It’s impossible to circumvent every Anti-Virus, yet an experienced attacker knows it is possible to avoid a specific AV software for a sufficient period. If an attacker discovers which Anti-Virus the victim is running, the attacker develops their virus undetectable by that Anti-Virus.
The Recon-NG is a robust tool for performing automatic data collection and network footprinting. One can access a variety of websites to get passive data or aggressively investigate the victim for details. It offers several functionalities that enable the attacker to capture user data for social engineering, network traffic for network analysis, and more.
Consider it a data-gathering version of Metasploit. Anybody aware of Metasploit will feel at ease with this GUI, which looked and feel like Metasploit.
RECON-NG relies on sending repetitive requests to a DNS server to determine whether the DNS server has a cache containing the Anti-Virus supplier’s website. If that runs, it means that the victim at an organization is using that particular Anti-Virus program. As a result, viewing the website requires upgrading the antivirus signatures. When the DNS server does not have a cache of the AV company’s website, one can assume that nobody inside the company has asked for the Anti-Virus company’s website.
Let us get rolling!
OSINT Tutorial: Dig Up the Victim
In this OSINT tutorial, we will look into two different websites to verify the results. In the Linux terminal, use the dig command with the nameserver (ns) switch to discover both websites’ nameservers.
dig <domain name> ns
Ping the Victim
It’s best practice to ping your victim once to know if the server is live or not. Ping also discovers the IP address of the domain name.
Here, ping both victims to check their availability and discover IP addresses for future use.
Select the nameserver from the previous dig command results and ping it using the Kali Linux terminal.
Notice that ping results show the ICMP and transmitted packets detail. That means the victim domain is alive or running.
Fire Up the RECON-NG
Type ‘recon-ng’ in the Kali Linux terminal. A screen that details the many modules available through the handy web reconnaissance greets us.
RECON-NG comes pre-install in Kali Linux, but if you are using any different distro and don’t have recon-ng pre-installed, you can install it from Github.
To discover the different categories of modules, type ‘show modules’ into the terminal.
Identifying the names and directory locations for individual sections in different categories demonstrates their involvement in footprinting. We will use the cache snoop module from the discovery group, also known as DNS Cache Snooping.
As per Sciencedirect DNS reconnaissance,
If an attacker could observe all the DNS requests coming out of an organization, they could learn very interesting information. A simple way to retrieve it is to query the organization’s caching DNS server for a given domain and see if the answer is returned directly from the cache. If it is, then someone within the organization has recently visited that domain. These techniques are DNS cache snooping.
Type ‘use discovery/info_disclosure/cache_snoop’ to start the snooping process. Once entered discovery group, type ‘show info’ to check the requirements for the process.
Two required options are:
- Domains (A file of the Anti-Virus software domains present in the recon-ng data folder.)
- Nameserver IP (Found IP from ping results)
Recon-ng comes with a preset collection of Anti-Virus software domains that may see if the victim is using some of the specified AVs.
Let’s check Recon-ng’s list as it will surely assist with familiarising with the many AV vendors involved in the snooping procedure.
Type ‘more /usr/share/recon-ng/data/av_domains.lst’ into the new tab of Linux terminal to read the file.
If you want to add extra domains to the list, you can navigate to the folder and update the document.
To see if a DNS server contains any information about the company using antivirus software from the list. Set Nameserver IP using ‘set NAMESERVER <IP Address>’ and run the process.
Recon-ng will notify whether any of the AV software install by an organization once the run command executes effectively.
Recon-ng will display a “Snooped!” beside the AV domain if it discovers an entry for the AV application from the list.
Recon-ng will display a “Not Found” beside the Anti-Virus domain if it cannot discover an entry for the Anti-Virus software from the list. It implies that the company is probably using Anti-Virus software that isn’t included in the Recon-ng list. Or every virus detected by one of the AV software vendors on the list might not identify the victim’s AV program.
Recon-ng is a web reconnaissance tool that shouldn’t use as a lone tool. It’s best if it’s used with other technologies and tools.