Kali Penetration Testing: Passive Information Gathering with the Recon-NG Framework

I. Recon-NG Overview

  • Recon-ng is a full-featured web reconnaissance framework whose command syntax mirrors Metasploit (msf).
  • It is written in Python and provides independent modules, database integration, interactive help and command completion.
  • From the command line it drives search engines to collect web-exposed information about a target, so a tester can enumerate quickly and thoroughly.

Type recon-ng at a shell prompt; the [recon-ng][default] > prompt shows the framework has started. The version used here ships 77 recon modules, 8 reporting modules, 2 import modules, 2 exploitation modules and 2 discovery modules (the counts differ between versions). Every command that follows is entered at the [recon-ng][default] > prompt.

root@kali:~# recon-ng                 //start the recon-ng framework
    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
        Sponsored by...           /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                      [recon-ng v4.9.2, Tim Tomes (@LaNMaSteR53)]                       

[77] Recon modules                   //77 reconnaissance modules
[8]  Reporting modules               //8 reporting modules
[2]  Import modules                  //2 import modules
[2]  Exploitation modules            //2 exploitation modules
[2]  Discovery modules               //2 discovery modules

Before using Recon-NG for the first time, run help to list every available command.

[recon-ng][default] > help         //show the framework's command list

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context          //leave the currently loaded module and return to the [recon-ng][default] prompt
delete          Deletes records from the database
exit            Exits the framework                //quit recon-ng
help            Displays this menu
keys            Manages framework API keys         //recon-ng integrates with many sites' APIs; each needs the key that site issued to you before its modules can be used
load            Loads specified module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
reload          Reloads all modules
resource        Executes commands from a resource file
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots        //manage snapshots of a workspace's database
spool           Spools output to a file
unset           Unsets module options
use             Loads specified module
workspaces      Manages workspaces
[recon-ng][default] > recon-ng -h    //show the recon-ng command's own usage; the framework does not recognise this as one of its commands, so it hands the line to the shell (hence the '[*] Command:' line below)
[*] Command: recon-ng -h
usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
                [--no-analytics]

recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com

optional arguments:
  -h, --help      show this help message and exit
  -v, --version   show program's version number and exit
  -w workspace    load/create a workspace              //load an existing workspace or create a new one
  -r filename     load commands from a resource file
  --no-check      disable version check                //skip the check for a newer version that recon-ng performs at startup
  --no-analytics  disable analytics reporting          //disable the usage analytics the framework sends back to its developer; unrelated to the reporting modules

II. Using Modules

Reconnaissance steps

1. DNS enumeration via search engines (google, baidu, bing, yahoo) or brute force (the brute_hosts module ships with its own wordlist)

2. Resolve the collected hostnames (read from the database) to IP addresses: the resolve module

3. Generate a report: the reporting modules

The following walks through using Recon-Ng to enumerate hostnames under sina.com and their IP addresses, to illustrate how the framework is used.

1. Create a workspace named sina. Recon-Ng has a default workspace (default), but a separate workspace per engagement keeps the data easy to query and manage.

root@kali:~# recon-ng -w sina         //create the sina workspace and enter it directly

[recon-ng][sina] > help               //the same commands are available inside the sina workspace

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context
delete          Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads specified module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
reload          Reloads all modules
resource        Executes commands from a resource file
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
unset           Unsets module options
use             Loads specified module
workspaces      Manages workspaces

List the workspaces; the newly created sina workspace appears

[recon-ng][sina] > workspaces              //show the workspaces command's usage
Manages workspaces

Usage: workspaces [list|add|select|delete]
[recon-ng][sina] > workspaces list         //list the workspaces

  +------------+
  | Workspaces |
  +------------+
  | sina       |
  | default    |
  +------------+

2. DNS enumeration: hostnames can be collected through search engines (google, baidu, bing, yahoo) or by brute force

[recon-ng][sina] > search bing                                //find modules related to bing
[*] Searching for 'bing'...

  Recon
  -----
    recon/companies-contacts/bing_linkedin_cache
    recon/domains-hosts/bing_domain_api                      //this module needs a Bing API key, registered with the keys command
    recon/domains-hosts/bing_domain_web
    recon/hosts-hosts/bing_ip

3. Use the bing_domain_web module to enumerate hostnames.

[recon-ng][sina] > use recon/domains-hosts/bing_domain_web   //load one of the bing modules. It queries Bing repeatedly with the domain: operator, excluding the hostnames it has already found so that each query surfaces new ones
[recon-ng][sina][bing_domain_web] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)    //the SOURCE value is changed with the set command

Run 'show info' to see the details of the bing_domain_web module

[recon-ng][sina][bing_domain_web] > show info

      Name: Bing Hostname Enumerator                          //enumerates hostnames through Bing searches
      Path: modules/recon/domains-hosts/bing_domain_web.py    //the module's python file
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the results.  

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

4. Set the domain whose hostnames are to be enumerated to sina.com

[recon-ng][sina][bing_domain_web] > set SOURCE sina.com      //set SOURCE
SOURCE => sina.com
[recon-ng][sina][bing_domain_web] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  sina.com       yes       source of input (see 'show info' for details)    //SOURCE now holds sina.com

5. Enumerate the hostnames under sina.com

While running, Recon-Ng sends a large number of queries to bing.com; to avoid being rate-limited or blocked it sleeps for a while after a batch of requests before continuing.

[recon-ng][sina][bing_domain_web] > run    //run the module

--------
SINA.COM
--------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asina.com
[*] [host] gold.sina.com (<blank>)
[*] [host] ued.sina.com (<blank>)
[*] [host] exmail.sina.com (<blank>)
[*] [host] slide.sports.sina.com (<blank>)
[*] [host] video.sina.com (<blank>)
[*] Sleeping to avoid lockout...
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asina.com+-domain%3Agold.sina.com+-domain%3Aued.sina.com+-domain%3Aexmail.sina.com+-domain%3Aslide.sports.sina.com+-domain%3Avideo.sina.com+-domain%3Azt.sina.com+-domain%3Amaiche.sina.com+-domain%3Aads.sina.com+-domain%3Atravel.sina.com+-domain%3Alymf.sina.com+-domain%3Amed.sina.com+-domain%3Ahainan.sina.com+-domain%3Afinance.sina.com+-domain%3Asifa.sina.com+-domain%3Aimmigration.sina.com+-domain%3Agame.sina.com+-domain%3Aslide.fashion.sina.com+-domain%3Aslide.ent.sina.com+-domain%3Avpnmail.sina.com+-domain%3Ayuqing.sina.com+-domain%3Axwz.sina.com+-domain%3Aeva.sina.com+-domain%3Ahome.games.sina.com+-domain%3Amt.sina.com+-domain%3Aenglish.sina.com+-domain%3Amgame.sina.com
[*] [host] auto.sina.com (<blank>)
[*] [host] gb.nba.sina.com (<blank>)
[*] [host] eds.mail.sina.com (<blank>)
[*] [host] zb.sina.com (<blank>)
[*] [host] m.us.sina.com (<blank>)
... ...                                //only part of the output is shown; the full result list is long
... ...
-------
SUMMARY
-------
[*] 42 total (42 new) hosts found.     //42 hosts found in total, all 42 new to the hosts table

6. View the hosts table, which holds every hostname found

[recon-ng][sina][bing_domain_web] > show hosts    //show the hosts table, where all enumerated hostnames are stored

  +---------------------------------------------------------------------------------------------------------+
  | rowid |          host          | ip_address | region | country | latitude | longitude |      module     |
  +---------------------------------------------------------------------------------------------------------+
  | 1     | gold.sina.com          |            |        |         |          |           | bing_domain_web |
  | 2     | ued.sina.com           |            |        |         |          |           | bing_domain_web |
  | 3     | exmail.sina.com        |            |        |         |          |           | bing_domain_web |
  | 4     | slide.sports.sina.com  |            |        |         |          |           | bing_domain_web |
  | 5     | video.sina.com         |            |        |         |          |           | bing_domain_web |
  | 6     | zt.sina.com            |            |        |         |          |           | bing_domain_web |
  | 7     | maiche.sina.com        |            |        |         |          |           | bing_domain_web |
  | 8     | ads.sina.com           |            |        |         |          |           | bing_domain_web |
  | 9     | travel.sina.com        |            |        |         |          |           | bing_domain_web |
  | 10    | lymf.sina.com          |            |        |         |          |           | bing_domain_web |
  | 11    | med.sina.com           |            |        |         |          |           | bing_domain_web |
  | 12    | hainan.sina.com        |            |        |         |          |           | bing_domain_web |
  | 13    | finance.sina.com       |            |        |         |          |           | bing_domain_web |
  | 14    | sifa.sina.com          |            |        |         |          |           | bing_domain_web |
  | 15    | immigration.sina.com   |            |        |         |          |           | bing_domain_web |
  | 16    | game.sina.com          |            |        |         |          |           | bing_domain_web |
  | 17    | slide.fashion.sina.com |            |        |         |          |           | bing_domain_web |
  | 18    | slide.ent.sina.com     |            |        |         |          |           | bing_domain_web |
  | 19    | vpnmail.sina.com       |            |        |         |          |           | bing_domain_web |
  | 20    | yuqing.sina.com        |            |        |         |          |           | bing_domain_web |
  | 21    | xwz.sina.com           |            |        |         |          |           | bing_domain_web |
  | 22    | eva.sina.com           |            |        |         |          |           | bing_domain_web |
  | 23    | home.games.sina.com    |            |        |         |          |           | bing_domain_web |
  | 24    | mt.sina.com            |            |        |         |          |           | bing_domain_web |
  | 25    | english.sina.com       |            |        |         |          |           | bing_domain_web |
  | 26    | mgame.sina.com         |            |        |         |          |           | bing_domain_web |
  | 27    | auto.sina.com          |            |        |         |          |           | bing_domain_web |
  | 28    | gb.nba.sina.com        |            |        |         |          |           | bing_domain_web |
  | 29    | eds.mail.sina.com      |            |        |         |          |           | bing_domain_web |
  | 30    | zb.sina.com            |            |        |         |          |           | bing_domain_web |
  | 31    | m.us.sina.com          |            |        |         |          |           | bing_domain_web |
  | 32    | dwj.sina.com           |            |        |         |          |           | bing_domain_web |
  | 33    | igame.sina.com         |            |        |         |          |           | bing_domain_web |
  | 34    | sc.sina.com            |            |        |         |          |           | bing_domain_web |
  | 35    | home.sina.com          |            |        |         |          |           | bing_domain_web |
  | 36    | weekly.games.sina.com  |            |        |         |          |           | bing_domain_web |
  | 37    | opay.sina.com          |            |        |         |          |           | bing_domain_web |
  | 38    | gb.comic.sina.com      |            |        |         |          |           | bing_domain_web |
  | 39    | weibous.sina.com       |            |        |         |          |           | bing_domain_web |
  | 40    | dhl.sina.com           |            |        |         |          |           | bing_domain_web |
  | 41    | yn.house.sina.com      |            |        |         |          |           | bing_domain_web |
  | 42    | it.mn.sina.com         |            |        |         |          |           | bing_domain_web |
  +---------------------------------------------------------------------------------------------------------+

[*] 42 rows returned

The command 'query select * from hosts' returns exactly the same rows as show hosts.

[recon-ng][sina][bing_domain_web] > query select * from hosts

7. Find the resolver module that turns the collected hostnames into IP addresses

[recon-ng][sina][brute_hosts] > search resolve      //find resolver modules
[*] Searching for 'resolve'...

  Recon
  -----
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/netblocks-hosts/reverse_resolve

8. Load the 'recon/hosts-hosts/resolve' module, then run 'show info' to see its details

[recon-ng][sina][brute_hosts] > use recon/hosts-hosts/resolve    //load the resolver module
[recon-ng][sina][resolve] > show info

      Name: Hostname Resolver                      //resolves hostnames to IP addresses
      Path: modules/recon/hosts-hosts/resolve.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Resolves the IP address for a host. Updates the 'hosts' table with the results.  

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

Comments:
  * Note: Nameserver must be in IP form.

9. Set SOURCE to the hostnames in the hosts table whose host column contains 'ww', so that only those records are resolved. Note that this LIKE pattern is not anchored to sina.com, so it also picks up hosts from other domains that earlier module runs added to the table (the [brute_hosts] prompt above shows other modules were run in this workspace). In the output, one hostname can resolve to several IP addresses: these are multiple A records used for load balancing (round-robin DNS or a CDN).

[recon-ng][sina][resolve] > show options                         //show the module's options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][sina][resolve] > set SOURCE query select host from hosts where host like '%ww%'   //set SOURCE to the hosts whose name contains 'ww'
SOURCE => query select host from hosts where host like '%ww%'

[recon-ng][sina][resolve] > run        //resolve the hosts whose name contains 'ww' to IP addresses
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.227
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.231
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.233
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.230
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.229
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.226
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.228
[*] ww1.sinaimg.cn.w.alikunlun.com => 116.177.250.232
[*] ww7.sina.com => 71.5.7.191
[*] ww8.sina.com => 71.5.7.191
[*] www.vip9999.com => 121.40.176.71
[*] ww10.sina.com => 71.5.7.191
[*] ww.sina.com => 61.135.153.194
[*] www.sina.com => 61.158.251.244
[*] www.sina.com => 221.204.241.188
[*] www.sina.com => 221.204.241.188
[*] www.sina.com => 61.158.251.244
[*] www.sina.com => 61.158.251.244
[*] www.sina.com => 221.204.241.188

-------
SUMMARY
-------
[*] 10 total (10 new) hosts found.

To resolve every hostname in the hosts table, set SOURCE as follows (or leave it at default, which as the show info output states selects every host that has no IP address yet):

[recon-ng][sina][resolve] > set SOURCE query select host from hosts
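The query and resolve steps above work directly on the workspace's SQLite database. The block below is an added example, not code from the original post or from recon-ng itself: it reads the hosts table the way the query command does and answers the questions a tester asks before moving from passive reconnaissance to active scanning (which names are in scope, which are still unresolved, which names share one IP, which IPs to hand to a scanner). It assumes the hosts table has the columns shown by show hosts above and, for a real run, that the workspace database lives in the directory seen in the report path above, as ~/.recon-ng/workspaces/sina/data.db (the file name is an assumption); called with no path it builds an in-memory table from rows constructed from the resolve output. It also handles the scope problem visible in step 9: the pattern like '%ww%' matched www.vip9999.com and ww1.sinaimg.cn.w.alikunlun.com, which are not sina.com hosts, so every hostname is checked against the target domain on a label boundary before it counts as a target.

```python
"""Post-process a recon-ng v4 workspace database (added example, not part of
recon-ng or of the original post).

Assumption: the workspace DB is ~/.recon-ng/workspaces/<name>/data.db and its
hosts table has the columns shown by 'show hosts' above.
"""
import sqlite3
from collections import defaultdict

HOSTS_SCHEMA = (
    "CREATE TABLE IF NOT EXISTS hosts ("
    "host TEXT, ip_address TEXT, region TEXT, country TEXT, "
    "latitude TEXT, longitude TEXT, module TEXT)"
)

# Constructed sample rows: two unresolved Bing hits plus a subset of the
# resolve output above (including the two out-of-scope names it produced).
SAMPLE_ROWS = [
    ("gold.sina.com", None, "bing_domain_web"),
    ("exmail.sina.com", None, "bing_domain_web"),
    ("ww7.sina.com", "71.5.7.191", "resolve"),
    ("ww8.sina.com", "71.5.7.191", "resolve"),
    ("ww10.sina.com", "71.5.7.191", "resolve"),
    ("www.sina.com", "61.158.251.244", "resolve"),
    ("www.sina.com", "221.204.241.188", "resolve"),
    ("www.vip9999.com", "121.40.176.71", "resolve"),
    ("ww1.sinaimg.cn.w.alikunlun.com", "116.177.250.227", "resolve"),
]


def open_workspace(path=":memory:"):
    """Open a workspace DB; ':memory:' builds the constructed sample instead."""
    conn = sqlite3.connect(path)
    if path == ":memory:":
        conn.execute(HOSTS_SCHEMA)
        conn.executemany(
            "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
            SAMPLE_ROWS)
    return conn


def in_scope(host, domain):
    """True if host is the domain itself or a subdomain of it.  The check is on
    a label boundary, so 'notsina.com' and 'sina.com.evil.net' are rejected."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def split_scope(conn, domain):
    """Partition the distinct hostnames into in-scope and out-of-scope lists."""
    hosts = {row[0] for row in conn.execute("SELECT DISTINCT host FROM hosts")}
    inside = sorted(h for h in hosts if in_scope(h, domain))
    outside = sorted(h for h in hosts if not in_scope(h, domain))
    return inside, outside


def unresolved(conn, domain):
    """In-scope hosts with no IP yet (resolve not run, or the name did not resolve)."""
    rows = conn.execute(
        "SELECT host FROM hosts WHERE ip_address IS NULL AND host IS NOT NULL")
    return sorted(h for (h,) in rows if in_scope(h, domain))


def shared_ips(conn, domain):
    """Map each IP to the in-scope names resolving to it, keeping only IPs that
    serve more than one name (virtual hosting or a shared front end)."""
    by_ip = defaultdict(set)
    for host, ip in conn.execute(
            "SELECT host, ip_address FROM hosts WHERE ip_address IS NOT NULL"):
        if in_scope(host, domain):
            by_ip[ip].add(host)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def scan_targets(conn, domain):
    """Deduplicated in-scope IPs: the list to hand to an active scanner."""
    return sorted({ip for host, ip in conn.execute(
        "SELECT host, ip_address FROM hosts WHERE ip_address IS NOT NULL")
        if in_scope(host, domain)})


if __name__ == "__main__":
    # For a real workspace: open_workspace("/root/.recon-ng/workspaces/sina/data.db")
    db = open_workspace()
    inside, outside = split_scope(db, "sina.com")
    print("in scope:", len(inside), "out of scope:", outside)
    print("unresolved:", unresolved(db, "sina.com"))
    print("shared IPs:", shared_ips(db, "sina.com"))
    print("scan targets:", scan_targets(db, "sina.com"))
```

On the sample data the two non-sina.com names are reported as out of scope, ww7/ww8/ww10.sina.com collapse onto the single IP 71.5.7.191, and www.sina.com contributes both of its A records to the target list. Resolving a name outside the engagement's scope is harmless; scanning the IP it points to is not, which is why the split happens before scan_targets rather than after.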

10. Find the reporting modules, pick the output format, set the creator, customer and output path, and generate the report.

[recon-ng][sina][resolve] > search report       //find reporting modules
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][sina][resolve] > use reporting/html  //export the collected data as HTML
[recon-ng][sina][html] > show options

  Name      Current Value                                 Required  Description
  --------  -------------                                 --------  -----------
  CREATOR                                                 yes       creator name for the report footer
  CUSTOMER                                                yes       customer name for the report header
  FILENAME  /root/.recon-ng/workspaces/sina/results.html  yes       path and filename for report output
  SANITIZE  True                                          yes       mask sensitive data in the report

[recon-ng][sina][html] > set CREATOR zhuyilong        //set the report creator
CREATOR => zhuyilong
[recon-ng][sina][html] > set CUSTOMER sina.com        //set the customer name shown in the report header (not a user name)
CUSTOMER => sina.com
[recon-ng][sina][html] > set FILENAME /root/sina.html //set the output path
FILENAME => /root/sina.html
[recon-ng][sina][html] > show options                 //check the options after setting them

  Name      Current Value    Required  Description
  --------  -------------    --------  -----------
  CREATOR   zhuyilong        yes       creator name for the report footer
  CUSTOMER  sina.com         yes       customer name for the report header
  FILENAME  /root/sina.html  yes       path and filename for report output
  SANITIZE  True             yes       mask sensitive data in the report


[recon-ng][sina][html] > run                          //run, generating the sina.html report
[*] Report generated at '/root/sina.html'.

11. Open /root/sina.html to view the generated report. SANITIZE was left at True, so sensitive data in the tables is masked in the output.
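The eleven steps above can be replayed without typing them by hand. The block below is an added example, not part of the original post: a recon-ng v4 resource file for the -r option (and the resource command) listed in the help output above, running the same modules in the same order. It assumes the sina workspace, the report settings used above, and the file name sina.rc; the add domains line is what lets each module's default SOURCE query (shown in the show info output above) feed the next stage, so no SOURCE has to be set by hand.

```text
add domains sina.com
use recon/domains-hosts/bing_domain_web
run
use recon/domains-hosts/brute_hosts
run
use recon/hosts-hosts/resolve
run
use reporting/html
set CREATOR zhuyilong
set CUSTOMER sina.com
set FILENAME /root/sina.html
run
exit
```

Run it with recon-ng -w sina -r sina.rc --no-check. Keep one framework command per line and no comment lines: as the recon-ng -h example above shows, a line the framework does not recognise is handed to the shell. Because resolve's default SOURCE selects only hosts with no IP address yet, re-running the file resolves only what the enumeration modules newly added. Swapping bing_domain_web for bing_domain_api would additionally require the key to be registered first with keys add bing_api <key>.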

 

 

Reposted from blog.csdn.net/weixin_43625577/article/details/88978793