1
00:00:03,120 --> 00:00:08,580
There's one more passive recon tool that we're going to learn about in Kali, and that is

2
00:00:08,580 --> 00:00:08,810
recon-ng.

3
00:00:08,840 --> 00:00:10,170
That's short for reconnaissance,

4
00:00:10,200 --> 00:00:11,370
next generation.

5
00:00:11,820 --> 00:00:14,750
So we're going to open up recon-ng and get started.

6
00:00:14,880 --> 00:00:20,450
There have been some big updates to recon-ng in version five and beyond.

7
00:00:20,550 --> 00:00:24,130
We want to show you how to use the new version of recon-ng.

8
00:00:25,240 --> 00:00:31,960
So we can actually use the command line to run this, or we can come up to our Kali menu, come to

9
00:00:31,960 --> 00:00:36,490
Information Gathering and scroll down a little bit, and you'll see recon-ng.

10
00:00:37,750 --> 00:00:41,200
There we go, and we can see that we're using one of the newer versions.

11
00:00:41,770 --> 00:00:46,720
This is actually already a couple of versions behind the recon-ng version 5.1, but I did do a sudo

12
00:00:46,720 --> 00:00:51,340
apt-get, sudo apt update and sudo apt upgrade.

13
00:00:52,090 --> 00:00:55,910
So what I'm going to do is actually install some of the tools that we'll need to use.

14
00:00:55,930 --> 00:01:02,220
You'll see that it comes up now, in version five and newer, with no modules enabled or installed,

15
00:01:02,220 --> 00:01:07,170
so we need to use the marketplace command to install some of those modules into recon-ng.

16
00:01:07,690 --> 00:01:11,860
And we're actually going to choose some specific tools for reconnaissance.

17
00:01:12,460 --> 00:01:14,810
There are tools for vulnerability analysis.

18
00:01:14,830 --> 00:01:17,140
Lots of things that recon-ng can do these days.

19
00:01:17,680 --> 00:01:20,380
Terrific update from Tim Tomes.

20
00:01:20,780 --> 00:01:23,980
So we're going to do a marketplace install recon:

21
00:01:26,450 --> 00:01:29,210
marketplace install recon.

22
00:01:30,560 --> 00:01:36,660
And this is going to go out to the recon-ng marketplace and install all of the recon modules.

23
00:01:36,660 --> 00:01:43,890
You can see we can gather information about companies, contacts, domains, hosts, you name it, credentials.

24
00:01:44,340 --> 00:01:49,120
There may be information on people's usernames and passwords out there on the Web.

25
00:01:50,580 --> 00:01:55,200
It'll take a couple of moments to install all of those modules, and you may see some errors on your

26
00:01:55,200 --> 00:01:55,990
screen like this.

27
00:01:56,010 --> 00:01:58,620
It just says that there is no API key.

28
00:01:59,160 --> 00:02:04,800
There are a lot of these searches, like Shodan, like Twitter, where you can enter an API key if you

29
00:02:04,800 --> 00:02:05,790
have an account.

30
00:02:05,940 --> 00:02:14,430
Sometimes a paid account for some of these services, but that will give you access to even deeper searches

31
00:02:15,210 --> 00:02:17,010
within each of those platforms.

32
00:02:17,060 --> 00:02:19,530
But recon-ng is great just the way it is.

33
00:02:19,830 --> 00:02:23,370
I'm actually going to look for a tool called HackerTarget.

34
00:02:23,660 --> 00:02:25,170
So I'm going to say marketplace

35
00:02:27,350 --> 00:02:29,720
search hackertarget.

36
00:02:33,190 --> 00:02:36,710
And it's found recon/domains-hosts/hackertarget.

37
00:02:37,010 --> 00:02:38,060
It is installed.

38
00:02:38,120 --> 00:02:40,550
So we got that as part of our recon package

39
00:02:40,580 --> 00:02:44,000
just a moment ago, and it doesn't have dependencies.

40
00:02:44,000 --> 00:02:45,980
It doesn't require one of those API keys.

41
00:02:45,980 --> 00:02:50,580
So we can just use HackerTarget to gather some information about an organization.

42
00:02:50,690 --> 00:02:52,370
I'm going to say modules.

43
00:02:53,570 --> 00:02:54,890
Let's clear the screen here.

