Recon-ng is a tool used to collect information about the system and network of a target. It is a powerful tool written in Python that gives full information about a target. Information gathering is incomplete without recon-ng, and you must learn it deeply if you want to become an ethical hacker.
Recon-ng has a set of main commands, and most of these have further sub-commands.
1).HELP:
It is used to see all the commands and options of recon-ng.
TO SEE ALL OPTIONS: (help)
[Figure: Main commands of recon-ng]
2).WORKSPACES:
The first and main command of recon-ng is (workspaces). When we do a specific job on a computer, we create a separate workspace for it so that we can work easily. Similarly, in recon-ng we first need to create a specific workspace. The (workspaces) command of recon-ng is used to create, load, remove, and list workspaces.
TO CREATE A WORKSPACE: (workspaces create + workspace name) e.g. (workspaces create Linux)
TO LOAD A SPECIFIC WORKSPACE: (workspaces load + workspace name) e.g. (workspaces load kali)
TO REMOVE A SPECIFIC WORKSPACE: (workspaces remove + workspace name) e.g. (workspaces remove kali)
[Figure: Workspaces of recon-ng]
3).MARKETPLACE:
In our daily life the market is very important, because we can obtain everything we need from it. Similarly, in recon-ng the (marketplace) is a market of modules; it is used to search, install, and remove modules and to check their information.
TO SEARCH MODULES: (marketplace search)
TO INSTALL ALL MODULES: (marketplace install all)
TO INSTALL A SPECIFIC MODULE: (marketplace install + module name) e.g. (marketplace install import/nmap)
TO REMOVE A MODULE: (marketplace remove + module name) e.g. (marketplace remove import/nmap)
TO SEE THE INFORMATION AND REQUIREMENTS OF A SPECIFIC MODULE: (marketplace info + module name) e.g. (marketplace info import/nmap)
TO SEE NEWLY ADDED MODULES IN RECON-NG: (marketplace refresh)
4).INDEX:
It is used to see the information of all modules or of a specific module, such as its version, what it does, its capabilities, its requirements, etc.
TO SEE THE INFORMATION OF ALL MODULES: (index all)
TO SEE INFORMATION OF A SPECIFIC MODULE: (index module + module name) e.g. (index module import/nmap)
5).KEYS:
Some modules in recon-ng require specific API keys to work, and some of these API keys are paid. So the (keys) command is used to add and remove the API keys for these modules.
TO ADD AN API KEY FOR A MODULE: (keys add + module name + key) e.g. (keys add import/nmap jfq123twz)
TO SEE THE LIST OF KEYS THAT WE ADDED: (keys list)
[Figure: Modules that require API keys for use]
TO REMOVE THE KEY OF ANY MODULE: (keys remove + module name + key) e.g. (keys remove import/nmap jfq123twz)
6).BACK:
Just as the (cd ..) command is used to go back from the present directory to the previous directory, the (back) command in recon-ng is used to go back to the previous context (for example, out of a loaded module).
TO COME BACK: (back)
7).DASHBOARD:
It is used to see a summary of the tasks that we have performed in recon-ng.
TO SEE SUMMARY: (dashboard)
8).OPTIONS:
When we use a specific module in recon-ng, it has some requirements, such as hosts, a domain, etc. Therefore, the (options) command of recon-ng is used to see these requirements and to set or unset the options of a module.
TO SEE THE REQUIREMENTS: (options list)
TO SET ANY OPTION: (options set + option name + option value) e.g. (options set SOURCE kali.org)
TO UNSET ANY OPTION: (options unset + option name) e.g. (options unset SOURCE)
9).MODULES:
It is the main command of recon-ng. It is used to load, reload, and search for a specific module of recon-ng in order to perform a specific task.
TO LOAD A MODULE: (modules load + module name) e.g. (modules load import/nmap)
TO RELOAD A MODULE: (modules reload + module name) e.g. (modules reload import/nmap)
TO SEARCH FOR A MODULE: (modules search + module name) e.g. (modules search shodan)
10).SNAPSHOTS:
The (snapshots) command is used to save the work stored in the recon-ng database and to see the list of saved snapshots. It is also used to take, load, and remove snapshots in recon-ng.
TO SAVE THE WORK DONE IN RECON-NG: (snapshots take)
TO SEE THE LIST OF SNAPSHOTS: (snapshots list)
TO LOAD A SPECIFIC SNAPSHOT: (snapshots load + full name of the snapshot) e.g. (snapshots load snapshot_2211913.db)
TO REMOVE A SPECIFIC SNAPSHOT: (snapshots remove + full snapshot name) e.g. (snapshots remove snapshot_2211913.db)
11).SHOW:
When we do specific work in recon-ng, different vulnerabilities, contacts, emails, etc. are saved in the workspace according to that work. At the end, the (show) command is used to see these results.
TO SEE A SPECIFIC TABLE: (show + table name) e.g. (show companies), (show leaks), (show contacts), (show vulnerabilities)
12).SCRIPT:
It is not used much in recon-ng, but it is used to run a script consisting of recon-ng commands related to our work. It is similar to shell/bash scripting, but inside recon-ng. It is also used to record a script and to stop recording.
TO RUN A SCRIPT: (script execute + path of script) e.g. (script execute /root/Ali)
13).EXIT:
It is used to close the recon-ng shell or interface.
TO CLOSE RECON-NG: (exit)
14).DB:
It is used to show the tables of the workspace database and to add data to or remove data from our workspace.
TO SHOW ALL FRAMEWORK TABLES: (db schema)
TO ADD SOMETHING TO ANY TABLE: (db insert + table name) e.g. (db insert profiles)
Then enter the username, resource, url, category, and notes, and the new row will be added to your workspace.
TO DELETE A SPECIFIC ROW FROM A TABLE: (db delete + table name) e.g. (db delete profiles)
Then enter the row number you want to delete.
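The (db) and (show) commands above both read the same thing: each recon-ng workspace is an SQLite file, and (db schema) prints its tables. The following added example (my own code, not part of the original page or of recon-ng) builds a small constructed workspace database with two tables whose column names are an assumption approximating recon-ng's hosts and contacts tables, then reads it back the way a defender would when turning a recon run against their own domain into an asset inventory: hosts and contact emails are deduplicated across modules, and hosts that no module could resolve to an IP are listed separately for follow-up.

```python
import os
import sqlite3
import tempfile

# Assumed approximation of two tables from "db schema" (column names are an assumption).
SCHEMA = """
CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT,
                    latitude TEXT, longitude TEXT, notes TEXT, module TEXT);
CREATE TABLE contacts (first_name TEXT, middle_name TEXT, last_name TEXT, email TEXT,
                       title TEXT, region TEXT, country TEXT, notes TEXT, module TEXT);
"""

# Constructed sample rows (not output of a real recon-ng run). The duplicate mail host
# and duplicate contact show what happens when two modules report the same item;
# "brute_hosts" here is just a constructed module name.
SAMPLE_HOSTS = [
    ("www.example.com", "192.0.2.10", None, None, None, None, None, "hackertarget"),
    ("mail.example.com", "192.0.2.25", None, None, None, None, None, "hackertarget"),
    ("mail.example.com", "192.0.2.25", None, None, None, None, None, "brute_hosts"),
    ("old.example.com", None, None, None, None, None, None, "hackertarget"),
]
SAMPLE_CONTACTS = [
    ("Jane", None, "Doe", "Jane.Doe@example.com", "Admin", None, None, None, "whois_pocs"),
    ("Jane", None, "Doe", "jane.doe@example.com", "Admin", None, None, None, "whois_pocs"),
    ("Abuse", None, "Desk", "abuse@example.com", None, None, None, None, "whois_pocs"),
]


def build_sample_workspace(path):
    """Create the constructed workspace database at `path`."""
    conn = sqlite3.connect(path)
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?,?)", SAMPLE_HOSTS)
        conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CONTACTS)
        conn.commit()
    finally:
        conn.close()


def summarize_workspace(db_path):
    """Read hosts and contacts from a workspace database and return a deduplicated inventory."""
    conn = sqlite3.connect(db_path)
    try:
        host_rows = conn.execute("SELECT host, ip_address, module FROM hosts").fetchall()
        contact_rows = conn.execute(
            "SELECT email, module FROM contacts WHERE email IS NOT NULL"
        ).fetchall()
    finally:
        conn.close()

    hosts = {}
    for host, ip, module in host_rows:
        entry = hosts.setdefault(host, {"ips": set(), "modules": set()})
        if ip:
            entry["ips"].add(ip)
        entry["modules"].add(module)

    emails = {}
    for email, module in contact_rows:
        # Email addresses are case-insensitive, so normalise before deduplicating.
        emails.setdefault(email.lower(), set()).add(module)

    return {
        "hosts": {h: {"ips": sorted(v["ips"]), "modules": sorted(v["modules"])}
                  for h, v in sorted(hosts.items())},
        # Hosts that every module reported without an address: worth resolving by hand.
        "unresolved_hosts": sorted(h for h, v in hosts.items() if not v["ips"]),
        "emails": {e: sorted(m) for e, m in sorted(emails.items())},
    }


def demo():
    """Build the constructed workspace in a temp file, summarise it, and clean up."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_workspace(path)
        return summarize_workspace(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    summary = demo()
    for host, info in summary["hosts"].items():
        print(f"{host}: ips={info['ips']} seen by {info['modules']}")
    print("unresolved:", summary["unresolved_hosts"])
    print("emails:", summary["emails"])
```

To run it against a real workspace instead of the constructed one, pass the path of that workspace's data.db to summarize_workspace; only the two tables named above are read.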
Other commands, such as (pdb), are not used much by hackers.
SOME MODULES OF RECON-NG
Now let us talk about the use of the different modules of recon-ng. It has many modules; we will learn the use of the main modules of recon-ng in our book.
1).USE OF (recon/domains-contacts/whois_pocs) MODULE:
It is used to discover contacts of the target domain. To use it, run the following commands in recon-ng;
(modules load recon/domains-contacts/whois_pocs)
(options list)
(options set SOURCE + domain of the website) e.g. (options set SOURCE kali.org)
(run)
(show contacts)
As a result of this module you will get the different contacts related to your target domain, along with other information, that can be useful during an attack.
2).USE OF (discovery/info_disclosure/cache_snoop) MODULE:
It is used to discover some basic information related to the target domain or website. To use it, run the following commands in recon-ng;
(modules load discovery/info_disclosure/cache_snoop)
(options list)
(options set NAMESERVER + IP address of the name server) e.g. (options set NAMESERVER 192.168.8.1)
(options set DOMAINS + domain of the target website) e.g. (options set DOMAINS kali.org)
(run)
As a result of this module you will get some information related to your target that can be helpful.
3).USE OF (discovery/info_disclosure/interesting_files) MODULE:
It is used to find some interesting files related to our target domain. To use it, run the following commands in recon-ng;
(modules load discovery/info_disclosure/interesting_files)
(options list)
(options set SOURCE + domain of the website) e.g. (options set SOURCE kali.org)
(run)
As output, this module will give you the different files related to our target domain, such as robots.txt, sitemap.xml, sitemap.xml.gz, crossdomain.xml, phpinfo.php, test.php, elmah.axd, etc., which can be useful during further hacking.
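The same list of well-known files is what a defender sees arriving in the web server log when this module (or any similar scanner) is run against their site. The following added example (my own code, not from the page or from recon-ng) parses constructed Apache/Nginx combined-format access log lines, counts how many distinct paths from that list each client requested, and flags clients that swept several of them. It also records which probed files the server actually answered with 200, since a reachable phpinfo.php or elmah.axd is itself something the site owner should fix. The threshold, the log lines and the client addresses are all assumptions for the example.

```python
import re
from collections import defaultdict

# The well-known paths named on the page for the interesting_files module.
PROBE_PATHS = {
    "/robots.txt", "/sitemap.xml", "/sitemap.xml.gz", "/crossdomain.xml",
    "/phpinfo.php", "/test.php", "/elmah.axd",
}

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one client sweeps the list,
# another only fetches robots.txt the way a normal crawler does.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /sitemap.xml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /crossdomain.xml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpinfo.php?x=1 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /elmah.axd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Googlebot/2.1"
198.51.100.9 - - [10/Oct/2023:14:01:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
"""


def parse_line(line):
    """Return (ip, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop any query string so "/phpinfo.php?x=1" still matches the probe list.
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), path, int(m.group("status"))


def find_probe_sweeps(log_text, threshold=3):
    """Flag clients that requested at least `threshold` distinct probe paths.

    Returns {ip: {"paths": [probe paths requested], "exposed": [those answered 200]}}
    for flagged clients only; both lists are sorted.
    """
    hits = defaultdict(dict)  # ip -> {path: last status seen}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the sweep
        ip, path, status = parsed
        if path in PROBE_PATHS:
            hits[ip][path] = status

    findings = {}
    for ip, paths in hits.items():
        if len(paths) >= threshold:
            findings[ip] = {
                "paths": sorted(paths),
                "exposed": sorted(p for p, s in paths.items() if s == 200),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_probe_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(info['paths'])} well-known paths; "
              f"served with 200: {info['exposed']}")
```

With the sample above only 203.0.113.7 is flagged; the crawler that fetched robots.txt alone stays below the threshold, which is the point of counting distinct paths rather than alerting on any single well-known file.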
4).USE OF (exploitation/injection/command_injector) MODULE:
It is an exploitation module of recon-ng. It is used for command injection in a website, like commix, but the target website must be vulnerable to command injection. The vulnerable resource URL and the vulnerable parameters are required to use this module. To use it, run the following commands in recon-ng;
(modules load exploitation/injection/command_injector)
(options list)
(options set BASE_URL + target link) e.g.
(options set BASE_URL http://vulnweb.com/php)
(options set PARAMETERS + vulnerable parameters) e.g.
(options set PARAMETERS param = nottelling <injection> & query_str=%2f%2f Employee%5BUser name%3D%27+and+password%3D%27%7BINJECT%27%5D & submit= search)
(options set POST True)
(run)
As a result, it gives you command execution on the target website, and you can control the website.
5).USE OF (exploitation/injection/xpath_bruter) MODULE:
It is an exploitation module of recon-ng. It is used to perform a brute force attack on a website whose XML file is vulnerable. It also requires the resource URL and the vulnerable parameters. To use this module, run the following commands;
(modules load exploitation/injection/xpath_bruter)
(options list)
(options set BASE_URL + vulnerable link) e.g.
(options set BASE_URL http://vulnweb.com/php/)
(options set PARAMETERS + the complete parameter string) e.g.
(options set PARAMETERS param = nottelling <injection> & query_str=%2f%2f Employee%5BUser name%3D%27+and+password%3D%27%7BINJECT%27%5D & submit= search)
The <injection> marker is placed by the tester after the vulnerable parameter and the &, at the position where the module inserts its payload.
(options set POST True)
[Figure: Xpath bruter module output of recon-ng]
(options set STRING + a unique string from the XML file) e.g.
(options set STRING peter)
(run)
As a result, this module will give you the complete content of the website's vulnerable XML file, which can be helpful during hacking.
6).USE OF (recon/domains-contacts/whois_pocs) MODULE:
It is an information gathering module of recon-ng. It is used to find the different contacts of a specific domain. To use this module, run the following commands;
(modules load recon/domains-contacts/whois_pocs)
(options list)
(options set SOURCE + domain of the website) e.g.
(options set SOURCE google.com)
(run)
As a result, it will show you the different contact emails and countries related to the specific domain. It is a very good and helpful module of recon-ng.
7).USE OF (recon/domains-hosts/hackertarget) MODULE:
It is a useful information gathering module of recon-ng that is used to discover the hosts of a domain and their IP addresses. To use this module, run the following commands;
(modules load recon/domains-hosts/hackertarget)
(options list)
(options set SOURCE + domain of the website) e.g.
(options set SOURCE google.com)
(run)
As a result, this module will show you the hosts or subdomains of the given domain with their IP addresses, which can be used during hacking.
8).USE OF (recon/profiles-contacts/dev_diver) MODULE:
It is one of the most important modules of recon-ng.
This module is used to find the details of a user on GitHub. To use this module, run the following commands;
(modules load recon/profiles-contacts/dev_diver)
(options list)
(options set SOURCE + username) e.g.
(options set SOURCE Sohail)
(run)
As a result, this module will show you the user's GitHub username, real name, GitHub profile link, location, followers, id, join date, update date, etc. Sometimes it also provides the user's blog link, company name, and email. This information can be very helpful for you during hacking.
9).USE OF (recon/repositories-vulnerabilities/gists_search) MODULE:
It is also a very useful module of recon-ng that is used to find password-related vulnerabilities for the given website link.
To use this module, run the following commands;
(modules load recon/repositories-vulnerabilities/gists_search)
(options list)
(options set SOURCE + domain of the website) e.g.
(options set SOURCE http://vulnweb.com/)
(run)
As a result, this module will give you the password vulnerabilities of a website and the links related to these vulnerabilities, which can be useful during hacking. You should use this module.
These were some of the recon-ng modules for information gathering, but recon-ng has a lot of modules for information gathering that you can use. Some require API keys, but most are free. You must use the main modules for information gathering. All modules are easy to use, and you can use them like a game: load a module, set its options, and run. Best of luck with recon-ng.