The Definitive Recon-ng Tutorial

OSINT Tools

In this recon-ng tutorial, discover open source intelligence and how to easily pivot to new results. Find targets and move to discovering vulnerabilities.

What is Recon-ng?

Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line, you enter a shell like environment where you can configure options, perform recon and output results to different report types.

Recon-ng is similar to theHarvester in that it is an open source tool for gathering OSINT data. However, Recon-ng is a little bit more robust and includes dozens of different “modules.” Each module runs a specific type of query and enables you to set various options that are either required or optional in order to run that query.

Some modules include:

  • Whois query to identify points of contact, including names and email addresses.
  • Email address search in the Have I Been Pwned? database, indicating the account may have been associated with a recent breach.
  • PGP key search.
  • Social media profile associations.
  • File crawler.
  • DNS record enumerator.
  • And many more.

The interactive console provides a number of helpful features, such as command completion and contextual help.

Recon-ng Installation

Often used with the Kali Linux penetration testing distribution, installing within Kali is a simple matter of apt-get update && apt-get install recon-ng. Update Kali to ensure latest dependencies installed.

For those seeking the latest code on Ubuntu, the process is nearly as simple. Make sure you have git and pip installed.

git clone https://github.com/lanmaster53/recon-ng.git 
cd recon-ng 
pip install -r REQUIREMENTS

Next to run recon-ng;

./recon-ng

The Recon-NG console is now loaded.


                                          /\
                                         / \\ /\
    Sponsored by...               /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                  ____   ____   ____   ____ _____ _  ____   ____  ____
                 |____] | ___/ |____| |       |   | |____  |____ |
                 |      |   \_ |    | |____   |   |  ____| |____ |____
                                   www.practisec.com

                      [recon-ng v5.0.3, Tim Tomes (@lanmaster53)]                       

[*] No modules enabled/installed.

[recon-ng][default] > 

Using recon-ng

From the console it is easy to get help and get started with your recon.

[recon-ng][default] > help

Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
help            Displays this menu
index           Creates a module index (dev only)
keys            Manages third party resource credentials
marketplace     Interfaces with the module marketplace
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
workspaces      Manages workspaces

On your first load of recon-ng note the message below. You begin with an empty framework.

[*] No modules enabled/installed.

As shown in the help menu the Marketplace: Interfaces with the module marketplace to pick and choose modules you want.

How to:

Firstly lets use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and hostname search.

Install module

Syntax to install is marketplace install hackertarget as seen below.

[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] > 

Load module

[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] > 

Set source

Now set the source. Currently set at default (see below)

[recon-ng][default][hackertarget] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Syntax options set SOURCE tesla.com

[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com

I am using tesla.com as an example domain because they have a published bug bounty program and Tesla’s are cool.

Use command – info – which shows “Current Value” has changed to tesla.com

[recon-ng][default][hackertarget] > info

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  tesla.com      yes       source of input (see 'info' for details)

Source Options:
  default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  string       string representing a single input
  path         path to a file containing a list of inputs
  query sql    database query returning one column of inputs

If we use input we can see

econ-ng][default][hackertarget] > input

  +---------------+
  | Module Inputs |
  +---------------+
  | tesla.com     |
  +---------------+

Run the module

Type run to execute the module.

---------------
[recon-ng][default][hackertarget] > run

---------
TESLA.COM
---------
[*] [host] tesla.com (209.133.79.61)
[*] [host] sjc04d1rsaap02.tesla.com (205.234.27.206)
[*] [host] model3.tesla.com (205.234.27.221)
[*] [host] marketing.tesla.com (13.111.47.196)
[*] [host] email.tesla.com (136.147.129.27)
[*] [host] mta2.email.tesla.com (13.111.4.231)
[*] [host] mta.email.tesla.com (13.111.14.190)
[*] [host] xmail.tesla.com (204.74.99.100)
[*] [host] comparison.tesla.com (64.125.183.133)
[*] [host] na-sso.tesla.com (209.133.79.81)
[*] [host] edr.tesla.com (209.133.79.33)
[*] [host] mta2.emails.tesla.com (13.111.88.1)
[*] [host] mta3.emails.tesla.com (13.111.88.2)
[*] [host] mta4.emails.tesla.com (13.111.88.52)
[*] [host] mta5.emails.tesla.com (13.111.88.53)
[*] [host] mta.emails.tesla.com (13.111.62.118)
[*] [host] click.emails.tesla.com (13.111.48.179)
[*] [host] view.emails.tesla.com (13.111.49.179)
[*] [host] events.tesla.com (13.111.47.195)
[*] [host] shop.eu.tesla.com (205.234.27.221)
[*] [host] sso-dev.tesla.com (209.133.79.66)

-------
SUMMARY
-------
[*] 21 total (0 new) hosts found.

