Pown Recon is an open-source reconnaissance tool that uses graph theory to find any existing relationship in given set of data on a specific target. The tool was originally designed to be used as a component of the Pown.js project, a toolkit that is used to carry out test procedures and exploitation on a security system on top of NPM and Node.js.
___ ___ ___ _ ___ ___ ___
/ __| __/ __| /_\ | _ \ _ \/ __|
\__ \ _| (__ / _ \| _/ _/\__ \
|___/___\___/_/ \_\_| |_| |___/
https://secapps.com
NB: Pown Recon is the result of an almost direct copy of SecApps' excellent Recon tool.Despite being part of secapps.com open-source initiative, Pown Recon can be launched on its own as a separate tool.
Pown Recon: Powerful Target Reconnaissance Framework Powered by Graph Theory
The use of graph theory in its reconnaissance operations makes Pown Recon one of the most powerful reconnaissance tools available. This tool extracts graph elements based on group, ID and the class in which the element belongs. Compared with other reconnaissance tools which arrange the target’s data in simple database tables, Pown Recon uses graphs to identify existing relationships in a given set of informational data tied to a specific target.
Graph theory is more effective in reconnaissance procedures because the algorithms deployed are able to identify the shortest possible route that can be used to gather information on a given target.
How Pown Recon Works as Part of SecApps Recon?
Preview
All graphs generated by Pown Recon can be previewed using SecApps Recon which can be launched from a browser, the other option is to run the following command:
$ pown modules install @pown/apps.
For this to work @pown/apps must be installed.
Scripting
The tool can also use scripts known as Pown Scripts to generate graphs without having to save the graphs in intermediate files.
Pown scripts can be used only after selecting and naming a favorite editor, editors can be named as example.pown, scripts can be launched using:
$ pown script path/to/example.pown
Selectors
Pown Recon has selectors which aid in the identification and collection of the elements used in building graphs. Useful queries can be generated by combining selectors and this makes it easy to gather a large volume of information on a given target with a single run.
The queries can be made more powerful by joining a set of combined selectors using commas as follows in which all strings must be enclosed using quotation marks:
$ pown select 'node#j, edge[source = "j"]'
If the queries are properly generated they can be used in large scale information gathering such as identifying what members of a given organization have been doing in relation to a given organizational task.
Features:
- Ability to perform inline transformation
- Supports remote management
- Can add, remove, group, ungroup and traverse nodes
- Can merge two recon files
Transforms:
- GitHub Search of Repos, Gists, and Members
- Bitbucket Search of Repos, Snippets, and Members
- CloudFlare 1.1.1.1 DNS API
- CRTSH
- DockerHub Repo Search
- Gravatar URLs
- Hacker Target Reverse IP Lookup
- Have I Been Pwned Lookup
- PKS Lookup
- Urlscan Live Shot
- Threatcrowd Lookup
- ZoomEye Scraper
- Wappalyzer
- AWS IAM Pages
- Builtwith
- Riddler
- CommonCraw
- Archive.org
- WhatsMyName
- Utility Transforms
- Security Trails
- Auto Recon
Pown Recon Install
Install as part of Pown.js :
$ npm install -g pown@latest
To invoke directly from Pown run:
$ pown recon
Install from root project locally
$ npm install @pown/recon –save
After installation invoke pown cli as follows:
$ POWN_ROOT=. ./node_modules/.bin/pown-cli recon
To invoke it locally using the global pown, run the following:
$ POWN_ROOT=. pown recon
Usage
pown recon <command>
Target recon
Commands:
pown recon transform <transform> Perform inline transformation [aliases: t]
pown recon select <expressions...> Select nodes [aliases: s]
pown recon traverse <expressions...> Traverse nodes [aliases: v]
pown recon options <command> Manage options
pown recon add <nodes...> Add nodes [aliases: a]
pown recon remove <expressions...> Remove nodes [aliases: r]
pown recon merge <files...> Perform a merge between at least two recon files [aliases: m]
pown recon diff <fileA> <fileB> Perform a diff between two recon files [aliases: d]
pown recon group <name> <expressions...> Group nodes [aliases: g]
pown recon ungroup <expressions...> Ungroup nodes [aliases: u]
pown recon load <file> Load a file [aliases: l]
pown recon save <file> Save to file [aliases: o]
pown recon import <file> Import file [aliases: i]
pown recon export <file> Export to file [aliases: e]
pown recon remote <command> Remote managment [aliases: f]
pown recon layout <name> Layout the graph [aliases: r]
pown recon summary Create a summary [aliases: y]
Options:
--version Show version number [boolean]
--help Show help [boolean]Pown Recon Options
pown recon options <command>
Manage options
Commands:
pown recon options list List option [aliases: l]
pown recon options set <name> <value> Set option [aliases: s]
pown recon options get <name> Get option [aliases: g]
pown recon options delete <name> Delete option [aliases: d]
pown recon options clear Clear options [aliases: c]
Options:
--version Show version number [boolean]
--help Show help [boolean]Usage Example
Querying everyone who is a member of Google’s engineering team and contributes to their GitHub account.
$ pown recon t -w google.network ghlm google
Result generated as table:
github:member
┌─────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────┐
│ uri │ login │ avatar │
├─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┤
│ https://github.com/3rf │ 3rf │ https://avatars1.githubusercontent.com/u/1242478?v=4 │
├─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┤
│ https://github.com/aaroey │ aaroey │ https://avatars0.githubusercontent.com/u/31743510?v=4 │
├─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┤
│ https://github.com/aarongable │ aarongable │ https://avatars3.githubusercontent.com/u/2474926?v=4 │
...
...
...
│ https://github.com/alexpennace │ alexpennace │ https://avatars1.githubusercontent.com/u/2506548?v=4 │
├─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┤
│ https://github.com/alexv │ alexv │ https://avatars0.githubusercontent.com/u/30807372?v=4 │
├─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┤
│ https://github.com/alexwhouse │ alexwhouse │ https://avatars3.githubusercontent.com/u/1448490?v=4 │
└─────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────┘
