1
00:00:00,230 --> 00:00:01,948
Instructor: In this lesson,
2
00:00:01,948 --> 00:00:03,930
I'm gonna show you how to use a couple of the open source
3
00:00:03,930 --> 00:00:06,090
intelligence tools specifically.
4
00:00:06,090 --> 00:00:08,400
We're gonna take a quick look at metagoofil,
5
00:00:08,400 --> 00:00:11,100
theHarvester and Recon-ng.
6
00:00:11,100 --> 00:00:13,500
Now first let's look at metagoofil.
7
00:00:13,500 --> 00:00:14,580
Let's say for example,
8
00:00:14,580 --> 00:00:17,190
I want to search Udemy's website for any Word,
9
00:00:17,190 --> 00:00:19,874
PowerPoint and PDF files,
10
00:00:19,874 --> 00:00:21,660
and I wanna limit that search to the first 50 documents
11
00:00:21,660 --> 00:00:24,360
found, download up to 25 of those files,
12
00:00:24,360 --> 00:00:25,800
put them into a working directory,
13
00:00:25,800 --> 00:00:28,530
and then I can save those 25 files in there and output the
14
00:00:28,530 --> 00:00:31,710
results to a file that tells me everything we found.
15
00:00:31,710 --> 00:00:34,563
I can do that pretty easily by using metagoofil.
16
00:00:35,608 --> 00:00:36,610
Now first though,
17
00:00:36,610 --> 00:00:38,790
we have to install metagoofil because it's not installed by
18
00:00:38,790 --> 00:00:41,190
default in our version of Kali Linux,
19
00:00:41,190 --> 00:00:45,270
which at the time of this recording is 2021.4A.
20
00:00:45,270 --> 00:00:46,103
To do that,
21
00:00:46,103 --> 00:00:48,840
you can try to just run metagoofil and it will ask if you wanna
22
00:00:48,840 --> 00:00:51,480
install it, or you can use sudo apt-get
23
00:00:51,480 --> 00:00:53,940
install metagoofil.
24
00:00:53,940 --> 00:00:56,490
I'm gonna do it the easy way and just type in metagoofil
25
00:00:56,490 --> 00:00:58,170
first, now, if it's installed,
26
00:00:58,170 --> 00:01:00,360
it would give me the usage and syntax of what I would have
27
00:01:00,360 --> 00:01:01,799
to do.
28
00:01:01,799 --> 00:01:02,801
If it's not,
29
00:01:02,801 --> 00:01:04,410
it's gonna give me an error message, and in this case it's not
30
00:01:04,410 --> 00:01:07,080
installed, but Kali Linux is smart enough to say,
31
00:01:07,080 --> 00:01:08,490
Would you like me to install it?
32
00:01:08,490 --> 00:01:09,323
In this case,
33
00:01:09,323 --> 00:01:11,070
I'm gonna say yes and let them do all the hard work of
34
00:01:11,070 --> 00:01:12,240
installing it for me,
35
00:01:12,240 --> 00:01:14,670
you do need to put in your password for the sudo user,
36
00:01:14,670 --> 00:01:15,960
which is the root user,
37
00:01:15,960 --> 00:01:18,540
and in the case of the default virtual machine that comes from
38
00:01:18,540 --> 00:01:19,680
kali.org.
39
00:01:19,680 --> 00:01:22,830
It's just gonna be KALI or Kali.
40
00:01:22,830 --> 00:01:25,170
It's gonna go through, it's gonna install, it's gonna say,
41
00:01:25,170 --> 00:01:26,190
Would you like to install it?
42
00:01:26,190 --> 00:01:28,440
Say yes, and there we go.
43
00:01:28,440 --> 00:01:33,183
It's downloading it and off it goes, installing it,
44
00:01:35,100 --> 00:01:37,740
and in about another 10 seconds, boom, we're done.
45
00:01:37,740 --> 00:01:39,540
Okay, we're back to the command prompt.
46
00:01:39,540 --> 00:01:42,120
So at this point we can now use this tool.
47
00:01:42,120 --> 00:01:44,430
Now, just to bring myself back up to the top of the screen,
48
00:01:44,430 --> 00:01:46,650
I'm just gonna type in the word clear and in a Linux
49
00:01:46,650 --> 00:01:48,840
terminal that just brings you right back to the top of your
50
00:01:48,840 --> 00:01:49,710
screen.
51
00:01:49,710 --> 00:01:52,350
Now what I wanna do is go ahead and do that Udemy search
52
00:01:52,350 --> 00:01:53,550
that I was talking about.
53
00:01:53,550 --> 00:01:56,550
We're gonna go ahead and type in metagoofil,
54
00:01:56,550 --> 00:02:00,270
then dash D for the domain. Udemy.com is the domain
55
00:02:00,270 --> 00:02:03,390
we're gonna be searching, then dash T for the file type,
56
00:02:03,390 --> 00:02:05,190
and then the file types we wanna search for.
57
00:02:05,190 --> 00:02:09,120
I'm gonna do a doc, a docx, a PowerPoint,
58
00:02:09,120 --> 00:02:11,220
or PPT, a PPTX,
59
00:02:11,220 --> 00:02:13,080
which is the newer version of PowerPoint,
60
00:02:13,080 --> 00:02:16,110
and let's go ahead and throw PDF in there for good measure.
61
00:02:16,110 --> 00:02:19,680
Then we're gonna do dash L for limiting the number we want,
62
00:02:19,680 --> 00:02:22,710
and I'm just gonna go ahead and make it up to 50 of each.
63
00:02:22,710 --> 00:02:24,300
And then I'm gonna do dash N,
64
00:02:24,300 --> 00:02:26,010
which is the number I wanna download,
65
00:02:26,010 --> 00:02:27,780
and I'm gonna do up to 25.
66
00:02:27,780 --> 00:02:30,870
And then I wanna put dash O for my output directory.
67
00:02:30,870 --> 00:02:31,703
And in this case,
68
00:02:31,703 --> 00:02:34,170
I'm just gonna go ahead and call it Udemy files and it'll
69
00:02:34,170 --> 00:02:36,510
make a new directory in the directory I'm currently in
70
00:02:36,510 --> 00:02:37,950
called Udemy files.
71
00:02:37,950 --> 00:02:41,730
And then dash F and dash F is gonna be to say I want to
72
00:02:41,730 --> 00:02:44,760
create a file that gives me the results in one combined
73
00:02:44,760 --> 00:02:46,260
HTML file.
74
00:02:46,260 --> 00:02:47,250
Now once I do this,
75
00:02:47,250 --> 00:02:49,530
I'm just gonna go ahead and hit enter and it's gonna go off
76
00:02:49,530 --> 00:02:50,970
and start that search.
77
00:02:50,970 --> 00:02:53,400
You could see here that it is gonna go ahead and download
78
00:02:53,400 --> 00:02:54,233
those files.
79
00:02:54,233 --> 00:02:56,700
It's gonna save them into that new file folder that I just
80
00:02:56,700 --> 00:02:58,710
created, which is called Udemy files.
81
00:02:58,710 --> 00:03:01,770
It created the folder and now we're out there searching for
82
00:03:01,770 --> 00:03:05,010
50 doc files and we're gonna wait 30 seconds and then it's
83
00:03:05,010 --> 00:03:06,744
gonna try the next search,
84
00:03:06,744 --> 00:03:08,340
and it's gonna continue to do this through each of those
85
00:03:08,340 --> 00:03:09,780
five file types.
86
00:03:09,780 --> 00:03:12,030
Now I'm gonna go ahead and fast forward through this search
87
00:03:12,030 --> 00:03:13,740
because it does take a little bit of time to do all the
88
00:03:13,740 --> 00:03:16,170
searching and we're gonna come back once the search is
89
00:03:16,170 --> 00:03:21,170
complete. Okay, our search is complete, or in this case,
90
00:03:22,350 --> 00:03:24,120
our search actually failed.
