Slide 1

Look Ma, No Exploits! The Next Generation of Open Source Reconnaissance: The Recon-ng Framework
Tim Tomes (@LaNMaSteR53)

Slide 2

Me
§ Tim Tomes (LaNMaSteR53)
§ Christian/Father/Husband/Veteran
§ Black Hills Information Security
§ SANS Instructor
§ Security Blogger
  – lanmaster53.com / pauldotcom.com
§ "Coder"

Slide 3

Credits
§ Ethan Robish (@EthanRobish)
§ Micah Hoffman (@WebBreacher)
§ Thrapt
§ Brendan Coles
§ Jay Turla (@shipcod3)
§ Robert Frost (@frosty_1313)
§ Drumm
§ Dan Woodruff (@dewoodruff)
§ John Babio (@3vi1john)
§ Kenan Abdullahoglu (@kyabd)
§ Matteo Cantoni (nothink.org)
§ Mike Siegel
§ Anthony Miller-Rhodes (@_s1lentjudge)
§ Eric Gragsone

Slide 4

Disclaimer
Due to the dynamic nature of the demos, offensive material is possible. While I don’t condone it, I can’t prevent it.

Slide 5

Reconnaissance Defined
§ Merriam-Webster: “A preliminary survey to gain information.”
§ ...using open sources and without making direct contact.

Slide 6

Pentest Methodologies
§ Network
  1. Information Gathering
  2. Scanning and Enumeration
  3. Exploitation
  4. Analysis and Reporting
§ Web App
  1. Reconnaissance
  2. Mapping
  3. Discovery
  4. Exploitation
  5. Reporting

Slide 7

Traditional Recon
§ Select and verify scope
§ Gather info for:
  – authentication testing
  – social engineering
§ Learn of implemented technologies and configurations
§ Search for vulnerable code snippets
  – GitHub dorks
§ Identify weaknesses in physical security

Slide 8

The Problem
§ Often overlooked or skipped
  – Internal: "I already know everything about my..."
  – External: Not enough time
§ My argument
  – Internal: You never know everything
  – External: You end up going back for it anyway
  – Isn’t it good to know what the rest of the world knows?

Slide 9

The Solution
Automation

Slide 10

Web Resources
§ Server-side Enumeration
  – BuiltWith
  – WhatWeb
  – 2012 Internet Census
  – Project Sonar
§ Vulnerability Discovery
  – ASafaWeb
  – XSSed
  – punkSPIDER
§ Credential Harvesting
  – PwnedList
  – ShouldIChangeMyPassword.com
§ Contact Scoping
  – NameChk

Slide 11

Advanced Recon
§ Efficiently develop storylines
§ Enumerate server-side technologies
§ Discover live vulnerabilities
§ Harvest full credentials
§ Conduct remote physical security analysis
Who has the time?

Slide 12

You do.
Recon-ng
“Recon, in about an hour.”

Slide 13

Caveats
§ Using 3rd party websites may violate Nondisclosure Agreements (NDA) and contracts.
  – Anonymizing proxies
  – Authorization
§ Active recon vs. Passive recon
  – Active ~ Discovery
§ Not all data is free
  – $0 to > $60k

Slide 14

The Recon-ng Framework
§ Interactive
§ Look and feel of MSF
§ Modular
§ Data driven
§ Scriptable (recon-cli)
§ Documented (wiki)
§ Developer friendly
§ Python (native)
§ http://www.recon-ng.com

Slide 15

Framework Methodology
(diagram; the slide maps tools onto the phases of each attack type)
§ Attack types: Social Engineering, Web Attack, Network Attack
§ Web attack phases: Recon, Mapping, Discovery, Exploitation, Post-exploitation
§ Network attack phases: Info. Gather, Scanning & Enumeration, Exploitation, Post-exploitation
§ Tools shown: Recon-ng, Burp, SET, Metasploit, Meterpreter

Slide 16

UI Highlights
§ Interactive help
§ Command completion everywhere
§ Smart loading
§ Module switching
§ Direct data access
§ Workspaces
§ Verbose / Debugging

Slide 17

Host Harvesting
§ Scope Selection / Validation
§ Server-side Enumeration
  – Port Scanning
§ Vulnerability Discovery

Slide 18

Scope Selection / Validation
§ Whois
§ AdSense/Analytics lookup
  – ewhois.com
§ Search Engine "site" directive
§ Shodan "hostname" (more than web)
§ DNS brute force
  – DNSRecon, Fierce
§ IP neighbor lookups
  – Bing "ip:"
  – my-ip-neighbors.com
§ Geolocation
  – ipinfodb.com

Slide 19

Demo
§ recon/hosts/gather/http/web/bing_domain
§ recon/hosts/gather/http/web/netcraft
§ *recon/hosts/gather/http/api/shodan_hostname
§ recon/hosts/enum/dns/resolve
§ recon/hosts/gather/http/web/ip_neighbor
§ recon/hosts/gather/http/api/bing_ip
§ recon/hosts/geo/http/api/ipinfodb

Slide 20

Server-side Enumeration
§ Response headers
  – Server
  – Cookie names
§ Error responses
§ Browser, Tamper Data, Burp, Netcat
§ Nmap, Zmap
§ But this would require contact?
  – builtwith.com
  – whatweb.net
  – 2012 Internet Census
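The slide above lists what a response gives away without any exploit: the Server banner, X-Powered-By, and the names of the cookies it sets. The following is an added example (not Recon-ng code, not part of the talk) that reads those hints out of a raw HTTP response the way a tester would read them in Burp or from netcat. It is written from the owner's side: run it against a constructed or captured response from your own build to see which banners and version strings a third-party enumerator would record. The sample response and the cookie-name table are constructed for the example.

```python
"""Added example (not Recon-ng code): pull server-side technology hints out of a
raw HTTP response. Runs offline on a constructed response so an owner can see
what a given server build discloses before it is exposed."""
import re

# Constructed sample response for the example; not captured from any real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Set-Cookie: PHPSESSID=0123abcd; path=/; HttpOnly\r\n"
    b"Set-Cookie: lang=en; path=/\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Default session cookie names and the platform that sets them (well-known defaults).
COOKIE_HINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java Servlet",
    "asp.net_sessionid": "ASP.NET",
    "cfid": "ColdFusion",
    "cftoken": "ColdFusion",
}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...]).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw: bytes) -> dict:
    """Collect the passive fingerprint a response hands out: Server and
    X-Powered-By banners, cookie names, the products they imply, and which
    banners include a version number (the part an owner usually wants gone)."""
    status, headers = parse_response(raw)
    info = {"status": status, "server": None, "powered_by": None,
            "cookies": [], "technologies": set(), "version_leaks": []}
    for name, value in headers:
        if name == "server":
            info["server"] = value
        elif name == "x-powered-by":
            info["powered_by"] = value
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            info["cookies"].append(cookie)
            hint = COOKIE_HINTS.get(cookie.lower())
            if hint:
                info["technologies"].add(hint)
    # "Product/version" banners: the product is a technology, the version is a leak.
    for banner in (info["server"], info["powered_by"]):
        if not banner:
            continue
        product, _slash, version = banner.partition("/")
        info["technologies"].add(product.strip())
        if re.match(r"\d", version):
            info["version_leaks"].append(banner)
    info["technologies"] = sorted(info["technologies"])
    return info


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key:14} {val}")
```

Anything listed under version_leaks is what the passive sources on the slide (BuiltWith, WhatWeb, the Internet Census) will have indexed for you; trimming the Server and X-Powered-By banners to the product name removes the version without changing behaviour.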

Slide 21

Vulnerability Discovery
§ Enumeration + Research = Discovery
§ No validation!
§ Manual research or...
  – asafaweb.com
  – xssed.com
  – punkspider.hyperiongray.com

Slide 22

Demo
§ recon/hosts/enum/http/api/builtwith
§ recon/hosts/enum/http/api/punkspider
§ recon/hosts/gather/http/web/census_2012
§ recon/hosts/gather/http/api/sonar_cio

Slide 23

Contact Harvesting
§ Information Gathering
§ Data Manipulation
§ Storyline Development

Slide 24

Information Gathering
§ LinkedIn
  – Social Networking for professionals
  – Accurate and precise
§ Jigsaw
  – Cloud based CRM
  – Owned by Salesforce
  – Crowd sourced
  – Scraping is free, API is better
§ PGP Key Servers
  – RedIRIS
  – MIT

Slide 25

Demo
§ recon/contacts/gather/http/api/jigsaw/search_contacts
§ recon/contacts/gather/http/api/linkedin_auth

Slide 26

Data Manipulation
§ What we have
  – First Name
  – Last Name
  – Job Title
  – Location
§ What we want
  – Email Address
  – Username

Slide 27

Building Contacts
§ Get email domain
  – MX record lookup
  – Whois Contacts
§ Naming Convention
  – Websites
  – Whois Contacts / PGP Key Search
  – Search Engine "@domain.com" (Baidu)
  – Trial and Error
  – Jigsaw API
§ Email = Mangled Info + Domain

Slide 28

Demo
§ recon/contacts/gather/http/api/whois_pocs
§ recon/contacts/gather/http/web/pgp_search
§ recon/contacts/support/mangle
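The two preceding slides describe the step the mangle module automates: pick a naming convention, then Email = Mangled Info + Domain. The block below is an added example, not Recon-ng's own mangle module or its code, showing both halves of that step: applying a convention to a contact list, and recovering the convention from one address that is already public (a PGP key or whois contact, as the slide suggests). The pattern table, the contacts and the domain example.invalid are constructed for the example. From the owner's side, running this over your own public directory shows how much of the address book a single leaked address reconstructs, which is the argument for not using one flat convention for privileged mailboxes.

```python
"""Added example (not Recon-ng's mangle module): build candidate addresses
under a naming convention and infer the convention from one known address."""
import re
import unicodedata

# Common conventions; "f"/"l" are the first and last initials.
PATTERNS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "lastf": "{last}{f}",
    "last.first": "{last}.{first}",
    "first": "{first}",
}


def normalize(name: str) -> str:
    """Fold accents and drop anything that is not a-z: 'Núñez-Smith' -> 'nunezsmith'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def mangle(first: str, last: str, domain: str, pattern: str) -> str:
    """Mangled Info + Domain for one contact under one convention."""
    first, last = normalize(first), normalize(last)
    if not first or not last:
        raise ValueError("need both a first and a last name")
    local = PATTERNS[pattern].format(first=first, last=last, f=first[0], l=last[0])
    return f"{local}@{domain.lower()}"


def infer_pattern(known_email: str, first: str, last: str):
    """Given an address already public for a known person, return the
    convention that reproduces it, or None if no listed convention matches."""
    local, _at, domain = known_email.lower().partition("@")
    for name in PATTERNS:
        if mangle(first, last, domain, name).split("@")[0] == local:
            return name
    return None


def build_contacts(contacts, domain, pattern):
    """Apply one convention to a whole contact list; returns (name, email) pairs."""
    return [(f"{fn} {ln}", mangle(fn, ln, domain, pattern)) for fn, ln in contacts]


if __name__ == "__main__":
    # Constructed contacts and a reserved placeholder domain, not a real target.
    contacts = [("Jane", "Doe"), ("José", "Núñez-Smith")]
    convention = infer_pattern("jdoe@example.invalid", "Jane", "Doe")
    for name, email in build_contacts(contacts, "example.invalid", convention):
        print(name, "->", email)
```

infer_pattern returns the first convention that matches, so for names where several patterns collapse to the same local part (a one-letter first name, say) it should be checked against a second known address before it is trusted.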

Slide 29

Storyline Development
§ Google, Baidu
§ Social Networks
§ Code Repositories
§ The usual...
§ Namechk.com?

Slide 30

Demo
§ recon/contacts/enum/http/web/namechk

Slide 31

Credential Harvesting
§ Harvested credential dumps
  – ShouldIChangeMyPassword.com
  – Pwnedlist.com
    • API
    • Expensive, but worth it
§ The problem? Hashes!
  – md5.noisette.ch
  – crackstation.net
  – leakdb.abusix.com (formerly goog.li)

Slide 32

Demo
§ recon/creds/gather/http/api/pwnedlist/domain_ispwned
§ recon/contacts/enum/http/web/pwnedlist
§ recon/creds/gather/http/api/pwnedlist/domain_creds
§ recon/creds/enum/http/api/leakdb

Slide 33

All of this with... no exploits

Slide 34

Physical Reconnaissance
§ PushPin
§ Geotagged media aggregator
  – Twitter
  – Picasa
  – *YouTube
  – Flickr
  – Shodan
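PushPin, as described above, pulls geotagged posts from several sources and plots the ones near a location. The block below is an added example, not PushPin or Recon-ng code, of the core of that aggregation: a great-circle distance check that keeps the posts within a radius of a point, nearest first, plus the per-source summary the Media tab presents. A facility owner can run the same filter over their own collected feed to audit what employees and visitors are posting from inside the perimeter. The post list, coordinates and source names are constructed for the example.

```python
"""Added example (not PushPin itself): filter geotagged posts to those within a
radius of a point of interest and summarise them per source."""
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0

# Constructed feed items; the shape mirrors what a per-source collector returns.
POSTS = [
    {"source": "twitter", "user": "a", "lat": 40.0000, "lon": -75.0000, "text": "lobby"},
    {"source": "flickr",  "user": "b", "lat": 40.0010, "lon": -75.0000, "text": "gate"},
    {"source": "youtube", "user": "c", "lat": 41.0000, "lon": -75.0000, "text": "far away"},
    {"source": "picasa",  "user": "d", "lat": 40.0000, "lon": -75.0030, "text": "parking"},
]


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def within_radius(posts, lat, lon, radius_m):
    """Return posts within radius_m of (lat, lon), nearest first, with the
    distance attached. Posts without usable coordinates (missing, None, or
    non-numeric) are skipped rather than crashing the run."""
    hits = []
    for post in posts:
        try:
            d = haversine_m(lat, lon, float(post["lat"]), float(post["lon"]))
        except (KeyError, TypeError, ValueError):
            continue
        if d <= radius_m:
            hits.append(dict(post, distance_m=round(d, 1)))
    return sorted(hits, key=lambda p: p["distance_m"])


def by_source(hits):
    """Count hits per source, the summary a Media tab would present."""
    counts = {}
    for h in hits:
        counts[h["source"]] = counts.get(h["source"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed point of interest; not a real site.
    nearby = within_radius(POSTS, 40.0, -75.0, radius_m=500)
    for hit in nearby:
        print(f'{hit["distance_m"]:7.1f} m  {hit["source"]:8} {hit["user"]}  {hit["text"]}')
    print(by_source(nearby))
```

The haversine formula is accurate to well under a metre at the radii involved here; the radius is the knob to tune, since a few hundred metres around a building catches the parking lot and entrances the later slides are interested in without pulling in the rest of the town.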

Slide 35

Media tab

Slide 36

Mapping tab

Slide 37

Realistically?
TARGET: Apple HQ, Cupertino, CA

Slide 38

Entry Control Points

Slide 39

No content

Slide 40

No content

Slide 41

No content

Slide 42

Security Forces

Slide 43

No content

Slide 44

No content

Slide 45

Badging

Slide 46

No content

Slide 47

...without setting foot on the ground.

Slide 48

Beyond Recon
§ Discovery
  – Exploitable pages
  – DNS cache snooping
    • AV detection (Scrape-DNS)
    • Rob Dixon (@304geek)
  – Backup files
  – Interesting files
§ Exploitation
  – XPath brute forcer
  – Command injector

Slide 49

Reporting
§ Analysis
  – CSV: reporting/csv_file
  – PushPin: reporting/pushpin
§ Compatibility
  – List: reporting/list
§ Deliverable
  – HTML: reporting/html_report

Slide 50

http://recon-ng.com
http://lanmaster53.com
Want more free tools and webcasts? Send me your contact information!
@LaNMaSteR53
[email protected]
Thank You!