Saturday, 6 April 2013

Kali Linux - recon-ng v3

This is the third and final post on recon-ng, covering automation among other things. After all, all this functionality is great, but I don't want to kick it off manually every time!

Below I mention some of the most interesting modules, avoiding most of those that need real interaction, API keys or even registration (pwnedlist.com, yeah, awesome service but not free...).

One of the simplest commands in the recon-ng world is record (start/stop/status): it records the commands you type and creates a script that contains that series of commands to be run in sequence. It is really nothing more than a command-per-line file (saved by default at ./data/cmd.rc), so... here we go, I have created my own script with my favorite modules.

Output from the script is saved either in the database or under ./workspaces/default.

Let's see the script (the comments will be run in a shell, so you can leave them in; bash knows what a comment looks like):

# Recon script recon.rc
# let's set up the environment
set workspace project1
set company "name of company"
set domain targetcompany.com
# important! set up a correct user-agent http://www.useragentstring.com/
set user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17"
# let's start looking now
use recon/contacts/gather/http/whois_pocs
run
back
use recon/contacts/gather/http/jigsaw
run
back
# enough with people, let's get some hosts now
use recon/hosts/gather/dns/brute_force
run
back
use recon/hosts/gather/http/bing
run
back
use recon/hosts/gather/http/google
run
back
use recon/hosts/gather/http/netcraft
run
back
use recon/hosts/enum/dns/resolve
run
back
use recon/hosts/enum/http/geoip/hostip
run
back
use recon/hosts/enum/http/netcraft_history
run
back
use recon/hosts/enum/http/urlvoid
run
back
# let's see if there are any interesting files on the discovered hosts
# (files will be saved in the ./workspaces/project1 location)
use discovery/info_disclosure/http/interesting_files
run
back
# let's create a nice report as well
use reporting/html_report
set filename ./workspaces/project1/results.html
run
back
Ok... now let's run it and see what happens :)

./recon-ng -r recon.rc
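Since the resource file runs unattended, a quick sanity check before handing it to recon-ng -r saves a wasted run: a forgotten back, or a module started before the workspace and domain are set, only shows up once the script is already going. The linter below is an added example, not something shipped with recon-ng; the sample file is constructed here to mirror the recon.rc layout above, and the rules it checks (every use closed by back, workspace and domain set before the first module) are my own assumptions about what a good script looks like.

```python
# Constructed sample resource file in the same command-per-line format as recon.rc;
# the second module deliberately lacks its 'back'.
SAMPLE_RC = """\
# Recon script recon.rc
set workspace project1
set domain targetcompany.com
use recon/contacts/gather/http/whois_pocs
run
back
use recon/hosts/gather/dns/brute_force
run
# missing 'back' here on purpose
use reporting/html_report
set filename ./workspaces/project1/results.html
run
back
"""

# Globals we assume should be set before the first module starts (assumption).
REQUIRED_GLOBALS = ("workspace", "domain")


def parse_rc(text):
    """Yield (line_no, command, argument) for each non-empty, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        yield no, cmd.lower(), arg.strip()


def lint_rc(text):
    """Return the modules a resource script will run and a list of problems found."""
    problems, modules, globals_set = [], [], set()
    current = None  # module currently selected by 'use', None at the top level
    for no, cmd, arg in parse_rc(text):
        if cmd == "set" and current is None:
            globals_set.add(arg.split(" ", 1)[0])  # top-level 'set' is a global option
        elif cmd == "use":
            if current is not None:
                problems.append(f"line {no}: 'use {arg}' while {current} still open (missing back)")
            missing = [g for g in REQUIRED_GLOBALS if g not in globals_set]
            if missing:
                problems.append(f"line {no}: {arg} runs before set {', '.join(missing)}")
            current, modules = arg, modules + [arg]
        elif cmd == "run" and current is None:
            problems.append(f"line {no}: run outside of any module")
        elif cmd == "back":
            current = None
    if current is not None:
        problems.append(f"end of file: {current} never closed with back")
    return {"modules": modules, "problems": problems}
```

Run it as `python3 lint_rc.py` with `print(lint_rc(open("recon.rc").read()))` at the bottom to check your own script; an empty problems list means the file at least has a sane shape.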

Some additional modules I found interesting are:

use recon/contacts/support/mangle
info
use recon/hosts/enum/http/builtwith
info
use recon/hosts/enum/http/server_enum
info

but I would run them manually after the script, to better play with the outputs..

That's it with recon-ng (until I find something else interesting to do with it, really...). Thanks for reading :)

Enjoy :)
