Recon-ng is an invaluable tool for performing information gathering. It is modeled on the Metasploit framework, so the interface and functionality are pretty similar.
Recon-ng core commands
With the help menu, you can get an overview of what commands are available:
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits the current context
delete Deletes records from the database
exit Exits the framework
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces
You can already see the similarity with Metasploit. Let’s focus on what’s exclusive to Recon-ng: the powerful recon capabilities. You can leverage different search engines and social media for information gathering. To get the most out of this functionality, you will need API keys. Below you can see the available APIs:
In addition to the well-known APIs of the main search engines and social media, there are the following:
the BuiltWith Domain API, which provides XML and JSON access to the technology information of a website
FullContact lets you easily query by email, phone number, or Twitter username. Results include publicly available social profiles, photos, basic demographics, job titles, company stats, and over 100 other public data points.
IPInfoDB, which provides free access to IP geolocation tools
Jigsaw is an online directory of free, downloadable Company information and more than 11 million business Contacts. Every Jigsaw business Contact is complete with hard-to-find direct dials and email addresses, while each Company record gives the low down on Company size, location, and industry.
PwnedList is designed for consumers to check if their email address has been found on commonly circulating lists of stolen accounts and passwords (this has been shut down at the time of this writing)
If you were to add a new API key, you could do it like this:
[recon-ng][default] > keys add bing_api 007007
[*] Key 'bing_api' added.
[recon-ng][default] > keys list
+----------------------------+
| Name | Value |
+----------------------------+
| bing_api | 007007 |
To delete an API key, you can use the keys delete command.
To see what items are available in the framework, use the show command:
[recon-ng][default] > show
Shows various framework items
Usage: show [banner|companies|contacts|credentials|dashboard|domains|hosts|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|schema|vulnerabilities]
This should give you an idea of the kinds of data you can look for. Again, this should feel similar to Metasploit. In fact, like in the msfconsole, the modules are what you will use to perform different tasks. Let’s take a look at all the currently available modules. Oh, and did I mention there is tab completion as well? :D
You can select a module via the load or use commands. Once in a module’s context, you can see information about it with the show info command. Similarly, you can see the required options for a module with the show options command, and change them with set. Let’s look at each module and see some usage examples.
Discovery
DNS Cache Snooper – Uses the DNS cache snooping technique to check for visited domains
Interesting File Finder – Checks hosts for interesting files in predictable locations
[recon-ng][default][interesting_files] > show info
Name: Interesting File Finder
Path: modules/discovery/info_disclosure/interesting_files.py
Author: Tim Tomes (@LaNMaSteR53), thrapt (thrapt@gmail.com), Jay Turla (@shipcod3), and Mark Jeffery
Description:
Checks hosts for interesting files in predictable locations.
Options:
Name Current Value Required Description
-------- ------------- -------- -----------
DOWNLOAD True yes download discovered files
PORT 80 yes request port
PROTOCOL http yes request protocol
SOURCE default yes source of input (see 'show info' for details)
Source Options:
default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
Comments:
* Files: robots.txt, sitemap.xml, sitemap.xml.gz, crossdomain.xml, phpinfo.php, test.php, elmah.axd,
server-status, jmx-console/, admin-console/, web-console/
* Google Dorks:
- inurl:robots.txt ext:txt
- inurl:elmah.axd ext:axd intitle:"Error log for"
- inurl:server-status "Apache Status"
I found this a bit confusing at first, but the SOURCE is the equivalent of the target you do recon on. I ran this on my own blog for a demo. When setting a target, keep in mind not to include the http or https (the protocol setting handles that), and also to exclude the trailing slash (I got errors until I did that).
You can see recon-ng found 2 interesting files and downloaded them to my machine.
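The SOURCE option and the target-format caveat above, as an added Python example (not Recon-ng's own code): it resolves the four SOURCE forms against an in-memory copy of the ‘hosts’ table, normalizes a target the way the author found necessary, and lists the URLs the module would check. The hosts rows are constructed, and omitting the default port in the URLs is this example's choice.

```python
import os
import sqlite3
from urllib.parse import urlsplit

# Constructed rows for a minimal copy of Recon-ng's 'hosts' table (not taken
# from a real workspace). The workspace itself is SQLite, and the module's
# "default" SOURCE is literally the query shown under 'Source Options'.
SAMPLE_HOSTS = [
    ("www.example.com", "93.184.216.34"),
    ("blog.example.com", None),
    ("www.example.com", "93.184.216.34"),  # duplicate: DISTINCT drops it
    (None, "203.0.113.9"),                 # NULL host: WHERE clause drops it
]
DEFAULT_QUERY = ("SELECT DISTINCT host FROM hosts "
                 "WHERE host IS NOT NULL ORDER BY host")

# The file list from the module's Comments section.
INTERESTING_FILES = [
    "robots.txt", "sitemap.xml", "sitemap.xml.gz", "crossdomain.xml",
    "phpinfo.php", "test.php", "elmah.axd", "server-status",
    "jmx-console/", "admin-console/", "web-console/",
]


def build_workspace():
    """In-memory stand-in for a workspace database with a 'hosts' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT)")
    db.executemany("INSERT INTO hosts VALUES (?, ?)", SAMPLE_HOSTS)
    return db


def resolve_source(db, source):
    """Expand SOURCE the way the module's help describes it:
    'default' -> the built-in query, 'query <sql>' -> a one-column query,
    an existing path -> one input per line, anything else -> a single string.
    """
    if source == "default":
        return [row[0] for row in db.execute(DEFAULT_QUERY)]
    if source.startswith("query "):
        rows = db.execute(source[len("query "):]).fetchall()
        if rows and len(rows[0]) != 1:
            raise ValueError("SOURCE query must return exactly one column")
        return [row[0] for row in rows if row[0] is not None]
    if os.path.isfile(source):
        with open(source) as fh:
            return [line.strip() for line in fh if line.strip()]
    return [source]


def normalize_target(value):
    """Strip the scheme and trailing slash that made the module error out
    for the author: SOURCE wants a bare host, PROTOCOL and PORT do the rest.
    """
    value = value.strip()
    if "://" in value:
        value = urlsplit(value).netloc or value
    return value.rstrip("/")


def candidate_urls(host, protocol="http", port=80):
    """URLs the interesting_files module would request for one host.
    Omitting the default port is this example's choice, not a claim about
    how the module builds its requests.
    """
    default_port = {"http": 80, "https": 443}.get(protocol)
    authority = host if port == default_port else f"{host}:{port}"
    return [f"{protocol}://{authority}/{name}" for name in INTERESTING_FILES]
```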
Exploitation
Remote Command Injection Shell Interface – Provides a shell interface for remote command injection flaws in web applications
Xpath Injection Brute Forcer – Exploits XPath injection flaws to enumerate the contents of server-side XML documents
Import
Advanced CSV File Importer – Imports values from a CSV file into a database table.
List File Importer – Imports values from a list file into a database table and column
Recon
Facebook Contact Enumerator – Harvests contacts from Facebook.com. Updates the ‘contacts’ table with the results
Jigsaw – Point Usage Statistics Fetcher – Queries the Jigsaw API for the point usage statistics of the given account.
Jigsaw – Single Contact Retriever – Retrieves a single complete contact from the Jigsaw.com API using points from the given account
Jigsaw Contact Enumerator – Harvests contacts from the Jigsaw.com API. Updates the ‘contacts’ table with the results
Jigsaw Authenticated Contact Enumerator – Harvests contacts from Data.com using an authenticated user account. Updates the ‘contacts’ table with the results. Use ‘keys’ to set your jigsaw username and password before use.
LinkedIn Authenticated Contact Enumerator – Harvests contacts from the LinkedIn.com API using an authenticated connections network. Updates the ‘contacts’ table with the results.
Whois Data Miner – Uses the ARIN Whois RWS to harvest companies, locations, netblocks, and contacts associated with the given company search string. Updates the respective tables with the results.
[recon-ng][default][whois_miner] > run
[*] URL: http://whois.arin.net/rest/orgs;name=yahoo
-----
YAHOO
-----
[*] Location: 701 First Avenue, Sunnyvale, CA 94089
[*] URL: http://whois.arin.net/rest/org/YAHOO-1/nets
[*] Netblock: 8.3.34.0/23
[*] Netblock: 216.34.77.0/25
[*] Netblock: 8.8.178.0/24
[*] Netblock: 64.209.232.0/24
[*] Netblock: 64.39.38.208/28
[*] Netblock: 204.71.177.0/24
[*] Netblock: 204.71.188.0/24
[*] Netblock: 216.136.220.128/25
[*] Netblock: 64.56.197.208/28
[*] Netblock: 67.72.118.0/23
[*] URL: http://whois.arin.net/rest/org/YAHOO-1/pocs
[*] Contact: Netblock Admin (netblockadmin@yahoo-inc.com) - Whois contact (Admin) (Sunnyvale, CA - United States)
[*] Contact: Netblock Admin (netblockadmin@yahoo-inc.com) - Whois contact (Tech) (Sunnyvale, CA - United States)
[*] Contact: Network Abuse (abuse@yahoo-inc.com) - Whois contact (Abuse) (Sunnyvale, CA - United States)
-----
YAHOO
-----
[*] Location: 325 Geri St, Lawrenceburg, TN 38464
[*] URL: http://whois.arin.net/rest/org/YAHOO-10/nets
[*] Netblock: 12.23.247.176/29
[*] URL: http://whois.arin.net/rest/org/YAHOO-10/pocs
[*] Contact: Janice Kilburn (jkilburn1stop@yahoo.com) - Whois contact (Admin) (Lawrenceburg, TN - United States)
[*] Contact: Janice Kilburn (jkilburn1stop@yahoo.com) - Whois contact (Abuse) (Lawrenceburg, TN - United States)
[*] Contact: Janice Kilburn (jkilburn1stop@yahoo.com) - Whois contact (Tech) (Lawrenceburg, TN - United States)
[*] URL: http://whois.arin.net/rest/customers;name=yahoo
-----
YAHOO
-----
[*] Location: 225 Broadway, San Diego, CA 92101
[*] URL: http://whois.arin.net/rest/customer/C00146168/nets
[*] Netblock: 209.132.98.0/29
[*] URL: http://whois.arin.net/rest/customer/C00146168/pocs
[*] No POCS found.
-----
YAHOO
-----
[*] Location: 225 Broadway, San Diego, CA 92101
[*] URL: http://whois.arin.net/rest/customer/C00146169/nets
[*] Netblock: 209.132.98.8/29
[*] URL: http://whois.arin.net/rest/customer/C00146169/pocs
[*] No POCS found.
-----
YAHOO
-----
[*] Location: 624 S Grand, Los Angeles, CA 90017
[*] URL: http://whois.arin.net/rest/customer/C01196389/nets
[*] Netblock: 65.91.7.80/29
[*] URL: http://whois.arin.net/rest/customer/C01196389/pocs
[*] No POCS found.
-------
SUMMARY
-------
[*] 5 total (2 new) companies found.
[*] 5 total (4 new) locations found.
[*] 14 total (14 new) netblocks found.
[*] 6 total (6 new) contacts found.
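The whois_miner output above, parsed as an added Python example (not part of Recon-ng): it rebuilds the per-record structure and the SUMMARY counts, and adds two things worth having when reviewing your own ARIN footprint, the number of addresses behind the netblocks and the POCs that sit outside an assumed corporate-domain allow-list. The sample input is an excerpt of the output shown above.

```python
import ipaddress
import re
# Excerpt of the whois_miner output shown above (three of its five records).
SAMPLE_OUTPUT = """\
-----
YAHOO
-----
[*] Location: 701 First Avenue, Sunnyvale, CA 94089
[*] URL: http://whois.arin.net/rest/org/YAHOO-1/nets
[*] Netblock: 8.3.34.0/23
[*] Netblock: 216.34.77.0/25
[*] URL: http://whois.arin.net/rest/org/YAHOO-1/pocs
[*] Contact: Netblock Admin (netblockadmin@yahoo-inc.com) - Whois contact (Admin) (Sunnyvale, CA - United States)
[*] Contact: Network Abuse (abuse@yahoo-inc.com) - Whois contact (Abuse) (Sunnyvale, CA - United States)
-----
YAHOO
-----
[*] Location: 325 Geri St, Lawrenceburg, TN 38464
[*] URL: http://whois.arin.net/rest/org/YAHOO-10/nets
[*] Netblock: 12.23.247.176/29
[*] URL: http://whois.arin.net/rest/org/YAHOO-10/pocs
[*] Contact: Janice Kilburn (jkilburn1stop@yahoo.com) - Whois contact (Admin) (Lawrenceburg, TN - United States)
-----
YAHOO
-----
[*] Location: 225 Broadway, San Diego, CA 92101
[*] URL: http://whois.arin.net/rest/customer/C00146168/nets
[*] Netblock: 209.132.98.0/29
[*] URL: http://whois.arin.net/rest/customer/C00146168/pocs
[*] No POCS found.
-------
SUMMARY
-------
"""

RULE = re.compile(r"^-+$")
HANDLE = re.compile(r"/rest/(?:org|customer)/([^/]+)/")
CONTACT = re.compile(r"^\[\*\] Contact: (.+?) \((\S+@\S+)\) - Whois contact \((\w+)\)")

def parse_whois_miner(text):
    """One dict per org/customer record in whois_miner console output."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip() or RULE.match(line):
            continue                      # ----- framing carries no data
        if not line.startswith("[*] "):   # a bare name line opens a record
            if line == "SUMMARY":
                break                     # counts are recomputed below
            current = {"name": line, "handle": None, "location": None,
                       "netblocks": [], "contacts": []}
            records.append(current)
        elif current is None:
            continue                      # lines before the first record
        elif line.startswith("[*] Location: "):
            current["location"] = line[len("[*] Location: "):]
        elif line.startswith("[*] Netblock: "):
            current["netblocks"].append(line[len("[*] Netblock: "):])
        elif (m := HANDLE.search(line)) and current["handle"] is None:
            current["handle"] = m.group(1)   # org or customer handle from URL
        elif (m := CONTACT.match(line)):
            current["contacts"].append(
                {"name": m.group(1), "email": m.group(2), "role": m.group(3)})
    return records

def summarize(records):
    """Recompute the module's SUMMARY counts plus the address footprint."""
    nets = [ipaddress.ip_network(n, strict=False)
            for r in records for n in r["netblocks"]]
    return {"companies": len(records),
            "locations": sum(1 for r in records if r["location"]),
            "netblocks": len(nets),
            "contacts": sum(len(r["contacts"]) for r in records),
            "addresses": sum(n.num_addresses for n in nets)}

def contacts_outside(records, corporate_domains):
    """POC mailboxes off the corporate domains: the first thing to review when
    auditing your own ARIN records (the allow-list is this example's input)."""
    return sorted({c["email"] for r in records for c in r["contacts"]
                   if c["email"].rsplit("@", 1)[1].lower() not in corporate_domains})
```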
Bing Linkedin Profile Harvester – Harvests contacts from linkedin.com by querying Bing for Linkedin pages related to the given companies, parsing the profiles, and adding them to the ‘profiles’ table
MailTester Email Validator – Leverages MailTester.com to validate email addresses
Contact Name Mangler – Applies a mangle pattern to all of the contacts stored in the database, creating email addresses or usernames for each harvested contact. Updates the ‘contacts’ table with the results.
Contact Name Unmangler – Applies a regex or unmangle pattern to all of the contacts stored in the database, pulling out the individual name components. Updates the ‘contacts’ table with the results.
Have I been pwned? Breach Search – Leverages the haveibeenpwned.com API to determine if email addresses are associated with breached credentials. Adds compromised email addresses to the ‘credentials’ table.
Have I been pwned? Paste Search – Leverages the haveibeenpwned.com API to determine if email addresses have been published to various paste sites. Adds compromised email addresses to the ‘credentials’ table.
PwnedList Validator – Leverages PwnedList.com to determine if email addresses are associated with leaked credentials. Adds compromised email addresses to the ‘credentials’ table.
Contacts to Domains Data Migrator – Adds a new domain for all the hostnames associated with email addresses stored in the ‘contacts’ table.
FullContact Contact Enumerator – Harvests contact information and profiles from the fullcontact.com API using email addresses as input. Updates the ‘contacts’ and ‘profiles’ tables with the results.
Adobe Hash Cracker – Decrypts hashes leaked from the 2013 Adobe breach. First, the module cross references the leak ID to identify Adobe hashes in the ‘password’ column of the ‘creds’ table, moves the Adobe hashes to the ‘hash’ column, and changes the ‘type’ to ‘Adobe’. Second, the module attempts to crack the hashes by comparing the ciphertext’s decoded cipher blocks to a local block lookup table (BLOCK_DB) of known cipher block values. Finally, the module updates the ‘creds’ table with the results based on the level of success.
PyBozoCrack Hash Lookup – Searches Google for the value of a hash and tests for a match by hashing every word in the resulting page using all hashing algorithms supported by the ‘hashlib’ library. Updates the ‘credentials’ table with the positive results.
Hashes.org Hash Lookup – Uses the Hashes.org API to perform a reverse hash lookup. Updates the ‘credentials’ table with the positive results.
leakdb Hash Lookup – Uses the leakdb hash database to perform a reverse hash lookup. Updates the ‘credentials’ table with the positive results.
PGP Key Owner Lookup – Searches the MIT public PGP key server for email addresses of the given domain. Updates the ‘contacts’ table with the results
SalesMaple Contact Harvester – Harvests contacts from the SalesMaple API using domains as input. Updates the ‘contacts’ table with the results.
Whois POC Harvester – Uses the ARIN Whois RWS to harvest POC data from whois queries for the given domain. Updates the ‘contacts’ table with the results.
PwnedList – Account Credentials Fetcher – Queries the PwnedList API for credentials associated with the given usernames. Updates the ‘credentials’ table with the results.
PwnedList – API Usage Statistics Fetcher – Queries the PwnedList API for account usage statistics
PwnedList – Pwned Domain Credentials Fetcher – Queries the PwnedList API to fetch all credentials for a domain. Updates the ‘credentials’ table with the results
PwnedList – Pwned Domain Statistics Fetcher – Queries the PwnedList API for a domain to determine if any associated credentials have been compromised. This module does NOT return any credentials, only a total number of compromised credentials.
PwnedList – Leak Details Fetcher (leak_lookup.py) – Queries the local database for information associated with a leak ID. The ‘leaks_dump’ module must be used to populate the local database before this module will execute successfully.
PwnedList – Leak Details Fetcher (leaks_dump.py) – Queries the PwnedList API for information associated with all known leaks. Updates the ‘leaks’ table with the results.
DNS Public Suffix Brute Forcer – Brute forces TLDs and SLDs using DNS. Updates the ‘domains’ table with the results
Baidu Hostname Enumerator – Harvests hosts from Baidu.com by using the ‘site’ search operator. Updates the ‘hosts’ table with the results
Bing API Hostname Enumerator – Leverages the Bing API and “domain:” advanced search operator to harvest hosts. Updates the ‘hosts’ table with the results.
Bing Hostname Enumerator – Harvests hosts from Bing.com by using the ‘site’ search operator. Updates the ‘hosts’ table with the results.
DNS Hostname Brute Forcer – Brute forces host names using DNS. Updates the ‘hosts’ table with the results
BuiltWith Enumerator – Leverages the BuiltWith API to identify hosts, technologies, and contacts associated with a domain
Google CSE Hostname Enumerator – Leverages the Google Custom Search Engine API to harvest hosts using the ‘site’ search operator. Updates the ‘hosts’ table with the results.
Google Hostname Enumerator – Harvests hosts from Google.com by using the ‘site’ search operator. Updates the ‘hosts’ table with the results
Netcraft Hostname Enumerator – Harvests hosts from Netcraft.com. Updates the ‘hosts’ table with the results
Shodan Hostname Enumerator – Harvests hosts from the Shodan API by using the ‘hostname’ search operator. Updates the ‘hosts’ table with the results.
SSL SAN Lookup – Uses the ssltools.com site to obtain the Subject Alternative Names for a domain. Updates the ‘hosts’ table with the results.
VPNHunter Lookup – Checks vpnhunter.com for SSL VPNs, remote accesses, email portals and generic login sites. Updates the ‘hosts’ table with the results.
Yahoo Hostname Enumerator – Harvests hosts from Yahoo.com by using the ‘domain’ search operator. Updates the ‘hosts’ table with the results.
PunkSPIDER Vulnerability Finder – Leverages the PunkSPIDER API to search for previously discovered vulnerabilities on hosts within a domain.
XSSed Domain Lookup – Checks XSSed.com for XSS records associated with a domain and displays the first 20 results
This is a very handy module for XSS lookup. Let’s take a look at it:
Hosts to Domains Data Migrator – Adds a new domain for all the hostnames stored in the ‘hosts’ table
Bing API IP Neighbor Enumerator – Leverages the Bing API and “ip:” advanced search operator to enumerate other virtual hosts sharing the same IP address. Updates the ‘hosts’ table with the results.
FreeGeoIP – Leverages the freegeoip.net API to geolocate a host by IP address. Updates the ‘hosts’ table with the results
I used this to check the location of the www.google.com host (resolved the IP first):
[recon-ng][default][freegeoip] > run
[*] 172.217.16.100 - 37.4192,-122.0574 - Mountain View, California, United States
My-IP-Neighbors.com Lookup – Checks My-IP-Neighbors.com for virtual hosts on the same server. Updates the ‘hosts’ table with the results.
IPInfoDB GeoIP – Leverages the ipinfodb.com API to geolocate a host by IP address. Updates the ‘hosts’ table with the results.
Hostname Resolver – Resolves the IP address for a host. Updates the ‘hosts’ table with the results
Reverse Resolver – Conducts a reverse lookup for each IP address to resolve the hostname. Updates the ‘hosts’ table with the results.
Address Geocoder – Queries the Google Maps API to obtain coordinates for an address. Updates the ‘locations’ table with the results.
Let’s see this module in action with one of our favorite tech giants’ addresses xD (I leave it to you to see what’s located there):
Reverse Geocoder – Queries the Google Maps API to obtain an address from coordinates.
So we have some coordinates. Let’s see what’s there:
[recon-ng][default][reverse_geocode] > run
[*] Reverse geocoding (35.670337, 139.702573)...
[*] 1 Chome-18-20 Jingūmae, Shibuya-ku, Tōkyō-to 150-0001, Japan
-------
SUMMARY
-------
[*] 1 total (1 new) locations found.
Flickr Geolocation Search – Searches Flickr for media in the specified proximity to a location.
Instagram Geolocation Search – Searches Instagram for media in the specified proximity to a location.
Picasa Geolocation Search – Searches Picasa for media in the specified proximity to a location.
Shodan Geolocation Search – Searches Shodan for media in the specified proximity to a location.
Twitter Geolocation Search – Searches Twitter for media in the specified proximity to a location.
YouTube Geolocation Search – Searches YouTube for media in the specified proximity to a location.
Whois Company Harvester – Uses the ARIN Whois RWS to harvest Companies data from whois queries for the given netblock. Updates the ‘companies’ table with the results.
Reverse Resolver – Conducts a reverse lookup for each of a netblock’s IP addresses to resolve the hostname. Updates the ‘hosts’ table with the results.
Shodan Network Enumerator – Harvests hosts from the Shodan API by using the ‘net’ search operator. Updates the ‘hosts’ table with the results.
Internet Census 2012 Lookup – Queries the Internet Census 2012 data through Exfiltrated.com to enumerate open ports for a netblock.
This will come in handy to give you an idea about hosts without directly port scanning them:
[recon-ng][default][dev_diver] > run
[*] Checking Github...
[*] Github username found - (https://api.github.com/users/chousensha)
+-------------------------------------------------------------------+
| Github |
+-------------------------------------------------------------------+
| Resource | Github |
| User Name | chousensha |
| Profile URL | https://github.com/chousensha |
| Avatar URL | https://avatars.githubusercontent.com/u/5703557?v=3 |
| Location | |
| Company | |
| Blog URL | http://chousensha.github.io/ |
| Email | |
| Bio | |
| Followers | 2 |
| ID | 5703557 |
| Joined | 2013-10-16 |
| Updated | 2016-04-29 |
+-------------------------------------------------------------------+
[*] Checking Bitbucket...
[*] Bitbucket username not found.
[*] Checking SourceForge...
[*] Sourceforge username not found.
[*] Checking CodePlex...
[*] CodePlex username not found.
[*] Checking Gitorious...
[*] Gitorious username not found.
-------
SUMMARY
-------
[*] 1 total (1 new) contacts found.
Linkedin Contact Crawler – Harvests contact information from linkedin.com by parsing the link(s) given and adding the info to the ‘contacts’ table.
Linkedin Profile Crawler – Harvests profiles from linkedin.com by visiting the given link(s), crawling the “Viewers of this profile also viewed”, parsing the pages, and adding new profiles to the ‘profiles’ table
NameChk.com Username Validator – Leverages NameChk.com to validate the existence of usernames on specific web sites and updates the ‘profiles’ table with the results.
Good for recon, but also for checking how unique your l33t handle is:
Twitter Handles – Searches Twitter for users that mentioned, or were mentioned by, the given handle.
Github Code Enumerator – Uses the Github API to enumerate repositories and gists owned by a Github user. Updates the ‘repositories’ table with the results.
Github Commit Searcher – Uses the Github API to gather user profiles from repository commits. Updates the ‘profiles’ table with the results.
Github Gist Searcher – Uses the Github API to download and search Gists for possible information disclosures. Updates the ‘vulnerabilities’ table with the results
Github Dork Analyzer – Uses the Github API to search for possible vulnerabilities in source code by leveraging Github Dorks and the ‘repo’ search operator. Updates the ‘vulnerabilities’ table with the results.
Indeed Resume Crawl – Crawls Indeed.com for contacts and resumes. Adds name, title, and location to the contacts table and a link to the resume in the profiles table. Can only harvest the first 1,000 results. Result set changes, so running the same crawl multiple times can produce new contacts. If the PAST_EMPS option is set to true, the module will crawl both current and past employees. Given a keyword, the module will only harvest contacts whose resumes contain the keyword. (e.g. Linux Admin)
Meta Data Extractor – Searches for files associated with the provided domain(s) and extracts any contact related metadata
HackerTarget Lookup – Uses the HackerTarget.com API to find host names. Updates the ‘hosts’ table with the results.
ThreatCrowd DNS lookup – Leverages the ThreatCrowd passive DNS API to discover hosts/subdomains.
Google Hacking Database – Searches for possible vulnerabilities in a domain by leveraging the Google Hacking Database (GHDB) and the ‘site’ search operator. Updates the ‘vulnerabilities’ table with the results.
This module is massive! Basically, you get Google dorks inside Recon-ng!
[recon-ng][default][ghdb] > show info
Name: Google Hacking Database
Path: modules/recon/domains-vulnerabilities/ghdb.py
Author: Tim Tomes (@LaNMaSteR53)
Description:
Searches for possible vulnerabilites in a domain by leveraging the Google Hacking Database (GHDB)
and the 'site' search operator. Updates the 'vulnerabilities' table with the results.
Options:
Name Current Value Required Description
----------------------------------- ------------- -------- -----------
DORKS no file containing an alternate list of Google dorks
GHDB_ADVISORIES_AND_VULNERABILITIES False yes enable/disable the 1996 dorks in this category
GHDB_ERROR_MESSAGES False yes enable/disable the 93 dorks in this category
GHDB_FILES_CONTAINING_JUICY_INFO False yes enable/disable the 366 dorks in this category
GHDB_FILES_CONTAINING_PASSWORDS False yes enable/disable the 199 dorks in this category
GHDB_FILES_CONTAINING_USERNAMES False yes enable/disable the 17 dorks in this category
GHDB_FOOTHOLDS False yes enable/disable the 49 dorks in this category
GHDB_NETWORK_OR_VULNERABILITY_DATA False yes enable/disable the 63 dorks in this category
GHDB_PAGES_CONTAINING_LOGIN_PORTALS False yes enable/disable the 372 dorks in this category
GHDB_SENSITIVE_DIRECTORIES False yes enable/disable the 119 dorks in this category
GHDB_SENSITIVE_ONLINE_SHOPPING_INFO False yes enable/disable the 11 dorks in this category
GHDB_VARIOUS_ONLINE_DEVICES False yes enable/disable the 307 dorks in this category
GHDB_VULNERABLE_FILES False yes enable/disable the 62 dorks in this category
GHDB_VULNERABLE_SERVERS False yes enable/disable the 83 dorks in this category
GHDB_WEB_SERVER_DETECTION False yes enable/disable the 77 dorks in this category
SOURCE default yes source of input (see 'show info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
Comments:
* Special thanks to the Offenvise Security crew for maintaining the GHDB and making it available to
open source projects like Recon-ng. Thanks Muts!
SSLTools.com Host Name Lookups – Uses the ssltools.com site to obtain host names from a site’s SSL certificate metadata to update the ‘hosts’ table. Security issues with the certificate trust are pushed to the ‘vulnerabilities’ table.
censys.io port lookup by netblock – Queries censys.io to enumerate open ports for a netblock
Reporting
CSV File Creator – Creates a CSV file containing the specified harvested data
HTML Report Generator – Creates a HTML report
I really liked the HTML report format. It classifies data into:
List Creator – Creates a file containing a list of records from the database
PushPin Report Generator – Creates HTML media and map reports for all of the PushPins stored in the database.
XLSX File Creator – Creates an Excel compatible XLSX file containing the entire data set
XML Report Generator – Creates an XML report
It took a while to list everything! As you can see, the Recon-ng framework is an information gathering tool on steroids! And if you can’t find what you need among the current modules, you can write your own and contribute!
Until next time, here’s the cookie straight from the cow’s mouth:
 ______________________________________
/ Q: How did you get into artificial   \
| intelligence? A: Seemed logical -- I |
\ didn't have any real intelligence.   /
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||