Recon-NG framework of the kill Linux penetration test tutorial, kailrecon-ng

Source: Internet
Author: User
Tags socket connect subdomain subdomain name

Recon-NG framework of the kill Linux penetration test tutorial, kailrecon-ng
Recon-NG framework information collection for the Kail Linux penetration test tutorial

Information collection is one of the most important stages of network attacks. To conduct penetration attacks, you need to collect various types of information about the target. The more information is collected, the higher the probability of successful attacks. This chapter describes information collection tools.

Recon-NG framework

Recon-NG is an open-source Web reconnaissance (Information Collection) framework written by python. The Recon-ng framework is a powerful tool that can be used to automatically collect information and perform network detection. The following describes how to use the Recon-NG detection tool.

Start the Recon-NG framework and run the following command:

  • Root @ kali :~ # Recon-ng

  • _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

  • _/_/_/_/_/_/_/_/_/_/_/_/_/

  • _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/_/_/

  • _/_/_/_/_/_/_/_/_/_/_/_/_/_/

  • _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

  • + --------------------------------------------------------------------------- +

  • | _ ___ _ |

  • | _) | _ |. | _ O _ (_ o _ |

  • | _) | (_ | _ \ _ | (_) | _) (/_ (_ | \/|

  • |/|

  • | Consulting | Research | Development | Training |

  • | Http://www.blackhillsinfosec.com |

  • + --------------------------------------------------------------------------- +

  • [Recon-ng v4.1.4, Tim Tomes (@ LaNMaSteR53)]

  • [56] Recon modules

  • [5] Reporting modules

  • [2] Exploitation modules

  • [2] Discovery les

  • [1] Import modules

  • [Recon-ng] [default]>

The above output information shows the basic information of the Recon-NG framework. For example, in the Recon-NG framework, 56 investigation modules, 5 Report modules, 2 penetration Attack Modules, 2 discovery modules, and 1 import module are included. The [recon-ng] [default]> prompt indicates that the Recon-NG framework is successfully logged on. Now, you can execute various operation commands at the end of the [recon-ng] [default]> prompt.

Before using the Recon-NG framework for the first time, you can use the help command to view all executable commands. As follows:

  • [Recon-ng] [default]> help

  • Commands (type [help |?] <Topic> ):

  • ---------------------------------

  • Add Adds records to the database

  • Back Exits current prompt level

  • Del Deletes records from the database

  • Exit Exits current prompt level

  • Help Displays this menu

  • Keys Manages framework API keys

  • Load Loads specified module

  • Pdb Starts a Python Debugger session

  • Query Queries the database

  • Record Records commands to a resource file

  • Reload Reloads all modules

  • Resource Executes commands from a resource file

  • Search Searches available modules

  • Set Sets module options

  • Shell Executes shell commands

  • Show Shows varous framework items

  • Spool Spools output to a file

  • Unset Unsets module options

  • Use Loads specified module

  • Workspaces Manages workspaces

The above output information shows the commands that can be run in the Recon-NG framework. This framework is similar to the Metasploit framework and also supports many modules. In this case, you can use the show modules command to view the list of all valid modules. Run the following command:

  • [Recon-ng] [default]> show modules

  • Discovery

  • ---------

  • Discovery/info_disclosure/cache_snoop

  • Discovery/info_disclosure/interesting_files

  • Exploitation

  • ------------

  • Exploitation/injection/command_injector

  • Exploitation/injection/xpath_bruter

  • Import

  • ------

  • Import/csv_file

  • Recon

  • -----

  • Recon/companies-contacts/facebook

  • Recon/companies-contacts/jigsaw

  • Recon/companies-contacts/jigsaw/point_usage

  • Recon/companies-contacts/jigsaw/purchase_contact

  • Recon/companies-contacts/jigsaw/search_contacts

  • Recon/companies-contacts/linkedin_auth

  • Recon/contacts-contacts/mangle

  • Recon/contacts-contacts/namechk

  • Recon/contacts-contacts/rapportive

  • Recon/contacts-creds/haveibeenpwned

  • ......

  • Recon/hosts-hosts/bing_ip

  • Recon/hosts-hosts/ip_neighbor

  • Recon/hosts-hosts/ipinfodb

  • Recon/hosts-hosts/resolve

  • Recon/hosts-hosts/reverse_resolve

  • Recon/locations-locations/geocode

  • Recon/locations-locations/reverse_geocode

  • Recon/locations-pushpins/flickr

  • Recon/locations-pushpins/picasa

  • Recon/locations-pushpins/shodan

  • Recon/locations-pushpins/twitter

  • Recon/locations-pushpins/youtube

  • Recon/netblocks-hosts/reverse_resolve

  • Recon/netblocks-hosts/shodan_net

  • Recon/netblocks-ports/census_2012

  • Reporting

  • ---------

  • Reporting/csv

  • Reporting/html

  • Reporting/list

  • Reporting/pushpin

  • Reporting/xml

  • [Recon-ng] [default]>

The output information shows five parts. The number of modules in each part, which can be seen after the Recon-NG framework is started. Users can use different modules to collect various information.

