In this recon-ng v5 tutorial you will learn how to gather open source intelligence and pivot easily from one result to the next: find targets, then move on to discovering vulnerabilities.
What is recon-ng?
Recon-ng is a full-featured web reconnaissance framework written in Python. It comes with independent modules, database interaction and built-in convenience functions.
Running recon-ng from the command line drops you into a shell-like environment where you can configure options, perform recon and output results to different report types.
The interactive console provides a number of helpful features such as command completion and contextual help.
Recon-ng 5 ships without any modules, which is one of the major differences from previous versions. The parameters, commands and so on have also changed somewhat compared to earlier versions.
recon-ng usage example based on Kali Linux
root@kali:~# recon-ng
[*] Version check disabled.
[recon-ng v5.0.0, Tim Tomes (@lanmaster53)]
[*] No modules enabled/installed.
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
  back         Exits the current context
  dashboard    Displays a summary of activity
  db           Interfaces with the workspace's database
  exit         Exits the framework
  help         Displays this menu
  index        Creates a module index (dev only)
  keys         Manages third party resource credentials
  marketplace  Interfaces with the module marketplace
  modules      Interfaces with installed modules
  options      Manages the current context options
  pdb          Starts a Python Debugger session (dev only)
  script       Records and executes command scripts
  shell        Executes shell commands
  show         Shows various framework items
  snapshots    Manages workspace snapshots
  spool        Spools output to a file
  workspaces   Manages workspaces
[recon-ng][default] >
The command options list displays the current settings; with options set, parameters such as NAMESERVER, PROXY or USER-AGENT can be changed.
[recon-ng][default] > options list
  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.4.4        yes       default nameserver for the resolver mixin
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v5    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)
[recon-ng][default] >
Since version 5 no modules are available by default; they are added with the marketplace command.
First, however, the module index should be updated with the command marketplace refresh.
[recon-ng][default] > marketplace refresh
[*] Marketplace index refreshed.
[recon-ng][default] >
With the command marketplace info all, all modules including their description can be displayed.
You can search, for example, for “hackertarget” with the command marketplace search hackertarget.
[recon-ng][default] > marketplace search hackertarget
[*] Searching module index for 'hackertarget'...
  +---------------------------------------------------------------------------------+
  | Path                             | Version | Status        | Updated    | D | K |
  +---------------------------------------------------------------------------------+
  | recon/domains-hosts/hackertarget | 1.0     | not installed | 2019-06-24 |   |   |
  +---------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
[recon-ng][default] >
To install the “hackertarget” module, either marketplace install recon/domains-hosts/hackertarget or the shorter marketplace install hackertarget can be used.
[recon-ng][default] > marketplace install recon/domains-hosts/hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] >
To use a module, load it with modules load recon/domains-hosts/hackertarget and then type info to display its options, as seen below.
[recon-ng][default] > modules load recon/domains-hosts/hackertarget
[recon-ng][default][hackertarget] > info
      Name: HackerTarget Lookup
    Author: Michael Henriksen (@michenriksen)
   Version: 1.0

Description:
  Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE                 yes       source of input (see 'show info' for details)

Source Options:
  default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>     string representing a single input
  <path>       path to a file containing a list of inputs
  query <sql>  database query returning one column of inputs
[recon-ng][default][hackertarget] >
To change the SOURCE option use the command options set SOURCE, for example options set SOURCE rapid7.com to look up the hosts of rapid7.com.
Type run to execute the module.
[recon-ng][default][hackertarget] > options set SOURCE rapid7.com
SOURCE => rapid7.com
[recon-ng][default][hackertarget] > run
----------
RAPID7.COM
----------
[*] [host] rapid7.com (13.249.47.238)
[*] [host] scanner1.labs.rapid7.com (71.6.233.2)
[*] [host] scanner2.labs.rapid7.com (71.6.233.129)
[*] [host] scanner3.labs.rapid7.com (31.24.231.211)
[*] [host] scanner4.labs.rapid7.com (31.24.231.223)
[*] [host] sonar.labs.rapid7.com (34.236.82.205)
...
Now we have begun to populate the hosts table. Typing show hosts gives you a summary of the resources discovered so far.
Add API keys to recon-ng
Adding API keys to recon-ng is a simple matter. Shodan with a Membership account is a highly recommended option, as it allows you to query open ports on your discovered hosts without sending any packets to the target systems.
[recon-ng][default] > keys add shodan_api <insert shodan api key here>
[recon-ng][default] > marketplace search shodan
[*] Searching module index for 'shodan'...
  +------------------------------------------------------------------------------------+
  | Path                                | Version | Status        | Updated    | D | K |
  +------------------------------------------------------------------------------------+
  | recon/companies-multi/shodan_org    | 1.0     | not installed | 2019-06-26 |   | * |
  | recon/domains-hosts/shodan_hostname | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/shodan     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-hosts/shodan_net    | 1.0     | not installed | 2019-06-24 |   | * |
  +------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
[recon-ng][default] > marketplace install recon/netblocks-hosts/shodan_net
[*] Module installed: recon/netblocks-hosts/shodan_net
[*] Reloading modules...
[recon-ng][default] > modules load recon/netblocks-hosts/shodan_net
[recon-ng][default][shodan_net] > options set SOURCE 71.6.233.0/24
SOURCE => 71.6.233.0/24
[recon-ng][default][shodan_net] > run
-------------
71.6.233.0/24
-------------
[*] Searching Shodan API for: net:71.6.233.0/24
[*] [port] 71.6.233.99 (23/<blank>) - scanners.labs.rapid7.com
[*] [host] scanners.labs.rapid7.com (71.6.233.99)
[*] [port] 71.6.233.99 (80/<blank>) - scanners.labs.rapid7.com
...
In this example the IP addresses of Rapid7's Project Sonar internet-wide scanners are displayed; a defender could, for example, block them on the firewall to make this kind of passive reconnaissance against their own systems harder. Of course there are other scanners, for example Shodan, Censys, University of Michigan, Shadow Server, Cybergreen, Errata, etc. A list can be found at the following URL: Scan.io.
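The pivot above, from the host names hackertarget returned to the 71.6.233.0/24 netblock fed into shodan_net, was done by hand. The following added example (not code from the recon-ng project or from the original post) derives candidate /24 netblocks from the workspace's hosts table and emits the console commands for that pivot; it assumes the workspace database is SQLite with a hosts table that has at least the columns host and ip_address, and it uses constructed sample rows instead of a real data.db.

```python
import ipaddress
import sqlite3
from collections import Counter

# Constructed sample rows, taken from the hackertarget run shown above; the
# last row stands for a host whose address never resolved.
SAMPLE_HOSTS = [
    ("rapid7.com", "13.249.47.238"),
    ("scanner1.labs.rapid7.com", "71.6.233.2"),
    ("scanner2.labs.rapid7.com", "71.6.233.129"),
    ("scanner3.labs.rapid7.com", "31.24.231.211"),
    ("scanner4.labs.rapid7.com", "31.24.231.223"),
    ("sonar.labs.rapid7.com", "34.236.82.205"),
    ("unresolved.example", None),
]

def sample_workspace():
    """In-memory stand-in for a workspace data.db (assumed: SQLite, a 'hosts'
    table with at least the columns host and ip_address)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?)", SAMPLE_HOSTS)
    return conn

def netblocks(conn, prefix=24):
    """Map every IPv4 /prefix that contains a discovered host to its host count."""
    counts = Counter()
    sql = "SELECT ip_address FROM hosts WHERE ip_address IS NOT NULL"
    for (ip,) in conn.execute(sql):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed values a module may have stored
        if addr.version == 4:
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            counts[str(net)] += 1
    return dict(counts)

def shodan_net_script(conn, min_hosts=2):
    """Console commands that run shodan_net over each netblock holding at
    least min_hosts discovered hosts; single-host ranges are left alone."""
    lines = ["modules load recon/netblocks-hosts/shodan_net"]
    for net, count in sorted(netblocks(conn).items()):
        if count >= min_hosts:
            lines += [f"options set SOURCE {net}", "run"]
    return lines

if __name__ == "__main__":
    print("\n".join(shodan_net_script(sample_workspace())))
```

Against a real workspace, open ~/.recon-ng/workspaces/<name>/data.db (the location recon-ng is assumed to use) instead of sample_workspace(), and feed the printed lines to the console's script command.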
Conclusion
Recon-ng is a powerful tool that can be explored further by looking through the list of modules. The help within the console is very clear, and with a bit of playing around it won't take long to become proficient.
Once you become more familiar with the layout of the tool you will discover options such as workspaces, which allow you to segment your data by organization or network.
The rise of bug bounties allows you to play with new tools and explore organizations' internet-facing footprint. Have fun and don't break the rules.
Source: https://github.com/lanmaster53/recon-ng
YouTube: Tim Tomes (lanmaster53) recon-ng v5 Intro
Disclaimer
Use this only for research purposes and ethical hacking, do not break any laws by exploiting weaknesses of companies!