One. Tool introduction

* Recon-NG is a powerful tool for information gathering and network reconnaissance
* Recon-NG provides not only passive scanning but also active scanning

Two. Starting Recon-NG

Method 1: Open via the GUI

Method 2: Open from the command line

* recon-ng

* After it opens, the startup interface is as follows

Three. Common Recon-NG commands

* add: Add a record to the database
* back: Exit the current module and go back up one level
* delete: Delete a record from the database
* exit: Exit the recon-ng framework
* help: Display help information
* keys: Manage API keys. recon-ng supports the API interfaces of many websites; each site requires its corresponding key before its API can be used. The key is issued to us by the website
* load: Load the specified module
* pdb: Start the Python debugger
* query: Query the database
* record: Save commands as a resource file
* reload: Reload all modules
* resource: Execute a resource file
* search: Search for available modules
* set: Set the value of a parameter
* shell: Execute an operating system command
* show: Show various framework items
* snapshots: Manage workspace snapshots (create a snapshot)
* spool: Output the results to a file
* unset: Unset a parameter value
* use: Load the specified module
* workspaces: Manage workspaces

Four. Viewing all Recon-NG modules (the show modules command)

The role of modules

* Recon-NG has many modules, and it does its work through these modules
* To use a module, just type use followed by the module name on the command line

Classification of modules

There are many modules; the system divides them into 5 major categories

* ①Discovery
* ②Exploitation
* ③Import
* ④Recon: Used to investigate targets
* ⑤Reporting: Used to generate a report from the results of this Recon-NG session (many report file formats are available)

Module naming format

* Module names use a "layered" naming scheme

For example, taking the recon/domains-hosts/bing_domain_web module, the name is divided into 3 parts

* recon: This is the type of the module
* domains-hosts: Gives what the module works on. For this module it is domains-hosts: it takes domains as input and produces hosts
* bing_domain_web: Gives the technique used. For example, the bing_domain_web module uses Microsoft Bing to look up a domain's subdomains

Five. Using modules

Entering a module

* Type use followed by the module name

View the parameters that a module can use

* show options

Six. API keys operations in Recon-NG

* API keys concept:

Recon-NG is not a stand-alone tool. Many of its functions rely on Internet services such as Google and Bing, and using these services requires adding their API keys

keys command parameters:

* list: List all API keys currently added to Recon-NG
* add: Add an API key
* delete: Delete an API key

View the API keys currently in Recon-NG:

Seven. Demonstration case: domain name resolution module

* Module used: recon/domains-hosts/brute_hosts
* Function: This module can list all subdomains of a domain name
* Principle: Brute force. It uses a dictionary file to generate candidate domain names and then makes a request for each of them; if a response is received, the domain name is confirmed to exist

Module parameters:

* SOURCE: Followed by a domain name; sets the scan target
* WORDLIST: Dictionary file used for the exhaustive search; this parameter already has a default value

Use case:

* Step 1: Set the domain name for this scan

* Step 2: Execute the run command to scan the target domain name just set. If "No record found" is shown, it indicates an invalid domain name

* Step 3: After scanning, view the results (a total of 891 results, of which 787 are valid)

* Step 4: Use show hosts to view the hosts found
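
The brute_hosts principle above means one client requests many dictionary-generated names under a single domain in a short time, and most of them do not exist. The following added example (not part of the original page or of Recon-NG) flags that pattern in DNS query logs; the log line format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(line):
    """Parse one 'time client qname rcode' line (assumed, simplified log format)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def detect_bruteforce(lines, zone, window=timedelta(seconds=60),
                      min_names=8, min_nx_ratio=0.5):
    """Return {client: (distinct_names, nxdomain_count)} for clients that query
    many distinct names under `zone` within one window, mostly getting NXDOMAIN."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = parse(line)
        if qname.endswith("." + zone):
            per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            names = {q for _, q, _ in span}
            nx = sum(1 for _, _, r in span if r == "NXDOMAIN")
            if len(names) >= min_names and nx / len(span) >= min_nx_ratio:
                flagged[client] = (len(names), nx)
                break
    return flagged

def sample_log():
    """Constructed data: one client walking a wordlist, one ordinary client."""
    words = ["www", "mail", "ftp", "admin", "test", "dev", "vpn", "portal", "api", "stage"]
    exists = {"www", "mail", "vpn"}  # names that resolve in this constructed zone
    lines = [f"2024-01-01T10:00:{i:02d} 198.51.100.7 {w}.example.com "
             f"{'NOERROR' if w in exists else 'NXDOMAIN'}" for i, w in enumerate(words)]
    lines += ["2024-01-01T10:00:05 192.0.2.10 www.example.com NOERROR",
              "2024-01-01T10:03:00 192.0.2.10 mail.example.com NOERROR"]
    return lines

if __name__ == "__main__":
    print(detect_bruteforce(sample_log(), "example.com"))
```

The thresholds need tuning against a resolver's normal traffic, since wildcard DNS records make every generated name resolve and hide the NXDOMAIN signal.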

Eight. Demonstration case: report generation module

* Function: The Reporting category contains modules that export the information recorded in Recon-NG
* Modules for different file formats are provided; choose the module for the file format you want the report generated in

Demonstration case

* Step 1: Exit the current module and use the reporting/xml module to generate a report file in .xml format

* Step 2: Execute the run command; the results of this experiment are written to a report (you can see that all 787 valid results from the scan just performed have been recorded)

* Step 3: Exit Recon-NG and use the cat command to view the contents of the report file

Nine. Demonstration case: information leak detection module

* Module used: recon/contacts-credentials/hibp_paste
* Function: This module can quickly help you check whether a piece of information has been leaked
* Principle:

The module uses the service provided by "haveibeenpwned", a website that aggregates account information leaked in a number of security breaches. For example, you can enter an email address on the website, and it will determine whether that address appears in its database of leaked account information

Module parameters:

Demonstration case:

* Step 1: Use the recon/contacts-credentials/hibp_paste module

* Step 2: Set the information to query (an email address is entered here)

* Step 3: Execute the run command to check whether the email address is in the database of leaked account information (here it shows Not Found, meaning the information for this email address has not been leaked)
