Information Gathering Series; Part A: Recon-ng

Frankline Misango
5 min readApr 1, 2023

--

Cover Image: A U.S. Air Force Lockheed SR-71A Blackbird from the 9th Strategic Reconnaissance Wing near Beale Air Force Base, California (USA). source: Wikimedia commons/TSgt. Michael Haggerty, USAF

Disclaimer: This article is for educational purposes and seeks to promote ethical hacking and superior cybersecurity practices in organizations and private entities. It does not advocate for any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set vulnerable. I, therefore, absolve myself from any future unauthorized scripting from parties reading this article that may compromise the integrity of respective wireless networks

In this series, I will be covering the key steps attackers use to start gathering vulnerabilities about a website. In all sense, you can’t hack something you don’t understand either. Recon-ng is a very great tool, which is free, to start with as it contains multiple sub-tools that allow us to capture information such as server IP addresses, open ports and emails etc. For these, Cybersecurity attackers would normally need the domain of the organization they are working on to grasp

Requirements

  • Kali Linux Separate OS /VMware Kali Linux
  • Recon-ng
  • Target subdomain of a website eg. google.com or facebook.com

Installing recon-ng:
while the program comes in default in some kali linux versions, it may miss from yours. simply run recon-ng to confirm. If it's not installed, run the steps below :

git clone https://github.com/lanmaster53/recon-ng.git

cd recon-ng

pip install -r REQUIREMENTS

./recon-ng

Procedure A: IP addresses and server locations

  1. Fire up recon-ng as shown in the figure below :
Recon-ng

2. We can type “help” to directly get an overview of how recon-ng can support us in our intelligence gathering. Furthermore, we can “show modules” to help us understand what modules are available to our advantage

We can see the modules available

3. We need to create a virtual lab to store all of our active modules. Picture it as two cups each having different ingredients that ultimately mix in the end to cook something
workspaces create ethicalhackinglab

4. We can do a “marketplace search” to help us identify which tools we might need specifically for the current payload.

5. We can begin by “marketplace install hackertarget” which installs a module to help us fish the server locations and IP information[basically hosts]. Remember, with IP, we can do other attacks like sqlninja, to perform XSS attacks, or DirBuster to identify hidden directories and pages on a website.

We can load the module using “modules load hackertarget” & “options set SOURCE abc.com(here you can use any domain you are authorized to use). For the sake of the tutorial, I will use google.com

6. Type run and observe the information relayed. Indeed we can see the servers and IP addresses of respective Google.com. observe the figure below.

[Optional: To increase the hosts' pool; you can install “google_site_web” or “netcraft” using the procedure in step 5, load it and set the options as step 6]

Procedure B: Email-addresses

What if We need to capture the Email addresses of a user let's say for attacking them using the meterpreter payload?

  1. we need to “marketplace install whois_pocs”. We can load the module as well using “modules load whois_pocs”.
  2. We can try “misango.me” & “hackthissite.org” my website and an open hacking field. Well, from the results below, we cannot find any email as we know [ This is an assurance that the website is safe and doesn’t expose to us users’ data].

3. We can try the step above on “github.com” which is an open-source website to post repositories and we can actually see the emails as below. [This is open source and available to the public]

The emails are probably fake

[Optional]: You can try “marketplace install pgp_search”, load it and see the name of emails captured.

IMPORTANT [Follow-up Notes]

Now we need to tie everything that we have been collecting into a single HTML file and see what we have so far. For this method, you need to “marketplace install hibp_paster” & “marketplace install html”.

You then can “load modules html” and follow the steps below

  1. options set CREATOR misango → Set the name of the analyst
  2. options set CUSTOMER hacked → set the contents of the output to a fictitious name i.e hacked
  3. run
Alternatively, can be opened up in the browser as below

We can see an HTML file generated and we can open on our browser to view

We can see hacked the creators name

Recommendations

Software development architecture needs to be robust and prevent leakage of emails, IP addresses etc. This can be done by installing software systems, like Google’s security, that scraps the web for intranet’s leaked credentials etc

Conclusion

We have gone briefly through recon-ng which helps us gather overview information about a victim. In the next weeks, I will be continuing with this series and write-up on “who_is enumeration” skillset.

Also, since we are in the intelligence-gathering phase, the cover image will change from time to time to show Aircraft from all over the globe super powers that are made for active & passive reconnaissance. Stay tuned!

--

--