Look Ma, No Exploits! - The Recon-ng Framework

lanmaster53
November 04, 2013


Transcript

  1. Tim Tomes (@LaNMaSteR53)
     Look Ma, No Exploits! The Next Generation of Open Source Reconnaissance: The Recon-ng Framework
  2. Tim Tomes (LaNMaSteR53)
     § Christian/Father/Husband/Veteran
     § Black Hills Information Security
     § SANS Instructor
     § Security Blogger – lanmaster53.com / pauldotcom.com
     § "Coder" Me
  3. Credits
     § Ethan Robish (@EthanRobish)
     § Micah Hoffman (@WebBreacher)
     § Thrapt
     § Brendan Coles
     § Jay Turla (@shipcod3)
     § Robert Frost (@frosty_1313)
     § Drumm
     § Dan Woodruff (@dewoodruff)
     § John Babio (@3vi1john)
     § Kenan Abdullahoglu (@kyabd)
     § Matteo Cantoni (nothink.org)
     § Mike Siegel
     § Anthony Miller-Rhodes (@_s1lentjudge)
     § Eric Gragsone
  4. Disclaimer
     Due to the dynamic nature of the demos, offensive material is possible. While I don't condone it, I can't prevent it.
  5. Reconnaissance Defined
     § Merriam-Webster - "A preliminary survey to gain information."
     § ...using open sources and without making direct contact.
  6. Pentest Methodologies
     § Network: 1. Information Gathering 2. Scanning and Enumeration 3. Exploitation 4. Analysis and Reporting
     § Web App: 1. Reconnaissance 2. Mapping 3. Discovery 4. Exploitation 5. Reporting
  7. Traditional Recon
     § Select and verify scope
     § Gather info for: – authentication testing – social engineering
     § Learn of implemented technologies and configurations
     § Search for vulnerable code snippets – GitHub dorks
     § Identify weaknesses in physical security
  8. The Problem
     § Often overlooked or skipped
       – Internal – "I already know everything about my..."
       – External – Not enough time
     § My argument
       – Internal - You never know everything
       – External - You end up going back for it anyway
       – Isn't it good to know what the rest of the world knows?
  9. The Solution: Automation

  10. Web Resources
     § Server-side Enumeration – BuiltWith – WhatWeb – 2012 Internet Census – Project Sonar
     § Vulnerability Discovery – ASafaWeb – XSSed – punkSPIDER
     § Credential Harvesting – PwnedList – ShouldIChangeMyPassword.com
     § Contact Scoping – NameChk
  11. Advanced Recon
     § Efficiently develop storylines
     § Enumerate server-side technologies
     § Discover live vulnerabilities
     § Harvest full credentials
     § Conduct remote physical security analysis
     Who has the time?
  12. You do. Recon-ng: "Recon, in about an hour."

  13. Caveats
     § Using 3rd party websites may violate Nondisclosure Agreements (NDA) and contracts. – Anonymizing proxies – Authorization
     § Active recon vs. Passive recon – Active ~ Discovery
     § Not all data is free – $0 to > $60k
  14. The Recon-ng Framework
     § Interactive
     § Look and feel of MSF
     § Modular
     § Data driven
     § Scriptable (recon-cli)
     § Documented (wiki)
     § Developer friendly
     § Python (native)
     § http://www.recon-ng.com
  15. Framework Methodology
     (diagram: the phases Recon, Discovery, Mapping, Exploitation and Post-exploitation of the Social Engineering, Web Attack and Network Attack (Info. Gather, Scanning & Enumeration, Exploitation, Post-exploitation) methodologies, with the tools Recon-ng, SET, Burp, Metasploit and Meterpreter placed on them)
  16. UI Highlights
     § Interactive help
     § Command completion everywhere
     § Smart loading
     § Module switching
     § Direct data access
     § Workspaces
     § Verbose / Debugging
  17. Host Harvesting
     § Scope Selection / Validation
     § Server-side Enumeration – Port Scanning
     § Vulnerability Discovery
  18. Scope Selection / Validation
     § Whois
     § AdSense/Analytics lookup – ewhois.com
     § Search Engine "site" directive
     § Shodan "hostname" (more than web)
     § DNS brute force – DNSRecon, Fierce
     § IP neighbor lookups – Bing "ip:" – my-ip-neighbors.com
     § Geolocation – ipinfodb.com
  19. Demo
     § recon/hosts/gather/http/web/bing_domain
     § recon/hosts/gather/http/web/netcraft
     § *recon/hosts/gather/http/api/shodan_hostname
     § recon/hosts/enum/dns/resolve
     § recon/hosts/gather/http/web/ip_neighbor
     § recon/hosts/gather/http/api/bing_ip
     § recon/hosts/geo/http/api/ipinfodb
  20. Server-side Enumeration
     § Response headers – Server – Cookie names
     § Error responses
     § Browser, Tamper Data, Burp, Netcat
     § Nmap, Zmap
     § But this would require contact? – builtwith.com – whatweb.net – 2012 Internet Census
  21. Vulnerability Discovery
     § Enumeration + Research = Discovery
     § No validation!
     § Manual research or... – asafaweb.com – xssed.com – punkspider.hyperiongray.com
  22. Demo
     § recon/hosts/enum/http/api/builtwith
     § recon/hosts/enum/http/api/punkspider
     § recon/hosts/gather/http/web/census_2012
     § recon/hosts/gather/http/api/sonar_cio

  23. Contact Harvesting
     § Information Gathering
     § Data Manipulation
     § Storyline Development
  24. Information Gathering
     § LinkedIn – Social Networking for professionals – Accurate and precise
     § Jigsaw – Cloud based CRM – Owned by Sales Force – Crowd sourced – Scraping is free, API is better
     § PGP Key Servers – RedIRIS – MIT
  25. Demo
     § recon/contacts/gather/http/api/jigsaw/search_contacts
     § recon/contacts/gather/http/api/linkedin_auth

  26. Data Manipulation
     § What we have – First Name – Last Name – Job Title – Location
     § What we want – Email Address – Username
  27. Building Contacts
     § Get email domain – MX record lookup – Whois Contacts
     § Naming Convention – Websites – Whois Contacts / PGP Key Search – Search Engine "@domain.com" (Baidu) – Trial and Error – Jigsaw API
     § Email = Mangled Info + Domain
  28. Demo
     § recon/contacts/gather/http/api/whois_pocs
     § recon/contacts/gather/http/web/pgp_search
     § recon/contacts/support/mangle
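The "Email = Mangled Info + Domain" step of slides 26-28, as an added illustration (not the code of Recon-ng's mangle module): the contact names, the domain example.com and the pattern tokens {first}, {last}, {fi}, {li} are constructed assumptions, and the naming convention is whatever the research on slide 27 turned up.

```python
import re
import unicodedata

# Constructed sample contacts: the first/last names slide 26 says we already
# have. Accents, hyphens and apostrophes are deliberate edge cases.
CONTACTS = [
    ("Mary-Jane", "O'Brien"),
    ("José", "Núñez"),
    ("Tim", "Tomes"),
]


def normalize(name):
    """Fold a name to plain ASCII letters: strip accents, case, punctuation."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def mangle(first, last, pattern, domain):
    """Apply a naming-convention pattern (hypothetical token syntax) to one contact.

    Tokens: {first}, {last}, {fi} (first initial), {li} (last initial), e.g.
    "{first}.{last}" -> tim.tomes, "{fi}{last}" -> ttomes.
    Returns the username (local part) and the email, or None if a name is empty.
    """
    f, l = normalize(first), normalize(last)
    if not f or not l:
        return None
    try:
        local = pattern.format(first=f, last=l, fi=f[0], li=l[0])
    except (KeyError, IndexError) as exc:
        raise ValueError(f"bad pattern {pattern!r}: {exc}") from exc
    return {"username": local, "email": f"{local}@{domain}"}


def mangle_all(contacts, pattern, domain):
    """Mangle every contact, skipping the ones with missing name parts."""
    results = []
    for first, last in contacts:
        entry = mangle(first, last, pattern, domain)
        if entry:
            results.append(entry)
    return results


if __name__ == "__main__":
    for entry in mangle_all(CONTACTS, "{fi}{last}", "example.com"):
        print(entry["username"], entry["email"])
```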

  29. Storyline Development
     § Google, Baidu
     § Social Networks
     § Code Repositories
     § The usual...
     § Namechk.com?
  30. Demo
     § recon/contacts/enum/http/web/namechk
  31. Credential Harvesting
     § Harvested credential dumps – ShouldIChangeMyPassword.com – Pwnedlist.com • API • Expensive, but worth it
     § The problem? Hashes! – md5.noisette.ch – crackstation.net – leakdb.abusix.com (formerly goog.li)
  32. Demo
     § recon/creds/gather/http/api/pwnedlist/domain_ispwned
     § recon/contacts/enum/http/web/pwnedlist
     § recon/creds/gather/http/api/pwnedlist/domain_creds
     § recon/creds/enum/http/api/leakdb
  33. All of this with... no exploits

  34. Physical Reconnaissance
     § PushPin
     § Geotagged media aggregator – Twitter – Picasa – *YouTube – Flickr – Shodan – <your module here>
  35. Media tab

  36. Mapping tab

  37. Realistically? TARGET: Apple HQ, Cupertino, CA

  38. Entry Control Points

  42. Security Forces

  45. Badging

  47. ...without setting foot on the ground.

  48. Beyond Recon
     § Discovery – Exploitable pages – DNS cache snooping • AV detection (Scrape-DNS) • Rob Dixon (@304geek) – Backup files – Interesting files
     § Exploitation – XPath brute forcer – Command injector
  49. Reporting
     § Analysis – CSV - reporting/csv_file – PushPin - reporting/pushpin
     § Compatibility – List - reporting/list
     § Deliverable – HTML - reporting/html_report
  50. http://recon-ng.com http://lanmaster53.com
     Want more free tools and webcasts? Send me your contact information! @LaNMaSteR53 tim@blackhillsinfosec.com
     Thank You!