Look Ma, No Exploits! - The Recon-ng Framework

lanmaster53
November 04, 2013

Transcript

  1. Tim Tomes (@LaNMaSteR53)
    Look Ma, No Exploits!
    The Next Generation of Open Source Reconnaissance: The Recon-ng Framework

  2. Me
    §  Tim Tomes (LaNMaSteR53)
    §  Christian/Father/Husband/Veteran
    §  Black Hills Information Security
    §  SANS Instructor
    §  Security Blogger
    –  lanmaster53.com / pauldotcom.com
    §  "Coder"

  3. Credits
    §  Ethan Robish (@EthanRobish)
    §  Micah Hoffman (@WebBreacher)
    §  Thrapt
    §  Brendan Coles
    §  Jay Turla (@shipcod3)
    §  Robert Frost (@frosty_1313)
    §  Drumm
    §  Dan Woodruff (@dewoodruff)
    §  John Babio (@3vi1john)
    §  Kenan Abdullahoglu (@kyabd)
    §  Matteo Cantoni (nothink.org)
    §  Mike Siegel
    §  Anthony Miller-Rhodes (@_s1lentjudge)
    §  Eric Gragsone

  4. Disclaimer
    Due to the dynamic nature of the demos, offensive material is possible.
    While I don’t condone it, I can’t prevent it.

  5. Reconnaissance Defined
    §  Merriam-Webster - “A preliminary survey to gain information.”
    §  ...using open sources and without making direct contact.

  6. Pentest Methodologies
    §  Network
    1.  Information Gathering
    2.  Scanning and Enumeration
    3.  Exploitation
    4.  Analysis and Reporting
    §  Web App
    1.  Reconnaissance
    2.  Mapping
    3.  Discovery
    4.  Exploitation
    5.  Reporting

  7. Traditional Recon
    §  Select and verify scope
    §  Gather info for:
    –  authentication testing
    –  social engineering
    §  Learn of implemented technologies and configurations
    §  Search for vulnerable code snippets
    –  GitHub dorks
    §  Identify weaknesses in physical security

  8. The Problem
    §  Often overlooked or skipped
    –  Internal – "I already know everything about my..."
    –  External – Not enough time
    §  My argument
    –  Internal - You never know everything
    –  External - You end up going back for it anyway
    –  Isn’t it good to know what the rest of the world knows?

  9. The Solution
    Automation

  10. Web Resources
    §  Server-side Enumeration
    –  BuiltWith
    –  WhatWeb
    –  2012 Internet Census
    –  Project Sonar
    §  Vulnerability Discovery
    –  ASafaWeb
    –  XSSed
    –  punkSPIDER
    §  Credential Harvesting
    –  PwnedList
    –  ShouldIChangeMyPassword.com
    §  Contact Scoping
    –  NameChk

  11. Advanced Recon
    §  Efficiently develop storylines
    §  Enumerate server-side technologies
    §  Discover live vulnerabilities
    §  Harvest full credentials
    §  Conduct remote physical security analysis
    Who has the time?

  12. You do.
    Recon-ng
    “Recon, in about an hour.”

  13. Caveats
    §  Using 3rd party websites may violate Nondisclosure Agreements (NDA) and contracts.
    – Anonymizing proxies
    – Authorization
    §  Active recon vs. Passive recon
    – Active ~ Discovery
    §  Not all data is free
    – $0 to > $60k

  14. The Recon-ng Framework
    §  Interactive
    §  Look and feel of MSF
    §  Modular
    §  Data driven
    §  Scriptable (recon-cli)
    §  Documented (wiki)
    §  Developer friendly
    §  Python (native)
    §  http://www.recon-ng.com

  15. Framework Methodology
    (diagram: the phases of each methodology, with the framework that covers each phase)
    Methodologies: Social Engineering, Web Attack, Network Attack
    Phases: Recon / Info. Gather → Mapping / Scanning & Enumeration → Discovery → Exploitation → Post-exploitation
    Frameworks: Recon-ng (Recon / Info. Gather), Burp (web Mapping / Discovery), Metasploit, SET, Meterpreter (Exploitation / Post-exploitation)

  16. UI Highlights
    §  Interactive help
    §  Command completion everywhere
    §  Smart loading
    §  Module switching
    §  Direct data access
    §  Workspaces
    §  Verbose / Debugging

  17. Host Harvesting
    §  Scope Selection / Validation
    §  Server-side Enumeration
    – Port Scanning
    §  Vulnerability Discovery

  18. Scope Selection / Validation
    §  Whois
    §  AdSense/Analytics lookup
    –  ewhois.com
    §  Search Engine "site" directive
    §  Shodan "hostname" (more than web)
    §  DNS brute force
    –  DNSRecon, Fierce
    §  IP neighbor lookups
    –  Bing "ip:"
    –  my-ip-neighbors.com
    §  Geolocation
    –  ipinfodb.com
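
Once the sources above have filled a host list, the step a practitioner wants before anything active is a scope check. The following is an added example, not from the talk or from Recon-ng: it sorts harvested (hostname, resolved IP) pairs into in-scope, needs-review and out-of-scope buckets by requiring both the name and the address to be authorized. The domain, netblock and host list are constructed for illustration.

```python
import ipaddress

# Constructed hosts as a harvesting pass might leave them (hostname, resolved
# IP). Not real data; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges.
HARVESTED = [
    ("www.example.com", "203.0.113.10"),
    ("mail.example.com", "203.0.113.25"),
    ("dev.example.com", "198.51.100.7"),                # our name, someone else's IP
    ("intranet.example.com", "10.0.0.5"),               # leaks an RFC 1918 address
    ("203-0-113-99.customer.isp.net", "203.0.113.99"),  # our IP, provider's name
    ("example.com.evil-lookalike.net", "192.0.2.66"),   # look-alike, out of scope
]

# Assumed authorization: the client's domain(s) and netblock(s) (hypothetical).
SCOPE_DOMAINS = ["example.com"]
SCOPE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 ranges, listed explicitly rather than via ipaddress.is_private,
# which would also flag the documentation ranges used in the sample above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_scope_domain(host, domains):
    """True if host equals a scoped domain or is a subdomain of one.
    Matching on label boundaries rather than a bare suffix keeps
    'example.com.evil-lookalike.net' and 'notexample.com' out."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def classify(harvested, domains, nets):
    """Sort (host, ip) pairs into in_scope, review, out_of_scope.
    Only hosts whose name AND address are authorized are in scope; a match
    on one but not the other (third-party hosting, CDN, reverse-DNS name in
    our block) needs a human decision before any active step."""
    buckets = {"in_scope": [], "review": [], "out_of_scope": []}
    for host, ip in harvested:
        addr = ipaddress.ip_address(ip)
        dom_ok = in_scope_domain(host, domains)
        net_ok = any(addr in n for n in nets)
        if dom_ok and net_ok:
            buckets["in_scope"].append((host, ip))
        elif dom_ok or net_ok:
            buckets["review"].append((host, ip))
        else:
            buckets["out_of_scope"].append((host, ip))
    return buckets


def leaked_private(harvested):
    """Names that resolve to RFC 1918 space: not reachable from outside, but
    a finding in themselves (internal naming and addressing leak via DNS)."""
    return [h for h, ip in harvested
            if any(ipaddress.ip_address(ip) in n for n in RFC1918)]


if __name__ == "__main__":
    for bucket, hosts in classify(HARVESTED, SCOPE_DOMAINS, SCOPE_NETS).items():
        print(bucket)
        for host, ip in hosts:
            print(f"  {host:35} {ip}")
    print("private addresses leaked via DNS:", leaked_private(HARVESTED))
```

The review bucket is the point: a DNS brute force or Bing "ip:" lookup will happily return names hosted by a CDN or a SaaS provider, and the contract almost never covers those.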

  19. Demo
    §  recon/hosts/gather/http/web/bing_domain
    §  recon/hosts/gather/http/web/netcraft
    §  *recon/hosts/gather/http/api/shodan_hostname
    §  recon/hosts/enum/dns/resolve
    §  recon/hosts/gather/http/web/ip_neighbor
    §  recon/hosts/gather/http/api/bing_ip
    §  recon/hosts/geo/http/api/ipinfodb

  20. Server-side Enumeration
    §  Response headers
    –  Server
    –  Cookie names
    §  Error responses
    §  Browser, Tamper Data, Burp, Netcat
    §  Nmap, Zmap
    §  But this would require contact?
    –  builtwith.com
    –  whatweb.net
    –  2012 Internet Census
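
The parsing side of the slide, as an added example that is not from the talk or the framework: pull the Server and X-Powered-By headers and the cookie names out of a captured response and map well-known default cookie names to the platform that sets them. The response is constructed, and the cookie-to-technology table is a short assumed set of defaults, not a complete fingerprint database. The same code applies whether the response came from your own request (contact) or from a third-party archive such as BuiltWith or the census data, which is the difference the slide is asking about.

```python
import re

# Constructed HTTP response for illustration; not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 04 Nov 2013 10:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10-1ubuntu3.8\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Set-Cookie: JSESSIONID=ABCDEF; path=/app; HttpOnly\r\n"
    "Set-Cookie: tracking=xyz; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>It works!</body></html>"
)

# Assumed mapping of default session cookie names to the platform that sets
# them (a small illustrative table, not a full fingerprint database).
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "ASPSESSIONID": "Classic ASP",      # real name is ASPSESSIONID<random>, prefix match
    "CFID": "ColdFusion",
    "CFTOKEN": "ColdFusion",
    "_session_id": "Ruby on Rails",
    "csrftoken": "Django",
}

# product/version at the start of a Server or X-Powered-By value
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\S+)")


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body).
    Headers are kept as a list because Set-Cookie legitimately repeats."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def cookie_names(headers):
    # The cookie name is everything before the first '=' of each Set-Cookie.
    return [v.split("=", 1)[0].strip() for v in header_values(headers, "Set-Cookie")]


def fingerprint(raw):
    _, headers, _ = parse_response(raw)
    products = []
    for h in ("Server", "X-Powered-By"):
        for v in header_values(headers, h):
            m = PRODUCT_RE.match(v)
            if m:
                products.append((m.group(1), m.group(2)))
    cookies = cookie_names(headers)
    techs = []
    for c in cookies:
        for known, tech in COOKIE_FINGERPRINTS.items():
            if c == known or (known == "ASPSESSIONID" and c.startswith(known)):
                if tech not in techs:
                    techs.append(tech)
    return {
        "server": (header_values(headers, "Server") or [None])[0],
        "products": products,
        "cookies": cookies,
        "cookie_technologies": techs,
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Version strings from headers are a claim, not a fact: distributions backport fixes without bumping the number, and an operator can set Server to anything. Treat the output as input to research, which is what the next slide says.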

  21. Vulnerability Discovery
    §  Enumeration + Research = Discovery
    §  No validation!
    §  Manual research or...
    – asafaweb.com
    – xssed.com
    – punkspider.hyperiongray.com

  22. Demo
    §  recon/hosts/enum/http/api/builtwith
    §  recon/hosts/enum/http/api/punkspider
    §  recon/hosts/gather/http/web/census_2012
    §  recon/hosts/gather/http/api/sonar_cio

  23. Contact Harvesting
    §  Information Gathering
    §  Data Manipulation
    §  Storyline Development

  24. Information Gathering
    §  LinkedIn
    –  Social Networking for professionals
    –  Accurate and precise
    §  Jigsaw
    –  Cloud-based CRM
    –  Owned by Salesforce
    –  Crowd sourced
    –  Scraping is free, API is better
    §  PGP Key Servers
    –  RedIRIS
    –  MIT

  25. Demo
    §  recon/contacts/gather/http/api/jigsaw/search_contacts
    §  recon/contacts/gather/http/api/linkedin_auth

  26. Data Manipulation
    §  What we have
    – First Name
    – Last Name
    – Job Title
    – Location
    §  What we want
    – Email Address
    – Username

  27. Building Contacts
    §  Get email domain
    –  MX record lookup
    –  Whois Contacts
    §  Naming Convention
    –  Websites
    –  Whois Contacts / PGP Key Search
    –  Search Engine "@domain.com" (Baidu)
    –  Trial and Error
    –  Jigsaw API
    §  Email = Mangled Info + Domain
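
The two slides above (what we have, what we want, and how the domain and naming convention are found) are one procedure, so here is a single worked example of it. This is added code, not the talk's and not Recon-ng's mangle module: it infers the naming convention from a few addresses already recovered (whois contacts, PGP search, the website) by scoring candidate patterns against them, then applies the winner to the name-only contacts. The token syntax (`<fn>`, `<fi>`, `<mn>`, `<mi>`, `<ln>`, `<li>`) mirrors the style of the framework's mangle module as I recall it and is an assumption; the names and addresses are constructed.

```python
import re
import unicodedata

# Pattern tokens: <fn> first name, <fi> first initial, <mn> middle name,
# <mi> middle initial, <ln> last name, <li> last initial. Assumed to follow
# the token style of Recon-ng's mangle module; check the module's PATTERN
# option in your version.
PATTERNS = ["<fn>.<ln>", "<fi><ln>", "<fn><li>", "<fn>_<ln>", "<fi>.<ln>",
            "<fn>-<ln>", "<ln>.<fn>", "<ln><fi>", "<fi>_<ln>", "<fn>", "<ln>"]


def normalize(name):
    """Lower-case, strip accents, apostrophes, spaces and hyphens, so that
    'Chloé Dubois' and "Bob O'Brien" give usable local parts."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def mangle(first, last, domain, pattern, middle=""):
    """Email = mangled name + domain, for one pattern."""
    fn, mn, ln = normalize(first), normalize(middle), normalize(last)
    tokens = {"<fn>": fn, "<fi>": fn[:1], "<mn>": mn, "<mi>": mn[:1],
              "<ln>": ln, "<li>": ln[:1]}
    local = pattern
    for token, value in tokens.items():
        local = local.replace(token, value)
    return f"{local}@{domain}"


def infer_pattern(known, domain, patterns=PATTERNS):
    """known: (first, last, email) triples recovered from whois contacts, PGP
    key searches or the website. Returns (best pattern, number of known
    addresses it reproduces). Ties go to the earlier pattern in the list."""
    best, best_hits = None, 0
    for pattern in patterns:
        hits = sum(1 for f, l, email in known
                   if mangle(f, l, domain, pattern) == email.lower())
        if hits > best_hits:
            best, best_hits = pattern, hits
    return best, best_hits


def build_contacts(contacts, domain, pattern):
    """Apply the inferred convention to the (first, last) pairs that came
    back from LinkedIn / Jigsaw without an address."""
    return [(f, l, mangle(f, l, domain, pattern)) for f, l in contacts]


# Constructed sample data (not real people or addresses).
KNOWN = [("Alice", "Johnson", "AJohnson@example.com"),
         ("Bob", "O'Brien", "bobrien@example.com"),
         ("Chloé", "Dubois", "cdubois@example.com")]
CONTACTS = [("Dan", "Woodruff"), ("Eve", "van der Berg")]

if __name__ == "__main__":
    pattern, hits = infer_pattern(KNOWN, "example.com")
    print(f"convention: {pattern} ({hits}/{len(KNOWN)} known addresses match)")
    for first, last, email in build_contacts(CONTACTS, "example.com", pattern):
        print(f"{first} {last}: {email}")
```

Three known addresses is the realistic minimum: with one or two, several patterns tie and the tie-break is arbitrary, which is where the slide's "trial and error" (and an MX lookup to confirm the mail domain) comes in.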

  28. Demo
    §  recon/contacts/gather/http/api/whois_pocs
    §  recon/contacts/gather/http/web/pgp_search
    §  recon/contacts/support/mangle

  29. Storyline Development
    §  Google, Baidu
    §  Social Networks
    §  Code Repositories
    §  The usual...
    §  Namechk.com?

  30. Demo
    §  recon/contacts/enum/http/web/namechk

  31. Credential Harvesting
    §  Harvested credential dumps
    – ShouldIChangeMyPassword.com
    – Pwnedlist.com
    •  API
    •  Expensive, but worth it
    §  The problem? Hashes!
    – md5.noisette.ch
    – crackstation.net
    – leakdb.abusix.com (formerly goog.li)
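
What the three lookup services on the slide do, in miniature, as an added example that is not from the talk or any of those services: a dump of email:hash rows (constructed here from known weak passwords, not a real breach) is matched against a table built from a small wordlist and a few mangling rules. Unsalted MD5 and SHA-1 fall to a lookup like this instantly, which is why a hash in a dump is effectively a credential; rows no wordlist reaches stay as hashes.

```python
import hashlib

# Constructed dump rows (email, hash) for illustration; the hashes are of
# known weak passwords, not from any real breach.
DUMP = [
    ("alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),          # md5
    ("bob@example.com",   "e10adc3949ba59abbe56e057f20f883e"),          # md5
    ("carol@example.com", "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"),  # sha1
    ("dave@example.com",  "0123456789abcdef0123456789abcdef"),          # md5 length, not in list
]

# Constructed mini wordlist; the real services index billions of entries.
WORDLIST = ["password", "123456", "letmein", "test", "welcome"]

ALGOS_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def identify(digest):
    """Guess the algorithm from the hex length. 32 hex chars could also be
    NTLM or MD4; a lookup service tries every candidate of that length."""
    if not digest or not all(c in "0123456789abcdef" for c in digest.lower()):
        return None
    return ALGOS_BY_LENGTH.get(len(digest))


def candidates(word):
    """A few mangling rules applied on top of each wordlist entry."""
    return {word, word.capitalize(), word + "1", word + "123", word + "!"}


def build_table(wordlist):
    """hash -> (algo, plaintext) for every candidate under every algorithm.
    This is the precomputation a lookup site does once and serves forever;
    no per-user salt means one table serves every dump."""
    table = {}
    for word in wordlist:
        for cand in candidates(word):
            data = cand.encode()
            for algo in ALGOS_BY_LENGTH.values():
                table[hashlib.new(algo, data).hexdigest()] = (algo, cand)
    return table


def crack(dump, wordlist):
    """email -> (algorithm, plaintext or None when the table has no entry)."""
    table = build_table(wordlist)
    results = {}
    for email, digest in dump:
        digest = digest.lower()
        algo, plain = table.get(digest, (identify(digest), None))
        results[email] = (algo, plain)
    return results


if __name__ == "__main__":
    for email, (algo, plain) in crack(DUMP, WORDLIST).items():
        print(f"{email:20} {algo or '?':7} {plain if plain else '(not recovered)'}")
```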

  32. Demo
    §  recon/creds/gather/http/api/pwnedlist/domain_ispwned
    §  recon/contacts/enum/http/web/pwnedlist
    §  recon/creds/gather/http/api/pwnedlist/domain_creds
    §  recon/creds/enum/http/api/leakdb

  33. All of this with...
    no exploits

  34. Physical Reconnaissance
    §  PushPin
    §  Geotagged media aggregator
    – Twitter
    – Picasa
    – *YouTube
    – Flickr
    – Shodan

  35. Media tab

  36. Mapping tab

  37. Realistically?
    TARGET:
    Apple HQ, Cupertino, CA

  38. Entry Control Points

  42. Security Forces

  45. Badging

  47. ...without setting foot on the ground.

  48. Beyond Recon
    §  Discovery
    – Exploitable pages
    – DNS cache snooping
    •  AV detection (Scrape-DNS)
    •  Rob Dixon (@304geek)
    – Backup files
    – Interesting files
    §  Exploitation
    – XPath brute forcer
    – Command injector

  49. Reporting
    §  Analysis
    – CSV - reporting/csv_file
    – PushPin – reporting/pushpin
    §  Compatibility
    – List - reporting/list
    §  Deliverable
    – HTML - reporting/html_report

  50. http://recon-ng.com
    http://lanmaster53.com
    Want more free tools and webcasts?
    Send me your contact information!
    @LaNMaSteR53
    [email protected]
    Thank You!