
Recon-ng

Recon-ng is a reconnaissance tool that provides a powerful environment for conducting open-source, web-based reconnaissance quickly and thoroughly. It is built around Open Source Intelligence (OSINT), one of the simplest and most useful approaches to reconnaissance.

Recon-ng is written in Python and comes complete with database interaction, independent modules, interactive help, command completion, and built-in convenience functions.


Contents

  • What is Recon-ng?
  • Features
  • Uses
  • Using Recon-ng
  • Help
  • Examples

What is Recon-ng?

Recon-ng is a full-featured reconnaissance framework with an interface similar to that of Metasploit, which makes it familiar and easy to use.

Recon-ng has a command-line interface that you can run on Kali Linux. Launching it drops you into a shell-like environment where you can configure options, perform recon, and output results to different report types.

The interactive console provides several helpful features, such as command completion and contextual help.


Features

  • Free and open-source; it can be downloaded and used at no cost.
  • One of the easiest and most useful tools for performing reconnaissance.
  • Used for vulnerability assessment of web applications.
  • Uses the Shodan search engine to find IoT devices.
  • Helps find loopholes in the code of websites and web applications.
  • Recon-ng ships modules for GeoIP lookup, banner grabbing, DNS lookup and port scanning; these modules are what make the tool so powerful.
  • Recon-ng can target a single domain and enumerate all of its subdomains, which makes a pen-tester's work easier.

Uses of Recon-ng 

  • Recon-ng can be used to find the IP addresses of a target.
  • Recon-ng can be used to look for error-based SQL injection.
  • Recon-ng can be used to find sensitive files such as robots.txt.
  • Recon-ng can be used for GeoIP lookup, banner grabbing, DNS lookup, port scanning, subdomain enumeration and reverse IP lookup using WHOIS.
  • Recon-ng can be used to detect the Content Management System (CMS) in use on a target web application.

Using Recon-ng

Step 1: Install the module.

The syntax is marketplace install <module path>; the example below installs recon/domains-contacts/whois_pocs.

[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...
[recon-ng][default] > 

Step 2: Load the module.

Syntax:

[recon-ng][default] > modules load recon/domains-contacts/whois_pocs

[recon-ng][default][whois_pocs] >

Step 3: Set the source.

Now set the source. It is currently set to default (see below).

Syntax:

[recon-ng][default][whois_pocs] > show options

(options list displays the same table.)

Syntax: options set SOURCE hacksheets.in

[recon-ng][default][whois_pocs] > options set SOURCE hacksheets.in
SOURCE => hacksheets.in

Step 4: Run the module.

Type run to execute the module.

Syntax:

[recon-ng][default][whois_pocs] > run

Help

The help command from within a loaded module has different options from the global help.
When you are ready to explore more modules use ‘back’.

This help menu brings additional commands such as:

  • goptions: Manages the global context options
  • reload: Reloads the loaded module
  • run: Runs the loaded module
  • script: Records and executes command scripts

[recon-ng][default][whois_pocs] > help
Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
goptions        Manages the global context options
help            Displays this menu
info            Shows details about the loaded module
input           Shows inputs based on the source option
keys            Manages third-party resource credentials
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
reload          Reloads the loaded module
run             Runs the loaded module
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file


    Recon-ng

    Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. 


    root@kali:~# recon-ng --help
    usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
                    [--no-analytics]

    recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com

    optional arguments:
      -h, --help      show this help message and exit
      -v, --version   show program's version number and exit
      -w workspace    load/create a workspace
      -r filename     load commands from a resource file
      --no-check      disable version check
      --no-analytics  disable analytics reporting


    Using recon-ng

    From the console it is easy to get help and get started with your recon.

    [recon-ng][default] > help
    
    Commands (type [help|?] ):
    ---------------------------------
    back            Exits the current context
    dashboard       Displays a summary of activity
    db              Interfaces with the workspace's database
    exit            Exits the framework
    help            Displays this menu
    index           Creates a module index (dev only)
    keys            Manages third party resource credentials
    marketplace     Interfaces with the module marketplace
    modules         Interfaces with installed modules
    options         Manages the current context options
    pdb             Starts a Python Debugger session (dev only)
    script          Records and executes command scripts
    shell           Executes shell commands
    show            Shows various framework items
    snapshots       Manages workspace snapshots
    spool           Spools output to a file
    workspaces      Manages workspaces
    
    

    On your first load of recon-ng note the message below. You begin with an empty framework.

    [*] No modules enabled/installed.

    As shown in the help menu, marketplace "Interfaces with the module marketplace"; this is where you pick and choose the modules you want.

    How to:

    First, let's use the hackertarget module to gather some subdomains. It uses the hackertarget.com API hostname search.

    Install module

    The syntax to install is marketplace install hackertarget, as seen below.

    [recon-ng][default] > marketplace install hackertarget
    [*] Module installed: recon/domains-hosts/hackertarget
    [*] Reloading modules...
    [recon-ng][default] > 
    

    Load module

    [recon-ng][default] > modules load hackertarget
    [recon-ng][default][hackertarget] > 
    

    Set source

    Now set the source. It is currently set to default (see below).

    [recon-ng][default][hackertarget] > show options
    
      Name    Current Value  Required  Description
      ------  -------------  --------  -----------
      SOURCE  default        yes       source of input (see 'show info' for details)
    

    Syntax: options set SOURCE tesla.com

    [recon-ng][default][hackertarget] > options set SOURCE tesla.com
    SOURCE => tesla.com
    

    I am using tesla.com as an example domain because they have a published bug bounty program and Teslas are cool.

    Use the info command, which shows that the "Current Value" has changed to tesla.com.

    [recon-ng][default][hackertarget] > info
    
    Options:
      Name    Current Value  Required  Description
      ------  -------------  --------  -----------
      SOURCE  tesla.com      yes       source of input (see 'info' for details)
    
    Source Options:
      default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
      string       string representing a single input
      path         path to a file containing a list of inputs
      query sql    database query returning one column of inputs
    

    If we run input we can see the module inputs:

    [recon-ng][default][hackertarget] > input
    
      +---------------+
      | Module Inputs |
      +---------------+
      | tesla.com     |
      +---------------+
    

    Run the module

    Type run to execute the module.

    [recon-ng][default][hackertarget] > run
    
    ---------
    TESLA.COM
    ---------
    [*] [host] tesla.com (209.133.79.61)
    [*] [host] sjc04d1rsaap02.tesla.com (205.234.27.206)
    [*] [host] model3.tesla.com (205.234.27.221)
    [*] [host] marketing.tesla.com (13.111.47.196)
    [*] [host] email.tesla.com (136.147.129.27)
    [*] [host] mta2.email.tesla.com (13.111.4.231)
    [*] [host] mta.email.tesla.com (13.111.14.190)
    [*] [host] xmail.tesla.com (204.74.99.100)
    [*] [host] comparison.tesla.com (64.125.183.133)
    [*] [host] na-sso.tesla.com (209.133.79.81)
    [*] [host] edr.tesla.com (209.133.79.33)
    [*] [host] mta2.emails.tesla.com (13.111.88.1)
    [*] [host] mta3.emails.tesla.com (13.111.88.2)
    [*] [host] mta4.emails.tesla.com (13.111.88.52)
    [*] [host] mta5.emails.tesla.com (13.111.88.53)
    [*] [host] mta.emails.tesla.com (13.111.62.118)
    [*] [host] click.emails.tesla.com (13.111.48.179)
    [*] [host] view.emails.tesla.com (13.111.49.179)
    [*] [host] events.tesla.com (13.111.47.195)
    [*] [host] shop.eu.tesla.com (205.234.27.221)
    [*] [host] sso-dev.tesla.com (209.133.79.66)
    
    -------
    SUMMARY
    -------
    [*] 21 total (0 new) hosts found.
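The install / load / set SOURCE / run sequence (Steps 1 to 4 earlier on this page, and the walkthrough just shown) can be replayed without typing it, using the -r filename and -w workspace flags listed in the --help output above. The following is an added example, not code from the post or from recon-ng; it assumes recon-ng is on PATH (nothing is executed when it is not) and that SOURCE is a single domain.

```python
"""Replay the install / load / set SOURCE / run steps from a resource file.

Added example, not code from the post or from recon-ng. It relies on the `-r
filename` and `-w workspace` flags shown in the --help output above and assumes
recon-ng is on PATH; nothing is executed when it is not.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Marketplace paths look like recon/domains-hosts/hackertarget (2-4 segments).
MODULE_PATH = re.compile(r"^[a-z0-9_]+(?:/[a-z0-9_-]+){1,3}$")
# This example feeds SOURCE a single domain. A value containing spaces or
# newlines would turn into extra commands in the resource file (recon-ng has a
# `shell` command), so anything else is rejected before it is written out.
SOURCE_VALUE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_resource_script(module, source):
    """Return the resource-file text for one module run against `source`."""
    if not MODULE_PATH.match(module):
        raise ValueError(f"not a marketplace module path: {module!r}")
    if not SOURCE_VALUE.match(source):
        raise ValueError(f"SOURCE must be a single domain-like token: {source!r}")
    commands = [
        f"marketplace install {module}",
        f"modules load {module}",
        f"options set SOURCE {source}",
        "run",
        "show hosts",
        "exit",  # otherwise recon-ng stays in the interactive console afterwards
    ]
    return "\n".join(commands) + "\n"


def run_resource_script(script_text, workspace):
    """Write the script to a temporary file and replay it with
    `recon-ng -w <workspace> -r <file>`. Returns the CompletedProcess, or None
    when recon-ng is not installed."""
    exe = shutil.which("recon-ng")
    if exe is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".rc", delete=False) as fh:
        fh.write(script_text)
        rc_path = fh.name
    try:
        return subprocess.run([exe, "-w", workspace, "-r", rc_path], check=False)
    finally:
        Path(rc_path).unlink(missing_ok=True)


if __name__ == "__main__":
    script = build_resource_script("recon/domains-hosts/hackertarget", "tesla.com")
    print(script)
    result = run_resource_script(script, "tesla")
    print("recon-ng not found on PATH" if result is None else f"exit code {result.returncode}")
```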
    

    Show hosts

    Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.

    [recon-ng][default][hackertarget] > show hosts
    
      +------------------------------------------------------------------------------------------------------------+
      | rowid |           host           |   ip_address   | region | country | latitude | longitude |    module    |
      +------------------------------------------------------------------------------------------------------------+
      | 1     | tesla.com                | 209.133.79.61  |        |         |          |           | hackertarget |
      | 2     | sjc04d1rsaap02.tesla.com | 205.234.27.206 |        |         |          |           | hackertarget |
      | 3     | model3.tesla.com         | 205.234.27.221 |        |         |          |           | hackertarget |
      | 4     | marketing.tesla.com      | 13.111.47.196  |        |         |          |           | hackertarget |
      | 5     | email.tesla.com          | 136.147.129.27 |        |         |          |           | hackertarget |
      | 6     | mta2.email.tesla.com     | 13.111.4.231   |        |         |          |           | hackertarget |
      | 7     | mta.email.tesla.com      | 13.111.14.190  |        |         |          |           | hackertarget |
      | 8     | xmail.tesla.com          | 204.74.99.100  |        |         |          |           | hackertarget |
      | 9     | comparison.tesla.com     | 64.125.183.133 |        |         |          |           | hackertarget |
      | 10    | na-sso.tesla.com         | 209.133.79.81  |        |         |          |           | hackertarget |
      | 11    | edr.tesla.com            | 209.133.79.33  |        |         |          |           | hackertarget |
      | 12    | mta2.emails.tesla.com    | 13.111.88.1    |        |         |          |           | hackertarget |
      | 13    | mta3.emails.tesla.com    | 13.111.88.2    |        |         |          |           | hackertarget |
      | 14    | mta4.emails.tesla.com    | 13.111.88.52   |        |         |          |           | hackertarget |
      | 15    | mta5.emails.tesla.com    | 13.111.88.53   |        |         |          |           | hackertarget |
      | 16    | mta.emails.tesla.com     | 13.111.62.118  |        |         |          |           | hackertarget |
      | 17    | click.emails.tesla.com   | 13.111.48.179  |        |         |          |           | hackertarget |
      | 18    | view.emails.tesla.com    | 13.111.49.179  |        |         |          |           | hackertarget |
      | 19    | events.tesla.com         | 13.111.47.195  |        |         |          |           | hackertarget |
      | 20    | shop.eu.tesla.com        | 205.234.27.221 |        |         |          |           | hackertarget |
      | 21    | sso-dev.tesla.com        | 209.133.79.66  |        |         |          |           | hackertarget |
      +------------------------------------------------------------------------------------------------------------+
    
    [*] 21 rows returned
    [recon-ng][default][hackertarget] > 
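The hosts table is an ordinary SQLite table in the workspace database, and the "query sql" form of the SOURCE option shown in the info output above accepts any one-column SELECT against it. The following added example (not from the post or from the recon-ng project) parses constructed `[*] [host]` lines in the format run printed above, loads them into a hosts table with the columns show hosts displayed, and runs the queries a defender would use to chain modules and to spot shared or unexpected infrastructure; the workspace file path ~/.recon-ng/workspaces/<name>/data.db is an assumption, and the example uses an in-memory database so it runs offline.

```python
"""Query the recon-ng workspace database directly.

Added example (not from the post or from recon-ng). The hosts table columns
are those that `show hosts` printed above; the workspace file lives at
~/.recon-ng/workspaces/<name>/data.db (assumed path), but the example uses an
in-memory database with constructed rows so it runs offline.
"""
import ipaddress
import re
import sqlite3
from collections import defaultdict

# Constructed sample in the format recon-ng printed during `run` above.
RUN_OUTPUT = """\
[*] [host] tesla.com (209.133.79.61)
[*] [host] model3.tesla.com (205.234.27.221)
[*] [host] shop.eu.tesla.com (205.234.27.221)
[*] [host] na-sso.tesla.com (209.133.79.81)
[*] [host] sso-dev.tesla.com (209.133.79.66)
[*] 5 total (0 new) hosts found.
"""

HOST_LINE = re.compile(r"^\[\*\] \[host\] (?P<host>\S+) \((?P<ip>[0-9.]+)\)$")

# The one-column SELECT form the SOURCE option accepts ("query sql" in the info
# output above); handing it to a hosts-ports module chains the results onward.
NEXT_SOURCE_QUERY = "SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL"


def parse_run_output(text):
    """Return (host, ip) pairs from `[*] [host] name (ip)` lines; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            rows.append((m["host"], m["ip"]))
    return rows


def open_workspace_db(path=":memory:"):
    """Open a workspace database; create the hosts table if it is missing."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, region TEXT, "
        "country TEXT, latitude TEXT, longitude TEXT, module TEXT)"
    )
    return conn


def import_hosts(conn, rows, module="hackertarget"):
    """Insert (host, ip) pairs, filling the module column as recon-ng does."""
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
        [(host, ip, module) for host, ip in rows],
    )
    conn.commit()
    return len(rows)


def distinct_ips(conn):
    """The input list a downstream module would receive from NEXT_SOURCE_QUERY."""
    return [row[0] for row in conn.execute(NEXT_SOURCE_QUERY)]


def hosts_sharing_ip(conn):
    """IP -> hostnames for addresses that several names resolve to (shared infrastructure)."""
    groups = defaultdict(list)
    for host, ip in conn.execute("SELECT host, ip_address FROM hosts ORDER BY host"):
        groups[ip].append(host)
    return {ip: names for ip, names in groups.items() if len(names) > 1}


def outside_expected_ranges(conn, expected_cidrs):
    """Hosts whose IP is outside the netblocks you expect to own: worth a review,
    since these are typically third-party hosted services carrying your domain name."""
    nets = [ipaddress.ip_network(cidr) for cidr in expected_cidrs]
    found = []
    for host, ip in conn.execute("SELECT host, ip_address FROM hosts ORDER BY host"):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            found.append((host, ip))
    return found


if __name__ == "__main__":
    db = open_workspace_db()
    import_hosts(db, parse_run_output(RUN_OUTPUT))
    print("next SOURCE inputs:", distinct_ips(db))
    print("shared IPs:", hosts_sharing_ip(db))
    print("outside 209.133.79.0/24:", outside_expected_ranges(db, ["209.133.79.0/24"]))
```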
    
    

    Add API keys to Recon-ng

    It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option, as it allows you to query open ports on your discovered hosts without sending any packets to the target systems.

    keys add shodan_api <insert shodan api key here>

    .recon-ng configuration files

    When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. This folder contains keys.db. If you are upgrading from one version to another or have changed computers, and have previously used modules that require keys, copy this file from the old installation to the new one so you do not have to start all over again.

    test@test-desktop:~/.recon-ng$ ls
    
    keys.db  
    modules  
    modules.yml  
    workspaces
    
    test@test-desktop:~/.recon-ng$ 
    

    Recon-ng Marketplace and Modules

    Typing marketplace search displays a list of all the modules, from which you can start following the white rabbit, exploring and getting deeper into recon and open source intelligence.

    [recon-ng][default] > marketplace search
    
      +---------------------------------------------------------------------------------------------------+
      |                        Path                        | Version |     Status    |  Updated   | D | K |
      +---------------------------------------------------------------------------------------------------+
      | discovery/info_disclosure/cache_snoop              | 1.0     | not installed | 2019-06-24 |   |   |
      | discovery/info_disclosure/interesting_files        | 1.0     | not installed | 2019-06-24 |   |   |
      | exploitation/injection/command_injector            | 1.0     | not installed | 2019-06-24 |   |   |
      | exploitation/injection/xpath_bruter                | 1.2     | not installed | 2019-10-08 |   |   |
      | import/csv_file                                    | 1.1     | not installed | 2019-08-09 |   |   |
      | import/list                                        | 1.0     | not installed | 2019-06-24 |   |   |
      | import/nmap                                        | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/companies-contacts/bing_linkedin_cache       | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/companies-contacts/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
      | recon/companies-domains/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
      | recon/companies-domains/viewdns_reverse_whois      | 1.0     | not installed | 2019-08-08 |   |   |
      | recon/companies-multi/github_miner                 | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/companies-multi/shodan_org                   | 1.0     | not installed | 2019-06-26 |   | * |
      | recon/companies-multi/whois_miner                  | 1.1     | not installed | 2019-10-15 |   |   |
      | recon/contacts-contacts/abc                        | 1.0     | not installed | 2019-10-11 | * |   |
      | recon/contacts-contacts/mailtester                 | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/contacts-contacts/mangle                     | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/contacts-contacts/unmangle                   | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/contacts-credentials/hibp_breach             | 1.2     | not installed | 2019-09-10 |   | * |
      | recon/contacts-credentials/hibp_paste              | 1.1     | not installed | 2019-09-10 |   | * |
      | recon/contacts-credentials/scylla                  | 1.1     | not installed | 2019-10-15 |   |   |
      | recon/contacts-domains/migrate_contacts            | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/contacts-profiles/fullcontact                | 1.1     | not installed | 2019-07-24 |   | * |
      | recon/credentials-credentials/adobe                | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/credentials-credentials/bozocrack            | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/credentials-credentials/hashes_org           | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-companies/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
      | recon/domains-contacts/metacrawler                 | 1.1     | not installed | 2019-06-24 | * |   |
      | recon/domains-contacts/pen                         | 1.1     | not installed | 2019-10-15 |   |   |
      | recon/domains-contacts/pgp_search                  | 1.3     | not installed | 2019-10-16 |   |   |
      | recon/domains-contacts/whois_pocs                  | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-credentials/pwnedlist/account_creds  | 1.0     | not installed | 2019-06-24 | * | * |
      | recon/domains-credentials/pwnedlist/api_usage      | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-credentials/pwnedlist/domain_creds   | 1.0     | not installed | 2019-06-24 | * | * |
      | recon/domains-credentials/pwnedlist/domain_ispwned | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-credentials/pwnedlist/leak_lookup    | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-credentials/pwnedlist/leaks_dump     | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-credentials/scylla                   | 1.1     | not installed | 2019-10-15 |   |   |
      | recon/domains-domains/brute_suffix                 | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/binaryedge                     | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-hosts/bing_domain_api                | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-hosts/bing_domain_web                | 1.1     | not installed | 2019-07-04 |   |   |
      | recon/domains-hosts/brute_hosts                    | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/builtwith                      | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-hosts/certificate_transparency       | 1.1     | not installed | 2019-09-16 |   |   |
      | recon/domains-hosts/findsubdomains                 | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/google_site_web                | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/hackertarget                   | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/mx_spf_ip                      | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/netcraft                       | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/shodan_hostname                | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/domains-hosts/ssl_san                        | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/threatcrowd                    | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-hosts/threatminer                    | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-vulnerabilities/ghdb                 | 1.1     | not installed | 2019-06-26 |   |   |
      | recon/domains-vulnerabilities/xssed                | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/domains-vulnerabilities/xssposed             | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/hosts-domains/migrate_hosts                  | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/hosts-hosts/bing_ip                          | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/hosts-hosts/ipinfodb                         | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/hosts-hosts/ipstack                          | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/hosts-hosts/resolve                          | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/hosts-hosts/reverse_resolve                  | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/hosts-hosts/ssltools                         | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/hosts-hosts/virustotal                       | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/hosts-locations/migrate_hosts                | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/hosts-ports/binaryedge                       | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/hosts-ports/shodan_ip                        | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/locations-locations/geocode                  | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/locations-locations/reverse_geocode          | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/locations-pushpins/flickr                    | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/locations-pushpins/shodan                    | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/locations-pushpins/twitter                   | 1.1     | not installed | 2019-10-17 |   | * |
      | recon/locations-pushpins/youtube                   | 1.1     | not installed | 2019-10-15 |   | * |
      | recon/netblocks-companies/whois_orgs               | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/netblocks-hosts/reverse_resolve              | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/netblocks-hosts/shodan_net                   | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/netblocks-hosts/virustotal                   | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/netblocks-ports/census_2012                  | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/netblocks-ports/censysio                     | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/ports-hosts/migrate_ports                    | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/profiles-contacts/bing_linkedin_contacts     | 1.1     | not installed | 2019-10-08 |   | * |
      | recon/profiles-contacts/dev_diver                  | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/profiles-contacts/github_users               | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/profiles-profiles/namechk                    | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/profiles-profiles/profiler                   | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/profiles-profiles/twitter_mentioned          | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/profiles-profiles/twitter_mentions           | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/profiles-repositories/github_repos           | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/repositories-profiles/github_commits         | 1.0     | not installed | 2019-06-24 |   | * |
      | recon/repositories-vulnerabilities/gists_search    | 1.0     | not installed | 2019-06-24 |   |   |
      | recon/repositories-vulnerabilities/github_dorks    | 1.0     | not installed | 2019-06-24 |   | * |
      | reporting/csv                                      | 1.0     | not installed | 2019-06-24 |   |   |
      | reporting/html                                     | 1.0     | not installed | 2019-06-24 |   |   |
      | reporting/json                                     | 1.0     | not installed | 2019-06-24 |   |   |
      | reporting/list                                     | 1.0     | not installed | 2019-06-24 |   |   |
      | reporting/proxifier                                | 1.0     | not installed | 2019-06-24 |   |   |
      | reporting/pushpin                                  | 1.0     | not installed | 2019-06-24 |   | * |
      | reporting/xlsx                                     | 1.0     | not installed | 2019-06-24 |   |   |
      | reporting/xml                                      | 1.1     | not installed | 2019-06-24 |   |   |
      +---------------------------------------------------------------------------------------------------+
    
      D = Has dependencies. See info for details.
      K = Requires keys. See info for details.
     

    Here again the help comes in handy: marketplace help shows the commands for removing modules, finding more info, searching, refreshing and installing.

    [recon-ng][default] > marketplace help
    Interfaces with the module marketplace
    
    Usage: marketplace info|install|refresh|remove|search [...] 
    

    Help

    The help command from within a loaded module has different options from the global help.
    When you are ready to explore more modules use ‘back’.

    This help menu brings additional commands such as:

    • goptions: Manages the global context options
    • reload: Reloads the loaded module
    • run: Runs the loaded module
    • script: Records and executes command scripts

    [recon-ng][default][hackertarget] > help
    
    Commands (type [help|?] ):
    ---------------------------------
    back            Exits the current context
    dashboard       Displays a summary of activity
    db              Interfaces with the workspace's database
    exit            Exits the framework
    goptions        Manages the global context options
    help            Displays this menu
    info            Shows details about the loaded module
    input           Shows inputs based on the source option
    keys            Manages third party resource credentials
    modules         Interfaces with installed modules
    options         Manages the current context options
    pdb             Starts a Python Debugger session (dev only)
    reload          Reloads the loaded module
    run             Runs the loaded module
    script          Records and executes command scripts
    shell           Executes shell commands
    show            Shows various framework items
    spool           Spools output to a file
    