@lanmaster53 | tim.tomes@practisec.com Tim Tomes Tim Tomes @lanmaster53 Jesus Freak Husband, Father, and Veteran Coder, Breaker, Teacher, Entrepreneur, and Sharer PortSwigger Preferred Training Partner "Burp Suite master and king of making HTTP requests tremble." https://www.lanmaster53.com
@lanmaster53 | tim.tomes@practisec.com What do I know about recon? What do I know about recon? Former Army Red Teamer Senior Leader, 2008-2010 NSA Certified Full Spectrum CNA Wireless Physical Psychological OSINT General Penetration Tester, 2010-2014 Web Application Penetration Tester, 2014-Present Author of Recon-ng
@lanmaster53 | tim.tomes@practisec.com Why does this talk matter? Why does this talk matter? Recon is a part of every attack methodology. Hardware, software, physical, physchological, etc. Typically the first step. Automation increases the benefit-cost ratio. The benefit is largely unknown. Automation reduces the cost. Automate what you can. Recon-ng is just fun to play with.
@lanmaster53 | tim.tomes@practisec.com Reconnaissance (1/2) Reconnaissance (1/2) Gathering information about the target from external sources. The most underutilized step. Findings here allow you to start building assumptions to test. Provides key information needed for later steps. Advanced techniques blur the methodology. Considerations: Possible disclosure of client relationship Active vs. Passive reconnaissance
@lanmaster53 | tim.tomes@practisec.com Reconnaissance (2/2) Reconnaissance (2/2) Objectives: Selection and verification (most important) of targets Information about technologies used and configurations Lists of users, employees, and organization info Password reset information and contact information Trust relationships to exploit (friends, managers, partnerships, etc.) Code snippets with vulnerabilities and authentication information Port scans and service enumeration Technology enumeration Dynamic vulnerabilities Credentials Without engaging the target environment.
@lanmaster53 | tim.tomes@practisec.com Recon-ng Recon-ng Framework written by Tim (lanmaster53) Tomes. Modules written by a community of developers. Completely modular reconnaissance framework. Automates full scope open source reconnaissance. Built around the idea of transforming data. Written in Python 3. Recon-ng Notes: Well documented Module Marketplace http://recon-ng.com
@lanmaster53 | tim.tomes@practisec.com Demo Time! Demo Time! Enough talk. Let's do it! Recon-ng v5.1.1 The last few steps require several API keys (all free). Censys FullContact Google (Maps Geocode, Maps JavaScript, and YouTube Data APIs enabled) Twitter Flickr Our target is...
@lanmaster53 | tim.tomes@practisec.com Get the Root Domain (seed) Get the Root Domain (seed) 1. Google "Clemson University". 2. Grab the domain of the main home page from the Google results. 3. Grab the mail domain from an email address in the "Contact Us" page. 4. Manually add these domains to the database.
@lanmaster53 | tim.tomes@practisec.com Transform Domains to Companies Transform Domains to Companies 1. Search the marketplace/modules for company transforms. marketplace|modules search -companies 2. Use the following module(s) to transform known domains to companies. recon/domains-companies/pen 3. Derive other company names from the results. 4. Manually add derived company names to the database. What other company names should we consider?
@lanmaster53 | tim.tomes@practisec.com Transform Domains to Hostnames Transform Domains to Hostnames 1. Search the marketplace/modules for hostname transforms. marketplace|modules search -hosts 2. Use the following module(s) to transform known domains to hosts. recon/domains-hosts/bing_domain_web recon/domains-hosts/brute_hosts 3. Use the following module(s) to transform hostnames to IP addresses. recon/hosts-hosts/resolve What interesting hosts stand out from the others?
@lanmaster53 | tim.tomes@practisec.com Transform Companies to Netblocks+ Transform Companies to Netblocks+ 1. Search the marketplace/modules for netblock transforms. There are currently no modules that transform data exclusively into netblocks+. marketplace|modules search -multi 2. Use the following module(s) to transform known companies to multiple objects. recon/companies-multi/whois_miner Which netblock is significant based on our discoveries thus far?
