
The recon-ng framework

The recon-ng framework is an open-source framework for conducting reconnaissance (passive and active). It is similar to Metasploit and the Social Engineer Toolkit (SET). recon-ng is highly modular: each module is a customized cmd interpreter, preconfigured to perform a specific task.

The recon-ng framework and its modules are written in Python, allowing penetration testers to easily build or alter modules to facilitate testing.

The recon-ng tool also leverages third-party APIs to conduct some assessments; this additional flexibility means that some activities undertaken by recon-ng may be tracked by those parties. Users can specify a custom user-agent string or proxy requests to minimize the chances of alerting the target network.
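Seen from the defender's side of the paragraph above, the following added example (not from the book or the recon-ng project) scans web-server access logs for clients that still send the tool's stock user-agent. It assumes the stock value begins with Recon-ng/ and that logs use the Apache/nginx combined format; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: recon-ng's stock User-Agent starts with "Recon-ng/" (e.g. "Recon-ng/v4").
DEFAULT_UA = re.compile(r"^Recon-ng/", re.IGNORECASE)

# Apache/nginx "combined" access-log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 68 "-" "Recon-ng/v4"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /contact HTTP/1.1" 200 152 "-" "Recon-ng/v4"
198.51.100.20 - - [12/Mar/2024:10:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [12/Mar/2024:10:05:44 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is malformed and must be skipped
"""

def find_default_ua_clients(log_text):
    """Return {client_ip: summary} for clients that sent the stock User-Agent."""
    flagged = defaultdict(lambda: {"hits": 0, "paths": [], "other_requests": 0})
    seen = defaultdict(int)
    for line in log_text.splitlines():
        m = COMBINED.match(line.strip())
        if not m:
            continue  # skip entries that are not in combined format
        ip = m["ip"]
        seen[ip] += 1
        if DEFAULT_UA.match(m["ua"]):
            flagged[ip]["hits"] += 1
            flagged[ip]["paths"].append(m["path"])
    # The user-agent is a user-controlled option, so requests from a flagged
    # address under any other user-agent are counted for follow-up review.
    for ip, info in flagged.items():
        info["other_requests"] = seen[ip] - info["hits"]
    return dict(flagged)

if __name__ == "__main__":
    for ip, info in find_default_ua_clients(SAMPLE_LOG).items():
        print(ip, info)
```

A match is only a starting point for correlation, since a client that changes the string or routes through a proxy will not appear here.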

recon-ng is installed by default in newer versions of Kali. All data collected by recon-ng is placed in a database, allowing you to create various reports on the stored data. The user can select one of the report modules to automatically create either a CSV report or an HTML report.

To start the application, enter recon-ng at the prompt. The start screen will indicate the number of modules present, and the help command will show the commands available for navigation.

To show the available modules, type show in the recon-ng> prompt. To load a specific module, type load followed by the name of the module. Hitting the Tab key while typing will autocomplete the command. If the module has a unique name, you can type in the unique part of the name, and the module will be loaded without entering the full path.

Entering info will provide you with information on how the module works, and where to obtain API keys, if required.

Once the module is loaded, use the set command to set the options, and then enter run to execute.

In general, testers rely on recon-ng to do the following:

  • Harvest contacts, using Whois, Jigsaw, LinkedIn, and Twitter (use the mangle module to extract and present email data)
  • Identify hosts
  • Identify the geographical locations of hosts and individuals using hostop, ipinfodb, maxmind, uniapple, and wigle
  • Identify host information using netcraft and related modules
  • Identify account and password information that has previously been compromised and leaked onto the internet (the pwnedlist modules, wascompanyhacked, xssed, and punkspider)