[00:00:06] [Instructor] Let's look at the Recon-ng tool. This is my all-time favorite reconnaissance tool; you can use it to find a wealth of information. Really, every now and then you get one tool that combines all of your resources into one, and this is exactly what this tool does. It's also modular, so you can add to the tool as well: you can submit your information for other people to use, and this tool is constantly being updated, so more and more people are contributing to it and making it a much better product. So we run Recon-ng. You can see it looks almost like a Metasploit interface, if you've used Metasploit before, and it has many different options. If you type in the question mark or you type in help, you get a whole list of commands that you can type in. They have this thing called workspaces where, if you're working on multiple organizations, you could separate them into different workspaces. So at the bottom, where it has recon-ng default, we're here in the default workspace, but we can create our own workspace, which is a separate environment.
[00:01:14] Oftentimes you'll work with multiple websites or multiple domains and you want to separate them into workspaces; this tool does a really good job with that. So we're just going to type `workspaces add example`, and it's going to create the example workspace, so you can see down at the bottom recon-ng switched from default to example. You see a whole bunch of red text down here, and this is basically saying there are certain API keys that are not set. This tool has a lot of functionality, and you can add API keys for certain sub-tools that this runs; we'll get into that in a minute. Once again, if you're ever stuck, you can hit the question mark and it'll give you a list of commands you can type. This tool also has command completion, so if you hit the tab button, it'll help you complete certain commands as well. So we're going to type `add domains example.com`. Basically, when we typed in the add command, we hit space and hit tab, and when we hit tab, it popped up a list of things that you can add, so we can add company names, contact names, credentials, domains, hosts, locations, vulnerabilities, but we decided to add in domain.
[00:02:34] So we're going to base all of our recon resources off the head domain example.com. Of course you would use whatever organization you're working with. So what type of information can we use from here? The search command can be used to search for available modules in recon-ng. So if you just type `search domains`, it'll pop up a list of anything that you can use to populate a domain or use domains to actually find additional information. Or type in `search domains-` with a minus sign after it, which means we're going to use the domain example.com and populate other information from that. So let's look at some of these modules. You type in the load command to load a particular module. We're loading `pgp_search` so we can look for any type of PGP keys that have been issued to this organization. If you type the show command or the question mark command, you see any types of things to help you out, so the `show info` command shows particular information for this module.
[00:03:51] You can see at the very bottom it changes to recon-ng example, which is our workspace, and pgp_search, which is the module we're looking within. We typed in `show info` while we were within the pgp_search module, and that allows us to look at what this particular module does. So we can see that this particular module searches the MIT public PGP key server for any email addresses associated with the domain, and it updates the contacts table with the results. So it'll basically search this web server for any type of PGP keys that have been issued for that domain; it'll let you know who the PGP keys were issued to. The only thing about recon-ng is that it's all open source, so you can look at the source code behind this and see exactly how it was programmed. So if you type `show source`, you can see exactly how this particular module was programmed. The next module we're going to look at is the whois module. So if you type in `load whois_pocs` and we type in `show info`, we can see that it's searching the ARIN whois database for information related to this particular domain, and it's going to update the contacts table with any results.
[00:05:11] So we type in `run` to actually run the command, and when we do, we can see that it is finding certain contacts for example.com. It's finding many contacts for this domain just from looking up whois: 62 new contacts, 114 in total. So if you do `show contacts`, we can see here all of the individuals that have been found as part of this domain. Of course this is example information we're looking at, so you would use the actual organization in your real testing. But it's really interesting, because you see their first name, their last name, their email address, and you can see their location as well, just from looking at the public whois information. If you type in the `show dashboard` command within recon-ng, it'll show you all the tools that you have run, so you can see the activity summary: we've run the metacrawler, we've run pgp_search, we've also run the whois module, and then down below you can see the results summary.
