
Recon-NG Tutorial

In this recon-ng tutorial you will discover how to gather open source intelligence and easily pivot from one result to the next: find targets, then move on to discovering vulnerabilities.

What is Recon-ng?

Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line drops you into a shell-like environment where you can configure options, perform recon and output results to different report types.

The interactive console provides a number of helpful features such as command completion and contextual help.

Recon-ng Installation

Recon-ng is often used with the Kali Linux penetration testing distribution, and installing it within Kali is a simple matter of apt-get install recon-ng.

For those wanting the very latest code on Ubuntu the process is nearly as simple. Make sure you have git and pip installed.

test@ubuntu:~/$ git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
test@ubuntu:~/$ cd recon-ng
test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS
test@ubuntu:~/recon-ng/$ ./recon-ng

You should now be up and running, with the Recon-NG console loaded.

    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
        Sponsored by...           /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                      [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]                       

[75] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] > 

Above the splash screen you will get a screen of red errors; these are simply warnings that the API keys for those services are not populated. Many of the modules within recon-ng use web services that require an API key for full access to the data. The recon-ng wiki has a quick run-down of the keys and where to get them, which will save you time fussing about on each of the sites looking for the API signup page.

Using recon-ng

From the console it is easy to get help and get started with your recon.

Typing help lists the available commands, and contextual help for any one of them is available by typing help followed by the command name.

First, let's use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and its hostname search.

To use a module the syntax is use recon/$category/$module as seen below.

[recon-ng][default] > use recon/domains-hosts/hackertarget
[recon-ng][default][hackertarget] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][default][hackertarget] > set SOURCE teslamotors.com
SOURCE => teslamotors.com

I am using teslamotors.com as an example domain because they have a published bug bounty program and Teslas are cool. Simply type run to execute the module.

[recon-ng][default][hackertarget] > run

---------------
TESLAMOTORS.COM
---------------
[*] [host] email1.teslamotors.com (192.28.144.15)
[*] [host] originwww45.teslamotors.com (205.234.27.211)
[*] [host] storetest5.teslamotors.com (209.11.133.41)
[*] [host] lync.teslamotors.com (209.11.133.11)
[*] [host] epc.teslamotors.com (209.11.133.110)
[*] [host] upload.teslamotors.com (205.234.27.250)
[*] [host] evprd.teslamotors.com (205.234.27.199)
[*] [host] mta.e.teslamotors.com (68.232.192.245)
[*] [host] service.teslamotors.com (209.11.133.37)
[*] [host] extconfluence.teslamotors.com (209.11.133.50)
[*] [host] leaseappde.teslamotors.com (64.125.183.134)
[*] [host] rav4garage.teslamotors.com (209.11.133.16)
[*] [host] energystorage.teslamotors.com (209.10.208.24)
[*] [host] quickbase.teslamotors.com (205.234.27.246)
[*] [host] seg.teslamotors.com (209.10.208.32)
[*] [host] myteslastg.teslamotors.com (209.11.133.54)
[*] [host] cn.auth.teslamotors.com (211.147.80.202)
[*] [host] us.auth.teslamotors.com (209.10.208.27)
[*] [host] extconfl.teslamotors.com (209.11.133.50)
[*] [host] xmail.teslamotors.com (209.11.133.61)
[*] [host] externalssl.teslamotors.com (209.11.133.19)
[*] [host] storagesim.teslamotors.com (209.10.208.39)
[*] [host] japan.teslamotors.com (204.74.99.100)
[*] [host] xmailcn.teslamotors.com (211.147.80.203)
[*] [host] cnorigin.teslamotors.com (211.147.80.201)
[*] [host] wwworigin.teslamotors.com (209.11.133.106)
[*] [host] vpn.teslamotors.com (205.234.27.218)
[*] [host] sdlcvpn.teslamotors.com (209.10.208.55)
[*] [host] hkvpn.teslamotors.com (14.136.104.118)
[*] [host] cnvpn.teslamotors.com (211.147.88.104)
[*] [host] euvpn.teslamotors.com (149.14.82.93)
[*] [host] shop.teslamotors.com (205.234.27.221)
[*] [host] sftp.teslamotors.com (205.234.27.226)
[*] [host] externalsmtp.teslamotors.com (205.234.27.238)
[*] [host] supercharger.teslamotors.com (209.11.133.36)
[*] [host] ipaddocs.teslamotors.com (205.234.27.252)
[*] [host] extissues.teslamotors.com (209.11.133.35)
[*] [host] adfs.teslamotors.com (205.234.27.243)
[*] [host] mobileapps.teslamotors.com (205.234.27.196)
[*] [host] suppliers.teslamotors.com (209.10.208.37)
[*] [host] wechat.teslamotors.com (211.147.80.205)
[*] [host] myteslawduat.teslamotors.com (209.11.133.43)
[*] [host] wwwuat.teslamotors.com (205.234.27.225)
[*] [host] trt.teslamotors.com (209.10.208.20)
[*] [host] origintest.teslamotors.com (205.234.27.221)
[*] [host] wsext.teslamotors.com (209.11.133.49)
[*] [host] fleetview.teslamotors.com (209.10.208.31)
[*] [host] toolbox.teslamotors.com (209.11.133.107)
[*] [host] mobility.teslamotors.com (209.10.208.14)
[*] [host] eumobility.teslamotors.com (82.199.92.7)
[*] [host] wsproxy.teslamotors.com (205.234.27.212)
[*] [host] smswsproxy.teslamotors.com (205.234.27.197)

-------
SUMMARY
-------
[*] 52 total (52 new) hosts found.

Now we have begun to populate our hosts table. Typing show hosts will give you a summary of the resources discovered so far.
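Every host a recon module finds is printed as a `[*] [host] name (ip)` line and stored in the workspace, so the raw output is also easy to turn into an inventory of your own. The following is an added example, not code from recon-ng or from this tutorial: it parses those lines, deduplicates them, groups hostnames that share an IP address (a sign of shared infrastructure worth reviewing) and flags names that look like non-production or remote-access systems, which an owner of the domain would want to check are meant to be exposed. The sample output is a constructed subset of the lines shown above, and the keyword lists used for flagging are an assumption of the example, not something recon-ng defines.

```python
"""Turn recon-ng '[*] [host] name (ip)' output into an attack-surface inventory.

Added example, not part of recon-ng or of the original tutorial.
"""
import re
from collections import defaultdict

# Matches the host lines recon-ng prints, e.g. "[*] [host] vpn.example.com (10.0.0.1)"
HOST_LINE = re.compile(r"^\[\*\] \[host\] (?P<host>[\w.-]+) \((?P<ip>[\d.]+)\)$")

# Hostname fragments that commonly mark non-production or remote-access systems.
# Assumption for this example only; recon-ng has no such classification.
NONPROD_MARKERS = ("test", "stg", "uat", "dev", "sim")
REMOTE_ACCESS_MARKERS = ("vpn", "sftp", "adfs", "lync")

# Constructed sample: a subset of the module output shown in the tutorial,
# with one line repeated to show that duplicates are collapsed.
SAMPLE_OUTPUT = """\
[*] [host] storetest5.teslamotors.com (209.11.133.41)
[*] [host] extconfluence.teslamotors.com (209.11.133.50)
[*] [host] myteslastg.teslamotors.com (209.11.133.54)
[*] [host] extconfl.teslamotors.com (209.11.133.50)
[*] [host] vpn.teslamotors.com (205.234.27.218)
[*] [host] shop.teslamotors.com (205.234.27.221)
[*] [host] sftp.teslamotors.com (205.234.27.226)
[*] [host] adfs.teslamotors.com (205.234.27.243)
[*] [host] wwwuat.teslamotors.com (205.234.27.225)
[*] [host] origintest.teslamotors.com (205.234.27.221)
[*] [host] vpn.teslamotors.com (205.234.27.218)
"""


def parse_hosts(output):
    """Return a sorted list of unique (host, ip) pairs from recon-ng output."""
    found = set()
    for line in output.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            found.add((m.group("host").lower(), m.group("ip")))
    return sorted(found)


def hosts_by_ip(pairs):
    """Group hostnames by IP address so shared infrastructure stands out."""
    groups = defaultdict(list)
    for host, ip in pairs:
        groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def shared_ips(pairs):
    """IP addresses that serve more than one discovered hostname."""
    return sorted(ip for ip, hosts in hosts_by_ip(pairs).items() if len(hosts) > 1)


def first_label(host):
    """The leftmost DNS label, e.g. 'storetest5' from 'storetest5.example.com'."""
    return host.split(".")[0]


def flag_hosts(pairs):
    """Return {"nonprod": [...], "remote_access": [...]} hostnames for review."""
    flags = {"nonprod": [], "remote_access": []}
    for host, _ip in pairs:
        label = first_label(host)
        if any(marker in label for marker in NONPROD_MARKERS):
            flags["nonprod"].append(host)
        if any(marker in label for marker in REMOTE_ACCESS_MARKERS):
            flags["remote_access"].append(host)
    return flags


def summary(pairs, known_hosts):
    """Build a line like recon-ng's '[*] N total (M new) hosts found.'

    'new' is counted against known_hosts, e.g. an existing asset register,
    so the line tells you what recon found that you did not already track.
    """
    total = len(pairs)
    new = sum(1 for host, _ip in pairs if host not in known_hosts)
    return f"[*] {total} total ({new} new) hosts found."


if __name__ == "__main__":
    pairs = parse_hosts(SAMPLE_OUTPUT)
    for ip, hosts in hosts_by_ip(pairs).items():
        print(ip, ", ".join(hosts))
    print(flag_hosts(pairs))
    # Pretend the asset register already knew about the storefront and the VPN.
    print(summary(pairs, {"shop.teslamotors.com", "vpn.teslamotors.com"}))
```

Paste the full output of a run into SAMPLE_OUTPUT (or read it from a file) and the same functions work on the real list; the `known_hosts` set is where you would feed your own asset inventory, so that the "new" count only reports hosts you were not already aware of.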

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option, as it allows you to query the open ports on your discovered hosts without sending any packets to the target systems.

keys add shodan_api < insert shodan api key here > 

Recon-ng Modules

Typing show modules will display a list of all the modules, from which you can start following the white rabbit, exploring and getting deeper into recon and open source intelligence.

[recon-ng][default] > show modules

  Discovery
  ---------
    discovery/info_disclosure/cache_snoop
    discovery/info_disclosure/interesting_files

  Exploitation
  ------------
    exploitation/injection/command_injector
    exploitation/injection/xpath_bruter

  Import
  ------
    import/csv_file
    import/list

  Recon
  -----
    recon/companies-contacts/bing_linkedin_cache
    recon/companies-contacts/jigsaw/point_usage
    recon/companies-contacts/jigsaw/purchase_contact
    recon/companies-contacts/jigsaw/search_contacts
    recon/companies-multi/github_miner
    recon/companies-multi/whois_miner
    recon/contacts-contacts/mailtester
    recon/contacts-contacts/mangle
    recon/contacts-contacts/unmangle
    recon/contacts-credentials/hibp_breach
    recon/contacts-credentials/hibp_paste
    recon/contacts-domains/migrate_contacts
    recon/contacts-profiles/fullcontact
    recon/credentials-credentials/adobe
    recon/credentials-credentials/bozocrack
    recon/credentials-credentials/hashes_org
    recon/domains-contacts/metacrawler
    recon/domains-contacts/pgp_search
    recon/domains-contacts/whois_pocs
    recon/domains-credentials/pwnedlist/account_creds
    recon/domains-credentials/pwnedlist/api_usage
    recon/domains-credentials/pwnedlist/domain_creds
    recon/domains-credentials/pwnedlist/domain_ispwned
    recon/domains-credentials/pwnedlist/leak_lookup
    recon/domains-credentials/pwnedlist/leaks_dump
    recon/domains-domains/brute_suffix
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/certificate_transparency
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web
    recon/domains-hosts/hackertarget
    recon/domains-hosts/mx_spf_ip
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/threatcrowd
    recon/domains-vulnerabilities/ghdb
    recon/domains-vulnerabilities/punkspider
    recon/domains-vulnerabilities/xssed
    recon/domains-vulnerabilities/xssposed
    recon/hosts-domains/migrate_hosts
    recon/hosts-hosts/bing_ip
    recon/hosts-hosts/freegeoip
    recon/hosts-hosts/ipinfodb
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/hosts-hosts/ssltools
    recon/hosts-locations/migrate_hosts
    recon/hosts-ports/shodan_ip
    recon/locations-locations/geocode
    recon/locations-locations/reverse_geocode
    recon/locations-pushpins/flickr
    recon/locations-pushpins/picasa
    recon/locations-pushpins/shodan
    recon/locations-pushpins/twitter
    recon/locations-pushpins/youtube
    recon/netblocks-companies/whois_orgs
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012
    recon/netblocks-ports/censysio
    recon/ports-hosts/migrate_ports
    recon/profiles-contacts/dev_diver
    recon/profiles-contacts/github_users
    recon/profiles-profiles/namechk
    recon/profiles-profiles/profiler
    recon/profiles-profiles/twitter_mentioned
    recon/profiles-profiles/twitter_mentions
    recon/profiles-repositories/github_repos
    recon/repositories-profiles/github_commits
    recon/repositories-vulnerabilities/gists_search
    recon/repositories-vulnerabilities/github_dorks

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

Conclusion

Recon-ng is a powerful tool that can be further explored by looking through the list of modules above. The help within the console is very clear, and with a bit of playing around it won't take long to become an expert.

Once you start to become more familiar with the layout of the tool you will discover options such as workspaces that allow you to segment based on organization or network.

The rise of bug bounties allows you to play with new tools and simply go and explore an organization's Internet-facing footprint. Have fun. Don't break the rules.