Recon-ng v5 Tutorial

In this recon-ng v5 tutorial you will learn how to gather open source intelligence and pivot from one set of results to the next: find targets, then move on to discovering vulnerabilities.

What is recon-ng?

Recon-ng is a full-featured web reconnaissance framework written in Python, complete with independent modules, database interaction and built-in convenience functions.

Running recon-ng from the command line puts you in a shell-like environment where you can configure options, perform reconnaissance and output the results to different report types.

The interactive console provides a number of helpful features such as command completion and contextual help.

One of the major differences in Recon-ng 5 is that it ships without any modules. The parameters, commands and so on have also changed somewhat compared to previous versions.

recon-ng usage example based on Kali Linux

root@kali:~# recon-ng 

[*] Version check disabled.

    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    


                                          /\
                                         / \\ /\
    Sponsored by...               /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                  ____   ____   ____   ____ _____ _  ____   ____  ____
                 |____] | ___/ |____| |       |   | |____  |____ |
                 |      |   \_ |    | |____   |   |  ____| |____ |____
                                   www.practisec.com

                      [recon-ng v5.0.0, Tim Tomes (@lanmaster53)]                       

[*] No modules enabled/installed.

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
help            Displays this menu
index           Creates a module index (dev only)
keys            Manages third party resource credentials
marketplace     Interfaces with the module marketplace
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
workspaces      Manages workspaces

[recon-ng][default] > 

The command options list displays the current settings; with options set, the parameters (e.g. NAMESERVER, PROXY, USER-AGENT) can be changed.

[recon-ng][default] > options list

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.4.4        yes       default nameserver for the resolver mixin
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v5    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

[recon-ng][default] >

Since version 5 no modules are available by default; they are added with the marketplace command.
First, the module index should be updated with the command marketplace refresh.

[recon-ng][default] > marketplace refresh
[*] Marketplace index refreshed.
[recon-ng][default] > 

The command marketplace info all lists all modules together with their descriptions.
To search for a module, for example “hackertarget”, use the command marketplace search hackertarget.

[recon-ng][default] > marketplace search hackertarget
[*] Searching module index for 'hackertarget'...

  +---------------------------------------------------------------------------------+
  |               Path               | Version |     Status    |  Updated   | D | K |
  +---------------------------------------------------------------------------------+
  | recon/domains-hosts/hackertarget | 1.0     | not installed | 2019-06-24 |   |   |
  +---------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

[recon-ng][default] > 

To install the “hackertarget” module, use the command marketplace install recon/domains-hosts/hackertarget or the shorter form marketplace install hackertarget.

[recon-ng][default] > marketplace install recon/domains-hosts/hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] > 

To use a module, load it with modules load recon/domains-hosts/hackertarget and display its options with the info command, as seen below.

[recon-ng][default] > modules load recon/domains-hosts/hackertarget
[recon-ng][default][hackertarget] > info

      Name: HackerTarget Lookup
    Author: Michael Henriksen (@michenriksen)
   Version: 1.0

Description:
  Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE                 yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][default][hackertarget] >

To change the SOURCE option use the command options set SOURCE, for example options set SOURCE rapid7.com to enumerate the hosts of rapid7.com.
Type run to execute the module.

[recon-ng][default][hackertarget] > options set SOURCE rapid7.com
SOURCE => rapid7.com
[recon-ng][default][hackertarget] > run

----------
RAPID7.COM
----------
[*] [host] rapid7.com (13.249.47.238)
[*] [host] scanner1.labs.rapid7.com (71.6.233.2)
[*] [host] scanner2.labs.rapid7.com (71.6.233.129)
[*] [host] scanner3.labs.rapid7.com (31.24.231.211)
[*] [host] scanner4.labs.rapid7.com (31.24.231.223)
[*] [host] sonar.labs.rapid7.com (34.236.82.205)
...

Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.

Add API keys to recon-ng

Adding API keys to recon-ng is simple. Shodan with a Membership account is highly recommended,
since it lets you query the open ports of your discovered hosts without sending any packets to the target systems.

[recon-ng][default] > keys add shodan_api <insert shodan api key here>
[recon-ng][default] > marketplace search shodan
[*] Searching module index for 'shodan'...

  +------------------------------------------------------------------------------------+
  |                 Path                | Version |     Status    |  Updated   | D | K |
  +------------------------------------------------------------------------------------+
  | recon/companies-multi/shodan_org    | 1.0     | not installed | 2019-06-26 |   | * |
  | recon/domains-hosts/shodan_hostname | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/shodan     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-hosts/shodan_net    | 1.0     | not installed | 2019-06-24 |   | * |
  +------------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

[recon-ng][default] > marketplace install recon/netblocks-hosts/shodan_net
[*] Module installed: recon/netblocks-hosts/shodan_net
[*] Reloading modules...
[recon-ng][default] > modules load recon/netblocks-hosts/shodan_net
[recon-ng][default][shodan_net] > options set SOURCE 71.6.233.0/24
SOURCE => 71.6.233.0/24
[recon-ng][default][shodan_net] > run

-------------
71.6.233.0/24
-------------
[*] Searching Shodan API for: net:71.6.233.0/24
[*] [port] 71.6.233.99 (23/<blank>) - scanners.labs.rapid7.com
[*] [host] scanners.labs.rapid7.com (71.6.233.99)
[*] [port] 71.6.233.99 (80/<blank>) - scanners.labs.rapid7.com
...
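The pivot performed above by hand (hackertarget fills the hosts table, a netblock taken from those hosts is fed to shodan_net, and shodan_net fills the ports table) can be read straight out of the workspace database. The following is an added example, not code from the tutorial or from recon-ng itself; it assumes a recon-ng v5 workspace database at ~/.recon-ng/workspaces/<name>/data.db with a hosts table (host, ip_address, ...) and a ports table (ip_address, host, port, protocol, ...), and uses a constructed in-memory copy so it runs offline.

```python
import ipaddress
import sqlite3

# Assumed table layout of a recon-ng v5 workspace database (an assumption of
# this example, not stated in the tutorial); only the columns used here are kept.
HOSTS_SCHEMA = "CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)"
PORTS_SCHEMA = "CREATE TABLE ports (ip_address TEXT, host TEXT, port TEXT, protocol TEXT, module TEXT)"

# Constructed sample rows mirroring the hackertarget and shodan_net output shown above.
SAMPLE_HOSTS = [
    ("rapid7.com", "13.249.47.238", "hackertarget"),
    ("scanner1.labs.rapid7.com", "71.6.233.2", "hackertarget"),
    ("scanner2.labs.rapid7.com", "71.6.233.129", "hackertarget"),
    ("scanner3.labs.rapid7.com", "31.24.231.211", "hackertarget"),
    ("scanner4.labs.rapid7.com", "31.24.231.223", "hackertarget"),
    ("sonar.labs.rapid7.com", "34.236.82.205", "hackertarget"),
]
SAMPLE_PORTS = [
    ("71.6.233.99", "scanners.labs.rapid7.com", "23", "", "shodan_net"),
    ("71.6.233.99", "scanners.labs.rapid7.com", "80", "", "shodan_net"),
]


def sample_workspace():
    """Build an in-memory workspace holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_SCHEMA)
    conn.execute(PORTS_SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_HOSTS)
    conn.executemany("INSERT INTO ports VALUES (?, ?, ?, ?, ?)", SAMPLE_PORTS)
    return conn


def netblocks_from_hosts(conn, prefix=24):
    """Pivot: collapse the resolved host IPs into the /prefix networks they belong to."""
    nets = set()
    for (ip,) in conn.execute("SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL"):
        nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return [str(n) for n in sorted(nets)]


def shodan_net_script(netblocks):
    """Emit the console commands from the tutorial, one shodan_net run per netblock."""
    lines = ["modules load recon/netblocks-hosts/shodan_net"]
    for net in netblocks:
        lines += [f"options set SOURCE {net}", "run"]
    return "\n".join(lines) + "\n"


def exposed_ports(conn):
    """Summarize the ports Shodan reported per IP; nothing is sent to the hosts themselves."""
    summary = {}
    for ip, port in conn.execute("SELECT ip_address, port FROM ports ORDER BY ip_address, port"):
        summary.setdefault(ip, []).append(int(port))
    return summary
```

Against a real workspace, replace sample_workspace() with sqlite3.connect() on the data.db path; the lines returned by shodan_net_script() are the same commands typed above and can be replayed with the console's script command.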

In this example the IP addresses of Rapid7's Project Sonar internet-wide scanners are displayed; these could, for example, be blocked on the firewall to make passive reconnaissance harder. Of course there are other scanners, for example Shodan, University of Michigan, Shadow Server, Cybergreen, Errata, etc. A list can be found at Scan.io.

Conclusion

Recon-ng is a powerful tool that can be further explored by looking through the list of modules. The help within the console is very clear and with a bit of playing around it won’t take long to become an expert.

Once you start to become more familiar with the layout of the tool you will discover options such as workspaces that allow you to segment based on organization or network.

The rise of bug bounties allows you to play with new tools and explore organizations' internet-facing footprints. Have fun and don’t break the rules.

Source: https://github.com/lanmaster53/recon-ng
YouTube: Tim Tomes (lanmaster53) recon-ng v5 Intro