Recon-ng Tutorial – Part 3 Usage and Reporting

Inventory

Let’s take inventory of the information we now have and decide where we will go from here.

Figure 1 – Information Inventory

Using Modules

The three commands we used (show domains, show contacts, and show companies) will help us to decide which modules to use. The show modules command will display a list of modules to choose from.

show modules

Figure 2 – show modules

As a quick note on reading module names, the “-” delimiter divides the module into “what you have” and “what you want”. So the command reads like this: use [I have] recon/domains - [I want] hosts/shodan_hostname, i.e. starting from domains, find hosts via Shodan.

use recon/domains-hosts/shodan_hostname

Figure 3 – recon-ng to shodan module

The red text indicates that an error occurred when running the module. The green text indicates the new elements added to the database.

Figure 4 – shodan summary

The module added hosts, so the show hosts command will display the additions. Notice that we now have ports as well.

show hosts

Figure 5 – show hosts results

Notice that this command displays the row id, the host, the IP address, and the module that was used to find it.

show ports

Figure 6 – show ports results

Remove Unwanted Entries

If we want to stay within the .com domain, we need a way to remove the .hk and other domains.

help delete

Figure 7 – help delete results

Remember that show ports was the last command we ran, so ports was the table we viewed. Running the show ports command again shows that the selected rows were removed ONLY from the ports table. To validate that the command worked, we check the table again.

show ports

Figure 8 – Cleaned ports table

The .hk domains are still present in the hosts table. You will need to remove them from each table separately.

show hosts

Figure 9 – show hosts results

Exporting Data and Report Generation

Now that we’ve imported data from an outside source, run several modules inside recon-ng, and even deleted data from the database, it’s time to create our report. There are lots of options to choose from; the search reporting command gives us our choices.

search reporting

Figure 10 – search reporting results

The show dashboard command allows us to look at the modules used and the number of times each has been run. We can also see the amount of information inside the database.

show dashboard

Figure 11 – show dashboard results

Some of the modules I ran were not in this tutorial. From Figure 11 you can see all the modules used. Figure 12 is a continuation of the show dashboard command. Here you can see the information that is captured in the database. This also makes it easier to create a report or export information.

Figure 12 – show dashboard summary

Exporting Data

We will use the reporting/list module to create a list of IP addresses to use in nmap.  This will tie in several things we’ve already covered.

  • Search for modules
  • Show options
  • Schema command
  • Set command

We will also use Nmap to scan for port 80.

search reporting

Figure 13 – search reporting

use reporting/list
show options

Figure 14 – report/list options

We will run show schema; only the truncated results are shown here, enough to see the layout of the tables.

show schema

Figure 15 – show schema

Next, use the set command to give recon-ng the file location.

set FILENAME /location/on/file/system

Figure 16 – set file location

Finally, run the module and let recon-ng generate the results. The screenshot is truncated so you can get an idea of what it looks like; your mileage may vary.

run

Figure 17 – Report Results

<<Truncation Occurs>>

Figure 18 – Report Summary

Using export_iplist.txt as input for our Nmap scan:

  • -iL input list filename
  • -p 80 port to scan
  • -Pn no ping (skip host discovery and treat every host as up)

nmap -iL export_iplist.txt -Pn -p 80

Figure 19 – Nmap port 80 scan
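The two housekeeping steps above (removing out-of-scope entries from every table, then exporting the distinct IPs for nmap -iL) can also be done directly against the workspace’s SQLite file. This is an added example, not recon-ng’s own code; it assumes the recon-ng 4.x hosts and ports layout seen in the show schema output, the data.db path under ~/.recon-ng/workspaces/<workspace>/, and constructed sample rows with RFC 5737 addresses.

```python
import sqlite3

# Table layouts assumed from recon-ng 4.x (see the show schema output); the real
# file lives at ~/.recon-ng/workspaces/<workspace>/data.db (back it up first).
HOSTS_DDL = ("CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, region TEXT, "
             "country TEXT, latitude TEXT, longitude TEXT, module TEXT)")
PORTS_DDL = ("CREATE TABLE IF NOT EXISTS ports (ip_address TEXT, host TEXT, port TEXT, "
             "protocol TEXT, module TEXT)")
# Constructed sample rows (RFC 5737 addresses), not data from the tutorial's workspace.
SAMPLE_HOSTS = [("www.example.com", "203.0.113.10", None, None, None, None, "shodan_hostname"),
                ("mail.example.com", "203.0.113.10", None, None, None, None, "shodan_hostname"),
                ("www.example.hk", "203.0.113.20", None, None, None, None, "shodan_hostname")]
SAMPLE_PORTS = [("203.0.113.10", "www.example.com", "80", "tcp", "shodan_hostname"),
                ("203.0.113.20", "www.example.hk", "80", "tcp", "shodan_hostname"),
                ("203.0.113.20", "www.example.hk", "443", "tcp", "shodan_hostname")]

def open_db(path=":memory:"):
    """Open a workspace data.db (or an in-memory stand-in) and ensure both tables exist."""
    con = sqlite3.connect(path)
    con.execute(HOSTS_DDL)
    con.execute(PORTS_DDL)
    return con

def load_samples(con):
    con.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?)", SAMPLE_HOSTS)
    con.executemany("INSERT INTO ports VALUES (?,?,?,?,?)", SAMPLE_PORTS)
    con.commit()

def tables_with_host_column(con):
    """Every table carrying a host column, so no table is forgotten during cleanup."""
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    return [t for t in names if any(c[1] == "host" for c in con.execute(f"PRAGMA table_info({t})"))]

def purge_suffix(con, suffix):
    """Delete hosts ending in suffix (e.g. '.hk') from every table; returns {table: rows deleted}.
    Table names come from sqlite_master, not from user input, so the f-string is safe here."""
    deleted = {t: con.execute(f"DELETE FROM {t} WHERE host LIKE ?", ("%" + suffix,)).rowcount
               for t in tables_with_host_column(con)}
    con.commit()
    return deleted

def export_ip_list(con, path=None):
    """Return the distinct non-empty IPs from hosts; write them one per line (nmap -iL format) if path is given."""
    ips = [r[0] for r in con.execute(
        "SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL AND ip_address != '' ORDER BY ip_address")]
    if path:
        with open(path, "w") as fh:
            fh.write("\n".join(ips) + "\n")
    return ips
```

With the sample rows, purge_suffix(db, ".hk") removes one hosts row and two ports rows in a single pass, and export_ip_list(db, "export_iplist.txt") then writes only 203.0.113.10.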

Create Report

This section will show you how to create an HTML report using the same data set.

use reporting/html
show options
set CREATOR Pentester
set CUSTOMER United Airlines

Figure 20 – report/html

Figure 21 – set options for report

We used the set command to add the creator and the customer properties for our report. Use the run command to execute the module.

run

Figure 22 – generate report

Not too exciting, but we have our report waiting for us in the .recon-ng folder.

Figure 23 – Report location

Let’s look at that file using a browser.

Figure 24 – File Browser

Figure 25 – HTML Report Example

The next set of figures will show the expanded results for the Summary, Domains, and Locations sections.

Figure 26 – Summary Section

Figure 27 – Domains Section

Figure 28 – Locations Section

In the Contacts section we could have done more with the information. One thing I like to do with this information is to expand on it using the https://pipl.com website. Using Pipl we could really dig into who any of the individuals are to create more effective spear phishing attacks or sales calls. Who are we kidding? We don’t do sales calls.

Figure 29 – Contacts Section

Look through the Vulnerabilities section. We haven’t even started a technical vulnerability assessment and we already have a place to start. OSINT for the win!

Figure 30 – Vulnerabilities Section

Figure 31 – Vulnerabilities Section 2

Conclusion

In this tutorial we covered Recon-ng.  It can be found at https://bitbucket.org/LaNMaSteR53/recon-ng.  I really enjoy working with this tool.  Just playing with it can give you a better understanding of other ways to gather information about your target.  It really becomes about bread crumbs. How deep can you dig into a company, email address, or person?

Areas we covered:

  • Installation
  • Adding API Keys
  • Creating a Workspace
  • Importing information into the database “grep and awk commands”
  • Using Modules
  • Removing unwanted entries
  • Exporting Data “to use with nmap”
  • Creating Reports
