In a previous article, Network Scanning Tools (part 2), we briefly covered recon-ng which is described as:
… a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.recon-ng
Another description is that recon-ng is an:
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.recon-ng
Below are some of the main features of recon-ng:
- Database Interaction – provides an interface to the underlying database using SQL (Structured Query Language). This includes a graphical representation of the schema.
- Recording Commands – series of commands can be recorded to file and then repeatedly executed.
- Configuration Persistence – settings for modules are stored locally per workspace and loaded dynamically to avoid repeatedly setting them.
- Workspaces – help users conduct multiple engagements with each workspace having its own database instance and module settings.
- Module Marketplace – recon-ng does not include any modules by default so these need to be searched for, analyzed, installed and if needed removed. Modules can also be disabled.
- Database Snapshots – data obtained during reconnaissance can be backed up and restored to help prevent corruption or unexpected resource behavior.
- Analysis & Reporting – recon-web is a web interface for analyzing and visualizing data stored in the database. This data can also be exported in a variety of formats.
Further details on these and other features can be found here.
The synopsis or syntax of recon-ng is as follows:
recon-ng [-h] [-w workspace] [-r filename] [--no-version] [--no-analytics] [--no-marketplace] [--stealth] [--accessible] [--version]
Below are some of the most common command settings:
- -w workspace
- load/create a workspace
- -r filename
- loads commands from a resource file
- disable version check
- disable analytics reporting
- disable remote module management
- disable all passive requests
- use accessible output when available
- displays the current version
For the purposes of this article we will be using recon-ng v5.1.1 installed on a Kali Linux 2021.2 virtual machine running within VirtualBox 6.1.
1) Initial startup, list commands & run shell commands
When recon-ng is started for the first time the banner, sponsor, version and author will be displayed. Pressing the Tab button twice will list the available command options within the tool:
By issuing the ‘shell’ command it is possible to run Linux commands:
Running the ‘help’ command lists explanations of each command and by issuing ‘help <topic>’ the description and usage of an individual command is shown:
2) Using Workspaces
Issuing the command ‘workspaces’ shows the command description and usage which is the ability to create, list, load & remove workspaces. Running the command ‘workspaces list’ shows the only workspace that exists is ‘default’ for a new installation:
Below we will create a new workspace called ‘recon-zds’ which will automatically be selected. We then list all workspaces, load ‘default’ and remove ‘recon-zds’:
3) Backups using Snapshots
Workspaces can be backed up and restored using the ‘snapshots’ command. The options available are to list, load, remove & take a snapshot of the workspace data at a specific moment in time. Below are examples of the commands to show the command description & options then taking a snapshot, listing them and removing one:
4) Marketplace for Modules
The ‘marketplace’ command allows the searching for modules together with displaying information about them, performing an install and removal.
Using the ‘marketplace search’ command without a search string lists all the available modules:
A search for modules that match specific criteria can be performed:
Summary details on a particular module can be examined then it can be installed as follows:
5) Using Modules
Using the ‘modules’ command we can load, reload and search for modules. Once loaded we can view detailed information on it:
Using the ‘options’ command we can list, set and unset individual options for the module:
Once the options have been set then the module can be ‘run’:
In part 2 of this article we will continue to look at recon-ng functionality with further examples.