背景:在渗透测试前期做攻击面发现(信息收集)时候往往需要用到很多工具,最后再将搜集到的信息汇总到一块。

         现在有这样一个现成的框架,里面集成了许多信息收集模块、信息存储数据库、以及报告生成模块,为工程化信息收集提供了可能。

         它就是recon-ng。recon-ng使用python编写,其使用方式和metasploit十分相似

使用方法介绍:

1、新建工作区(建议一个渗透目标一个工作区,这样能确保搜集到的信息都是针对一个目标的)

命令:Recon-ng -w 工作区名字

例:

recon-ng -w cctv

# 通过上面的命令创建‘cctv’工作区后可以通过如下命令查看工作区情况
[recon-ng][cctv] > show workspaces

  +------------+
| Workspaces |
+------------+
| cctv |
| default |
+------------+

2、设置搜索引擎api

Keys list  ===>查看现有搜索引擎api

keys add shodan fdkasjkfljklasjkldffjalks  ===>设置shodan搜索api

[recon-ng][cctv] > keys list

  +--------------------------+
| Name | Value |
+--------------------------+
| bing_api | |
| builtwith_api | |
| censysio_id | |
| censysio_secret | |
| flickr_api | |
| fullcontact_api | |
| github_api | |
| google_api | |
| hashes_api | |
| ipinfodb_api | |
| ipstack_api | |
| jigsaw_api | |
| jigsaw_password | |
| jigsaw_username | |
| pwnedlist_api | |
| pwnedlist_iv | |
| pwnedlist_secret | |
| shodan_api | |
| twitter_api | |
| twitter_secret | |
| virustotal_api | |
+--------------------------+ [recon-ng][cctv] > keys add shodan_api fdkasjkfljklasjkldffjalks 

3、show options(查看全局设置)

[recon-ng][cctv] > show options

  Name        Current Value  Required  Description
---------- ------------- -------- -----------
NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation
PROXY no proxy server (address:port)
THREADS 10 yes number of threads (where applicable)
TIMEOUT 10 yes socket timeout (seconds)
USER-AGENT Recon-ng/v4 yes user-agent string
VERBOSITY 1 yes verbosity level (0 = minimal, 1 = verbose, 2 = debug)

建议设置代理,让可以访问google(不得不佩服google的搜索能力)