[Instance 3-1] use the recon/domains-hosts/baidu_site module to enumerate the subdomains of the baidu website. The procedure is as follows:

(1) Use the recon/domains-hosts/baidu_site module. Run the following command:

  • [Recon-ng] [default]> use recon/domains-hosts/baidu_site

(2) view the configurable option parameters in this module. Run the following command:

  • [Recon-ng] [default] [baidu_site]> show options

  • Name Current Value Req Description

  • -----------------------------------------------------------------------------------------------------

  • SOURCE default yes source of input (see 'show info' for details)

  • [Recon-ng] [default] [baidu_site]>

From the output information, you can see that there is an option to be configured.

(3) configure the SOURCE option parameters. Run the following command:

  • [Recon-ng] [default] [baidu_site]> set SOURCE baidu.com

  • SOURCE => baidu.com

From the output information, we can see that the SOURCE option parameter has been set to baidu.com.

(4) Start information collection. Run the following command:

  • [Recon-ng] [default] [baidu_site]> run

  • ---------

  • BAIDU. COM

  • ---------

  • [*] URL: http://www.baidu.com/s? Pn = 0 & wd = site % 3Abaidu.com

  • [*] Map.baidu.com

  • [*] 123.baidu.com

  • [*] Jingyan.baidu.com

  • [*] Top.baidu.com

  • [*] Www.baidu.com

  • [*] Hi.baidu.com

  • [*] Video.baidu.com

  • [*] Pan.baidu.com

  • [*] Zhidao.baidu.com

  • [*] Sleeping to avoid lockout...

  • -------

  • SUMMARY

  • -------

  • [*] 9 total (2 new) items found.

The output information shows nine subdomains. All the enumerated data will be connected to the database where Recon-NG is placed. In this case, you can create a report to view the connected data.

[Instance 3-2] view the obtained data. The procedure is as follows:

(1) Select the reporting/csv module and run the following command:

  • [Recon-ng] [default]> use reporting/csv

(2) create a report. Run the following command:

  • [Recon-ng] [default] [csv]> run

  • [*] 9 records added to '/root/. recon-ng/workspaces/default/results.csv '.

The output information shows that the nine enumerated records have been added to the/root/. recon-ng/workspaces/default/results.csv file. Open the file, as shown in Figure 3.1.


Figure 3.1 results.csv File

(3) you can see all the subdomains listed on this page.

You can also use the Dmitry command to query website information. The following describes how to use the Dmitry command.

View the help information of the Dmitry command. Run the following command:

  • Root @ kali :~ # Dmitry-h

  • Deepmagic Information Gathering Tool

  • "There be some deep magic going on"

  • Dmitry: invalid option -- 'H'

  • Usage: dmitry [-winsepfb] [-t 0-9] [-o hosts host.txt] host

  • -O Save output to your host.txt or to file specified by-o file

  • -I Perform a whois lookup on the IP address of a host

  • -W Perform a whois lookup on the domain name of a host

  • -N Retrieve Netcraft.com information on a host

  • -S Perform a search for possible subdomains

  • -E Perform a search for possible email addresses

  • -P Perform a TCP port scan on a host

  • *-F Perform a TCP port scan on a host showing output reporting filtered ports

  • *-B Read in the banner converted ed from the scanned port

  • *-T 0-9 Set the TTL in seconds when scanning a TCP port (Default 2)

  • * Requires the-p flagged to be passed

The preceding information shows the syntax format and all available parameters of the dmitry command. The following uses the-s option of the dmitry command to query reasonable subdomains. Run the following command:

  • Root @ kali :~ # Dmitry-s google.com

  • Deepmagic Information Gathering Tool

  • "There be some deep magic going on"

  • HostIP: 173.194.127.71

  • HostName: google.com

  • Gathered Subdomain information for google.com

  • ---------------------------------

  • Searching Google.com: 80...

  • HostName: www.google.com

  • HostIP: 173.194.127.51

  • Searching Altavista.com: 80...

  • Found 1 possible subdomain (s) for host google.com, Searched 0 pages containing 0 results

  • All scans completed, exiting

The output information shows a subdomain. The subdomain name is www.google.com and the IP address is 173.194.127.51. By default, this command is searched from the google.com website. If you cannot connect to the google.com website, the Unable to Connect: Socket connect Error message will appear when you run the preceding command.

This article is from: Kail Linux penetration testing training manual Ba internal information, reprinted please indicate the source, respect technology respect it people!


Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.