Rapid Recon for Red Teams

lanmaster53
February 14, 2020

Transcript

  1. Rapid Recon for Red Teams | Tim Tomes | @lanmaster53 | tim.tomes@practisec.com

    Rapid Recon for Red Teams
    Tim "lanmaster53" Tomes
  2. Tim Tomes

    @lanmaster53
    Jesus Freak
    Husband, Father, and Veteran
    Coder, Breaker, Teacher, Entrepreneur, and Sharer
    PortSwigger Preferred Training Partner
    "Burp Suite master and king of making HTTP requests tremble."
    https://www.lanmaster53.com
  3. What do I know about recon?

    Former Army Red Teamer
      Senior Leader, 2008-2010
      NSA Certified Full Spectrum (CNA, Wireless, Physical, Psychological, OSINT)
    General Penetration Tester, 2010-2014
    Web Application Penetration Tester, 2014-Present
    Author of Recon-ng
  4. Why does this talk matter?

    Recon is a part of every attack methodology: hardware, software, physical, psychological, etc.
    Typically the first step.
    Automation increases the benefit-cost ratio: the benefit is largely unknown up front, but automation reduces the cost.
    Automate what you can.
    Recon-ng is just fun to play with.
  5. Reconnaissance (1/2)

    Gathering information about the target from external sources.
    The most underutilized step.
    Findings here allow you to start building assumptions to test.
    Provides key information needed for later steps.
    Advanced techniques blur the methodology.
    Considerations:
      Possible disclosure of the client relationship
      Active vs. passive reconnaissance
  6. Reconnaissance (2/2)

    Objectives:
      Selection and verification (most important) of targets
      Information about technologies used and configurations
      Lists of users, employees, and organization info
      Password reset information and contact information
      Trust relationships to exploit (friends, managers, partnerships, etc.)
      Code snippets with vulnerabilities and authentication information
    Obtainable without engaging the target environment:
      Port scans and service enumeration
      Technology enumeration
      Dynamic vulnerabilities
      Credentials
  7. Recon-ng

    Framework written by Tim (lanmaster53) Tomes.
    Modules written by a community of developers.
    Completely modular reconnaissance framework.
    Automates full-scope open source reconnaissance.
    Built around the idea of transforming data.
    Written in Python 3.
    Notes: well documented; module marketplace.
    http://recon-ng.com
  8. Demo Time!

    Enough talk. Let's do it!
    Recon-ng v5.1.1
    The last few steps require several API keys (all free):
      Censys
      FullContact
      Google (Maps Geocode, Maps JavaScript, and YouTube Data APIs enabled)
      Twitter
      Flickr
    Our target is...
  9. Clemson University
  10. Get the Root Domain (seed)

    1. Google "Clemson University".
    2. Grab the domain of the main home page from the Google results.
    3. Grab the mail domain from an email address on the "Contact Us" page.
    4. Manually add these domains to the database.
  11. Transform Domains to Companies

    1. Search the marketplace/modules for company transforms.
         marketplace|modules search -companies
    2. Use the following module(s) to transform known domains to companies.
         recon/domains-companies/pen
    3. Derive other company names from the results.
    4. Manually add derived company names to the database.
    What other company names should we consider?
  12. Transform Domains to Hostnames

    1. Search the marketplace/modules for hostname transforms.
         marketplace|modules search -hosts
    2. Use the following module(s) to transform known domains to hosts.
         recon/domains-hosts/bing_domain_web
         recon/domains-hosts/brute_hosts
    3. Use the following module(s) to transform hostnames to IP addresses.
         recon/hosts-hosts/resolve
    What interesting hosts stand out from the others?
  13. Transform Companies to Netblocks+

    1. Search the marketplace/modules for netblock transforms. There are currently no modules that transform data exclusively into netblocks+, so search the multi-output transforms instead.
         marketplace|modules search -multi
    2. Use the following module(s) to transform known companies to multiple objects.
         recon/companies-multi/whois_miner
    Which netblock is significant based on our discoveries thus far?
  14. Transform Netblocks to Ports

    1. Search the marketplace/modules for port transforms.
         marketplace|modules search -ports
    2. Use the following module(s) to transform an interesting netblock to ports.
         recon/netblocks-ports/censysio
    3. Narrow the input scope to an interesting netblock.
         options set SOURCE <interesting_netblock>
    What can we do with this information?
  15. Transform Domains to Contacts

    1. Search the marketplace/modules for contact transforms.
         marketplace|modules search -contacts
    2. Use the following module(s) to transform known domains to contacts.
         recon/domains-contacts/whois_pocs
         recon/domains-contacts/pgp_search
    What is significant about these contacts?
  16. Transform Contacts to Profiles

    1. Search the marketplace/modules for profile transforms.
         marketplace|modules search -profiles
    2. Use the following module(s) to transform known contacts to profiles.
         recon/contacts-profiles/fullcontact
    3. Use the following module(s) to transform known profiles to other profiles.
         recon/profiles-profiles/profiler
    What good are a bunch of profiles?
  17. Transform Domains to Credentials+

    1. Search the marketplace/modules for credential transforms.
         marketplace|modules search -credentials
    2. Use the following module(s) to transform known domains to credentials.
         recon/domains-credentials/scylla
    What is the key issue behind this information?
  18. Transform Hashes to Passwords (Credentials)

    1. Search the marketplace/modules for credential transforms.
         marketplace|modules search -credentials
    2. Use the following module(s) to transform hashes into cleartext passwords.
         recon/credentials-credentials/hashes_org
    3. Narrow the input scope to remove bcrypt and SHA1 hashes.
         options set SOURCE query select distinct hash from credentials where password is null and type is not null and type != 'SHA1' and type != 'bcrypt'
    What is bcrypt and why should we avoid it?
  19. Transform Addresses to Coordinates (Locations)

    1. Search the marketplace/modules for location transforms.
         marketplace|modules search -locations
    2. Use the following module(s) to transform addresses to coordinates.
         recon/locations-locations/geocode
    Why are coordinates important?
  20. Transform Coordinates to Pushpins

    1. Search the marketplace/modules for pushpin transforms.
         marketplace|modules search -pushpins
    2. Use the following module(s) to transform coordinates to pushpins, narrowing the scope accordingly.
         recon/locations-pushpins/(flickr|youtube)
           options set SOURCE 34.6741454,-82.8345164
           options set RADIUS 0.1
         recon/locations-pushpins/twitter
           options set SOURCE 34.6741454,-82.8345164
    How is this even possible?
  21. Analyze the Data

    1. Launch Recon-web from the command line.
         ./recon-web
    2. Visit the Recon-web interface.
         http://127.0.0.1:5000/
    3. Analyze and export data as needed.
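The demo above is typed into the Recon-ng console one step at a time. The script below is an added example, not part of the talk or of the Recon-ng project: it replays the key-free part of the chain (slides 10 through 15) non-interactively by generating a Recon-ng v5 resource file and feeding it to `recon-ng -r`. It assumes Recon-ng v5 is checked out in the current directory (`./recon-ng`), that the marketplace is reachable, and that `db insert <table> <values>` takes one tilde-separated value per column (domain, then notes); confirm that last point with `help db` in your version before relying on it. The seed domain `clemson.edu` is a placeholder taken from the demo target; substitute the web and mail domains you collected by hand.

```shell
#!/bin/sh
# Added example (not from the talk): replay the key-free transforms of the
# demo chain non-interactively with a Recon-ng v5 resource file.
# Assumptions: ./recon-ng is Recon-ng v5 in the current directory, the
# marketplace is reachable, and "db insert domains <domain>~" fills the
# domain column and leaves notes empty (check with "help db").
set -u

WORKSPACE="${WORKSPACE:-clemson}"
# Seed domains gathered by hand as on slide 10 (web domain and mail domain).
SEED_DOMAINS="${SEED_DOMAINS:-clemson.edu}"
RC_FILE="${RC_FILE:-recon-chain.rc}"

# Transforms from the demo that need no API key, in dependency order:
# domains -> companies -> hosts -> IPs -> netblocks/contacts.
CHAIN="recon/domains-companies/pen
recon/domains-hosts/bing_domain_web
recon/domains-hosts/brute_hosts
recon/hosts-hosts/resolve
recon/companies-multi/whois_miner
recon/domains-contacts/whois_pocs
recon/domains-contacts/pgp_search"

# write_rc FILE: emit the console commands, one per line, so that
# "recon-ng -r FILE" executes them exactly as if typed at the prompt.
write_rc() {
    rc="$1"
    : > "$rc"
    # Install every module first; repeating an install is harmless.
    for m in $CHAIN; do
        printf 'marketplace install %s\n' "$m" >> "$rc"
    done
    # Seed the domains table; the trailing ~ leaves the notes column empty.
    for d in $SEED_DOMAINS; do
        printf 'db insert domains %s~\n' "$d" >> "$rc"
    done
    # Load and run each transform against the default SOURCE, which is
    # every row currently in the module's input table, then leave the module.
    for m in $CHAIN; do
        printf 'modules load %s\nrun\nback\n' "$m" >> "$rc"
    done
    # Quit instead of dropping to the interactive prompt when the script ends.
    printf 'exit\n' >> "$rc"
}

# rc_has FILE CMD: true if the generated resource file contains CMD as a line.
rc_has() {
    grep -qxF "$2" "$1"
}

# run_chain: execute the resource file inside the named workspace.
run_chain() {
    ./recon-ng -w "$WORKSPACE" -r "$RC_FILE"
}

# Only touch Recon-ng when explicitly asked: "sh recon-chain.sh run".
if [ "${1:-}" = "run" ]; then
    write_rc "$RC_FILE"
    run_chain
fi
```

Run it with `SEED_DOMAINS="clemson.edu mail.example" sh recon-chain.sh run`, then start `./recon-web` to review the results. The modules that need an API key or a hand-picked SOURCE (censysio against the one interesting netblock, fullcontact, profiler, scylla, hashes_org, geocode and the pushpin modules) are deliberately left out of the generated file: each of them depends on a judgement you make after looking at the earlier results, which is exactly the part of the demo that should stay interactive.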
  22. Conclusion

    Lots of potential.
    Many things that used to require risk can now be done:
      Remotely
      With little or no attribution
  23. Thank you!

    Any questions?
  24. Cyber Masterminds

    Professional development and networking program.
    Might change the industry. Will change careers/lives.
    Twitter: @CyberMasterminds
    Website: http://cybermasterminds.com/
    Promo: https://youtube.com/watch?v=TAChhON3Zxo
    Sign up today!