Open source intelligence collection is a laborious process. Information related to the target organization may be available from numerous public sources, and pulling out the information relevant to our target is a difficult and time-consuming job. Recon-ng is a tool that penetration testers and ethical hackers use all the time. It is an information gathering tool on steroids. It is a very interactive tool, quite similar to the Metasploit framework. The Recon-ng framework uses many different sources to gather data, for example Google, Twitter and Shodan. Some modules require an API key before querying the website; the key can be generated by registering for it on the search engine's website. A few of these modules use paid API keys.
To use Recon-ng in Kali Linux, navigate to the Applications menu and click on the Information Gathering submenu. You will see Recon-ng listed in the right-hand pane. When the framework is up and running, you can type in "show modules" to take a look at the different modules that come with it. Some modules are passive, while others actively probe the target to extract the needed information.
When querying search engines with automated tools, the search engine may require an API key to identify who is sending the requests and to apply a quota. An automated tool works faster than a human, and by assigning an API key the usage can be tracked and the service can stop you from abusing it. So make sure you do not overwhelm the search engine, or your requests will be ignored. You can generate your API key for Bing from the following link:
The free subscription provides you with 5000 queries per month. Once the key is generated, it has to be added to the keys table of the Recon-ng tool using the following command:
keys add bing_api <api key generated>
To display all the API keys that you have stored in Recon-ng, type in the following command:
The following screenshot displays the output of the preceding command:
Domain enumeration using Recon-ng
Gathering information about the subdomains of the target website will help you identify the different contents and features of the target website. Each product or service offered by the target may have a subdomain dedicated to it. This helps organize the various contents in a coherent manner. By identifying the different subdomains, you can create a site map interconnecting the various parts and understand the flow of the website.
Sub-level and top-level domain enumeration
Using the Bing API hostname enumerator module, we will try to find additional subdomains under the fb.com website. You first need to load the module by entering the command below:
Next, type in the show info command, which will display information describing the module. Then the next step is to set the target domain in the SOURCE option:
Once you are ready, use the run command to start the module. Recon-ng first queries for a few domains, then uses the (-) directive to exclude the already queried domains and searches for additional domains again. The biggest advantage is speed; the output is also stored in a database in plain text and can be used as input to other tools such as Nmap, Metasploit and Nessus, as shown in the following screenshot:
The DNS public suffix brute forcer module is used to identify top-level domains (TLDs) and second-level domains (SLDs). Many product-based and service-based businesses have separate websites for each geographical region; you can use this brute forcing module to identify them. It uses the wordlist file from /usr/share/recon-ng/data/suffixes.txt to enumerate additional domains.
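The query-then-exclude loop described above, as an added illustration that is not Recon-ng's own code: the search engine is replaced by a constructed in-memory index so it runs offline, and the exact `site:` / `-site:` query syntax is an assumption about how the enumerator narrows each round.

```python
# Added example (not Recon-ng code): simulate a search-engine hostname enumerator
# that asks for a page of results, excludes what it already knows with "-", and
# asks again until a round returns nothing new.
from typing import List, Set

# Constructed sample index standing in for the search engine's knowledge.
FAKE_INDEX: Set[str] = {
    "www.example.com", "m.example.com", "mail.example.com",
    "dev.example.com", "static.example.com",
}
PAGE_SIZE = 2  # engines only hand back a few hits per query, hence the loop


def build_query(domain: str, known: Set[str]) -> str:
    """site:<domain> plus a -site:<host> exclusion for every host already found (assumed syntax)."""
    exclusions = " ".join(f"-site:{h}" for h in sorted(known))
    return f"site:{domain} {exclusions}".strip()


def fake_search(query: str) -> List[str]:
    """Stand-in for the Bing API: honours site:/-site: terms, returns at most PAGE_SIZE hits."""
    terms = query.split()
    domain = terms[0][len("site:"):]
    excluded = {t[len("-site:"):] for t in terms[1:] if t.startswith("-site:")}
    hits = [h for h in sorted(FAKE_INDEX) if h.endswith("." + domain) and h not in excluded]
    return hits[:PAGE_SIZE]


def enumerate_hosts(domain: str, search=fake_search, max_rounds: int = 20) -> Set[str]:
    """Repeat query -> exclude known hosts -> query until no new host appears.

    max_rounds bounds the number of API calls, which matters under a monthly quota.
    """
    found: Set[str] = set()
    for _ in range(max_rounds):
        new = set(search(build_query(domain, found))) - found
        if not new:
            break
        found |= new
    return found


if __name__ == "__main__":
    for host in sorted(enumerate_hosts("example.com")):
        print(host)
```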
Recon-ng reporting modules
Each reconnaissance module that you run stores its output in a separate table. You can export these tables in several formats such as CSV, HTML, and XML files. To view the different tables that the Recon-ng tool uses, you need to type in show and press Tab twice:
To export a table into a CSV file, load the CSV reporting module by typing in load reporting/csv.
After loading the module, set the filename and the table to be exported and type run:
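One defensive use of the exported hosts table, as an added example that is not part of Recon-ng: an attack-surface team can diff what public sources reveal against its own asset inventory and send anything unexpected for review. The sample export, the inventory and the column layout are all constructed assumptions; check the header of your own CSV before relying on the column names.

```python
# Added example (not Recon-ng code): triage a CSV export of the hosts table
# against a known-asset inventory. Column layout is an assumption.
import csv
import io
from collections import Counter
from typing import Dict, Set, Tuple

# Constructed sample export, shaped like "set TABLE hosts" followed by "run".
SAMPLE_EXPORT = """host,ip_address,region,country,latitude,longitude,notes,module
www.example.com,203.0.113.10,,,,,,bing_domain_web
m.example.com,203.0.113.11,,,,,,bing_domain_web
old-test.example.com,,,,,,,netcraft
mail.example.com,203.0.113.20,,,,,,ssl_san
legacy.example.com,198.51.100.5,,,,,,netcraft
"""

# Constructed inventory: hosts the organisation knows it operates.
KNOWN_ASSETS: Set[str] = {"www.example.com", "m.example.com", "mail.example.com"}


def parse_export(csv_text: str) -> Dict[str, Tuple[str, str]]:
    """Map host -> (ip_address, module) from the CSV export; hostnames are normalised to lowercase."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"].strip().lower(): (r["ip_address"], r["module"])
            for r in rows if r.get("host")}


def unknown_hosts(csv_text: str, inventory: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Hosts that public sources expose but the inventory does not list."""
    return {h: v for h, v in parse_export(csv_text).items() if h not in inventory}


def hosts_per_source(csv_text: str) -> Counter:
    """How many hosts each module contributed, to see which source is finding the gaps."""
    return Counter(module for _, module in parse_export(csv_text).values())


if __name__ == "__main__":
    for host, (ip, module) in sorted(unknown_hosts(SAMPLE_EXPORT, KNOWN_ASSETS).items()):
        print(f"REVIEW {host:<25} ip={ip or '-':<15} via {module}")
    print(dict(hosts_per_source(SAMPLE_EXPORT)))
```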
Additional reconnaissance modules in Recon-ng
- Netcraft hostname enumerator: Recon-ng will harvest the Netcraft website, collect all the hosts related to the target and store them in the hosts table.
- SSL SAN lookup: Many SSL-enabled websites have a single certificate that works across multiple domains by using the Subject Alternative Names (SAN) feature. This module uses the ssltools.com website to retrieve the domains listed in the SAN attribute of the certificate.
- LinkedIn authenticated contact enumerator: This retrieves the contacts from a LinkedIn profile and stores them in the contacts table.
- IPInfoDB GeoIP: This displays the geolocation of a host by using the IPInfoDB database (requires an API key).
- Yahoo! hostname enumerator: This uses the Yahoo search engine to locate hosts in the domains. Having modules for multiple search engines at your disposal can help you locate hosts and subdomains that may not have been indexed by the other search engines.
- Geocoder and reverse geocoder: These modules obtain the address for the provided coordinates using the Google Map API, and also retrieve the coordinates if an address is given. The information is then stored in the locations table.
- Pushpin modules: Using the Recon-ng pushpin modules, you can pull data from popular social networking websites, correlate it with geolocation coordinates and create maps. Two widely used modules are listed as follows:
  - Twitter geolocation search: This searches Twitter for media (photos, tweets) uploaded within a specific radius of the given coordinates.
  - Flickr geolocation search: This tries to locate photos uploaded from the area around the given coordinates.
These pushpin modules are used to map people to physical locations and to determine who was at the given coordinates at a specific time. The information collected and converted to an HTML file can be mapped onto a satellite image at the exact coordinates. Using Recon-ng, you can build a huge database of hosts, IP addresses, physical locations, and people just by using publicly available sources. Information gathering should always be done with the aim of extracting information from various public resources and identifying the critical data within it that an attacker could use to directly or indirectly target the organization.