Recon NG

The document is a tutorial on using Recon-ng, an open-source web-based reconnaissance tool for ethical hacking. It covers installation, basic commands, module usage, and how to gather information about domains and personnel. The tutorial also explains generating reports and utilizing various modules for effective reconnaissance tasks.

Uploaded by avj68681

2024/9/2 12:19 PM Ethical-Hacking-Labs/1-Footprinting-and-Reconnaissance/3-Recon-ng.md at master · Samsar4/Ethical-Hacking-Labs · GitHub

Samsar4 / Ethical-Hacking-Labs

Ethical-Hacking-Labs / 1-Footprinting-and-Reconnaissance / 3-Recon-ng.md

Samsar4 fixes and update f04c2cd · 5 years ago

301 lines (224 loc) · 9.77 KB

Recon-ng Tutorial
Recon-ng is a web-based open-source reconnaissance tool used to extract information
from a target organization and its personnel.
Official repository: https://github.com/lanmaster53/recon-ng

Version: v5.0.1

Requirements:
Kali Linux virtual machine

Objectives:
How to perform network recon.
Gather hosts related to a domain.
Personal Information Gathering.
Generate a report with harvested information.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the
learning curve for leveraging the framework.

First steps
1. Open the terminal and type recon-ng
2. Type help to view all commands that allow you to add/delete records to DB,
query, etc.


back         Exits the current context
dashboard    Displays a summary of activity
db           Interfaces with the workspace's database
exit         Exits the framework
help         Displays this menu
index        Creates a module index (dev only)
keys         Manages third party resource credentials
marketplace  Interfaces with the module marketplace
modules      Interfaces with installed modules
options      Manages the current context options
pdb          Starts a Python Debugger session (dev only)
script       Records and executes command scripts
shell        Executes shell commands
show         Shows various framework items
snapshots    Manages workspace snapshots
spool        Spools output to a file
workspaces   Manages workspaces

Note:
On your first launch of recon-ng, note the message below: you begin with an empty
framework, without any modules pre-installed.

[*] No modules enabled/installed.

3. Create a new workspace:

workspaces create CEH

4. Add the target domain for the network recon (db insert domains prompts you for the value):

db insert domains
certifiedhacker.com

You can view the added domain by typing show domains

[recon-ng][CEH] > db insert domains
domain (TEXT): certifiedhacker.com
[*] 1 rows affected.
[recon-ng][CEH] > show domains

+-------+---------------------+--------------+
| rowid | domain              | module       |
+-------+---------------------+--------------+
| 1     | certifiedhacker.com | user_defined |
+-------+---------------------+--------------+


Using Modules from Recon-ng Marketplace

With its independent modules, database interaction, built-in convenience
functions, interactive help, and command completion, Recon-ng provides a powerful
environment in which open source web-based reconnaissance can be conducted
quickly and thoroughly. To add new modules you use the marketplace.

Recon-ng Marketplace repository:
https://github.com/lanmaster53/recon-ng-marketplace

To view the entire marketplace repo type: marketplace search

Working with modules and workspaces is straightforward, as shown in the example
below:

0. Install a module using the marketplace command:

> marketplace install recon/domains-hosts/findsubdomains

1. Load the module using the modules load command:

> modules load /recon/domains-hosts/findsubdomains

2. Show the module options:

> info

3. Execute the module:

> run

4. To switch between modules or workspaces, leave the current context:

> back

5. Select an existing workspace:

> workspaces select W0rkspaceName

6. Select an installed module:

> modules load path/to/module-name

Using hackertarget to find sub-domains

Other modules can also gather subdomains; this tutorial uses hackertarget.

Let's install and load it:

marketplace install hackertarget
modules load hackertarget

Type info to view the SOURCE option, which is currently set to default as shown below:

info


Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  default        yes       source of input (see 'show info' for details)

Now set the SOURCE to:

options set SOURCE certifiedhacker.com

You can use the input command to see the target:

input

+---------------------+
| Module Inputs |
+---------------------+
| certifiedhacker.com |
+---------------------+

Run the module:

run

Note: If the module runs correctly but the output is cluttered with queries and
values, type show hosts to get a cleaner view.

show hosts
...
(This command shows a clean summary of the resources discovered)

Brute-forcing hostnames

You can use other modules to harvest more hosts, such as brute_hosts.

Exit your current module:

back

Install the brute_hosts module:

marketplace install recon/domains-hosts/brute_hosts

Load the module:

modules load recon/domains-hosts/brute_hosts

Set the SOURCE to the target domain:


options set SOURCE certifiedhacker.com

Typing info shows that on this particular module you can also set your own
hostname wordlist. I recommend using the default one, which is pretty good.

Name      Current Value
--------  -------------
SOURCE    certifiedhacker.com
WORDLIST  /root/.recon-ng/data/hostnames.txt

Run the module:

run
...
(keep in mind that this will take a while)

Generate a report
Now that you have harvested a number of hosts, you will prepare a report containing all
the information.

Install the reporting module to export the report in HTML format.

marketplace install reporting/html

Note: You can install any of the modules below to export in other formats.

reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml

Load the module:

modules load reporting/html

To configure the reporting information, type info to see the values.

Name      Current Value
--------  -------------
CREATOR
CUSTOMER
FILENAME  /root/.recon-ng/workspaces/CEH/results.html
SANITIZE  True


You will need to assign the CREATOR, CUSTOMER and FILENAME values: your name
(CREATOR), the customer name (CUSTOMER), and the export path and file name
(FILENAME).

options set CREATOR J0nDoe
options set CUSTOMER CertifiedHacker Network
options set FILENAME /root/Desktop/CE-Results.html

Run the module to export:

run

The generated report is saved to the Desktop.

There is not much in this report, but when you start running multiple modules and add
in geolocation, reports can get very complex. Recon-ng does a great job of keeping track
of everything.

Using Recon-ng to Gather Personnel Information (part 2)

Objectives:

Obtain contacts of personnel working in an organization.
Find the existence of user profiles on various websites.

Important note: The location and pushpin modules mentioned in this tutorial require a
valid API key to use and have some GDPR implications about data collection. Some
require you to pay money, which will be mentioned below. I suggest that as you go along,
you save all the API keys to a file so you can use them later. Setting up an API key in
recon-ng is very simple: just follow the document below, and manage your keys inside
Recon-ng with the keys command.
https://github.com/Raikia/Recon-NG-API-Key-Creation/blob/master/README-v4.8.3.md

Personal Information Gathering

Gathering personal information involves discovering contact details such as email
addresses, postal addresses, etc. present on the target organization's web site. Recon-ng
contains various modules for harvesting and discovering contact information about a
certain company. Some Recon-ng modules for discovering personal information are:

recon/domains-contacts
recon/companies-contacts


recon/domain-contacts/namechk

Setup your Recon-ng

1. Boot your Kali Linux and open the terminal.
2. Type recon-ng to launch the application.
3. Add a new workspace named recon:

workspaces create recon

Gather contacts associated with a domain

Set a domain and perform footprinting on it to extract the contacts available for that domain.

The module selected to perform this technique uses the ARIN Whois RWS to harvest
POC (point of contact) data from whois queries for the given domain.

Install and load the module:

marketplace install recon/domains-contacts/whois_pocs

modules load recon/domains-contacts/whois_pocs

Check the options required to run the module:

info

Set the SOURCE value to target domain:

options set SOURCE facebook.com

Run the module:

run

------------
FACEBOOK.COM
------------
[*] URL: http://whois.arin.net/rest/pocs;domain=facebook.com
[*] URL: http://whois.arin.net/rest/poc/NOL17-ARIN
[*] [contact] Lea Neteork ops ([email protected]) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/OPERA82-ARIN
[*] [contact] <blank> Operations ([email protected]) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/BST184-ARIN
[*] [contact] Brandon Stout ([email protected]) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/DJW23-ARIN
[*] [contact] Darrell Wayne ([email protected]) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/MZU-ARIN
[*] [contact] Mark Zuckerberg ([email protected]) - Whois contact

The output will return the contacts related to the domains.

Profile existence
The recon/profiles-profiles/namechk module validates the username existence of a
specified contact, but unfortunately namechk charges to use their API.

We can search for the existence of user profiles on various websites using the
recon/profiles-profiles/profiler module.

Type back to return to the workspaces home.

Install and load the module:

marketplace install recon/profiles-profiles/profiler

modules load recon/profiles-profiles/profiler

Set the SOURCE value (Target username):

options set SOURCE MarkZuckerberg

Run the module:

run

The recon/profiles-profiles/profiler module searches for this username and returns the
URL of the profile in various websites (found with the matching username).
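As an added example (not part of the original tutorial), the shell script below turns both walkthroughs on this page, the host-discovery-to-HTML-report workflow from part 1 and the whois_pocs/profiler workflow from part 2, into recon-ng resource files that replay every step without typing it. It assumes recon-ng v5 is on the PATH and accepts -w (select/create a workspace) and -r (replay a resource file); the module paths and option names are the ones used above.

```shell
# Added example, not from the original tutorial: emit recon-ng v5 resource files
# that replay this page's two workflows, then run them with `recon-ng -w <ws> -r <file>`
# (assumed flags: -w selects/creates the workspace, -r replays the commands).
set -eu

# Workflow 1: hackertarget + brute_hosts host discovery, then the HTML report.
# Args: domain, creator, customer, report path (the tutorial's values work as-is).
domain_recon_rc() {
  cat <<EOF
marketplace install recon/domains-hosts/hackertarget
marketplace install recon/domains-hosts/brute_hosts
marketplace install reporting/html
modules load recon/domains-hosts/hackertarget
options set SOURCE $1
run
back
modules load recon/domains-hosts/brute_hosts
options set SOURCE $1
run
back
modules load reporting/html
options set CREATOR $2
options set CUSTOMER $3
options set FILENAME $4
run
exit
EOF
}

# Workflow 2: ARIN whois points of contact for a domain, then profile existence
# for a username. Args: domain, username.
contacts_rc() {
  cat <<EOF
marketplace install recon/domains-contacts/whois_pocs
marketplace install recon/profiles-profiles/profiler
modules load recon/domains-contacts/whois_pocs
options set SOURCE $1
run
back
modules load recon/profiles-profiles/profiler
options set SOURCE $2
run
exit
EOF
}

# Replay a generated file in workspace CEH; the trailing "exit" keeps the run
# non-interactive, and harvested rows remain in the workspace for show hosts/contacts:
#   domain_recon_rc certifiedhacker.com J0nDoe "CertifiedHacker Network" "$HOME/CE-Results.html" > recon.rc
#   recon-ng -w CEH -r recon.rc
```

The generated file is plain text, so review it before replaying it to confirm only the intended SOURCE values are present.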
