I. Introduction to recon-ng
- A web reconnaissance (information-gathering) framework
- Command syntax consistent with msf (Metasploit)
- Developed in Python
- Usage revolves around three things: modules, the workspace database, and reports
II. Quick tutorial
1. The recon-ng help command
```
root@kali:~# recon-ng -h
usage: recon-ng [-h] [-w workspace] [-r filename] [--no-version] [--no-analytics]
                [--no-marketplace] [--stealth] [--version] [--analytics]

recon-ng - Tim Tomes (@lanmaster53)

optional arguments:
  -h, --help        show this help message and exit
  -w workspace      load/create a workspace
  -r filename       load commands from a resource file
  --no-version      disable version check. Already disabled by default in Debian
  --no-analytics    disable analytics reporting. Already disabled by default in Debian
  --no-marketplace  disable remote module management
  --stealth         disable all passive requests (--no-*)
  --version         displays the current version
  --analytics       enable analytics reporting. Send analytics to google
```
2. Create a workspace named test, as follows
```
root@kali:~# recon-ng -w test
[!] Unable to synchronize module index. (ConnectionError).
[*] Version check disabled.

    (recon-ng ASCII-art banner omitted)

    Sponsored by...  BLACK HILLS  www.blackhillsinfosec.com
                     www.practisec.com

[recon-ng v5.0.0, Tim Tomes (@lanmaster53)]

[*] No modules enabled/installed.

[recon-ng][test] >
```
- Note: the error shown in red is caused by the recon-ng update (in the new version, modules have to be installed manually). Ignore it for now; it is resolved below.
3. Installing modules (fixes the error above)
(1) Installing a single module, using brute_hosts as an example
```
[recon-ng][default] > marketplace refresh
[*] Marketplace index refreshed.
[recon-ng][default] > marketplace search brute_hosts
[*] Searching module index for 'brute_hosts'...

  +--------------------------------------------------------------------------------+
  |              Path               | Version |    Status     |  Updated   | D | K |
  +--------------------------------------------------------------------------------+
  | recon/domains-hosts/brute_hosts | 1.0     | not installed | 2019-06-24 |   |   |
  +--------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

[recon-ng][default] > marketplace install recon/domains-hosts/brute_hosts
[*] Module installed: recon/domains-hosts/brute_hosts
[*] Reloading modules...
[recon-ng][default] > modules
load    reload  search
[recon-ng][default] > modules reload
[*] Reloading modules...
[recon-ng][default] > modules search brute
[*] Searching installed modules for 'brute'...

  Recon
  -----
    recon/domains-hosts/brute_hosts

[recon-ng][default] > use recon/domains-hosts/brute_hosts
[!] Invalid command: use recon/domains-hosts/brute_hosts.
[recon-ng][default] > modules load recon/domains-hosts/brute_hosts
[recon-ng][default][brute_hosts] > options list

  Name      Current Value                       Required  Description
  --------  ----------------------------------  --------  -----------
  SOURCE    default                             yes       source of input (see 'show info' for details)
  WORDLIST  /root/.recon-ng/data/hostnames.txt  yes       path to hostname wordlist

[recon-ng][default][brute_hosts] > options
list   set    unset
[recon-ng][default][brute_hosts] > options set SOURCE ???.com
SOURCE => ???.com
[recon-ng][default][brute_hosts] > run

---------
BAIDU.COM
---------
[*] No Wildcard DNS entry found.
[*] 1.???.com => No record found.
………………
[*] b2c.???.com => No record found.

-------
SUMMARY
-------
[*] 85 total (80 new) hosts found.
```
```
[recon-ng][default][brute_hosts] > show
companies        domains          locations        profiles         vulnerabilities
contacts         hosts            netblocks        pushpins
credentials      leaks            ports            repositories
[recon-ng][default][brute_hosts] > show hosts

  +----------------------------------------------------------------------------------------------------+
  | rowid |      host       |   ip_address    | region | country | latitude | longitude |   module    |
  +----------------------------------------------------------------------------------------------------+
  | 1     | wwwyq.n.???.com |                 |        |         |          |           | brute_hosts |
  ………………
  | 80    | b2b.???.com     | xxx.xxx.212.101 |        |         |          |           | brute_hosts |
  +----------------------------------------------------------------------------------------------------+

[*] 80 rows returned
[recon-ng][default][brute_hosts] >
```
- To avoid unnecessary trouble, some information has been replaced with "???" and "xxx"!
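The `show hosts` table above is just a view over the workspace's SQLite file, which is the part of recon-ng a defender usually wants to post-process (which names of their own domain were enumerable, which never resolved, which share an address). The following script is an added example, not recon-ng's own code; it assumes the v5 path layout `~/.recon-ng/workspaces/<name>/data.db` and a `hosts` table with the columns shown above, and the sample rows it runs against are constructed.

```python
import sqlite3
from collections import Counter
from pathlib import Path

# Column set taken from the `show hosts` output above; the real table may carry
# more columns, so the queries below name only these. (Assumption.)
HOST_COLUMNS = ("host", "ip_address", "region", "country",
                "latitude", "longitude", "module")


def open_workspace(name="test"):
    """Open a recon-ng v5 workspace database read-only (path layout assumed)."""
    db = Path.home() / ".recon-ng" / "workspaces" / name / "data.db"
    return sqlite3.connect(f"file:{db}?mode=ro", uri=True)


def summarize_hosts(conn):
    """Count hosts per module, list unresolved names, and find IPs shared by several hosts."""
    rows = conn.execute("SELECT host, ip_address, module FROM hosts").fetchall()
    per_module = Counter(module for _, _, module in rows)
    per_ip = Counter(ip for _, ip, _ in rows if ip)
    return {
        "total": len(rows),
        "per_module": dict(per_module),
        "unresolved": sorted(host for host, ip, _ in rows if not ip),
        "shared_ips": {ip: n for ip, n in per_ip.items() if n > 1},
    }


def constructed_workspace():
    """Throwaway in-memory database shaped like the brute_hosts results above (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (%s)" % ", ".join(f"{c} TEXT" for c in HOST_COLUMNS))
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
        [("wwwyq.n.example.com", None, "brute_hosts"),          # found by wordlist, never resolved
         ("b2b.example.com", "203.0.113.101", "brute_hosts"),
         ("mail.example.com", "203.0.113.101", "brute_hosts"),  # same address as b2b
         ("ns1.example.com", "203.0.113.5", "nmap")],           # imported from an nmap scan
    )
    return conn


if __name__ == "__main__":
    # Swap constructed_workspace() for open_workspace("test") to read a real workspace.
    for key, value in summarize_hosts(constructed_workspace()).items():
        print(f"{key}: {value}")
```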
(2) Installing all modules
```
[recon-ng][default] > marketplace refresh
[*] Marketplace index refreshed.
[recon-ng][default] > marketplace install all
[*] Module installed: discovery/info_disclosure/cache_snoop
[*] Module installed: discovery/info_disclosure/interesting_files
[*] Module installed: exploitation/injection/command_injector
[*] Module installed: exploitation/injection/xpath_bruter
[*] Module installed: import/csv_file
[*] Module installed: import/list
[*] Module installed: import/masscan
[*] Module installed: import/nmap
…………
[*] Module installed: reporting/proxifier
[*] Module installed: reporting/pushpin
[*] Module installed: reporting/xlsx
[*] Module installed: reporting/xml
```
Note:
Entering marketplace refresh will probably produce an error; the fix is as follows (adapted from: https://www.hacksafe.net/tool/hacktool/4135.html)
(1) Configure the DNS server settings (i.e. stop using the local DNS resolver):
```
# /etc/resolv.conf
nameserver 114.114.114.114
nameserver 8.8.4.4
```
(2) Switch from a dynamic IP to a static IP
```
# /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
# static IP
iface eth0 inet static
# this machine's IP
address
netmask 255.255.255.0
# gateway address
gateway
```
4. Use help to view the help information
```
[recon-ng][test] > help

Commands (type [help|?] <topic>):
---------------------------------
back         Exits the current context
dashboard    Displays a summary of activity
db           Interfaces with the workspace's database
exit         Exits the framework
help         Displays this menu
index        Creates a module index (dev only)
keys         Manages third party resource credentials
marketplace  Interfaces with the module marketplace
modules      Interfaces with installed modules
options      Manages the current context options
pdb          Starts a Python Debugger session (dev only)
script       Records and executes command scripts
shell        Executes shell commands
show         Shows various framework items
snapshots    Manages workspace snapshots
spool        Spools output to a file
workspaces   Manages workspaces

[recon-ng][test] >
```
- When you do not know which parameters a command takes, type the command and then press Tab twice to list the available parameters/subcommands, as follows
```
[recon-ng][default] > marketplace
info     install  refresh  remove   search     # available subcommands
```
(1) The keys command
When you want to query Google, Bing, Shodan, Twitter and similar services from the terminal, add the corresponding API key with keys, for example:
```
[recon-ng][test] > keys
add     list    remove
[recon-ng][test] > keys list

  +--------------------------+
  |       Name       | Value |
  +--------------------------+
  | binaryedge_api   |       |
  | bing_api         |       |
  | builtwith_api    |       |
  | censysio_id      |       |
  | censysio_secret  |       |
  | flickr_api       |       |
  | fullcontact_api  |       |
  | github_api       |       |
  | google_api       |       |
  | hashes_api       |       |
  | hibp_api         |       |
  | hunter_io        |       |
  | ipinfodb_api     |       |
  | ipstack_api      |       |
  | namechk_api      |       |
  | pwnedlist_api    |       |
  | pwnedlist_secret |       |
  | spyse_api        |       |
  | twitter_api      |       |
  | twitter_secret   |       |
  | virustotal_api   |       |
  | whoxy_api        |       |
  +--------------------------+

[recon-ng][test] > keys add bing_api 111w1w1w1w1w1w12w1sjjkas
[*] Key 'bing_api' added.
[recon-ng][test] > keys list

  +---------------------------------------------+
  |       Name       |          Value           |
  +---------------------------------------------+
  | binaryedge_api   |                          |
  | bing_api         | 111w1w1w1w1w1w12w1sjjkas |
  | builtwith_api    |                          |
  | censysio_id      |                          |
  | censysio_secret  |                          |
  | flickr_api       |                          |
  | fullcontact_api  |                          |
  | github_api       |                          |
  | google_api       |                          |
  | hashes_api       |                          |
  | hibp_api         |                          |
  | hunter_io        |                          |
  | ipinfodb_api     |                          |
  | ipstack_api      |                          |
  | namechk_api      |                          |
  | pwnedlist_api    |                          |
  | pwnedlist_secret |                          |
  | spyse_api        |                          |
  | twitter_api      |                          |
  | twitter_secret   |                          |
  | virustotal_api   |                          |
  | whoxy_api        |                          |
  +---------------------------------------------+
```
- remove works the same way and deletes a given API key
(2) The shell command
```
[recon-ng][test] > shell ls
[*] Command: ls
recon  recon-cli  recon-ng  recon-web  VERSION
[recon-ng][test] > shell pwd
[*] Command: pwd
/usr/share/recon-ng
```
(3) The snapshots command
```
[recon-ng][test] > snapshots
delete  list    load    take
[recon-ng][test] > snapshots take
[*] Snapshot created: snapshot_20211117040109.db
[recon-ng][test] > snapshots load snapshot_20211117040109.db
[*] Snapshot loaded: snapshot_20211117040109.db
[recon-ng][test] > snapshots delete snapshot_20211117040109.db
[*] Snapshot removed: snapshot_20211117040109.db
[recon-ng][test] >
```
(4) The options command
```
[recon-ng][test] > options
list   set    unset
[recon-ng][test] > options list

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       default nameserver for the resolver mixin
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v5    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

[recon-ng][test] > options set PROXY 127.0.0.1:8889
PROXY => 127.0.0.1:8889
[recon-ng][test] > options unset NAMESERVER
NAMESERVER => None
[recon-ng][test] > options list

  Name        Current Value   Required  Description
  ----------  --------------  --------  -----------
  NAMESERVER                  yes       default nameserver for the resolver mixin
  PROXY       127.0.0.1:8889  no        proxy server (address:port)
  THREADS     10              yes       number of threads (where applicable)
  TIMEOUT     10              yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v5     yes       user-agent string
  VERBOSITY   1               yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

[recon-ng][test] >
```
The other commands work the same way!