@lanmaster53 | tim.tomes@practisec.com Transform Netblocks to Ports Transform Netblocks to Ports 1. Search the marketplace/modules for port transforms. marketplace|modules search -ports 2. Use the following module(s) to transform an interesting netblock to ports. recon/netblocks-ports/censysio 3. Narrow the input scope to an interesting netblock. options set SOURCE <interesting_netblock> What can we do with this information?
@lanmaster53 | tim.tomes@practisec.com Transform Domains to Contacts Transform Domains to Contacts 1. Search the marketplace/modules for contact transforms. marketplace|modules search -contacts 2. Use the following module(s) to transform known domains to contacts. recon/domains-contacts/whois_pocs recon/domains-contacts/pgp_search What is significant about these contacts?
@lanmaster53 | tim.tomes@practisec.com Transform Contacts to Profiles Transform Contacts to Profiles 1. Search the marketplace/modules for profile transforms. marketplace|modules search -profiles 2. Use the following module(s) to transform known contacts to profiles. recon/contacts-profiles/fullcontact 3. Use the following module(s) to transform known profiles to other profiles. recon/profiles-profiles/profiler What good are a bunch of profiles?
@lanmaster53 | tim.tomes@practisec.com Transform Domains to Credentials+ Transform Domains to Credentials+ 1. Search the marketplace/modules for credential transforms. marketplace|modules search -credentials 2. Use the following module(s) to transform known domains to credentials. recon/domains-credentials/scylla What is the key issue behind this information?
@lanmaster53 | tim.tomes@practisec.com Transform Hashes to Passwords (Credentials) Transform Hashes to Passwords (Credentials) 1. Search the marketplace/modules for credential transforms. marketplace|modules search -credentials 2. Use the following module(s) to transform hashes into cleartext passwords. recon/credentials-credentials/hashes_org 3. Narrow the input scope to remove Bcrypt and SHA1 hashes. options set SOURCE query select distinct hash from credentials where password is null and type is not null and type != 'SHA1' and type != 'bcrypt' What is Bcrypt and why should we avoid it?
@lanmaster53 | tim.tomes@practisec.com Transform Addresses to Coordinates (Locations) Transform Addresses to Coordinates (Locations) 1. Search the marketplace/modules for location transforms. marketplace|modules search -locations 2. Use the following module(s) to transform addresses to coordinates. recon/locations-locations/geocode Why are coordinates important?
@lanmaster53 | tim.tomes@practisec.com Transform Coordinates to Pushpins Transform Coordinates to Pushpins 1. Search the marketplace/modules for Pushpin transforms. marketplace|modules search -pushpins 2. Use the following module(s) to transform coordinates to pushpins while narrowing the scope accordingly. recon/locations-pushpins/(flickr|youtube) options set SOURCE 34.6741454,-82.8345164 options set RADIUS 0.1 recon/locations-pushpins/twitter options set SOURCE 34.6741454,-82.8345164 How is this even possible?
@lanmaster53 | tim.tomes@practisec.com Analyze the Data Analyze the Data 1. launch Recon-web from the command line. ./recon-web 2. Visit the Recon-web interface. 3. Analyze and export data as needed. http://127.0.0.1:5000/
@lanmaster53 | tim.tomes@practisec.com Conclusion Conclusion Lots of potential Many things that use to require risk can now be done: Remotely With little or no attribution
@lanmaster53 | tim.tomes@practisec.com Cyber Masterminds Cyber Masterminds Professional development and networking program. Might change the industry. Will change careers/lives. Twitter: @CyberMasterminds Website: Promo: . Sign up today! http://cybermasterminds.com/ https://youtube.com/watch?v=TAChhON3Zxo
lanmaster53
rmw
edds
jcasabona
davidbonilla
sstephenson
lara
colly
jmmastey
chriscoyier
jacobian
maggiecrowley
destraynor
