recon-ng
- by admin
- 30 May 2023
Installing recon-ng
- Clone the recon-ng repository
git clone https://github.com/lanmaster53/recon-ng.git
- Change into the recon-ng directory
cd recon-ng
- Create a virtual environment
python3 -m venv venv
- Activate the virtual environment
source venv/bin/activate
- Install the dependencies (the file really is called REQUIREMENTS in this repository)
pip install -r REQUIREMENTS
- Start recon-ng
./recon-ng
You get a prompt that behaves much like a Linux shell (tab completion and command history work as usual).
Using recon-ng
The command help (or its short form ?) displays the help:
[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
back         Exits the current context
dashboard    Displays a summary of activity
db           Interfaces with the workspace's database
exit         Exits the framework
help         Displays this menu
index        Creates a module index (dev only)
keys         Manages third party resource credentials
marketplace  Interfaces with the module marketplace
modules      Interfaces with installed modules
options      Manages the current context options
pdb          Starts a Python Debugger session (dev only)
script       Records and executes command scripts
shell        Executes shell commands
show         Shows various framework items
snapshots    Manages workspace snapshots
spool        Spools output to a file
workspaces   Manages workspaces

[recon-ng][default] >
When working with recon-ng you will come across the term "workspaces". Think of a workspace as a project container: everything a module collects lands in the database of the workspace that is currently loaded.
Look at the prompt
[recon-ng][default] >
The part in the second pair of brackets is the loaded workspace; here it is the standard workspace "default".
You can look up the syntax for creating a new workspace with:
[recon-ng][default] > help workspaces
Manages workspaces

Usage: workspaces <create|list|load|remove> [...]

[recon-ng][default] >
A new workspace is therefore created with:
[recon-ng][default] > workspaces create test_workspace
[recon-ng][test_workspace] >
The new workspace immediately becomes the current working workspace, as the prompt shows.
When you work with recon-ng, a folder ".recon-ng" is created in your home directory. In its subfolder
~/.recon-ng/workspaces
a subfolder with the same name is created for each workspace; it holds the SQLite database with that workspace's data. Treat this directory as sensitive: it contains everything you have collected about your targets, and ~/.recon-ng also holds the API keys you add later (in plaintext). On the other hand, a plain SQLite file is easy to back up, to copy to a report machine, and to query with sqlite3 or any other SQLite client.
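Because every workspace is just a SQLite file, you can analyse what recon-ng collected outside the tool. The following is an added example (not part of the original page or of recon-ng itself): it groups the hosts stored in a workspace by IP address, which quickly shows which host names share a server or reverse proxy. It assumes the database file is named data.db inside the workspace folder and that the hosts table has the columns host, ip_address, region, country, latitude, longitude, notes and module; the in-memory sample rows are copied from the hackertarget run shown further down this page.

```python
import sqlite3
from collections import defaultdict
from pathlib import Path

# Columns of recon-ng's hosts table (assumed from the framework schema; the
# names match the fields the hackertarget module prints during `run`).
HOSTS_SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, notes TEXT, module TEXT
)
"""

# Sample rows copied from the hackertarget output on this page (subset).
SAMPLE_HOSTS = [
    ("cloudla.landshut.de", "80.154.222.66"),
    ("region.landshut.de", "178.63.192.57"),
    ("www.region.landshut.de", "178.63.192.57"),
    ("app.landshut.de", "159.69.230.98"),
    ("sa-test.landshut.de", "159.69.230.98"),
    ("adventsstadt.landshut.de", "193.53.251.136"),
    ("www.adventsstadt.landshut.de", "193.53.251.136"),
    ("www.landshut.de", "185.243.132.227"),
]


def workspace_db(name):
    """Path of a workspace's SQLite file (data.db is the assumed file name)."""
    return Path.home() / ".recon-ng" / "workspaces" / name / "data.db"


def open_workspace(name):
    """Read-only connection: a mistyped workspace name raises instead of
    silently creating an empty database file."""
    return sqlite3.connect(f"file:{workspace_db(name)}?mode=ro", uri=True)


def hosts_by_ip(conn):
    """Group host names by IP address -> {ip: [sorted host names]}."""
    groups = defaultdict(set)
    for host, ip in conn.execute(
        "SELECT host, ip_address FROM hosts WHERE ip_address IS NOT NULL"
    ):
        groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def shared_infrastructure(conn, min_hosts=2):
    """IPs fronting several host names: likely one web server, load balancer
    or reverse proxy, i.e. one place to test for vhost confusion later."""
    return {ip: h for ip, h in hosts_by_ip(conn).items() if len(h) >= min_hosts}


def demo_connection():
    """In-memory stand-in for data.db filled with the sample rows, so the
    example runs without a recon-ng installation."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(HOSTS_SCHEMA)
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) "
        "VALUES (?, ?, 'recon/domains-hosts/hackertarget')",
        SAMPLE_HOSTS,
    )
    return conn


if __name__ == "__main__":
    import sys
    # `python3 hosts_by_ip.py test_workspace` reads the real workspace;
    # without an argument the constructed sample data is used.
    conn = open_workspace(sys.argv[1]) if len(sys.argv) > 1 else demo_connection()
    for ip, hosts in sorted(shared_infrastructure(conn).items()):
        print(f"{ip}: {', '.join(hosts)}")
```

Run against the sample data this prints three IPs, each with two host names; every other IP from the run fronts a single name and is left out.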
The recon-ng marketplace and modules
The command
[recon-ng][test_workspace] > marketplace help
Interfaces with the module marketplace

Usage: marketplace <info|install|refresh|remove|search> [...]

[recon-ng][test_workspace] >
shows how the marketplace is used (help marketplace prints the same usage line).
The command marketplace search without an argument lists all modules currently available:
[recon-ng][test_workspace] > marketplace search

  | Path | Version | Status | Updated | D | K |
  |------|---------|--------|---------|---|---|
  | discovery/info_disclosure/cache_snoop | 1.1 | not installed | 2020-10-13 |   |   |
  | discovery/info_disclosure/interesting_files | 1.2 | not installed | 2021-10-04 |   |   |
  | exploitation/injection/command_injector | 1.0 | not installed | 2019-06-24 |   |   |
  | exploitation/injection/xpath_bruter | 1.2 | not installed | 2019-10-08 |   |   |
  | import/csv_file | 1.1 | not installed | 2019-08-09 |   |   |
  | import/list | 1.1 | not installed | 2019-06-24 |   |   |
  | import/masscan | 1.0 | not installed | 2020-04-07 |   |   |
  | import/nmap | 1.1 | not installed | 2020-10-06 |   |   |
  | recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/companies-contacts/censys_email_address | 2.0 | not installed | 2021-05-11 | * | * |
  | recon/companies-contacts/pen | 1.1 | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/censys_subdomains | 2.0 | not installed | 2021-05-10 | * | * |
  | recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/viewdns_reverse_whois | 1.1 | not installed | 2021-08-24 |   |   |
  | recon/companies-domains/whoxy_dns | 1.1 | not installed | 2020-06-17 |   | * |
  | recon/companies-hosts/censys_org | 2.0 | not installed | 2021-05-11 | * | * |
  | recon/companies-hosts/censys_tls_subjects | 2.0 | not installed | 2021-05-11 | * | * |
  | recon/companies-multi/github_miner | 1.1 | not installed | 2020-05-15 |   | * |
  | recon/companies-multi/shodan_org | 1.1 | not installed | 2020-07-01 | * | * |
  | recon/companies-multi/whois_miner | 1.1 | not installed | 2019-10-15 |   |   |
  | recon/contacts-contacts/abc | 1.0 | not installed | 2019-10-11 | * |   |
  | recon/contacts-contacts/mailtester | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/mangle | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/unmangle | 1.1 | not installed | 2019-10-27 |   |   |
  | recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 |   | * |
  | recon/contacts-credentials/hibp_paste | 1.1 | not installed | 2019-09-10 |   | * |
  | recon/contacts-domains/migrate_contacts | 1.1 | not installed | 2020-05-17 |   |   |
  | recon/contacts-profiles/fullcontact | 1.1 | not installed | 2019-07-24 |   | * |
  | recon/credentials-credentials/adobe | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/bozocrack | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/hashes_org | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/domains-companies/censys_companies | 2.0 | not installed | 2021-05-10 | * | * |
  | recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 |   |   |
  | recon/domains-companies/whoxy_whois | 1.1 | not installed | 2020-06-24 |   | * |
  | recon/domains-contacts/hunter_io | 1.3 | not installed | 2020-04-14 |   | * |
  | recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * |   |
  | recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 |   |   |
  | recon/domains-contacts/pgp_search | 1.4 | not installed | 2019-10-16 |   |   |
  | recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-contacts/wikileaker | 1.0 | not installed | 2020-04-08 |   |   |
  | recon/domains-credentials/pwnedlist/account_creds | 1.0 | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/api_usage | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/domain_creds | 1.0 | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/domain_ispwned | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/leak_lookup | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-credentials/pwnedlist/leaks_dump | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/domains-domains/brute_suffix | 1.1 | not installed | 2020-05-17 |   |   |
  | recon/domains-hosts/binaryedge | 1.2 | not installed | 2020-06-18 |   | * |
  | recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 |   |   |
  | recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/builtwith | 1.1 | not installed | 2021-08-24 |   | * |
  | recon/domains-hosts/censys_domain | 2.0 | not installed | 2021-05-10 | * | * |
  | recon/domains-hosts/certificate_transparency | 1.2 | not installed | 2019-09-16 |   |   |
  | recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/hackertarget | 1.1 | installed | 2020-05-17 |   |   |
  | recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/netcraft | 1.1 | not installed | 2020-02-05 |   |   |
  | recon/domains-hosts/shodan_hostname | 1.1 | not installed | 2020-07-01 | * | * |
  | recon/domains-hosts/spyse_subdomains | 1.1 | not installed | 2021-08-24 |   | * |
  | recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 |   |   |
  | recon/domains-vulnerabilities/xssed | 1.1 | not installed | 2020-10-18 |   |   |
  | recon/hosts-domains/migrate_hosts | 1.1 | not installed | 2020-05-17 |   |   |
  | recon/hosts-hosts/bing_ip | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/censys_hostname | 2.0 | not installed | 2021-05-10 | * | * |
  | recon/hosts-hosts/censys_ip | 2.0 | not installed | 2021-05-10 | * | * |
  | recon/hosts-hosts/censys_query | 2.0 | not installed | 2021-05-10 | * | * |
  | recon/hosts-hosts/ipinfodb | 1.2 | not installed | 2021-08-24 |   | * |
  | recon/hosts-hosts/ipstack | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/resolve | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/hosts-locations/migrate_hosts | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/hosts-ports/binaryedge | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip | 1.2 | not installed | 2020-07-01 | * | * |
  | recon/locations-locations/geocode | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/locations-locations/reverse_geocode | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/flickr | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/shodan | 1.1 | not installed | 2020-07-07 | * | * |
  | recon/locations-pushpins/twitter | 1.1 | not installed | 2019-10-17 |   | * |
  | recon/locations-pushpins/youtube | 1.2 | not installed | 2020-09-02 |   | * |
  | recon/netblocks-companies/censys_netblock_company | 2.0 | not installed | 2021-05-11 | * | * |
  | recon/netblocks-companies/whois_orgs | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/censys_netblock | 2.0 | not installed | 2021-05-10 | * | * |
  | recon/netblocks-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/shodan_net | 1.2 | not installed | 2020-07-21 | * | * |
  | recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/netblocks-ports/census_2012 | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/netblocks-ports/censysio | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/ports-hosts/migrate_ports | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/ports-hosts/ssl_scan | 1.1 | not installed | 2021-08-24 |   |   |
  | recon/profiles-contacts/bing_linkedin_contacts | 1.2 | not installed | 2021-08-24 |   | * |
  | recon/profiles-contacts/dev_diver | 1.1 | not installed | 2020-05-15 |   |   |
  | recon/profiles-contacts/github_users | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/namechk | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/profiler | 1.1 | not installed | 2019-10-16 |   |   |
  | recon/profiles-profiles/twitter_mentioned | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/twitter_mentions | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/profiles-repositories/github_repos | 1.1 | not installed | 2020-05-15 |   | * |
  | recon/repositories-profiles/github_commits | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 |   | * |
  | reporting/csv | 1.0 | not installed | 2019-06-24 |   |   |
  | reporting/html | 1.0 | not installed | 2019-06-24 |   |   |
  | reporting/json | 1.0 | not installed | 2019-06-24 |   |   |
  | reporting/list | 1.0 | not installed | 2019-06-24 |   |   |
  | reporting/proxifier | 1.0 | not installed | 2019-06-24 |   |   |
  | reporting/pushpin | 1.0 | not installed | 2019-06-24 |   | * |
  | reporting/xlsx | 1.0 | not installed | 2019-06-24 |   |   |
  | reporting/xml | 1.1 | not installed | 2019-06-24 |   |   |

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

[recon-ng][test_workspace] >
The module path encodes what a module consumes and produces: recon/domains-hosts/... takes domains from the domains table and writes host names to the hosts table. The D column marks modules that need an extra Python package, the K column modules that need an API key.
If you add an argument to the search command, only modules whose path contains that string are listed. Here the search term was "ssl":
[recon-ng][test_workspace] > marketplace search ssl
[*] Searching module index for 'ssl'...

  | Path | Version | Status | Updated | D | K |
  |------|---------|--------|---------|---|---|
  | recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 |   |   |
  | recon/ports-hosts/ssl_scan | 1.1 | not installed | 2021-08-24 |   |   |

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

[recon-ng][test_workspace] >
To learn more about a module, put the argument "info" in front of the module name. Here the details of the ssltools module were retrieved:
[recon-ng][test_workspace] > marketplace info ssltools

  path          | recon/hosts-hosts/ssltools
  name          | SSLTools.com Host Name Lookups
  author        | Tim Maletic (borrowing from the ssl_san module by Zach Graces)
  version       | 1.0
  last_updated  | 2019-06-24
  description   | Uses the ssltools.com site to obtain host names from a site's SSL certificate metadata to update the 'hosts' table. Security issues with the certificate trust are pushed to the 'vulnerabilities' table.
  required_keys | []
  dependencies  | []
  files         | []
  status        | not installed

[recon-ng][test_workspace] >
The required_keys and dependencies fields are what the K and D columns of the listing refer to; check them before installing a module so that you are not surprised by a disabled module or a missing-key error at run time.
Example of how a module is used
The list of all modules contains, among others, the line
| recon/domains-hosts/hackertarget | 1.1 | installed | 2020-05-17
(it already reads "installed" in the listing above because that listing was captured after this step; on a fresh checkout it reads "not installed").
This module is installed with the command
[recon-ng][test_workspace] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][test_workspace] >
The short name is enough as long as it is unambiguous; otherwise use the full path, e.g. marketplace install recon/domains-hosts/hackertarget.
Using modules
To use a module it has to be loaded:
[recon-ng][test_workspace] > modules load hackertarget
[recon-ng][test_workspace][hackertarget] >
The prompt shows "where" you currently are: in the workspace "test_workspace", inside the module "hackertarget".
Inside a module, help shows the command set for this context. Compared with the workspace level, the commands goptions, info, input, reload and run are new, while index, snapshots and workspaces are gone:
[recon-ng][test_workspace][hackertarget] > help

Commands (type [help|?] <topic>):
---------------------------------
back        Exits the current context
dashboard   Displays a summary of activity
db          Interfaces with the workspace's database
exit        Exits the framework
goptions    Manages the global context options
help        Displays this menu
info        Shows details about the loaded module
input       Shows inputs based on the source option
keys        Manages third party resource credentials
modules     Interfaces with installed modules
options     Manages the current context options
pdb         Starts a Python Debugger session (dev only)
reload      Reloads the loaded module
run         Runs the loaded module
script      Records and executes command scripts
shell       Executes shell commands
show        Shows various framework items
spool       Spools output to a file

[recon-ng][test_workspace][hackertarget] >
Almost every module needs some settings. The following command shows the options of the currently loaded module, together with a short description of each:
[recon-ng][test_workspace][hackertarget] > options list

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'info' for details)

[recon-ng][test_workspace][hackertarget] >
If you need more information about a module, use info:
[recon-ng][test_workspace][hackertarget] > info

      Name: HackerTarget Lookup
    Author: Michael Henriksen (@michenriksen)
   Version: 1.1

Description:
  Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][test_workspace][hackertarget] >
As the description says, this module finds host names for a given target domain. The Source Options block explains what SOURCE accepts: with the value "default" the module reads every domain already stored in the workspace's domains table; alternatively you can give a single string, the path of a file with one input per line, or an SQL query that returns one column. The input command shows what the module would actually process with the current SOURCE setting, which is a cheap check before a run.
The following command sets the option "SOURCE" to "google.com":
[recon-ng][test_workspace][hackertarget] > options set SOURCE google.com
SOURCE => google.com
[recon-ng][test_workspace][hackertarget] >
If you enter "info" again, you can see which value the option(s) now hold:
[recon-ng][test_workspace][hackertarget] > info
Name: HackerTarget Lookup
Author: Michael Henriksen (@michenriksen)
Version: 1.1
Description:
Uses the HackerTarget.com API to find host names. Updates the 'hosts' table with the results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE google.com yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
[recon-ng][test_workspace][hackertarget] >
Here with the value "google.com".
Now the module is to be executed. This is done with the command "run".
The choice of "google.com" was perhaps not the best one, because it returns several hundred host names. So choose a target that returns fewer results. Keep in mind as well that hackertarget is a third-party service: the lookup itself is passive from the target's point of view, but your query (and thus your interest in that domain) is visible to the service provider, so only use domains you are authorised to investigate.
We change the variable "SOURCE" to "landshut.de"
[recon-ng][test_workspace][hackertarget] > options set SOURCE landshut.de
SOURCE => landshut.de
[recon-ng][test_workspace][hackertarget] >
and enter the command "run":
[recon-ng][test_workspace][hackertarget] > run

-----------
LANDSHUT.DE
-----------
[*] Country: None
[*] Host: cloudla.landshut.de
[*] Ip_Address: 80.154.222.66
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
The remaining 18 records have the same layout; only Host and Ip_Address are filled, every other field (Country, Latitude, Longitude, Notes, Region) is None:

  Host                           Ip_Address
  opac.landshut.de               62.153.86.70
  lastenrad.landshut.de          88.99.84.29
  termine.landshut.de            80.154.222.84
  stadtrundgang.landshut.de      178.16.56.134
  mail.landshut.de               62.153.86.68
  stadtplan.landshut.de          5.9.124.215
  wunschkennzeichen.landshut.de  62.153.86.72
  region.landshut.de             178.63.192.57
  www.region.landshut.de         178.63.192.57
  app.landshut.de                159.69.230.98
  ris.landshut.de                62.153.86.75
  adventsstadt.landshut.de       193.53.251.136
  www.adventsstadt.landshut.de   193.53.251.136
  planauskunft.landshut.de       80.154.222.81
  sa-test.landshut.de            159.69.230.98
  tnv.landshut.de                80.154.222.82
  www.landshut.de                185.243.132.227
  www.medienportal.landshut.de   185.121.204.24

-------
SUMMARY
-------
[*] 19 total (19 new) hosts found.
[recon-ng][test_workspace][hackertarget] >
19 hosts were found and written to the hosts table of the workspace ("19 new" means none of them was already in the table). You can look at them at any time with show hosts.
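The same steps can be driven non-interactively: recon-ng accepts a resource file with one command per line (./recon-ng -r FILE; the script command in the help listing records such files from a live session). The following is an added example, not from this page or from the recon-ng project. It writes a target list, sets SOURCE to that file (the <path> source option from info) so that one run covers every domain, spools the module output to a log and launches ./recon-ng -w test_workspace -r hackertarget.rc. Assumed are the path of the recon-ng executable and the placeholder domain example.org; the binary is only started if it exists, so the function can be exercised offline. Because each run sends your whole target list to hackertarget, only put domains into it that are in scope.

```python
import os
import subprocess
import tempfile
from pathlib import Path

HACKERTARGET = "recon/domains-hosts/hackertarget"


def build_resource_script(domains_file, spool_file):
    """Command lines for recon-ng's resource-file mode (./recon-ng -r FILE).

    SOURCE is set to a file path: recon-ng reads it as one input per line
    (the '<path>' source option shown by `info`), so one run covers every
    domain in the file instead of one `options set SOURCE` per target.
    The workspace is created or loaded with -w on the command line, not here.
    """
    return [
        f"marketplace install {HACKERTARGET}",
        f"modules load {HACKERTARGET}",
        f"options set SOURCE {domains_file}",
        f"spool start {spool_file}",   # keep the raw module output for the report
        "run",
        "spool stop",
        "show hosts",                  # what landed in the workspace's hosts table
        "exit",                        # without this recon-ng stays at the prompt
    ]


def write_inputs(workdir, domains):
    """Write the target list (one domain per line) and the resource script.
    Both get mode 0600: the files document your targets, so keep them private."""
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    domains_file = workdir / "domains.txt"
    domains_file.write_text("\n".join(domains) + "\n")
    lines = build_resource_script(domains_file, workdir / "hackertarget.log")
    script = workdir / "hackertarget.rc"
    script.write_text("\n".join(lines) + "\n")
    for path in (domains_file, script):
        os.chmod(path, 0o600)
    return script, lines


def run_recon(recon_ng, workspace, domains, workdir):
    """Drive recon-ng non-interactively; skipped if the binary is not present
    (assumed path, e.g. ~/recon-ng/recon-ng from the installation steps)."""
    script, lines = write_inputs(workdir, domains)
    binary = Path(recon_ng)
    if binary.exists():
        subprocess.run([str(binary), "-w", workspace, "-r", str(script)], check=False)
    return lines


def demo():
    """Build the script in a temp dir against a non-existent binary (no network)."""
    with tempfile.TemporaryDirectory() as tmp:
        # example.org is a constructed placeholder target
        return run_recon(Path(tmp) / "recon-ng", "test_workspace",
                         ["landshut.de", "example.org"], tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real run call run_recon("/home/you/recon-ng/recon-ng", "test_workspace", [...], "/home/you/recon/landshut") from your own script; the spool file then holds exactly the per-host output shown above, and the workspace database holds the hosts for later queries.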
Adding API keys
Some third-party services (e.g. Shodan) require a key before their modules can be used.
Enter "marketplace search" again. The output is the same module index as printed above and is abbreviated here; only the Status column differs, because more modules had been installed on the author's system in the meantime:
[recon-ng][test_workspace] > marketplace search

  | Path | Version | Status | Updated | D | K |
  |------|---------|--------|---------|---|---|
  | discovery/info_disclosure/cache_snoop | 1.1 | not installed | 2020-10-13 |   |   |
  | discovery/info_disclosure/interesting_files | 1.2 | installed | 2021-10-04 |   |   |
  | recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/companies-contacts/censys_email_address | 2.0 | not installed | 2021-05-11 | * | * |
  | recon/companies-multi/shodan_org | 1.1 | not installed | 2020-07-01 | * | * |
  | recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 |   | * |
  | recon/domains-hosts/hackertarget | 1.1 | installed | 2020-05-17 |   |   |
  | recon/domains-hosts/shodan_hostname | 1.1 | not installed | 2020-07-01 | * | * |
  | recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip | 1.2 | not installed | 2020-07-01 | * | * |
  | recon/netblocks-hosts/shodan_net | 1.2 | not installed | 2020-07-21 | * | * |
  | reporting/pushpin | 1.0 | not installed | 2019-06-24 |   | * |
  | ... (remaining rows as in the full listing above) ... |

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

[recon-ng][test_workspace] >
In the last column, headed "K", the modules that need a key are marked with a *.
If you enter the command "help" at workspace level
[recon-ng][test_workspace] > help Commands (type [help|?] <topic>): --------------------------------- back Exits the current context dashboard Displays a summary of activity db Interfaces with the workspace's database exit Exits the framework help Displays this menu index Creates a module index (dev only) keys Manages third party resource credentials marketplace Interfaces with the module marketplace modules Interfaces with installed modules options Manages the current context options pdb Starts a Python Debugger session (dev only) script Records and executes command scripts shell Executes shell commands show Shows various framework items snapshots Manages workspace snapshots spool Spools output to a file workspaces Manages workspaces [recon-ng][test_workspace] >
sehen sie in der ausgegebenen Liste von Kommandos auch die Zeile
keys Manages third party resource credentials
Geben Sie das Kommando "keys" gefolgt von "TAB" + "TAB" ein
[recon-ng][test_workspace] > keys add list remove [recon-ng][test_workspace] > keys
erhalten Sie die möglichen Optionen für den Befehl.
Geben Sie den Befehl "keys" mit der Option "list" ein
[recon-ng][test_workspace] > keys list +--------------------+ | Name | Value | +--------------------+ | google_api | | +--------------------+ [recon-ng][test_workspace] >
Sie sehen, dass ein Key bereits vorinstalliert ist.
Wir fügen nun den Key für Shodan hinzu. Diesen Key müssen Sie sich selbstverständlich
zuerst über eine Anmeldung bei Shodan besorgen.
Hierzu laden wir zuerst das Modul, das diesen Key benötigt
[recon-ng][test_workspace] > marketplace install recon/domains-hosts/shodan_hostname
[*] Module installed: recon/domains-hosts/shodan_hostname
[*] Reloading modules...
[!] Module 'recon/domains-hosts/shodan_hostname' disabled. Dependency required: ''shodan''.
[recon-ng][test_workspace] >
You can see that when the module is installed a warning is shown that this module has dependencies.
We first have to exit recon-ng and install "shodan"
~/recon/recon-ng# pip install shodan
Then we restart recon-ng and switch back to our workspace.
Already at startup recon-ng tells us that the Shodan API key is not set
[!] 'shodan_api' key not set. shodan_hostname module will likely fail at runtime. See 'keys add'.
[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
[8] Recon modules
[2] Import modules
[1] Discovery modules
[recon-ng][default] >
We now add the key for the Shodan API
[recon-ng][test_workspace] > keys add shodan_api djV97Vog8jS9fiTaCvbbkjW18JG0abWn
[*] Key 'shodan_api' added.
[recon-ng][test_workspace] >
Now load the module
[recon-ng][test_workspace] > modules load recon/domains-hosts/shodan_hostname
[recon-ng][test_workspace][shodan_hostname] >
First, display the info for the module
[recon-ng][test_workspace][shodan_hostname] > info

      Name: Shodan Hostname Enumerator
    Author: Tim Tomes (@lanmaster53) & Ryan Hays (@_ryanhays)
   Version: 1.1
      Keys: shodan_api

Description:
  Harvests hosts from the Shodan API by using the 'hostname' search operator. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  LIMIT   1              yes       limit number of api requests per input source (0 = unlimited)
  SOURCE  default        yes       source of input (see 'info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][test_workspace][shodan_hostname] >
We also adjust the "SOURCE" option
[recon-ng][test_workspace][shodan_hostname] > options set SOURCE landshut.de
SOURCE => landshut.de
[recon-ng][test_workspace][shodan_hostname] >
We enter "run" and wait for the result
[recon-ng][test_workspace][shodan_hostname] > run

-----------
LANDSHUT.DE
-----------
[recon-ng][test_workspace][shodan_hostname] >
The result should not be "nothing" as shown above ... provided the Shodan API works (:-)
That was the basic procedure for adding an API key.
You must be aware that when using such third-party APIs you always depend on the API not changing, and that you may have to pay for it!
The database
As already mentioned, an SQLite database is created for each workspace.
If you enter the command "db" + "TAB", the options for "communicating" with the database are shown.
[recon-ng][test_workspace] > db schema

+---------------+
| domains       |
+---------------+
| domain | TEXT |
| notes  | TEXT |
| module | TEXT |
+---------------+

+--------------------+
| companies          |
+--------------------+
| company     | TEXT |
| description | TEXT |
| notes       | TEXT |
| module      | TEXT |
+--------------------+

+-----------------+
| netblocks       |
+-----------------+
| netblock | TEXT |
| notes    | TEXT |
| module   | TEXT |
+-----------------+

+-----------------------+
| locations             |
+-----------------------+
| latitude       | TEXT |
| longitude      | TEXT |
| street_address | TEXT |
| notes          | TEXT |
| module         | TEXT |
+-----------------------+

+---------------------+
| vulnerabilities     |
+---------------------+
| host         | TEXT |
| reference    | TEXT |
| example      | TEXT |
| publish_date | TEXT |
| category     | TEXT |
| status       | TEXT |
| notes        | TEXT |
| module       | TEXT |
+---------------------+

+-------------------+
| ports             |
+-------------------+
| ip_address | TEXT |
| host       | TEXT |
| port       | TEXT |
| protocol   | TEXT |
| banner     | TEXT |
| notes      | TEXT |
| module     | TEXT |
+-------------------+

+-------------------+
| hosts             |
+-------------------+
| host       | TEXT |
| ip_address | TEXT |
| region     | TEXT |
| country    | TEXT |
| latitude   | TEXT |
| longitude  | TEXT |
| notes      | TEXT |
| module     | TEXT |
+-------------------+

+--------------------+
| contacts           |
+--------------------+
| first_name  | TEXT |
| middle_name | TEXT |
| last_name   | TEXT |
| email       | TEXT |
| title       | TEXT |
| region      | TEXT |
| country     | TEXT |
| phone       | TEXT |
| notes       | TEXT |
| module      | TEXT |
+--------------------+

+-----------------+
| credentials     |
+-----------------+
| username | TEXT |
| password | TEXT |
| hash     | TEXT |
| type     | TEXT |
| leak     | TEXT |
| notes    | TEXT |
| module   | TEXT |
+-----------------+

+-----------------------------+
| leaks                       |
+-----------------------------+
| leak_id              | TEXT |
| description          | TEXT |
| source_refs          | TEXT |
| leak_type            | TEXT |
| title                | TEXT |
| import_date          | TEXT |
| leak_date            | TEXT |
| attackers            | TEXT |
| num_entries          | TEXT |
| score                | TEXT |
| num_domains_affected | TEXT |
| attack_method        | TEXT |
| target_industries    | TEXT |
| password_hash        | TEXT |
| password_type        | TEXT |
| targets              | TEXT |
| media_refs           | TEXT |
| notes                | TEXT |
| module               | TEXT |
+-----------------------------+

+---------------------+
| pushpins            |
+---------------------+
| source       | TEXT |
| screen_name  | TEXT |
| profile_name | TEXT |
| profile_url  | TEXT |
| media_url    | TEXT |
| thumb_url    | TEXT |
| message      | TEXT |
| latitude     | TEXT |
| longitude    | TEXT |
| time         | TEXT |
| notes        | TEXT |
| module       | TEXT |
+---------------------+

+-----------------+
| profiles        |
+-----------------+
| username | TEXT |
| resource | TEXT |
| url      | TEXT |
| category | TEXT |
| notes    | TEXT |
| module   | TEXT |
+-----------------+

+--------------------+
| repositories       |
+--------------------+
| name        | TEXT |
| owner       | TEXT |
| description | TEXT |
| resource    | TEXT |
| category    | TEXT |
| url         | TEXT |
| notes       | TEXT |
| module      | TEXT |
+--------------------+

[recon-ng][test_workspace] >
The schema option displays the tables of the database.
With a program such as DB Browser for SQLite for Linux you can also view and edit the database directly.
Let us take the hosts table in the DB as an example again
[recon-ng][test_workspace] > show hosts

+--------------------------------------------------------------------------------------------------------------------------+
| rowid | host                          | ip_address      | region | country | latitude | longitude | notes | module       |
+--------------------------------------------------------------------------------------------------------------------------+
| 1     | cloudla.landshut.de           | 80.154.222.66   |        |         |          |           |       | hackertarget |
| 2     | opac.landshut.de              | 62.153.86.70    |        |         |          |           |       | hackertarget |
| 3     | lastenrad.landshut.de         | 88.99.84.29     |        |         |          |           |       | hackertarget |
| 4     | termine.landshut.de           | 80.154.222.84   |        |         |          |           |       | hackertarget |
| 5     | stadtrundgang.landshut.de     | 178.16.56.134   |        |         |          |           |       | hackertarget |
| 6     | mail.landshut.de              | 62.153.86.68    |        |         |          |           |       | hackertarget |
| 7     | stadtplan.landshut.de         | 5.9.124.215     |        |         |          |           |       | hackertarget |
| 8     | wunschkennzeichen.landshut.de | 62.153.86.72    |        |         |          |           |       | hackertarget |
| 9     | region.landshut.de            | 178.63.192.57   |        |         |          |           |       | hackertarget |
| 10    | www.region.landshut.de        | 178.63.192.57   |        |         |          |           |       | hackertarget |
| 11    | app.landshut.de               | 159.69.230.98   |        |         |          |           |       | hackertarget |
| 12    | ris.landshut.de               | 62.153.86.75    |        |         |          |           |       | hackertarget |
| 13    | adventsstadt.landshut.de      | 193.53.251.136  |        |         |          |           |       | hackertarget |
| 14    | www.adventsstadt.landshut.de  | 193.53.251.136  |        |         |          |           |       | hackertarget |
| 15    | planauskunft.landshut.de      | 80.154.222.81   |        |         |          |           |       | hackertarget |
| 16    | sa-test.landshut.de           | 159.69.230.98   |        |         |          |           |       | hackertarget |
| 17    | tnv.landshut.de               | 80.154.222.82   |        |         |          |           |       | hackertarget |
| 18    | www.landshut.de               | 185.243.132.227 |        |         |          |           |       | hackertarget |
| 19    | www.medienportal.landshut.de  | 185.121.204.24  |        |         |          |           |       | hackertarget |
+--------------------------------------------------------------------------------------------------------------------------+

[*] 19 rows returned
[recon-ng][test_workspace] >
There are 19 entries in the hosts table. With the db command, entries in the table can now be deleted or added.
[recon-ng][test_workspace] > db query select * from hosts where ip_address like "62.%"

+---------------------------------------------------------------------------------------------------------------+
| host                          | ip_address   | region | country | latitude | longitude | notes | module       |
+---------------------------------------------------------------------------------------------------------------+
| opac.landshut.de              | 62.153.86.70 |        |         |          |           |       | hackertarget |
| mail.landshut.de              | 62.153.86.68 |        |         |          |           |       | hackertarget |
| wunschkennzeichen.landshut.de | 62.153.86.72 |        |         |          |           |       | hackertarget |
| ris.landshut.de               | 62.153.86.75 |        |         |          |           |       | hackertarget |
+---------------------------------------------------------------------------------------------------------------+

[*] 4 rows returned
[recon-ng][test_workspace] >
With the "query" option the database can be queried.
When using modules, the "SOURCE" option can also be such a database query, i.e. not all hosts in the table are used as parameters for the selected action, but only those you have selected through the query.
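The same filtering can be done outside recon-ng against the workspace's SQLite file. The following is an added example written for this page, not part of recon-ng: it recreates the hosts table from the schema above with constructed sample rows, emulates what a one-column SOURCE query yields as module input, and groups hostnames that share an IP.

```python
# Added example (not recon-ng code): query a recon-ng workspace database
# offline with sqlite3, the way 'db query' and a SQL SOURCE option do.
import sqlite3
# Columns exactly as 'db schema' lists them for the hosts table.
HOSTS_DDL = """CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, notes TEXT, module TEXT)"""

# Constructed sample rows (host, ip_address, module) taken from 'show hosts' above.
SAMPLE_HOSTS = [
    ("opac.landshut.de", "62.153.86.70", "hackertarget"),
    ("mail.landshut.de", "62.153.86.68", "hackertarget"),
    ("region.landshut.de", "178.63.192.57", "hackertarget"),
    ("www.region.landshut.de", "178.63.192.57", "hackertarget"),
    ("www.landshut.de", "185.243.132.227", "hackertarget"),
]

def open_workspace(db_path=":memory:"):
    """Open a workspace DB; a real one is ~/.recon-ng/workspaces/<name>/data.db."""
    conn = sqlite3.connect(db_path)
    conn.execute(HOSTS_DDL)
    return conn

def seed(conn, rows=SAMPLE_HOSTS):
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", rows)
    conn.commit()

def source_query(conn, sql, params=()):
    """Emulate a SQL SOURCE: one column only, empties dropped, duplicates removed in first-seen order."""
    cur = conn.execute(sql, params)
    if len(cur.description) != 1:
        raise ValueError("SOURCE query must return exactly one column")
    seen, inputs = set(), []
    for (value,) in cur:
        if value and value not in seen:
            seen.add(value)
            inputs.append(value)
    return inputs

def hosts_in_prefix(conn, ip_prefix):
    """Hosts whose ip_address starts with ip_prefix; the LIKE pattern is passed
    as a bound parameter, not pasted into the SQL text."""
    sql = "SELECT host FROM hosts WHERE ip_address LIKE ? ORDER BY rowid"
    return source_query(conn, sql, (ip_prefix + "%",))

def shared_ips(conn):
    """Map every IP that serves more than one hostname to those hostnames."""
    groups = {}
    for ip, host in conn.execute("SELECT ip_address, host FROM hosts ORDER BY rowid"):
        groups.setdefault(ip, []).append(host)
    return {ip: hosts for ip, hosts in groups.items() if len(hosts) > 1}
```

Point open_workspace at a real data.db to run the same queries against a populated workspace.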
Summary
The techniques presented here are only a fraction of what is possible with recon-ng.
Other important functions include the import of CSV files (for example a scan result from nmap) and the creation of a report via the corresponding modules.
On Linux, recon-ng can normally be installed via the distribution's own package manager, but this is not advisable.
Instead, create a Python virtual environment (venv) and install all required packages via pip.
Advantages:
- The recon-ng installation is up to date
- Using "pip install --upgrade ..." the installed components can be updated quickly and conveniently