  set PROXY 127.0.0.1:1087

4、查询包含哪些可用模块

通过use加tab键可以查看有哪些可用模块

[recon-ng][cctv] > use
discovery/info_disclosure/cache_snoop recon/domains-companies/pen recon/domains-hosts/threatcrowd recon/netblocks-hosts/shodan_net
discovery/info_disclosure/interesting_files recon/domains-contacts/metacrawler recon/domains-hosts/threatminer recon/netblocks-hosts/virustotal
exploitation/injection/command_injector recon/domains-contacts/pen recon/domains-vulnerabilities/ghdb recon/netblocks-ports/census_2012
exploitation/injection/xpath_bruter recon/domains-contacts/pgp_search recon/domains-vulnerabilities/punkspider recon/netblocks-ports/censysio
import/csv_file recon/domains-contacts/whois_pocs recon/domains-vulnerabilities/xssed recon/ports-hosts/migrate_ports
import/list recon/domains-credentials/pwnedlist/account_creds recon/domains-vulnerabilities/xssposed recon/profiles-contacts/dev_diver
recon/companies-contacts/bing_linkedin_cache recon/domains-credentials/pwnedlist/api_usage recon/hosts-domains/migrate_hosts recon/profiles-contacts/github_users
recon/companies-contacts/jigsaw/point_usage recon/domains-credentials/pwnedlist/domain_creds recon/hosts-hosts/bing_ip recon/profiles-profiles/namechk
recon/companies-contacts/jigsaw/purchase_contact recon/domains-credentials/pwnedlist/domain_ispwned recon/hosts-hosts/ipinfodb recon/profiles-profiles/profiler
recon/companies-contacts/jigsaw/search_contacts recon/domains-credentials/pwnedlist/leak_lookup recon/hosts-hosts/ipstack recon/profiles-profiles/twitter_mentioned
recon/companies-contacts/pen recon/domains-credentials/pwnedlist/leaks_dump recon/hosts-hosts/resolve recon/profiles-profiles/twitter_mentions
recon/companies-domains/pen recon/domains-domains/brute_suffix recon/hosts-hosts/reverse_resolve recon/profiles-repositories/github_repos
recon/companies-multi/github_miner recon/domains-hosts/bing_domain_api recon/hosts-hosts/ssltools recon/repositories-profiles/github_commits
recon/companies-multi/whois_miner recon/domains-hosts/bing_domain_web recon/hosts-hosts/virustotal recon/repositories-vulnerabilities/gists_search
recon/contacts-contacts/mailtester recon/domains-hosts/brute_hosts recon/hosts-locations/migrate_hosts recon/repositories-vulnerabilities/github_dorks
recon/contacts-contacts/mangle recon/domains-hosts/builtwith recon/hosts-ports/shodan_ip reporting/csv
recon/contacts-contacts/unmangle recon/domains-hosts/certificate_transparency recon/locations-locations/geocode reporting/html
recon/contacts-credentials/hibp_breach recon/domains-hosts/findsubdomains recon/locations-locations/reverse_geocode reporting/json
recon/contacts-credentials/hibp_paste recon/domains-hosts/google_site_web recon/locations-pushpins/flickr reporting/list
recon/contacts-domains/migrate_contacts recon/domains-hosts/hackertarget recon/locations-pushpins/shodan reporting/proxifier
recon/contacts-profiles/fullcontact recon/domains-hosts/mx_spf_ip recon/locations-pushpins/twitter reporting/pushpin
recon/credentials-credentials/adobe recon/domains-hosts/netcraft recon/locations-pushpins/youtube reporting/xlsx
recon/credentials-credentials/bozocrack recon/domains-hosts/shodan_hostname recon/netblocks-companies/whois_orgs reporting/xml
recon/credentials-credentials/hashes_org recon/domains-hosts/ssl_san recon/netblocks-hosts/reverse_resolve

也可以通过search命令来查找相关模块

[recon-ng][cctv] > search google
[*] Searching for 'google'... Recon
-----
recon/domains-hosts/google_site_web

此时大家可能会有疑问,这么多模块我怎么知道哪个模块是干什么使的呢? 这个时候我们可以use相应模块后用show info看到关于该模块的详细解释

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show info

      Name: Google Hostname Enumerator
Path: modules/recon/domains-hosts/google_site_web.py
Author: Tim Tomes (@LaNMaSteR53) Description:
Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with
the results. Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE cctv.com yes source of input (see 'show info' for details) Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs

此外recon-ng会将收集到的信息自动存入数据库,后面咱们可以将这些数据掏出来进行二次查询。可以通过下面这个命令查看数据库有哪些表:

