root@kali:~# recon-ng
+---------------------------------------------------------------------------+
| Consulting | Research | Development | Training |
| http://www.blackhillsinfosec.com |
+---------------------------------------------------------------------------+
[recon-ng v4.1.4, Tim Tomes (@LaNMaSteR53)]
[56] Recon modules
[5] Reporting modules
[2] Exploitation modules
[2] Discovery modules
[1] Import modules
[recon-ng][default] >
The output above shows the basic information about the Recon-NG framework. For example, this Recon-NG installation contains 56 recon modules, 5 reporting modules, 2 exploitation modules, 2 discovery modules and 1 import module. The [recon-ng][default] > prompt indicates that the Recon-NG framework has been entered successfully, and commands can now be executed at that prompt.
Before using the Recon-NG framework for the first time, run the help command to list all available commands, as shown below:
[recon-ng][default] > help
Commands (type [help|?]
---------------------------------
add Adds records to the database
back Exits current prompt level
del Deletes records from the database
exit Exits current prompt level
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces
The output above lists the commands available in the Recon-NG framework. The framework is similar to Metasploit in that it is also built around modules. Use the show modules command to list all available modules:
[recon-ng][default] > show modules
Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files
Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter
Import
------
import/csv_file
Recon
-----
recon/companies-contacts/facebook
recon/companies-contacts/jigsaw
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-contacts/linkedin_auth
recon/contacts-contacts/mangle
recon/contacts-contacts/namechk
recon/contacts-contacts/rapportive
recon/contacts-creds/haveibeenpwned
……
recon/hosts-hosts/bing_ip
recon/hosts-hosts/ip_neighbor
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
Reporting
---------
reporting/csv
reporting/html
reporting/list
reporting/pushpin
reporting/xml
[recon-ng][default] >
The output shows five categories of modules; the number of modules in each category was displayed when Recon-NG started. Different modules can be used to gather different kinds of information.
[Example 3-1] Use the recon/domains-hosts/baidu_site module to enumerate the subdomains of the baidu website. The steps are as follows:
(1) Load the recon/domains-hosts/baidu_site module:
[recon-ng][default] > use recon/domains-hosts/baidu_site
(2) Show the options that can be configured for this module:
[recon-ng][default][baidu_site] > show options
Name Current Value Req Description
-------------- ---------------------- --------- --------------------------------------------------------
SOURCE default yes source of input (see 'show info' for details)
[recon-ng][default][baidu_site] >
The output shows that there is one option to configure.
(3) Set the SOURCE option:
[recon-ng][default][baidu_site] > set SOURCE baidu.com
SOURCE => baidu.com
The output shows that SOURCE has been set to baidu.com.
(4) Start the information gathering:
[recon-ng][default][baidu_site] > run
---------
BAIDU.COM
---------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Abaidu.com
[*] map.baidu.com
[*] 123.baidu.com
[*] jingyan.baidu.com
[*] top.baidu.com
[*] www.baidu.com
[*] hi.baidu.com
[*] video.baidu.com
[*] pan.baidu.com
[*] zhidao.baidu.com
[*] Sleeping to avoid lockout...
-------
SUMMARY
-------
[*] 9 total (2 new) items found.
The output shows that 9 subdomains were found. All enumerated data is stored in Recon-NG's database, and a report can be generated to view the collected data.
[Example 3-2] View the collected data. The steps are as follows:
(1) Select the reporting/csv module:
[recon-ng][default] > use reporting/csv
(2) Generate the report:
[recon-ng][default][csv] > run
[*] 9 records added to '/root/.recon-ng/workspaces/default/results.csv'.
The output shows that the 9 enumerated records have been added to the file /root/.recon-ng/workspaces/default/results.csv. Opening this file shows the content in Figure 3.1.
Figure 3.1 The results.csv file
(3) All the enumerated subdomains can be seen in this file.
The Dmitry command can also be used to query information about a website. Its usage is described below.
Display the help information for the dmitry command:
root@kali:~# dmitry -h
Deepmagic Information Gathering Tool
"There be some deep magic going on"
dmitry: invalid option -- 'h'
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
The output above shows the syntax of the dmitry command and all of its available options. Next, use the -s option of dmitry to search for possible subdomains:
root@kali:~# dmitry -s google.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:173.194.127.71
HostName:google.com
Gathered Subdomain information for google.com
---------------------------------
Searching Google.com:80...
HostName:www.google.com
HostIP:173.194.127.51
Searching Altavista.com:80...
Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results
All scans completed, exiting
The output shows that one subdomain was found: www.google.com, with the IP address 173.194.127.51. By default the command searches via google.com; if google.com cannot be reached, running the command above produces the error Unable to connect: Socket Connect Error.
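As an added example (not from the book, Recon-NG or Dmitry), the following Python merges the hostnames from a recon-ng results.csv export (Example 3-2) with those in dmitry -s output, keeps only hosts that really belong to the target domain, and lists the ones missing from an asset inventory. The CSV column layout is an assumption and all sample data is constructed.

```python
import csv
import io
import re

# Constructed sample of the hosts table written by recon-ng's reporting/csv module
# (column layout assumed: host, ip_address, region, country, latitude, longitude, module).
# The last row is an out-of-scope host that a naive suffix match would wrongly accept.
RECON_NG_CSV = """\
map.baidu.com,,,,,,baidu_site
123.baidu.com,,,,,,baidu_site
jingyan.baidu.com,,,,,,baidu_site
notbaidu.com,,,,,,baidu_site
"""

# Constructed sample in the shape of the dmitry -s output shown above (TEST-NET IPs).
DMITRY_OUTPUT = """\
HostIP:192.0.2.10
HostName:baidu.com
Gathered Subdomain information for baidu.com
Searching Google.com:80...
HostName:www.baidu.com
HostIP:192.0.2.11
HostName:pan.baidu.com
"""

def in_scope(host, domain):
    """Label-wise check: host is the domain itself or a subdomain of it (notbaidu.com is not)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def hosts_from_recon_csv(text, domain):
    """Hostnames from the first CSV column, restricted to the target domain."""
    return {row[0].lower() for row in csv.reader(io.StringIO(text))
            if row and in_scope(row[0], domain)}

def hosts_from_dmitry(text, domain):
    """Hostnames from dmitry's 'HostName:' lines, restricted to the target domain."""
    names = re.findall(r"^HostName:(\S+)$", text, flags=re.MULTILINE)
    return {n.lower() for n in names if in_scope(n, domain)}

def merge_hosts(domain, recon_csv=RECON_NG_CSV, dmitry_out=DMITRY_OUTPUT):
    """Union of both tools' in-scope findings, sorted so runs can be diffed."""
    return sorted(hosts_from_recon_csv(recon_csv, domain) | hosts_from_dmitry(dmitry_out, domain))

def unknown_hosts(found, inventory):
    """Found hosts absent from the asset inventory (the idea behind recon-ng's 'new' count)."""
    return sorted(set(found) - {h.lower() for h in inventory})

if __name__ == "__main__":
    hosts = merge_hosts("baidu.com")
    print(hosts, unknown_hosts(hosts, ["www.baidu.com", "map.baidu.com"]))
```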