Introduction
In this blog, we continue our discussion of reconnaissance. This is the third part of the reconnaissance series; Part 1 and Part 2 can be read here.
In this article, we will discuss –
- OSINT Framework
- Recon-ng
- Metadata – ExifTool
- Strings command
Open source intelligence gathering against a client's organisation comes down to asking many precise questions of different search engines and frameworks, so that you can concentrate on the potentially sensitive information that may assist a pentest.
When you are just starting out in pentesting, it can be difficult to know which questions to ask.
OSINT Framework
The OSINT Framework (https://osintframework.com) is a static web page that directs people to relevant information from a variety of public and commercial sources.
Each path is a link to a resource that expands your data collection options for a particular topic, such as usernames, e-mail addresses, IP addresses, company records, public records and phone numbers.
Suppose that during a pentest you were able to collect e-mail addresses from the target organisation's website.
If you wanted to check whether any of those e-mail addresses have previously appeared in breach reports, the OSINT Framework shows you which sites to query for that information.
Click Email Address on the OSINT Framework home page, then Breach Data among the paths offered. This brings up a list of websites where breach data can be searched by e-mail address.
This framework is not a panacea, but it will point you in the right direction if you know what you are looking for.
Recon-ng
Recon-ng (https://github.com/lanmaster53/recon-ng) is a Python-based web reconnaissance framework that brings together a variety of data collection features.
All of the data collected by Recon-ng is stored in a back-end database.
Like the well-known penetration testing framework Metasploit (https://www.metasploit.com/), Recon-ng uses independent modules and built-in functions to help automate certain collection techniques.
Modules in the following categories are supported by the Recon-ng framework:
- Discovery modules
- Exploitation modules
- Import modules
- Recon modules
- Reporting modules
Recon-ng is open source and comes pre-installed on Kali Linux.
To investigate two reconnaissance modules in Recon-ng v5.0.1, open a terminal window on Kali and follow the steps in the exercise below.
You will need Internet access to complete this task. The exercise uses WHOIS queries to gather point-of-contact information and DNS queries to brute-force top-level domains and second-level domains (i.e., subdomains) for the example.com domain.
Refer to this article for more details on how to use Recon-ng.
Metadata Analysis
Metadata is data about data in the sense that it summarises information and characteristics about the content of a particular item.
A picture file, for example, may have information that identifies the image’s orientation and size, as well as the location where it was made.
A Microsoft Word document may include metadata that describes the file’s attributes, such as the author’s name, the date the document was created, and so on.
As a pentester, you will comb through documents for information that may help you find usernames, e-mail addresses and other details buried in a file's hidden properties.
These informative bits may take the form of comments inside source code or simply the hostname of the machine where the file was written; they are not always meant to be visible to the user.
ExifTool for Metadata Analysis
ExifTool is a platform-independent Perl library plus a command-line application for reading and writing meta-information in a wide variety of files.
Over 100 different file types are supported. Rather than list them all, we recommend the developer's GitHub page for more information: https://github.com/exiftool/exiftool
The following example demonstrates how to use ExifTool to examine a JPG file in order to uncover hidden information. The exiftool command-line application has a large number of options.
Instead of downloading the source archive, you can install ExifTool on Kali Linux with the apt-get package manager. As root, run:
# apt-get install libimage-exiftool-perl
To work from the source archive instead, open a new terminal window in Kali Linux and download the master branch of the GitHub repository as a zip file:
# wget https://github.com/exiftool/exiftool/archive/refs/heads/master.zip -O exiftool-master.zip
Copy the archive to /root, unzip it, and change directory (cd) into the exiftool-master directory it creates:
# cp exiftool-master.zip /root
# cd /root
# unzip exiftool-master.zip
# cd exiftool-master
To see a list of all the sample photos that came with the download, use the following command:
# ls -al t/images
Run exiftool against the ExifTool.jpg file in the images directory and save the output to a file for later analysis:
# ./exiftool t/images/ExifTool.jpg >/root/exif.out
Examine the output in /root/exif.out. It shows that you recovered the Author's name as well as the original filename, which contains the absolute path of the JPG on the machine where it was created.
If this were a file retrieved from a company's website, that absolute path would let you deduce that the author is most likely an employee and that the file was created on Windows.
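To show what ExifTool is actually reading when it reports Author, Software or the creation time, here is an added example (not code from the original post, and not ExifTool's own implementation) that parses the Exif APP1 segment of a JPEG by hand. It builds a small JPEG in memory with constructed tag values, then walks the TIFF IFD0 directory inside the APP1 marker and pulls out the ASCII tags. The helper names (iter_jpeg_segments, read_exif_tags, build_sample_jpeg, SAMPLE_JPEG) and the sample values are this example's own assumptions; only IFD0 ASCII tags are handled, so the Exif sub-IFD and GPS IFD are ignored.

```python
import struct

# Exif/TIFF tag IDs for the ASCII fields that most often leak names and tooling.
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",
    0x013B: "Artist",
    0x8298: "Copyright",
}

def iter_jpeg_segments(data):
    """Yield (marker, payload) for each length-prefixed marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: no further metadata segments follow
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def read_exif_tags(data):
    """Return {tag name: value} for the ASCII entries of IFD0 in the first Exif APP1 segment."""
    for marker, payload in iter_jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]  # IFD offsets are relative to this TIFF header
            break
    else:
        return {}
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]  # byte order is declared by the file itself
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    count = struct.unpack(endian + "H", tiff[ifd0_off:ifd0_off + 2])[0]
    tags = {}
    for i in range(count):
        e = ifd0_off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ != 2:  # type 2 = ASCII; numeric and rational tags are skipped here
            continue
        if n <= 4:    # values of four bytes or fewer are stored inline in the value field
            raw = tiff[e + 8:e + 8 + n]
        else:         # longer values live at an offset from the TIFF header
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags

def build_sample_jpeg(fields):
    """Constructed sample: a JPEG whose APP1 carries {tag id: text} as a little-endian TIFF IFD0."""
    entries, blob = [], b""
    data_start = 8 + 2 + 12 * len(fields) + 4  # header, entry count, entries, next-IFD pointer
    for tag, text in sorted(fields.items()):
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:
            entries.append(struct.pack("<HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00"))
        else:
            entries.append(struct.pack("<HHII", tag, 2, len(raw), data_start + len(blob)))
            blob += raw
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", len(entries))
            + b"".join(entries) + b"\x00\x00\x00\x00" + blob)
    app1 = b"Exif\x00\x00" + tiff
    segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    # Bare SOS marker followed by EOI; the image data is irrelevant to metadata recovery.
    return b"\xff\xd8" + segment + b"\xff\xda\xff\xd9"

# Constructed values only; no real person, camera or file is described here.
SAMPLE_JPEG = build_sample_jpeg({
    0x013B: "jdoe",                           # Artist: frequently a username or real name
    0x0131: "Adobe Photoshop CS6 (Windows)",  # Software: product, version and platform hints
    0x0132: "2021:03:14 09:26:53",            # DateTime: tells you how fresh the lead is
})

if __name__ == "__main__":
    for name, value in read_exif_tags(SAMPLE_JPEG).items():
        print("%-10s %s" % (name, value))
```

The point of reading the structure yourself is that the Artist and Software strings sit in plain ASCII at fixed offsets; any file a company publishes with its Exif intact hands you the same fields ExifTool prints, and the byte-order mark (II or MM) and the inline-versus-offset rule are the two details that trip up home-grown parsers.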
FOCA (Fingerprinting Organizations with Collected Archives) is a metadata analysis programme for Microsoft Windows with functionality comparable to ExifTool, and it automates the discovery process.
The latest version of FOCA can be downloaded from the developer's GitHub page at https://github.com/ElevenPaths/FOCA.
FOCA uses the Google, Bing and DuckDuckGo search engines to find and analyse common document formats such as Microsoft Office, Apache OpenOffice and Adobe PDF.
Strings Command
strings is a command-line programme that prints sequences of printable characters. It is mostly used to find out what a non-text file contains.
The GNU version of strings (i.e., Unix/Linux) looks for printable ASCII runs of at least four characters that are followed by an unprintable character (or the end of the file) and writes them to standard output.
The -n option changes the default minimum string length. In most circumstances, though, the default of four characters is adequate.
The Windows Sysinternals version of strings (https://docs.microsoft.com/en-us/sysinternals/) scans by default for ASCII strings (8-bit character representation) and for Unicode strings (16-bit character representation) in both big-endian and little-endian byte order.
The Windows version reports strings of three or more characters and, like the GNU version, lets you change the minimum length with the -n option.
The terms big-endian and little-endian refer to two ways of storing multi-byte values in binary form.
In big-endian order the "big end", the most significant byte of the value, is stored first; in little-endian order the "little end", the least significant byte, is stored first.
See the following Wikipedia article for further information: https://en.wikipedia.org/wiki/Endianness.
The next exercise uses the GNU version of strings on Kali Linux to examine an Adobe PDF file stored in the same images directory used in the ExifTool exercise.
Change the directory to exiftool-master in a terminal window in Kali Linux (locations may vary depending on where you extracted the directory):
# cd /root/exiftool-master
Run the strings command against the PDF.pdf file in the images directory and pipe the result to less with the -N option, which prints line numbers alongside the output.
This makes it easier to work through the 312 lines of printable characters that strings produces.
# strings t/images/PDF.pdf | less -N
Scroll through the output with the spacebar and press q to quit less when you have finished reviewing the document.
The PDF file contains 14 objects (e.g., 1 0 obj), each closed by a matching endobj tag. During a pentest, the meta-content inside these PDF objects can give away useful information.
Object 4 holds the version of Adobe Photoshop used to generate the document, the creation date, and the producer, which shows that Photoshop was run on an Apple Mac.
Compare the document's creation date with today's date to judge whether the finding is still relevant.
You could also infer that the company uses Apple computers and look into client-side vulnerabilities in Adobe Photoshop 7.0, or build a phishing campaign around Adobe Photoshop or Apple product discounts to make the pretext more relevant and increase your chances of success against the company.
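The same triage can be scripted once you have more than a handful of downloaded documents. The added example below (not code from the original post, and not GNU or Sysinternals strings) re-implements the strings scan described above, printable runs of at least a minimum length, optionally including UTF-16LE text the way the Windows version does, and then uses it to pull the Creator, Producer, CreationDate and Author fields out of a PDF's Info object and to work out how old the document is. The PDF is a constructed sample built inline, not the ExifTool test file, and the names find_strings, pdf_info_fields, parse_pdf_date, age_in_days and SAMPLE_PDF are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

ASCII_RUN = rb"[\x20-\x7e]"             # printable 7-bit characters, as GNU strings counts them
UTF16LE_RUN = rb"(?:[\x20-\x7e]\x00)"   # the same characters as 16-bit little-endian code units

def find_strings(data, min_len=4, unicode=False):
    """Printable runs of at least min_len characters, like `strings -n min_len`.

    GNU strings looks only at 8-bit text by default; pass unicode=True to also
    pick up UTF-16LE runs, which the Sysinternals version does out of the box.
    """
    found = [m.group().decode("ascii")
             for m in re.finditer(ASCII_RUN + b"{%d,}" % min_len, data)]
    if unicode:
        found += [m.group().decode("utf-16-le")
                  for m in re.finditer(UTF16LE_RUN + b"{%d,}" % min_len, data)]
    return found

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")
# /Key (literal string); the value may contain backslash escapes but no unbalanced parentheses.
INFO_RE = re.compile(r"/(%s)\s*\(((?:[^()\\]|\\.)*)\)" % "|".join(INFO_KEYS))

def pdf_info_fields(data):
    """Collect the /Key (value) pairs you would otherwise read off the Info object by hand."""
    info = {}
    for run in find_strings(data):
        for key, value in INFO_RE.findall(run):
            info[key] = value
    return info

PDF_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?([+\-Z])?(\d{2})?'?(\d{2})?")

def parse_pdf_date(value):
    """Convert a PDF date string such as D:20040623165600-07'00' into an aware datetime."""
    m = PDF_DATE_RE.match(value)
    if not m:
        raise ValueError("not a PDF date string: %r" % value)
    y, mo, d, hh, mi, ss, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(-offset if sign == "-" else offset)
    return datetime(int(y), int(mo), int(d), int(hh or 0), int(mi or 0), int(ss or 0), tzinfo=tz)

def age_in_days(value, now=None):
    """Document age; a stale CreationDate makes the software/OS clue less reliable."""
    now = now or datetime.now(timezone.utc)
    return (now - parse_pdf_date(value)).days

# Constructed sample: a hand-written PDF whose Info object (4 0 obj) mimics what a
# Photoshop-for-Mac export leaves behind. Not the ExifTool test file, not a real document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 5 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Creator (Adobe Photoshop 7.0) /Producer (Adobe Photoshop for Macintosh)\n"
    b"   /CreationDate (D:20040623165600-07'00') /Author (jdoe) >>\nendobj\n"
    b"5 0 obj\n<< /Length 6 >>\nstream\n\x00\x01\xff\x80ab\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value in pdf_info_fields(SAMPLE_PDF).items():
        print("%-13s %s" % (key, value))
    print("age (days):", age_in_days(pdf_info_fields(SAMPLE_PDF)["CreationDate"]))
```

Note that the two-byte "ab" inside the binary stream object is dropped by the four-character minimum, exactly as strings would drop it, while the Info dictionary survives intact because its keys and values are plain printable text separated only by spaces.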
Conclusion
The OSINT Framework (https://osintframework.com) is a static web page that directs people to relevant information from a variety of public and commercial sources.
Recon-ng employs separate modules and built-in methods to aid automate some collection approaches, similar to the prominent penetration testing framework Metasploit.
ExifTool is a command-line tool for reading and writing meta-information in a variety of files. Over 100 different file types are supported by the programme. Use ExifTool to examine the contents of a JPG file in order to uncover hidden information.
FOCA is a metadata analysis programme with functionality comparable to ExifTool; it uses the Google, Bing and DuckDuckGo search engines to find common document formats such as Microsoft Office, Apache OpenOffice and Adobe PDF.
strings prints the sequences of printable characters found in a file, which makes it a quick way to look inside non-text files such as PDFs.