All language subtitles for 006 Using OSINT Tools (OBJ 2.1)

Instructor: In this lesson, I'm gonna show you how to use a couple of the open source intelligence tools specifically. We're gonna take a quick look at metagoofil, theHarvester and Recon-ng. Now first let's look at metagoofil. Let's say for example, I want to search Udemy's website for any Word, PowerPoint and PDF files, and I wanna limit that search to the first 50 documents found, download up to 25 of those files, put them into a working directory, and then I can save those 25 files in there and output the results to a file that tells me everything we found. I can do that pretty easily by using metagoofil. Now first though, we have to install metagoofil because it's not installed by default in our version of Kali Linux, which at the time of this recording is 2021.4a. To do that, you can try to just run metagoofil and it will ask if you wanna install it, or you can use sudo apt-get install metagoofil.
I'm gonna do it the easy way and just type in metagoofil first. Now, if it's installed, it would give me the usage and syntax of what I would have to do. If it's not, it's gonna gimme an error message, and in this case it's not installed, but Kali Linux is smart enough to say, "Would you like me to install it?" In this case, I'm gonna say yes and let them do all the hard work of installing it for me. You do need to put in your password for the sudo user, which is the root user, and in the case of the default virtual machine that comes from kali.org, it's just gonna be KALI or Kali. It's gonna go through, it's gonna install, it's gonna say, "Would you like to install it?" Say yes, and there we go. It's downloading it and off it goes, installing it, and in about another 10 seconds, boom, we're done. Okay, we're back to the command prompt. So at this point we can now use this tool. Now, just to bring myself back up to the top of the screen, I'm just gonna type in the word clear, and in a Linux terminal that just brings you right back to the top of your screen.
Now what I wanna do is go ahead and do that Udemy search that I was talking about. We're gonna go ahead and type in metagoofil, then -d for the domain; udemy.com is the domain we're gonna be searching. Then -t for the file type, and then the file types we wanna search for. I'm gonna do a doc, a docx, a PowerPoint or ppt, a pptx, which is the newer version of PowerPoint, and let's go ahead and throw pdf in there for good measure. Then we're gonna do -l for limiting the number we want, and I'm just gonna go ahead and make it up to 50 of each. And then I'm gonna do -n, which is the number I wanna download, and I'm gonna do up to 25. And then I wanna put -o for my output directory. And in this case, I'm just gonna go ahead and call it Udemy files, and it'll make a new directory in the directory I'm currently in called Udemy files. And then -f, and -f is gonna be to say I want to create a file that gives me the results in one combined HTML file. Now once I do this, I'm just gonna go ahead and hit enter and it's gonna go off and start that search.
You could see here that it is gonna go ahead and download those files. It's gonna save them into that new file folder that I just created, which is called Udemy files. It created the folder, and now we're out there searching for 50 doc files, and we're gonna wait 30 seconds and then it's gonna try the next search, and it's gonna continue to do this through each of those five file types. Now I'm gonna go ahead and fast forward through this search because it does take a little bit of time to do all the searching, and we're gonna come back once the search is complete. Okay, our search is complete, or in this case, our search actually failed. Now why did it fail? Well, Google actually will block you if you're making too many requests because it detects that you're a bot, and in this case it did just that. To be able to overcome this, you can actually install something like Tor onto your Linux machine and then you'll route all your traffic through Tor, so you're coming from different IP addresses between each and every one of your searches.
But for the purposes of this demonstration, this gives us the idea of what we were trying to do. Now, notice here at the top, we did search not just udemy.com, but all of its subdomains as well. So we found that they were actually trying to find some files on the about.udemy.com site, the investors.udemy.com site and other things like that. All right, now that we did that, I'm gonna go ahead and clear my screen to bring me to the top again. Okay, once we clear the screen, I'm just gonna do the ls command, which will list out the files, and you'll see there there is a text file with the HTML links based on what it found from all the metadata it was searching, and you'll also see there is one called Udemy files, which is a folder, and if I go into the Udemy files, you're gonna see that we do have a couple of files here that were downloaded as part of our reconnaissance using metagoofil, and we can go through those files to look at what we found. The next tool we're gonna use is known as theHarvester, and theHarvester is spelled as one word with a capital H.
