Recon-NG How-To III

Miguel Sampaio da Veiga
Published in Hacker Toolbelt · 2 min read · Mar 22, 2019

Let’s see what we’ve gathered so far. Type ‘show dashboard’ in the console.

We have information about medium.com hosts. Let’s dig deeper.

Mail Exchange and Sender Policy Framework Retriever

> use recon/domains-hosts/mx_spf_ip

This should add some more IP addresses to our hosts table.
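As an added illustration (not code from this article or from Recon-NG), the Python example below shows why an SPF record is a source of addresses: it parses a constructed TXT record set for a hypothetical domain and lists the IPs, netblocks and hostnames the policy publishes, which is also what a defender should review in their own record. The function name `parse_spf` and all sample values are assumptions.

```python
import ipaddress

# Constructed sample TXT records for a hypothetical domain (not real data).
SAMPLE_TXT = [
    "google-site-verification=constructed-token",
    "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 "
    "include:_spf.example.net a:mail.example.com mx ~all",
]


def parse_spf(txt_records):
    """Return the addresses, netblocks and hostnames an SPF policy discloses."""
    found = {"networks": [], "includes": [], "hosts": [], "all": None}
    spf = [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(spf) != 1:
        # RFC 7208: zero records means no policy, several is a permanent error.
        raise ValueError(f"expected exactly one SPF record, found {len(spf)}")
    for term in spf[0].split()[1:]:
        # A mechanism may carry a qualifier (+ - ~ ?); the default is "+".
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if net.version != int(name[2]):
                raise ValueError(f"{term}: address family mismatch")
            found["networks"].append(net)
        elif name == "include" and value:
            # Another domain whose SPF policy is pulled in by reference.
            found["includes"].append(value)
        elif name in ("a", "mx") and value:
            # Explicit hostname, with any trailing CIDR length dropped.
            found["hosts"].append(value.split("/")[0])
        elif name == "all":
            found["all"] = qualifier
    return found


if __name__ == "__main__":
    result = parse_spf(SAMPLE_TXT)
    for net in result["networks"]:
        print("network :", net)
    print("includes:", result["includes"])
    print("hosts   :", result["hosts"])
    print("all     :", result["all"])
```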

DNS Hostname Brute Forcer

This module uses a wordlist to brute force check the existence of hosts through DNS.

> use recon/domains-hosts/brute_hosts

HackerTarget API

The HackerTarget module uses the HackerTarget API to return information. I advise its use.

> use recon/domains-hosts/hackertarget

Contacts

We have domains, hosts, IPs and locations. Let’s get some contacts with the help of the following modules.

Whois_poc

> use recon/domains-contacts/whois_poc

Pgp_search

> use recon/domains-contacts/pgp_search

fullcontact

Again, we’ll need to obtain an API key. Go to fullcontact and register.

> use recon/contacts-profiles/fullcontact

Further reconnaissance

Interesting Files

This module tests for the existence of predictable files on hosts.

> use discovery//interesting_files

BuiltWith

Another module that needs an API key.

> use recon/domains-hosts/builtwith

XSSposed and XSSed

Two modules for checking XSS records associated with a domain.

> use recon/domains-vulnerabilities/xssposed

> use recon/domains-vulnerabilities/xssed

Reporting

Everything we’ve done so far has been gathered into the Recon-NG DB. It’s now time to take all that information and create a report. Reports are an essential part of pentesting. A good report includes as much info as possible.

> show modules reporting

> use reporting/html

> show info

But first we’ll set the ‘creator’ and ‘customer’ options.

> set CREATOR your_name

> set CUSTOMER Medium

> run

Other Reconnaissance Tools

You can view more articles about other reconnaissance tools here.
