Thank you for dropping in for part 2 of our tutorial series on LaNMaSteR53’s Recon-ng information gathering framework. Last time, we focused on the fundamentals of navigation within the tool, selecting, configuring and executing modules, and understanding the output. If you came across this page first, please drop back to Part 1 of the series to get a solid background on the bare necessities of Recon-ng. This tutorial focuses on footprinting an organization and how to gain loads of information without having to touch the network.
Put simply, footprinting is the process of gathering up the pieces of evidence and morsels of information that people and organizations leave behind because of their Internet presence. This can be a difficult process depending on the size of the organization. In the case of an individual, their social media presence and online activity greatly influence the size of their footprint. In this tutorial, we will be performing a footprint analysis of Microsoft to demonstrate how to use Recon-ng most effectively. Specifically, this tutorial will show exactly what modules to use and in what order to get the most information possible.
When you first start your search, you are generally going to have a very limited amount of information at your disposal for targeting an organization. In the case of Microsoft, we have two basic starting points, a company name and a domain. Assuming you followed the steps in the previous tutorial of adding the domain to the recon-ng database and running the whois module against it, you may also have a few names and other basic information on the Microsoft.com domain. Most recon-ng footprints start with the domain, and the idea is to create a spiderweb of inter-connecting nodes of information by using the modules that connect with one another.
Finding Targets in Recon-ng
Starting out with recon-ng is most difficult if you don’t know how to get from one piece of information to another. Generally, when you start with the domain, you might start doing fierce scans to gather sub-domains and IPs. There’s nothing wrong with that, but it isn’t always going to catch everything. If your target has a whois page that is particularly verbose like Microsoft’s, you can find they have several netblocks. Start out by running use recon/companies-multi/whois_miner and you will get loads of info on your target. The information we are particularly interested in are the netblocks. For the sake of thoroughness, a netblock is a unique range of public IP addresses that are owned by or assigned to an organization. Microsoft has MANY of them, but we are going to useadd their Irving, TX location, netblock 126.96.36.199/29 since it is of a reasonable size.
># Netblock modules
Quickly run a search netblock in recon-ng and you will see all of the modules which use or yield new netblocks. Three in particular are extremely useful, but we are going to only use one for now. First, enter use recon/netblocks-hosts/reverse_resolve and run a show info command to get some information about your next module. You will find that this module’s purpose is to resolve the hostnames of all of the IPs in our netblock. Perfect, this is exactly what we are looking for! Go ahead and run your command, and it will quickly spit out the hostname of each IP in the netblock.
Understand that in an actual engagement, you are hoping to find many more targets with much more information. This is just for demonstration purposes, but you should get a total of eight new hosts complete with their IP address and public hostname. The two additional modules Shodan_net and Censysio are both API-driven databases which you can register for and receive a free API key. I highly recommend both of these services for any engagement, especially Shodan, because it will be very helpful to us later.
># Domain and Host modules
Some smaller engagements will have you attacking IP addresses and hosts which your client uses but are owned by a third-party, such as virtual hosted sites or cloud servers that they wish to test. In these situations you may not have netblocks to go on, or you may be dealing with a a small handful of IP addresses with a lot of virtual hosts or services on them. In times like this, another module I find very useful is the recon/domains-hosts/netcraft module. Netcraft is another service like Shodan which catalogs domain names and IP addresses for penetration testing. This tool is not API-driven, so it can be queried directly by recon-ng without the need for an API key.
Netcraft quickly accomplishes the same task as fierce does. The difference is that Netcraft does not manually hammer against public DNS nameservers with a brute-force attack. This is especially useful if you need to maintain a stealthy posture, and it saves time.
># Additional host-gathering modules
At this point, you can start going through the entire list of domain-host modules to gather more targets. Be sure to explore all of the domain modules by using the search feature. Your list may look a bit different than mine, but don’t worry, we will get to that part soon. The first thing you should be looking at are what modules are available to you that will help you start drilling down from the domain level to the infrastructure of your target. To start with, we need to use DNS gathering to find additional hosts within our scope.
My suggestions are as follows:
recon/domains-hosts/brute_hosts (Basically a Fierce scan)
recon/domains-hosts/certificate_transparency (Checks certificates for explicit subdomains)
recon/domains-hosts/mx_spf_ip (Grabs and outputs SPF records. Good for phishing campaigns)
recon/domains-hosts/ssl_san (Additional SSL certificate checker for domains)
Just a little more…
There are many other modules that can yield additional, juicy information for organization footprinting. API-driven modules such as JigSaw, Shodan, censysio, threatcrowd, and fullcontact are a few that deserve mentioning. These modules, in particular, are extremely efficient at digging up useful, more granular information. The information you gather from Recon-ng is just the start. Once you have gathered a large number of hosts and domains, you can start going after individuals within the organization. Gathering emails, social media profiles, names, positions, and location-based data is priceless for phishing engagements. Credential-harvesting and finding remote-access portals like RDP, VNC, and VPN services can be accomplished with the domain resolver and “Have I been Pwned” (HIBP) modules. Recon/netblocks-ports/censysio and recon/hosts-ports/shodan_ip are both excellent modules for finding open ports without a single nmap scan.
Thanks for reading!
Before we depart, I recommend checking out github.com for additional recon-ng modules. There are many other recon-ng plugins and modules created by other developers outside of the recon-ng project. These additional tools can further aid in your footprinting endeavors and help you map out an organization’s infrastructure.
Simply clone these modules and copy them directly into the recon-ng/modules directory of your installation.
In my opinion, reconnaissance and footprinting is more art than science. There is no way to really provide a one-size fits-all list of modules that will work for every engagement. I recommend spending time just performing your own footprinting. Try it against your own company, or just yourself for some practice. See what kind of information you have leaked into the web and how it all connects back to you. The more time you spend in recon-ng, the more familiar you will become with the tool.
Good luck and happy hunting!
Originally authored by Mike