Recon-NG How-To III

Let’s see what we’ve gathered so far. Type ‘show dashboard’ in the console.

We have information about hosts. Let’s dig deeper

Mail Exchange and Sender Polivy Framework Retriever

> use recon/domains-hosts/mx_spf_ip

And we should get some more IP to our hosts table

DNS Hostname Brute Forcer

This module uses a wordlist to brute force check the existence of hosts through DNS.

> use recon/domains-hosts/brute_hosts

HackerTarget API

The Hackertarget module uses their API to return information. I advise its use

> use recon/domains-hosts/hackertarget


We have domains, hosts, ip, locations. Lets get some contacts with the help of the following modules.


> use recon/domains-contacts/whois_poc


> use recon/domains-contacts/pgp_search


Again, we’ll need to obtain an API. Go to fullcontact and register.

> use recon /contacts-profiles/fullcontact

Further reconnaissance

Interesting Files

This module tests for the existence of predictable files on hosts.

> use discovery//interesting_files


Another module that need an API Key.

> use recon/domains-host/builtwith

XSSposed and XSSed

Two modules for checking XSS records associated with a domain.

> use recon/domains-vulnarabilites/xssposed
> use recon/domains-vulnarabilites/xssed


Everything we’ve done so far has been gathered into Recon-NG DB. It’s now time to take all that information and create a report. Reports are an essential part of pentesting. A good report includes as much info as possible.

> show modules reporting
> use reporting/html
> show info

But first we’ll set the ‘creator’ and ‘customer’ option.

> set CREATOR ‘your_name’
> set CUSTOMER Medium
> run