Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Look Ma, No Exploits! - The Recon-ng Framework

lanmaster53
November 04, 2013
440

Look Ma, No Exploits! - The Recon-ng Framework

lanmaster53

November 04, 2013
Tweet

Transcript

  1. Tim Tomes (@LaNMaSteR53) Look Ma, No Exploits! The Next Generation

    of Open Source Reconnaissance:! The Recon-ng Framework!
  2. §  Tim Tomes (LaNMaSteR53) §  Christian/Father/Husband/Veteran §  Black Hills Information

    Security §  SANS Instructor §  Security Blogger –  lanmaster53.com / pauldotcom.com §  "Coder" Me
  3. Credits §  Ethan Robish (@EthanRobish) §  Micah Hoffman (@WebBreacher) § 

    Thrapt §  Brendan Coles §  Jay Turla (@shipcod3) §  Robert Frost (@frosty_1313) §  Drumm §  Dan Woodruff (@dewoodruff) §  John Babio (@3vi1john) §  Kenan Abdullahoglu (@kyabd) §  Matteo Cantoni (nothink.org) §  Mike Siegel §  Anthony Miller-Rhodes (@_s1lentjudge) §  Eric Gragsone
  4. Disclaimer Due to the dynamic nature of the demos, offensive

    material is possible. While I don’t condone it, I can’t prevent it.
  5. Reconnaissance Defined §  Merriam-Webster - “A preliminary survey to gain

    information.” §  ...using open sources and without making direct contact.
  6. Pentest Methodologies §  Network 1.  Information Gathering 2.  Scanning and

    Enumeration 3.  Exploitation 4.  Analysis and Reporting §  Web App 1.  Reconnaissance 2.  Mapping 3.  Discovery 4.  Exploitation 5.  Reporting
  7. Traditional Recon §  Select and verify scope §  Gather info

    for: –  authentication testing –  social engineering §  Learn of implemented technologies and configurations §  Search for vulnerable code snippets –  GitHub dorks §  Identify weaknesses in physical security
  8. The Problem §  Often overlooked or skipped –  Internal –

    "I already know everything about my..." –  External – Not enough time §  My argument –  Internal - You never know everything –  External - You end up going back for it anyway –  Isn’t it good to know what the rest of the world knows?
  9. Web Resources §  Server-side Enumeration –  BuiltWith –  WhatWeb – 

    2012 Internet Census –  Project Sonar §  Vulnerability Discovery –  ASafaWeb –  XSSed –  punkSPIDER §  Credential Harvesting –  PwnedList –  ShouldIChangeMyPassword.com §  Contact Scoping –  NameChk
  10. Advanced Recon §  Efficiently develop storylines §  Enumerate server-side technologies

    §  Discover live vulnerabilities §  Harvest full credentials §  Conduct remote physical security analysis Who  has  the  )me?  
  11. Caveats §  Using 3rd party websites may violate Nondisclosure Agreements

    (NDA) and contracts. – Anonymizing proxies – Authorization §  Active recon vs. Passive recon – Active ~ Discovery §  Not all data is free – $0 to > $60k
  12. The Recon-ng Framework §  Interactive §  Look and feel of

    MSF §  Modular §  Data driven §  Scriptable (recon-cli) §  Documented (wiki) §  Developer friendly §  Python (native) §  http://www.recon-ng.com
  13. Framework Methodology Social Engineering Web Attack Network Attack Recon Discovery

    Exploitation Post-exploitation Mapping Metasploit SET Meterpreter Recon-ng Info. Gather Scanning & Enumeration Exploitation Post-exploitation Burp
  14. UI Highlights §  Interactive help §  Command completion everywhere § 

    Smart loading §  Module switching §  Direct data access §  Workspaces §  Verbose / Debugging
  15. Scope Selection / Validation §  Whois §  AdSense/Analytics lookup – 

    ewhois.com §  Search Engine "site" directive §  Shodan "hostname" (more than web) §  DNS brute force –  DNSRecon, Fierce §  IP neighbor lookups –  Bing "ip:" –  my-ip-neighbors.com §  Geolocation –  ipinfodb.com
  16. Server-side Enumeration §  Response headers –  Server –  Cookie names

    §  Error responses §  Browser, Tamper Data, Burp, Netcat §  Nmap, Zmap §  But this would require contact? –  builtwith.com –  whatweb.net –  2012 Internet Census
  17. Vulnerability Discovery §  Enumeration + Research = Discovery §  No

    validation! §  Manual research or... – asafaweb.com – xssed.com – punkspider.hyperiongray.com
  18. Information Gathering §  LinkedIn –  Social Networking for professionals – 

    Accurate and precise §  Jigsaw –  Cloud based CRM –  Owned by Sales Force –  Crowd sourced –  Scraping is free, API is better §  PGP Key Servers –  RedIRIS –  MIT
  19. Data Manipulation §  What we have – First Name – Last Name

    – Job Title – Location §  What we want – Email Address – Username
  20. Building Contacts §  Get email domain –  MX record lookup

    –  Whois Contacts §  Naming Convention –  Websites –  Whois Contacts / PGP Key Search –  Search Engine "@domain.com" (Baidu) –  Trial and Error –  Jigsaw API §  Email = Mangled Info + Domain
  21. Storyline Development §  Google, Baidu §  Social Networks §  Code

    Repositories §  The usual... §  Namechk.com?
  22. Credential Harvesting §  Harvested credential dumps – ShouldIChangeMyPassword.com – Pwnedlist.com •  API

    •  Expensive, but worth it §  The problem? Hashes! – md5.noisette.ch – crackstation.net – leakdb.abusix.com (formerly goog.li)
  23. Beyond Recon §  Discovery – Exploitable pages – DNS cache snooping • 

    AV detection (Scrape-DNS) •  Rob Dixon (@304geek) – Backup files – Interesting files §  Exploitation – XPath brute forcer – Command injector
  24. Reporting §  Analysis – CSV - reporting/csv_file – PushPin – reporting/pushpin § 

    Compatibility – List - reporting/list §  Deliverable – HTML - reporting/html_report