
Advanced Reconnaissance with Recon-ng (Part IV)

Now the goal is to gather information about the network infrastructure and not about the users.

Network reconnaissance

  • Create a new workspace

workspace create SANS

  • Now you have two workspaces:

Listing workspaces

  • To insert the company, you can use an alternative way:

db insert companies SANS~SANS Institute

Inserting company name and description

  • To insert the domain, type

db insert domains sans.org

  • And repeat to add a second domain.

Inserting domain names

Now we are going to use different modules because we want to reach a different goal.

  • Let’s start trying to get the Private Enterprise Numbers (PEN)

Using the pen module

This doesn’t seem to be really useful. Let’s delete all these new domains.

  • List the rows on the domains table and delete the useless ones

Deleting the useless domains

Let’s try to use the given domains to find hosts.

  • There are a number of modules capable of doing that:

Listing the "domains to hosts" modules

Not all of them return results for every scenario so I’ll just list the ones that produce something for the given domains:

Bing Hostname Enumerator

Running the Bing Hostname Enumerator module

Certificate Transparency Search

Running the Certificate Transparency Search module

Google Hostname Enumerator

Running the Google Hostname Enumerator module

HackerTarget Lookup

Running the HackerTarget Lookup module

Mail eXchange (MX) and Sender Policy Framework (SPF) Record Retriever

Running the MX Record Retriever module

ThreatCrowd DNS lookup

Running the ThreatCrowd DNS lookup module

ThreatMiner DNS lookup

Running the ThreatMiner DNS lookup module

We can also try to brute force the discovery of new hosts. This is done using a provided wordlist and checking each new combination against the default DNS server.

  • Load the module and check the default options

Loading the brute_hosts module

As you can see, the application is using the file /root/.recon-ng/data/hostnames.txt as a source of strings to be added to the given domain name. You can use other files if you want to.

  • Check the ones available in /usr/share/wordlists

Listing the wordlists available in Kali Linux

  • Check the global options (recon-ng environment) to identify the configured DNS server

goptions list

Checking Recon-ng global options

The choice of the DNS server is important because you’ll probably be blocked before the end of the wordlist due to the excessive number of requests.

DNS request being blocked

To change the DNS server you have to exit the currently loaded module.

  • Just type:

back

  • Then set the proper option

options set NAMESERVER 1.1.1.1

Changing the DNS server

Run the module with the default configuration

Running the brute_hosts module

  • Maybe now is a good time to take a snapshot before moving on to the next set of modules

snapshots take

Taking a database snapshot

We now have 302 hosts but only two domains.

Let’s populate the domains table with info from the hosts table.

  • Load and run the migrate_hosts module

Running the migrate_hosts module

As you can see, a number of useless domains are added to the database.

If you don’t like the results, load the previous database from the snapshot.

  • List the available snapshots

snapshots list

Listing the snapshots

  • Load the desired snapshot

snapshots load <snapshot name>

Loading the last snapshot

Let’s try to use the “hosts to hosts” modules:

  • List them

Listing the host to hosts modules

Again, not all modules return useful information, and some cannot be used due to the lack of proper API keys.

Hostname Resolver

Running the Hostname Resolver module

Reverse Resolver

Running the Reverse Resolver module

Now it’s time to evaluate the quality of the information gathered so far. In the previous post I showed how to query the database and how to clean the data.

In this case, try the following queries:

  • Let’s delete all hosts outside the desired domain

db query DELETE FROM hosts WHERE host NOT LIKE "%sans.org"

Deleting unwanted hosts

db query DELETE FROM hosts WHERE host LIKE "*%"

Deleting wildcard hosts

  • Let’s also delete the unwanted domains

db query DELETE FROM domains WHERE domain NOT LIKE "%sans.org"

Deleting unwanted domains

Repeating the use of the previously used “domain to hosts” modules will add another handful of hosts to the database.

There are many repeated entries in the hosts table. However, this is not conclusive because several services can run on the same host and, due to the distributed nature of these services, the same service can have more than one IP address.

Let’s get additional info about each host.
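The scope filter and the "repeated entries" question above, worked through in Python against a constructed copy of the hosts table (an added example, not code from the post or from Recon-ng; the row values are made up, and the stricter "%.sans.org" pattern is a suggested alternative to the post's "%sans.org", which also keeps names such as notsans.org):

```python
import sqlite3

# Constructed rows in the shape of recon-ng's hosts table (host, ip_address).
# They are sample data for this example, not rows from the post's workspace.
SAMPLE_HOSTS = [
    ("www.sans.org", "192.0.2.10"),
    ("www.sans.org", "192.0.2.11"),      # same name, second address
    ("mail.sans.org", "192.0.2.20"),
    ("mail.sans.org", "192.0.2.20"),     # identical row, a true duplicate
    ("*.sans.org", None),                # wildcard name pulled from a certificate
    ("notsans.org", "198.51.100.5"),     # out of scope, yet ends in "sans.org"
    ("sans.org", "192.0.2.1"),           # the apex domain itself
    ("cdn.example.net", "203.0.113.9"),  # unrelated host
]

def _scoped_db(rows, domain, strict):
    """Load rows into an in-memory table and apply the post's two cleanup steps.
    strict=False is the post's pattern (NOT LIKE '%sans.org'), which also keeps
    'notsans.org'; strict=True anchors on the dot and keeps the apex explicitly."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT)")
    con.executemany("INSERT INTO hosts VALUES (?, ?)", rows)
    con.execute("DELETE FROM hosts WHERE host LIKE '*%'")  # '*' is literal in LIKE
    if strict:
        con.execute("DELETE FROM hosts WHERE host != ? AND host NOT LIKE ?",
                    (domain, "%." + domain))
    else:
        con.execute("DELETE FROM hosts WHERE host NOT LIKE ?", ("%" + domain,))
    return con

def in_scope_hosts(rows, domain, strict=True):
    """Distinct host names that survive the scope filter."""
    con = _scoped_db(rows, domain, strict)
    return sorted(r[0] for r in con.execute("SELECT DISTINCT host FROM hosts"))

def host_ip_summary(rows, domain):
    """(host, distinct IPs, rows) per name: tells one service on several
    addresses apart from a plainly repeated row."""
    con = _scoped_db(rows, domain, True)
    return [tuple(r) for r in con.execute(
        "SELECT host, COUNT(DISTINCT ip_address), COUNT(*) "
        "FROM hosts GROUP BY host ORDER BY host")]

def dedupe_exact(rows, domain):
    """Drop rows that repeat an identical (host, ip_address) pair; return rows left."""
    con = _scoped_db(rows, domain, True)
    con.execute("DELETE FROM hosts WHERE rowid NOT IN "
                "(SELECT MIN(rowid) FROM hosts GROUP BY host, ip_address)")
    return con.execute("SELECT COUNT(*) FROM hosts").fetchone()[0]
```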

Geolocation via IPStack

Getting geographical info for each host

Open ports via Binary Edge

Getting info about open ports for each host

Open ports via Censys

Getting info about open ports for each host

Setting the options for the module

Final result: 494 hosts with 510 open ports. Not bad.

All this information was gathered without any direct interaction with any of the target machines/domains.

If you decide to use the discovery or the exploitation modules be very careful before doing so because you will be in direct contact with the target machines and that is something that should always be done with the proper authorization.

Exporting and analyzing information

Let’s export the information in HTML format.

  • Load the proper module

Loading the html module and displaying the options

  • Setting the options

Setting the options for the module

  • Opening the output file

Opening the exported file

If you prefer, you can access all available data in recon-ng in a web-based user interface.

  • Exit the application and type

recon-web

Starting recon-web reporting engine

Using the recon-web interface

The major advantage of this analytics engine is the possibility to access all workspaces easily and to have all the info very well organized.

Final conclusion: Recon-ng v5.0.1 is one of the best free tools currently available to conduct an initial analysis on a potential target. With more APIs the results will be even better.

Next post: Advanced Footprinting with Maltego (Part I)

Advanced Reconnaissance with Recon-ng (Part III)

Now is a good time to filter all those unwanted contacts from unwanted domains. This can be done using SQL statements on the SQLite database.

Filtering and cleaning data

  • Let’s see how many contacts we have from the united.com domain

db query SELECT email FROM contacts WHERE email LIKE "%@united.com"

Searching for contacts from the proper domain

Total contacts from the proper domain

  • But we also have a lot of contacts from other domains

db query SELECT email FROM contacts WHERE email NOT LIKE "%@united.com"

Searching for contacts from wrong domains

Total contacts from the wrong domain

  • And some others don’t have an e-mail address

db query SELECT email FROM contacts WHERE email IS NULL

Searching for contacts without e-mail

Total contacts without e-mail

  • Let’s delete all contacts from unwanted domains

db query DELETE FROM contacts WHERE email NOT LIKE "%@united.com"

Deleting the contacts from wrong domains

Let’s try to create e-mail addresses for the contacts that only have first and last names.

  • This can be done using another specific module named mangle

modules load recon/contacts-contacts/mangle

Loading the mangle module

  • Set the proper module options

Setting the mangle options

The result is not perfect but it is better than before because now all contacts have an e-mail address.

Running the mangle module

Let’s now give some attention to the credentials table.

  • Let’s see how many credentials we have from unwanted domains

db query SELECT username FROM credentials WHERE username NOT LIKE "%@united.com"

Searching for credentials from wrong domains

Total credentials from wrong domains

  • Let’s delete all this useless information

db query DELETE FROM credentials WHERE username NOT LIKE "%@united.com"

Deleting the credentials from wrong domains

Let’s keep cleaning the information found.

  • Are there duplicates in the contacts table?

db query SELECT first_name,last_name FROM contacts WHERE rowid NOT IN (SELECT MIN(rowid) FROM contacts GROUP BY email)

Searching for duplicate contacts

Total duplicate contacts

  • Let’s delete all duplicates

db query DELETE FROM contacts WHERE rowid NOT IN (SELECT MIN(rowid) FROM contacts GROUP BY email)

Deleting duplicate contacts
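The domain filter, the mangle step and the rowid-based de-duplication above, run in the post's order on a constructed contacts table (an added example, not code from the post or from Recon-ng; the rows are invented and the mangle stand-in assumes the first-initial-plus-last-name pattern). It also shows why the order matters: GROUP BY puts every NULL e-mail into one group, so de-duplicating before mangle would delete all but one of the name-only contacts, and the same MIN(rowid) pattern applies unchanged to the credentials and profiles tables.

```python
import sqlite3

# Constructed contacts rows (first_name, last_name, email): sample data for this
# example, not records from the post's workspace. Domain "united.com" as in the post.
SAMPLE_CONTACTS = [
    ("Ann", "Lee", "alee@united.com"),
    ("Ann", "Lee", "alee@united.com"),        # exact duplicate from a second module
    ("Bob", "Ray", "bray@United.com"),        # same domain, different case
    ("Cid", "Moe", "cmoe@contractor.example"),  # wrong domain
    ("Dee", "Fox", None),                     # name only, no e-mail yet
    ("Eve", "Gum", None),                     # name only, no e-mail yet
    ("Fay", "Hu", "fhu@example.org"),         # unrelated domain
]

def _db(rows):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contacts (first_name TEXT, last_name TEXT, email TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?, ?, ?)", rows)
    return con

def remove_other_domains(con, domain):
    # The post's filter. NULL NOT LIKE ... evaluates to NULL, not true, so the
    # name-only contacts survive and can be filled in by mangle afterwards.
    # SQLite's LIKE is case-insensitive for ASCII, so "@United.com" is kept too.
    con.execute("DELETE FROM contacts WHERE email NOT LIKE ?", ("%@" + domain,))
    return con.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]

def mangle(con, domain):
    # Stand-in for recon/contacts-contacts/mangle: first initial + last name,
    # lower-cased. The pattern is assumed here; it is not the module's own code.
    con.execute("UPDATE contacts SET email = lower(substr(first_name, 1, 1) || last_name) "
                "|| '@' || ? WHERE email IS NULL", (domain,))
    return con.execute("SELECT COUNT(*) FROM contacts WHERE email IS NULL").fetchone()[0]

def dedupe_by_email(con):
    # The post's query. All NULL e-mails fall into one GROUP BY group, so run it
    # after mangle, or add "AND email IS NOT NULL" to keep name-only contacts.
    con.execute("DELETE FROM contacts WHERE rowid NOT IN "
                "(SELECT MIN(rowid) FROM contacts GROUP BY email)")
    return con.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]

def clean_contacts(rows, domain, mangle_first=True):
    """Run the three steps; return the surviving e-mails (NULLs sort first)."""
    con = _db(rows)
    remove_other_domains(con, domain)
    if mangle_first:
        mangle(con, domain)
    dedupe_by_email(con)
    return [r[0] for r in con.execute("SELECT email FROM contacts ORDER BY email")]
```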

Let’s repeat the previous procedure for the credentials table.

  • List duplicates

db query SELECT * FROM credentials WHERE rowid NOT IN (SELECT MIN(rowid) FROM credentials GROUP BY username)

Searching for duplicate credentials

Total duplicate credentials

  • Delete all duplicates

db query DELETE FROM credentials WHERE rowid NOT IN (SELECT MIN(rowid) FROM credentials GROUP BY username)

Deleting duplicate credentials

What about the profiles table?

  • List duplicates

db query SELECT * FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY username)

Searching for duplicate profiles

  • Do we have repeated urls?

db query SELECT * FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY url)

Searching for duplicate urls

  • But we have many repeated usernames pointing to different profiles. Those are all useless.

db query SELECT * FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY username)

Searching for duplicate usernames

Repeated usernames

  • Let’s delete all the repeated usernames

db query DELETE FROM profiles WHERE rowid NOT IN (SELECT MIN(rowid) FROM profiles GROUP BY username)

Deleting repeated usernames

  • Another analysis of the profiles shows that some are just referring to the country or language of the profile

db query SELECT * FROM profiles WHERE username LIKE "__" OR username LIKE "__-__"

Listing some more useless profiles

  • Remove these profiles

db query DELETE FROM profiles WHERE username LIKE "__" OR username LIKE "__-__"

Deleting useless profiles

It might be a good idea to make another database snapshot.

Finding additional data

Now we have a set of “clean” data but many records in the credentials table only have the hashes.

  • Search for credentials with no passwords.

db query SELECT * FROM credentials WHERE password IS NULL

Listing credentials without password

Total number of credentials without password

There is a module that tries to find known hashes.

  • Load the hashes module and run it

modules load recon/credentials-credentials/hashes_org

run

Finding additional passwords with the hashes module

  • If you want to focus on a specific group of hashes, set the module options

options set SOURCE query SELECT DISTINCT hash FROM credentials WHERE hash LIKE "__ <number of characters in the hash>_" AND password IS NULL AND leak LIKE "linkedin.com"

Selecting a group of hashes

The result will be the discovery of almost 200 additional passwords.

Initially, we used the bing_linkedin_cache module to find contacts. That is a “companies to contacts” module.

Now we can query LinkedIn directly using the Bing API via the bing_linkedin_contacts module. That is a “profiles to contacts” module.

NOTE: Don’t forget to make a database snapshot!

  • Load and run the module

modules load recon/profiles-contacts/bing_linkedin_contacts

Getting contacts from Linkedin

This module will generate a lot of duplicate data because the new information will be inserted into new records. However, you will get a lot of information about the current positions of the company’s employees. The module might crash but that is because you will probably exceed the number of allowed queries with a free Bing API…

If you are skilled in SQL you can try to merge those records. Anyway, we already have a lot of profiles but they are limited to Linkedin. We can try to get some more from a wide variety of social media and popular websites.

It will be a very slow process because each individual profile will be tested against dozens of websites.

  • Load and run the profiler module

modules load recon/profiles-profiles/profiler

Running the profiler module

Once you are happy with the results, you can export them in multiple formats using one of the reporting modules.

Listing the reporting modules

Conclusion: With only a few free APIs, and using nothing but open-source data, it is possible to gather a huge amount of information.