google Dorking can give us a lot of information. 694 1:00:25.260 --> 1:00:27.600 So let's go over to the Google Hacking Database. 695 1:00:36.860 --> 1:00:38.300 And this is part of Exploit- 696 1:00:38.330 --> 1:00:44.390 DB. It actually has a lot of already added Google dorks or hacks. 697 1:00:44.780 --> 1:00:48.020 Essentially the way it works is you pick what you want to find. 698 1:00:48.500 --> 1:00:53.360 Maybe you want files containing usernames, maybe you want sensitive directories. 699 1:00:54.620 --> 1:00:57.020 Maybe you want a particular type of server login. 700 1:00:57.500 --> 1:01:04.490 So what it's designed to do is essentially go out and crawl the web and optimize and focus your search 701 1:01:04.490 --> 1:01:05.210 process. 702 1:01:05.840 --> 1:01:08.060 So maybe you want to find servers that are vulnerable. 703 1:01:08.810 --> 1:01:09.650 So we'll see. 704 1:01:10.040 --> 1:01:12.110 We can click and copy this. 705 1:01:12.110 --> 1:01:15.620 If you click on an individual entry, it'll give you more information. 706 1:01:17.300 --> 1:01:20.760 We're just going to go ahead and open up a new tab in Google. 707 1:01:20.760 --> 1:01:24.470 You can actually paste it right in the browser, or you can go to the search engine. 708 1:01:24.490 --> 1:01:27.960 These are all the different hits that it came up with. Notice, 709 1:01:27.960 --> 1:01:32.160 instead of tens of thousands of results, you get a handful.
710 1:01:33.030 --> 1:01:39.540 So let's say maybe I want... let's go to the Google tab itself. 711 1:01:42.500 --> 1:01:43.700 Let's go to Google.com. 712 1:01:45.960 --> 1:01:47.540 And we'll grab another one. 713 1:01:47.550 --> 1:01:48.720 Let's go get a different one. 714 1:01:53.460 --> 1:01:54.780 Let's say we want index. 715 1:01:55.200 --> 1:01:58.290 So everything in the title of admin slash, and so on. 716 1:01:58.680 --> 1:02:01.500 Now this is essentially just using different keywords. 717 1:02:03.950 --> 1:02:11.810 So if you want to find out servers that are vulnerable to this particular setting, there's all kinds 718 1:02:11.810 --> 1:02:20.600 of lists of Google keywords. If you want to look at something all about a particular site, if you 719 1:02:20.600 --> 1:02:26.210 typed in site:cnn.com, you would get all the CNN.com results. 720 1:02:28.910 --> 1:02:34.940 Same thing with Facebook, facebook.com, you get all the Facebook results, and you can use these different 721 1:02:34.940 --> 1:02:35.500 keywords. 722 1:02:35.510 --> 1:02:37.930 You can also use the advanced search. 723 1:02:37.940 --> 1:02:43.190 If you go to settings from within Google, click on advanced search, and you can actually type in 724 1:02:43.580 --> 1:02:44.960 the keywords here as well. 725 1:02:44.960 --> 1:02:48.980 You've got, if you want to find maybe pages that are similar to the URL. 726 1:02:59.220 --> 1:03:04.500 Maybe you want exact words from your search, or maybe you want sites that are related. 727 1:03:04.500 --> 1:03:08.580 So let's say I want related:cnn.com. 728 1:03:10.180 --> 1:03:14.950 And it says unusual traffic, because sometimes when you do this, they'll think that maybe you're doing 729 1:03:14.950 --> 1:03:15.760 it from a robot. 730 1:03:15.770 --> 1:03:20.650 But again, so it gave me all the sites that are related to CNN dot com.
731 1:03:20.660 --> 1:03:26.770 So it's a very quick way to be able to research a target and find a lot of information. 732 1:03:26.770 --> 1:03:34.540 And there's all kinds of lists of the top Google hacks or dorks that are out there, and they get updated 733 1:03:34.540 --> 1:03:34.900 regularly. 734 1:03:34.900 --> 1:03:36.130 So these are some sample queries. 735 1:03:36.130 --> 1:03:40.660 So you could search for certain phrases in the page. 736 1:03:41.350 --> 1:03:47.500 You can look for certain phrases in a URL, maybe you want certain types of file formats. 737 1:03:47.560 --> 1:03:53.260 So there's a lot you can do with Google Dorking, if you want to; maybe you want to find passwords, 738 1:03:55.130 --> 1:03:58.400 or it's going to display usernames for database connections. 739 1:04:01.480 --> 1:04:07.090 So since we're on the Google Hacking Database, this is a screenshot from the Exploit-DB as well. 740 1:04:09.760 --> 1:04:11.110 And so that is 741 1:04:12.700 --> 1:04:17.920 our summary on information gathering: open source intelligence, reconnaissance, footprinting. 742 1:04:19.210 --> 1:04:26.740 This helps an individual and an organization figure out a way to retrieve data that would otherwise 743 1:04:26.740 --> 1:04:27.760 be harder to find. 744 1:04:27.790 --> 1:04:31.060 We talked about the different types of information gathering. 745 1:04:31.960 --> 1:04:36.970 We talked about semi-passive information gathering, and we talked about passive versus active. 746 1:04:37.600 --> 1:04:41.650 So passive being you're not interacting with the target, whereas active you actually are. 747 1:04:42.970 --> 1:04:46.000 You might also hear it called open document searches. 748 1:04:46.420 --> 1:04:50.200 We talked about the open source reconnaissance framework and how to install that. 749 1:04:51.340 --> 1:05:00.010 We looked at Uniscan for remote file include detection, local file include and remote command 750 1:05:00.010 --> 1:05:00.790 execution.
