In this recon-ng tutorial, discover open source intelligence and how to easily pivot to new results. Find targets and move to discovering vulnerabilities.
What is Recon-ng?
Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line, you enter a shell like environment where you can configure options, perform recon and output results to different report types.
Recon-ng is similar to theHarvester in that it is an open source tool for gathering OSINT data. However, Recon-ng is a little bit more robust and includes dozens of different “modules.” Each module runs a specific type of query and enables you to set various options that are either required or optional in order to run that query.
Some modules include:
- Whois query to identify points of contact, including names and email addresses.
- Email address search in the Have I Been Pwned? database, indicating the account may have been associated with a recent breach.
- PGP key search.
- Social media profile associations.
- File crawler.
- DNS record enumerator.
- And many more.
The interactive console provides a number of helpful features, such as command completion and contextual help.
Recon-ng Installation
Often used with the Kali Linux penetration testing distribution, installing within Kali is a simple matter of apt-get update && apt-get install recon-ng
. Update Kali to ensure latest dependencies installed.
For those seeking the latest code on Ubuntu, the process is nearly as simple. Make sure you have git
and pip
installed.
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
Next to run recon-ng;
./recon-ng
The Recon-NG console is now loaded.
/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com
____ ____ ____ ____ _____ _ ____ ____ ____
|____] | ___/ |____| | | | |____ |____ |
| | \_ | | |____ | | ____| |____ |____
www.practisec.com
[recon-ng v5.0.3, Tim Tomes (@lanmaster53)]
[*] No modules enabled/installed.
[recon-ng][default] >
Using recon-ng
From the console it is easy to get help
and get started with your recon.
[recon-ng][default] > help
Commands (type [help|?] ):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
On your first load of recon-ng note the message below. You begin with an empty framework.
[*] No modules enabled/installed.
As shown in the help
menu the Marketplace: Interfaces with the module marketplace
to pick and choose modules you want.
How to:
Firstly lets use the hackertarget
module to gather some subdomains. This uses the hackertarget.com API and hostname search.
Install module
Syntax to install is marketplace install hackertarget
as seen below.
[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] >
Load module
[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] >
Set source
Now set the source
. Currently set at default (see below)
[recon-ng][default][hackertarget] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
Syntax options set SOURCE tesla.com
[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com
I am using tesla.com as an example domain because they have a published bug bounty program and Tesla’s are cool.
Use command – info
– which shows “Current Value” has changed to tesla.com
[recon-ng][default][hackertarget] > info
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE tesla.com yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
string string representing a single input
path path to a file containing a list of inputs
query sql database query returning one column of inputs
If we use input
we can see
econ-ng][default][hackertarget] > input
+---------------+
| Module Inputs |
+---------------+
| tesla.com |
+---------------+
Run the module
Type run
to execute the module.
---------------
[recon-ng][default][hackertarget] > run
---------
TESLA.COM
---------
[*] [host] tesla.com (209.133.79.61)
[*] [host] sjc04d1rsaap02.tesla.com (205.234.27.206)
[*] [host] model3.tesla.com (205.234.27.221)
[*] [host] marketing.tesla.com (13.111.47.196)
[*] [host] email.tesla.com (136.147.129.27)
[*] [host] mta2.email.tesla.com (13.111.4.231)
[*] [host] mta.email.tesla.com (13.111.14.190)
[*] [host] xmail.tesla.com (204.74.99.100)
[*] [host] comparison.tesla.com (64.125.183.133)
[*] [host] na-sso.tesla.com (209.133.79.81)
[*] [host] edr.tesla.com (209.133.79.33)
[*] [host] mta2.emails.tesla.com (13.111.88.1)
[*] [host] mta3.emails.tesla.com (13.111.88.2)
[*] [host] mta4.emails.tesla.com (13.111.88.52)
[*] [host] mta5.emails.tesla.com (13.111.88.53)
[*] [host] mta.emails.tesla.com (13.111.62.118)
[*] [host] click.emails.tesla.com (13.111.48.179)
[*] [host] view.emails.tesla.com (13.111.49.179)
[*] [host] events.tesla.com (13.111.47.195)
[*] [host] shop.eu.tesla.com (205.234.27.221)
[*] [host] sso-dev.tesla.com (209.133.79.66)
-------
SUMMARY
-------
[*] 21 total (0 new) hosts found.
