Thursday, May 26, 2016

Recon-ng 2

The previous post was mainly about Recon-ng: how it works, the input types, how inputs are related to each other and so forth. This time the focus will be entirely on modules. There are lots of modules in it, and although a few of them require API keys, there are still plenty you can run without one. My recommendation is to spend some time with every single one of them; covering all of them here would be far too time-consuming, so we will just go over a few. Let's get started.

I think the very first module we should start with is the Hostname Resolver, which you can find under 'recon/hosts-hosts/resolve'. How it works is quite simple: it resolves domain names to IP addresses. For every module, right before you run it, read through the info section and check the input type by typing 'show inputs'. Whenever you want to add a specific input, which is a host in this case, type 'set source' followed by the host name. For this demonstration I ran this module with yahoo.com. You can see two newly found hosts below. The module prints the result at the end and saves all of it for later use. The 'show hosts' command lists every host you have found, including the latest ones. You don't necessarily have to keep every piece of information; it is easy to remove some of it. Just type 'delete', the table name and the row id. For example, delete hosts 2.

The Reverse Resolver is another module; it looks up each IP address to find its hostname. This time the input type is an IP address and the output type is domain names, so what it does is the exact opposite of the Hostname Resolver. You can observe that it updates the hosts table, adding some hostnames, once it is done.
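To make the forward and reverse lookups and the hosts table concrete, here is an added example that is not Recon-ng's own code: a tiny SQLite-backed stand-in for a workspace with only the host, ip_address and module columns, a resolve step that replaces each unresolved host row with one row per address, a reverse step that adds whatever new names come back from PTR lookups, and the 'delete hosts <rowid>' equivalent. The DNS answers are a constructed dictionary (documentation addresses from 203.0.113.0/24) so the example runs offline; the live_forward and live_reverse helpers use the system resolver and are only there to show where a real lookup would plug in.

```python
import socket
import sqlite3
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed DNS data so the example runs offline; every name and address below is
# made up for illustration (203.0.113.0/24 is reserved for documentation).
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "mail.example.com": ["203.0.113.25"],
}
FAKE_RDNS: Dict[str, str] = {
    "203.0.113.10": "www.example.com",
    "203.0.113.25": "mail.example.com",
    "203.0.113.99": "vpn.example.com",  # only discoverable through a reverse lookup
}


def live_forward(host: str) -> List[str]:
    """Forward lookup through the system resolver (not used by the offline demo)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


class Workspace:
    """Minimal stand-in for a Recon-ng workspace: a SQLite database with a hosts table."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, module TEXT)")

    def add_host(self, host: str, ip: Optional[str] = None, module: str = "user") -> bool:
        """Insert a (host, ip) pair unless it is already present; True when a row was added."""
        # 'IS' compares NULL-safely, so an unresolved host is not stored twice either
        if self.db.execute("SELECT 1 FROM hosts WHERE host = ? AND ip_address IS ?", (host, ip)).fetchone():
            return False
        self.db.execute("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", (host, ip, module))
        return True

    def show_hosts(self) -> List[Tuple[int, str, Optional[str], str]]:
        """Equivalent of 'show hosts': every row together with its rowid."""
        return self.db.execute("SELECT rowid, host, ip_address, module FROM hosts ORDER BY rowid").fetchall()

    def delete(self, table: str, rowid: int) -> int:
        """Equivalent of 'delete hosts <rowid>'; returns the number of rows removed."""
        if table != "hosts":
            raise ValueError(f"unknown table {table!r}")
        return self.db.execute("DELETE FROM hosts WHERE rowid = ?", (rowid,)).rowcount

    def resolve(self, forward: Callable[[str], List[str]] = live_forward) -> int:
        """Hostname Resolver: replace each host row without an address by one row per address."""
        added = 0
        for rowid, host in self.db.execute("SELECT rowid, host FROM hosts WHERE ip_address IS NULL").fetchall():
            ips = forward(host)
            if not ips:
                continue  # keep the unresolved row so you can still see what did not resolve
            self.db.execute("DELETE FROM hosts WHERE rowid = ?", (rowid,))
            for ip in ips:
                added += self.add_host(host, ip, "resolve")
        return added

    def reverse_resolve(self, reverse: Callable[[str], Optional[str]] = live_reverse,
                        ips: Optional[Iterable[str]] = None) -> int:
        """Reverse Resolver: look up a hostname for each address and add the ones that are new."""
        if ips is None:  # default source: every address already in the hosts table
            ips = [row[0] for row in self.db.execute(
                "SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL")]
        added = 0
        for ip in ips:
            name = reverse(ip)
            if name:
                added += self.add_host(name, ip, "reverse_resolve")
        return added
```

A practical detail worth copying from the framework: a host that fails to resolve keeps its row with an empty address, so the table tells you both what resolved and what did not, and a second run of the module only retries the unresolved rows.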

The next module is the Bing API Hostname Enumerator. As you would guess, it requires an API key to run. This module collects subdomains for a target domain. I kept yahoo.com as the example and ran the module; now we have 135 new subdomains. As the module description says, the whole process is conducted through bing.com.

A domain name has three parts: the subdomain, which we just learned how to enumerate, the second-level domain (SLD) and the top-level domain (TLD).

One of the practical modules you will find useful is the DNS Public Suffix Brute Forcer. This module brute-forces a list of TLD and SLD suffixes on a domain to find the ones that are up and running. I set my source to xml.com for this one. As far as I remember, it took a while to complete fully; there must be a lot of TLD and SLD suffixes in the list. Again, after it is done you can list all of them by typing 'show domains'.
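The two paragraphs above, the three parts of a domain name and the suffix brute force, are illustrated by this added example, which is not the module's own code. It splits a name into subdomain, SLD and public suffix using the longest matching suffix (so 'bbc.co.uk' gives SLD 'bbc', not 'co'), then keeps the SLD and tries every suffix from the list, reporting the candidates that resolve. Both the public-suffix fragment and the DNS answers are constructed so the example runs offline; live_resolve shows where the system resolver would be used instead.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed fragment of the public suffix list; the real list has thousands of entries.
PUBLIC_SUFFIXES: List[str] = ["com", "net", "org", "co.uk", "com.tr", "edu.tr"]

# Constructed answers standing in for live DNS so the example runs offline
# (addresses are from the documentation ranges, names are made up).
FAKE_DNS: Dict[str, List[str]] = {
    "xml.com": ["203.0.113.5"],
    "xml.org": ["198.51.100.7"],
    "xml.com.tr": ["192.0.2.44"],
}


def live_resolve(host: str) -> List[str]:
    """Forward lookup through the system resolver (not used by the offline demo)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def split_domain(name: str, suffixes: List[str] = PUBLIC_SUFFIXES) -> Tuple[str, str, str]:
    """Split a name into (subdomain, second-level domain, public suffix).

    The longest suffix present in the list wins, so 'bbc.co.uk' yields
    ('', 'bbc', 'co.uk') rather than treating 'co' as the SLD.
    """
    labels = name.lower().strip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in suffixes:
            return ".".join(labels[:-n - 1]), labels[-n - 1], suffix
    raise ValueError(f"no known public suffix in {name!r}")


def brute_force_suffixes(domain: str, suffixes: List[str] = PUBLIC_SUFFIXES,
                         resolve: Callable[[str], List[str]] = live_resolve) -> Dict[str, List[str]]:
    """DNS Public Suffix Brute Forcer: keep the SLD, try every suffix, return what resolves."""
    _, sld, _ = split_domain(domain, suffixes)
    found: Dict[str, List[str]] = {}
    for suffix in suffixes:
        candidate = f"{sld}.{suffix}"
        ips = resolve(candidate)
        if ips:
            found[candidate] = ips
    return found
```

Keeping the resolved addresses next to each hit is useful on the defensive side: a sibling domain that resolves to your own address space is probably yours, while one pointing elsewhere is a candidate for a lookalike registration worth reviewing. Expect some noise as well, since a registry that answers for every name under its suffix will make every candidate look alive.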

The next module is the Namecheck.com Username Validator. Although you could collect this kind of information by simply going over to bing.com, namecheck.com and so on yourself, sifting through that amount of data would be pretty difficult. The module simply asks a large number of social networking websites whether a given username exists. I supposed the nickname 'Robinn' would exist on most websites, so I set 'Robinn' as the source and fired up the module. You can see it found sixty-three profiles with URL addresses in 30 seconds. In this case the output type is profile, which is stored in the profiles table. Type 'show profiles' and scroll through the list to see all of them.

Another module you can make good use of is the Whois Data Miner. By the way, most of the modules in Recon-ng were written by Tim Tomes in Python. He created a platform for this framework to make it better, with issues and discussions you can be part of. Link is here. Let's get back to where we were. The Whois Data Miner helps you find locations and netblocks, which makes it easier to figure out the IP range of a host. When you don't know what kind of input a module needs, take a look at the module's description: type 'show info' and read the input section. Apparently, what we need is a company name. I am going with 'BMW' to see what comes up; you can also try random company names. By the way, I did not find any information about Suzuki.

In the last example I prepared, we are going to convert an actual address to geographic coordinates and then use that information in the Flickr pushpin module to obtain images shared at a particular location. For this example I picked Sabanci University, located in Turkey. The very first thing you need to do is acquire the address; you can take advantage of Google or the official website of the organisation you are working on. First, use the Address Geocoder, which you can find under the recon/locations-locations directory. Set the source to that address and run the module; there should be latitude and longitude values in the results. The next step is to load the Flickr module: search for it by name or just type 'use recon/locations-pushpins/flickr'. I kept the radius value as it was. Run 'show inputs' to make sure your inputs are OK before you run the module.

One of the great features of Recon-ng is that you can get fine reports of what you gather. Lastly, let's prepare a report to see the images we got. There are seven report types in Recon-ng, and the report functions can be treated as modules: you load and run them just as you do other modules. After you set the latitude, longitude and radius values, run it and you eventually have a nice-looking HTML-formatted report.
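The pushpin step and the report step above share one added example, which is not Recon-ng's code: a haversine distance function selects the pushpins inside a radius of a latitude/longitude pair, and a small HTML report is rendered from the selection. The pushpin rows are constructed (made-up coordinates, users and URLs), and one of them carries markup in its message and one a non-http link, because everything in a pushpin table was written by strangers on a social network and must be escaped before it is placed in a report you will open in a browser.

```python
import html
import math
from typing import Dict, List
from urllib.parse import urlsplit

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed pushpin rows: coordinates, names and text are made up. 'alice' carries
# markup and 'eve' a javascript: URL to show why the report must not trust its data.
PUSHPINS: List[Dict] = [
    {"source": "flickr", "screen_name": "alice", "latitude": 40.000, "longitude": 29.000,
     "message": "campus <b>view</b>", "media_url": "https://media.example.invalid/1.jpg"},
    {"source": "flickr", "screen_name": "bob", "latitude": 40.009, "longitude": 29.000,
     "message": "library", "media_url": "https://media.example.invalid/2.jpg"},
    {"source": "flickr", "screen_name": "carol", "latitude": 40.000, "longitude": 29.100,
     "message": "lakeside", "media_url": "https://media.example.invalid/3.jpg"},
    {"source": "flickr", "screen_name": "dave", "latitude": 41.000, "longitude": 29.000,
     "message": "ferry", "media_url": "https://media.example.invalid/4.jpg"},
    {"source": "flickr", "screen_name": "eve", "latitude": 40.001, "longitude": 29.000,
     "message": "gate", "media_url": "javascript:alert(1)"},
]


def within_radius(pins: List[Dict], lat: float, lon: float, radius_km: float) -> List[Dict]:
    """Return the pins within radius_km of (lat, lon), nearest first, with the distance attached."""
    hits = []
    for pin in pins:
        d = haversine_km(lat, lon, pin["latitude"], pin["longitude"])
        if d <= radius_km:
            hits.append({**pin, "distance_km": round(d, 3)})
    return sorted(hits, key=lambda p: p["distance_km"])


def safe_link(url: str, text: str) -> str:
    """Only http(s) URLs become clickable; anything else is shown as escaped text."""
    if urlsplit(url).scheme in ("http", "https"):
        return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'
    return html.escape(f"{text} ({url})")


def html_report(pins: List[Dict], lat: float, lon: float, radius_km: float) -> str:
    """Render the selected pushpins as a small HTML table with every field escaped."""
    rows = []
    for p in within_radius(pins, lat, lon, radius_km):
        rows.append(
            "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
                html.escape(p["source"]), html.escape(p["screen_name"]),
                html.escape(p["message"]), safe_link(p["media_url"], "media"),
                p["distance_km"]))
    return (
        "<!DOCTYPE html><html><body>"
        f"<h1>Pushpins within {radius_km:g} km of {lat:.4f}, {lon:.4f}</h1>"
        "<table><tr><th>source</th><th>user</th><th>message</th><th>link</th><th>km</th></tr>"
        + "".join(rows) + "</table></body></html>"
    )
```

The radius option is a straight great-circle distance, so a 1 km radius around a campus catches the campus and little else, while a large radius around a city centre mostly produces noise; tighten it before generating the report rather than after.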

Friday, May 6, 2016

Recon-ng

In this chapter I am going to go over one of the most useful and powerful reconnaissance tools, recon-ng. In earlier posts I covered the active and passive information gathering stages and how to gather information through publicly available online services, including Nmap usage. Wouldn't it be nice if we could do most of that in a single tool, without going to websites for DNS queries and the other things we need?

First off, recon-ng is a reconnaissance tool that collects data from online resources like Facebook, Twitter and Shodan. It has a CLI that looks somewhat like SEToolkit, and the way it works is quite similar to Metasploit, although it is technically not an exploitation framework. Some sections of recon-ng, what we call 'modules', require an API key to use. For those who don't know, an API key is a credential that lets your application connect to a remote service so that the service becomes directly integrated into your application. It could be a LinkedIn query, something that lets you post an entry, or a search for a specific domain name on a website like Shodan. You can acquire your own API keys from these websites by filling out a form describing what the application you are working on is about; you don't necessarily have to explain its functionality and how it works.

Besides the modules that require an API key, there are several freely usable modules that come in handy as well. The ones I like most are the pushpin modules. With these you can find images or videos shared on Flickr, Instagram, YouTube etc. within a pre-defined radius.

Let's start with installation. Recon-ng comes pre-installed in Kali Linux by default. It is also possible to run the framework's Python file on other Linux distributions; for more detail, see https://bitbucket.org/LaNMaSteR53/recon-ng.git. By the way, this framework was written in Python by Tim Tomes, a.k.a. LaNMaSteR53, and I guess he will keep adding new modules to it in the future. To run the framework, type 'recon-ng' and press Enter. You'll see a screen like this.

As you can see, we have a CLI that somewhat resembles the SEToolkit welcome screen. Do not try entering any of the numbers you see there; they do not work. I highly recommend taking a look at the help menu, which can guide you: type 'help' and press Enter.

Actually, the first thing you need to know is that things can get messy dealing with hosts, domain names, contacts etc. when you do intelligence gathering. To keep things organised there is the workspace concept: you can create, delete and list workspaces. By default your prompt reads [recon-ng][default]. When you type 'workspaces' and press Enter, you see the commands that go with workspaces. You can create a new one with the add option, e.g. 'workspaces add newworkspace', and, as you'd probably guess, you switch to a workspace by selecting it: 'workspaces select newworkspace'.

There are several kinds of inputs we can add, delete or change, such as domains, company names, contacts and profiles. These belong to the workspace you are working in. You can see all of them by typing 'show schema'. Most inputs are directly connected to each other.

I mentioned API keys above and how to use them. Let's first take a look at what kinds of API keys can be used with recon-ng: type 'keys list' and press Enter. You'll see the full list of APIs in a table of Name and Value, along with the commands for managing keys; the usage section has list, add and delete options. Then you can play with them until you get the hang of how it works.

We just learned how to add workspaces, API keys and other kinds of inputs like domains, hosts and contacts. The last thing we need is to find the right module. Just like in Metasploit, you can type 'show modules', or 'search ...' to list all the modules related to a specific name, such as google, resolve or jigsaw. Then type 'use' followed by the directory of the module you want, for example use recon/hosts-hosts/resolve. Each module has its own information about how it works and what sort of input it needs. After loading a module, type 'show options' to find out what input it takes. Every input or source can be changed as you prefer: type 'set', the option name and then the value, which could be an email address, a domain name etc. If it is a module that requires a specific input, look at the input by typing 'show inputs'. For instance, the pushpin modules work with a location, which means you have to specify longitude and latitude. By the way, there are modules named geocode and reverse_geocode that convert addresses to longitude and latitude and vice versa. Once your inputs are valid and your API key is set, which is not required for every module, type 'run' and press Enter. Recon-ng saves all information at the end of the process, and the results you get can be the input for your next step.
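The load, 'show options', 'set', 'show inputs', 'run' cycle described above is modelled by this added example, which is not Recon-ng's own code. A Module carries its options (with a required flag), the API key names it needs and a worker callable that does the actual lookup; run refuses to start while a required option or key is missing, resolves the SOURCE option the way the paragraph describes (the workspace's default query, a file of values, or a single literal value) and collects the worker's results without duplicates. The module path, key name and worker here are constructed for the demonstration and the "index" it consults is a made-up dictionary, so it runs offline.

```python
import os
from typing import Any, Callable, Dict, Iterable, List, Optional


class ModuleError(Exception):
    """Raised when a module cannot run: unknown option, unset option or missing API key."""


class Module:
    """Skeleton of a module's option / input / run cycle (assumed structure, not Recon-ng's)."""

    def __init__(self, path: str, description: str,
                 worker: Callable[[str, Dict[str, Any]], List[str]],
                 required_keys: Iterable[str] = (),
                 default_query: Optional[Callable[[], List[str]]] = None,
                 options: Optional[Dict[str, tuple]] = None) -> None:
        self.path = path
        self.description = description
        self.worker = worker
        self.required_keys = tuple(required_keys)
        self.default_query = default_query  # what SOURCE=default pulls from the workspace
        # option name -> [current value, required?, description]
        self.options: Dict[str, list] = {"SOURCE": ["default", True, "source of input ('show inputs')"]}
        for name, (value, required, desc) in (options or {}).items():
            self.options[name.upper()] = [value, required, desc]

    def show_options(self) -> List[tuple]:
        """Equivalent of 'show options': name, current value, required, description."""
        return [(n, v[0], "yes" if v[1] else "no", v[2]) for n, v in self.options.items()]

    def set(self, name: str, value: Any) -> None:
        """Equivalent of 'set <option> <value>'."""
        key = name.upper()
        if key not in self.options:
            raise ModuleError(f"unknown option {name!r}")
        self.options[key][0] = value

    def show_inputs(self) -> List[str]:
        """Resolve SOURCE: the default query, a file with one value per line, or a literal."""
        src = str(self.options["SOURCE"][0])
        if src == "default":
            if self.default_query is None:
                raise ModuleError("module has no default source; set SOURCE explicitly")
            return self.default_query()
        if os.path.isfile(src):
            with open(src, encoding="utf-8") as fh:
                return [line.strip() for line in fh if line.strip()]
        return [src]

    def run(self, keys: Dict[str, str]) -> List[str]:
        """Equivalent of 'run': validate keys and options, then apply the worker to each input."""
        missing_keys = [k for k in self.required_keys if not keys.get(k)]
        if missing_keys:
            raise ModuleError("API key(s) required: " + ", ".join(missing_keys))
        unset = [n for n, v in self.options.items() if v[1] and v[0] in (None, "")]
        if unset:
            raise ModuleError("required option(s) unset: " + ", ".join(unset))
        values = {n: v[0] for n, v in self.options.items()}
        results: List[str] = []
        for item in self.show_inputs():
            for r in self.worker(item, values):
                if r not in results:  # the framework deduplicates what it stores
                    results.append(r)
        return results


# Constructed stand-in for a search-engine index (hostname enumerator style worker).
FAKE_INDEX: Dict[str, List[str]] = {
    "example.com": ["www.example.com", "mail.example.com", "www.example.com"],
}


def fake_enum_worker(domain: str, opts: Dict[str, Any]) -> List[str]:
    """Hypothetical worker: returns indexed subdomains, honouring an optional LIMIT."""
    subs = FAKE_INDEX.get(domain, [])
    limit = int(opts.get("LIMIT") or 0)
    return subs[:limit] if limit else subs


def make_demo_module() -> Module:
    """Hypothetical module path and key name, chosen for the demo only."""
    return Module("recon/domains-hosts/example_enum", "Subdomain enumerator via a (fake) index",
                  worker=fake_enum_worker, required_keys=("example_api",),
                  default_query=lambda: ["example.com"],
                  options={"LIMIT": (0, False, "maximum results per domain (0 = all)")})


def try_run(module: Module, keys: Dict[str, str]) -> Optional[str]:
    """Run a module and return the error message instead of raising, for quick checks."""
    try:
        module.run(keys)
        return None
    except ModuleError as exc:
        return str(exc)
```

The ordering of the checks matters in practice: validating keys and required options before touching the network means a mistyped SOURCE or a forgotten key fails immediately instead of after a long, partially completed run.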

One of the amazing features of Recon-ng is the ability to output the harvested information as reports formatted as CSV, HTML, XLSX, XML etc. You can go ahead and load the one you want. Consider them as a sort of module: load them, make some alterations and they are ready. There are a few variables such as creator and filename which you can set as you like, and your report file eventually ends up where you specified.

In the next post, we will go deeper into a few modules and how to use them.