Recon-NG Tutorial
Recon-NG Tutorial
In this recon-ng tutorial, discover open source intelligence and how to easily pivot to new results. Find targets and move to discovering vulnerabilities.
What is Recon-ng?
Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line, you enter a shell like environment where you can configure options, perform recon and output results to different report types.
This article has been updated October 2019 to reflect the changes in version 5.
Recon-ng Installation
Often used with the Kali Linux penetration testing distribution, installing within Kali is a simple matter of apt-get update && apt-get install recon-ng. Update Kali to ensure latest dependencies installed.
For those seeking the latest code on Ubuntu, the process is nearly as simple. Make sure you have git and pip installed.
test@ubuntu:~/$ git clone https://github.com/lanmaster53/recon-ng.git test@ubuntu:~/$ cd recon-ng test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS
Next to run recon-ng;
test@ubuntu:~/recon-ng/$ ./recon-ngThe Recon-NG console is now loaded.
_/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com
____ ____ ____ ____ _____ _ ____ ____ ____
|____] | ___/ |____| | | | |____ |____ |
| | \_ | | |____ | | ____| |____ |____
www.practisec.com
[recon-ng v5.0.3, Tim Tomes (@lanmaster53)]
[*] No modules enabled/installed.
[recon-ng][default] >
Using recon-ng
From the console it is easy to get help and get started with your recon.
[recon-ng][default] > help Commands (type [help|?]): --------------------------------- back Exits the current context dashboard Displays a summary of activity db Interfaces with the workspace's database exit Exits the framework help Displays this menu index Creates a module index (dev only) keys Manages third party resource credentials marketplace Interfaces with the module marketplace modules Interfaces with installed modules options Manages the current context options pdb Starts a Python Debugger session (dev only) script Records and executes command scripts shell Executes shell commands show Shows various framework items snapshots Manages workspace snapshots spool Spools output to a file workspaces Manages workspaces
On your first load of recon-ng note the message below. You begin with an empty framework.
[*] No modules enabled/installed.
As shown in the help menu the Marketplace: Interfaces with the module marketplace to pick and choose modules you want.
How to:
Firstly lets use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and hostname search.
Install module
Syntax to install is marketplace install hackertarget as seen below.
[recon-ng][default] > marketplace install hackertarget [*] Module installed: recon/domains-hosts/hackertarget [*] Reloading modules... [recon-ng][default] >
Load module
[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] >
Set source
Now set the source. Currently set at default (see below)
[recon-ng][default][hackertarget] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
Syntax options set SOURCE tesla.com
[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com
I am using tesla.com as an example domain because they have a published bug bounty program and Tesla's are cool.
Use command - info - which shows "Current Value" has changed to tesla.com
[recon-ng][default][hackertarget] > info
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE tesla.com yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
string string representing a single input
path path to a file containing a list of inputs
query sql database query returning one column of inputs
If we use input we can see
econ-ng][default][hackertarget] > input
+---------------+
| Module Inputs |
+---------------+
| tesla.com |
+---------------+
Run the module
Type run to execute the module.
---------------
[recon-ng][default][hackertarget] > run
---------
TESLA.COM
---------
[*] [host] tesla.com (209.133.79.61)
[*] [host] sjc04d1rsaap02.tesla.com (205.234.27.206)
[*] [host] model3.tesla.com (205.234.27.221)
[*] [host] marketing.tesla.com (13.111.47.196)
[*] [host] email.tesla.com (136.147.129.27)
[*] [host] mta2.email.tesla.com (13.111.4.231)
[*] [host] mta.email.tesla.com (13.111.14.190)
[*] [host] xmail.tesla.com (204.74.99.100)
[*] [host] comparison.tesla.com (64.125.183.133)
[*] [host] na-sso.tesla.com (209.133.79.81)
[*] [host] edr.tesla.com (209.133.79.33)
[*] [host] mta2.emails.tesla.com (13.111.88.1)
[*] [host] mta3.emails.tesla.com (13.111.88.2)
[*] [host] mta4.emails.tesla.com (13.111.88.52)
[*] [host] mta5.emails.tesla.com (13.111.88.53)
[*] [host] mta.emails.tesla.com (13.111.62.118)
[*] [host] click.emails.tesla.com (13.111.48.179)
[*] [host] view.emails.tesla.com (13.111.49.179)
[*] [host] events.tesla.com (13.111.47.195)
[*] [host] shop.eu.tesla.com (205.234.27.221)
[*] [host] sso-dev.tesla.com (209.133.79.66)
-------
SUMMARY
-------
[*] 21 total (0 new) hosts found.
