Recon-NG How-To III
Let’s see what we’ve gathered so far. Type ‘show dashboard’ in the console.
We have information about medium.com hosts. Let’s dig deeper.
Mail Exchange and Sender Policy Framework Retriever
> use recon/domains-hosts/mx_spf_ip
This should add some more IP addresses to our hosts table.
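What an SPF record gives away, as an added example that is not part of the original article or of Recon-NG's code: a small Python parser that pulls the address ranges and referenced hostnames out of an SPF TXT record and flags weak policy settings. The record, domain names and addresses are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed SPF TXT record (documentation address ranges, made-up names).
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 ip6:2001:db8::/32 "
              "include:_spf.mailer.example a:mail.example.com mx ~all")

def parse_spf(txt):
    """Split an SPF record into networks, referenced names and the 'all' policy."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"networks": [], "names": [], "all": None}
    for term in terms[1:]:
        # A leading qualifier (+ - ~ ?) modifies the mechanism; default is '+'.
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        key, _, value = body.partition(":")
        key = key.lower()
        if key in ("ip4", "ip6") and value:
            # strict=False tolerates host bits being set, e.g. 192.0.2.5/28
            result["networks"].append(ipaddress.ip_network(value, strict=False))
        elif key in ("include", "a", "mx", "exists") and value:
            # Named targets; a bare 'a' or 'mx' refers to the domain itself.
            result["names"].append((key, value.split("/")[0]))
        elif key.startswith("redirect="):
            result["names"].append(("redirect", key.split("=", 1)[1]))
        elif key == "all":
            result["all"] = qualifier
    return result

def review(parsed):
    """Return notes on settings a domain owner would want to tighten."""
    notes = []
    if parsed["all"] in (None, "+", "?"):
        notes.append("no enforcing 'all' policy")
    for net in parsed["networks"]:
        if net.version == 4 and net.prefixlen < 24:
            notes.append(f"broad range authorised: {net}")
    return notes

if __name__ == "__main__":
    parsed = parse_spf(SAMPLE_SPF)
    for net in parsed["networks"]:
        print("network:", net)
    for kind, name in parsed["names"]:
        print(f"{kind}: {name}")
    print("all qualifier:", parsed["all"], "| review:", review(parsed))
```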
DNS Hostname Brute Forcer
This module uses a wordlist to brute-force hostnames, checking through DNS whether each one exists.
> use recon/domains-hosts/brute_hosts
HackerTarget API
The HackerTarget module uses their API to return information. I advise its use.
> use recon/domains-hosts/hackertarget
Contacts
We have domains, hosts, IPs and locations. Let’s get some contacts with the help of the following modules.
Whois_pocs
> use recon/domains-contacts/whois_pocs
Pgp_search
> use recon/domains-contacts/pgp_search
fullcontact
Again, we’ll need to obtain an API key. Go to FullContact and register.
> use recon/contacts-profiles/fullcontact
Further reconnaissance
Interesting Files
This module tests for the existence of predictable files on hosts.
> use discovery/info_disclosure/interesting_files
BuiltWith
Another module that needs an API key.
> use recon/domains-hosts/builtwith
XSSposed and XSSed
Two modules for checking XSS records associated with a domain.
> use recon/domains-vulnerabilities/xssposed
> use recon/domains-vulnerabilities/xssed
Reporting
Everything we’ve done so far has been gathered into Recon-NG DB. It’s now time to take all that information and create a report. Reports are an essential part of pentesting. A good report includes as much info as possible.
> show modules reporting
> use reporting/html
> show info
But first we’ll set the ‘creator’ and ‘customer’ options.
> set CREATOR your_name
> set CUSTOMER Medium
> run