Now theHarvester is a wonderful tool, and it's used to gather emails, subdomains, hosts, employee names, email addresses, PGP key entries, open ports and service banners off of the servers. Now again, theHarvester is another command line tool, and it's pretty easy to use once you learn the syntax. It's very similar to what we just used with metagoofil. Now when we wanna use this command, we can just type in theHarvester and then hit enter, and it's gonna tell us how to use it. Here you can see the usage on the screen. So to use the tool, we're just gonna go ahead and type in theHarvester -d, the domain name that we wanna search. In this case, I'm gonna use udemy.com, then -l to limit the number of searches we wanna return. I'm gonna use five as the number of things I wanna return, and then I want to go ahead and enter in -b and the search engine I want to use. For instance, I'm gonna use Google. I could just as easily use something like LinkedIn or Bing or something else if I wanted to as well.
Once you're done with that, go ahead and hit enter, and it's gonna run off and run that command. You'll see here we see the banner for theHarvester, we see the fact that it's going in, searching Google, we're getting zero results, no IPs, no emails, and one host that was found with two IP addresses. Now, why is that? Well, again, I just did the scan from this computer when I was using metagoofil, and so Google at this point is already blocking me because they think that I am a bot or I'm doing something bad, and so therefore they're blocking me. Again, if you go ahead and change your IP addresses, you go ahead and do something like Tor, it's gonna keep you from having this same problem. Let me go ahead and clear the screen. The next thing we're gonna go ahead and do is work with Recon-ng. Now, Recon-ng is a great tool, but it is a little bit more complicated than the two I just showed you. So to start up Recon-ng, you just type in recon-ng and hit enter.
When you do that, it's gonna load up, and now you're in a special command prompt within the Recon-ng environment. Notice here we're in Recon-ng and we are in the default workspace. Now, Recon-ng is a wonderful web reconnaissance framework, and it works a lot like Metasploit does for exploits, and the Social-Engineer Toolkit does for social engineering. It brings a lot of tools and a lot of capabilities into one place, but because of that, it is a little bit more complicated. Now also, the other thing to note is a lot of the things you're gonna find online for Recon-ng are gonna be wrong and they're not gonna work. The reason for that is there was a switch in a lot of the syntax going between version four and version five. You could see here I'm operating with version 5.1.2, which is the latest at the time of this recording. So all the things I'm gonna show you now are based on that version. These will not work in the older version four, and the old version four commands will not always work in the newer version five. So keep that in mind.
If you're looking at any tutorials online or YouTube videos, if they're older than about 2020, you may run into some issues there. Now to use this, we're gonna launch into Recon-ng just like we did here, and now I like to personally set up my own workspace instead of using the default workspace. This gives me almost a place to store and save all my different commands and tools and information that I find in one area. And so to do this, we are gonna use the workspaces command. Now, if you don't know any of the commands in Recon-ng yet, which you probably don't, you might wanna first type in help. When you type in help, it'll list out all the commands you can use, and you'll see there that we have one called workspaces at the bottom of the list, and this is used to manage workspaces. A workspace is just a defined area to keep your different information from different engagements in different buckets so they're not mixing between clients.
So what I'm gonna do is I'm just gonna type in the word workspaces, and then from workspaces, if I hit enter, it's gonna tell me I didn't give enough syntax because we didn't know what to do with it yet. Here we can do a create, list, load or remove. In our case, we can see if there's any workspaces already, and there shouldn't be because this is a brand new installation, but by doing that, we do workspaces list and hit enter. And you see we only have the default one. I'm gonna go ahead and create one called Dion, and to do that, we're just gonna type in workspaces create, and then I'm gonna use the folder name of Dion. Now, if I go ahead and do workspaces list, you're gonna see two: default and Dion. All right. Now that we've done that, we can go ahead and select that workspace to work in it. And in this case, because I just created that workspace, it automatically put me into the Dion workspace. But let's say I had another one because I was gonna do workspaces create Udemy. Now I'm gonna have three different workspaces. Oh, I actually typed that wrong, so make sure you type it correctly.
Everything in Linux is case sensitive and obviously spelling sensitive. I forgot the s on workspaces and that's why I got that error. So here we go. I listed it out and you see there are three workspaces now: Dion, Udemy, and default. When you create a new workspace, by default it moves you into that workspace. So you'll notice when I created Dion, right next to recon-ng there was this thing that said [Dion], and that told me that I was in the Dion space, and you could see that just below the first table where I entered workspaces create Dion, it moved me into that Dion workspace. Then when I created the Udemy workspace, it then changed me from Dion into Udemy. But let's say I wanted to go back into Dion, how would I do that? Well, to do that, we're just gonna type in workspaces load, and then the name of the workspace. In my case, it's Dion. Now you can see I am back into Recon-ng inside the workspace Dion.