Show hosts

Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.

[recon-ng][default][hackertarget] > show hosts

  +------------------------------------------------------------------------------------------------------------+
  | rowid |           host           |   ip_address   | region | country | latitude | longitude |    module    |
  +------------------------------------------------------------------------------------------------------------+
  | 1     | tesla.com                | 209.133.79.61  |        |         |          |           | hackertarget |
  | 2     | sjc04d1rsaap02.tesla.com | 205.234.27.206 |        |         |          |           | hackertarget |
  | 3     | model3.tesla.com         | 205.234.27.221 |        |         |          |           | hackertarget |
  | 4     | marketing.tesla.com      | 13.111.47.196  |        |         |          |           | hackertarget |
  | 5     | email.tesla.com          | 136.147.129.27 |        |         |          |           | hackertarget |
  | 6     | mta2.email.tesla.com     | 13.111.4.231   |        |         |          |           | hackertarget |
  | 7     | mta.email.tesla.com      | 13.111.14.190  |        |         |          |           | hackertarget |
  | 8     | xmail.tesla.com          | 204.74.99.100  |        |         |          |           | hackertarget |
  | 9     | comparison.tesla.com     | 64.125.183.133 |        |         |          |           | hackertarget |
  | 10    | na-sso.tesla.com         | 209.133.79.81  |        |         |          |           | hackertarget |
  | 11    | edr.tesla.com            | 209.133.79.33  |        |         |          |           | hackertarget |
  | 12    | mta2.emails.tesla.com    | 13.111.88.1    |        |         |          |           | hackertarget |
  | 13    | mta3.emails.tesla.com    | 13.111.88.2    |        |         |          |           | hackertarget |
  | 14    | mta4.emails.tesla.com    | 13.111.88.52   |        |         |          |           | hackertarget |
  | 15    | mta5.emails.tesla.com    | 13.111.88.53   |        |         |          |           | hackertarget |
  | 16    | mta.emails.tesla.com     | 13.111.62.118  |        |         |          |           | hackertarget |
  | 17    | click.emails.tesla.com   | 13.111.48.179  |        |         |          |           | hackertarget |
  | 18    | view.emails.tesla.com    | 13.111.49.179  |        |         |          |           | hackertarget |
  | 19    | events.tesla.com         | 13.111.47.195  |        |         |          |           | hackertarget |
  | 20    | shop.eu.tesla.com        | 205.234.27.221 |        |         |          |           | hackertarget |
  | 21    | sso-dev.tesla.com        | 209.133.79.66  |        |         |          |           | hackertarget |
  +------------------------------------------------------------------------------------------------------------+

[*] 21 rows returned
[recon-ng][default][hackertarget] > 

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option. Allowing you to query open ports on your discovered hosts without sending any packets to the target systems.

keys add shodan_api <shodanApiKey> 

.recon-ng configuration files

When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. Contained in this folder is keys.db. If you are upgrading from one version to another or changed computers, and have previous modules that require keys to work, copy this file from the old version on your system and move it on the new one. You do not have to start all over again.

test@test-desktop:~/.recon-ng$ ls

keys.db  
modules  
modules.yml  
workspaces

Recon-ng Marketplace and Modules

Typing marketplace search will display a list of all the modules. From which you can start following the white rabbit exploring and getting deeper into recon and open source intelligence.

