1
00:00:00,060 --> 00:00:01,620
Let's go over some tools.

2
00:00:03,070 --> 00:00:09,070
The first tool for passive reconnaissance that I recommend that we're going to look at is recon and

3
00:00:09,670 --> 00:00:15,730
now we of is one of the most powerful tools for conducting passive reconnaissance, using open source

4
00:00:15,730 --> 00:00:16,320
intelligence.

5
00:00:16,360 --> 00:00:20,170
So this is normally one of the first tools that you want to run when you're doing reconnaissance for

6
00:00:20,170 --> 00:00:25,210
like a penetration test, because I'm going to let you gather a lot of different information and you

7
00:00:25,210 --> 00:00:30,550
can learn stuff like, you know, IP addresses, how companies name their accounts.

8
00:00:30,550 --> 00:00:35,560
So, you know, do these first initial and then last name is a first name, DOT, last name, stuff

9
00:00:35,560 --> 00:00:42,220
like that for all locations like where the servers are located, where businesses are located, you

10
00:00:42,220 --> 00:00:47,080
can actually figure out, you know, users like what users are on the network, you know, and you can

11
00:00:47,080 --> 00:00:50,810
combine that, you know, with IP addresses or account naming conventions.

12
00:00:50,830 --> 00:00:52,450
I can actually get user names.

13
00:00:52,820 --> 00:00:56,230
You can also get email addresses because those are typically publicly available.

14
00:00:56,590 --> 00:01:01,750
Or if you just know the naming convention and you know the name of the company's domain, you can make

15
00:01:01,750 --> 00:01:06,070
a list of email addresses and you can also you can find passwords because there's plenty of password

16
00:01:06,070 --> 00:01:09,700
breached databases online that I probably have that have been released to the public.

17
00:01:09,700 --> 00:01:12,460
And you'll see that a lot of people use passwords.

18
00:01:12,490 --> 00:01:17,110
They might have had one of their accounts in the past breached before and their password has been out

19
00:01:17,110 --> 00:01:17,260
there.

20
00:01:17,260 --> 00:01:18,880
And they might use that password everywhere else.

21
00:01:18,880 --> 00:01:19,330
You never know.

22
00:01:19,340 --> 00:01:23,680
So you can get a list of passwords and then there's just a ton more of information that we can get from

23
00:01:23,680 --> 00:01:24,240
Recology.

24
00:01:24,250 --> 00:01:29,560
So it's a very, very useful and robust tool for conducting passive reconnaissance without even being

25
00:01:29,560 --> 00:01:30,160
detected.

26
00:01:30,220 --> 00:01:34,150
OK, so if we actually want to go about installing we kind of energy with somebody just going to run

27
00:01:34,150 --> 00:01:35,290
these commands really quick.

28
00:01:35,470 --> 00:01:40,510
So you're going to get Klown on the recon energy get repository and we're going to paste it into that

29
00:01:40,510 --> 00:01:43,480
folder right this up reconning.

30
00:01:43,510 --> 00:01:51,280
So it's going to create that kind of energy directory inside this directory and then that's what it's

31
00:01:51,280 --> 00:01:51,670
going to be.

32
00:01:51,700 --> 00:01:55,210
And then if we want to execute it, what is going to change to that directory?

33
00:01:55,510 --> 00:02:00,040
And then we're going to do a slash reconning and then we're going to be good to go.

34
00:02:00,090 --> 00:02:01,280
We could check out the user interface.

35
00:02:01,280 --> 00:02:02,210
So let's go ahead and try that out.

36
00:02:02,230 --> 00:02:03,990
So back in the colonics machine.

37
00:02:04,000 --> 00:02:05,930
So let's go ahead and run reconning kind of.

38
00:02:06,310 --> 00:02:10,300
And when you run it, you're going to see this nice little Simmi picture pop up.

39
00:02:10,300 --> 00:02:13,930
The first thing you might want to do is type in help is going to give you a list of all the different

40
00:02:13,930 --> 00:02:15,490
commands that you can do right now.