91
00:03:24,120 --> 00:03:25,440
Now why did it fail?
92
00:03:25,440 --> 00:03:26,273
Well,
93
00:03:26,273 --> 00:03:28,200
Google actually will block you if you're making too many
94
00:03:28,200 --> 00:03:30,270
requests because it detects that you're a bot,
95
00:03:30,270 --> 00:03:32,640
and in this case it did just that.
96
00:03:32,640 --> 00:03:33,870
To be able to overcome this,
97
00:03:33,870 --> 00:03:36,330
you can actually install something like Tor onto your Linux
98
00:03:36,330 --> 00:03:38,610
machine and then you'll route all your traffic through Tor.
99
00:03:38,610 --> 00:03:40,890
So you're coming from different IP addresses between each
100
00:03:40,890 --> 00:03:42,390
and every one of your searches.
101
00:03:42,390 --> 00:03:44,250
But for the purposes of this demonstration,
102
00:03:44,250 --> 00:03:46,500
this gives us the idea of what we were trying to do.
103
00:03:46,500 --> 00:03:48,308
Now, notice here at the top, we did search
104
00:03:48,308 --> 00:03:50,250
not just udemy.com,
105
00:03:50,250 --> 00:03:51,990
but all of its subdomains as well.
106
00:03:51,990 --> 00:03:53,580
So we found that they were actually trying to find some
107
00:03:53,580 --> 00:03:56,070
files on the about.udemy.com site,
108
00:03:56,070 --> 00:03:59,820
the investors.udemy.com site and other things like that.
109
00:03:59,820 --> 00:04:00,900
All right, now that we did that,
110
00:04:00,900 --> 00:04:02,460
I'm gonna go ahead and clear my screen to bring me to the
111
00:04:02,460 --> 00:04:03,540
top again.
112
00:04:03,540 --> 00:04:04,860
Okay, once we clear the screen,
113
00:04:04,860 --> 00:04:06,570
I'm just gonna do the LS command,
114
00:04:06,570 --> 00:04:08,820
which will list out the files and you'll see there there is
115
00:04:08,820 --> 00:04:12,090
a text file with the HTML links based on what it found from
116
00:04:12,090 --> 00:04:13,560
all the metadata it was searching,
117
00:04:13,560 --> 00:04:15,900
and you'll also see there is one called Udemy Files,
118
00:04:15,900 --> 00:04:18,930
which is a folder, and if I go into the Udemy files,
119
00:04:18,930 --> 00:04:21,750
you're gonna see that we do have a couple of files here that
120
00:04:21,750 --> 00:04:25,081
were downloaded as part of our reconnaissance
121
00:04:25,081 --> 00:04:25,914
using metagoofil
122
00:04:25,914 --> 00:04:28,530
and we can go through those files to look at what we found.
123
00:04:28,530 --> 00:04:31,470
The next tool we're gonna use is known as theHarvester,
124
00:04:31,470 --> 00:04:35,400
and theHarvester is spelled as one word with a capital H.
125
00:04:35,400 --> 00:04:37,950
Now theHarvester is a wonderful tool and it's used to
126
00:04:37,950 --> 00:04:41,320
gather emails, subdomains, hosts, employee names,
127
00:04:41,320 --> 00:04:43,980
email addresses, PGP key entries,
128
00:04:43,980 --> 00:04:47,010
open ports and service banners off of the servers.
129
00:04:47,010 --> 00:04:47,843
Now again,
130
00:04:47,843 --> 00:04:50,280
theHarvester is another command-line tool and it's pretty
131
00:04:50,280 --> 00:04:52,500
easy to use once you learn the syntax.
132
00:04:52,500 --> 00:04:56,070
It's very similar to what we just used with metagoofil.
133
00:04:56,070 --> 00:04:57,900
Now when we wanna use this command,
134
00:04:57,900 --> 00:05:00,930
we can just type in theHarvester and then hit enter and
135
00:05:00,930 --> 00:05:03,060
it's gonna tell us how to use it.
136
00:05:03,060 --> 00:05:04,920
Here you can see the usage on the screen.
137
00:05:04,920 --> 00:05:06,120
So to use the tool,
138
00:05:06,120 --> 00:05:09,690
we're just gonna go ahead and type in theHarvester dash D,
139
00:05:09,690 --> 00:05:11,100
the domain name that we wanna search.
140
00:05:11,100 --> 00:05:12,579
In this case,
141
00:05:12,579 --> 00:05:15,270
I'm gonna use udemy.com dash L to limit the number of
142
00:05:15,270 --> 00:05:16,830
searches we wanna return.
143
00:05:16,830 --> 00:05:19,470
I'm gonna use five as the number of things I wanna return,
144
00:05:19,470 --> 00:05:22,260
and then I want to go ahead and enter in dash B and the
145
00:05:22,260 --> 00:05:24,240
search engine I want to use, for instance,
146
00:05:24,240 --> 00:05:25,590
I'm gonna use Google.
147
00:05:25,590 --> 00:05:28,410
I could just as easily use something like LinkedIn or Bing
148
00:05:28,410 --> 00:05:30,450
or something else if I wanted to as well.
149
00:05:30,450 --> 00:05:31,283
Once you're done with that,
150
00:05:31,283 --> 00:05:33,840
go ahead and hit enter and it's gonna run off and run that
151
00:05:33,840 --> 00:05:34,673
command.
152
00:05:34,673 --> 00:05:36,960
You'll see here we see the banner for theHarvester,
153
00:05:36,960 --> 00:05:39,120
we see the fact that it's going in, searching Google,
154
00:05:39,120 --> 00:05:41,940
we're getting zero results, no IPs, no emails,
155
00:05:41,940 --> 00:05:44,880
and one host that was found with two IP addresses.
156
00:05:44,880 --> 00:05:46,080
Now, why is that?
157
00:05:46,080 --> 00:05:46,913
Well, again,
158
00:05:46,913 --> 00:05:49,830
I just did the scan from this computer when I was using
159
00:05:49,830 --> 00:05:50,790
metagoofil,
160
00:05:50,790 --> 00:05:54,000
and so Google at this point is already blocking me because
161
00:05:54,000 --> 00:05:56,460
they think that I am a bot or I'm doing something bad,
162
00:05:56,460 --> 00:05:58,290
and so therefore they're blocking me.
163
00:05:58,290 --> 00:06:00,870
Again, if you go ahead and change your IP addresses,
164
00:06:00,870 --> 00:06:02,370
you go ahead and do something like Tor.
165
00:06:02,370 --> 00:06:04,980
It's gonna keep you from having this same problem.
166
00:06:04,980 --> 00:06:07,410
Let me go ahead and clear the screen.
167
00:06:07,410 --> 00:06:09,750
The next thing we're gonna go ahead and do is work with
168
00:06:09,750 --> 00:06:11,280
Recon-ng.
169
00:06:11,280 --> 00:06:13,890
Now, Recon-ng is a great tool,
170
00:06:13,890 --> 00:06:17,370
but it is a little bit more complicated than the two I just
171
00:06:17,370 --> 00:06:18,300
showed you.
172
00:06:18,300 --> 00:06:19,680
So to start up Recon-ng,
173
00:06:19,680 --> 00:06:22,680
you just type in recon-ng and hit enter.
174
00:06:22,680 --> 00:06:23,513
When you do that,
175
00:06:23,513 --> 00:06:26,010
it's gonna load up and now you're in a special command
176
00:06:26,010 --> 00:06:28,590
prompt within the Recon-ng environment.
177
00:06:28,590 --> 00:06:31,890
Notice here we're in Recon-ng and we are in the default
178
00:06:31,890 --> 00:06:33,030
workspace.
