1
00:00:03,100 --> 00:00:09,010
The first passive reconnaissance or recon that we're going to perform is something called open source

2
00:00:09,010 --> 00:00:14,650
intelligence or OSINT. There's a terrific framework out there, a really nice graphical representation

3
00:00:14,950 --> 00:00:18,630
with a lot of tools linked in. It's osintframework.com.

4
00:00:18,970 --> 00:00:22,270
Specifically, we're going to look at a tool called Domain Dossier.

5
00:00:22,580 --> 00:00:27,850
And it's going to let us gather some information about a company without scanning the company, without

6
00:00:27,970 --> 00:00:29,740
using intrusive network tools.

7
00:00:30,100 --> 00:00:33,520
We're just gonna gather some information passively that's publicly available.

8
00:00:33,850 --> 00:00:35,230
So let's see how to do that.

9
00:00:37,000 --> 00:00:43,420
You can use your Kali computer, your VM for this, or you can actually use just your regular desktop

10
00:00:43,420 --> 00:00:43,840
computer.

11
00:00:43,870 --> 00:00:46,170
This one is actually safe to run from your desktop.

12
00:00:46,180 --> 00:00:51,280
It's open source, but you can run this from your VM as well, whichever one you prefer.

13
00:00:52,680 --> 00:00:58,650
The website you can see here is osintframework.com, and it's a graphical user interface.

14
00:00:58,650 --> 00:01:00,300
It's like a mind map.

15
00:01:00,480 --> 00:01:06,420
It allows us to see, under the OSINT framework, we've got the ability to look for usernames, email

16
00:01:06,420 --> 00:01:08,100
addresses, domain names.

17
00:01:08,580 --> 00:01:16,250
And every time you expand one of these options, you get more tools that you can use to find email addresses.

18
00:01:16,260 --> 00:01:20,910
For example, we might want to use something like theHarvester, which we'll actually use in just a

19
00:01:20,910 --> 00:01:21,780
couple of lessons.

20
00:01:22,170 --> 00:01:24,900
And we want to gather information on a domain name.

21
00:01:25,020 --> 00:01:27,150
We might want to use the WHOIS records.

22
00:01:27,690 --> 00:01:31,110
And one quick, easy way to do that is with Domain Dossier.

23
00:01:31,440 --> 00:01:36,060
You can see there are literally hundreds of tools linked here in the OSINT framework.

24
00:01:36,060 --> 00:01:37,980
Some of them you have to install locally.

25
00:01:38,280 --> 00:01:40,950
Some of them we have access to through a web search.

26
00:01:41,310 --> 00:01:44,400
Some of them are already installed in Kali Linux.

27
00:01:44,730 --> 00:01:49,350
theHarvester that we use to find some e-mail addresses in a couple of lessons is one of those that

28
00:01:49,350 --> 00:01:51,480
you can use directly from inside Kali.

29
00:01:51,810 --> 00:01:57,420
But Domain Dossier is one of the free, open source web tools that we can access through a regular browser.

30
00:01:57,750 --> 00:02:03,090
So click Domain Dossier and then pick an IP address that you want to research.

31
00:02:03,390 --> 00:02:09,930
So I mentioned if we wanted to find out more information about CNN.com, let's say that CNN has

32
00:02:09,930 --> 00:02:16,290
hired us to do a little information gathering to help them know what kind of information is being shared

33
00:02:16,290 --> 00:02:17,100
out on the Internet.

34
00:02:17,550 --> 00:02:21,660
We can enter CNN.com in Domain Dossier and scroll down a little bit.

35
00:02:23,580 --> 00:02:28,950
And you can see some information like you might get one or two good e-mail addresses, this is kind

36
00:02:28,950 --> 00:02:29,580
of small.

37
00:02:31,260 --> 00:02:31,770
There we go.

38
00:02:33,280 --> 00:02:36,220
So the Turner Media Group at Turner.com.

39
00:02:36,250 --> 00:02:40,930
If you didn't know this, CNN was run by Turner Media or Turner Broadcasting.

40
00:02:41,350 --> 00:02:44,770
That would help you gather a little bit more information about them.

41
00:02:45,340 --> 00:02:50,380
You might get some other information about a particular contact, and then you'll get some information

42
00:02:50,380 --> 00:02:53,530
about various services that are set up for their network.

43
00:02:54,070 --> 00:02:58,690
Well, we didn't get any good names with Turner, but I actually tried it against my own university.

44
00:02:59,080 --> 00:03:02,530
This is all passive information that's publicly available.

45
00:03:02,530 --> 00:03:05,740
So there's nothing illegal about searching for this information.

46
00:03:06,360 --> 00:03:07,540
UMG Daddy to you.

47
00:03:07,570 --> 00:03:09,880
Happens to be the cool university I teach at.

48
00:03:11,760 --> 00:03:15,660
And if I scroll down a little bit, I've got some actual contacts here.

49
00:03:16,170 --> 00:03:20,260
I have the chief information officer, or the CIO, over all of IT.

50
00:03:20,760 --> 00:03:25,470
I have a technical contact who's a server administrator and an email address.

51
00:03:25,500 --> 00:03:31,380
So I've already got some information that I could use if I were trying to gather information about an organization

52
00:03:31,380 --> 00:03:33,660
to let them see what's publicly available.

53
00:03:34,050 --> 00:03:40,530
Or if I were trying to run a phishing campaign to test the users in this organization to see if they click

54
00:03:40,560 --> 00:03:47,460
through emails, I might want to send Justin Torbert an email from Steve McCleod, because Steve is

55
00:03:47,460 --> 00:03:53,400
actually Justin's boss, too, to try to get him to click through and give me his username and password.

56
00:03:53,430 --> 00:03:58,110
Now, of course, we're not going to do that in a real situation unless we're being paid and we have

57
00:03:58,110 --> 00:04:01,800
the explicit written permission and a legal contract with the company.

58
00:04:01,830 --> 00:04:08,130
But this is one way that hackers gather information free and completely open source online.

59
00:04:08,460 --> 00:04:13,710
And it's good for you to know, in your organization or for your own personal use, if there's information

60
00:04:13,710 --> 00:04:16,860
out there that a hacker could use to target you.

61
00:04:17,250 --> 00:04:22,680
At the very least, this gives us some users that we need to make sure they understand the importance of

62
00:04:23,010 --> 00:04:24,930
checking e-mails before they click through.

63
00:04:25,230 --> 00:04:30,780
They need a lot of phishing training because their public information is out there for anybody to

64
00:04:30,780 --> 00:04:31,200
see.

65
00:04:31,530 --> 00:04:38,280
Thank goodness our team has some pretty good phishing training, but the OSINT framework has hundreds

66
00:04:38,280 --> 00:04:43,620
of other tools that go along with Domain Dossier that allow you to look for everything from phone numbers

67
00:04:43,620 --> 00:04:45,420
to, well, you name it.

68
00:04:45,450 --> 00:04:50,130
You can find businesses on the map and see, you know, their physical locations, et cetera.

69
00:04:50,640 --> 00:04:53,010
So I hope this is a useful tool for you.

70
00:04:53,370 --> 00:04:55,980
In the next section, we're going to start a little deeper

71
00:04:56,010 --> 00:04:58,770
passive recon using a couple of tools in Kali.