[recon-ng][cctv] > show schema

  +---------------+
| domains |
+---------------+
| domain | TEXT |
| module | TEXT |
+---------------+ +--------------------+
| companies |
+--------------------+
| company | TEXT |
| description | TEXT |
| module | TEXT |
+--------------------+ +-----------------+
| netblocks |
+-----------------+
| netblock | TEXT |
| module | TEXT |
+-----------------+ +-----------------------+
| locations |
+-----------------------+
| latitude | TEXT |
| longitude | TEXT |
| street_address | TEXT |
| module | TEXT |
+-----------------------+ +---------------------+
| vulnerabilities |
+---------------------+
| host | TEXT |
| reference | TEXT |
| example | TEXT |
| publish_date | TEXT |
| category | TEXT |
| status | TEXT |
| module | TEXT |
+---------------------+ +-------------------+
| ports |
+-------------------+
| ip_address | TEXT |
| host | TEXT |
| port | TEXT |
| protocol | TEXT |
| module | TEXT |
+-------------------+ +-------------------+
| hosts |
+-------------------+
| host | TEXT |
| ip_address | TEXT |
| region | TEXT |
| country | TEXT |
| latitude | TEXT |
| longitude | TEXT |
| module | TEXT |
+-------------------+ +--------------------+
| contacts |
+--------------------+
| first_name | TEXT |
| middle_name | TEXT |
| last_name | TEXT |
| email | TEXT |
| title | TEXT |
| region | TEXT |
| country | TEXT |
| module | TEXT |
+--------------------+ +-----------------+
| credentials |
+-----------------+
| username | TEXT |
| password | TEXT |
| hash | TEXT |
| type | TEXT |
| leak | TEXT |
| module | TEXT |
+-----------------+ +-----------------------------+
| leaks |
+-----------------------------+
| leak_id | TEXT |
| description | TEXT |
| source_refs | TEXT |
| leak_type | TEXT |
| title | TEXT |
| import_date | TEXT |
| leak_date | TEXT |
| attackers | TEXT |
| num_entries | TEXT |
| score | TEXT |
| num_domains_affected | TEXT |
| attack_method | TEXT |
| target_industries | TEXT |
| password_hash | TEXT |
| password_type | TEXT |
| targets | TEXT |
| media_refs | TEXT |
| module | TEXT |
+-----------------------------+ +---------------------+
| pushpins |
+---------------------+
| source | TEXT |
| screen_name | TEXT |
| profile_name | TEXT |
| profile_url | TEXT |
| media_url | TEXT |
| thumb_url | TEXT |
| message | TEXT |
| latitude | TEXT |
| longitude | TEXT |
| time | TEXT |
| module | TEXT |
+---------------------+ +-----------------+
| profiles |
+-----------------+
| username | TEXT |
| resource | TEXT |
| url | TEXT |
| category | TEXT |
| notes | TEXT |
| module | TEXT |
+-----------------+ +--------------------+
| repositories |
+--------------------+
| name | TEXT |
| owner | TEXT |
| description | TEXT |
| resource | TEXT |
| category | TEXT |
| url | TEXT |
| module | TEXT |
+--------------------+

5、使用方法举例(拿搜索子域名与对应ip的场景来举例)

使用google搜索来查询目标有哪些子域名

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show options # 查看需要填哪些数据 Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details) [recon-ng][cctv][google_site_web] > set SOURCE cctv.com # 设置目标域名
SOURCE => cctv.com
[recon-ng][cctv][google_site_web] > run #开始运行

也可以使用暴力猜解的方式来获取目标子域名:

[recon-ng][cctv] > use recon/domains-hosts/brute_hosts
[recon-ng][cctv][brute_hosts] > show options Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
WORDLIST /usr/local/Cellar/recon-ng/4.9.6/libexec/data/hostnames.txt yes path to hostname wordlist # 字典路径 [recon-ng][cctv][brute_hosts] > set SOURCE cctv.com # 设置目标域名
SOURCE => cctv.com
[recon-ng][cctv][brute_hosts] > run #开始运行

运行完毕后查询到的数据将自动存入数据库,我们可以通过'show hosts'或'query+sql语句'的方式来查询,例:

[recon-ng][cctv] > show hosts

  +-----------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+-----------------------------------------------------------------------------------------------------------+
| 1 | tv.cctv.com | | | | | | google_site_web |
| 2 | www.cctv.com | | | | | | google_site_web |
| 3 | news.cctv.com | | | | | | google_site_web |
+-----------------------------------------------------------------------------------------------------------+
[recon-ng][cctv] >query select * from hosts;
  +-----------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+-----------------------------------------------------------------------------------------------------------+
| 1 | tv.cctv.com | | | | | | google_site_web |
| 2 | www.cctv.com | | | | | | google_site_web |
| 3 | news.cctv.com | | | | | | google_site_web |
+-----------------------------------------------------------------------------------------------------------+
# 为了保证隐私删掉了大部分数据,只给3个做为举例

