Recon-ng is an open-source reconnaissance tool used in cybersecurity. It is a powerful web reconnaissance framework written in Python that automates the process of gathering information about a target. This tutorial covers the basic usage of Recon-ng and its modules, step by step.
Recon-ng Definition
Recon-ng is a very popular, free and open-source, full-featured web reconnaissance framework written in Python. It was created by Tim Tomes. Recon-ng is widely used in the hacking and cybersecurity world to discover hidden information about a target. It is used primarily for information gathering during the reconnaissance phase of penetration testing and security assessments.
Recon-ng Uses
Recon-ng is particularly useful for penetration testers and cybersecurity professionals. It gathers information and collects vulnerability data about company domains, and this automation makes that information easy for a pentester to find.
- Module Design: Recon-ng is structured around modules, which can be loaded and used individually to perform specific tasks.
- Automated Data Collection: It automates the process of collecting information from various online sources, which can save significant time and effort compared to manual data collection.
- Integration with External Services: Recon-ng can integrate with numerous external APIs and services, such as Google, Bing, Shodan, VirusTotal, Censys, and others, to gather extensive information from different platforms.
- Comprehensive Reconnaissance: It can perform a wide range of reconnaissance activities, including:
- Gathering data on domain names, IP addresses, and DNS records.
- Collecting information on email addresses and social media accounts.
- Extracting data on network infrastructure and subdomains.
- Identifying vulnerabilities and potential attack vectors.
- Database Support: Recon-ng supports the use of a built-in database, which helps in storing and organizing the collected data efficiently. This feature is useful for managing large amounts of data during extensive reconnaissance operations.
Recon-ng Importance in Cybersecurity
- Comprehensive Information Gathering: Recon-ng allows cybersecurity professionals to gather a wide range of information about a target. This includes domain names, IP addresses, email addresses, social media profiles, and more.
- Automation: Recon-ng automates many of the tedious and time-consuming tasks associated with reconnaissance.
- Modularity and Flexibility: The modular design of Recon-ng enables users to customize their reconnaissance efforts. They can load specific modules tailored to their needs, which makes the tool versatile and adaptable to different scenarios.
- Integration with Other Tools: Recon-ng can integrate with various APIs and external services to enrich the collected data. This integration helps in obtaining more accurate and detailed information, enhancing the quality of the reconnaissance.
- Database Storage and Reporting: The ability to store collected data in a database is valuable for documentation and analysis. It helps in keeping track of the information gathered and allows for generating reports.
Recon-ng Commands
You don’t need to install Recon-ng on Kali Linux; it comes pre-installed. The tool requires root access, so start it with the command sudo recon-ng.
sudo recon-ng
The “man recon-ng” command gives you more information about this tool.
$ man recon-ng
NAME
recon-ng - Web Reconnaissance framework
SYNOPSIS
recon-ng [-h] [-w workspace] [-r filename] [--no-version] [--no-analytics] [--no-marketplace] [--stealth] [--version] [--ana‐
lytics]
DESCRIPTION
Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct
open source web-based reconnaissance quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework.
However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively
for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engi‐
neer, use the Social-Engineer Toolkit.
See the [Usage Guide](https://github.com/lanmaster53/recon-ng/wiki) for more information.
OPTIONS
-h, --help
show this help message and exit
-w workspace
load/create a workspace
-r filename
load commands from a resource file
--no-version
disable version check (by default in Debian)
--no-analytics
disable analytics reporting (by default in Debian)
--no-marketplace
disable remote module management
--stealth
disable all passive requests (--no-*)
-v, --version
displays the current version
--analytics
enable Google analytics reporting
Recon-ng help Commands
The Recon-ng “help” command shows how to use the tool.
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
Recon-ng Marketplace Module
The Recon-ng marketplace is a feature of the Recon-ng framework that allows users to discover, install, and manage modules. Modules add new information-gathering and analysis capabilities to Recon-ng. You need the marketplace when you want a specific kind of information about a target: all Recon-ng modules are available there, so to install them you need to access it. The marketplace is accessed via the “marketplace” command.
[recon-ng][default] > marketplace
Interfaces with the module marketplace
Usage: marketplace <info|install|refresh|remove|search> [...]
How do we use the marketplace? These are the subcommands it provides:
Command | Description |
---|---|
info | Provides detailed information about a specific module, including description and usage. |
install | Installs the specified module from the marketplace into Recon-ng. |
refresh | Refreshes the list of available modules in the marketplace to ensure it is up-to-date. |
remove | Removes the specified module from Recon-ng. |
search | Searches for modules in the marketplace that match the specified keyword. |
- Search:
- This searches for modules related to the keyword “domain” in the marketplace.
- Command: marketplace search domain
[recon-ng][default] > marketplace search domain
[*] Searching module index for 'domain'...
+-----------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+-----------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.1 | not installed | 2020-10-13 | | |
| recon/companies-domains/censys_subdomains | 2.1 | not installed | 2022-01-31 | * | * |
| recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/viewdns_reverse_whois | 1.1 | installed | 2021-08-24 | | |
| recon/companies-domains/whoxy_dns | 1.1 | installed | 2020-06-17 | | * |
| recon/companies-multi/censys_tls_subjects | 2.1 | not installed | 2022-01-31 | * | * |
| recon/contacts-domains/censys_email_to_domains | 2.1 | not installed | 2022-01-31 | * | * |
| recon/contacts-domains/migrate_contacts | 1.1 | not installed | 2020-05-17 | | |
| recon/domains-companies/censys_companies | 2.1 | not installed | 2022-01-31 | * | * |
| recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-companies/whoxy_whois | 1.1 | installed | 2020-06-24 | | * |
| recon/domains-contacts/hunter_io | 1.3 | not installed | 2020-04-14 | | * |
| recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * | |
| recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/pgp_search | 1.4 | not installed | 2019-10-16 | | |
| recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-contacts/wikileaker | 1.0 | not installed | 2020-04-08 | | |
| recon/domains-domains/brute_suffix | 1.1 | not installed | 2020-05-17 | | |
| recon/domains-hosts/binaryedge | 1.2 | not installed | 2020-06-18 | | * |
| recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 | | |
| recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/builtwith | 1.1 | not installed | 2021-08-24 | | * |
| recon/domains-hosts/censys_domain | 2.1 | not installed | 2022-01-31 | * | * |
| recon/domains-hosts/certificate_transparency | 1.3 | not installed | 2019-09-16 | | |
| recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.1 | not installed | 2020-05-17 | | |
| recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/netcraft | 1.1 | not installed | 2020-02-05 | | |
| recon/domains-hosts/shodan_hostname | 1.1 | installed | 2020-07-01 | * | * |
| recon/domains-hosts/spyse_subdomains | 1.1 | not installed | 2021-08-24 | | * |
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.1 | not installed | 2020-10-18 | | |
| recon/hosts-domains/migrate_hosts | 1.1 | not installed | 2020-05-17 | | |
| recon/hosts-hosts/censys_query | 2.1 | not installed | 2022-01-31 | * | * |
| recon/hosts-hosts/virustotal | 1.0 | installed | 2019-06-24 | | * |
| recon/netblocks-hosts/virustotal | 1.0 | installed | 2019-06-24 | | * |
+-----------------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
All marketplace modules can be viewed with the “marketplace search” command.
- Info:
- This provides detailed information about the module.
- Command: marketplace info (modules_name)
[recon-ng][default] > marketplace info recon/domains-hosts/spyse_subdomains
+------------------------------------------------------------+
| path | recon/domains-hosts/spyse_subdomains |
| name | Spyse Subdomain lookup |
| author | Ryan Hays |
| version | 1.1 |
| last_updated | 2021-08-24 |
| description | Uses the Spyse API to discover subdomains. |
| required_keys | ['spyse_api'] |
| dependencies | [] |
| files | [] |
| status | not installed |
+------------------------------------------------------------+
- install:
- This installs modules into your Recon-ng environment. You can install all modules at once, or install them one by one.
- Command for installing modules one by one: marketplace install (module_path)
- Command for installing all modules at once: marketplace install all
[recon-ng][default] > marketplace install
Installs modules from the marketplace
Usage: marketplace install <<path>|<prefix>|all>
Command | Description |
---|---|
<path> | Installs a specific module from the marketplace using its full path. |
<prefix> | Installs all modules that match the specified prefix. |
all | Installs all available modules from the marketplace. |
- <path>:
- We will use the “path” to install a module.
- Command: marketplace install (module_path)
[recon-ng][default] > marketplace install recon/repositories-profiles/github_commits
[*] Module installed: recon/repositories-profiles/github_commits
[*] Reloading modules...
- <prefix>:
- We will use a “prefix” to install all modules in the same category, such as discovery. This installs every module whose path starts with the prefix discovery.
- Command: marketplace install (module_prefix_name)
[recon-ng][default] > marketplace install discovery
[*] Module installed: discovery/info_disclosure/cache_snoop
[*] Module installed: discovery/info_disclosure/interesting_files
[*] Reloading modules...
- all:
- We will use the “all” command to install all modules.
- Command: marketplace install all
[recon-ng][default] >marketplace install all
- refresh:
- This refreshes the list of available modules, ensuring you have the latest information from the marketplace.
- Command: “marketplace refresh“
[recon-ng][default] >marketplace refresh
- remove:
- Removes the specified module from Recon-ng.
- Command: marketplace remove (module_name)
[recon-ng][default] > marketplace remove
Removes marketplace modules from the framework
Usage: marketplace remove <<path>|<prefix>|all>
Command | Description |
---|---|
<path> | Remove a specific module from the marketplace using its full path. |
<prefix> | Remove all modules that match the specified prefix. |
all | Remove all available modules from the marketplace. |
- <path>:
- We will use the “path” to remove a module.
- Command: marketplace remove (module_path)
[recon-ng][default] > marketplace remove recon/repositories-profiles/github_commits
[*] Module removed: recon/repositories-profiles/github_commits
[*] Reloading modules...
- <prefix>:
- We will use a “prefix” to remove all modules in the same category, such as discovery. This removes every module whose path starts with the prefix discovery.
- Command: marketplace remove (module_prefix_name)
[recon-ng][default] > marketplace remove discovery
[*] Module removed: discovery/info_disclosure/cache_snoop
[*] Module removed: discovery/info_disclosure/interesting_files
[*] Reloading modules...
- all:
- We will use the “all” command to remove all modules.
- Command: marketplace remove all
[recon-ng][default] >marketplace remove all
Recon-ng Modules
In Recon-ng, modules are the core components that perform specific tasks related to reconnaissance and information gathering. A total of 107 modules are available in the Recon-ng marketplace: [93] Recon modules, [8] Reporting modules, [4] Import modules, [2] Exploitation modules, and [2] Discovery modules. We will learn about each module’s details in the Recon-ng module tutorial.
[93] Recon modules
[8] Reporting modules
[4] Import modules
[2] Exploitation modules
[2] Discovery modules
Each module collects different kinds of data from various sources. Some modules need dependencies and keys to gather information.
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
[recon-ng][default] > marketplace search
+----------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+----------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.1 | installed | 2020-10-13 | | |
| discovery/info_disclosure/interesting_files | 1.2 | installed | 2021-10-04 | | |
| exploitation/injection/command_injector | 1.0 | installed | 2019-06-24 | | |
| exploitation/injection/xpath_bruter | 1.2 | installed | 2019-10-08 | | |
| import/csv_file | 1.1 | installed | 2019-08-09 | | |
| import/list | 1.1 | installed | 2019-06-24 | | |
| import/masscan | 1.0 | installed | 2020-04-07 | | |
| import/nmap | 1.1 | installed | 2020-10-06 | | |
| recon/companies-contacts/bing_linkedin_cache | 1.0 | installed | 2019-06-24 | | * |
| recon/companies-contacts/censys_email_address | 2.1 | installed | 2022-01-31 | * | * |
| recon/companies-contacts/pen | 1.1 | installed | 2019-10-15 | | |
| recon/companies-domains/censys_subdomains | 2.1 | disabled | 2022-01-31 | * | * |
| recon/companies-domains/pen | 1.1 | installed | 2019-10-15 | | |
| recon/companies-domains/viewdns_reverse_whois | 1.1 | installed | 2021-08-24 | | |
| recon/companies-domains/whoxy_dns | 1.1 | installed | 2020-06-17 | | * |
| recon/companies-multi/censys_org | 2.1 | installed | 2022-01-31 | * | * |
| recon/companies-multi/censys_tls_subjects | 2.1 | installed | 2022-01-31 | * | * |
| recon/companies-multi/github_miner | 1.1 | installed | 2020-05-15 | | * |
| recon/companies-multi/shodan_org | 1.1 | installed | 2020-07-01 | * | * |
| recon/companies-multi/whois_miner | 1.1 | installed | 2019-10-15 | | |
| recon/contacts-contacts/abc | 1.0 | installed | 2019-10-11 | * | |
| recon/contacts-contacts/mailtester | 1.0 | installed | 2019-06-24 | | |
| recon/contacts-contacts/mangle | 1.0 | installed | 2019-06-24 | | |
| recon/contacts-contacts/unmangle | 1.1 | installed | 2019-10-27 | | |
| recon/contacts-credentials/hibp_breach | 1.2 | installed | 2019-09-10 | | * |
| recon/contacts-credentials/hibp_paste | 1.1 | installed | 2019-09-10 | | * |
| recon/contacts-domains/censys_email_to_domains | 2.1 | installed | 2022-01-31 | * | * |
| recon/contacts-domains/migrate_contacts | 1.1 | installed | 2020-05-17 | | |
| recon/contacts-profiles/fullcontact | 1.1 | installed | 2019-07-24 | | * |
| recon/credentials-credentials/adobe | 1.0 | installed | 2019-06-24 | | |
| recon/credentials-credentials/bozocrack | 1.0 | installed | 2019-06-24 | | |
| recon/credentials-credentials/hashes_org | 1.0 | installed | 2019-06-24 | | * |
| recon/domains-companies/censys_companies | 2.1 | installed | 2022-01-31 | * | * |
| recon/domains-companies/pen | 1.1 | installed | 2019-10-15 | | |
| recon/domains-companies/whoxy_whois | 1.1 | installed | 2020-06-24 | | * |
| recon/domains-contacts/hunter_io | 1.3 | installed | 2020-04-14 | | * |
| recon/domains-contacts/metacrawler | 1.1 | disabled | 2019-06-24 | * | |
| recon/domains-contacts/pen | 1.1 | installed | 2019-10-15 | | |
| recon/domains-contacts/pgp_search | 1.4 | installed | 2019-10-16 | | |
| recon/domains-contacts/whois_pocs | 1.0 | installed | 2019-06-24 | | |
| recon/domains-contacts/wikileaker | 1.0 | installed | 2020-04-08 | | |
| recon/domains-domains/brute_suffix | 1.1 | installed | 2020-05-17 | | |
| recon/domains-hosts/binaryedge | 1.2 | installed | 2020-06-18 | | * |
| recon/domains-hosts/bing_domain_api | 1.0 | installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_web | 1.1 | installed | 2019-07-04 | | |
| recon/domains-hosts/brute_hosts | 1.0 | installed | 2019-06-24 | | |
| recon/domains-hosts/builtwith | 1.1 | installed | 2021-08-24 | | * |
| recon/domains-hosts/censys_domain | 2.1 | installed | 2022-01-31 | * | * |
| recon/domains-hosts/certificate_transparency | 1.3 | installed | 2019-09-16 | | |
| recon/domains-hosts/google_site_web | 1.0 | installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.1 | installed | 2020-05-17 | | |
| recon/domains-hosts/mx_spf_ip | 1.0 | installed | 2019-06-24 | | |
| recon/domains-hosts/netcraft | 1.1 | installed | 2020-02-05 | | |
| recon/domains-hosts/shodan_hostname | 1.1 | installed | 2020-07-01 | * | * |
| recon/domains-hosts/spyse_subdomains | 1.1 | installed | 2021-08-24 | | * |
| recon/domains-hosts/ssl_san | 1.0 | installed | 2019-06-24 | | |
| recon/domains-hosts/threatcrowd | 1.0 | installed | 2019-06-24 | | |
| recon/domains-hosts/threatminer | 1.0 | installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/ghdb | 1.1 | installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.1 | installed | 2020-10-18 | | |
| recon/hosts-domains/migrate_hosts | 1.1 | installed | 2020-05-17 | | |
| recon/hosts-hosts/bing_ip | 1.0 | installed | 2019-06-24 | | * |
| recon/hosts-hosts/censys_hostname | 2.1 | installed | 2022-01-31 | * | * |
| recon/hosts-hosts/censys_ip | 2.1 | installed | 2022-01-31 | * | * |
| recon/hosts-hosts/censys_query | 2.1 | installed | 2022-01-31 | * | * |
| recon/hosts-hosts/ipinfodb | 1.2 | installed | 2021-08-24 | | * |
| recon/hosts-hosts/ipstack | 1.0 | installed | 2019-06-24 | | * |
| recon/hosts-hosts/resolve | 1.0 | installed | 2019-06-24 | | |
| recon/hosts-hosts/reverse_resolve | 1.0 | installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | installed | 2019-06-24 | | |
| recon/hosts-hosts/virustotal | 1.0 | installed | 2019-06-24 | | * |
| recon/hosts-locations/migrate_hosts | 1.0 | installed | 2019-06-24 | | |
| recon/hosts-ports/binaryedge | 1.0 | installed | 2019-06-24 | | * |
| recon/hosts-ports/shodan_ip | 1.2 | installed | 2020-07-01 | * | * |
| recon/locations-locations/geocode | 1.0 | installed | 2019-06-24 | | * |
| recon/locations-locations/reverse_geocode | 1.0 | installed | 2019-06-24 | | * |
| recon/locations-pushpins/flickr | 1.0 | installed | 2019-06-24 | | * |
| recon/locations-pushpins/shodan | 1.1 | installed | 2020-07-07 | * | * |
| recon/locations-pushpins/twitter | 1.1 | installed | 2019-10-17 | | * |
| recon/locations-pushpins/youtube | 1.2 | installed | 2020-09-02 | | * |
| recon/netblocks-companies/censys_netblock_company | 2.1 | installed | 2022-01-31 | * | * |
| recon/netblocks-companies/whois_orgs | 1.0 | installed | 2019-06-24 | | |
| recon/netblocks-hosts/censys_netblock | 2.1 | installed | 2022-01-31 | * | * |
| recon/netblocks-hosts/reverse_resolve | 1.0 | installed | 2019-06-24 | | |
| recon/netblocks-hosts/shodan_net | 1.2 | installed | 2020-07-21 | * | * |
| recon/netblocks-hosts/virustotal | 1.0 | installed | 2019-06-24 | | * |
| recon/netblocks-ports/census_2012 | 1.0 | installed | 2019-06-24 | | |
| recon/netblocks-ports/censysio | 1.0 | installed | 2019-06-24 | | * |
| recon/ports-hosts/migrate_ports | 1.0 | installed | 2019-06-24 | | |
| recon/ports-hosts/ssl_scan | 1.1 | installed | 2021-08-24 | | |
| recon/profiles-contacts/bing_linkedin_contacts | 1.2 | installed | 2021-08-24 | | * |
| recon/profiles-contacts/dev_diver | 1.1 | installed | 2020-05-15 | | |
| recon/profiles-contacts/github_users | 1.0 | installed | 2019-06-24 | | * |
| recon/profiles-profiles/namechk | 1.0 | installed | 2019-06-24 | | * |
| recon/profiles-profiles/profiler | 1.2 | installed | 2023-12-30 | | |
| recon/profiles-profiles/twitter_mentioned | 1.0 | installed | 2019-06-24 | | * |
| recon/profiles-profiles/twitter_mentions | 1.0 | installed | 2019-06-24 | | * |
| recon/profiles-repositories/github_repos | 1.1 | installed | 2020-05-15 | | * |
| recon/repositories-profiles/github_commits | 1.0 | installed | 2019-06-24 | | * |
| recon/repositories-vulnerabilities/gists_search | 1.0 | installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/github_dorks | 1.0 | installed | 2019-06-24 | | * |
| reporting/csv | 1.0 | installed | 2019-06-24 | | |
| reporting/html | 1.0 | installed | 2019-06-24 | | |
| reporting/json | 1.0 | installed | 2019-06-24 | | |
| reporting/list | 1.0 | installed | 2019-06-24 | | |
| reporting/proxifier | 1.0 | installed | 2019-06-24 | | |
| reporting/pushpin | 1.0 | installed | 2019-06-24 | | * |
| reporting/xlsx | 1.0 | installed | 2019-06-24 | | |
| reporting/xml | 1.1 | installed | 2019-06-24 | | |
+----------------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
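The D and K columns in the listing above can be read programmatically. The following Python script is an added example, not part of Recon-ng or of the original tutorial: it parses saved "marketplace search" output and groups modules by what they need before they can run. The function names and the sample text (rows copied from the listing above) are constructed for illustration.

```python
from typing import Dict, List, NamedTuple


class Module(NamedTuple):
    path: str
    version: str
    status: str
    updated: str
    has_deps: bool    # "*" in the D column
    needs_keys: bool  # "*" in the K column


# Constructed sample: rows copied from the listing above, same layout.
SAMPLE_OUTPUT = """\
[recon-ng][default] > marketplace search
+----------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+----------------------------------------------------------------------------------------------+
| recon/companies-domains/censys_subdomains | 2.1 | disabled | 2022-01-31 | * | * |
| recon/domains-contacts/metacrawler | 1.1 | disabled | 2019-06-24 | * | |
| recon/domains-contacts/whois_pocs | 1.0 | installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.1 | installed | 2020-05-17 | | |
| recon/domains-hosts/shodan_hostname | 1.1 | installed | 2020-07-01 | * | * |
| recon/domains-hosts/spyse_subdomains | 1.1 | installed | 2021-08-24 | | * |
| reporting/csv | 1.0 | installed | 2019-06-24 | | |
+----------------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
"""


def parse_marketplace(text: str) -> List[Module]:
    """Turn the ASCII table printed by 'marketplace search' into records."""
    modules = []
    for raw in text.splitlines():
        line = raw.strip()
        # Data rows start and end with '|'; borders start with '+',
        # the prompt with '[' and the legend lines with a letter.
        if not (line.startswith("|") and line.endswith("|")):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) != 6 or cells[0] == "Path":
            continue  # malformed row, or the header row
        path, version, status, updated, d_flag, k_flag = cells
        modules.append(
            Module(path, version, status, updated, d_flag == "*", k_flag == "*")
        )
    return modules


def triage(modules: List[Module]) -> Dict[str, List[str]]:
    """Group module paths by prerequisite; a module can be in several groups."""
    report: Dict[str, List[str]] = {
        "no_prereqs": [], "needs_keys": [], "needs_deps": [], "disabled": [],
    }
    for m in modules:
        if m.needs_keys:
            report["needs_keys"].append(m.path)
        if m.has_deps:
            report["needs_deps"].append(m.path)
        if m.status == "disabled":
            report["disabled"].append(m.path)
        if not (m.needs_keys or m.has_deps):
            report["no_prereqs"].append(m.path)
    return report


def info_commands(report: Dict[str, List[str]]) -> List[str]:
    """'marketplace info' commands to review for every module with a D or K flag."""
    flagged = sorted(set(report["needs_keys"]) | set(report["needs_deps"]))
    return [f"marketplace info {path}" for path in flagged]


if __name__ == "__main__":
    result = triage(parse_marketplace(SAMPLE_OUTPUT))
    for group, paths in result.items():
        print(f"{group}:")
        for p in paths:
            print(f"  {p}")
    print("\n".join(info_commands(result)))
```

To use it on real data, save the listing with the framework's spool command and pass the file contents to parse_marketplace.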
Here’s an overview of Recon-ng modules:
Types of Modules
- Recon Modules:
- These modules gather information about targets. They are often categorized by the type of data they collect or the source they query.
- Example:
recon/domains-contacts/whois_pocs
- Collects Points of Contact (POCs) from WHOIS records for a given domain.
- Import Modules:
- These modules import data from external files or other sources into the Recon-ng framework.
- Example: import/list
- Imports a list of targets from a file into the current workspace.
- Reporting Modules:
- These modules generate reports from the collected data.
- Example: reporting/csv
- Creates a CSV report of the data stored in the current workspace.
- Exploit Modules:
- These modules are used to exploit vulnerabilities found during reconnaissance. They are less common in Recon-ng, which focuses more on information gathering.
- Example: exploit/cross-site-scripting
- Tests for cross-site scripting (XSS) vulnerabilities.
- Discovery Modules:
- These modules gather information about targets. They are often categorized by the type of data they collect or the source they query.
- Example:
discovery/info_disclosure/cache_snoop
Recon-ng Workspace Management
In Recon-ng, a workspace is crucial for organizing and storing reconnaissance data for different targets, much like a folder. Workspaces are managed with the “workspaces” command.
[recon-ng][default] > workspaces
Manages workspaces
Usage: workspaces <create|list|load|remove> [...]
You can create, list, load, and remove workspaces with this command.
Commands | Description |
---|---|
list | Lists all existing workspaces along with their details. |
create | Creates a new workspace with the specified name. |
load | Loads the specified workspace, setting it as active for operations. |
remove | Removes the specified workspace, deleting all associated data irreversibly. |
- View workspaces list:
- This command lists all existing workspaces along with their details, such as creation date and last accessed date.
- Command: workspaces list
[recon-ng][default] > workspaces list
+----------------------------------+
| Workspaces | Modified |
+----------------------------------+
| default | 2024-01-11 06:22:53 |
+----------------------------------+
- create workspaces:
- This command creates a new workspace with the specified name.
- Command: workspaces create (my_workspace_name)
[recon-ng][default] > workspaces create Google
[recon-ng][google] >
- Load workspaces:
- This command loads the specified workspace, making it the active workspace where all subsequent operations will occur.
- Command: workspaces load (workspaces_name)
[recon-ng][google] >workspaces load default
[recon-ng][default] >
- remove workspaces:
- This command removes the specified workspace, along with all associated data.
- Note: This action is irreversible and permanently deletes all data stored within the workspace.
- Command: workspaces remove (workspace_name)
[recon-ng][default] >workspaces remove google
These commands provide essential functionality for managing multiple reconnaissance projects or targets within Recon-ng. By using workspaces, users can keep their reconnaissance efforts organized, maintain separation between different engagements, and easily switch between contexts as needed.
Use Recon ng Modules
When an attacker or pentester gathers information about a target, they first load a particular module and give it data about the target. Some modules require keys (API keys), which you will need to obtain. How do you know which modules need keys and dependencies? Look at the module listing produced by the “marketplace search” command: the D and K columns mark dependencies and API keys. We cover them in the Recon-ng module tutorial section.
Access modules with the “modules” command. It has three subcommands: load, reload, and search.
[recon-ng][google] > modules
Interfaces with installed modules
Usage: modules <load|reload|search> [...]
Let’s look at the three subcommands of modules: load, reload, and search.
Command | Description |
---|---|
load | Loads a specific module into Recon-ng for use. |
reload | Reloads all modules currently available in Recon-ng. |
search | Searches for modules that match the specified keyword. |
- Reloading Modules:
- Description: Refreshes and updates the list of available modules.
- Command: modules reload
[recon-ng][google] > modules reload
[*] Reloading modules...
- Searching for Modules:
- Description: Searches for modules matching the keyword.
- Command: modules search <keyword>
[recon-ng][google] > modules search hack
[*] Searching installed modules for 'hack'...
Recon
-----
recon/domains-hosts/hackertarget
- Loading a Module:
- Description: Loads the specified module.
- Command: modules load (modules_name_path)
[recon-ng][google] > modules load recon/domains-hosts/hackertarget
[recon-ng][google][hackertarget] >
Load Modules Workspace in recon ng
We saw the three ways to use the modules command in the previous section. Now let’s see how to use a module after loading it. The “modules load” command selects a module. After loading one, use the “help” command to see the list of commands available in the module context. Here we go through the details of all of them.
[recon-ng][google] > modules load recon/domains-hosts/hackertarget
[recon-ng][google][hackertarget] > help
Commands (type [help|?] <topic>):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
goptions Manages the global context options
help Displays this menu
info Shows details about the loaded module
input Shows inputs based on the source option
keys Manages third party resource credentials
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
reload Reloads the loaded module
run Runs the loaded module
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
spool Spools output to a file
Command | Description |
---|---|
back | Exits the current context and returns to the previous one. |
dashboard | Displays a summary of recent activity and current status. |
db | Interfaces with the workspace’s database for data management. |
exit | Exits the Recon-ng framework. |
goptions | Manages the global context options that apply across modules. |
help | Displays the help menu with a list of available commands and their descriptions. |
info | Shows detailed information about the currently loaded module. |
input | Shows inputs based on the source option for the loaded module. |
keys | Manages credentials for third-party resources and services. |
modules | Interfaces with installed modules, including loading, reloading, and searching for modules. |
options | Manages the options for the current context or module. |
pdb | Starts a Python Debugger session (intended for developers only). |
reload | Reloads the currently loaded module to apply any changes. |
run | Executes the currently loaded module with the specified options. |
script | Records and executes command scripts to automate tasks. |
shell | Executes shell commands directly from within the Recon-ng framework. |
show | Shows various framework items, such as modules, options, and databases. |
spool | Spools output to a file for logging and record-keeping purposes. |
Let’s go through this step by step. First, show detailed information about the currently loaded module by running the “info” command.
[recon-ng][google][hackertarget] > info
Name: HackerTarget Lookup
Author: Michael Henriksen (@michenriksen)
Version: 1.1
Description:
Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE google.com yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
This output tells you about the module. Read the description, options, and source options carefully to understand how the module works. The SOURCE option must be set, and it accepts a string, a path, or a query <sql>.
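To make the four source options concrete, the Python sketch below shows how a SOURCE value can be turned into a list of inputs. It is an added illustration, not Recon-ng's own code: the function name resolve_source, the order in which the forms are checked, and the minimal domains and hosts tables are assumptions, and the sample rows are constructed.

```python
import os
import sqlite3
from typing import List

# Default query shown for this module under "Source Options" in the info output.
DEFAULT_QUERY = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"


def resolve_source(value: str, db: sqlite3.Connection,
                   default_query: str = DEFAULT_QUERY) -> List[str]:
    """Resolve a SOURCE value into inputs (hypothetical helper).

    Assumed precedence: default, then 'query <sql>', then file path,
    then plain string.
    """
    value = value.strip()
    if value.lower() == "default":
        # Inputs come from the workspace database.
        return [row[0] for row in db.execute(default_query)]
    if value.lower().startswith("query "):
        cur = db.execute(value[len("query "):].strip())
        # The info output says the query returns one column of inputs;
        # this is checked after the statement has been executed.
        if cur.description is None or len(cur.description) != 1:
            raise ValueError("query must return exactly one column")
        return [row[0] for row in cur]
    if os.path.isfile(value):
        # One input per line; blank lines are skipped.
        with open(value, encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    # Anything else is a single literal input.
    return [value]


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory workspace with minimal tables (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (domain TEXT)")
    db.execute("CREATE TABLE hosts (host TEXT)")
    db.executemany(
        "INSERT INTO domains VALUES (?)",
        [("example.com",), ("example.com",), (None,), ("example.org",)],
    )
    db.executemany(
        "INSERT INTO hosts VALUES (?)",
        [("www.example.com",), ("mail.example.com",)],
    )
    return db


if __name__ == "__main__":
    demo = build_demo_db()
    # 'default' drops the NULL row and the duplicate via the default query.
    print(sorted(resolve_source("default", demo)))
    # A plain string is passed through as one input.
    print(resolve_source("example.net", demo))
    # 'query <sql>' pulls one column from any table in the workspace.
    print(sorted(resolve_source("query SELECT host FROM hosts", demo)))
```

With this precedence, a string that happens to match an existing file name is read as a file, so a literal value and a path can be confused when the working directory contains a file of that name.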
Set module Options in recon ng
Setting options allows the module to perform its task with the correct configuration. Type the “options” command to configure them.
[recon-ng][google][hackertarget] > options
Manages the current context options
Usage: options <list|set|unset> [...]
Subcommand | Description | Example Usage |
---|---|---|
list | Lists all available options and their current values for the loaded module. | options list |
set | Sets a specific option to the given value for the loaded module. | options set source example.com |
unset | Clears the value of the specified option for the loaded module. | options unset source |
- options list:
- Description: This command lists all the options available for the currently loaded module along with their current values.
- Command: options list
[recon-ng][google][hackertarget] > options list
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE google.com yes source of input (see 'info' for details)
- options set:
- Description: This command sets a specific option to the provided value for the loaded module.
- Command: options set SOURCE example.com (note: the value can be a “string”, a “path”, or a “query (SQL)”).
[recon-ng][google][hackertarget] > options set SOURCE facebook.com
SOURCE => facebook.com
- options unset:
- Description: This command clears the value of the specified option, resetting it to its default state.
- Command: options unset SOURCE
[recon-ng][google][hackertarget] > options unset SOURCE
SOURCE => None
After setting the SOURCE value, execute the module with the “run” command to gather information.
[recon-ng][google][hackertarget] > run
------------
FACEBOOK.COM
------------
<all result show here>
At this point you have successfully run a Recon-ng module and gathered information.
Source Configure in recon-ng modules
In Recon-ng, source options can be of different types such as strings, file paths, or SQL queries. These options specify where the module should get its input data from. Here’s how you can use these different types of source options:
Types of Source Options
- String:
- Description: A simple text string that specifies a single value.
- Example: A domain name or IP address.
options set SOURCE example.com
- Path:
- Description: A file path that points to a file containing a list of values.
- Example: A file with a list of domains or IP addresses.
options set SOURCE /path/to/file.txt
- SQL Query:
- Description: An SQL query that retrieves data from the Recon-ng database.
- Example: A query to select domains from a previously populated table.
options set SOURCE query "SELECT domain FROM domains WHERE domain LIKE 'example%'"
Commands Summary
Source Type | Description | Example Usage |
---|---|---|
String | A simple text string specifying a single value. | options set SOURCE example.com |
Path | A file path pointing to a list of values. | options set SOURCE /path/to/file.txt |
SQL Query | An SQL query to fetch data from the database. | options set SOURCE query "SELECT domain FROM domains WHERE domain LIKE 'example%'" |
By setting these source options appropriately, you can provide the necessary input data for the modules in Recon-ng to perform their tasks effectively.
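How the three SOURCE forms and the default from the 'info' output expand into a list of module inputs, as an added Python example that is not part of the original tutorial and is not Recon-ng's own code. The function names, the in-memory domains table and its rows are constructed for illustration, and a value is treated as a path only when that file exists.

```python
import os
import sqlite3

# Default input query, copied from the module's 'info' output on this page.
DEFAULT_QUERY = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"


def resolve_source(conn, source):
    """Expand a SOURCE value into a list of inputs (illustrative logic only)."""
    value = source.strip()
    if not value:
        raise ValueError("SOURCE is not set")
    keyword, _, rest = value.partition(" ")
    if value.lower() == "default":
        sql = DEFAULT_QUERY
    elif keyword.lower() == "query":
        sql = rest.strip().strip('"')  # the page quotes the SQL; accept both forms
        if not sql:
            raise ValueError("'query' must be followed by an SQL statement")
    elif os.path.isfile(value):
        # Path form: one input per line, blank lines skipped.
        with open(value, encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    else:
        return [value]  # string form: a single literal input
    cur = conn.execute(sql)
    if cur.description is None or len(cur.description) != 1:
        raise ValueError("SOURCE query must return exactly one column")
    # NULL rows are dropped so no module run starts with an empty input.
    return [row[0] for row in cur.fetchall() if row[0] is not None]


def build_demo_workspace():
    """In-memory stand-in for a workspace database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT, notes TEXT, module TEXT)")
    conn.executemany(
        "INSERT INTO domains (domain) VALUES (?)",
        [("example.com",), ("example.org",), ("example.com",), (None,)],
    )
    return conn


if __name__ == "__main__":
    conn = build_demo_workspace()
    for src in ("default", "example.com",
                "query SELECT domain FROM domains WHERE domain LIKE 'example%'"):
        print(f"{src!r} -> {resolve_source(conn, src)}")
```

A query without DISTINCT returns duplicates (example.com appears twice for the LIKE query here), so the same input would be processed twice.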
Recon ng Data Stores
In Recon-ng, data stores are crucial for managing and organizing the data collected during reconnaissance activities. The framework utilizes a database to store and manage this information, enabling efficient data retrieval, manipulation, and reporting.
Data Stores
Recon-ng uses a SQLite database as its primary data store. This database is created for each workspace and contains various tables to store different types of data.
Key Tables in Recon-ng Data Store
Table Name | Description |
---|---|
domains | Stores domain names collected during reconnaissance. |
hosts | Stores hostnames and associated information. |
contacts | Stores contact information such as emails and phone numbers. |
credentials | Stores collected credentials, including usernames and passwords. |
netblocks | Stores network block information, which includes ranges of IP addresses. |
ports | Stores port information, including open ports and services running on them. |
vulnerabilities | Stores information about discovered vulnerabilities. |
Commands for Managing Data Stores
[recon-ng][default] > db
Interfaces with the workspace's database
Usage: db <delete|insert|notes|query|schema> [...]
Recon-ng provides several commands to interface with the data store, allowing users to manipulate and query the collected data effectively.
Command | Description |
---|---|
db schema <table> | Displays the schema (structure) of the specified table. |
db query <SQL query> | Executes a custom SQL query on the database. |
db insert <table> <values> | Inserts a new record into the specified table with the given values. |
db delete <table> <where> | Deletes records from the specified table based on the given condition. |
Example Workflows
Viewing a Table Schema
- View Schema:
- This displays the structure of the domains table.
- Command: db schema domains or db schema
Inserting Data into a Table
- Insert Data:
- This inserts a new record into the domains table.
- Command: db insert domains example.com
Querying the Database
- Execute SQL Query:
- This retrieves all records from the domains table where the domain name starts with “example”.
- Command: db query "SELECT * FROM domains WHERE domain LIKE 'example%'"
Commands Summary
Command | Description | Example Usage |
---|---|---|
db schema <table> | Displays the schema of the specified table. | db schema domains |
db query <SQL query> | Executes a custom SQL query on the database. | db query "SELECT * FROM domains" |
db insert <table> <values> | Inserts a new record into the specified table with the given values. | db insert domains example.com |
db delete <table> <where> | Deletes records from the specified table based on the given condition. | db delete domains "domain='example.com'" |
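Because the data store is a SQLite database, the hosts table can also be read with Python's sqlite3 module to check collected hostnames against the domains an engagement authorizes. This is an added example, not code from the original tutorial or from Recon-ng; the in-memory database, the reduced set of hosts columns (host, ip_address, module) and the function names are assumptions, and the rows are constructed.

```python
import sqlite3


def in_scope(host, authorized_domains):
    """True if host is an authorized domain or a subdomain of one."""
    host = host.strip().lower().rstrip(".")
    # Matching on "." + domain stops notexample.com from passing as example.com.
    return any(host == d or host.endswith("." + d) for d in authorized_domains)


def audit_hosts(conn, authorized_domains):
    """Sort rows of the hosts table into in-scope and out-of-scope lists."""
    scope = [d.strip().lower().rstrip(".") for d in authorized_domains]
    report = {"in_scope": [], "out_of_scope": []}
    rows = conn.execute(
        "SELECT rowid, host, module FROM hosts WHERE host IS NOT NULL ORDER BY rowid"
    )
    for rowid, host, module in rows:
        bucket = "in_scope" if in_scope(host, scope) else "out_of_scope"
        report[bucket].append((rowid, host, module))
    return report


def build_demo_hosts():
    """Constructed rows; only the columns this audit reads are created."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
        [
            ("www.example.com", "192.0.2.10", "hackertarget"),
            ("Mail.Example.com.", "192.0.2.11", "hackertarget"),
            ("notexample.com", "198.51.100.5", "hackertarget"),
            ("example.com.cdn.test", "203.0.113.7", "hackertarget"),
            (None, "192.0.2.12", "hackertarget"),
        ],
    )
    return conn


if __name__ == "__main__":
    result = audit_hosts(build_demo_hosts(), ["example.com"])
    for bucket, rows in result.items():
        print(bucket)
        for rowid, host, module in rows:
            print(f"  rowid={rowid} host={host} module={module}")
```

The report keeps each row's rowid and module so an out-of-scope entry can be traced back to the module that recorded it.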
Common Issues and Troubleshooting
Troubleshooting Tips: If you run into issues, here are some tips:
- Ensure your modules are up to date with marketplace updates.
- Check your API keys and network connectivity.
- Refer to the module documentation for specific requirements.
Best Practices for Using Recon ng
- Ensuring Accurate Results
- Always verify your results with multiple sources to ensure accuracy. Recon-ng is powerful, but it’s essential to cross-check the data.
- Ethical Considerations
- Use Recon-ng ethically. Always have permission before scanning and gathering information on a target. Respect privacy and legal boundaries.
Conclusion
Recon-ng is a powerful tool in the cybersecurity field, with a vast array of modules and functionalities. By following this tutorial, you should now have a solid understanding of how to use Recon-ng modules effectively. Remember to keep your tools updated, verify your data, and always use them ethically.
- Can I contribute to the development of Recon-ng?
Yes, Recon-ng is open-source, and contributions are welcome. You can contribute by submitting bug reports, feature requests, or directly contributing code on GitHub.
- Are there any alternatives to Recon-ng?
Yes, there are other tools like Maltego, theHarvester, and SpiderFoot. Each has its unique features and strengths, so exploring them can complement your Recon-ng use.
- How do I ensure the ethical use of Recon-ng?
Always have explicit permission before conducting reconnaissance on a target. Follow legal guidelines and respect privacy to ensure ethical use of Recon-ng.