Show hosts
Now we have begun to populate our hosts. Typing show hosts
will give you a summary of the resources discovered.
[recon-ng][default][hackertarget] > show hosts
+------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+------------------------------------------------------------------------------------------------------------+
| 1 | tesla.com | 209.133.79.61 | | | | | hackertarget |
| 2 | sjc04d1rsaap02.tesla.com | 205.234.27.206 | | | | | hackertarget |
| 3 | model3.tesla.com | 205.234.27.221 | | | | | hackertarget |
| 4 | marketing.tesla.com | 13.111.47.196 | | | | | hackertarget |
| 5 | email.tesla.com | 136.147.129.27 | | | | | hackertarget |
| 6 | mta2.email.tesla.com | 13.111.4.231 | | | | | hackertarget |
| 7 | mta.email.tesla.com | 13.111.14.190 | | | | | hackertarget |
| 8 | xmail.tesla.com | 204.74.99.100 | | | | | hackertarget |
| 9 | comparison.tesla.com | 64.125.183.133 | | | | | hackertarget |
| 10 | na-sso.tesla.com | 209.133.79.81 | | | | | hackertarget |
| 11 | edr.tesla.com | 209.133.79.33 | | | | | hackertarget |
| 12 | mta2.emails.tesla.com | 13.111.88.1 | | | | | hackertarget |
| 13 | mta3.emails.tesla.com | 13.111.88.2 | | | | | hackertarget |
| 14 | mta4.emails.tesla.com | 13.111.88.52 | | | | | hackertarget |
| 15 | mta5.emails.tesla.com | 13.111.88.53 | | | | | hackertarget |
| 16 | mta.emails.tesla.com | 13.111.62.118 | | | | | hackertarget |
| 17 | click.emails.tesla.com | 13.111.48.179 | | | | | hackertarget |
| 18 | view.emails.tesla.com | 13.111.49.179 | | | | | hackertarget |
| 19 | events.tesla.com | 13.111.47.195 | | | | | hackertarget |
| 20 | shop.eu.tesla.com | 205.234.27.221 | | | | | hackertarget |
| 21 | sso-dev.tesla.com | 209.133.79.66 | | | | | hackertarget |
+------------------------------------------------------------------------------------------------------------+
[*] 21 rows returned
[recon-ng][default][hackertarget] >
Add API keys to Recon-ng
It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option. Allowing you to query open ports on your discovered hosts without sending any packets to the target systems.
keys add shodan_api <shodanApiKey>
.recon-ng configuration files
When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. Contained in this folder is keys.db
. If you are upgrading from one version to another or changed computers, and have previous modules that require keys to work, copy this file from the old version on your system and move it on the new one. You do not have to start all over again.
test@test-desktop:~/.recon-ng$ ls
keys.db
modules
modules.yml
workspaces
Recon-ng Marketplace and Modules
Typing marketplace search
will display a list of all the modules. From which you can start following the white rabbit exploring and getting deeper into recon and open source intelligence.
