Kali Username: cisco Password: cisco
Let’s do a quick refresher using the Recon-NG tool and perform a quick recon on h4cker.org. This exercise will be a guided exercise, but then you will perform reconnaissance of an organization called SecretCorp (secretcorp.org).
Note: Omar Santos owns secretcorp.org and this is not a real company. However, you will use it to practice your skills. Based on the information you find about that company, you will learn more about the different targets you will interact with in the labs for the next two days.
Start Recon-NG by opening a terminal and running recon-ng.
Recon-NG has numerous modules that can be installed and activated from the "marketplace". You can search all the modules by using the "marketplace search" command.
The D and the K in the last two columns of the table shown above indicate that the module has dependencies (D) or that it requires an API key (K).
Search for whois modules by running marketplace search whois. Search again for dns. Notice that this is simply a keyword search: there are tools (e.g. Netcraft) that use DNS and don't show up in the results.
Netcraft
Install the Netcraft module by using the following command: marketplace install recon/domains-hosts/netcraft
You can search your installed modules with modules search. Run modules search netcraft.
Next, load netcraft by running modules load recon/domains-hosts/netcraft. Run info to see the module information and options.
Set SOURCE to any domain for which you would like to identify subdomains. Be creative and use any domain you would like to get subdomains and additional information. NOTE: You are NOT hacking anyone here; the tool is just using public DNS records to perform these actions.
Did you get any results? If not, why do you think this is the case? Sometimes these tools are not reliable. As an ethical hacker, it’s imperative not to become overly reliant on any single tool or set of tools for security assessments and penetration testing. Hacking, at its core, is about adopting the methodology and mindset of an attacker, which requires a deep understanding of the underlying principles of cybersecurity, the intricacies of network architectures, and the vulnerabilities that can be exploited. Tools, while invaluable for efficiency and automating certain tasks, can sometimes obscure the broader picture, limiting one’s ability to think creatively and adaptively about potential security threats.
A tool-centric approach may lead to a false sense of security, as these tools can only identify vulnerabilities they are programmed to find, potentially missing novel or complex attack vectors. Additionally, reliance on tools can hinder the development of critical problem-solving skills and the intuitive understanding needed to anticipate and counteract sophisticated cyber threats. Ethical hackers should use tools as aids, not crutches, complementing their technical acumen with a strategic mindset that prioritizes comprehensive security assessments over the convenience of automated scans. This balanced approach, combining deep technical knowledge with a broad strategic perspective, is essential for identifying and mitigating the full spectrum of cybersecurity threats.
Go back to the main menu by typing the word back.
bing_domain_web
Install the bing_domain_web module.
Load the module and show the options.
Set the SOURCE to the domain(s) you entered before (when you were running the Netcraft module). Then, run the module using run.
Did you find more information and subdomains?
Install and load the brute_hosts module.
This module uses wordlists. You can use any wordlist of your choosing. WebSploit comes with dozens of wordlists (the ones that come with Kali/Parrot and several under the /root/SecLists directory). If you can't find one, you can use /root/.recon-ng/data/hostnames.txt.
Set the SOURCE to the target domain, then use run to start the module.
You should be able to see the tool going through the wordlist to enumerate additional hosts. Did you find anything new?
Now that you've run multiple tools, recon-ng has been collecting the results. Run dashboard to see your results in some tables.
Run show hosts to list all enumerated hosts and their respective information.
Install the interesting_files module, and look at the info.
Set PORT to 443, SOURCE to your domain of choice, and PROTOCOL to https, then run the module.
Did you find anything interesting?
Certificate Transparency (CT) is a security standard and set of protocols that aims to increase transparency and accountability in the digital certificate issuance process. It is designed to make it more difficult for attackers to obtain fraudulent certificates for domain names, and to make it easier to detect and revoke such certificates if they are issued. This is achieved by creating a public, append-only log of all digital certificates issued by a certificate authority (CA), which can be audited by anyone. CT logs are used to verify that a certificate was properly issued by a CA and has not been revoked.
CT can be used for passive reconnaissance and OSINT. There are several websites that provide information and tools related to certificate transparency:
These are just a few examples of websites that provide information and tools related to certificate transparency.
Go to https://crt.sh and try to find additional hosts in the secretcorp.org domain. Alternatively, you can also use Recon-ng to pull the same data using the certificate_transparency module.
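As an added example (not part of the original lab, and not Recon-ng's own code), the script below turns crt.sh's JSON output into a clean list of in-scope hosts. It assumes the JSON shape crt.sh returns for a query such as https://crt.sh/?q=%25.secretcorp.org&output=json (a list of entries with name_value, common_name and issuer_name fields); the sample data is constructed, so it runs offline. The same parse works for a defender watching which CAs have issued certificates for their own domain.

```python
"""Extract unique in-scope hostnames from crt.sh JSON output (offline sample)."""
import json

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.secretcorp.org&output=json (all values are made up).
SAMPLE_CRT_SH_JSON = """[
 {"id": 101, "issuer_name": "C=US, O=Example CA", "common_name": "www.secretcorp.org",
  "name_value": "www.secretcorp.org\\nsecretcorp.org"},
 {"id": 102, "issuer_name": "C=US, O=Example CA", "common_name": "*.secretcorp.org",
  "name_value": "*.secretcorp.org\\nsecretcorp.org"},
 {"id": 103, "issuer_name": "C=US, O=Other CA", "common_name": "mail.secretcorp.org",
  "name_value": "MAIL.secretcorp.org\\nvpn.secretcorp.org "},
 {"id": 104, "issuer_name": "C=US, O=Other CA", "common_name": "secretcorp.org.example.net",
  "name_value": "secretcorp.org.example.net"}
]"""


def in_scope(name: str, domain: str) -> bool:
    """True only for the apex domain or a real subdomain, never a look-alike."""
    return name == domain or name.endswith("." + domain)


def hosts_from_crt_sh(raw_json: str, domain: str) -> dict:
    """Parse crt.sh JSON; return sorted hosts, wildcard names and issuing CAs."""
    hosts, wildcards, issuers = set(), set(), set()
    for entry in json.loads(raw_json):
        # name_value lists every SAN, newline-separated; common_name may add one more.
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in names:
            name = raw.strip().lower()  # crt.sh preserves the case the CA used
            if not name:
                continue
            if name.startswith("*."):
                if in_scope(name[2:], domain):
                    wildcards.add(name)
                    issuers.add(entry.get("issuer_name", ""))
            elif in_scope(name, domain):
                hosts.add(name)
                issuers.add(entry.get("issuer_name", ""))
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards),
            "issuers": sorted(issuers)}


if __name__ == "__main__":
    print(json.dumps(hosts_from_crt_sh(SAMPLE_CRT_SH_JSON, "secretcorp.org"), indent=2))
```

Feed it real crt.sh output to get the same hosts the certificate_transparency module would add to the hosts table, minus the look-alike domains that a plain keyword match would include.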
Use the tools you just practiced with to perform detailed passive reconnaissance of SecretCorp.org. Find as many of the following as you can: