Recon-ng Tutorial: Mastering Open Source Intelligence for Enhanced Reconnaissance

Recon-ng stands out as a powerful open-source intelligence (OSINT) framework, designed to streamline and automate the reconnaissance phase of cybersecurity assessments. Its modular structure and user-friendly interface, reminiscent of Metasploit, empower security professionals and enthusiasts to efficiently gather information from publicly available sources. This tutorial delves into the capabilities of Recon-ng, guiding you through installation, usage, and practical examples to elevate your OSINT skills.

What is Recon-ng?

Recon-ng is an advanced reconnaissance tool written in Python. It automates the process of information gathering, saving significant time and effort during initial security assessments. By leveraging a vast array of modules, Recon-ng can extract data from various open sources, providing a comprehensive overview of your target. Its interactive console offers features like command completion and contextual help, making it accessible even for those new to OSINT techniques.

Recon-ng Installation Guide

Setting up Recon-ng is straightforward across different operating systems. Here are common installation methods:

Kali Linux:

Recon-ng is often pre-installed in Kali Linux distributions. To ensure you have the latest version and dependencies, execute the following commands in your terminal:

sudo apt update && sudo apt install recon-ng

Ubuntu:

For Ubuntu and other Debian-based systems you need git and pip; if they are missing, install them first with sudo apt install git python3-pip. Recent Debian and Ubuntu releases refuse system-wide pip installs (the "externally-managed-environment" error), so create a virtual environment with python3 -m venv and activate it before running the pip3 step below. Then clone the repository and install its Python dependencies:

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip3 install -r REQUIREMENTS

To launch Recon-ng, navigate to the recon-ng directory and run:

./recon-ng

This will load the Recon-ng console. After the ASCII-art banner (which credits the sponsors Black Hills Information Security, www.blackhillsinfosec.com, and PractiSec, www.practisec.com) it prints the version line and the prompt:

[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
[*] No modules enabled/installed.
[recon-ng][default] >

Navigating the Recon-ng Console

Once Recon-ng is running, the console provides a command-line interface for interacting with the framework. Typing help displays a list of available commands:

[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
back        Exits the current context
dashboard   Displays a summary of activity
db          Interfaces with the workspace's database
exit        Exits the framework
help        Displays this menu
index       Creates a module index (dev only)
keys        Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules     Interfaces with installed modules
options     Manages the current context options
pdb         Starts a Python Debugger session (dev only)
script      Records and executes command scripts
shell       Executes shell commands
show        Shows various framework items
snapshots   Manages workspace snapshots
spool       Spools output to a file
workspaces  Manages workspaces

Initially, Recon-ng starts with no modules enabled.

[*] No modules enabled/installed.

Getting Started with Recon-ng: Essential Steps

Workspace Creation for Organized Reconnaissance

Workspaces are fundamental to Recon-ng, allowing you to compartmentalize your OSINT projects. Each workspace maintains its own database, ensuring data organization and easy retrieval. To create a new workspace, use the workspaces command:

[recon-ng][default] > workspaces create carcodepro_recon
[recon-ng][carcodepro_recon] >

The prompt changes to show the active workspace. Creating a workspace also loads it, so every module you run from here on stores its results in that workspace's database.

To switch to an existing workspace from inside the console, use workspaces load; to open it directly from the command line, pass the -w flag when starting Recon-ng (workspaces list shows what exists):

[recon-ng][default] > workspaces load carcodepro_recon
[recon-ng][carcodepro_recon] >

recon-ng -w carcodepro_recon
[recon-ng][carcodepro_recon] >

Exploring the Recon-ng Marketplace and Modules

Recon-ng’s power lies in its modules. The marketplace command is your gateway to discovering and managing these modules. marketplace help provides command options for module management:

[recon-ng][default] > marketplace help
Interfaces with the module marketplace

Usage: marketplace info|install|refresh|remove|search [...]

Use marketplace search to list all available modules, categorized for different reconnaissance tasks. These categories include:

  • discovery
  • exploitation
  • import
  • recon
  • reporting

Each row of the marketplace search listing shows the module path, its version, whether it is installed, when it was last updated, and two flags: D means the module needs extra Python dependencies, K means it needs an API key before it will run.

[recon-ng][carcodepro_recon] > marketplace search
+--------------------------------------------------------------------------------------------+
| Path                                        | Version | Status        | Updated    | D | K |
+--------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop       | 1.1     | not installed | 2020-10-13 |   |   |
| discovery/info_disclosure/interesting_files | 1.2     | not installed | 2021-10-04 |   |   |
... (Output truncated for brevity) ...

You can refine your module search using keywords. For example, to find modules related to SSL:

[recon-ng][default] > marketplace search ssl
[*] Searching module index for 'ssl'...
+----------------------------------------------------------------------------+
| Path                        | Version | Status        | Updated    | D | K |
+----------------------------------------------------------------------------+
| recon/domains-hosts/ssl_san | 1.0     | not installed | 2019-06-24 |   |   |
| recon/hosts-hosts/ssltools  | 1.0     | not installed | 2019-06-24 |   |   |
| recon/ports-hosts/ssl_scan  | 1.1     | not installed | 2021-08-24 |   |   |
+----------------------------------------------------------------------------+

D = Has dependencies. See info for details.
K = Requires keys. See info for details.

To get detailed information about a specific module, such as ssltools, use marketplace info:

[recon-ng][default] > marketplace info ssltools
+-----------------------------------------------------------------------------------------+
| path            | recon/hosts-hosts/ssltools                                            |
| name            | SSLTools.com Host Name Lookups                                        |
| author          | Tim Maletic (borrowing from the ssl_san module by Zach Graces)        |
| version         | 1.0                                                                   |
| last_updated    | 2019-06-24                                                            |
| description     | Uses the ssltools.com site to obtain host names from a site's SSL     |
|                 | certificate metadata to update the 'hosts' table. Security issues     |
|                 | with the certificate trust are pushed to the 'vulnerabilities' table. |
| required_keys   | []                                                                    |
| dependencies    | []                                                                    |
| files           | []                                                                    |
| status          | not installed                                                         |
+-----------------------------------------------------------------------------------------+

Practical Recon-ng Example: Subdomain Enumeration with Hackertarget Module

Let’s illustrate Recon-ng usage with the hackertarget module, which queries the Hackertarget API for host names under a domain. This is a passive lookup: the requests go to Hackertarget, not to the target's own infrastructure, and the free tier of the API is rate-limited, so a large or repeated run may come back short.

Module Installation

Install the hackertarget module using:

[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] >

Module Loading

Load the installed module:

[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] >

Module-Specific Help

Once a module is loaded, the help command provides module-specific options, different from the global help. Use back to return to the main console.

[recon-ng][default][hackertarget] > help
Commands (type [help|?] <topic>):
---------------------------------
back        Exits the current context
dashboard   Displays a summary of activity
db          Interfaces with the workspace's database
exit        Exits the framework
goptions    Manages the global context options
help        Displays this menu
info        Shows details about the loaded module
input       Shows inputs based on the source
keys        Manages third party resource credentials
modules     Interfaces with installed modules
options     Manages the current context options
pdb         Starts a Python Debugger session (dev only)
reload      Reloads the loaded module
run         Runs the loaded module
script      Records and executes command scripts
shell       Executes shell commands
show        Shows various framework items
spool       Spools output to a file

Setting the Target Domain

Use show options (or options list) to view the module's parameters. The SOURCE parameter is the one that matters: it defines where the module takes its input from. Initially it is set to default, which for this module means every domain already stored in the workspace's domains table (see the Source Options listing below).

[recon-ng][default][hackertarget] > show options
Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  default        yes       source of input (see 'info' for details)

Set SOURCE to the domain you want to investigate. For this example, we’ll use tesla.com:

[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com

A literal string is fine for a one-off run. The workflow Recon-ng is built around, however, is to seed the workspace with db insert domains and leave SOURCE at default, so that each module reads what the previous one stored and results chain from domains to hosts to ports without retyping anything.

Verify the change using info:

[recon-ng][default][hackertarget] > info
Options:
Name    Current Value  Required  Description
------  -------------  --------  -----------
SOURCE  tesla.com      yes       source of input (see 'info' for details)

Source Options:
  default         SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  string          string representing a single input
  path            path to a file containing a list of inputs
  query           sql database query returning one column of inputs

Confirm the input source with input:

[recon-ng][default][hackertarget] > input
+---------------+
| Module Inputs |
+---------------+
| tesla.com     |
+---------------+

Executing the Module

Run the hackertarget module to start subdomain enumeration:

[recon-ng][default][hackertarget] > run
--------- TESLA.COM ---------
[*] Host: tesla.com
[*] Ip_Address: 104.119.104.74
[*] --------------------------------------------------
[*] Host: o7.ptr6980.tesla.com
[*] Ip_Address: 149.72.144.42
[*] --------------------------------------------------
... (Output truncated for brevity) ...
[*] Host: mfauser-dev.tesla.com
[*] Ip_Address: 205.234.27.209
[*] --------------------------------------------------
------- SUMMARY -------
[*] 35 total (35 new) hosts found.

Viewing Results: Hosts Table

The discovered subdomains are stored in the hosts table of the workspace database, where later modules (resolvers, port lookups, the Shodan module below) pick them up as input. View the results with show hosts; once a run is finished, the reporting modules (reporting/csv, for example) export the same tables to a file.

[recon-ng][default][hackertarget] > show hosts
+-----------------------------------------------------------------------------------------------------------------------+
| rowid | host                    | ip_address       | region | country | latitude | longitude | notes | module       |
+-----------------------------------------------------------------------------------------------------------------------+
| 1     | tesla.com               | 104.119.104.74   |        |         |          |           |       | hackertarget |
| 2     | o7.ptr6980.tesla.com    | 149.72.144.42    |        |         |          |           |       | hackertarget |
| 3     | vpn1.tesla.com          | 8.45.124.215     |        |         |          |           |       | hackertarget |
... (Output truncated for brevity) ...
| 35    | mfauser-dev.tesla.com   | 205.234.27.209   |        |         |          |           |       | hackertarget |
+-----------------------------------------------------------------------------------------------------------------------+
[*] 35 rows returned
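The hosts table is the hand-off point to the rest of an engagement, so it is worth being able to query it outside the console. The following Python script is an added example, not code from the Recon-ng project or from this tutorial. It opens a workspace's database (assumed path ~/.recon-ng/workspaces/<name>/data.db, with the hosts columns as shown by show hosts above) or, when no workspace name is given, a constructed in-memory copy seeded with rows from the tesla.com output plus a few invented ones. It then pulls out hosts that never resolved, names that share one address, and labels that suggest VPN or non-production systems. The INTERESTING pattern and the extra rows are hypothetical.

```python
"""Triage the hosts Recon-ng collected, straight from the workspace database.

Added example, not part of the Recon-ng project. Assumptions: the workspace
database lives at ~/.recon-ng/workspaces/<name>/data.db and its 'hosts' table
has the columns shown by 'show hosts' in the tutorial. The demo rows are
constructed (three copied from the tutorial output, three invented) so the
script runs offline.
"""
import csv
import io
import os
import re
import sqlite3
from collections import defaultdict

WORKSPACE_DB = os.path.expanduser("~/.recon-ng/workspaces/{}/data.db")

# Column list mirrors the 'show hosts' output in the tutorial (assumed schema).
HOSTS_SCHEMA = (
    "CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, region TEXT, "
    "country TEXT, latitude TEXT, longitude TEXT, notes TEXT, module TEXT)"
)

# Constructed sample: rows 1-3 and 35 from the tutorial, plus an invented
# second VPN host on a shared IP and an invented host with no address.
DEMO_ROWS = [
    ("tesla.com",             "104.119.104.74", "hackertarget"),
    ("o7.ptr6980.tesla.com",  "149.72.144.42",  "hackertarget"),
    ("vpn1.tesla.com",        "8.45.124.215",   "hackertarget"),
    ("mfauser-dev.tesla.com", "205.234.27.209", "hackertarget"),
    ("vpn2.tesla.com",        "8.45.124.215",   "hackertarget"),
    ("staging.tesla.com",     None,             "brute_hosts"),
]

# Labels that usually mark remote-access or non-production surface worth a
# closer look. Hypothetical list; tune it to the engagement.
INTERESTING = re.compile(
    r"(^|[.-])(dev|test|staging|uat|vpn|admin|old)\d*([.-]|$)", re.I
)


def open_workspace(name=None):
    """Open a real workspace DB, or an in-memory copy seeded with DEMO_ROWS."""
    if name:
        return sqlite3.connect(WORKSPACE_DB.format(name))
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_SCHEMA)
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", DEMO_ROWS
    )
    return conn


def unresolved_hosts(conn):
    """Hosts with no IP. The SELECT is usable verbatim as a recon-ng 'query'
    SOURCE for a resolver module: options set SOURCE query <this SQL>."""
    sql = "SELECT DISTINCT host FROM hosts WHERE ip_address IS NULL ORDER BY host"
    return [row[0] for row in conn.execute(sql)]


def hosts_by_ip(conn):
    """Group names that share one address (shared front end, CDN or VPN pair)."""
    groups = defaultdict(list)
    for host, ip in conn.execute(
        "SELECT host, ip_address FROM hosts WHERE ip_address IS NOT NULL"
    ):
        groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items() if len(hosts) > 1}


def interesting_hosts(conn):
    """Host names whose labels match INTERESTING, sorted for stable output."""
    rows = conn.execute("SELECT DISTINCT host FROM hosts")
    return sorted(h for (h,) in rows if INTERESTING.search(h))


def export_csv(conn):
    """Serialize the hosts table to CSV text for a ticket or spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "ip_address", "module"])
    writer.writerows(
        conn.execute("SELECT host, ip_address, module FROM hosts ORDER BY host")
    )
    return buf.getvalue()


if __name__ == "__main__":
    db = open_workspace()  # pass a workspace name to read a real run
    print("unresolved:", unresolved_hosts(db))
    print("shared IPs:", hosts_by_ip(db))
    print("interesting:", interesting_hosts(db))
    print(export_csv(db))
```

The SELECT in unresolved_hosts is the kind of statement you would hand to a module as a query SOURCE, which is why it pays to test it against the database first: a query that returns the wrong column feeds the next module the wrong inputs, and every module after that inherits the mistake.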

Enhancing Recon-ng with API Keys

Integrating API keys from services like Shodan significantly enhances Recon-ng’s capabilities. A Shodan Pro account, for example, allows querying open ports on discovered hosts without directly scanning them, improving stealth and efficiency.

Adding a Shodan API Key

To add a Shodan API key, first locate it in your Shodan account dashboard under “Account”. Then, in the Recon-ng console, use the keys add command and confirm it with keys list:

[recon-ng][default] > keys add shodan_api YOUR_SHODAN_API_KEY
[recon-ng][default] > keys list

Replace YOUR_SHODAN_API_KEY with your actual Shodan API key. keys list prints the stored values in full, so do not run it while spool is recording output to a file you intend to share. Modules that need a key show it in the required_keys field of marketplace info and in the K column of marketplace search; a module whose key is missing will tell you so at run time rather than silently returning nothing.

Managing Recon-ng Configuration Files

Recon-ng stores its configuration in the .recon-ng directory within your home directory. This directory contains keys.db (the API keys), modules, modules.yml, and workspaces (one subdirectory per workspace, each with its own database). When upgrading Recon-ng or migrating to a new system, you can copy keys.db to preserve your API key configuration and avoid re-entering it. Bear in mind that keys.db holds the keys in the clear: treat it as a credential file, keep it readable only by your user (chmod 600), move it over an encrypted channel, and keep it out of backups and repositories you share.

ls ~/.recon-ng/
keys.db  modules  modules.yml  workspaces
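Because keys.db holds the keys unencrypted, it is worth auditing before you copy it anywhere. The following Python script is an added example, not part of Recon-ng. It assumes keys.db is a SQLite file with a keys table of name and value columns; that matches how the tutorial describes the file, but it is stated here as an assumption rather than taken from the project. The script reports key names and problems (a file readable by other users, empty keys, the placeholder value from the docs left in place) without ever returning or printing key material. The database the demo builds is constructed.

```python
"""Audit the Recon-ng API-key store before copying it to another machine.

Added example, not part of the Recon-ng project. Assumption: ~/.recon-ng/keys.db
is an unencrypted SQLite file whose 'keys' table has 'name' and 'value'
columns. The demo builds throwaway copies so it runs offline; point
audit_keys_db() at the real path to check your own store.
"""
import os
import sqlite3
import stat
import tempfile

KEYS_DB = os.path.expanduser("~/.recon-ng/keys.db")

# Assumed to match Recon-ng's own table definition.
KEYS_SCHEMA = "CREATE TABLE IF NOT EXISTS keys (name TEXT PRIMARY KEY, value TEXT)"


def audit_keys_db(path):
    """Return (key_names, problems). Never returns or prints key values."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{path} is readable by group/other (mode {mode:04o}); chmod 600 it"
        )
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute("SELECT name, value FROM keys ORDER BY name").fetchall()
    finally:
        conn.close()
    names = []
    for name, value in rows:
        names.append(name)
        if not value:
            problems.append(f"key {name} is registered but empty")
        elif value.strip().upper().startswith("YOUR_"):
            problems.append(f"key {name} still holds the placeholder from the docs")
    return names, problems


def make_demo_db(mode=0o644):
    """Constructed keys.db: one plausible key, one placeholder, one empty key."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute(KEYS_SCHEMA)
    conn.executemany(
        "INSERT INTO keys (name, value) VALUES (?, ?)",
        [
            ("shodan_api", "YOUR_SHODAN_API_KEY"),        # placeholder left in
            ("github_api", "ghp_constructed_demo_value"),  # invented, not real
            ("virustotal_api", ""),                        # added but never set
        ],
    )
    conn.commit()
    conn.close()
    os.chmod(path, mode)
    return path


def demo():
    """Audit a loose-permission copy and a hardened copy; clean both up."""
    loose = make_demo_db(0o644)
    tight = make_demo_db(0o600)
    try:
        return audit_keys_db(loose), audit_keys_db(tight)
    finally:
        os.remove(loose)
        os.remove(tight)


if __name__ == "__main__":
    target = KEYS_DB if os.path.exists(KEYS_DB) else make_demo_db()
    names, problems = audit_keys_db(target)
    print("keys:", ", ".join(names) or "(none)")
    for p in problems:
        print("[!]", p)
    if target != KEYS_DB:
        os.remove(target)
```

Run it before a keys.db leaves the machine, and again after an upgrade: the permission check is the one that most often fails after a file copy, because cp and most archive tools do not preserve a 600 mode unless asked to.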

Conclusion: Mastering Reconnaissance with Recon-ng

Recon-ng is a versatile and powerful framework for OSINT gathering. Its modular design and extensive module library enable users to conduct in-depth reconnaissance efficiently. By understanding its console commands, module marketplace, and API key integration, you can significantly enhance your OSINT capabilities.

The evolving landscape of bug bounties provides ample opportunity to practice with tools like Recon-ng and explore the ever-expanding attack surface of organizations. Remember to use these tools ethically and within legal boundaries.

For a comprehensive overview of Recon-ng version 5, refer to Tim Tomes’s YouTube video: Recon-ng v5 Overview.

Article revised and updated November 2023