41
00:02:15,640 --> 00:02:17,820
You can kind of explore and play with these yourself.

42
00:02:17,830 --> 00:02:19,640
We're not going to go over all of these.

43
00:02:19,720 --> 00:02:20,200
Go ahead.

44
00:02:20,200 --> 00:02:24,220
The first thing we want to do is look at the bottom, where you see it as workspaces so you can create

45
00:02:24,220 --> 00:02:29,020
different workspaces to kind of logically separate things and have some structure.

46
00:02:29,020 --> 00:02:30,940
Like maybe you're looking at two different domains.

47
00:02:30,940 --> 00:02:36,160
You might want one workspace for each one and you can work inside of each one, you know, kind of keep

48
00:02:36,160 --> 00:02:38,050
things separated in your own space.

49
00:02:38,230 --> 00:02:39,310
We can create one.

50
00:02:39,310 --> 00:02:44,730
So workspaces create ethical hacking.

51
00:02:45,190 --> 00:02:52,450
So now we're inside of the ethical hacking workspace now where the power of reconned energy comes from

52
00:02:52,450 --> 00:02:58,270
is from all the modules, these modules, we can look at them with the marketplace come in.

53
00:02:58,600 --> 00:03:02,740
So Marketplace Search is going to give us a list of all the different modules.

54
00:03:02,740 --> 00:03:08,500
So it has links to a lot of different things you can do that can look for stuff on Twitter, GitHub,

55
00:03:08,500 --> 00:03:14,890
Shodan, IO virus, total, all kinds of different stuff being Google, all kinds of stuff is on here.

56
00:03:14,890 --> 00:03:16,450
So it's very, very powerful tool.

57
00:03:16,450 --> 00:03:19,650
You can really gather a lot of information from it.

58
00:03:19,660 --> 00:03:23,950
OK, so one we're going to use right now is called Hacker Target.

59
00:03:23,960 --> 00:03:26,080
So we're going to load we're going to install that module.

60
00:03:26,290 --> 00:03:28,540
So what we can do is marketplace.

61
00:03:30,560 --> 00:03:33,750
Install hacker target.

62
00:03:35,270 --> 00:03:44,180
So now that module is downloaded and now we can do modules, load hacker target and is actually going

63
00:03:44,180 --> 00:03:47,600
to, you know, open it, open up that module and take us into there.

64
00:03:47,810 --> 00:03:52,220
So one thing we could do is type in info and it's going it's just going to give us info about it.

65
00:03:52,230 --> 00:03:57,980
So uses Hacker to target dotcom API, different host names for our target area for our source.

66
00:03:58,220 --> 00:04:04,550
So right now I had this set before for Google dot com, but if you you can do options list and it'll

67
00:04:04,550 --> 00:04:06,680
show the different things that you can actually set.

68
00:04:06,920 --> 00:04:11,000
So right now I have a set of Google dot com, but if you want to change it to something else, you two

69
00:04:11,000 --> 00:04:17,780
options, set source, maybe like Facebook dot com or something, you know.

70
00:04:17,900 --> 00:04:19,460
So now the source is set to that.

71
00:04:19,470 --> 00:04:23,870
So let's actually go back to Google dot com just because that's what I wanted to do, keep it nice and

72
00:04:23,870 --> 00:04:24,470
neutral.

73
00:04:24,890 --> 00:04:26,280
So Google dot com.

74
00:04:27,170 --> 00:04:32,780
So now we have our source set to Google dot com so we can actually go ahead and run this and it's going

75
00:04:32,780 --> 00:04:34,130
to gather information for us.

76
00:04:34,440 --> 00:04:36,410
So run and enter.

77
00:04:36,650 --> 00:04:42,950
So now I found this finding all kinds of stuff on the Internet, IP addresses, host names of different

78
00:04:43,370 --> 00:04:46,330
things related to Google dot com.

79
00:04:46,340 --> 00:04:49,980
So we found a total of five hundred and one different hosts.

80
00:04:50,010 --> 00:04:52,120
OK, and these are public shows.

81
00:04:52,130 --> 00:04:55,460
And of course, Google has thousands of servers, probably.

