In short, for anyone who isn't familiar with it: recon-ng is an information-gathering (OSINT) tool. Since the commands changed completely in version 5, I decided to write up (partly so I don't forget it myself) a short manual of what is what. After installing, start it:

Code:
recon-ng
[*] Version check disabled.
[*] No modules enabled/installed.
[recon-ng][default] >

So out of the box there are no modules at all. They have to be installed, and before that the marketplace index has to be refreshed:

Code:
[recon-ng][default] > marketplace refresh
[*] Marketplace index refreshed.
[recon-ng][default] > marketplace install all
[*] Reloading modules...

Spoiler: List of modules
[*] Module installed: discovery/info_disclosure/cache_snoop
[*] Module installed: discovery/info_disclosure/interesting_files
[*] Module installed: exploitation/injection/command_injector
[*] Module installed: exploitation/injection/xpath_bruter
[*] Module installed: import/csv_file
[*] Module installed: import/list
[*] Module installed: import/nmap
[*] Module installed: recon/companies-contacts/bing_linkedin_cache
[*] Module installed: recon/companies-contacts/pen
[*] Module installed: recon/companies-domains/pen
[*] Module installed: recon/companies-domains/viewdns_reverse_whois
[*] Module installed: recon/companies-multi/github_miner
[*] Module installed: recon/companies-multi/shodan_org
[*] Module installed: recon/companies-multi/whois_miner
[*] Module installed: recon/contacts-contacts/abc
[*] Module installed: recon/contacts-contacts/mailtester
[*] Module installed: recon/contacts-contacts/mangle
[*] Module installed: recon/contacts-contacts/unmangle
[*] Module installed: recon/contacts-credentials/hibp_breach
[*] Module installed: recon/contacts-credentials/hibp_paste
[*] Module installed: recon/contacts-credentials/scylla
[*] Module installed: recon/contacts-domains/migrate_contacts
[*] Module installed: recon/contacts-profiles/fullcontact
[*] Module installed: recon/credentials-credentials/adobe
[*] Module installed: recon/credentials-credentials/bozocrack
[*] Module installed: recon/credentials-credentials/hashes_org
[*] Module installed: recon/domains-companies/pen
[*] Module installed: recon/domains-contacts/metacrawler
[*] Module installed: recon/domains-contacts/pen
[*] Module installed: recon/domains-contacts/pgp_search
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-credentials/pwnedlist/account_creds
[*] Module installed: recon/domains-credentials/pwnedlist/api_usage
[*] Module installed: recon/domains-credentials/pwnedlist/domain_creds
[*] Module installed: recon/domains-credentials/pwnedlist/domain_ispwned
[*] Module installed: recon/domains-credentials/pwnedlist/leak_lookup
[*] Module installed: recon/domains-credentials/pwnedlist/leaks_dump
[*] Module installed: recon/domains-credentials/scylla
[*] Module installed: recon/domains-domains/brute_suffix
[*] Module installed: recon/domains-hosts/binaryedge
[*] Module installed: recon/domains-hosts/bing_domain_api
[*] Module installed: recon/domains-hosts/bing_domain_web
[*] Module installed: recon/domains-hosts/brute_hosts
[*] Module installed: recon/domains-hosts/builtwith
[*] Module installed: recon/domains-hosts/certificate_transparency
[*] Module installed: recon/domains-hosts/findsubdomains
[*] Module installed: recon/domains-hosts/google_site_web
[*] Module installed: recon/domains-hosts/hackertarget
[*] Module installed: recon/domains-hosts/mx_spf_ip
[*] Module installed: recon/domains-hosts/netcraft
[*] Module installed: recon/domains-hosts/shodan_hostname
[*] Module installed: recon/domains-hosts/ssl_san
[*] Module installed: recon/domains-hosts/threatcrowd
[*] Module installed: recon/domains-hosts/threatminer
[*] Module installed: recon/domains-vulnerabilities/ghdb
[*] Module installed: recon/domains-vulnerabilities/xssed
[*] Module installed: recon/domains-vulnerabilities/xssposed
[*] Module installed: recon/hosts-domains/migrate_hosts
[*] Module installed: recon/hosts-hosts/bing_ip
[*] Module installed: recon/hosts-hosts/ipinfodb
[*] Module installed: recon/hosts-hosts/ipstack
[*] Module installed: recon/hosts-hosts/resolve
[*] Module installed: recon/hosts-hosts/reverse_resolve
[*] Module installed: recon/hosts-hosts/ssltools
[*] Module installed: recon/hosts-hosts/virustotal
[*] Module installed: recon/hosts-locations/migrate_hosts
[*] Module installed: recon/hosts-ports/binaryedge
[*] Module installed: recon/hosts-ports/shodan_ip
[*] Module installed: recon/locations-locations/geocode
[*] Module installed: recon/locations-locations/reverse_geocode
[*] Module installed: recon/locations-pushpins/flickr
[*] Module installed: recon/locations-pushpins/shodan
[*] Module installed: recon/locations-pushpins/twitter
[*] Module installed: recon/locations-pushpins/youtube
[*] Module installed: recon/netblocks-companies/whois_orgs
[*] Module installed: recon/netblocks-hosts/reverse_resolve
[*] Module installed: recon/netblocks-hosts/shodan_net
[*] Module installed: recon/netblocks-hosts/virustotal
[*] Module installed: recon/netblocks-ports/census_2012
[*] Module installed: recon/netblocks-ports/censysio
[*] Module installed: recon/ports-hosts/migrate_ports
[*] Module installed: recon/profiles-contacts/bing_linkedin_contacts
[*] Module installed: recon/profiles-contacts/dev_diver
[*] Module installed: recon/profiles-contacts/github_users
[*] Module installed: recon/profiles-profiles/namechk
[*] Module installed: recon/profiles-profiles/profiler
[*] Module installed: recon/profiles-profiles/twitter_mentioned
[*] Module installed: recon/profiles-profiles/twitter_mentions
[*] Module installed: recon/profiles-repositories/github_repos
[*] Module installed: recon/repositories-profiles/github_commits
[*] Module installed: recon/repositories-vulnerabilities/gists_search
[*] Module installed: recon/repositories-vulnerabilities/github_dorks
[*] Module installed: reporting/csv
[*] Module installed: reporting/html
[*] Module installed: reporting/json
[*] Module installed: reporting/list
[*] Module installed: reporting/proxifier
[*] Module installed: reporting/pushpin
[*] Module installed: reporting/xlsx
[*] Module installed: reporting/xml

Note that many of these modules talk to third-party APIs and need a key before they are useful; keys are managed with `keys list` and `keys add <name> <value>`, and a module whose key is missing warns about it when you load it.

Now there are modules, but to work with them you need to create a workspace (a project):

Code:
[recon-ng][default] > workspaces create antichat.me
[recon-ng][antichat.me] >

and then push the domain we are interested in into the workspace database:

Code:
[recon-ng][antichat.me] > db insert domains antichat.me
[*] 1 rows affected.

Now we can use the modules that take domains as input. Module names follow the pattern <input table>-<output table>, so everything that reads the domains table is under domains-*:

Code:
[recon-ng][antichat.me] > modules search domain
[*] Searching installed modules for 'domain'...

Spoiler: List of domain modules
  Recon
  -----
    recon/companies-domains/pen
    recon/companies-domains/viewdns_reverse_whois
    recon/contacts-domains/migrate_contacts
    recon/domains-companies/pen
    recon/domains-contacts/pen
    recon/domains-contacts/pgp_search
    recon/domains-contacts/whois_pocs
    recon/domains-credentials/pwnedlist/api_usage
    recon/domains-credentials/pwnedlist/domain_ispwned
    recon/domains-credentials/pwnedlist/leak_lookup
    recon/domains-credentials/pwnedlist/leaks_dump
    recon/domains-credentials/scylla
    recon/domains-domains/brute_suffix
    recon/domains-hosts/binaryedge
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/certificate_transparency
    recon/domains-hosts/findsubdomains
    recon/domains-hosts/google_site_web
    recon/domains-hosts/hackertarget
    recon/domains-hosts/mx_spf_ip
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/threatcrowd
    recon/domains-hosts/threatminer
    recon/domains-vulnerabilities/ghdb
    recon/domains-vulnerabilities/xssed
    recon/domains-vulnerabilities/xssposed
    recon/hosts-domains/migrate_hosts

To use the brute_hosts module, which gives us subdomain (host) names by brute-forcing DNS against the domains in the database, it first has to be loaded; after that we can look at its info:

Code:
[recon-ng][antichat.me] > modules load recon/domains-hosts/brute_hosts
[recon-ng][antichat.me][brute_hosts] > info

      Name: DNS Hostname Brute Forcer
    Author: Tim Tomes (@lanmaster53)
   Version: 1.0

Description:
  Brute forces host names using DNS. Updates the 'hosts' table with the results.

Options:
  Name      Current Value                                             Required  Description
  --------  -------------                                             --------  -----------
  SOURCE    default                                                   yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt  yes       path to hostname wordlist

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

Modules have different options, which can be listed (`options list`) and set (`options set`). The special one is SOURCE: where the module takes its inputs (here, domains) from. As the "Source Options" block shows, it can be `default` (the module's own SQL query over the workspace database), a literal string naming a single input, a path to a file with a list of inputs, or `query <sql>` with your own query returning one column. The default simply uses the data that is already in the database, which is why we inserted the domain first.

Code:
[recon-ng][antichat.me][brute_hosts] > options list

  Name      Current Value                      Required  Description
  --------  -------------                      --------  -----------
  SOURCE    default                            yes       source of input (see 'show info' for details)
  WORDLIST  /root/.recon-ng/data/hostnames.txt  yes       path to hostname wordlist

[recon-ng][antichat.me][brute_hosts] > options set WORDLIST /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt
WORDLIST => /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt

Now just run the module:

Code:
[recon-ng][antichat.me][brute_hosts] > run
(...)
-------
SUMMARY
-------
[*] 14 total (13 new) hosts found.
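To make the SOURCE precedence concrete, here is an added example (my own code, not recon-ng's) that reimplements the four Source Options listed by `info` and runs them against a constructed in-memory copy of the workspace `domains` table. The table schema, the DEFAULT_QUERY constant (copied from the `info` output above) and the temporary wordlist file are all assumptions made for the demo; the real database lives at `~/.recon-ng/workspaces/<name>/data.db`.

```python
"""Resolve a recon-ng style SOURCE option against a workspace database.

Added example, not recon-ng's own code: it reimplements the four Source
Options that 'info' lists (default / <string> / <path> / query <sql>) so
the precedence between them can be seen offline. The in-memory 'domains'
table, its schema and the wordlist file are constructed here and only
approximate the real ~/.recon-ng/workspaces/<name>/data.db.
"""
import os
import sqlite3
import tempfile

# Default query shown by 'info' for recon/domains-hosts/brute_hosts.
DEFAULT_QUERY = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"


def make_workspace(domains):
    """Constructed stand-in for the workspace DB after 'db insert domains'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (domain TEXT, notes TEXT, module TEXT)")
    db.executemany("INSERT INTO domains VALUES (?, NULL, 'db insert')",
                   [(d,) for d in domains])
    return db


def resolve_source(db, source, default_query=DEFAULT_QUERY):
    """Return the de-duplicated, ordered inputs a module would iterate over.

    Precedence (assumed to match recon-ng's behaviour):
      1. 'default'        -> run the module's own default query
      2. 'query <sql>'    -> run the operator's SQL; must return one column
      3. an existing path -> one input per whitespace-separated token
      4. anything else    -> a single literal input
    Note that 3 beats 4: a literal that happens to be a filename in the
    current directory is read as a file, not used as a domain.
    """
    words = source.split()
    prefix = words[0].lower() if words else ""
    if prefix in ("default", "query"):
        sql = default_query if prefix == "default" else " ".join(words[1:])
        rows = db.execute(sql).fetchall()
        if rows and len(rows[0]) != 1:
            raise ValueError("source query must return exactly one column")
        inputs = [row[0] for row in rows]
    elif os.path.exists(source):
        with open(source) as fh:
            inputs = fh.read().split()
    else:
        inputs = [source]
    seen, result = set(), []
    for item in inputs:
        if item and item not in seen:   # drop empties and duplicates
            seen.add(item)
            result.append(item)
    return result


def demo():
    """Exercise all four forms; returns a dict so the results can be checked."""
    db = make_workspace(["antichat.me", "antichat.me", "example.org"])
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("a.antichat.me\nb.antichat.me\na.antichat.me\n")  # constructed
        path = fh.name
    try:
        return {
            "default": resolve_source(db, "default"),
            "string": resolve_source(db, "corp.example.org"),
            "path": resolve_source(db, path),
            "query": resolve_source(
                db, "query SELECT domain FROM domains WHERE domain LIKE '%.me'"),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for form, inputs in demo().items():
        print(f"{form:8} -> {inputs}")
```

The practical use of the `query` form is scoping: with several domains in the workspace you can point brute_hosts at a subset (`options set SOURCE query SELECT domain FROM domains WHERE domain LIKE '%.me'`) instead of deleting rows, and the same query works as the SOURCE of any other domains-* module.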
and we end up with 13 rows in the hosts table. That is 13 host/IP pairs, not 13 distinct subdomains: a host with several A records gets one row per address, and the brute-forcer also records the bare name of anything it reached through a CNAME (without an address), which is where the rows with an empty ip_address and the out-of-scope incapdns.net name come from:

Code:
[recon-ng][antichat.me][brute_hosts] > show hosts

  +-------+------------------------+---------------+--------+---------+----------+-----------+-------------+
  | rowid | host                   | ip_address    | region | country | latitude | longitude | module      |
  +-------+------------------------+---------------+--------+---------+----------+-----------+-------------+
  | 1     | apps.antichat.me       | 52.216.187.2  |        |         |          |           | brute_hosts |
  | 2     | antichat.me            |               |        |         |          |           | brute_hosts |
  | 3     | ftp.antichat.me        |               |        |         |          |           | brute_hosts |
  | 4     | ftp.antichat.me        | 45.60.11.90   |        |         |          |           | brute_hosts |
  | 5     | ftp.antichat.me        | 45.60.101.90  |        |         |          |           | brute_hosts |
  | 6     | img.antichat.me        | 35.171.171.46 |        |         |          |           | brute_hosts |
  | 7     | img.antichat.me        | 52.23.124.186 |        |         |          |           | brute_hosts |
  | 8     | mail.antichat.me       |               |        |         |          |           | brute_hosts |
  | 9     | mail.antichat.me       | 45.60.11.90   |        |         |          |           | brute_hosts |
  | 10    | mail.antichat.me       | 45.60.101.90  |        |         |          |           | brute_hosts |
  | 11    | a5q55pw.x.incapdns.net |               |        |         |          |           | brute_hosts |
  | 12    | www.antichat.me        |               |        |         |          |           | brute_hosts |
  | 13    | www.antichat.me        | 45.60.13.90   |        |         |          |           | brute_hosts |
  +-------+------------------------+---------------+--------+---------+----------+-----------+-------------+

[*] 13 rows returned

Say rows 3, 8, 11 and 12 are noise we don't need (3, 8 and 12 are unresolved duplicates of hosts that already have an address; 11 is a CDN name outside the target domain), so we delete them from the database by rowid:

Code:
[recon-ng][antichat.me][brute_hosts] > db delete hosts 3,8,11,12
[*] 4 rows affected.

[recon-ng][antichat.me][brute_hosts] > show hosts

  +-------+------------------+---------------+--------+---------+----------+-----------+-------------+
  | rowid | host             | ip_address    | region | country | latitude | longitude | module      |
  +-------+------------------+---------------+--------+---------+----------+-----------+-------------+
  | 1     | apps.antichat.me | 52.216.187.2  |        |         |          |           | brute_hosts |
  | 2     | antichat.me      |               |        |         |          |           | brute_hosts |
  | 4     | ftp.antichat.me  | 45.60.11.90   |        |         |          |           | brute_hosts |
  | 5     | ftp.antichat.me  | 45.60.101.90  |        |         |          |           | brute_hosts |
  | 6     | img.antichat.me  | 35.171.171.46 |        |         |          |           | brute_hosts |
  | 7     | img.antichat.me  | 52.23.124.186 |        |         |          |           | brute_hosts |
  | 9     | mail.antichat.me | 45.60.11.90   |        |         |          |           | brute_hosts |
  | 10    | mail.antichat.me | 45.60.101.90  |        |         |          |           | brute_hosts |
  | 13    | www.antichat.me  | 45.60.13.90   |        |         |          |           | brute_hosts |
  +-------+------------------+---------------+--------+---------+----------+-----------+-------------+

[*] 9 rows returned

Note that the remaining rows keep their original rowids (there is no 4, 8, 11 or 12 any more), so anything you script against rowids has to re-read them after a delete.
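Picking rowids by eye does not scale past one domain, so here is an added example (my own code, not recon-ng's) that turns the two reasons behind deleting rows 3, 8, 11 and 12 into SQL over the hosts table and reproduces exactly that set. The rows are a constructed copy of the listing above; the table columns follow that listing, and the path `~/.recon-ng/workspaces/<name>/data.db` and the `db query` command are assumptions about where to run the same queries for real (back the file up first).

```python
"""Prune noise from a recon-ng 'hosts' table the way the post does by hand.

Added example, not recon-ng's own code. The rows are a constructed copy of
the 'show hosts' output above, loaded into an in-memory SQLite table whose
columns follow that output (the real workspace DB is assumed to live at
~/.recon-ng/workspaces/<name>/data.db; the SELECTs below can be run there
with 'db query' inside recon-ng or with the sqlite3 CLI).
Two rules reproduce the manual choice of rows 3, 8, 11, 12:
  a) a host with no ip_address is redundant once the same host also has
     a resolved row (brute_hosts stores CNAME names without an address);
  b) a host outside the target domain is out of scope.
"""
import sqlite3

TARGET = "antichat.me"

# (rowid, host, ip_address) as shown by 'show hosts'; constructed sample.
SAMPLE_HOSTS = [
    (1, "apps.antichat.me", "52.216.187.2"),
    (2, "antichat.me", None),
    (3, "ftp.antichat.me", None),
    (4, "ftp.antichat.me", "45.60.11.90"),
    (5, "ftp.antichat.me", "45.60.101.90"),
    (6, "img.antichat.me", "35.171.171.46"),
    (7, "img.antichat.me", "52.23.124.186"),
    (8, "mail.antichat.me", None),
    (9, "mail.antichat.me", "45.60.11.90"),
    (10, "mail.antichat.me", "45.60.101.90"),
    (11, "a5q55pw.x.incapdns.net", None),
    (12, "www.antichat.me", None),
    (13, "www.antichat.me", "45.60.13.90"),
]


def load_hosts(rows=SAMPLE_HOSTS):
    """Constructed stand-in for the workspace 'hosts' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, "
               "country TEXT, latitude TEXT, longitude TEXT, module TEXT)")
    db.executemany("INSERT INTO hosts (rowid, host, ip_address, module) "
                   "VALUES (?, ?, ?, 'brute_hosts')", rows)
    db.commit()
    return db


def stale_rowids(db, target=TARGET):
    """rowids that rules (a) and (b) mark for deletion, ascending."""
    unresolved_dupes = db.execute("""
        SELECT h.rowid FROM hosts h
        WHERE h.ip_address IS NULL
          AND EXISTS (SELECT 1 FROM hosts r
                      WHERE r.host = h.host AND r.ip_address IS NOT NULL)
    """).fetchall()
    # Apex matched exactly, sub-names via '%.' + target. LIKE treats '_' as
    # a wildcard, so a target containing '_' would need an escape clause.
    out_of_scope = db.execute(
        "SELECT rowid FROM hosts WHERE NOT (host = ? OR host LIKE ?)",
        (target, "%." + target)).fetchall()
    return sorted({r[0] for r in unresolved_dupes} | {r[0] for r in out_of_scope})


def delete_rows(db, rowids):
    """Delete by rowid (what 'db delete hosts 3,8,11,12' does); returns count."""
    cur = db.executemany("DELETE FROM hosts WHERE rowid = ?",
                         [(r,) for r in rowids])
    db.commit()
    return cur.rowcount


def remaining_rowids(db):
    """rowids are not renumbered after a delete, as the second listing shows."""
    return [r[0] for r in db.execute("SELECT rowid FROM hosts ORDER BY rowid")]


def prune(db, target=TARGET):
    """Apply both rules; returns (deleted_count, remaining_rowids)."""
    deleted = delete_rows(db, stale_rowids(db, target))
    return deleted, remaining_rowids(db)


if __name__ == "__main__":
    db = load_hosts()
    print("would delete rowids:", stale_rowids(db))
    print("deleted, remaining:", prune(db))
```

Rule (a) deliberately keeps row 2 (the apex `antichat.me` with no address), because no resolved row for it exists yet; the same logic applied after `recon/hosts-hosts/resolve` has run would then drop it. Rule (b) is the one to run after every hosts-producing module, since CDN and hosting names pulled in through CNAMEs are the usual way out-of-scope targets creep into a workspace.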