# Recon-NG

## Description

Recon-ng is a useful reconnaissance tool written in Python, set up much like Metasploit and aimed at reconnaissance of websites. It has many different modules to search for hosts, points of contact (POCs), email addresses, geocode data and many more.

### Kali - Install

```bash
apt install recon-ng
```

## Usage

#### Start the program

```bash
recon-ng
```

#### Create a new workspace

This is where the info on your targets will be stored.

```bash
[recon-ng][default] > workspaces add new-workspace
```

#### Various info commands

Use `help` from anywhere to get info about usage.

```bash
[recon-ng][new-workspace] > help
```

For a list of all tables:

```bash
[recon-ng][new-workspace] > show schema
```

For an individual table:

```bash
[recon-ng][new-workspace] > show domains
```

For all information that can be shown:

```bash
[recon-ng][new-workspace] > show
```

For a summary of all collected info and the modules used:

```bash
[recon-ng][new-workspace] > show dashboard
```

#### Reconnaissance

Add a domain to run reconnaissance against.

```bash
[recon-ng][new-workspace] > add domains mst.edu
```

Add company info to obtain more information.

```bash
[recon-ng][new-workspace] > add companies
company (TEXT): MST
description (TEXT): A university
```

Show the modules available to use:

```bash
[recon-ng][new-workspace] > show modules
```

Or search for modules directly:

```bash
[recon-ng][new-workspace] > search domains
```

Load the module to use.

```bash
[recon-ng][new-workspace] > use recon/domains-contacts/whois_pocs
```

Show the module's options and where its info will be stored.

```bash
[recon-ng][new-workspace][whois_pocs] > show info
```

Run the module with its defaults.

```bash
[recon-ng][new-workspace][whois_pocs] > run
```

This module looks for POCs for the website and stores the info in the `contacts` table.

```bash
[recon-ng][new-workspace][whois_pocs] > show contacts
```

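The following Python script is an added example, not part of the original guide or of Recon-ng itself. It shows how an organization could review the `contacts` rows collected for its own domain and separate role mailboxes from named staff and off-domain addresses. The table layout, the sample rows, the role-mailbox list and the `audit_contacts` function are assumptions made for illustration; confirm the real columns with `show schema`.

```python
import sqlite3

# Assumed layout of the contacts table; confirm with `show schema`.
CONTACTS_DDL = """CREATE TABLE contacts (
    first_name TEXT, middle_name TEXT, last_name TEXT, email TEXT,
    title TEXT, region TEXT, country TEXT, module TEXT)"""

# Hypothetical list of role mailboxes; adjust to your own naming policy.
ROLE_LOCALPARTS = {"noc", "abuse", "hostmaster", "dns-admin", "security"}


def build_sample_db():
    """Constructed rows standing in for what whois_pocs stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CONTACTS_DDL)
    rows = [
        ("Alice", None, "Admin", "alice.admin@example.edu", "Whois contact", None, "US", "whois_pocs"),
        ("Bob", None, "Builder", "bob1987@mail.example.net", "Whois contact", None, "US", "whois_pocs"),
        ("NOC", None, "Team", "noc@example.edu", "Whois contact", None, "US", "whois_pocs"),
        ("Carol", None, "Clerk", None, "Whois contact", None, "US", "whois_pocs"),
    ]
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def audit_contacts(conn, org_domain):
    """Sort published contact addresses into role, named and external."""
    report = {"role": [], "named": [], "external": [], "no_email": 0}
    for (email,) in conn.execute("SELECT email FROM contacts"):
        if not email:
            report["no_email"] += 1
            continue
        local, _, domain = email.lower().rpartition("@")
        if domain != org_domain and not domain.endswith("." + org_domain):
            report["external"].append(email)   # off-domain mailbox in a record
        elif local in ROLE_LOCALPARTS:
            report["role"].append(email)       # shared mailbox
        else:
            report["named"].append(email)      # individual staff address
    return report


if __name__ == "__main__":
    result = audit_contacts(build_sample_db(), "example.edu")
    for kind, value in result.items():
        print(f"{kind:9} {value}")
```
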
## Wrap Up

This guide uses only 1 of the 81 different Recon modules. At the moment there are 95 different modules in 5 different categories that can be utilized. Check out the references below for more advanced capabilities, including API key usage to include Bing, Google, Twitter and many more for more in-depth reconnaissance.

## References

[Author's BitBucket Site](https://bitbucket.org/LaNMaSteR53/recon-ng/overview)

[Usage Guide](https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide#!getting-started)

[Get the CheatSheet here](https://www.getdrip.com/forms/38118976/submissions/new)