Description

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys.

Usage

Syntax

recon-ng [options]

Options

  --version     show program's version number and exit
  -h, --help    show this help message and exit
  -w workspace  load/create a workspace
  -r filename   load commands from a resource file

Example

cyborg@cyborg:~$ sudo recon-ng

    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    

             [recon-ng v1.41 Copyright (C) 2015, Tim Tomes (@LaNMaSteR53)]              

[65] Recon modules
[7]  Discovery modules
[4]  Reporting modules
[1]  Experimental modules

recon-ng > show modules

  Discovery
  ---------
    discovery/exploitable/http/dnn_fcklinkgallery
    discovery/exploitable/http/generic_restaurantmenu
    discovery/exploitable/http/webwiz_rte
    discovery/info_disclosure/dns/cache_snoop
    discovery/info_disclosure/http/backup_finder
    discovery/info_disclosure/http/google_ids
    discovery/info_disclosure/http/interesting_files

  Experimental
  ------------
    experimental/rce

  Recon
  -----
    recon/contacts/enum/http/web/dev_diver
    recon/contacts/enum/http/web/namechk
    recon/contacts/enum/http/web/pwnedlist
    recon/contacts/enum/http/web/should_change_password
    recon/contacts/gather/http/api/jigsaw/point_usage
    recon/contacts/gather/http/api/jigsaw/purchase_contact
    recon/contacts/gather/http/api/jigsaw/search_contacts
    recon/contacts/gather/http/api/linkedin_auth
    recon/contacts/gather/http/api/twitter
    recon/contacts/gather/http/api/whois_pocs
    recon/contacts/gather/http/web/jigsaw
    recon/contacts/gather/http/web/pgp_search
    recon/contacts/support/add_contact
    recon/contacts/support/mangle
    recon/creds/enum/http/api/leakdb
    recon/creds/enum/http/api/noisette
    recon/creds/gather/http/api/pwnedlist/account_creds
    recon/creds/gather/http/api/pwnedlist/api_usage
    recon/creds/gather/http/api/pwnedlist/domain_creds
    recon/creds/gather/http/api/pwnedlist/domain_ispwned
    recon/creds/gather/http/api/pwnedlist/leak_lookup
    recon/creds/gather/http/api/pwnedlist/leaks_dump
    recon/hosts/enum/dns/resolve
    recon/hosts/enum/http/api/builtwith
    recon/hosts/enum/http/api/punkspider
    recon/hosts/enum/http/api/wascompanyhacked
    recon/hosts/enum/http/api/whatweb
    recon/hosts/enum/http/api/whois_lookup
    recon/hosts/enum/http/web/age_analyzer
    recon/hosts/enum/http/web/asafaweb
    recon/hosts/enum/http/web/gender_analyzer
    recon/hosts/enum/http/web/ipvoid
    recon/hosts/enum/http/web/malwaredomain
    recon/hosts/enum/http/web/mywot
    recon/hosts/enum/http/web/netbios
    recon/hosts/enum/http/web/netcraft_history
    recon/hosts/enum/http/web/open_resolvers
    recon/hosts/enum/http/web/urlvoid
    recon/hosts/enum/http/web/web_archive
    recon/hosts/enum/http/web/xssed
    recon/hosts/gather/dns/brute_force
    recon/hosts/gather/http/api/bing_ip
    recon/hosts/gather/http/api/google_site
    recon/hosts/gather/http/api/shodan_hostname
    recon/hosts/gather/http/web/baidu_site
    recon/hosts/gather/http/web/bing_site
    recon/hosts/gather/http/web/census_2012
    recon/hosts/gather/http/web/google_site
    recon/hosts/gather/http/web/ip_neighbor
    recon/hosts/gather/http/web/mcafee/mcafee_affil
    recon/hosts/gather/http/web/mcafee/mcafee_dns
    recon/hosts/gather/http/web/mcafee/mcafee_mail
    recon/hosts/gather/http/web/netcraft
    recon/hosts/gather/http/web/yahoo_site
    recon/hosts/geo/http/api/hostip
    recon/hosts/geo/http/api/ipinfodb
    recon/hosts/geo/http/api/maxmind
    recon/hosts/geo/http/api/uniapple
    recon/hosts/geo/http/web/wigle
    recon/hosts/support/add_host
    recon/pushpin/flickr
    recon/pushpin/picasa
    recon/pushpin/shodan
    recon/pushpin/twitter
    recon/pushpin/youtube

  Reporting
  ---------
    reporting/csv_file
    reporting/html_report
    reporting/list
    reporting/pushpin

recon-ng > load recon/contacts/gather/http/web/jigsaw
recon-ng [jigsaw] > show options

  Name      Current Value  Req  Description
  --------  -------------  ---  -----------
  COMPANY                  yes  target company name
  KEYWORDS                 no   additional keywords to identify company

recon-ng [jigsaw] > set company "ztrela"
COMPANY => "ztrela"
recon-ng [jigsaw] > run
[*] Gathering Company IDs...
[*] Query: http://www.jigsaw.com/FreeTextSearchCompany.xhtml?opCode=search&freeText=%22ztrela%22