1 00:00:03,100 --> 00:00:08,440 There are a couple of terms that you'll hear when you're talking about recon as an ethical hacker. 2 00:00:08,980 --> 00:00:13,570 The first one is enumeration and the other is scanning, where we're going to see how to do scanning, 3 00:00:13,570 --> 00:00:15,190 the active recon, in just a moment. 4 00:00:15,700 --> 00:00:21,220 But there are lots of types of enumeration we can do passively, like we might want to enumerate the 5 00:00:21,340 --> 00:00:23,910 email accounts inside an organization. 6 00:00:24,010 --> 00:00:29,410 So if I were trying to research an organization like an attacker would, I would want to know who 7 00:00:29,410 --> 00:00:32,500 works in that organization and how I could get in touch with them. 8 00:00:33,200 --> 00:00:37,840 You can see how this would be immediately useful for a phishing campaign like we learned how to 9 00:00:37,840 --> 00:00:39,370 do back in the previous section. 10 00:00:39,790 --> 00:00:45,520 But theHarvester is one of the tools built into Kali that will help us enumerate those e-mail accounts. 11 00:00:45,550 --> 00:00:48,820 It'll help you see, for your organization as an ethical hacker, 12 00:00:49,270 --> 00:00:52,630 how many people's contact information is freely available out there. 13 00:00:52,930 --> 00:00:54,790 Of course, you can do a regular Web search. 14 00:00:55,120 --> 00:01:00,570 You can do a LinkedIn search to see who is posting what information about your organization. 15 00:01:00,820 --> 00:01:05,410 But theHarvester is a really handy tool built into Kali that will automatically compile results 16 00:01:05,410 --> 00:01:10,240 from LinkedIn, from Google, from Twitter, from dozens of other sources out on the Internet. 17 00:01:10,540 --> 00:01:15,500 So let's switch back over to Kali and boot the Kali VM up fresh. 18 00:01:15,520 --> 00:01:17,950 We're going to go kali as the username 19 00:01:18,040 --> 00:01:19,300 and kali is the password.
20 00:01:19,630 --> 00:01:25,700 If you're on an older version of Kali Linux, you may use the username root and the password toor, 21 00:01:25,870 --> 00:01:27,100 t-double-o-r. 22 00:01:27,490 --> 00:01:32,060 I'm running a 2020, a newer version of Kali, after 2020.2. 23 00:01:32,090 --> 00:01:39,880 It's kali, kali. Everything 2020.1 and earlier will be root and toor, 24 00:01:39,910 --> 00:01:41,950 just root spelled backwards as the password. 25 00:01:42,400 --> 00:01:43,060 So kali. 26 00:01:46,190 --> 00:01:49,130 And I'm going to click on the Kali menu at the top 27 00:01:51,260 --> 00:01:53,750 and find Information Gathering. 28 00:01:55,180 --> 00:02:03,490 And I want to do some OSINT analysis, or open source intelligence analysis. 29 00:02:03,940 --> 00:02:07,030 That means it's freely available, publicly available information. 30 00:02:07,450 --> 00:02:09,700 And I'm going to use the tool called theHarvester. 31 00:02:10,070 --> 00:02:12,490 Now, theHarvester can also be run from the command line. 32 00:02:14,920 --> 00:02:20,590 But the nice thing is, when we run theHarvester from the command line from the Kali menu option, 33 00:02:20,950 --> 00:02:24,040 it automatically gives us a help page for theHarvester. 34 00:02:24,580 --> 00:02:26,440 We can increase the size here just a bit. 35 00:02:27,310 --> 00:02:28,030 There we go. 36 00:02:28,990 --> 00:02:33,910 So you can see that theHarvester has a help option and it gives us some information. 37 00:02:33,940 --> 00:02:37,570 It takes a few options: -d for the domain. 38 00:02:38,020 --> 00:02:43,090 So if I wanted to search information about the University of North Georgia, I would say -d ung 39 00:02:43,090 --> 00:02:43,900 .edu. 40 00:02:44,560 --> 00:02:47,500 We can limit the number of results if we only want a certain number. 41 00:02:47,500 --> 00:02:50,320 So if you're at a big organization, you might do a -l,
42 00:02:50,410 --> 00:02:52,450 that's a lowercase L, 50. 43 00:02:53,620 --> 00:02:56,180 And then we can use various sources. 44 00:02:56,200 --> 00:02:58,870 We see the -b right down here. 45 00:02:59,440 --> 00:03:05,750 So with this information, we know just enough to be able to do a quick theHarvester search. 46 00:03:05,860 --> 00:03:08,890 I'll do a Ctrl+L to clear the screen. 47 00:03:08,920 --> 00:03:19,850 I'm going to say theHarvester, t-h-e-Harvester, and it's a capital H, and theHarvester -d un 48 00:03:20,010 --> 00:03:21,130 g.edu. 49 00:03:21,580 --> 00:03:25,940 And here you should put the organization you're interested in gathering more information about, whether 50 00:03:25,960 --> 00:03:31,180 that's cnn.com, whether that's a company that's hired you, whether it's your school. 51 00:03:31,840 --> 00:03:35,980 That's a really good place to get started, to gather some publicly available free information. 52 00:03:36,670 --> 00:03:38,830 Everything that you're doing here is still passive. 53 00:03:38,860 --> 00:03:40,180 You're not scanning their network. 54 00:03:40,210 --> 00:03:43,990 You're looking at Google results and Twitter results and LinkedIn results. 55 00:03:44,350 --> 00:03:46,290 In fact, let's do a LinkedIn search first. 56 00:03:46,300 --> 00:03:47,200 So we'll do a dash 57 00:03:47,210 --> 00:03:49,300 b linkedin. 58 00:03:51,930 --> 00:03:54,640 And let's just see what theHarvester gets for us. 59 00:03:55,100 --> 00:03:59,140 Now, it may take just a few moments to run a harvester search, depending on the source, depending 60 00:03:59,140 --> 00:04:00,610 on the size of your organization. 61 00:04:02,070 --> 00:04:02,500 All right. 62 00:04:02,530 --> 00:04:08,040 And for my organization, the University of North Georgia, you can see it covered a lot of results 63 00:04:08,040 --> 00:04:09,330 in very little time.
