Recon-ng is an open-source framework written in Python. Its interface resembles Metasploit, but it is not meant for exploiting vulnerabilities or producing Meterpreter sessions or shells: it is a web reconnaissance and information-gathering tool, with modules organized the way Metasploit organizes its auxiliary and exploit modules.
root@kali:~# recon-ng
[recon-ng ASCII-art banner: Black Hills Information Security - Consulting | Research | Development | Training - http://www.blackhillsinfosec.com]
[recon-ng v4.1.7, Tim Tomes (@LaNMaSteR53)]
[57] Recon modules
[5] Reporting modules
[2] Exploitation modules
[2] Discovery modules
[1] Import modules
The full module listing:
[recon-ng][default] > show modules
Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files
Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter
Import
------
import/csv_file
Recon
-----
recon/companies-contacts/facebook
recon/companies-contacts/jigsaw
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-contacts/linkedin_auth
recon/companies-contacts/linkedin_crawl
recon/contacts-contacts/mangle
recon/contacts-contacts/namechk
recon/contacts-contacts/rapportive
recon/contacts-creds/haveibeenpwned
recon/contacts-creds/pwnedlist
recon/contacts-creds/should_change_password
recon/contacts-social/dev_diver
recon/contacts-social/twitter
recon/creds-creds/adobe
recon/creds-creds/bozocrack
recon/creds-creds/hashes_org
recon/creds-creds/leakdb
recon/domains-contacts/builtwith
recon/domains-contacts/pgp_search
recon/domains-contacts/whois_pocs
recon/domains-creds/pwnedlist/account_creds
recon/domains-creds/pwnedlist/api_usage
recon/domains-creds/pwnedlist/domain_creds
recon/domains-creds/pwnedlist/domain_ispwned
recon/domains-creds/pwnedlist/leak_lookup
recon/domains-creds/pwnedlist/leaks_dump
recon/domains-domains/brute_suffix
recon/domains-hosts/baidu_site
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/domains-hosts/brute_hosts
recon/domains-hosts/google_site_api
recon/domains-hosts/google_site_web
recon/domains-hosts/netcraft
recon/domains-hosts/shodan_hostname
recon/domains-hosts/ssl_san
recon/domains-hosts/vpnhunter
recon/domains-hosts/yahoo_site
recon/domains-vulnerabilities/punkspider
recon/domains-vulnerabilities/xssed
recon/hosts-hosts/bing_ip
recon/hosts-hosts/ip_neighbor
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
Reporting
---------
reporting/csv
reporting/html
reporting/list
reporting/pushpin
reporting/xml
Module descriptions (these are the module names of an earlier recon-ng release; in v4 the same functions live under the recon/<source>-<target>/<name> paths listed above, for example hosts_bing is now recon/domains-hosts/bing_domain_web and auxiliary_mangle is recon/contacts-contacts/mangle):
auxiliary_elmah – checks for an exposed 'elmah.axd' log page (the ELMAH error-log handler; when reachable it discloses exception details and request data)
auxiliary_googli – reverse hash lookup against the Goog.li hash database
auxiliary_mangle – builds candidate email addresses and user names from the contact names already in the database
auxiliary_noisette – reverse hash lookup against the Noisette.ch hash database
auxiliary_pwnedlist – checks PwnedList.com for whether a mailbox appears in a leak
auxiliary_resolve – resolves the hostnames in the database to IP addresses (the reverse direction, IP to hostname, is reverse_resolve in the listing above)
auxiliary_server_status – checks for an exposed server-status page
contacts_jigsaw – harvests contacts from Jigsaw.com
contacts_linkedin_auth – harvests contacts through an authenticated LinkedIn.com connection network
hosts_baidu – Baidu hostname enumeration
hosts_bing – Bing hostname enumeration
hosts_brute_force – DNS hostname brute force
hosts_google – Google hostname enumeration
hosts_netcraft – Netcraft hostname enumeration
hosts_shodan – Shodan hostname enumeration
hosts_yahoo – Yahoo hostname enumeration
The PwnedList modules use PwnedList.com to retrieve details of leaked passwords and compromised user accounts:
pwnedlist_account_creds – retrieves credentials for an account from PwnedList
pwnedlist_api_usage – retrieves PwnedList API usage statistics
pwnedlist_domain_creds – retrieves leaked credentials for a domain from PwnedList
pwnedlist_domain_ispwned – retrieves leak statistics for a domain from PwnedList
pwnedlist_leak_lookup – retrieves details of a leak from PwnedList
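As an added illustration of what the mangle module does (example code written for this page, not recon-ng's own), the script below expands a pattern over the names in the contacts table and appends the target domain. The token names follow the PATTERN option of recon-ng's mangle module (<fn> first name, <ln> last name, <fi>/<li> initials, <mn>/<mi> middle name and initial); the contact records, the domain xxx.com and the extra pattern list are constructed, and the substitute/max_length parameters stand in for the module's SUBSTITUTE and MAX-LENGTH options rather than reproducing them exactly.

```python
"""Name mangling as the recon-ng mangle module does it (added example, not recon-ng code)."""
import re
import unicodedata

# Constructed contacts, the shape a LinkedIn/Jigsaw style module would store.
CONTACTS = [
    {"first": "Zhang", "middle": None, "last": "Wei"},
    {"first": "Li", "middle": "Xiao", "last": "Ming"},
    {"first": "Mary-Jane", "middle": None, "last": "O'Neil"},
    {"first": "Zhang", "middle": None, "last": "Wei"},   # duplicate record
]

# Tokens of recon-ng's PATTERN option: first/last/middle name and their initials.
TOKEN_RE = re.compile(r"<(fn|ln|fi|li|mn|mi)>")

# Patterns worth trying in addition to the default <fn>.<ln> (constructed list).
DEFAULT_PATTERNS = ("<fn>.<ln>", "<fi><ln>", "<fn><li>", "<fn>_<ln>", "<fi>.<mi>.<ln>")


def normalize(part, substitute=""):
    """Lower-case, strip accents, replace anything outside [a-z0-9] (cf. SUBSTITUTE)."""
    if not part:
        return ""
    part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", substitute, part.lower())


def mangle_one(contact, pattern, substitute=""):
    """Expand one pattern for one contact; None if the contact lacks a needed part."""
    fn, mn, ln = (normalize(contact.get(k), substitute) for k in ("first", "middle", "last"))
    tokens = {"fn": fn, "ln": ln, "fi": fn[:1], "li": ln[:1], "mn": mn, "mi": mn[:1]}
    # A pattern that needs a missing part (e.g. <mi> with no middle name) yields nothing.
    if any(not tokens[t] for t in TOKEN_RE.findall(pattern)):
        return None
    return TOKEN_RE.sub(lambda m: tokens[m.group(1)], pattern)


def mangle(contacts, domain, patterns=DEFAULT_PATTERNS, substitute="", max_length=64):
    """De-duplicated, sorted candidate addresses for every contact/pattern pair
    (max_length plays the role of the module's MAX-LENGTH option)."""
    seen = set()
    for contact in contacts:
        for pattern in patterns:
            local = mangle_one(contact, pattern, substitute)
            if local and len(local) <= max_length:
                seen.add(f"{local}@{domain}")
    return sorted(seen)


if __name__ == "__main__":
    for addr in mangle(CONTACTS, "xxx.com"):
        print(addr)
```

The generated addresses are only candidates; in recon-ng they are written back to the contacts table so that modules such as the haveibeenpwned or pwnedlist checks can test them. Duplicate contacts collapse to one address, and a pattern that asks for a part a contact does not have is skipped rather than producing a malformed address.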
Basic usage
1. Type help to list the framework commands:
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits current prompt level
del Deletes records from the database
exit Exits current prompt level
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces
2. Load a module, check its options, set SOURCE and run it. Here the Netcraft hostname-enumeration module is run against the target domain (partly redacted as xxx.com in this write-up). SOURCE is the module's input: 'default' takes every domain already in the workspace's domains table, a single value is used literally, a path is read one value per line, and 'query <sql>' runs a one-column query against the workspace database; 'show info' prints these forms for the loaded module.
[recon-ng][default] > use recon/domains-hosts/netcraft
[recon-ng][default][netcraft] > show options
Name Current Value Req Description
------ ------------- --- -----------
SOURCE default yes source of input (see 'show info' for details)
[recon-ng][default][netcraft] > set SOURCE xxx.com
SOURCE => 163.com
[recon-ng][default][netcraft] > run
Output:
xxx.COM
-------
URL: http://searchdns.netcraft.com/?restriction=site%2Bends%2Bwith&host=xxx.com
mail.xxx.com
v.xxx.com
music.xxx.com
temp.xxx.com
sports.xxx.com
entry.mail.xxx.com
ent.xxx.com
twebmail.mail.xxx.com
api.blog.xxx.com
blog.xxx.com
tech.xxx.com
www.xxx.com
money.xxx.com
ud.blog.xxx.com
caipiao.xxx.com
reg.xxx.com
cwebmail.mail.xxx.com
photo.xxx.com
news.xxx.com
comment.news.xxx.com
Next page available! Requesting again...
Sleeping to Avoid Lock-out...
URL: http://searchdns.netcraft.com/?restriction=site%2Bends%2Bwith&host=xxx.com&last=tech.xxx.com&from=21
digi.xxx.com
comment.money.xxx.com
war.xxx.com
email.xxx.com
lady.xxx.com
3. Show the discovered hosts. Results are stored in the workspace database, so other modules can build on them (for example recon/hosts-hosts/resolve fills in ip_address) and the reporting modules can export them:
[recon-ng][default] > show hosts
+---------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude |
+---------------------------------------------------------------------------------------------+
| 48 | 1.xxx.com | | | | | |
| 139 | 1.xxx.163.com | | | | | |
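To show what the three steps above do with the data, here is an added, offline miniature of the workspace database (example code written for this page, not recon-ng's own): the same hosts columns as in the show hosts output, the four forms the SOURCE option accepts, a stand-in for the netcraft module that walks constructed result pages and stores only hosts under the target domain without duplicates, and a show_hosts() that reads the table back. The page contents and domain names are constructed; the real module fetches from searchdns.netcraft.com and sleeps between pages ("Sleeping to Avoid Lock-out...").

```python
"""Miniature of the recon-ng v4 workspace flow (added example, not recon-ng code)."""
import os
import re
import sqlite3

# Columns as shown by `show hosts` above; rowid is SQLite's implicit key.
SCHEMA = """
CREATE TABLE IF NOT EXISTS domains (domain TEXT);
CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, region TEXT,
    country TEXT, latitude TEXT, longitude TEXT);
"""

# Constructed stand-in for two Netcraft result pages: one duplicate, one
# upper-case variant and one hostname outside the target domain.
NETCRAFT_PAGES = [
    ["mail.xxx.com", "v.xxx.com", "www.xxx.com", "blog.xxx.com"],
    ["api.blog.xxx.com", "MAIL.xxx.com", "www.xxx.com", "www.other-site.org"],
]

# Conservative hostname syntax check so scraped junk never lands in the table.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def open_workspace(path=":memory:"):
    """Create the tables a fresh workspace has; recon-ng keeps data.db on disk."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def resolve_source(db, value, table="domains", column="domain"):
    """The four SOURCE forms documented by `show info`:
    default      -> every distinct, non-null value of the module's source table
    query <sql>  -> a one-column query against the workspace database
    <path>       -> one value per line of that file
    <string>     -> a single literal value
    """
    if value == "default":
        rows = db.execute(
            f"SELECT DISTINCT {column} FROM {table} WHERE {column} IS NOT NULL "
            f"ORDER BY {column}").fetchall()
        return [r[0] for r in rows]
    if value.lower().startswith("query "):
        rows = db.execute(value[6:]).fetchall()
        if rows and len(rows[0]) != 1:
            raise ValueError("SOURCE query must return exactly one column")
        return [r[0] for r in rows]
    if os.path.isfile(value):
        with open(value) as fh:
            return [line.strip() for line in fh if line.strip()]
    return [value]


def add_host(db, host, ip_address=None):
    """Insert a host once; recon-ng's add_host() likewise skips rows already present."""
    host = host.strip().lower()
    if not HOSTNAME_RE.match(host):
        return False
    if db.execute("SELECT 1 FROM hosts WHERE host = ?", (host,)).fetchone():
        return False
    db.execute("INSERT INTO hosts (host, ip_address) VALUES (?, ?)",
               (host, ip_address))
    return True


def run_netcraft_like(db, source_value, pages=NETCRAFT_PAGES):
    """Stand-in for recon/domains-hosts/netcraft: for each domain from SOURCE,
    walk the result pages and keep only names under that domain. Returns the
    number of new hosts, which is what a module reports at the end of a run."""
    added = 0
    for domain in resolve_source(db, source_value):
        suffix = "." + domain.lower()
        for page in pages:
            # The real module requests the next page here and sleeps between
            # requests to avoid Netcraft's lock-out; no network in this example.
            for name in page:
                if name.lower().endswith(suffix) and add_host(db, name):
                    added += 1
    db.commit()
    return added


def show_hosts(db):
    """What `show hosts` prints: rowid plus the hosts columns, in insertion order."""
    return db.execute(
        "SELECT rowid, host, ip_address, region, country, latitude, longitude "
        "FROM hosts ORDER BY rowid").fetchall()


if __name__ == "__main__":
    ws = open_workspace()
    print("[*] %d new hosts" % run_netcraft_like(ws, "xxx.com"))
    print("[*] %d new hosts on re-run" % run_netcraft_like(ws, "xxx.com"))
    for row in show_hosts(ws):
        print(row)
```

Two points this makes visible that the interactive session hides: a second run of the same module adds nothing because rows are de-duplicated on the host column, and a hostname the search engine returns that is not under the SOURCE domain (the constructed www.other-site.org) is discarded rather than polluting the workspace. The ip_address column stays NULL until a resolver module fills it, which is exactly what the empty columns in the show hosts table above show.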