In this recon-ng tutorial, discover open source intelligence and easily pivot to new results. Using a modular approach, collect and dig deeper into extracted data.
What is Recon-ng?
Recon-ng is a reconnaissance / OSINT tool with an interface similar to Metasploit. Running recon-ng from the command line speeds up the recon process as it automates gathering information from open sources.
Recon-ng has a variety of options to configure, perform recon, and output results to different report types.
The interactive console provides a number of helpful features such as command completion and contextual help.
Recon-ng Installation
Installing Recon-ng is very simple and there are a few common ways. Below are a few examples;
Kali:
At the time of this article version 5.1.2 comes pre-installed with Kali Linux. Having said that, its good to run apt-get update && apt-get install recon-ng to ensure latest dependencies installed.
Ubuntu:
Requires git and pip installed.
test@ubuntu:~/$ git clone https://github.com/lanmaster53/recon-ng.git test@ubuntu:~/$ cd recon-ng test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS
Next to run recon-ng;
test@ubuntu:~/recon-ng/$ ./recon-ng
The Recon-NG console is now loaded.
_/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com
____ ____ ____ ____ _____ _ ____ ____ ____
|____] | ___/ |____| | | | |____ |____ |
| | \_ | | |____ | | ____| |____ |____
www.practisec.com
[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
[*] No modules enabled/installed.
[recon-ng][default] >
Using recon-ng
From the console it is easy to get help and get started with your recon.
[recon-ng][default] > help Commands (type [help|?]): --------------------------------- back Exits the current context dashboard Displays a summary of activity db Interfaces with the workspace's database exit Exits the framework help Displays this menu index Creates a module index (dev only) keys Manages third party resource credentials marketplace Interfaces with the module marketplace modules Interfaces with installed modules options Manages the current context options pdb Starts a Python Debugger session (dev only) script Records and executes command scripts shell Executes shell commands show Shows various framework items snapshots Manages workspace snapshots spool Spools output to a file workspaces Manages workspaces
Recon-ng begins with an empty framework. No modules enabled or installed.
[*] No modules enabled/installed.
How to use Recon-ng:
Create a Workspace
There is a lot of options when using this OSINT tool. Maintaining collected information and notes organised is a necessary part of any OSINT investigation. Creating a workspaces keeps things orderly and easy to find. When using Recon-ng workspaces, all data located and collected is saved within a database in that workspace.
[recon-ng][default] > workspaces create example_name
[recon-ng][default] > workspaces create example_name
[recon-ng][example_name] >
The command recon-ng -w example_name opens or returns directly to that workspace.
test@ubuntu:~/$ recon-ng -w example_name
[recon-ng][example_name] >
Recon-ng Marketplace and Modules
Here again the help comes in handy marketplace help shows commands for removing modules, how to find more info, search, refresh and install.
[recon-ng][default] > marketplace help
Interfaces with the module marketplace
Usage: marketplace info|install|refresh|remove|search [...]
Typing marketplace search displays a list of all the modules. From which you can start following the white rabbit exploring and getting deeper into recon and open source intelligence.
Recon-ng modules
Modules are grouped together under various categories and can be found searching on marketplace
- discovery
- exploitation
- import
- recon
- reporting
Each of the above have sub categories as shown in the table below. Use marketplace search for a full table providing information on version, status (installed or not-installed), date updated, dependencies or require keys.
[recon-ng][example_name] > marketplace search +---------------------------------------------------------------------------------------------------+ | Path | Version | Status | Updated | D | K | +---------------------------------------------------------------------------------------------------+ | discovery/info_disclosure/cache_snoop | 1.1 | not installed | 2020-10-13 | | | | discovery/info_disclosure/interesting_files | 1.2 | not installed | 2021-10-04 | | | | exploitation/injection/command_injector | 1.0 | not installed | 2019-06-24 | | | | exploitation/injection/xpath_bruter | 1.2 | not installed | 2019-10-08 | | | | import/csv_file | 1.1 | not installed | 2019-08-09 | | | | import/list | 1.1 | not installed | 2019-06-24 | | | | import/masscan | 1.0 | not installed | 2020-04-07 | | | | import/nmap | 1.1 | not installed | 2020-10-06 | | | | recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 | | * | | recon/companies-contacts/censys_email_address | 2.0 | not installed | 2021-05-11 | * | * | | recon/companies-contacts/pen | 1.1 | not installed | 2019-10-15 | | | | recon/companies-domains/censys_subdomains | 2.0 | not installed | 2021-05-10 | * | * | | recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 | | | | recon/companies-domains/viewdns_reverse_whois | 1.1 | not installed | 2021-08-24 | | | | recon/companies-domains/whoxy_dns | 1.1 | not installed | 2020-06-17 | | * | | recon/companies-hosts/censys_org | 2.0 | not installed | 2021-05-11 | * | * | | recon/companies-hosts/censys_tls_subjects | 2.0 | not installed | 2021-05-11 | * | * | | recon/companies-multi/github_miner | 1.1 | not installed | 2020-05-15 | | * | | recon/companies-multi/shodan_org | 1.1 | not installed | 2020-07-01 | * | * | | recon/companies-multi/whois_miner | 1.1 | not installed | 2019-10-15 | | | | recon/contacts-contacts/abc | 1.0 | not installed | 2019-10-11 | * | | | recon/contacts-contacts/mailtester | 1.0 | not installed | 2019-06-24 | | | | recon/contacts-contacts/mangle | 1.0 | not installed | 2019-06-24 | | | | recon/contacts-contacts/unmangle | 1.1 | not installed | 2019-10-27 | | | | recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 | | * | | recon/contacts-credentials/hibp_paste | 1.1 | not installed | 2019-09-10 | | * | | recon/contacts-domains/migrate_contacts | 1.1 | not installed | 2020-05-17 | | | | recon/contacts-profiles/fullcontact | 1.1 | not installed | 2019-07-24 | | * | | recon/credentials-credentials/adobe | 1.0 | not installed | 2019-06-24 | | | | recon/credentials-credentials/bozocrack | 1.0 | not installed | 2019-06-24 | | | | recon/credentials-credentials/hashes_org | 1.0 | not installed | 2019-06-24 | | * | | recon/domains-companies/censys_companies | 2.0 | not installed | 2021-05-10 | * | * | | recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 | | | | recon/domains-companies/whoxy_whois | 1.1 | not installed | 2020-06-24 | | * | | recon/domains-contacts/hunter_io | 1.3 | not installed | 2020-04-14 | | * | | recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * | | | recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 | | | | recon/domains-contacts/pgp_search | 1.4 | not installed | 2019-10-16 | | | | recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 | | | | recon/domains-contacts/wikileaker | 1.0 | not installed | 2020-04-08 | | | | recon/domains-credentials/pwnedlist/account_creds | 1.0 | not installed | 2019-06-24 | * | * | | recon/domains-credentials/pwnedlist/api_usage | 1.0 | not installed | 2019-06-24 | | * | | recon/domains-credentials/pwnedlist/domain_creds | 1.0 | not installed | 2019-06-24 | * | * | | recon/domains-credentials/pwnedlist/domain_ispwned | 1.0 | not installed | 2019-06-24 | | * | | recon/domains-credentials/pwnedlist/leak_lookup | 1.0 | not installed | 2019-06-24 | | | | recon/domains-credentials/pwnedlist/leaks_dump | 1.0 | not installed | 2019-06-24 | | * | | recon/domains-domains/brute_suffix | 1.1 | not installed | 2020-05-17 | | | | recon/domains-hosts/binaryedge | 1.2 | not installed | 2020-06-18 | | * | | recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 | | * | | recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 | | | | recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 | | | | recon/domains-hosts/builtwith | 1.1 | not installed | 2021-08-24 | | * | | recon/domains-hosts/censys_domain | 2.0 | not installed | 2021-05-10 | * | * | | recon/domains-hosts/certificate_transparency | 1.2 | not installed | 2019-09-16 | | | | recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 | | | | recon/domains-hosts/hackertarget | 1.1 | not installed | 2020-05-17 | | | | recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 | | | | recon/domains-hosts/netcraft | 1.1 | not installed | 2020-02-05 | | | | recon/domains-hosts/shodan_hostname | 1.1 | not installed | 2020-07-01 | * | * | | recon/domains-hosts/spyse_subdomains | 1.1 | not installed | 2021-08-24 | | * | | recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | | | recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 | | | | recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 | | | | recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | | | recon/domains-vulnerabilities/xssed | 1.1 | not installed | 2020-10-18 | | | | recon/hosts-domains/migrate_hosts | 1.1 | not installed | 2020-05-17 | | | | recon/hosts-hosts/bing_ip | 1.0 | not installed | 2019-06-24 | | * | | recon/hosts-hosts/censys_hostname | 2.0 | not installed | 2021-05-10 | * | * | | recon/hosts-hosts/censys_ip | 2.0 | not installed | 2021-05-10 | * | * | | recon/hosts-hosts/censys_query | 2.0 | not installed | 2021-05-10 | * | * | | recon/hosts-hosts/ipinfodb | 1.2 | not installed | 2021-08-24 | | * | | recon/hosts-hosts/ipstack | 1.0 | not installed | 2019-06-24 | | * | | recon/hosts-hosts/resolve | 1.0 | not installed | 2019-06-24 | | | | recon/hosts-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | | | recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | | | recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * | | recon/hosts-locations/migrate_hosts | 1.0 | not installed | 2019-06-24 | | | | recon/hosts-ports/binaryedge | 1.0 | not installed | 2019-06-24 | | * | | recon/hosts-ports/shodan_ip | 1.2 | not installed | 2020-07-01 | * | * | | recon/locations-locations/geocode | 1.0 | not installed | 2019-06-24 | | * | | recon/locations-locations/reverse_geocode | 1.0 | not installed | 2019-06-24 | | * | | recon/locations-pushpins/flickr | 1.0 | not installed | 2019-06-24 | | * | | recon/locations-pushpins/shodan | 1.1 | not installed | 2020-07-07 | * | * | | recon/locations-pushpins/twitter | 1.1 | not installed | 2019-10-17 | | * | | recon/locations-pushpins/youtube | 1.2 | not installed | 2020-09-02 | | * | | recon/netblocks-companies/censys_netblock_company | 2.0 | not installed | 2021-05-11 | * | * | | recon/netblocks-companies/whois_orgs | 1.0 | not installed | 2019-06-24 | | | | recon/netblocks-hosts/censys_netblock | 2.0 | not installed | 2021-05-10 | * | * | | recon/netblocks-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | | | recon/netblocks-hosts/shodan_net | 1.2 | not installed | 2020-07-21 | * | * | | recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * | | recon/netblocks-ports/census_2012 | 1.0 | not installed | 2019-06-24 | | | | recon/netblocks-ports/censysio | 1.0 | not installed | 2019-06-24 | | * | | recon/ports-hosts/migrate_ports | 1.0 | not installed | 2019-06-24 | | | | recon/ports-hosts/ssl_scan | 1.1 | not installed | 2021-08-24 | | | | recon/profiles-contacts/bing_linkedin_contacts | 1.2 | not installed | 2021-08-24 | | * | | recon/profiles-contacts/dev_diver | 1.1 | not installed | 2020-05-15 | | | | recon/profiles-contacts/github_users | 1.0 | not installed | 2019-06-24 | | * | | recon/profiles-profiles/namechk | 1.0 | not installed | 2019-06-24 | | * | | recon/profiles-profiles/profiler | 1.0 | not installed | 2019-06-24 | | | | recon/profiles-profiles/twitter_mentioned | 1.0 | not installed | 2019-06-24 | | * | | recon/profiles-profiles/twitter_mentions | 1.0 | not installed | 2019-06-24 | | * | | recon/profiles-repositories/github_repos | 1.1 | not installed | 2020-05-15 | | * | | recon/repositories-profiles/github_commits | 1.0 | not installed | 2019-06-24 | | * | | recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | | | recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * | | reporting/csv | 1.0 | not installed | 2019-06-24 | | | | reporting/html | 1.0 | not installed | 2019-06-24 | | | | reporting/json | 1.0 | not installed | 2019-06-24 | | | | reporting/list | 1.0 | not installed | 2019-06-24 | | | | reporting/proxifier | 1.0 | not installed | 2019-06-24 | | | | reporting/pushpin | 1.0 | not installed | 2019-06-24 | | * | | reporting/xlsx | 1.0 | not installed | 2019-06-24 | | | | reporting/xml | 1.1 | not installed | 2019-06-24 | | | +---------------------------------------------------------------------------------------------------+ D = Has dependencies. See info for details. K = Requires keys. See info for details.
Marketplace search brings up the full table, however you can be more specific in your search, a couple of examples
recon-ng][default] >marketplace search ssl
[*] Searching module index for 'ssl'...
+----------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+----------------------------------------------------------------------------+
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/ports-hosts/ssl_scan | 1.1 | not installed | 2021-08-24 | | |
+----------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
[recon-ng][default] >
To find out more info on a specific module
[recon-ng][default] > marketplace info ssltools
+---------------------------------------------------------------------------------------+
| path | recon/hosts-hosts/ssltools |
| name | SSLTools.com Host Name Lookups |
| author | Tim Maletic (borrowing from the ssl_san module by Zach Graces) |
| version | 1.0 |
| last_updated | 2019-06-24 |
| description | Uses the ssltools.com site to obtain host names from a site's SSL certificate metadata to update the 'hosts' table. Security issues with the certificate trust are pushed to the 'vulnerabilities' table. |
| required_keys | [] |
| dependencies | [] |
| files | [] |
| status | not installed |
+------------------------------------------------------------------------------------+
[recon-ng][default] >
As noted above Hackertarget has a module. This will be used as an example on how to use recon-ng.
Recon-ng example
As an example on how to use Recon-ng, hackertarget has a module to gather subdomains recon/domains-hosts/hackertarget. This module uses the Hackertarget API and hostname search.
Install module
To install this module use the following:
[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] >
Load module
[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] >
Module Help
The help command from within a loaded module has different options to the global 'help'.
When you are ready to explore more modules use 'back'.
[recon-ng][default][hackertarget] > help Commands (type [help|?]): --------------------------------- back Exits the current context dashboard Displays a summary of activity db Interfaces with the workspace's database exit Exits the framework goptions Manages the global context options help Displays this menu info Shows details about the loaded module input Shows inputs based on the source option keys Manages third party resource credentials modules Interfaces with installed modules options Manages the current context options pdb Starts a Python Debugger session (dev only) reload Reloads the loaded module run Runs the loaded module script Records and executes command scripts shell Executes shell commands show Shows various framework items spool Spools output to a file [recon-ng][default][hackertarget] >
Set source
Using show options, brings a table showing the source current value set at default.
[recon-ng][default][hackertarget] > show options
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
Now, set the source to the name of the domain investigating. This example uses tesla.com as they have a published big bounty.
Use command options set SOURCE tesla.com
[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com
Use command info. This shows current value has changed to tesla.com
[recon-ng][default][hackertarget] > info Options: Name Current Value Required Description ------ ------------- -------- ----------- SOURCE tesla.com yes source of input (see 'info' for details) Source Options: default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL string string representing a single input path path to a file containing a list of inputs query sql database query returning one column of inputs
Use input to see
[recon-ng][default][hackertarget] > input
+---------------+
| Module Inputs |
+---------------+
| tesla.com |
+---------------+
Run the module
Type run to execute the module.
[recon-ng][default][hackertarget] > run
---------
TESLA.COM
---------
[*] Host: tesla.com
[*] Ip_Address: 104.119.104.74
[*] --------------------------------------------------
[*] Host: o7.ptr6980.tesla.com
[*] Ip_Address: 149.72.144.42
[*] --------------------------------------------------
[*] Host: vpn1.tesla.com
[*] Ip_Address: 8.45.124.215
[*] --------------------------------------------------
[*] Host: apacvpn1.tesla.com
[*] Ip_Address: 8.244.131.215
[*] --------------------------------------------------
[*] Host: cnvpn1.tesla.com
[*] Ip_Address: 114.141.176.215
[*] --------------------------------------------------
[*] Host: vpn2.tesla.com
[*] Ip_Address: 8.47.24.215
[*] --------------------------------------------------
[*] Host: model3.tesla.com
[*] Ip_Address: 205.234.27.221
[*] --------------------------------------------------
[*] Host: o3.ptr1444.tesla.com
[*] Ip_Address: 149.72.152.236
[*] --------------------------------------------------
[*] Host: o2.ptr556.tesla.com
[*] Ip_Address: 149.72.134.64
[*] --------------------------------------------------
[*] Host: o5.ptr8466.tesla.com
[*] Ip_Address: 149.72.172.170
[*] --------------------------------------------------
[*] Host: o6.ptr9437.tesla.com
[*] Ip_Address: 168.245.123.10
[*] --------------------------------------------------
[*] Host: o4.ptr1867.tesla.com
[*] Ip_Address: 149.72.163.58
[*] --------------------------------------------------
[*] Host: marketing.tesla.com
[*] Ip_Address: 13.111.47.196
[*] --------------------------------------------------
[*] Host: o1.ptr2410.link.tesla.com
[*] Ip_Address: 149.72.247.52
[*] --------------------------------------------------
[*] Host: referral.tesla.com
[*] Ip_Address: 72.10.32.90
[*] --------------------------------------------------
[*] Host: mta2.email.tesla.com
[*] Ip_Address: 13.111.4.231
[*] --------------------------------------------------
[*] Host: mta.email.tesla.com
[*] Ip_Address: 13.111.14.190
[*] --------------------------------------------------
[*] Host: xmail.tesla.com
[*] Ip_Address: 204.74.99.100
[*] --------------------------------------------------
[*] Host: comparison.tesla.com
[*] Ip_Address: 64.125.183.133
[*] --------------------------------------------------
[*] Host: apacvpn.tesla.com
[*] Ip_Address: 8.244.67.215
[*] --------------------------------------------------
[*] Host: cnvpn.tesla.com
[*] Ip_Address: 103.222.41.215
[*] --------------------------------------------------
[*] Host: emails.tesla.com
[*] Ip_Address: 13.111.18.27
[*] --------------------------------------------------
[*] Host: mta2.emails.tesla.com
[*] Ip_Address: 13.111.88.1
[*] --------------------------------------------------
[*] Host: mta3.emails.tesla.com
[*] Ip_Address: 13.111.88.2
[*] --------------------------------------------------
[*] Host: mta4.emails.tesla.com
[*] Ip_Address: 13.111.88.52
[*] --------------------------------------------------
[*] Host: mta5.emails.tesla.com
[*] Ip_Address: 13.111.88.53
[*] --------------------------------------------------
[*] Host: mta.emails.tesla.com
[*] Ip_Address: 13.111.62.118
[*] --------------------------------------------------
[*] Host: click.emails.tesla.com
[*] Ip_Address: 13.111.48.179
[*] --------------------------------------------------
[*] Host: view.emails.tesla.com
[*] Ip_Address: 13.111.49.179
[*] --------------------------------------------------
[*] Host: itanswers.tesla.com
[*] Ip_Address: 204.74.99.100
[*] --------------------------------------------------
[*] Host: events.tesla.com
[*] Ip_Address: 13.111.47.195
[*] --------------------------------------------------
[*] Host: www-uat.tesla.com
[*] Ip_Address: 199.66.9.47
[*] --------------------------------------------------
[*] Host: shop.eu.tesla.com
[*] Ip_Address: 205.234.27.221
[*] --------------------------------------------------
[*] Host: mfamobile-dev.tesla.com
[*] Ip_Address: 205.234.27.209
[*] --------------------------------------------------
[*] Host: mfauser-dev.tesla.com
[*] Ip_Address: 205.234.27.209
[*] --------------------------------------------------
-------
SUMMARY
-------
[*] 35 total (35 new) hosts found.
Show hosts
Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.