179
00:06:33,030 --> 00:06:35,700
Now, Recon-ng is a wonderful web reconnaissance
180
00:06:35,700 --> 00:06:36,690
framework and it
181
00:06:36,690 --> 00:06:39,270
works a lot like Metasploit does for exploits,
182
00:06:39,270 --> 00:06:41,640
and the Social-Engineer Toolkit works for social
183
00:06:41,640 --> 00:06:42,480
engineering.
184
00:06:42,480 --> 00:06:45,210
It brings a lot of tools and a lot of capabilities into one
185
00:06:45,210 --> 00:06:46,620
place, but because of that,
186
00:06:46,620 --> 00:06:49,080
it is a little bit more complicated.
187
00:06:49,080 --> 00:06:49,913
Now also,
188
00:06:49,913 --> 00:06:51,480
the other thing to note is a lot of the things you're gonna
189
00:06:51,480 --> 00:06:54,960
find online for Recon-ng are gonna be wrong and they're not
190
00:06:54,960 --> 00:06:55,800
gonna work.
191
00:06:55,800 --> 00:06:57,960
The reason for that is there was a switch in a lot of the
192
00:06:57,960 --> 00:07:01,590
syntax going between version four and version five.
193
00:07:01,590 --> 00:07:03,983
You could see here I'm operating with version 5.1.2,
194
00:07:04,830 --> 00:07:07,290
which is the latest at the time of this recording.
195
00:07:07,290 --> 00:07:09,210
So all the things I'm gonna show you now are based
196
00:07:09,210 --> 00:07:10,530
on that version.
197
00:07:10,530 --> 00:07:13,020
These will not work in the older version four,
198
00:07:13,020 --> 00:07:15,390
and the old version four commands will not always work in
199
00:07:15,390 --> 00:07:16,770
the newer version five.
200
00:07:16,770 --> 00:07:17,603
So keep that in mind.
201
00:07:17,603 --> 00:07:20,400
If you're looking at any tutorials online or YouTube videos,
202
00:07:20,400 --> 00:07:22,320
if they're older than about 2020,
203
00:07:22,320 --> 00:07:24,510
you may run into some issues there.
204
00:07:24,510 --> 00:07:25,800
Now to use this,
205
00:07:25,800 --> 00:07:29,070
we're gonna launch into Recon-ng just like we did here and
206
00:07:29,070 --> 00:07:32,460
now I like to personally set up my own workspace instead of
207
00:07:32,460 --> 00:07:34,140
using the default workspace.
208
00:07:34,140 --> 00:07:37,080
This gives me almost a place to store and save all my
209
00:07:37,080 --> 00:07:40,230
different commands and tools and information that I find in
210
00:07:40,230 --> 00:07:41,130
one area.
211
00:07:41,130 --> 00:07:42,599
And so to do this,
212
00:07:42,599 --> 00:07:44,340
we are gonna use the workspaces command.
213
00:07:44,340 --> 00:07:46,500
Now, if you don't know any of the commands in Recon-ng yet,
214
00:07:46,500 --> 00:07:47,880
which you probably don't,
215
00:07:47,880 --> 00:07:49,890
you might wanna first type in help.
216
00:07:49,890 --> 00:07:51,030
When you type in help,
217
00:07:51,030 --> 00:07:53,250
it'll list out all the commands you can use,
218
00:07:53,250 --> 00:07:56,010
and you'll see there that we have one called workspaces at
219
00:07:56,010 --> 00:07:57,120
the bottom of the list,
220
00:07:57,120 --> 00:07:59,520
and this is used to manage workspaces.
221
00:07:59,520 --> 00:08:02,190
A workspace is just a defined area to keep your different
222
00:08:02,190 --> 00:08:04,620
information from different engagements into different
223
00:08:04,620 --> 00:08:07,110
buckets so they're not mixing between clients.
224
00:08:07,110 --> 00:08:08,880
So what I'm gonna do is I'm just gonna type in the word
225
00:08:08,880 --> 00:08:12,420
workspaces, and then from workspaces, if I hit enter,
226
00:08:12,420 --> 00:08:15,180
it's gonna tell me I didn't give enough syntax because we
227
00:08:15,180 --> 00:08:16,775
didn't know what to do with it yet.
228
00:08:16,775 --> 00:08:19,890
Here we can do a create, list, load or remove.
229
00:08:19,890 --> 00:08:22,590
In our case, we can see if there are any workspaces already,
230
00:08:22,590 --> 00:08:24,330
and there shouldn't be because this is a brand new
231
00:08:24,330 --> 00:08:25,890
installation, but by doing that,
232
00:08:25,890 --> 00:08:29,040
we do workspaces space list and hit enter.
233
00:08:29,040 --> 00:08:31,260
And you see we only have the default one.
234
00:08:31,260 --> 00:08:33,450
I'm gonna go ahead and create one called Dion,
235
00:08:33,450 --> 00:08:37,530
and to do that, we're just gonna type in workspaces, create,
236
00:08:37,530 --> 00:08:40,604
and then I'm gonna use the folder name of Dion.
237
00:08:40,604 --> 00:08:44,190
Now, if I go ahead and do workspaces list,
238
00:08:44,190 --> 00:08:47,490
you're gonna see two Default and Dion.
239
00:08:47,490 --> 00:08:48,795
All right.
240
00:08:48,795 --> 00:08:49,628
Now that we've done that,
241
00:08:49,628 --> 00:08:51,837
we can go ahead and select that workspace to work in it.
242
00:08:51,837 --> 00:08:54,450
And in this case, because I just created that workspace,
243
00:08:54,450 --> 00:08:57,330
it automatically put me into the Dion Workspace.
244
00:08:57,330 --> 00:08:59,730
But let's say I had another one because I was gonna do
245
00:08:59,730 --> 00:09:02,613
workspaces create, Udemy.
246
00:09:04,260 --> 00:09:06,270
Now I'm gonna have three different workspaces.
247
00:09:06,270 --> 00:09:07,680
Oh, I actually typed that wrong,
248
00:09:07,680 --> 00:09:09,420
so make sure you type it correctly.
249
00:09:09,420 --> 00:09:13,050
Everything in Linux is case sensitive and obviously spelling
250
00:09:13,050 --> 00:09:13,883
sensitive.
251
00:09:13,883 --> 00:09:16,740
I forgot the S on workspace and that's why I got that error.
252
00:09:16,740 --> 00:09:17,573
So here we go.
253
00:09:17,573 --> 00:09:19,290
I listed it out and you see there are three workspaces.
254
00:09:19,290 --> 00:09:21,633
Now, Dion, Udemy, and default.
255
00:09:22,510 --> 00:09:23,343
When you create a new workspace,
256
00:09:23,343 --> 00:09:26,070
by default it moves you into that workspace.
257
00:09:26,070 --> 00:09:29,148
So you'll notice when I created Dion right next to Recon-ng,
258
00:09:29,148 --> 00:09:31,798
there was this thing that said bracket, Dion bracket,
259
00:09:32,775 --> 00:09:34,440
and that told me that I was in the Dion space,
260
00:09:34,440 --> 00:09:37,762
and you could see that just below the first table where I
261
00:09:37,762 --> 00:09:39,060
entered workspaces create Dion,
262
00:09:39,060 --> 00:09:41,130
it moved me into that Dion workspace.
263
00:09:41,130 --> 00:09:43,650
Then when I created the Udemy workspace,
264
00:09:43,650 --> 00:09:46,050
it then changed me from Dion into Udemy.
265
00:09:46,050 --> 00:09:47,940
But let's say I wanted to go back into Dion,
266
00:09:47,940 --> 00:09:48,930
how would I do that?
267
00:09:48,930 --> 00:09:49,770
Well, to do that,
268
00:09:49,770 --> 00:09:52,110
we're just gonna type in workspaces load,
269
00:09:52,110 --> 00:09:53,460
and then the name of the workspace.
