
Look Ma, No Exploits! — The Recon-ng Framework

BSides Augusta · 2013 · 46:48 · 361 views · Published 2013-09
Category: Technical
Team: Red
About this talk
Tim Tomes introduces recon-ng, a modular open-source framework for reconnaissance in penetration testing. The talk covers passive information gathering techniques—harvesting contact data, validating target scope, enumerating services, and discovering credentials—all without direct contact with targets. Live demonstrations show how to leverage public APIs and databases like Jigsaw and LinkedIn to build comprehensive intelligence profiles for security assessments.
Video from BSidesAugusta 2013
Transcript [en]

We'll talk about this here in a little while. I'm a Christian, father, husband and veteran, in that order, which is why I'm no longer active duty. All right, for those of you that are active duty, you know that it definitely takes a toll on family. I'm a senior security consultant and developer, part-time developer, for Black Hills Information Security, specializing in web application security. I also do some SANS instruction with Security 532, which is SANS' web application penetration testing course, for those of you that are familiar with the SANS Institute. I do some security blogging on my blog, lanmaster53.com. I also kind of do some moonlighting over there at PaulDotCom once in a while; you've probably seen some of my stuff over there, and I consider myself...

Before we even get started on anything else I want to give some shout-outs to folks. I don't know that any of these folks are here; raise your hand if you are, I'd like to know. Yeah, I've seen these folks. Basically what we're talking about today is a framework, a framework that's modular, and in that case the framework is only as good as the modules that you have for it. Even though I'm the sole developer of the framework itself, all of these folks are responsible for about 80 of the modules that actually make the tool useful. All right, the only guy that's actually contributing code to the framework itself is [inaudible]; he's a co-worker of mine. But the rest of these folks, in order, have contributed anywhere from about 15. These guys, the tool would not be functional, would not be useful, without those folks, so I definitely want to give them another shout-out.

So, reconnaissance. Reconnaissance is an important part of our methodology, whether we're doing network penetration testing or whether we're doing web applications. It can also be important if we're just in the social engineering world, things like that, but in either case it's the first step within those methodologies, so we should be executing reconnaissance during either type of those tests. So how is reconnaissance defined? Merriam-Webster defines it as a preliminary survey to gain information.

Okay, that's a pretty general definition. I think from a penetration testing perspective we can expand that to say that we're using open resources, open sources of information, and without making direct contact with our target. That's very, very key; this lack of direct contact is something we're going to touch on. Traditionally the way that we've done our reconnaissance in penetration tests has followed kind of this pattern here; these are the type of actions that we've taken, right? Selection and verification of our targets, and verification is the most important thing. That could be both systems and people. So how many people here do penetration testing? You scope your own engagements? Well, those of you that do penetration testing or know anything about it: when you are scoping an engagement, somebody gives you a list of IP addresses, and that's your target. Do you validate that they're legitimately their IP addresses? We've been on tests for folks who said, hey, we need your IP ranges before we get started, scoping the engagement, and they come back to us and give us a list of IP addresses. We do some research, only to find out they don't even own some of those IPs. Real live story: we were working out on a Vegas trip doing some work, we gained access to an administrative console on an appliance, and the host name has nothing to do with the company; in fact it has to do with a competitor. We go back to our client and say, hey, we've got access to a box and the front of it has the host name of those other guys, and I thought you said this was your space. And they come back and say, our IPs are in that space, we don't necessarily own the whole space. So it's incredibly important:

Are they giving us everything that they own? We can do some reconnaissance to actually validate that they've given us their entire space, because the guy that you're talking to, your point of contact when you're scoping these engagements, he's just the middle man, right? He's going to the network engineers to ask these questions; he doesn't know whether the information he's giving you is gospel or not. So you have to go and validate this stuff. That's kind of one of the first things you do. We're also looking for lists of users, employees and organizational information. This can be used for social engineering, this can be used for password reset stuff. We want to analyze any trust relationships that we may be able to leverage further along in the process. We want to look for information about technology, and possibly the configurations of those technologies; you can find stuff like that on newsgroups, in resumes, things of that sort. Code snippets, that's another place we find stuff. How do you guys develop code? And I'm not talking about programmer level, just throwing together scripts and stuff like that; how often do you go to a website and cut and paste? I mean, there is just a ton of code out there. You cannot believe how many internal developers will go to some newsgroup somewhere and post a bunch of code that's going to be going into a production application, saying, look, I've got this security scanner that's throwing SQL injection stuff at me and I don't know how to fix it. And then you see that code belongs to the target that you're assessing, and you can take that and find live vulnerabilities in a running application. I wouldn't be saying it if it hadn't happened, all right? It happens. So things like that we can find, and obviously then also we can find weaknesses in the physical security.

So this is kind of what traditional reconnaissance has been made of, but there's a problem, right? It takes time. The single most precious resource that we have as penetration testers is time; the real threat has a lot more time than we've got. People are only willing to pay for somewhere between five to ten days, with reporting, so we don't have a lot of time. Therefore penetration testers start cutting stuff out, and in most cases the excuses I hear from internal folks are, I already know everything about my network. All right, we'll talk about that in a second. External penetration testers like myself: we just don't have enough time to do this, we need to jump right into discovery, start finding vulnerabilities, start mapping the network. My argument is this, as someone that has experience doing this stuff: if you're an internal team, you don't know everything. Just about every single test that I do from an external perspective, I present the customer with a machine they had no idea existed. Happens every single time, using these reconnaissance techniques we're going to talk about. From an external perspective, a lot of times you end up going back to this information anyway. You find a username enumeration vulnerability; what are you going to use if you don't have a list of usernames harvested from somewhere else just to attempt to validate it, right? So you're going to do this stuff anyway, and it's not just good to know, you have to know what the rest of the world knows, either about you or about your target. That's your duty.

So the solution is pretty easy. The problem is time, the solution is automation, and in some cases it's automating better, because there are some tools out there to help you with automated reconnaissance, but some of them are no longer functional and some of them just aren't as good as they could be, right? So we're going to automate, and in some places we'll automate even better. So Black Hills Information Security, we've taken this on in our efforts over the past year. We've talked at DerbyCon about this, we've talked at Hack3rCon, multiple ISSA gatherings, SANS conferences all over the country, about reconnaissance and the importance of this as a part of our methodology. We've released some scripts, a year ago, like next week, at DerbyCon, and a tool called PushPin. And I mentioned, I talked about building a framework, right? It wasn't real serious at the time, but I kind of talked about wanting to do something like that, but I really didn't think I had it in me. And then as things kind of continued on and I started to massage this idea of a framework, I started stumbling on some really, really cool stuff, and that's the fact that there are resources out there, there are third parties that are executing all these other phases of the methodology for us and making that information searchable and queryable for us through third-party resources. Neat things that I came across: as far as server-side enumeration goes, there are websites out there that are constantly checking out your servers, looking at the server-side technologies, trying to enumerate what's running in the background, looking at your client-side stuff, making determinations on the technologies you're using, and you can query those resources. There's the Internet Census 2012; how many of you guys are familiar with the Internet Census 2012? Some guy scanned the internet for a bunch of embedded devices with default credentials and turned them into a botnet to scan the entire IPv4 space.

All that data is queryable; you can download and use it yourself, or query a third-party API and actually import scans without ever touching the network. So you've got that kind of stuff. You can get your hands on vulnerability discovery: there are sites that do a quick scan to see if there's any glaringly obvious vulnerabilities; you've got XSSed, PunkSPIDER, two resources whose sole purpose is to report on legitimate live exploits or vulnerabilities in websites. Okay, now we're getting into the discovery phase. Credential harvesting: there are companies out there whose entire business is based on going out, pulling down information from third-party breach dumps, you know, like Stratfor and stuff like that, harvesting usernames, passwords, information about the breaches, and then selling that data to people, including the clear-text passwords. So we'll talk about how we can use that. And then there's contact scoping; we can take that a little bit further. Namechk is actually a website you can go to, and you're supposed to put your username in and it comes back and says, well, here's all the places your username is not taken. But we can use that the other way, right? If we're trying to find information about somebody and we know their username, we go there and we know the resources that we can go to to actually scope data on our particular target.

So, tons of really, really interesting resources, and it got me thinking: the process has changed, right? We still have all this traditional stuff that we need to do, but now we can enumerate services and technology, start discovering vulnerabilities, harvest credentials; we're digging deep into the methodology without sending a single packet or an exploit to the target. So leveraging these resources has some caveats. Number one, we're using third-party websites, right? So at some level we're disclosing the fact that we actually have a contract with, some sort of connection with, our target through that third party, so we could be in violation of non-disclosure agreements and contracts. At Black Hills Information Security we have that built into our contracting process, where we tell a client, hey, we want to do some really in-depth reconnaissance on you, are you okay with this, using these third-party resources? They sign off on it, that they're okay with it, and we go ahead and do what we need to do. Don't move without it, because you can be in violation. There's also active versus passive discovery. Passive discovery is a lot of times also referred to as reconnaissance, right? We're not actually reaching out to the network. Active reconnaissance is more discovery; we're actually touching DNS, things of that sort, stuff where our packets actually reach the target network. We want to focus on passive reconnaissance when we talk about reconnaissance. And the last thing: not all data is free. Some of these resources that we use cost money, right? They've got APIs, and the APIs have ranged anywhere from zero dollars to twenty-five thousand dollars, and these APIs can get very expensive, but the data is obviously ranging in usefulness as well. So the data is not free; sometimes it costs a little bit of money, but in some cases you'll see the money is worth it.

So we've got all these resources that we want to leverage, but doesn't it sound like it would take an incredible amount of time to actually go out to all of the websites and do the work that it would take to gather that information? But we've got a tool to help us out, and it's recon-ng, and it's the only one you're going to need, for a couple of reasons. Let's talk about exactly what it is and answer those questions. So it's interactive, which means it's not menu driven. When it pops up and you see some numbers next to some module types, that's not a menu; you don't say, hey, I'll hit 63 and it's going to show me all the recon modules. No, it's interactive, which means it's a lot like Metasploit: you type in help, there are different commands, you load modules, you set options, you run these modules. It's completely interactive. It's modular, which means that you've got a core framework with a bunch of functionality in it, and then you write modules, 10, 20, 30 lines of code, to take advantage of all that built-in functionality to actually reach out to the resources and parse the data you're looking for. It's data-driven: everything is stored in the database. Each module does one of two different things: it either stores data in the database, or it pulls data from the database, manipulates it and writes it back. So it's completely data-driven. It's scriptable: those of you that have used SET or Metasploit,

you're familiar with resource scripts: simply a text file that has a list of commands in it, and you can run this resource script within the framework. Also, as of Black Hat 2013 I released recon-cli, which is a command line interface for the framework, so that you no longer have to use resource scripts; you can use bash, you can use cmd.exe, whatever you want, batch files, to create scripts that leverage recon-ng's modules. It's got the look and feel of the Metasploit framework. I've got some flak on this; you're like, well, why did you create something to look just like Metasploit? Because I wanted a short learning curve. I wanted those that have used Metasploit before to be able to pick this thing up and use it immediately. Most of the commands are the same; the way it works is very, very familiar. If you've used Metasploit before you can open the recon-ng framework and know how to maneuver around it. It's documented out there on the wiki at the project website: complete documentation on how to use the framework, how to interact with the UI and how to develop modules for it, with examples. It's developer friendly because of the wiki, and it's written in Python. That's probably the single greatest thing about it, am I right? Yes. And the other, probably the second greatest thing about it: no third-party libraries are required. How many people are sick and tired of installing third-party software to use a tool? You don't have to. Folks will want to contribute a module using some third-party library, and I'll tell them to go figure out what they do without it. It makes them a better developer, it makes the framework more lightweight, and in most cases all those third-party libraries are written in native Python, so you can figure out a way to do it yourself, and usually they're able to find a way to do it. And there's the website where you can get it.

So one of my key design goals for this was not to overlap with other frameworks. This is not a replacement; this doesn't do what SET does, it doesn't do what Metasploit does. It's not designed to overlap with those, it's designed to fit into the methodology with those. So you can easily take the output from recon-ng, use it with the Social-Engineer Toolkit, use it as input to the different Metasploit modules. It fits into the methodology, it doesn't overlap, and it doesn't replace any of your existing frameworks. It has its niche in the market, so to speak.

Okay, so I'm not going to actually get in the UI and show you all the different things it does, because there are some videos out there that do that, but I want to cover some UI highlights real quick. First, there's command completion everywhere: if the framework can anticipate a value you want to give it, hit tab and it'll complete it for you. Smart loading: module names can be like 60 characters long, and it's typically a path, right, to the module. If the module path has a unique name in it, like pwnedlist or something like that, you type in load pwned and it's going to load that module, so there's no need to type in these long module names, or you can use tab completion to get through them. That's something I certainly would suggest you play with, because it makes things so much easier. Module switching: you can load modules from other modules; it's a new feature that wasn't there before. Direct data access: you can query the underlying database directly from the framework; you don't have to go through modules to do that. It's built under the concept of workspaces, so you can work with multiple clients, multiple targets, at the same time without your data intermixing or overlapping; you have separate sets of settings for each one as well. It has also got various verbosity and debugging options, so if you have an issue with a particular module and you need to send me a bug report, you can just turn debugging on, run it, copy, paste, and we'll be on our way.

So probably the most common question I get about this, other than, you know, how do I use the framework (I'll show you: RTFM, on the wiki), one of the most common questions I get is how do you use the framework, how does it fit in your methodology, how do you step through the process of using it, what are your favorite modules? So that's what I'm basically going to do from this point forward: I'm going to walk you through how I would use it on a penetration test. I won't run every module, but I'll at least show you every module that I use, so if you want the Tim Tomes certified route to using recon-ng, you're going to see it. Okay, the first thing I do is contact harvesting. I think of these three actions: information gathering, data manipulation and contacts. So for information gathering we've got a couple different options that I think are the best for doing this. Number one is LinkedIn, social networking for professionals, right? How many people have a LinkedIn account? Did any of you guys use a nickname on your LinkedIn account? Nobody uses a nickname; we use our real names. That's why we like LinkedIn; unlike stuff like Facebook, Twitter and things like that, people put real information on there. You know, sometimes they may say they work for somebody that they don't, things of that sort, but for the most part the data we put on LinkedIn is real, because we want to connect with other professionals, and those professionals are going to validate that information about us. So we like LinkedIn as a resource for gathering information about contacts.

The single greatest resource for doing this is Jigsaw. How many people are familiar with Jigsaw? So Jigsaw is formerly a customer relationship management software company; it was bought out by Salesforce in 2010 for, I think, 150 million dollars, but basically it's a repository of contacts. Okay, now Jigsaw has kind of an interesting business concept: it is crowdsourced, meaning that people that want contacts, if I collect business cards, I can go to Jigsaw and say, hey Jigsaw, here's a bunch of information about people, and Jigsaw, for every single card, every single piece of contact information they can validate, will give you access to then go download a contact they currently have in their database. All right, what do they consider a contact? You've got to have phone number, email address, full name, and they will call that person, email that person, and validate the information. I rarely answer, but I've gotten the call from Jigsaw where they were trying to validate my information. If you say no, they don't actually put it in the database and then that person doesn't get credit for it. But it's crowdsourced also in the sense that they've got this kind of achievement thing going on, where they have this month's top contributors of contacts, and the top three contributors, right, they're distributing contacts mostly: if you contribute the most in a month, you get like a check for 300 bucks, right, and you get some sort of fake medal achievement or something like that. So they've got kind of a brilliant concept in how they do this. But the information, the way they entice salesmen to come buy this stuff,

you can also just purchase access to this stuff without contributing to it. The way they entice you is, you can go there and you can search, and you can get back first names, last names, job titles and the location of where they're at for every single person in this database. Doesn't that sound like some information we would want? Think about it: first name, last name and job title. I can essentially create email addresses and know where you work and what you do for any person I can harvest for your organization. So the information we want is free, okay, and we can scrape that from the web, or we can use their API. The API costs 150 bucks a year, but it's a heck of a lot faster, there's no rate limiting. And we've got this constant cat and mouse game going on with Jigsaw right now, where every time I break their mechanism for stopping me from scraping their website, they do something else, and then I break it again, and they do something else, and then I break it again. The funny thing is, I know the developers there and we've talked about doing work together to keep this thing working, but right now it works, until they break it again. But the API is better because it's faster, there's no rate limit, and as you're going to see you can pull down a thousand contacts in just a few seconds.

The other place we can get information about folks is PGP key servers. How many of you have your PGP keys hosted on a key server? Most people do not. Companies like my company mandate that we put them on a key server so our customers can go get them. Well, all you have to do is go to the MIT PGP key search engine, search for the domain, and you'll see all the email addresses as well of the people that use PGP. Awesome stuff. So we've got a lot of places that we can go gather information about people. The two modules I use are jigsaw and linkedin, and let's go ahead and demo the jigsaw module. So who thinks the FBI is a good target?

Okay, we're gonna target the FBI. Anybody here? You're not gonna raise your hand anyway. They're just a fun target to pick on, considering they just released all that information about what they're doing. So here's recon-ng; can you guys see that okay? Yeah, that's what it was; that was actually a [inaudible] problem. All right, so I'll give it to you, but whatever, privacy violation. So this is what recon-ng looks like when you log in. So do not type 63 thinking you're going to see something, because then you're going to do something like this: you're going to get some random message that launches. All right, so there's all kinds of silly messages in there; that's kind of an Easter egg I put in there because I had some guys that are fairly prominent in the community and they're like, you know, I type 63 and all I'm getting is, there's no command; what's up with your framework, question mark. Maybe, you know, does that look like it's in chronological order? Don't you think recon modules would be like one? But anyway, so this is to poke fun at some buddies. But yeah, so it's interactive; if I type help you see everything. I'm not gonna go through all these, but I'm gonna go straight to the jigsaw module. Actually we can't do that yet. Show options: in our global options we need to set our company and domain. We said FBI, right? So let's set the company, Federal Bureau of Investigation. I want to go with... yes, you can't see that.

There we go. Okay, so Federal Bureau of Investigation. Set domain fbi.gov, I'm pretty sure. And load jigsaw. Smart loading says, oh wait a second, we've got more than one module with jigsaw in it. So this is the smart loading I was telling you about, but if I type in load search_contacts then it will find a unique string and load that module. Pretty cool, right? Most of your global options are going to be imported into the modules that use them, so you don't have to do a whole lot of module-level configuration in most cases. But once we have it, we just set it, we hit run, and Jigsaw is going to go out. It's going to say, hey, I found information about these companies, right? It's got a couple different companies that reported Federal Bureau of Investigation; the one we want is probably this one, so let's go ahead and pull down this information. Hit enter, because the top one's always the default, and you might see some stuff in here that, you know, just a quick disclaimer here: if you see something that offends you, I'm sorry, I can't help what people use for passwords. When we do the password dump here in a little while you're gonna see some stuff in there, because I saw some stuff in there, but I don't condone the use of passwords with those words in them, okay? So show contacts; here we get a nice view of the database. It looks bad right now because all the columns are being smushed with all the data in there, but if you zoom out then you'll see it all, all nice and pretty. Show dashboard: this is kind of a neat command, actually, kind of a summary of what you've got going on right now. We've seen that we've got 1029 contacts in there, but we've only got first name, last name, job title and location, okay? So we're still missing the information for usernames and email addresses. We'll get to that now.

christian what do we have we've got these top four items here but what we really want is in usernames so we've got to build our contacts and the first thing we have to do is get the email domain now we already know the domain we probably already know what email domain is right but we need to validate that information uh we can do that using mx records we can do that looking at who's in who is contacts but probably the most important thing is trying to find out what the naming convention or the email addresses are first name got last name first initial dot last name first last name got to figure out what that naming convention

is and there's a couple ways we can do that we can go to their websites try to find the publicly exposed email address and hit the naming convention from there we can use we can look at who is contacts because those are normally associated with uh with the target organization someone within the organization we can also go back to that pgp key search again we can use the search engine now most searches don't let you search for the app sign google will cut that out because spammers were exploiting that however baidu which is the chinese search engine the chinese google actually lets you search by a character still so you can go to baidu search for

that right there and in many cases you'll get legitimate email address hits so that's a place you can go his trial and error and just guess or we could use the jigsaw api so another another benefit of having that jigsaw api key is you get access to 350 full contacts which includes your email addresses and everything you go you use one of those photo to pull down an actual contact from jigsaw and you have their email address but you do hold the name connection and then once we have that information we can create email addresses by mangling the first and last name that we already have attending into the domain and creating email addresses and we'll

have a pretty good product so let's look at some of those modules the first one here we're going to look at is the who is pocs once again not much to fill out here so it goes through and starts pulling out the plc's all right we can go back and look at these and you can kind of see that the first name got last name here first name dot last name again that looks like the first initial last name so it looks like they made there's some different naming schemes in there but we're starting to get an idea what that looks like and in the process we've harvested 20 new contacts it was able to determine that

20 of these 21 contacts that were shown actually belong to that domain and are not already in the database so that's kind of nice so we've got some information to work with the next one we want to leverage is the pt most research stuff so let's go over here and look for the look at that i don't guess it's over there smart load works for me run this one it's not going to do the same thing it's going to go out it's going to use pgp search search uh searching engines right and so you see some things here right this looks like first name last name last name first initial last name all right we're

gonna hold over the map here tell me the truth i don't know what the heck out of the baby convention here i would probably end up going out and purchasing one of the legitimate contacts what's really going on here field offices may have maybe controlling their own email servers possibly use different naming conventions so you've got some you got some with fbi.gov you're going to have some issues there but with a normal corporation you're pretty much going to have a solid convention but these are some ways that we can go get some of that information and then you see that we got let's see we already select first

and if you ever if you don't know what the schema looks like just type just game that you can look at it just definitely

yeah that's king of things all right and then we can see here we've got some first names and last name you want to turn these things into email addresses so if you go to here and we load this command called main or launcher called main goal let's do an info on this and i'll show you what info looks like they give you a lot more information about the module you get you get kind of some just some metadata about it you see the options you see a description but what i want you to take a look at is just pattern options on the bottom so one of the options for this is you have to set the pattern what is the

pattern: first name last name, first name dot last name, whatever it is. You set the pattern, you run it, it pulls all the contacts out of the database that don't already have an email address set, creates the email address, and stores it back in the database, of course. So let's go ahead and run this. First initial last name, we'll go with that; we'll just say that that's it. Run. Bam, we got that information all stored in the database. So now we've pretty much got our contacts table filled out, right? We've got first name, last name, email addresses, job titles, and where they're located. It's a pretty good starting point for harvesting contacts, right? We need usernames, we've got a place to go to get

usernames for social engineering, we've got email addresses to send to, and now we can also validate our targets by looking at where they're located. If we're going against the main office in the Washington DC area, well, let's look at the geographic location; if it's in the DC area, then we know we're going after somebody that's probably a legitimate target. Obviously we want to confirm a lot of this stuff with our customer, but we're building the information set at this point. So what do I do next?

Quick question from a blue team perspective: do you think it would be worth just chucking out a few thousand bogus PGP keys just to confuse guys like you?

Yeah,

um, all I'm going to get is a message back from your SMTP server telling me that the account doesn't exist, and I'm still going to push everybody that I do find, right? So I mean, yeah, you could, right? I mean, it takes, like, FBI... I usually don't go against NSA, but I'd like you not to do that today.

account. So you've got to kind of sift through the garbage sometimes. Um, it just makes for a fun presentation. But yeah, you could do that, but is it the time, or is it, you know, it's called defensive analysis, I guess, you've got to conduct on...

No, I'm thinking like a honeypot: start looking for people who are actually, you know, trying to hook to those addresses that exist nowhere but in these PGP keys that you throw out there. Like, you know that's an attacker with that one.

Yeah, it could be, absolutely could be. If they guess a username that you put out somewhere else on your web application, and you know that, that's an attacker.

Yeah, that's it. There are definitely some blue team uses for the framework.

Next thing I want to do is contact scoping. Here, this is the part where we're actually trying to get information about the people that we've harvested. We've got the usual suspects here: social networks, search engines, code repositories, and we have the actual namechk module that we spoke about briefly earlier. So once we're done harvesting contacts, I'm going to move on to harvesting hosts. We're going to do this for a couple reasons: we want to validate our scope, we want to do some server-side enumeration, if we've got anti-port-scanning measures that we're dealing with, well, we want to try to get some sort of port scan data, and we also want to try to do some

vulnerability discovery, all without sending any packets or exploits to the target. So for scope validation we've got some options. We can use whois; that's kind of one of the go-to tools for that. Google AdSense and Google Analytics lookups: if there's an Analytics or AdSense ID within the page, pull it, go to a place like whois and look and see if there's any other pages that are actually using that ID, because they're probably done by the same developer, which means you could have some sites there that should be in scope. Search engine site directive: how many people are familiar with the site directive? You go to a search engine like Google

and you say site:sans.org, you're going to get all the sites on sans.org, and on the front page you notice there's a www dot, maybe a forensics or isc.sans.org. Go back up to the search engine, type in -site:www.sans.org -site:isc.sans.org, and the next list of results is going to be domains that aren't those. You keep doing that until you have no responses, and what do you have? We've got a search-engine-based zone file transfer, almost, right, for everything that's internet-aware. Pretty neat concept. So we can do that. Uh, we can do some DNS brute forcing; this is more along the lines of, remember now we're going through the authoritative DNS

server, so it's more active. IP neighbor lookups: once we have an IP address for our server, we can see what other domains are hosted on that same server, and then we can geolocate by IP address. Let's look at some of these.

sight

because it takes a few minutes to do, so we'll just pull down a couple like that. Really, this thing's going to keep going and find probably 70, 80 hosts that have subdomains on fbi.gov. All right, so now I'm going to load ip neighbor. So this ip neighbor one does it by domain instead of IP address.

Let's do this one here. It's going to come back and say we're finding all kinds of stuff co-located with those hosts. So, harvesting using all those modules you saw that were white on the demo slides instead of yellow, we're going to find a ton of hosts for fbi.gov. Final thing we want to do, I mean, it's not the final thing, but once we're starting to collect these hosts, well, we want to start to fill out this table. We want IP addresses, we want geolocation information. So let's load

we're going to do this against Google's... it, this can give us the IP address for all those. And from here on out we can do bing ip to do the IP reversing and find out what's on the same IPs. We can load the ipinfodb module, run it, and it's going to go and pull down geolocation for every IP that's found, and we'll see very, very quickly.

All right, so show hosts. You see that we've got a lot of information about these hosts now, so we've definitely got enough information to do some scope validation here. We've also got some possible targets that are hosted by our actual client. Okay, so let's move on with what we're doing with these hosts. So now we've harvested them as part of our traditional reconnaissance; let's move on to some of the advanced stuff. We've got server-side enumeration. To do server-side enumeration, typically we've got to do some sort of response header analysis, looking at server headers and cookie names. You can look at different error responses by

making requests that we know don't work and analyzing those responses. We can analyze all of that data through browsers and interception proxies, right? We can do an Nmap scan. But all this stuff is making direct contact; all this stuff is reaching out and touching the servers. We don't want to do that, so we're going to use these other resources: BuiltWith, WhatWeb, and the 2012 Internet Census. But once we do that, we want to move on to vulnerability discovery. And typically, once we know something about the network, even if we're doing a network pentest, and we're not beyond reconnaissance at this point, once we know what services are running,

we know the versions and things like that, we do research, right? We do research, we look at the CVEs, we try to find out are there any vulnerabilities associated with this version. This enumeration plus research kind of gives us a hint as to what vulnerabilities are out there. Now obviously, if we're doing this during the reconnaissance process, if we're doing research based on what we've enumerated using these third-party resources, we can't do any validation; validation is reaching out and touching the host, and we're not doing that yet. And, uh, rather than doing manual research, we could do things like using xssed or PunkSPIDER, who's

really, PunkSPIDER is this new company. Basically they've got a scanning engine that's scanning the entire .com space for web vulnerabilities: SQL injection, blind SQL injection. Whether it's legal, uh, I don't know, but that information is out there, a few queries away. It's pretty cool. I'm running low on time, so I'm not going to demo either of those, but please go out and take a look at those modules; pretty awesome. Because this one is kind of like the mac daddy of them all: credential harvesting. Once we've harvested hosts, we've already got contacts, the next thing we want to do is try to go find out if we can find any passwords for the users that we've enumerated. All

right, there's a couple places we can do that. shouldichangemypassword.com: it's very similar to PwnedList in that they mine that data, they're mining those publicly breached credentials and making them searchable. Should I Change My Password does not provide password information; they just validate your username. PwnedList.com will provide the password if you're willing to pay for a 25,000 API key. All right, if you happen to have access, once... I'm gonna just show you what this looks like in real time, right? So what's the problem with some of this? Some of those breaches, security folks are doing it right, and their passwords are stored in hash

format. So we've got hashes that we have to deal with. Sometimes they're salted; there's not a whole lot we can do about that. Sometimes they're not, and we can use these three resources right here to actually look up hashes and crack them, okay, and try to reverse those. So we know hashes aren't reversible, but we can look them up to see if they've been solved at one time before. So let's take a look at that really quickly. Load pwnedlist. Now normally I would go and I would use the web slash pwnedlist module first, that uses the web front end, and it violates the terms of service by scraping the data: submits the username, scrapes the response. I

prefer to use the API. But before I really do anything, I would like to know if this domain's ever been breached before, before I waste a bunch of time doing some enumeration. So I load the domain_ispwned module and I run that against fbi.gov, and it says yes, there's been 179 pwned accounts, and the latest one was like a couple days ago, which is meaningful to us, right? Because those could be legit creds still today, even with a 30-day password policy. We're very interested in this. Sometimes it's like it was two years ago; I'm not worried about those. And the reason why this date matters is because the next module we're going to

use is domain_creds, and when I go to dump all the credentials it says, hey, this is going to cost you 10,000 queries. And when you're paying five thousand dollars for an API key, you only get four million queries a year; ten thousand queries is a lot. So you've got to determine whether this information is that meaningful to you, because it's like sixty-five dollars every time you run it, right? Sixty-five bucks on top of your... But we're gonna run it and we're gonna harvest 179 credentials. Okay, so we go here, we show creds, we've got some stuff in here. Let's query username, password...

Should have select in there somewhere. Okay, lots of stuff. All right, so we've got some hashes in there too, though, as you can see. Well, you can't see them in here, but if I do show creds, there's

and sometimes it doesn't do well, right? Like these right here, it's not cracking a whole lot of this, but then it's going to hit some fun ones here in a moment.

Out of 179 accounts, probably got somewhere in the neighborhood of 50 to 60 that actually have their cleartext password. We've walked into assessments twice in the past year since we've been doing this; we've walked into the penetration test and logged into the VPN the instant we got the green light to go, right? Credentials work. Doesn't always happen, but sometimes it does. So if you can get a discount on the key, if you can somehow work out another deal with them, it may be worth the money to have this, because you can walk into a pentest with credentials already, and there is no replacement for something like that. That

value is important. Well, I should say the value is probably what you're making on the pentest, right? So we're doing all of this with absolutely no exploits. We've not sent a single packet to the target network, and what we've done: we've harvested all kinds of contact information, we've harvested all kinds of hosts, and we possibly got credentials to the environment without ever sending a single packet to the client. We don't even have to have a signed contract at this point; we've not even touched the target. We're merely querying third-party resources, right? That's the power of reconnaissance. At this point, the additional things we can do is physical reconnaissance. Anybody here heard of Pushpin before?

Pushpin was a tool that was originally written a couple of years ago. I had a compromise... I did some additional work on it and released it at DerbyCon last year, and then I stopped messing with it because I started playing with this. It got broken, and I decided I'm going to integrate it into recon-ng. Okay, so as of Black Hat 2013, this year, I integrated Pushpin in with recon-ng. In case you don't know what Pushpin is, it's a geotagged media aggregator. So every time you tweet, every time you take a picture on your phone and you upload it to Flickr or Picasa, you take a video and you upload it to YouTube, if you have your phone settings

in the default settings for geolocation, it is most likely tagging that with your location and uploading it and making it searchable by me and anybody else that's using Pushpin. So what we do is we go out, we say here's the latitude, here's the longitude, here's the radius. It gives me all forms of media from these five different resources that are within that radius, then it plots them on a map and gives you a listing of all this. Okay, cool thing about the improvements that have come from implementing it with recon-ng is that I've fixed a whole bunch of bugs that accumulated over time during the project.

Um, now the data is stored in a database, so you can run it every five minutes for the next two days, and all the data for the two days that you've been running it will be there, and no overlap. So you can have a continuous resource of data rather than just getting one snapshot at one point in time, which is actually a really, really big improvement. It's also extensible; since it's now built into the modularity of recon-ng, you can easily create a new media module to get this information from, and there's actually almost kind of a standard or API for how to actually build the data that goes into it.

Beyond reconnaissance: if you notice, there are discovery modules and exploitation modules built into the framework. From the discovery perspective, you can query for exploitable pages; these are known vulnerabilities in web applications. Web apps, DNS cache poisoning for AV detection: this is something that Rob Dixon through 4g is working on. You do a recursive query on their actual outward-facing DNS server for the known domains that it uses to update, and whichever ones make a hit, then you know that that's what they're using for AV. You search for backup files, interesting files, things like robots.txt checks, stuff like that. Just some pretty neat discovery modules. And then something I started working on

recently is exploitation. I did a video about two weeks ago where I built a blind XPath injection bruter that actually enumerates the entire server-side XML data source and presents it to you in real time. So I'm starting to get to the point now where I've got this framework, I'm doing a lot of web app stuff, I don't want to write a one-off tool when I have all the resources built into it. So it's growing; it's getting beyond reconnaissance. If you've got ideas for expanding this framework, please reach out. Let's continue to expand this tool, which I think would be useful for more than just reconnaissance, even though that was its initial inception.

That's recon-ng in about 45 minutes. I can talk about this for two or three days, all right? There's a lot to it; it's like 70-something modules, we covered like six of them. Um, here's the website: recon-ng for the tool, lanmaster53 for me. If you want more free tools, and if you want to get a notice when I'm doing a webcast or something like that, I do quite a few of them for SANS or Black Hills, please leave me your business card or come write your name on something. Also, if you're interested in learning how to hack web applications, I'm going to be teaching at SANS Security East

down in New Orleans, which is an awesome spot, right, to go to a class in January. So please, I'd love to have you join me. Other than that, yeah, what's that? Oh hey, trivia question: anybody want to try to guess where my handle came from? I saw your hand first. I was a Functional Area 53 officer in the Army? You're absolutely right, and it's followed me around ever since. Do you want... anybody here to see the 2500?
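The naming-pattern step the talk walks through (notice the convention in the harvested addresses, set a pattern, build an address for every contact that has none) as an added Python example; this is not recon-ng's mangle module or the speaker's code, and the pattern tokens, helper names and sample contacts are constructed for the example. It also goes one step beyond the talk by inferring the pattern from an address that was already harvested.

```python
# Added example, not recon-ng's mangle module: tokens, names and data are constructed.
import re
from typing import Dict, List, Optional

# Pattern tokens (assumed for this example): <fn> first name, <ln> last name,
# <fi> first initial, <li> last initial. Any other character is literal.
TOKENS = {
    "<fn>": lambda f, l: f,
    "<ln>": lambda f, l: l,
    "<fi>": lambda f, l: f[:1],
    "<li>": lambda f, l: l[:1],
}
_TOKEN_RE = re.compile("|".join(re.escape(t) for t in TOKENS))

COMMON_PATTERNS = ["<fn>.<ln>", "<fn><ln>", "<fi><ln>", "<fn>_<ln>",  # tried in
                   "<fi>.<ln>", "<ln><fi>", "<ln>.<fn>"]              # this order

def _clean(name: str) -> str:
    """Lowercase and drop anything that would not appear in a local part."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def mangle(first: str, last: str, pattern: str, domain: str) -> Optional[str]:
    """Build one address, e.g. ('Jane','Doe','<fi><ln>','x.org') -> 'jdoe@x.org'.
    Returns None when either name part is missing, so nothing bogus is stored."""
    f, l = _clean(first), _clean(last)
    if not f or not l:
        return None
    local = _TOKEN_RE.sub(lambda m: TOKENS[m.group(0)](f, l), pattern)
    return f"{local}@{domain}"

def infer_pattern(email: str, first: str, last: str) -> Optional[str]:
    """Guess which convention produced a harvested address for a known contact."""
    local = email.split("@", 1)[0].lower()
    for pattern in COMMON_PATTERNS:
        candidate = mangle(first, last, pattern, "x")
        if candidate and candidate.split("@", 1)[0] == local:
            return pattern
    return None

def fill_missing_emails(contacts: List[Dict[str, Optional[str]]],
                        pattern: str, domain: str) -> int:
    """Set 'email' on every contact that lacks one; returns how many were filled.
    Contacts that already carry a harvested address are left untouched."""
    filled = 0
    for contact in contacts:
        if contact.get("email"):
            continue
        addr = mangle(contact.get("first") or "", contact.get("last") or "",
                      pattern, domain)
        if addr:
            contact["email"] = addr
            filled += 1
    return filled

if __name__ == "__main__":  # constructed demo data, not real people or a real domain
    people = [{"first": "Jane", "last": "Doe", "email": "jane.doe@example.com"},
              {"first": "John", "last": "O'Neil", "email": None}]
    scheme = infer_pattern(people[0]["email"], "Jane", "Doe")
    print(scheme, fill_missing_emails(people, scheme, "example.com"), people)
```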