[00:06:25] You can see that we have one domain that we're looking up that is populated, and we also have 62 contacts going into this organization, so these 62 individuals are really good phishing targets, but they're also individuals that could be used for a password guessing attack as well. What else can we find from domains? You can see there's quite a few. We're going to try to do a Bing search, so basically we're going to use recon-ng to perform a Bing search for this domain and see if there are any additional hosts that we could find. Recon-ng didn't find any additional websites for this domain; you'll most likely find many more for an organization that you're doing this work for. We're going to load brute_hosts for this next example. Basically, what brute_hosts does is it performs the nslookup that we discussed previously, where you can try doing an nslookup for hundreds of different host names and hopefully you'll find one belonging to this domain. So for example we'll look up and see if there's a www.example.com, we'll try looking for a vpn.example.com, we'll look for a webmail.example.com, and many others, until we find some that actually exist.
[00:07:52] You can see that this is basically brute-forcing host names using DNS; it's just looking at the DNS records for these entries, and it's going to update the hosts table with the results, so you'll really want to build out and find out what additional systems belong to this organization. You can see it's searching hundreds of different potential sites for this organization, so you can see it's looking for consumer.example.com, contact.example.com, content.example.com and hundreds of others, and you can see that it found one new host from there. So you can see all of those; we found out there is a www.example.com. If you were working for a larger organization, then you'll probably find a host of more servers, which is really neat, because you find there's www.example.com, it shows the IP address belonging to that, and you can also populate some geographical fields for this IP address as well. Let's try loading certificate_transparency, like we did before using the Google certificate transparency report. So we ran that, and we found some new sites that belong to the organization, and see that we found dev.example.com as a new one.
[00:09:18] support.example.com, so we found these new systems belong to the organization without even attacking the organization. Something like dev.example.com would probably be a good target because it looks like it's a development system that may not be protected as well as something like www.example.com. We're going to load netcraft and see if it finds any information; we didn't get any real useful information from there, but we can also load the Shodan module and see what types of information you could find from Shodan, like we did on the Shodan website. This is one of the searches that actually does require an API key, so you can go to Shodan and actually get an API key that you can use within recon-ng, and we can see that it found two ports that are open for that particular host. We can see 80 and 443 are open for this host, so 80 (HTTP) and 443 (HTTPS) are both listening on that particular IP address that we have. So you can imagine if we have a whole list of IP addresses belonging to an organization and we run this command, it's going to find a lot of different ports that are open, and we're doing all this without actually scanning the organization ourselves.
[00:10:41] If you do the `show ports` command, you can see that IP address and the ports that are associated with this particular host. And while we're looking at this hosts table, by using the `show hosts` command, we can see the hosts that we found, the IP addresses that are associated with those hosts, and we can also see the modules that we used to actually find those particular hosts. So we found the www by using brute_hosts, and we found the others using the certificate_transparency module. So we can resolve the hosts also in here, if there are any kind of DNS resolutions; there will be for an actual domain. Of course we're using example.com here, so you're not going to find any, but we're going to resolve the hosts and it'll tell you what the IP addresses are that are associated with that domain. hackertarget is another module that we can run. We ran hackertarget and it found another example host: there's tvmig.example.com. So as you see, all these different modules can really build off each other, and you can find out a host of information for an organization just by using this one tool.
[00:12:01] Another neat thing is, with recon-ng, it's fully scriptable, so if you find yourself doing the same thing over and over again for your security engagements, you can program it so it'll automatically run all the necessary modules for you through recon-ng, and you'll get your results. So we're loading ssl_san, which is another tool, and it looks like we found even more hosts. What is ssl_san actually doing? Let's look at `show info`: we can see it uses the ssltools.com API to obtain the subject alternative names for the domain, and it's updating our hosts table with the results. So what can we do knowing the hosts? Now that we have our hosts table populated, we can run bing_ip on the hosts, which basically finds other systems that are using that IP address. We can also form some geographic locations on those IP addresses using freegeoip, and that will pinpoint the location on a map where that IP address belongs, or where the IP address is actually located. So if we look at the dashboard again, we can see that we're starting to build out some good information for this organization.