270
00:09:53,460 --> 00:09:55,560
In my case, it's Dion.
271
00:09:55,560 --> 00:09:58,770
Now you can see I am back in Recon-ng inside the
272
00:09:58,770 --> 00:10:00,480
workspace Dion.
273
00:10:00,480 --> 00:10:01,313
All right,
274
00:10:01,313 --> 00:10:03,420
the next thing we have to do is we have to have some modules
275
00:10:03,420 --> 00:10:06,240
installed to be able to do some functionality inside of
276
00:10:06,240 --> 00:10:07,350
Recon-ng.
277
00:10:07,350 --> 00:10:08,183
Now, by default,
278
00:10:08,183 --> 00:10:12,150
there are no modules installed when you first get Recon-ng,
279
00:10:12,150 --> 00:10:13,470
and this is a brand new install,
280
00:10:13,470 --> 00:10:15,450
and if you just loaded up your virtual machine,
281
00:10:15,450 --> 00:10:16,707
you have a brand new install as well.
282
00:10:16,707 --> 00:10:19,080
And so these are things we have to work through.
283
00:10:19,080 --> 00:10:20,730
So what we're gonna do is we're actually gonna go into the
284
00:10:20,730 --> 00:10:23,610
module section, which is another one of those key words.
285
00:10:23,610 --> 00:10:25,230
Again, if you get lost at any time,
286
00:10:25,230 --> 00:10:28,140
just type in help and you'll notice there we have a modules
287
00:10:28,140 --> 00:10:30,210
command and it says that it interfaces with
288
00:10:30,210 --> 00:10:31,470
installed modules.
289
00:10:31,470 --> 00:10:33,420
So to check if there's any installed modules,
290
00:10:33,420 --> 00:10:36,300
I'm just gonna type in modules and then I would use the
291
00:10:36,300 --> 00:10:37,560
command search.
292
00:10:37,560 --> 00:10:39,360
Now, if you don't know any of the commands for modules,
293
00:10:39,360 --> 00:10:41,820
again, just type in modules and hit enter.
294
00:10:41,820 --> 00:10:43,050
There are your different options.
295
00:10:43,050 --> 00:10:44,400
You can load, reload,
296
00:10:44,400 --> 00:10:45,270
or search.
297
00:10:45,270 --> 00:10:47,370
Search is essentially like listing,
298
00:10:47,370 --> 00:10:48,690
but you can list all of them.
299
00:10:48,690 --> 00:10:50,580
If you just type in search and hit enter,
300
00:10:50,580 --> 00:10:53,610
or you can actually search for a keyword because there are
301
00:10:53,610 --> 00:10:56,550
many modules and maybe you just want a specific module for a
302
00:10:56,550 --> 00:10:58,050
specific use case.
303
00:10:58,050 --> 00:10:59,940
If I go ahead and hit search and hit enter,
304
00:10:59,940 --> 00:11:02,910
you're gonna see that I have no modules found and it has a
305
00:11:02,910 --> 00:11:03,990
red error there.
306
00:11:03,990 --> 00:11:06,390
That's because I haven't installed anything yet.
307
00:11:06,390 --> 00:11:09,120
And so now we need to go and find some modules.
308
00:11:09,120 --> 00:11:10,200
How do you do that?
309
00:11:10,200 --> 00:11:11,790
Well, looking back up at the help area,
310
00:11:11,790 --> 00:11:14,340
you'll see a command called Marketplace.
311
00:11:14,340 --> 00:11:16,800
This interfaces with the module marketplace,
312
00:11:16,800 --> 00:11:19,260
and this is where you can search for and download a single
313
00:11:19,260 --> 00:11:21,300
module or all the modules.
314
00:11:21,300 --> 00:11:23,700
Now, some modules you're gonna find are gonna require you
315
00:11:23,700 --> 00:11:27,120
to get an API key to be able to associate with the service.
316
00:11:27,120 --> 00:11:30,090
For example, there's a module to be able to search Twitter,
317
00:11:30,090 --> 00:11:32,220
and Twitter requires you to register with them as a
318
00:11:32,220 --> 00:11:35,310
developer to get an API key so you can then make that API
319
00:11:35,310 --> 00:11:38,550
connection from Recon-ng into Twitter and start searching
320
00:11:38,550 --> 00:11:39,510
their stuff.
321
00:11:39,510 --> 00:11:41,850
Now, to make things easy for our demonstration,
322
00:11:41,850 --> 00:11:44,430
we're not gonna go into that and I'm gonna pick a module
323
00:11:44,430 --> 00:11:46,770
that does not require API keys.
324
00:11:46,770 --> 00:11:49,650
If you're gonna use Recon-ng for real, go online,
325
00:11:49,650 --> 00:11:51,600
look at the Recon-ng manual.
326
00:11:51,600 --> 00:11:53,670
You'll be able to walk through how to do all of those things
327
00:11:53,670 --> 00:11:56,250
because there's a lot of capability in this tool.
328
00:11:56,250 --> 00:11:57,300
For the exam,
329
00:11:57,300 --> 00:11:59,850
you do not need to know how to use Recon-ng.
330
00:11:59,850 --> 00:12:01,800
I just wanted to show you so you can get comfortable
331
00:12:01,800 --> 00:12:03,075
with it,
332
00:12:03,075 --> 00:12:04,470
so you can use it in the real world a little bit and then
333
00:12:04,470 --> 00:12:05,700
take it from there.
334
00:12:05,700 --> 00:12:08,370
Now, what we wanna do first is we wanna find a module
335
00:12:08,370 --> 00:12:09,360
that we can use.
336
00:12:09,360 --> 00:12:12,450
The one I'm gonna use is known as recon slash domain
337
00:12:12,450 --> 00:12:15,033
contacts slash WHOIS POCs.
338
00:12:16,130 --> 00:12:16,980
I know this one doesn't require an API,
339
00:12:16,980 --> 00:12:20,040
and the purpose of this is for us to be able to use this to
340
00:12:20,040 --> 00:12:23,070
look up the WHOIS data for different domain names.
341
00:12:23,070 --> 00:12:23,903
Now, to do this,
342
00:12:23,903 --> 00:12:27,150
we're just gonna use the command marketplace and then we're
343
00:12:27,150 --> 00:12:29,100
gonna use the term install.
344
00:12:29,100 --> 00:12:30,210
Now, just like before,
345
00:12:30,210 --> 00:12:31,890
if you don't know how to do something,
346
00:12:31,890 --> 00:12:34,290
you can simply type in marketplace and enter and it will
347
00:12:34,290 --> 00:12:35,580
give you the syntax,
348
00:12:35,580 --> 00:12:37,410
and then you're gonna put the one that you're looking for.
349
00:12:37,410 --> 00:12:39,990
In my case, I know exactly which one I'm looking for.
350
00:12:39,990 --> 00:12:42,300
It's recon slash domains,
351
00:12:42,300 --> 00:12:47,300
dash contacts slash WHOIS underscore POCs.
352
00:12:47,700 --> 00:12:50,790
Hit enter and it's gonna go ahead and install that module.
353
00:12:50,790 --> 00:12:51,623
You'll see right here,
354
00:12:51,623 --> 00:12:54,150
it installed the module and then it reloaded it.
355
00:12:54,150 --> 00:12:56,610
If I wanna validate that actually happened,
356
00:12:56,610 --> 00:13:00,120
I can do that by using the modules search command like I did
357
00:13:00,120 --> 00:13:02,430
before to show there was no modules found.
358
00:13:02,430 --> 00:13:04,350
So let's go ahead and do that.
359
00:13:04,350 --> 00:13:06,540
And now instead of no modules being found,
360
00:13:06,540 --> 00:13:08,550
I see that I have one module found.
