Discover Contacts And Domains With Recon-ng

31 Jan

Automation is really important in penetration testing engagements because it helps the penetration tester save time and give more attention to other activities. For that reason many pen testers put effort into building tools that assist them with a variety of tasks. One such tool is Recon-ng, which performs web-based reconnaissance and can be used in social engineering engagements or for extracting information that already exists on the web. In this article we will examine how we can use the Recon-ng framework to discover different types of information.

We can type help in the framework to see a list of all the available commands.

recon-ng – commands

We can see that there is a command named modules. We will type that command to check which modules are available for use. The next image shows a sample of the available modules.

recon-ng – sample of the available modules

There is a module called contacts_jigsaw. Jigsaw is a website similar to LinkedIn that contains a large database of business contacts. So let’s say that we want to discover the contacts of a company that exists on Jigsaw. We load the module with the command load contacts_jigsaw and set the domain of our choice.

load jigsaw module

In the next image we can see a sample of the output:

recon-ng – Gathering Contacts

Now that we have some contacts, we can use the Google module to discover additional domains belonging to the same company.

discover hosts via google

In the image below we can see a sample of the results that recon-ng has produced.

Discovering subdomains with recon-ng

Recon-ng also gives us the ability to export the results in CSV format or as an HTML file.

Save the results in HTML file

You can see in the next two images the output of the report:

recon-ng – Report

recon-ng report contacts

Conclusion

Recon-ng is a great framework that can help in the information gathering stage of a penetration test. The tool is really simple to use and it keeps every result in its database for later use. The report it generates is well formatted, and if additional modules are added to the framework in the future, it will be included in every penetration tester’s toolkit.
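Because Recon-ng keeps contacts and hosts in a database and can export them, the stored results can be post-processed to build an inventory of which of an organisation’s domains actually have hosts and contacts attached to them. The script below is an added example, not code from the original post or from the Recon-ng project: it assumes a workspace with recon-ng-like tables named contacts (with an email column) and hosts (with a host column), recreates a minimal version of that schema in an in-memory SQLite database with constructed sample rows, groups everything by apex domain and writes the summary as CSV.

```python
import csv
import io
import sqlite3
from collections import defaultdict

# Constructed sample rows shaped like recon-ng's contacts and hosts tables
# (the column set is an assumption; real workspaces carry more columns).
SAMPLE_CONTACTS = [
    ("Alice", "Doe", "alice.doe@example.com", "CFO", "contacts_jigsaw"),
    ("Bob", "Roe", "bob.roe@example.com", "Sysadmin", "contacts_jigsaw"),
    ("Carol", "Poe", "carol@mail.example.org", "Sales", "contacts_jigsaw"),
]
SAMPLE_HOSTS = [
    ("www.example.com", "hosts_google"),
    ("vpn.example.com", "hosts_google"),
    ("mail.example.com", "hosts_google"),
    ("WWW.Example.com", "hosts_google"),  # duplicate differing only in case
]

def build_sample_db():
    """Create an in-memory SQLite database mimicking a recon-ng workspace."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contacts (first_name TEXT, last_name TEXT, "
                "email TEXT, title TEXT, module TEXT)")
    con.execute("CREATE TABLE hosts (host TEXT, module TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?,?,?,?,?)", SAMPLE_CONTACTS)
    con.executemany("INSERT INTO hosts VALUES (?,?)", SAMPLE_HOSTS)
    return con

def apex_domain(name, labels=2):
    """Reduce a host or e-mail domain to its last `labels` labels (naive, no public suffix list)."""
    return ".".join(name.lower().strip().rstrip(".").split(".")[-labels:])

def correlate(con):
    """Group discovered hosts and harvested contacts by apex domain; hosts are case-folded and de-duplicated."""
    summary = defaultdict(lambda: {"hosts": set(), "contacts": 0})
    for (host,) in con.execute("SELECT host FROM hosts"):
        summary[apex_domain(host)]["hosts"].add(host.lower())
    for (email,) in con.execute("SELECT email FROM contacts WHERE email LIKE '%@%'"):
        summary[apex_domain(email.split("@", 1)[1])]["contacts"] += 1
    return {d: {"hosts": sorted(v["hosts"]), "contacts": v["contacts"]} for d, v in summary.items()}

def to_csv(summary):
    """Flatten the summary to CSV text, one line per apex domain."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["apex_domain", "host_count", "contact_count", "hosts"])
    for d in sorted(summary):
        w.writerow([d, len(summary[d]["hosts"]), summary[d]["contacts"], " ".join(summary[d]["hosts"])])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(correlate(build_sample_db())))
```

A domain that has contacts but no discovered hosts (example.org in the sample) is worth a second look, since it may be a mail or acquired domain that the host-discovery modules have not covered yet.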


Posted by on January 31, 2013 in Information Gathering

 

Tags: , , ,

2 responses to “Discover Contacts And Domains With Recon-ng”

  1. Yaopointcom

    January 31, 2013 at 10:51 am

    Thank you so much for sharing this!!!
    After reading THIS BLOG I did a search and found these 2 commands will help to get started with Recon-ng (source: https://bitbucket.org/)

    Clone the Recon-ng repository to your local system with
    git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
    Change into the Recon-ng directory with cd recon-ng
    and launch recon-ng with ./recon-ng.py

    It worked for me on BackTrack r3