[00:13:22] We have one domain, we know a couple of ports that are open, we have 14 hosts now that are on the domain, and we have 62 contacts belonging to that organization. So let's look at these contacts. Now that we have a list of people's names and email addresses and locations, there are some really neat things that we can do with that. Let's look and see if any of these organizations have ever been in a public breach that we know about. If we load the hibp_breach module (that's the Have I Been Pwned site), so if you ever go to haveibeenpwned.com, you type in your email address and you can find out if your email address has been associated with any public breach, and it'll pop back results and tell you that your email address was in this breach. What's neat about this is we have a list of 62 individuals. We can see in our example some of the email addresses are repeating, but we can still run all those email addresses against the Have I Been Pwned website and see if any of them show up in public breaches. So let's hit run.
[00:14:39] We can instantly see you@example.com was in 17 breaches: it was in an Adobe breach, it was in many others, there's a Myspace breach, there are some torrent breaches, and it'll give the dates for those as well. So now you know that you have you@example.com that's in 17 of these breaches; you can search the internet for these breaches and you can probably find the password for that email address. If you can find the password for that email address in several of these breaches, you can probably get a good idea of how this individual formatted their password. Most likely this person used similar passwords in all of these locations, and if they did, then they probably used the same password for their company as well, so once you understand the person's password format from these public breaches, you can try to log into their corporate email account or VPN with that same password. You can see nobody@example.com, of course these are just tests, but you can see that that email address was associated with several different breaches as well.
[00:16:01] unknown@example.com was in an Adobe breach and many other breaches. We could also see that me@example.com was associated with many breaches as well, some of the same and some new breaches as well. It also has the dates for each of the breaches, so we can see that if we can find their password in some of the more recent breaches, that might also mean that they are still using that password. So we can see there are some 2017 breaches that occurred, one in May of 2017, so if you can find the password associated with that breach and that email address, chances are they are still using that password in other areas as well. So we can see that we found four email addresses that were used in breaches. Another neat thing about recon-ng is you can have full reporting, so you can take all your results and put them into an HTML document or a CSV, and you can find information there. We're going to export it to an HTML file, so we type in `load reporting/html` and we type in `run`, and you can see it pops up an error and it says: framework exception, value required for the customer option.
[00:17:34] So it looks like this module is actually looking for us to configure something before we can run it. So if we type in `show options`, we can see that there are two fields at the top that are required: there's the creator that's required, and customer. So for creator you can put in your own name; customer is whatever customer you're working for. So you type in `set` and then the name of the section that you're actually setting the value for. So we're trying to set the value of creator: we type set, space, creator, and we can put our own name in there. I'm just going to say My Name for this one, and then you can set customer to the trainee. And now let's run that, and it says the report has been generated. And now we can see basically everything we found in a nice HTML document. We can see all the hosts that we found, we can see how we found these hosts, and get that nice list of contacts as well.
[00:18:41] You know, several of them are in public breaches, and now we can also see that these four email addresses were in public breaches, and some of the modules you can use to actually pull back passwords that are in the breaches, and we can also look on the web to find some of these passwords as well. And you can look at ports that are available. You see that 80 and 443 are available for this host. So we did an overview of recon-ng; there are many more modules out there for it. Once you find the location for some of these servers, you can also trigger some of the modules, such as some of the picture modules, which you can use to actually see if anybody took pictures in these locations. So maybe the location that you find for one of these systems, maybe this IP address here, was located in a server in a data center, and you can run some modules to say, show me any pictures that were taken within half a mile of this IP address, and maybe somebody took some pictures that had their geo setting tagged on there, and they posted them to some of these websites, and they released pictures containing some sensitive information that they took pictures of in the data center.
[00:20:07] So there are many, many more modules. I encourage you to experiment with different modules within recon-ng. Once again, we ran these tests without touching the organization at all, and so it's pretty neat: you can get all this information without actually attacking the organization, just using completely free information on the internet.