GCS Learn
Web Recon with Recon-NG
Author - GIGOCYBERSPACE
Republished - 22 October 2024
Recon-ng is a reconnaissance / OSINT framework with a console interface modelled on Metasploit's. Running recon-ng from the command line speeds up the recon process because it automates gathering information from open sources, and it has options to configure modules, perform recon and write the results out to different report types. Through its modules recon-ng can find the IP addresses of a target, look up publicly reported error-based SQL injection and XSS findings, locate files such as robots.txt, and collect Geo-IP, banner, DNS, port, subdomain, reverse-IP and WHOIS information, among many other things.
What is fun about Recon-ng is that:
- Recon-ng is a complete package of information-gathering tools, and it is free and open source.
- Recon-ng can be used to find the IP addresses of a target.
- Recon-ng can be used to look for error-based SQL injections.
- Recon-ng can be used to find sensitive files such as robots.txt.
- Recon-ng can be used for Geo-IP lookup, banner grabbing, DNS lookup, port scanning, subdomain information, reverse IP and WHOIS lookup.
- Recon-ng can be used to detect the Content Management System (CMS) a target web application runs.
- Recon-ng's subdomain-finder modules find the subdomains of a single domain.
- Recon-ng's port-scanner modules find open and closed ports, which tells you which services the target exposes (this is enumeration, not a way to maintain access to the server).
- Recon-ng has various modules that can be used to get information about a target.
Let's get started using Recon-ng.
But before we start, we need to be familiar with Recon-ng, so that comes first.
Step 1
Getting familiar with Recon-ng
Let us fire up Recon-ng on Kali Linux. From the recon-ng directory (Kali's packaged install also accepts plain recon-ng from anywhere), type:
./recon-ng
Now we see the banner:
_/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com
____ ____ ____ ____ _____ _ ____ ____ ____
|____] | ___/ |____| | | | |____ |____ |
| | \_ | | |____ | | ____| |____ |____
www.practisec.com
[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
[3] Recon modules
[1] Reporting modules
[1] Exploitation modules
Simply put, modules are like libraries that each perform one specific task. For instance, one recon-ng module looks up a website's previously reported XSS findings. It is like app development, where a lib folder contains different libraries for different tasks.
Now, let's get the help menu by typing:
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
Now let's create a workspace called demo (each workspace has its own database, so results from different engagements stay separate):
[recon-ng][default] > workspaces create demo
[recon-ng][demo] >
Now that we're a little used to Recon-NG, let's install it and find some targets to recon.
Step 2
Install and configure Recon-NG
Now you've probably been wondering why I use GitHub in most of my pages. There are many reasons, but some are:
It is used for storing, tracking and collaborating on software projects; it makes it easy for developers to share code files and collaborate on open-source projects; it is a platform where people from all over the world contribute ideas and code; and because the code is public, anyone can review it before running it. That last point is the one that matters for safety: clone only from the project's official repository (lanmaster53/recon-ng) and remember that public hosting on its own does not make code safe to run.
Clone Recon-NG by typing:
git clone https://github.com/lanmaster53/recon-ng.git
Cloning into 'recon-ng'...
remote: Enumerating objects: 9522, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 9522 (delta 3), reused 14 (delta 3), pack-reused 9503
Receiving objects: 100% (9522/9522), 3.06 MiB | 529.00 KiB/s, done.
Resolving deltas: 100% (4958/4958), done.
We have cloned the repository; now we install the Python packages listed in its requirements.txt file. Change into the cloned directory (cd recon-ng) and type:
~/recon-ng $ pip install -r requirements.txt
And we see all sorts of packages being installed. Most importantly, there is also a component called keys. Keys are the API keys (credentials) for third-party services such as Shodan that some modules query; you register them once with the keys command (keys add NAME VALUE, keys list) and a module that needs one will refuse to run without it. Recon-ng stores them in ~/.recon-ng/keys.db, so protect that file like any other credential store. Collecting keys can be a lot of stress, so let us use a module that does not require a key: recon/domains-vulnerabilities/xssed. Install it from the marketplace:
~/recon-ng $ ./recon-ng
[recon-ng][demo] > marketplace install recon/domains-vulnerabilities/xssed
[*] Module installed: recon/domains-vulnerabilities/xssed
[*] Reloading modules...
[recon-ng][demo] >
Step 3
Recon-NG Vulnerability Scan
This is the final step, where we look up what is already publicly known about the target site.
We're going to use the module recon/domains-vulnerabilities/xssed because it doesn't require any special keys or dependencies. Note what it actually does: it does not test the site itself but queries the xssed.com archive of user-submitted XSS and open-redirect reports. A hit therefore means someone reported an issue for that host at some point, not that it is exploitable today; the Status field is xssed.com's record at publication, so a 2011 entry marked unfixed says nothing about the site now, and "No vulnerabilities found" only means the archive has no entry for that domain. Our two targets will be Google and GIGOCYBERSPACE. This set of commands will load our demo workspace, load our recon module and run it against Google and GIGOCYBERSPACE. These are the commands:
[recon-ng][default] > workspaces
Manages workspaces
Usage: workspaces <create|list|load|remove> [...]
[recon-ng][default] > workspaces list
+----------------------------------+
| Workspaces | Modified |
+----------------------------------+
| default | 2023-01-25 16:36:40 |
| demo | 2023-01-22 05:04:30 |
| loophole | 2023-01-10 08:10:42 |
+----------------------------------+
[recon-ng][default] > workspaces load demo
[recon-ng][demo] > modules load recon/domains-vulnerabilities/xssed
[recon-ng][demo][xssed] > options set SOURCE google.com
SOURCE => google.com
[recon-ng][demo][xssed] > run
----------
GOOGLE.COM
----------
[*] Category: Redirect
[*] Example: https://accounts.google.com/o/oauth2/auth?redirect_uri=http://www.something.com
[*] Host: accounts.google.com
[*] Notes: None
[*] Publish_Date: 2012-01-13 00:00:00
[*] Reference: http://xssed.com/mirror/75532/
[*] Status: unfixed
[*] --------------------------------------------------
[*] Category: Redirect
[*] Example: http://books.google.com/search?btnI&q=http://www.yahoo.com
[*] Host: books.google.com
[*] Notes: None
[*] Publish_Date: 2011-12-21 00:00:00
[*] Reference: http://xssed.com/mirror/71083/
[*] Status: unfixed
[*] --------------------------------------------------
[*] Category: Redirect
[*] Example: http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/
[*] Host: www.google.com
[*] Notes: None
[*] Publish_Date: 2010-10-15 00:00:00
[*] Reference: http://xssed.com/mirror/67132/
[*] Status: unfixed
...
[*] --------------------------------------------------
[*] Category: XSS
[*] Example: http://finance.google.com/finance/portfolio?action=add&hash=0bdb25b244bb4501
[*] Host: finance.google.com
[*] Notes: None
[*] Publish_Date: 2007-12-03 00:00:00
[*] Reference: http://xssed.com/mirror/27391/
[*] Status: fixed
[*] --------------------------------------------------
-------
SUMMARY
-------
[*] 19 total (19 new) vulnerabilities found.
[recon-ng][demo][xssed] > options set SOURCE gigocyberspace.com
SOURCE => gigocyberspace.com
[recon-ng][demo][xssed] > run
------------------
GIGOCYBERSPACE.COM
------------------
[*] No vulnerabilites found.
[recon-ng][demo][xssed] >
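Everything above was typed interactively. The same three steps (workspace, module install, run against each target) can be driven from a resource file so the whole recon run is repeatable and its output can be triaged. The script below is an added example, not code from the original page or from the recon-ng project. It assumes recon-ng v5 is on PATH (on Kali it is; with the GitHub clone use ./recon-ng from the clone directory), that the reporting/csv module is available from the marketplace, and it feeds a constructed sample of xssed output through the triage step so it also runs on a machine without recon-ng. The workspace name demo and the two targets are the page's own; the file names and the sample output are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original page or of recon-ng itself.
# Assumes: recon-ng v5 on PATH, reporting/csv installable from the marketplace.
# File names and SAMPLE_OUTPUT below are constructed for this example.

# Emit a recon-ng resource file: one console command per line, exactly what
# you would type at the [recon-ng] prompt.  Usage: build_rc CSV_PATH DOMAIN...
build_rc() {
  csv=$1; shift
  printf 'marketplace install recon/domains-vulnerabilities/xssed\n'
  printf 'marketplace install reporting/csv\n'
  printf 'modules load recon/domains-vulnerabilities/xssed\n'
  for domain in "$@"; do
    printf 'options set SOURCE %s\n' "$domain"
    printf 'run\n'
  done
  # Dump the workspace's vulnerabilities table to CSV for later triage.
  printf 'back\n'
  printf 'modules load reporting/csv\n'
  printf 'options set TABLE vulnerabilities\n'
  printf 'options set FILENAME %s\n' "$csv"
  printf 'run\n'
  printf 'exit\n'
}

# Read recon-ng console output on stdin and print "host count" for every host
# that still has records marked unfixed, sorted by host.  Fields inside one
# xssed record are printed in alphabetical order, so Host: precedes Status:.
triage_unfixed() {
  awk '
    /^\[\*\] Host: /   { host = $3 }
    /^\[\*\] Status: / { if ($3 == "unfixed") unfixed[host]++ }
    END { for (h in unfixed) printf "%s %d\n", h, unfixed[h] }
  ' | sort
}

# Constructed sample output, shaped after the google.com run on the page.
SAMPLE_OUTPUT=$(cat <<'EOF'
[*] Category: Redirect
[*] Example: https://accounts.google.com/o/oauth2/auth?redirect_uri=http://example.invalid
[*] Host: accounts.google.com
[*] Status: unfixed
[*] --------------------------------------------------
[*] Category: XSS
[*] Example: https://accounts.google.com/sample?q=constructed
[*] Host: accounts.google.com
[*] Status: unfixed
[*] --------------------------------------------------
[*] Category: Redirect
[*] Example: http://books.google.com/search?btnI&q=http://example.invalid
[*] Host: books.google.com
[*] Status: unfixed
[*] --------------------------------------------------
[*] Category: XSS
[*] Example: http://finance.google.com/finance/portfolio?action=add
[*] Host: finance.google.com
[*] Status: fixed
[*] 4 total (4 new) vulnerabilities found.
EOF
)

# Triage the constructed sample so the parser can be seen working offline.
printf '%s\n' "$SAMPLE_OUTPUT" | triage_unfixed

# With recon-ng installed, run the whole workflow against the page's two
# targets in the demo workspace (-w loads or creates it, -r feeds the script).
if command -v recon-ng >/dev/null 2>&1; then
  tmp=${TMPDIR:-/tmp}
  build_rc "$tmp/demo-vulns.csv" google.com gigocyberspace.com > "$tmp/demo.rc"
  recon-ng -w demo -r "$tmp/demo.rc" | tee "$tmp/demo.log" | triage_unfixed
fi
```

The resource file ends with exit so recon-ng returns to the shell instead of dropping to its prompt, and the console output is kept in demo.log while the CSV holds the structured records. The triage output is a starting point for review, not a finding list: every host it names still has to be re-tested before anything is reported.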