hacksheets > Bug-Bounty > Recon-ng

Recon-ng

Recon-ng is a reconnaissance tool that is used to provide a powerful environment to conduct open-source web-based reconnaissance quickly and thoroughly. It is based on Open Source Intelligence (OSINT), which is the easiest and useful tool for reconnaissance.

Recon-ng is written in Python. Complete with database interaction, independent modules, interactive help, command completion, and built-in convenience functions.


Contents

  • what is Recon-ng?
  • Features.
  • Uses.
  • Using recon-ng.
  • Help.
  • Examples.

What is Recon-ng?

Recon-ng is a full-featured reconnaissance framework that has a similar interface to that of Metasploit(which comes in handy and easy to use). 

Recon-ng has the command-line interface which you can run on Kali Linux, also you enter a shell-like environment where you can configure options, perform recon, and output results to different report types.

The interactive console provides several helpful features, such as command completion and contextual help.


Features

  • The free and open-source tool and can be downloaded and used for free.
  • One of the easiest and useful tools for performing reconnaissance.
  • Used for vulnerability assessment of web applications.
  • Uses the Shodan search engine to scan IoT devices.
  • Easily find loopholes in the code of website & web applications.
  •  Recon-ng has the following modules GeoIP lookup, Banner grabbing, DNS lookup, port scanning, These modules make this tool so powerful.
  •  Recon-ng can target a single domain and can find all the subdomains of that domain making work easy for pen-testers.

Uses of Recon-ng 

  • Recon-ng can be used to find the IP Addresses of a target.
  • Recon-ng can be used to look for error-based SQL injections.
  • Recon-ng can be used to find sensitive files such as robots.txt.
  • Recon-ng can be used to find information about Geo-IP lookup, Banner grabbing, DNS lookup, port scanning, sub-domain information, reverse IP using WHOIS lookup.
  • Recon-ng can be used to detects Content Management Systems (CMS) in the use of a target web application.

Using Recon-ng

Step 1: Installing Module.

Syntax to install is marketplace install whois_pocs as seen below.

[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...
[recon-ng][default] > 

Step 2: Loading Modules.

Syntax:

[recon-ng][default] > modules loadrecon/domains-contacts/whois_pocs

[recon-ng][default][hackertarget] >

Step 3: Set source.

Now set the source. Currently set at default (see below)

Syntax:

[recon-ng][default][whois_pocs] > show options/ options list

.

Syntax options set SOURCE hacksheets.in

[recon-ng][default][whois_pocst] > options set SOURCE hacksheets.in
SOURCE => hacksheets.in

Step 3: Run The Module.

Type run to execute the module.

Syntax:

[recon-ng][default][whois_pocs] > run

Help

The help command from within a loaded module has different options to the global ‘help’.
When you are ready to explore more modules use ‘back’.

This help menu brings additional commands such as:

  • options: Manages the global context options
  • reload: Reloads the loaded module
  • run: Runs the loaded module
  • script: Records and executes command scripts.
[recon-ng][default][hacksheet]> help
Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
options        Manages the global context options
help            Displays this menu
info            Shows details about the loaded module
input           Shows inputs based on the source option
keys            Manages third-party resource credentials
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
reload          Reloads the loaded module
run             Runs the loaded module
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file

Leave a Reply

hacksheets > Bug-Bounty > Recon-ng

Recon-ng

Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. 


root@kali:~# recon-ng –help
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [–no-check]                [–no-analytics]
recon-ng – Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com

optional arguments:
  -h, –help      show this help message and exit
  -v, –version   show program’s version number and exit
  -w workspace    load/create a workspace
  -r filename     load commands from a resource file
  –no-check      disable version check
  –no-analytics  disable analytics reporting


Using recon-ng

From the console it is easy to get help and get started with your recon.

[recon-ng][default] > help

Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
help            Displays this menu
index           Creates a module index (dev only)
keys            Manages third party resource credentials
marketplace     Interfaces with the module marketplace
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
workspaces      Manages workspaces

On your first load of recon-ng note the message below. You begin with an empty framework.

[*] No modules enabled/installed.

As shown in the help menu the Marketplace: Interfaces with the module marketplace to pick and choose modules you want.

How to:

Firstly lets use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and hostname search.

Install module

Syntax to install is marketplace install hackertarget as seen below.

[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] > 

Load module

[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] > 

Set source

Now set the source. Currently set at default (see below)

[recon-ng][default][hackertarget] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Syntax options set SOURCE tesla.com

[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com

I am using tesla.com as an example domain because they have a published bug bounty program and Tesla’s are cool.

Use command – info – which shows “Current Value” has changed to tesla.com

[recon-ng][default][hackertarget] > info

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  tesla.com      yes       source of input (see 'info' for details)

Source Options:
  default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  string       string representing a single input
  path         path to a file containing a list of inputs
  query sql    database query returning one column of inputs

If we use input we can see

econ-ng][default][hackertarget] > input

  +---------------+
  | Module Inputs |
  +---------------+
  | tesla.com     |
  +---------------+

Run the module

Type run to execute the module.

