Recon-ng is a reconnaissance tool that provides a powerful environment for conducting open-source, web-based reconnaissance quickly and thoroughly. It is based on Open Source Intelligence (OSINT), which is the easiest and most useful tool for reconnaissance.
Recon-ng is written in Python and comes complete with database interaction, independent modules, interactive help, command completion, and built-in convenience functions.
- What is Recon-ng?
- Using Recon-ng.
What is Recon-ng?
Recon-ng is a full-featured reconnaissance framework with an interface similar to that of Metasploit (which makes it handy and easy to use).
Recon-ng has a command-line interface that you can run on Kali Linux. It drops you into a shell-like environment where you can configure options, perform recon, and output results to different report types.
The interactive console provides several helpful features, such as command completion and contextual help.
- It is a free and open-source tool that can be downloaded and used for free.
- One of the easiest and most useful tools for performing reconnaissance.
- Used for vulnerability assessment of web applications.
- Uses the Shodan search engine to scan IoT devices.
- Easily finds loopholes in the code of websites and web applications.
- Recon-ng has the following modules: GeoIP lookup, banner grabbing, DNS lookup, and port scanning. These modules make this tool so powerful.
- Recon-ng can target a single domain and find all the subdomains of that domain, making work easy for pen-testers.
Uses of Recon-ng
- Recon-ng can be used to find the IP Addresses of a target.
- Recon-ng can be used to look for error-based SQL injections.
- Recon-ng can be used to find sensitive files such as robots.txt.
- Recon-ng can be used to find information about Geo-IP lookup, Banner grabbing, DNS lookup, port scanning, sub-domain information, reverse IP using WHOIS lookup.
- Recon-ng can be used to detect Content Management Systems (CMS) in use by a target web application.
Step 1: Installing Module.
The syntax to install is marketplace install whois_pocs, as seen below.
[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...
[recon-ng][default] >
Step 2: Loading Modules.
modules load recon/domains-contacts/whois_pocs
[recon-ng][default][hackertarget] >
Step 3: Set source.
Now set the source. It is currently set at default; to see it, use show options / options list.
options set SOURCE hacksheets.in
SOURCE => hacksheets.in
Step 4: Run The Module.
Type run to execute the module.
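After the run, the module's results are stored in the workspace database that the db command interfaces with. The sketch below is an added example, not code from the original page or from the Recon-ng project: it shows how an organisation could review what whois_pocs recorded for its own domain, separating role mailboxes from personally named ones. The contacts table layout, the value stored in the module column, the role-name list and every sample row are assumptions constructed for illustration.

```python
import sqlite3

# Assumed layout of recon-ng's contacts table (not shown on the page).
SCHEMA = """CREATE TABLE contacts (first_name TEXT, middle_name TEXT,
    last_name TEXT, email TEXT, title TEXT, region TEXT, country TEXT,
    phone TEXT, notes TEXT, module TEXT)"""

# Hypothetical list of role mailboxes, the safer choice for public WHOIS data.
ROLE_LOCALPARTS = {"abuse", "admin", "hostmaster", "noc", "postmaster", "security"}

# Constructed sample rows: (first, last, email, module). Placeholder domains only.
SAMPLE = [
    ("Alice", "Ng", "alice.ng@example.com", "whois_pocs"),
    (None, None, "abuse@example.com", "whois_pocs"),
    ("Bob", "Rao", "Bob.Rao@Example.com", "whois_pocs"),
    ("Carol", "Diaz", "carol@other.example", "whois_pocs"),
    ("Dan", "Lee", "dan@example.com", "some_other_module"),
    ("Eve", "Kim", None, "whois_pocs"),
]

def build_sample_db():
    """Create an in-memory database shaped like the assumed workspace schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO contacts (first_name, last_name, email, module) VALUES (?,?,?,?)",
        SAMPLE)
    return conn

def review_contacts(conn, domain, module="whois_pocs"):
    """Split one module's harvested addresses for `domain` into role and personal."""
    rows = conn.execute(
        "SELECT DISTINCT lower(email) FROM contacts "
        "WHERE module = ? AND email IS NOT NULL", (module,))
    report = {"role": [], "personal": []}
    for (email,) in rows:
        local, _, host = email.rpartition("@")
        if host != domain.lower():
            continue  # other organisation, or a malformed address
        kind = "role" if local in ROLE_LOCALPARTS else "personal"
        report[kind].append(email)
    return {kind: sorted(found) for kind, found in report.items()}

if __name__ == "__main__":
    print(review_contacts(build_sample_db(), "example.com"))
```

To review a real workspace, replace build_sample_db() with sqlite3.connect() on that workspace's data.db file, typically found under ~/.recon-ng/workspaces/.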
The help command inside a loaded module offers different options from the global ‘help’. When you are ready to explore more modules, use ‘back’.
This module-level help menu brings additional commands such as:
- goptions: Manages the global context options
- reload: Reloads the loaded module
- run: Runs the loaded module
- script: Records and executes command scripts.
[recon-ng][default][hacksheet]> help
Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
goptions        Manages the global context options
help            Displays this menu
info            Shows details about the loaded module
input           Shows inputs based on the source option
keys            Manages third-party resource credentials
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
reload          Reloads the loaded module
run             Runs the loaded module
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file