Let’s take inventory of the information we now have and decide where we will go from here.
The three commands we used (show domains, show contacts, and show companies) will help us to decide which modules to use. The show modules command will display a list of modules to choose from.
As a quick note on reading module names, the “-” in the middle of a name divides the module into “what you have and what you want”: the table before the dash is what the module reads from, and the table after it is what the module writes to. So recon/domains-hosts/shodan_hostname takes the domains we already have and gives us hosts, and the command to load it is:
use recon/domains-hosts/shodan_hostname
The red text indicates that an error occurred when running the module. The green text indicates the new elements added to the database.
The module added hosts, so the show hosts command will show the additions. Notice that the output displays the row id, the host, the IP address, and the module that found it. The module also populated the ports table, which show ports displays.
Remove Unwanted Entries
If we want to stay within the .com domain, we need a way to remove the .hk and other out-of-scope domains. The delete command does this: it takes the name of a table and the row ids of the entries to remove, as shown by the matching show command.
Remember that show ports was the last command we ran, so ports was the table we viewed and the table we deleted from. Running show ports again validates that the command worked: the selected rows were removed, but ONLY from the ports table.
The .hk entries are still present in the hosts table. Deleting from one table does not touch the others, so you need to remove them from each table separately.
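The cleanup above has to be repeated per table because delete works on one table at a time. For a large workspace the same job can be done directly against the workspace's SQLite database. The Python below is an added example, not part of the original tutorial or of recon-ng: it builds an in-memory database with a constructed subset of the recon-ng hosts and ports schema (column lists assumed from show schema output), previews which rows fall under a given TLD, and then removes them from every host-bearing table in one transaction. To run it against a real workspace, open ~/.recon-ng/workspaces/<name>/data.db instead (path assumed for recon-ng 4.x), with recon-ng closed and after taking a backup.

```python
import sqlite3

# Constructed subset of the recon-ng 4.x workspace schema, as shown by
# `show schema` (column lists assumed; the real data.db has more tables).
SCHEMA = """
CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT,
                    latitude TEXT, longitude TEXT, module TEXT);
CREATE TABLE ports (ip_address TEXT, host TEXT, port TEXT, protocol TEXT,
                    module TEXT);
"""

# Constructed rows in the shape recon/domains-hosts/shodan_hostname produces.
SAMPLE_HOSTS = [
    ("www.example.com",    "192.0.2.10",   None, None, None, None, "shodan_hostname"),
    ("mail.example.com",   "192.0.2.20",   None, None, None, None, "shodan_hostname"),
    ("www.example.com.hk", "198.51.100.5", None, None, None, None, "shodan_hostname"),
    ("vpn.example.hk",     "198.51.100.6", None, None, None, None, "shodan_hostname"),
]
SAMPLE_PORTS = [
    ("192.0.2.10",   "www.example.com",    "80",  "tcp", "shodan_hostname"),
    ("198.51.100.5", "www.example.com.hk", "443", "tcp", "shodan_hostname"),
    ("198.51.100.6", "vpn.example.hk",     "443", "tcp", "shodan_hostname"),
]

# Every table that carries a host column must be cleaned, since recon-ng's
# delete command only touches the one table you name. Table names come from
# this fixed tuple, never from user input, which is why they can be
# interpolated into the SQL below; the pattern itself is always bound.
HOST_TABLES = ("hosts", "ports")


def open_sample_db():
    """In-memory stand-in for ~/.recon-ng/workspaces/<name>/data.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?)", SAMPLE_HOSTS)
    conn.executemany("INSERT INTO ports VALUES (?,?,?,?,?)", SAMPLE_PORTS)
    conn.commit()
    return conn


def preview_unwanted(conn, tld):
    """List, per table, the hosts that would be removed for `tld` (e.g. 'hk').
    Review this before purging: LIKE '%.hk' is a suffix match, so a host such
    as example.com.hk goes, while example.com stays."""
    pattern = "%." + tld
    found = {}
    for table in HOST_TABLES:
        rows = conn.execute(f"SELECT host FROM {table} WHERE host LIKE ?", (pattern,))
        found[table] = [r[0] for r in rows]
    return found


def purge_tld(conn, tld):
    """Delete the rows preview_unwanted() lists, from every table, in one
    transaction. Returns {table: rows_removed}."""
    pattern = "%." + tld
    removed = {}
    try:
        for table in HOST_TABLES:
            cur = conn.execute(f"DELETE FROM {table} WHERE host LIKE ?", (pattern,))
            removed[table] = cur.rowcount
        conn.commit()
    except sqlite3.Error:
        conn.rollback()    # leave the workspace untouched if any table fails
        raise
    return removed


if __name__ == "__main__":
    db = open_sample_db()
    print("would remove:", preview_unwanted(db, "hk"))
    print("removed:", purge_tld(db, "hk"))
    print("hosts left:", [r[0] for r in db.execute("SELECT host FROM hosts")])
```

Run the preview first and read the list; a suffix match on a TLD is deliberately blunt, and the rows it selects are gone from the workspace once purge_tld commits.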
Exporting Data and Report Generation
Now that we’ve imported data from an outside source, run several modules inside recon-ng, and even deleted data from the database, it’s time to create our report. There are lots of options to choose from; the search reporting command lists our choices.
The show dashboard command lets us look at the modules used and the number of times each has been run. We can also see the amount of information inside the database.
Some of the modules I ran were not covered in this tutorial; Figure 11 shows all the modules used. Figure 12 is a continuation of the show dashboard output, listing the record counts captured in the database. Knowing what is in the database makes it easier to decide what to report or export.
We will use the reporting/list module to create a list of IP addresses to use in nmap. This will tie in several things we’ve already covered.
- Search for modules
- Show options
- Schema command
- Set command
We will also use Nmap to scan for port 80.
use reporting/list
show options
Running show schema displays the table schema; the results shown here are truncated to the relevant tables. The schema tells us which table and column hold the IP addresses we want to list.
Next, use the set command to give recon-ng the output file location.
set FILENAME /location/on/file/system
Finally, enter run and let recon-ng generate the file. The screenshot is truncated so you can get an idea of what it looks like; your mileage may vary.
Using export_iplist.txt as input for our Nmap scan:
- -iL input list filename
- -p 80 port to scan
- -Pn skip host discovery and treat every target as up, so hosts that drop ping probes are still scanned
nmap -iL export_iplist.txt -Pn -p 80
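Before the exported list goes to nmap it is worth checking what is in it: reporting/list writes one value per line, and the database may still hold duplicates, blank lines or addresses that are outside the engagement scope. The Python below is an added example, not code from the tutorial, from recon-ng or from nmap: it validates and deduplicates a constructed stand-in for export_iplist.txt, drops anything inside an out-of-scope network, splits IPv4 from IPv6 (nmap scans one address family per run, and IPv6 needs -6), builds the nmap command from the page with -oG added, and parses constructed grepable output to list the hosts that actually have port 80 open. The file names and the exclusion network are assumptions.

```python
import ipaddress
import re

# Constructed stand-in for export_iplist.txt as reporting/list writes it
# (one value per line). Real exports can carry blanks and duplicates too.
SAMPLE_EXPORT = """192.0.2.10
192.0.2.20

192.0.2.10
10.0.0.5
not-an-address
2001:db8::1
"""

# Constructed lines in the shape of nmap's grepable (-oG) output.
SAMPLE_GNMAP = """# Nmap 7.80 scan initiated
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 80/open/tcp//http///
Host: 192.0.2.20 ()\tPorts: 80/filtered/tcp//http///
# Nmap done
"""

_OPEN_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def load_targets(text, exclude=()):
    """Turn an exported list into scan targets.

    Drops blank lines, values that are not IP addresses, duplicates, and any
    address inside one of the `exclude` networks (out-of-scope ranges from the
    rules of engagement). IPv4 and IPv6 come back separately because nmap
    scans one address family per run (IPv6 needs -6).
    Returns (ipv4_targets, ipv6_targets, rejected_lines).
    """
    out_of_scope = [ipaddress.ip_network(n) for n in exclude]
    v4, v6, rejected, seen = [], [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append(line)          # garbage in the export, not a target
            continue
        if addr in seen:
            continue                       # duplicate host rows collapse to one target
        seen.add(addr)
        if any(addr in net for net in out_of_scope):
            rejected.append(line)          # in the database, but not in scope
            continue
        (v4 if addr.version == 4 else v6).append(str(addr))
    return v4, v6, rejected


def nmap_argv(listfile, ports="80", grepable_out="port80.gnmap", ipv6=False):
    """argv for the scan shown above, plus -oG so the result can be parsed."""
    argv = ["nmap", "-iL", listfile, "-Pn", "-p", ports, "-oG", grepable_out]
    if ipv6:
        argv.insert(1, "-6")
    return argv


def open_ports(gnmap_text, port="80"):
    """Hosts whose -oG 'Ports:' entry reports `port` as open (tcp or udp)."""
    hits = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        if any(num == port for num, _proto in _OPEN_PORT_RE.findall(line)):
            hits.append(ip)
    return hits


if __name__ == "__main__":
    v4, v6, rejected = load_targets(SAMPLE_EXPORT, exclude=("10.0.0.0/8",))
    print("rejected:", rejected)
    with open("export_iplist.clean.txt", "w") as fh:
        fh.write("\n".join(v4) + "\n")
    print("would run:", " ".join(nmap_argv("export_iplist.clean.txt")))
    # To scan for real (only against hosts you are authorised to test), run that
    # argv with subprocess.run and feed port80.gnmap to open_ports().
    print("open on 80 in the sample output:", open_ports(SAMPLE_GNMAP))
```

The exclusion list is the important part: the recon-ng database records whatever the modules found, including ranges that belong to a third party or were carved out of the engagement, and nmap will happily scan them unless something removes them first.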
This section will show you how to create an HTML report using the same data set.
use reporting/html
show options
set CREATOR Pentester
set CUSTOMER United Airlines
We used the set command to fill in the creator and the customer properties for our report. Use the run command to execute the module.
Not too exciting, but we have our report waiting for us in the .recon-ng folder.
Let’s look at that file using a browser.
The next set of figures will show the expanded results for the Summary, Domains, and Locations sections.
In the Contacts section we could have done more with the information. One thing I like to do with this data is expand on it using the https://pipl.com website. With Pipl we can really dig into who the individuals are, to create more effective spear-phishing attacks or sales calls. Who are we kidding? We don’t do sales calls.
Look through the Vulnerabilities section: we haven’t even started a technical vulnerability assessment and we already have a place to start. OSINT for the win!
In this tutorial we covered Recon-ng. It can be found at https://bitbucket.org/LaNMaSteR53/recon-ng. I really enjoy working with this tool. Just playing with it can give you a better understanding of other ways to gather information about your target. It really becomes about bread crumbs. How deep can you dig into a company, email address, or person?
Areas we covered:
- Adding API Keys
- Creating a Workspace
- Importing information into the database (grep and awk commands)
- Using Modules
- Removing unwanted entries
- Exporting data (to use with nmap)
- Creating Reports