Advanced Reconnaissance with Recon-ng (Part III)

Now is a good time to filter out all those unwanted contacts from unwanted domains. This can be done with SQL statements run against Recon-ng's SQLite database.

Filtering and cleaning data

  • Let’s see how many contacts we have from the united.com domain

db query SELECT email FROM contacts WHERE email LIKE '%@united.com'

Searching for contacts from the proper domain

Total contacts from the proper domain





  • But we also have a lot of contacts from other domains

db query SELECT email FROM contacts WHERE email NOT LIKE '%@united.com'

Searching for contacts from wrong domains

Total contacts from the wrong domain






  • And some others don’t have an e-mail address

db query SELECT email FROM contacts WHERE email IS NULL

Searching for contacts without e-mail

Total contacts without e-mail






  • Let’s delete all contacts from unwanted domains

db query DELETE FROM contacts WHERE email NOT LIKE '%@united.com'

Deleting the contacts from wrong domains

Let’s try to create e-mail addresses for the contacts that only have a first and last name.

  • This can be done using another specific module named mangle

modules load recon/contacts-contacts/mangle

Loading the mangle module

  • Set the proper module options

Setting the mangle options

The result is not perfect but it is better than before because now all contacts have an e-mail address.

Running the mangle module

Let’s now give some attention to the credentials table.

  • Let’s see how many credentials we have from unwanted domains

db query SELECT username FROM credentials WHERE username NOT LIKE '%@united.com'

Searching for credentials from wrong domains

Total credentials from wrong domains





  • Let’s delete all this useless information

db query DELETE FROM credentials WHERE username NOT LIKE '%@united.com'

Deleting the credentials from wrong domains

Let’s keep cleaning the information found.

  • Are there duplicates in the contacts table?

db query SELECT first_name, last_name FROM contacts WHERE rowid NOT IN (SELECT MIN(rowid) FROM contacts GROUP BY email)

Searching for duplicate contacts

Total duplicate contacts
  • Let’s delete all duplicates

db query DELETE FROM contacts WHERE rowid NOT IN (SELECT MIN(rowid) FROM contacts GROUP BY email)

Deleting duplicate contacts

Let’s repeat the previous procedure for the credentials table

  • List duplicates

db query SELECT * FROM credentials WHERE rowid NOT IN (SELECT MIN(rowid) FROM credentials GROUP BY username)

Searching for duplicate credentials

Total duplicate credentials

  • Delete all duplicates

db query DELETE FROM credentials WHERE rowid NOT IN (SELECT MIN(rowid) FROM credentials GROUP BY username)

Deleting duplicate credentials

What about the profiles table?

  • List duplicates

db query SELECT * FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY username)

Searching for duplicate profiles

  • Do we have repeated urls?

db query SELECT * FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY url)

Searching for duplicate urls

  • But we have many repeated usernames pointing to different profiles. Those are all useless.

db query SELECT * FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY username)

Searching for duplicate usernames

Repeated usernames

  • Let’s delete all the repeated usernames

db query DELETE FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY username)

Deleting repeated usernames

  • Another analysis of the profiles shows that some are just referring to the country or language of the profile

db query SELECT * FROM profiles WHERE username LIKE '__' OR username LIKE '__-__'

Listing some more useless profiles

  • Remove these profiles

db query DELETE FROM profiles WHERE username LIKE '__' OR username LIKE '__-__'

Deleting useless profiles

It might be a good idea to make another database snapshot.
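The cleaning queries above, combined into one runnable script using Python's sqlite3 module. This is an added example, not Recon-ng code; the table layout and rows are constructed and reduced to the columns the page's queries use. It also shows two SQLite behaviours the procedure depends on: a NULL e-mail survives the NOT LIKE delete (which is why the mangle step can still fill it in), and GROUP BY lumps all NULL e-mails into one group, so the duplicate delete should only run once every contact has an address.

```python
import sqlite3

# Constructed sample data (not a real Recon-ng database).
CONTACTS = [
    ("Alice", "Smith", "alice.smith@united.com"),
    ("Alice", "Smith", "alice.smith@united.com"),  # exact duplicate row
    ("Bob", "Jones", "bob@UNITED.com"),            # LIKE is case-insensitive for ASCII in SQLite
    ("Carol", "White", None),                      # no e-mail yet; mangle would fill it later
    ("Dan", "Brown", "dan@united.com.example"),    # wrong domain: '%@united.com' needs the suffix
    ("Eve", "Black", "eve@other.org"),
]
PROFILES = ["jsmith", "en", "en-us", "es", "jsmith"]  # 'en', 'en-us', 'es' are locale codes
DOMAIN = "united.com"


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contacts (first_name TEXT, last_name TEXT, email TEXT)")
    con.execute("CREATE TABLE profiles (username TEXT, url TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?, ?, ?)", CONTACTS)
    con.executemany("INSERT INTO profiles VALUES (?, ?)",
                    [(u, f"https://example.invalid/{u}") for u in PROFILES])
    return con


def clean(con):
    # 1. Drop foreign-domain contacts. 'NULL NOT LIKE ...' evaluates to NULL,
    #    which is not true, so rows without an e-mail are kept.
    con.execute("DELETE FROM contacts WHERE email NOT LIKE ?", (f"%@{DOMAIN}",))
    # 2. Dedupe, keeping the lowest rowid per e-mail. GROUP BY treats every
    #    NULL as the same value, so NULL rows are excluded here to avoid
    #    deleting all but one of the contacts that still lack an address.
    con.execute("DELETE FROM contacts WHERE email IS NOT NULL AND rowid NOT IN "
                "(SELECT MIN(rowid) FROM contacts GROUP BY email)")
    # 3. Profiles whose 'username' is really a language/country code:
    #    '_' matches exactly one character, so '__' and '__-__' match en / en-us.
    con.execute("DELETE FROM profiles WHERE username LIKE '__' OR username LIKE '__-__'")
    con.execute("DELETE FROM profiles WHERE rowid NOT IN "
                "(SELECT MIN(rowid) FROM profiles GROUP BY username)")
    con.commit()


def run():
    """Build the sample database, clean it, and return what survived."""
    con = build_db()
    clean(con)
    emails = [r[0] for r in con.execute("SELECT email FROM contacts ORDER BY rowid")]
    users = [r[0] for r in con.execute("SELECT username FROM profiles ORDER BY rowid")]
    return emails, users
```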

Finding additional data

Now we have a set of “clean” data but many records in the credentials table only have the hashes.

  • Search for credentials with no passwords.

db query SELECT * FROM credentials WHERE password ISNULL

Listing credentials without password

Total number of credentials without password

There is a module that tries to find known hashes.

  • Load the hashes module and run it

modules load recon/credentials-credentials/hashes_org

run

Finding additional passwords with the hashes module

  • If you want to focus on a specific group of hashes, set the module options. Each underscore in the LIKE pattern matches exactly one character, so use as many underscores as the hash has characters.

options set SOURCE query SELECT DISTINCT hash FROM credentials WHERE hash LIKE '__ <number of characters in the hash>_' AND password ISNULL AND leak LIKE 'linkedin.com'

Selecting a group of hashes

The result will be the discovery of almost 200 additional passwords.

Initially, we used the bing_linkedin_cache module to find contacts. That is a “companies to contacts” module.

Now we can query LinkedIn directly through the Bing API with the bing_linkedin_contacts module. That one is a “profiles to contacts” module.

NOTE: Don’t forget to make a database snapshot!

  • Load and run the module

modules load recon/profiles-contacts/bing_linkedin_contacts

Getting contacts from Linkedin

This module will generate a lot of duplicate data because the new information is inserted as new records rather than merged into existing ones. However, you will get a lot of information about the current positions of the company’s employees. The module might crash, but that is because you will probably exceed the number of queries allowed by a free Bing API key…

If you are skilled in SQL you can try to merge those records. Anyway, we already have a lot of profiles, but they are limited to LinkedIn. We can try to get some more from a wide variety of social media and popular websites.

It will be a very slow process because each individual profile will be tested against dozens of websites.

  • Load and run the profiler module

modules load recon/profiles-profiles/profiler

Running the profiler module

Once you are happy with the results, you can export them in multiple formats using one of the reporting modules.

Listing the reporting modules

Conclusion: With only a few free APIs, and using nothing but open-source data, it is possible to gather a huge amount of information.
