Red Team Reconnaissance Techniques

Captions
[Music] you can register for part two of this series by clicking on the link in the description part two covers advanced techniques that will be expanding upon the techniques we covered in the first part on youtube so i will take a look at windows red team defensive agent techniques how to evade antivirus detection with powershell and shelter as well i will also move on and take a look at windows red team privilege escalation techniques uh linux privilege escalation techniques as well and then we'll move on to uh you know essentially taking a look at linux defensive agent how we can hide linux processors and you know the various linux rootkits available that you can utilize and then finally we'll touch upon our windows red team lateral movement technique so if you want to actually go through these pieces of content just register by using the link in the description it's absolutely free all you need to do is provide your you know your details and your email and you'll be able to get the videos and you can watch them on demand so uh let's move on to today's video hey guys hackersploit here back again with another video welcome back to the red team training series in this video we're going to be taking a look at red team reconnaissance techniques um so we've already you know taken a look at adversary emulation now it's time to get started with the uh the mighty attack framework tactic uh or tactics rather and the first one that we're starting off with is reconnaissance right so what we will be covering in this video number one what is reconnaissance uh number two will you know then this is the practical aspect of the video we'll take a look at passive recon techniques active recon techniques and then we'll take a look at how to automate uh all of these techniques uh using frameworks like sniper uh like you know using tools like a mass or you know performing reconnaissance with shodan and we'll take a look at how to use uh you know a ton of other tools so you know this 
is going to be quite extensive and again reconnaissance is quite a lengthy uh a lengthy segment or tactic and you know it involves the utilization of various data sources various tools and again i'll try and i'll try my best to cover as many techniques as possible with as many tools as possible so that i can give you the most comprehensive overview uh that being said what is reconnaissance well reconnaissance is essentially involves the techniques that adversaries will you will utilize either you know actively or passively to gather information uh that can be used to support targeting or the initial exploitation phase right so information willing you know the information gathered uh during reconnaissance will uh include details of the victim organization uh the infrastructure staff or personal information you know and you know this information is very useful because again it can be leveraged by the adversary to aid in other phases of the adversary life cycle such as uh you know initial exploitation or getting an initial foothold or to scope and prioritize post compromise objectives or to drive and lead further reconnaissance efforts right now when we talk about reconnaissance reconnaissance is typically split up into two categories based on the interaction with the target or the type of interaction with the target right number one we have active recon which involves actively engaging or interacting with the target network hosts employees etc so this will typically involve techniques like port scanning vulnerability scans web application scans and the key thing to note here is that active reconnaissance you know you're actually interacting with the target you're actually interacting with the hardware uh with the web application and given that that is the case you need to be very very careful in regards to what you do and of course if you're performing a legal red team operation uh you need to get permission to actually uh you know perform your scans on the um on the 
company's hardware or the company's infrastructure and secondly we have passive recon right so passive recon essentially involves utilizing publicly available information so you know information like who is uh dns information or utilizing uh search engine docs or you know performing search engine hacking to find what you're looking for and again in this particular case it's passive because you're not interacting with the target you're simply finding information that uh that is already out there using uh openly available uh you know information or openly available sources right so now that you have an idea of what reconnaissance is let's move on to the next step right which is again to take a look at the tactics that are used or the recon tactics that are used in the miter attack framework right so again if you navigate to the miter attack framework website you can see that the reconnaissance tactic utilizes 10 techniques and all of them are you know relatively important based on the type of target you're dealing with and of course you can utilize if you're performing uh you know adversary emulation you can take a look at the techniques that have been used by other apt groups or by other groups and in our case we'll be focusing on the key techniques that are pertinent to uh you know the other the other stages that i'll be demonstrating so the key techniques or the key pieces of information that we're trying to look for are going to be ip address information dns information domain information we'll be utilizing you know publicly available databases and we'll also be looking for network information right so all of this is uh quite important and of course we'll all play into our next tactic or the next stage which is uh resource development and initial access and of course you have execution so on and so forth right um that being said that's pretty much all that i want to cover in the you know theoretical side of things let's actually get started with the practical 
aspect of this video all right so i'm back on calais linux and let's get started with passive intelligence gathering or passive reconnaissance right um so we're gonna start off from a very uh simple starting point and that is that you know we have a domain that we're testing uh for a company and we're going to use that domain to you know try and enumerate as much information as possible or to search for as much information as possible and as i said we're going to get started firstly uh with passive techniques right or you know with passive tools etc so the first thing we want to do is we want to identify the ip address of the website right now we'll utilize the host command and again we'll specify the uh the domain in my case i'll be switching you know from different domains again just to show you how dynamic the process can get so i'll use my own website which is hackersploit.org right and this will provide me with the ip addresses both ipv4 and ipv6 addresses as well as my mail server address and again this information in itself is quite useful but again you can see that the site has two ipv4 addresses as well as you know two ipv6 addresses so that you know we have something going on here uh so let's try and perform a bit more uh in terms of information gathering uh so let's use ns lookup uh to find out what else we can gather here so uh nslookup hackersplay.org and again it gives us the same information that we were expecting and you know you know we utilized my default dns server here which is fine but you can also utilize another dns server another a command that you pretty much want to run is going to be the traceroute command and that of course will uh will display the route uh you know that your actual request takes as it as it goes through all the various uh segments or networks in order to reach the target so for example i can say hacksploit.org so traceroute hackersploit.org so you can see it goes through my router my primary router and then my secondary 
router and then it goes through the following um through the following systems or gateways if you will and then finally we can see that it actually reaches its destination with the ip here but as i said we have two ips so there's something going on here so what if we wanted to enumerate um some dns information uh regarding this particular website right uh well to do that we would utilize a tool like dns recon right so dns recon comes pre packaged or pre pre-installed with kelly so we say dns recon d for the domain and then we say hackersploit.org sorry about that let me type that in correctly there we are it's going to start enumerating all dns records and again dns recon can be used both in a passive sense or in an active sense in this case we're using passive right um so we can see from the um from the records here that that this website is protected by cloudflare that's why we had two ip addresses right and we can essentially see that the the other records we get are the mail server records as well as the ipv6 records and we have some txt records which again gives us an idea of whether you know for example we have services or protection services like dkim set up in this case we can see that there's a google site verification a txt record that's used to verify a domain when it's set up with google but again we don't get any indication that we're using any uh you know any g suite email email servers or we're not using g suite on this particular domain right uh so now that we have uh we have essentially been able to determine that a cloudflare is protecting the site you can also get a confirmation of that uh by identifying whether the website is being protected by a firewall or some sort of proxying system and to do that we can use waffle and again with waffles you simply need to just type in the um the site here or you know just type in the domain so waffle hack exploit.org and that will tell us uh whether we have a firewall here so again you can see the site is 
behind cloudflare right so uh in that case we really can't identify you know the ip address unless the ip address has been leaked somehow and i'll get to that in a second um we can also use the dig utility so for example let me just display uh the what is command uh or you know just display the information regarding the dig utility uh the dig utility is a dns lookup utility and we can use it again similar to dns recon to enumerate you know dns records so for example i can say dig and then hackersploit.org and that'll tell me i'll actually provide me with the the addresses here so you can see these are the a addresses which are ipv4 addresses as you can see here and again we've been able to identify that it's behind cloudflare um right so what if we wanted to use our own name server so for example we could use a dig with a our own name server or a name server that you want to specify like for example 1.1.1.1 which is cloudflare and then hackersploit.org right and again it displays the same results because that really doesn't change anything there we will get to um zone transfers in a second but again with dig you can also limit the results to specific records so for example if i wanted to limit the dig results to so i can say dig hackersplay.org and i can limit it to the name server so i hit enter and you can see it now gives me the name servers here which again we can see it's d dot dns.cloudflare.com and gym.net.cloudflare.com so we get the actual name service name and that performs the uh reverse dns resolution right you know from the actual ips that we got earlier and now we have the actual name servers here um right we can also again display all the records with dig similar to um similar to dns recon and to do that we simply type in any so that will display all the dns records so i'm just going to let that complete running there that's going to take a few seconds um so it looked like it timed out and that's probably to do with cloudflare but we can try another 
website here for example or another domain uh we can try bbc.com and that is the news service as opposed to any of the other sites that you guys are thinking of so again i'm just gonna again let this complete and uh let's see what records we can enumerate alternatively we can also utilize the zone transfer dot me service uh so zone trans zone transfer dot me is a website that is used to train people or is used to train um you know users in dns enumeration and zone transfers as you can guess um so let's see yep so that tells us again that is no service could be reached um so let's try that with zone transfer dot me because it'll be much more useful so zone transfer dot me we hit enter and i'll give that a few seconds there all right so i ran that and i specified the google the name i specified the google dns servers there for my lookup and again you can see the records that it was able to identify so of course it discovered the name servers the two name servers here and the a address which again is the website ip address and again we can also use waffle here to identify whether zone transfer dot me is behind a uh any particular firewall so again if we type that in let's see if we're able to identify anything there uh if if that's not the case then that means we have a an ip address for the server and you can see there is no f and we can probably start performing some port scans on it but before we do that again are still on passive reconnaissance we can also use dig to identify other types of dns records as i mentioned so instead of using any or searching for any we can also look for mx records which are mail server uh mail server records and yeah that's pretty much it when it comes down to using digg now when it comes down to the site or domain information uh and you know i'm simply referencing who is information here uh the key information that we're trying to gather in the context of red teaming is the domain registrar and again trying to identify uh the hosting 
provider right and of course there's multiple ways we can do this number one is by using the who is utility so for example we can say who is zone trans zone transfer dot me right and uh let's try and identify the information here the key information so we can see that the registrar is mesh digital uh it was created on uh or it was actually registered initially in 2011 and it expires at the end of this year in december right so that gives us a bit of an idea there uh the registrant organization is called digit ninja so we have now have an organization name in this case it's digi ninja and we have the name servers and dns sec is not set up so that means we can pretty much get all this useful information that way alternatively we can also use the netcraft site or the netcraft service to again identify what a website is running and simply enumerate information regarding that particular site so for example uh if i just reload this here there we are and we can also use the zone transfer dot me site uh zone transfer dot me and we can perform a look up here and let's see what information we can get from netcraft so again firstly we get the site uh title it was first seen in march 2019 uh there's no site rank as for the site network information you can see that the net block owner is ovh static ip uh the hosting countries in the uk the ip address we get here again appears to be the server ip we also don't we we don't get any ipv6 address but we get the name server the domain registrar the organization again and we also get the dns admin uh right over here right let's take a look at the ip delegation we can see uh how the the actual ip range is actually delegated and you know to the point where it reaches the ovh static ip net block over there we also get the ssl tls information so again a key piece of information that you're trying to identify here is whether the ssl certificate is valid uh whether it's expired so on and so forth and that information can be quite useful um 
right let's see what else we can identify we get the signed certificate timestamps which tells us that the the ssl certificate uh authority is let's encrypt uh it also checks whether the site is vulnerable to hot lead uh and the hosting history for the site it doesn't have dmark for emails here which is great and uh no dkim so uh email spoop email spoofing might be an option here when we are trying to perform our phishing attacks i will take a look at that in the next video and then we get the server side technology and the client set technology so again this site displays quite a bit of information here and again you can utilize it to find more information regarding a particular site another website we can use is dnsdumpster.com which is extremely extensive and again we can run it for uh zone trans zone transfer dot me right and we can just hit search and that's going to look for uh it's going to look up for dns records and again we get the dns servers we get the mail service or the mail records the mx records and we can see that it utilizes g suite or google mail right over here and we get the mail server addresses we get a google google site verification txt record as well as the the host records here and of course it gives you a mapping of the domain you can download the xlsx or the spreadsheet for the hosts and you can also view the graph which is quite useful so dns stomps the graph and it takes you through this and from this we can see that the names the dns is being uh is actually set up on amazon uh or well not really amazon but uh we also get the asn information and we can see we get a few banners here so we can see that the target is running open ssh 2.0 um let's see whether we can see any other information right so it's pretty much the mx information on the mail server information right so dns dumpster can be very very useful when trying to you know perform dns enumeration or dns recon as it were and it's extremely helpful now in the context of 
identifying web technologies for a particular domain or a website you can use the what web utility that again comes pre-packaged with kelly so i can say whatweb hackersploit.org that'll give me an idea of what what stack is being used whether there's a cms in place etc etc so let's try this with hackersploit.org you can see there is a redirect here so 301 redirect it goes through cloudflare and we get the redirect location uh as for the um let's look at the uh the technologies here we can see we have php 7.4.22 so you can pretty much uh you know start identifying vulnerabilities if that version of php is vulnerable uh we can obviously tell that it's using a lamp stack because um again we're able to tell uh quite simply uh that it's using some some sort of caching system so again from this header we can tell that it's using the wordpress uh cloudflare super cache plugin and that tells me again uh it tells me two things number one uh we have the site is running wordpress and number two uh it's using a particular plugin of course we're able to identify that from this particular banner here so we know it's running wordpress and of course this can be used to identify vulnerabilities with cms tools like uh wordpress can uh to of course identify uh the plugins and users and themes and then of course identify whether any of them are vulnerable to any particular exploit so all of this information as you can see is very useful in staging the attack we can also utilize a we can also run this on the zone transfer dot me website and let's see what we can get there i spelled that incorrectly um zone transfer dot me let's see what um what this particular site is utilizing um right so there is a redirect and we can see we get the email we get our first email so that is a customer service email so that uh is uh service customer service that zone transfer.me pipa zone transfer dot me and these are emails you pretty much want to be saving because we've gathered them already so again 
we're just going to say zone transfer emails we'll just save it in a file and let me type that in correctly there we are and we'll just paste them in here right so these are all the emails for the zone transfer dot me website now of course you can see that this is quite cumbersome because we're doing it manually and we'll take a look at how to automate all of this with various frameworks but there we are we're able to identify that's running apache web server and uh we get what appears to be an author so a user or a person that we can actually start performing ocean on and you know identify various other aspects uh you know of them so again i don't i don't really recommend doing that in this particular case because uh again i don't have permission here but we get a user here or a person or uh pretty much an employee so robin wood and yeah so we've been able to gather quite a bit of info already now there are a few other plugins that you can use for your browser so for example if i search for mozilla add-ons let me just open that up here one really useful add-on is the wapalizer add-on if i just search for it there we are wapalizer i said this essentially will identify technologies on the website so it'll tell you whether the site is using acms what frameworks it's utilizing so again if i add it here i'll give that a few seconds to add it there we are it's going to add wapalyzer and now if i go to zonetransfer.me and again i can just open up wapalizer and you can see right over here it displays the font scripts the programming languages the web server technology in this case we can see it's using apache and then of course the miscellaneous javascript libraries if it is using any uh but again it doesn't give us much information here as for more information you can purchase a plan here the pro plan and get your api key and that will give you a detailed overview another plug-in that i like using is built with right and many of you may have heard of built with before 
again it's a site profiler tool and again it will display a list of all technologies that are used on that website or web page if you will so i'll open up build with here on the zone transfer dot me website and you can see that it gives us a much more of uh much more of a detailed report and again for the payment system we can see pretty much uh it looks like it's uh well it doesn't give us information as yeah so buy me a coffee that's the the payment or donation system rss um let's look for any other useful information we can gather here we get the http headers there which is again quite useful and you can do this straight from your browser right so that is how to essentially get you know information for a particular website using you know various publicly available uh sources and databases now the next step of course is to start gathering information pertaining to particular employees right and that of course will will depend on various things number one is uh you know are you targeting an organization and is your entry vector or your access point a an organization name or their domain right so if you already have the organization name like for example digi ninja we can use that and the tool we'll be using is the harvester now the harvest comes pre-packaged with kelly and i can just demonstrate how this works i'll just bring up the help menu here and that gives you a very very good overview of how to use the tool so it's essentially used to gather open source intelligence on a company or domain and in this case what we can do is um we can essentially utilize what whatever information we have and try and uh you know find information regarding that particular company so if we start off with the domain or the company name digit ninja let's try and find out whether we can identify any information from google and of course the sources here are provided you can specify more than one source so let's use maybe google linkedin let's see what else we can use bing is quite 
helpful being the search engine you can specify multiple sources uh using using the comma separator and you can use any of the sources provided here so let's try and see whether we can find any information regarding digi ninja as an organization from bing you know google linkedin etc alternatively you can also use the domain name so we'll also try that so again i'm just going to let this complete alright so we can see that we get quite a few results in regards to employees or individuals that are in some some form associated uh with digi ninja but of course we can't confirm that and these are pretty much i'm guessing all coming from linkedin there we are but if we take a look at all the results here um let's see whether we can actually they're quite a bit of results in regards to individuals uh we can see that linkedin users found are 317 right and of course their names or their linkedin profile titles in this case don't really give much in regards to uh their role at digi ninja if at all they work for digi ninja but as i said um we can pretty much again identify them manually by sifting through this and you can use the the grep utility to identify any matches for digi ninja so for example in this case um again let's see if we can identify there we are so we can see that ict trainee uh digi ninja and we get a a um a match there but in terms of the company we can't get any employees with a solid confirmation that they work there so you pretty much will have to resort to manual searching of these people on linkedin to identify whether you know indeed they actually work at digi ninja in in some form and of course the next step will be tr will be to try and identify emails now in this case we aren't able to identify any emails as i can see here we just we just simply uh we've simply been able to identify the users themselves but no emails and no hosts found there now alternatively as i said we can also use the site zone transfer the domain and we'll specify the source 
as google alternatively you can also use the all sources but some of the sources require an api key so again we can use google and there are a few others like uh that i like utilizing uh one of them is of course uh google let's see what else twitter linkedin so twitter um sorry don't want to space that out linkedin we can also use bing as well that also works yahoo is also quite useful in that sense uh we can also use the sublist tool so sublister and i'll get to using sublist in a second but there's various other sources that you can use and let's see whether we're able to identify any information from these sources and again as you can see it's a matter of again testing and knowing what you're trying to find so what you're trying to find so again i'm just going to let this complete searching all right so we aren't able to get any results on this front which is perfectly fine and it's uh it is actually what i was expecting as i said in this particular case it looks like it would be much more useful to utilize a the the organization name to give you a much wider gamut of results to work with as this domain uh you know and you you've seen this multiple times with companies they may have domains that are not you know related or don't have the company name uh within the domain name so again that's something that you need to take into consideration um right so again we can also change this uh in you know we can utilize for example my domain here so what i'll do is i'll just change the domain to hacksploy.org and this is the last this is the last one i'm going to run here because i want to cover a few other techniques that are quite important right so we can say hackersplay.org we can also limit results to 500 that's also very useful and then we for the sources i'll just use google uh sorry google and we'll then specify maybe yahoo bing linkedin and yeah that's i think that's a good starting point you can also perform dns lookup if you want that can be done by using the 
n flag we can hit enter and let's see what we're able to enumerate from this particular domain right so i'm just again going to let this complete all right so in this case again we get uh zero results which is fine as i said uh we can also switch that up with the company name so for example hack exploit and that'll give you as i said the wide gamut of results right so let's move on to the next technique that i wanted to highlight and remember we're still in the passive uh information gathering or reconnaissance phase and that is of course subdomain enumeration and we're looking at the passive way of doing this which again will involve you know utilizing various uh databases or you know publicly available databases uh like google or uh you know utilizing google docs uh is one of them and we will get to that in a second but the tool we'll be utilizing is sub-lister and sub-lister can be installed on cali by simply saying apt-get install sublister and then of course i can just run the command here so sub-lister let's see if it actually will work whether i have it installed there we are sub-lister and again it's very simple if you want to start performing sub domain enumeration you can open up the help menu if you want as well there are various sources or engines that you can use one of them of course is going to be google you can also utilize uh other sources if you want in this case let's just run the default command which again simply involves typing in sublist and then the name of the domain so hackersploit.org and that's going to use all the engines so baidu yahoo google bing ask netcraft and you can see we have a block request here which pretty much means we're exhausting all our checks there because we've been performing quite a few lookups with google but there we are we're able to identify quite a few sub domains right and i've created some of these to demonstrate this the only active one of course is forum.hackersploit.org but we can see i created at 1.8 test 
subdomain videos and this is very useful information so you can also output that information as well using the output option here and you can save that again that can be used again for further analysis uh or for further testing and of course again you you can be used to state your attacks right so that is how to perform uh subdomain enumeration uh using sublister uh we can also do this with a mass which i'll be covering after i've taken you through all the manual techniques and we'll take a look at how to use the automated frameworks after the fact but i wanted to take you through a few other techniques manual techniques and of course that is using google docs so for example google.com and i'll show you exactly how sublisten and all of these other passive uh you know automated recon tools like sublister perform uh you know sub domain enumeration with google so we can essentially search for subdomains for a particular domain so for example if i say you know sitebbc.com that's going to limit the results to the sitebbc.com right so you can see it's going to provide you with various results here however what if i wanted to display uh subdomains for the sitebbc.com well i can use the site uh the the site search fact uh the the the actual site specification there and um or the search filter as it were and then i can use the asterisk or the wildcard option and then i specify the so i can say wildcard.bbc.com and that will uh essentially enumerate all the subdomains that google has indexed for the topleveldomainbbc.com but in this case you can see it's still displaying bbc.com so we want to exclude the domain bbc.com to only display uh subdomains right and we can do this by saying uh site and then we can exclude bbc.com or www.bbc.com which i think would be much better so i hit enter and now we have all the subdomains here so you can see we have beta.bbc.com so it looks like bbc actually has a few beta domains we also have ws partners which is interesting let's see what 
that's about. We also have mobile.bbc.com, so that's their mobile domain, which I'm guessing will redirect to bbc.com. There we have redirects, as expected. And then it looks like we have ws partners, which is an interesting subdomain. They also have a shop, a Canadian shop, and then account.bbc.com, that's for users who want to sign in, and then you also have what appears to be pages.topgear.bbc.com, so on and so forth. But you can see how you can utilize this to find subdomains. So for example, if I wanted to search for subdomains for a particular site, we can also try HackerSploit, so site:*.hackersploit.org, and then I want to exclude hackersploit.org, like so. Let's see if that is done correctly here: site:*.hackersploit.org. It looks like it isn't able to find any there, but that should work because I'm essentially limiting it there. Let's try and limit those results. There we are, so we get rid of results that contain hackersploit.org, and you can now see we have the forum, and that's pretty much the only one that is active here. It looks like there are a few others; let's see on the next pages, and these are all the forum posts here. So again in this case you can see that the only active subdomain that Google has spotted for the domain hackersploit.org is forum.hackersploit.org, and this is a great way of quickly identifying subdomains that you may not have realized are there. But of course you can also utilize automated tools like Sublist3r to find the same information, and this is exactly how it does it: it utilizes the search engine filters to get exactly what it's looking for. And of course I have a video that covers Google hacking or Google dorks, so you can check that out as well to find specific information. So I'll take you through a few others here. What if I
wanted to, let's go back to Google here, and let's say I wanted to look for something in particular. I can say site:bbc.com and I want to limit the results to a particular file type, or I can search for a keyword, so I can say admin. And again you can see that doesn't give us anything useful there; it simply gives us the matches for the keyword in particular posts. To counter that, what I can do is say inurl:, and then I can say admin. and use the wildcard there, or I can simply say admin.php. That doesn't work there, so let's try admin. There we are, we don't get anything there. We can also try login. There we are, it looks like we get a few login pages there, and we can use inurl: to locate or identify particular login pages. So for example, let's see, hackersploit.org. This might not be indexed by Google because I disallowed it. If I say wp-admin.php, you can see that it doesn't give any results, and that's correctly done because I disallowed wp-admin.php from being indexed by Google. But if I just say inurl:wp-admin.php, it'll actually display all the matches, all the sites that have been indexed, and this is a great way of identifying WordPress websites. Alternatively, you can also utilize a whole slew of other search filters when it comes down to identifying particular directories, but as I said I've covered that already and I just wanted to cover a few more. So I'm just going to cover this one more time: for example bbc.com, and if I wanted to limit the results to only look for files, so for example PDFs, let's see any PDFs for bbc.com. Again it asks me to select the traffic lights; I'm just going to do that here, so verify that. And again that's interesting, Google, I'm not doing anything illegal, just demonstrating a few search terms here. There we are, so again we get various
PDFs on bbc.com. We can also change the extension to anything else, so for example document files, and hopefully I don't have to keep doing this. Let's see, bicycles; well, that's a scooter I guess, so no bicycles there. Motorcycles, yeah, let's see if that's correct. All right, so that's giving me too many captcha requests, so I'm just going to stop it there, but you get the idea. As I said, if you want to learn more about Google dorks you can check out my video on that; it will be linked in the description. Let's move on to active intelligence gathering, and of course, as I mentioned, active intelligence gathering is pretty much interacting with the target now. So let's get started with DNS. The first technique I'm going to be highlighting is DNS zone transfers, and I'll just head back into my browser here. We'll be using zonetransfer.me, as it's set up for this, and the tool we'll be utilizing is dnsrecon. So dnsrecon, we use the domain specifier, we say that is zonetransfer.me (I'll just type it in manually, so zonetransfer.me), and then in order to attempt to perform a zone transfer we'll say axfr. I've already explained what zone transfers are in the past; again a video for that will be added to the description, so you can learn more about that particular technique. But this will essentially give us a list of subdomains or other records that might be useful, if I'm to keep that as simple as possible. The zone transfer in this case was successful: it was able to copy the DNS records successfully, or to transfer them, and we get many more records than we were able to get from passive techniques. In this case we get a few TXT records that are interesting, like robinwood, and we can also see something that gives us an idea as to whether this site may be vulnerable
to a Shellshock attack. It gives us the mail records here as well as some subdomain records; those are IPv6, but you can see we have asfdbbox.zonetransfer.me, canberra-office.zonetransfer.me and the IP address there, dc-office, email, home, and these are extremely useful DNS records here. But of course, as I said, a key thing to note is that these may be internal DNS records that may only be useful or can only be utilized inside an internal network, so this may not be external; you need to check all of these, and of course all of this information should be saved. So again, as I said, the zone transfer was successful, as you can see, and we get a few other records here, and that's pretty much it. So that's how to perform a zone transfer. We can also perform subdomain enumeration using brute forcing with a tool like fierce. So if we don't want to rely on publicly accessible information, or we don't utilize search engines, we can also perform subdomain brute forcing using a tool like fierce. Fierce is a fairly simple tool to use, and I've covered how to use it before. Again, fierce is a very active tool, so you don't want to run this passively. In order to run it, all you need to do is just specify the domain, in this case zonetransfer.me, and it will actually attempt to perform a DNS zone transfer, and then you can provide a wordlist that has a list of subdomains that you want to test, so for example use subdomains. But if you leave it as is, it'll start performing a brute force with its own wordlist. So for example if I hit Enter, you can see it performs the zone transfer there. Now again, if you want to perform a subdomain brute force, you can say subdomains, so again I can just type
that in there: subdomains, DNS servers. We pretty much can provide the DNS server and the subdomain file; I can provide that here, so let me just set that up. I'm just going to perform this on hackersploit.org, because I just remembered that it performed the zone transfer successfully, which means it doesn't need to perform subdomain brute forcing, and that was quite redundant. But again I can say hackersploit.org, and that's going to provide us with the name servers and then test a zone transfer; that's a failure, wildcard failure. So now you want to give it a few seconds to a few minutes and it's then going to begin the subdomain brute force. Of course there are various other tools; one of them we'll actually check out in a few seconds that does the same thing, and that of course is knockpy, and I'll get to that in a second. But of course this will take quite a while. So again you can use fierce to do the same thing, but I personally recommend using knockpy. You can install knockpy by typing in knockpy, and that should install it, and to run it all you need to do is type in knockpy. I'll just type it in here, and then we can open up the help options here. Again, to perform a subdomain brute force you can simply just run a fast scan or a full scan, which I recommend, and you can also set a timeout if your requests are being blocked. So for example we can say knockpy and then we say zonetransfer.me, and we hit Enter. It's going to get the wordlist; you can also specify your own wordlist, there we are, using the -w option, if you have generated one already. So you can see it's going to begin the brute force process. You can also change, let me just see the option that I wanted to highlight here; yeah, I actually went through that. You can also set the timeout; that's what I wanted to cover or explain. So it's going to go through the subdomain brute force, and
let's see whether we're able to identify any subdomains this way if, for example, we weren't able to perform the zone transfer. So it's going on, and I just wanted to highlight one more tool or resource that's extremely helpful here, so I'm just going to terminate that. When using knockpy, as I said, you can also utilize a custom wordlist, and I recommend downloading the SecLists wordlists. Within SecLists there are some very useful subdomain prefixes that you can utilize. So in this case I'll just use a custom wordlist: /usr/share/seclists, and I can use Discovery, and we're looking for DNS. We have the fierce list, the wordlist that fierce uses, here as well. You also have a DNS wordlist by Jason Haddix, which is extremely useful. So for example we can use subdomains, just as an example, and of course you have subdomains top 1 million; you can also use that, it's quite a large one. In this case I'll just use this one here. So it's going to utilize that wordlist again, so you want to give it a few seconds, and let's see whether we're able to identify them. For some reason it's actually displaying it in ASCII here, which is actually not giving us the results correctly, but we should be able to identify a few here. That being said, that's how to perform subdomain brute forcing with fierce and knockpy. Let's move on to the next technique. All right, so the next active reconnaissance technique we're going to be exploring, which I've explored quite extensively on this channel, is port scanning. Now of course port scanning is going to depend on whether you've been able to identify servers or hosts that you can actually scan and that are actually valid. So if you're able to identify the IP, for example if we use the example of the zonetransfer.me records here, the DNS records, you can see where we've been able to
identify the IP address for the zonetransfer.me site, and of course we can perform an Nmap scan on that, which I already have done. I'm not going to be covering how to use Nmap in this video because I have a very extensive playlist on how to do the same, but if I display the results here you can see that I performed a fast scan, a very simple scan here. We can run the same scan here and let's try and identify the service versions, just so that we can do that live and I can take you through the process of performing port scanning with Nmap. Again, in this particular case what I'm doing is or should be considered illegal, but I'm just going to do it really quickly here. You can see that I'm using the SYN scan here, which is much more stealthy. Of course I can also use the timing options or the timing templates with Nmap to slow down the scan, or I can also speed it up, but again you have to be cognizant of the target and whether or not it can actually withstand high traffic. Secondly, you can also utilize other tools like masscan or RustScan, although I don't recommend using RustScan if you don't know how to use it, because it's a very, very intensive scanner that sends a lot of packets, so that's something that I want you to refrain from using unless you know exactly what you're doing and the environment you're working in. I would recommend using Nmap; as I said, you can follow my videos on Nmap, I'm quite extensive on that. I'm just going to let this Nmap scan complete here, because I'm now performing service version detection. All right, so the service version scan is complete, and as I said, the reason I'm using zonetransfer.me is because it's set up to teach you things. In this case we have the web server on port 80 and 443, so that's with an SSL
or a TLS certificate, and you can see that they've actually modified the Apache banner that's displayed: instead of giving us the service version number it says sparkles, so that's actually quite useful. Alternatively, you can also use Netcat to grab banners and to identify service versions; that's also a great technique. As I said, you can also utilize any other port scanners that you want to utilize. But I also want to touch upon one other technique which is very, very important in the reconnaissance stage, which is vulnerability scanning. Now, as I've said before, vulnerability scanning will depend heavily on what your target is running, so on and so forth, whether it's running a web server, whether it's using a CMS. So for example let's start off with Nmap scripts. There are tons of Nmap scripts that can help you with vulnerability scanning or enumeration. So for example, if you're trying to identify whether a particular site is vulnerable to Shellshock or Heartbleed, I'll just say /usr/share/nmap/scripts and then I'll grep for heartbleed, like so. You can see we have the Heartbleed script here, and you can utilize that script in your scan, so for example I can just specify it here. We can also search for the Shellshock script, but you can use Nmap as a vulnerability scanner; it's quite useful that way. In this case I'll just specify port 443 there, and do we need to specify anything else? I'll specify the script option, the Nmap script option, and then of course I say ssl-heartbleed, and we hit Enter, and that will help us identify whether the site is vulnerable to Heartbleed attacks. You can see that this is quite useful. Now of course you can also utilize other tools like searchsploit to identify vulnerabilities for particular services that are running on the target. Let's
see whether this is actually completed. It doesn't give us any results, so that is inconclusive, but you can also utilize various Metasploit auxiliary modules if you wish. Again, you need to be cognizant of your target. So for example, if the target is vulnerable, with searchsploit you can then start identifying particular vulnerabilities or exploits. Here we're using searchsploit, and searchsploit is simply a command line utility that allows you to search for exploits on exploit-db.com, and you can see that you have the exploit code here that you can then copy and utilize. The most common one of course is going to be the memory disclosure exploit, which allows you to dump the memory from the web server, and that can give you various important bits of information. So again, as I said, vulnerability scanning is going to be highly dependent on your target. Another tool that I like using is Nikto. So for example, let me just open up the Nikto help menu; I have a video again that covers how to use Nikto. It allows you to scan for vulnerabilities on a particular web server or website, so in this case we can run it again on zonetransfer.me, and as I said, what I'm doing I'm pretty sure is illegal, but again this site was set up for educational purposes. So you want to run the scan, and you can also specify the target port that you want to use, so for example I can use port 443, so on and so forth. Nikto is a great way of identifying vulnerabilities. The next technique that you can utilize is of course to perform directory brute forcing, and again I've covered this quite extensively. You can use dirb to perform directory brute forcing, and you can also use gobuster; you also have DirBuster, and then of course there's the whole aspect of using fuzzing. I recommend using wfuzz; wfuzz is a great fuzzer
that allows you to do quite a few things with it, and you can check out the video that covers how to use it in depth. But of course I'm not going to be doing this because I don't have any targets to test here, but once you've identified your target you can utilize all of these tools to identify vulnerabilities. Now when it comes down to WordPress or CMSs, you can utilize tools like CMSmap. So for example, let me just search for it, so CMSmap here, and we also have WPScan, which again is used to scan for WordPress vulnerabilities. WPScan, I'll just search for the GitHub repository here; there we are. So CMSmap allows you to detect security flaws in the most popular content management systems like WordPress, Joomla, Drupal and Moodle, as it says here, so this is a great way of identifying vulnerabilities. I will be making a video that covers how to use CMSmap and WPScan in the future; well, I have already covered how to use WPScan, but a lot has changed since then, so I'll be making a video now to do that. But yeah, that's pretty much how to identify vulnerabilities within content management systems. That being said, we've taken a look at how to perform both passive and active reconnaissance techniques manually; let's take a look at how to automate all of these tests using automated recon frameworks like recon-ng, Amass, Sn1per, etc. So let's move on to how to use the Sn1per framework; I'll see you there then. All right, so the Sn1per framework is a fantastic reconnaissance framework. As you can see, it's the ultimate all-in-one offensive security framework. It allows you to perform various forms of reconnaissance, both active and passive, and I'll be taking you through both. I'm not going to be going through the web interface because I think it's very important to actually go through how to use it
using the command line. But what you can do to use it is simply just clone the repository; the GitHub link for this framework or this tool will be in the description section, and I'm just going to clone it here into my recon directory that I created for this video. So it's going to clone it, and based on your internet connection it's going to take a few seconds to a few minutes. So that is done; I'm just going to head over into the directory here, and now you need to install it. To install it, all you need to do is simply type in sudo bash, because it has issues with Z shell if you are using Z shell, and just use the install.sh bash script and hit Enter. It's going to tell you that it's going to install it under /usr/share/sniper; that is okay. Do I want to continue? I'm going to hit Enter, and it's going to then install the various dependencies that it requires. So I'm just going to let this go through the installation process. All right, so Sn1per is done installing all its dependencies, and it says done, so to get started just type in sniper and we should be good to go. As I said, Sn1per is quite an extensive framework, and that is of course demonstrated on the GitHub repository. It gives you the usage instructions here, and we're primarily going to be focused on stealth, or passive, recon with Sn1per and active recon. So for example, let me just minimize this, we can start our first scan with Sn1per. If it's installed we should be able to access it directly from here, so let me just type in sniper; let's see if that works. That must be run as root, all right, so I'm going to say sudo sniper. All right, so that's working, that's fantastic. Let's open up the help menu, or let's display the various help options. Now, as I said, the tool is quite extensive; let's start off by performing an
active reconnaissance with Sn1per, and we're going to be targeting a domain. So a simple scan that we can run is where we specify the target with the -t option: we can say sniper -t hackersploit.org, and let me just run that as root. So there we are, scanning hackersploit.org, and it's going to run various checks: it's going to gather DNS information, it's going to ping the host, and it's going to check for open ports, HTTP ports, so it's going to run a wide variety of scans here. The great thing is that the results are going to be stored for us, and then we can of course analyze the results to identify any important information. So I'm just going to let this complete, and as you can see it's utilizing techniques that we did manually, which is great, but it's automating all of it, so that's fantastic. You can see it's running the WhatWeb command here. So again I'm just going to let this complete the scan. All right, so the scans are done, and I've run the scans for both zonetransfer.me and hackersploit.org, and that is how to perform active reconnaissance with Sn1per. Now, the reason why I'm not taking you through the results right now is because I actually want to take you through the passive reconnaissance phase, and then I'll show you how to access the results and the reports so that you can then identify the information that's pertinent to you. So in order to perform a stealth scan, or passive reconnaissance, we simply again type in sniper (let me just make sure to add the prefix sudo there), and again we specify the target; in this case we can just say zonetransfer.me, and then in this case we're running a stealth scan, so we change the mode now to stealth. And if we want to perform OSINT and recon mode we use the -o and -re flags, and that is again going to perform recon from all sources. So we hit Enter,
and again, as I said, this is now passive reconnaissance, so it's not going to interact with the target, which is something that you want to be very careful with, because if you're performing active recon with Sn1per it's going to perform a lot of checks; it's going to actively engage with the target, so perform Nmap scans, directory brute forcing, so on and so forth. So again I'm just going to wait for this to complete, and then we'll take a look at how to access and then of course analyze the reports, and after that's done we're going to move on to the next tool that I wanted to cover, which is Amass. So I'm just going to let this complete the scan. All right, so the scan is complete; that was the passive scan, and it's going to tell you when you complete the scan that the reports are going to be saved in /usr/share/sniper/loot/workspace and under the domain, so if you have multiple domains they're going to be separated, which is great. So you can access it by opening that particular folder. It also creates a shortcut to the Sn1per directory, so you can access it instead of navigating into the /usr/share directory, so that's great. So what we need to do is head over into loot and then workspace, and then zonetransfer.me, and then you can click on reports, and it's going to have all your reports for you. So for example, the stealth scan that I ran, this is an HTML report, so if I double click on that (give that a few seconds) it gives you the report here in sort of a raw format; of course it exported it into XML and then HTML, so you get a fairly readable report here that gives you the results and categorizes them. So for example, if we take a look at the theHarvester results here, you can see that it gives us the IPs, an email here, so pippa@zone
transfer.me, and then the various subdomains here, and then it runs metagoofil and, let's see what else, it also runs urlscan and a few other tools. So there are quite a few utilities and tools that it uses, and it automates this entire process and gives you comprehensive results that are actionable, and you can go through them and analyze them. Of course this was the passive scan. So that's essentially how to perform reconnaissance, both active and passive, with Sn1per. As I said, there are much more advanced options that allow you to also target web applications, but as I said, what it's doing really is just automating all the manual processes that we did earlier and giving them to you in a format that's understandable. So definitely check that out; as I said, I will be making a video on how to use Sn1per and I'll be taking a look at all the advanced options. That being said, let's move on to the next tool that I wanted to cover, which was Amass. All right, so this is the GitHub repository for Amass; the link to it will be in the description section, you can check it out. So just a brief description here: the OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. So this is a list of all the techniques that can be utilized, and we'll be taking a look at how to use it. On Kali Linux you can install it by using the aptitude package manager, as it is a package in the Kali repos, so installing it should be fairly simple; all you need to do is say sudo apt-get install amass, and you hit Enter. I already have it installed, so let's take a look at how to use it for reconnaissance. We'll start off with passive reconnaissance, and I'll just open up the help menu here, and you can see that Amass utilizes subcommands
that differentiate functionality, or are used to categorize functionality. So for example you have the intel subcommand, which is used to discover targets for enumeration. You also have the enum subcommand, which is used to perform enumeration and network mapping. You then have viz for visualizing enumeration results. You can then track the differences between enumerations using the track subcommand, etc. So let's start off by using the intel subcommand, and the information that we're going to be enumerating first is going to be whois information. So I can say amass, and then I specify the subcommand, which in this case is intel, and then I say whois, and I can then specify the domain, so zonetransfer.me, and then I can specify the output directory. We are currently working within my recon folder, so we'll just call it zonetransfer; I think that should be fairly simple, so that we can identify it later or we can utilize it, because the output files are going to be very important, as I'll be taking you through the process of using the visualize subcommand to create various reports. But in this particular case let's see what this is able to enumerate. So I'll hit Enter, and we're going to give that a few seconds here, and let's see what information we can obtain. Of course I'm taking you through a simple process first, so whois is a fairly simple command there. But if we actually take a look at the zonetransfer folder, so I'll just list out the files within zonetransfer, you can see you have the amass.log and amass.txt files there. So that's how to perform a simple intel scan. Now, in our case we want to perform
enumeration, so we are going to be using the enum subcommand. So we're going to say amass enum and we then specify the domain, which in this case again we're just going to say zonetransfer.me (hopefully I can type it in correctly), and we hit Enter, and that's going to enumerate information for us. Now of course, as I said, this is something that you pretty much want to be outputting into the output directory so that we can actually view it later on. But let's just run this scan here and let's see the results we're able to identify. If we head over to the GitHub repository you can see there's a user guide here that's very, very useful and that'll take you through the process of utilizing the utility. So for example, in this case here, the most basic use of the tool for subdomain enumeration, which is exactly what we've done here. It just gives you an idea of each of the subcommands and what they do, and all the various commands or flags under each of these subcommands; for example, for the intel subcommand, these are all the flags that you can use, as we just did with whois, and then of course you have the enum subcommand, so on and so forth. So you can take a look at that for more information regarding the various subcommands, how they work, and the various options available under those subcommands. All right, so Amass has completed enumerating information pertaining to this particular domain, which in this case is zonetransfer.me, and you can see all the subdomains it was able to identify, and then it provides us with the subdomain names and the network blocks here. So for example, early on we were able to identify the network block that's used primarily, and it also provides us with the other ones, and this information can be very useful if the server that's hosting the website is part of a larger
network. So you can see that here, this is the network block, and that can be useful, as I said, for targeting or initial access. So that was how to perform a simple enum scan with Amass. Now you can also run a bit more of an advanced type of scan that will display relevant information. So for example, if we wanted to display sources and IP addresses, we can also do that. We'll run the same command, but in this case what we'll change is we'll also say we want the sources and the IP addresses, and we then want to output it; so again we're saying the output directory is just going to be zonetransfer, and we can just hit Enter. I'm just going to wait for this to complete, and then once that is done I'll take you through the viz subcommand and how you can use that, but we can also take a look at a few active enumeration or active recon techniques with Amass. So I'm just going to let this complete. All right, so the scan is complete, and in this case it provided us with the IP addresses as well as the sources, as you can see here. When it was enumerating subdomains it gives you the source, so for example here we have the source crt.sh; it provides us with the domain and the IP for that domain or subdomain, and for example here with Riddler we're able to identify a subdomain, owa.zonetransfer.me, and it provides us with the IP address there. So this is very, very useful when you want to display the source and IP address, and we have this particular output saved for us. Let's take a look at one active reconnaissance technique, or one technique that I typically utilize with Amass, and that is to perform subdomain brute forcing, as it were. We can do that with Amass: we simply type in amass and we say enum, we're using the enum subcommand here, and we then specify the domain, so we can
say zone transfer dot me and we can then specify again the source and the ips that is information that's very useful and then we specify the brute option and again the output directory which in this case is going to be zone transfer and that's going to perform subdomain brute forcing and right so we can run that here and i think i got that spelled incorrectly so let me just type the zone transfer domain correctly there there we are zone transfer dot me and that's going to then begin the subdomain brute forcing right so again we can let that scan run although as i said i don't want to do that right now so we can actually take a look at uh how to use the viz um let me just head over to the github repository let's take a look at how to use the viz sub command the this sub command is used to create enlightening and network graph visualizations that add structure to the information gathered this sub command only leverages the output directory and the remote graph database settings from the configuration file right so in conjunction with the vis sub command we can output uh our results into the following formats and number one we can output it into a d3 format which is what we're going to do and that's again d3.js you can do some research on that but it essentially provides you with a very useful a graph as i'll take you through in a few seconds and then you have the gexf which is output to graph exchange xml format you can also output it to multigo if you want to import data from multigo or if you want to output data that can be used in multigo you can also export or output the results into viz.js or as it says here in the description output html that employs vsjs and it gives you the examples that you can utilize so again as i said i don't i don't want to perform any brute forcing so i'm just going to terminate that scan there and um i'm just going to clear up my terminal and if we want to again list out our reports we can utilize the database so we can say a mass db 
and we then specify the directory which in this case our output is also stored in the zone transfer directory and then we can simply say list and that will show us the various uh the various results or reports here so we can use these reports and we can of course generate visual reports from them so we can say a mass viz and of course we specify the directory where our reports or results are stored in this case zone transfer and we are putting it to d3 so we hit enter and now if we head over into zone we can actually see the file there so a mass d3 html and we can open that up so i'm just going to head over to that directory so desktop and recon and amasd3.html and that outputs the results for us in the d3 format so again to essentially get a an understanding of what's going on here you can see that it's quite disorganized at the moment that's primarily because we haven't performed uh you know enumeration well but uh if we can look for um the the scan that we did complete the passive scan here uh let's see those are dns so that's dns there let's see if we can find one interesting here uh the interesting results that we can actually analyze we can see we have the a records here and you can hover over it to provide you with the sub domain as i said you can you can experiment with the output formats to find one that meets your requirements i just wanted to use this example to demonstrate uh you know the various options available to you so if you if you hover over again i'll just explain the color code really quickly orange provides you with the ip address green is the sub domain and if you hover over pink that's the net block and then dark blue is going to provide you the aans right over there and uh yeah that's uh pretty much it if you hover over red that's going to be the domain uh so there we are we can see zone transfer dot me and then we have the various sub domains here that you can explore and you can again in this particular case explore their uh their links 
and relationships um yeah so that is how to use a mass of uh taking you through the process of uh you know performing active and passive recon and taking a look at a few uh scenarios or techniques that you can utilize when uh performing uh you know uh reconnaissance uh let's take a look at how to uh perform uh passive recon with a recon ng now all right so i'm just gonna clear up my terminal and we are going to open up recon ng recon rng should come pre-packaged with kali linux and i have an extensive playlist that covers uh you know how to use the recon ng framework and you can check that out i'm just going to be taking you through passive reconnaissance and how to utilize the framework right right so when you hit enter you can see it's going to tell you that no modules are enabled or installed that's perfectly fine the first thing you want to do is type in the help command the help command gives you a list of commands that you can utilize so for example the dashboard database marketplace modules options the shell snapshots etc so we are going to firstly look for we're just going to type in help marketplace because we need to install modules so i'm just going to say help marketplace and it says the usage instructions are printed here so marketplace install refresh remove search so we can search for a particular for a particular module however we can also we can also leave the search we can also not provide a search keyword here and that's going to display all the modules available so they're sorted similarly to metasploit modules in the sense that you know they're sorted by functions so discovery recon and you have a few others here reporting right so for for example if we take a look at the recon modules uh like um let's see if we're if we are interested in who is information we can actually just use the marketplace search feature and say who is right and we can search for a module that meets our requirements so for example we can use the whois miner so if we 
want to install this module we can install it by typing in marketplace marketplace install and then we provide the module name there that's going to install the module for us and then we can then use the modules um command and then we can search for a module so for example uh we can say module search and we can see the modules that are installed or you can type in a keyword and to use this module we simply say modules modules and we then say load and paste in the module name there and you can see it's now uh it's now active as it's going to be encapsulated in brackets there and we can now list the options menu here so options we can say options list and the only option we we need to change in this case is the current value which we can set to we can say set source um or in this particular case we can open up the help menu to display the um to display the various options uh if you want to know more about a particular module you can type in info and you can see that you can uh what all the source options are used for so for example the default the default value or rather the source key that we need to change here is where we specify the uh the company details now of course we need to interact with the database to a certain degree here uh and i'll just take you through that in a second but that's the the process of searching for a module uh installing it and then loading it now of course when it comes down to using it and in this case this is a a passive reconnaissance technique because we are you know looking for um essentially trying to perform or look up who is information for a particular domain um if we list out the options here let's see uh let's take a look at uh one important option that i need to cover which is the database right so if we take a look at the database options here so database insert we can of course query the database we can delete entries from the database etc uh but in this case uh we we can essentially add a company or an organization add 
their domain and then have that um or actually set the the company details here and then we can run this particular module alternatively you can also create a a workspace so for example if i say workspaces let me open up the help menu here if i say we can actually yep it's the dashboard no yeah i think we have the workspace option here but you can specify the default workspace or uh you can create another one so now that that is clear as i said if you want to learn more about this framework you can check out our videos on that let's actually take a look at how to run this particular module all right so in this case we're going to be using um the zone transfer dot me domain so we're going to say options uh set and we're going to set the source uh to our domain so zone um transfer dot me and we then hit enter and if we then options list similar to metasploit you can see that the value for the source is set correctly and then we hit run and that is going to perform a who is look up there and you can see it's not going to display any information there we can also run this on another domain let's try our own domain here hackersploit.org right and we run that again so no no information found and again i just wanted to take you through uh the um the process of searching for a module installing it loading it and then setting the uh the source and then running it and now that we know how to use it let's actually search for a few modules that are useful so marketplace um we can actually exit from here and we'll just uh we'll just reload recon ng again so i'll just start it up again there and we will then say marketplace search and we can you know search for dns for example uh it's you can see these are the modules available as i said if you want to list all the modules available uh this is the way to do that but let's look for something that's interesting or a module that can provide us with useful information one of them that i really like or that's very useful is the built 
with module we also have brute hosts there which is an active reconnaissance module um you also have let's see you have the uh who is a pocs module which i believe also works quite well so let's try that marketplace uh install uh we'll then say modules load and we then paste that in there and then options list and we set we can actually say options set uh we set the source to zone transfer dot me and we hit enter now in some cases uh these modules may know may not work as you can see here or may not provide you with any useful information which is why we're going through some of the some of the useful ones here so you can also utilize nmap mass scan and any other results here so you can import results from any of these tools here i just wanted to explain that or so there's also the um the module the discovery module here that essentially finds interesting files pertaining to a particular source or domain but there is one that i wanted to highlight here which was a very very useful and i frequently utilize it when whenever i'm using recon ng and let me just see if i can identify it we're going to find it here uh yeah the netcraft module so we can say marketplace we can actually just take a step back here and we can say marketplace install paste in the module name there so modules load and then we paste in the name of the module there so options list and we set us option set set and uh we then say set the source to uh we can again just run zone transfer dot me we hit run and that's going to try and enumerate information from zone transfer as i said before some of the modules may not work based on changes with the you know for example apis for particular sites but in any case i wanted to take you through the process of how to utilize recon ng for a passive and active reconnaissance as i said all the functionality is limited to the to the various modules that are available here you also can create your own modules based on the functionality the functionality that you 
want to actually provide or that you want to have with recon ng and yeah that's essentially how to use recon ng all right so that is pretty much all that i wanted to cover in this particular video now that you have an understanding of the various ways techniques and tools that you can utilize to of course perform reconnaissance on your targets your target networks the target organization we can move on to the next video video which will actually cover the process of exploiting the target systems and we'll talk about setting up a c2 server various exploitation methods of vectors from phishing to others and we'll explore all of that in the next video so i'll see you there a huge thank you to all of our patreons your support is greatly appreciated and this is a formal thank you so thank you shamir douglas ryan carr sandor michael busby sits up doozy defean barry dustin on president michael hubbard your support is greatly appreciated and you keep us making even more high quality content for you guys so thank you [Music] you
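The video reads the amass output by eye: which source (crt.sh, Riddler, brute forcing) reported which subdomain, and which addresses fall inside the netblock amass identified for the domain. The following is an added example, not code from the video or from the amass project, that does that reading programmatically so the results of an `amass enum -d zonetransfer.me -src -ip -dir zonetransfer` run (amass v3 flag syntax, the version current when the video was made) can be triaged before the `amass db -dir zonetransfer -list` and `amass viz -dir zonetransfer -d3` steps. The sample lines and the netblock list are constructed (RFC 5737 documentation addresses), and the `[Source] name ip1,ip2` line layout is an assumption about how `-src -ip` prints; adjust `LINE_RE` if your version differs.

```python
"""Added example (not from the video or the amass project): summarise amass
`enum -src -ip` output by source and by netblock.

Assumptions: input lines look like "[Source]  name  ip1,ip2" (amass v3 style
with -src -ip); adjust LINE_RE if your version differs. The sample output and
the netblock list below are constructed, not real scan results.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, imitating `amass enum -d zonetransfer.me -src -ip`.
SAMPLE_OUTPUT = """\
[Crt.sh]          www.zonetransfer.me 192.0.2.10
[Crt.sh]          owa.zonetransfer.me 192.0.2.11
[Riddler]         owa.zonetransfer.me 192.0.2.11
[DNS]             mail.zonetransfer.me 198.51.100.7
[Brute Forcing]   dev.zonetransfer.me 192.0.2.12,198.51.100.8
[Crt.sh]          cname-only.zonetransfer.me
"""

# Constructed: the netblock amass reported as the primary one for the domain.
SAMPLE_NETBLOCKS = ["192.0.2.0/24"]

# "[Source]" then the name, then an optional comma-separated address list.
LINE_RE = re.compile(
    r"^\[(?P<src>[^\]]+)\]\s+(?P<name>\S+)(?:\s+(?P<ips>\S+))?\s*$"
)


def parse_amass(text):
    """Parse -src -ip style lines into (source, name, [ip, ...]) tuples.

    Lines that do not match (status banners, blank lines) are skipped rather
    than raising, because amass mixes progress output into the same stream.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ips = [ip for ip in (m.group("ips") or "").split(",") if ip]
        records.append((m.group("src"), m.group("name"), ips))
    return records


def sources_per_host(records):
    """Map each subdomain to the set of data sources that reported it.

    A name seen by several independent sources is better corroborated than
    one that only a brute-force wordlist produced.
    """
    seen = defaultdict(set)
    for src, name, _ in records:
        seen[name].add(src)
    return dict(seen)


def hosts_by_netblock(records, netblocks):
    """Group subdomains by the netblock their addresses fall into.

    Names resolving outside every listed block go under "outside"; a name
    with addresses in several places appears in each group; names with no
    address at all go under "unresolved".
    """
    nets = [ipaddress.ip_network(b) for b in netblocks]
    groups = defaultdict(set)
    for _, name, ips in records:
        if not ips:
            groups["unresolved"].add(name)
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            block = next((str(n) for n in nets if addr in n), "outside")
            groups[block].add(name)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_amass(SAMPLE_OUTPUT)
    for name, srcs in sorted(sources_per_host(recs).items()):
        print(f"{name:32} sources: {', '.join(sorted(srcs))}")
    for block, names in sorted(hosts_by_netblock(recs, SAMPLE_NETBLOCKS).items()):
        print(f"{block:16} {', '.join(sorted(names))}")
```

Run it against a saved amass text file instead of `SAMPLE_OUTPUT` to get the same two views the video builds by hand; the "outside" group is the one worth a second look, since a subdomain that resolves into someone else's address space (a cloud provider, a third-party host) is outside the scope the main netblock suggests.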
Info
Channel: HackerSploit
Views: 17,462
Keywords: hackersploit, hacker exploit, hacking, kali linux, red team, red team vs blue team, red team village, red team recon, red team reconnaissance, red team information gathering, information gathering, information gathering tools kali, red teaming, what is a red team, red team hacking, mitre caldera tutorial, mitre att&ck, mitre, cyber security, cybersecurity, red team hacking course, red team hacking academy, red team hacking tools, hacker, ethical hacking
Id: BWaGnsRirtU
Length: 87min 8sec (5228 seconds)
Published: Sat Oct 30 2021