---------------
[recon-ng][default][hackertarget] > run

---------
TESLA.COM
---------
[*] [host] tesla.com (209.133.79.61)
[*] [host] sjc04d1rsaap02.tesla.com (205.234.27.206)
[*] [host] model3.tesla.com (205.234.27.221)
[*] [host] marketing.tesla.com (13.111.47.196)
[*] [host] email.tesla.com (136.147.129.27)
[*] [host] mta2.email.tesla.com (13.111.4.231)
[*] [host] mta.email.tesla.com (13.111.14.190)
[*] [host] xmail.tesla.com (204.74.99.100)
[*] [host] comparison.tesla.com (64.125.183.133)
[*] [host] na-sso.tesla.com (209.133.79.81)
[*] [host] edr.tesla.com (209.133.79.33)
[*] [host] mta2.emails.tesla.com (13.111.88.1)
[*] [host] mta3.emails.tesla.com (13.111.88.2)
[*] [host] mta4.emails.tesla.com (13.111.88.52)
[*] [host] mta5.emails.tesla.com (13.111.88.53)
[*] [host] mta.emails.tesla.com (13.111.62.118)
[*] [host] click.emails.tesla.com (13.111.48.179)
[*] [host] view.emails.tesla.com (13.111.49.179)
[*] [host] events.tesla.com (13.111.47.195)
[*] [host] shop.eu.tesla.com (205.234.27.221)
[*] [host] sso-dev.tesla.com (209.133.79.66)

-------
SUMMARY
-------
[*] 21 total (0 new) hosts found.

Show hosts

Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.

[recon-ng][default][hackertarget] > show hosts

  +------------------------------------------------------------------------------------------------------------+
  | rowid |           host           |   ip_address   | region | country | latitude | longitude |    module    |
  +------------------------------------------------------------------------------------------------------------+
  | 1     | tesla.com                | 209.133.79.61  |        |         |          |           | hackertarget |
  | 2     | sjc04d1rsaap02.tesla.com | 205.234.27.206 |        |         |          |           | hackertarget |
  | 3     | model3.tesla.com         | 205.234.27.221 |        |         |          |           | hackertarget |
  | 4     | marketing.tesla.com      | 13.111.47.196  |        |         |          |           | hackertarget |
  | 5     | email.tesla.com          | 136.147.129.27 |        |         |          |           | hackertarget |
  | 6     | mta2.email.tesla.com     | 13.111.4.231   |        |         |          |           | hackertarget |
  | 7     | mta.email.tesla.com      | 13.111.14.190  |        |         |          |           | hackertarget |
  | 8     | xmail.tesla.com          | 204.74.99.100  |        |         |          |           | hackertarget |
  | 9     | comparison.tesla.com     | 64.125.183.133 |        |         |          |           | hackertarget |
  | 10    | na-sso.tesla.com         | 209.133.79.81  |        |         |          |           | hackertarget |
  | 11    | edr.tesla.com            | 209.133.79.33  |        |         |          |           | hackertarget |
  | 12    | mta2.emails.tesla.com    | 13.111.88.1    |        |         |          |           | hackertarget |
  | 13    | mta3.emails.tesla.com    | 13.111.88.2    |        |         |          |           | hackertarget |
  | 14    | mta4.emails.tesla.com    | 13.111.88.52   |        |         |          |           | hackertarget |
  | 15    | mta5.emails.tesla.com    | 13.111.88.53   |        |         |          |           | hackertarget |
  | 16    | mta.emails.tesla.com     | 13.111.62.118  |        |         |          |           | hackertarget |
  | 17    | click.emails.tesla.com   | 13.111.48.179  |        |         |          |           | hackertarget |
  | 18    | view.emails.tesla.com    | 13.111.49.179  |        |         |          |           | hackertarget |
  | 19    | events.tesla.com         | 13.111.47.195  |        |         |          |           | hackertarget |
  | 20    | shop.eu.tesla.com        | 205.234.27.221 |        |         |          |           | hackertarget |
  | 21    | sso-dev.tesla.com        | 209.133.79.66  |        |         |          |           | hackertarget |
  +------------------------------------------------------------------------------------------------------------+

[*] 21 rows returned
[recon-ng][default][hackertarget] > 

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option. Allowing you to query open ports on your discovered hosts without sending any packets to the target systems.

keys add shodan_api < insert shodan api key here > 

.recon-ng configuration files

When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. Contained in this folder is keys.db. If you are upgrading from one version to another or changed computers, and have previous modules that require keys to work, copy this file from the old version on your system and move it on the new one. You do not have to start all over again.

test@test-desktop:~/.recon-ng$ ls

keys.db  
modules  
modules.yml  
workspaces

test@test-desktop:~/.recon-ng$ 

Recon-ng Marketplace and Modules

Typing marketplace search will display a list of all the modules. From which you can start following the white rabbit exploring and getting deeper into recon and open source intelligence.