82
00:04:55,640 --> 00:04:57,210
So that's probably what a lot of these are.

83
00:04:57,320 --> 00:05:01,880
So you can already see like kind of the power behind this tool, especially if you're working with a

84
00:05:01,880 --> 00:05:04,750
very specific domain for a very specific company.

85
00:05:04,970 --> 00:05:09,280
So this can be something where if you're on a princess and you're trying to figure out, you know,

86
00:05:09,290 --> 00:05:15,440
maybe there is a server out there that, you know, that they're not really monitoring very closely.

87
00:05:15,440 --> 00:05:20,240
If you can get a list of all of them, like maybe 10 servers, you can go ahead and look into them and

88
00:05:20,240 --> 00:05:25,830
maybe find weaknesses on one, you know, just from this open source intelligence right here.

89
00:05:25,850 --> 00:05:27,570
So very, very useful tool.

90
00:05:27,590 --> 00:05:29,990
There's also other modules that we can use.

91
00:05:29,990 --> 00:05:32,780
So if you want to extract this module, you just type in back.

92
00:05:33,020 --> 00:05:35,650
And we're still inside of the ethical hacking workspace.

93
00:05:35,650 --> 00:05:40,310
So another one that we can install is marketplace install.

94
00:05:40,700 --> 00:05:42,200
We can install the Google one.

95
00:05:42,200 --> 00:05:45,850
So Google UniSuper site on the Web.

96
00:05:46,250 --> 00:05:48,680
So we're going to install that and then we're going to load it.

97
00:05:48,710 --> 00:05:52,640
So modules load Google.

98
00:05:53,840 --> 00:05:54,340
There we are.

99
00:05:54,530 --> 00:05:55,920
You don't have to finish this.

100
00:05:55,930 --> 00:06:00,470
You just hit internal autocomplete and go to the right one.

101
00:06:00,710 --> 00:06:03,590
So what we can do here once again is just type in info.

102
00:06:03,770 --> 00:06:08,600
So this harvest host from Google dot com using the site search operator.

103
00:06:09,020 --> 00:06:12,350
If you know some Google hacking, then you know what that means.

104
00:06:12,650 --> 00:06:18,440
You're just going to find PREDACIOUS, find it, use Google to search the entire Web script web for,

105
00:06:18,440 --> 00:06:19,460
you know, the different hosts.

106
00:06:19,700 --> 00:06:25,190
And then it's going to, you know, update the host table with whatever results that it finds we can

107
00:06:25,190 --> 00:06:27,220
do options list again, even though it's right there.

108
00:06:27,230 --> 00:06:29,060
So options list, so source.

109
00:06:29,060 --> 00:06:31,070
So we can change that if we want.

110
00:06:31,080 --> 00:06:34,820
So options said source.

111
00:06:35,540 --> 00:06:39,910
Let's say we want to do Amazon.com or something.

112
00:06:40,250 --> 00:06:40,930
There we go.

113
00:06:41,100 --> 00:06:41,530
Cool.

114
00:06:41,780 --> 00:06:43,160
So now we can run.

115
00:06:44,150 --> 00:06:49,730
And it's going to find it's going to go on Google is great, Google for all the different sites linked

116
00:06:49,730 --> 00:06:53,660
to emphasize it was finally a bunch of different subdomains, all kinds of stuff.

117
00:06:53,660 --> 00:06:55,550
So it's finding lots.

118
00:06:55,890 --> 00:07:01,440
OK, so of course, these are gigantic companies that have thousands and thousands of pages and such.

119
00:07:01,460 --> 00:07:04,010
So it's going to fill it's going to fill up that database.

120
00:07:04,020 --> 00:07:05,820
So a lot of different things that it is finding.

121
00:07:05,840 --> 00:07:06,490
So it's pretty cool.

122
00:07:06,800 --> 00:07:10,890
So right here actually says it found 20, 20 hosts.

123
00:07:10,910 --> 00:07:12,320
So that's pretty neat.

