Recon-ng has a look and feel similar to the Metasploit Framework and offers an easy-to-use program to gather open source intelligence.
This is a post on doing open source intelligence with recon-ng. The post is split in two parts:
Installing recon-ng on Ubuntu Linux is very easy.
How do you use recon-ng?
Open source intel with recon-ng
The best way to show recon-ng is via a use case. In this example I gather as much open source information as possible, starting with my company domain name (c[u]de[s]o.be).
Recon-ng is highly database-driven. This means that all operations start from the information that is available in the database.
But if you start with an empty database you need to inject a keyword somewhere to get recon-ng started...
Start with a workspace and one domain
I first start with a new workspace. This is not strictly necessary, but it keeps the results cleanly contained in one container. By using workspaces you can run multiple different recons without the results getting mixed up with each other.
My starting point is a domain, so I need to add this record manually to the database.
From domains to contacts
I now want to search for information starting with just domain information. Recon-ng has an easy way to list all the modules that can work further on domain information.
With SEARCH domains- we get every module that adds information starting from a domain. You can also use the search function the other way around with SEARCH -domains. This lists every module that results in domain information.
I now use the PGP search module to get contact information.
Just like in the Metasploit Framework you can get the list of options with the SET command.
This module has only one option, the SOURCE option. This option is something that you'll see in other modules as well.
Remember that earlier we mentioned that recon-ng is highly database-driven. This option lets you influence that database-driven behavior. Instead of using the database information as a starting point you can provide your own information as the starting point.
In an earlier step I added a domain manually. I could have skipped that step and used the PGP module directly, feeding it the domain manually as a source. By doing it that way, however, I would have lost the conceptual relationship "domain -> contacts".
You can easily check what information a module needs as a starting point with SHOW INFO
The information that is necessary to start the crawling of the module is set in the default query string. In this case it is "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL", so it requires a domain to start with. You can change the default (database) behavior to using a string as input, or also a file. The latter is very useful if you have multiple starting sources for a module (imagine, for example, a case where you need to conduct a recon for a customer-provided domain list).
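A simplified Python model of this SOURCE behaviour, added here as an example rather than recon-ng's own code: an in-memory SQLite stand-in for the workspace database, the default query quoted above, and a resolver that accepts default, a literal value, a file path or a custom query. The table layout and the stand-in domain -> contacts module are assumptions.

```python
import os
import sqlite3

# Default query a domain-driven module uses when SOURCE is left at "default".
DEFAULT_QUERY = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"


def new_workspace():
    """Constructed in-memory stand-in for a recon-ng workspace database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (domain TEXT)")
    db.execute("CREATE TABLE contacts (fname TEXT, lname TEXT, email TEXT)")
    return db


def add_domain(db, domain):
    """Manually add a starting record, as done with the domain in the post."""
    db.execute("INSERT INTO domains (domain) VALUES (?)", (domain,))


def resolve_source(db, source, default_query=DEFAULT_QUERY):
    """Turn a module's SOURCE option into the values the module iterates over:
    default      -> run the module's default query against the database
    query <sql>  -> run a custom SQL query instead
    <file path>  -> one value per line from a file (e.g. a customer domain list)
    anything else -> a single literal value"""
    prefix = source.split()[0].lower() if source.strip() else ""
    if prefix in ("default", "query"):
        sql = source.split(None, 1)[1] if prefix == "query" else default_query
        return [row[0] for row in db.execute(sql).fetchall() if row[0] is not None]
    if os.path.isfile(source):
        with open(source) as fh:
            return [line.strip() for line in fh if line.strip()]
    return [source]


def run_contacts_module(db, source="default"):
    """Assumed stand-in for a domain -> contacts module such as pgp_search.
    Starting from the database keeps the domain -> contacts relationship."""
    found = 0
    for domain in resolve_source(db, source):
        # Constructed result; a real module would query an external service here.
        email = f"security@{domain}"
        db.execute("INSERT INTO contacts (fname, lname, email) VALUES (?, ?, ?)",
                   (None, None, email))
        found += 1
    return found


def dashboard(db):
    """Row counts per table, like SHOW DASHBOARD."""
    return {t: db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("domains", "contacts")}
```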
Run the module and view the results
Running the module is easy with RUN
The results are immediately added to the database. You can have a look at the current content of the database with SHOW DASHBOARD
This shows that I have information on one domain and two contacts. What if I have forgotten the contact information? You can display them (as well as the information from the other groups) via SHOW CONTACTS
Expanding contact information
I'd now like to expand the contact information. What is available with SEARCH CONTACTS-?
The hibp_ modules can get me useful credential information that is made available via (previous) account breaches. First I want an overview of which breaches hold useful information for my search
This search returns one breach (the Adobe hack) which includes useful account information.
I now search for the pasties where this information was kept. These pasties sometimes hold additional useful information. By default hibp_paste will attempt to download the pastie.
You can disable this with the option SET DOWNLOAD False.
The module has found a couple of pasties but unfortunately they have been deleted.
Extending the credentials
What options are available to extend the credentials? I search for the modules that can use credentials as input and output with SEARCH CREDENTIALS:
For the purpose of this demo I assume a hash was found in a previous run. For this example I add a hash (that could, for example, have been found through the pasties information) manually to a record. To do this I use the QUERY command
I'll query for matches on this hash. To do so I have to supply an API key.
Adding API keys for modules
Some modules access public resources via an API and therefore require an API key. You need to add this API key to recon-ng with the command keys add.
Now that an API key is set we can use the module to extend the credential information.
The above command shows that a match for the hash is found in the database of hashes.org. The matching password is immediately added to the credentials table.
Social media profiles
By using the Fullcontact module I'm able to get an overview of other available social media profiles for the accounts that were previously found. Note that this module also requires an API key.
You can expand the profiling information for the different users with other modules. Just do a search for everything that extends profiles with SEARCH profiles.
End of part 1
This is the first part of a post on doing open source intelligence with recon-ng. This part focused on gathering open source information for user accounts. The second part on recon-ng focuses on gathering domain and host information.