Employing comprehensive reconnaissance applications

Although Kali contains multiple tools to facilitate reconnaissance, many of them contain features that overlap, and importing data from one tool into another is usually a complex manual process. Most testers select a subset of tools and invoke them with a script.

Comprehensive tools focused on reconnaissance were originally command-line tools with a defined set of functions; one of the most commonly used was Deepmagic Information Gathering Tool (DMitry). DMitry could perform whois lookups, retrieve netcraft.com information, search for subdomains and email addresses, and perform TCP scans. Unfortunately, it was not extensible beyond those functions.

The following screenshot provides details for running DMitry on www.cyberhia.com:

dmitry -winsepo output.txt example.com

Recent advances have led to the creation of comprehensive framework applications that combine passive and active reconnaissance; in the following section, we will be looking more at recon-ng.