Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance.
root@kali:~# recon-ng --help
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
                [--no-analytics]
recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com
optional arguments:
  -h, --help       show this help message and exit
  -v, --version    show program's version number and exit
  -w workspace     load/create a workspace
  -r filename      load commands from a resource file
  --no-check       disable version check
  --no-analytics   disable analytics reporting
Using recon-ng
From the console it is easy to get help and get started with your recon.
[recon-ng][default] > help
Commands (type [help|?] ):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
On your first load of recon-ng note the message below. You begin with an empty framework.
[*] No modules enabled/installed.
As shown in the help menu, the marketplace command (“Interfaces with the module marketplace”) lets you pick and choose the modules you want.
How to:
First, let's use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and hostname search.
Install module
The syntax to install is marketplace install hackertarget, as seen below.
[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] >
Load module
[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] >
Set source
Now set the source. It is currently set to default (see below).
[recon-ng][default][hackertarget] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
The syntax is options set SOURCE tesla.com
[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com
I am using tesla.com as an example domain because they have a published bug bounty program and Teslas are cool.
Use the info command, which shows that “Current Value” has changed to tesla.com
[recon-ng][default][hackertarget] > info
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE tesla.com yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
string string representing a single input
path path to a file containing a list of inputs
query sql database query returning one column of inputs
If we use input, we can see:
[recon-ng][default][hackertarget] > input
+---------------+
| Module Inputs |
+---------------+
| tesla.com |
+---------------+
Run the module
Type run to execute the module.
[recon-ng][default][hackertarget] > run
---------
TESLA.COM
---------
[*] [host] tesla.com (209.133.79.61)
[*] [host] sjc04d1rsaap02.tesla.com (205.234.27.206)
[*] [host] model3.tesla.com (205.234.27.221)
[*] [host] marketing.tesla.com (13.111.47.196)
[*] [host] email.tesla.com (136.147.129.27)
[*] [host] mta2.email.tesla.com (13.111.4.231)
[*] [host] mta.email.tesla.com (13.111.14.190)
[*] [host] xmail.tesla.com (204.74.99.100)
[*] [host] comparison.tesla.com (64.125.183.133)
[*] [host] na-sso.tesla.com (209.133.79.81)
[*] [host] edr.tesla.com (209.133.79.33)
[*] [host] mta2.emails.tesla.com (13.111.88.1)
[*] [host] mta3.emails.tesla.com (13.111.88.2)
[*] [host] mta4.emails.tesla.com (13.111.88.52)
[*] [host] mta5.emails.tesla.com (13.111.88.53)
[*] [host] mta.emails.tesla.com (13.111.62.118)
[*] [host] click.emails.tesla.com (13.111.48.179)
[*] [host] view.emails.tesla.com (13.111.49.179)
[*] [host] events.tesla.com (13.111.47.195)
[*] [host] shop.eu.tesla.com (205.234.27.221)
[*] [host] sso-dev.tesla.com (209.133.79.66)
-------
SUMMARY
-------
[*] 21 total (0 new) hosts found.
Show hosts
Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.
[recon-ng][default][hackertarget] > show hosts
+------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+------------------------------------------------------------------------------------------------------------+
| 1 | tesla.com | 209.133.79.61 | | | | | hackertarget |
| 2 | sjc04d1rsaap02.tesla.com | 205.234.27.206 | | | | | hackertarget |
| 3 | model3.tesla.com | 205.234.27.221 | | | | | hackertarget |
| 4 | marketing.tesla.com | 13.111.47.196 | | | | | hackertarget |
| 5 | email.tesla.com | 136.147.129.27 | | | | | hackertarget |
| 6 | mta2.email.tesla.com | 13.111.4.231 | | | | | hackertarget |
| 7 | mta.email.tesla.com | 13.111.14.190 | | | | | hackertarget |
| 8 | xmail.tesla.com | 204.74.99.100 | | | | | hackertarget |
| 9 | comparison.tesla.com | 64.125.183.133 | | | | | hackertarget |
| 10 | na-sso.tesla.com | 209.133.79.81 | | | | | hackertarget |
| 11 | edr.tesla.com | 209.133.79.33 | | | | | hackertarget |
| 12 | mta2.emails.tesla.com | 13.111.88.1 | | | | | hackertarget |
| 13 | mta3.emails.tesla.com | 13.111.88.2 | | | | | hackertarget |
| 14 | mta4.emails.tesla.com | 13.111.88.52 | | | | | hackertarget |
| 15 | mta5.emails.tesla.com | 13.111.88.53 | | | | | hackertarget |
| 16 | mta.emails.tesla.com | 13.111.62.118 | | | | | hackertarget |
| 17 | click.emails.tesla.com | 13.111.48.179 | | | | | hackertarget |
| 18 | view.emails.tesla.com | 13.111.49.179 | | | | | hackertarget |
| 19 | events.tesla.com | 13.111.47.195 | | | | | hackertarget |
| 20 | shop.eu.tesla.com | 205.234.27.221 | | | | | hackertarget |
| 21 | sso-dev.tesla.com | 209.133.79.66 | | | | | hackertarget |
+------------------------------------------------------------------------------------------------------------+
[*] 21 rows returned
[recon-ng][default][hackertarget] >
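For an asset owner reviewing their own footprint, the host lines printed by run (and saved with the spool command) can be parsed and compared against an inventory. This is an added example, not part of the original article or of recon-ng; the sample output and inventory are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches recon-ng host lines such as "[*] [host] name (ip)".
HOST_LINE = re.compile(r"^\[\*\] \[host\] (?P<host>\S+) \((?P<ip>[0-9A-Fa-f.:]+)\)$")

# Constructed sample in the format of the run output above (documentation IP ranges).
SAMPLE_SPOOL = """\
-----------
EXAMPLE.COM
-----------
[*] [host] example.com (192.0.2.10)
[*] [host] app.example.com (198.51.100.20)
[*] [host] shop.example.com (198.51.100.20)
[*] [host] sso-dev.example.com (192.0.2.66)
[*] [host] SSO-DEV.example.com (192.0.2.66)
-------
SUMMARY
-------
[*] 5 total (0 new) hosts found.
"""

# Constructed inventory: hostnames the asset owner already tracks.
SAMPLE_INVENTORY = {"example.com", "app.example.com", "shop.example.com"}


def parse_hosts(spool_text):
    """Return {hostname: set of IPs}; banner and summary lines are ignored."""
    hosts = defaultdict(set)
    for line in spool_text.splitlines():
        match = HOST_LINE.match(line.strip())
        if match:
            # DNS names are case-insensitive, so normalise before deduplicating.
            hosts[match.group("host").lower().rstrip(".")].add(match.group("ip"))
    return dict(hosts)


def shared_ips(hosts):
    """Return {ip: sorted hostnames} for addresses serving more than one name."""
    by_ip = defaultdict(set)
    for host, ips in hosts.items():
        for ip in ips:
            by_ip[ip].add(host)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def untracked(hosts, inventory):
    """Hostnames visible in public data but missing from the inventory."""
    known = {name.lower().rstrip(".") for name in inventory}
    return sorted(set(hosts) - known)


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_SPOOL)
    print("shared IPs:", shared_ips(found))
    print("not in inventory:", untracked(found, SAMPLE_INVENTORY))
```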
Add API keys to Recon-ng
It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option, allowing you to query open ports on your discovered hosts without sending any packets to the target systems.
keys add shodan_api < insert shodan api key here >
.recon-ng configuration files
When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. Contained in this folder is keys.db. If you are upgrading from one version to another or have changed computers, and have previous modules that require keys to work, copy this file from the old version on your system and move it to the new one. You do not have to start all over again.
test@test-desktop:~/.recon-ng$ ls
keys.db
modules
modules.yml
workspaces
test@test-desktop:~/.recon-ng$
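Because keys.db carries third-party API credentials, the copy described above is worth doing with owner-only permissions and without clobbering keys already stored on the new machine. The following is an added example, not code from the article or from recon-ng; migrate_keys_db and demo are hypothetical names, and the demo uses a constructed placeholder file in temporary directories.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def migrate_keys_db(old_dir, new_dir):
    """Copy keys.db from old_dir into new_dir with owner-only permissions."""
    src = os.path.join(old_dir, "keys.db")
    dst = os.path.join(new_dir, "keys.db")
    st = os.lstat(src)
    if not stat.S_ISREG(st.st_mode):  # also rejects symlinks
        raise ValueError("not a regular file: " + src)
    # If group/others could read the old copy, the stored keys may need rotating.
    exposed = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
    os.makedirs(new_dir, mode=0o700, exist_ok=True)
    os.chmod(new_dir, 0o700)
    # O_EXCL refuses to overwrite keys already saved in the new profile.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        out.write(inp.read())
    os.chmod(dst, 0o600)  # enforce the mode regardless of umask
    if _sha256(src) != _sha256(dst):
        raise OSError("copy verification failed for " + dst)
    return {"dest": dst,
            "mode": stat.S_IMODE(os.stat(dst).st_mode),
            "source_was_exposed": exposed}


def demo():
    """Run the migration between two temporary directories (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        old = os.path.join(tmp, "old", ".recon-ng")
        new = os.path.join(tmp, "new", ".recon-ng")
        os.makedirs(old)
        with open(os.path.join(old, "keys.db"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real key database")
        os.chmod(os.path.join(old, "keys.db"), 0o644)  # world-readable on purpose
        first = migrate_keys_db(old, new)
        try:
            migrate_keys_db(old, new)
            overwrote = True
        except FileExistsError:
            overwrote = False
        return first["mode"], first["source_was_exposed"], overwrote


if __name__ == "__main__":
    print(demo())
```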
Recon-ng Marketplace and Modules
Typing marketplace search will display a list of all the modules, from which you can start following the white rabbit, exploring and getting deeper into recon and open source intelligence.
[recon-ng][default] > marketplace search
+---------------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+---------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.0 | not installed | 2019-06-24 | | |
| discovery/info_disclosure/interesting_files | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/command_injector | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/xpath_bruter | 1.2 | not installed | 2019-10-08 | | |
| import/csv_file | 1.1 | not installed | 2019-08-09 | | |
| import/list | 1.0 | not installed | 2019-06-24 | | |
| import/nmap | 1.0 | not installed | 2019-06-24 | | |
| recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/viewdns_reverse_whois | 1.0 | not installed | 2019-08-08 | | |
| recon/companies-multi/github_miner | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-multi/shodan_org | 1.0 | not installed | 2019-06-26 | | * |
| recon/companies-multi/whois_miner | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-contacts/abc | 1.0 | not installed | 2019-10-11 | * | |
| recon/contacts-contacts/mailtester | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/mangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/unmangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/hibp_paste | 1.1 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/scylla | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-domains/migrate_contacts | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-profiles/fullcontact | 1.1 | not installed | 2019-07-24 | | * |
| recon/credentials-credentials/adobe | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/bozocrack | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/hashes_org | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * | |
| recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/pgp_search | 1.3 | not installed | 2019-10-16 | | |
| recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-credentials/pwnedlist/account_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/api_usage | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/domain_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/domain_ispwned | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/leak_lookup | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-credentials/pwnedlist/leaks_dump | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/scylla | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-domains/brute_suffix | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 | | |
| recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/builtwith | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/certificate_transparency | 1.1 | not installed | 2019-09-16 | | |
| recon/domains-hosts/findsubdomains | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/netcraft | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/shodan_hostname | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/xssposed | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-domains/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/bing_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/ipinfodb | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/ipstack | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-locations/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-ports/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-ports/shodan_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/reverse_geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/flickr | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/shodan | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/twitter | 1.1 | not installed | 2019-10-17 | | * |
| recon/locations-pushpins/youtube | 1.1 | not installed | 2019-10-15 | | * |
| recon/netblocks-companies/whois_orgs | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/shodan_net | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-ports/census_2012 | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-ports/censysio | 1.0 | not installed | 2019-06-24 | | * |
| recon/ports-hosts/migrate_ports | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-contacts/bing_linkedin_contacts | 1.1 | not installed | 2019-10-08 | | * |
| recon/profiles-contacts/dev_diver | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-contacts/github_users | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/namechk | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/profiler | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-profiles/twitter_mentioned | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/twitter_mentions | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-repositories/github_repos | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-profiles/github_commits | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * |
| reporting/csv | 1.0 | not installed | 2019-06-24 | | |
| reporting/html | 1.0 | not installed | 2019-06-24 | | |
| reporting/json | 1.0 | not installed | 2019-06-24 | | |
| reporting/list | 1.0 | not installed | 2019-06-24 | | |
| reporting/proxifier | 1.0 | not installed | 2019-06-24 | | |
| reporting/pushpin | 1.0 | not installed | 2019-06-24 | | * |
| reporting/xlsx | 1.0 | not installed | 2019-06-24 | | |
| reporting/xml | 1.1 | not installed | 2019-06-24 | | |
+---------------------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
Here again the help comes in handy: marketplace help shows commands for removing modules, finding more info, searching, refreshing and installing.
[recon-ng][default] > marketplace help
Interfaces with the module marketplace
Usage: marketplace info|install|refresh|remove|search [...]
Help
The help command from within a loaded module has different options to the global ‘help’.
When you are ready to explore more modules use ‘back’.
This help menu brings additional commands such as:
- goptions: Manages the global context options
- reload: Reloads the loaded module
- run: Runs the loaded module
- script: Records and executes command scripts
[recon-ng][default][hackertarget] > help
Commands (type [help|?] ):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
goptions Manages the global context options
help Displays this menu
info Shows details about the loaded module
input Shows inputs based on the source option
keys Manages third party resource credentials
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
reload Reloads the loaded module
run Runs the loaded module
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
spool Spools output to a file