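Don't give up when things get hard
- Full-featured web reconnaissance framework
- Written in Python
- Command syntax is consistent with msf
- Modules: a wide variety
- Database: structured storage that is easy to query
- Reports: results can be turned directly into a report
1. Usage
# Enter the framework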
recon-ng
help
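2. Debug
Disabling the firewall (didn't help)
Setting a static route and DNS (didn't help)
apt-get install to update and reinstall (didn't help)
In newer versions of recon-ng, every module has to be installed by the user.
Final fix: after a lot of fiddling, it turns out a proxy to get around network restrictions is needed. Thanks, 小🐟 giegie.
The download only succeeds when the proxy tool on the physical (host) machine is working.
Without the proxy: timeout
3. Parameters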
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials (manages third-party API keys)
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
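The modules command
modules load: load a module
modules reload: exit a module
modules search: search for a module
Snapshots
db: the workspace's database interface
Settings
options list # show the current settings
options set # change a parameter (e.g. nameserver, proxy, threads)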
keys
[recon-ng][default] > keys add
Adds/Updates a third party resource credential
Usage: keys add <name> <value>
[recon-ng][default] > keys list
+--------------------------+
| Name | Value |
+--------------------------+
| binaryedge_api | |
| bing_api | |
| builtwith_api | |
| censysio_id | |
| censysio_secret | |
| flickr_api | |
| fullcontact_api | |
| github_api | |
| google_api | |
| hashes_api | |
| hibp_api | |
| hunter_io | |
| ipinfodb_api | |
| ipstack_api | |
| namechk_api | |
| pwnedlist_api | |
| pwnedlist_secret | |
| shodan_api | |
| spyse_api | |
| twitter_api | |
| twitter_secret | |
| virustotal_api | |
| whoxy_api | |
+--------------------------+
marketplace
marketplace install all
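Using modules
1. Search for a module
Persistence pays off: it turned out I was using the command incorrectly, and I finally resolved [!] Invalid command: search bing.
Cause: the command was used incorrectly. Follow the usage hints and try a few times.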
[*] Version check disabled.
[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
[84] Recon modules
[14] Disabled modules
[8] Reporting modules
[4] Import modules
[2] Exploitation modules
[2] Discovery modules
[recon-ng][sina] > workspaces list
+----------------------------------+
| Workspaces | Modified |
+----------------------------------+
| default | 2021-09-23 23:17:29 |
| sina | 2021-09-25 12:39:23 |
| sina.com | 2021-09-25 13:04:17 |
+----------------------------------+
[recon-ng][sina] > shell pwd
[*] Command: pwd
/usr/share/recon-ng
[proxychains] DLL init: proxychains-ng 4.14
[recon-ng][sina] > show options
Shows various framework items
Usage: show <companies|contacts|credentials|domains|hosts|leaks|locations|netblocks|ports|profiles|pushpins|repositories|vulnerabilities>
[recon-ng][sina] > options
Manages the current context options
Usage: options <list|set|unset> [...]
[recon-ng][sina] > options list
Name Current Value Required Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes default nameserver for the resolver mixin
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Recon-ng/v5 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
[!] Invalid command: search bing.
[recon-ng][sina.com] > show optins
Shows various framework items
Usage: show <companies|contacts|credentials|domains|hosts|leaks|locations|netblocks|ports|profiles|pushpins|repositories|vulnerabilities>
[recon-ng][sina.com] > show companies
[*] No data returned.
[recon-ng][sina.com] > modules
Interfaces with installed modules
Usage: modules <load|reload|search> [...]
[recon-ng][sina.com] > modules search bing
[*] Searching installed modules for 'bing'...
Recon
-----
recon/companies-contacts/bing_linkedin_cache
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/hosts-hosts/bing_ip
recon/profiles-contacts/bing_linkedin_contacts
2. Load a module:
Trial and error until it works
modules load xxxx
[recon-ng][sina.com] > use recon/domains-hosts/google_site_web
[!] Invalid command: use recon/domains-hosts/google_site_web.
[recon-ng][sina.com] > load recon/domains-hosts/google_site_web
[!] Invalid command: load recon/domains-hosts/google_site_web.
[recon-ng][sina.com] > modules load recon/domains-hosts/google_site_web
[recon-ng][sina.com][google_site_web] >
3. Show options and info
options list
[recon-ng][sina][google_site_web] > options list
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'info' for details)
[recon-ng][sina][google_site_web] > info
Name: Google Hostname Enumerator
Author: Tim Tomes (@lanmaster53)
Version: 1.0
Description:
Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with
the results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
4. Set the site name
options set
[recon-ng][sina][google_site_web] > optionsd
[!] Invalid command: optionsd.
[recon-ng][sina][google_site_web] > options
Manages the current context options
Usage: options <list|set|unset> [...]
[recon-ng][sina][google_site_web] > options set SOURCE sina.com
SOURCE => sina.com
[recon-ng][sina][google_site_web] > options list
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE sina.com yes source of input (see 'info' for details)
[recon-ng][sina][google_site_web] >
5. Brute force
[recon-ng][sina][google_site_web] >
[recon-ng][sina] > modules load recon/domains-hosts/brute_hosts
[recon-ng][sina][brute_hosts] >
[recon-ng][sina][brute_hosts] > options list
Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE default yes source of input (see 'info' for details)
WORDLIST /home/kali-2/.recon-ng/data/hostnames.txt yes path to hostname wordlist
-------
SUMMARY
-------
[*] 471 total (414 new) hosts found.
[recon-ng][sina][brute_hosts] > db query select * from hosts where host like '%sina.com.cn%'
+---------------------------------------------------------------------------------------------------+
| host | ip_address | region | country | latitude | longitude | notes | module |
+---------------------------------------------------------------------------------------------------+
| blog.sina.com.cn | | | | | | | brute_hosts |
| blogx.sina.com.cn | | | | | | | brute_hosts |
| theone.sina.com.cn | | | | | | | brute_hosts |
| w3.dpool.sina.com.cn | | | | | | | brute_hosts |
| gd.sina.com.cn | | | | | | | brute_hosts |
| www.sina.com.cn | | | | | | | brute_hosts |
| imap.sina.com.cn | | | | | | | brute_hosts |
| mail.sina.com.cn | | | | | | | brute_hosts |
| w5.dpool.sina.com.cn | | | | | | | brute_hosts |
| mall.sina.com.cn | | | | | | | brute_hosts |
| pop3.sina.com.cn | | | | | | | brute_hosts |
| smtp.sina.com.cn | | | | | | | brute_hosts |
| wap.sina.com.cn | | | | | | | brute_hosts |
+---------------------------------------------------------------------------------------------------+
[*] 13 rows returned
6. Resolve the queried hostnames to IPs
[*] 13 rows returned
[recon-ng][sina][brute_hosts] > search resolv
[!] Invalid command: search resolv.
[recon-ng][sina][brute_hosts] > modules search resolv
[*] Searching installed modules for 'resolv'...
Recon
-----
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/netblocks-hosts/reverse_resolve
[recon-ng][sina][brute_hosts] > modules load recon/hosts-hosts/resolve
[recon-ng][sina][resolve] > list
[!] Invalid command: list.
[recon-ng][sina][resolve] > lists
[!] Invalid command: lists.
[recon-ng][sina][resolve] > options
Manages the current context options
Usage: options <list|set|unset> [...]
[recon-ng][sina][resolve] > options set SOURCE query select host from hosts where host like '%sina.com.cn%'
SOURCE => query select host from hosts where host like '%sina.com.cn%'
[recon-ng][sina][resolve] > run
[*] blog.sina.com.cn => 49.7.37.126
[*] blogx.sina.com.cn => 49.7.37.126
[*] theone.sina.com.cn => 123.126.53.69
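The SOURCE query above uses like '%sina.com.cn%', which matches the string anywhere in the hostname, so names outside the intended domain can be handed to the resolve module. The following is an added example, not part of the original notes or of recon-ng: it rebuilds the hosts table (columns taken from the db query output above, rows constructed) in an in-memory SQLite database and compares that query with a suffix-anchored one. The one-column check models the "query returning one column of inputs" rule from the info output and is an assumption about how the input is consumed.

```python
import sqlite3

# Column names copied from the `db query` output above; every row is constructed.
COLUMNS = ("host", "ip_address", "region", "country",
           "latitude", "longitude", "notes", "module")
ROWS = [
    ("blog.sina.com.cn", "49.7.37.126", "brute_hosts"),
    ("mail.sina.com.cn", None, "brute_hosts"),
    ("sina.com.cn", None, "google_site_web"),
    ("sina.com.cn.cdn.example.net", None, "google_site_web"),  # third-party name
    ("notsina.com.cn", None, "google_site_web"),               # different domain
    ("news.sina.com", None, "google_site_web"),
]

# The query used on this page (ORDER BY added only to make the output stable).
PAGE_QUERY = "select host from hosts where host like '%sina.com.cn%' order by host"
# Anchored variant: the domain itself, or anything ending in ".sina.com.cn".
SCOPED_QUERY = ("select host from hosts where host = 'sina.com.cn' "
                "or host like '%.sina.com.cn' order by host")
# In-scope hosts that still have no IP, i.e. what is left for the resolve step.
UNRESOLVED_QUERY = ("select host from hosts where ip_address is null and "
                    "(host = 'sina.com.cn' or host like '%.sina.com.cn') "
                    "order by host")


def build_db():
    """Create the in-memory hosts table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table hosts (%s)" % ", ".join(c + " TEXT" for c in COLUMNS))
    conn.executemany(
        "insert into hosts (host, ip_address, module) values (?, ?, ?)", ROWS)
    return conn


def source_inputs(conn, sql):
    """Return the inputs a 'query <sql>' SOURCE would yield (one column only)."""
    cur = conn.execute(sql)
    if len(cur.description) != 1:
        raise ValueError("SOURCE query must return exactly one column")
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = build_db()
    for label, sql in (("page", PAGE_QUERY), ("scoped", SCOPED_QUERY),
                       ("unresolved", UNRESOLVED_QUERY)):
        print(label, source_inputs(db, sql))
```

The anchored WHERE clause can be pasted into options set SOURCE query ... in place of the original pattern.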
7. Generate a report
[*] 444 rows returned
[recon-ng][sina][resolve] > modules search reporting
[*] Searching installed modules for 'reporting'...
Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml
[recon-ng][sina][resolve] > modules load reporting/html
[recon-ng][sina][html] > options
Manages the current context options
Usage: options <list|set|unset> [...]
[recon-ng][sina][html] > options list
Name Current Value Required Description
-------- ------------- -------- -----------
CREATOR yes use creator name in the report footer
CUSTOMER yes use customer name in the report header
FILENAME /home/kali-2/.recon-ng/workspaces/sina/results.html yes path and filename for report output
SANITIZE True yes mask sensitive data in the report
[recon-ng][sina][html] > options
Manages the current context options
Usage: options <list|set|unset> [...]
[recon-ng][sina][html] > [recon-ng][sina][html] >
[!] Invalid command: [recon-ng][sina][html] >.
[recon-ng][sina][html] > options set CREATOR AAAA
CREATOR => AAAA
[recon-ng][sina][html] > options set CUSTOMER BBBB
CUSTOMER => BBBB
[recon-ng][sina][html] > run
[*] Report generated at '/home/kali-2/.recon-ng/workspaces/sina/results.html'.
[recon-ng][sina][html] >