Securing the public eye

In today’s world, the information an organization shares publicly is more than news or updates; it is also a potential goldmine for cybercriminals. Simple things like contact details or product announcements can be reused in phishing scams or as the entry point for ransomware attacks. This means managing your public information is not just good PR; it is crucial to keeping your business safe from online threats.

Passive reconnaissance is the collection of publicly available information about a target without interacting directly with its systems, so the target sees no unusual traffic. It is part of the reconnaissance phase in ethical hacking.

Different free ways to obtain public information

Google Hacking/Google Dorks

Google hacking involves using advanced search operators to make the Google search engine return very specific information, such as exposed files, directory listings or misconfigured servers.

One example is the query "Index of" intext:"php" site:.com, which finds web servers under .com that have directory listing enabled (the classic "Index of /" pages) and expose PHP files. Many more examples are collected in the Google Hacking Database at https://www.exploit-db.com/google-hacking-database.

Here is an article from INCIBE on using Google dorks to find what the web knows about you: https://www.incibe.es/ciudadania/blog/google-dorks-te-ayuda-encontrar-informacion-sobre-ti-en-la-red
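As an added example (this is not code from the original post), the following script builds the "Index of" dork for a domain you own and, when a hit comes back, parses the directory-listing page so you can see exactly which files are exposed. The listing HTML is constructed for this example in the shape Apache's autoindex produces; the list of "suspicious" name fragments is an assumption you should tune.

```python
"""Added example: build an "Index of" dork and parse the directory listing it finds."""
import html
from html.parser import HTMLParser


def index_of_dork(domain, keyword=None):
    """Google query for open directory listings on *domain*; *keyword* adds the
    intext: filter used in the post (intext:"php")."""
    if keyword:
        return f'"Index of" intext:"{keyword}" site:{domain}'
    return f'"Index of" site:{domain}'


class _ListingParser(HTMLParser):
    """Collect href targets from <a> tags in a directory-listing page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(html.unescape(value))


def is_directory_listing(body):
    """Apache and nginx autoindex pages both carry 'Index of /...' in <title>."""
    return "<title>index of" in body.lower()


def exposed_entries(body):
    """Names exposed by a listing, skipping column-sort links (?C=...), the
    parent-directory link and absolute/external URLs."""
    parser = _ListingParser()
    parser.feed(body)
    return [href for href in parser.links
            if not href.startswith(("?", "/", "../", "http://", "https://"))]


# Assumed name fragments worth looking at first (backups, dumps, config).
SUSPICIOUS = (".bak", ".old", ".sql", ".zip", ".tar", ".env", ".git", "config", "backup", "dump")


def sensitive_entries(entries):
    """Entries whose name suggests backups, database dumps or configuration files."""
    return [e for e in entries if any(s in e.lower() for s in SUSPICIOUS)]


# Constructed sample: what an "Index of" hit for example.com/backup/ might return.
SAMPLE_LISTING = """<!DOCTYPE html>
<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="db_dump.sql">db_dump.sql</a></td></tr>
<tr><td><a href="config.php.bak">config.php.bak</a></td></tr>
<tr><td><a href="logo.png">logo.png</a></td></tr>
<tr><td><a href="old/">old/</a></td></tr>
</table></body></html>"""

if __name__ == "__main__":
    print("query:", index_of_dork("example.com", "php"))
    if is_directory_listing(SAMPLE_LISTING):
        found = exposed_entries(SAMPLE_LISTING)
        print("exposed:", found)
        print("check first:", sensitive_entries(found))
```

Run the dork against your own domain rather than site:.com; the parser is the part that turns a search hit into a concrete list of what needs to be taken offline.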

theHarvester

theHarvester is a tool that collects e-mail addresses, names, subdomains, IP addresses and URLs about a domain from public sources such as search engines and social networks.

I have Kali Linux, a Linux distribution that includes many ethical hacking tools, installed on a virtual machine. One of these tools is theHarvester.

In this example we search for the domain kali.org (-d kali.org) using the DuckDuckGo source (-b duckduckgo), limiting the number of results to 500 (-l 500); the full command is theHarvester -d kali.org -b duckduckgo -l 500.

The results can be saved with the option -f path/file; theHarvester writes both an XML and a JSON file with that base name, which is convenient for further processing.
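As an added example (not code from the original post or from theHarvester itself), the following script post-processes the JSON file that -f produces: it deduplicates the e-mail addresses, keeps only those in the target domain, and splits the host entries into hostname and IP. The key names "emails", "hosts" and "ips", and the "host:ip" form of host entries, follow what recent theHarvester versions write, but treat them as an assumption and check them against your own file. The sample document is constructed for the example.

```python
"""Added example: tidy up theHarvester -f output (JSON) for the next recon step."""
import json

# Constructed sample, shaped like the JSON theHarvester writes with -f (assumed keys).
SAMPLE_JSON = json.dumps({
    "emails": ["info@kali.org", "Press@Kali.org", "info@kali.org", "someone@gmail.com"],
    "hosts": ["www.kali.org:192.0.2.10", "forums.kali.org",
              "www.kali.org:192.0.2.10", "cdn.example.net:203.0.113.5"],
    "ips": ["192.0.2.10", "203.0.113.5"],
})


def load_results(text):
    """Parse the JSON and return only the sections used here (missing ones become empty)."""
    data = json.loads(text)
    return {key: data.get(key, []) for key in ("emails", "hosts", "ips")}


def _in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def in_scope_emails(results, domain):
    """Unique, lower-cased addresses whose domain is *domain* or a subdomain of it."""
    found = set()
    for email in results["emails"]:
        email = email.strip().lower()
        _, sep, dom = email.rpartition("@")
        if sep and _in_domain(dom, domain):
            found.add(email)
    return sorted(found)


def split_hosts(results, domain):
    """Map each in-scope hostname to the IP theHarvester attached as host:ip, or None.
    Hostnames cannot contain ':', so splitting on the first colon is safe even for IPv6."""
    hosts = {}
    for entry in results["hosts"]:
        host, _, ip = entry.partition(":")
        host = host.strip().lower()
        if _in_domain(host, domain):
            hosts[host] = ip or hosts.get(host)
    return hosts


if __name__ == "__main__":
    res = load_results(SAMPLE_JSON)   # in practice: open("kali.json").read()
    print("e-mails:", in_scope_emails(res, "kali.org"))
    print("hosts:", split_hosts(res, "kali.org"))
```

The out-of-scope entries (someone@gmail.com, cdn.example.net) are dropped deliberately: search engines return plenty of results that only mention the target, and feeding those into later tools wastes time and can push you outside the agreed scope.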

WHOIS

Although WHOIS is commonly used to find out who owns an internet domain, the same record contains security-relevant information: contact details (useful for social engineering and for identifying potential targets), the registrar, the name servers, and the creation and expiry dates, which reveal newly registered domains, a classic indicator of phishing infrastructure. Note that since the GDPR many registries redact personal registrant data, but organisation names, abuse contacts and the dates are usually still visible.
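As an added example (not code from the original post), the following script parses a WHOIS record into the fields mentioned above and uses the creation date to flag a newly registered domain. The record is constructed for this example; real registries use the same "Key: Value" layout but field names vary slightly between them, so FIELD_MAP is an assumption you may need to extend.

```python
"""Added example: extract security-relevant fields from a WHOIS record."""
from datetime import datetime, timezone

FIELD_MAP = {  # "Key" as printed by the registry -> name used in the parsed record (assumed)
    "Domain Name": "domain",
    "Registrar": "registrar",
    "Creation Date": "created",
    "Updated Date": "updated",
    "Registry Expiry Date": "expires",
    "Registrant Organization": "registrant_org",
}


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; Name Server and *Email lines are collected."""
    record = {"name_servers": [], "emails": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Name Server":
            record["name_servers"].append(value.lower())
        elif key.endswith("Email") and "@" in value:   # skips "REDACTED FOR PRIVACY"
            record["emails"].append(value.lower())
        elif key in FIELD_MAP:
            record[FIELD_MAP[key]] = value
    return record


def parse_date(value):
    """Registry timestamps are RFC 3339 in UTC, e.g. 2024-02-10T09:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def domain_age_days(record, now):
    return (now - parse_date(record["created"])).days


def days_until_expiry(record, now):
    return (parse_date(record["expires"]) - now).days


def is_newly_registered(record, now, threshold_days=30):
    """Domains registered within the last month deserve extra suspicion in phishing triage."""
    return domain_age_days(record, now) <= threshold_days


# Constructed sample record (not a real domain).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOGIN.COM
Registrar: Example Registrar, LLC
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2024-02-10T09:15:00Z
Updated Date: 2024-02-12T11:00:00Z
Registry Expiry Date: 2025-02-10T09:15:00Z
Registrant Organization: Example Corp
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

# Fixed "today" so the demo is reproducible; use datetime.now(timezone.utc) in practice.
DEMO_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["domain"], "| registrar:", rec["registrar"], "| contacts:", rec["emails"])
    print("age (days):", domain_age_days(rec, DEMO_NOW), "| newly registered:",
          is_newly_registered(rec, DEMO_NOW), "| expires in:", days_until_expiry(rec, DEMO_NOW))
```

The same parser works on the output of the whois command line tool (whois example.com) piped into it; the redacted registrant e-mail is dropped automatically because it contains no "@".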

Recon-ng

As I detailed in my blog post, Recon-ng is an exceptionally powerful and versatile framework designed for passive information gathering on a target. It excels at aggregating data from many open-source intelligence (OSINT) sources without directly engaging or alerting the target. This makes it an ideal tool for cybersecurity professionals and penetration testers who must discreetly collect detailed information about an organization, network or individual.

Nuria.

Ethical hacking: Recon-ng for target information gathering

Recon-ng stands out as a formidable tool for gathering information about a target. Key aspects:

  1. Command-line interface: Recon-ng features a streamlined command-line interface for interacting with its functionality.
  2. Modules: the framework lets you install modules that gather information from many online sources, including social networks, public databases and search engines.
  3. Automation: tasks can be scripted, streamlining the data collection and analysis process.
  4. API integration: many modules use the APIs of online services, which extends what they can collect.
  5. Flexibility: users can write their own modules, so the tool can be tailored to specific needs.
  6. Web interface: lets you browse the database tables and export them.

It can also be deployed through Docker, which makes it easy to get running. For installation instructions via Docker, refer to the project's guide on GitHub.

I’ve just finished a course about Recon-ng on Pluralsight, which is recommended before using the tool.

And here’s a summary of what we’ve covered in the course.

Setting Up and Navigating Recon-ng

Upon successful installation and execution, Recon-ng greets you with a command-line interface. An important note for first-time users: the tool does not ship with any modules installed; you pick and install the ones you need. This modular approach allows for a tailored experience based on individual needs.

Web interface

We can browse the database and its tables in a web browser by launching the web interface with the command recon-web:

Then open http://localhost:5000 in a browser.

We can see the information in each table and export tables or the entire database.

Data Organization and Workspace Management

Recon-ng organizes data in ‘workspaces’. This lets you keep a dedicated workspace, with its own database, for each target under investigation; a workspace is created with workspaces create <name>.

For instance, if you’re investigating ‘puertasdipep’, you would create a workspace specifically for it.

Within this workspace, the preliminary step is to populate the initial data.

This is done by inserting the target company’s name into the companies table with db insert companies. For our example, we would insert ‘puertasdipep’.

Module Management and Exploration

To manage and explore modules, Recon-ng offers the marketplace command, which lists the available modules and installs them as needed. To view all modules, use marketplace search.

Note the ‘D’ and ‘K’ columns next to each module: ‘D’ means the module needs additional Python libraries (dependencies) to be installed, and ‘K’ means it needs an API key or a username and password before it will work.

Understanding the Path and Data Transformation

The module path in Recon-ng tells you how data is transformed between tables. For example, for a module under companies-hosts, the transition from ‘companies’ to ‘hosts’ means the module reads the entries in the companies table and stores what it discovers in the hosts table.

Module Installation and Execution

For example, let’s consider installing and loading the ‘whois_miner’ module.

The command for this is marketplace install whois_miner. After installation, the next step is to load the module with the command modules load whois_miner.

Configuring Module Options

Each module in Recon-ng comes with a set of configurable options. To view them, use options list; to change one, use options set <NAME> <value>. In our example with ‘whois_miner’, the essential option is SOURCE, which tells the module which company to look up.

We can obtain more information with the command info inside the loaded module.

For example, we see that if no SOURCE is set, the module runs once for each company in the companies table:

If we add the company Pluralsight, as in the example from the course, and run the module, we see the whois information and the statistics of the results found:

To see the contacts that were found, use the command show contacts.
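As an added example (not the course's code nor part of Recon-ng), the following script runs the same workflow non-interactively: recon-ng accepts a workspace with -w and a file of commands with -r, so the steps above can be written to a resource file, and afterwards the workspace tables can be exported from its SQLite database without the web interface. Assumptions made here: the database lives at ~/.recon-ng/workspaces/<name>/data.db, the demo table columns mirror a minimal contacts table, and running the real workflow performs live whois lookups for the company given in SOURCE.

```python
"""Added example: script the Recon-ng whois_miner workflow and export the results."""
import csv
import io
import os
import shutil
import sqlite3
import subprocess
import tempfile

# The command sequence from the post; the company goes in via SOURCE instead of
# the companies table (with SOURCE left at its default, the module would instead
# run over every row of the companies table).
RESOURCE_COMMANDS = (
    "marketplace install whois_miner",
    "modules load whois_miner",
    "options set SOURCE {company}",
    "run",
    "show contacts",
    "exit",
)


def build_resource_script(company):
    """Recon-ng commands for one company, one per line, as the body of the -r file."""
    return "\n".join(line.format(company=company) for line in RESOURCE_COMMANDS) + "\n"


def run_workflow(workspace, company):
    """Run recon-ng -w <workspace> -r <resource file>.  Returns the exit code, or
    None when recon-ng is not installed, so the rest of the script works offline."""
    binary = shutil.which("recon-ng")
    if binary is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".rc", delete=False) as rc:
        rc.write(build_resource_script(company))
    try:
        return subprocess.run([binary, "-w", workspace, "-r", rc.name]).returncode
    finally:
        os.unlink(rc.name)


def workspace_db(workspace):
    """Assumed location of a workspace's SQLite database."""
    return os.path.expanduser(os.path.join("~", ".recon-ng", "workspaces", workspace, "data.db"))


def table_exists(con, table):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                      (table,)).fetchone()
    return row is not None


def export_table(con, table):
    """Dump one table to CSV text.  The name is validated against sqlite_master before
    it is interpolated into the query, so a user-supplied name cannot inject SQL."""
    if not table_exists(con, table):
        raise ValueError(f"no table {table!r} in this database")
    cur = con.execute(f'SELECT * FROM "{table}"')
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([col[0] for col in cur.description])
    writer.writerows(cur.fetchall())
    return out.getvalue()


def make_demo_connection():
    """In-memory stand-in for a workspace database.  The contacts columns are an
    assumption about Recon-ng's schema, used only to try export_table offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contacts (first_name TEXT, last_name TEXT, email TEXT, module TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", [
        ("Ada", "Lovelace", "ada@pluralsight.example", "whois_miner"),
        ("Abuse", None, "abuse@registrar.example", "whois_miner"),
    ])
    con.commit()
    return con


if __name__ == "__main__":
    print(build_resource_script("Pluralsight"), end="")
    if run_workflow("pluralsight", "Pluralsight") is not None:
        with sqlite3.connect(workspace_db("pluralsight")) as con:
            print(export_table(con, "contacts"))
    else:
        print(export_table(make_demo_connection(), "contacts"))
```

Writing the commands to a resource file is also the simplest way to make runs repeatable across workspaces: the same file can be replayed for each target with only the -w value changed.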

Note that this is one possible tool for the passive information-gathering phase on a target. I will soon create another blog entry with other available tools.

Nuria.

Cyber Intelligence in the Cybersecurity Master’s

I have concluded the Cyber Intelligence module in the Master’s in Cybersecurity at Deloitte.

This module has been a great experience, and I’d like to share some highlights of what I’ve learned:

Attacker Techniques: I delved into the strategies and tactics used by cyber attackers, which are crucial for building robust defenses.

Underground Forums: I explored the enigmatic underground forums, gaining valuable insights into the type of information shared in these hidden spaces.

We learned how to create a secret identity, which is necessary to access these forums.

The Onion Router (TOR): I acquired a detailed understanding of how TOR works, recognizing its role in protecting online anonymity.

Phishing: I investigated the different types of phishing attacks, developing skills to identify and mitigate these threats.

Malware Campaigns: I studied how malware campaigns are developed, analyzing practical cases and understanding the strategies behind these attacks.

The Deloitte workshops have also been an essential part of my learning, providing me with a practical and realistic perspective on cybersecurity. These workshops have allowed me to apply theory in real situations, thus enhancing my understanding and skills in this dynamic field.

Now that I am more aware of the various attacks, I notice that many people fall victim to scams because attackers can spoof the caller ID or SMS sender number.

Interesting publication about that: https://www.incibe.es/ciudadania/blog/el-agente-bancario-que-te-ayuda-robar-tu-dinero-por-telefono

You can follow this INCIBE (Instituto Nacional de Ciberseguridad de España) channel on WhatsApp: INCIBE-017

Nuria

New online tool to analyze Windows logs

In September, I began a new Master’s in Cybersecurity with Deloitte.

As part of the first module, Forensic Analysis, I was tasked with investigating an issue that a company experienced involving a ransomware attack. Among the points to analyze, the first was to review the Windows logs to determine, among other things, how access was obtained.

As a Mac user, I couldn’t find any suitable tools, and even looking at the logs on Windows, navigating through all of them was not very user-friendly. For this reason, I have created an online tool for uploading event logs so they can be handled comfortably.

To obtain the logs, export them in CSV format and then upload the file to the website.

As a note, I must say that I still need to obtain more information on the status and sub status codes, which I find challenging to locate. Additionally, I would like to be able to establish some patterns, but that requires much more practice and information.
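As an added example (separate from the online tool described in the post), the following script takes an Event Viewer CSV export, picks out the failed logons (Event ID 4625) and decodes the Status and Sub Status fields, which are NTSTATUS codes: the Status is usually the generic 0xC000006D and the Sub Status carries the actual reason (wrong password, unknown user, locked account and so on). The header names and all rows are constructed for this example, so check them against a real export before relying on the column names.

```python
"""Added example: triage failed logons (4625) from an Event Viewer CSV export."""
import csv
import io
import re
from collections import Counter

# NTSTATUS values that appear in the 4625 Status / Sub Status fields.
NTSTATUS = {
    "0xC000006D": "logon failure (see Sub Status)",
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC000006F": "logon outside permitted hours",
    "0xC0000070": "logon from an unauthorised workstation",
    "0xC0000071": "password expired",
    "0xC0000193": "account expired",
    "0xC0000224": "user must change password at next logon",
    "0xC000015B": "logon type not granted to this account",
    "0xC0000133": "clock skew too large between client and DC",
    "0x0": "not applicable",
}
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service", "7": "unlock",
               "8": "network cleartext", "9": "new credentials", "10": "remote interactive (RDP)",
               "11": "cached interactive"}

# Field labels as rendered in the 4625 message body.
ACCOUNT_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)", re.S)
SOURCE_RE = re.compile(r"Source Network Address:\s*(\S+)")
TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
STATUS_RE = re.compile(r"(?<!Sub )Status:\s*(0x[0-9A-Fa-f]+)")
SUBSTATUS_RE = re.compile(r"Sub Status:\s*(0x[0-9A-Fa-f]+)")


def _grab(pattern, text):
    match = pattern.search(text)
    return match.group(1) if match else None


def describe(code):
    """Human-readable meaning of an NTSTATUS code as printed in the event."""
    if code is None:
        return "unknown"
    return NTSTATUS.get("0x" + code[2:].upper(), f"unknown ({code})")


def failed_logons(csv_text):
    """All 4625 events in the export, reduced to the fields worth triaging."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Event ID") != "4625":
            continue
        msg = row.get("Message", "")
        events.append({"time": row.get("Date and Time"),
                       "account": _grab(ACCOUNT_RE, msg),
                       "source": _grab(SOURCE_RE, msg),
                       "logon_type": LOGON_TYPES.get(_grab(TYPE_RE, msg), "unknown"),
                       "status": _grab(STATUS_RE, msg),
                       "sub_status": _grab(SUBSTATUS_RE, msg)})
    return events


def failures_per_source(events):
    """(source address, account) -> number of failed attempts."""
    return Counter((e["source"], e["account"]) for e in events)


def noisy_sources(events, threshold=3):
    """Sources with at least *threshold* failures: brute-force or password-spray candidates."""
    per_source = Counter(e["source"] for e in events)
    return sorted(src for src, n in per_source.items() if n >= threshold)


def _message(account, source, logon_type, status, sub_status):
    # Abridged shape of the 4625 message body as Event Viewer renders it.
    return ("An account failed to log on.\n\nSubject:\n\tAccount Name:\t\tWIN-SRV01$\n\n"
            f"Logon Type:\t\t\t{logon_type}\n\n"
            f"Account For Which Logon Failed:\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tCORP\n\n"
            f"Failure Information:\n\tStatus:\t\t\t{status}\n\tSub Status:\t\t{sub_status}\n\n"
            f"Network Information:\n\tSource Network Address:\t{source}\n\tSource Port:\t\t49152\n")


def _build_sample_csv():
    # Constructed export: column names are assumed; the message column carries the event text.
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Level", "Date and Time", "Source", "Event ID", "Task Category", "Message"])
    audit = "Microsoft-Windows-Security-Auditing"
    wrong_pw = ("backup", "10.0.0.5", "3", "0xC000006D", "0xC000006A")
    rows = [("3/14/2024 2:01:05 AM", "4625", _message(*wrong_pw)),
            ("3/14/2024 2:01:09 AM", "4625", _message(*wrong_pw)),
            ("3/14/2024 2:01:14 AM", "4625", _message(*wrong_pw)),
            ("3/14/2024 2:01:20 AM", "4625", _message("admin", "10.0.0.5", "3", "0xC000006D", "0xC0000064")),
            ("3/14/2024 2:02:40 AM", "4624", "An account was successfully logged on.")]
    for when, event_id, msg in rows:
        writer.writerow(["Information", when, audit, event_id, "Logon", msg])
    return out.getvalue()


SAMPLE_CSV = _build_sample_csv()

if __name__ == "__main__":
    events = failed_logons(SAMPLE_CSV)   # in practice: open("security.csv", encoding="utf-8").read()
    for e in events:
        print(e["time"], e["source"], e["account"], e["logon_type"], describe(e["sub_status"]))
    print("noisy sources:", noisy_sources(events))
```

Three wrong-password failures for one account followed by a hit on a non-existent user from the same address, all over a network logon, is the shape of a credential-guessing attempt; a success (4624) from that same address shortly afterwards is the line to look for next.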

This is the actual URL: http://35.195.87.88/; it will be available depending on the final costs :).

Here is a demo: