When we focus on our day-to-day job, such as pentesting, or on an area of interest such as bug bounty, tight deadlines or the race to submit a bug first sometimes make us skip an important part of the process: reconnaissance. For lazy people like me who don't want to miss this step but also don't want to spend much time trying different tools, there is a framework, recon-ng (https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide), by LaNMaSteR53. In this presentation I discuss the different modules of this framework, how it automates almost everything for us, and how to integrate it with other tools to complete the pentesting process, from information gathering to post-exploitation.
KeepCalmAndStartReconnaissance.
This was presented at the Null Bangalore chapter meet (Saturday, April 25, 2015, 11:55 AM).
You can watch the presentation at https://www.youtube.com/watch?v=VrpMSEOtaYc
(from 1:59:03 to 2:53:12)
2. Who am I?
Nutan Kumar Panda
@theosintguy
An infosec professional
An OSINT enthusiast
Game of Thrones fan
3. Disclaimer
This demo is not intended to harm any site or organization. The presenter has done his best not to use any kind of offensive content. If anyone finds anything offensive, we will treat it as pure coincidence.
10. Recon-ng
• An open source tool written in Python, primarily by Tim Tomes (@Lanmaster53).
• This project was one of a kind as a complete OSINT framework.
• Using it you can do wonders.
The tool : https://bitbucket.org/LaNMaSteR53/recon-ng
The user guide: https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide
The development guide: https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Development%20Guide
What we do day to day in pentests and bug bounties, and what the framework covers:
• Google site: searches
• GitHub dorks
• Bing ip2host (other hosts sharing an IP)
• Test credit card numbers
• Fake addresses
• Email ID harvesting
• Maltego harvester
• Default credentials
• Admin console paths
• Many payloads
It's better to know the enemy, and that is what helps us win.
Our demo will prove it.
Features:
• Interactive
• Much the same interface as MSF (Metasploit)
• Modular
• Scriptable
• Well documented and well maintained
Module categories:
• Discovery (active recon: sends packets to the target)
• Exploitation (uses payloads)
• Import (add lists or data from previous projects)
• Recon (passive recon)
• Reporting (XML or HTML output)
See also Tim Tomes' (@Lanmaster53) DerbyCon talk "Look Ma, No Exploits! The Recon-ng Framework".
Demo walkthrough (commands as typed at the recon-ng prompt):
help
workspaces list (list the existing workspaces)
workspaces add osint (create and select a workspace for this target)
keys list (see which API keys have been added)
How to acquire keys: https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide#!acquiring-api-keys
keys add bing_api <your_bing_api_key>
show modules (take a domain and dig deeper)
use recon/domains-hosts/bing_domain_api (to get a whole bunch of hosts for the domain)
show info
set SOURCE fbi.gov
run
use recon/domains-hosts/bing_domain_web
use recon/domains-hosts/netcraft (to get more hosts; same data as http://toolbar.netcraft.com/site_report)
show dashboard (to see what we have done so far)
show hosts (dump the hosts table)
Let's fill the table with IPs first:
use recon/hosts-hosts/resolve
use recon/hosts-hosts/bing_ip (reverse lookup: other hosts sharing each IP)
Let's look for some technology information (bug bounty $$$):
use recon/domains-hosts/builtwith (to get an idea of the technology stack)
use recon/domains-vulnerabilities/punkspider (to get free bugs)
Compare with the site itself: http://punkspider.hyperiongray.com/ (race360)
Let's get some contact details:
use recon/domains-contacts/whois_pocs
show contacts
use recon/domains-contacts/pgp_search
Harvest info about our target from a particular place:
use recon/profiles-profiles/namechk (username makash :P)
Get credentials:
use recon/contacts-credentials/hibp_paste (for google@gmail.com)
Check the downloaded files for more info :P
You will get passwords and hashes.
Now save the project:
use reporting/html
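The same demo as a script, so it can be replayed against a new target without retyping every module. This is an added example, not code from the talk or from the recon-ng project. It assumes the recon-ng v4.x command line (the version current at the time of the talk: -w workspace, -r resource-file, --no-check; v5 moved scripting to recon-cli), the v4 workspace layout (~/.recon-ng/workspaces/<name>/data.db) and the v4 hosts and contacts schema; the Bing key is passed in rather than written into the file, and the rows in make_demo_db() are constructed so the read-back part runs offline.

```python
"""Scripted version of the recon-ng demo, plus read-back of the results.

Added example, not from the talk. Assumptions: recon-ng v4.x CLI flags
(-w workspace, -r resource-file, --no-check), the v4 workspace layout
(~/.recon-ng/workspaces/<name>/data.db) and its hosts/contacts schema; the
rows in make_demo_db() are constructed so the read-back runs offline.
"""
import shutil
import sqlite3
import subprocess
from pathlib import Path

# Demo modules in the order the talk runs them. SOURCE is set to the domain
# only for domains-* modules; hosts-hosts/resolve keeps its default SOURCE,
# which is every host in the table that has no ip_address yet.
DEMO_MODULES = [
    "recon/domains-hosts/bing_domain_web",
    "recon/domains-hosts/netcraft",
    "recon/hosts-hosts/resolve",
    "recon/domains-contacts/whois_pocs",
    "recon/domains-contacts/pgp_search",
]


def build_resource_script(domain, bing_key=None, report="/tmp/recon-report.html"):
    """Return the console commands of the demo as a resource file, one per line."""
    lines = []
    if bing_key:  # same as 'keys add bing_api <key>' typed at the prompt
        lines.append(f"keys add bing_api {bing_key}")
    for module in DEMO_MODULES:
        lines.append(f"use {module}")
        if "/domains-" in module:
            lines.append(f"set SOURCE {domain}")
        lines.append("run")
    # reporting/html requires CREATOR and CUSTOMER; FILENAME is the output path.
    lines += ["use reporting/html", "set CREATOR recon-demo",
              f"set CUSTOMER {domain}", f"set FILENAME {report}", "run", "exit"]
    return "\n".join(lines) + "\n"


def workspace_db_path(workspace="osint", home=None):
    """Location of the workspace database in recon-ng v4."""
    return Path(home or Path.home()) / ".recon-ng" / "workspaces" / workspace / "data.db"


def run_demo(domain, workspace="osint", bing_key=None, script_path="/tmp/recon-demo.rc"):
    """Write the resource file and replay it; needs recon-ng v4 and network access."""
    if shutil.which("recon-ng") is None:
        raise RuntimeError("recon-ng not found on PATH")
    Path(script_path).write_text(build_resource_script(domain, bing_key))
    # -w creates/selects the workspace (the 'workspaces add osint' step),
    # -r replays the resource file, --no-check skips the version check.
    subprocess.run(["recon-ng", "--no-check", "-w", workspace, "-r", script_path],
                   check=True)
    return workspace_db_path(workspace)


# Column layout of the two tables the demo fills (recon-ng v4 schema, assumed).
HOSTS_DDL = ("CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, region TEXT,"
             " country TEXT, latitude TEXT, longitude TEXT, module TEXT)")
CONTACTS_DDL = ("CREATE TABLE IF NOT EXISTS contacts (first_name TEXT, middle_name TEXT,"
                " last_name TEXT, email TEXT, title TEXT, region TEXT, country TEXT,"
                " module TEXT)")


def make_demo_db(path=":memory:"):
    """Constructed workspace as it looks after the bing/netcraft/whois steps."""
    conn = sqlite3.connect(path)
    conn.execute(HOSTS_DDL)
    conn.execute(CONTACTS_DDL)
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
        [("www.example.com", None, "bing_domain_web"),   # constructed rows
         ("mail.example.com", None, "netcraft"),
         ("vpn.example.com", "203.0.113.7", "resolve")])
    conn.executemany(
        "INSERT INTO contacts (first_name, last_name, email, module) VALUES (?, ?, ?, ?)",
        [("Jane", "Doe", "jane.doe@example.com", "whois_pocs")])
    conn.commit()
    return conn


def dashboard(conn):
    """Row count per table, the same numbers 'show dashboard' prints."""
    # Table names come from a fixed tuple, so the f-string is not injectable.
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("hosts", "contacts")}


def unresolved_hosts(conn):
    """Hosts with no IP yet: exactly what recon/hosts-hosts/resolve will work on."""
    rows = conn.execute("SELECT DISTINCT host FROM hosts "
                        "WHERE host IS NOT NULL AND ip_address IS NULL ORDER BY host")
    return [host for (host,) in rows]


if __name__ == "__main__":
    print(build_resource_script("fbi.gov"))
    db = make_demo_db()
    print(dashboard(db), unresolved_hosts(db))
```

Running `run_demo("fbi.gov", bing_key=...)` does what the walkthrough does by hand and leaves the workspace database where `workspace_db_path()` points; `dashboard()` and `unresolved_hosts()` can then be pointed at a real `sqlite3.connect(workspace_db_path())` instead of the constructed one, for example to confirm that every host picked up by bing/netcraft actually got an IP before running bing_ip.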