数据库里已经有目标的子域名信息,现在想基于数据库里信息做进一步查询可以吗? 当然可以,我们以查询域名对应的ip为例:

[recon-ng][cctv] > use recon/hosts-hosts/resolve
[recon-ng][cctv][resolve] > show options Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details) # 正常来说SOURCE后应该是跟一个域名信息,比如'www.cctv.com' [recon-ng][cctv][resolve] > set SOURCE query select host from hosts # 这里厉害了哦!我们要查的是一个表的内容,如果一个域名设置一次那还不累死了? recon-ng竟然支持将值设为一个sql语句! 这样就可以批量查询表内的数据了!
SOURCE => query select host from hosts
[recon-ng][cctv][resolve] > run

执行完成后我们可以看下现在数据库里的内容有什么变化:

 [recon-ng][cctv][resolve] > show hosts
+----------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+----------------------------------------------------------------------------------------------------------------+
| 1 | tv.cctv.com | 123.125.195.125 | | | | | google_site_web |
| 2 | www.cctv.com | 114.112.172.231 | | | | | google_site_web |
| 3 | news.cctv.com | 111.206.186.245 | | | | | google_site_web |
| 4 | tv.cctv.com | 123.125.195.125 | | | | | resolve |
| 5 | www.cctv.com | 114.112.172.231 | | | | | resolve |
| 6 | news.cctv.com | 111.206.186.245 | | | | | resolve |
+----------------------------------------------------------------------------------------------------------------+
# 可以看到已经把查询到的ip地址填入表内了

就拿我们现在查询到的数据来举例说明一下该怎么导出报表

[recon-ng][cctv] > search report   # 查下看有哪些报表相关模块
[*] Searching for 'report'... Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml [recon-ng][cctv] > use reporting/html # 导出成html文件
[recon-ng][cctv][html] > show options Name Current Value Required Description
-------- ------------- -------- -----------
CREATOR yes creator name for the report footer
CUSTOMER yes customer name for the report header
FILENAME /Users/liwei/.recon-ng/workspaces/cctv/results.html yes path and filename for report output # 报表导出路径
SANITIZE True yes mask sensitive data in the report [recon-ng][cctv][html] > set CREATOR liwei # 填写报告作者
CREATOR => liwei
[recon-ng][cctv][html] > set CUSTOMER cctv # 填写用户单位名称
CUSTOMER => cctv
[recon-ng][cctv][html] > run
[*] Report generated at '/Users/liwei/.recon-ng/workspaces/cctv/results.html'. # 导出成功
[recon-ng][cctv][html] >

最终报表长这样:

注:以下是引自网友对各个模块的简要说明:

cache_snoop – DNS缓存录制

interesting_files – 敏感文件探测

command_injector – 远程命令注入shell接口

xpath_bruter – Xpath注入爆破

csv_file – 高级csv文件导入

list – List文件导入

point_usage – Jigsaw – 统计信息提取用法

purchase_contact – Jigsaw – 简单的联系查询

search_contacts – Jigsaw联系枚举

jigsaw_auth – Jigsaw认证联系枚举

linkedin_auth – LinkedIn认证联系枚举

github_miner – Github资源挖掘

whois_miner – Whois数据挖掘

bing_linkedin – Bing Linkedin信息采集

email_validator – SalesMaple邮箱验证

mailtester – MailTester邮箱验证

mangle – 联系分离

unmangle –联系反分离

hibp_breach –Breach搜索

hibp_paste – Paste搜索

pwnedlist – PwnedList验证

migrate_contacts – 域名数据迁移联系

facebook_directory – Facebook目录爬行

fullcontact – FullContact联系枚举

adobe – Adobe Hash破解

bozocrack – PyBozoCrack Hash 查询

hashes_org – Hashes.org Hash查询

leakdb – leakdb Hash查询

metacrawler – 元数据提取

pgp_search – PGP Key Owner查询

salesmaple – SalesMaple联系获取

whois_pocs – Whois POC获取

account_creds – PwnedList – 账户认证信息获取

api_usage – PwnedList – API使用信息

domain_creds – PwnedList – Pwned域名认证获取

domain_ispwned – PwnedList – Pwned域名统计获取

leak_lookup – PwnedList – 泄露信息查询

leaks_dump – PwnedList –泄露信息获取

brute_suffix – DNS公共后缀爆破

baidu_site – Baidu主机名枚举

bing_domain_api – Bing API主机名枚举

bing_domain_web – Bing主机名枚举

brute_hosts – DNS主机名爆破

builtwith – BuiltWith枚举

google_site_api – Google CSE主机名枚举

google_site_web – Google主机名枚举

netcraft – Netcraft主机名枚举

shodan_hostname – Shodan主机名枚举

ssl_san – SSL SAN查询

vpnhunter – VPNHunter查询

yahoo_domain – Yahoo主机名枚举

zone_transfer – DNS域文件收集

ghdb – Google Hacking数据库

punkspider – PunkSPIDER漏洞探测

xssed – XSSed域名查询

xssposed – XSSposed域名查询

migrate_hosts – 域名数据迁移host

bing_ip – Bing API旁站查询

freegeoip –FreeGeoIP ip定位查询

ip_neighbor – My-IP-Neighbors.com查询

ipinfodb – IPInfoDB GeoIP查询

resolve – 主机名解析器

reverse_resolve – 反解析

ssltools – SSLTools.com主机名查询

geocode – 地理位置编码

reverse_geocode – 反地理位置编码

flickr – Flickr地理位置查询

instagram – Instagram地理位置查询

picasa – Picasa地理位置查询

shodan – Shodan地理位置查询

twitter – Twitter地理位置查询

whois_orgs – Whois公司信息收集

reverse_resolve – 反解析

shodan_net – Shodan网络枚举

census_2012 – Internet Census 2012 查询

sonar_cio – Project Sonar查询

migrate_ports – 主机端口数据迁移

dev_diver – Dev Diver Repository检查

linkedin – Linkedin联系获取

linkedin_crawl – Linkedin信息抓取

namechk – NameChk.com用户名验证

profiler – OSINT HUMINT信息收集

twitter – Twitter操作

github_repos – Github代码枚举

gists_search – Github Gist搜索

github_dorks – Github Dork分析

csv – CSV文件生成

html – HTML报告生成

json – JSON报告生成

list – List生成

pushpin – PushPin报告生成

xlsx – XLSX文件创建

xml – XML报告生成

信息收集框架——recon-ng的更多相关文章

  1. Kali Linux信息收集工具

    http://www.freebuf.com/column/150118.html 可能大部分渗透测试者都想成为网络空间的007,而我个人的目标却是成为Q先生! 看过007系列电影的朋友,应该都还记得 ...

  2. Kali Linux信息收集工具全集

    001:0trace.tcptraceroute.traceroute 描述:进行路径枚举时,传统基于ICMP协议的探测工具经常会受到屏蔽,造成探测结果不够全面的问题.与此相对基于TCP协议的探测,则 ...

  3. Kali Linux信息收集工具全

    可能大部分渗透测试者都想成为网络空间的007,而我个人的目标却是成为Q先生! 看过007系列电影的朋友,应该都还记得那个戏份不多但一直都在的Q先生(由于年级太长目前已经退休).他为007发明了众多神奇 ...

  4. OSNIT信息收集分析框架OSRFramework

     OSNIT信息收集分析框架OSRFramework OSNIT是一种从公开的信息资源搜集信息的有效方式.Kali Linux集成了一款专用分析工具集OSRFramework.该工具集包含多个常用工具 ...

  5. 小白日记6:kali渗透测试之被动信息收集(五)-Recon-ng

    Recon-ng Recon-NG是由python编写的一个开源的Web侦查(信息收集)框架.Recon-ng框架是一个全特性的工具,使用它可以自动的收集信息和网络侦查.其命令格式与Metasploi ...