[recon-ng][default] > marketplace search
+---------------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+---------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.0 | not installed | 2019-06-24 | | |
| discovery/info_disclosure/interesting_files | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/command_injector | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/xpath_bruter | 1.2 | not installed | 2019-10-08 | | |
| import/csv_file | 1.1 | not installed | 2019-08-09 | | |
| import/list | 1.0 | not installed | 2019-06-24 | | |
| import/nmap | 1.0 | not installed | 2019-06-24 | | |
| recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/viewdns_reverse_whois | 1.0 | not installed | 2019-08-08 | | |
| recon/companies-multi/github_miner | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-multi/shodan_org | 1.0 | not installed | 2019-06-26 | | * |
| recon/companies-multi/whois_miner | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-contacts/abc | 1.0 | not installed | 2019-10-11 | * | |
| recon/contacts-contacts/mailtester | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/mangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/unmangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/hibp_paste | 1.1 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/scylla | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-domains/migrate_contacts | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-profiles/fullcontact | 1.1 | not installed | 2019-07-24 | | * |
| recon/credentials-credentials/adobe | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/bozocrack | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/hashes_org | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * | |
| recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/pgp_search | 1.3 | not installed | 2019-10-16 | | |
| recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-credentials/pwnedlist/account_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/api_usage | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/domain_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/domain_ispwned | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/leak_lookup | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-credentials/pwnedlist/leaks_dump | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/scylla | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-domains/brute_suffix | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 | | |
| recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/builtwith | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/certificate_transparency | 1.1 | not installed | 2019-09-16 | | |
| recon/domains-hosts/findsubdomains | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/netcraft | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/shodan_hostname | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/xssposed | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-domains/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/bing_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/ipinfodb | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/ipstack | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-locations/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-ports/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-ports/shodan_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/reverse_geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/flickr | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/shodan | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/twitter | 1.1 | not installed | 2019-10-17 | | * |
| recon/locations-pushpins/youtube | 1.1 | not installed | 2019-10-15 | | * |
| recon/netblocks-companies/whois_orgs | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/shodan_net | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-ports/census_2012 | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-ports/censysio | 1.0 | not installed | 2019-06-24 | | * |
| recon/ports-hosts/migrate_ports | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-contacts/bing_linkedin_contacts | 1.1 | not installed | 2019-10-08 | | * |
| recon/profiles-contacts/dev_diver | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-contacts/github_users | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/namechk | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/profiler | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-profiles/twitter_mentioned | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/twitter_mentions | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-repositories/github_repos | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-profiles/github_commits | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * |
| reporting/csv | 1.0 | not installed | 2019-06-24 | | |
| reporting/html | 1.0 | not installed | 2019-06-24 | | |
| reporting/json | 1.0 | not installed | 2019-06-24 | | |
| reporting/list | 1.0 | not installed | 2019-06-24 | | |
| reporting/proxifier | 1.0 | not installed | 2019-06-24 | | |
| reporting/pushpin | 1.0 | not installed | 2019-06-24 | | * |
| reporting/xlsx | 1.0 | not installed | 2019-06-24 | | |
| reporting/xml | 1.1 | not installed | 2019-06-24 | | |
+---------------------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
Here again the help comes in handy marketplace help
shows commands for removing modules, how to find more info, search, refresh and install.
[recon-ng][default] > marketplace help
Interfaces with the module marketplace
Usage: marketplace info|install|refresh|remove|search [...]
Help
The help command from within a loaded module has different options to the global ‘help’.
When you are ready to explore more modules use ‘back’.
This help menu brings additional commands such as:
- goptions: Manages the global context options
- reload: Reloads the loaded module
- run: Runs the loaded module
- script: Records and executes command scripts
[recon-ng][default][hackertarget] > help
Commands (type [help|?] ):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
goptions Manages the global context options
help Displays this menu
info Shows details about the loaded module
input Shows inputs based on the source option
keys Manages third party resource credentials
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
reload Reloads the loaded module
run Runs the loaded module
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
spool Spools output to a file
[recon-ng][default][hackertarget] >
Conclusion
Recon-ng is a powerful tool that can be further explored by viewing through the list of modules. The help
within the console is clear, and with a bit of playing around it won’t take long to become an expert.
Once you start to become more familiar with the layout of the tool, you will discover options such as workspaces
that allow you to segment based on organization or network.
The rise of bug bounties allows you to play with new tools and explore Organizations’ Internet facing footprint. Have fun. Don’t break the rules.