Week 1 Passive Recon (SEC 335) - Chromosom3/TechNotes GitHub Wiki
Reflection
This was the first week in the Ethical Hacking and Penetration Testing course. We haven’t gotten into too much hands-on work yet, but I expect that to change this coming week. Right now we are just setting up our environments and learning the foundations of ethical hacking, which makes sense. The main things we discussed this week were the rules surrounding ethical hacking and then passive recon. For more information, see the section below on passive recon.
Kali Setup
For this class, we will be using a Kali Linux virtual machine to access the target network. To access the Kali system we will be using Chrome Remote Desktop to connect directly to the VM. This means there is no need for a VPN, VMware Horizon, or VMware vCenter. Installing and configuring Chrome Remote Desktop is relatively simple, and all that is required is a Google account. Once you have your Google account and Chrome set up, navigate to remotedesktop.google.com/access. From here, select the blue download button under the “Set up remote access” section. You will then add the extension from the Chrome Web Store, and an installer file should be downloaded automatically. The process is the same for Windows and Linux. Once the installer downloads, run it and install the program. Finally, name your system in Chrome Remote Desktop and set a PIN. Once complete you should see a page similar to the one below.
Now that we have remote access to the virtual machine, we need to configure it to access the target network. To do this we will be using WireGuard, a VPN solution. To install WireGuard, run `sudo apt install wireguard -y`. With WireGuard installed you can now begin to configure it. To do so, copy the provided WireGuard configuration file to `/etc/wireguard` (wg-quick expects it at `/etc/wireguard/wg0.conf` for the `wg0` interface used below). The file should look something like the image below.
Now that the configuration file is in the correct location, we can run `sudo wg-quick up wg0` to create the interface and set up the connection to the target network.
Passive Recon
Passive recon is using publicly available information to obtain intelligence on a target. This is also known as Open Source Intelligence (OSINT). The following items are included in passive recon.
- Domain Registration: You can look up the owner of a domain to get some information on the individual or organization. This includes things like their email, phone number, and mailing address. You can use either the command line utility `whois` or the ICANN lookup online [link].
- IP Address Registration: Similar to domain registration, you can look up the owner of an IP address. You can use DNS Check [link] online to get a lot of information on the organization that owns the IP address space.
- Google Hacking: Google hacking, also referred to as Google dorking, is the process of using search engine operators to refine a search. You can use operators such as `"`, `site:`, and `inurl:` to define your search with stricter parameters. The Google Hacking Database [link] is a great resource to see a large variety of Google dorks.
- Shodan: Shodan [link] is an Internet of Things search engine. It lets you enter an IP address and see what services might be running there or what kind of device is there. The website even has filters for you to find routers, FTP servers, cameras, etc. This tool also allows you to distance yourself from the target in your recon: the target doesn’t see that you scanned them, they see that Shodan scanned them.
- TheHarvester: This is a command line utility to query multiple search engines at once. It is available on GitHub [link] and comes preinstalled on Kali [link].
- Netcraft: This is a company that provides cybercrime disruption services. You can use their site to obtain technical reports on other websites.
- Metagoofil: Similar to TheHarvester, Metagoofil is a command line utility for passive recon. This tool is used to perform metadata analysis of public files. It is also available on GitHub [link] and comes preinstalled on Kali [link].
- IntelTechniques: Michael Bazzell, the author of the book titled “Open Source Intelligence Techniques”, has provided a lot of the tools he has created for OSINT on his website [link]. These tools are free of charge and can be used to collect information on domains, IP addresses, names, telephone numbers, images, vehicles, and social media accounts.
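As an added example for the Domain Registration item above (not code from the original wiki page), here is a small parser that turns raw `whois` output into the fields you would actually want from it, and flags contact fields that the registrar has redacted, which is common today. The sample output is constructed for a reserved `.test` domain and the label names in `FIELDS` assume the usual `Key: Value` whois layout.

```python
import re
# Constructed sample resembling `whois` output for a reserved .test domain (not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T14:12:00Z
Registry Expiry Date: 2026-03-02T14:12:00Z
Registrant Organization: Example Corp
Registrant Email: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Admin Email: admin@example.test
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""
# Result keys mapped to the "Key: Value" labels commonly seen in whois output (assumed layout).
FIELDS = {
    "registrar": "Registrar",
    "created": "Creation Date",
    "expires": "Registry Expiry Date",
    "org": "Registrant Organization",
    "registrant_email": "Registrant Email",
    "registrant_phone": "Registrant Phone",
    "admin_email": "Admin Email",
    "dnssec": "DNSSEC",
}
LINE_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_whois(text):
    """Return the FIELDS values, the name server list and which fields were redacted."""
    kv, name_servers = {}, []
    for line in text.splitlines():
        # Skip the registry's trailer and anything that is not "Key: Value".
        if line.startswith(">>>") or not (m := LINE_RE.match(line)):
            continue
        key, value = m.group(1), m.group(2)
        if key.lower() == "name server":
            name_servers.append(value.lower())
        elif key not in kv:  # keep the first occurrence of a repeated label
            kv[key] = value
    result = {name: kv.get(label) for name, label in FIELDS.items()}
    result["name_servers"] = name_servers
    # Registrars commonly redact contact data; report it as missing rather than as a value.
    result["redacted"] = [n for n, v in result.items() if isinstance(v, str) and "REDACTED" in v.upper()]
    for name in result["redacted"]:
        result[name] = None
    return result
```

Run it on the output of a real `whois` lookup by passing that text to `parse_whois`; the `redacted` list tells you which contact details you will not get from registration data alone.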