Information Gathering Series; Part A: Recon-ng
Disclaimer: This article is for educational purposes and seeks to promote ethical hacking and superior cybersecurity practices in organizations and private entities. It does not advocate any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set vulnerable. I, therefore, absolve myself from any future unauthorized scripting by parties reading this article that may compromise the integrity of respective wireless networks.
In this series, I will be covering the key steps attackers use to start gathering information about a website's weaknesses. In every sense, you can't hack something you don't understand. Recon-ng is a great tool, and free, to start with, as it bundles multiple sub-modules that allow us to capture information such as server IP addresses, open ports and email addresses. For these, attackers would normally need the domain of the organization they are working on to grasp
Requirements
- Kali Linux Separate OS /VMware Kali Linux
- Recon-ng
- Target domain of a website, e.g. google.com or facebook.com
Installing recon-ng:
While the program comes by default in some Kali Linux versions, it may be missing from yours. Simply run “recon-ng” to confirm. If it is not installed, run the steps below:
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
./recon-ng
Procedure A: IP addresses and server locations
1. Fire up recon-ng as shown in the figure below:
2. Type “help” to get an overview of how recon-ng can support our intelligence gathering. Furthermore, “show modules” helps us understand which modules are available to our advantage.
3. We need to create a workspace to store everything we collect from our active modules. Picture it as two cups, each holding different ingredients, that ultimately mix in the end to cook something:
workspaces create ethicalhackinglab
4. A “marketplace search” helps us identify which modules we might need for the task at hand.
5. We can begin with “marketplace install hackertarget”, which installs a module that fetches server locations and IP information (basically hosts). Remember, with an IP, we can do other attacks like sqlninja, to perform XSS attacks, or DirBuster to identify hidden directories and pages on a website.
We load the module using “modules load hackertarget” and point it at a target with “options set SOURCE abc.com” (use any domain you are authorized to test). For the sake of the tutorial, I will use google.com.
6. Type “run” and observe the information relayed. Indeed, we can see the servers and IP addresses belonging to google.com; observe the figure below.
[Optional: to increase the hosts pool, you can install “google_site_web” or “netcraft” using the procedure in step 5, load them and set the options as in step 6]
Procedure B: Email-addresses
What if we need to capture the email addresses of a user, let's say for attacking them using the Meterpreter payload?
1. We need to “marketplace install whois_pocs”, then load the module with “modules load whois_pocs”.
2. We can try “misango.me” (my website) and “hackthissite.org” (an open hacking practice site). From the results below, we cannot find any email address [this is an assurance that these websites are safe and do not expose users' data to us].
3. We can try the step above on “github.com”, an open-source website for hosting repositories, and we can actually see the emails as below. [This is open source and available to the public]
[Optional]: You can try “marketplace install pgp_search”, load it and see the email addresses captured.
IMPORTANT [Follow-up Notes]
Now we need to tie everything we have collected into a single HTML file and see what we have so far. For this, you need to “marketplace install hibp_paster” and “marketplace install html”.
You then run “modules load html” and follow the steps below:
- options set CREATOR misango → sets the name of the analyst
- options set CUSTOMER hacked → sets the customer name shown in the report to a fictitious value, i.e. hacked
- run
An HTML file is generated, which we can open in a browser to view.
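Before (or instead of) generating the HTML report, it is worth knowing where recon-ng keeps the data that Procedure A and Procedure B produced, because that is what a defender should review to see what an outsider can learn about their domain. The script below is an added example, not part of this article or of the recon-ng project: it builds a throwaway SQLite file whose tables follow recon-ng's workspace layout as I understand it (the `hosts` and `contacts` tables; the real file is assumed to live at ~/.recon-ng/workspaces/<name>/data.db), fills it with constructed rows that imitate hackertarget, netcraft, google_site_web, whois_pocs and pgp_search results, and then summarises the exposure: unique hosts and IPs, which module found what, and which email addresses belong to the target's own domain versus third parties. Point `summarise_workspace` at a real data.db to run it against an actual workspace.

```python
"""Summarise what a recon-ng workspace exposes about a target domain.

Added example. The schema below is modelled on recon-ng's workspace
database (an assumption about the tool's layout); the sample rows are
constructed and are not real output from any module.
"""
import os
import sqlite3
import tempfile
from collections import Counter

# Constructed rows in (host, ip_address, region, country, latitude,
# longitude, notes, module) order. 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = [
    ("www.example.com", "203.0.113.10", "California", "United States", None, None, None, "hackertarget"),
    ("mail.example.com", "203.0.113.25", "California", "United States", None, None, None, "hackertarget"),
    ("dev.example.com", "203.0.113.40", None, None, None, None, None, "netcraft"),
    ("www.example.com", "203.0.113.10", None, None, None, None, None, "google_site_web"),
]

# Constructed rows in (first_name, middle_name, last_name, email, title,
# region, country, notes, module) order.
SAMPLE_CONTACTS = [
    ("Alice", None, "Admin", "hostmaster@example.com", "Technical Contact", None, None, None, "whois_pocs"),
    ("Bob", None, "Builder", "Bob@example.com", None, None, None, None, "pgp_search"),
    ("Carol", None, "Vendor", "carol@vendor.example.net", None, None, None, None, "whois_pocs"),
]


def build_sample_workspace(path):
    """Create a workspace-style database at `path` and load the constructed rows."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE IF NOT EXISTS hosts (host TEXT, ip_address TEXT, region TEXT, "
        "country TEXT, latitude TEXT, longitude TEXT, notes TEXT, module TEXT);"
        "CREATE TABLE IF NOT EXISTS contacts (first_name TEXT, middle_name TEXT, "
        "last_name TEXT, email TEXT, title TEXT, region TEXT, country TEXT, "
        "notes TEXT, module TEXT);"
    )
    con.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?,?)", SAMPLE_HOSTS)
    con.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CONTACTS)
    con.commit()
    con.close()


def summarise_workspace(path, target_domain):
    """Return a dict describing what the workspace at `path` exposes about `target_domain`."""
    con = sqlite3.connect(path)
    hosts = con.execute("SELECT host, ip_address, module FROM hosts").fetchall()
    contacts = con.execute(
        "SELECT email, module FROM contacts WHERE email IS NOT NULL"
    ).fetchall()
    con.close()

    # The same host is often reported by several modules; count it once for
    # exposure, but keep a per-module tally to show which source found what.
    hosts_per_module = Counter()
    ips_by_host = {}
    for host, ip, module in hosts:
        hosts_per_module[module] += 1
        ips_by_host.setdefault(host.lower(), set()).add(ip)

    # Split contacts into the target's own mailboxes (the real leak) and
    # third-party addresses such as registrars or vendors.
    target = target_domain.lower()
    own_emails, third_party = set(), set()
    for email, _module in contacts:
        addr = email.lower()
        domain = addr.rsplit("@", 1)[-1]
        if domain == target or domain.endswith("." + target):
            own_emails.add(addr)
        else:
            third_party.add(addr)

    return {
        "unique_hosts": len(ips_by_host),
        "hosts_per_module": dict(hosts_per_module),
        "ips": sorted({ip for ips in ips_by_host.values() for ip in ips}),
        "own_domain_emails": sorted(own_emails),
        "third_party_emails": sorted(third_party),
    }


def run_demo(target_domain="example.com"):
    """Build the constructed workspace in a temp dir and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "data.db")
        build_sample_workspace(db_path)
        return summarise_workspace(db_path, target_domain)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The split between own-domain and third-party addresses is the part a defender cares about: registrar or vendor contacts from whois are expected to be public, whereas staff mailboxes found through PGP key servers or paste sites are the ones to feed into phishing-awareness and credential-monitoring work.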
Recommendations
Software development architecture needs to be robust and prevent leakage of emails, IP addresses etc. This can be done by deploying software systems, like Google's security offerings, that scrape the web for the organization's leaked internal credentials.
Conclusion
We have briefly gone through recon-ng, which helps us gather overview information about a target. In the coming weeks, I will continue this series with a write-up on the “who_is enumeration” skillset.
Also, since we are in the intelligence-gathering phase, the cover image will change from time to time to show aircraft from superpowers all over the globe that are built for active and passive reconnaissance. Stay tuned!