1
00:00:06,282 --> 00:00:10,415
So we discussed manually how to perform searches in order

2
00:00:10,415 --> 00:00:13,027
to find information on an organization.

3
00:00:13,027 --> 00:00:17,153
That's an essential piece of your reconnaissance phase.

4
00:00:17,153 --> 00:00:20,564
But why not use some tools to actually speed up the process?

5
00:00:20,564 --> 00:00:22,037
It is still important to understand how

6
00:00:22,037 --> 00:00:23,667
to do all this work manually.

7
00:00:23,667 --> 00:00:26,004
A lot of these tools are just doing all your manual work

8
00:00:26,004 --> 00:00:28,338
faster and sometimes the tools fail.

9
00:00:28,338 --> 00:00:30,361
And sometimes you need to actually do more work

10
00:00:30,361 --> 00:00:32,187
than the tools can actually do.

11
00:00:32,187 --> 00:00:34,026
So it's still really important for you to

12
00:00:34,026 --> 00:00:36,409
understand how to do all of the manual work

13
00:00:36,409 --> 00:00:39,152
that we did in the previous lesson.

14
00:00:39,152 --> 00:00:40,787
But let's take a look at some tools that can

15
00:00:40,787 --> 00:00:43,036
actually help speed up your time

16
00:00:43,036 --> 00:00:44,749
and make you more efficient

17
00:00:44,749 --> 00:00:47,441
during your reconnaissance process.

18
00:00:47,441 --> 00:00:50,360
Spiderfoot, that is the first tool we're going to look at

19
00:00:50,360 --> 00:00:51,428
and basically it's an

20
00:00:51,428 --> 00:00:54,515
Open Source Intelligence Automation tool.

21
00:00:54,515 --> 00:00:56,817
This is a GitHub website and

22
00:00:56,817 --> 00:01:00,171
basically this tool can be used to automate a lot of the

23
00:01:00,171 --> 00:01:03,023
searches that we performed.

24
00:01:03,023 --> 00:01:05,479
theHarvester, this is a really neat tool

25
00:01:05,479 --> 00:01:08,021
for actually finding email addresses belonging

26
00:01:08,021 --> 00:01:09,785
to an organization.

27
00:01:09,785 --> 00:01:10,804
All you have to do is

28
00:01:10,804 --> 00:01:13,071
put in the domain name and it'll pop up a

29
00:01:13,071 --> 00:01:14,977
whole bunch of email addresses through

30
00:01:14,977 --> 00:01:18,030
public searches that it performs.

31
00:01:18,030 --> 00:01:20,510
Discover, this takes several tools,

32
00:01:20,510 --> 00:01:21,888
puts them all together

33
00:01:21,888 --> 00:01:24,693
and performs an automated attack,

34
00:01:24,693 --> 00:01:28,231
which basically searches for email addresses

35
00:01:28,231 --> 00:01:32,308
and usernames and other websites that could

36
00:01:32,308 --> 00:01:34,339
belong to this organization

37
00:01:34,339 --> 00:01:38,172
and it puts it all into a nice report for you.

38
00:01:39,365 --> 00:01:43,078
Recon-ng, this is my favorite tool that

39
00:01:43,078 --> 00:01:44,674
is used for reconnaissance.

40
00:01:44,674 --> 00:01:46,506
It combines a lot of these tools.

41
00:01:46,506 --> 00:01:50,412
It does have some manual work that you can manually

42
00:01:50,412 --> 00:01:51,489
go through.

43
00:01:51,489 --> 00:01:53,505
It's also fully scriptable so you can

44
00:01:53,505 --> 00:01:55,926
program it to do whatever you want.

45
00:01:55,926 --> 00:01:59,450
But basically this tool kind of combines all of the others

46
00:01:59,450 --> 00:02:01,979
into a really nice framework for

47
00:02:01,979 --> 00:02:05,393
performing all of your reconnaissance phases.

