If you are on the offensive side, reconnaissance is part of your strategy at some point. If you are on the defensive side, there is still reconnaissance to be done in order to see what is publicly available about you. A great tool to add to your tool bag is Recon-ng, as it makes the recon process simple and seamless. One particularly useful feature of the program is Pushpin. The Pushpin modules use social media APIs and a set of grid coordinates to pull and display any geotagged postings within a designated area around those coordinates. This capability could be used for a number of reasons. A list of the currently supported APIs can be found at https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide. In most cases, you will have to register with the site you are trying to get an API key for. Some of the supported APIs include Twitter, YouTube, LinkedIn, and Instagram. The program also has a Metasploit-style interface, so if you are comfortable with that, you will do just fine. The source code can be found at https://bitbucket.org/LaNMaSteR53/recon-ng/src.
To give you a feel for how simple it is, I’ll walk through running the program with the Twitter API, using the Georgia Dome in Atlanta as our area of interest. We will start at the point following installation.
In order to correlate the logs from your systems, you will either have to manually upload them to your correlation system or set up an automated way. Nxlog is one of a few agents that enable automated shipping of logs. I particularly like it because it is light on the system and not a pain to set up. Below are the steps to get you going. I will be shipping the logs in JSON format; there are many formats available, so do the research on which one satisfies your needs. The configuration we will use transports the logs over TCP port 3515 to Logstash, so you will need to ensure that port is open on the Logstash host's firewall and that Logstash has an input listening on it.
1. Navigate to http://nxlog.org/products/nxlog-community-edition/download and download the .msi version for Windows.
2. Install the downloaded .msi using the default options.
3. After installation is complete, open the configuration file located at C:\Program Files (x86)\nxlog\conf\nxlog.conf.
4. Replace the contents of the file with the configuration below. The only thing you need to change is the IP address 220.127.116.11, which should be replaced with the IP of your Logstash server.
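The following is an added example and not the configuration file from the original post. It carries out steps 2 through 4 from an elevated PowerShell prompt and then verifies the result. It assumes the .msi from step 1 was saved to C:\Temp\nxlog-ce.msi (assumed path) and uses 192.0.2.10 as a placeholder for the Logstash server; the service name nxlog, the im_msvistalog, xm_json and om_tcp modules, and the default install root are those of NXLog Community Edition on 64-bit Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): automate steps 2-4 and verify the result.
$Msi        = 'C:\Temp\nxlog-ce.msi'        # assumed location of the .msi from step 1
$LogstashIP = '192.0.2.10'                  # placeholder: replace with your Logstash server
$Port       = 3515
$ConfPath   = "${env:ProgramFiles(x86)}\nxlog\conf\nxlog.conf"

# Step 2: silent install with default options.
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$Msi`" /qn /norestart" -Wait

# Steps 3-4: write nxlog.conf. im_msvistalog reads the Windows Event Log,
# to_json() from xm_json turns each record into one JSON line, om_tcp ships it.
# $LogstashIP and $Port are expanded by PowerShell before the file is written.
$Conf = @"
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Ship only the channels you need; an unfiltered Security log is very noisy.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Application">*</Select>\
                </Query>\
            </QueryList>
    Exec    to_json();
</Input>

<Output logstash>
    Module  om_tcp
    Host    $LogstashIP
    Port    $Port
</Output>

<Route eventlog_to_logstash>
    Path    eventlog => logstash
</Route>
"@
Set-Content -Path $ConfPath -Value $Conf -Encoding ASCII

# Apply the new configuration and confirm the agent is running.
Restart-Service -Name nxlog
Get-Service -Name nxlog | Select-Object Status, Name

# Confirm the Logstash host accepts connections on the port (its tcp input must be listening).
Test-NetConnection -ComputerName $LogstashIP -Port $Port
```

On the Logstash side this pairs with a tcp input on the same port using the json codec (`input { tcp { port => 3515 codec => json } }`). Two caveats: om_tcp sends the events in cleartext, so if the logs cross a network you do not trust, switch the output to om_ssl with certificates; and if the service fails to start after the edit, %ROOT%\data\nxlog.log will name the offending line of the configuration.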
Installation of ELK is not too bad. There are a few guides online that walk through the process, but you will be hard pressed to find one that covers it all the way through. Some great links to help with this endeavor are:
For those who are inclined to install ELK on Windows, these sites are pretty useful.