 Greetings. Today I'd like to talk a little bit about a feature within ReconNG that I find very, very interesting, at times entertaining and also at times pretty scary. And that is the feature set of pushpins, the location to pushpins modules or the integration of the tool formally known as pushpin. So some quick background information on this. It was originally an idea that was created by John Strand a couple years back. And then a POC was originally written by Ethan Robish that essentially took geotagged data from different resources and then plotted them on a map so that you could conduct an analysis of where these pieces of data were created. So this is kind of interesting. The POC was caught a little bit of attention and John pretty much came to me and said, hey, I want you to perfect this. So I created the pushpin script out of it and then eventually migrated that into ReconNG and that's what we're going to cover today. But basically this is all made possible because of something called geotagging. So what is geotagging? Well, very quickly, geotagging is when a piece of media is created by a device that is capable of determining its own location. It will tag that particular piece of media with that location, with the location of when it was created within that media's metadata. And then what happens is when you tweet or when you take a picture and upload it somewhere or a video or whatnot, that metadata, that location, that geotag gets sent to the resource or to that third party resource with your piece of media. And what a lot of these resources do is they will strip out that location data, that geotag, and they will actually store it in the database with the other information about that particular media and make it searchable through a web interface, through an API, or any number of locations. So basically what Pushpin does is it says, hey, here's all these different resources that actually make their information searchable by geotags. And so what we've done is we've tapped into these APIs. We've written parsers to scrape the web pages so that we can go out, search according to location, and then bring back and map all of this media on a map for you so that you can kind of see where these things came about. So it's got to obviously have some nefarious use cases. It's very stalker-ish if it's the first time you've ever been exposed to it. However, that's not the reason why it was built. There was two purposes why it was built. Number one was to introduce the possibility that we may be able to conduct some physical reconnaissance or some level of physical reconnaissance whatever we're actually having to be on the ground at the particular location. The second purpose for this was to build associations through geographical relationships. So two individuals say you've got a person outside, you've got a person that's tweeting in the parking lot of the National Security Agency, something along the lines of, well, going to work today. Well, you now have identified that that person is probably an employee of the National Security Agency. So it allows us to begin to build associations based on these geographical relationships between the pieces of media. So today we're going to demo this functionality, and I want to cover a couple different modules in ReconNG that do this. But the first thing we need is the location of a target. Well, let's go out here. Let's say we're going to target the NSA today. So let's go to Google and ask it for NSA's address. So address, National Security Agency, and Google is nice enough to give it to us right on this really big banner at the top of the screen. So let's go ahead and copy that. Let's come back here, and let's actually select our NSA workspace. There we go. And now let's, if we've looked at the locations table before in the last video, if we look at the locations table, I actually show schema. Come up here, look at the locations table. You'll see that the street address is a column within the locations table. So that's a piece of data that we can use as input for a module. So let's take that street address we have, and let's add it. So remember the add command, add locations. We'll go past latitude, past latitude, paste in the address, and hit enter. And now we have a street address. So how do we get the latitude and longitude from this? Well, let's load a geocode module. So I've got a couple of geocode modules in here. The first one is just geocode. The other one's reverse geocode. So what geocode does is it takes an address and it turns it into latitude and longitude. Reverse geocode takes latitude and longitude and turns it into an address. So we have an address. So let's go ahead and use this module right here. It's our standard geocode module. And let's run it. Well, first I'll show you the options. Not much going on there. We run it, and it brings back and gives us our latitude and our longitude. So now what can we do with this latitude and longitude? We now have a location. And if we do a search for things that start with location, actually, dash has got to be on the other side, right? We'll see that you have these geocode modules, but then you also have all of these pushpin modules. And this is what we're going to cover today. So we have these pushpin modules, and these are essentially the resources that are parsing out that geotag data and making their content, so to speak, searchable according to that particular data. So that's exactly what we're going to do. We're going to search each one of these resources according to the location that we harvested, and then we're going to pull down those pieces of media that are associated with that. So let's go ahead and start loading some of these up. We'll load Flickr first. And just to kind of show you an option, most