Friday, May 6, 2016

Recon-ng

In this chapter, I am going to go over one of the most useful and powerful reconnaissance tools, named recon-ng. In earlier posts, I covered the active and passive information gathering stages and how to gather information through publicly available online services, including Nmap usage. Wouldn't it be nice if we could do most of that in a single tool, without jumping between websites for DNS queries and the other things we need?

First off, recon-ng is a reconnaissance tool which collects data from online resources like Facebook, Twitter and Shodan. It has a CLI interface that looks somewhat like SEToolkit, and the way it works is quite similar to Metasploit, although it is technically not an exploitation framework. Some of the sections of recon-ng, which we would call 'modules', require an API key to use. For those who don't know, an API key is a sort of token that lets your application connect remotely to a service, so that the service becomes directly integrated into your application. It could be a LinkedIn query, something that allows you to post an entry, or a search for a specific domain name on a website like Shodan. You can acquire your own API keys from these websites when you fill out a form describing what the application you are working on is about. You don't necessarily have to explain its functionality or how it works.

Besides the modules requiring an API key, there are several modules that need no key at all and come in handy as well. The ones I like most are the pushpin modules. With these modules, you can find images or videos shared on Flickr, Instagram, YouTube etc. inside a pre-defined radius.

Let's start off with installation. Normally, recon-ng is pre-installed in Kali Linux by default. It is also possible to run the framework's Python script on other Linux distros; for more detail, check out https://bitbucket.org/LaNMaSteR53/recon-ng.git. By the way, this framework is written in Python by Tim Tomes, a.k.a. LaNMaSteR53, and I guess he is going to keep adding new modules to it in the future. To run the framework, type 'recon-ng' and hit Enter. You'll see a screen like this.




As you can see, we have a CLI interface that somewhat resembles the SEToolkit welcome screen. Do not try typing any of the numbers you see there; they do not work. I highly recommend taking a look at the help menu, which I think can guide you. To do this, type 'help' and hit Enter.

Actually, the first thing you need to know is that things can get messy when you are dealing with hosts, domain names, contacts etc. during intelligence gathering. To keep things clear, there is a workspace concept. You can create, delete and list workspaces. By default, your prompt should read [recon-ng][default]. When you type 'workspaces' and hit Enter, you see the commands available for managing workspaces. You can create a new one with the add option, like 'workspaces add newworkspace'. As you'd probably guess, you switch into a workspace by selecting it, like 'workspaces select newworkspace'.




There are several kinds of inputs we can add, delete or change, like domains, company names, contacts, profiles etc. These normally change depending on the workspace you are working in. You can see all of them, and how they are laid out, by typing 'show schema'. Most of the inputs are directly connected to each other.




I previously mentioned API keys and how to use them. Let's first take a look at what kind of API keys can be used with recon-ng. Type 'keys list' and hit Enter. You'll see all the API keys in a table with Name and Value columns. The help for the keys command shows all the options for managing API keys: list, add and delete. Then you can play with them until you get the hang of how it works.

We just learned how to add workspaces, API keys and other types of inputs like domains, hosts and contacts. The last thing we need is to find the proper module. Just like in Metasploit, you can simply type 'show modules', or 'search ...' to find all the modules related to a specific name, such as google, resolve, jigsaw and so forth. Then type 'use' followed by the path of the module you want, for example 'use recon/hosts-hosts/resolve'. Each module has its own information about how it works and what sort of input it needs. After loading your module, type 'show options' to find out what input it takes. Every input or source can be changed as you prefer: type 'set', then the option name, then the value, which could be an email address, a domain name etc. If the module requires a specific input, you should definitely take a look at it by typing 'show inputs'. For instance, the pushpin modules work with a location, which means you will have to specify a longitude and latitude. By the way, we have modules named geocode and reverse_geocode that convert addresses to longitude and latitude parameters and vice versa. Once your inputs are valid and your API key is set (not every module requires one), type 'run' and hit Enter. Recon-ng saves everything it finds at the end of the process, and those results can serve as the input for your next run.




One of the amazing features of recon-ng is the ability to output the harvested information as reports formatted in csv, html, xlsx, xml etc. You can go ahead and load the one you want. Think of the reporting modules as modules of their own: load one, make a few alterations, and it is ready. There are a few variables, like creator and filename, that you can set as you'd like, and your report file ends up where you specified.
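The whole workflow walked through above (workspace, inputs, module, run, report) can be replayed non-interactively from a recon-ng resource file. The script below is an added example, not code from the original post or from the recon-ng project; it assumes the recon-ng 4.x console syntax ('add domains', the '-r' resource-file flag), the module names recon/domains-hosts/google_site_web, recon/hosts-hosts/resolve and reporting/csv, and constructed placeholder values for the workspace name, target domain and output path.

```shell
#!/bin/sh
# Added example (not from the original post or the recon-ng project).
# Builds a recon-ng resource file that replays the interactive session
# described above, then feeds it to the console with `recon-ng -r <file>`.
# Assumptions: recon-ng 4.x command syntax ("add domains", "-r"), the
# module names below, and placeholder workspace/domain/output values.
WORKSPACE="${1:-demo}"                # constructed placeholder
DOMAIN="${2:-example.com}"            # constructed placeholder target
OUTFILE="${3:-/tmp/recon-hosts.csv}"  # constructed placeholder path

# Emit the resource file: one console command per line, in the same order
# the post walks through them (workspace -> inputs -> module -> report).
# An API key, if a later module needed one, would be added here with
# `keys add <name> <value>` before loading that module.
build_rc() {
    cat <<EOF
workspaces add $1
workspaces select $1
add domains $2
show schema
use recon/domains-hosts/google_site_web
show options
set SOURCE $2
run
use recon/hosts-hosts/resolve
run
use reporting/csv
set TABLE hosts
set FILENAME $3
run
exit
EOF
}

RC_FILE="$(mktemp)"
build_rc "$WORKSPACE" "$DOMAIN" "$OUTFILE" > "$RC_FILE"

# Replay the session only when recon-ng is installed; otherwise leave the
# resource file in place so it can be inspected or run later.
if command -v recon-ng >/dev/null 2>&1; then
    recon-ng -r "$RC_FILE"
    echo "results written to $OUTFILE"
else
    echo "recon-ng not found; resource file saved at $RC_FILE"
fi
```

Run it as `sh recon-run.sh myworkspace example.com /tmp/hosts.csv`; the hosts table filled by google_site_web becomes the default SOURCE for resolve, which is the input chaining the post describes.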
In the next post, we will go deeper into a few of the modules and how to use them.
