This OSINT tutorial demonstrates the “RECON-NG tool” on Kali Linux. It discovers the type of Anti-Virus software (AV) the victim is running on their internal network.
It’s impossible to circumvent every Anti-Virus, yet an experienced attacker knows it is possible to avoid a specific AV software for a sufficient period. If an attacker discovers which Anti-Virus the victim is running, the attacker develops their virus undetectable by that Anti-Virus.
The Recon-NG is a robust tool for performing automatic data collection and network footprinting. One can access a variety of websites to get passive data or aggressively investigate the victim for details. It offers several functionalities that enable the attacker to capture user data for social engineering, network traffic for network analysis, and more.
Consider it a data-gathering version of Metasploit. Anybody aware of Metasploit will feel at ease with this GUI, which looked and feel like Metasploit.
RECON-NG relies on sending repetitive requests to a DNS server to determine whether the DNS server has a cache containing the Anti-Virus supplier’s website. If that runs, it means that the victim at an organization is using that particular Anti-Virus program. As a result, viewing the website requires upgrading the antivirus signatures. When the DNS server does not have a cache of the AV company’s website, one can assume that nobody inside the company has asked for the Anti-Virus company’s website.
Let us get rolling!
In this OSINT tutorial, we will look into two different websites to verify the results. In the Linux terminal, use the dig command with the nameserver (ns) switch to discover both websites’ nameservers.
Syntax
dig <domain name> ns
Ping the VictimIt’s best practice to ping your victim once to know if the server is live or not. Ping also discovers the IP address of the domain name.
Here, ping both victims to check their availability and discover IP addresses for future use.
Select the nameserver from the previous dig command results and ping it using the Kali Linux terminal.
Notice that ping results show the ICMP and transmitted packets detail. That means the victim domain is alive or running.
Type ‘recon-ng’ in the Kali Linux terminal. A screen that details the many modules available through the handy web reconnaissance greets us.
RECON-NG comes pre-install in Kali Linux, but if you are using any different distro and don’t have recon-ng pre-installed, you can install it from Github.
To discover the different categories of modules, type ‘show modules’ into the terminal.
Identifying the names and directory locations for individual sections in different categories demonstrates their involvement in footprinting. We will use the cache snoop module from the discovery group, also known as DNS Cache Snooping.
As per Sciencedirect DNS reconnaissance,
If an attacker could observe all the DNS requests coming out of an organization, they could learn very interesting information. A simple way to retrieve it is to query the organization’s caching DNS server for a given domain and see if the answer is returned directly from the cache. If it is, then someone within the organization has recently visited that domain. These techniques are DNS cache snooping.
Type ‘use discovery/info_disclosure/cache_snoop’ to start the snooping process. Once entered discovery group, type ‘show info’ to check the requirements for the process.
Two required options are:
Recon-ng comes with a preset collection of Anti-Virus software domains that may see if the victim is using some of the specified AVs.
Let’s check Recon-ng’s list as it will surely assist with familiarising with the many AV vendors involved in the snooping procedure.
Type ‘more /usr/share/recon-ng/data/av_domains.lst’ into the new tab of Linux terminal to read the file.
If you want to add extra domains to the list, you can navigate to the folder and update the document.
To see if a DNS server contains any information about the company using antivirus software from the list. Set Nameserver IP using ‘set NAMESERVER <IP Address>’ and run the process.
Recon-ng will notify whether any of the AV software install by an organization once the run command executes effectively.
Recon-ng will display a “Snooped!” beside the AV domain if it discovers an entry for the AV application from the list.
Recon-ng will display a “Not Found” beside the Anti-Virus domain if it cannot discover an entry for the Anti-Virus software from the list. It implies that the company is probably using Anti-Virus software that isn’t included in the Recon-ng list. Or every virus detected by one of the AV software vendors on the list might not identify the victim’s AV program.
Recon-ng is a web reconnaissance tool that shouldn’t use as a lone tool. It’s best if it’s used with other technologies and tools.
Industrial Cybersecurity
September 28, 2023
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings
The internet is making the world a much smaller place over the period, allowing millions of users throughout the globe to interact and share digital
Introduction The use of open-source code has been increasing since developers generally use community-built code according to the application functionality and use content-security policies and
On the online platform, we frequently run upon publicly shared documents. The public is mostly unaware of the document’s data. Initial creation timeline, Last modification
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings
