Lab setup data from the Pluralsight course on:
Penetration Testing OSINT Gathering with Recon-ng
Recon-ng Installation
Create a simple index.html file and the following dockerfile:
apt install python-pip git
git clone https://github.com/lanmaster53/recon-ng.git
ls
cd recon-ng
ls
[pip install -r REQUIREMENTS (if necessary)]
cd recon-ng
ls
./recon-ng
help
The Basic Recon-ng Features
show modules
show tables
show dashboard
[show tab completion]
workspaces add newspace
[from parent shell in new terminal window]
ls -a
cd .recon-ng/workspaces/
ls
cd newspace
ls
[from recon-ng shell]
workspaces select default
workspaces select newspace
add domains
> bbc.com
add companies
> British Broadcasting Corporation
> broadcasting
show domains
show companies
add workspaces newname [it will fail]
use whois_pocs
show info
run
[from recon-ng directory on host]
./recon-web
[browse to localhost:5000]
NOTE: To make the browser viewer work, you may need to use pip to install the flask, dicttoxml, unicodecsv, and xlsxwriter modules (i.e., pip install flask).
Using Recon-ng Modules
use whois_pocs
show info
show contacts
run
SELECT * FROM domains
use interesting_files
show info
use google_site_web
show info
run
use interesting_files
run
[from host:]
cd /home/<username>/.recon-ng/workspaces/<workspace-name>/
ls
show domains
query select * from domains
add contacts
> David
>
> Clinton
> info@bootstrap-it.com
query SELECT * FROM contacts WHERE email LIKE '%bootstrap%'
use bing_linkedin_cache
show info
set subdomains www, ca, domain
show info
unset subdomains
set limit 5
The Complete Module List
Recon
---------
recon/companies-contacts/bing_linkedin_cache
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-contacts/linkedin_auth
recon/companies-multi/github_miner
recon/companies-multi/whois_miner
recon/contacts-contacts/mailtester
recon/contacts-contacts/mangle
recon/contacts-contacts/unmangle
recon/contacts-credentials/hibp_breach
recon/contacts-credentials/hibp_paste
recon/contacts-domains/migrate_contacts
recon/contacts-profiles/fullcontact
recon/credentials-credentials/adobe
recon/credentials-credentials/bozocrack
recon/credentials-credentials/hashes_org
recon/domains-contacts/metacrawler
recon/domains-contacts/pgp_search
recon/domains-contacts/whois_pocs
recon/domains-credentials/pwnedlist/account_creds
recon/domains-credentials/pwnedlist/api_usage
recon/domains-credentials/pwnedlist/domain_creds
recon/domains-credentials/pwnedlist/domain_ispwned
recon/domains-credentials/pwnedlist/leak_lookup
recon/domains-credentials/pwnedlist/leaks_dump
recon/domains-domains/brute_suffix
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/domains-hosts/brute_hosts
recon/domains-hosts/builtwith
recon/domains-hosts/certificate_transparency
recon/domains-hosts/google_site_api
recon/domains-hosts/google_site_web
recon/domains-hosts/hackertarget
recon/domains-hosts/netcraft
recon/domains-hosts/shodan_hostname
recon/domains-hosts/ssl_san
recon/domains-hosts/threatcrowd
recon/domains-vulnerabilities/ghdb
recon/domains-vulnerabilities/punkspider
recon/domains-vulnerabilities/xssed
recon/domains-vulnerabilities/xssposed
recon/hosts-hosts/bing_ip
recon/hosts-hosts/freegeoip
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/hosts-hosts/ssltools
recon/hosts-locations/migrate_hosts
recon/hosts-domains/migrate_hosts
recon/hosts-ports/shodan_ip
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/instagram
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-companies/whois_orgs
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
recon/netblocks-ports/censysio
recon/ports-hosts/migrate_ports
recon/profiles-contacts/dev_diver
recon/profiles-contacts/github_users
recon/profiles-profiles/namechk
recon/profiles-profiles/profiler
recon/profiles-profiles/twitter_mentioned
recon/profiles-profiles/twitter_mentions
recon/profiles-repositories/github_repos
recon/repositories-profiles/github_commits
recon/repositories-vulnerabilities/gists_search
recon/repositories-vulnerabilities/github_dorks

Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml

Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files

Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter

Import
------
import/csv_file
import/list
Using the Builtwith Module
use builtwith
show info
keys add builtwith_api a554bd9d-1a15-2159-76aa-ebde04875f68 [fake ID - don't use]
show keys
run
Scripting Recon-ng
record start /home/<username>/.recon-ng/workspaces/newspace/myscript.txt
workspaces select newspace
add domains bbc.co.uk
use pgp_search
run
record stop
show domains
delete domains 2
show domains
exit
./recon-ng -r /home/<username>/.recon-ng/workspaces/newspace/myscript.txt
show domains
[from host]
less /home/<username>/.recon-ng/workspaces/newspace/myscript.txt
[from recon]
spool start /home/<username>/.recon-ng/workspaces/newspace/myspool.txt
Preparing for a Scan
workspaces add campaign
add domains bbc.com
add companies
> British Broadcasting Corporation
> public service broadcaster
use whois_pocs
show info
run
show contacts
[don't run]
use pgp_search
run
use bing_domain_web
show info
run
show hosts
use brute_hosts
[from host]
less ~/recon-ng/data/hostnames.txt
[back in recon-ng shell]
run
show hosts
use interesting_files
run
Using Mangle to Work With Email Addresses
workspaces add mangle
add contacts
> steve
>
> geek
add contacts
> sam
>
> adminguy
add contacts
> joe
>
> topguy
> j.topguy@bbc.com
show contacts
use contacts/mangle
show info
set domain bbc.com
show info
set pattern <fi>.<ln>
run
show contacts
use hibp_breach
run
use hibp_paste
run
show credentials
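An added example (not from the course notes or from Recon-ng itself) that reproduces what the contacts/mangle step above does to the workspace's contacts table, and then runs the same kind of "query SELECT ... WHERE email LIKE" check used in the Using Recon-ng Modules section. The contacts schema is a constructed, simplified version of the workspace data.db, and the placeholders <fn>, <mn>, <ln>, <fi>, <mi>, <li> are assumed to match the module's PATTERN option.

```python
import re
import sqlite3

# Constructed rows mirroring the notes' three 'add contacts' entries:
# (first_name, middle_name, last_name, email). Only joe has an email.
SAMPLE_CONTACTS = [
    ("steve", None, "geek", None),
    ("sam", None, "adminguy", None),
    ("joe", None, "topguy", "j.topguy@bbc.com"),
]
# Assumed mangle-style placeholders: <fn>/<mn>/<ln> names, <fi>/<mi>/<li> initials.
TOKEN_RE = re.compile(r"<(fn|mn|ln|fi|mi|li)>")

def mangle(first, middle, last, domain, pattern="<fn>.<ln>", max_length=30):
    """Build one email address from a name using a mangle-style PATTERN."""
    parts = {"fn": first or "", "mn": middle or "", "ln": last or ""}
    for key in ("fn", "mn", "ln"):
        parts[key[0] + "i"] = parts[key][:1]   # initials: fi, mi, li
    local = TOKEN_RE.sub(lambda m: parts[m.group(1)], pattern)
    return f"{local.lower()[:max_length]}@{domain}"

def open_workspace():
    """In-memory stand-in for a workspace's contacts table (simplified schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (first_name TEXT, middle_name TEXT, "
               "last_name TEXT, email TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", SAMPLE_CONTACTS)
    return db

def mangle_contacts(db, domain, pattern="<fn>.<ln>", overwrite=False):
    """Fill in missing emails; like the module's OVERWRITE option, existing
    addresses are kept unless overwrite=True. Returns the number of rows updated."""
    rows = db.execute("SELECT rowid, first_name, middle_name, last_name, email "
                      "FROM contacts").fetchall()
    updated = 0
    for rowid, fn, mn, ln, email in rows:
        if email and not overwrite:
            continue
        db.execute("UPDATE contacts SET email = ? WHERE rowid = ?",
                   (mangle(fn, mn, ln, domain, pattern), rowid))
        updated += 1
    return updated

def emails_like(db, fragment):
    """The notes' 'query SELECT ... WHERE email LIKE' check, parameterized."""
    return [row[0] for row in db.execute(
        "SELECT email FROM contacts WHERE email LIKE ? ORDER BY rowid",
        (f"%{fragment}%",))]
```

Running mangle_contacts(open_workspace(), "bbc.com", "<fi>.<ln>") fills in the two blank addresses and leaves j.topguy@bbc.com untouched, which is the same result the notes' second show contacts displays.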
Geolocation
workspaces add location
add hosts
> data.bootstrap-it.com
show hosts
use hosts-hosts/resolve
run
show hosts
use freegeoip
show info
run
show hosts
use pushpins/shodan
add locations
> 39.0481
> -77.4729
show info
set radius 10
Reporting
workspaces select newspace
show dashboard
search reporting
use reporting/csv
show info
run
use reporting/json
show info
set tables hosts, contacts, credentials
run
use reporting/list
show info
show hosts
set COLUMN region
run
use reporting/html
show info
set CREATOR Bootstrap IT
set CUSTOMER BBC
run
cd recon-ng/modules/reporting