124
00:07:12,500 --> 00:07:20,990
So these are there's a lot of different modules that we can use to find information, like maybe we

125
00:07:20,990 --> 00:07:22,340
want to gather a list of those.

126
00:07:22,470 --> 00:07:25,760
OK, so another module I want to show you guys is the Nekrasov module.

127
00:07:25,770 --> 00:07:32,960
So we're just going to install that one and then do modules load net craft and then let's do a quick

128
00:07:32,960 --> 00:07:35,180
info's so we can figure out, you know, what it is.

129
00:07:35,390 --> 00:07:42,110
So it's going to harvest host from that crap dot com and then update the host table as well.

130
00:07:42,110 --> 00:07:43,550
And we'll look at that shortly.

131
00:07:43,580 --> 00:07:45,470
So you set the source here as well.

132
00:07:45,470 --> 00:07:56,360
So the options search source, let's say we want to do do hackers dot com.

133
00:07:56,360 --> 00:07:56,860
There we go.

134
00:07:56,910 --> 00:07:57,260
Cool.

135
00:07:57,740 --> 00:07:59,330
See what we can find from this.

136
00:07:59,340 --> 00:07:59,720
Right.

137
00:07:59,810 --> 00:08:00,420
Here we go.

138
00:08:01,160 --> 00:08:05,390
That was actually pretty quick because there's a little bit more specific and probably a much smaller

139
00:08:05,390 --> 00:08:05,840
site.

140
00:08:05,850 --> 00:08:10,340
So we using that craft to actually, you know, get us some different hosts.

141
00:08:10,610 --> 00:08:16,250
So it didn't pull out IP, IP addresses or anything, but it did pull out some different, like subdomains

142
00:08:16,460 --> 00:08:17,810
that maybe we can look at.

143
00:08:17,810 --> 00:08:21,160
It could, you know, some of them could be have some vulnerabilities.

144
00:08:21,350 --> 00:08:27,710
So there's different ways that we can gather this, you know, open source intelligence and really get

145
00:08:27,710 --> 00:08:28,900
a lot of hosts together.

146
00:08:29,060 --> 00:08:35,510
So if we have, you know, free range to try to hack into a network, the best way to do it is to figure

147
00:08:35,510 --> 00:08:37,620
out, you know, what holes are actually out there.

148
00:08:38,030 --> 00:08:42,850
OK, so there's another one that we can actually use to say we want to gather some email addresses,

149
00:08:42,860 --> 00:08:46,500
OK, or some, you know, just gather some users or something.

150
00:08:46,550 --> 00:08:49,460
One that we can use the Who is Peel's CS module.

151
00:08:49,670 --> 00:08:51,920
So let's do that and then let's load it.

152
00:08:51,930 --> 00:08:57,800
So modules load who is and you just hit enter and then we can do info.

153
00:08:58,010 --> 00:09:02,960
So it's going to start searching the Internet and Harvest's p.l.c..

154
00:09:02,960 --> 00:09:06,610
Your point of contact data from, you know, who is queries for a given domain.

155
00:09:06,950 --> 00:09:11,440
So let's actually set it equal just to not put people's personal information out there.

156
00:09:11,490 --> 00:09:13,450
See if you can find anything on my domain.

157
00:09:13,880 --> 00:09:20,100
So let's do options source and then its numbers are.

158
00:09:20,120 --> 00:09:24,290
Com, they would go and then run and see what we can find.

159
00:09:24,650 --> 00:09:25,730
No contacts found.

160
00:09:25,730 --> 00:09:26,150
Great.

161
00:09:26,300 --> 00:09:28,080
They can't find any of my stuff on the Internet.

162
00:09:28,080 --> 00:09:28,750
That's perfect.

163
00:09:28,760 --> 00:09:32,390
So let's try to set the source to.

164
00:09:34,020 --> 00:09:35,010
Google.

165
00:09:35,970 --> 00:09:38,680
Or let's try it, hub dotcom.

166
00:09:38,700 --> 00:09:39,340
There you go.

167
00:09:39,450 --> 00:09:43,890
So it's all open source, so it's all you know, it's legal.