Show hosts
Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.
[recon-ng][default][hackertarget] > show hosts
+------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+------------------------------------------------------------------------------------------------------------+
| 1 | tesla.com | 209.133.79.61 | | | | | hackertarget |
| 2 | sjc04d1rsaap02.tesla.com | 205.234.27.206 | | | | | hackertarget |
| 3 | model3.tesla.com | 205.234.27.221 | | | | | hackertarget |
| 4 | marketing.tesla.com | 13.111.47.196 | | | | | hackertarget |
| 5 | email.tesla.com | 136.147.129.27 | | | | | hackertarget |
| 6 | mta2.email.tesla.com | 13.111.4.231 | | | | | hackertarget |
| 7 | mta.email.tesla.com | 13.111.14.190 | | | | | hackertarget |
| 8 | xmail.tesla.com | 204.74.99.100 | | | | | hackertarget |
| 9 | comparison.tesla.com | 64.125.183.133 | | | | | hackertarget |
| 10 | na-sso.tesla.com | 209.133.79.81 | | | | | hackertarget |
| 11 | edr.tesla.com | 209.133.79.33 | | | | | hackertarget |
| 12 | mta2.emails.tesla.com | 13.111.88.1 | | | | | hackertarget |
| 13 | mta3.emails.tesla.com | 13.111.88.2 | | | | | hackertarget |
| 14 | mta4.emails.tesla.com | 13.111.88.52 | | | | | hackertarget |
| 15 | mta5.emails.tesla.com | 13.111.88.53 | | | | | hackertarget |
| 16 | mta.emails.tesla.com | 13.111.62.118 | | | | | hackertarget |
| 17 | click.emails.tesla.com | 13.111.48.179 | | | | | hackertarget |
| 18 | view.emails.tesla.com | 13.111.49.179 | | | | | hackertarget |
| 19 | events.tesla.com | 13.111.47.195 | | | | | hackertarget |
| 20 | shop.eu.tesla.com | 205.234.27.221 | | | | | hackertarget |
| 21 | sso-dev.tesla.com | 209.133.79.66 | | | | | hackertarget |
+------------------------------------------------------------------------------------------------------------+
[*] 21 rows returned
[recon-ng][default][hackertarget] >
Add API keys to Recon-ng
It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option. Allowing you to query open ports on your discovered hosts without sending any packets to the target systems.
keys add shodan_api < insert shodan api key here >
.recon-ng configuration files
When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. Contained in this folder is keys.db. If you are upgrading from one version to another or changed computers, and have previous modules that require keys to work, copy this file from the old version on your system and move it on the new one. You do not have to start all over again.
test@test-desktop:~/.recon-ng$ ls keys.db modules modules.yml workspaces test@test-desktop:~/.recon-ng$
Recon-ng Marketplace and Modules
Typing marketplace search will display a list of all the modules. From which you can start following the white rabbit exploring and getting deeper into recon and open source intelligence.
