Posted on

Beginner's guide to Recon-ng

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about OSINT. In this article, you will learn about Recon-ng, an OSINT gathering tool.

Recon-ng is an open-source intelligence gathering tool aimed at reducing the time spent harvesting information from open sources. It is a full-featured reconnaissance framework designed to gather OSINT information very quickly.

Let’s see how this tool works. For this, we will be using Kali Linux, as Recon-ng is installed on it by default. The tool can be started using the command shown below.

recon-ng

As you can see in the images above, the interface of Recon-ng is similar to that of Metasploit. It has been designed this way to reduce the learning curve. Recon-ng lets you organise your work into workspaces. To create a new workspace, use the command shown below.

workspaces create <name of workspace>

For example, we have created a new workspace named “hc_test”. The various framework items of Recon-ng that are useful to us can be listed with the command shown below.

show

For this tutorial, let’s gather information about a domain. To do this, we first need to add the domain to the workspace database. This can be done using the command shown below.

db insert domains

Now, you can see the domains you added using the command shown below.

show domains

Other items can be added and viewed in the same way. Just like Metasploit, Recon-ng has various modules, each performing a specific function. You first need to install these modules into Recon-ng before you can use them. The modules are found in the ‘marketplace’ and can be viewed using the command shown below.

marketplace search

This will list all available modules. Scrolling through the full list for the module we want can be laborious and in some cases nothing less than searching for a needle in a haystack. But don’t worry: you can narrow the listing with a search term. For example, let’s search for Whois-related modules. This can be done as shown below.

marketplace search <search term>

From here, you can install any module you want. This can be done using the command shown below. For example, let’s install the recon/domains-contacts/whois_pocs module.

marketplace install <module>

Other modules can be installed from the marketplace in the same way. Once they are installed, you can list all installed modules using the command shown below.

modules search

To load a module, we use the command shown below.

modules load <module_name>

For example, let’s load the module we just installed.

Once the module is loaded, you can view information about it using the “info” command, as shown below.

As the module description above says, this module retrieves point-of-contact (POC) data for a domain from Whois records. Since we have already added a domain, all you have to do is execute the module with the “run” command.

As you can see, the module retrieved contact information belonging to the domain we queried. This information contains the first names, last names and email addresses of 46 contacts belonging to the domain (the retrieved data has been hidden for the purpose of privacy). This information can be useful while phishing or spear-phishing our targets.
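Recon-ng keeps everything a module collects in the workspace database rather than only on screen, so the practical next step after `run` is to pull the contacts out, de-duplicate them and see how many belong to the target domain versus a registrar or privacy proxy. The script below is an added example, not code from the post or from the Recon-ng project. It assumes the workspace database lives at `~/.recon-ng/workspaces/<workspace>/data.db` and that the `contacts` table has the columns listed in `CONTACTS_SCHEMA`; both are assumptions, and the in-memory workspace it builds is filled with made-up contacts so it runs offline.

```python
import sqlite3
from collections import Counter
from pathlib import Path

# Hypothetical location of a Recon-ng v5 workspace database (an assumption,
# not taken from the post): ~/.recon-ng/workspaces/<workspace>/data.db
WORKSPACE_DB = Path.home() / ".recon-ng" / "workspaces" / "hc_test" / "data.db"

# Assumed column layout of the 'contacts' table that whois_pocs populates.
CONTACTS_SCHEMA = """
CREATE TABLE IF NOT EXISTS contacts (
    first_name TEXT, middle_name TEXT, last_name TEXT, email TEXT, title TEXT,
    region TEXT, country TEXT, phone TEXT, notes TEXT, module TEXT
)"""


def open_workspace(path=WORKSPACE_DB):
    """Open a real workspace database read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def constructed_workspace():
    """In-memory stand-in for a workspace, filled with made-up contacts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CONTACTS_SCHEMA)
    rows = [
        ("Alice", None, "Example", "alice@example.com", "Admin", None, "US", None, None, "whois_pocs"),
        ("Bob", None, "Example", "BOB@Example.com", None, None, "US", None, None, "whois_pocs"),
        ("Bob", None, "Example", "bob@example.com", None, None, "US", None, None, "whois_pocs"),
        ("Carol", None, "Registrar", "abuse@registrar.example", None, None, "GB", None, None, "whois_pocs"),
        (None, None, None, None, None, None, None, None, None, "whois_pocs"),
    ]
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    return conn


def export_contacts(conn, target_domain):
    """Return (in_scope, out_of_scope) lists of unique (name, email, module) tuples.

    Emails are normalised to lower case so the same person collected twice is
    reported once; contacts whose address is not under the target domain
    (registrar, privacy proxy) are separated out."""
    cur = conn.execute(
        "SELECT first_name, last_name, email, module FROM contacts WHERE email IS NOT NULL"
    )
    seen, in_scope, out_of_scope = set(), [], []
    for first, last, email, module in cur:
        email = email.strip().lower()
        if email in seen:
            continue
        seen.add(email)
        name = " ".join(part for part in (first, last) if part)
        bucket = in_scope if email.endswith("@" + target_domain.lower()) else out_of_scope
        bucket.append((name, email, module))
    return in_scope, out_of_scope


def summarize(conn, target_domain):
    """Counts a defender can act on: how many contacts are exposed, and from which mail domains."""
    in_scope, out_of_scope = export_contacts(conn, target_domain)
    by_domain = Counter(email.split("@", 1)[1] for _, email, _ in in_scope + out_of_scope)
    return {"in_scope": len(in_scope), "out_of_scope": len(out_of_scope), "by_domain": dict(by_domain)}


if __name__ == "__main__":
    db = constructed_workspace()  # swap for open_workspace() against a real workspace
    print(summarize(db, "example.com"))
```

Against a real workspace, swap `constructed_workspace()` for `open_workspace()`. The in-scope count is the number of people whose details are exposed through public Whois records, which is the figure worth reporting back to the domain owner.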

In the same manner, we can retrieve other OSINT information using recon-ng. Next, learn how to perform OSINT using Maltego.


Complete guide to Subfinder

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what footprinting is and the various techniques used for it. In this blogpost, you will learn about subfinder, a tool that helps us with footprinting.

Subfinder is a subdomain discovery tool that queries public sources and returns valid subdomains for a given domain or website. It is a simple tool that relies on passive subdomain enumeration for this purpose.

Let’s see how to use this tool to perform subdomain enumeration. For this, we will be using Kali Linux as our attacker machine. Subfinder can be installed on Kali as shown below.

The simplest way to use subfinder to enumerate the subdomains of a particular domain is shown below.

Specify multiple domains at once (-dL)

This tool can also query multiple domains at once. You supply these domains in a file. For example, let’s create a new file “Domains.txt” and add domains to it as shown below.

This file can be provided as input to subfinder as shown below.

View all the sources of this tool (-ls)

Subfinder collects information from a number of sources like AlienVault, Anubis, Censys, Shodan etc. You can view all the sources the subfinder tool queries using the command given below.

Query a single source (-s)

You can tell subfinder to query only particular sources using the -s option, as shown below. For example, let’s specify just GitHub and Anubis as sources.

Query all the sources (-all)

We can also make the tool query all of its sources using the “-all” option.

Exclude some sources (-es)

We can also exclude some sources, as shown below. For example, let’s exclude GitHub.

Display the source this tool queried in results (-cs)

The “-cs” option includes, next to each subdomain in the output, the source it was collected from, as shown below.

Saving output (-o)

You can save the output of this tool to a file as shown below.

Silent mode (-silent)

In this mode, subfinder prints only the subdomains it found and nothing else, which makes the output easy to feed into other tools.
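Subfinder can also write its results as one JSON object per line (its -oJ option), which is the form you want when combining -cs source information with a saved output file. The script below is an added example, not code from the post or from the subfinder project: it parses such output, lower-cases and de-duplicates hosts, keeps only names that really are under the target domain (so `example.com.evil.test` is rejected), drops wildcard entries, and sets malformed lines aside instead of crashing. The field names `host`, `input` and `source` are an assumption about the JSON format, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of subfinder's JSON-lines output (-oJ with -cs); the exact
# field names "host", "input" and "source" are an assumption about the tool's
# format, and the records themselves are made up.
SAMPLE_OUTPUT = """\
{"host":"www.example.com","input":"example.com","source":"crtsh"}
{"host":"mail.example.com","input":"example.com","source":"anubis"}
{"host":"www.example.com","input":"example.com","source":"alienvault"}
{"host":"Dev.Example.COM","input":"example.com","source":"github"}
{"host":"example.com.evil.test","input":"example.com","source":"github"}
this line is not JSON
{"host":"*.example.com","input":"example.com","source":"crtsh"}
"""


def in_scope(host, domain):
    """True only for the apex itself or a real subdomain of it (not example.com.evil.test)."""
    return host == domain or host.endswith("." + domain)


def parse_subfinder_jsonl(text, domain):
    """Return ({host: set(sources)}, [rejected lines]).

    Hosts are lower-cased and de-duplicated, wildcard entries and out-of-scope
    names are dropped, and malformed lines are kept aside rather than crashing
    the run."""
    domain = domain.lower()
    hosts, rejected = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            host = rec["host"].strip().lower()
            source = rec.get("source", "unknown")
        except (ValueError, KeyError, AttributeError, TypeError):
            rejected.append(line)
            continue
        if host.startswith("*.") or not in_scope(host, domain):
            rejected.append(line)
            continue
        hosts.setdefault(host, set()).add(source)
    return hosts, rejected


def by_source(hosts):
    """How many unique in-scope hosts each source contributed."""
    counts = defaultdict(int)
    for sources in hosts.values():
        for src in sources:
            counts[src] += 1
    return dict(counts)


def single_source_hosts(hosts):
    """Hosts reported by only one source: confirm these (e.g. resolve them) before acting on them."""
    return sorted(h for h, s in hosts.items() if len(s) == 1)


if __name__ == "__main__":
    found, bad = parse_subfinder_jsonl(SAMPLE_OUTPUT, "example.com")
    print(sorted(found), by_source(found), single_source_hosts(found), len(bad))
```

The per-source counts tell you which sources are actually earning their place in a -s list, and the single-source hosts are the ones most likely to be stale certificate-transparency or archive entries, so they deserve a resolution check before they go into a report.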


Complete guide to the Sherlock tool

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what OSINT is, its importance in ethical hacking, the different types of OSINT, etc. In this blogpost, you will learn about Sherlock, an OSINT tool.

Sherlock’s role in OSINT is gathering information from social media. It works by hunting for a particular username across many social networks. It relies on a design feature common to social media sites: when a user registers an account, the site gives them a profile URL that contains their username.

Sherlock requests that URL for each site and uses the response (the status code or the page content) to decide whether an account with that username exists there. Sherlock can search for users on over 300 social networks, including Apple Developer, Arduino, Docker Hub, GitHub, GitLab, Facebook, Bitcoin Forum, CNET, Instagram, Play Store, PyPI, Scribd, Telegram, TikTok, Tinder, etc.

Let’s see how this tool works. For this I will be using Kali Linux, which has Sherlock in its repository. You can install Sherlock on Kali as shown below.

The simplest way to query a username with Sherlock is to just supply the username.

Searching on a particular social media site

Instead of searching for a username on all the social media sites, you can check for a username’s presence on a single site, as shown below. For example, let’s search for a username on Twitch.

Searching for similar usernames

Sometimes, the username a person uses may differ slightly from the one we know. We can also search for such similar usernames with this tool, as shown below.

Here, {?} is replaced in turn with an underscore (_), a hyphen (-) and a period (.).
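The two mechanisms described above, the per-site profile URL check and the {?} expansion, fit in a few dozen lines, and seeing them together makes it clear why the tool reports false positives on sites that answer 200 for missing users. The script below is an added example, not code from the post or from the Sherlock project. The site table, its URL patterns and detection rules, and the `fake_fetch` stand-in for HTTP are all constructed so it runs offline; the defender’s use here is checking whether an organisation’s brand handle (and its underscore/hyphen/period variants) has been claimed on each platform.

```python
from urllib.parse import quote

# Constructed site table in the spirit of Sherlock's site list; the names, URL
# patterns and detection rules are made up for this example.
SITES = {
    "ExampleHub": {"url": "https://hub.example/{}", "error_type": "status_code"},
    "ExampleChat": {"url": "https://chat.example/u/{}", "error_type": "message",
                    "error_msg": "User not found"},
}


def expand_username(pattern):
    """Expand the {?} placeholder the way Sherlock does: every {?} becomes '_', '-' or '.'."""
    if "{?}" not in pattern:
        return [pattern]
    return [pattern.replace("{?}", sep) for sep in ("_", "-", ".")]


def check_username(username, sites, fetch):
    """Classify each site as 'claimed', 'available' or 'error' for one username.

    fetch(url) must return (status_code, body). A site is judged by its
    error_type: either a non-2xx status means no such user, or a known
    'not found' message in the body means no such user."""
    results = {}
    for name, site in sites.items():
        url = site["url"].format(quote(username, safe=""))
        try:
            status, body = fetch(url)
        except OSError:
            results[name] = "error"
            continue
        if site["error_type"] == "status_code":
            found = 200 <= status < 300
        else:
            found = site["error_msg"] not in body
        results[name] = "claimed" if found else "available"
    return results


# Offline stand-in for HTTP (constructed): these profile URLs "exist".
EXISTING = {"https://hub.example/acme_sec", "https://chat.example/u/acme-sec"}


def fake_fetch(url):
    if url in EXISTING:
        return 200, "<html>profile page</html>"
    if url.startswith("https://chat.example/"):
        return 200, "<html>User not found</html>"  # answers 200 even for missing users
    return 404, ""


def monitor_handle(pattern, sites=SITES, fetch=fake_fetch):
    """Check a brand handle and its {?} variants across all sites."""
    return {u: check_username(u, sites, fetch) for u in expand_username(pattern)}


if __name__ == "__main__":
    for user, res in monitor_handle("acme{?}sec").items():
        print(user, res)
```

To run it against real sites, replace `fake_fetch` with a function that performs the HTTP request with a timeout and returns `(status, body)`; the `"message"` rule is exactly why a per-site error string is needed for sites that never return 404.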

Searching for multiple usernames at once

You can even search for multiple usernames with this tool as shown below. For example, let’s search for “hackercoolmagazine” and “hackercool” on Instagram.

Using a proxy while searching

You can also route your queries through a proxy to stay anonymous.

Dump the entire HTTP response

With this option, we can also see the full HTTP response each site returned while searching.

Timeout

By default, this tool waits 60 seconds for a response to each request it makes while querying for usernames. With the timeout option, this time can be changed as shown below. The value is given in seconds.

Print all the output

By default, Sherlock only prints the social networks where the username was found. With this option, we can see every social network the tool queried and, where the username was not found, the reason why.

Print only positives found

This option prints out all the social networks on which the username is found.

Browse

With this option set, Sherlock opens the profile pages it found in a browser.

Search NSFW sites too

By default, Sherlock doesn’t query NSFW sites while searching for a username. When this option is set, it queries NSFW sites for the username as well.

Writing the output to a file

Like many other tools, Sherlock can save its output to a file of our choice using the “-o” option, as shown below.


Beginner's guide to the theHarvester tool

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail about OSINT. In this blogpost, you will learn about a tool called theHarvester that is used to gather open source intelligence (OSINT) on a company or domain.

Using theHarvester, we can gather information such as subdomain names, email addresses, virtual hosts, open ports, banners and employee names of an organization from public sources like search engines, PGP key servers, IP addresses and URLs.

theHarvester is installed by default on almost all pen testing distros. For this tutorial, we will be using Kali Linux. theHarvester is very simple to use but very powerful during the footprinting stage of a red team assessment or a penetration test. It can take a domain or an organization as its target, as shown below.

theHarvester can list a lot of entries while performing OSINT. You can limit the number of entries displayed, as shown below.

You can also start from a particular entry in the list of results. For example, to start from the 10th entry, use the option shown below.

--shodan

theHarvester also has an option called “--shodan” that queries the Shodan search engine for open ports and banners on the discovered hosts. However, this requires API keys.

--screenshot

This option makes theHarvester take screenshots of the subdomains it finds.

--dns-brute

As the name suggests, this option performs a DNS brute force to discover subdomains of the target.

--source

theHarvester uses many public sources to collect information. Some of them are anubis, baidu, bing, brave, censys, etc. We can also restrict it to a specific source using the “--source” option.

Learn how to perform OSINT using amass or Maltego or Spiderfoot.


Beginner's guide to amass

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail about network footprinting. It is performed to discover the assets of an organization that are exposed to the internet. In this blogpost, you will learn about a tool, amass, that can discover the majority of any organization’s exposed assets.

OWASP Amass is used mainly to find assets mapped to a particular domain: subdomain enumeration, autonomous system numbers (ASNs), etc. Although there are many other tools that can enumerate subdomains (for example gobuster), this tool, as the name suggests, is backed by OWASP. Let’s see how to use it to discover the assets of an organization.

Amass is installed by default in almost all pen testing distros. For this blogpost, we will be using Kali Linux. It doesn’t have a man page yet, but we can see all the options it supports using the help option.

Amass has 5 subcommands as shown below.

Each subcommand has its own help section. For example, let’s see the “intel” subcommand first.

amass intel

The ‘intel’ subcommand is used to discover targets to enumerate later. We can specify an IP address, an IP address range, a domain, etc. as targets to this command.

Apart from these, an ASN can also be specified as the target.

amass enum

This subcommand is used to perform enumeration and network mapping of the discovered targets.

Using it, we can perform DNS enumeration too. All the findings of the “amass enum” command are stored in a graph database located in amass’s default output folder. To enumerate the subdomains of a domain with amass enum, this is the command.

amass enum -d owasp.org -whois

Adding the “-ip” option to the above command also shows the IP addresses of the subdomains discovered.

Amass queries more than 80 sources to collect information. All the sources it queries can be seen using the list flag.
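Once amass enum has mapped subdomains to IP addresses, the useful next step for network mapping is to group the names by the netblock and ASN that host them: that shows which assets sit in the organisation’s own address space and which are on a cloud provider or CDN, and which names no longer resolve at all. The script below is an added example, not code from the post or from the OWASP Amass project. It assumes amass can write one JSON object per line with the fields `name`, `domain`, `addresses` (each with `ip`, `cidr`, `asn`, `desc`), `tag` and `sources`; that layout is an assumption, and the sample records are constructed from documentation IP ranges and private-use ASNs.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of amass enum's JSON output; the record layout
# (name, domain, addresses[ip, cidr, asn, desc], tag, sources) is an assumption
# about the tool's format, and the values use documentation ranges and private ASNs.
SAMPLE_OUTPUT = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64500,"desc":"EXAMPLE-NET"}],"tag":"cert","sources":["CertSpotter"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.25","cidr":"203.0.113.0/24","asn":64500,"desc":"EXAMPLE-NET"}],"tag":"dns","sources":["DNS"]}
{"name":"blog.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.7","cidr":"198.51.100.0/24","asn":64501,"desc":"CLOUD-PROVIDER"}],"tag":"api","sources":["AlienVault"]}
{"name":"old.example.com","domain":"example.com","addresses":[],"tag":"archive","sources":["Wayback"]}
"""


def load_amass_json(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def netblock_summary(records):
    """Group names by (asn, cidr, desc) so the owning networks stand out."""
    blocks = defaultdict(set)
    for rec in records:
        for addr in rec.get("addresses", []):
            net = ip_network(addr["cidr"], strict=False)
            if ip_address(addr["ip"]) not in net:
                continue  # inconsistent record: the IP is not in its own CIDR, don't trust it
            blocks[(addr.get("asn"), addr["cidr"], addr.get("desc", ""))].add(rec["name"])
    return {key: sorted(names) for key, names in blocks.items()}


def unresolved(records):
    """Names with no address: stale DNS or dangling records worth cleaning up."""
    return sorted(rec["name"] for rec in records if not rec.get("addresses"))


def outside_own_asns(summary, own_asns):
    """Netblocks not in the organisation's own ASNs: cloud, CDN or possibly shadow IT."""
    return {key: names for key, names in summary.items() if key[0] not in own_asns}


if __name__ == "__main__":
    recs = load_amass_json(SAMPLE_OUTPUT)
    summary = netblock_summary(recs)
    for key, names in summary.items():
        print(key, names)
    print("unresolved:", unresolved(recs))
    print("third-party:", outside_own_asns(summary, {64500}))
```

Feed it the JSON file amass wrote instead of `SAMPLE_OUTPUT`, and pass the ASNs the organisation actually owns to `outside_own_asns`; anything left over is hosted by a third party and is the first thing to reconcile against the asset inventory.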

Learn how to perform OSINT with theharvester tool.