All right, the next thing we have to do is we have to have some modules installed to be able to do some functionality inside of Recon-ng. Now, by default, there are no modules installed when you first get Recon-ng, and this is a brand new install, and if you just loaded up your virtual machine, you have a brand new install as well. And so these are things we have to work through. So what we're gonna do is we're actually gonna go into the modules section, which is another one of those keywords. Again, if you get lost at any time, just type in help, and you'll notice there we have a modules command, and it says that it interfaces with installed modules. So to check if there's any installed modules, I'm just gonna type in modules and then I would use the command search. Now, if you don't know any of the commands for modules, again, just type in modules and hit enter. There are your different options. You can load, reload, or search. Search is essentially like listing, but you can list all of them.
If you just type in search and hit enter, or you can actually search for a keyword because there are many modules and maybe you just want a specific module for a specific use case. If I go ahead and hit search and hit enter, you're gonna see that I have no modules found and it has a red error there. That's because I haven't installed anything yet. And so now we need to go and find some modules. How do you do that? Well, looking back up at the help area, you'll see a command called marketplace. This interfaces with the module marketplace, and this is where you can search for and download a single module or all the modules. Now, some modules you're gonna find are gonna require you to get an API key to be able to associate with the service. For example, there's a module to be able to search Twitter, and Twitter requires you to register with them as a developer to get an API key so you can then make that API connection from Recon-ng into Twitter and start searching their stuff. Now, to make things easy for our demonstration, we're not gonna go into that, and I'm gonna pick a module that does not require API keys.
If you're gonna use Recon-ng for real, go online, look at the Recon-ng manual. You'll be able to walk through how to do all of those things because there's a lot of capability in this tool. For the exam, you do not need to know how to use Recon-ng. I just wanted to show you so you can get comfortable with it, so you can use it in the real world a little bit and then take it from there. Now, what we wanna do first is we wanna find a module that we can use. The one I'm gonna use is known as recon/domains-contacts/whois_pocs. I know this one doesn't require an API, and the purpose of this is for us to be able to use this to look up the WHOIS data for different domain names. Now, to do this, we're just gonna use the command marketplace and then we're gonna use the term install. Now, just like before, if you don't know how to do something, you can simply type in marketplace and enter, and it will give you the syntax, and then you're gonna put the one that you're looking for. In my case, I know exactly which one I'm looking for.
It's recon/domains-contacts/whois_pocs. Hit enter and it's gonna go ahead and install that module. You'll see right here, it installed the module and then it reloaded it. If I wanna validate that actually happened, I can do that by using the modules search command like I did before to show there were no modules found. So let's go ahead and do that. And now instead of no modules being found, I see that I have one module found. It's under the recon category, and it is the one I just installed. Now, if you wanted to install all of the modules, and there are a lot of them out there, if you wanna see them all, just type in marketplace and then search, and then hit enter. And you'll see there are a bunch; there are so many that it is actually going off of my screen. And so if you wanted to actually scroll up here, you can go through and see that there are a ton of different modules, and all of these have different functionality.
If you wanna know what each one does, you can actually look them up inside of Recon-ng using the info command, and you'll be able to learn more about those particular tools. Or again, go online, go ahead and Google or Bing or DuckDuckGo or whatever your favorite search engine of choice is and look up those, and you'll figure out which ones they are, what they do, and which ones may be helpful in your reconnaissance. Now, if you wanna install all of these, you certainly can, and to do that, you just type in marketplace install all, and if I hit enter right now, it's gonna go and install every single one of those. Now, the reason I'm not gonna do that is because it's gonna clutter up our screen. It's gonna throw a bunch of errors because we haven't set up all the API keys for all 40 or 50 different recon modules, and so I'm gonna not do that right now. But if you wanna do that and you wanna set up your system fully, you can install all and then go find API keys for every single one of those modules. Now, the next thing we need to do is actually take that module and load it.
Now again, if I type in modules search, you're gonna see that I have installed that module, but it doesn't mean it's loaded and ready for me to go, because you can see where I am inside of the recon structure. I'm at Recon-ng, Dion; I'm not inside a module, I'm not inside any of the options, I'm just inside the workspace. So again, we're just gonna type in modules and hit enter. You're gonna see the syntax. We have load, reload and search. I'm gonna go ahead and type in modules load, and then I want to use whois_pocs, which is the short name for the module I loaded. There we go. Notice how my prompt changed. Now I'm inside this module. Now that we're in the module, we need to specify the options that we want to use with the module, and we're gonna do that by entering information into our database.