48
00:02:05,393 --> 00:02:07,343
The first reconnaissance tool that we're going to

49
00:02:07,343 --> 00:02:09,176
look at is Spiderfoot.

50
00:02:10,301 --> 00:02:14,290
So if you run Spiderfoot, this starts a web server

51
00:02:14,290 --> 00:02:17,078
and you just need to browse to that website

52
00:02:17,078 --> 00:02:18,411
on your computer

53
00:02:19,723 --> 00:02:23,973
and up pops this nice interface that you can use to

54
00:02:23,973 --> 00:02:26,282
basically scan an organization

55
00:02:26,282 --> 00:02:29,282
for some reconnaissance information.

56
00:02:30,980 --> 00:02:33,819
So, many of the things that we did manually

57
00:02:33,819 --> 00:02:35,904
in the previous lessons,

58
00:02:35,904 --> 00:02:38,571
this tool automates the process.

59
00:02:39,866 --> 00:02:42,952
You can see here things that it can look for

60
00:02:42,952 --> 00:02:44,995
and search for accounts

61
00:02:44,995 --> 00:02:46,859
belonging to the organization

62
00:02:46,859 --> 00:02:50,692
on sites such as eBay and Slashdot and Reddit.

63
00:02:51,617 --> 00:02:55,784
It can perform Bing searches for the organization,

64
00:02:56,740 --> 00:02:59,841
look on archive.org for previous versions

65
00:02:59,841 --> 00:03:04,655
of files and pages belonging to the organization.

66
00:03:04,655 --> 00:03:07,409
It performs DNS lookups and email lookups

67
00:03:07,409 --> 00:03:10,326
for the organization, Google searches.

68
00:03:10,326 --> 00:03:12,019
So some of the Google searches that we

69
00:03:12,019 --> 00:03:16,092
were performing using the Google Hacking Database,

70
00:03:16,092 --> 00:03:18,316
this tool does some of those for you.

71
00:03:18,316 --> 00:03:20,516
It's still very important to understand how to do that

72
00:03:20,516 --> 00:03:23,794
manually because you can do more

73
00:03:23,794 --> 00:03:27,008
targeted searches, perform your own manual searches, but

74
00:03:27,008 --> 00:03:30,016
tools like this are essential for speeding up

75
00:03:30,016 --> 00:03:33,796
the reconnaissance process and helping you out.

76
00:03:33,796 --> 00:03:36,993
It'll look for Pastebin like we searched

77
00:03:36,993 --> 00:03:39,068
for the organization.

78
00:03:39,068 --> 00:03:43,235
Look for phishing sites that could be targeting your client

79
00:03:44,948 --> 00:03:49,058
and it can also perform searches for malicious websites

80
00:03:49,058 --> 00:03:51,742
that could've been on the organization

81
00:03:51,742 --> 00:03:54,036
so it'll look for blacklists and

82
00:03:54,036 --> 00:03:57,395
see if any of the organization's IP addresses are on those

83
00:03:57,395 --> 00:04:00,640
so perhaps one of the IP addresses belonging to the

84
00:04:00,640 --> 00:04:03,235
organization has been infected and that'll

85
00:04:03,235 --> 00:04:07,006
appear in a blacklist and so this will list that as well.

86
00:04:07,006 --> 00:04:09,796
But it'll also gather a list of phone numbers

87
00:04:09,796 --> 00:04:13,963
and contacts and software for your client as well.

88
00:04:15,478 --> 00:04:16,646
All you have to do is pick which

89
00:04:16,646 --> 00:04:18,345
tests you want to run,

90
00:04:18,345 --> 00:04:20,667
hit Scan, it'll start scanning.

91
00:04:20,667 --> 00:04:21,786
If you run all the tests,

92
00:04:21,786 --> 00:04:23,699
it can take a very long time but you

93
00:04:23,699 --> 00:04:26,605
can see how it'll quickly pop up a list

94
00:04:26,605 --> 00:04:29,272
of results for the organization.