[recon-ng][default] > marketplace search

  +---------------------------------------------------------------------------------------------------+
  |                        Path                        | Version |     Status    |  Updated   | D | K |
  +---------------------------------------------------------------------------------------------------+
  | discovery/info_disclosure/cache_snoop              | 1.0     | not installed | 2019-06-24 |   |   |
  | discovery/info_disclosure/interesting_files        | 1.0     | not installed | 2019-06-24 |   |   |
  | exploitation/injection/command_injector            | 1.0     | not installed | 2019-06-24 |   |   |
  | exploitation/injection/xpath_bruter                | 1.2     | not installed | 2019-10-08 |   |   |
  | import/csv_file                                    | 1.1     | not installed | 2019-08-09 |   |   |
  | import/list                                        | 1.0     | not installed | 2019-06-24 |   |   |
  | import/nmap                                        | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/companies-contacts/bing_linkedin_cache       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/companies-contacts/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/viewdns_reverse_whois      | 1.0     | not installed | 2019-08-08 |   |   |
  | recon/companies-multi/github_miner                 | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/companies-multi/shodan_org                   | 1.0     | not installed | 2019-06-26 |   | * |
  | recon/companies-multi/whois_miner                  | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/contacts-contacts/abc                        | 1.0     | not installed | 2019-10-11 | * |   |
  | recon/contacts-contacts/mailtester                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/mangle                     | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/unmangle                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-credentials/hibp_breach             | 1.2     | not installed | 2019-09-10 |   | * |
  | recon/contacts-credentials/hibp_paste              | 1.1     | not installed | 2019-09-10 |   | * |
  | recon/contacts-credentials/scylla                  | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/contacts-domains/migrate_contacts            | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-profiles/fullcontact                | 1.1     | not installed | 2019-07-24 |   | * |
  | recon/credentials-credentials/adobe                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/bozocrack            | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/hashes_org           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-companies/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-contacts/metacrawler                 | 1.1     | not installed | 2019-06-24 | * |   |
  | recon/domains-contacts/pen                         | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-contacts/pgp_search                  | 1.3     | not installed | 2019-10-16 |   |   |
  | recon/domains-contacts/whois_pocs                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-credentials/pwnedlist/account_creds  | 1.0     | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/api_usage      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/domain_creds   | 1.0     | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/domain_ispwned | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/leak_lookup    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-credentials/pwnedlist/leaks_dump     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/scylla                   | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-domains/brute_suffix                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/binaryedge                     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/bing_domain_api                | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/bing_domain_web                | 1.1     | not installed | 2019-07-04 |   |   |
  | recon/domains-hosts/brute_hosts                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/builtwith                      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/certificate_transparency       | 1.1     | not installed | 2019-09-16 |   |   |
  | recon/domains-hosts/findsubdomains                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/google_site_web                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/hackertarget                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/mx_spf_ip                      | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/netcraft                       | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/shodan_hostname                | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/ssl_san                        | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatcrowd                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatminer                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-vulnerabilities/ghdb                 | 1.1     | not installed | 2019-06-26 |   |   |
  | recon/domains-vulnerabilities/xssed                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-vulnerabilities/xssposed             | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-domains/migrate_hosts                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/bing_ip                          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/ipinfodb                         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/ipstack                          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/resolve                          | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/reverse_resolve                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/ssltools                         | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/virustotal                       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-locations/migrate_hosts                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-ports/binaryedge                       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip                        | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-locations/geocode                  | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-locations/reverse_geocode          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/flickr                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/shodan                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/twitter                   | 1.1     | not installed | 2019-10-17 |   | * |
  | recon/locations-pushpins/youtube                   | 1.1     | not installed | 2019-10-15 |   | * |
  | recon/netblocks-companies/whois_orgs               | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/reverse_resolve              | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/shodan_net                   | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-hosts/virustotal                   | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-ports/census_2012                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-ports/censysio                     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/ports-hosts/migrate_ports                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/profiles-contacts/bing_linkedin_contacts     | 1.1     | not installed | 2019-10-08 |   | * |
  | recon/profiles-contacts/dev_diver                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/profiles-contacts/github_users               | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/namechk                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/profiler                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/profiles-profiles/twitter_mentioned          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/twitter_mentions           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-repositories/github_repos           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/repositories-profiles/github_commits         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/repositories-vulnerabilities/gists_search    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/repositories-vulnerabilities/github_dorks    | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/csv                                      | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/html                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/json                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/list                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/proxifier                                | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/pushpin                                  | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/xlsx                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/xml                                      | 1.1     | not installed | 2019-06-24 |   |   |
  +---------------------------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

Here again the help comes in handy marketplace help shows commands for removing modules, how to find more info, search, refresh and install.

[recon-ng][default] > marketplace help
Interfaces with the module marketplace

Usage: marketplace info|install|refresh|remove|search [...] 

Help

The help command from within a loaded module has different options to the global ‘help’.
When you are ready to explore more modules use ‘back’.

This help menu brings additional commands such as:

  • goptions: Manages the global context options
  • reload: Reloads the loaded module
  • run: Runs the loaded module
  • script: Records and executes command scripts
[recon-ng][default][hackertarget] > help

Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
goptions        Manages the global context options
help            Displays this menu
info            Shows details about the loaded module
input           Shows inputs based on the source option
keys            Manages third party resource credentials
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
reload          Reloads the loaded module
run             Runs the loaded module
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file

[recon-ng][default][hackertarget] > 

Conclusion

Recon-ng is a powerful tool that can be further explored by viewing through the list of modules. The help within the console is clear, and with a bit of playing around it won’t take long to become an expert.

Once you start to become more familiar with the layout of the tool, you will discover options such as workspaces that allow you to segment based on organization or network.

The rise of bug bounties allows you to play with new tools and explore Organizations’ Internet facing footprint. Have fun. Don’t break the rules.

https://tools.kali.org/information-gathering/recon-ng

https://github.com/lanmaster53/recon-ng

Leave a Reply

Your email address will not be published. Required fields are marked *