I think the very first module we should start off with could be Hostname Resolver. You can find it under 'recon/hosts-hosts/resolve'. How it works is quite simple: it resolves domain names to IP addresses. For every module, right before you run it, you can go ahead and read through the info section and check the input type by typing show inputs. Every time you add a specific input, which is a host in this case, you should type set source and then add the host name right there. For this demonstration, I am going to run this module with yahoo.com. You can see two newly found hosts below. It automatically outputs the result at the end and saves all of them for later use. The show hosts command lists every host you have found, including the last one. You don't necessarily have to keep every single piece of information. It is easy to remove some of it: just type 'delete', the table name and the row id. For example, delete hosts 2.
Reverse Resolver is another tool that looks up each IP address to resolve its hostname. This time, the input type will be an IP address and the output type will be domain names. So what it basically does is the exact opposite of what Hostname Resolver does. You can observe that it updates the hosts table, adding some hostnames, after it is done.
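To make the forward/reverse workflow of these two modules concrete, here is an added example in Python that is not part of the post or of Recon-ng itself. It keeps a tiny in-memory "hosts" table (Recon-ng stores its results in SQLite, but the schema, the `HostsTable` class and the `live_forward`/`live_reverse`/`fake_*` helper names are my own assumptions), resolves a source host, feeds the discovered IPs back into a reverse lookup, and deletes a row by its id, the same way delete hosts 2 does. The lookup functions are injectable so the example runs offline against constructed answers.

```python
import socket
import sqlite3
from typing import Callable, Dict, List, Tuple

# Constructed DNS answers (documentation range 192.0.2.0/24) so the example
# runs without network access. They stand in for live lookups.
FAKE_FORWARD: Dict[str, List[str]] = {"example.com": ["192.0.2.10", "192.0.2.11"]}
FAKE_REVERSE: Dict[str, str] = {"192.0.2.10": "www.example.com",
                                "192.0.2.11": "mail.example.com"}


def fake_forward(host: str) -> List[str]:
    return FAKE_FORWARD.get(host, [])


def fake_reverse(ip: str) -> str:
    return FAKE_REVERSE.get(ip, "")


def live_forward(host: str) -> List[str]:
    """Hostname -> list of IPv4 addresses via the system resolver."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> str:
    """IP address -> PTR hostname via the system resolver, '' if none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


class HostsTable:
    """Minimal stand-in for Recon-ng's hosts table (assumed schema)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE hosts (host TEXT, ip_address TEXT, UNIQUE(host, ip_address))")

    def add(self, host: str, ip: str) -> int:
        # INSERT OR IGNORE keeps the table free of duplicate rows; rowcount is 1 for new.
        cur = self.db.execute("INSERT OR IGNORE INTO hosts VALUES (?, ?)", (host, ip))
        return cur.rowcount

    def resolve(self, source: str,
                forward: Callable[[str], List[str]] = live_forward) -> int:
        """Hostname Resolver: store every IP the source resolves to. Returns new rows."""
        return sum(self.add(source, ip) for ip in forward(source))

    def reverse_resolve(self, reverse: Callable[[str], str] = live_reverse) -> int:
        """Reverse Resolver: look up every stored IP and add the hostnames found."""
        ips = [row[0] for row in self.db.execute(
            "SELECT DISTINCT ip_address FROM hosts WHERE ip_address != ''").fetchall()]
        new = 0
        for ip in ips:
            name = reverse(ip)
            if name:
                new += self.add(name, ip)
        return new

    def show(self) -> List[Tuple[int, str, str]]:
        """Equivalent of 'show hosts': rowid, host, ip_address."""
        return self.db.execute(
            "SELECT rowid, host, ip_address FROM hosts ORDER BY rowid").fetchall()

    def delete(self, rowid: int) -> int:
        """Equivalent of 'delete hosts <rowid>'. Returns rows removed."""
        return self.db.execute("DELETE FROM hosts WHERE rowid = ?", (rowid,)).rowcount


if __name__ == "__main__":
    table = HostsTable()
    table.resolve("example.com", forward=fake_forward)
    table.reverse_resolve(reverse=fake_reverse)
    for row in table.show():
        print(row)
```

Swap `fake_forward`/`fake_reverse` for the defaults to query real DNS; the point of the injection is that the table logic can be tested without touching the network.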
The next module is Bing API Hostname Enumerator. As you would guess, it requires an API key to run. This module collects all subdomains for a target address. I kept yahoo.com as an example and ran the module. Now we have 135 new subdomains. As it says itself, the whole process is conducted through bing.com.
A domain name has three parts: the subdomain, which we just learned how to get, the second level domain and the top level domain.
One of the practical tools you would find useful is DNS Public Suffix Brute Forcer. This module brute-forces a list of TLD and SLD names on a domain to find the ones that are up and running. I set my source to xml.com for this one. As far as I remember, it took a while to fully complete. There must be a lot of TLD and SLD extensions in the list. Again, after it is done you can go ahead and list all of them by typing show domains.
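The two paragraphs above (domain parts, then the suffix brute forcer) fit one added example, written by me in Python and not taken from Recon-ng. It splits a hostname into subdomain, SLD and TLD against a public suffix list, then builds the candidate list that a suffix brute forcer checks for a given label. The suffix list here is a constructed handful of entries (the real public suffix list is thousands of lines, which is why the module takes a while), and `split_domain`, `suffix_candidates` and `live_domains` are my own function names; the liveness check is a callable so the example runs offline.

```python
from typing import Callable, List, Optional, Tuple

# Constructed subset of the public suffix list; the real list is far longer.
PUBLIC_SUFFIXES: List[str] = ["com", "org", "net", "co.uk", "org.uk", "com.tr", "edu.tr"]


def split_domain(host: str, suffixes: List[str] = PUBLIC_SUFFIXES
                 ) -> Optional[Tuple[str, str, str]]:
    """Return (subdomain, sld, tld) using the longest matching public suffix.

    Returns None when the host is itself a suffix or matches no suffix at all.
    """
    labels = host.strip(".").lower().split(".")
    best: Optional[List[str]] = None
    for suffix in suffixes:
        parts = suffix.split(".")
        # The host must have at least one label left over to be the SLD.
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            if best is None or len(parts) > len(best):
                best = parts
    if best is None:
        return None
    rest = labels[:-len(best)]
    return ".".join(rest[:-1]), rest[-1], ".".join(best)


def suffix_candidates(label: str, suffixes: List[str] = PUBLIC_SUFFIXES) -> List[str]:
    """Every <label>.<suffix> combination a suffix brute forcer would test."""
    return [f"{label}.{suffix}" for suffix in suffixes]


def live_domains(label: str, is_live: Callable[[str], bool],
                 suffixes: List[str] = PUBLIC_SUFFIXES) -> List[str]:
    """Keep only the candidates for which is_live() (e.g. a DNS lookup) succeeds."""
    return [d for d in suffix_candidates(label, suffixes) if is_live(d)]


if __name__ == "__main__":
    print(split_domain("www.mail.example.co.uk"))
    # Constructed liveness oracle standing in for DNS resolution.
    print(live_domains("xml", lambda d: d in {"xml.com", "xml.org"}))
```

In real use the `is_live` callable would be a DNS lookup (for instance `socket.gethostbyname` wrapped in a try/except); keeping it injectable is what lets the splitting and candidate logic be unit-tested without network access.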
The next module is Namecheck.com Username Validator. Although you can collect this type of information by simply going over to bing.com, namecheck.com, etc., it would be pretty difficult to sift through that amount of data. How it functions is that it simply asks plenty of social networking websites whether a given username exists or not. I supposed the 'Robinn' nickname would exist on most websites, so I put the name 'Robinn' as the source and then fired up the module. You can see it finally found sixty-three profiles with URL addresses in 30 seconds. In this case, the output type is profile, which can be seen in the profiles table. You should type show profiles and scroll through the list to see all of them.
Another tool you can make good use of is Whois Data Miner. By the way, most of the modules in Recon-ng are written by Tim Tomes in Python. He created a platform for this framework to make it better. There are issues faced and discussions you can be part of. The link is here. Let's get back to where we were. Whois Data Miner helps you find locations and netblocks, which makes it easier to figure out the IP range of a host. When you don't know what type of input it needs, you should take a look at the module's description: just type show info and read the input section. Apparently, what we need is a company name. I am going to go with 'BMW' to see what comes up. You can also randomly put in company names to try it out. By the way, I did not find any information about Suzuki.
In the last example I prepared, we are going to convert an actual address to geo coordinate format and then use that info in the flickr pushpin module to obtain images shared in a particular location. For this example, I picked Sabanci University, located in Turkey. The very first thing you need to do is acquire the address. You can take advantage of Google or the official website of the organisation you work on. First off, what we are going to do is use Address Geocoder, which you can find under the recon/locations-locations directory. Set the source with that address and run the module. There are supposed to be latitude and longitude values in the results. The next step is to load the flickr module. You can simply search for its name or just type recon/locations-pushpins/flickr. I kept the radius value as it was. You should run show inputs to make sure your inputs are ok before you run the module.
One of the great features Recon-ng has is that you can get fine reports of what you gather. Lastly, let's prepare a report to see the images we got. You can have a look at the seven report types in Recon-ng. I think report functions can be dealt with as modules: you can load and run them as you do with other modules. After you set the latitude, longitude and radius values, run it and eventually you have a nice-looking HTML-formatted report.
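The pushpin step and the report step above share one added example, written by me in Python and not taken from Recon-ng or the Flickr API. It shows what the latitude/longitude/radius inputs actually do: each pushpin is kept or dropped by its great-circle distance from the centre point (haversine formula), and the survivors are rendered as an HTML table. The pushpin records and their coordinates are constructed, not real Flickr data, and `haversine_km`, `within_radius` and `html_report` are my own names. One detail worth copying into any report generator: titles and URLs come from third-party sites, so they are HTML-escaped before being written into the page, otherwise a crafted photo title could inject markup or script into the report you open in your browser.

```python
import html
import math
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0

# Constructed pushpins; coordinates and URLs are made up for the example.
PUSHPINS: List[Dict] = [
    {"source": "flickr", "title": "campus gate", "lat": 40.9000, "lon": 29.3800,
     "url": "https://example.invalid/photo/1"},
    {"source": "flickr", "title": "library", "lat": 40.9010, "lon": 29.3815,
     "url": "https://example.invalid/photo/2"},
    # A hostile title: must never reach the report unescaped.
    {"source": "flickr", "title": "far away <script>alert(1)</script>", "lat": 41.0500,
     "lon": 28.9800, "url": "https://example.invalid/photo/3"},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def within_radius(pins: List[Dict], lat: float, lon: float, radius_km: float) -> List[Dict]:
    """Pushpins no farther than radius_km from (lat, lon), nearest first."""
    kept = []
    for pin in pins:
        d = haversine_km(lat, lon, pin["lat"], pin["lon"])
        if d <= radius_km:
            kept.append(dict(pin, distance_km=round(d, 3)))
    return sorted(kept, key=lambda p: p["distance_km"])


def html_report(pins: List[Dict]) -> str:
    """Render pushpins as an HTML table, escaping every untrusted field."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{:.3f}</td><td><a href=\"{}\">photo</a></td></tr>".format(
            html.escape(p["source"]), html.escape(p["title"]),
            p["distance_km"], html.escape(p["url"], quote=True))
        for p in pins)
    return ("<html><body><table><tr><th>source</th><th>title</th>"
            "<th>km</th><th>url</th></tr>" + rows + "</table></body></html>")


if __name__ == "__main__":
    # Constructed centre point and a 1 km radius, as set via the module inputs.
    hits = within_radius(PUSHPINS, 40.9, 29.38, 1.0)
    print(html_report(hits))
```

The radius filter is the same kind of logic the module applies before anything reaches the pushpins table; the escaping in `html_report` is the part to keep in mind whenever recon output from untrusted sources is turned into a document you will open locally.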