[Instructor] Now, there are thousands of tools for pen testing and hundreds of tools for passive reconnaissance. And as you know, passive reconnaissance involves attempting to gather information about a victim using open source intelligence and public information and records, but not sending any packets to the actual victim, right?

We went over several tools before, but I'm going to highlight a few that you can take advantage of from tools that are already in Linux systems and Windows systems, like nslookup, the host command, and dig. So you can use those DNS-based tools to perform some type of passive reconnaissance. You can use whois as well, and whois, now because of GDPR, has been restricted in some environments. But again, you can probably still use it, with some limitations, as a tool as well.

You can also use tools that are specialized, like FOCA. FOCA stands for Fingerprinting Organizations with Collected Archives, and it is basically a tool that is designed to find metadata and hidden information in documents. You can download this tool from the website, or the GitHub repository, that I'm highlighting on this screen.

There's another tool that is also very popular for extracting Exchangeable Image File Format, or Exif, data, and that tool is called ExifTool. Exif is a standard that defines the format of images, sound files, and all the other tags that are used by digital equipment like cameras, mobile phones, and tablets.

Another tool that can be used to enumerate DNS information about a given victim is called theHarvester, and it provides different query sources like Baidu, Google, LinkedIn, PGP servers, Twitter, and many others. theHarvester comes by default in Kali and many other penetration testing Linux distributions. In this case, I'm just using theHarvester to show information about the hacker.org domain using all the different sources that are available.

Now, another very popular tool that I already covered, and it's actually, I guess, a tool and a service, is Shodan. Basically, Shodan is an organization that continuously scans the internet and saves the results of those scans in a database. And then you can query, or I mean search, that database in the UI, as shown here on the screen at shodan.io. But they also have an API and enterprise access, different kinds of access that let you perform more sophisticated queries and of course even automate some of these queries. So again, you're not scanning a victim in this case, Shodan is, and then what you do is search the scan results. And you can search for things like insecure protocols, like Telnet, or the Smart Install protocol that I mentioned to you before. They also have ways that they can show insecure IoT devices, webcams, and many other systems out there on the internet, right?

So think about this: it is like taking a selfie of the internet, right? And seeing what is actually exposed out there without the need of you running these scans yourself.

Now, another tool that I really like is called Maltego. It's one of the most popular tools for passive reconnaissance. There are two versions of Maltego: a community edition, which is the one that I'm sharing on the screen, and then the other one is a commercial version, so there's a paid version for that. Maltego organizes all the queries within the tool in a thing called the entity palette. Basically, these entities are the type of tests, or the type of elements, you can use to test, like a person you can test against, a website, an organization, and so on. You can also integrate with many different third-party sources of information and tools, things like Threat Grid, Have I Been Pwned, and Shodan, which I mentioned to you before. You can integrate them with Maltego and run all those tests and query those sources as well. And by the way, the actual search options and tests are called transforms.

Another tool that can be used to automate the information gathering in passive reconnaissance, or gathering OSINT, or open source intelligence information, is called Recon-ng. Basically, this tool comes with many different penetration testing distributions. It is very popular there and also can be integrated with other sources like Shodan, Twitter, Google, LinkedIn, and many other social media sites as well.

Another tool that can be used for passive reconnaissance to find information about devices and networks on the internet is called Censys, and Censys can be accessed at censys.io, as I'm showing on the screen. They also provide a free web and API access plan that, of course, limits the number of queries, and you can pay for a plan allowing you to do other, more sophisticated queries and of course get more results.

Now let's go over some tools for active reconnaissance. And as you know, active reconnaissance involves actively gathering information about a victim. You search using tools that can be used for enumeration to see what protocols, what ports, and what vulnerabilities are in the system. So in this case you are actively sending some packets and interacting with the victim system, or their organization or the network. Now, we already went over many of these tools, right? The one that you really have to know for the exam, and as a matter of fact is just a pretty versatile port scanner, is Nmap, right? And we discussed Nmap in detail before. So this is kind of a refresher, and also I want to highlight to you a lot of the other resources that I have in the GitHub repository related to all the different options for Nmap and different exercises you can complete using Nmap, using it for port enumeration and system scanning, as well as taking advantage of the Nmap Scripting Engine.

Now, another tool that you already learned about is called enum4linux, and it's a great tool for enumerating SMB shares and also vulnerable Samba implementations and corresponding users.