Open-source intelligence (OSINT) is essentially the collection and analysis of data gathered from publicly available data sources. In the context of information security, OSINT is used as the stepping stone for most red team assessments. It is also extensively used by adversaries to collect and analyse data about their targets so that weaknesses can be quickly identified and subsequently exploited.
Over the years I have personally seen many tools that help with the task of gathering and analysing data although none of them really stuck with me. The key challenges for me were almost always related to either unsupported or poorly coded tools or price. So, in the true spirit of SecApps, I am very excited to announce a new tool arriving for basic and pro users, which fixes both of these problems and delivers more.
Recon is a tool and a framework for gathering and analysing data using various public and some private databases and APIs to help you understand the attack surface of a given target. With Recon, you can find out weaknesses very rapidly. But let's not dwell on details right now and let me show you a picture because as the saying goes, a picture is worth more than a thousand words. So, here it is:
What does it do
Recon help you analyse data using visualisation tools and some solid graph theory applied in practice. Each node from the graph represents a piece of information that is of some interest. For example, a node could be a hostname, a URL, IP address, a person, sting and so on. There are many different data types. Each node in the graph is also linked to other nodes which are related in some way. We call these relationships transformations. In other words, for a node to have an edge with another node, you must run a transformation.
There are many different types of transformations. For example, if we start with a node representing a domain, we might want to find out if there are some known subdomains related to that domain. We run one of the offered transformations which achieves the task and as a result of that, we produce more nodes in the graph linking back to the original node. This process is illustrated in the screenshot below.
As we go deeper into the graph we can discover more related information. For example, starting from a domain we can find subdomains which point us to web services, which in turn points us to software versions and as a result we can quickly understand the software estate of the target. Here is one I did for Uber. It is evident from the graph the type of tech the company is using. Moreover, we can see all the internal naming conventions, potential internal systems that could be of our interest and so on.
Solid Foundations
I mentioned earlier that Recon is based on visualisation tools and solid graph theory. For example, working with large datasets could be a daunting task so we have added support for groups. A number of nodes can be grouped into a single node, which means that although individually they are connected to their corresponding nodes, together they are also connected to those nodes. So querying the data can be established by the strong connection of the group. Visually, of course, a group helps you organise your workspace.
Groups and nodes can also be locked so that they do not move around. You can also edit the label for groups and nodes so that you can provide a custom name. Just because the label is custom does not mean that it has different data. In fact, each node can be inspected in the inspector which gives you all the details you need.
There are also a number of organisational and sorting tools. You can organise a bunch of nodes in a specific way. For example, you can organise as a grid or a circle or maybe complete random. It is up to you and it depends on what you are planning to achieve with the graph.
Last but not least, we also offer a table view. In this view, you can see the nodes and groups as a list, which will help you find particular nodes of interest quickly rather then searching for them inside the graph itself, which could be challenging especially if you work with huge graphs.
SecApps Integrations
What makes all of the SecApps tools great is not just the functionalities but we can also reuse platform features. I am not going to cover all of them but I will cover the most useful one in terms of Recon. I love this feature so much so that I use it constantly and in fact, we are currently building a great resource for bug bounty hunters based on this feature which I think you will find very useful.
I am talking about fiddles. We have launched fiddles some time ago and essentially this feature allows you to share your work by saving it on our servers and then providing with a friendly URL you can post around. The reason this is great for Recon is that I can quickly research something and then I can share the graph with you. You may find my graph useful but also you extend the work by forking it, making the desired changes and then creating a new fiddle out of it which of course can be shared and it goes on and on.
If you have an account with SecApps your name and bio will appear under the fiddle which means that if you make something useful, the community will reward you with attention which is great for building up your profile.
Present and Future
At present, Recon is available is in Beta. The tool is functional and although you may encounter some minor bugs that we have failed to detect, I am sure that you will be surprised by the amount of information and flexibility you will get by using the tool. Recon is now also part of our Pro plan which means that if you are a pro user you get not only the tool commercially licensed for you but also a tone of other pro features, including the rest of the SecApps toolkit.
The future is bright, I think. We have planned for more many more features that will come in the upcoming weeks including the ability to write your own transforms and share them with the rest of the information security community. That will certainly make Recon into a hell of a useful tool and I just cannot wait to see what you will do with it. I am sure I will be blown away.
Of course, feedback is always welcome. In fact, we really appreciate when someone gives us feedback even if negative because that is how we learn. We often reward such feedback as well. So reach to us on twitter or just email using the contact form in case you want to send us your feedback.