64 00:04:09,930 --> 00:04:15,640 So we found 61 candidates here that had some connection to UNG. 65 00:04:17,670 --> 00:04:23,890 But in our case, you can see we had several people who have a last name of Ung or Own. 66 00:04:24,390 --> 00:04:29,540 So we do have some actual people who'd work at UNG. 67 00:04:29,580 --> 00:04:31,650 You'll find that by University of North Georgia. 68 00:04:32,430 --> 00:04:35,190 So we got some information inside the organization. 69 00:04:35,190 --> 00:04:40,320 But because UNG is also a last name, we didn't get a lot of information that we could use there. 70 00:04:40,320 --> 00:04:42,120 So let's try our next search. 71 00:04:42,810 --> 00:04:44,710 Let's run theHarvester on UNG. 72 00:04:45,000 --> 00:04:50,120 I'm going to do Ctrl+L to clear the screen and the up arrow, and I'm just going to change the source, 73 00:04:50,130 --> 00:04:51,720 and now go to -b google. 74 00:04:54,000 --> 00:04:57,620 And once again, this may take just a little bit of time to run, but it's worth the wait. 75 00:04:59,170 --> 00:05:03,450 And we can see theHarvester gathered a little bit of information on our organization. 76 00:05:03,490 --> 00:05:05,710 I can see Professor Yang's information. 77 00:05:06,130 --> 00:05:08,620 I can see a help desk e-mail that may be useful. 78 00:05:08,620 --> 00:05:14,770 In fact, if I were doing a social engineering campaign and had the permission of the organization, 79 00:05:15,280 --> 00:05:18,420 I might send an e-mail pretending to be help desk 80 00:05:18,580 --> 00:05:20,650 at UNG to Professor Yang, 81 00:05:21,400 --> 00:05:25,080 so that Dr. Yang might be tempted to click through that e-mail. 82 00:05:25,080 --> 00:05:25,370 Dr. 83 00:05:25,790 --> 00:05:30,580 Dr. Yang's a really good computer science professor, so I don't think he's going to do that. 84 00:05:30,610 --> 00:05:32,530 But this is a really good example
85 00:05:32,780 --> 00:05:35,740 of how you would quickly gather just a little bit of information. 86 00:05:36,150 --> 00:05:40,590 Now, if we want a full theHarvester report on an organization, we can do that as well. 87 00:05:42,030 --> 00:05:47,480 Let's clear the screen, and I'm going to type theHarvester -d 88 00:05:47,970 --> 00:05:50,340 ung.edu -b all. 89 00:05:51,380 --> 00:05:53,240 And I'm going to say -f 90 00:05:54,230 --> 00:05:57,370 report.html. 91 00:05:58,130 --> 00:06:04,790 So this -f is a file, an output file, where we can store all of the information that theHarvester gathers 92 00:06:04,790 --> 00:06:05,890 about the organization. 93 00:06:06,020 --> 00:06:06,460 Now, I just 94 00:06:06,490 --> 00:06:10,580 chose UNG because it happens to be the university where I teach today. 95 00:06:10,940 --> 00:06:17,720 But that's the place where, in the -d, you put whatever organization you were looking at as an 96 00:06:17,720 --> 00:06:18,500 ethical hacker. 97 00:06:21,350 --> 00:06:28,340 So if we give this command a run with a -d of your organization, the -b of all and the 98 00:06:28,430 --> 00:06:31,100 -f of report, it'll take several minutes to complete. 99 00:06:31,370 --> 00:06:38,120 But when we come back, we'll be able to see that report and see what information is publicly available 100 00:06:38,240 --> 00:06:41,960 about our organization using just a couple of quick search results. 101 00:06:43,120 --> 00:06:47,830 And it's going to take several minutes to run all of the different scans that come in theHarvester. 102 00:06:48,490 --> 00:06:53,290 But if you run across an error, just as a quick troubleshooting note, you see down here, it says 103 00:06:53,290 --> 00:06:58,070 there's no such file or directory, api-keys.yaml. 104 00:06:58,780 --> 00:07:04,570 This is because there are some paid services that you can use through theHarvester.
