Recon-ng is a reconnaissance tool that is used to provide a powerful environment to conduct open-source web-based reconnaissance quickly and thoroughly. It is based on Open Source Intelligence (OSINT), which is the easiest and useful tool for reconnaissance.
Recon-ng is written in Python. Complete with database interaction, independent modules, interactive help, command completion, and built-in convenience functions.
- what is Recon-ng?
- Using recon-ng.
What is Recon-ng?
Recon-ng is a full-featured reconnaissance framework that has a similar interface to that of Metasploit(which comes in handy and easy to use).
Recon-ng has the command-line interface which you can run on Kali Linux, also you enter a shell-like environment where you can configure options, perform recon, and output results to different report types.
The interactive console provides several helpful features, such as command completion and contextual help.
- The free and open-source tool and can be downloaded and used for free.
- One of the easiest and useful tools for performing reconnaissance.
- Used for vulnerability assessment of web applications.
- Uses the Shodan search engine to scan IoT devices.
- Easily find loopholes in the code of website & web applications.
- Recon-ng has the following modules GeoIP lookup, Banner grabbing, DNS lookup, port scanning, These modules make this tool so powerful.
- Recon-ng can target a single domain and can find all the subdomains of that domain making work easy for pen-testers.
Uses of Recon-ng
- Recon-ng can be used to find the IP Addresses of a target.
- Recon-ng can be used to look for error-based SQL injections.
- Recon-ng can be used to find sensitive files such as robots.txt.
- Recon-ng can be used to find information about Geo-IP lookup, Banner grabbing, DNS lookup, port scanning, sub-domain information, reverse IP using WHOIS lookup.
- Recon-ng can be used to detects Content Management Systems (CMS) in the use of a target web application.
Step 1: Installing Module.
Syntax to install is marketplace install whois_pocs as seen below.
> marketplace install recon/domains-contacts/whois_pocs
Module installed: recon/domains-contacts/whois_pocs
Step 2: Loading Modules.
> modules loadrecon/domains-contacts/whois_pocs
Step 3: Set source.
Now set the source. Currently set at default (see below)
> show options/ options list
Syntax options set SOURCE hacksheets.in
> options set SOURCE hacksheets.in
SOURCE => hacksheets.in
Step 3: Run The Module.
Type run to execute the module.
The help command from within a loaded module has different options to the global ‘help’.
When you are ready to explore more modules use ‘back’.
This help menu brings additional commands such as:
- options: Manages the global context options
- reload: Reloads the loaded module
- run: Runs the loaded module
- script: Records and executes command scripts.
Commands (type ):
— — — — — — — — — — — — — — — — -
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace’s database
exit Exits the framework
options Manages the global context options
help Displays this menu
info Shows details about the loaded module
input Shows inputs based on the source option
keys Manages third-party resource credentials
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
reload Reloads the loaded module
run Runs the loaded module
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
spool Spools output to a file