Background: during attack surface discovery (information gathering) at the start of a penetration test, you usually need a lot of separate tools, and at the end all the collected information has to be consolidated in one place.

Now there is a ready-made framework that integrates many information gathering modules, a database for storing the information, and report generation modules, which makes engineered information gathering possible.

That framework is recon-ng. recon-ng is written in Python and is used in much the same way as Metasploit.

How to use it:

1. Create a workspace (one workspace per penetration target is recommended, so that all the collected information belongs to a single target)

Command: recon-ng -w <workspace name>

Example:

recon-ng -w cctv

# After creating the 'cctv' workspace with the command above, the workspaces can be inspected with the following command
[recon-ng][cctv] > show workspaces

  +------------+
  | Workspaces |
  +------------+
  | cctv       |
  | default    |
  +------------+

2. Configure search engine API keys

keys list  ===> show the search engine API keys that are configured

keys add shodan_api fdkasjkfljklasjkldffjalks  ===> set the Shodan search API key

[recon-ng][cctv] > keys list

  +--------------------------+
  |       Name       | Value |
  +--------------------------+
  | bing_api         |       |
  | builtwith_api    |       |
  | censysio_id      |       |
  | censysio_secret  |       |
  | flickr_api       |       |
  | fullcontact_api  |       |
  | github_api       |       |
  | google_api       |       |
  | hashes_api       |       |
  | ipinfodb_api     |       |
  | ipstack_api      |       |
  | jigsaw_api       |       |
  | jigsaw_password  |       |
  | jigsaw_username  |       |
  | pwnedlist_api    |       |
  | pwnedlist_iv     |       |
  | pwnedlist_secret |       |
  | shodan_api       |       |
  | twitter_api      |       |
  | twitter_secret   |       |
  | virustotal_api   |       |
  +--------------------------+

[recon-ng][cctv] > keys add shodan_api fdkasjkfljklasjkldffjalks

3. show options (view the global settings)

[recon-ng][cctv] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

It is recommended to set a proxy so that Google can be reached (Google's search capability is hard to beat):

set PROXY 127.0.0.1:1087

4. List the available modules

Typing use followed by the Tab key shows which modules are available

[recon-ng][cctv] > use
discovery/info_disclosure/cache_snoop recon/domains-companies/pen recon/domains-hosts/threatcrowd recon/netblocks-hosts/shodan_net
discovery/info_disclosure/interesting_files recon/domains-contacts/metacrawler recon/domains-hosts/threatminer recon/netblocks-hosts/virustotal
exploitation/injection/command_injector recon/domains-contacts/pen recon/domains-vulnerabilities/ghdb recon/netblocks-ports/census_2012
exploitation/injection/xpath_bruter recon/domains-contacts/pgp_search recon/domains-vulnerabilities/punkspider recon/netblocks-ports/censysio
import/csv_file recon/domains-contacts/whois_pocs recon/domains-vulnerabilities/xssed recon/ports-hosts/migrate_ports
import/list recon/domains-credentials/pwnedlist/account_creds recon/domains-vulnerabilities/xssposed recon/profiles-contacts/dev_diver
recon/companies-contacts/bing_linkedin_cache recon/domains-credentials/pwnedlist/api_usage recon/hosts-domains/migrate_hosts recon/profiles-contacts/github_users
recon/companies-contacts/jigsaw/point_usage recon/domains-credentials/pwnedlist/domain_creds recon/hosts-hosts/bing_ip recon/profiles-profiles/namechk
recon/companies-contacts/jigsaw/purchase_contact recon/domains-credentials/pwnedlist/domain_ispwned recon/hosts-hosts/ipinfodb recon/profiles-profiles/profiler
recon/companies-contacts/jigsaw/search_contacts recon/domains-credentials/pwnedlist/leak_lookup recon/hosts-hosts/ipstack recon/profiles-profiles/twitter_mentioned
recon/companies-contacts/pen recon/domains-credentials/pwnedlist/leaks_dump recon/hosts-hosts/resolve recon/profiles-profiles/twitter_mentions
recon/companies-domains/pen recon/domains-domains/brute_suffix recon/hosts-hosts/reverse_resolve recon/profiles-repositories/github_repos
recon/companies-multi/github_miner recon/domains-hosts/bing_domain_api recon/hosts-hosts/ssltools recon/repositories-profiles/github_commits
recon/companies-multi/whois_miner recon/domains-hosts/bing_domain_web recon/hosts-hosts/virustotal recon/repositories-vulnerabilities/gists_search
recon/contacts-contacts/mailtester recon/domains-hosts/brute_hosts recon/hosts-locations/migrate_hosts recon/repositories-vulnerabilities/github_dorks
recon/contacts-contacts/mangle recon/domains-hosts/builtwith recon/hosts-ports/shodan_ip reporting/csv
recon/contacts-contacts/unmangle recon/domains-hosts/certificate_transparency recon/locations-locations/geocode reporting/html
recon/contacts-credentials/hibp_breach recon/domains-hosts/findsubdomains recon/locations-locations/reverse_geocode reporting/json
recon/contacts-credentials/hibp_paste recon/domains-hosts/google_site_web recon/locations-pushpins/flickr reporting/list
recon/contacts-domains/migrate_contacts recon/domains-hosts/hackertarget recon/locations-pushpins/shodan reporting/proxifier
recon/contacts-profiles/fullcontact recon/domains-hosts/mx_spf_ip recon/locations-pushpins/twitter reporting/pushpin
recon/credentials-credentials/adobe recon/domains-hosts/netcraft recon/locations-pushpins/youtube reporting/xlsx
recon/credentials-credentials/bozocrack recon/domains-hosts/shodan_hostname recon/netblocks-companies/whois_orgs reporting/xml
recon/credentials-credentials/hashes_org recon/domains-hosts/ssl_san recon/netblocks-hosts/reverse_resolve

You can also use the search command to find relevant modules

[recon-ng][cctv] > search google
[*] Searching for 'google'...

  Recon
  -----
    recon/domains-hosts/google_site_web

At this point you may wonder: with so many modules, how do I know what each one does? Select the module with use and then run show info to get a detailed description of it

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show info

       Name: Google Hostname Enumerator
       Path: modules/recon/domains-hosts/google_site_web.py
     Author: Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with
  the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  cctv.com       yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

In addition, recon-ng automatically stores the collected information in a database, and later we can pull that data back out for further queries. The following command shows which tables the database contains:

[recon-ng][cctv] > show schema

  +---------------+
  |    domains    |
  +---------------+
  | domain | TEXT |
  | module | TEXT |
  +---------------+

  +--------------------+
  |     companies      |
  +--------------------+
  | company     | TEXT |
  | description | TEXT |
  | module      | TEXT |
  +--------------------+

  +-----------------+
  |    netblocks    |
  +-----------------+
  | netblock | TEXT |
  | module   | TEXT |
  +-----------------+

  +-----------------------+
  |       locations       |
  +-----------------------+
  | latitude       | TEXT |
  | longitude      | TEXT |
  | street_address | TEXT |
  | module         | TEXT |
  +-----------------------+

  +---------------------+
  |   vulnerabilities   |
  +---------------------+
  | host         | TEXT |
  | reference    | TEXT |
  | example      | TEXT |
  | publish_date | TEXT |
  | category     | TEXT |
  | status       | TEXT |
  | module       | TEXT |
  +---------------------+

  +-------------------+
  |       ports       |
  +-------------------+
  | ip_address | TEXT |
  | host       | TEXT |
  | port       | TEXT |
  | protocol   | TEXT |
  | module     | TEXT |
  +-------------------+

  +-------------------+
  |       hosts       |
  +-------------------+
  | host       | TEXT |
  | ip_address | TEXT |
  | region     | TEXT |
  | country    | TEXT |
  | latitude   | TEXT |
  | longitude  | TEXT |
  | module     | TEXT |
  +-------------------+

  +--------------------+
  |      contacts      |
  +--------------------+
  | first_name  | TEXT |
  | middle_name | TEXT |
  | last_name   | TEXT |
  | email       | TEXT |
  | title       | TEXT |
  | region      | TEXT |
  | country     | TEXT |
  | module      | TEXT |
  +--------------------+

  +-----------------+
  |   credentials   |
  +-----------------+
  | username | TEXT |
  | password | TEXT |
  | hash     | TEXT |
  | type     | TEXT |
  | leak     | TEXT |
  | module   | TEXT |
  +-----------------+

  +-----------------------------+
  |            leaks            |
  +-----------------------------+
  | leak_id              | TEXT |
  | description          | TEXT |
  | source_refs          | TEXT |
  | leak_type            | TEXT |
  | title                | TEXT |
  | import_date          | TEXT |
  | leak_date            | TEXT |
  | attackers            | TEXT |
  | num_entries          | TEXT |
  | score                | TEXT |
  | num_domains_affected | TEXT |
  | attack_method        | TEXT |
  | target_industries    | TEXT |
  | password_hash        | TEXT |
  | password_type        | TEXT |
  | targets              | TEXT |
  | media_refs           | TEXT |
  | module               | TEXT |
  +-----------------------------+

  +---------------------+
  |      pushpins       |
  +---------------------+
  | source       | TEXT |
  | screen_name  | TEXT |
  | profile_name | TEXT |
  | profile_url  | TEXT |
  | media_url    | TEXT |
  | thumb_url    | TEXT |
  | message      | TEXT |
  | latitude     | TEXT |
  | longitude    | TEXT |
  | time         | TEXT |
  | module       | TEXT |
  +---------------------+

  +-----------------+
  |    profiles     |
  +-----------------+
  | username | TEXT |
  | resource | TEXT |
  | url      | TEXT |
  | category | TEXT |
  | notes    | TEXT |
  | module   | TEXT |
  +-----------------+

  +--------------------+
  |    repositories    |
  +--------------------+
  | name        | TEXT |
  | owner       | TEXT |
  | description | TEXT |
  | resource    | TEXT |
  | category    | TEXT |
  | url         | TEXT |
  | module      | TEXT |
  +--------------------+

5. Usage example (the scenario of finding subdomains and their corresponding IPs)

Use Google search to find which subdomains the target has

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show options   # check which values need to be filled in

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][cctv][google_site_web] > set SOURCE cctv.com   # set the target domain
SOURCE => cctv.com
[recon-ng][cctv][google_site_web] > run   # start the run

The target's subdomains can also be obtained by brute-force guessing:

[recon-ng][cctv] > use recon/domains-hosts/brute_hosts
[recon-ng][cctv][brute_hosts] > show options

  Name      Current Value                                                 Required  Description
  --------  ------------------------------------------------------------  --------  -----------
  SOURCE    default                                                       yes       source of input (see 'show info' for details)
  WORDLIST  /usr/local/Cellar/recon-ng/4.9.6/libexec/data/hostnames.txt  yes       path to hostname wordlist   # wordlist path

[recon-ng][cctv][brute_hosts] > set SOURCE cctv.com   # set the target domain
SOURCE => cctv.com
[recon-ng][cctv][brute_hosts] > run   # start the run

After the run finishes, the data it found is stored automatically in the database; we can query it either with 'show hosts' or with 'query <SQL statement>', for example:

[recon-ng][cctv] > show hosts

  +------------------------------------------------------------------------------------------------+
  | rowid | host          | ip_address | region | country | latitude | longitude | module          |
  +------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   |            |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  |            |        |         |          |           | google_site_web |
  | 3     | news.cctv.com |            |        |         |          |           | google_site_web |
  +------------------------------------------------------------------------------------------------+

[recon-ng][cctv] > query select * from hosts;

  +------------------------------------------------------------------------------------------------+
  | rowid | host          | ip_address | region | country | latitude | longitude | module          |
  +------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   |            |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  |            |        |         |          |           | google_site_web |
  | 3     | news.cctv.com |            |        |         |          |           | google_site_web |
  +------------------------------------------------------------------------------------------------+

# Most of the rows were removed for privacy; only 3 are kept as an example

The database now holds the target's subdomain information. Can we run further queries based on what is already in the database? Of course. Let's take resolving the hostnames to their IPs as an example:

[recon-ng][cctv] > use recon/hosts-hosts/resolve
[recon-ng][cctv][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

# Normally SOURCE would be followed by a single hostname, such as 'www.cctv.com'
[recon-ng][cctv][resolve] > set SOURCE query select host from hosts
# This is the great part! What we want to look up is the contents of a whole table; setting one hostname at a time would be exhausting.
# recon-ng actually supports setting the value to an SQL statement, so the data in the table can be queried in batch!
SOURCE => query select host from hosts
[recon-ng][cctv][resolve] > run

After it completes, let's look at how the contents of the database have changed:

[recon-ng][cctv][resolve] > show hosts

  +-----------------------------------------------------------------------------------------------------+
  | rowid | host          | ip_address      | region | country | latitude | longitude | module          |
  +-----------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com   | 123.125.195.125 |        |         |          |           | google_site_web |
  | 2     | www.cctv.com  | 114.112.172.231 |        |         |          |           | google_site_web |
  | 3     | news.cctv.com | 111.206.186.245 |        |         |          |           | google_site_web |
  | 4     | tv.cctv.com   | 123.125.195.125 |        |         |          |           | resolve         |
  | 5     | www.cctv.com  | 114.112.172.231 |        |         |          |           | resolve         |
  | 6     | news.cctv.com | 111.206.186.245 |        |         |          |           | resolve         |
  +-----------------------------------------------------------------------------------------------------+

# As you can see, the resolved IP addresses have been filled into the table
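As an added example (not code from the original post or from recon-ng itself), the following Python script rebuilds the hosts table from the schema shown above in an in-memory SQLite database, loads constructed rows mirroring the two listings, and shows two queries worth having at this step: a SOURCE-style query that returns only hosts still lacking an IP (tighter than the page's `select host from hosts`), and a deduplication of the duplicate rows that resolve leaves alongside the google_site_web rows.

```python
import sqlite3

# hosts table exactly as printed by `show schema` above (every column is TEXT).
HOSTS_SCHEMA = """
CREATE TABLE hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, module TEXT
)"""

# Constructed sample rows (host, ip_address, module) mirroring the two `show hosts`
# listings above: before resolve only google_site_web rows without an IP exist ...
BEFORE_RESOLVE = [
    ("tv.cctv.com", "", "google_site_web"),
    ("www.cctv.com", "", "google_site_web"),
    ("news.cctv.com", "", "google_site_web"),
]
# ... and after resolve every host appears twice, once per module, with the same IP.
AFTER_RESOLVE = [
    ("tv.cctv.com", "123.125.195.125", "google_site_web"),
    ("www.cctv.com", "114.112.172.231", "google_site_web"),
    ("news.cctv.com", "111.206.186.245", "google_site_web"),
    ("tv.cctv.com", "123.125.195.125", "resolve"),
    ("www.cctv.com", "114.112.172.231", "resolve"),
    ("news.cctv.com", "111.206.186.245", "resolve"),
]


def open_hosts_db(rows):
    """Create an in-memory workspace database with the hosts table and load `rows`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_SCHEMA)
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def unresolved_hosts(conn):
    """Hosts that still have no IP: a tighter SOURCE query than `select host from hosts`,
    so a re-run of resolve skips rows that are already done (NULL and '' both count)."""
    sql = ("SELECT DISTINCT host FROM hosts "
           "WHERE ip_address IS NULL OR ip_address = '' ORDER BY host")
    return [row[0] for row in conn.execute(sql)]


def dedup_hosts(conn):
    """Collapse the per-module duplicate rows into one (host, ip) pair, keeping the
    sorted list of modules that produced it, which is what a report should show."""
    sql = ("SELECT host, ip_address, GROUP_CONCAT(DISTINCT module) FROM hosts "
           "WHERE ip_address IS NOT NULL AND ip_address != '' "
           "GROUP BY host, ip_address ORDER BY host")
    return [(h, ip, sorted(m.split(","))) for h, ip, m in conn.execute(sql)]


if __name__ == "__main__":
    conn = open_hosts_db(AFTER_RESOLVE)
    print("still unresolved:", unresolved_hosts(conn))
    for host, ip, modules in dedup_hosts(conn):
        print(f"{host:<16}{ip:<18}{'+'.join(modules)}")
```

To run the same queries against a real workspace, replace ":memory:" with the workspace's database file under ~/.recon-ng/workspaces/<name>/ (the directory shown for results.html above; the file name data.db is an assumption).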

Using the data we have just gathered, here is how to export a report

[recon-ng][cctv] > search report   # check which report-related modules exist
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][cctv] > use reporting/html   # export as an HTML file
[recon-ng][cctv][html] > show options

  Name      Current Value                                        Required  Description
  --------  ---------------------------------------------------  --------  -----------
  CREATOR                                                        yes       creator name for the report footer
  CUSTOMER                                                       yes       customer name for the report header
  FILENAME  /Users/liwei/.recon-ng/workspaces/cctv/results.html  yes       path and filename for report output   # report output path
  SANITIZE  True                                                 yes       mask sensitive data in the report

[recon-ng][cctv][html] > set CREATOR liwei   # fill in the report author
CREATOR => liwei
[recon-ng][cctv][html] > set CUSTOMER cctv   # fill in the customer organisation name
CUSTOMER => cctv
[recon-ng][cctv][html] > run
[*] Report generated at '/Users/liwei/.recon-ng/workspaces/cctv/results.html'.   # export succeeded
[recon-ng][cctv][html] >

The final report looks like this:

Note: the following brief descriptions of the individual modules are quoted from other users online:

cache_snoop – DNS cache snooping
interesting_files – sensitive file detection
command_injector – remote command injection shell interface
xpath_bruter – XPath injection brute-forcer
csv_file – advanced CSV file import
list – list file import
point_usage – Jigsaw – point usage statistics retrieval
purchase_contact – Jigsaw – single contact lookup
search_contacts – Jigsaw contact enumeration
jigsaw_auth – Jigsaw authenticated contact enumeration
linkedin_auth – LinkedIn authenticated contact enumeration
github_miner – GitHub resource mining
whois_miner – Whois data mining
bing_linkedin – Bing LinkedIn information harvesting
email_validator – SalesMaple email validation
mailtester – MailTester email validation
mangle – contact name mangling
unmangle – contact name unmangling
hibp_breach – breach search
hibp_paste – paste search
pwnedlist – PwnedList validation
migrate_contacts – migrate contact data to domains
facebook_directory – Facebook directory crawler
fullcontact – FullContact contact enumeration
adobe – Adobe hash cracking
bozocrack – PyBozoCrack hash lookup
hashes_org – Hashes.org hash lookup
leakdb – leakdb hash lookup
metacrawler – metadata extraction
pgp_search – PGP key owner lookup
salesmaple – SalesMaple contact harvesting
whois_pocs – Whois POC harvesting
account_creds – PwnedList – account credential retrieval
api_usage – PwnedList – API usage information
domain_creds – PwnedList – pwned domain credential retrieval
domain_ispwned – PwnedList – pwned domain statistics retrieval
leak_lookup – PwnedList – leak information lookup
leaks_dump – PwnedList – leak information retrieval
brute_suffix – DNS public suffix brute-forcing
baidu_site – Baidu hostname enumeration
bing_domain_api – Bing API hostname enumeration
bing_domain_web – Bing hostname enumeration
brute_hosts – DNS hostname brute-forcing
builtwith – BuiltWith enumeration
google_site_api – Google CSE hostname enumeration
google_site_web – Google hostname enumeration
netcraft – Netcraft hostname enumeration
shodan_hostname – Shodan hostname enumeration
ssl_san – SSL SAN lookup
vpnhunter – VPNHunter lookup
yahoo_domain – Yahoo hostname enumeration
zone_transfer – DNS zone file harvesting
ghdb – Google Hacking Database
punkspider – PunkSPIDER vulnerability detection
xssed – XSSed domain lookup
xssposed – XSSposed domain lookup
migrate_hosts – migrate host data to domains
bing_ip – Bing API same-IP site lookup
freegeoip – FreeGeoIP IP geolocation lookup
ip_neighbor – My-IP-Neighbors.com lookup
ipinfodb – IPInfoDB GeoIP lookup
resolve – hostname resolver
reverse_resolve – reverse resolution
ssltools – SSLTools.com hostname lookup
geocode – geocoding
reverse_geocode – reverse geocoding
flickr – Flickr geolocation lookup
instagram – Instagram geolocation lookup
picasa – Picasa geolocation lookup
shodan – Shodan geolocation lookup
twitter – Twitter geolocation lookup
whois_orgs – Whois company information harvesting
reverse_resolve – reverse resolution
shodan_net – Shodan network enumeration
census_2012 – Internet Census 2012 lookup
sonar_cio – Project Sonar lookup
migrate_ports – migrate host port data
dev_diver – Dev Diver repository check
linkedin – LinkedIn contact harvesting
linkedin_crawl – LinkedIn information crawling
namechk – NameChk.com username validation
profiler – OSINT HUMINT information gathering
twitter – Twitter operations
github_repos – GitHub code enumeration
gists_search – GitHub Gist search
github_dorks – GitHub dork analysis
csv – CSV file generation
html – HTML report generation
json – JSON report generation
list – list generation
pushpin – PushPin report generation
xlsx – XLSX file creation
xml – XML report generation