361
00:13:08,550 --> 00:13:10,470
It's under the recon category,
362
00:13:10,470 --> 00:13:12,720
and it is the one I just installed.
363
00:13:12,720 --> 00:13:14,820
Now, if you wanted to install all of the modules,
364
00:13:14,820 --> 00:13:16,440
and there are a lot of them out there,
365
00:13:16,440 --> 00:13:17,370
if you wanna see them all,
366
00:13:17,370 --> 00:13:20,370
just type in marketplace and then hit search,
367
00:13:20,370 --> 00:13:21,660
and then hit enter.
368
00:13:21,660 --> 00:13:22,920
And you'll see there is a bunch,
369
00:13:22,920 --> 00:13:25,980
there are so many that it's actually going off of my screen.
370
00:13:25,980 --> 00:13:28,020
And so if you wanted to actually scroll up here,
371
00:13:28,020 --> 00:13:30,990
you can go through and see that there are a ton of different
372
00:13:30,990 --> 00:13:33,870
modules, and all of these have different functionality.
373
00:13:33,870 --> 00:13:35,580
If you wanna know what each one does,
374
00:13:35,580 --> 00:13:39,480
you can actually look them up inside of Recon-ng using the
375
00:13:39,480 --> 00:13:40,590
info command,
376
00:13:40,590 --> 00:13:42,480
and you'll be able to learn more about those particular
377
00:13:42,480 --> 00:13:43,313
tools.
378
00:13:43,313 --> 00:13:44,580
Or again, go online,
379
00:13:44,580 --> 00:13:48,685
go ahead and Google or Bing or DuckDuckGo or whatever your
380
00:13:48,685 --> 00:13:50,340
favorite search engine of choice is, and look up those and
381
00:13:50,340 --> 00:13:52,080
you'll figure out which ones they are, what they do,
382
00:13:52,080 --> 00:13:54,660
and which ones may be helpful in your reconnaissance.
383
00:13:54,660 --> 00:13:57,690
Now, if you wanna install all of these, you certainly can,
384
00:13:57,690 --> 00:14:02,287
and to do that, you just type in marketplace install all,
385
00:14:03,930 --> 00:14:04,980
and if I hit enter right now,
386
00:14:04,980 --> 00:14:07,650
it's gonna go and install every single one of those.
387
00:14:07,650 --> 00:14:09,930
Now, the reason I'm not gonna do that is because it's gonna
388
00:14:09,930 --> 00:14:10,920
clutter up our screen.
389
00:14:10,920 --> 00:14:13,200
It's gonna throw a bunch of errors because we haven't set up
390
00:14:13,200 --> 00:14:16,890
all the API keys for all 40 or 50 different recon modules,
391
00:14:16,890 --> 00:14:18,930
and so I'm gonna not do that right now.
392
00:14:18,930 --> 00:14:20,670
But if you wanna do that and you wanna set up your
393
00:14:20,670 --> 00:14:21,690
system fully,
394
00:14:21,690 --> 00:14:24,840
you can install all and then go find API keys for every
395
00:14:24,840 --> 00:14:26,310
single one of those modules.
396
00:14:26,310 --> 00:14:28,770
Now, the next thing we need to do is actually take
397
00:14:28,770 --> 00:14:30,570
that module and load it.
398
00:14:30,570 --> 00:14:33,300
Now again, if I type in modules search,
399
00:14:33,300 --> 00:14:35,940
you're gonna see that I have installed that module,
400
00:14:35,940 --> 00:14:38,340
but it doesn't mean it's loaded and ready for me to go
401
00:14:38,340 --> 00:14:40,740
because you can see where I am inside of the recon
402
00:14:40,740 --> 00:14:41,573
structure.
403
00:14:41,573 --> 00:14:44,970
I'm at Recon-ng, Dion, I'm not inside a module,
404
00:14:44,970 --> 00:14:46,290
I'm not inside any of the options.
405
00:14:46,290 --> 00:14:48,000
I'm just inside the workspace.
406
00:14:48,000 --> 00:14:48,833
So again,
407
00:14:48,833 --> 00:14:51,000
we're just gonna type in modules and hit enter.
408
00:14:51,000 --> 00:14:52,110
You're gonna see the syntax.
409
00:14:52,110 --> 00:14:52,943
We have load,
410
00:14:52,943 --> 00:14:54,360
reload and search.
411
00:14:54,360 --> 00:14:57,510
I'm gonna go ahead and type in modules load,
412
00:14:57,510 --> 00:15:00,720
and then I want to use the WHOIS underscore POCs,
413
00:15:00,720 --> 00:15:03,120
which is the short name for the module I loaded.
414
00:15:03,960 --> 00:15:04,793
There we go.
415
00:15:04,793 --> 00:15:06,150
Notice how my prompt changed.
416
00:15:06,150 --> 00:15:08,700
Now I'm inside this module.
417
00:15:08,700 --> 00:15:09,810
Now that we're in the module,
418
00:15:09,810 --> 00:15:11,667
we need to specify the options that we want to use with
419
00:15:11,667 --> 00:15:12,690
the module,
420
00:15:12,690 --> 00:15:15,480
and we're gonna do that by entering information into our
421
00:15:15,480 --> 00:15:16,410
database.
422
00:15:16,410 --> 00:15:17,730
Now, inside of Recon-ng,
423
00:15:17,730 --> 00:15:19,920
there's actually a database installed with it and you're
424
00:15:19,920 --> 00:15:21,960
able to put information into the database,
425
00:15:21,960 --> 00:15:24,720
both things you want to search for and information that's
426
00:15:24,720 --> 00:15:27,150
gonna come back when you do those searches.
427
00:15:27,150 --> 00:15:29,250
Now, to do this and work with the database,
428
00:15:29,250 --> 00:15:31,140
we need to use the DB command.
429
00:15:31,140 --> 00:15:32,602
And again,
430
00:15:32,602 --> 00:15:34,290
if you get lost at any time, just type in help.
431
00:15:34,290 --> 00:15:35,123
You'll notice there.
432
00:15:35,123 --> 00:15:37,320
The third line down is db,
433
00:15:37,320 --> 00:15:40,200
which interfaces with the workspaces database.
434
00:15:40,200 --> 00:15:42,210
Each workspace has its own database,
435
00:15:42,210 --> 00:15:44,640
and that's another reason you wanna have a workspace
436
00:15:44,640 --> 00:15:47,040
dedicated to whatever engagement you're working on.
437
00:15:47,040 --> 00:15:50,550
So we're gonna go ahead and use db, and then again,
438
00:15:50,550 --> 00:15:53,520
we can hit enter and it'll tell us what things we can do
439
00:15:53,520 --> 00:15:54,750
with the database.
440
00:15:54,750 --> 00:15:56,010
We can delete a database,
441
00:15:56,010 --> 00:15:57,630
we can insert a line in a database,
442
00:15:57,630 --> 00:15:59,190
we can add notes to a database.
443
00:15:59,190 --> 00:16:01,470
We can query it using SQL commands,
444
00:16:01,470 --> 00:16:03,660
or we can look at the database schema.
445
00:16:03,660 --> 00:16:05,460
Now, if I wanted to see the schema of the database,
446
00:16:05,460 --> 00:16:08,910
I can just type in DB schema and hit enter.
447
00:16:08,910 --> 00:16:10,020
And when I do that, again,
448
00:16:10,020 --> 00:16:12,570
it scrolls off the screen a little bit, but as we scroll up,
449
00:16:12,570 --> 00:16:14,520
you can see the different tables that we're using,
450
00:16:14,520 --> 00:16:17,073
I'm going to go up here to the top.
451
00:16:21,030 --> 00:16:21,870
There we go.
452
00:16:21,870 --> 00:16:23,670
So the first one we have is domains,
453
00:16:23,670 --> 00:16:25,320
and this will hold domains notes.
