Web Reconnaissance Framework – [Recon-ng]


Introduction

Recon-ng is a powerful Open Source Intelligence (OSINT) gathering tool: a full-featured web reconnaissance framework written in Python, with an interface modelled on Metasploit.

Web Reconnaissance Framework [Recon-ng]

Recon-ng is mainly a passive reconnaissance framework: it drives web-based open sources to collect information about a target and map its network footprint automatically. It provides independent modules, interactive help, database interaction, built-in convenience functions and an interactive console with command completion. Note that not every module is passive: the exploitation and discovery modules listed below interact with the target directly, so read a module's description before running it against infrastructure you are not authorised to touch.

Dependencies

All third-party libraries/packages must be installed before use. Check that the following dependencies are present so that everything runs smoothly:

  • dnspython
  • dicttoxml
  • jsonrpclib
  • lxml
  • mechanize
  • slowaes
  • XlsxWriter
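The list above is easy to get wrong because a pip package name is not always the name you import: dnspython is imported as dns and XlsxWriter as xlsxwriter. The following preflight check is an added example (not part of Recon-ng) that maps one to the other and probes the interpreter with importlib; it assumes Python 3.4 or later for importlib.util.find_spec:

```python
"""Preflight check for Recon-ng's third-party dependencies.

Added example, not Recon-ng's own code. pip package names do not always
match the module name you import, so the check maps one to the other
before asking the interpreter whether the module can be found.
"""
import importlib.util

# pip/package name -> name used in `import`. dnspython (imports as `dns`)
# and XlsxWriter (imports as `xlsxwriter`) are the usual traps; the rest
# import under their own name.
DEPENDENCIES = {
    "dnspython": "dns",
    "dicttoxml": "dicttoxml",
    "jsonrpclib": "jsonrpclib",
    "lxml": "lxml",
    "mechanize": "mechanize",
    "slowaes": "slowaes",
    "XlsxWriter": "xlsxwriter",
}


def missing_dependencies(deps=DEPENDENCIES):
    """Return the pip names of packages whose module cannot be located.

    importlib.util.find_spec() finds a top-level module without executing
    it, so a package with a broken import cannot crash the preflight check.
    """
    missing = []
    for pip_name, import_name in deps.items():
        if importlib.util.find_spec(import_name) is None:
            missing.append(pip_name)
    return missing


def install_hint(missing):
    """Build the pip command that would fill the gaps ('' if there are none)."""
    if not missing:
        return ""
    return "pip install " + " ".join(missing)


if __name__ == "__main__":
    gaps = missing_dependencies()
    if gaps:
        print("Missing: " + ", ".join(gaps))
        print(install_hint(gaps))
    else:
        print("All Recon-ng dependencies are importable.")
```

Run it with the same interpreter that will launch recon-ng; a package installed for a different Python version (for example a system Python 2 versus a Python 3 virtualenv) shows up as missing, which is exactly the failure this check is meant to catch before the framework prints an import traceback.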

Recon-ng Install

On Kali Linux it is already packaged, so installing it is a single command (run as root or with sudo):

$ apt-get install recon-ng

Installation from source:

# Clone the Recon-ng repository.
$ git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

# Change into the Recon-ng directory.
$ cd recon-ng

# Install dependencies.
$ pip install -r REQUIREMENTS

# Launch Recon-ng.
$ ./recon-ng

If there are no errors, the Recon-ng console loads and the framework banner appears:

root@kali:~# recon-ng
 
    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
        Sponsored by...           /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                      [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]                       

[77] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] >

Use the “-h” switch to list the runtime options:

$ ./recon-ng -h

Modules

Recon-ng is completely modular.

Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Modules fall into five categories:
  • Recon modules – for reconnaissance activities;
  • Reporting modules – for writing results to a file;
  • Import modules – for importing values from a file into a database table;
  • Exploitation modules – for exploitation activities;
  • Discovery modules – for discovery activities.

To display the available modules in every category, use the show modules command:

[recon-ng][default] > show modules

   Discovery
   ---------
     discovery/info_disclosure/cache_snoop
     discovery/info_disclosure/interesting_files

   Exploitation
   ------------
     exploitation/injection/command_injector
     exploitation/injection/xpath_bruter

   Import
   ------
     import/csv_file
     import/list

   Recon
   -----
     recon/companies-contacts/bing_linkedin_cache
     recon/companies-contacts/indeed
     recon/companies-contacts/jigsaw/point_usage
     recon/companies-contacts/jigsaw/purchase_contact
     recon/companies-contacts/jigsaw/search_contacts
     recon/companies-contacts/linkedin_auth
     recon/companies-multi/github_miner
     recon/companies-multi/whois_miner
     recon/contacts-contacts/mailtester
     recon/contacts-contacts/mangle
     recon/contacts-contacts/unmangle
     recon/contacts-credentials/hibp_breach
     recon/contacts-credentials/hibp_paste
     recon/contacts-domains/migrate_contacts
     recon/contacts-profiles/fullcontact
     recon/credentials-credentials/adobe
     recon/credentials-credentials/bozocrack
     recon/credentials-credentials/hashes_org
     recon/domains-contacts/metacrawler
     recon/domains-contacts/pgp_search
     recon/domains-contacts/whois_pocs
     recon/domains-credentials/pwnedlist/account_creds
     recon/domains-credentials/pwnedlist/api_usage
     recon/domains-credentials/pwnedlist/domain_creds
     recon/domains-credentials/pwnedlist/domain_ispwned
     recon/domains-credentials/pwnedlist/leak_lookup
     recon/domains-credentials/pwnedlist/leaks_dump
     recon/domains-domains/brute_suffix
     recon/domains-hosts/bing_domain_api
     recon/domains-hosts/bing_domain_web
     recon/domains-hosts/brute_hosts
     recon/domains-hosts/builtwith
     recon/domains-hosts/certificate_transparency
     recon/domains-hosts/google_site_api
     recon/domains-hosts/google_site_web
     recon/domains-hosts/hackertarget
     recon/domains-hosts/mx_spf_ip
     recon/domains-hosts/netcraft
     recon/domains-hosts/shodan_hostname
     recon/domains-hosts/ssl_san
     recon/domains-hosts/threatcrowd
     recon/domains-vulnerabilities/ghdb
     recon/domains-vulnerabilities/punkspider
     recon/domains-vulnerabilities/xssed
     recon/domains-vulnerabilities/xssposed
     recon/hosts-domains/migrate_hosts
     recon/hosts-hosts/bing_ip
     recon/hosts-hosts/freegeoip
     recon/hosts-hosts/ipinfodb
     recon/hosts-hosts/resolve
     recon/hosts-hosts/reverse_resolve
     recon/hosts-hosts/ssltools
     recon/hosts-locations/migrate_hosts
     recon/hosts-ports/shodan_ip
     recon/locations-locations/geocode
     recon/locations-locations/reverse_geocode
     recon/locations-pushpins/flickr
     recon/locations-pushpins/picasa
     recon/locations-pushpins/shodan
     recon/locations-pushpins/twitter
     recon/locations-pushpins/youtube
     recon/netblocks-companies/whois_orgs
     recon/netblocks-hosts/reverse_resolve
     recon/netblocks-hosts/shodan_net
     recon/netblocks-ports/census_2012
     recon/netblocks-ports/censysio
     recon/ports-hosts/migrate_ports
     recon/profiles-contacts/dev_diver
     recon/profiles-contacts/github_users
     recon/profiles-profiles/namechk
     recon/profiles-profiles/profiler
     recon/profiles-profiles/twitter_mentioned
     recon/profiles-profiles/twitter_mentions
     recon/profiles-repositories/github_repos
     recon/repositories-profiles/github_commits
     recon/repositories-vulnerabilities/gists_search
     recon/repositories-vulnerabilities/github_dorks

   Reporting
   ---------
     reporting/csv
     reporting/html
     reporting/json
     reporting/list
     reporting/proxifier
     reporting/pushpin
     reporting/xlsx
     reporting/xml

Explore those modules and you will soon be an expert.
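The recon module paths above follow a convention that is worth reading before you start chaining modules: the middle component is <source table>-<destination table>, i.e. the database table a module reads from and the table it writes to (recon/domains-hosts/brute_hosts reads domains and populates hosts). The parser below is an added example, not Recon-ng's own code; it runs over a constructed excerpt of the show modules listing embedded in the script, splits each path into its parts and answers the planning question "which modules can populate table X?". The sample listing and helper names are assumptions made for the example:

```python
"""Parse Recon-ng `show modules` output and expose its table data flow.

Added example, not Recon-ng's own code. Recon modules live under
recon/<source table>-<destination table>/<name>; the other categories
use a plain sub-directory, so they carry no source/destination pair.
"""
from collections import Counter

# Constructed excerpt of the `show modules` listing shown on this page
# (real module names, cut down to a few per category for the example).
SAMPLE_LISTING = """
   Discovery
   ---------
     discovery/info_disclosure/cache_snoop
     discovery/info_disclosure/interesting_files

   Exploitation
   ------------
     exploitation/injection/command_injector
     exploitation/injection/xpath_bruter

   Import
   ------
     import/csv_file
     import/list

   Recon
   -----
     recon/domains-hosts/brute_hosts
     recon/domains-hosts/certificate_transparency
     recon/hosts-hosts/resolve
     recon/netblocks-hosts/reverse_resolve
     recon/domains-credentials/pwnedlist/domain_creds

   Reporting
   ---------
     reporting/csv
     reporting/html
"""


def parse_modules(listing):
    """Return the module paths in the order listed.

    Category headers ("Recon") and underlines ("-----") contain no slash,
    so a slash is enough to tell a module line from the rest.
    """
    paths = []
    for line in listing.splitlines():
        candidate = line.strip()
        if "/" in candidate:
            paths.append(candidate)
    return paths


def split_module_path(path):
    """Split 'recon/domains-hosts/brute_hosts' into its components.

    For recon modules the group is '<source>-<destination>'; for every other
    category source and destination are None. The name keeps any trailing
    sub-path (e.g. 'pwnedlist/domain_creds').
    """
    category, _, rest = path.partition("/")
    if "/" in rest:
        group, _, name = rest.partition("/")
    else:
        group, name = None, rest
    source = destination = None
    if category == "recon" and group and "-" in group:
        source, _, destination = group.partition("-")
    return {
        "category": category,
        "group": group,
        "source": source,
        "destination": destination,
        "name": name,
    }


def count_by_category(listing):
    """Per-category module counts, comparable with the banner's summary."""
    return Counter(split_module_path(p)["category"] for p in parse_modules(listing))


def modules_feeding(listing, table):
    """Modules whose results land in `table`.

    This is the question to ask when planning a chain: before running any
    hosts-* module you need something that writes to 'hosts'.
    """
    return [p for p in parse_modules(listing)
            if split_module_path(p)["destination"] == table]


if __name__ == "__main__":
    for category, n in sorted(count_by_category(SAMPLE_LISTING).items()):
        print("[%d] %s modules" % (n, category.capitalize()))
    print("Modules that populate 'hosts':")
    for module in modules_feeding(SAMPLE_LISTING, "hosts"):
        print("  " + module)
```

Feed it the full listing from your own console and the category counts should match the numbers in the banner (77 recon, 8 reporting, 2 import, 2 exploitation, 2 discovery for the v4.9.3 build shown above); the destination index then tells you, for any table you want filled, which modules to run first.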