Rapid Recon for Red Teams

lanmaster53
February 14, 2020

Transcript

  1. Rapid Recon for Red Teams
    Rapid Recon for Red Teams | Tim Tomes | @lanmaster53 | [email protected]
    Tim "lanmaster53" Tomes

  2. Tim Tomes
    @lanmaster53
    Jesus Freak
    Husband, Father, and Veteran
    Coder, Breaker, Teacher, Entrepreneur, and Sharer
    PortSwigger Preferred Training Partner
    "Burp Suite master and king of making HTTP requests tremble."
    https://www.lanmaster53.com

  3. What do I know about recon?
    Former Army Red Teamer
    Senior Leader, 2008-2010
    NSA Certified
    Full Spectrum
    CNA
    Wireless
    Physical
    Psychological
    OSINT
    General Penetration Tester, 2010-2014
    Web Application Penetration Tester, 2014-Present
    Author of Recon-ng

  4. Why does this talk matter?
    Recon is a part of every attack methodology.
    Hardware, software, physical, psychological, etc.
    Typically the first step.
    Automation increases the benefit-cost ratio.
    The benefit is largely unknown.
    Automation reduces the cost.
    Automate what you can.
    Recon-ng is just fun to play with.

  5. Reconnaissance (1/2)
    Gathering information about the target from external sources.
    The most underutilized step.
    Findings here allow you to start building assumptions to test.
    Provides key information needed for later steps.
    Advanced techniques blur the methodology.
    Considerations:
    Possible disclosure of client relationship
    Active vs. Passive reconnaissance

  6. Reconnaissance (2/2)
    Objectives:
    Selection and verification (most important) of targets
    Information about technologies used and configurations
    Lists of users, employees, and organization info
    Password reset information and contact information
    Trust relationships to exploit (friends, managers, partnerships, etc.)
    Code snippets with vulnerabilities and authentication information
    Port scans and service enumeration
    Technology enumeration
    Dynamic vulnerabilities
    Credentials
    Without engaging the target environment.

  7. Recon-ng
    Framework written by Tim (lanmaster53) Tomes.
    Modules written by a community of developers.
    Completely modular reconnaissance framework.
    Automates full scope open source reconnaissance.
    Built around the idea of transforming data.
    Written in Python 3.
    Recon-ng Notes:
    Well documented
    Module Marketplace
    http://recon-ng.com

  8. Demo Time!
    Enough talk. Let's do it!
    Recon-ng v5.1.1
    The last few steps require several API keys (all free).
    Censys
    FullContact
    Google (Maps Geocode, Maps JavaScript, and YouTube Data APIs enabled)
    Twitter
    Flickr
    Our target is...

  9. Clemson University

  10. Get the Root Domain (seed)
    1. Google "Clemson University".
    2. Grab the domain of the main home page from the Google results.
    3. Grab the mail domain from an email address in the "Contact Us" page.
    4. Manually add these domains to the database.

  11. Transform Domains to Companies
    1. Search the marketplace/modules for company transforms.
    marketplace|modules search -companies
    2. Use the following module(s) to transform known domains to companies.
    recon/domains-companies/pen
    3. Derive other company names from the results.
    4. Manually add derived company names to the database.
    What other company names should we consider?

  12. Transform Domains to Hostnames
    1. Search the marketplace/modules for hostname transforms.
    marketplace|modules search -hosts
    2. Use the following module(s) to transform known domains to hosts.
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    3. Use the following module(s) to transform hostnames to IP addresses.
    recon/hosts-hosts/resolve
    What interesting hosts stand out from the others?

  13. Transform Companies to Netblocks+
    1. Search the marketplace/modules for netblock transforms.
    There are currently no modules that transform data exclusively into netblocks+.
    marketplace|modules search -multi
    2. Use the following module(s) to transform known companies to multiple objects.
    recon/companies-multi/whois_miner
    Which netblock is significant based on our discoveries thus far?

  14. Transform Netblocks to Ports
    1. Search the marketplace/modules for port transforms.
    marketplace|modules search -ports
    2. Use the following module(s) to transform an interesting netblock to ports.
    recon/netblocks-ports/censysio
    3. Narrow the input scope to an interesting netblock.
    options set SOURCE
    What can we do with this information?

  15. Transform Domains to Contacts
    1. Search the marketplace/modules for contact transforms.
    marketplace|modules search -contacts
    2. Use the following module(s) to transform known domains to contacts.
    recon/domains-contacts/whois_pocs
    recon/domains-contacts/pgp_search
    What is significant about these contacts?

  16. Transform Contacts to Profiles
    1. Search the marketplace/modules for profile transforms.
    marketplace|modules search -profiles
    2. Use the following module(s) to transform known contacts to profiles.
    recon/contacts-profiles/fullcontact
    3. Use the following module(s) to transform known profiles to other profiles.
    recon/profiles-profiles/profiler
    What good are a bunch of profiles?

  17. Transform Domains to Credentials+
    1. Search the marketplace/modules for credential transforms.
    marketplace|modules search -credentials
    2. Use the following module(s) to transform known domains to credentials.
    recon/domains-credentials/scylla
    What is the key issue behind this information?

  18. Transform Hashes to Passwords (Credentials)
    1. Search the marketplace/modules for credential transforms.
    marketplace|modules search -credentials
    2. Use the following module(s) to transform hashes into cleartext passwords.
    recon/credentials-credentials/hashes_org
    3. Narrow the input scope to remove Bcrypt and SHA1 hashes.
    options set SOURCE query select distinct hash from credentials where password is null and type is not null and type != 'SHA1' and type != 'bcrypt'
    What is Bcrypt and why should we avoid it?


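What the SOURCE narrowing on slides 14 and 18 actually does, shown as an added Python example (this is not Recon-ng's own code and not from the talk). It builds a credentials table laid out like the Recon-ng v5 workspace table as I recall its columns (an assumption), fills it with constructed rows, resolves SOURCE the way Recon-ng does ("default" runs the module's query, "query <sql>" runs the given SQL, an existing file path is read line by line, anything else is a literal), runs the slide's query through it, and hands the result to a credentials-to-credentials transform backed by a small local dictionary standing in for the hashes.org lookup. The names build_workspace, get_source, lookup_transform, LOOKUP and DEFAULT_QUERY are mine. The unsalted MD5 row is recovered; the SHA1 row never reaches the lookup because the query excluded it; and a bcrypt string would be useless to a lookup service anyway, since every bcrypt hash carries its own salt and work factor.

```python
# Added example: Recon-ng-style SOURCE resolution over a credentials table.
# Table columns follow the Recon-ng v5 credentials table as I recall it
# (assumption); every row below is constructed sample data.
import hashlib
import os
import sqlite3
import tempfile

# Slide 18's query, verbatim: skip SHA1 and bcrypt hashes.
SLIDE_QUERY = (
    "select distinct hash from credentials where password is null "
    "and type is not null and type != 'SHA1' and type != 'bcrypt'"
)
# What a hash-lookup module would run with SOURCE left at "default"
# (assumption: modelled on the usual "hash not null, password null" default).
DEFAULT_QUERY = (
    "select distinct hash from credentials "
    "where hash is not null and password is null"
)


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed rows: (username, password, hash, type, leak).
SAMPLE_ROWS = [
    ("jdoe@example.edu", None, md5_hex("password"), "MD5", "leak-1"),
    ("asmith@example.edu", None, sha1_hex("password"), "SHA1", "leak-1"),
    ("bjones@example.edu", None, "$2b$12$" + "a" * 53, "bcrypt", "leak-2"),
    ("cwhite@example.edu", None, md5_hex("Tigers!2019"), "MD5", "leak-2"),
    ("dlee@example.edu", "Summer2019", None, None, "leak-3"),  # cleartext already
    ("eking@example.edu", None, "deadbeef" * 4, None, "leak-3"),  # unknown type
]

# Stand-in for the remote hash lookup service (constructed).
LOOKUP = {md5_hex("password"): "password", sha1_hex("password"): "password"}


def build_workspace():
    """In-memory workspace holding only the constructed credentials rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credentials (username TEXT, password TEXT, hash TEXT, "
        "type TEXT, leak TEXT, notes TEXT, module TEXT)"
    )
    conn.executemany(
        "INSERT INTO credentials (username, password, hash, type, leak) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def get_source(conn, params, default_query):
    """Resolve a SOURCE value: 'default', 'query <sql>', a file path, or a literal."""
    prefix = params.split()[0].lower()
    if prefix in ("query", "default"):
        query = " ".join(params.split()[1:]) if prefix == "query" else default_query
        sources = [row[0] for row in conn.execute(query)]  # first column only
    elif os.path.exists(params):
        with open(params) as fh:
            sources = fh.read().split()
    else:
        sources = [params]
    if not sources:
        raise ValueError("Source contains no input.")
    return sources


def lookup_transform(conn, hashes, lookup):
    """credentials -> credentials: fill in password for hashes the lookup knows."""
    updated = 0
    for h in hashes:
        if h in lookup:
            cur = conn.execute(
                "UPDATE credentials SET password = ? WHERE hash = ? AND password IS NULL",
                (lookup[h], h),
            )
            updated += cur.rowcount
    conn.commit()
    return updated


def cracked(conn):
    """{username: password} for rows whose hash now has a cleartext beside it."""
    return dict(conn.execute(
        "SELECT username, password FROM credentials "
        "WHERE hash IS NOT NULL AND password IS NOT NULL"
    ))


def run_demo():
    """Walk slide 18 end to end and report the size of each step's input."""
    conn = build_workspace()
    everything = get_source(conn, "default", DEFAULT_QUERY)
    narrowed = get_source(conn, "query " + SLIDE_QUERY, DEFAULT_QUERY)
    # SOURCE may also point at a file of hashes, one per line.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("\n".join(narrowed))
        path = fh.name
    try:
        from_file = get_source(conn, path, DEFAULT_QUERY)
    finally:
        os.remove(path)
    updated = lookup_transform(conn, narrowed, LOOKUP)
    return {"default": len(everything), "narrowed": len(narrowed),
            "from_file": len(from_file), "updated": updated, "cracked": cracked(conn)}


if __name__ == "__main__":
    print(run_demo())
```

The query only changes what is handed to the transform; no rows leave the table, so a later run with a different SOURCE can still pick up the SHA1 entries.
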
  19. Transform Addresses to Coordinates (Locations)
    1. Search the marketplace/modules for location transforms.
    marketplace|modules search -locations
    2. Use the following module(s) to transform addresses to coordinates.
    recon/locations-locations/geocode
    Why are coordinates important?

  20. Transform Coordinates to Pushpins
    1. Search the marketplace/modules for Pushpin transforms.
    marketplace|modules search -pushpins
    2. Use the following module(s) to transform coordinates to pushpins while narrowing the scope accordingly.
    recon/locations-pushpins/(flickr|youtube)
    options set SOURCE 34.6741454,-82.8345164
    options set RADIUS 0.1
    recon/locations-pushpins/twitter
    options set SOURCE 34.6741454,-82.8345164
    How is this even possible?


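The geofencing behind slide 20, as an added Python example (not Recon-ng's own code and not from the talk): a great-circle distance check keeps only the pushpins inside a RADIUS of the slide's coordinate, and a second pass counts accounts that post there repeatedly, which is what makes a pile of pushpins useful. The pushpin fields are a subset of the Recon-ng v5 pushpins table as I recall it, RADIUS is treated as kilometres because that is how I understand the modules' option (both assumptions), and the posts and account names are constructed.

```python
# Added example: fence geotagged posts around a seed coordinate.
# Field order (source, screen_name, latitude, longitude, message) is a
# subset of the v5 pushpins table as I recall it (assumption); RADIUS is
# treated as kilometres (assumption). All pushpins are constructed.
import math
from collections import Counter

SEED = (34.6741454, -82.8345164)  # the coordinate used on slide 20
EARTH_RADIUS_KM = 6371.0088

# At this latitude 0.0005 deg is roughly 50 m, 0.002 deg roughly 220 m,
# and 0.01 deg roughly 1.1 km.
PUSHPINS = [
    ("twitter", "tiger_fan", 34.6746454, -82.8345164, "coffee before class"),
    ("flickr", "visitor_88", 34.6741454, -82.8350164, "campus in spring"),
    ("twitter", "tiger_fan", 34.6761454, -82.8345164, "parking again"),
    ("youtube", "far_away", 34.6641454, -82.8345164, "drone over the lake"),
    ("twitter", "no_geotag", None, None, "no location attached"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_source(source):
    """Parse the 'lat,lon' string form the slide passes to SOURCE."""
    lat, lon = (float(part.strip()) for part in source.split(","))
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("coordinate out of range: %r" % source)
    return lat, lon


def within_radius(pushpins, source, radius_km):
    """Keep pushpins that carry coordinates inside radius_km of source."""
    lat0, lon0 = parse_source(source) if isinstance(source, str) else source
    kept = []
    for pin in pushpins:
        _, _, lat, lon, _ = pin
        if lat is None or lon is None:
            continue  # no geotag, nothing to fence on
        if haversine_km(lat0, lon0, lat, lon) <= radius_km:
            kept.append(pin)
    return kept


def frequent_posters(pushpins, source, radius_km, min_pins=2):
    """Accounts with at least min_pins geotagged posts inside the fence."""
    counts = Counter(pin[1] for pin in within_radius(pushpins, source, radius_km))
    return sorted(name for name, n in counts.items() if n >= min_pins)


if __name__ == "__main__":
    for radius in (0.1, 1.0):
        inside = within_radius(PUSHPINS, "34.6741454,-82.8345164", radius)
        print(radius, [p[1] for p in inside], frequent_posters(PUSHPINS, SEED, radius))
```

With the slide's RADIUS of 0.1 only the two posts within about 100 m survive; widening to 1 km pulls in the same account twice, which is the kind of repeat presence worth a closer look.
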
  21. Analyze the Data
    1. Launch Recon-web from the command line.
    ./recon-web
    2. Visit the Recon-web interface.
    http://127.0.0.1:5000/
    3. Analyze and export data as needed.

  22. Conclusion
    Lots of potential
    Many things that used to require risk can now be done:
    Remotely
    With little or no attribution

  23. Thank you!
    Any questions?

  24. Cyber Masterminds
    Professional development and networking program.
    Might change the industry. Will change careers/lives.
    Twitter: @CyberMasterminds
    Website: http://cybermasterminds.com/
    Promo: .
    Sign up today!
    https://youtube.com/watch?v=TAChhON3Zxo
