root@kali:~# recon-ng
[ASCII-art banner: "recon-ng" / "Black Hills Information Security" | Consulting | Research | Development | Training | http://www.blackhillsinfosec.com]
[recon-ng v4.1.7, Tim Tomes (@LaNMaSteR53)]
[57] Recon modules
[5] Reporting modules
[2] Exploitation modules
[2] Discovery modules
[1] Import modules
Module listing:
[recon-ng][default] > show modules
Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files
Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter
Import
------
import/csv_file
Recon
-----
recon/companies-contacts/facebook
recon/companies-contacts/jigsaw
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-contacts/linkedin_auth
recon/companies-contacts/linkedin_crawl
recon/contacts-contacts/mangle
recon/contacts-contacts/namechk
recon/contacts-contacts/rapportive
recon/contacts-creds/haveibeenpwned
recon/contacts-creds/pwnedlist
recon/contacts-creds/should_change_password
recon/contacts-social/dev_diver
recon/contacts-social/twitter
recon/creds-creds/adobe
recon/creds-creds/bozocrack
recon/creds-creds/hashes_org
recon/creds-creds/leakdb
recon/domains-contacts/builtwith
recon/domains-contacts/pgp_search
recon/domains-contacts/whois_pocs
recon/domains-creds/pwnedlist/account_creds
recon/domains-creds/pwnedlist/api_usage
recon/domains-creds/pwnedlist/domain_creds
recon/domains-creds/pwnedlist/domain_ispwned
recon/domains-creds/pwnedlist/leak_lookup
recon/domains-creds/pwnedlist/leaks_dump
recon/domains-domains/brute_suffix
recon/domains-hosts/baidu_site
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/domains-hosts/brute_hosts
recon/domains-hosts/google_site_api
recon/domains-hosts/google_site_web
recon/domains-hosts/netcraft
recon/domains-hosts/shodan_hostname
recon/domains-hosts/ssl_san
recon/domains-hosts/vpnhunter
recon/domains-hosts/yahoo_site
recon/domains-vulnerabilities/punkspider
recon/domains-vulnerabilities/xssed
recon/hosts-hosts/bing_ip
recon/hosts-hosts/ip_neighbor
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
Reporting
---------
reporting/csv
reporting/html
reporting/list
reporting/pushpin
reporting/xml
Module descriptions (these use the flat module names of earlier recon-ng releases; in v4.x the same functionality lives under the recon/ and discovery/ paths listed above, e.g. hosts_netcraft is now recon/domains-hosts/netcraft):
auxiliary_elmah – checks for an exposed 'elmah.axd' error-log web page
auxiliary_googli – reverse hash lookup against the Goog.li hash database
auxiliary_mangle – mangles the contacts already collected in the database to generate email addresses and usernames
auxiliary_noisette – reverse hash lookup against the Noisette.ch hash database
auxiliary_pwnedlist – checks PwnedList.com for leaked email addresses
auxiliary_resolve – resolves hostnames in the database to IP addresses
auxiliary_server_status – checks for an exposed server-status page
contacts_jigsaw – harvests contacts from Jigsaw.com
contacts_linkedin_auth – harvests contacts through an authenticated LinkedIn.com network
hosts_baidu – Baidu hostname enumeration
hosts_bing – Bing hostname enumeration
hosts_brute_force – DNS hostname brute forcing
hosts_google – Google hostname enumeration
hosts_netcraft – Netcraft hostname enumeration
hosts_shodan – Shodan hostname enumeration
hosts_yahoo – Yahoo hostname enumeration
The PwnedList modules use PwnedList.com to retrieve leaked credentials and compromised user accounts.
pwnedlist_account_creds – retrieves leaked credentials for a PwnedList account
pwnedlist_api_usage – retrieves PwnedList API usage statistics
pwnedlist_domain_creds – retrieves leaked credentials for a pwned domain
pwnedlist_domain_ispwned – retrieves leak statistics for a pwned domain
pwnedlist_leak_lookup – retrieves the details of a PwnedList leak
Basic usage
1. Type help
[recon-ng][default] > help
Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits current prompt level
del Deletes records from the database
exit Exits current prompt level
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces
[recon-ng][default] > use recon/domains-hosts/netcraft
[recon-ng][default][netcraft] > show options
Name    Current Value  Req  Description
------  -------------  ---  -----------
SOURCE  default        yes  source of input (see 'show info' for details)
[recon-ng][default][netcraft] > set SOURCE xxx.com
SOURCE => xxx.com
[recon-ng][default][netcraft] > run
Output:
xxx.COM
-------
[recon-ng][default] > show hosts
+---------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude |
+---------------------------------------------------------------------------------------------+
| 48 | 1.xxx.com | | | | | |
| 139 | 1.xxx.163.com | | | | | |
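The ip_address column is empty above because the netcraft module only records hostnames; the recon/hosts-hosts/resolve module fills it in, since its default SOURCE is the set of hosts in the workspace that have no ip_address yet. The following is an added example, not code from the original post or from the recon-ng project: it replays the same use / set SOURCE / run / show hosts chain non-interactively through a recon-ng resource file, adds the resolve and reporting/csv steps, and keeps the results in their own workspace. It assumes a recon-ng 4.x binary on PATH (with the -w workspace and -r resource-file options); the domain, workspace name and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): drive the netcraft -> resolve -> CSV
# chain from a recon-ng resource file instead of typing it at the prompt.
# Assumed: recon-ng 4.x on PATH; xxx.com and the /tmp paths are placeholders.

# write_rc DOMAIN RCFILE CSVFILE: emit the command file that recon-ng will replay.
# The trailing 'exit' keeps recon-ng from dropping into the interactive prompt
# after the last command.
write_rc() {
  domain="$1"; rcfile="$2"; csvfile="$3"
  cat > "$rcfile" <<EOF
use recon/domains-hosts/netcraft
set SOURCE ${domain}
run
use recon/hosts-hosts/resolve
run
query SELECT host, ip_address FROM hosts WHERE host LIKE '%${domain}' ORDER BY host
use reporting/csv
set FILENAME ${csvfile}
run
exit
EOF
}

# run_recon WORKSPACE RCFILE: replay the file inside a dedicated workspace so
# results for different targets are not mixed into the default database.
run_recon() {
  workspace="$1"; rcfile="$2"
  if command -v recon-ng >/dev/null 2>&1; then
    recon-ng -w "$workspace" -r "$rcfile"
  else
    echo "recon-ng not on PATH; command file left at $rcfile" >&2
    return 1
  fi
}

# Usage with the placeholder domain (replace with a domain you are authorized to test):
write_rc xxx.com /tmp/xxx-recon.rc /tmp/xxx-hosts.csv
run_recon xxx /tmp/xxx-recon.rc || true
```

The query line is the same check as show hosts, restricted to the target domain, so the run log shows at a glance which hostnames resolve never filled in (dangling DNS names are worth a second look). Each module's default SOURCE query is printed by show info, and SOURCE also accepts a literal value, a path to a file of values, or `query <sql>` against the workspace database, which is how the chain above passes netcraft's output into resolve without any intermediate file.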