Recon-ng

To get started, let’s simply run recon-ng:

kali@kali:~$ recon-ng
[*] Version check disabled.

                                          /\
                                         / \\ /\
    Sponsored by...               /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                  ____   ____   ____   ____ _____ _  ____   ____  ____
                 |____] | ___/ |____| |       |   | |____  |____ |
                 |      |   \_ |    | |____   |   |  ____| |____ |____
                                   www.practisec.com

                      [recon-ng v5.0.0, Tim Tomes (@lanmaster53)]                       

[*] No modules enabled/installed.

[recon-ng][default] > 

According to the output, recon-ng ships with no modules enabled, so we need to install the ones we want before we can use it.

We can add modules from the recon-ng "Marketplace". We'll search the marketplace from the main prompt with marketplace search, providing a search string as an argument.

Search for modules that contain the term github:

[recon-ng][default] > marketplace search github
[*] Searching module index for 'github'...

  +-----------------------------------------------------------------------------------+
  |                      Path                       | Version |     Status    | D | K |
  +-----------------------------------------------------------------------------------+
  | recon/companies-multi/github_miner              | 1.0     | not installed |   | * |
  | recon/profiles-contacts/github_users            | 1.0     | not installed |   | * |
  | recon/profiles-profiles/profiler                | 1.0     | not installed |   |   |
  | recon/profiles-repositories/github_repos        | 1.0     | not installed |   | * |
  | recon/repositories-profiles/github_commits      | 1.0     | not installed |   | * |
  | recon/repositories-vulnerabilities/github_dorks | 1.0     | not installed |   | * |
  +-----------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

Notice that some of the modules are marked with an asterisk in the "K" column. These modules require credentials or API keys for third-party providers. The recon-ng wiki maintains a short list of the keys used by its modules. Some of these keys are available to free accounts, while others require a subscription. Once you have a key, it is stored in the framework with keys add followed by the key name and value, and keys list shows what is currently configured; a module whose required key is missing will refuse to run and tell you which key it needs.

We can learn more about a module by using marketplace info followed by the module name. Since the GitHub modules require API keys, let’s use this command to examine the recon/domains-hosts/google_site_web module:

[recon-ng][default] > marketplace info recon/domains-hosts/google_site_web

  +------------------------------------------------------------------------------+
  | path          | recon/domains-hosts/google_site_web                          |
  | name          | Google Hostname Enumerator                                   |
  | author        | Tim Tomes (@lanmaster53)                                     |
  | version       | 1.0                                                          |
  | last_updated  | 2019-06-24                                                   |
  | description   | Harvests hosts from Google.com by using the 'site' operator. |
  | required_keys | []                                                           |
  | dependencies  | []                                                           |
  | files         | []                                                           |
  | status        | not installed                                                |
  +------------------------------------------------------------------------------+

According to its description, this module searches Google with the "site" operator, and required_keys is empty, so it needs no API key. Let's install the module with marketplace install:

[recon-ng][default] > marketplace install recon/domains-hosts/google_site_web
[*] Module installed: recon/domains-hosts/google_site_web
[*] Reloading modules...
[recon-ng][default] > 

After installing the module, we can load it with modules load followed by its name. Then, we'll use info to display details about the module and its required parameters:

[recon-ng][default] > modules load recon/domains-hosts/google_site_web

[recon-ng][default][google_site_web] > info

      Name: Google Hostname Enumerator
    Author: Tim Tomes (@lanmaster53)
   Version: 1.0

Description:
  Harvests hosts from Google.com by using the 'site' search operator. Updates the 
  'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][default][google_site_web] > 

Notice that the output contains additional information about the module now that we've installed and loaded it: the Options and Source Options sections are only available once a module is loaded. According to the output, the module has a single required option, SOURCE, which is the target we want to gather information about.

In this case, we will use options set SOURCE megacorpone.com to set our target domain:

[recon-ng][default][google_site_web] > options set SOURCE megacorpone.com
SOURCE => megacorpone.com

Finally, we run the module:

[recon-ng][default][google_site_web] > run

---------------
MEGACORPONE.COM
---------------
[*] Searching Google for: site:megacorpone.com
[*] [host] www.megacorpone.com (<blank>)
[*] [host] vpn.megacorpone.com (<blank>)
[*] [host] www2.megacorpone.com (<blank>)
[*] [host] siem.megacorpone.com (<blank>)
[*] Searching Google for: site:megacorpone.com -site:www.megacorpone.com -site:vpn.megacorpone.com -site:www2.megacorpone.com -site:siem.megacorpone.com

-------
SUMMARY
-------
[*] 4 total (4 new) hosts found.

The results mirror what we found from the Netcraft DNS search, but the effort is not wasted: recon-ng stores its results in a local database, and these hosts will feed into other recon-ng modules. Note how the module works, too: after each search it excludes every host it has already found with a chain of -site: operators and searches again, stopping when a query returns nothing new.

We can use the show hosts command to view stored data:

[recon-ng][default][google_site_web] > back

[recon-ng][default] > show
Shows various framework items

Usage: show <companies|contacts|credentials|domains|hosts|leaks|locations|netblocks|ports|profiles|pushpins|repositories|vulnerabilities>

[recon-ng][default] > show hosts

+--------------------------------------------------------------------------------+
| rowid |         host         | ip_address | region | country |      module     |
+--------------------------------------------------------------------------------+
| 1     | www.megacorpone.com  |            |        |         | google_site_web |
| 2     | vpn.megacorpone.com  |            |        |         | google_site_web |
| 3     | www2.megacorpone.com |            |        |         | google_site_web |
| 4     | siem.megacorpone.com |            |        |         | google_site_web |
+--------------------------------------------------------------------------------+

[*] 4 rows returned
[recon-ng][default] > 

We have four hosts in our database but no additional information on them. Perhaps another module can fill in the IP addresses.

Let’s examine recon/hosts-hosts/resolve with marketplace info:

[recon-ng][default] > marketplace info recon/hosts-hosts/resolve

+-------------------------------------------------------------------------------+
| path          | recon/hosts-hosts/resolve                                     |
| name          | Hostname Resolver                                             |
| author        | Tim Tomes (@lanmaster53)                                      |
| version       | 1.0                                                           |
| last_updated  | 2019-06-24                                                    |
| description   | Resolves the IP address for a host. Updates the 'hosts' table |
| required_keys | []                                                            |
| dependencies  | []                                                            |
| files         | []                                                            |
| status        | not installed                                                 |
+-------------------------------------------------------------------------------+

[recon-ng][default] > 

The module description suits our needs so we will install it with marketplace install:

[recon-ng][default] > marketplace install recon/hosts-hosts/resolve
[*] Module installed: recon/hosts-hosts/resolve
[*] Reloading modules...

An “Invalid command” error may indicate that we are at the wrong command level. If this happens, run back to return to the main recon-ng prompt and try the command again.

Once the module is installed, we can use it with modules load, and run info to display information about the module and its options:

[recon-ng][default] > modules load recon/hosts-hosts/resolve

[recon-ng][default][resolve] > info

      Name: Hostname Resolver
    Author: Tim Tomes (@lanmaster53)
   Version: 1.0

Description:
  Resolves the IP address for a host. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

Comments:
  * Note: Nameserver must be in IP form.

As is clear from the above output, this module resolves the IP address for a host.

We need to provide the hostnames we want to resolve as our source. We have four options we can set for the source: default, string, path, and query. Each option has a description alongside it as shown in Listing 14. For example, in the "google_site_web" recon-ng module, we used a string value.

However, we want to leverage the database this time. If we use the "default" value, recon-ng will run the query shown under Source Options: it looks up every record in its database that has a host name but no IP address.

As shown in Listing 11, we have four hosts without IP addresses. If we select a "default" source, the module will run against all four hosts in our database automatically. Because the default source only selects rows whose ip_address is still empty, running the module a second time is harmless, and any hosts added later by other modules will be picked up on the next run.

Let's try this out by leaving our source set to "default" and running the module:

[recon-ng][default][resolve] > run
[*] www.megacorpone.com => 38.100.193.76
[*] vpn.megacorpone.com => 38.100.193.77
[*] www2.megacorpone.com => 38.100.193.79
[*] siem.megacorpone.com => 38.100.193.89

Nice. We now have IP addresses for the four hosts.

If we show hosts again, we can verify the database has been updated with the results of both modules:

[recon-ng][default][resolve] > show hosts

+-----------------------------------------------------------------------------------+
| rowid |         host         |   ip_address  | region | country |      module     |
+-----------------------------------------------------------------------------------+
| 1     | www.megacorpone.com  | 38.100.193.76 |        |         | google_site_web |
| 2     | vpn.megacorpone.com  | 38.100.193.77 |        |         | google_site_web |
| 3     | www2.megacorpone.com | 38.100.193.79 |        |         | google_site_web |
| 4     | siem.megacorpone.com | 38.100.193.89 |        |         | google_site_web |
+-----------------------------------------------------------------------------------+

[*] 4 rows returned
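The two module runs above (harvesting hosts with google_site_web, then resolving the rows that still lack an IP with resolve) are easiest to understand as data flowing through the hosts table. The following is an added example, not code from the original page or from recon-ng itself: it rebuilds both steps over an in-memory SQLite table whose columns are modelled on the show hosts output, and the resolver uses the exact default-source query that the resolve module's info output advertises. Google and DNS are replaced by constructed lookup tables (FAKE_SEARCH_RESULTS and FAKE_DNS, seeded with the values seen above) so that it runs offline. The table schema, the function names, and updating the row in place are simplifications and assumptions of this example; recon-ng's real modules and schema differ in detail.

```python
import sqlite3
from typing import Callable, Iterable, Optional

# Assumed, simplified 'hosts' table: the columns shown by 'show hosts' above.
# The real recon-ng schema has more columns (latitude, longitude, notes, ...).
SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT, module TEXT
);
"""

# Constructed sample standing in for Google: maps a 'site:' query to the hosts
# it would return. Only the first query returns anything; the follow-up query
# with -site: exclusions returns nothing, exactly as in the run above.
FAKE_SEARCH_RESULTS = {
    "site:megacorpone.com": [
        "www.megacorpone.com", "vpn.megacorpone.com",
        "www2.megacorpone.com", "siem.megacorpone.com",
    ],
}

# Constructed sample standing in for DNS (values from the resolve output above).
FAKE_DNS = {
    "www.megacorpone.com": "38.100.193.76",
    "vpn.megacorpone.com": "38.100.193.77",
    "www2.megacorpone.com": "38.100.193.79",
    "siem.megacorpone.com": "38.100.193.89",
}

# The default SOURCE query printed by 'info' for recon/hosts-hosts/resolve.
DEFAULT_RESOLVE_SOURCE = (
    "SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL"
)


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_host(conn: sqlite3.Connection, host: str, module: str,
             ip_address: Optional[str] = None) -> bool:
    """Insert a host row unless that host is already known. Returns True when
    the row was new, which is what feeds the '(4 new)' count in the summary."""
    if conn.execute("SELECT 1 FROM hosts WHERE host = ?", (host,)).fetchone():
        return False
    conn.execute("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
                 (host, ip_address, module))
    conn.commit()
    return True


def google_site_web(conn: sqlite3.Connection, domain: str,
                    search: Callable[[str], Iterable[str]]) -> int:
    """Mimic the harvesting loop seen in the run above: query 'site:<domain>',
    exclude every host found so far with '-site:', query again, and stop when a
    query yields nothing new. Returns the number of new hosts stored."""
    found: list = []
    new = 0
    while True:
        query = " ".join([f"site:{domain}"] + [f"-site:{h}" for h in found])
        hits = [h for h in search(query) if h not in found]
        if not hits:
            break
        for h in hits:
            found.append(h)
            if add_host(conn, h, "google_site_web"):
                new += 1
    return new


def resolve(conn: sqlite3.Connection, lookup: Callable[[str], Optional[str]],
            source_sql: str = DEFAULT_RESOLVE_SOURCE) -> dict:
    """Mimic recon/hosts-hosts/resolve with SOURCE left on 'default': only rows
    without an IP are selected, so re-running is idempotent and hosts added
    later by other modules are picked up automatically. Hosts that fail to
    resolve keep a NULL ip_address and are retried on the next run."""
    results = {}
    for (host,) in conn.execute(source_sql).fetchall():
        ip = lookup(host)
        if ip is None:
            continue
        # Simplification: update the row in place rather than inserting a new one.
        conn.execute("UPDATE hosts SET ip_address = ? WHERE host = ? AND ip_address IS NULL",
                     (ip, host))
        results[host] = ip
    conn.commit()
    return results


def show_hosts(conn: sqlite3.Connection) -> list:
    """Equivalent of 'show hosts', reduced to the three populated columns."""
    return conn.execute(
        "SELECT host, ip_address, module FROM hosts ORDER BY rowid").fetchall()


def demo():
    conn = open_db()
    new = google_site_web(conn, "megacorpone.com",
                          lambda q: FAKE_SEARCH_RESULTS.get(q, []))
    resolved = resolve(conn, FAKE_DNS.get)
    return new, resolved, show_hosts(conn)


if __name__ == "__main__":
    n, r, rows = demo()
    print(f"[*] {n} total ({n} new) hosts found.")
    for host, ip in r.items():
        print(f"[*] {host} => {ip}")
    for row in rows:
        print(row)
```

Running the script reproduces the two summaries above: four new hosts, then four resolutions. Calling resolve a second time returns an empty dict because the default source only selects rows with a NULL ip_address; that is the property that makes leaving SOURCE on default safe to repeat as the database grows.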