recon-ng manual

Discussion in 'Tools' started by fandor9, 6 Nov 2019.

    In short, for anyone not familiar with it, recon-ng is an information-gathering tool. Since the commands changed completely in version 5, I decided to write a manual (also so I don't forget it myself) on how and what. After installing, run:
    Code:
    recon-ng
    [*] Version check disabled.
    [*] No modules enabled/installed.
    [recon-ng][default] >
    That is, out of the box it has no modules; they need to be installed, after first refreshing the modules:
    Code:
    [recon-ng][default] > marketplace refresh
    [*] Marketplace index refreshed.
    [recon-ng][default] > marketplace install all
    [*] Reloading modules...
    
    [*] Module installed: discovery/info_disclosure/cache_snoop
    [*] Module installed: discovery/info_disclosure/interesting_files
    [*] Module installed: exploitation/injection/command_injector
    [*] Module installed: exploitation/injection/xpath_bruter
    [*] Module installed: import/csv_file
    [*] Module installed: import/list
    [*] Module installed: import/nmap
    [*] Module installed: recon/companies-contacts/bing_linkedin_cache
    [*] Module installed: recon/companies-contacts/pen
    [*] Module installed: recon/companies-domains/pen
    [*] Module installed: recon/companies-domains/viewdns_reverse_whois
    [*] Module installed: recon/companies-multi/github_miner
    [*] Module installed: recon/companies-multi/shodan_org
    [*] Module installed: recon/companies-multi/whois_miner
    [*] Module installed: recon/contacts-contacts/abc
    [*] Module installed: recon/contacts-contacts/mailtester
    [*] Module installed: recon/contacts-contacts/mangle
    [*] Module installed: recon/contacts-contacts/unmangle
    [*] Module installed: recon/contacts-credentials/hibp_breach
    [*] Module installed: recon/contacts-credentials/hibp_paste
    [*] Module installed: recon/contacts-credentials/scylla
    [*] Module installed: recon/contacts-domains/migrate_contacts
    [*] Module installed: recon/contacts-profiles/fullcontact
    [*] Module installed: recon/credentials-credentials/adobe
    [*] Module installed: recon/credentials-credentials/bozocrack
    [*] Module installed: recon/credentials-credentials/hashes_org
    [*] Module installed: recon/domains-companies/pen
    [*] Module installed: recon/domains-contacts/metacrawler
    [*] Module installed: recon/domains-contacts/pen
    [*] Module installed: recon/domains-contacts/pgp_search
    [*] Module installed: recon/domains-contacts/whois_pocs
    [*] Module installed: recon/domains-credentials/pwnedlist/account_creds
    [*] Module installed: recon/domains-credentials/pwnedlist/api_usage
    [*] Module installed: recon/domains-credentials/pwnedlist/domain_creds
    [*] Module installed: recon/domains-credentials/pwnedlist/domain_ispwned
    [*] Module installed: recon/domains-credentials/pwnedlist/leak_lookup
    [*] Module installed: recon/domains-credentials/pwnedlist/leaks_dump
    [*] Module installed: recon/domains-credentials/scylla
    [*] Module installed: recon/domains-domains/brute_suffix
    [*] Module installed: recon/domains-hosts/binaryedge
    [*] Module installed: recon/domains-hosts/bing_domain_api
    [*] Module installed: recon/domains-hosts/bing_domain_web
    [*] Module installed: recon/domains-hosts/brute_hosts
    [*] Module installed: recon/domains-hosts/builtwith
    [*] Module installed: recon/domains-hosts/certificate_transparency
    [*] Module installed: recon/domains-hosts/findsubdomains
    [*] Module installed: recon/domains-hosts/google_site_web
    [*] Module installed: recon/domains-hosts/hackertarget
    [*] Module installed: recon/domains-hosts/mx_spf_ip
    [*] Module installed: recon/domains-hosts/netcraft
    [*] Module installed: recon/domains-hosts/shodan_hostname
    [*] Module installed: recon/domains-hosts/ssl_san
    [*] Module installed: recon/domains-hosts/threatcrowd
    [*] Module installed: recon/domains-hosts/threatminer
    [*] Module installed: recon/domains-vulnerabilities/ghdb
    [*] Module installed: recon/domains-vulnerabilities/xssed
    [*] Module installed: recon/domains-vulnerabilities/xssposed
    [*] Module installed: recon/hosts-domains/migrate_hosts
    [*] Module installed: recon/hosts-hosts/bing_ip
    [*] Module installed: recon/hosts-hosts/ipinfodb
    [*] Module installed: recon/hosts-hosts/ipstack
    [*] Module installed: recon/hosts-hosts/resolve
    [*] Module installed: recon/hosts-hosts/reverse_resolve
    [*] Module installed: recon/hosts-hosts/ssltools
    [*] Module installed: recon/hosts-hosts/virustotal
    [*] Module installed: recon/hosts-locations/migrate_hosts
    [*] Module installed: recon/hosts-ports/binaryedge
    [*] Module installed: recon/hosts-ports/shodan_ip
    [*] Module installed: recon/locations-locations/geocode
    [*] Module installed: recon/locations-locations/reverse_geocode
    [*] Module installed: recon/locations-pushpins/flickr
    [*] Module installed: recon/locations-pushpins/shodan
    [*] Module installed: recon/locations-pushpins/twitter
    [*] Module installed: recon/locations-pushpins/youtube
    [*] Module installed: recon/netblocks-companies/whois_orgs
    [*] Module installed: recon/netblocks-hosts/reverse_resolve
    [*] Module installed: recon/netblocks-hosts/shodan_net
    [*] Module installed: recon/netblocks-hosts/virustotal
    [*] Module installed: recon/netblocks-ports/census_2012
    [*] Module installed: recon/netblocks-ports/censysio
    [*] Module installed: recon/ports-hosts/migrate_ports
    [*] Module installed: recon/profiles-contacts/bing_linkedin_contacts
    [*] Module installed: recon/profiles-contacts/dev_diver
    [*] Module installed: recon/profiles-contacts/github_users
    [*] Module installed: recon/profiles-profiles/namechk
    [*] Module installed: recon/profiles-profiles/profiler
    [*] Module installed: recon/profiles-profiles/twitter_mentioned
    [*] Module installed: recon/profiles-profiles/twitter_mentions
    [*] Module installed: recon/profiles-repositories/github_repos
    [*] Module installed: recon/repositories-profiles/github_commits
    [*] Module installed: recon/repositories-vulnerabilities/gists_search
    [*] Module installed: recon/repositories-vulnerabilities/github_dorks
    [*] Module installed: reporting/csv
    [*] Module installed: reporting/html
    [*] Module installed: reporting/json
    [*] Module installed: reporting/list
    [*] Module installed: reporting/proxifier
    [*] Module installed: reporting/pushpin
    [*] Module installed: reporting/xlsx
    [*] Module installed: reporting/xml
    Now we have modules, but to work with them we need to create a workspace:
    Code:
    [recon-ng][default] > workspaces create antichat.me
    [recon-ng][antichat.me] >
    
    and into it we push the domain we need into the database:
    Code:
    [recon-ng][antichat.me] > db insert domains antichat.me
    [*] 1 rows affected.
    
    now we can use the modules that work with domain data:
    Code:
    [recon-ng][antichat.me] > modules search domain
    [*] Searching installed modules for 'domain'...
    
    Recon
    -----
    recon/companies-domains/pen
    recon/companies-domains/viewdns_reverse_whois
    recon/contacts-domains/migrate_contacts
    recon/domains-companies/pen
    recon/domains-contacts/pen
    recon/domains-contacts/pgp_search
    recon/domains-contacts/whois_pocs
    recon/domains-credentials/pwnedlist/api_usage
    recon/domains-credentials/pwnedlist/domain_ispwned
    recon/domains-credentials/pwnedlist/leak_lookup
    recon/domains-credentials/pwnedlist/leaks_dump
    recon/domains-credentials/scylla
    recon/domains-domains/brute_suffix
    recon/domains-hosts/binaryedge
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/certificate_transparency
    recon/domains-hosts/findsubdomains
    recon/domains-hosts/google_site_web
    recon/domains-hosts/hackertarget
    recon/domains-hosts/mx_spf_ip
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/threatcrowd
    recon/domains-hosts/threatminer
    recon/domains-vulnerabilities/ghdb
    recon/domains-vulnerabilities/xssed
    recon/domains-vulnerabilities/xssposed
    recon/hosts-domains/migrate_hosts
    to use the brute_hosts module, which will give us subdomain (host) names based on the list of domains in the database, we need to load it, and then we can look at the info about it:
    Code:
    [recon-ng][antichat.me] > modules load recon/domains-hosts/brute_hosts
    [recon-ng][antichat.me][brute_hosts] > info
    
          Name: DNS Hostname Brute Forcer
        Author: Tim Tomes (@lanmaster53)
       Version: 1.0
    
    Description:
      Brute forces host names using DNS. Updates the 'hosts' table with the results.
    
    Options:
      Name      Current Value                                             Required  Description
      --------  -------------                                             --------  -----------
      SOURCE    default                                                   yes       source of input (see 'show info' for details)
      WORDLIST  /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt  yes       path to hostname wordlist
    
    Source Options:
      default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
      <string>       string representing a single input
      <path>         path to a file containing a list of inputs
      query <sql>    database query returning one column of inputs
    
    
    modules can have various options, which can be viewed (list) and set (set). A special option is SOURCE, the source from which the module takes its domains: they can be loaded from a file by giving a path, or you can specify a domain directly yourself. By default it uses the data that is already in the database.
    Code:
    [recon-ng][antichat.me][brute_hosts] > options list
    
      Name      Current Value                       Required  Description
      --------  -------------                       --------  -----------
      SOURCE    default                             yes       source of input (see 'show info' for details)
      WORDLIST  /root/.recon-ng/data/hostnames.txt  yes       path to hostname wordlist
    
    [recon-ng][antichat.me][brute_hosts] > options set WORDLIST /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt
    WORDLIST => /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt
    
    now we just run the module:
    Code:
    [recon-ng][antichat.me][brute_hosts] > run
    (...)
    -------
    SUMMARY
    -------
    [*] 14 total (13 new) hosts found.
    
    
    and in the end we get 13 subdomains:
    Code:
    [recon-ng][antichat.me][brute_hosts] > show hosts
      +--------------------------------------------------------------------------------------------------------+
      | rowid |          host          |   ip_address  | region | country | latitude | longitude |    module   |
      +--------------------------------------------------------------------------------------------------------+
      | 1     | apps.antichat.me       | 52.216.187.2  |        |         |          |           | brute_hosts |
      | 2     | antichat.me            |               |        |         |          |           | brute_hosts |
      | 3     | ftp.antichat.me        |               |        |         |          |           | brute_hosts |
      | 4     | ftp.antichat.me        | 45.60.11.90   |        |         |          |           | brute_hosts |
      | 5     | ftp.antichat.me        | 45.60.101.90  |        |         |          |           | brute_hosts |
      | 6     | img.antichat.me        | 35.171.171.46 |        |         |          |           | brute_hosts |
      | 7     | img.antichat.me        | 52.23.124.186 |        |         |          |           | brute_hosts |
      | 8     | mail.antichat.me       |               |        |         |          |           | brute_hosts |
      | 9     | mail.antichat.me       | 45.60.11.90   |        |         |          |           | brute_hosts |
      | 10    | mail.antichat.me       | 45.60.101.90  |        |         |          |           | brute_hosts |
      | 11    | a5q55pw.x.incapdns.net |               |        |         |          |           | brute_hosts |
      | 12    | www.antichat.me        |               |        |         |          |           | brute_hosts |
      | 13    | www.antichat.me        | 45.60.13.90   |        |         |          |           | brute_hosts |
      +--------------------------------------------------------------------------------------------------------+
    
    [*] 13 rows returned
    
    Suppose results 3, 8, 11 and 12 are junk and we don't need them, so we delete them from the database:
    Code:
    [recon-ng][antichat.me][brute_hosts] > db delete hosts 3,8,11,12
    [*] 4 rows affected.
    [recon-ng][antichat.me][brute_hosts] > show hosts
      +--------------------------------------------------------------------------------------------------+
      | rowid |       host       |   ip_address  | region | country | latitude | longitude |    module   |
      +--------------------------------------------------------------------------------------------------+
      | 1     | apps.antichat.me | 52.216.187.2  |        |         |          |           | brute_hosts |
      | 2     | antichat.me      |               |        |         |          |           | brute_hosts |
      | 4     | ftp.antichat.me  | 45.60.11.90   |        |         |          |           | brute_hosts |
      | 5     | ftp.antichat.me  | 45.60.101.90  |        |         |          |           | brute_hosts |
      | 6     | img.antichat.me  | 35.171.171.46 |        |         |          |           | brute_hosts |
      | 7     | img.antichat.me  | 52.23.124.186 |        |         |          |           | brute_hosts |
      | 9     | mail.antichat.me | 45.60.11.90   |        |         |          |           | brute_hosts |
      | 10    | mail.antichat.me | 45.60.101.90  |        |         |          |           | brute_hosts |
      | 13    | www.antichat.me  | 45.60.13.90   |        |         |          |           | brute_hosts |
      +--------------------------------------------------------------------------------------------------+
    
    [*] 9 rows returned
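As an added example that is not part of the post and not recon-ng's own code, the same workflow replayed non-interactively and the cleanup step expressed as rules instead of hand-picked rowids. It assumes recon-ng v5 on PATH with its `-w` (workspace) and `-r` (resource script) flags, a workspace database at ~/.recon-ng/workspaces/<name>/data.db, and a hosts table with the columns shown in the post's `show hosts` output; the sample rows are copied from the post so the pruning can be demonstrated offline.

```python
"""Replay the post's recon-ng v5 workflow non-interactively and prune the hosts table.

Added example, not code from the post or from recon-ng. Assumptions: recon-ng v5
on PATH (only used if present), the workspace database lives at
~/.recon-ng/workspaces/<name>/data.db, and the hosts table has the columns shown
in the post's `show hosts` output (recon-ng's real schema may carry extra columns).
"""
import shutil
import sqlite3
import subprocess
from pathlib import Path
from typing import List, Optional

BRUTE_HOSTS = "recon/domains-hosts/brute_hosts"


def build_resource_script(domain: str, wordlist: str) -> str:
    """Resource script (for recon-ng -r) with the commands the post types by hand.

    Only the one module needed is installed, not `marketplace install all`.
    The workspace is chosen with `recon-ng -w`, so no `workspaces create` here.
    """
    steps = [
        "marketplace refresh",
        f"marketplace install {BRUTE_HOSTS}",
        f"db insert domains {domain}",
        f"modules load {BRUTE_HOSTS}",
        f"options set WORDLIST {wordlist}",
        "run",
        "show hosts",
        "exit",
    ]
    return "\n".join(steps) + "\n"


def run_recon(workspace: str, rc_path: Path) -> Optional[int]:
    """Run the script with recon-ng; exit code, or None if recon-ng is not installed."""
    exe = shutil.which("recon-ng")
    if exe is None:
        return None
    cmd = [exe, "-w", workspace, "-r", str(rc_path), "--no-version"]
    return subprocess.run(cmd, check=False).returncode


def workspace_db(workspace: str) -> Path:
    """Assumed location of a v5 workspace's SQLite file."""
    return Path.home() / ".recon-ng" / "workspaces" / workspace / "data.db"


def prune_hosts(conn: sqlite3.Connection, domain: str) -> List[int]:
    """Delete the kind of rows the post removes by hand; returns the rowids deleted.

    Rule 1: an unresolved row (empty ip_address) is redundant when another row
            for the same host did resolve (brute_hosts records both, as shown).
    Rule 2: a host outside the target domain (the *.incapdns.net CDN name in
            the post) is out of scope for this workspace.
    """
    cur = conn.cursor()
    redundant = [r[0] for r in cur.execute(
        "SELECT rowid FROM hosts h"
        " WHERE (h.ip_address IS NULL OR h.ip_address = '')"
        "   AND EXISTS (SELECT 1 FROM hosts o WHERE o.host = h.host"
        "               AND o.ip_address IS NOT NULL AND o.ip_address != '')")]
    foreign = [r[0] for r in cur.execute(
        "SELECT rowid FROM hosts WHERE host != ? AND host NOT LIKE ?",
        (domain, "%." + domain))]
    removed = sorted(set(redundant) | set(foreign))
    cur.executemany("DELETE FROM hosts WHERE rowid = ?", [(r,) for r in removed])
    conn.commit()
    return removed


# Constructed fixture: the rows from the post's `show hosts` output, so the
# pruning step can be demonstrated offline without running brute_hosts.
SAMPLE_ROWS = [
    (1, "apps.antichat.me", "52.216.187.2"),
    (2, "antichat.me", None),
    (3, "ftp.antichat.me", None),
    (4, "ftp.antichat.me", "45.60.11.90"),
    (5, "ftp.antichat.me", "45.60.101.90"),
    (6, "img.antichat.me", "35.171.171.46"),
    (7, "img.antichat.me", "52.23.124.186"),
    (8, "mail.antichat.me", None),
    (9, "mail.antichat.me", "45.60.11.90"),
    (10, "mail.antichat.me", "45.60.101.90"),
    (11, "a5q55pw.x.incapdns.net", None),
    (12, "www.antichat.me", None),
    (13, "www.antichat.me", "45.60.13.90"),
]


def sample_db() -> sqlite3.Connection:
    """In-memory hosts table shaped like the post's output, filled with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT,"
                 " country TEXT, latitude TEXT, longitude TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts (rowid, host, ip_address, module)"
                     " VALUES (?, ?, ?, 'brute_hosts')", SAMPLE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    workspace = domain = "antichat.me"
    rc = Path("brute_hosts.rc")
    rc.write_text(build_resource_script(
        domain, "/usr/share/wordlists/seclists/Discovery/DNS/namelist.txt"))
    if run_recon(workspace, rc) is None:
        print("recon-ng not on PATH; pruning the post's sample rows instead")
        conn = sample_db()
    else:
        conn = sqlite3.connect(workspace_db(workspace))
    print("deleted rowids:", prune_hosts(conn, domain))
    for row in conn.execute("SELECT rowid, host, ip_address FROM hosts ORDER BY rowid"):
        print(*row)
```

Run it with `python3`; without recon-ng installed it prunes the constructed rows and deletes rowids 3, 8, 11 and 12, the same rows the post removes by hand, leaving nine. Against a live workspace the two rules can also be typed into the console as `db query` statements instead of picking rowids from `show hosts`, and installing one module by path rather than `marketplace install all` avoids pulling in modules that need API keys you don't have.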
    