Recon-NG framework: Kali Linux penetration testing tutorial
Information collection with the Recon-NG framework (Kali Linux penetration testing tutorial)
Information collection is one of the most important stages of a network attack. Before a penetration test can be carried out, many kinds of information about the target have to be gathered; the more information is collected, the higher the probability that the later attack steps succeed. This chapter describes information collection tools.
Recon-NG framework
Recon-NG is an open-source web reconnaissance (information collection) framework written in Python. It is a powerful tool that automates information collection and network discovery. The following describes how to use the Recon-NG reconnaissance tool.
Start the Recon-NG framework by running the following command:
root@kali:~# recon-ng
[ASCII-art banner: Black Hills Information Security | Consulting | Research | Development | Training | http://www.blackhillsinfosec.com]
[recon-ng v4.1.4, Tim Tomes (@LaNMaSteR53)]
[56] Recon modules
[5] Reporting modules
[2] Exploitation modules
[2] Discovery modules
[1] Import modules
[recon-ng][default] >
The output above shows the basic information about the Recon-NG framework: this version contains 56 recon modules, 5 reporting modules, 2 exploitation modules, 2 discovery modules and 1 import module. The [recon-ng][default] > prompt indicates that the framework started successfully; you can now enter commands at that prompt.
Before using the Recon-NG framework for the first time, use the help command to list all available commands:
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add         Adds records to the database
back        Exits current prompt level
del         Deletes records from the database
exit        Exits current prompt level
help        Displays this menu
keys        Manages framework API keys
load        Loads specified module
pdb         Starts a Python Debugger session
query       Queries the database
record      Records commands to a resource file
reload      Reloads all modules
resource    Executes commands from a resource file
search      Searches available modules
set         Sets module options
shell       Executes shell commands
show        Shows various framework items
spool       Spools output to a file
unset       Unsets module options
use         Loads specified module
workspaces  Manages workspaces
The output above lists the commands that can be run inside the Recon-NG framework. The framework is similar to Metasploit in that its functionality is organised into modules. Use the show modules command to list all available modules:
[recon-ng][default] > show modules
Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files
Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter
Import
------
import/csv_file
Recon
-----
recon/companies-contacts/facebook
recon/companies-contacts/jigsaw
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-contacts/linkedin_auth
recon/contacts-contacts/mangle
recon/contacts-contacts/namechk
recon/contacts-contacts/rapportive
recon/contacts-creds/haveibeenpwned
......
recon/hosts-hosts/bing_ip
recon/hosts-hosts/ip_neighbor
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
Reporting
---------
reporting/csv
reporting/html
reporting/list
reporting/pushpin
reporting/xml
[recon-ng][default] >
The output is grouped into the five module categories whose counts were displayed when the framework started. Each module collects a different kind of information.
[Instance 3-1] Use the recon/domains-hosts/baidu_site module to enumerate the subdomains of the baidu.com website. The procedure is as follows:
(1) Load the recon/domains-hosts/baidu_site module. Run the following command:
[recon-ng][default] > use recon/domains-hosts/baidu_site
[recon-ng][default][baidu_site] >
The prompt now includes the module name, showing that the module is loaded.
(2) View the configurable options of this module. Run the following command:
[recon-ng][default][baidu_site] > show options
Name    Current Value  Req  Description
------  -------------  ---  -----------
SOURCE  default        yes  source of input (see 'show info' for details)
[recon-ng][default][baidu_site] >
The output shows that this module has one required option, SOURCE, which selects the input domain.
(3) Configure the SOURCE option. Run the following command:
[recon-ng][default][baidu_site] > set SOURCE baidu.com
SOURCE => baidu.com
The output confirms that the SOURCE option has been set to baidu.com.
(4) Start information collection. Run the following command:
[recon-ng][default][baidu_site] > run
---------
BAIDU.COM
---------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Abaidu.com
[*] map.baidu.com
[*] 123.baidu.com
[*] jingyan.baidu.com
[*] top.baidu.com
[*] www.baidu.com
[*] hi.baidu.com
[*] video.baidu.com
[*] pan.baidu.com
[*] zhidao.baidu.com
[*] Sleeping to avoid lockout...
-------
SUMMARY
-------
[*] 9 total (2 new) items found.
The output shows nine subdomains, two of which were not yet in the database. Every enumerated record is stored in the Recon-NG database of the current workspace, so you can generate a report to view the stored data.
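The baidu_site module works by requesting search-engine result pages for the query site:baidu.com (the URL printed in the run output), pulling every hostname that ends in the target domain out of the returned HTML, and reporting how many of them are new to the workspace database. The following is an added example, not recon-ng's own code, that implements that technique offline on a constructed results page; the search endpoint and the pn/wd parameters are taken from the URL in the output above, the HTML snippet and the "already in database" set are constructed for the example. The real module also walks through further result pages with a pause between requests (the "Sleeping to avoid lockout" line); this example handles a single page.

```python
import re
from urllib.parse import quote

# Added example, not recon-ng's own code: the technique behind a search-engine
# "site:" module such as recon/domains-hosts/baidu_site. One results page is
# requested for the query site:<domain>, every hostname that ends in the target
# domain is extracted from the returned HTML, and the run is summarised as
# "N total (M new)" against the hosts already stored in the workspace.

SEARCH_URL = "http://www.baidu.com/s"   # endpoint shown in the module's run output


def site_query_url(domain, page=0, base=SEARCH_URL):
    """URL of one results page for the query site:<domain>; pn is the result offset."""
    return "%s?pn=%d&wd=%s" % (base, page, quote("site:" + domain, safe=""))


def extract_subdomains(html, domain):
    """Return the set of hostnames in html that belong to domain (lower-cased).

    A hostname must consist of valid DNS labels, end exactly in the target
    domain, and not be glued to further label characters on either side, so
    look-alikes such as notbaidu.com or baidu.com.example.net are ignored.
    """
    domain = domain.lower()
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    pattern = re.compile(
        r"(?<![a-z0-9.-])(?:%s\.)+%s(?![a-z0-9.-])" % (label, re.escape(domain))
    )
    return set(pattern.findall(html.lower()))


def summarize(found, known):
    """Mimic recon-ng's run summary: how many hosts were found and how many are new."""
    new = found - set(known)
    return {"total": len(found), "new": len(new), "hosts": sorted(found)}


# Constructed search-results page for the example; not real baidu output.
SAMPLE_HTML = """
<a href="http://map.baidu.com/">map.baidu.com</a>
<a href="https://jingyan.baidu.com/article/1.html">Jingyan.baidu.com</a>
<a href="http://www.baidu.com/s?pn=10&wd=site%3Abaidu.com">next page</a>
<a href="http://baidu.com.example.net/">look-alike, out of scope</a>
<a href="http://notbaidu.com/">different domain</a>
"""

if __name__ == "__main__":
    found = extract_subdomains(SAMPLE_HTML, "baidu.com")
    already_in_db = {"www.baidu.com", "map.baidu.com"}   # constructed workspace state
    print("[*] URL: %s" % site_query_url("baidu.com"))
    for host in sorted(found):
        print("[*] %s" % host)
    s = summarize(found, already_in_db)
    print("[*] %d total (%d new) items found." % (s["total"], s["new"]))
```

The look-alike entries in the sample page are the part worth noticing: a hostname regex that only checks for the string baidu.com would add baidu.com.example.net to the workspace as if it belonged to the target, and results like that then flow into every later module and report.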
[Instance 3-2] View the collected data. The procedure is as follows:
(1) Load the reporting/csv module. Run the following command:
[recon-ng][default][baidu_site] > use reporting/csv
[recon-ng][default][csv] >
(2) Create the report. Run the following command:
[recon-ng][default][csv] > run
[*] 9 records added to /root/.recon-ng/workspaces/default/results.csv
The output shows that the nine enumerated records have been written to the file /root/.recon-ng/workspaces/default/results.csv. Open the file, as shown in Figure 3.1.
Figure 3.1 The results.csv file
(3) The file lists all the enumerated subdomains.
You can also use the dmitry command to query information about a website. The following describes how to use dmitry.
View the help information of the dmitry command by running:
root@kali:~# dmitry -h
Deepmagic Information Gathering Tool
"There be some deep magic going on"

dmitry: invalid option -- 'h'
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
  -o      Save output to %host.txt or to file specified by -o file
  -i      Perform a whois lookup on the IP address of a host
  -w      Perform a whois lookup on the domain name of a host
  -n      Retrieve Netcraft.com information on a host
  -s      Perform a search for possible subdomains
  -e      Perform a search for possible email addresses
  -p      Perform a TCP port scan on a host
* -f      Perform a TCP port scan on a host showing output reporting filtered ports
* -b      Read in the banner received from the scanned port
* -t 0-9  Set the TTL in seconds when scanning a TCP port (Default 2)
*Requires the -p flagged to be passed
The preceding output shows the syntax and all available options of the dmitry command. The following uses the -s option to search for possible subdomains. Run the following command:
root@kali:~# dmitry -s google.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:173.194.127.71
HostName:google.com

Gathered Subdomain information for google.com
---------------------------------
Searching Google.com:80...
HostName:www.google.com
HostIP:173.194.127.51
Searching Altavista.com:80...
Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results
All scans completed, exiting
The output shows one subdomain, www.google.com, with the IP address 173.194.127.51. By default dmitry searches the google.com website for subdomains; if google.com cannot be reached, running the command prints the message Unable to Connect: Socket connect Error instead.
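Dmitry prints its results as free text, so a practitioner who wants to combine them with the hosts gathered by Recon-NG has to parse that text. The following is an added example, not part of dmitry or Recon-NG, that turns the output of dmitry -s into structured records and merges them with host records from another source. The sample output is constructed from the run shown above; the connection-failure line is the message the text describes, and recognising it separately keeps a failed run from being recorded as "no subdomains found".

```python
import re

# Added example, not part of dmitry: parse the text printed by "dmitry -s <host>"
# into a structured record and merge it with hosts from other tools.

HOST_LINE = re.compile(r"^(HostName|HostIP):\s*(\S+)\s*$")
FOUND_LINE = re.compile(r"^Found (\d+) possible subdomain")
SUBDOMAIN_HEADER = "Gathered Subdomain information for "


def parse_dmitry_subdomains(output):
    """Parse dmitry -s output into {'target', 'subdomains', 'reported', 'error'}."""
    result = {"target": {}, "subdomains": [], "reported": None, "error": None}
    in_subdomains = False
    pending_name = None            # HostName line waiting for its HostIP line
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(SUBDOMAIN_HEADER):
            in_subdomains = True   # switch from the target header to the result list
            continue
        if line.lower().startswith("unable to connect"):
            result["error"] = line  # search engine unreachable: results are incomplete
            continue
        m = FOUND_LINE.match(line)
        if m:
            result["reported"] = int(m.group(1))   # dmitry's own count, for cross-checking
            continue
        m = HOST_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if not in_subdomains:
            # Header section: HostIP and HostName of the target itself.
            result["target"]["ip" if key == "HostIP" else "name"] = value
        elif key == "HostName":
            pending_name = value
        elif pending_name is not None:
            result["subdomains"].append({"name": pending_name, "ip": value})
            pending_name = None
    return result


def merge_hosts(*sources):
    """Combine (name, ip) pairs from several tools into one name -> set-of-IPs map."""
    inventory = {}
    for source in sources:
        for name, ip in source:
            ips = inventory.setdefault(name.lower(), set())
            if ip:
                ips.add(ip)
    return inventory


# Constructed from the dmitry run shown in the text; not a live capture.
SAMPLE_OUTPUT = """\
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:173.194.127.71
HostName:google.com

Gathered Subdomain information for google.com
---------------------------------
Searching Google.com:80...
HostName:www.google.com
HostIP:173.194.127.51
Searching Altavista.com:80...
Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results
All scans completed, exiting
"""

if __name__ == "__main__":
    parsed = parse_dmitry_subdomains(SAMPLE_OUTPUT)
    dmitry_pairs = [(h["name"], h["ip"]) for h in parsed["subdomains"]]
    other_pairs = [("mail.google.com", None)]   # constructed record from another tool
    for name, ips in sorted(merge_hosts(dmitry_pairs, other_pairs).items()):
        print("%-20s %s" % (name, ", ".join(sorted(ips)) or "(unresolved)"))
    if parsed["reported"] != len(parsed["subdomains"]):
        print("[!] dmitry reported %s subdomains but %d were parsed"
              % (parsed["reported"], len(parsed["subdomains"])))
```

Comparing dmitry's own "Found N" count with the number of parsed records is a cheap consistency check; a mismatch usually means the output format changed and the parser, not the target, is what needs attention.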
This article is from the Kali Linux penetration testing training manual (Ba internal material). If you reprint it, please indicate the source; respect technology and respect its people!
Copyright notice: this article is an original article by the blogger and may not be reproduced without the blogger's permission.