105 00:07:04,570 --> 00:07:11,800 It integrates with paid search engines and subscription accounts so that you can search for things 106 00:07:11,800 --> 00:07:14,830 like devices through Shodan and other sources. 107 00:07:15,220 --> 00:07:22,080 But all we need to do to get rid of that error is to actually create an api-keys.yaml file. 108 00:07:22,540 --> 00:07:31,660 So it says there's no api-keys.yaml. I'm going to copy that so that I don't misspell it, Ctrl+L, and I'm just going 109 00:07:31,660 --> 00:07:33,190 to say echo. 110 00:07:34,640 --> 00:07:40,550 Actually, we can just say nothing, into, and then paste 111 00:07:42,390 --> 00:07:42,880 the clipboard. 112 00:07:43,420 --> 00:07:49,120 And what this will do is create an empty file called api-keys.yaml so we won't run into that error. 113 00:07:50,260 --> 00:07:54,820 And if it's taking too long for you to do the all report, you can just blend your reports by doing 114 00:07:54,820 --> 00:07:58,540 like linkedin and google 115 00:08:00,740 --> 00:08:01,370 and press Enter. 116 00:08:02,350 --> 00:08:05,510 It will do a search of just Google and LinkedIn. 117 00:08:07,160 --> 00:08:09,980 Or you can look through the help and choose any of the other sources. 118 00:08:11,480 --> 00:08:18,500 And we can see that it says it's created a report, and the report name that we used was just 119 00:08:18,540 --> 00:08:19,400 report.html. 120 00:08:19,880 --> 00:08:25,820 So I'm going to clear the screen and I'm going to say firefox report.html. 121 00:08:27,240 --> 00:08:32,170 And you can see, by running Firefox from the command line with the name of the file that it created, 122 00:08:32,170 --> 00:08:33,020 report.html, 123 00:08:33,480 --> 00:08:35,770 I can see some information from theHarvester.
124 00:08:35,770 --> 00:08:42,990 It not only gathered some e-mail addresses, hopefully some names from LinkedIn, it gathered hundreds 125 00:08:43,080 --> 00:08:46,410 of servers that have been used over the years, 126 00:08:46,560 --> 00:08:47,250 domain names. 127 00:08:47,280 --> 00:08:53,740 Now, these are old entries for the most part, but there are around 130 servers on our campus network. 128 00:08:54,300 --> 00:08:57,900 So that's a really important resource to know is out there. 129 00:08:58,710 --> 00:09:02,280 We can see some emails, some hosts, 130 00:09:03,370 --> 00:09:05,290 see some things from VirusTotal, 131 00:09:06,130 --> 00:09:07,510 we see more hosts. 132 00:09:08,770 --> 00:09:15,070 We can see a little information down here; we can see that we got about 864 e-mail addresses. 133 00:09:16,200 --> 00:09:23,370 And so if we do Ctrl+F and then search for mail, we will see career services, we'll see names of 134 00:09:23,370 --> 00:09:23,940 people. 135 00:09:24,390 --> 00:09:29,700 In fact, I'm wondering, is there a Bryson Payne? We can Ctrl+F and search for Bryson. 136 00:09:34,500 --> 00:09:35,760 And it didn't find me in there. 137 00:09:35,790 --> 00:09:36,640 But that's OK. 138 00:09:37,500 --> 00:09:40,980 Our university does a good job of keeping old information off the Internet. 139 00:09:41,010 --> 00:09:45,640 But you can see, once it's on the Internet, it may be there forever. 140 00:09:46,170 --> 00:09:50,550 So we found lots of host information, lots of IP addresses, 141 00:09:50,670 --> 00:09:52,410 a good number of email addresses. 142 00:09:52,410 --> 00:09:54,480 We have about 4000 employees, I believe. 143 00:09:54,840 --> 00:09:57,770 So about 864 were in there in some place. 144 00:09:58,200 --> 00:10:01,830 And you can see where all of the results came from, from our all search. 145 00:10:02,310 --> 00:10:04,530 So some really useful information.
146 00:10:04,680 --> 00:10:06,480 If you have trouble using theHarvester, 147 00:10:06,750 --> 00:10:07,980 feel free to rerun it. 148 00:10:08,010 --> 00:10:10,080 Just hit the up arrow and press Enter again. 149 00:10:10,450 --> 00:10:11,530 It'll give it another try. 150 00:10:11,560 --> 00:10:15,150 If you have any of the API keys errors, we showed you how to fix that. 151 00:10:15,540 --> 00:10:20,610 And in the next lesson, we're gonna see how to use the next tool, Recon-ng, to gather 152 00:10:21,000 --> 00:10:23,450 even more information about servers on the network.