Lab 3: Gathering Intelligence with Recon-ng
Objective
Learn how to use Recon-ng, a reconnaissance framework, to gather intelligence about a target domain. This exercise helps you understand how attackers collect data during the information-gathering phase and how to use this knowledge for defensive purposes.
Prerequisites
- Kali Linux or Any Linux Distro with Recon-ng Installed:
- To check if Recon-ng is installed, type:
recon-ng --version
- Install it if necessary:
sudo apt update && sudo apt install recon-ng
- Basic Understanding of Domains and DNS:
- Familiarity with domain names, subdomains, and DNS records.
- Tip: If you’re unsure, review the basics of how DNS works.
- Target Domain:
- Identify a domain you own or have explicit permission to test.
Step 1: Launching Recon-ng
- Start your Kali Linux environment and open a terminal.
- Launch Recon-ng by typing:
recon-ng
- You will see the Recon-ng framework interface, which looks similar to a Metasploit console.
Step 2: Setting Up a Workspace
- Create a workspace to organize your reconnaissance data:
workspace create <workspace_name>
- Replace <workspace_name> with a descriptive name (e.g., testdomain).
- Tip: Workspaces help you keep data for different projects separate.
- Verify your active workspace:
workspace list
- The active workspace will be marked with an asterisk (*).
Step 3: Adding a Target Domain
- Set the target domain for reconnaissance:
add domains <target_domain>
- Replace <target_domain> with the domain you’re analyzing (e.g., example.com).
- Verify the domain was added:
show domains
Step 4: Installing and Using Modules
Recon-ng uses modules to perform specific tasks, such as gathering subdomains, identifying DNS records, or retrieving WHOIS data.
- View available modules:
modules search
- Tip: Use keywords like whois, dns, or subdomain to narrow the search.
- Load a module:
modules load <module_name>
- Replace <module_name> with the name of the module (e.g., recon/domains-hosts/whois_pocs).
- Set module options:
options set <option_name> <value>
- Replace <option_name> with the required parameter (e.g., source) and <value> with the corresponding value (e.g., your target domain).
- Run the module:
run
- Tip: Use options show to check which parameters need to be set before running.
- Review the output:
- The results will display directly in the terminal or be saved in the database for later use.
Step 5: Gathering Subdomains
- Use the recon/domains-hosts/brute_hosts module to find subdomains:
modules load recon/domains-hosts/brute_hosts
- Set the source option to your target domain:
options set source <target_domain>
- Run the module:
run
- View the discovered subdomains:
show hosts
- Insight: Subdomains can reveal internal services or overlooked attack surfaces.
Step 6: Retrieving WHOIS Information
- Use the recon/domains-hosts/whois_pocs module to gather WHOIS data:
modules load recon/domains-hosts/whois_pocs
- Set the source option to your target domain and run the module:
options set source <target_domain>
run
- Review the collected WHOIS information, including registrant details and administrative contacts.
- Tip: WHOIS data often reveals useful details about the organization and network.
Step 7: Exporting Results
- Export collected data for reporting or further analysis:
output csv <file_name>
- Replace <file_name> with a descriptive name (e.g., recon_results.csv).
- Verify the exported file is saved in the current working directory:
ls
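The exported CSV is most useful when it is reviewed from the defender's side: which discovered hosts are not in your asset inventory, which resolve to addresses outside your own ranges, and which did not resolve at all. The script below is an added example written for this lab, not part of Recon-ng or the original lab text. The sample CSV is constructed; its column names (host, ip_address, region, country, latitude, longitude, notes, module) follow Recon-ng's hosts table as I understand it, so check them against your own export. KNOWN_ASSETS and OWNED_RANGES are placeholders for your real inventory and address space.

```python
import csv
import io
import ipaddress

# Constructed sample of an exported hosts table. Column names are assumed to match
# Recon-ng's hosts table; the host names and addresses are made up for this example
# (203.0.113.0/24 and 198.51.100.0/24 are documentation-reserved ranges).
SAMPLE_HOSTS_CSV = """host,ip_address,region,country,latitude,longitude,notes,module
www.example.com,203.0.113.10,,,,,,brute_hosts
mail.example.com,203.0.113.25,,,,,,brute_hosts
dev.example.com,198.51.100.7,,,,,,brute_hosts
vpn.example.com,,,,,,,brute_hosts
legacy.example.com,203.0.113.77,,,,,,brute_hosts
"""

# Placeholders for the organization's asset inventory and address allocations.
KNOWN_ASSETS = {"www.example.com", "mail.example.com", "vpn.example.com"}
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def load_hosts(csv_text):
    """Parse the exported hosts CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def in_owned_range(ip, owned_ranges=OWNED_RANGES):
    """True if `ip` parses and falls inside one of the organization's ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in owned_ranges)


def review_hosts(rows, target_domain, known_assets=KNOWN_ASSETS):
    """Classify discovered hosts for an attack-surface review.

    Returns a dict with:
      in_scope       - hosts under the target domain
      out_of_scope   - hosts that are not under the target domain (data to discard)
      unknown_assets - in-scope hosts missing from the inventory (investigate)
      foreign_ip     - in-scope hosts resolving outside owned ranges (third party, dangling DNS?)
      unresolved     - in-scope hosts with no address (possible stale records)
    """
    target = target_domain.strip().lower().rstrip(".")
    suffix = "." + target
    report = {"in_scope": [], "out_of_scope": [], "unknown_assets": [],
              "foreign_ip": [], "unresolved": []}
    for row in rows:
        host = (row.get("host") or "").strip().lower().rstrip(".")
        if host != target and not host.endswith(suffix):
            report["out_of_scope"].append(host)
            continue
        report["in_scope"].append(host)
        if host not in known_assets:
            report["unknown_assets"].append(host)
        ip = (row.get("ip_address") or "").strip()
        if not ip:
            report["unresolved"].append(host)
        elif not in_owned_range(ip):
            report["foreign_ip"].append((host, ip))
    return report


if __name__ == "__main__":
    # Example usage: replace SAMPLE_HOSTS_CSV with open("recon_results.csv").read().
    findings = review_hosts(load_hosts(SAMPLE_HOSTS_CSV), "example.com")
    for category, items in findings.items():
        print(f"{category}: {items}")
```

Hosts flagged as unknown_assets or foreign_ip are the ones to chase first: an unknown subdomain may be a forgotten service, and a name pointing outside your ranges may be a legitimate SaaS record or a dangling entry that should be removed.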
Step 8: Cleaning Up
- Remove sensitive data from the workspace if needed:
delete domains
delete hosts
- Exit Recon-ng:
exit
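Once you have typed Steps 2 through 8 by hand a few times, the same sequence can be captured in a resource file and replayed. The script below is an added example for this lab, not code from Recon-ng or the lab author. It assumes Recon-ng accepts a resource file of console commands via `recon-ng -r <file>` (check `recon-ng --help` on your build), uses the command spellings exactly as this lab gives them (adjust the template if your installed version names them differently, e.g. `workspaces create`), and validates the target domain before any command string is built so that a typo never reaches the console. The `back` line after each `run` is my addition to leave the module context before the next module is loaded.

```python
import re
from pathlib import Path

# DNS label check: letters, digits and hyphens, no leading or trailing hyphen.
# Hypothetical helper written for this example, not part of Recon-ng.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# The two modules used in Steps 5 and 6 of the lab.
LAB_MODULES = (
    "recon/domains-hosts/brute_hosts",   # Step 5: subdomain discovery
    "recon/domains-hosts/whois_pocs",    # Step 6: WHOIS points of contact
)


def validate_domain(domain: str) -> bool:
    """Return True when `domain` is a syntactically valid, fully qualified DNS name."""
    name = domain.strip().lower().rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def build_resource_commands(domain: str, workspace: str, csv_name: str,
                            modules=LAB_MODULES) -> list:
    """Return the lab's console commands, in order, for one authorized target.

    All three inputs are validated first; a workspace name or file name with
    spaces or shell metacharacters would otherwise be written straight into
    the resource file.
    """
    if not validate_domain(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", workspace):
        raise ValueError(f"workspace name must be alphanumeric: {workspace!r}")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+\.csv", csv_name):
        raise ValueError(f"csv_name must be a plain .csv file name: {csv_name!r}")
    domain = domain.strip().lower().rstrip(".")

    commands = [
        f"workspace create {workspace}",  # Step 2
        f"add domains {domain}",          # Step 3
    ]
    for module in modules:                # Steps 4 to 6, one block per module
        commands += [
            f"modules load {module}",
            f"options set source {domain}",
            "run",
            "back",                       # leave the module context (added here)
        ]
    commands += [
        f"output csv {csv_name}",         # Step 7
        "exit",                           # Step 8
    ]
    return commands


def write_resource_file(path, commands) -> Path:
    """Write one command per line for replay with `recon-ng -r <path>` (assumed flag)."""
    target = Path(path)
    target.write_text("\n".join(commands) + "\n", encoding="utf-8")
    return target


if __name__ == "__main__":
    # Example usage with a constructed, documentation-reserved domain.
    cmds = build_resource_commands("example.com", "testdomain", "recon_results.csv")
    rc = write_resource_file("lab3.rc", cmds)
    print(f"wrote {len(cmds)} commands to {rc}; replay with: recon-ng -r {rc}")
```

Keep the generated file with the engagement's authorization record: it documents exactly which modules were run against which domain, which is what a reviewer will ask for.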
Additional Tips and Insights
- Ethical Guidelines:
- Only gather intelligence on systems or domains you own or have explicit permission to test.
- Insight: Unauthorized reconnaissance is illegal and can lead to severe consequences.
- Leveraging Recon-ng’s Database:
- Recon-ng stores collected data in an internal database for easy access.
- Tip: Use commands like show hosts, show domains, and show contacts to view stored data.
- API Keys for Enhanced Functionality:
- Some modules require API keys for external services (e.g., Shodan, VirusTotal).
- Configure API keys using:
keys add <service> <api_key>
- Continuous Practice:
- Experiment with different modules and targets to deepen your understanding.
- Insight: Regular practice with Recon-ng builds proficiency in gathering and analyzing intelligence.
Key Takeaways
- Recon-ng is a powerful framework for collecting and managing reconnaissance data.
- Its modular design allows for flexible and targeted information gathering.
- Ethical use and adherence to legal guidelines are critical when performing reconnaissance.