Let's go over some tools. The first tool for passive reconnaissance that I recommend, and that we're going to look at, is recon-ng. Recon-ng is one of the most powerful tools for conducting passive reconnaissance using open source intelligence. So this is normally one of the first tools that you want to run when you're doing reconnaissance for something like a penetration test, because it's going to let you gather a lot of different information. You can learn things like IP addresses and how companies name their accounts: do they use first initial and then last name, or first name dot last name, stuff like that. Also locations, like where the servers are located and where the businesses are located. You can actually figure out what users are on the network, and you can combine that with IP addresses or account naming conventions, and I can actually get user names. You can also get email addresses, because those are typically publicly available. Or, if you just know the naming convention and you know the name of the company's domain, you can make a list of email addresses. And you can also find passwords, because there are plenty of breached password databases online that have been released to the public. And you'll see that a lot of people reuse passwords.
They might have had one of their accounts breached in the past, and their password has been out there, and they might use that password everywhere else. You never know. So you can get a list of passwords, and then there's just a ton more information that we can get from recon-ng. So it's a very, very useful and robust tool for conducting passive reconnaissance without even being detected.

OK, so if we actually want to go about installing recon-ng, we're just going to run these commands really quick. You're going to git clone the recon-ng git repository, and we're going to put it into a folder; let's call it recon-ng. So it's going to create that recon-ng directory inside this directory, and that's where it's going to be. And then, if we want to execute it, we're going to change into that directory and then run ./recon-ng, and we're going to be good to go. We can check out the user interface, so let's go ahead and try that out. Back in the Kali Linux machine, let's go ahead and run recon-ng. And when you run it, you're going to see this nice little ASCII picture pop up.
The first thing you might want to do is type in help, which is going to give you a list of all the different commands that you can run right now. You can explore and play with these yourself; we're not going to go over all of these. The first thing we want to do is look at the bottom, where you see workspaces. You can create different workspaces to logically separate things and have some structure. Maybe you're looking at two different domains: you might want one workspace for each one, and you can work inside each one and keep things separated in its own space. We can create one: workspaces create ethical hacking. So now we're inside of the ethical hacking workspace.

Now, where the power of recon-ng comes from is all the modules, and we can look at them with the marketplace command. So marketplace search is going to give us a list of all the different modules. It has modules for a lot of different things you can do that can look for stuff on Twitter, GitHub, Shodan, VirusTotal, Bing, Google; all kinds of different stuff is on here. So it's a very, very powerful tool, and you can really gather a lot of information from it. OK, so the one we're going to use right now is called hackertarget.
So we're going to install that module. What we can do is marketplace install hackertarget. So now that module is downloaded, and now we can do modules load hackertarget, and it's actually going to open up that module and take us into it. So one thing we can do is type in info, and it's just going to give us info about it: it uses the hackertarget.com API to find host names for our target, our source. Right now I had this set before to google.com, but you can do options list and it'll show the different things that you can actually set. So right now I have it set to google.com, but if you want to change it to something else, you do options set SOURCE, maybe facebook.com or something. So now the source is set to that. So let's actually go back to google.com, just because that's what I wanted to do, keep it nice and neutral. So google.com. So now we have our source set to google.com, so we can actually go ahead and run this and it's going to gather information for us. So run and enter. Now it's finding all kinds of stuff on the Internet: IP addresses, host names of different things related to google.com.
So we found a total of 501 different hosts. OK, and these are public hosts. And of course Google has thousands of servers, probably, so that's probably what a lot of these are. So you can already see the power behind this tool, especially if you're working with a very specific domain for a very specific company. This can be something where, if you're on a pentest and you're trying to figure out, you know, maybe there is a server out there that they're not really monitoring very closely. If you can get a list of all of them, like maybe 10 servers, you can go ahead and look into them and maybe find weaknesses on one, just from this open source intelligence right here. So, very, very useful tool.

There are also other modules that we can use. So if you want to exit this module, you just type in back, and we're still inside of the ethical hacking workspace. So another one that we can install is marketplace install; we can install the Google one, google_site_web. So we're going to install that and then we're going to load it: modules load google. There we are. You don't have to finish this; you just hit tab to autocomplete and go to the right one.
So what we can do here, once again, is just type in info. So this harvests hosts from google.com using the site search operator. If you know some Google hacking, then you know what that means. It's just going to use Google to search the entire web for the different hosts, and then it's going to update the hosts table with whatever results it finds. We can do options list again, even though it's right there. So options list, so source; we can change that if we want. So options set SOURCE; let's say we want to do amazon.com or something. There we go. Cool. So now we can run. And it's going to go on Google and query Google for all the different sites linked to amazon.com, and it's finding a bunch of different subdomains, all kinds of stuff. So it's finding lots. OK, so of course these are gigantic companies that have thousands and thousands of pages and such, so it's going to fill up that database. So there are a lot of different things that it is finding, so it's pretty cool. So right here it actually says it found 20 hosts. So that's pretty neat.
So there are a lot of different modules that we can use to find information, like maybe we want to gather a list of hosts. OK, so another module I want to show you guys is the netcraft module. So we're just going to install that one and then do modules load netcraft, and then let's do a quick info so we can figure out what it is. So it's going to harvest hosts from netcraft.com and then update the hosts table as well, and we'll look at that shortly. So you set the source here as well: options set SOURCE, let's say we want to do dohackers.com. There we go. Cool. Let's see what we can find from this. Right. Here we go. That was actually pretty quick, because it's a little bit more specific and probably a much smaller site. So we're using Netcraft to actually get us some different hosts. So it didn't pull out IP addresses or anything, but it did pull out some different subdomains that maybe we can look at; some of them could have some vulnerabilities. So there are different ways that we can gather this open source intelligence and really get a lot of hosts together.
So if we have free range to try to hack into a network, the best way to do it is to figure out what hosts are actually out there. OK, so there's another one that we can actually use, say we want to gather some email addresses, or just gather some users or something. One that we can use is the whois_pocs module. So let's install that and then let's load it: modules load whois_pocs, and you just hit enter, and then we can do info. So it's going to start searching the Internet and harvest POC, your point of contact data, from whois queries for a given domain. So let's actually set it, just to not put people's personal information out there, and see if we can find anything on my domain. So let's do options set SOURCE and then my domain, and then run and see what we can find. No contacts found. Great, they can't find any of my stuff on the Internet. That's perfect. So let's try to set the source to google... or let's try github.com. There you go. So it's all open source, so it's all, you know, legal. So we're getting some good e-mail addresses here.
First and last names, all kinds of different stuff; it's all publicly available information. And so then we can use this information for maybe some social engineering attempts, sending them a malicious link, stuff like that. So it's pretty neat.

OK, so there's another module I want to show you guys, again for looking for some e-mail addresses. So marketplace install pgp_search; we can do that and then we can load the module, modules load pgp_search, and then we can do info, just to learn a little bit more about it. So it pretty much searches online for email addresses for a domain. So let's go ahead; the options here are just source again. So options set SOURCE, and this time let's do bing.com. There we go. Cool, bing.com. So now we're going to run this and it's going to gather a lot of information. So it gathered a lot of different... This one is probably fake, Johnny Appleseed, or "bong none". So Bing seems like they're pretty smart; they have some fake addresses and stuff out there. So that's pretty useful.
So there are a couple of different ways that you can actually figure out IP addresses and e-mails for you to use in some aspects of attacks, different things like that. OK, so there's another module I want to make you guys aware of, just because it can be very, very useful when you're actually doing a penetration test out in the real world: it's going to be the hibp module. So what this does is it takes all the email accounts in your database that you've gathered and compares them against the Have I Been Pwned site, and it lets you know if the passwords have actually been leaked before. So you can use that information to go actually find those passwords online. I'm not going to show this, just because of the sensitivity behind it, because it would kind of be me assisting in compromising some people, so I'd rather not do that. But I just want you guys to know the capability, because this can be very helpful in the real world when you're actually doing penetration tests and trying to help a company protect themselves: you can let them know, hey, they've been compromised, and I was able to go online really quick and get their password and log into your stuff.
So you just install that, and it's going to tell you right here that it will likely fail if you don't have the API key for it. So you'd have to go to the website and actually get the API key, and you'll be able to use the keys command. Like, if you do help, you see there's a keys command right here. It lets you put in different API keys, because some modules require those keys to actually be used, and these are usually the more powerful ones, like this one. Pretty useful. So there's keys, and then you add your API key and you'll be good to go.

OK, so one last module I want you guys to be aware of is the HTML module. So it's going to allow you to actually create a report, so you can go ahead and install it. And you can ignore that one right there. So we can do modules load html and then do info, and it's going to show us the different options. It just creates an HTML report so you can look at everything that you gathered so far. So we have to set some options here; those are all required, so we're going to give an option for them, or at least for the first two. So let's do options set CREATOR. And here we go. And options set CUSTOMER.
Udemy students. There we go. So now we can actually run this and it's going to create a report, and it created the report in this location. So if you want to just check the report, you can actually go to any browser. So I should be able to just copy this. Copy it, and let's put it in our browser and see what happens. So it's actually going to go ahead and load it, and it says, hey, we have 526 hosts here, and we found 20 contacts. It'll actually show us the hosts that we found. It's pretty cool; it's actually organized very well, has IP addresses in there, and if we had any other information it would fill out these other columns as well. And then it has the contacts: so we have some names, e-mail addresses, different stuff. These are most likely fake; some could be real, some could be fake, but whatever. So this is a pretty, pretty powerful tool. I think it's very useful, especially when you're doing external penetration testing and you're really trying to get in from the outside. Usually anything is fair game, so it's just real work. So I hope that you see the power of recon-ng.
And I hope that you actually play around with it more and master it, OK?
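As an added example (this script is the editor's, not part of the course and not recon-ng's own code), the following Python reads the kind of data the modules above leave in a workspace and turns it into the two things the lecture keeps coming back to: a summary of harvested hosts and contacts, and an e-mail list built from the company's account naming convention. It assumes recon-ng keeps each workspace in a SQLite file at ~/.recon-ng/workspaces/<name>/data.db with `hosts` and `contacts` tables whose columns include host, ip_address, module and first_name, last_name, email, module. The in-memory database it builds is constructed sample data (reserved example.com names, TEST-NET addresses), so it runs offline.

```python
"""Summarise a recon-ng workspace and derive an e-mail naming convention.

Added example, not from the course or from recon-ng. The workspace path and
table/column names below are assumptions about recon-ng's SQLite layout; the
sample rows are made up so the script can run without a real workspace.
"""
import re
import sqlite3
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Naming conventions the lecture mentions (first.last, first initial + last)
# plus a few others seen in practice. Each builds the local part of an address.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def open_workspace(name: str) -> sqlite3.Connection:
    """Open a real workspace read-only (path is an assumption about recon-ng)."""
    path = Path.home() / ".recon-ng" / "workspaces" / name / "data.db"
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a workspace; every row is fictitious."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT);"
        "CREATE TABLE contacts (first_name TEXT, last_name TEXT, email TEXT, module TEXT);"
    )
    db.executemany("INSERT INTO hosts VALUES (?, ?, ?)", [
        ("www.example.com", "203.0.113.10", "hackertarget"),
        ("mail.example.com", "203.0.113.25", "hackertarget"),
        ("dev.example.com", None, "netcraft"),          # netcraft gave names, no IPs
        ("blog.example.com", None, "google_site_web"),
    ])
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", [
        ("Jane", "Doe", "jane.doe@example.com", "whois_pocs"),
        ("John", "Smith", "john.smith@example.com", "pgp_search"),
        ("Mary", "O'Brien", "mary.obrien@example.com", "pgp_search"),
        ("Alice", "Smith", "asmith@example.com", "pgp_search"),  # older account style
        (None, None, "abuse@example.com", "whois_pocs"),          # role mailbox, no person
        ("Grace", "Hopper", None, "manual"),                      # name known, no address yet
    ])
    db.commit()
    return db


def _norm(s: Optional[str]) -> str:
    """Lower-case and keep only a-z, so "O'Brien" becomes "obrien"."""
    return re.sub(r"[^a-z]", "", (s or "").lower())


def summarize(db: sqlite3.Connection) -> Dict:
    """Counts like the HTML report shows, plus hosts that still lack an IP."""
    hosts = db.execute("SELECT host, ip_address, module FROM hosts").fetchall()
    contacts = db.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]
    return {
        "hosts": len(hosts),
        "contacts": contacts,
        "hosts_by_module": dict(Counter(m for _, _, m in hosts)),
        "hosts_without_ip": sorted(h for h, ip, _ in hosts if not ip),
    }


def infer_convention(db: sqlite3.Connection, domain: str) -> Optional[str]:
    """Vote over harvested contacts: which convention reproduces their local part?"""
    votes: Counter = Counter()
    rows = db.execute(
        "SELECT first_name, last_name, email FROM contacts WHERE email LIKE ?",
        (f"%@{domain}",),
    )
    for first, last, email in rows:
        f, l = _norm(first), _norm(last)
        if not f or not l:
            continue  # role mailboxes (abuse@, info@) say nothing about people
        local = email.split("@", 1)[0].lower()
        for label, build in CONVENTIONS.items():
            if build(f, l) == local:
                votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


def candidate_emails(db: sqlite3.Connection, domain: str,
                     names: Optional[List[Tuple[str, str]]] = None) -> List[str]:
    """Apply the winning convention to names that have no address yet."""
    convention = infer_convention(db, domain)
    if convention is None:
        return []
    build = CONVENTIONS[convention]
    if names is None:
        names = db.execute(
            "SELECT first_name, last_name FROM contacts WHERE email IS NULL"
        ).fetchall()
    out = set()
    for first, last in names:
        f, l = _norm(first), _norm(last)
        if f and l:
            out.add(f"{build(f, l)}@{domain}")
    return sorted(out)


if __name__ == "__main__":
    db = build_sample_db()  # swap for open_workspace("ethical hacking") on a real box
    print(summarize(db))
    print(infer_convention(db, "example.com"))
    print(candidate_emails(db, "example.com"))
    print(candidate_emails(db, "example.com", [("Ada", "Lovelace")]))
```

The vote deliberately ignores role mailboxes and names without an address, because one abuse@ entry would otherwise skew the result. The generated addresses are only candidates: they should be verified (for example against the mail server or a login page's response) before anyone builds a phishing or password-spray list from them, which is also the point at which a pentest scope needs to say explicitly that such activity is allowed.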