Recon-NG How-To II

Domains

We’re going to do some network reconnaissance on Medium. Our first task was creating a dedicated workspace for the information gathered. Remember it’s easy to collect data, but it’s crucial to keep it organized. Let’s add ‘medium.com’ to the list of domains:

> add domains medium.com
> show domains

We now have ‘medium.com’ in our database. Let’s find our hosts.

Hosts

We’ll start by using the Google Hostname Enumerator:

> use recon/domains-host/google_site_web
> run

Let’s display our findings by running ‘show hosts’.

Let’s dig deeper into our target domain and use the ‘findsubdomains’ module:

> back
> use recon/domains-host/findsubdomains
> show info
> run
> show hosts

Resolve Hosts to IP

Now that we have a list of hosts, let’s find their IP addresses:

> back
> use recon/hosts-hosts/resolve
> run
> show hosts

Our list is getting more complete. Let’s try to obtain their location.
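What a resolve pass does to a hosts table, as an added example (not Recon-NG's code and not from the original post): it fills in the first address, adds a row for each extra address, and reports names that no longer resolve. The two-column table, the `.test` hostnames, the documentation-range IPs and the function names are all constructed for illustration.

```python
import socket
import sqlite3

def system_resolver(host):
    """Return the sorted IPv4 addresses for host, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def resolve_hosts(db, resolver=system_resolver):
    """Fill ip_address for unresolved hosts; extra addresses become extra rows."""
    hosts = [r[0] for r in db.execute(
        "SELECT DISTINCT host FROM hosts WHERE ip_address IS NULL")]
    unresolved = []
    for host in hosts:
        addrs = resolver(host)
        if not addrs:
            unresolved.append(host)  # keep the row: a dead name is still a finding
            continue
        db.execute(
            "UPDATE hosts SET ip_address=? WHERE host=? AND ip_address IS NULL",
            (addrs[0], host))
        db.executemany(
            "INSERT INTO hosts (host, ip_address) VALUES (?, ?)",
            [(host, a) for a in addrs[1:]])
    db.commit()
    return unresolved

# Constructed sample data: simplified hosts table and a canned DNS view.
CONSTRUCTED_DNS = {
    "www.example.test": ["192.0.2.10"],
    "cdn.example.test": ["198.51.100.7", "198.51.100.8"],
}

def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT)")
    db.executemany("INSERT INTO hosts (host) VALUES (?)",
                   [("www.example.test",), ("cdn.example.test",), ("old.example.test",)])
    return db

if __name__ == "__main__":
    db = build_demo_db()
    missing = resolve_hosts(db, resolver=lambda h: CONSTRUCTED_DNS.get(h, []))
    for row in db.execute("SELECT host, ip_address FROM hosts ORDER BY host, ip_address"):
        print(row)
    print("unresolved:", missing)
```

Hosts that stay unresolved are worth reviewing on your own domains, since a name that still appears in search results but no longer resolves is often a leftover record.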

Searching modules

Recon-NG has several modules for different uses. We can see a full list with the command ‘show’:

> show modules

We can search through its modules using the command ‘search’:

> search location

We can use the ipinfodb.com API or the ipstack.com API to update our hosts table. Remember to obtain an API key and update Recon-NG with it.

IP Location

There is no single right way of obtaining a location from an IP address. We’ll go through several modules until we have obtained all the information possible.

> use recon/hosts-hosts/ipinfodb