of them look the same. Most of them have just a radius option and then a source option. Obviously, the default for the source is going to be the latitude and longitude from the locations table, but you could pass it in a list or you could give it a single location. There's a couple of different ways to do it. However, here we're going to use the database. The radius of one is final. Let's just go ahead and run it. We see it shows us the location and it goes out and starts collecting photos from Flickr based on that location. Next, we'll load Pekasa. And we'll run it. I'll get some of those. We'll load Shodan. And we'll see there's more than one Shodan once, so let's go ahead and use our smart load features. And we'll run this. Now, Shodan is going to time out. You typically have to extend the time out for up to about 60 seconds for this to work. I talked to the developer of Shodan API and he said the Geo Searches take a good bit of time to actually go through and conduct. And so you will need to extend the time out to actually get information back from it. Now, we'll see here that the request is going to time out. But the bottom line is it's doing the same thing there. It's going out and just grabbing Geo Tagged services and systems that Shodan is aware of. So we'll go ahead and just cancel that out at timed out for us. Next is we've got Twitter. So load recon. Pushpin. Twitter is a couple of Twitter modules. So make sure I've got the right one. We'll run it. And we see we've got some new ones there. And what's the final one? YouTube. Load. YouTube. We'll run it. And we'll get it. Okay. So now if we go to Show Dashboard here, we can see we've got our summary. The one location we put in there and then we've harvested 647 pushpins associated with the one location that's in our locations table. Okay, so this is good information. Now let's see what some of these pushpins are. Oh, my goodness. This is a terrible way to view this data, right? This data looks practically unusable in an ASCII table form. We've got to have a better way to see this and this is where the pushpin reporting comes in. So here we load a reporting pushpin and we have the pushpin reporting module. Let's show the options here because there are a couple of options we need to talk about. You'll see that there is a latitude, longitude and radius option that are all required but not filled out with the default value. Now this is important. Not necessarily for the actual data that's going to go on the map but the way it looks. So the latitude and longitude is going to establish where the center of the map is on the screen when you load it and then the radius is going to be the nice little grayed out circle out from the center of the map that kind of gives you a radius from where you've searched. So let's go ahead and set these. I need to show locations because I want to get this set in the right place. So let's set latitude to this and we'll set longitude to this. Set radius to 1. I'll make sure we've got them set. We do. Let's go ahead and run it and we'll see that it has created our R2 HTML reports for us. So if we go here let's load up the media, the media one first. And you'll see you have a nice little layout here. Different columns with the data in it and it looks like it's taken a bit to load the Twitter stuff. We'll give it a minute. As you can see here now we're starting to see data in a useful format and it is sorted chronologically. So the most recent ones are at top and you've got Fligger images. You've got Picasso images. You've got Tweets and you've got YouTube videos all from the area. So that's pretty helpful, right? But it's not the best way to view this data. It's not the original purpose we created the Pushpin tool. That's what the map report was. So let's go here and let's look at the map. As you can see is now we have a nice interface with a Google map that shows us all the pieces of data that we've actually pulled down. Now if we go over here to satellite view you'll see that here's the National Security Agency and here's the headquarters and we've got various Tweets and things around in the parking lot that we can look at. All kinds of different stuff. Flicker images that appear to come from within the building itself. YouTube videos that appear to come from within the building itself. The green dot is the center. That's the epicenter of the map. That's the cross section of the latitude and longitude that you gave it when you went to report. Just lots of interesting information and you can begin to click through this information and start looking at these where the information is located where it came from where the person was at when they actually uploaded the media and begin to create associations between people and places and things. One of the really interesting things about the new version of Pushpin at least the integration into ReconNG is that now since all the information is stored in the database rather than just run the script and getting one snapshot in time for all that information you can start to create a historical record where you can actually use some of the scripting functionality within the framework to run these modules every 5, 10, 15 minutes every day, every week, whatever you want to you can have these things ran and it keeps a historical record of all the data in the database and so that when you run this report like this you'll see everything for as long as you've been collecting data from those particular locations. That is the Pushpin portion of ReconNG. Again, I hope you enjoy it and if any of you are familiar or know of other resources that allow us to search by Geotag Media please hit me up on Twitter at Landmaster53 so that we can add those modules into the framework. Enjoy and have a great day.