168
00:09:44,190 --> 00:09:48,090
So we're getting some, you know, some good e-mail addresses here.

169
00:09:49,110 --> 00:09:53,760
First and last names, all kinds of different stuff is all publicly available information.

170
00:09:54,330 --> 00:09:59,370
And so then we can use this information for and maybe for some social engineering attempts, sending

171
00:09:59,400 --> 00:10:01,380
him a malicious link, stuff like that.

172
00:10:01,390 --> 00:10:02,190
So it's pretty neat.

173
00:10:02,700 --> 00:10:09,120
OK, so there's another module I want to show you guys again for, looking for some e-mail addresses.

174
00:10:09,120 --> 00:10:14,510
So Marketplace install PGP and of course, search so we can do that and then we can load the modules

175
00:10:14,520 --> 00:10:20,730
of modules, load PGP on the search and then we could do it in full, just learning a little bit more

176
00:10:20,730 --> 00:10:21,290
about it.

177
00:10:21,960 --> 00:10:25,600
So it pretty much searches online for email addresses for domain.

178
00:10:25,920 --> 00:10:30,450
So let's go ahead and let's see the options here are just source again.

179
00:10:30,630 --> 00:10:34,050
So options set source.

180
00:10:34,500 --> 00:10:39,080
And this time let's do Bing dot com.

181
00:10:39,090 --> 00:10:39,740
There we go.

182
00:10:39,900 --> 00:10:41,380
Cool Bing dot com.

183
00:10:41,400 --> 00:10:46,500
So now we going to run this and it's going to gather a lot of information.

184
00:10:46,500 --> 00:10:48,890
So it gathered a lot of different.

185
00:10:49,470 --> 00:10:50,670
This one is probably fake.

186
00:10:50,670 --> 00:10:53,220
Johnny Appleseed or Bong none.

187
00:10:53,460 --> 00:10:56,460
So Bing seems like they're pretty smart.

188
00:10:56,460 --> 00:10:59,360
They have like some fake addresses and stuff out there.

189
00:11:00,480 --> 00:11:03,100
So what is pretty useful?

190
00:11:03,120 --> 00:11:07,530
So there's a couple of different ways that you can actually, you know, figure out IP addresses and,

191
00:11:07,530 --> 00:11:11,670
you know, for for you to play in some aspects attacks, different things like that.

192
00:11:12,090 --> 00:11:16,580
OK, so there's another module I want to make you guys aware of just because if it can be very, very

193
00:11:16,590 --> 00:11:21,420
useful, you know, when you're actually doing a penetration test, you know, out in the real world,

194
00:11:22,110 --> 00:11:25,840
it's going to be this Hebb p underscore its module.

195
00:11:25,980 --> 00:11:31,290
So what this does it all the emoticons accounts in your database that you've gathered and compares it

196
00:11:31,290 --> 00:11:32,880
against, have I been on site?

197
00:11:33,000 --> 00:11:35,910
And it lets you know the pastors are actually leaked before.

198
00:11:36,090 --> 00:11:39,540
So you use that information to go actually find those pastors online?

199
00:11:39,780 --> 00:11:44,850
I'm not just going to show this just because of the sensitivity behind it, because, you know, kind

200
00:11:44,850 --> 00:11:48,870
of would be me assisting and compromising some people.

201
00:11:48,870 --> 00:11:50,490
So I'd rather not do that.

202
00:11:50,490 --> 00:11:54,600
But I just want you guys to know the capability, because this can be very helpful.

203
00:11:54,840 --> 00:11:58,560
You know, in the real world, you know, when you're actually doing penetration tests and trying to

204
00:11:58,560 --> 00:12:02,430
help a company protect themselves, you can let them know, hey, they've been compromised.

205
00:12:02,430 --> 00:12:06,270
And I was able to go online really quick and get their password and log into your stuff.

206
00:12:06,810 --> 00:12:11,040
So you just install that and it's going to tell you right here that will likely fail if you don't have

207
00:12:11,040 --> 00:12:18,120
the key API key for it is also you'd have to go to the website and actually get the API key and you'll

208
00:12:18,120 --> 00:12:20,130
be able to use the keys.

