Reconnaissance Tools | Part 1 | TryHackMe Red Team Recon

Captions
What's going on guys, welcome back. In this video today we're doing TryHackMe and we're going to carry on with the red teaming pathway. So far we have finished the first module, which is Red Team Fundamentals. In today's video we're going to start with Initial Access, and specifically we're going to do Red Team Reconnaissance. I will divide the room into two videos: in this video we're going to talk about the first five tasks, and the upcoming video we're going to dedicate alone to using Maltego and Recon-ng as prominent tools for performing reconnaissance.

Now first let's talk about the concept of reconnaissance. A red team performs reconnaissance as a first step in a routine engagement or also as part of a fantastic engagement. You should get yourself familiar with two terms: passive reconnaissance and active reconnaissance. In passive reconnaissance we don't actually communicate with the target, that's why it's called passive, right? We don't communicate with the target, we don't send nmap scans, we don't grab banners, we just gather information. Active reconnaissance is collecting information by interacting with the target, for example with nmap. With nmap we launch a scan against the target to gather information; it's a form of reconnaissance, but using nmap entails we are interacting with the target. A passive reconnaissance example could be using Google or publicly available information to gather information. We're going to touch on tools that can be used to perform passive reconnaissance. As you can see there are two types of active reconnaissance, external and internal. External is when you reside outside the target network: for example if you are doing pentesting for a client of yours, external reconnaissance means that you will perform the reconnaissance when you are disconnected from their network, you will be connected to the public internet outside the network. Internal reconnaissance is when you connect to their network by being physically on site or using a VPN.

So let's now talk about the built-in tools that can be used for reconnaissance. Before I show you guys the tasks, I have these commands in this sheet. To perform reconnaissance we can start with DNS. We perform DNS enumeration to gather information about the domains, the subdomains, the DNS records, in addition to email addresses. There are multiple tools to achieve this purpose; one of them is nslookup. With nslookup we can gather information about the DNS records, or we can query specific DNS records by declaring the type. If we say nslookup -type=MX and the target domain, we will gather information about this type of DNS record in the target. Generally we can say -type= and specify the DNS record: it could be A, could be AAAA, could be MX, could be TXT records, so on and so forth.

Let's take an example. This is the Docker machine, and let's look up... the domain example here was, let's scroll down to the questions, thmredteam.com. So here we are asking this server, okay, to get us information about thmredteam.com. As you can see we don't have an answer because this server doesn't have information about thmredteam.com. In case the DNS server we are connected to doesn't have information about the domain, it's going to give you a non-authoritative answer and you cannot find the information; there is no answer. If you ask, say, Google, as you can see here we get an answer from the DNS server about the IP addresses that Google uses: we have one, two, three, four, five, six, so we have six IPv4 addresses Google is using, and we have one, two, three, four, four IPv6 addresses. So this is the domain, right, thmredteam.com? Yes, I was saying maybe I typed the domain wrong. Okay, so as you can see this nslookup query gives us information about how many IPs the server is using.

Now let's disconnect it. Okay, so the machine disconnected, I just turned it on again. Okay, so let's go back to the output of nslookup and let's try this domain, cafe.thmredteam.com, again. Guys, as you can see we get the IP addresses the domain is using; we have two IPv4 and two IPv6. Now if you want to ask about a specific record we can definitely try that: -type=MX, or -type= let's say TXT records, and it gives information about TXT records. If we ask about Google it definitely should have TXT records; as you can see we get the TXT records of google.com. Now this information is tremendously important when you are doing passive reconnaissance. As you can see this is a form of passive reconnaissance: we are not interacting with the target, we are relying on public information, the whois database, the public DNS records. All of these are considered public information.

Now additionally there is another tool called dig. dig can also be used to extract DNS records from public records. For example if you try dig on thmredteam.com, as you can see we get all the publicly available information there is about thmredteam.com. For example let's see here, the question section, the record... as you can see this is the hostname, but we didn't get the IP address. Let's see, maybe it wasn't the intended domain we should ask. So, built-in tools: we can ask about this domain, cafe.thmredteam.com. So I go back, I will say cafe, and as you can see here guys we get the information about this subdomain; we get the A records as specified in the query. Now we can also specify that we want to get all records, so what we can do here is specify the any switch: again we type any and we get all the publicly available information, for example the A records and the AAAA records. Additionally guys, we can ask specific name servers about a specific domain. For example if you want to ask a public server like Cloudflare, you can specify the server like that, @ and the name server. This will query Cloudflare for the DNS records of cafe; as you can see we get that cafe has two IP addresses.

As you can see guys we got similar output to what was shown here using nslookup, because both tools, nslookup and dig... whois also: we can type whois cafe.thmredteam.com; this will get us information about the domain registration. Now I guess this one doesn't have it; let's run the query again against thmredteam.com. As you can see this will get you guys the information about the domain registration date, who created the domain, and sometimes it comes with additional information like names and email addresses; it depends on the privacy settings of the domain name. Now you might be telling me that we can enable a privacy feature on a domain and hide the owner information. That's correct, unless you are subscribed to whois premium, which will enable you to inspect what's called the history of the domain before enabling the privacy and after you enable the privacy. All of this information is stored in the whois public database, so even if you enabled privacy on a domain, your registration information that was publicly available before you enabled privacy will be retrievable using the whois history feature. This is a premium service.

So let's now answer the questions. When was thmredteam.com created? So again guys, domain information can be extracted from... let's go up. So it was created on 2021-09-24, 24 September. To how many IPv4 addresses does clinic.thmredteam.com resolve? Again here we want to retrieve the DNS records of a specific domain; we can use nslookup, we can use dig. So let's use dig here and say clinic.thmredteam.com and say any, everything. So it resolves... this is the question here, to how many IPv4 addresses does clinic.thmredteam.com resolve. It's not clear here using dig; let's try to specify the record using A. As you can see we grab the IP addresses of this subdomain, so we have two. To how many IPv6 addresses? Now IPv6 here are not shown, so we're gonna have to use another tool: nslookup clinic.thmredteam.com. Indeed we have two IPv6 addresses.

Now these are the command line tools. What about online tools? For online tools you have ViewDNS.info, and the most prominent feature as you can see here is reverse IP lookup, which will tell you what are the other domains hosted within that IP address, because so many times you have a website hosted somewhere and it is shared hosting. Shared hosting means you have many websites using the same IP address. To find out you can run a test on a website. The test here was, let's see, the test laid down by TryHackMe... so that was a domain name, not here, yeah, this was conducted on this domain. Let's take this and perform a reverse IP lookup, and the output shows you there are many domains, which means that these IP addresses that resolve to cafe also resolve to other domains, which means a single IP address sometimes cannot indicate an exclusive point of reference to a website or domain, because that IP address might be pointing to more than one domain; it's an example of shared hosting, one IP address and multiple domains. Let's see my website: perform a reverse IP lookup of my website, and as you can see, one IP address and one domain, which means that I have dedicated hosting for my website, and the evidence is that, as you can see, this IP address resolves only to one domain. That's reverse IP lookup. You can also take a look at the other tools that you can use to retrieve DNS records or public information about a website; as you can see there is port scan, whois, Chinese firewall test, reverse MX lookup. So all of the output that we got using command line tools we can also retrieve using ViewDNS.

Another tool was threat intelligence tools. Threat intelligence tools not only retrieve public information from the whois database and DNS records, but also come with additional context like the trust level, the spam level, and they can sometimes perform malware scans. Let's type my domain name as a test. Okay, as you can see guys it performed a quick malware scan and there is no malware on my website. Let's scroll down; as you can see we have a visual interface, or visual output. Infrastructure: as you can see it shows you guys where my website is hosted, it is hosted on Google servers, and there is one MX record that points to Gmail. Connected domains: the links that I have inside my page; as you can see my page has outgoing links to YouTube, Facebook, where these are the links I use inside the website when I create content. Website analysis: here you can see the URLs parsed, the components, the programming components, potentially dangerous content. Now this, as you can see, is another scan it performs on the links you actually create to files; it just checks if you have executable files or malicious executable files or other forms of malicious files that you have created links to inside your website. SSL: as you can see, the SSL certificate. Malware detection: I have none on my website. And other information; as you can see it's a complete list of all the information that we seek to collect during passive reconnaissance. So threat intelligence platforms are way ahead of DNS tools.

Now let's talk about another source of grabbing information. So far we talked about reconnaissance, specifically passive reconnaissance: how to gather information using passive reconnaissance. We have gone over command line tools to retrieve DNS information and records, we've also covered online tools, and of course in the next videos we're going to cover Recon-ng and Maltego. But now let's turn heads towards another public tool to gather information, which is Google.

So there is something called Google dorks. Google dorks are syntaxes and queries we can use, guys, to retrieve advanced information, real advanced queries to retrieve information about websites. I talked about Google dorks in previous videos but it doesn't harm to just give it another brief look. For example we can perform a site search: if we do site:google.com it will retrieve all the links that contain google.com in the URL. If we perform this query here, site:google.com careers, it will retrieve all the links that contain google.com along with the word careers. We can also perform a filetype search to retrieve specific files on Google: PDF files, Excel files, database files, config files. There's a whole slew of results you can grab using Google dorks. Have a look at the dorks guide if you have the sheet here; if you're part of my channel membership you will be able to access this.

If you don't have it, let's go over the tasks here and see the questions. How would you search using Google for xlsx files indexed for this domain? So here you want to search for Excel files hosted on this domain, so we have to use two operators here: the filetype operator and the site operator for the domain. This will become like this; make sure to put a space between every operator. The first operator is filetype followed by a colon and the file type you are looking for, it's xlsx. Then we have a space and then the other operator concerning the domain, so site, colon, and the website name. How to search using Google for files with the word passwords for this domain? So you have three parts: the first part is the domain, to search for results concerning this domain we're going to use the site operator; now for the password we want to list all the pages that contain the word passwords, so we'll just use the word passwords.

Now other than Google there are other search engines such as Shodan. I have covered Shodan in the previous videos, guys; I'm going to put the link in the video description so you can get back to it. So that was a brief about passive reconnaissance, how to perform passive reconnaissance. So you have now command line tools, you have online tools, and lastly you have search engines. Now in the next video we're going to narrow down the explanation and take a look at Recon-ng and Maltego as comprehensive tools, or holistic tools, to perform passive and active reconnaissance. So that was it guys for today, I hope you liked the video and I'm gonna see you later.
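Added example, not part of the video or of TryHackMe's material: a small Python script that does, on captured tool output, what the video does by eye in the dig, whois and Google-dork steps. It groups the records in a `dig ANY` answer by type and counts how many IPv4 (A) and IPv6 (AAAA) addresses a name resolves to, pulls the creation date out of a whois response, and composes a dork string with one space between operators. The dig and whois text embedded below is constructed for a placeholder domain (example.com, documentation address ranges, a made-up registrar); the function names are my own and are not part of any tool.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of dig output for a placeholder domain. Addresses come from the
# documentation ranges (192.0.2.0/24, 2001:db8::/32); these are NOT the page's real records.
SAMPLE_DIG = """\
; <<>> DiG 9.18.1 <<>> clinic.example.com ANY
;; QUESTION SECTION:
;clinic.example.com.\t\tIN\tANY

;; ANSWER SECTION:
clinic.example.com.\t300\tIN\tA\t192.0.2.10
clinic.example.com.\t300\tIN\tA\t192.0.2.11
clinic.example.com.\t300\tIN\tAAAA\t2001:db8::10
clinic.example.com.\t300\tIN\tAAAA\t2001:db8::11
clinic.example.com.\t3600\tIN\tMX\t10 mail.example.com.
clinic.example.com.\t3600\tIN\tTXT\t"v=spf1 include:_spf.example.com ~all"

;; Query time: 12 msec
"""

# Constructed sample of a whois response; registrar name and dates are made up.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Placeholder Registrar, Inc.
Creation Date: 2021-09-24T12:00:00Z
Registry Expiry Date: 2026-09-24T12:00:00Z
Registrant Name: REDACTED FOR PRIVACY
"""


def parse_dig_answers(text):
    """Group the resource records in dig output by type, e.g. {"A": [...], "AAAA": [...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # comments, section headers and the question line all start with ';'
        fields = line.split(None, 4)  # owner, ttl, class, type, rdata (rdata may contain spaces)
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records[fields[3]].append(fields[4])
    return dict(records)


def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def count_addresses(records):
    """Return (ipv4_count, ipv6_count), validating that each rdata really is an address."""
    ipv4 = [r for r in records.get("A", []) if _is_ip(r, 4)]
    ipv6 = [r for r in records.get("AAAA", []) if _is_ip(r, 6)]
    return len(ipv4), len(ipv6)


def parse_whois_creation_date(text):
    """Extract the registration date as YYYY-MM-DD; registries label the field differently."""
    for label in ("Creation Date", "created", "Registered on"):
        match = re.search(rf"^\s*{label}:\s*(\S+)", text, re.IGNORECASE | re.MULTILINE)
        if match:
            date = re.search(r"\d{4}-\d{2}-\d{2}", match.group(1))
            return date.group(0) if date else match.group(1)
    return None


def google_dork(site=None, filetype=None, terms=()):
    """Compose a query string with one space between operators, as the video describes."""
    parts = []
    if filetype:
        parts.append(f"filetype:{filetype}")
    if site:
        parts.append(f"site:{site}")
    parts.extend(terms)
    return " ".join(parts)


if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_DIG)
    print("record types:", sorted(recs))
    print("IPv4/IPv6 counts:", count_addresses(recs))
    print("created:", parse_whois_creation_date(SAMPLE_WHOIS))
    print(google_dork(site="example.com", filetype="xlsx"))
    print(google_dork(site="example.com", terms=("passwords",)))
```

To use it on a real lookup, pipe the output of `dig <name> ANY` or `whois <domain>` into the two parsers; the address counter deliberately validates each rdata with `ipaddress`, so a CNAME or a malformed line never gets counted as an address.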
Info
Channel: Motasem Hamdan
Views: 717
Id: 5ANB1di_-KY
Length: 19min 43sec (1183 seconds)
Published: Wed Aug 16 2023