Inventory
Let’s take inventory of the information we now have and decide where we will go from here.
Using Modules
The three commands we used earlier (show domains, show contacts, and show companies) tell us what data we already hold, and that is what decides which modules are worth running. The show modules command lists every module available to choose from.
show modules
As a quick note on reading module names, the “-” in the middle divides the name into “what you have” and “what you want”: the part before the dash is the table the module reads from, and the part after it is the table it populates. So recon/domains-hosts/shodan_hostname takes the domains we already have and asks Shodan for hosts. The command therefore reads: use (I have) recon/domains - (I want) hosts/shodan_hostname.
use recon/domains-hosts/shodan_hostname
In the output, red text flags an error raised while the module ran. Green text marks each new row added to the database.
The module added hosts, so the show hosts command will display the additions. Notice that it populated the ports table as well.
show hosts
Notice that this command displays the row id, the host, the IP address, and the module that added the row.
show ports
Remove Unwanted Entries
If we want to stay within the .com domain, we need a way to remove the .hk and other out-of-scope entries.
help delete
Remember that show ports was the last command we ran, so ports was the table we viewed; the delete command takes the table name followed by the row ids to remove. Running show ports again shows that the selected rows were removed, but ONLY from the ports table. To validate that the command worked, we check the table again.
show ports
The .hk entries are still present in the hosts table: deleting from ports does not cascade to other tables, so you need to remove them from each table that holds them.
show hosts
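Deleting the same out-of-scope entries table by table is tedious once there are several tables involved. The following is an added example, not part of the original tutorial: it removes every row whose host ends in a given suffix from each table that carries a host column, in one pass over the workspace database. It assumes the recon-ng workspace keeps its data in a SQLite file (data.db under the workspace directory); the table layout below is a constructed, simplified stand-in for the hosts and ports tables, not recon-ng's full schema, and the sample rows are made up for the example.

```python
"""Added example (not from the original tutorial): delete out-of-scope entries
from every table that has a host column, in one pass.

Assumptions (not stated on the page): the workspace database is a SQLite file
(recon-ng keeps one per workspace as data.db), and the tables below are a
constructed, simplified approximation of recon-ng's hosts and ports tables.
"""
import sqlite3

# Tables carrying a 'host' column in the simplified schema used here.
HOST_TABLES = ("hosts", "ports")


def build_sample_db():
    """Constructed stand-in for a workspace data.db, populated with sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT);
        CREATE TABLE ports (ip_address TEXT, host TEXT, port TEXT,
                            protocol TEXT, module TEXT);
        """
    )
    con.executemany(
        "INSERT INTO hosts VALUES (?, ?, ?)",
        [
            ("www.example.com", "203.0.113.10", "shodan_hostname"),
            ("mail.example.com", "203.0.113.25", "shodan_hostname"),
            ("www.example.com.hk", "198.51.100.7", "shodan_hostname"),
            ("shop.example.hk", "198.51.100.9", "shodan_hostname"),
        ],
    )
    con.executemany(
        "INSERT INTO ports VALUES (?, ?, ?, ?, ?)",
        [
            ("203.0.113.10", "www.example.com", "80", "tcp", "shodan_hostname"),
            ("198.51.100.7", "www.example.com.hk", "443", "tcp", "shodan_hostname"),
            ("198.51.100.9", "shop.example.hk", "80", "tcp", "shodan_hostname"),
        ],
    )
    con.commit()
    return con


def delete_hosts_with_suffix(con, suffix, tables=HOST_TABLES):
    """Delete rows whose host ends with `suffix` from each table.

    Returns a dict of table name -> number of rows removed.  Table names cannot
    be bound as parameters, so they come only from the fixed allow-list above;
    the suffix is bound, and substr() is used instead of LIKE so that '_' or '%'
    in the suffix are matched literally rather than as wildcards.
    """
    removed = {}
    for table in tables:
        cur = con.execute(
            f"DELETE FROM {table} "
            "WHERE substr(lower(host), -length(?)) = lower(?)",
            (suffix, suffix),
        )
        removed[table] = cur.rowcount
    con.commit()
    return removed


def remaining_hosts(con, table):
    """Sorted list of the host values still present in `table`."""
    return sorted(row[0] for row in con.execute(f"SELECT host FROM {table}"))


if __name__ == "__main__":
    db = build_sample_db()
    print(delete_hosts_with_suffix(db, ".hk"))
    for t in HOST_TABLES:
        print(t, remaining_hosts(db, t))
```

Point it at a copy of the real data.db rather than the live one the first time, and compare the per-table counts it returns against show hosts and show ports inside recon-ng before trusting it on a workspace you care about.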
Exporting Data and Report Generation
Now that we have imported data from an outside source, run several modules inside recon-ng, and even deleted data from the database, it is time to create our report. There are several options to choose from; the search reporting command lists them.
search reporting
The show dashboard command lets us see which modules were used and how many times each has been run. It also shows how much information is in the database, broken out by table.
show dashboard
Some of the modules I ran are not covered in this tutorial. Figure 11 shows all the modules used. Figure 12 is a continuation of the show dashboard output; here you can see the information captured in the database. This also makes it easier to decide what to put in a report or to export.
Exporting Data
We will use the reporting/list module to create a list of IP addresses to feed into Nmap. This ties together several things we have already covered:
- Search for modules
- Show options
- Schema command
- Set command
We will then use Nmap to scan those addresses for port 80.
search reporting
use reporting/list
show options
We run show schema (only the truncated results are shown) to get the table schema. This tells us the exact table and column names the module options expect, such as the ip_address column of the hosts table.
show schema
Next, use the set command to tell recon-ng where to write the output file.
set FILENAME /location/on/file/system
Finally, run and let recon-ng generate the results. The screenshot is truncated to give you an idea of what it looks like; your mileage may vary.
run
[output truncated]
Use export_iplist.txt as the input for our Nmap scan:
- -iL read the targets from the given input list file
- -p 80 scan only port 80
- -Pn skip host discovery and treat every listed host as up (no ping)
nmap -iL export_iplist.txt -Pn -p 80
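The scan result is more useful if it feeds the next step the way recon-ng's list fed Nmap. The following is an added example, not part of the original tutorial: it pulls out the hosts that actually answered on port 80 from Nmap's grepable output, ignoring closed and filtered results. It assumes the scan was saved with Nmap's -oG flag (for example nmap -iL export_iplist.txt -Pn -p 80 -oG web_scan.gnmap); the SAMPLE_GNMAP text inside the script is constructed for the example and is not real scan output.

```python
"""Added example (not from the original tutorial): extract hosts with an open
port from nmap grepable (-oG) output.

Assumes the scan was run as, for example:
    nmap -iL export_iplist.txt -Pn -p 80 -oG web_scan.gnmap
SAMPLE_GNMAP below is a constructed sample of that format, not real output.
"""
import re

SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -iL export_iplist.txt -Pn -p 80 -oG web_scan.gnmap
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///\tIgnored State: closed (0)
Host: 203.0.113.25 (mail.example.com)\tStatus: Up
Host: 203.0.113.25 (mail.example.com)\tPorts: 80/closed/tcp//http///
Host: 203.0.113.40 ()\tStatus: Up
Host: 203.0.113.40 ()\tPorts: 80/filtered/tcp//http///
Host: 203.0.113.41 ()\tStatus: Up
Host: 203.0.113.41 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
# Nmap done (constructed sample) -- 4 IP addresses (4 hosts up) scanned
"""

# One "Ports:" line per host; the trailing "Ignored State:" field is optional.
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$"
)


def parse_gnmap(text):
    """Yield (ip, hostname, [(port, state, proto, service), ...]) per Ports: line.

    Comment lines and the separate "Status: Up" lines carry no port data and
    are skipped.  Each port entry is port/state/proto/owner/service/...; only
    the first five fields are used.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue  # malformed entry; leave it out rather than guess
            port, state, proto, _owner, service = fields[:5]
            ports.append((int(port), state, proto, service))
        yield ip, hostname, ports


def hosts_with_open_port(text, port=80):
    """Sorted IPs on which `port` is reported open; closed/filtered are excluded."""
    hits = set()
    for ip, _hostname, ports in parse_gnmap(text):
        if any(p == port and state == "open" for p, state, _proto, _svc in ports):
            hits.add(ip)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for ip in hosts_with_open_port(data):
        print(ip)
```

Run it with the .gnmap file as its only argument; without an argument it runs over the built-in sample. The list it prints is a natural input for a follow-up web scan or for a recon-ng import, closing the loop started by reporting/list.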
Create Report
This section will show you how to create an HTML report using the same data set.
use reporting/html
show options
set CREATOR Pentester
set COMPANY United Airlines
We used the set command to fill in the creator and customer properties for the report. Use the run command to execute the module.
run
Not too exciting, but the report is waiting for us in the .recon-ng folder, under the current workspace.
Let's look at that file in a browser.
The next set of figures will show the expanded results for the Summary, Domains, and Locations sections.
The Contacts section is where we could have done more with the information. One thing I like to do with this data is expand on it using the https://pipl.com website. Using Pipl we could really dig into who each of the individuals is, to craft more effective spear-phishing attacks or sales calls. Who are we kidding? We don’t do sales calls.
Look through the Vulnerabilities section. We haven’t even started a technical vulnerability assessment and we already have a place to start. OSINT for the win!
Conclusion
In this tutorial we covered Recon-ng. It can be found at https://bitbucket.org/LaNMaSteR53/recon-ng. I really enjoy working with this tool. Just playing with it can give you a better understanding of other ways to gather information about your target. It really becomes about bread crumbs. How deep can you dig into a company, email address, or person?
Areas we covered:
- Installation
- Adding API Keys
- Creating a Workspace
- Importing information into the database (grep and awk commands)
- Using Modules
- Removing unwanted entries
- Exporting data (to use with Nmap)
- Creating Reports