Skip to content
Stuff Jason Does

Stuff Jason Does

My name is Jason. This is the stuff that I do.

Information Gathering Part III: recon-ng (cont.)

Posted on July 18, 2018July 18, 2018 By Jason No Comments on Information Gathering Part III: recon-ng (cont.)

Introduction

If you haven’t seen the previous two parts in this series, please check out Information Gathering Part I: theHarvester, and Information Gathering Part II: Recon-ng, go check those out before reading this post, as in this post we’ll be picking up right where we left off in Part II.

In the last post we focused on using Recon-ng to obtain information on users, user accounts, and social media accounts linked to those user accounts. We also obtained information such as users’ first, last, and in some instances middle name, and whether or not those users had been victims in any previous large-scale data beaches or leaks. We determined that it wasn’t too difficult to quickly harvest all of this information and store it in a local database within Recon-ng.

In this article we’ll be focusing more on the systems than on people. We’ll be looking for things like IP addresses and address ranges, sub-domains, servers, etc. Information gathered via these means is typically used to set up the parameters for an IP or service scan.

Scanning Domains to find Hosts

We have already populated our domains table with the known domain, pixar.com, however, we aren’t sure what hosts exist on this domain, if any. There are several modules that we can use in an attempt to find hosts on these domains and populate our hosts table. The first two of which are Bing and Google.

use recon/domains-hosts/bing_domain_web

use recon/domains-hosts/google_site_web

I’ve shown how to load and run modules in the previous article, so I’ll skip the step by step here. Both of these modules simply pulls entries from the domains table in order to run and don’t require any other parameters, so after you load each one, you should only need to execute it with run.

Let’s check the output from both of those commands.

I tried Bing first and was able to find a total of 10 hosts.

Google was then able to find 9 hosts, with two of them having not been found by Bing. This is why it’s always a good idea to use multiple tools whenever you have the chance.

Let’s take a look at all of the information gathered as it’s stored in our hosts table via the show hosts command.

Excellent. There are are quite a few hosts here, and many that we weren’t able to find with theHarvester. We see that 10 show up as being found with the bing_domain_web module and 2 with the google_site_web module.

Now let’s try running a module that’s locked behind an API key. The free modules work very well, but typically the modules that require an API key are much better, as we saw with FullContact. We’re going to use a Shodan module to search for hosts.

recon/domains-hosts/shodan_hostname

This requires no special parameters, so it can just be executed with run right away.

Almost instantly Shodan returned 25 new hostnames that weren’t before discovered. It also was able to resolve those hostnames to IP addresses and store those in the database as well.

Let’s check out the show hosts command again.

The hosts found by the Shodan module are much more interesting. Obviously without the Shodan API and the FullContact API, we would be missing out on a lot.

I won’t draw out the length of this posts unnecessarily with screen shots and step by step since you know how to use modules at this point, but we can resolve the IP addresses of the existing hosts that Google and Bing found using the module recon/hosts-hosts/resolve.

There are several modules in the Recon-ng application that provide even more functionality than what we’ve seen in these series. I recommend that you load up each module and type show info to see what each module does. By now you should get the gist of how the framework works, and how data is gathered.

Generating an HTML Report

When you’re finished with your information gathering you may want to generate a nice report. By default, Recon-ng keeps all of the database files in the directory ~/.recon-ng. That raw data, and even screen captures of show command output aren’t really too presentable though. Luckily Recon-ng provides a nice HTML reporting engine that will generate a report based on all of the data gathered in our current workspace.

For the purposes of this tutorial I’m going to fill in dummy data for the creator, customer, and filename. There is another option that must be set called SANITIZE, which sanitizes any potential sensitive material from the report. This defaults to YES, but I’m going to change it to NO.

use reporting/html
set CREATOR h4x.life
set CUSTOMER Pixar
set FILENAME /root/pixar.html
set SANITIZE False
run

This will provide you with a nice report with collapsable sections that can either be presented on the web or printed.

It’s a single, simple HTML file that relies on no other external files and contains all of the counts and data from your information gathering in an easy to read format.

Conclusion

I encourage you to go through the rest of the modules that come with Recon-ng, see what each one does, and build a workflow for your gathering. Start with a domain, then collect users, then collect information about those users. Start with the domain again, and try to collect information about hosts and IPs as we’ve done here, and then take it a step further and try to discover IP blocks, locations, and more. Recon-ng is really a very powerful tool and once you have a workflow down, you can collect valuable information extremely quickly.

If you enjoyed this tutorial and would like to see more, please feel free to share this article on social media, comment below letting me know what else you’d like to see, and follow me on Twitter @JROlmstead.

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)

Related

Hacking

Post navigation

Previous Post: Information Gathering Part II: recon-ng
Next Post: Cracking Microsoft Office Document Passwords for Free using Hashcat

Leave a Reply Cancel reply

Categories

  • 3D Printing
  • Administration
  • Automotive
  • Computing
  • Console Modding
  • Food
  • Hacking
  • Photography
  • Raspberry Pi
  • Video Games

Recent Posts

  • Batch Convert HEIC to JPG in Linux
  • Creating Password Word Lists from Breach Dumps in Linux
  • Install Remmina in Debian 9 for RDS Gateway Connectivity
  • Hacking Guest Wi-Fi Portals on Linksys Access Points
  • Building a POE-Powered Kali Pi Drop Box with Reverse Shell for Remote Hacking
  • 1.4 Billion Leaked Passwords in Over 40GB of Data
  • Installing Apache, PHP 7.2, MySQL and PHPMyAdmin on Linux Mint 19.1
  • Arcade 1Up Raspberry Pi Mod
  • macOS Mojave Startup Daemons and Agents – Beyond the GUI
  • Hacking the Nintendo Switch – Part 1: RCM and Booting CFW
  • Active Directory Reconnoissance with User Permissions – Part 2
  • Active Directory Reconnoissance with User Permissions

Archives

Copyright © 2021 Stuff Jason Does.

Powered by PressBook Dark WordPress theme