Reconnaissance with Recon-Ng, Part 1 (Getting Started)
I encourage you to start with these reconnaissance tools and others before even considering hacking/exploitation.
In recent years, a brand new reconnaissance framework has become available to us that leverages many of the tools we are already using, but makes them far more powerful. This tool, Recon-ng, was developed by Tim Tomes while at Black Hills Information Security. He developed it as a Python script and tried to model its usage after Metasploit, making it easy for a pentester with Metasploit skills to use Recon-ng. It is built into Kali, so there's no need to download or install anything.
Let's explore its many and powerful capabilities a bit here.
Step 1: Starting Recon-Ng
Fire up Kali, open a terminal, and type:
kali > recon-ng
This will open a splash screen like the one below.
Note that the splash screen lists the number of modules by type. Unlike SET, but rather like Metasploit, we use commands and not numbers to use Recon-ng.
Step 2: Viewing Commands
At the prompt, let's type help in order to look at the commands we can use in Recon-ng.
recon-ng > help
Note that many of these commands are nearly identical to Metasploit's, including back, set, use, search, show, and unset.
Step 3: Showing Modules
To see all the modules in Recon-ng, we can type:
recon-ng > show modules
Since there are 84 modules in Recon-ng, I can't fit them all on one screen, or for that matter, even two.
Step 4: Viewing Keys
One of the strengths and beauties of Recon-ng is the use of various application programming interfaces (APIs) to extract useful recon information. For instance, Recon-ng can use Bing, Google, Facebook, Instagram, LinkedIn, and other online applications once you get the API key. With that key, you have almost unlimited access to that application.
To see what API keys Recon-ng can use, type:
recon-ng > keys list
As we can see, these are all the API keys that Recon-ng can use. Some are free and some you must pay for.
When you obtain an API key and you want to add it to Recon-ng for use, you simply add it to the keys. For instance, if I received an API key from Facebook and that key was "123456", I could add it to Recon-ng by typing:
recon-ng > keys add facebook_api 123456
Now when you list the keys, you can see that your facebook_api key is listed. This means that when you use the Facebook recon module, it will automatically use this key to access Facebook like a Facebook application would.
Step 5: Using Recon-Ng
Now that we have explored a bit of Recon-ng, let's try using one of the modules that does not require an API key. There are many, but let's use one for scanning for XSS (cross-site scripting) vulnerabilities called XSSposed. We can load this module by typing:
recon-ng > use recon/domains-vulnerabilities/xssposed
This loads the module into memory and makes it ready for use. Let's get some info on this module by typing:
recon-ng > show info
Note the similarity to Metasploit syntax.
As you can see above, the only option we need is the website we want to scan. Let's scan our favorite website, WonderHowTo.com, to see whether it has any known XSS vulnerabilities.
First, set the source:
recon-ng > set source wonderhowto.com
Then tell Recon-ng to run:
recon-ng > run
Recon-ng then uses XSSposed to check the site for known XSS vulnerabilities. Note that XSSposed found no XSS vulnerabilities in WonderHowTo.com. (Great job, Bryan!)
Now, let's try scanning the website of the leading IT security training company in the U.S., SANS.org, which teaches many courses on website and web app security.
recon-ng > set source sans.org
recon-ng > run
Notice that our good friends at SANS.org have not secured their own website. We found two vulnerabilities from 2017.
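The whole sequence above (optionally adding a key, loading the module, setting the source, running) can be driven non-interactively from a resource file. The script below is an added example, not part of the original tutorial or of Recon-ng itself; it assumes the installed recon-ng accepts the "-w workspace" and "-r resource-file" flags of the v4 command line, and uses example.com as a constructed placeholder domain. Passing the API key through the RECON_API_KEY environment variable keeps it out of the shell history.

```shell
#!/bin/sh
# Added example: generate a Recon-ng resource file for the xssposed module
# and run it non-interactively. Assumes recon-ng supports "-w" and "-r".

# write_resource DOMAIN OUTFILE [API_NAME]
# Writes the tutorial's command sequence to OUTFILE. If API_NAME is given
# and RECON_API_KEY is set, a "keys add" line is included so the key is
# never typed at the prompt or placed on the command line.
write_resource() {
    domain=$1
    out=$2
    api_name=${3:-}
    {
        if [ -n "$api_name" ] && [ -n "${RECON_API_KEY:-}" ]; then
            printf 'keys add %s %s\n' "$api_name" "$RECON_API_KEY"
        fi
        printf 'use recon/domains-vulnerabilities/xssposed\n'
        printf 'set source %s\n' "$domain"
        printf 'run\n'
        printf 'exit\n'
    } > "$out"
    chmod 600 "$out"   # the file may contain an API key; keep it private
}

# run_resource DOMAIN WORKSPACE
# Builds a temporary resource file, feeds it to recon-ng, then removes it.
run_resource() {
    domain=$1
    workspace=$2
    rc=$(mktemp)
    write_resource "$domain" "$rc"
    recon-ng -w "$workspace" -r "$rc"
    status=$?
    rm -f "$rc"
    return $status
}

# Stand-alone use: ./recon_xss.sh example.com [workspace]
if command -v recon-ng >/dev/null 2>&1 && [ $# -ge 1 ]; then
    run_resource "$1" "${2:-recon_demo}"
fi
```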
Recon-ng is one more tool in our hacker/pentester toolbox that provides us powerful capabilities for gathering necessary info on the target. In future tutorials in this series, we will explore its many varied capabilities, most particularly using APIs to garner key info on our target. So keep coming back, my novice hackers!