[recon-ng][default] > marketplace search

  +---------------------------------------------------------------------------------------------------+
  |                        Path                        | Version |     Status    |  Updated   | D | K |
  +---------------------------------------------------------------------------------------------------+
  | discovery/info_disclosure/cache_snoop              | 1.0     | not installed | 2019-06-24 |   |   |
  | discovery/info_disclosure/interesting_files        | 1.0     | not installed | 2019-06-24 |   |   |
  | exploitation/injection/command_injector            | 1.0     | not installed | 2019-06-24 |   |   |
  | exploitation/injection/xpath_bruter                | 1.2     | not installed | 2019-10-08 |   |   |
  | import/csv_file                                    | 1.1     | not installed | 2019-08-09 |   |   |
  | import/list                                        | 1.0     | not installed | 2019-06-24 |   |   |
  | import/nmap                                        | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/companies-contacts/bing_linkedin_cache       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/companies-contacts/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/viewdns_reverse_whois      | 1.0     | not installed | 2019-08-08 |   |   |
  | recon/companies-multi/github_miner                 | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/companies-multi/shodan_org                   | 1.0     | not installed | 2019-06-26 |   | * |
  | recon/companies-multi/whois_miner                  | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/contacts-contacts/abc                        | 1.0     | not installed | 2019-10-11 | * |   |
  | recon/contacts-contacts/mailtester                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/mangle                     | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/unmangle                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-credentials/hibp_breach             | 1.2     | not installed | 2019-09-10 |   | * |
  | recon/contacts-credentials/hibp_paste              | 1.1     | not installed | 2019-09-10 |   | * |
  | recon/contacts-credentials/scylla                  | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/contacts-domains/migrate_contacts            | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-profiles/fullcontact                | 1.1     | not installed | 2019-07-24 |   | * |
  | recon/credentials-credentials/adobe                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/bozocrack            | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/hashes_org           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-companies/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-contacts/metacrawler                 | 1.1     | not installed | 2019-06-24 | * |   |
  | recon/domains-contacts/pen                         | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-contacts/pgp_search                  | 1.3     | not installed | 2019-10-16 |   |   |
  | recon/domains-contacts/whois_pocs                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-credentials/pwnedlist/account_creds  | 1.0     | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/api_usage      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/domain_creds   | 1.0     | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/domain_ispwned | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/leak_lookup    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-credentials/pwnedlist/leaks_dump     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/scylla                   | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-domains/brute_suffix                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/binaryedge                     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/bing_domain_api                | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/bing_domain_web                | 1.1     | not installed | 2019-07-04 |   |   |
  | recon/domains-hosts/brute_hosts                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/builtwith                      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/certificate_transparency       | 1.1     | not installed | 2019-09-16 |   |   |
  | recon/domains-hosts/findsubdomains                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/google_site_web                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/hackertarget                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/mx_spf_ip                      | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/netcraft                       | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/shodan_hostname                | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/ssl_san                        | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatcrowd                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatminer                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-vulnerabilities/ghdb                 | 1.1     | not installed | 2019-06-26 |   |   |
  | recon/domains-vulnerabilities/xssed                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-vulnerabilities/xssposed             | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-domains/migrate_hosts                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/bing_ip                          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/ipinfodb                         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/ipstack                          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/resolve                          | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/reverse_resolve                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/ssltools                         | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/virustotal                       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-locations/migrate_hosts                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-ports/binaryedge                       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip                        | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-locations/geocode                  | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-locations/reverse_geocode          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/flickr                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/shodan                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/twitter                   | 1.1     | not installed | 2019-10-17 |   | * |
  | recon/locations-pushpins/youtube                   | 1.1     | not installed | 2019-10-15 |   | * |
  | recon/netblocks-companies/whois_orgs               | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/reverse_resolve              | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/shodan_net                   | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-hosts/virustotal                   | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-ports/census_2012                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-ports/censysio                     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/ports-hosts/migrate_ports                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/profiles-contacts/bing_linkedin_contacts     | 1.1     | not installed | 2019-10-08 |   | * |
  | recon/profiles-contacts/dev_diver                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/profiles-contacts/github_users               | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/namechk                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/profiler                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/profiles-profiles/twitter_mentioned          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/twitter_mentions           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-repositories/github_repos           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/repositories-profiles/github_commits         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/repositories-vulnerabilities/gists_search    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/repositories-vulnerabilities/github_dorks    | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/csv                                      | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/html                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/json                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/list                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/proxifier                                | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/pushpin                                  | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/xlsx                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/xml                                      | 1.1     | not installed | 2019-06-24 |   |   |
  +---------------------------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.
 

Here again the help comes in handy marketplace help shows commands for removing modules, how to find more info, search, refresh and install.

[recon-ng][default] > marketplace help
Interfaces with the module marketplace

Usage: marketplace info|install|refresh|remove|search [...] 

Help

The help command from within a loaded module has different options to the global ‘help’.
When you are ready to explore more modules use ‘back’.

This help menu brings additional commands such as:

  • goptions: Manages the global context options
  • reload: Reloads the loaded module
  • run: Runs the loaded module
  • script: Records and executes command scripts
[recon-ng][default][hackertarget] > help

Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
goptions        Manages the global context options
help            Displays this menu
info            Shows details about the loaded module
input           Shows inputs based on the source option
keys            Manages third party resource credentials
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
reload          Reloads the loaded module
run             Runs the loaded module
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file