454
00:16:25,320 --> 00:16:28,170
And the module that found the information under companies,
455
00:16:28,170 --> 00:16:30,477
it has company description, notes and module,
456
00:16:30,477 --> 00:16:32,580
and you're gonna see each of these are gonna interact with
457
00:16:32,580 --> 00:16:35,580
different parts of Recon NG and different modules.
458
00:16:35,580 --> 00:16:38,160
Domains is the one we're actually gonna be working with here
459
00:16:38,160 --> 00:16:41,490
because I'm using the WHOIS point of contacts module.
460
00:16:41,490 --> 00:16:43,020
So let me go ahead and get back here to the bottom.
461
00:16:43,020 --> 00:16:44,790
I'm just gonna hit enter, it'll drop me right down.
462
00:16:44,790 --> 00:16:46,250
Okay,
463
00:16:46,250 --> 00:16:47,730
and now what we wanna do is go back to our database command,
464
00:16:47,730 --> 00:16:50,940
and what we wanna do is insert information into that
465
00:16:50,940 --> 00:16:51,773
database,
466
00:16:51,773 --> 00:16:54,750
specifically the domain names that we wanna look at.
467
00:16:54,750 --> 00:16:57,630
Now what I'm gonna do is I'm just gonna type in db,
468
00:16:57,630 --> 00:16:59,790
insert and then domains,
469
00:16:59,790 --> 00:17:02,520
which is the field that I want to insert information in.
470
00:17:02,520 --> 00:17:04,859
And at that point I hit enter and it's gonna say,
471
00:17:04,859 --> 00:17:06,780
What do you want to enter in here?
472
00:17:06,780 --> 00:17:09,089
Well, the thing I wanna enter is the domain name,
473
00:17:09,089 --> 00:17:12,030
so if I wanted to search Diontraining.com,
474
00:17:12,030 --> 00:17:13,230
I can enter that in.
475
00:17:13,230 --> 00:17:14,670
If there's any notes I wanna put in,
476
00:17:14,670 --> 00:17:16,050
I could put them in here too.
477
00:17:16,050 --> 00:17:17,609
I'm just gonna hit enter and make that blank,
478
00:17:17,609 --> 00:17:19,980
and it's gonna insert that into one row.
479
00:17:19,980 --> 00:17:21,930
Now, if I want to enter another domain to search,
480
00:17:21,930 --> 00:17:23,310
I can do that here as well.
481
00:17:23,310 --> 00:17:25,950
Let's go ahead and do insert domains,
482
00:17:25,950 --> 00:17:28,323
and in this case I'm gonna use udemy.com.
483
00:17:29,790 --> 00:17:31,290
Another one I want to enter,
484
00:17:31,290 --> 00:17:34,800
let's go ahead and do DB insert and we'll do domains,
485
00:17:34,800 --> 00:17:39,660
and I'm gonna use tesla.com and again, no notes.
486
00:17:39,660 --> 00:17:41,214
All right,
487
00:17:41,214 --> 00:17:42,630
we have now inserted three different domain names,
488
00:17:42,630 --> 00:17:44,367
Diontraining.com, udemy.com,
489
00:17:44,367 --> 00:17:47,400
and tesla.com into our database.
490
00:17:47,400 --> 00:17:50,220
Now, if we wanna see that and verify it took,
491
00:17:50,220 --> 00:17:53,340
we can use the command show and then the name of the table
492
00:17:53,340 --> 00:17:54,750
in this case domains.
493
00:17:54,750 --> 00:17:56,820
So show domains,
494
00:17:56,820 --> 00:17:58,530
and here is our table.
495
00:17:58,530 --> 00:18:02,310
Boom, we have three rows, Diontraining.com, udemy.com,
496
00:18:02,310 --> 00:18:04,740
tesla.com, no notes on any of them,
497
00:18:04,740 --> 00:18:08,070
and the module was user defined because I manually enter
498
00:18:08,070 --> 00:18:09,450
that information.
499
00:18:09,450 --> 00:18:11,580
All right, now that we have loaded our module,
500
00:18:11,580 --> 00:18:14,310
now that we have entered our information into the database,
501
00:18:14,310 --> 00:18:17,040
we are ready to start searching the WHOIS Database for
502
00:18:17,040 --> 00:18:18,652
these points of contact.
503
00:18:18,652 --> 00:18:21,720
Now, what we're gonna do is we are gonna use this WHOIS
504
00:18:21,720 --> 00:18:22,553
POC module.
505
00:18:22,553 --> 00:18:24,630
If you don't know what that module is,
506
00:18:24,630 --> 00:18:25,920
well we're inside of it now,
507
00:18:25,920 --> 00:18:29,280
so we can just type in the command info, by typing info,
508
00:18:29,280 --> 00:18:31,770
it's gonna tell me about the module I'm currently in.
509
00:18:31,770 --> 00:18:34,260
Notice when I typed info for WHOIS POCs,
510
00:18:34,260 --> 00:18:37,890
it tells me this is the WHOIS POC Harvester who wrote it,
511
00:18:37,890 --> 00:18:40,050
the version and a short description of it.
512
00:18:40,050 --> 00:18:42,420
It's gonna use the ARIN WHOIS database to be able to
513
00:18:42,420 --> 00:18:45,690
harvest POC data from the WHOIS queries for the given
514
00:18:45,690 --> 00:18:47,017
domain.
515
00:18:47,017 --> 00:18:49,020
This is also gonna update our contacts table with the
516
00:18:49,020 --> 00:18:52,410
results inside of our workspace so that data we get back is
517
00:18:52,410 --> 00:18:55,170
gonna fill part of our database in the workspace so we can
518
00:18:55,170 --> 00:18:57,270
go back and look at that information later.
519
00:18:57,270 --> 00:18:59,460
Now we have some options that we have to have.
520
00:18:59,460 --> 00:19:02,280
We have a source, we have the value of default,
521
00:19:02,280 --> 00:19:03,480
it's a required field,
522
00:19:03,480 --> 00:19:05,820
and the description is the source of input.
523
00:19:05,820 --> 00:19:07,560
Now, by default,
524
00:19:07,560 --> 00:19:10,050
that means it's gonna go and grab it from the table.
525
00:19:10,050 --> 00:19:12,840
Those three domain names we just put in in row one, two,
526
00:19:12,840 --> 00:19:15,210
and three using the domains table.
527
00:19:15,210 --> 00:19:18,060
If I wanted to do this from a file, I could do that as well.
528
00:19:18,060 --> 00:19:21,630
By changing this default value from default to the file
529
00:19:21,630 --> 00:19:22,890
name, in our case,
530
00:19:22,890 --> 00:19:24,330
we're gonna do it right from the database.
531
00:19:24,330 --> 00:19:25,200
It keeps it nice,
532
00:19:25,200 --> 00:19:28,140
it keeps it clean, and that's the way we're gonna do it.
533
00:19:28,140 --> 00:19:29,640
Now, if I wanted to change that,
534
00:19:29,640 --> 00:19:34,020
I could do that by changing that by saying options set
535
00:19:34,020 --> 00:19:36,420
because I'm changing the options in this case,
536
00:19:36,420 --> 00:19:38,610
I wanna set the value of that from default
537
00:19:38,610 --> 00:19:39,660
to something else.
538
00:19:39,660 --> 00:19:41,310
Now, in our case, I don't wanna do that,
539
00:19:41,310 --> 00:19:42,840
so I'm gonna go ahead and delete that,
540
00:19:42,840 --> 00:19:44,760
but you could do that if you wanted to go ahead and read it
541
00:19:44,760 --> 00:19:47,970
from a file, read it from an SQL query or something else.