95
00:04:30,674 --> 00:04:33,048
So with theHarvester tool we can find out a

96
00:04:33,048 --> 00:04:36,215
list of email addresses belonging to the organization.

97
00:04:36,215 --> 00:04:38,675
This is an essential piece of performing any

98
00:04:38,675 --> 00:04:41,581
type of phishing attack or looking at email

99
00:04:41,581 --> 00:04:44,260
addresses that are probably the most likely targets

100
00:04:44,260 --> 00:04:46,684
of phishing attacks so you can notify your

101
00:04:46,684 --> 00:04:49,455
organization about that.

102
00:04:49,455 --> 00:04:51,618
So you can run theHarvester Python script

103
00:04:51,618 --> 00:04:53,375
and it basically

104
00:04:53,375 --> 00:04:56,645
tells you exactly the type of switches you should run.

105
00:04:56,645 --> 00:04:58,933
So we're gonna run python, space,

106
00:04:58,933 --> 00:05:02,288
theHarvester, dot, py, to run the tool.

107
00:05:02,288 --> 00:05:06,695
Dash, D and the domain belonging to the organization.

108
00:05:06,695 --> 00:05:09,171
We're just using example.com here.

109
00:05:09,171 --> 00:05:13,870
We're listing out the top 200 results for the organization.

110
00:05:13,870 --> 00:05:16,135
We're gonna do all the checks

111
00:05:16,135 --> 00:05:20,429
and we're gonna output the results to an HTML file.

112
00:05:20,429 --> 00:05:22,649
You can see it's performing the searches,

113
00:05:22,649 --> 00:05:24,149
searching PGP keys

114
00:05:25,893 --> 00:05:27,310
and Bing results.

115
00:05:28,578 --> 00:05:31,037
And it's performing all of this work for you

116
00:05:31,037 --> 00:05:32,089
so you don't have to manually

117
00:05:32,089 --> 00:05:34,910
look for the email addresses yourself.

118
00:05:34,910 --> 00:05:36,739
And you can see at the end it pops

119
00:05:36,739 --> 00:05:39,282
up a whole list of email addresses that it found

120
00:05:39,282 --> 00:05:41,365
belonging to example.com.

121
00:05:42,238 --> 00:05:46,617
You can use these for your future phishing attack

122
00:05:46,617 --> 00:05:49,536
or you can also use these email addresses

123
00:05:49,536 --> 00:05:52,712
or the usernames to try to log into the website.

124
00:05:52,712 --> 00:05:56,450
So perhaps you'll have a webmail site belonging to

125
00:05:56,450 --> 00:05:59,242
the organization or a VPN site

126
00:05:59,242 --> 00:06:02,573
or an Office 365 portal for the organization

127
00:06:02,573 --> 00:06:05,109
and you can use these addresses

128
00:06:05,109 --> 00:06:08,437
as potential targets for maybe a password attack

129
00:06:08,437 --> 00:06:11,132
against the organization and hopefully you'll

130
00:06:11,132 --> 00:06:13,403
get lucky and get credentials that you can use to

131
00:06:13,403 --> 00:06:16,472
actually log into an organization.

132
00:06:16,472 --> 00:06:19,288
One popular attack that individuals

133
00:06:19,288 --> 00:06:23,601
use is to try one password against all these

134
00:06:23,601 --> 00:06:27,277
individuals so instead of trying to brute force

135
00:06:27,277 --> 00:06:30,854
a password for a single person which will

136
00:06:30,854 --> 00:06:33,265
probably lock out the account,

137
00:06:33,265 --> 00:06:35,717
you'll guess one password across all of them

138
00:06:35,717 --> 00:06:39,352
so instead of guessing a hundred passwords

139
00:06:39,352 --> 00:06:41,769
for you.example.@example.com,

140
00:06:42,916 --> 00:06:46,727
you will try using the password, let's say,

141
00:06:46,727 --> 00:06:49,882
password against all hundred passwords that were

142
00:06:49,882 --> 00:06:53,232
all potential email addresses that were discovered.

