Core dump overflow


Pentest tools - Recon-ng


In this post I’ll discuss the use of the powerful web reconnaissance framework, Recon-ng.

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng is an invaluable tool for performing information gathering. It is modeled on the Metasploit framework, so the interface and functionality are pretty similar.

recon-ng

Recon-ng core commands

With the help menu, you can get an overview of what commands are available:

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context
delete          Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads specified module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
reload          Reloads all modules
resource        Executes commands from a resource file
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
unset           Unsets module options
use             Loads specified module
workspaces      Manages workspaces

You can already see the similarity with Metasploit. Let’s focus on what’s exclusive to Recon-ng: the powerful recon capabilities. You can leverage different search engines and social media for information gathering. To get the most out of this functionality, you will need to use API keys. Below you can see the available APIs:

[recon-ng][default] > keys list

  +---------------------------+
  |        Name       | Value |
  +---------------------------+
  | bing_api          |       |
  | builtwith_api     |       |
  | facebook_api      |       |
  | facebook_password |       |
  | facebook_secret   |       |
  | facebook_username |       |
  | flickr_api        |       |
  | fullcontact_api   |       |
  | google_api        |       |
  | google_cse        |       |
  | instagram_api     |       |
  | instagram_secret  |       |
  | ipinfodb_api      |       |
  | jigsaw_api        |       |
  | jigsaw_password   |       |
  | jigsaw_username   |       |
  | linkedin_api      |       |
  | linkedin_secret   |       |
  | pwnedlist_api     |       |
  | pwnedlist_iv      |       |
  | pwnedlist_secret  |       |
  | shodan_api        |       |
  | twitter_api       |       |
  | twitter_secret    |       |
  +---------------------------+

In addition to the well known APIs of the main search engines and social media, there are the following:

  • the BuiltWith Domain API, which provides XML and JSON access to the technology information of a website

  • FullContact lets you easily query by email, phone number, or Twitter username. Results include publicly available social profiles, photos, basic demographics, job titles, company stats, and over 100 other public data points.

  • IPInfoDB, which provides free access to IP geolocation tools

  • Jigsaw is an online directory of free, downloadable Company information and more than 11 million business Contacts. Every Jigsaw business Contact is complete with hard-to-find direct dials and email addresses, while each Company record gives the low down on Company size, location, and industry.

  • PwnedList is designed for consumers to check if their email address has been found on commonly circulating lists of stolen accounts and passwords (this has been shut down at the time of this writing)

If you were to add a new API key, you could do it like this:

[recon-ng][default] > keys add bing_api 007007
[*] Key 'bing_api' added.
[recon-ng][default] > keys list

  +----------------------------+
  |        Name       | Value  |
  +----------------------------+
  | bing_api          | 007007 |

To delete an API key, you can use the keys delete command.

To see what items are available in the framework, use the show command:

[recon-ng][default] > show
Shows various framework items

Usage: show [banner|companies|contacts|credentials|dashboard|domains|hosts|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|schema|vulnerabilities]

This should give you an idea of the kinds of data you can look for. Again, this should feel similar to Metasploit. In fact, like in the msfconsole, the modules are what you will use to perform different tasks. Let’s take a look at all the currently available modules. Oh, and did I mention there is tab completion as well? :D

Recon-ng modules

show modules

  Discovery
  ---------
    discovery/info_disclosure/cache_snoop
    discovery/info_disclosure/interesting_files

  Exploitation
  ------------
    exploitation/injection/command_injector
    exploitation/injection/xpath_bruter

  Import
  ------
    import/csv_file
    import/list

  Recon
  -----
    recon/companies-contacts/facebook
    recon/companies-contacts/jigsaw/point_usage
    recon/companies-contacts/jigsaw/purchase_contact
    recon/companies-contacts/jigsaw/search_contacts
    recon/companies-contacts/jigsaw_auth
    recon/companies-contacts/linkedin_auth
    recon/companies-multi/whois_miner
    recon/companies-profiles/bing_linkedin
    recon/contacts-contacts/mailtester
    recon/contacts-contacts/mangle
    recon/contacts-contacts/unmangle
    recon/contacts-credentials/hibp_breach
    recon/contacts-credentials/hibp_paste
    recon/contacts-credentials/pwnedlist
    recon/contacts-domains/migrate_contacts
    recon/contacts-profiles/fullcontact
    recon/credentials-credentials/adobe
    recon/credentials-credentials/bozocrack
    recon/credentials-credentials/hashes_org
    recon/credentials-credentials/leakdb
    recon/domains-contacts/pgp_search
    recon/domains-contacts/salesmaple
    recon/domains-contacts/whois_pocs
    recon/domains-credentials/pwnedlist/account_creds
    recon/domains-credentials/pwnedlist/api_usage
    recon/domains-credentials/pwnedlist/domain_creds
    recon/domains-credentials/pwnedlist/domain_ispwned
    recon/domains-credentials/pwnedlist/leak_lookup
    recon/domains-credentials/pwnedlist/leaks_dump
    recon/domains-domains/brute_suffix
    recon/domains-hosts/baidu_site
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/vpnhunter
    recon/domains-hosts/yahoo_domain
    recon/domains-vulnerabilities/punkspider
    recon/domains-vulnerabilities/xssed
    recon/domains-vulnerabilities/xssposed
    recon/hosts-domains/migrate_hosts
    recon/hosts-hosts/bing_ip
    recon/hosts-hosts/freegeoip
    recon/hosts-hosts/ip_neighbor
    recon/hosts-hosts/ipinfodb
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/locations-locations/geocode
    recon/locations-locations/reverse_geocode
    recon/locations-pushpins/flickr
    recon/locations-pushpins/instagram
    recon/locations-pushpins/picasa
    recon/locations-pushpins/shodan
    recon/locations-pushpins/twitter
    recon/locations-pushpins/youtube
    recon/netblocks-companies/whois_orgs
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012
    recon/ports-hosts/migrate_ports
    recon/profiles-contacts/dev_diver
    recon/profiles-contacts/linkedin
    recon/profiles-profiles/linkedin_crawl
    recon/profiles-profiles/namechk
    recon/profiles-profiles/profiler
    recon/profiles-profiles/twitter

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/pushpin
    reporting/xlsx
    reporting/xml

You can select a module via the load or use commands. Once in a module’s context, you can see information about it with the show info command. Similarly, you can see the required options for a module with the show options command, and change them with set. Let’s look at each module and see some usage examples.

Discovery

  • DNS Cache Snooper – Uses the DNS cache snooping technique to check for visited domains

  • Interesting File Finder – Checks hosts for interesting files in predictable locations

Let’s see more about this module:

[recon-ng][default][interesting_files] > show info

      Name: Interesting File Finder
      Path: modules/discovery/info_disclosure/interesting_files.py
    Author: Tim Tomes (@LaNMaSteR53), thrapt (thrapt@gmail.com), Jay Turla (@shipcod3), and Mark Jeffery

Description:
  Checks hosts for interesting files in predictable locations.

Options:
  Name      Current Value  Required  Description
  --------  -------------  --------  -----------
  DOWNLOAD  True           yes       download discovered files
  PORT      80             yes       request port
  PROTOCOL  http           yes       request protocol
  SOURCE    default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

Comments:
  * Files: robots.txt, sitemap.xml, sitemap.xml.gz, crossdomain.xml, phpinfo.php, test.php, elmah.axd,
  server-status, jmx-console/, admin-console/, web-console/
  * Google Dorks:
    - inurl:robots.txt ext:txt
    - inurl:elmah.axd ext:axd intitle:"Error log for"
    - inurl:server-status "Apache Status"

I found this a bit confusing at first, but the SOURCE is the equivalent of the target you do recon on. I ran this on my own blog for a demo. When setting a target, keep in mind not to include the http or https (the protocol setting handles that), and also to exclude the trailing slash (I got errors until I did that).

[recon-ng][default][interesting_files] > run
[*] http://chousensha.github.io:80/robots.txt => 200. 'robots.txt' found!
[*] http://chousensha.github.io:80/sitemap.xml => 200. 'sitemap.xml' found!
[*] http://chousensha.github.io:80/sitemap.xml.gz => 404
[*] http://chousensha.github.io:80/crossdomain.xml => 404
[*] http://chousensha.github.io:80/phpinfo.php => 404
[*] http://chousensha.github.io:80/test.php => 404
[*] http://chousensha.github.io:80/elmah.axd => 404
[*] http://chousensha.github.io:80/server-status => 404
[*] http://chousensha.github.io:80/jmx-console/ => 404
[*] http://chousensha.github.io:80/admin-console/ => 404
[*] http://chousensha.github.io:80/web-console/ => 404
[*] 2 interesting files found.
[*] ...downloaded to '/root/.recon-ng/workspaces/default/'

You can see recon-ng found 2 interesting files and downloaded them to my machine.
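To make the SOURCE semantics from the show info output concrete, here is an added example (my own code, not recon-ng’s) that resolves a SOURCE value the four ways the help text lists, normalises a hand-typed target the way the note above requires (no scheme, no trailing slash), and expands it into the URL list the interesting_files run prints. It assumes a constructed in-memory hosts table and interprets the four source forms in the order shown in the docstring, which is an assumption rather than a copy of recon-ng’s implementation.

```python
import os
import sqlite3

# Files probed by the interesting_files module, taken from its 'show info' comments.
INTERESTING_FILES = [
    "robots.txt", "sitemap.xml", "sitemap.xml.gz", "crossdomain.xml", "phpinfo.php",
    "test.php", "elmah.axd", "server-status", "jmx-console/", "admin-console/",
    "web-console/",
]

# The module's default SOURCE query, as printed under 'Source Options'.
DEFAULT_QUERY = "SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host"


def build_demo_db():
    """Constructed in-memory stand-in for a workspace database with a 'hosts' table.

    The rows are made up for this example (documentation-range addresses)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    db.executemany(
        "INSERT INTO hosts VALUES (?, ?, ?)",
        [
            ("www.example.test", "203.0.113.10", "bing_domain_web"),
            ("mail.example.test", "203.0.113.25", "brute_hosts"),
            ("www.example.test", "203.0.113.10", "google_site_web"),  # duplicate host
            (None, "203.0.113.99", "census_2012"),  # IP known, hostname not resolved yet
        ],
    )
    return db


def resolve_source(db, source, default_query=DEFAULT_QUERY):
    """Turn a SOURCE value into the list of inputs a module would iterate over.

    Interpretation order (assumed from the 'Source Options' help text, not copied
    from recon-ng's code):
      'default'          -> run the module's default query
      'query <sql>'      -> run the user's query, which must return exactly one column
      an existing path   -> one input per non-empty line of the file
      anything else      -> a single literal input
    """
    if source == "default":
        return [row[0] for row in db.execute(default_query)]
    if source.startswith("query "):
        cur = db.execute(source[len("query "):])
        if len(cur.description) != 1:
            raise ValueError("SOURCE query must return exactly one column")
        return [row[0] for row in cur if row[0] is not None]
    if os.path.isfile(source):
        with open(source, encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    return [source]


def clean_target(value):
    """Normalise a hand-typed target: drop the scheme and the trailing slash.

    PROTOCOL and PORT supply the scheme, so 'https://host/' and 'host' must mean the same."""
    lowered = value.lower()
    for prefix in ("http://", "https://"):
        if lowered.startswith(prefix):
            value = value[len(prefix):]
            break
    return value.rstrip("/")


def build_urls(hosts, protocol="http", port=80, files=INTERESTING_FILES):
    """Expand hosts into the URLs the module requests, in the order it prints them."""
    return [f"{protocol}://{clean_target(h)}:{port}/{name}" for h in hosts for name in files]


if __name__ == "__main__":
    demo = build_demo_db()
    print(resolve_source(demo, "default"))
    for url in build_urls(resolve_source(demo, "https://chousensha.github.io/")):
        print(url)
```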

Exploitation

  • Remote Command Injection Shell Interface – Provides a shell interface for remote command injection flaws in web applications

  • Xpath Injection Brute Forcer – Exploits XPath injection flaws to enumerate the contents of server-side XML documents

Import

  • Advanced CSV File Importer – Imports values from a CSV file into a database table.

  • List File Importer – Imports values from a list file into a database table and column

Recon

  • Facebook Contact Enumerator – Harvests contacts from Facebook.com. Updates the ‘contacts’ table with the results

  • Jigsaw – Point Usage Statistics Fetcher – Queries the Jigsaw API for the point usage statistics of the given account.

  • Jigsaw – Single Contact Retriever – Retrieves a single complete contact from the Jigsaw.com API using points from the given account

  • Jigsaw Contact Enumerator – Harvests contacts from the Jigsaw.com API. Updates the ‘contacts’ table with the results

  • Jigsaw Authenticated Contact Enumerator – Harvests contacts from Data.com using an authenticated user account. Updates the ‘contacts’ table with the results. Use ‘keys’ to set your jigsaw username and password before use.

  • LinkedIn Authenticated Contact Enumerator – Harvests contacts from the LinkedIn.com API using an authenticated connections network. Updates the ‘contacts’ table with the results.

  • Whois Data Miner – Uses the ARIN Whois RWS to harvest companies, locations, netblocks, and contacts associated with the given company search string. Updates the respective tables with the results.

Let’s see this in action against Yahoo:

[recon-ng][default][whois_miner] > run
[*] URL: http://whois.arin.net/rest/orgs;name=yahoo

-----
YAHOO
-----
[*] Location: 701 First Avenue, Sunnyvale, CA 94089
[*] URL: http://whois.arin.net/rest/org/YAHOO-1/nets
[*] Netblock: 8.3.34.0/23
[*] Netblock: 216.34.77.0/25
[*] Netblock: 8.8.178.0/24
[*] Netblock: 64.209.232.0/24
[*] Netblock: 64.39.38.208/28
[*] Netblock: 204.71.177.0/24
[*] Netblock: 204.71.188.0/24
[*] Netblock: 216.136.220.128/25
[*] Netblock: 64.56.197.208/28
[*] Netblock: 67.72.118.0/23
[*] URL: http://whois.arin.net/rest/org/YAHOO-1/pocs
[*] Contact: Netblock Admin (netblockadmin@yahoo-inc.com) - Whois contact (Admin) (Sunnyvale, CA - United States)
[*] Contact: Netblock Admin (netblockadmin@yahoo-inc.com) - Whois contact (Tech) (Sunnyvale, CA - United States)
[*] Contact: Network Abuse (abuse@yahoo-inc.com) - Whois contact (Abuse) (Sunnyvale, CA - United States)

-----
YAHOO
-----
[*] Location: 325 Geri St, Lawrenceburg, TN 38464
[*] URL: http://whois.arin.net/rest/org/YAHOO-10/nets
[*] Netblock: 12.23.247.176/29
[*] URL: http://whois.arin.net/rest/org/YAHOO-10/pocs
[*] Contact: Janice Kilburn (jkilburn1stop@yahoo.com) - Whois contact (Admin) (Lawrenceburg, TN - United States)
[*] Contact: Janice Kilburn (jkilburn1stop@yahoo.com) - Whois contact (Abuse) (Lawrenceburg, TN - United States)
[*] Contact: Janice Kilburn (jkilburn1stop@yahoo.com) - Whois contact (Tech) (Lawrenceburg, TN - United States)
[*] URL: http://whois.arin.net/rest/customers;name=yahoo

-----
YAHOO
-----
[*] Location: 225 Broadway, San Diego, CA 92101
[*] URL: http://whois.arin.net/rest/customer/C00146168/nets
[*] Netblock: 209.132.98.0/29
[*] URL: http://whois.arin.net/rest/customer/C00146168/pocs
[*] No POCS found.

-----
YAHOO
-----
[*] Location: 225 Broadway, San Diego, CA 92101
[*] URL: http://whois.arin.net/rest/customer/C00146169/nets
[*] Netblock: 209.132.98.8/29
[*] URL: http://whois.arin.net/rest/customer/C00146169/pocs
[*] No POCS found.

-----
YAHOO
-----
[*] Location: 624 S Grand, Los Angeles, CA 90017
[*] URL: http://whois.arin.net/rest/customer/C01196389/nets
[*] Netblock: 65.91.7.80/29
[*] URL: http://whois.arin.net/rest/customer/C01196389/pocs
[*] No POCS found.

-------
SUMMARY
-------
[*] 5 total (2 new) companies found.
[*] 5 total (4 new) locations found.
[*] 14 total (14 new) netblocks found.
[*] 6 total (6 new) contacts found.

  • Bing Linkedin Profile Harvester – Harvests contacts from linkedin.com by querying Bing for Linkedin pages related to the given companies, parsing the profiles, and adding them to the ‘profiles’ table

  • MailTester Email Validator – Leverages MailTester.com to validate email addresses

  • Contact Name Mangler – Applies a mangle pattern to all of the contacts stored in the database, creating email addresses or usernames for each harvested contact. Updates the ‘contacts’ table with the results.

  • Contact Name Unmangler – Applies a regex or unmangle pattern to all of the contacts stored in the database, pulling out the individual name components. Updates the ‘contacts’ table with the results.

  • Have I been pwned? Breach Search – Leverages the haveibeenpwned.com API to determine if email addresses are associated with breached credentials. Adds compromised email addresses to the ‘credentials’ table.

  • Have I been pwned? Paste Search – Leverages the haveibeenpwned.com API to determine if email addresses have been published to various paste sites. Adds compromised email addresses to the ‘credentials’ table.

  • PwnedList Validator – Leverages PwnedList.com to determine if email addresses are associated with leaked credentials. Adds compromised email addresses to the ‘credentials’ table.

  • Contacts to Domains Data Migrator – Adds a new domain for all the hostnames associated with email addresses stored in the ‘contacts’ table.

  • FullContact Contact Enumerator – Harvests contact information and profiles from the fullcontact.com API using email addresses as input. Updates the ‘contacts’ and ‘profiles’ tables with the results.

  • Adobe Hash Cracker – Decrypts hashes leaked from the 2013 Adobe breach. First, the module cross references the leak ID to identify Adobe hashes in the ‘password’ column of the ‘creds’ table, moves the Adobe hashes to the ‘hash’ column, and changes the ‘type’ to ‘Adobe’. Second, the module attempts to crack the hashes by comparing the ciphertext’s decoded cipher blocks to a local block lookup table (BLOCK_DB) of known cipher block values. Finally, the module updates the ‘creds’ table with the results based on the level of success.

  • PyBozoCrack Hash Lookup – Searches Google for the value of a hash and tests for a match by hashing every word in the resulting page using all hashing algorithms supported by the ‘hashlib’ library. Updates the ‘credentials’ table with the positive results.

  • Hashes.org Hash Lookup – Uses the Hashes.org API to perform a reverse hash lookup. Updates the ‘credentials’ table with the positive results.

  • leakdb Hash Lookup – Uses the leakdb hash database to perform a reverse hash lookup. Updates the ‘credentials’ table with the positive results.

  • PGP Key Owner Lookup – Searches the MIT public PGP key server for email addresses of the given domain. Updates the ‘contacts’ table with the results

This module is similar to theHarvester.
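The block-lookup idea behind the Adobe Hash Cracker bullet above, as an added example that is not recon-ng’s code: under ECB every identical 8-byte plaintext block encrypts to the identical cipher block, so once a cipher block’s plaintext is known from one account it is known for every account. The BLOCK_DB contents and the cipher block byte values here are constructed for the example, not real leak data.

```python
import base64

BLOCK_SIZE = 8  # the Adobe dump used a 64-bit block cipher (3DES) in ECB mode

# Constructed BLOCK_DB: cipher block -> plaintext it encrypts. The byte values are made
# up; a real table is built from blocks whose plaintext is already known (password hints,
# very common passwords), which only works because ECB has no per-block randomisation.
BLOCK_DB = {
    bytes.fromhex("d1e2f3a4b5c6d7e8"): b"password",
    bytes.fromhex("0011223344556677"): b"123456\x00\x00",  # zero-padded final block
    bytes.fromhex("8899aabbccddeeff"): b"qwerty\x00\x00",
}


def encode_hash(*blocks):
    """Join cipher blocks and base64-encode them, the form the leaked 'hashes' had."""
    return base64.b64encode(b"".join(blocks)).decode("ascii")


def split_blocks(ciphertext):
    """Cut a decoded ciphertext into block-sized pieces (reject malformed lengths)."""
    if not ciphertext or len(ciphertext) % BLOCK_SIZE:
        raise ValueError("ciphertext length is not a multiple of the block size")
    return [ciphertext[i:i + BLOCK_SIZE] for i in range(0, len(ciphertext), BLOCK_SIZE)]


def crack_ecb_hash(hash_b64, block_db=BLOCK_DB):
    """Return (recovered_text, fully_cracked); unknown blocks are shown as '????????'."""
    pieces, complete = [], True
    for block in split_blocks(base64.b64decode(hash_b64)):
        plain = block_db.get(block)
        if plain is None:
            pieces.append("?" * BLOCK_SIZE)
            complete = False
        else:
            pieces.append(plain.rstrip(b"\x00").decode("latin-1"))
    return "".join(pieces), complete


def shared_first_block(hashes_b64):
    """Group hashes whose first cipher block is identical. Under ECB that means the
    first 8 plaintext characters are the same, whether or not the block is in BLOCK_DB."""
    groups = {}
    for h in hashes_b64:
        groups.setdefault(split_blocks(base64.b64decode(h))[0], []).append(h)
    return [g for g in groups.values() if len(g) > 1]
```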

  • SalesMaple Contact Harvester – Harvests contacts from the SalesMaple API using domains as input. Updates the ‘contacts’ table with the results.

  • Whois POC Harvester – Uses the ARIN Whois RWS to harvest POC data from whois queries for the given domain. Updates the ‘contacts’ table with the results.

  • PwnedList – Account Credentials Fetcher – Queries the PwnedList API for credentials associated with the given usernames. Updates the ‘credentials’ table with the results.

  • PwnedList – API Usage Statistics Fetcher – Queries the PwnedList API for account usage statistics

  • PwnedList – Pwned Domain Credentials Fetcher – Queries the PwnedList API to fetch all credentials for a domain. Updates the ‘credentials’ table with the results

  • PwnedList – Pwned Domain Statistics Fetcher – Queries the PwnedList API for a domain to determine if any associated credentials have been compromised. This module does NOT return any credentials, only a total number of compromised credentials.

  • PwnedList – Leak Details Fetcher (leak_lookup.py) – Queries the local database for information associated with a leak ID. The ‘leaks_dump’ module must be used to populate the local database before this module will execute successfully.

  • PwnedList – Leak Details Fetcher (leaks_dump.py) – Queries the PwnedList API for information associated with all known leaks. Updates the ‘leaks’ table with the results.

  • DNS Public Suffix Brute Forcer – Brute forces TLDs and SLDs using DNS. Updates the ‘domains’ table with the results

  • Baidu Hostname Enumerator – Harvests hosts from Baidu.com by using the ‘site’ search operator. Updates the ‘hosts’ table with the results

  • Bing API Hostname Enumerator – Leverages the Bing API and “domain:” advanced search operator to harvest hosts. Updates the ‘hosts’ table with the results.

  • Bing Hostname Enumerator – Harvests hosts from Bing.com by using the ‘site’ search operator. Updates the ‘hosts’ table with the results.

  • DNS Hostname Brute Forcer – Brute forces host names using DNS. Updates the ‘hosts’ table with the results

  • BuiltWith Enumerator – Leverages the BuiltWith API to identify hosts, technologies, and contacts associated with a domain

  • Google CSE Hostname Enumerator – Leverages the Google Custom Search Engine API to harvest hosts using the ‘site’ search operator. Updates the ‘hosts’ table with the results.

  • Google Hostname Enumerator – Harvests hosts from Google.com by using the ‘site’ search operator. Updates the ‘hosts’ table with the results

  • Netcraft Hostname Enumerator – Harvests hosts from Netcraft.com. Updates the ‘hosts’ table with the results

  • Shodan Hostname Enumerator – Harvests hosts from the Shodan API by using the ‘hostname’ search operator. Updates the ‘hosts’ table with the results.

  • SSL SAN Lookup – Uses the ssltools.com site to obtain the Subject Alternative Names for a domain. Updates the ‘hosts’ table with the results.

  • VPNHunter Lookup – Checks vpnhunter.com for SSL VPNs, remote accesses, email portals and generic login sites. Updates the ‘hosts’ table with the results.

  • Yahoo Hostname Enumerator – Harvests hosts from Yahoo.com by using the ‘domain’ search operator. Updates the ‘hosts’ table with the results.

  • PunkSPIDER Vulnerability Finder – Leverages the PunkSPIDER API to search for previously discovered vulnerabilities on hosts within a domain.

  • XSSed Domain Lookup – Checks XSSed.com for XSS records associated with a domain and displays the first 20 results

This is a very handy module for XSS lookup. Let’s take a look at it:

[recon-ng][default][xssed] > run

---------
YAHOO.COM
---------
[*] Category: XSS
[*] Example: http://adz.kr.yahoo.com/CRZY/2006/hyundaicard_0913_150365_1a.swf?clickTAG=javascript:alert%20(document.cookie);document.location%20=%20%22http://1337hax0rz.com%22
[*] Host: adz.kr.yahoo.com
[*] Publish_Date: 2015-03-10 00:00:00
[*] Reference: http://xssed.com/mirror/60821/
[*] Status: fixed
--------------------------------------------------
[*] Category: XSS
[*] Example: http://us.yimg.vip.scd.yahoo.com/us.yimg.com/a/ya/yahoo_mail/ninja8b_nooffer.swf?clickTAG=javascript:alert(/412/)
[*] Host: us.yimg.vip.scd.yahoo.com
[*] Publish_Date: 2012-02-16 00:00:00
[*] Reference: http://xssed.com/mirror/57596/
[*] Status: fixed
--------------------------------------------------
[*] Category: Script Insertion
[*] Example: http://fr.groups.yahoo.com/search?query=%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E&sort=relevance
[*] Host: fr.groups.yahoo.com
[*] Publish_Date: 2011-12-22 00:00:00
[*] Reference: http://xssed.com/mirror/61982/
[*] Status: unfixed
--------------------------------------------------
[*] Category: XSS
[*] Example: http://basketball.fantasysports.yahoo.com/nba/playerranker?lid=<script>alert(/XSS-by-[]0iZy5/)</script>
[*] Host: basketball.fantasysports.yahoo.com
[*] Publish_Date: 2011-12-21 00:00:00
[*] Reference: http://xssed.com/mirror/71051/
[*] Status: unfixed
--------------------------------------------------
[*] Category: Redirect
[*] Example: http://www.yahoo.com/SIG=15ohh3h62/M=722732.13975606.14062129.13194555/D=regst/S=150002347:R2/Y=YAHOO/EXP=1275539597/L=hnNys0Kjqbp5Cok8Sr10cAJDTPYa3UwHFG0AANhn/B=VSDoPmKJiUs-/J=1275532397077354/K=rS6pwy3MN2NPP7SBqBCOAQ/A=6097785/R=0/SIG=11o4aqdmv/*http://xssed.com/newsearch/searchpad.html
[*] Host: www.yahoo.com
[*] Publish_Date: 2011-12-21 00:00:00
[*] Reference: http://xssed.com/mirror/67076/
[*] Status: unfixed
--------------------------------------------------
[snip]

  • XSSposed Domain Lookup – Checks XSSposed.com for XSS records associated with a domain

Another good module for hunting down XSS

[recon-ng][default][xssposed] > run

---------------
BITDEFENDER.COM
---------------
[*] Category: REDIRECT
[*] Example: https://safeweb.norton.com/report/show?url=store.bitdefender.com
[*] Host: store.bitdefender.com
[*] Publish_Date: 2016-06-20 21:09:16
[*] Reference: https://www.openbugbounty.org/incidents/160213/
[*] Status: unfixed
--------------------------------------------------
[*] Category: XSS
[*] Example: https://labs.bitdefender.com/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alert`OPENBUGBOUNTY`
[*] Host: labs.bitdefender.com
[*] Publish_Date: 2016-05-17 20:31:25
[*] Reference: https://www.openbugbounty.org/incidents/154457/
[*] Status: fixed
--------------------------------------------------
[*] Category: XSS
[*] Example: https://rdprojects.bitdefender.com/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alert`OPENBUGBOUNTY`
[*] Host: rdprojects.bitdefender.com
[*] Publish_Date: 2016-05-17 20:32:26
[*] Reference: https://www.openbugbounty.org/incidents/154458/
[*] Status: fixed
--------------------------------------------------
[*] Category: REDIRECT
[*] Example: http://www.bitdefender.com/site/Main/tdRedirect/?url=http://xssposed.org/
[*] Host: bitdefender.com
[*] Publish_Date: 2016-01-03 01:53:37
[*] Reference: https://www.openbugbounty.org/incidents/121291/
[*] Status: fixed
--------------------------------------------------
[*] Category: REDIRECT
[*] Example: https://store.bitdefender.com/redirect.php?url=http://xssposed.org/
[*] Host: store.bitdefender.com
[*] Publish_Date: 2015-09-19 20:33:58
[*] Reference: https://www.openbugbounty.org/incidents/87399/
[*] Status: fixed
--------------------------------------------------

-------
SUMMARY
-------
[*] 5 total (5 new) vulnerabilities found.
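Both the xssed and the xssposed runs above print the same record layout, which makes them easy to turn into a triage list of your own domains’ still-unfixed public records. The parser below is an added example (my code, not recon-ng’s); the sample text is a constructed subset of the two outputs above with the example URLs shortened to a placeholder.

```python
import re
from collections import Counter

# Constructed sample: a subset of the xssed and xssposed output shown above, with the
# example payload URLs shortened. The record layout is exactly what the modules print.
SAMPLE_OUTPUT = """\
---------
YAHOO.COM
---------
[*] Category: XSS
[*] Example: http://adz.kr.yahoo.com/CRZY/2006/hyundaicard_0913_150365_1a.swf?clickTAG=[payload omitted]
[*] Host: adz.kr.yahoo.com
[*] Publish_Date: 2015-03-10 00:00:00
[*] Reference: http://xssed.com/mirror/60821/
[*] Status: fixed
--------------------------------------------------
[*] Category: Script Insertion
[*] Host: fr.groups.yahoo.com
[*] Publish_Date: 2011-12-22 00:00:00
[*] Reference: http://xssed.com/mirror/61982/
[*] Status: unfixed
--------------------------------------------------
[*] Category: XSS
[*] Host: basketball.fantasysports.yahoo.com
[*] Publish_Date: 2011-12-21 00:00:00
[*] Reference: http://xssed.com/mirror/71051/
[*] Status: unfixed
--------------------------------------------------

---------------
BITDEFENDER.COM
---------------
[*] Category: REDIRECT
[*] Example: https://safeweb.norton.com/report/show?url=store.bitdefender.com
[*] Host: store.bitdefender.com
[*] Publish_Date: 2016-06-20 21:09:16
[*] Reference: https://www.openbugbounty.org/incidents/160213/
[*] Status: unfixed
--------------------------------------------------

-------
SUMMARY
-------
[*] 4 total (4 new) vulnerabilities found.
"""

RECORD_LINE = re.compile(r"^\[\*\] (\w+): (.*)$")
SUMMARY_LINE = re.compile(r"^\[\*\] (\d+) total \((\d+) new\) vulnerabilities found\.$")
FIELDS = {"Category", "Example", "Host", "Publish_Date", "Reference", "Status"}


def parse_records(text):
    """Return one dict per record, tagged with the domain heading it was listed under."""
    records, current, domain = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:            # dashed rule: closes the record in progress
            if current:
                records.append(current)
                current = {}
            continue
        match = RECORD_LINE.match(line)
        if match and match.group(1) in FIELDS:
            current.setdefault("domain", domain)
            current[match.group(1).lower()] = match.group(2)
        elif not line.startswith("[*]"):  # bare title line: a domain, or SUMMARY
            domain = None if line == "SUMMARY" else line
    if current:
        records.append(current)
    return records


def parse_summary_total(text):
    """The total the module itself reports, or None if no summary line is present."""
    for line in text.splitlines():
        match = SUMMARY_LINE.match(line.strip())
        if match:
            return int(match.group(1))
    return None


def unfixed_by_host(records):
    """Hosts with records still marked unfixed: the ones to triage first."""
    return Counter(r["host"] for r in records if r.get("status", "").lower() == "unfixed")


def count_by_category(records):
    """Per-category counts; xssed and xssposed differ in letter case, so normalise."""
    return Counter(r["category"].upper() for r in records)


def summary_consistent(text):
    """True when the number of parsed records matches the module's own SUMMARY count."""
    return parse_summary_total(text) == len(parse_records(text))
```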

  • Hosts to Domains Data Migrator – Adds a new domain for all the hostnames stored in the ‘hosts’ table

  • Bing API IP Neighbor Enumerator – Leverages the Bing API and “ip:” advanced search operator to enumerate other virtual hosts sharing the same IP address. Updates the ‘hosts’ table with the results.

  • FreeGeoIP – Leverages the freegeoip.net API to geolocate a host by IP address. Updates the ‘hosts’ table with the results

I used this to check the location of the www.google.com host (I resolved the IP first):

[recon-ng][default][freegeoip] > run
[*] 172.217.16.100 - 37.4192,-122.0574 - Mountain View, California, United States

  • My-IP-Neighbors.com Lookup – Checks My-IP-Neighbors.com for virtual hosts on the same server. Updates the ‘hosts’ table with the results.

  • IPInfoDB GeoIP – Leverages the ipinfodb.com API to geolocate a host by IP address. Updates the ‘hosts’ table with the results.

  • Hostname Resolver – Resolves the IP address for a host. Updates the ‘hosts’ table with the results

  • Reverse Resolver – Conducts a reverse lookup for each IP address to resolve the hostname. Updates the ‘hosts’ table with the results.

  • Address Geocoder – Queries the Google Maps API to obtain coordinates for an address. Updates the ‘locations’ table with the results.

Let’s see this module in action with one of our favorite tech giants’ addresses xD (I leave it to you to see what’s located there):

[recon-ng][default][geocode] > run
[*] Geocoding '1600 Amphitheatre Parkway'...
[*] Latitude: 37.4224713, Longitude: -122.0843333

-------
SUMMARY
-------
[*] 1 total (1 new) locations found.

  • Reverse Geocoder – Queries the Google Maps API to obtain an address from coordinates.

So we have some coordinates. Let’s see what’s there:

[recon-ng][default][reverse_geocode] > run
[*] Reverse geocoding (35.670337, 139.702573)...
[*] 1 Chome-18-20 Jingūmae, Shibuya-ku, Tōkyō-to 150-0001, Japan

-------
SUMMARY
-------
[*] 1 total (1 new) locations found.

  • Flickr Geolocation Search – Searches Flickr for media in the specified proximity to a location.

  • Instagram Geolocation Search – Searches Instagram for media in the specified proximity to a location.

  • Picasa Geolocation Search – Searches Picasa for media in the specified proximity to a location.

  • Shodan Geolocation Search – Searches Shodan for media in the specified proximity to a location.

  • Twitter Geolocation Search – Searches Twitter for media in the specified proximity to a location.

  • YouTube Geolocation Search – Searches YouTube for media in the specified proximity to a location.

  • Whois Company Harvester – Uses the ARIN Whois RWS to harvest Companies data from whois queries for the given netblock. Updates the ‘companies’ table with the results.

  • Reverse Resolver – Conducts a reverse lookup for each of a netblock’s IP addresses to resolve the hostname. Updates the ‘hosts’ table with the results.

  • Shodan Network Enumerator – Harvests hosts from the Shodan API by using the ‘net’ search operator. Updates the ‘hosts’ table with the results.

  • Internet Census 2012 Lookup – Queries the Internet Census 2012 data through Exfiltrated.com to enumerate open ports for a netblock.

This will come in handy to give you an idea about hosts without directly port scanning them:

[recon-ng][default][census_2012] > run

-----------
8.3.34.0/23
-----------
[*] 8.3.34.0/23 (8.3.34.0 - 8.3.35.255)
[*] 8.3.34.5 (rsw4-1-gci.smpenn.corp.yahoo.com) - 80
[*] 8.3.34.28 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.46 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.60 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.66 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.79 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.222 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.225 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.231 (UNKNOWN-8-3-34-X.yahoo.com) - 25
[*] 8.3.34.231 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.34.246 (tstsqlclstr1d.smca.yahoo.com) - 80
[*] 8.3.34.255 (UNKNOWN-8-3-34-X.yahoo.com) - 80
[*] 8.3.35.71 (UNKNOWN-8-3-35-X.yahoo.com) - 80
[*] 8.3.35.182 (UNKNOWN-8-3-35-X.yahoo.com) - 25
[*] 8.3.35.182 (UNKNOWN-8-3-35-X.yahoo.com) - 80
[*] 8.3.35.186 (UNKNOWN-8-3-35-X.yahoo.com) - 80
[*] 8.3.35.220 (UNKNOWN-8-3-35-X.yahoo.com) - 80

-------
SUMMARY
-------
[*] 17 total (17 new) ports found.

  • Ports to Hosts Data Migrator – Adds a new host for all the hostnames stored in the ‘ports’ table.

  • Dev Diver Repository Activity Examiner – Searches public code repositories for information about a given username.

This is another useful module to search for a developer on different platforms (note to self: I have to get back into coding frenzy):

[recon-ng][default][dev_diver] > run
[*] Checking Github...
[*] Github username found - (https://api.github.com/users/chousensha)

  +-------------------------------------------------------------------+
  |                               Github                              |
  +-------------------------------------------------------------------+
  | Resource    | Github                                              |
  | User Name   | chousensha                                          |
  | Profile URL | https://github.com/chousensha                       |
  | Avatar URL  | https://avatars.githubusercontent.com/u/5703557?v=3 |
  | Location    |                                                     |
  | Company     |                                                     |
  | Blog URL    | http://chousensha.github.io/                        |
  | Email       |                                                     |
  | Bio         |                                                     |
  | Followers   | 2                                                   |
  | ID          | 5703557                                             |
  | Joined      | 2013-10-16                                          |
  | Updated     | 2016-04-29                                          |
  +-------------------------------------------------------------------+

[*] Checking Bitbucket...
[*] Bitbucket username not found.
[*] Checking SourceForge...
[*] Sourceforge username not found.
[*] Checking CodePlex...
[*] CodePlex username not found.
[*] Checking Gitorious...
[*] Gitorious username not found.

-------
SUMMARY
-------
[*] 1 total (1 new) contacts found.

  • Linkedin Contact Crawler – Harvests contact information from linkedin.com by parsing the link(s) given and adding the info to the ‘contacts’ table.

  • Linkedin Profile Crawler – Harvests profiles from linkedin.com by visiting the given link(s), crawling the “Viewers of this profile also viewed”, parsing the pages, and adding new profiles to the ‘profiles’ table.

  • NameChk.com Username Validator – Leverages NameChk.com to validate the existence of usernames on specific web sites and updates the ‘profiles’ table with the results.

Good for recon, but also for checking how unique your l33t handle really is:

[recon-ng][default][namechk] > run
[*] Retrieving site data...

----------
CHOUSENSHA
----------
[*] Wordpress: Available.
[*] Reddit: Available.
[*] Blogger: Available.
[*] GooglePlus: Available.
[*] Ebay: Available.
[*] Twitch: Available.
[*] Instagram: Available.
[*] Twitter: User exists!
[*] Facebook: User exists!
[*] Slack: Available.
[*] PayPal: Available.
[*] Pinterest: Available.
[*] Vine: User exists!
[*] Github: User exists!
[*] Basecamp: Available.
[*] Flickr: Available.
[*] Pandora: Available.
[*] Spotify: Available.
[*] YouTube: User exists!
[*] MySpace: Available.
[*] Steam: Available.
[*] Flipboard: Available.
[*] OkCupid: Available.
[*] UStream: Available.
[*] Vimeo: Available.
[*] Etsy: User exists!
[*] BitBucket: Available.
[*] SoundCloud: Available.
[*] 500px: Available.
[*] CashMe: Available.
[*] Meetup: Available.
[*] DailyMotion: Available.
[*] About.me: User exists!
[*] ProductHunt: Available.
[*] Disqus: User exists!
[*] Medium: User exists!
[*] Behance: Available.
[*] Imgur: Available.
[*] Bit.ly: User exists!
[*] Fanpop: Available.
[*] Cafe Mom: Available.
[*] Instructables: Available.
[*] Photobucket: Available.
[*] Good Reads: Available.
[*] deviantART: Available.
[*] Tumblr: Available.
[*] Gravatar: Available.
[*] Venmo: User exists!
[*] Keybase: Available.
[*] StumbleUpon: User exists!
[*] Kongregate: User exists!
[*] LiveJournal: Available.
[*] Yelp: User exists!
[*] Codecademy: Available.
[*] Foursquare: Available.
[*] Team Treehouse: Available.
[*] AngelList: Available.
[*] Viddler: Available.
[*] tsu: Available.
[*] last.fm: Available.
[*] Technorati: Available.
[*] Aviary: User exists!
[*] Fotolog: User exists!
[*] Slideshare: Available.
[*] Blinklist: Available.
[*] Tripit: User exists!
[*] GogoBot: Available.
[*] Flavors.me: Available.
[*] BuzzFeed: Available.
[*] TripAdvisor: Available.
[*] blip.fm: Available.
[*] Dribbble: Available.
[*] Geeklist: User exists!
[*] Papaly: Available.
[*] wishlistr: Available.
[*] Vk: Available.
[*] Pastebin: Available.
[*] Coinbase: Available.
[*] iFunny: Available.
[*] Roblox: User exists!
[*] XFire: Available.
[*] Witty: User exists!
[*] Wikipedia: Available.
[*] Hackernews: User exists!
[*] StreamMe: Available.
[*] Abouto: Available.
[*] qmpeople: Available.
[*] Fiverr: Available.
[*] Plenty Of Fish: Available.
[*] Voat: User exists!
[*] Trakt: Available.
[*] IFTTT: Available.
[*] Crokes: User exists!
[*] Tracky: Available.
[*] GetSatisfaction: Available.
[*] Ello: User exists!

-------
SUMMARY
-------
[*] 24 total (24 new) profiles found.

Hmm, quite a few other “challengers”.

  • OSINT HUMINT Profile Collector – Takes each username from the profiles table and searches a variety of web sites for those users.

This one checks 191 sites for the username; here we go:

[recon-ng][default][profiler] > run
[*] Retrieving https://raw.githubusercontent.com/WebBreacher/WhatsMyName/master/web_accounts_list.json...

  Looking Up Data For: Chousensha
  -------------------------------
[*] Checking: about.me
[*] Checking: AdultFriendFinder
[*] Checking: Matchdoctor
[*] Checking: AngelList
[*] Checking: aNobil
[*] Checking: ask.fm
[*] Checking: Atlassian
[*] Checking: Atlassian Self-Signup
[*] Checking: AudioBoom
[*] Checking: authorSTREAM
[*] Checking: badoo
[*] Checking: Bitbucket
[*] Checking: BLIP.fm
[*] Checking: Black Planet
[*] Checking: Blogmarks
[*] Checking: Blogspot
[*] Checking: BodyBuilding.com
[*] Checking: Break
[*] Checking: Bugcrowd
[*] Checking: cafemom
[*] Checking: CarDomain
[*] Checking: cHEEZburger
[*] Checking: CodePlex
[*] Checking: CoderStats
[*] Checking: COLOURlovers
[*] Checking: Conferize
[*] Checking: copytaste
[*] Checking: cruiseMates
[*] Checking: Dailymotion
[*] Checking: Delicious
[*] Checking: DeviantArt
[*] Checking: diigo
[*] Checking: DIY
[*] Checking: eBay
[*] Checking: EightBit
[*] [profile] chousensha - CoderStats (http://coderstats.net/github/chousensha/)
[*] Checking: Engadget
[*] Checking: EPORNER
[*] Checking: Etsy
[*] Checking: facebook.com
[*] Checking: families.com
[*] Checking: fanpop
[*] Checking: FFFFOUND!
[*] Checking: Fiverr
[*] Checking: Flickr
[*] Checking: Foodspotting
[*] Checking: Fotolog
[*] Checking: Foursquare
[*] Checking: freesound
[*] Checking: FriendFinder-X
[*] Checking: FunnyOrDie
[*] Checking: Garmin connect
[*] Checking: GeekGrade
[*] Checking: Geocaching
[*] Checking: GETItON
[*] Checking: GitHub
[*] Checking: gogobot
[*] Checking: goodreads
[*] Checking: Gravatar
[*] Checking: howaboutwe
[*] Checking: HubPages
[*] Checking: I-am-pregnant
[*] Checking: IFTTT
[*] [profile] chousensha - GitHub (https://api.github.com/users/chousensha)
[*] Checking: ImageShack
[*] Checking: imgur
[*] Checking: InsaneJournal
[*] Checking: Instagram
[*] Checking: instructables
[*] Checking: Internet Archive
[*] Checking: interpals
[*] Checking: Keybase
[*] Checking: Klear
[*] Checking: Klout
[*] Checking: Kongregate
[*] Checking: Lanyrd
[*] Checking: Last.fm
[*] Checking: LibraryThing
[*] Checking: LinkedIn
[*] Checking: LiveJasmin
[*] Checking: Marketing Land
[*] Checking: mate1
[*] [profile] chousensha - Kongregate (http://www.kongregate.com/accounts/chousensha)
[*] Checking: Medium
[*] Checking: Meetzur
[*] Checking: Microsoft Technet Community
[*] Checking: Mixcloud
[*] Checking: Mixcrate
[*] Checking: Mixlr
[*] Checking: Mod DB
[*] Checking: Muck Rack
[*] [profile] chousensha - Internet Archive (http://archive.org/search.php?query=chousensha)
[*] Checking: MyBuilder.com
[*] Checking: MyFitnessPal
[*] Checking: MyLot
[*] Checking: Myspace
[*] Checking: netvibes
[*] Checking: Newsvine
[*] Checking: Overcast Network
[*] Checking: Photoblog
[*] Checking: PhotoBucket
[*] Checking: PictureTrail
[*] Checking: PinkBike
[*] Checking: Pinterest
[*] Checking: Playlists.net
[*] Checking: Plurk
[*] Checking: POF
[*] Checking: Porn.com
[*] Checking: Pornhub
[*] Checking: PSNProfiles
[*] Checking: raptr
[*] Checking: Readability
[*] Checking: Reunion.com
[*] Checking: scratch
[*] Checking: Security Street
[*] Checking: SEOClerks
[*] Checking: setlist.fm
[*] Checking: Shopcade
[*] Checking: singlemuslim
[*] Checking: slideshare
[*] Checking: SmugMug
[*] Checking: smule
[*] Checking: snooth
[*] Checking: Soup
[*] Checking: Speaker Deck
[*] Checking: sporcle
[*] Checking: Steam
[*] Checking: stupidcancer
[*] Checking: TF2 Backpack Examiner
[*] Checking: theguardian
[*] Checking: thesixtyone
[*] Checking: tribe
[*] Checking: tripadvisor
[*] Checking: Tripit
[*] Checking: tumblr
[*] Checking: Twitter
[*] Checking: untappd
[*] Checking: uSTREAM
[*] Checking: viddler
[*] Checking: VideoLike
[*] Checking: vidme
[*] Checking: Vimeo
[*] Checking: Vine
[*] Checking: VisualizeUs
[*] Checking: Voices.com
[*] Checking: Wanelo
[*] Checking: wattpad
[*] Checking: WeeWorld
[*] Checking: wishlistr
[*] [profile] chousensha - VideoLike (http://videolike.org/video/chousensha)
[*] Checking: Wikipedia
[*] [profile] chousensha - Twitter (https://twitter.com/chousensha)
[*] Checking: WordPress
[*] Checking: WordPress Support
[*] Checking: Xanga
[*] Checking: Xbox Gamertag
[*] Checking: xHamster
[*] Checking: XVIDEOS
[*] Checking: YouTube
[*] Checking: Zooppa
[*] [profile] chousensha - YouTube (https://www.youtube.com/user/chousensha/videos)

-------
SUMMARY
-------
[*] 7 total (5 new) profiles found.

  • Twitter Handles – Searches Twitter for users that mentioned, or were mentioned by, the given handle.

  • Github Code Enumerator – Uses the Github API to enumerate repositories and gists owned by a Github user. Updates the ‘repositories’ table with the results.

  • Github Commit Searcher – Uses the Github API to gather user profiles from repository commits. Updates the ‘profiles’ table with the results.

  • Github Gist Searcher – Uses the Github API to download and search Gists for possible information disclosures. Updates the ‘vulnerabilities’ table with the results.

  • Github Dork Analyzer – Uses the Github API to search for possible vulnerabilities in source code by leveraging Github Dorks and the ‘repo’ search operator. Updates the ‘vulnerabilities’ table with the results.

  • Indeed Resume Crawl – Crawls Indeed.com for contacts and resumes. Adds name, title, and location to the contacts table and a link to the resume in the profiles table. Can only harvest the first 1,000 results. The result set changes, so running the same crawl multiple times can produce new contacts. If the PAST_EMPS option is set to true, the module will crawl both current and past employees. Given a keyword, the module will only harvest contacts whose resumes contain the keyword (e.g. Linux Admin).

  • Meta Data Extractor – Searches for files associated with the provided domain(s) and extracts any contact-related metadata.

  • HackerTarget Lookup – Uses the HackerTarget.com API to find host names. Updates the ‘hosts’ table with the results.

  • ThreatCrowd DNS lookup – Leverages the ThreatCrowd passive DNS API to discover hosts/subdomains.

  • Google Hacking Database – Searches for possible vulnerabilities in a domain by leveraging the Google Hacking Database (GHDB) and the ‘site’ search operator. Updates the ‘vulnerabilities’ table with the results.

This module is massive! Basically, you get Google dorks inside Recon-ng!

[recon-ng][default][ghdb] > show info

      Name: Google Hacking Database
      Path: modules/recon/domains-vulnerabilities/ghdb.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Searches for possible vulnerabilites in a domain by leveraging the Google Hacking Database (GHDB)
  and the 'site' search operator. Updates the 'vulnerabilities' table with the results.

Options:
  Name                                 Current Value  Required  Description
  -----------------------------------  -------------  --------  -----------
  DORKS                                               no        file containing an alternate list of Google dorks
  GHDB_ADVISORIES_AND_VULNERABILITIES  False          yes       enable/disable the 1996 dorks in this category
  GHDB_ERROR_MESSAGES                  False          yes       enable/disable the 93 dorks in this category
  GHDB_FILES_CONTAINING_JUICY_INFO     False          yes       enable/disable the 366 dorks in this category
  GHDB_FILES_CONTAINING_PASSWORDS      False          yes       enable/disable the 199 dorks in this category
  GHDB_FILES_CONTAINING_USERNAMES      False          yes       enable/disable the 17 dorks in this category
  GHDB_FOOTHOLDS                       False          yes       enable/disable the 49 dorks in this category
  GHDB_NETWORK_OR_VULNERABILITY_DATA   False          yes       enable/disable the 63 dorks in this category
  GHDB_PAGES_CONTAINING_LOGIN_PORTALS  False          yes       enable/disable the 372 dorks in this category
  GHDB_SENSITIVE_DIRECTORIES           False          yes       enable/disable the 119 dorks in this category
  GHDB_SENSITIVE_ONLINE_SHOPPING_INFO  False          yes       enable/disable the 11 dorks in this category
  GHDB_VARIOUS_ONLINE_DEVICES          False          yes       enable/disable the 307 dorks in this category
  GHDB_VULNERABLE_FILES                False          yes       enable/disable the 62 dorks in this category
  GHDB_VULNERABLE_SERVERS              False          yes       enable/disable the 83 dorks in this category
  GHDB_WEB_SERVER_DETECTION            False          yes       enable/disable the 77 dorks in this category
  SOURCE                               default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

Comments:
  * Special thanks to the Offenvise Security crew for maintaining the GHDB and making it available to
  open source projects like Recon-ng. Thanks Muts!
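
The “Source Options” block above is worth a closer look, because every Recon-ng module that takes input uses the same four forms: `default` runs the module's built-in query against the workspace, a bare string is a single input, a path reads one input per line, and `query <sql>` runs your own one-column query. To make that concrete, here is an added example that is not Recon-ng's own code: it resolves a SOURCE value into the list of inputs a module would iterate over, against an in-memory SQLite stand-in for the workspace. The `domains` table name comes from the report section of the post; its columns (`domain`, `module`) and the sample rows are assumptions constructed for the example.

```python
import os
import sqlite3
import tempfile

# The default query for domain-based modules, as printed by 'show info' above.
DEFAULT_QUERY = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"


def open_workspace():
    """In-memory stand-in for a Recon-ng workspace holding a 'domains' table.

    Column names and rows are constructed for this example, not taken from the post.
    A NULL domain is included on purpose: the default query must skip it.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (domain TEXT, module TEXT)")
    db.executemany(
        "INSERT INTO domains VALUES (?, ?)",
        [
            ("example.com", "manual"),
            ("example.net", "manual"),
            ("example.com", "hackertarget"),  # duplicate, removed by DISTINCT
            (None, "manual"),                 # skipped by IS NOT NULL
        ],
    )
    db.commit()
    return db


def resolve_source(db, source):
    """Turn a SOURCE option value into the list of inputs, following the four cases:

    default      -> run DEFAULT_QUERY against the workspace
    query <sql>  -> run the operator-supplied query; it must return one column
    <path>       -> one input per non-empty line of the file
    <string>     -> the string itself is the single input
    """
    source = source.strip()
    if source == "default":
        return [row[0] for row in db.execute(DEFAULT_QUERY)]
    if source.startswith("query "):
        sql = source[len("query "):]
        rows = db.execute(sql).fetchall()
        if rows and len(rows[0]) != 1:
            raise ValueError("source query must return exactly one column")
        return [row[0] for row in rows]
    if os.path.isfile(source):
        with open(source, encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    return [source]


def write_list_file(lines):
    """Write a constructed input list to a temp file and return its path."""
    fh = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False, encoding="utf-8")
    with fh:
        fh.write("\n".join(lines) + "\n")
    return fh.name


if __name__ == "__main__":
    db = open_workspace()
    for src in ("default", "example.org", "query SELECT domain FROM domains WHERE module = 'hackertarget'"):
        print(src, "->", resolve_source(db, src))
```

The `query` form is the one that makes the framework composable: the output of one module lands in a table, and a hand-written query over that table becomes the input of the next, which is exactly how the migrator and lookup modules listed in this post chain together.
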

  • SSLTools.com Host Name Lookups – Uses the ssltools.com site to obtain host names from a site’s SSL certificate metadata to update the ‘hosts’ table. Security issues with the certificate trust are pushed to the ‘vulnerabilities’ table.

  • censys.io port lookup by netblock – Queries censys.io to enumerate open ports for a netblock.

Reporting

  • CSV File Creator – Creates a CSV file containing the specified harvested data.

  • HTML Report Generator – Creates an HTML report.

I really liked the HTML report format. It classifies data into:

domains  
companies 
netblocks 
locations 
vulnerabilities   
ports 
hosts 
contacts  
credentials   
leaks 
pushpins  
profiles  
repositories

  • JSON Report Generator – Creates a JSON report.

  • List Creator – Creates a file containing a list of records from the database.

  • PushPin Report Generator – Creates HTML media and map reports for all of the PushPins stored in the database.

  • XLSX File Creator – Creates an Excel-compatible XLSX file containing the entire data set.

  • XML Report Generator – Creates an XML report.

It took a while to list everything! As you can see, the Recon-ng framework is an information gathering tool on steroids! And if you can’t find what you need among the current modules, you can write your own and contribute!

Until next time, here’s the cookie straight from the cow’s mouth:

 ______________________________________
/ Q: How did you get into artificial   \
| intelligence? A: Seemed logical -- I |
\ didn't have any real intelligence.   /
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