542
00:19:47,970 --> 00:19:48,810
As you can see here,
543
00:19:48,810 --> 00:19:52,830
the default is to select distinct domain from domains where
544
00:19:52,830 --> 00:19:54,390
domain is not null,
545
00:19:54,390 --> 00:19:56,400
which just basically means go into the database,
546
00:19:56,400 --> 00:19:57,780
look for the domains table,
547
00:19:57,780 --> 00:20:00,390
and any domain inside of the domains table.
548
00:20:00,390 --> 00:20:02,490
I want to grab each one that's not blank and we're gonna
549
00:20:02,490 --> 00:20:03,323
test it.
550
00:20:03,323 --> 00:20:05,190
So this is gonna allow me to test all three of them with one
551
00:20:05,190 --> 00:20:06,180
command.
552
00:20:06,180 --> 00:20:08,790
Now that we know that our options are good to run this
553
00:20:08,790 --> 00:20:12,840
command, we are just gonna simply type run and hit enter.
554
00:20:12,840 --> 00:20:13,673
When we do that,
555
00:20:13,673 --> 00:20:16,380
it's gonna go off and it is pulling that information and
556
00:20:16,380 --> 00:20:18,270
it's grabbing all that information and it dumps it
557
00:20:18,270 --> 00:20:19,200
to the screen.
558
00:20:19,200 --> 00:20:20,370
Now, that's helpful,
559
00:20:20,370 --> 00:20:22,800
but the screen makes it pretty hard to read 'cause I'd have
560
00:20:22,800 --> 00:20:25,620
to scroll up and look at that because we just found 16 new
561
00:20:25,620 --> 00:20:28,710
records and 12 of those were new contacts that were either
562
00:20:28,710 --> 00:20:31,560
not duplicated or were new things that we wanted to add.
563
00:20:31,560 --> 00:20:33,870
Those all got put into our database.
564
00:20:33,870 --> 00:20:35,100
Now, if you remember back,
565
00:20:35,100 --> 00:20:37,710
I said we can show things from the database using the show
566
00:20:37,710 --> 00:20:41,580
command before we used show with Domains to show the three
567
00:20:41,580 --> 00:20:42,600
domains.
568
00:20:42,600 --> 00:20:46,500
Now I wanna go ahead and use show with contacts to see the
569
00:20:46,500 --> 00:20:47,940
contacts table.
570
00:20:47,940 --> 00:20:48,900
Here it is.
571
00:20:48,900 --> 00:20:52,200
So we have those 12 entries going from row one all the way
572
00:20:52,200 --> 00:20:53,310
down to row 12.
573
00:20:53,310 --> 00:20:55,770
Now my screen is a little bit zoomed in to make it easier
574
00:20:55,770 --> 00:20:57,030
for you to read in the video.
575
00:20:57,030 --> 00:20:57,990
If I was zoomed out,
576
00:20:57,990 --> 00:21:00,840
it would all fit in one nice table here you could see that
577
00:21:00,840 --> 00:21:01,890
three columns,
578
00:21:01,890 --> 00:21:05,370
the phone, notes and module row went to the second line.
579
00:21:05,370 --> 00:21:07,710
Now let's go ahead and read the first line.
580
00:21:07,710 --> 00:21:10,500
The first line we have is based on Udemy.
581
00:21:10,500 --> 00:21:13,200
You could see here that we found no first name,
582
00:21:13,200 --> 00:21:16,290
no middle name, the last name was Operations Architect.
583
00:21:16,290 --> 00:21:19,530
The email was netops+aaron@udemy.com.
584
00:21:19,530 --> 00:21:22,260
The title was WHOIS Contact because that's the type of
585
00:21:22,260 --> 00:21:23,580
information we got.
586
00:21:23,580 --> 00:21:25,680
The region, San Francisco, California,
587
00:21:25,680 --> 00:21:29,640
the country, United States, and then phone, blank,
588
00:21:29,640 --> 00:21:33,300
notes blank, module, WHOIS POCs,
589
00:21:33,300 --> 00:21:35,850
which is the module we use to find this information.
590
00:21:35,850 --> 00:21:38,880
Now there are lots of modules in Recon NG.
591
00:21:38,880 --> 00:21:41,520
You might be finding contacts by doing Twitter searches,
592
00:21:41,520 --> 00:21:44,160
LinkedIn searches, Google searches, whatever it is,
593
00:21:44,160 --> 00:21:46,890
all that will go into this database to create our table
594
00:21:46,890 --> 00:21:47,910
of people.
595
00:21:47,910 --> 00:21:50,970
But this tells us which module found that information and
596
00:21:50,970 --> 00:21:52,710
which type of information it was.
597
00:21:52,710 --> 00:21:54,840
In this case, a WHOIS Contact.
598
00:21:54,840 --> 00:21:56,880
Next, we have lines two through 12,
599
00:21:56,880 --> 00:21:58,740
and these are all based on Tesla.
600
00:21:58,740 --> 00:22:01,080
Now you'll notice Dion Training didn't show up.
601
00:22:01,080 --> 00:22:03,480
The reason for that is we actually have our WHOIS records
602
00:22:03,480 --> 00:22:04,740
set up with privacy,
603
00:22:04,740 --> 00:22:07,680
and so those are not gonna be shared in the WHOIS database.
604
00:22:07,680 --> 00:22:09,510
It just says this is a private record.
605
00:22:09,510 --> 00:22:11,640
So there was no way to grab that information and add it to
606
00:22:11,640 --> 00:22:12,480
the table.
607
00:22:12,480 --> 00:22:14,070
That's why we have the one for Udemy,
608
00:22:14,070 --> 00:22:15,450
which is a very common way of doing it.
609
00:22:15,450 --> 00:22:18,810
For a large organization, they actually have a group email,
610
00:22:18,810 --> 00:22:21,270
not a person's email, but if we look at Tesla,
611
00:22:21,270 --> 00:22:22,740
they chose not to do that.
612
00:22:22,740 --> 00:22:25,440
Tesla actually has individual people's names.
613
00:22:25,440 --> 00:22:26,520
Now as I look at them,
614
00:22:26,520 --> 00:22:28,680
what is this information that's gonna be useful?
615
00:22:28,680 --> 00:22:32,040
Well, for one, I have names of people and emails I can use.
616
00:22:32,040 --> 00:22:33,420
That's the obvious one.
617
00:22:33,420 --> 00:22:34,680
But in addition to that,
618
00:22:34,680 --> 00:22:36,900
I might be able to figure out what naming scheme that
619
00:22:36,900 --> 00:22:38,070
company uses.
620
00:22:38,070 --> 00:22:38,910
For example,
621
00:22:38,910 --> 00:22:41,040
maybe you can't find everybody's email when you're doing
622
00:22:41,040 --> 00:22:42,360
your open source research,
623
00:22:42,360 --> 00:22:44,850
but you found their first and last name on LinkedIn.
624
00:22:44,850 --> 00:22:47,490
Well, if you know that the company uses first name
625
00:22:47,490 --> 00:22:51,000
dot last name like elon.musk@tesla.com,
626
00:22:51,000 --> 00:22:52,980
then you could put that in for everybody you find on
627
00:22:52,980 --> 00:22:55,470
LinkedIn and now you have their email.
628
00:22:55,470 --> 00:22:56,370
Conversely though,
629
00:22:56,370 --> 00:22:58,560
we actually don't see that here with Tesla.
630
00:22:58,560 --> 00:23:01,230
I am seeing multiple different naming schemes.
631
00:23:01,230 --> 00:23:03,810
The first one, Anna, actually shows up as ANN,
632
00:23:03,810 --> 00:23:06,150
which is three letters from her first name and then her full
633
00:23:06,150 --> 00:23:08,970
last name, martinez@tesla.com.
634
00:23:08,970 --> 00:23:11,550
The next one is just an abbreviation for the name Cameron,
635
00:23:11,550 --> 00:23:14,220
and they called it cam@tesla.com.
