Open source intelligence collection is a laborious process. Information about the target organization may be scattered across numerous public resources, and extracting the pieces relevant to your target is a difficult and time-consuming job. Recon-ng is a tool that penetration testers and ethical hackers turn to again and again; it is information gathering on steroids. It is a very interactive tool, quite similar to the Metasploit framework. The Recon-ng framework uses many different sources to gather data, for example, Google, Twitter, and Shodan. Some modules require an API key before querying the website; the key can be generated by registering on the search engine's website. A few of these modules use paid API keys.
To use Recon-ng in Kali Linux, navigate to the Applications menu and click on the Information Gathering submenu. You will see Recon-ng listed in the right-hand pane. When the framework is up and running, you can type in show modules to see the different modules that come along with it. Some modules are passive, while others actively probe the target to extract the needed information.
When you query search engines using automated tools, the search engine may require an API key to identify who is sending the requests and to apply a quota. The tool works much faster than a human, and by assigning an API key the service can track your usage and prevent abuse, so make sure you don't overwhelm the search engine or your requests will be ignored. You can generate your API key for Bing from the following link:
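You can also be a good citizen on your side of the connection by spacing out requests. The following is a minimal sketch of client-side throttling (the Throttle class is a hypothetical helper, not part of Recon-ng):

```python
import time

class Throttle:
    """Keep successive requests at least `interval` seconds apart.
    Hypothetical helper for illustration, not part of Recon-ng."""
    def __init__(self, interval):
        self.interval = interval
        self.last = 0.0

    def wait(self):
        """Sleep if the previous request was too recent; return the delay applied."""
        now = time.monotonic()
        delay = max(0.0, self.last + self.interval - now)
        if delay:
            time.sleep(delay)
        self.last = time.monotonic()
        return delay

throttle = Throttle(interval=0.2)  # at most ~5 requests per second
delays = [throttle.wait() for _ in range(3)]
```

The first call goes through immediately; every later call is delayed just enough to respect the interval, which keeps an automated scan under most providers' rate limits.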
The free subscription provides you with 5,000 queries per month. Once the key is generated, it needs to be added to the keys table of the Recon-ng tool using the following command:
keys add bing_api <api key generated>
To display all the API keys that you have stored in Recon-ng, type in the following command:
keys list
The following screenshot displays the output of the preceding command:
Domain enumeration using Recon-ng
Gathering information about the subdomains of the target website will help you identify the different contents and features of the target website. Each product or service provided by the target may have a subdomain dedicated to it, which helps organize diverse content in a coherent manner. By identifying the different subdomains, you can create a site map that connects the various pieces and reveals the flow of the website.
Sub-level and top-level domain enumeration
Using the Bing API hostname enumerator module, we will try to find additional subdomains of the facebook.com website. You first need to load the module by entering the following command:
Next, type in the show info command, which will display information describing the module. The next step is to set the target domain in the SOURCE option:
When you are ready, use the run command to start the module. Recon-ng first queries for a few domains, then uses the minus (-) directive to exclude the domains already found from the next query, and searches for additional domains again. The biggest advantage is speed. The output is also stored in a database in plain text and can be used as input to other tools such as Nmap, Metasploit, and Nessus, as shown in the following screenshot:
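The exclusion trick is easy to picture: each round, the query is rebuilt with the hosts found so far subtracted out, so every new page of results surfaces fresh subdomains. A rough sketch, assuming Bing's site:/-site: operators (the module's exact query syntax may differ):

```python
def build_query(domain, found_hosts):
    """Search for a domain while excluding hosts already discovered,
    so each round of results surfaces new subdomains."""
    parts = [f"site:{domain}"]
    parts += [f"-site:{host}" for host in found_hosts]
    return " ".join(parts)

build_query("facebook.com", ["www.facebook.com", "m.facebook.com"])
# -> 'site:facebook.com -site:www.facebook.com -site:m.facebook.com'
```

The loop stops when a query stops returning hosts that are not already in the database.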
The DNS public suffix brute forcer module is used to identify top-level domains (TLDs) and second-level domains (SLDs). Many product-based and service-based businesses have separate websites for each geographical region; you can use this brute-forcing module to identify them. It uses the wordlist file at /usr/share/recon-ng/data/suffixes.txt to enumerate additional domains.
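Conceptually, the module combines the registered name with each suffix from the wordlist and keeps the candidates that resolve in DNS. A simplified sketch (the suffix list here is illustrative, not the contents of suffixes.txt):

```python
def suffix_candidates(name, suffixes):
    """Combine a registered name with each public suffix to produce
    candidate domains; the module would then try to resolve each one."""
    return [f"{name}.{suffix}" for suffix in suffixes]

# Illustrative suffixes; the real list lives in suffixes.txt
candidates = suffix_candidates("facebook", ["com", "co.uk", "de", "com.au"])
```

Each candidate would then be checked with a DNS lookup (for example, socket.gethostbyname), and only the names that resolve are recorded as real regional sites.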
Recon-ng reporting modules
Each reconnaissance module that you run stores its output in separate tables. You can export these tables in several formats, such as CSV, HTML, and XML files. To view the different tables that the Recon-ng tool uses, type in show and press Tab twice:
To export a table to a CSV file, load the CSV reporting module by typing in load reporting/csv.
After loading the module, set the filename and the table to be exported and type run:
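Under the hood, Recon-ng keeps each workspace's tables in a SQLite database (typically at ~/.recon-ng/workspaces/&lt;workspace&gt;/data.db, though the path varies between versions), so you can also export data yourself. The sketch below builds a stand-in hosts table in memory and writes it out the way the CSV reporting module would; the sample rows use documentation addresses, not real data:

```python
import csv
import sqlite3

# Stand-in for a Recon-ng workspace database (illustrative data only)
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT)")
conn.executemany(
    "INSERT INTO hosts VALUES (?, ?)",
    [("www.example.com", "203.0.113.10"), ("m.example.com", "203.0.113.11")],
)

# Export the hosts table to results.csv, header row first
with open("results.csv", "w", newline="") as f:
    writer = csv.writer(f)
    writer.writerow(["host", "ip_address"])
    writer.writerows(conn.execute("SELECT host, ip_address FROM hosts"))
```

Working against the database directly is handy when you want a column subset or a custom format that the built-in reporting modules do not offer.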
Additional reconnaissance modules in Recon-ng
- Netcraft hostname enumerator: Recon-ng will harvest the Netcraft website, collect all the hosts related to the target, and store them in the hosts table.
- SSL SAN lookup: Many SSL-enabled websites have a single certificate that works across multiple domains by using the Subject Alternative Names (SAN) feature. This module uses the ssltools.com website to retrieve the domains listed in the SAN attribute of the certificate.
- LinkedIn authenticated contact enumerator: This will retrieve the contacts from a LinkedIn profile and store them in the contacts table.
- IPInfoDB GeoIP: This will display the geolocation of a host by using the IPInfoDB database (requires an API key).
- Yahoo! hostname enumerator: This uses the Yahoo search engine to locate hosts in the domains. Having modules for multiple search engines at your disposal can help you locate hosts and subdomains that may not have been indexed by other search engines.
- Geocoder and reverse geocoder: These modules obtain the address for the provided coordinates using the Google Maps API, and also retrieve the coordinates when an address is given. The information then gets stored in the locations table.
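Both directions are thin wrappers around the same web service. The sketch below shows how such requests against the Google Maps Geocoding API are typically formed; the helper names are ours, and Recon-ng's internals differ:

```python
from urllib.parse import urlencode

GEOCODE_URL = "https://maps.googleapis.com/maps/api/geocode/json"

def geocode_url(address, api_key):
    """Forward geocoding: street address -> coordinates."""
    return f"{GEOCODE_URL}?{urlencode({'address': address, 'key': api_key})}"

def reverse_geocode_url(lat, lng, api_key):
    """Reverse geocoding: coordinates -> street address."""
    return f"{GEOCODE_URL}?{urlencode({'latlng': f'{lat},{lng}', 'key': api_key})}"
```

The JSON response from either URL contains the matched address and its latitude/longitude, which is what ends up in the locations table.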
- Pushpin modules: The Recon-ng pushpin modules can pull data from popular social-networking websites, correlate it with geolocation coordinates, and create maps. Two widely used modules are listed as follows:
- Twitter geolocation search: This searches Twitter for media (images, tweets) uploaded within a specific radius of the given coordinates.
- Flickr geolocation search: This tries to locate photos uploaded from the area around the given coordinates.
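The "radius around a coordinate" filter in both modules comes down to great-circle distance. A minimal sketch of the underlying math (not Recon-ng's actual code):

```python
from math import asin, cos, radians, sin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * asin(sqrt(a))  # 6371 km = mean Earth radius

def within_radius(center, points, radius_km):
    """Keep only the (lat, lon) points inside the given radius."""
    return [p for p in points if haversine_km(*center, *p) <= radius_km]
```

For example, with the center at (0, 0) and a 100 km radius, a point half a degree of longitude away (about 56 km) is kept, while one two degrees away (about 222 km) is dropped.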
These pushpin modules are used to map people to physical locations and to determine who was at the given coordinates at a specific time. The accumulated information can be converted to an HTML file and mapped onto a satellite image at the exact coordinates. Using Recon-ng, you can create a huge database of hosts, IP addresses, physical locations, and people just by using publicly available resources. Information gathering should always be done with the aim of extracting information from various public resources and identifying critical data that an attacker can use to target the organization directly or indirectly.