Look Ma, No Exploits! - The Recon-ng Framework

Transcript

1. Tim Tomes (@LaNMaSteR53) Look Ma, No Exploits! The Next Generation

   of Open Source Reconnaissance:! The Recon-ng Framework!

2. §  Tim Tomes (LaNMaSteR53) §  Christian/Father/Husband/Veteran §  Black Hills Information

   Security §  SANS Instructor §  Security Blogger –  lanmaster53.com / pauldotcom.com §  "Coder" Me

3. Credits §  Ethan Robish (@EthanRobish) §  Micah Hoffman (@WebBreacher) § 

   Thrapt §  Brendan Coles §  Jay Turla (@shipcod3) §  Robert Frost (@frosty_1313) §  Drumm §  Dan Woodruff (@dewoodruff) §  John Babio (@3vi1john) §  Kenan Abdullahoglu (@kyabd) §  Matteo Cantoni (nothink.org) §  Mike Siegel §  Anthony Miller-Rhodes (@_s1lentjudge) §  Eric Gragsone

4. Disclaimer Due to the dynamic nature of the demos, offensive

   material is possible. While I don’t condone it, I can’t prevent it.

5. Reconnaissance Defined §  Merriam-Webster - “A preliminary survey to gain

   information.” §  ...using open sources and without making direct contact.

6. Pentest Methodologies §  Network 1.  Information Gathering 2.  Scanning and

   Enumeration 3.  Exploitation 4.  Analysis and Reporting §  Web App 1.  Reconnaissance 2.  Mapping 3.  Discovery 4.  Exploitation 5.  Reporting

7. Traditional Recon §  Select and verify scope §  Gather info

   for: –  authentication testing –  social engineering §  Learn of implemented technologies and configurations §  Search for vulnerable code snippets –  GitHub dorks §  Identify weaknesses in physical security

8. The Problem §  Often overlooked or skipped –  Internal –

   "I already know everything about my..." –  External – Not enough time §  My argument –  Internal - You never know everything –  External - You end up going back for it anyway –  Isn’t it good to know what the rest of the world knows?

9. The Solution Automation

10. Web Resources §  Server-side Enumeration –  BuiltWith –  WhatWeb – 

    2012 Internet Census –  Project Sonar §  Vulnerability Discovery –  ASafaWeb –  XSSed –  punkSPIDER §  Credential Harvesting –  PwnedList –  ShouldIChangeMyPassword.com §  Contact Scoping –  NameChk

11. Advanced Recon §  Efficiently develop storylines §  Enumerate server-side technologies

    §  Discover live vulnerabilities §  Harvest full credentials §  Conduct remote physical security analysis Who  has  the  )me?  

12. You do. Recon-ng “Recon,  in  about  an  hour.”  

13. Caveats §  Using 3rd party websites may violate Nondisclosure Agreements

    (NDA) and contracts. – Anonymizing proxies – Authorization §  Active recon vs. Passive recon – Active ~ Discovery §  Not all data is free – $0 to > $60k

14. The Recon-ng Framework §  Interactive §  Look and feel of

    MSF §  Modular §  Data driven §  Scriptable (recon-cli) §  Documented (wiki) §  Developer friendly §  Python (native) §  http://www.recon-ng.com

15. Framework Methodology Social Engineering Web Attack Network Attack Recon Discovery

    Exploitation Post-exploitation Mapping Metasploit SET Meterpreter Recon-ng Info. Gather Scanning & Enumeration Exploitation Post-exploitation Burp

16. UI Highlights §  Interactive help §  Command completion everywhere § 

    Smart loading §  Module switching §  Direct data access §  Workspaces §  Verbose / Debugging

17. Host Harvesting §  Scope Selection / Validation §  Server-side Enumeration

    – Port Scanning §  Vulnerability Discovery

18. Scope Selection / Validation §  Whois §  AdSense/Analytics lookup – 

    ewhois.com §  Search Engine "site" directive §  Shodan "hostname" (more than web) §  DNS brute force –  DNSRecon, Fierce §  IP neighbor lookups –  Bing "ip:" –  my-ip-neighbors.com §  Geolocation –  ipinfodb.com