636
00:23:14,220 --> 00:23:15,840
The next one is Sherry,
637
00:23:15,840 --> 00:23:18,240
but it's abbreviated down to SHE,
638
00:23:18,240 --> 00:23:19,680
the first three letters again,
639
00:23:19,680 --> 00:23:23,130
and then her last name, Lewis@tesla.com. We get down to
640
00:23:23,130 --> 00:23:25,500
Elon Musk, it's first name dot last name.
641
00:23:25,500 --> 00:23:27,210
We get down to Jian Gu.
642
00:23:27,210 --> 00:23:30,120
We're seeing his full name slapped together with no period,
643
00:23:30,120 --> 00:23:32,010
so it's another different convention.
644
00:23:32,010 --> 00:23:35,100
We go down to line nine and we see Mah Desai,
645
00:23:35,100 --> 00:23:36,900
and this is the first three letters and the
646
00:23:36,900 --> 00:23:39,090
last name @tesla.com.
647
00:23:39,090 --> 00:23:42,660
We get down to Paul Snicker and we just see Paul@tesla.com.
648
00:23:42,660 --> 00:23:46,410
We get down to Terry Chi and we see tchi@tesla.com.
649
00:23:46,410 --> 00:23:49,200
So we're seeing a little bit of differentiation here,
650
00:23:49,200 --> 00:23:53,100
but for several of them, I saw at least three that had the first
651
00:23:53,100 --> 00:23:54,750
three letters and then the last name,
652
00:23:54,750 --> 00:23:57,510
so I'm thinking that might be the naming convention at Tesla
653
00:23:57,510 --> 00:23:58,650
for their employees.
654
00:23:58,650 --> 00:24:00,270
Now, if I wanted to validate that,
655
00:24:00,270 --> 00:24:03,240
I could take some people's names who I find on LinkedIn and
656
00:24:03,240 --> 00:24:05,130
I know their first name and last name,
657
00:24:05,130 --> 00:24:07,260
put 'em into that format of the first three letters and
658
00:24:07,260 --> 00:24:09,180
their last name@tesla.com,
659
00:24:09,180 --> 00:24:12,000
and then see is it a valid email by checking something like
660
00:24:12,000 --> 00:24:15,360
Email Dossier at CentralOps or other things like that.
661
00:24:15,360 --> 00:24:17,220
So hopefully you could start seeing how we put all these
662
00:24:17,220 --> 00:24:19,710
different tools together and get information from different
663
00:24:19,710 --> 00:24:20,997
places, consolidate it,
664
00:24:20,997 --> 00:24:22,710
and then we can start doing things with it,
665
00:24:22,710 --> 00:24:25,650
like spear phishing campaigns or whaling campaigns or social
666
00:24:25,650 --> 00:24:26,850
engineering in general.
667
00:24:26,850 --> 00:24:29,460
Lots of different ways to start using this information.
668
00:24:29,460 --> 00:24:30,750
Now, as I said at the beginning,
669
00:24:30,750 --> 00:24:33,207
there are a lot of different modules to Recon NG,
670
00:24:33,207 --> 00:24:35,910
and I just wanted to show you the basic usage because all
671
00:24:35,910 --> 00:24:39,540
the modules work the same way: you go into a workspace.
672
00:24:39,540 --> 00:24:40,980
And then as you go into a module,
673
00:24:40,980 --> 00:24:43,260
you're gonna keep going through the directory structure like
674
00:24:43,260 --> 00:24:47,310
you saw here, Recon NG, Dion, WHOIS POCs.
675
00:24:47,310 --> 00:24:48,720
Now, if I wanted to go back,
676
00:24:48,720 --> 00:24:51,240
I could just type in the word back and it will bring me up a
677
00:24:51,240 --> 00:24:52,230
level as well,
678
00:24:52,230 --> 00:24:55,050
and then I can go ahead and load a different workspace and
679
00:24:55,050 --> 00:24:57,180
then I can go ahead and do another assessment.
680
00:24:57,180 --> 00:24:58,230
Now remember,
681
00:24:58,230 --> 00:25:00,720
you can always use the show command to show anything you
682
00:25:00,720 --> 00:25:04,710
want, just like I did show domains or show contacts.
683
00:25:04,710 --> 00:25:07,650
You can also show companies, you can show credentials,
684
00:25:07,650 --> 00:25:11,760
you can show hosts, leaks, locations, netblocks, ports,
685
00:25:11,760 --> 00:25:15,510
profiles, pushpins, repositories, and vulnerabilities,
686
00:25:15,510 --> 00:25:17,940
because all of those have tables in the database,
687
00:25:17,940 --> 00:25:20,670
as you saw when we looked at the database schema.
688
00:25:20,670 --> 00:25:23,370
Now, all of those get things from various modules
689
00:25:23,370 --> 00:25:24,810
that you may or may not install,
690
00:25:24,810 --> 00:25:25,770
so that's the important thing,
691
00:25:25,770 --> 00:25:27,690
is to have the right module for the right thing you're
692
00:25:27,690 --> 00:25:28,800
trying to grab.
693
00:25:28,800 --> 00:25:29,790
In this demonstration,
694
00:25:29,790 --> 00:25:32,940
I only used one module and I only searched for contacts,
695
00:25:32,940 --> 00:25:34,770
so that's why we used show
696
00:25:34,770 --> 00:25:37,080
contacts to display my findings as you see here
697
00:25:37,080 --> 00:25:38,040
on the screen.
698
00:25:38,040 --> 00:25:40,800
But the great thing is if I ran other searches from other
699
00:25:40,800 --> 00:25:42,690
modules and they found contacts,
700
00:25:42,690 --> 00:25:43,797
they would also be in this table,
701
00:25:43,797 --> 00:25:46,170
and I could easily see those too.
702
00:25:46,170 --> 00:25:47,190
Now hopefully,
703
00:25:47,190 --> 00:25:48,870
you're starting to see how all of this starts coming
704
00:25:48,870 --> 00:25:50,309
together,
705
00:25:50,309 --> 00:25:51,720
and you're gonna play with it a little bit more on your own.
706
00:25:51,720 --> 00:25:52,680
As I said before,
707
00:25:52,680 --> 00:25:55,103
the thing that's gonna make you a great penetration tester
708
00:25:55,103 --> 00:25:58,620
is hands on the keyboard, practicing with this stuff,
709
00:25:58,620 --> 00:26:00,750
doing different reconnaissance evolutions,
710
00:26:00,750 --> 00:26:02,910
trying to find information that's out there.
711
00:26:02,910 --> 00:26:04,980
Now, the great thing about open source intelligence
712
00:26:04,980 --> 00:26:05,813
and learning
713
00:26:05,813 --> 00:26:08,280
how to do this is that all the information is out there.
714
00:26:08,280 --> 00:26:11,040
You don't need permission from any of these companies to go
715
00:26:11,040 --> 00:26:13,950
look up this information because it's all public information
716
00:26:13,950 --> 00:26:15,300
that's sitting online,
717
00:26:15,300 --> 00:26:17,220
and this is a great way for you to start building up your
718
00:26:17,220 --> 00:26:20,400
skills early on in the reconnaissance process because as
719
00:26:20,400 --> 00:26:22,140
long as you're doing passive reconnaissance,
720
00:26:22,140 --> 00:26:24,090
you're not touching that company's servers,
721
00:26:24,090 --> 00:26:26,370
and you are not conducting any kind of hacking.
722
00:26:26,370 --> 00:26:27,960
You're just in the preparation phases,
723
00:26:27,960 --> 00:26:30,780
you're just learning information and using these tools and
724
00:26:30,780 --> 00:26:32,580
getting better at them is gonna make you a better
725
00:26:32,580 --> 00:26:34,443
penetration tester in the long run.