recon-ng

    recon-ng is mainly used for early-stage information gathering. It has a large number of functional modules, so this guide is organized by module.

    1. Installing recon-ng modules

    Open a terminal and type recon-ng:

    recon-ng
    

    This drops you into the recon-ng console:

    [recon-ng][default] >
    

    Install all modules from the marketplace:

    [recon-ng][default] > marketplace install all
    

    List the installed modules:

    [recon-ng][default] > modules search
    

    2. Using modules

    2.1 The hackertarget module

    Load the subdomain lookup module at path recon/domains-hosts/hackertarget:

    [recon-ng][default] > modules load recon/domains-hosts/hackertarget
    

    You get:

    [recon-ng][default][hackertarget] >
    

    2.1.1 First inspect the module with info

    [recon-ng][default][hackertarget] > info
    

    2.1.2 Set the domain whose subdomains you want to query

    [recon-ng][default][hackertarget] > options set SOURCE google.com
    

    2.1.3 Run the module

    [recon-ng][default][hackertarget] > run
    

    2.1.4 Show a summary of the discovered hosts with show hosts

    [recon-ng][default][hackertarget] > show hosts
    

    2.2 The brute_hosts module

    brute_hosts is the module that brute-forces host names from a wordlist; its path is recon/domains-hosts/brute_hosts. Load it with:

    [recon-ng][default][hackertarget] > modules load recon/domains-hosts/brute_hosts
    

    You get:

    [recon-ng][default][brute_hosts] >
    

    2.2.1 First inspect the module with info

    [recon-ng][default][brute_hosts] > info
    

    2.2.2 Set the domain whose subdomains you want to query

    [recon-ng][default][brute_hosts] > options set SOURCE google.com
    

    2.2.3 Run the module

    [recon-ng][default][brute_hosts] > run
    

    2.2.4 Show a summary of the discovered hosts with show hosts

    [recon-ng][default][brute_hosts] > show hosts
    

    2.3 Other modules for finding domains

    • google_site_web (only works from a server outside the Great Firewall)
    • bing_domain_web

    2.4 The interesting_files module

    • Path: discovery/info_disclosure/interesting_files
    • Purpose: discovers files of interest such as robots.txt, sitemap.xml and so on.
    • Usage is the same as for the other modules.

    [recon-ng][default][interesting_files] > run
    

    You get output like the following:

    [recon-ng][default][interesting_files] > run
    [*] http://test.com:80/robots.txt => 200. 'robots.txt' found!
    [*] http://test.com:80/sitemap.xml => 200. 'sitemap.xml' found!
    [*] http://test.com:80/sitemap.xml.gz => 404
    [*] http://test.com:80/crossdomain.xml => 404
    [*] http://test.com:80/phpinfo.php => 404
    [*] http://test.com:80/test.php => 404
    [*] http://test.com:80/elmah.axd => 404
    [*] http://test.com:80/server-status => 404
    [*] http://test.com:80/jmx-console/ => 404
    [*] http://test.com:80/admin-console/ => 404
    [*] http://test.com:80/web-console/ => 404
    [*] 2 interesting files found.
    [*] Files downloaded to '/home/jun/.recon-ng/workspaces/default/'
    

    The output shows that two files, robots.txt and sitemap.xml, were found, and that the downloaded files are stored under /home/jun/.recon-ng/workspaces/default/.
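    A small parser for that per-URL output, added here as an example (not part of the original post or of recon-ng): it turns each probe line into a record and lists the paths the module reported as present, so the lines can be reviewed or diffed between runs instead of read by eye. The sample input is the run shown above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# One probe line of an interesting_files run, e.g.
#   [*] http://test.com:80/robots.txt => 200. 'robots.txt' found!
#   [*] http://test.com:80/phpinfo.php => 404
# Summary lines ('[*] 2 interesting files found.') do not match and are skipped.
LINE_RE = re.compile(r"^\[\*\] (?P<url>\S+) => (?P<status>\d{3})\.?(?P<rest>.*)$")

# Sample output, copied from the run shown above on this page.
SAMPLE_OUTPUT = """[*] http://test.com:80/robots.txt => 200. 'robots.txt' found!
[*] http://test.com:80/sitemap.xml => 200. 'sitemap.xml' found!
[*] http://test.com:80/sitemap.xml.gz => 404
[*] http://test.com:80/crossdomain.xml => 404
[*] http://test.com:80/phpinfo.php => 404
[*] http://test.com:80/test.php => 404
[*] http://test.com:80/elmah.axd => 404
[*] http://test.com:80/server-status => 404
[*] http://test.com:80/jmx-console/ => 404
[*] http://test.com:80/admin-console/ => 404
[*] http://test.com:80/web-console/ => 404
[*] 2 interesting files found.
[*] Files downloaded to '/home/jun/.recon-ng/workspaces/default/'"""

@dataclass(frozen=True)
class Probe:
    url: str
    status: int
    found: bool  # True when the module flagged the file as present

def parse_interesting_files(output: str) -> list[Probe]:
    """Parse the per-URL lines of an interesting_files run into Probe records."""
    probes = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            probes.append(Probe(m["url"], int(m["status"]), "found!" in m["rest"]))
    return probes

def exposed_paths(probes: list[Probe]) -> list[str]:
    """URL paths the module reported as present, i.e. what the site currently exposes."""
    return [urlparse(p.url).path for p in probes if p.found]

if __name__ == "__main__":
    for path in exposed_paths(parse_interesting_files(SAMPLE_OUTPUT)):
        print("exposed:", path)
```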

    2.5 The shodan module

    Shodan returns considerably more results, but it is a paid service.

    2.5.1 Shodan API key

    From recon-ng's point of view Shodan is a third-party resource, so you need to register a Shodan account in advance and obtain a Shodan API key.

    Add the Shodan API key to recon-ng:

    [recon-ng][default] > keys add shodan_api your_shodan_api
    

    2.5.2 Discovering hosts with Shodan

    [recon-ng][default] > modules load recon/domains-hosts/shodan_hostname
    

    Usage is the same as for the other modules:

    [recon-ng][default][shodan_hostname] > options set SOURCE yourdomain.com
    
    [recon-ng][default][shodan_hostname] > run
    

    3. Processing the collected information

    3.1 Filtering information with db

    [recon-ng][default] > show hosts 
    

    You get:

    +-----------------------------------------------------------------------------------------------------------------------------+
    | rowid |                host               |   ip_address   | region | country | latitude | longitude | notes |    module    |
    +-----------------------------------------------------------------------------------------------------------------------------+
    

    If you only want to display a single column, for example ip_address, use db query:

    [recon-ng][default] > db query SELECT ip_address FROM hosts
    

    3.2 Generating/exporting a report

    List the available report modules:

    [recon-ng][default] > marketplace search report
    
      +-----------------------------------------------------------------------------+
      |               Path               | Version |   Status  |  Updated   | D | K |
      +-----------------------------------------------------------------------------+
      | recon/hosts-hosts/virustotal     | 1.0     | installed | 2019-06-24 |   | * |
      | recon/netblocks-hosts/virustotal | 1.0     | installed | 2019-06-24 |   | * |
      | reporting/csv                    | 1.0     | installed | 2019-06-24 |   |   |
      | reporting/html                   | 1.0     | installed | 2019-06-24 |   |   |
      | reporting/json                   | 1.0     | installed | 2019-06-24 |   |   |
      | reporting/list                   | 1.0     | installed | 2019-06-24 |   |   |
      | reporting/proxifier              | 1.0     | installed | 2019-06-24 |   |   |
      | reporting/pushpin                | 1.0     | installed | 2019-06-24 |   | * |
      | reporting/xlsx                   | 1.0     | installed | 2019-06-24 |   |   |
      | reporting/xml                    | 1.1     | installed | 2019-06-24 |   |   |
      +-----------------------------------------------------------------------------+
    

    3.2.1 Generating a full report with the reporting/csv module

    [recon-ng][default] > modules load reporting/csv
    

    Usage is the same as for the other modules:

    [recon-ng][default][csv] > info
    

    If any settings are needed, set them with the options command, then run to export the report file.

    [recon-ng][default][csv] > run
    
    [*]  45 records added to '/home/jun/.recon-ng/workspaces/default/resluts.csv'
    

    3.2.2 Generating a de-duplicated IP list with reporting/list:

    [recon-ng][default][csv] > modules load reporting/list
    [recon-ng][default][csv] > run
    
    [*] 29 items added to '/home/jun/.recon-ng/workspaces/default/list.txt'.
    
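    The same two steps, sections 3.1 and 3.2 above, done directly against the workspace database with Python's sqlite3, as an added example (not recon-ng's own code): select ip_address, drop NULLs and duplicates as reporting/list does, count hosts per source module, and write a CSV. The hosts columns are the ones shown by show hosts; the data.db file name under the workspace directory is an assumption, and the sample rows are constructed.

```python
import csv
import os
import sqlite3
from typing import Dict, List

# Assumed location of the default workspace's SQLite file (directory taken from the
# download paths shown on this page; the file name data.db is an assumption).
WORKSPACE_DB = os.path.expanduser("~/.recon-ng/workspaces/default/data.db")

# Columns as listed by 'show hosts' above; rowid is SQLite's implicit row id.
HOSTS_SCHEMA = """CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, notes TEXT, module TEXT)"""

# Constructed sample rows: one duplicate IP and one host with no IP, the two cases
# a plain 'SELECT ip_address FROM hosts' leaves in the output.
SAMPLE_HOSTS = [
    ("www.example.com", "192.0.2.10", None, None, None, None, None, "hackertarget"),
    ("mail.example.com", "192.0.2.10", None, None, None, None, None, "hackertarget"),
    ("dev.example.com", "192.0.2.25", None, None, None, None, None, "brute_hosts"),
    ("old.example.com", None, None, None, None, None, None, "brute_hosts"),
]

def sample_workspace() -> sqlite3.Connection:
    """In-memory stand-in for a workspace database, filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?,?)", SAMPLE_HOSTS)
    return conn

def unique_ips(conn: sqlite3.Connection) -> List[str]:
    """'db query SELECT ip_address FROM hosts' plus what reporting/list adds:
    NULLs dropped, duplicates collapsed, one IP per entry."""
    sql = "SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL ORDER BY ip_address"
    return [row[0] for row in conn.execute(sql)]

def hosts_by_module(conn: sqlite3.Connection) -> Dict[str, int]:
    """Number of hosts each recon module contributed (the 'module' column)."""
    return dict(conn.execute("SELECT module, COUNT(*) FROM hosts GROUP BY module ORDER BY module"))

def export_csv(conn: sqlite3.Connection, path: str) -> int:
    """Write host, ip_address and module to CSV, like reporting/csv; returns rows written."""
    rows = conn.execute("SELECT host, ip_address, module FROM hosts ORDER BY host").fetchall()
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["host", "ip_address", "module"])
        writer.writerows(rows)
    return len(rows)

if __name__ == "__main__":
    # Open the real workspace if it exists; otherwise fall back to the constructed sample.
    conn = sqlite3.connect(WORKSPACE_DB) if os.path.exists(WORKSPACE_DB) else sample_workspace()
    print("\n".join(unique_ips(conn)))
```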

    4. Creating/deleting workspaces

    4.1 Creating a workspace

    [recon-ng][default] > workspaces list 
    
    +----------------------------------+
    | Workspaces |       Modified      |
    +----------------------------------+
    | default    | 2020-04-14 17:52:49 |
    +----------------------------------+
    

    Create a workspace:

    [recon-ng][default] > workspaces create test 
    

    After creation you are switched directly into the new workspace, here test:

    [recon-ng][test] > workspaces list
    

    You can see that the workspace test has been added:

    +----------------------------------+
    | Workspaces |       Modified      |
    +----------------------------------+
    | default    | 2020-04-15 12:00:13 |
    | test       | 2020-04-15 12:20:11 |
    +----------------------------------+
    

    4.2 Deleting a workspace

    [recon-ng][default] > workspaces list 
    
    +----------------------------------+
    | Workspaces |       Modified      |
    +----------------------------------+
    | default    | 2020-04-14 17:52:49 |
    +----------------------------------+
    

    Select the workspace to delete:

    [recon-ng][default] > workspaces remove default
    

    After this, the data in the default workspace is deleted.


    Original article: https://www.cnblogs.com/freedom-try/p/12803855.html