  6. 被动信息收集-其他收集目标信息的途径:cupp、 recon-ng

    除了google等搜索收集,还有其他途径进行信息收集,其中就包括用命令行或集成的软件.框架进行搜集信息. 1.先举例几个简单的命令: 其实也会是调用搜索引擎,如谷歌必应等,需要翻墙,可以用proxyc ...

  7. 『.NET Core CLI工具文档』(二).NET Core 工具遥测(应用信息收集)

    说明:本文是个人翻译文章,由于个人水平有限,有不对的地方请大家帮忙更正. 原文:.NET Core Tools Telemetry 翻译:.NET Core 工具遥测(应用信息收集) .NET Cor ...

  8. ExceptionLess异常日志收集框架-1

    哈哈,中秋和代码更配哦,不知不觉一年过半了,祝园友们中秋快乐 前一阵子在博客园看到了一篇博文 http://www.cnblogs.com/savorboard/p/exceptionless.htm ...

  9. 漫谈iOS Crash收集框架

    漫谈iOS Crash收集框架   Crash日志收集 为了能够第一时间发现程序问题,应用程序需要实现自己的崩溃日志收集服务,成熟的开源项目很多,如 KSCrash,plcrashreporter,C ...

随机推荐

  1. scrapy基础知识之 CrawlSpiders爬取lagou招聘保存在mysql(分布式):

    items.py import scrapy class LagouItem(scrapy.Item): # define the fields for your item here like: # ...

  2. scrapy基础知识之 CrawlSpiders:

    通过下面的命令可以快速创建 CrawlSpider模板 的代码: scrapy genspider -t crawl spidername xx.com LinkExtractors class sc ...

  3. SFC20 功能例子 注解

    谁能够把这注解一下,给大家分享一下,谢谢了 LAR1  P##SOURCE       L     B#16#10       T     LB [AR1,P#0.0]       L     B#1 ...

  4. 嵊州D3T2 福尔贝斯太太的快乐夏日 summer

    宗教,或是无节制的自由主义,是致人腐化的毒剂. 现在,一个人要经历 n 个事件,编号为 1 ∼ n. 经历 x 号事件,他的危险值就会增加 x. 一开始他的危险值是 0. 当一个人的危险值大于 0 且 ...

  5. Linux安装httpd

    一.相关下载 1.httpd下载 官网下载:http://httpd.apache.org/ 或者 百度网盘链接: https://pan.baidu.com/s/1JPdU28tv6rePKJanB ...

  6. centos7 + Nginx+ HTTPS + uwsgi + python3.6 + Docker + Django1.11 + mysql 5.6 + virtualenv 环境搭建

    环境搭建: 系统: ​ centos7.2 x64 开发环境: ​ python3.6 ​ Django 1.11 虚拟环境: [Docker](https://www.runoob.com/dock ...

  7. Socket网络编程系列教程序

    C语言的用途相当多,可以用在数据结构.数据库.网络.嵌入式等方面,历经40多年不衰,真是厉害!最近一直想从某一应用方面写一个系列教程,好好地把某一方面讲深讲透.         正好博主对网络方面的编 ...

  8. VS2012-SSAS 表格模型安全性

    模型安全性与AD域账户结合之后,浏览模型出现的问题: 当对在表“Products”中定义的行级别安全性表达式求值时遇到了错误.错误消息: 当对在表“Products”中定义的行级别安全性表达式求值时遇 ...

  9. excel报表开发-- 根据datatable个数自动生成新sheet

    总结一下很久之前做的报表小程序,今日有问题又调试了一下. DB中存在一个表,记录了ID<自增长>,SqlStatement<sql查询语句>及其他必要字段,比如SheetNam ...

  10. 个人永久性免费-Excel催化剂功能第44波-可见区域复制粘贴不覆盖隐藏内容

    Excel的复制粘贴操作,每天都在进行,若其中稍能提升一点效率,长久来说,实在是很可观的效率提升. Excel自带的复制粘贴功能,若复制的数据源或粘贴的目标位置中有隐藏的行列内容,简单一个复制粘贴充满 ...