OSINT Research With Recon-ng

Kaorrosi
6 min read · Dec 27, 2021


This piece goes over the basics of Recon-ng and how to use it to facilitate OSINT research! I’ll be covering two modules: google_site_web and the Profiler. This piece assumes you already have Recon-ng installed. (If you are using Kali Linux, then Recon-ng is installed by default.)

What is OSINT?

OSINT stands for Open Source Intelligence. OSINT gathering is the process of obtaining information about a target (be it an individual or an organization) via publicly available sources. The information is accessible to anyone and costs nothing to obtain, which is why it is called open source. Sources an attacker might find valuable include the following:

  • Websites, discussion groups/forums, newspapers, personal blogs
  • Social media such as Twitter, Instagram, LinkedIn, Facebook
  • Other places such as GitHub

The point of OSINT research is to identify valid systems and targets, software types and any other information that can be used as actionable intelligence. For example:

  • Usernames, profile names, email addresses
  • Software and operating system types and versions
  • Domain names, hostnames, external and internal IP addresses
  • Passwords, private keys, and PINs

To sum up, OSINT is a passive information gathering method that utilizes publicly available sources to obtain data. It does not require interaction or engagement with the target individual or organization, and is free of cost.

Recon-ng

Recon-ng is a module-based web reconnaissance framework created by lanmaster53. It is an automation tool that reduces the time spent harvesting information from open sources. It provides access to multiple info-gathering functions from a command-line interface and lets you create workspaces in which results from modules and functions are stored in a database. Recon-ng requires API keys to interact with certain online services and websites, but there is still a lot you can accomplish without them!

You can launch Recon-ng with the simple command:

  • recon-ng

After using the above command, you should see something similar to the following:

The messages in red simply alert you that you have not yet set up API keys; you can ignore them for now. If you scroll down, you will see you are left with the prompt [recon-ng][default]>

Let’s create a workspace using the following command.

  • workspaces create ExampleWorkspace

The above command creates a workspace named ExampleWorkspace. Notice that Recon-ng’s prompt has changed to [recon-ng][ExampleWorkspace]> to reflect the workspace you are currently using.

You can view all workspaces like so:

  • workspaces list

Now close your terminal and relaunch Recon-ng with the recon-ng command. We can return to the workspace we created with the command workspaces load ExampleWorkspace, or by launching Recon-ng with the workspace specified: recon-ng -w ExampleWorkspace.

The next thing to do is install the needed modules from the Marketplace.

  • marketplace search can be used to get a list of all available modules
  • marketplace install followed by the name of the module will install the specified module into Recon-ng
  • marketplace info followed by the name of a module will explain what the module does.
  • modules search will return a list of all installed modules
  • modules load followed by the module name will load a specific module that has been installed.
  • modules remove followed by the name of a specific module will have it removed
  • marketplace install all will install all available modules!

Let’s go ahead and install all modules with the marketplace install all command!

Now that we’ve installed all available modules, let’s see some in action. Load the google_site_web module using the modules load google_site_web command and then view the module’s details with the info command.

As you can see, the module google_site_web “Harvests hosts from Google.com by using the ‘site’ search operator. Updates the ‘hosts’ table with the results.” That is, it will query Google to discover hosts.

Let’s add a domain to the database so that when we run the module, it will gather information about our domain and add it to the hosts table.

  • db insert domains

Enter your domain of interest at the domain (TEXT): prompt, leave notes (TEXT): blank, and then run the module with the run command.

We can see from the summary that 50 new hosts were found! We can view them by using the following command:

  • show hosts

We can unload the google_site_web module while remaining within our workspace by using the command back.

Another neat module Recon-ng offers is the profiler. It is a profile collector: it searches the web for user profiles belonging to target individuals, scrapes information from them, and stores it in Recon-ng’s profiles table!

Let’s load it with the following command:

  • modules load profiler

Let’s insert the username/handle or email address we’d like the Profiler to gather information on into the profiles table.

  • db insert profiles

After entering your desired username (I’ve used my own, Kaorrosi) and leaving the other prompts blank, run the module with the run command.

As you can see, the profiler has found 9 new profiles! I can view them with the following command:

  • show profiles

The profiler has found multiple websites with accounts associated with the username Kaorrosi (some of which are not even mine)!

You can discover a lot about a person from the websites they use! The Profiler module can return results from sites that host adult content such as pornography, or even recreational drug sites!
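Both the hosts found by google_site_web and the profiles found by the profiler end up in the workspace’s database, and the raw “N new hosts / N new profiles” counts in the run summary are not the number you want to act on: several modules can report the same host, and the profiler matches on username alone, so (as the post notes) some hits will not belong to the person at all. The script below is an added example, not code from this post or from the Recon-ng project. It deduplicates the hosts table, counts what each module contributed, and marks every profile as “needs verification” until a human has confirmed ownership. It assumes that a workspace stores its results in a SQLite file at ~/.recon-ng/workspaces/<workspace>/data.db and that the hosts and profiles tables have the column layouts named in HOSTS_COLUMNS and PROFILES_COLUMNS; both are assumptions, and the sample rows it builds are constructed so that it runs offline.

```python
"""Review the hosts and profiles a Recon-ng workspace has collected.

Added example, not code from the original post or from Recon-ng itself.
Assumptions (also stated in the lead-in):
  * a workspace keeps its results in a SQLite file, by default
    ~/.recon-ng/workspaces/<workspace>/data.db;
  * the 'hosts' and 'profiles' tables have the columns listed below.
"""
import sqlite3
from collections import Counter
from pathlib import Path

# Assumed column layouts of the two tables the post's modules populate.
HOSTS_COLUMNS = ("host", "ip_address", "region", "country",
                 "latitude", "longitude", "notes", "module")
PROFILES_COLUMNS = ("username", "resource", "url", "category", "notes", "module")


def open_workspace(name: str) -> sqlite3.Connection:
    """Open the SQLite store of an existing workspace (assumed default path)."""
    db_path = Path.home() / ".recon-ng" / "workspaces" / name / "data.db"
    if not db_path.exists():
        raise FileNotFoundError(f"no workspace database at {db_path}")
    return sqlite3.connect(db_path)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for data.db so the script runs offline.

    Every row value here is made up; only the layout mirrors the assumed schema.
    """
    conn = sqlite3.connect(":memory:")
    for table, cols in (("hosts", HOSTS_COLUMNS), ("profiles", PROFILES_COLUMNS)):
        conn.execute(f"CREATE TABLE {table} ({', '.join(c + ' TEXT' for c in cols)})")
    hosts = [
        ("www.example.com", None, "google_site_web"),
        ("mail.example.com", None, "google_site_web"),
        ("dev.example.com", "203.0.113.10", "google_site_web"),
        ("www.example.com", None, "bing_domain_web"),  # same host, second module
    ]
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", hosts)
    profiles = [
        ("example_user", "GitHub", "https://github.com/example_user", "coding", "profiler"),
        ("example_user", "Twitter", "https://twitter.com/example_user", "social", "profiler"),
        ("example_user", "SomeForum", "https://forum.example/u/example_user", "social", "profiler"),
    ]
    conn.executemany(
        "INSERT INTO profiles (username, resource, url, category, module) "
        "VALUES (?, ?, ?, ?, ?)", profiles)
    conn.commit()
    return conn


def host_summary(conn: sqlite3.Connection) -> dict:
    """Deduplicate hosts and count how many rows each module contributed.

    Duplicates are normal when several modules report the same host, so the
    unique list, not the raw row count, is the real exposure figure.
    """
    rows = conn.execute("SELECT host, ip_address, module FROM hosts").fetchall()
    unique = sorted({r[0].lower() for r in rows if r[0]})
    without_ip = sorted({r[0].lower() for r in rows if r[0] and not r[1]})
    return {"rows": len(rows), "unique_hosts": unique,
            "by_module": dict(Counter(r[2] for r in rows)), "without_ip": without_ip}


def profile_review(conn: sqlite3.Connection, confirmed_resources: set) -> list:
    """Flag which discovered profiles still need a human to confirm ownership.

    The profiler matches on username alone, so hits on sites the person never
    used are expected; nothing is treated as attribution until confirmed.
    """
    rows = conn.execute(
        "SELECT username, resource, url, category FROM profiles ORDER BY resource").fetchall()
    confirmed = {r.lower() for r in confirmed_resources}
    return [
        {"username": u, "resource": res, "url": url, "category": cat,
         "status": "confirmed" if res.lower() in confirmed else "needs verification"}
        for (u, res, url, cat) in rows
    ]


if __name__ == "__main__":
    db = build_sample_db()  # swap for open_workspace("ExampleWorkspace") on a real run
    summary = host_summary(db)
    print(f"{summary['rows']} rows, {len(summary['unique_hosts'])} unique hosts")
    for host in summary["unique_hosts"]:
        print("  ", host)
    print("rows per module:", summary["by_module"])
    print("hosts with no IP yet:", summary["without_ip"])
    for p in profile_review(db, {"GitHub", "Twitter"}):
        print(f"  {p['resource']:<12} {p['status']:<18} {p['url']}")
```

Run against a real workspace, the unique host list is the thing to hand to whoever owns the domain (hosts you did not know were public are the finding), and the “needs verification” rows are the ones to check by hand before anything is attributed to a person.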

A couple more commands that might come in handy:

You can delete a specific entry from a table with the following:

  • db delete domains 1 (deletes row 1 from the domains table)
  • db delete profiles 1-9 (deletes all entries within that range)

Hopefully, by demonstrating two Recon-ng modules, you can see how helpful this automation tool can be to a hacker trying to gain knowledge about their target. Recon-ng has many more amazing modules to offer, so be sure to check them out!

I hope you were able to learn something new! Thank you so much for reading!

Happy Hacking!

Socials: Twitter | Twitch | Instagram