209
00:12:20,130 --> 00:12:26,700
Eckermann like if you do help, you see there's a Keys command right here.

210
00:12:26,700 --> 00:12:32,700
Let you put in just a different API keys because some modules require those keys actually be used and

211
00:12:32,700 --> 00:12:35,070
these are usually the more powerful ones like this one.

212
00:12:35,730 --> 00:12:36,360
Pretty useful.

213
00:12:36,360 --> 00:12:39,760
So there's keys and then you add your API key and you'll be good to go.

214
00:12:40,140 --> 00:12:44,790
OK, so one last module I want you guys to be aware of is the HTML module.

215
00:12:44,940 --> 00:12:51,620
So it's going to allow you to actually create a report so you can go ahead and install it.

216
00:12:51,990 --> 00:13:01,310
And what we can do is you can ignore that one right there so we can do modules, load HMO and then do

217
00:13:01,320 --> 00:13:01,980
a infocom.

218
00:13:01,990 --> 00:13:06,210
And it's going to show us the different options and it just creates an e-mail report so you can look

219
00:13:06,210 --> 00:13:07,820
at everything that you gathered so far.

220
00:13:08,280 --> 00:13:11,070
So we have to set some options here.

221
00:13:11,220 --> 00:13:12,510
Those are all required.

222
00:13:12,510 --> 00:13:15,840
So we're going to give an option for them or at least for the first two.

223
00:13:15,840 --> 00:13:18,600
So let's do options.

224
00:13:19,140 --> 00:13:21,030
Site creator.

225
00:13:21,990 --> 00:13:23,580
And here we go.

226
00:13:24,660 --> 00:13:27,530
And Options said.

227
00:13:29,130 --> 00:13:30,000
Customer.

228
00:13:33,250 --> 00:13:40,690
Udemy students, there we go, so now we can actually run this and it's going to create a report, so

229
00:13:40,690 --> 00:13:42,850
it created the report in this location.

230
00:13:43,360 --> 00:13:49,660
So we can actually just if you want to just like catch the report, you can actually go to any of your

231
00:13:49,660 --> 00:13:50,260
browser.

232
00:13:50,260 --> 00:13:51,910
So I should be able to just copy this.

233
00:13:53,510 --> 00:13:55,660
ASI is copyists.

234
00:13:57,380 --> 00:14:00,530
And let's put it in our browser and see what happens.

235
00:14:00,950 --> 00:14:05,510
So it's actually going to go ahead and load it and it says, hey, we have five hundred twenty six holes

236
00:14:05,510 --> 00:14:05,960
here.

237
00:14:06,620 --> 00:14:08,410
We found 20 contacts.

238
00:14:08,420 --> 00:14:11,000
It'll actually show us the holes that we found.

239
00:14:11,240 --> 00:14:12,110
It's pretty cool.

240
00:14:12,110 --> 00:14:16,090
Is actually, you know, organized very well, has IP addresses in there.

241
00:14:16,100 --> 00:14:19,370
If we had any other information, would fill out these other columns as well.

242
00:14:19,730 --> 00:14:21,460
And then it has the contacts.

243
00:14:21,680 --> 00:14:24,770
So we have some names, e-mail addresses, different stuff.

244
00:14:25,040 --> 00:14:26,720
These are most likely fake.

245
00:14:26,720 --> 00:14:29,420
Some could be real, some could be fake, but whatever.

246
00:14:29,660 --> 00:14:35,960
So this is pretty, pretty powerful tool, I think is very useful, especially when you do an external

247
00:14:35,960 --> 00:14:36,830
penetration testing.

248
00:14:36,830 --> 00:14:38,360
You're really trying to get in from the outside.

249
00:14:38,750 --> 00:14:41,740
Usually anything is fair game, so it's just real work.

250
00:14:41,750 --> 00:14:47,360
So I hope that you think that you think that or see the power of every kind of energy.

251
00:14:47,600 --> 00:14:51,470
And I hope that you actually play around with it more and master it, OK?