Recon-ng
Another important tool/framework for reconnaissance is Recon-ng. Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
When invoking recon-ng you are presented with a welcome screen, from which you can enter a set of commands. First, let's look at the tool's help by entering the command "help".
[*] Version check disabled.
_/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com
____ ____ ____ ____ _____ _ ____ ____ ____
|____] | ___/ |____| | | | |____ |____ |
| | \_ | | |____ | | ____| |____ |____
www.practisec.com
[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
[1] Recon modules
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
[recon-ng][default] >
We can create a new workspace for a reconnaissance project.
workspaces create PROJECTNAME
Next, we can add domains to test in our project workspace.
db insert domains
And enter the domain name.
[recon-ng][PROJECTNAME] > db insert domains
domain (TEXT): mydomain.com
notes (TEXT):
[*] 1 rows affected.
We can list the domains in the database.
show domains
And we get:
[recon-ng][PROJECTNAME] > show domains
+-------+--------------+-------+--------------+
| rowid | domain       | notes | module       |
+-------+--------------+-------+--------------+
| 1     | mydomain.com |       | user_defined |
+-------+--------------+-------+--------------+
[*] 1 rows returned
Now we need to select modules from recon-ng. There are plenty of available modules; the list is shown below. Using the marketplace command, it is possible to check which modules are available.
marketplace search
This produces a list (only the first entries are shown here).
+-----------------------------------------------+---------+---------------+------------+---+---+
| Path                                          | Version | Status        | Updated    | D | K |
+-----------------------------------------------+---------+---------------+------------+---+---+
| discovery/info_disclosure/cache_snoop         | 1.1     | not installed | 2020-10-13 |   |   |
| discovery/info_disclosure/interesting_files   | 1.2     | not installed | 2021-10-04 |   |   |
| exploitation/injection/command_injector       | 1.0     | not installed | 2019-06-24 |   |   |
| exploitation/injection/xpath_bruter           | 1.2     | not installed | 2019-10-08 |   |   |
| import/csv_file                               | 1.1     | not installed | 2019-08-09 |   |   |
| import/list                                   | 1.1     | not installed | 2019-06-24 |   |   |
| import/masscan                                | 1.0     | not installed | 2020-04-07 |   |   |
| import/nmap                                   | 1.1     | not installed | 2020-10-06 |   |   |
| recon/companies-contacts/bing_linkedin_cache  | 1.0     | not installed | 2019-06-24 |   | * |
| recon/companies-contacts/censys_email_address | 2.0     | not installed | 2021-05-11 | * | * |
| recon/companies-contacts/pen                  | 1.1     | not installed | 2019-10-15 |   |   |
| recon/companies-domains/censys_subdomains     | 2.0     | not installed | 2021-05-10 | * | * |
| recon/companies-domains/pen                   | 1.1     | not installed | 2019-10-15 |   |   |
| recon/companies-domains/viewdns_reverse_whois | 1.1     | not installed | 2021-08-24 |   |   |
| recon/companies-domains/whoxy_dns             | 1.1     | not installed | 2020-06-17 |   | * |
| recon/companies-hosts/censys_org              | 2.0     | not installed | 2021-05-11 | * | * |
| recon/companies-hosts/censys_tls_subjects     | 2.0     | not installed | 2021-05-11 | * | * |
| recon/companies-multi/github_miner            | 1.1     | not installed | 2020-05-15 |   | * |
| recon/companies-multi/shodan_org              | 1.1     | not installed | 2020-07-01 | * | * |
| recon/companies-multi/whois_miner             | 1.1     | not installed | 2019-10-15 |   |   |
| recon/contacts-contacts/abc                   | 1.0     | not installed | 2019-10-11 | * |   |
| recon/contacts-contacts/mailtester            | 1.0     | not installed | 2019-06-24 |   |   |
| recon/contacts-contacts/mangle                | 1.0     | not installed | 2019-06-24 |   |   |
We can search for a specific module to use in recon-ng.
marketplace search hackertarget
And we can see if the module exists, together with the information about it.
[*] Searching module index for 'hackertarget'...
+----------------------------------+---------+-----------+------------+---+---+
| Path                             | Version | Status    | Updated    | D | K |
+----------------------------------+---------+-----------+------------+---+---+
| recon/domains-hosts/hackertarget | 1.1     | installed | 2020-05-17 |   |   |
+----------------------------------+---------+-----------+------------+---+---+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
If the module exists, we may install it.
marketplace install recon/domains-hosts/hackertarget
After the module is installed, we can load it.
modules load recon/domains-hosts/hackertarget
If we need to know which modules are installed, we can use:
modules search
And we get the list of modules.
[recon-ng][PROJECTNAME] > modules search
Recon
-----
recon/domains-hosts/hackertarget
After selecting and loading a module, we can run it. First, we can discover which options the module has.
info
And we receive all the information of the module.
[recon-ng][PROJECTNAME][hackertarget] > info
Name: HackerTarget Lookup
Author: Michael Henriksen (@michenriksen)
Version: 1.1
Description:
Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.
Options:
Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  default        yes       source of input (see 'info' for details)
Source Options:
default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string>     string representing a single input
<path>       path to a file containing a list of inputs
query <sql>  database query returning one column of inputs
[recon-ng][PROJECTNAME][hackertarget] >
From the information, we see that we need to set a "SOURCE" for the module. So let's do that.
options set SOURCE mydomain.com
So, let's run the module and check the results.
run
And let's look at the results.
---------
MYDOMAIN.COM
---------
[*] Country: None
[*] Host: mydomain.com
[*] Ip_Address: X.9.66.XX
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[*] Country: None
[*] Host: o7.ptr6980.mydomain.com
[*] Ip_Address: X.72.144.XX
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[*] Country: None
[*] Host: vpn1.mydomain.com
[*] Ip_Address: X.45.124.XX
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[*] Country: None
[*] Host: apacvpn1.mydomain.com
[*] Ip_Address: X.244.131.XX
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
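To make the SOURCE mechanism concrete (the same Source Options are shown again for the whois_pocs module later on), here is an added Python example that is not part of recon-ng or of this page: it builds a constructed SQLite stand-in for a workspace database (recon-ng keeps one per workspace; the path ~/.recon-ng/workspaces/<name>/data.db and the exact table layout are assumptions, with column names taken from the 'show domains' table and the fields printed above), runs the default source query and a custom 'query <sql>' source, and flags any harvested host that falls outside the registered domains so results can be reviewed before they feed the next module.

```python
import sqlite3

# The 'default' SOURCE query exactly as the info screen prints it.
DEFAULT_SOURCE = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"


def build_workspace_db():
    """Constructed in-memory stand-in for a recon-ng workspace data.db (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domains (domain TEXT, notes TEXT, module TEXT);
        CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT,
                            latitude TEXT, longitude TEXT, notes TEXT, module TEXT);
        INSERT INTO domains VALUES ('mydomain.com', NULL, 'user_defined');
    """)
    # Sample rows mirroring the hackertarget results above (addresses masked as on
    # the page); the last host is constructed to show an out-of-scope result.
    rows = [
        ("mydomain.com", "X.9.66.XX"),
        ("o7.ptr6980.mydomain.com", "X.72.144.XX"),
        ("vpn1.mydomain.com", "X.45.124.XX"),
        ("apacvpn1.mydomain.com", "X.244.131.XX"),
        ("mail.otherdomain.net", "X.1.1.XX"),
    ]
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, 'hackertarget')", rows
    )
    return conn


def source_inputs(conn, sql=DEFAULT_SOURCE):
    """Inputs a module would receive from 'options set SOURCE query <sql>'."""
    cursor = conn.execute(sql)
    # recon-ng requires the query to return exactly one column of inputs.
    if len(cursor.description) != 1:
        raise ValueError("SOURCE query must return one column")
    return [row[0] for row in cursor]


def out_of_scope_hosts(conn):
    """Harvested hosts that are not under any domain registered in the workspace."""
    domains = source_inputs(conn)

    def in_scope(host):
        return any(host == d or host.endswith("." + d) for d in domains)

    return sorted(h for (h,) in conn.execute("SELECT host FROM hosts") if not in_scope(h))


if __name__ == "__main__":
    db = build_workspace_db()
    print(source_inputs(db))
    print(source_inputs(db, "SELECT host FROM hosts WHERE host LIKE '%vpn%' ORDER BY host"))
    print(out_of_scope_hosts(db))
```

The 'query' form is what lets one module's results (the hosts table here) become the input of the next, so a scope check like this belongs between the two runs.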
Gathering information for a person
You can also look for personal information that might be present on an organization's web site. There are specific recon-ng modules to do that.
So, first of all, let's create a new workspace.
workspaces create PROJECT-PERSONAL
Let us select and install the appropriate module.
marketplace install recon/domains-contacts/whois_pocs
And load the module.
modules load recon/domains-contacts/whois_pocs
Check the options to run the module.
info
The module options are:
[recon-ng][PROJECT-PERSONAL][whois_pocs] > info
Name: Whois POC Harvester
Author: Tim Tomes (@lanmaster53)
Version: 1.0
Description:
Uses the ARIN Whois RWS to harvest POC data from whois queries for the given domain. Updates the
'contacts' table with the results.
Options:
Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  default        yes       source of input (see 'info' for details)
Source Options:
default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string>     string representing a single input
<path>       path to a file containing a list of inputs
query <sql>  database query returning one column of inputs
It is necessary to set the "SOURCE".
options set SOURCE gmail.com
And run the module.
[recon-ng][PROJECT-PERSONAL][whois_pocs] > run
---------
GMAIL.COM
---------
[*] URL: http://whois.arin.net/rest/pocs;domain=gmail.com
[*] URL: http://whois.arin.net/rest/poc/XXXX
[*] Country: United States
[*] Email: XXXX@gmail.com
[*] First_Name: XXXXX
[*] Last_Name: XXXXX
[*] Middle_Name: None
[*] Notes: None
[*] Phone: None
[*] Region: Columbus, OH
[*] Title: Whois contact
[*] --------------------------------------------------
[*] URL: http://whois.arin.net/rest/poc/XXXX
[*] Country: Taiwan, Province Of China
[*] Email: XXXX@gmail.com
[*] First_Name: XXXX
[*] Last_Name: XXXX
[*] Middle_Name: None
[*] Notes: None
[*] Phone: None
[*] Region: New Taipei City
[*] Title: Whois contact
Explore the many other options and modules of recon-ng.