Recon-ng
Recon-ng is an open-source web reconnaissance (information gathering) framework written in Python. It is a full-featured tool that automates information collection and network discovery, and its command syntax is modelled on Metasploit. A database is integrated by default: query results are stored in structured tables, and the reporting modules export them as a report. Start the framework with `recon-ng`; the prompt `[recon-ng][default] >` indicates a successful start.
```
root@kali:~# recon-ng

    (ASCII-art banner and sponsor box omitted: Consulting | Development | Training,
     http://www.blackhillsinfosec.com)

[recon-ng v4.6.3, Tim Tomes (@LaNMaSteR53)]

[71] Recon modules
[7]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] >
```
Use the `help` command inside the framework to list all available commands, or `recon-ng -h` from the shell to see the start-up options.
```
[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context
delete          Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads specified module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
reload          Reloads all modules
resource        Executes commands from a resource file
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
unset           Unsets module options
use             Loads specified module
workspaces      Manages workspaces
```

The commands used most in this post are `keys`, `search`, `use`/`load`, `show`, `set`, `query`, `shell` and `workspaces`.
```
root@kali:~# recon-ng -h
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check] [--no-analytics]

recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com

optional arguments:
  -h, --help      show this help message and exit
  -v, --version   show program's version number and exit
  -w workspace    load/create a workspace
  -r filename     load commands from a resource file
  --no-check      disable version check
  --no-analytics  disable analytics reporting
```

`-w` loads or creates a separate workspace (one per target, each with its own database). `-r` takes a resource file: a text file containing framework commands, which are executed automatically on start-up. `--no-check` skips the recon-ng update check, and `--no-analytics` stops the framework from reporting usage analytics each time it starts.
After creating a workspace for the target (`recon-ng -w sina.com`, or `workspaces add sina.com` inside the framework), the prompt changes to `[recon-ng][sina.com]`. `show options` lists the global options:

```
[recon-ng][sina.com] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  DEBUG       False          yes       enable debugging output
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSE     True           yes       enable verbose output
```

Note: the default USER-AGENT `Recon-ng/v4` identifies the tool to every site it queries. To disguise it, set USER-AGENT to a normal browser string; a realistic one can be copied from a packet capture of a browser session.
`show schema` displays the table layout of the workspace database:

```
[recon-ng][sina.com] > show schema
```
2. Most commonly used commands
Press TAB twice at the prompt to list the available modules, or use `search <keyword>` to find one by name. The recon/domains-hosts/google_site_web module needs no Google API key. After loading it with `use`, run `show options` or `show info` first to see its parameters:
```
[recon-ng][sina.com][google_site_web] > show
Shows various framework items

Usage: show [companies|contacts|credentials|dashboard|domains|globals|hosts|info|inputs|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|schema|source|vulnerabilities]

[recon-ng][sina.com][google_site_web] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][sina.com][google_site_web] > show info

      Name: Google Hostname Enumerator
      Path: modules/recon/domains-hosts/google_site_web.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from google.com by using the 'site' search operator. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs
```
Specify the target domain:

```
[recon-ng][sina.com][google_site_web] > set SOURCE sina.com
SOURCE => sina.com
```
Run the module with `run`. Between searches the module sleeps briefly so the search engine does not block it:

```
[recon-ng][sina.com][google_site_web] > run
```

If no results are shown, or to inspect what was stored, query the database directly with SQL:

```
[recon-ng][sina.com][google_site_web] > query SELECT * FROM hosts
[recon-ng][sina.com][google_site_web] > query SELECT * FROM hosts WHERE host LIKE '%baidu.com%' ORDER BY ip_address
[recon-ng][sina.com][google_site_web] > query SELECT * FROM hosts WHERE host LIKE '%www%'
```
3. Brute force: the brute_hosts module, for when the search engine finds nothing
```
[recon-ng][sina.com][bing_domain_web] > search brut
[*] Searching for 'brut'...

  Exploitation
  ------------
    exploitation/injection/xpath_bruter

  Recon
  -----
    recon/domains-domains/brute_suffix
    recon/domains-hosts/brute_hosts

[recon-ng][sina.com][bing_domain_web] > use recon/domains-hosts/brute_hosts
[recon-ng][sina.com][brute_hosts] > show options

  Name      Current Value                           Required  Description
  --------  --------------------------------------  --------  -----------
  SOURCE    default                                 yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/recon-ng/data/hostnames.txt  yes       path to hostname wordlist

[recon-ng][sina.com][brute_hosts] > set SOURCE sina.com
SOURCE => sina.com
[recon-ng][sina.com][brute_hosts] > run
```
4. Resolve IP addresses (querying the database)
```
[recon-ng][sina.com][brute_hosts] > search res
[*] Searching for 'res'...

  Discovery
  ---------
    discovery/info_disclosure/interesting_files

  Recon
  -----
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/netblocks-hosts/reverse_resolve

[recon-ng][sina.com][brute_hosts] > use recon/hosts-hosts/resolve
[recon-ng][sina.com][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][sina.com][resolve] > show info

      Name: Hostname Resolver
      Path: modules/recon/hosts-hosts/resolve.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Resolves the IP address for a host. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

Comments:
  * Note: Nameserver must be in IP form.
```
Because of load balancing, one hostname may resolve to several IP addresses. SOURCE can also be an SQL query that selects the hosts to resolve:

```
[recon-ng][sina.com][resolve] > set SOURCE query SELECT host FROM hosts WHERE host LIKE '%youku.com%'
SOURCE => query SELECT host FROM hosts WHERE host LIKE '%youku.com%'
[recon-ng][sina.com][resolve] > run
```
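The `query` command in section 2 and the `query` SOURCE above both run plain SQL against the workspace's SQLite database. The script below, an added example that is not part of the original post, does the same from Python: it assumes the recon-ng v4 layout (`~/.recon-ng/workspaces/<name>/data.db`) and the `hosts` column names shown in `show schema`, fills an in-memory copy with constructed rows, and then runs the wildcard query from section 2, the resolve module's default SOURCE query, and a grouping that finds the load-balanced hosts with more than one address.

```python
# Added example, not from the original post: reading a recon-ng v4 workspace
# database with Python's sqlite3, which is what the framework's own `query`
# command does. Assumptions: v4 layout (~/.recon-ng/workspaces/<ws>/data.db)
# and the `hosts` column names below; the sample rows are constructed.
import sqlite3
from pathlib import Path

# Assumed column layout of the v4 `hosts` table (compare with `show schema`).
HOSTS_DDL = """
CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, module TEXT
)
"""

# Constructed rows standing in for google_site_web / brute_hosts / resolve output.
SAMPLE_HOSTS = [
    ("www.example.com",  "192.0.2.10",   "resolve"),
    ("www.example.com",  "192.0.2.11",   "resolve"),      # second A record: load balancing
    ("mail.example.com", "192.0.2.25",   "resolve"),
    ("dev.example.com",  None,           "brute_hosts"),  # found by brute force, not resolved yet
    ("www.example.org",  "198.51.100.7", "resolve"),
]


def open_workspace(workspace: str) -> sqlite3.Connection:
    """Open the SQLite file behind a real recon-ng v4 workspace (assumed path)."""
    path = Path.home() / ".recon-ng" / "workspaces" / workspace / "data.db"
    return sqlite3.connect(str(path))


def sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a workspace, filled with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_DDL)
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", SAMPLE_HOSTS
    )
    return conn


def hosts_like(conn: sqlite3.Connection, pattern: str) -> list:
    """Same as `query SELECT host, ip_address FROM hosts WHERE host LIKE '<pattern>'`,
    but with the pattern bound as a parameter instead of pasted into the SQL."""
    return conn.execute(
        "SELECT host, ip_address FROM hosts WHERE host LIKE ? ORDER BY host, ip_address",
        (pattern,),
    ).fetchall()


def unresolved_hosts(conn: sqlite3.Connection) -> list:
    """The resolve module's default SOURCE query: hosts that still have no IP."""
    rows = conn.execute(
        "SELECT DISTINCT host FROM hosts "
        "WHERE host IS NOT NULL AND ip_address IS NULL ORDER BY host"
    )
    return [r[0] for r in rows]


def multi_ip_hosts(conn: sqlite3.Connection) -> dict:
    """Hosts that resolved to more than one address, e.g. behind a load balancer."""
    rows = conn.execute(
        "SELECT host, ip_address FROM hosts "
        "WHERE ip_address IS NOT NULL ORDER BY host, ip_address"
    )
    by_host = {}
    for host, ip in rows:
        ips = by_host.setdefault(host, [])
        if ip not in ips:
            ips.append(ip)
    return {h: ips for h, ips in by_host.items() if len(ips) > 1}


if __name__ == "__main__":
    db = sample_db()   # swap for open_workspace("sina.com") to read a real workspace
    for row in hosts_like(db, "%www%"):
        print(row)
    print("unresolved:", unresolved_hosts(db))
    print("multiple IPs:", multi_ip_hosts(db))
```

Binding the pattern as a parameter matters once the hostnames come from an untrusted wordlist or from a report someone else generated; inside the framework the `query` command runs whatever SQL you type, so the same care applies when building queries by hand.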
5. Export the results with a reporting module
```
[recon-ng][sina.com][resolve] > search report
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][sina.com][resolve] > use reporting/html
[recon-ng][sina.com][html] > show options

  Name      Current Value                                    Required  Description
  --------  -----------------------------------------------  --------  -----------
  CREATOR                                                    yes       creator name for the footer
  CUSTOMER                                                   yes       customer name for the report header
  FILENAME  /root/.recon-ng/workspaces/default/results.html  yes       path and filename to report output
  SANITIZE  True                                             yes       mask sensitive data in the report

[recon-ng][sina.com][html] > set CREATOR zixuan
CREATOR => zixuan
[recon-ng][sina.com][html] > set CUSTOMER youku.com
CUSTOMER => youku.com
[recon-ng][sina.com][html] > set FILENAME /root/sina.html
FILENAME => /root/sina.html
[recon-ng][sina.com][html] > run
[*] Report generated at '/root/sina.html'.
```

SANITIZE masks sensitive data (such as harvested credentials) in the report; leave it at True unless the report is for your own eyes only.
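The five sections above are typed one command at a time. The `-r filename` option from the `-h` output lets the same sequence run unattended from a resource file. The script below is an added example, not code from the original post or from the recon-ng project: it writes the commands from sections 2 to 5 to a resource file and starts recon-ng with `-w` and `-r`. Module, command and option names are the ones shown in this post; the workspace name, the temporary file, the closing `exit` and the domain check are my additions.

```python
# Added example, not from the original post: the workflow of sections 2-5 as a
# recon-ng v4 resource file, run non-interactively with the -w and -r options
# described in the `-h` output. Module, command and option names are those in
# the post; the temp file, the `exit` line and the domain check are my choices.
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Hostname-only allow-list: the domain ends up inside an SQL LIKE pattern in the
# resource file, so quotes, spaces and newlines must never get there.
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_resource(domain: str, creator: str, customer: str, report: str) -> list:
    """Return the recon-ng commands, one per line, in the order the post runs them."""
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a plain domain name: {domain!r}")
    return [
        "use recon/domains-hosts/google_site_web",   # section 2: search-engine harvest
        f"set SOURCE {domain}",
        "run",
        "use recon/domains-hosts/brute_hosts",       # section 3: wordlist brute force
        f"set SOURCE {domain}",
        "run",
        "use recon/hosts-hosts/resolve",             # section 4: resolve hosts to IPs
        f"set SOURCE query SELECT host FROM hosts WHERE host LIKE '%{domain}%'",
        "run",
        "use reporting/html",                        # section 5: HTML report
        f"set CREATOR {creator}",
        f"set CUSTOMER {customer}",
        f"set FILENAME {report}",
        "run",
        "exit",  # assumption: quit instead of dropping to the interactive prompt
    ]


def write_resource(lines: list, directory: str) -> Path:
    """Write the commands to <directory>/recon.rc and return its path."""
    rc = Path(directory) / "recon.rc"
    rc.write_text("\n".join(lines) + "\n")
    return rc


def run_recon(domain: str, workspace: str, creator: str, customer: str, report: str) -> int:
    """Run recon-ng on the generated resource file; returns the process exit code."""
    exe = shutil.which("recon-ng")
    if exe is None:
        raise FileNotFoundError("recon-ng is not in PATH")
    rc = write_resource(build_resource(domain, creator, customer, report), tempfile.mkdtemp())
    # --no-check / --no-analytics: the two flags explained in the -h output.
    proc = subprocess.run(
        [exe, "-w", workspace, "-r", str(rc), "--no-check", "--no-analytics"], check=False
    )
    return proc.returncode


if __name__ == "__main__":
    commands = build_resource("sina.com", "zixuan", "sina.com", "/root/sina.html")
    print("\n".join(commands))
    if shutil.which("recon-ng"):
        print("exit code:", run_recon("sina.com", "sina.com", "zixuan", "sina.com", "/root/sina.html"))
```

The resolve step keeps the post's `query` SOURCE so only hosts under the target domain are resolved; the module's default SOURCE (every host with an empty ip_address) would also work and needs no domain in the SQL at all.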
Newbie's diary, to be continued...