19. Demo §  recon/hosts/gather/http/web/bing_domain §  recon/hosts/gather/http/web/netcraft §  *recon/hosts/gather/http/api/shodan_hostname §  recon/hosts/enum/dns/resolve § 

    recon/hosts/gather/http/web/ip_neighbor §  recon/hosts/gather/http/api/bing_ip §  recon/hosts/geo/http/api/ipinfodb

20. Server-side Enumeration §  Response headers –  Server –  Cookie names

    §  Error responses §  Browser, Tamper Data, Burp, Netcat §  Nmap, Zmap §  But this would require contact? –  builtwith.com –  whatweb.net –  2012 Internet Census

21. Vulnerability Discovery §  Enumeration + Research = Discovery §  No

    validation! §  Manual research or... – asafaweb.com – xssed.com – punkspider.hyperiongray.com

22. Demo §  recon/hosts/enum/http/api/builtwith §  recon/hosts/enum/http/api/punkspider §  recon/hosts/gather/http/web/census_2012 §  recon/hosts/gather/http/api/sonar_cio

23. Contact Harvesting §  Information Gathering §  Data Manipulation §  Storyline

    Development

24. Information Gathering §  LinkedIn –  Social Networking for professionals – 

    Accurate and precise §  Jigsaw –  Cloud based CRM –  Owned by Sales Force –  Crowd sourced –  Scraping is free, API is better §  PGP Key Servers –  RedIRIS –  MIT

25. Demo §  recon/contacts/gather/http/api/jigsaw/ search_contacts §  recon/contacts/gather/http/api/linkedin_auth

26. Data Manipulation §  What we have – First Name – Last Name

    – Job Title – Location §  What we want – Email Address – Username

27. Building Contacts §  Get email domain –  MX record lookup

    –  Whois Contacts §  Naming Convention –  Websites –  Whois Contacts / PGP Key Search –  Search Engine "@domain.com" (Baidu) –  Trial and Error –  Jigsaw API §  Email = Mangled Info + Domain

28. Demo §  recon/contacts/gather/http/api/whois_pocs §  recon/contacts/gather/http/web/pgp_search §  recon/contacts/support/mangle

29. Storyline Development §  Google, Baidu §  Social Networks §  Code

    Repositories §  The usual... §  Namechk.com?

30. Demo §  recon/contacts/enum/http/web/namechk

31. Credential Harvesting §  Harvested credential dumps – ShouldIChangeMyPassword.com – Pwnedlist.com •  API

    •  Expensive, but worth it §  The problem? Hashes! – md5.noisette.ch – crackstation.net – leakdb.abusix.com (formerly goog.li)

32. Demo §  recon/creds/gather/http/api/pwnedlist/ domain_ispwned §  recon/contacts/enum/http/web/pwnedlist §  recon/creds/gather/http/api/pwnedlist/ domain_creds § 

    recon/creds/enum/http/api/leakdb

33. All of this with... no exploits

34. Physical Reconnaissance §  PushPin §  Geotagged media aggregator – Twitter – Picasa

    – *YouTube – Flickr – Shodan – <your module here>

35. Media tab

36. Mapping tab

37. Realistically? TARGET: Apple HQ, Cupertino, CA

38. Entry Control Points

39. None
40. None
41. None

42. Security Forces

43. None
44. None

45. Badging

46. None

47. ...without setting foot on the ground.

48. Beyond Recon §  Discovery – Exploitable pages – DNS cache snooping • 

    AV detection (Scrape-DNS) •  Rob Dixon (@304geek) – Backup files – Interesting files §  Exploitation – XPath brute forcer – Command injector

49. Reporting §  Analysis – CSV - reporting/csv_file – PushPin – reporting/pushpin § 

    Compatibility – List - reporting/list §  Deliverable – HTML - reporting/html_report

50. http://recon-ng.com http://lanmaster53.com Want more free tools and webcasts? Send me

    your contact information! @LaNMaSteR53 [email protected] Thank You!