Kali Linux penetration testing tutorial: the recon-ng framework


Kali Linux Penetration Testing Tutorial: information gathering with the recon-ng framework

Information gathering is one of the most important stages of a cyber attack. Before attempting an intrusion, the attacker collects every kind of information available about the target: the more that is gathered, the higher the probability that the attack succeeds. This chapter describes the tools used to collect that information.

The Recon-ng framework

Recon-ng is an open-source web reconnaissance (information gathering) framework written in Python. It is a powerful tool for automated information collection and network discovery. The following describes how to use the Recon-ng reconnaissance tool.

To start the Recon-ng framework, run the following command:

    root@kali:~# recon-ng
    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
    _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/
    _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
    _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/
    _/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
    +---------------------------------------------------------------------------+
    |                   Consulting | Development | Training                     |
    |                     http://www.blackhillsinfosec.com                      |
    +---------------------------------------------------------------------------+
    [recon-ng v4.1.4, Tim Tomes (@LaNMaSteR53)]
    [56] Recon modules
    [5]  Reporting modules
    [2]  Exploitation modules
    [2]  Discovery modules
    [1]  Import modules
    [recon-ng][default] >

The above output shows basic information about the Recon-ng framework: this version ships 56 reconnaissance modules, 5 reporting modules, 2 exploitation modules, 2 discovery modules and 1 import module. The [recon-ng][default] > prompt indicates that the framework started successfully; commands are entered at this prompt.

Before using the Recon-ng framework for the first time, run the help command to list every available command, as shown below:

    [recon-ng][default] > help
    Commands (type [help|?] <topic>):
    ---------------------------------
    add         Adds records to the database
    back        Exits current prompt level
    del         Deletes records from the database
    exit        Exits current prompt level
    help        Displays this menu
    keys        Manages framework API keys
    load        Loads specified module
    pdb         Starts a Python debugger session
    query       Queries the database
    record      Records commands to a resource file
    reload      Reloads all modules
    resource    Executes commands from a resource file
    search      Searches available modules
    set         Sets module options
    shell       Executes shell commands
    show        Shows various framework items
    spool       Spools output to a file
    unset       Unsets module options
    use         Loads specified module
    workspaces  Manages workspaces

The above output lists the commands that can be run inside the Recon-ng framework. The framework is similar to Metasploit in that its functionality is organised into modules. Use the show modules command to list all available modules:

    [recon-ng][default] > show modules
    Discovery
    ---------
    discovery/info_disclosure/cache_snoop
    discovery/info_disclosure/interesting_files
    Exploitation
    ------------
    exploitation/injection/command_injector
    exploitation/injection/xpath_bruter
    Import
    ------
    import/csv_file
    Recon
    -----
    recon/companies-contacts/facebook
    recon/companies-contacts/jigsaw
    recon/companies-contacts/jigsaw/point_usage
    recon/companies-contacts/jigsaw/purchase_contact
    recon/companies-contacts/jigsaw/search_contacts
    recon/companies-contacts/linkedin_auth
    recon/contacts-contacts/mangle
    recon/contacts-contacts/namechk
    recon/contacts-contacts/rapportive
    recon/contacts-creds/haveibeenpwned
    ......
    recon/hosts-hosts/bing_ip
    recon/hosts-hosts/ip_neighbor
    recon/hosts-hosts/ipinfodb
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/locations-locations/geocode
    recon/locations-locations/reverse_geocode
    recon/locations-pushpins/flickr
    recon/locations-pushpins/picasa
    recon/locations-pushpins/shodan
    recon/locations-pushpins/twitter
    recon/locations-pushpins/youtube
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012
    Reporting
    ---------
    reporting/csv
    reporting/html
    reporting/list
    reporting/pushpin
    reporting/xml
    [recon-ng][default] >

The output is divided into five sections, one per module category; the number of modules in each category matches the counts printed when Recon-ng started. Different modules serve different kinds of information gathering.

Instance 3-1: use the recon/domains-hosts/baidu_site module to enumerate subdomains of the Baidu website. The procedure is as follows:

(1) Load the recon/domains-hosts/baidu_site module:

    [recon-ng][default] > use recon/domains-hosts/baidu_site

(2) View the configurable options of this module:

    [recon-ng][default][baidu_site] > show options
    Name    Current Value  Req  Description
    ------  -------------  ---  -----------
    SOURCE  default        yes  source of input (see 'show info' for details)
    [recon-ng][default][baidu_site] >

From the output, you can see that this module has one required option, SOURCE.

(3) Set the SOURCE option to the target domain:

    [recon-ng][default][baidu_site] > set SOURCE baidu.com
    SOURCE => baidu.com

The output confirms that the SOURCE option has been set to baidu.com.

(4) Start the information gathering:

    [recon-ng][default][baidu_site] > run
    ---------
    BAIDU.COM
    ---------
    [*] URL: http://www.baidu.com/s?pn=0&wd=site%3abaidu.com
    [*] map.baidu.com
    [*] 123.baidu.com
    [*] jingyan.baidu.com
    [*] top.baidu.com
    [*] www.baidu.com
    [*] hi.baidu.com
    [*] video.baidu.com
    [*] pan.baidu.com
    [*] zhidao.baidu.com
    [*] Sleeping to avoid lockout...
    -------
    SUMMARY
    -------
    [*] 9 total (2 new) items found.

From the output, 9 subdomains were found (2 of which were not yet in the database). Everything that is enumerated is stored in Recon-ng's built-in database, so the user can then generate a report to review the collected data.

Instance 3-2: view the data obtained. The procedure is as follows:

(1) Load the reporting/csv module:

    [recon-ng][default] > use reporting/csv

(2) Generate the report:

    [recon-ng][default][csv] > run
    [*] 9 records added to '/root/.recon-ng/workspaces/default/results.csv'.

From the output you can see that the 9 enumerated records were written to the file /root/.recon-ng/workspaces/default/results.csv. Open the file, as shown in Figure 3.1.

Figure 3.1 Results.csv File

(3) In the file you can see every subdomain that was enumerated.
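To make the mechanics of Instances 3-1 and 3-2 concrete, the following added example (not Recon-ng's own code) models what the baidu_site module and the reporting/csv module do: hostnames are pulled from a constructed search-result page for site:baidu.com, stored in a hosts table that ignores duplicates, summarised as "N total (M new)", and exported as CSV. The same logic is what a defender runs to track which hostnames of their own domain a search engine exposes.

```python
import csv
import io
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample search-result page for site:baidu.com (a real module would
# fetch http://www.baidu.com/s?pn=0&wd=site%3Abaidu.com, the URL shown above).
SAMPLE_HTML = """
<a href="http://map.baidu.com/">map</a>
<a href="https://jingyan.baidu.com/article/1.html">jingyan</a>
<a href="http://www.baidu.com/s?wd=x">search form</a>
<a href="http://notbaidu.com/baidu.com">unrelated site</a>
<a href="http://map.baidu.com/dir/">map again</a>
"""

def extract_hosts(html, domain):
    """Return the distinct hostnames in hrefs that belong to the target domain."""
    hosts = set()
    for url in re.findall(r'href="([^"]+)"', html):
        host = (urlparse(url).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hosts.add(host)
    return sorted(hosts)

class HostStore:
    """Stand-in for the hosts table of a recon-ng workspace database."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE hosts (host TEXT UNIQUE, ip_address TEXT)")

    def add_hosts(self, hosts):
        """Insert hosts; INSERT OR IGNORE yields rowcount 0 for ones already stored."""
        new = 0
        for host in hosts:
            new += self.db.execute(
                "INSERT OR IGNORE INTO hosts (host) VALUES (?)", (host,)).rowcount
        return len(hosts), new

    def to_csv(self):
        """Dump the hosts table as CSV, the way reporting/csv writes results.csv."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        for row in self.db.execute("SELECT host, ip_address FROM hosts ORDER BY host"):
            writer.writerow(row)
        return buf.getvalue()

def run_site_search(store, html, domain):
    """One module 'run': extract hosts, store them, return the summary line."""
    total, new = store.add_hosts(extract_hosts(html, domain))
    return f"[*] {total} total ({new} new) items found."
```

Running the search twice against the same store shows why Recon-ng reports "2 new" on a repeat run: the second pass finds the same hosts but adds none.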

Users can also use the dmitry command to query information about a site. Its use is described below.

View the help information for the dmitry command:

    root@kali:~# dmitry -h
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    dmitry: invalid option -- 'h'
    Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
      -o   Save output to %host.txt or to file specified by -o file
      -i   Perform a whois lookup on the IP address of a host
      -w   Perform a whois lookup on the domain name of a host
      -n   Retrieve Netcraft.com information on a host
      -s   Perform a search for possible subdomains
      -e   Perform a search for possible email addresses
      -p   Perform a TCP port scan on a host
    * -f   Perform a TCP port scan on a host showing output reporting filtered ports
    * -b   Read in the banner received from the scanned port
    * -t 0-9 Set the TTL in seconds when scanning a TCP port (default 2)
    *Requires the -p flag to be passed

The above output shows the syntax of the dmitry command and all of its options (dmitry has no -h option, so the invalid-option message is followed by the usage text). The -s option searches for possible subdomains of a host:

    root@kali:~# dmitry -s google.com
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    HostIP:173.194.127.71
    HostName:google.com
    Gathered Subdomain information for google.com
    ---------------------------------
    Searching Google.com:80...
    HostName:www.google.com
    HostIP:173.194.127.51
    Searching Altavista.com:80...
    Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results
    All scans completed, exiting

The output shows that one subdomain was found: www.google.com, with IP address 173.194.127.51. By default the command queries the google.com website for its search; if google.com cannot be reached, the command fails with the error message "Unable to connect: Socket Connect Error".

This article is excerpted from the Kali Linux Penetration Testing Training Manual (internal material of University Bully). Please credit the source when reproducing; respect the technology and respect IT people!