Now, inside of Recon-ng, there's actually a database installed with it, and you're able to put information into the database, both things you want to search for and information that's gonna come back when you do those searches. Now, to do this and work with the database, we need to use the db command. And again, if you get lost at any time, just type in help. You'll notice there, the third line down is db, which interfaces with the workspace's database. Each workspace has its own database, and that's another reason you wanna have a workspace dedicated to whatever engagement you're working on. So we're gonna go ahead and use db, and then again, we can hit enter and it'll tell us what things we can do with the database. We can delete a database, we can insert a line in a database, we can add notes to a database. We can query it using SQL commands, or we can look at the database schema. Now, if I wanted to see the schema of the database, I can just type in db schema and hit enter.
And when I do that, again, it scrolls off the screen a little bit, but as we scroll up, you can see the different tables that we're using. I'm going to go up here to the top. There we go. So the first one we have is domains, and this will hold domain, notes, and the module that found the information. Under companies, it has company, description, notes and module, and you're gonna see each of these are gonna interact with different parts of Recon-ng and different modules. Domains is the one we're actually gonna be working with here because I'm using the WHOIS point of contacts module. So let me go ahead and get back here to the bottom. I'm just gonna hit internal, drop me right down. Okay, and now what we wanna do is go back to our database command, and what we wanna do is insert information into that database, specifically the domain names that we wanna look at. Now what I'm gonna do is I'm just gonna type in db insert and then domains, which is the field that I want to insert information in. And at that point I hit enter and it's gonna say, what do you want to enter in here?
Well, the thing I wanna enter is the domain name, so if I wanted to search diontraining.com, I can enter that in. If there's any notes I wanna put in, I could put them in here too. I'm just gonna hit enter and make that blank, and it's gonna insert that into one row. Now, if I want to enter another domain to search, I can do that here as well. Let's go ahead and do insert domains, and in this case I'm gonna use udemy.com. Another one I want to enter, let's go ahead and do db insert and we'll do domains, and I'm gonna use tesla.com, and again, no notes. All right, we have now inserted three different domain names, diontraining.com, udemy.com, and tesla.com, into our database. Now, if we wanna see that and verify it took, we can use the command show and then the name of the table, in this case domains. So show domains, and here is our table. Boom, we have three rows, diontraining.com, udemy.com, tesla.com, no notes on any of them, and the module was user defined because I manually entered that information.
All right, now that we have loaded our module, now that we have entered our information into the database, we are ready to start searching the WHOIS database for these points of contact. Now, what we're gonna do is we are gonna use this WHOIS POC module. If you don't know what that module is, well, we're inside of it now, so we can just type in the command info. By typing info, it's gonna tell me about the module I'm currently in. Notice when I typed info for WHOIS POCs, it tells me this is the WHOIS POC Harvester, who wrote it, the version and a short description of it. It's gonna use the ARIN WHOIS database to be able to harvest POC data from the WHOIS queries for the given domain. This is also gonna update our contacts table with the results inside of our workspace, so that data we get back is gonna fill part of our database in the workspace so we can go back and look at that information later. Now we have some options that we have to have. We have a source, we have the value of default, it's a required field, and the description is the source of input.
Now, by default, that means it's gonna go and grab it from the table, those three domain names we just put in in row one, two, and three using the domains table. If I wanted to do this from a file, I could do that as well, by changing this default value from default to the file name. In our case, we're gonna do it right from the database. It keeps it nice, it keeps it clean, and that's the way we're gonna do it. Now, if I wanted to change that, I could do that by saying options set, because I'm changing the options; in this case, I wanna set the value of that from default to something else. Now, in our case, I don't wanna do that, so I'm gonna go ahead and delete that, but you could do that if you wanted to go ahead and read it from a file, read it from an SQL query or something else. As you can see here, the default is to select distinct domain from domains where domain is not null, which just basically means go into the database, look for the domains table, and any domain inside of the domains table.
I want to grab each one that's not blank and we're gonna test it. So this is gonna allow me to test all three of them with one command. Now that we know that our options are good to run this command, we are just gonna simply type run and hit enter. When we do that, it's gonna go off and it is pulling that information and it's grabbing all that information and it dumps it to the screen. Now, that's helpful, but the screen makes it pretty hard to read 'cause I'd have to scroll up and look at that, because we just found 16 new records, and 12 of those were new contacts that were either not duplicated or were new things that we wanted to add. Those all got put into our database. Now, if you remember back, I said we can show things from the database using the show command. Before, we used show with domains to show the three domains. Now I wanna go ahead and use show with contacts to see the contacts table. Here it is. So we have those 12 entries going from row one all the way down to row 12. Now my screen is a little bit zoomed in to make it easier for you to read in the video.