44
00:02:54,920 --> 00:03:01,730
modules load recon/domains-hosts/

45
00:03:01,850 --> 00:03:04,070
And you can use your Tab key to autocomplete here:

46
00:03:04,520 --> 00:03:06,530
hackertarget. H, A, Tab.

47
00:03:07,970 --> 00:03:10,580
And then we need to figure out what options we need to specify.

48
00:03:10,610 --> 00:03:14,340
So HackerTarget, you can see, is command line driven, or recon-ng

49
00:03:14,340 --> 00:03:18,350
is a command line driven tool, and HackerTarget requires some options.

50
00:03:18,360 --> 00:03:21,710
So we're going to say options list.

51
00:03:22,430 --> 00:03:24,310
It says we need to set a SOURCE.

52
00:03:24,650 --> 00:03:25,850
So I'm going to say options

53
00:03:27,140 --> 00:03:31,490
set SOURCE, and set the source.

54
00:03:31,790 --> 00:03:34,220
This is the domain that you want to gather more information about.

55
00:03:34,580 --> 00:03:39,470
For me, I'm using uncg.edu, because that's one of the organizations I've worked with for

56
00:03:39,470 --> 00:03:40,190
a long time.

57
00:03:40,850 --> 00:03:42,020
And then I can run.

58
00:03:42,710 --> 00:03:49,340
So replace options set SOURCE uncg.edu with cnn.com, or with the organization you want

59
00:03:49,340 --> 00:03:50,390
to learn more about.

60
00:03:50,600 --> 00:03:57,110
And then press run, and you can see it found 134 total new hosts.

61
00:03:57,560 --> 00:04:05,900
So that means that there are 134 servers listed in the HackerTarget open source free database out there.

62
00:04:06,470 --> 00:04:08,480
And if I say show hosts,

63
00:04:12,710 --> 00:04:18,620
show hosts, it'll give me a nice clean table with all of those machines.

64
00:04:18,980 --> 00:04:24,590
Now, in here, you might want to look for certain things like VPNs, like single sign-on.

65
00:04:25,220 --> 00:04:28,070
You might find an LDAP or directory server.

66
00:04:28,070 --> 00:04:36,440
You might find name servers, ns. You might find old web servers that may not be being used, or you might

67
00:04:36,440 --> 00:04:38,240
find a development server, dev.

68
00:04:38,780 --> 00:04:41,510
So it depends on what you're looking for in your organization.

69
00:04:41,750 --> 00:04:45,260
This is a really quick way to find out,

70
00:04:45,350 --> 00:04:50,750
number one, if you have more servers than you realized were publicly available. It gives you the IP

71
00:04:50,750 --> 00:04:52,280
address so you can verify those.

72
00:04:52,640 --> 00:04:55,910
So it's a really handy tool as an ethical hacker.

73
00:04:56,240 --> 00:05:02,630
We want to know whether we're exposing more information out on the Internet than we mean to, or if our

74
00:05:02,630 --> 00:05:07,490
client that's hired us to do some ethical hacking testing for them has information that they've forgotten

75
00:05:07,490 --> 00:05:07,850
about.

76
00:05:08,390 --> 00:05:13,820
It's also a great way on a big production network to find out if you've got some public services that

77
00:05:13,820 --> 00:05:14,840
you just forgot about.

78
00:05:15,410 --> 00:05:21,530
Maybe there used to be somebody who used a server called you in GSB, but it's not in use anymore and

79
00:05:21,560 --> 00:05:22,970
nobody knows where it's located.

80
00:05:23,210 --> 00:05:29,270
The IP address is the first step in figuring out where that service might be and what might be running

81
00:05:29,300 --> 00:05:31,310
on it, because we can do more advanced scans.

82
00:05:31,940 --> 00:05:36,650
Well, this is as far as we're going to go on a public network, because we don't want to... I don't have

83
00:05:36,650 --> 00:05:40,010
the permission of even my university to do a scan against them.

84
00:05:40,400 --> 00:05:44,210
But we're going to see in the next lesson how to use Nmap to take it to the next step.

85
00:05:44,240 --> 00:05:49,340
Once we've found a candidate host, we might want to gather more information about that service.

86
00:05:49,370 --> 00:05:53,690
If it's a server that we've forgotten on our network, we want to figure out what's running on that

87
00:05:53,690 --> 00:05:55,790
server and whether it might have been compromised.

88
00:05:56,090 --> 00:05:57,650
We'll see how to do that with Nmap,

89
00:05:57,740 --> 00:05:58,640
coming up next.