[recon-ng][default] > marketplace search
+---------------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+---------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.0 | not installed | 2019-06-24 | | |
| discovery/info_disclosure/interesting_files | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/command_injector | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/xpath_bruter | 1.2 | not installed | 2019-10-08 | | |
| import/csv_file | 1.1 | not installed | 2019-08-09 | | |
| import/list | 1.0 | not installed | 2019-06-24 | | |
| import/nmap | 1.0 | not installed | 2019-06-24 | | |
| recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/viewdns_reverse_whois | 1.0 | not installed | 2019-08-08 | | |
| recon/companies-multi/github_miner | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-multi/shodan_org | 1.0 | not installed | 2019-06-26 | | * |
| recon/companies-multi/whois_miner | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-contacts/abc | 1.0 | not installed | 2019-10-11 | * | |
| recon/contacts-contacts/mailtester | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/mangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/unmangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/hibp_paste | 1.1 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/scylla | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-domains/migrate_contacts | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-profiles/fullcontact | 1.1 | not installed | 2019-07-24 | | * |
| recon/credentials-credentials/adobe | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/bozocrack | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/hashes_org | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * | |
| recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/pgp_search | 1.3 | not installed | 2019-10-16 | | |
| recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-credentials/pwnedlist/account_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/api_usage | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/domain_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/domain_ispwned | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/leak_lookup | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-credentials/pwnedlist/leaks_dump | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/scylla | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-domains/brute_suffix | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 | | |
| recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/builtwith | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/certificate_transparency | 1.1 | not installed | 2019-09-16 | | |
| recon/domains-hosts/findsubdomains | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/netcraft | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/shodan_hostname | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/xssposed | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-domains/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/bing_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/ipinfodb | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/ipstack | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-locations/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-ports/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-ports/shodan_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/reverse_geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/flickr | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/shodan | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/twitter | 1.1 | not installed | 2019-10-17 | | * |
| recon/locations-pushpins/youtube | 1.1 | not installed | 2019-10-15 | | * |
| recon/netblocks-companies/whois_orgs | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/shodan_net | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-ports/census_2012 | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-ports/censysio | 1.0 | not installed | 2019-06-24 | | * |
| recon/ports-hosts/migrate_ports | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-contacts/bing_linkedin_contacts | 1.1 | not installed | 2019-10-08 | | * |
| recon/profiles-contacts/dev_diver | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-contacts/github_users | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/namechk | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/profiler | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-profiles/twitter_mentioned | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/twitter_mentions | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-repositories/github_repos | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-profiles/github_commits | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * |
| reporting/csv | 1.0 | not installed | 2019-06-24 | | |
| reporting/html | 1.0 | not installed | 2019-06-24 | | |
| reporting/json | 1.0 | not installed | 2019-06-24 | | |
| reporting/list | 1.0 | not installed | 2019-06-24 | | |
| reporting/proxifier | 1.0 | not installed | 2019-06-24 | | |
| reporting/pushpin | 1.0 | not installed | 2019-06-24 | | * |
| reporting/xlsx | 1.0 | not installed | 2019-06-24 | | |
| reporting/xml | 1.1 | not installed | 2019-06-24 | | |
+---------------------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
Here again the help comes in handy marketplace help shows commands for removing modules, how to find more info, search, refresh and install.
[recon-ng][default] > marketplace help Interfaces with the module marketplace Usage: marketplace info|install|refresh|remove|search [...]
Help
The help command from within a loaded module has different options to the global 'help'.
When you are ready to explore more modules use 'back'.
This help menu brings additional commands such as:
- goptions: Manages the global context options
- reload: Reloads the loaded module
- run: Runs the loaded module
- script: Records and executes command scripts
[recon-ng][default][hackertarget] > helpCommands (type [help|?]): --------------------------------- back Exits the current context dashboard Displays a summary of activity db Interfaces with the workspace's database exit Exits the framework goptions Manages the global context options help Displays this menu info Shows details about the loaded module input Shows inputs based on the source option keys Manages third party resource credentials modules Interfaces with installed modules options Manages the current context options pdb Starts a Python Debugger session (dev only) reload Reloads the loaded module run Runs the loaded module script Records and executes command scripts shell Executes shell commands show Shows various framework items spool Spools output to a file [recon-ng][default][hackertarget] >
Conclusion
Recon-ng is a powerful tool that can be further explored by viewing through the list of modules. The help within the console is clear, and with a bit of playing around it won't take long to become an expert.
Once you start to become more familiar with the layout of the tool, you will discover options such as workspaces that allow you to segment based on organization or network.
The rise of bug bounties allows you to play with new tools and explore Organizations' Internet facing footprint. Have fun. Don't break the rules.
For a great overview on version 5 check out the you tube video by Tim Tomes.
Comentários
Postar um comentário