If I was zoomed out, it would all fit in one nice table. Here you could see that three columns, the phone, notes and module row, went to the second line. Now let's go ahead and read the first line. The first line we have is based on Udemy. You could see here that we found no first name, no middle name, the last name was Operations Architect. The email was netops+aaronudemy.com. The title was WHOIS Contact because that's the type of information we got. The region, San Francisco, California, the country, United States, and then phone, blank, notes, blank, module, WHOIS POCs, which is the module we used to find this information. Now there are lots of modules in Recon-ng. You might be finding contacts by doing Twitter searches, LinkedIn searches, Google searches, whatever it is; all that will go into this database to create our table of people. But this tells us which module found that information and which type of information it was. In this case, a WHOIS Contact. Next, we have lines two through 12, and these are all based on Tesla. Now you'll notice Dion Training didn't show up.
The reason for that is we actually have our WHOIS records set up with privacy, and so those are not gonna be shared in the WHOIS database. It just says this is a private record. So there was no way to grab that information and add it to the table. That's why we have the one for Udemy, which is a very common way of doing it. For a large organization, they actually have a group email, not a person's email, but if we look at Tesla, they chose not to do that. Tesla actually has individual people's names. Now as I look at them, what is this information that's gonna be useful? Well, for one, I have names of people and emails I can use. That's the obvious one. But in addition to that, I might be able to figure out what naming scheme that company uses. For example, maybe you can't find everybody's email when you're doing your open source research, but you found their first and last name on LinkedIn.
Well, if you know that the company uses first name dot last name, like Elon.musk@tesla.com, then you could put that in for everybody you find on LinkedIn and now you have their email. Conversely though, we actually don't see that here with Tesla. I am seeing multiple different naming schemes. The first one, Anna, actually shows up as Ann, which is three letters from her first name and then her full last name, martinez@tesla.com. The next one is just an abbreviation for the name Cameron, and they called it cam@tesla.com. The next one is Sherry, but it's abbreviated down to SHE, the first three letters again, and then her last name, Lewis@tesla.com. We get down to Elon Musk, it's first name dot last name. We get down to Jian Gu. We're seeing his full name slapped together with no period, so it's another different convention. We go down to line nine and we see Mah Desai, and this is the first three letters and the last name @tesla.com. We get down to Paul Snicker and we just see Paul@tesla.com. We get down to Terry Chi and we see tchi@tesla.com.
So we're seeing a little bit of differentiation here, but several of them, I saw at least three, had the first three letters and then the last name, so I'm thinking that might be the naming convention at Tesla for their employees. Now, if I wanted to validate that, I could take some people's names who I find on LinkedIn, where I know their first name and last name, put 'em into that format of the first three letters and their last name @tesla.com, and then see is it a valid email by checking something like Email Dossier at CentralOps or other things like that. So hopefully you could start seeing how we put all these different tools together and get information from different places, consolidate it, and then we can start doing things with it, like spear phishing campaigns or whaling campaigns or social engineering in general. Lots of different ways to start using this information. Now, as I said at the beginning, there are a lot of different modules to Recon-ng, and I just wanted to show you the basic usage, because all the modules work the same way as you go into a workspace.
And then as you go into a module, you're gonna keep going through the directory structure like you saw here, Recon-ng, Dion, WHOIS POCs. Now, if I wanted to go back, I could just type in the word back and it will bring me up a level as well, and then I can go ahead and load a different workspace and then I can go ahead and do another assessment. Now remember, you can always use the show command to show anything you want, just like I did show domains or show contacts. You can also show companies, you can show credentials, you can show hosts, leaks, locations, netblocks, ports, profiles, pushpins, repositories, and vulnerabilities, because all of those have tables in the database, as you saw when we looked at the database schema. Now, all of those get things from various modules that you may or may not install, so that's the important thing, is to have the right module for the right thing you're trying to grab. In this demonstration, I only used one module and I only searched for contacts, so that's why we saw things in this show contacts to display my findings as you see here on the screen.
But the great thing is if I ran other searches from other modules and they found contacts, they would also be in this table, and I could easily see those too. Now hopefully, you're starting to see how all of this starts coming together, and you're gonna play with it a little bit more on your own. As I said before, the thing that's gonna make you a great penetration tester is hands on the keyboard, practicing with this stuff, doing different reconnaissance evolutions, trying to find information that's out there. Now, the great thing about open source intelligence and learning how to do this is that all the information is out there. You don't need permission from any of these companies to go look up this information, because it's all public information that's sitting online, and this is a great way for you to start building up your skills early on in the reconnaissance process, because as long as you're doing passive reconnaissance, you're not touching that company's servers, and you are not conducting any kind of hacking.
You're just in the preparation phases, you're just learning information, and using these tools and getting better at them is gonna make you a better penetration tester in the long run.
