Introduction to the recon-ng information-gathering tool

Posted by D on January 23, 2020

recon-ng is mainly used for early-stage information gathering (reconnaissance). It has a large number of functional modules, so this walkthrough is organised module by module.

1. Installing recon-ng modules

Open a terminal and type recon-ng:

recon-ng

This drops you into the recon-ng console:

[recon-ng][default] >

Install all modules from the marketplace:

[recon-ng][default] > marketplace install all

List the installed modules:

[recon-ng][default] > modules search

2. Using modules

2.1 The hackertarget module

Load the subdomain-discovery module at path recon/domains-hosts/hackertarget:

[recon-ng][default] > modules load recon/domains-hosts/hackertarget

which gives the module prompt:

[recon-ng][default][hackertarget] >

2.1.1 First, view the module's details with info

[recon-ng][default][hackertarget] > info

2.1.2 Set the domain whose subdomains you want to look up

[recon-ng][default][hackertarget] > options set SOURCE google.com

2.1.3 Run the module

[recon-ng][default][hackertarget] > run

2.1.4 Show a summary of the discovered hosts with show hosts

[recon-ng][default][hackertarget] > show hosts

2.2 The brute_hosts module

brute_hosts is the module that brute-forces hostnames (subdomains) from a wordlist; its path is recon/domains-hosts/brute_hosts. Usage:

[recon-ng][default][hackertarget] > modules load recon/domains-hosts/brute_hosts

which gives the module prompt:

[recon-ng][default][brute_hosts] >

2.2.1 First, view the module's details with info

[recon-ng][default][brute_hosts] > info

2.2.2 Set the domain whose subdomains you want to look up

[recon-ng][default][brute_hosts] > options set SOURCE google.com

2.2.3 Run the module

[recon-ng][default][brute_hosts] > run

2.2.4 Show a summary of the discovered hosts with show hosts

[recon-ng][default][brute_hosts] > show hosts

2.3 Other modules for domain lookup

  • google_site_web (requires a server outside the Great Firewall to work)
  • bing_domain_web

2.4 The interesting_files module

  • Path: discovery/info_disclosure/interesting_files
  • Function: finds files of interest such as robots.txt, sitemap.xml, and so on.
  • Usage is the same as for the other modules.

Running it gives the following output:

[recon-ng][default][interesting_files] > run
[*] http://test.com:80/robots.txt => 200. 'robots.txt' found!
[*] http://test.com:80/sitemap.xml => 200. 'sitemap.xml' found!
[*] http://test.com:80/sitemap.xml.gz => 404
[*] http://test.com:80/crossdomain.xml => 404
[*] http://test.com:80/phpinfo.php => 404
[*] http://test.com:80/test.php => 404
[*] http://test.com:80/elmah.axd => 404
[*] http://test.com:80/server-status => 404
[*] http://test.com:80/jmx-console/ => 404
[*] http://test.com:80/admin-console/ => 404
[*] http://test.com:80/web-console/ => 404
[*] 2 interesting files found.
[*] Files downloaded to '/home/jun/.recon-ng/workspaces/default/'

The output shows that two files were found, robots.txt and sitemap.xml, and that they were saved under /home/jun/.recon-ng/workspaces/default/.
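When reviewing what such a scan reveals about a site you are responsible for, it helps to turn the module's console output into structured data and to cross-check the "N interesting files found" summary against the per-URL lines. The following parser is an added example, not code from recon-ng or from the original post; the sample output is constructed to mirror the format shown above (test.com is the page's placeholder host), and the line format the regexes assume is taken from that output only.

```python
import re

# Constructed sample, modelled on the interesting_files output shown above.
SAMPLE_OUTPUT = """\
[*] http://test.com:80/robots.txt => 200. 'robots.txt' found!
[*] http://test.com:80/sitemap.xml => 200. 'sitemap.xml' found!
[*] http://test.com:80/sitemap.xml.gz => 404
[*] http://test.com:80/phpinfo.php => 404
[*] http://test.com:80/server-status => 404
[*] 2 interesting files found.
[*] Files downloaded to '/home/jun/.recon-ng/workspaces/default/'
"""

# One probe line: "[*] <url> => <status>" optionally followed by ". '<name>' found!".
PROBE_RE = re.compile(
    r"^\[\*\] (?P<url>\S+) => (?P<status>\d{3})(?:\. '(?P<name>[^']+)' found!)?$"
)
# The closing summary line.
SUMMARY_RE = re.compile(r"^\[\*\] (?P<count>\d+) interesting files found\.$")


def parse_interesting_files(output):
    """Return (probes, summary_count).

    probes is a list of dicts with keys url, status (int) and name (None when the
    file was not reported as found); summary_count is the module's own total, or
    None if no summary line was present.
    """
    probes, summary = [], None
    for line in output.splitlines():
        m = PROBE_RE.match(line)
        if m:
            probes.append({"url": m["url"], "status": int(m["status"]), "name": m["name"]})
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = int(m["count"])
    return probes, summary


def exposed_files(probes):
    """Names of the files the server actually served (HTTP 200)."""
    return [p["name"] for p in probes if p["status"] == 200]


def summary_consistent(probes, summary):
    """True when the module's reported total matches the 200 responses we parsed."""
    return summary is not None and summary == len(exposed_files(probes))


if __name__ == "__main__":
    probes, summary = parse_interesting_files(SAMPLE_OUTPUT)
    print(exposed_files(probes), summary, summary_consistent(probes, summary))
```

The status-only lines are kept as well as the hits, so the same structure can be fed into an asset inventory or compared against a later run to spot files that have newly become reachable.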

2.5 The shodan module

Shodan returns a lot of results, but it is a paid service.

2.5.1 Shodan API key

From recon-ng's point of view Shodan is a third-party resource, so you need to register a Shodan account in advance and obtain a Shodan API key.

Add the Shodan API key to recon-ng:

[recon-ng][default] > keys add shodan_api your_shodan_api

2.5.2 Discovering hosts with Shodan

[recon-ng][default] > modules load recon/domains-hosts/shodan_hostname

Usage is the same as for the other modules:

[recon-ng][default][shodan_hostname] > options set SOURCE yourdomain.com
[recon-ng][default][shodan_hostname] > run

3. Processing the collected data

3.1 Filtering records with db

[recon-ng][default] > show hosts 

which gives a table with these columns:

+-----------------------------------------------------------------------------------------------------------------------------+
| rowid |                host               |   ip_address   | region | country | latitude | longitude | notes |    module    |
+-----------------------------------------------------------------------------------------------------------------------------+

If you only want a single column, say ip_address, use db query:

[recon-ng][default] > db query SELECT ip_address FROM hosts

3.2 Generating / exporting reports

List the available report modules:

[recon-ng][default] > marketplace search report
  +-----------------------------------------------------------------------------+
  |               Path               | Version |   Status  |  Updated   | D | K |
  +-----------------------------------------------------------------------------+
  | recon/hosts-hosts/virustotal     | 1.0     | installed | 2019-06-24 |   | * |
  | recon/netblocks-hosts/virustotal | 1.0     | installed | 2019-06-24 |   | * |
  | reporting/csv                    | 1.0     | installed | 2019-06-24 |   |   |
  | reporting/html                   | 1.0     | installed | 2019-06-24 |   |   |
  | reporting/json                   | 1.0     | installed | 2019-06-24 |   |   |
  | reporting/list                   | 1.0     | installed | 2019-06-24 |   |   |
  | reporting/proxifier              | 1.0     | installed | 2019-06-24 |   |   |
  | reporting/pushpin                | 1.0     | installed | 2019-06-24 |   | * |
  | reporting/xlsx                   | 1.0     | installed | 2019-06-24 |   |   |
  | reporting/xml                    | 1.1     | installed | 2019-06-24 |   |   |
  +-----------------------------------------------------------------------------+

3.2.1 Generate a full report with the reporting/csv module

[recon-ng][default] > modules load reporting/csv

Usage is the same as for the other modules:

[recon-ng][default][csv] > info

If any settings need changing, set them with the options command, then run to export the report file:

[recon-ng][default][csv] > run
[*]  45 records added to '/home/jun/.recon-ng/workspaces/default/resluts.csv'

3.2.2 Produce a de-duplicated list of IP addresses with reporting/list:

[recon-ng][default][csv] > modules load reporting/list
[recon-ng][default][csv] > run
[*] 29 items added to '/home/jun/.recon-ng/workspaces/default/list.txt'.
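Sections 3.1 and 3.2 both operate on the workspace database: db query runs SQL against it, reporting/csv dumps a table, and reporting/list emits distinct values of one column. The script below is an added example, not recon-ng's own code, that does the same three things with Python's sqlite3 module. The column layout comes from the show hosts header on this page; the CREATE TABLE statement, the sample rows, and the file names are assumptions made so it runs offline (the real workspace database lives at ~/.recon-ng/workspaces/<workspace>/data.db, which you could pass in place of the sample path).

```python
import csv
import sqlite3
from pathlib import Path

# Column names taken from the 'show hosts' header above. The CREATE TABLE statement
# is an assumption used only to build a stand-in database; rowid is SQLite's
# implicit row id, matching the first column recon-ng displays.
HOSTS_SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, notes TEXT, module TEXT
)
"""
HOSTS_COLUMNS = ("host", "ip_address", "region", "country",
                 "latitude", "longitude", "notes", "module")

# Constructed rows: two hostnames share an address, one has no address resolved yet.
SAMPLE_HOSTS = [
    ("www.example.com",  "192.0.2.10", None, None, None, None, None, "hackertarget"),
    ("mail.example.com", "192.0.2.10", None, None, None, None, None, "hackertarget"),
    ("dev.example.com",  "192.0.2.20", None, None, None, None, None, "brute_hosts"),
    ("old.example.com",  None,         None, None, None, None, None, "brute_hosts"),
]


def make_sample_db(db_path):
    """Create a stand-in data.db whose hosts table holds SAMPLE_HOSTS."""
    con = sqlite3.connect(db_path)
    with con:
        con.execute(HOSTS_SCHEMA)
        con.execute("DELETE FROM hosts")
        con.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?,?)", SAMPLE_HOSTS)
    con.close()


def select_column(db_path, column):
    """Equivalent of 'db query SELECT <column> FROM hosts'.

    The column name is checked against the known schema before it is placed in
    the SQL text, so a caller cannot smuggle arbitrary SQL through it.
    """
    if column not in HOSTS_COLUMNS:
        raise ValueError(f"unknown hosts column: {column}")
    con = sqlite3.connect(db_path)
    try:
        return [row[0] for row in con.execute(f"SELECT {column} FROM hosts")]
    finally:
        con.close()


def unique_ips(db_path):
    """What reporting/list yields for ip_address: distinct, non-empty, sorted."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT DISTINCT ip_address FROM hosts "
            "WHERE ip_address IS NOT NULL AND ip_address != '' ORDER BY ip_address"
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def export_hosts_csv(db_path, csv_path):
    """What reporting/csv yields for hosts: every record plus a header row.
    Returns the number of records written."""
    con = sqlite3.connect(db_path)
    try:
        cur = con.execute("SELECT rowid, " + ", ".join(HOSTS_COLUMNS) + " FROM hosts")
        header = [d[0] for d in cur.description]
        rows = cur.fetchall()
    finally:
        con.close()
    with open(csv_path, "w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(header)
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    db = Path("sample_data.db")          # stand-in for ~/.recon-ng/workspaces/<ws>/data.db
    make_sample_db(db)
    print(select_column(db, "ip_address"))
    print(unique_ips(db))
    print(export_hosts_csv(db, "results.csv"), "records added to results.csv")
```

The allow-list check in select_column is the detail worth copying: recon-ng's db query accepts raw SQL by design, but any wrapper you build around the workspace database should not.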

4. Creating / deleting workspaces

4.1 Creating a workspace

[recon-ng][default] > workspaces list 
+----------------------------------+
| Workspaces |       Modified      |
+----------------------------------+
| default    | 2020-04-14 17:52:49 |
+----------------------------------+

Create a workspace:

[recon-ng][default] > workspaces create test 

After creation you are switched straight into the new workspace, here test:

[recon-ng][test] > workspaces list

The workspace list now includes test:

+----------------------------------+
| Workspaces |       Modified      |
+----------------------------------+
| default    | 2020-04-15 12:00:13 |
| test       | 2020-04-15 12:20:11 |
+----------------------------------+

4.2 Deleting a workspace

[recon-ng][default] > workspaces list 
+----------------------------------+
| Workspaces |       Modified      |
+----------------------------------+
| default    | 2020-04-14 17:52:49 |
+----------------------------------+

Choose the workspace to delete:

[recon-ng][default] > workspaces remove default

After this, the data held in the default workspace is deleted.
