recon-ng
- Recon-NG is a very powerful information-gathering and network reconnaissance tool; it is especially convenient for collecting subdomains and resolving their IP addresses.
- Recon-NG provides both passive and active scanning modules.
- It is written in Python.
- Its command syntax is consistent with msf (Metasploit).
Using recon-ng
-h, --help show this help message and exit
-w workspace load/create a workspace
-r filename load commands from a resource file
recon-ng -r a.txt // runs the framework commands listed in a.txt
--nocheck // skip the version check; no upgrade is attempted
--no-analytics // disable analytics reporting
Create a "baidu" workspace and list the existing workspaces: there is now a default workspace and a baidu workspace.
Type recon-ng directly in a Kali shell to enter the framework's command prompt.
back go back one level
dashboard show a summary of activity
db interface to the workspace database
exit exit recon-ng
help help information
index create a module index
keys manage third-party API keys
marketplace the module marketplace
modules installed modules
options manage the current context's options
pdb open the Python debugger
script record and execute command scripts
shell execute operating-system commands
show display various framework items
snapshots manage workspace snapshots
spool write output to a file
Modules
modules command overview
modules load load a module
modules reload reload modules
modules search search for a module
If you are unsure how to use something inside the framework, query it with help.
After loading a module the prompt changes to the module context; type back to leave the module and return to the root prompt.
The keys option
keys: API keys needed when a module calls a search-engine API, for example Shodan
keys add shodan_api <key> // add a Shodan API key
Searching for modules
If we want to use the Google modules but don't know their exact names, we can search for them:
modules search google
Complete workflow
- Refresh the module list
marketplace refresh
- Type
marketplace search <module name> (e.g. shodan)
// search for shodan-related modules
[recon-ng][default] > marketplace search shodan
[*] Searching module index for 'shodan'...
+------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+------------------------------------------------------------------------------------+
| recon/companies-multi/shodan_org | 1.1 | not installed | 2020-07-01 | * | * |
| recon/domains-hosts/shodan_hostname | 1.1 | not installed | 2020-07-01 | * | * |
| recon/hosts-ports/shodan_ip | 1.2 | not installed | 2020-07-01 | * | * |
| recon/locations-pushpins/shodan | 1.1 | not installed | 2020-07-01 | | * |
| recon/netblocks-hosts/shodan_net | 1.1 | not installed | 2020-07-01 | * | * |
+------------------------------------------------------------------------------------+
D = Has dependencies. See info for details.
K = Requires keys. See info for details.
// install one of the modules listed above
[recon-ng][default] > marketplace install recon/hosts-ports/shodan_ip
[*] Module installed: recon/hosts-ports/shodan_ip
[*] Reloading modules...
// load the module
[recon-ng][default] > modules load recon/hosts-ports/shodan_ip
// show the module details
[recon-ng][default][shodan_ip] > info
Name: Shodan IP Enumerator
Author: Tim Tomes (@lanmaster53) and Matt Puckett (@t3lc0) & Ryan Hays (@_ryanhays)
Version: 1.2
Keys: shodan_api
Description:
Harvests port information from the Shodan API by using the 'ip' search operator. Updates the 'ports'
table with the results.
Options:
Name Current Value Required Description
------ ------------- -------- -----------
LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
SOURCE default yes source of input (see 'info' for details)
Source Options:
default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
[recon-ng][default][shodan_ip] > options set SOURCE
Sets a current context option
Using the module
// change the parameter
[recon-ng][default][shodan_ip] > options set SOURCE 67.212.2.200
SOURCE => 67.212.2.200
// run
[recon-ng][default][shodan_ip] > run
// the output is as follows
------------
67.212.2.200
------------
[*] Banner: None
[*] Host: 200.2.212.67.static.dc74.com
[*] Ip_Address: 67.212.2.200
[*] Notes: None
[*] Port: 7443
[*] Protocol: tcp
[*] --------------------------------------------------
[*] Banner: None
[*] Host: 200.2.212.67.static.dc74.com
[*] Ip_Address: 67.212.2.200
[*] Notes: None
[*] Port: 5001
[*] Protocol: tcp
[*] --------------------------------------------------
[*] Banner: None
[*] Host: 200.2.212.67.static.dc74.com
[*] Ip_Address: 67.212.2.200
[*] Notes: None
[*] Port: 22
[*] Protocol: tcp
[*] --------------------------------------------------
-------
SUMMARY
-------
[*] 13 total (13 new) ports found.
Viewing options
[recon-ng][default] > options
Manages the current context options
Usage: options <list|set|unset> [...]
[recon-ng][default] > options list
Name Current Value Required Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes default nameserver for the resolver mixin
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Recon-ng/v5 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
Spoofing the user-agent
What is a user-agent
User Agent (UA for short) is part of the HTTP protocol, one of the header fields. It is a special string header that tells the website you visit which browser type and version, operating system and version, browser engine and so on you are using. Based on this identifier the website can serve a different layout for a better user experience, or gather statistics.
Security tools generally ship with their own user-agent, so they can be blocked on that basis.
Spoofing the user-agent
Append the user-agent you want to impersonate after options set USER-AGENT; the one used here is the Sogou browser's user-agent.
[recon-ng][default] > options set USER-AGENT Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 SE 2.X MetaSr 1.0
USER-AGENT => Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 SE 2.X MetaSr 1.0
[recon-ng][default] > options list
Name Current Value Required Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes default nameserver for the resolver mixin
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 SE 2.X MetaSr 1.0 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
Clearing the user-agent
[recon-ng][default] > options unset USER-AGENT
USER-AGENT => None
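As an added defender-side example (not part of the original notes), the check implied by "security tools have their own user-agent": parse web-server access logs for recon-ng's default `Recon-ng/v5` user-agent shown by `options list`, and also count hits per source IP, because the spoofed user-agent set above removes the string signature but not the request volume. The log format is Apache/nginx "combined"; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the user-agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default user-agent recon-ng sends (from `options list` above).
TOOL_UA_PREFIXES = ("Recon-ng/",)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_tool_user_agents(lines):
    """Return (ip, ua, request) for every hit whose UA starts with a known tool prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"].startswith(TOOL_UA_PREFIXES):
            hits.append((rec["ip"], rec["ua"], rec["req"]))
    return hits


def requests_per_ip(lines):
    """Hit count per source IP: a spoofed UA hides the tool name, not the scan volume."""
    return Counter(rec["ip"] for rec in map(parse_line, lines) if rec)


# Constructed sample lines (not real traffic): two with the default recon-ng UA,
# one with the spoofed Sogou UA from above, one ordinary browser.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2020:10:24:45 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Recon-ng/v5"',
    '203.0.113.7 - - [18/Jul/2020:10:24:46 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Recon-ng/v5"',
    '198.51.100.2 - - [18/Jul/2020:10:25:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 SE 2.X MetaSr 1.0"',
    '192.0.2.9 - - [18/Jul/2020:10:25:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"',
]

if __name__ == "__main__":
    for ip, ua, req in flag_tool_user_agents(SAMPLE_LOG):
        print(f"tool UA from {ip}: {ua!r} -> {req}")
    print(requests_per_ip(SAMPLE_LOG))
```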
Working with the database
Viewing the database schema
[recon-ng][default] > db schema
+---------------+
| domains |
+---------------+
| domain | TEXT |
| notes | TEXT |
| module | TEXT |
+---------------+
(the rest is long and omitted)
Creating snapshots
// take a snapshot
[recon-ng][default] > snapshots take
[*] Snapshot created: snapshot_20200718102445.db
// list snapshots
[recon-ng][default] > snapshots list
+----------------------------+
| Snapshots |
+----------------------------+
| snapshot_20200718102445.db |
+----------------------------+
// restore a snapshot
[recon-ng][default] > snapshots load snapshot_20200718102445.db
[*] Snapshot loaded: snapshot_20200718102445.db
// remove a snapshot
[recon-ng][default] > snapshots remove snapshot_20200718102445.db
[*] Snapshot removed: snapshot_20200718102445.db
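An added example, not part of the original notes, tying the `db schema` and snapshot sections together: assuming that a workspace lives at `~/.recon-ng/workspaces/<name>/data.db` and that `snapshot_<timestamp>.db` is a plain copy of that SQLite file, the ports recorded since a snapshot can be listed by attaching both files and taking the set difference. The `ports` column names are reconstructed from the shodan_ip output above and the sample databases are constructed in a temporary directory.

```python
import os
import sqlite3
import tempfile

# `ports` columns reconstructed from the shodan_ip output above (Banner, Host,
# Ip_Address, Notes, Port, Protocol) plus the `module` column seen in `db schema`.
# Assumptions: a workspace lives at ~/.recon-ng/workspaces/<name>/data.db and a
# snapshot (snapshot_<timestamp>.db) is a plain copy of that SQLite file.
PORTS_SCHEMA = """CREATE TABLE IF NOT EXISTS ports (
    ip_address TEXT, host TEXT, port TEXT, protocol TEXT,
    banner TEXT, notes TEXT, module TEXT)"""


def new_ports_since(snapshot_db, current_db):
    """Rows of the current `ports` table that are absent from the snapshot."""
    con = sqlite3.connect(current_db)
    try:
        con.execute("ATTACH DATABASE ? AS snap", (snapshot_db,))
        return con.execute(
            "SELECT ip_address, host, port, protocol FROM main.ports "
            "EXCEPT SELECT ip_address, host, port, protocol FROM snap.ports "
            "ORDER BY 1, 3").fetchall()
    finally:
        con.close()


def build_sample_db(path, ports):
    """Constructed sample workspace (not real data) holding only a `ports` table."""
    con = sqlite3.connect(path)
    con.execute(PORTS_SCHEMA)
    con.executemany("INSERT INTO ports VALUES (?,?,?,?,?,?,?)",
                    [(ip, host, str(p), "tcp", None, None, "shodan_ip")
                     for ip, host, p in ports])
    con.commit()
    con.close()


def demo():
    """Snapshot with two ports, current db with one more: returns the delta."""
    d = tempfile.mkdtemp()
    snap, cur = os.path.join(d, "snapshot_demo.db"), os.path.join(d, "data.db")
    host = "200.2.212.67.static.dc74.com"
    base = [("67.212.2.200", host, 22), ("67.212.2.200", host, 5001)]
    build_sample_db(snap, base)
    build_sample_db(cur, base + [("67.212.2.200", host, 7443)])
    return new_ports_since(snap, cur)


if __name__ == "__main__":
    for ip, host, port, proto in demo():
        print(f"new since snapshot: {ip} ({host}) {port}/{proto}")
```

Pointing `new_ports_since` at a real snapshot file and the workspace's `data.db` gives the same delta for a live workspace.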
resolve: domain-resolution modules
The resolve modules resolve IP addresses and hostnames.
Batch-resolve the IPs of the hosts in the hosts table whose names contain ina.com.cn.
report: reporting modules
Search for report-related modules
[recon-ng][default] > marketplace search report
[*] Searching module index for 'report'...
+---------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+---------------------------------------------------------------------------------+
| recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| reporting/csv | 1.0 | not installed | 2019-06-24 | | |
| reporting/html | 1.0 | not installed | 2019-06-24 | | |
| reporting/json | 1.0 | not installed | 2019-06-24 | | |
| reporting/list | 1.0 | not installed | 2019-06-24
After installing, load the module as above and run it.
Something went wrong and I couldn't download it, so I used someone else's screenshot, but the result is the same.
Contacts
For contacts, search for the contact-related modules and run them.