751 1:05:01.480 --> 1:05:03.370 We also looked at DirBuster. 752 1:05:07.180 --> 1:05:13.540 And we looked at nmap and Maltego as well. 753 1:05:15.030 --> 1:05:16.810 So now let's do some practice questions. 754 1:05:18.070 --> 1:05:19.030 Information gathering. 755 1:05:19.030 --> 1:05:20.680 Information gathering helps 756 1:05:20.680 --> 1:05:21.910 in what? 757 1:05:23.260 --> 1:05:30.910 Gathering passive and active info about the target, helps in setting up a lab, helps in preventing attacks, 758 1:05:32.890 --> 1:05:35.140 helps in alerting admins on attack. 759 1:05:38.490 --> 1:05:43.710 The answer, of course, is A, gathering passive and active information about a potential target. 760 1:05:45.320 --> 1:05:48.260 Number two, one of the two main types of information gathering. 761 1:05:50.100 --> 1:05:51.300 Active and passive. 762 1:05:51.840 --> 1:05:53.160 Pro and community. 763 1:05:54.360 --> 1:05:56.070 Proactive and reactive. 764 1:05:56.910 --> 1:05:58.050 Up or down. 765 1:06:03.940 --> 1:06:07.030 The answer is, of course, active and passive, as we just discussed. 766 1:06:07.030 --> 1:06:10.330 So remember the different methods of information gathering. 767 1:06:10.360 --> 1:06:15.640 They will help you paint the biggest, broadest picture of your target. 768 1:06:16.720 --> 1:06:21.760 Number three, one of the prerequisite software packages needed to run the open source intelligence framework. 769 1:06:23.510 --> 1:06:30.230 Do you need Node.js, do you need Python, shell, or nmap? 770 1:06:31.190 --> 1:06:33.260 The correct answer is, of course, Node.js. 771 1:06:39.840 --> 1:06:44.580 Number four, what does uniscan do? Uniscan 772 1:06:44.580 --> 1:06:47.430 performs remote code execution vulnerability scans, 773 1:06:49.800 --> 1:06:52.260 performs SQL injection vulnerability scans, 774 1:06:53.780 --> 1:06:58.070 performs port scans on the target, or none of the above.
775 1:07:02.230 --> 1:07:05.790 And the correct answer is A, remote code execution. 776 1:07:05.800 --> 1:07:07.360 So RCE. 777 1:07:09.910 --> 1:07:11.710 What is the main purpose of nmap? 778 1:07:14.680 --> 1:07:22.990 A, network vulnerability scans, B, web application scans, or C, network troubleshooting and pen testing, 779 1:07:25.180 --> 1:07:26.680 or man-in-the-middle attacks. 780 1:07:32.990 --> 1:07:38.480 The correct answer is, of course, network troubleshooting and pen testing, and it can be used as a 781 1:07:38.480 --> 1:07:41.810 vulnerability scanner, but that is not the main purpose. 782 1:07:41.810 --> 1:07:47.990 It's also not a web application scanner; a better web application scanner tool would be something like 783 1:07:48.200 --> 1:07:48.650 auto. 784 1:07:50.470 --> 1:07:54.140 So these are some of the acronyms we talked about: open source intelligence. 785 1:07:54.140 --> 1:07:58.490 We talked about the Google Hacking Database, the open source reconnaissance framework, 786 1:07:59.150 --> 1:08:01.760 remote file include, local file include. 787 1:08:02.540 --> 1:08:02.790 Okay. 788 1:08:03.620 --> 1:08:08.900 So in summary, we looked at information gathering, we looked at open source reconnaissance, looked 789 1:08:08.910 --> 1:08:14.210 at some of the various tools, as well as how to do Google hacking or Google Dorking. 790 1:08:17.150 --> 1:08:19.040 And I thank you very much for your attention. 791 1:08:20.210 --> 1:08:26.180 I hope you enjoyed the module and you learned a lot more now about open source intelligence gathering 792 1:08:26.570 --> 1:08:31.130 than you knew before, and we'll see you guys in the next module. 793 1:08:33.870 --> 1:08:36.420 Friendly product.
