Passive information gathering with Recon-ng
A full-featured web reconnaissance framework, written in Python.
Note: while reading this article, also read the comments in the command listings.
1 Entering the recon-ng environment
1.1 Welcome screen
_/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com
____ ____ ____ ____ _____ _ ____ ____ ____
|____] | ___/ |____| | | | |____ |____ |
| | \_ | | |____ | | ____| |____ |____
www.practisec.com
[recon-ng v5.1.1, Tim Tomes (@lanmaster53)]
[84] Recon modules
[14] Disabled modules
[8] Reporting modules
[4] Import modules
[2] Exploitation modules
[2] Discovery modules
[recon-ng][default] > # the command prompt; from here on you are in interactive mode
1.2 Help
1.2.1 Commands available in interactive mode
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
1.2.2 recon-ng command-line options
$ recon-ng -h
usage: recon-ng [-h] [-w workspace] [-r filename] [--no-version] [--no-analytics]
[--no-marketplace] [--stealth] [--accessible] [--version]
recon-ng - Tim Tomes (@lanmaster53)
optional arguments:
-h, --help show this help message and exit
-w workspace load/create a workspace
-r filename load commands from a resource file
--no-version disable version check. Already disabled by default in Debian
--no-analytics disable analytics reporting. Already disabled by default in Debian
--no-marketplace disable remote module management
--stealth disable all passive requests (--no-*)
--accessible Use accessible outputs when available
--version displays the current version
2 Workspaces
If you do not create a workspace, you work in recon-ng's default workspace, default. For easier management, it is best to create a separate workspace for each independent task; data in one workspace does not affect another.
2.1 Listing existing workspaces
[recon-ng][default] > workspaces list # list the workspaces
+----------------------------------+
| Workspaces | Modified |
+----------------------------------+
| default | 2021-09-25 11:24:00 |
| test1 | 2021-09-27 09:06:49 |
| test2 | 2021-09-27 09:50:58 |
+----------------------------------+
2.2 Creating a new workspace
[recon-ng][default] > workspaces create demo # create a workspace
[recon-ng][demo] > # after creation you are switched into the new workspace automatically
2.3 Entering a workspace
There are two ways to enter a workspace in recon-ng.
From the interactive prompt:
[recon-ng][demo] > workspaces load default # load a workspace
[recon-ng][default] >
From the command line:
$ recon-ng -w demo
...... # startup banner and module counts identical to 1.1, omitted
[recon-ng][demo] >
2.4 Workspace options
2.4.1 Showing workspace options
[recon-ng][demo] > options list
Name Current Value Required Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes default nameserver for the resolver mixin
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Recon-ng/v5 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
2.4.2 Setting workspace options
These workspace options can also be left unset without affecting the results; but if you do not set them, the other side can easily tell that you are scanning them with recon-ng. So it is better to set them, which makes the scan less conspicuous.
[recon-ng][demo] > options set USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 # set an option value
USER-AGENT => Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[recon-ng][demo] > options list
Name Current Value Required Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes default nameserver for the resolver mixin
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)
3 DNS queries
3.1 Querying hosts
3.1.1 Query procedure
[recon-ng][demo] > modules search brute # you can also search for bing, baidu, shodan and other search-engine modules
[*] Searching installed modules for 'brute'...
Exploitation
------------
exploitation/injection/xpath_bruter
Recon
-----
recon/domains-domains/brute_suffix
recon/domains-hosts/brute_hosts
[recon-ng][demo] > modules load recon/domains-hosts/brute_hosts # load the module
[recon-ng][demo][brute_hosts] > options list # list the options
Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE default yes source of input (see 'info' for details)
WORDLIST /home/parallels/.recon-ng/data/hostnames.txt yes path to hostname wordlist
[recon-ng][demo][brute_hosts] > options set SOURCE nju.edu.cn # set the source
SOURCE => nju.edu.cn
[recon-ng][demo][brute_hosts] > run # run the module
----------
NJU.EDU.CN
----------
...... # detailed results omitted
-------
SUMMARY
-------
[*] 92 total (92 new) hosts found.
3.1.2 Displaying the results
The results are saved in the hosts table of the workspace database; they can be viewed or exported with the show command, or with db query followed by an SQL statement.
Using show:
[recon-ng][demo][brute_hosts] > show hosts
+-----------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | notes | module |
+-----------------------------------------------------------------------------------------------------------------+
| 1 | access.nju.edu.cn | 210.28.130.5 | | | | | | brute_hosts |
...... # detailed results omitted
| 92 | www.nju.edu.cn | 202.119.32.7 | | | | | | brute_hosts |
+-----------------------------------------------------------------------------------------------------------------+
[*] 92 rows returned
Using db query with an SQL statement:
[recon-ng][demo][brute_hosts] > db query select host, ip_address from hosts
+-----------------------------------------+
| host | ip_address |
+-----------------------------------------+
| access.nju.edu.cn | 210.28.130.5 |
...... # detailed results omitted
| www.nju.edu.cn | 202.119.32.7 |
+-----------------------------------------+
[*] 92 rows returned
3.1.3 If you are unfamiliar with a module
Use the info command to print the details of the current module, including what it does and the meaning of each option.
[recon-ng][demo][brute_hosts] > info
Name: DNS Hostname Brute Forcer
Author: Tim Tomes (@lanmaster53)
Version: 1.0
Description:
Brute forces host names using DNS. Updates the 'hosts' table with the results.
Options:
Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE nju.edu.cn yes source of input (see 'info' for details)
WORDLIST /home/parallels/.recon-ng/data/hostnames.txt yes path to hostname wordlist
Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs
3.2 Resolving hosts
Resolving the hosts already found can turn up new hosts, as follows.
[recon-ng][demo][brute_hosts] > back
[recon-ng][demo] > modules search resolve
[*] Searching installed modules for 'resolve'...
Recon
-----
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/netblocks-hosts/reverse_resolve
[recon-ng][demo] > modules load recon/hosts-hosts/resolve
[recon-ng][demo][resolve] > options list
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'info' for details)
[recon-ng][demo][resolve] > options set SOURCE query select host from hosts
SOURCE => query select host from hosts # this resolves the hosts found in the previous step
[recon-ng][demo][resolve] > run
...... # detailed results omitted
-------
SUMMARY
-------
[*] 12 total (12 new) hosts found.
3.3 Querying ports from hosts
3.3.1 Query procedure
[recon-ng][demo][resolve] > back
[recon-ng][demo] > modules search shodan
[*] Searching installed modules for 'shodan'...
Recon
-----
recon/companies-multi/shodan_org
recon/domains-hosts/shodan_hostname
recon/hosts-ports/shodan_ip
recon/locations-pushpins/shodan
recon/netblocks-hosts/shodan_net
[recon-ng][demo] > modules load recon/hosts-ports/shodan_ip
[recon-ng][demo][shodan_ip] > options list
Name Current Value Required Description
------ ------------- -------- -----------
LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
SOURCE default yes source of input (see 'info' for details)
[recon-ng][demo][shodan_ip] > options set SOURCE query select ip_address from hosts
SOURCE => query select ip_address from hosts
[recon-ng][demo][shodan_ip] > run
...... # detailed results omitted; this step may take a while
-------
SUMMARY
-------
[*] 2499 total (263 new) ports found.
[recon-ng][demo][shodan_ip] > show ports
+----------------------------------------------------------------------------------------------------------------------------+
| rowid | ip_address | host | port | protocol | banner | notes | module |
+----------------------------------------------------------------------------------------------------------------------------+
| 1 | 202.119.32.7 | nsc2017.nju.edu.cn | 443 | tcp | | | shodan_ip |
...... # detailed results omitted; the results can also be retrieved by querying the database as described earlier
+----------------------------------------------------------------------------------------------------------------------------+
[*] 263 rows returned
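An added example (not code from this article or from recon-ng itself) that reads the hosts and ports tables the same way the db query commands above do, but from outside the framework: it joins the two tables on ip_address to list the services exposed by each resolved name, and lists the names that still have no address. It assumes the workspace database lives at ~/.recon-ng/workspaces/<name>/data.db with the columns that show hosts and show ports print; the sample rows are constructed.

```python
import sqlite3
from pathlib import Path

# Assumption (check on your install): recon-ng keeps each workspace in
# ~/.recon-ng/workspaces/<name>/data.db, an SQLite file whose 'hosts' and
# 'ports' tables carry the columns that 'show hosts' / 'show ports' print.
def workspace_db(name="demo"):
    return Path.home() / ".recon-ng" / "workspaces" / name / "data.db"

# Constructed sample rows standing in for a real workspace.
SAMPLE_HOSTS = [  # (host, ip_address); one name left unresolved on purpose
    ("access.nju.edu.cn", "210.28.130.5"),
    ("www.nju.edu.cn", "202.119.32.7"),
    ("nsc2017.nju.edu.cn", "202.119.32.7"),
    ("unresolved.example", None),
]
SAMPLE_PORTS = [  # (ip_address, host, port, protocol) as shodan_ip stores them
    ("202.119.32.7", "nsc2017.nju.edu.cn", 443, "tcp"),
    ("202.119.32.7", "nsc2017.nju.edu.cn", 80, "tcp"),
    ("210.28.130.5", "access.nju.edu.cn", 22, "tcp"),
]

def sample_db():
    """Build an in-memory database with the same table layout as data.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, "
                 "country TEXT, latitude TEXT, longitude TEXT, notes TEXT, module TEXT)")
    conn.execute("CREATE TABLE ports (ip_address TEXT, host TEXT, port TEXT, "
                 "protocol TEXT, banner TEXT, notes TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts (host, ip_address, module) "
                     "VALUES (?, ?, 'brute_hosts')", SAMPLE_HOSTS)
    conn.executemany("INSERT INTO ports (ip_address, host, port, protocol, module) "
                     "VALUES (?, ?, ?, ?, 'shodan_ip')", SAMPLE_PORTS)
    return conn

def exposed_services(conn):
    """Map every resolved host to the (port, protocol) pairs seen on its address.
    The join is on ip_address, not host: a port shodan_ip attributed to one name
    is reachable through every name that resolves to the same address."""
    rows = conn.execute(
        "SELECT h.host, CAST(p.port AS INTEGER), p.protocol "
        "FROM hosts h JOIN ports p ON p.ip_address = h.ip_address "
        "WHERE h.ip_address IS NOT NULL ORDER BY h.host, CAST(p.port AS INTEGER)")
    services = {}
    for host, port, proto in rows:
        services.setdefault(host, []).append((port, proto))
    return services

def unresolved_hosts(conn):
    """Names with no ip_address: input for the resolve module, or stale records."""
    return [r[0] for r in conn.execute(
        "SELECT host FROM hosts WHERE ip_address IS NULL ORDER BY host")]

if __name__ == "__main__":
    db = sample_db()  # use sqlite3.connect(workspace_db("demo")) on a real workspace
    for host, svcs in exposed_services(db).items():
        print(host, ", ".join(f"{p}/{pr}" for p, pr in svcs))
    print("unresolved:", unresolved_hosts(db))
```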
4 Generating a report
4.1 Generation procedure
Recon-ng can produce reports in several formats; HTML is used as the example below.
[recon-ng][demo][shodan_ip] > back
[recon-ng][demo] > modules search report
[*] Searching installed modules for 'report'...
Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml
[recon-ng][demo] > modules load reporting/html
[recon-ng][demo][html] > options list
Name Current Value Required Description
-------- ------------- -------- -----------
CREATOR yes use creator name in the report footer
CUSTOMER yes use customer name in the report header
FILENAME /home/parallels/.recon-ng/workspaces/demo/results.html yes path and filename for report output
SANITIZE True yes mask sensitive data in the report
[recon-ng][demo][html] > options set FILENAME /home/parallels/results.html
FILENAME => /home/parallels/results.html
[recon-ng][demo][html] > options set CREATOR 201220014@smail.nju.edu.cn
CREATOR => 201220014@smail.nju.edu.cn
[recon-ng][demo][html] > options set CUSTOMER a single dog
CUSTOMER => a single dog
[recon-ng][demo][html] > run
[*] Report generated at '/home/parallels/results.html'.
4.2 Result
In the generated report, clicking the hosts and ports sections expands the full list of results that were found.