Recon-ng is a comprehensive Python-based framework designed for conducting open-source web reconnaissance. It offers a robust environment, featuring independent modules, database integration, built-in convenience functions, interactive help, and command completion, enabling researchers to perform thorough and efficient web-based reconnaissance.
While Recon-ng shares a similar user interface to the Metasploit Framework, it is distinctly tailored for web-based reconnaissance, rather than exploitation or social engineering tasks. The framework provides a specialized tool for those seeking to gather intelligence from publicly available online sources.
In this walkthrough we are going to perform:
Domain-based discovery
Host-based discovery
Person-based/profile-based discovery
To start Recon-ng in Kali Linux, type the following in the terminal:
Command: recon-ng


To create a workspace, type:
Command: workspaces create example_workspace

To add the domain for which you want to gather information, type:
Command: db insert domains

To check whether the domain was added successfully, type:
Command: show domains

Using hackertarget to find sub-domains:
Let’s install and load it:
Command: marketplace install hackertarget
Command: modules load recon/domains-hosts/hackertarget
Command: info
This shows the SOURCE option, which is currently set to default.

Now set the SOURCE to the target domain:
Command: options set SOURCE tesla.com
Run the module:
Command: run

List the hosts that were found:
Command: show hosts

Generate the report
After harvesting the hosts, we will prepare a report containing all the information.
Install the reporting module to get the report in HTML format:
Command: marketplace install reporting/html
Load the module:
Command: modules load reporting/html
Type info to view the options and configure the reporting details.
You will need to set these values: CREATOR (your name), CUSTOMER (the customer name) and FILENAME (the export path and file name).
Command: options set CREATOR Micky
Command: options set CUSTOMER infosec Network
Command: options set FILENAME /home/kali/host.html
Run the module to export:
Command: run
The generated report is saved to the home folder, at the path set in FILENAME.

There isn't much in this report, but adding geolocation data and running multiple modules can make it considerably more complex. Recon-ng excels at keeping thorough records of all activity.
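As an added example (not part of the original walkthrough or the Recon-ng project), the Python below shows how a team running these steps against its own domain could compare the harvested hosts with an asset inventory to spot subdomains nobody is tracking. It assumes the workspace database is SQLite with a hosts table holding host, ip_address and module columns; the example.com rows, IP addresses and inventory are constructed.

```python
import sqlite3

# Assumption: the workspace database is SQLite and its `hosts` table has at
# least `host`, `ip_address` and `module` columns.
def load_hosts(conn):
    """Return {normalized_host: {"ips": set, "modules": set}} from the hosts table."""
    found = {}
    query = "SELECT host, ip_address, module FROM hosts WHERE host IS NOT NULL"
    for host, ip, module in conn.execute(query):
        name = host.strip().lower().rstrip(".")  # fold case and trailing dot
        entry = found.setdefault(name, {"ips": set(), "modules": set()})
        if ip:
            entry["ips"].add(ip)
        if module:
            entry["modules"].add(module)
    return found

def audit(found, inventory, domain):
    """Compare harvested hosts for `domain` with the asset inventory."""
    known = {h.strip().lower() for h in inventory}
    # Match on a label boundary so "badexample.com" is not treated as ours.
    in_scope = {h for h in found if h == domain or h.endswith("." + domain)}
    return {
        "unknown": sorted(in_scope - known),    # public but not inventoried
        "not_seen": sorted(known - in_scope),   # inventoried, not harvested
        "out_of_scope": sorted(set(found) - in_scope),
    }

def build_sample_db():
    """Constructed stand-in for a workspace database (hypothetical rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, notes TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", [
        ("www.example.com", "192.0.2.10", "hackertarget"),
        ("WWW.Example.com.", "192.0.2.10", "hackertarget"),  # duplicate spelling
        ("vpn.example.com", "192.0.2.20", "hackertarget"),
        ("old-staging.example.com", "198.51.100.7", "hackertarget"),
        ("cdn.example.net", "203.0.113.5", "hackertarget"),
        ("badexample.com", "203.0.113.9", "hackertarget"),
        (None, "203.0.113.77", "hackertarget"),  # IP-only row, skipped
    ])
    return conn

INVENTORY = ["www.example.com", "vpn.example.com", "mail.example.com"]  # constructed

if __name__ == "__main__":
    report = audit(load_hosts(build_sample_db()), INVENTORY, "example.com")
    for label, hosts in report.items():
        print(f"{label}: {', '.join(hosts) or '-'}")
```

To run it on real data, pass a connection to the workspace's database file to load_hosts instead of the one returned by build_sample_db.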
Gather contacts associated with a domain
Set a domain and footprint it to extract the contacts associated with it.
The module selected for this technique uses the ARIN Whois RWS to harvest point-of-contact (POC) data from whois queries for the given domain.
Install and load the module:
Command: marketplace install recon/domains-contacts/whois_pocs
Command: modules load recon/domains-contacts/whois_pocs
Now check which options the module needs in order to run:
Command: info
Set the SOURCE value to the target domain:
Command: options set SOURCE facebook.com
Run the module:
Command: run

Profile existence:
We can check whether user profiles exist on various websites using recon/profiles-profiles/profiler.
Install and load the module:
Command: marketplace install recon/profiles-profiles/profiler
Command: modules load recon/profiles-profiles/profiler
Set the SOURCE value (the target username):
Command: options set SOURCE MarkZuckerberg
Run the module:
Command: run


The recon/profiles-profiles/profiler module searches for the given username and returns the URL of the matching profile on various websites.
Conclusion
Recon-ng remains one of the most versatile and powerful reconnaissance frameworks available to security professionals. Its modular design, extensive feature set, and active community make it an invaluable tool for information gathering and OSINT operations.