Recon-ng is an Open Source reconnaissance framework written in Python. This SQLite database driven tool incorporates Python modules and API keys, which lets it act as a conduit for many tools ranging from The Harvester to Metasploit. It is an awesome standalone reconnaissance tool in its own right. As a side note, we all totally have a geeky nerd crush on LaNMaSteR53.
This part of the series will take a look at installation and adding API keys. Later we will show you how to create a workspace, import data into the database, and export data for use with other tools.
For our targets of reconnaissance, we will use HackerOne’s directory of companies. This is not our way of saying, “Go out and hack these companies,” but our way of doing safe recon and providing consistent screenshots that are easy to follow. This is also our way of introducing you to HackerOne and the Bug Bounty community if you are not already familiar with it.
While most penetration testers will be running this out of Kali Linux, the prerequisites (git and pip) may need to be installed before you start. Fortunately, this is easy on most Linux flavors and requires just a few simple commands:
sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv
Next, clone Recon-ng from Bitbucket (Figure 1). In this tutorial we clone into the home directory, but feel free to use whatever directory structure works for you.
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
Next, change directory into the newly created recon-ng directory and list the contents (Figure 2).
cd recon-ng
ls
We will use the REQUIREMENTS file to finish installing the dependencies for recon-ng.
pip install -r REQUIREMENTS
At this point the installation is almost ready to use. We will go over a little bit of information now, while you’re still paying attention, and then get recon-ng running and the API keys loaded.
The installation of recon-ng also creates a hidden directory, .recon-ng, inside your home directory. Initially this directory is empty; it is where your keys.db and your workspaces will be created. After running recon-ng for the first time, a directory and the keys.db file appear in the hidden .recon-ng directory (Figure 3).
To run recon-ng, go to the folder where you ran the “git clone” command. This is where the magic happens.
cd recon-ng
./recon-ng
Don’t worry if you get the “_api key not set” error (Figure 4). We have not added any API keys yet.
From our screen, we can see that there are 76 Recon modules, 8 Reporting modules, 2 Import modules, 2 Exploitation modules, and 2 Discovery modules. We are also using the “default” workspace. (Figure 5)
Close recon-ng and let’s look at the modules and the underlying code (Figure 6).
cd modules
cd recon
ls
If we go inside the modules directory and then into a module, we can see the Python script that does all the magic (Figure 7).
Adding API Keys
As I said in the introduction, this is a database driven tool. Now it’s time to add information into the database.
The API keys are used by the modules to gather information into the SQLite database. Some of the API keys are free, but some can be expensive. I will keep this tutorial to the free API keys that are available.
After going back into the recon-ng directory and typing “./recon-ng”, you will be inside the recon-ng console (Figure 8).
The following command is an example of adding the shodan_api key (bottom of Figure 8; look close, it is there).
keys add shodan_api <paste key here>
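To make the “database driven” point concrete, here is an added example (not part of the original post and not recon-ng’s own code) that builds a throwaway .recon-ng directory, stores a key the way “keys add” does, lists stored keys with their values masked, reports which of the free keys are still missing, and checks that the file is readable by its owner only, since keys.db holds the keys in plaintext. It assumes keys.db is a single SQLite table named keys with name and value columns, uses a temporary directory instead of your real home directory, and the key value and the list of key names other than shodan_api are constructed placeholders.

```python
import os
import sqlite3
import stat
import tempfile

# Key names used by recon-ng modules. shodan_api is the one the tutorial adds;
# the others are constructed examples of the free keys it links to
# (assumption: names follow the <service>_api convention).
FREE_KEYS = ["google_api", "bing_api", "shodan_api", "twitter_api"]


def open_keys_db(path):
    """Open (or create) a keys.db with the table layout assumed for recon-ng:
    one 'keys' table with name/value columns."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS keys (name TEXT PRIMARY KEY, value TEXT)")
    conn.commit()
    return conn


def add_key(conn, name, value):
    """Equivalent of 'keys add <name> <value>' at the recon-ng prompt."""
    conn.execute("INSERT OR REPLACE INTO keys (name, value) VALUES (?, ?)", (name, value))
    conn.commit()


def list_keys(conn):
    """Return {name: value} for every stored key."""
    return dict(conn.execute("SELECT name, value FROM keys"))


def mask(value):
    """Show only the last four characters so keys can be listed safely."""
    if not value:
        return "(not set)"
    return "*" * max(len(value) - 4, 0) + value[-4:]


def missing_keys(conn, wanted=FREE_KEYS):
    """Names in 'wanted' that have no value yet; these are the keys behind
    the '_api key not set' message the tutorial mentions."""
    stored = list_keys(conn)
    return [n for n in wanted if not stored.get(n)]


def permissions_ok(path):
    """keys.db stores the keys in plaintext, so it should be owner-only (0600):
    no group or world permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Build a throwaway .recon-ng directory and walk through the checks."""
    home = tempfile.mkdtemp()
    recon_dir = os.path.join(home, ".recon-ng")
    os.mkdir(recon_dir)
    db_path = os.path.join(recon_dir, "keys.db")
    conn = open_keys_db(db_path)
    add_key(conn, "shodan_api", "EXAMPLE-SHODAN-KEY-1234")  # constructed value
    os.chmod(db_path, 0o600)
    report = {
        "stored": {n: mask(v) for n, v in list_keys(conn).items()},
        "missing": missing_keys(conn),
        "permissions_ok": permissions_ok(db_path),
    }
    conn.close()
    return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Point the db_path at your real ~/.recon-ng/keys.db (without calling add_key) to audit an existing installation; the masked listing lets you share a screenshot of which keys are configured without leaking the key values.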
API Keys Signup URLs
Signing up for the API keys is the least fun and most time consuming part of the setup. Showing each signup would be lethally boring, so here is the list of URLs. All links open in a new window because we are thoughtful like that.
Google API – https://console.developers.google.com/apis/library
Bing API – https://msdn.microsoft.com/en-us/library/bing-ads-getting-started.aspx
Facebook API – https://developers.facebook.com/docs/apis-and-sdks
Instagram API – https://www.programmableweb.com/api/instagram
LinkedIn API – https://developer.linkedin.com/docs/rest-api
Shodan API – https://developer.shodan.io/
Twitter API – https://apps.twitter.com/