[recon-ng][default][hackertarget] > show hosts
+----------------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | notes | module |
+----------------------------------------------------------------------------------------------------------------------+
| 1 | tesla.com | 104.119.104.74 | | | | | | hackertarget |
| 2 | o7.ptr6980.tesla.com | 149.72.144.42 | | | | | | hackertarget |
| 3 | vpn1.tesla.com | 8.45.124.215 | | | | | | hackertarget |
| 4 | apacvpn1.tesla.com | 8.244.131.215 | | | | | | hackertarget |
| 5 | cnvpn1.tesla.com | 114.141.176.215 | | | | | | hackertarget |
| 6 | vpn2.tesla.com | 8.47.24.215 | | | | | | hackertarget |
| 7 | model3.tesla.com | 205.234.27.221 | | | | | | hackertarget |
| 8 | o3.ptr1444.tesla.com | 149.72.152.236 | | | | | | hackertarget |
| 9 | o2.ptr556.tesla.com | 149.72.134.64 | | | | | | hackertarget |
| 10 | o5.ptr8466.tesla.com | 149.72.172.170 | | | | | | hackertarget |
| 11 | o6.ptr9437.tesla.com | 168.245.123.10 | | | | | | hackertarget |
| 12 | o4.ptr1867.tesla.com | 149.72.163.58 | | | | | | hackertarget |
| 13 | marketing.tesla.com | 13.111.47.196 | | | | | | hackertarget |
| 14 | o1.ptr2410.link.tesla.com | 149.72.247.52 | | | | | | hackertarget |
| 15 | referral.tesla.com | 72.10.32.90 | | | | | | hackertarget |
| 16 | mta2.email.tesla.com | 13.111.4.231 | | | | | | hackertarget |
| 17 | mta.email.tesla.com | 13.111.14.190 | | | | | | hackertarget |
| 18 | xmail.tesla.com | 204.74.99.100 | | | | | | hackertarget |
| 19 | comparison.tesla.com | 64.125.183.133 | | | | | | hackertarget |
| 20 | apacvpn.tesla.com | 8.244.67.215 | | | | | | hackertarget |
| 21 | cnvpn.tesla.com | 103.222.41.215 | | | | | | hackertarget |
| 22 | emails.tesla.com | 13.111.18.27 | | | | | | hackertarget |
| 23 | mta2.emails.tesla.com | 13.111.88.1 | | | | | | hackertarget |
| 24 | mta3.emails.tesla.com | 13.111.88.2 | | | | | | hackertarget |
| 25 | mta4.emails.tesla.com | 13.111.88.52 | | | | | | hackertarget |
| 26 | mta5.emails.tesla.com | 13.111.88.53 | | | | | | hackertarget |
| 27 | mta.emails.tesla.com | 13.111.62.118 | | | | | | hackertarget |
| 28 | click.emails.tesla.com | 13.111.48.179 | | | | | | hackertarget |
| 29 | view.emails.tesla.com | 13.111.49.179 | | | | | | hackertarget |
| 30 | itanswers.tesla.com | 204.74.99.100 | | | | | | hackertarget |
| 31 | events.tesla.com | 13.111.47.195 | | | | | | hackertarget |
| 32 | www-uat.tesla.com | 199.66.9.47 | | | | | | hackertarget |
| 33 | shop.eu.tesla.com | 205.234.27.221 | | | | | | hackertarget |
| 34 | mfamobile-dev.tesla.com | 205.234.27.209 | | | | | | hackertarget |
| 35 | mfauser-dev.tesla.com | 205.234.27.209 | | | | | | hackertarget |
+----------------------------------------------------------------------------------------------------------------------+
[*] 35 rows returned
[recon-ng][default][hackertarget] >
--------------------------------------------------------------
Add API keys to Recon-ng
It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option. This will enable queries to open ports on your discovered hosts without sending any packets to the target systems.
How to add shodan API key
Create or login to your Shodan account, Go to 'Account" in top right corner. The API Key is listed here on the Account Overview page.
Recon-ng shows the syntax to add an API key is below
[recon-ng][default] > keys add
Adds/Updates a third party resource credential
Usage: keys add name value
[recon-ng][default] keys add shodan_api bbexampleapikey33
.recon-ng configuration files
When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. Contained in this folder is keys.db. If you are upgrading from one version to another or changed computers, and have previous modules that require keys to work, copy this file from the old version on your system and move it on the new one. You do not have to start all over again.
test@test-desktop:~/.recon-ng$ ls keys.db modules modules.yml workspaces test@test-desktop:~/.recon-ng$
Conclusion
Recon-ng is a powerful tool that can be further explored by viewing the list of modules. The help within the console is clear, and with a bit of playing around it won't take long to become an expert.
The rise of bug bounties allows you to play with new tools and explore Organizations' every expanding attack surface footprint. Have fun. Don't break the rules.
For a great overview on version 5 check out the you tube video by Tim Tomes.
**article revised and updated Nov 2022
Next Level Your Technical Network Intelligence
- 13 Vulnerability Scanners
- 17 Free DNS & Network Tools
- 4+ Billion Records of DNS / IP data