143
00:06:53,232 --> 00:06:56,603
So chances are one person had that password

144
00:06:56,603 --> 00:06:59,663
and you'll be able to log into their account.

145
00:06:59,663 --> 00:07:01,291
Let's look at the Discover tool to find out

146
00:07:01,291 --> 00:07:05,515
more information that we can pull from reconnaissance.

147
00:07:05,515 --> 00:07:08,249
So the Discover tool is pretty neat.

148
00:07:08,249 --> 00:07:09,292
All you have to do is

149
00:07:09,292 --> 00:07:11,868
type in the domain belonging to the organization

150
00:07:11,868 --> 00:07:14,362
and you could find out really useful information.

151
00:07:14,362 --> 00:07:17,265
It can actually do active testing as well

152
00:07:17,265 --> 00:07:18,733
on the organization.

153
00:07:18,733 --> 00:07:20,549
Right now we're just looking at the passive

154
00:07:20,549 --> 00:07:22,856
information but as you can see from some of the

155
00:07:22,856 --> 00:07:26,101
other options you can run some scans.

156
00:07:26,101 --> 00:07:30,195
So there's web scans, Nikto scans against the organization.

157
00:07:30,195 --> 00:07:33,359
You can crack wifi passwords as well.

158
00:07:33,359 --> 00:07:35,606
You can start Metasploit

159
00:07:35,606 --> 00:07:39,274
but for us we're going to look at some of the passive tools.

160
00:07:39,274 --> 00:07:40,523
So you can see you can choose between

161
00:07:40,523 --> 00:07:43,107
passive and active testing.

162
00:07:43,107 --> 00:07:46,040
We're just gonna do the passive recon.

163
00:07:46,040 --> 00:07:50,878
So all you have to do is type in the organization name

164
00:07:50,878 --> 00:07:52,045
and the domain

165
00:07:53,370 --> 00:07:55,639
and it'll start searching for email addresses,

166
00:07:55,639 --> 00:07:59,912
names, a lot of information belonging to the organization

167
00:07:59,912 --> 00:08:02,082
and afterwards you'll have a

168
00:08:02,082 --> 00:08:04,665
list of contacts, emails, names.

169
00:08:05,517 --> 00:08:09,065
You'll have a list of hosts belonging to the organization

170
00:08:09,065 --> 00:08:12,103
so you'll have a list of servers and networks.

171
00:08:12,103 --> 00:08:16,466
It even performs Netcraft like we did in earlier lessons.

172
00:08:16,466 --> 00:08:19,716
You can see the squatting section is for

173
00:08:20,744 --> 00:08:23,213
it'll look at the organization's domain name

174
00:08:23,213 --> 00:08:25,917
and switch some characters around to find

175
00:08:25,917 --> 00:08:27,968
out similar domains.

176
00:08:27,968 --> 00:08:30,144
A lot of times attackers will use that for

177
00:08:30,144 --> 00:08:32,722
phishing where they'll pick, they'll register a

178
00:08:32,722 --> 00:08:35,256
name that's really close to the organization's

179
00:08:35,256 --> 00:08:37,737
name and use that for phishing so this tool helps

180
00:08:37,737 --> 00:08:40,534
discover some of those so you can help notify

181
00:08:40,534 --> 00:08:43,025
the organization you're working for that

182
00:08:43,025 --> 00:08:47,050
here are potential phishing domains and you can see which

183
00:08:47,050 --> 00:08:50,877
ones are actually in use or not.

184
00:08:50,877 --> 00:08:53,304
It could also pull files belonging to the organization

185
00:08:53,304 --> 00:08:55,309
like we discussed, it can get

186
00:08:55,309 --> 00:08:59,309
really important metadata from the organization.

187
00:09:00,276 --> 00:09:04,407
And it puts it in a nice, pretty report for you as well.

188
00:09:04,407 --> 00:09:06,574
That is the Discover tool.