Footprinting a Target using Recon-ng
Recon-ng is a web reconnaissance framework with independent modules and database interaction that provides an environment in which open-source web-based reconnaissance can be conducted. Here, we will use Recon-ng to perform network reconnaissance, gather personnel information, and gather target information from social networking sites.
Here, we will consider www.airbnb.com as a target website. However, you can select a target domain of your choice.
In the Terminal window, type the command recon-ng and press Enter to launch the application.
Type help and press Enter to view all the commands that allow you to add/delete records to a database, query a database, etc.
Type marketplace install all and press Enter to install all the modules available in recon-ng. Ignore the errors while running the command.
After the installation of modules, type the modules search command and press Enter. This displays all the modules available in recon-ng.
You will be able to perform network discovery, exploitation, reconnaissance, etc. by loading the required modules.
Type the workspaces command and press Enter. This displays the commands related to the workspaces.
Create a workspace in which to perform network reconnaissance. In this task, we shall be creating a workspace named CEH.
To create the workspace, type the command workspaces create CEH and press Enter. This creates a workspace named CEH.
Enter workspaces list. This displays a list of workspaces (along with the workspace added in the previous step) that are present within the workspaces databases.
Add a domain in which you want to perform network reconnaissance.
Type the command db insert domains and press Enter.
In the domain (TEXT) option, type airbnb.com and press Enter. In the notes (TEXT) option, press Enter. This adds the domain to the present workspace.
You can view the added domain by issuing the show domains command, as shown in the screenshot.
Harvest the hosts-related information associated with airbnb.com by loading network reconnaissance modules such as brute_hosts, Netcraft, and Bing.
Type modules load brute and press Enter to view all the modules related to brute forcing. In this task, we will be using the recon/domains-hosts/brute_hosts module to harvest hosts.
To load the recon/domains-hosts/brute_hosts module, type the modules load recon/domains-hosts/brute_hosts command and press Enter.
Type run and press Enter. This begins to harvest the hosts, as shown in the screenshot.
Observe that hosts have been added by running the recon/domains-hosts/brute_hosts module.
You have now harvested the hosts related to certifiedhacker.com using the brute_hosts module. You can use other modules such as Netcraft and Bing to harvest more hosts.
Use the back command to go back to the CEH attributes terminal.
To resolve hosts using the Bing module, use the following commands:
Now, perform a reverse lookup for each IP address (the IP address that is obtained during the reconnaissance process) to resolve to respective hostnames.
Type the modules load reverse_resolve command and press Enter to view all the modules associated with the reverse_resolve keyword. In this task, we will be using the recon/hosts-hosts/reverse_resolve module.
Type the modules load recon/hosts-hosts/reverse_resolve command and press Enter to load the module.
Issue the run command to begin the reverse lookup.
Once done with the reverse lookup process, type the show hosts command and press Enter. This displays all the hosts that are harvested so far, as shown in the screenshot.
Now, type the back command and press Enter to go back to the CEH attributes terminal.
Now that you have harvested several hosts, we will prepare a report containing all the hosts.
Type the modules load reporting command and press Enter to view all the modules associated with the reporting keyword. In this lab, we will save the report in HTML format. So, the module used is reporting/html.
Type the modules load reporting/html command and press Enter.
Observe that you need to assign values for CREATOR and CUSTOMER options while the FILENAME value is already set, and you may change the value if required.
- Type options set FILENAME /home/attacker/Desktop/results.html and press Enter. By issuing this command, you are setting the report name as results.html and the path to store the file as Desktop.
- Type options set CREATOR [your name] (here, Jason) and press Enter.
- Type options set CUSTOMER Certifiedhacker Networks (since you have performed network reconnaissance on the certifiedhacker.com domain) and press Enter.
Type the run command and press Enter to create a report for all the hosts that have been harvested. The generated report is saved to /home/attacker/Desktop/.
Click Places from the top section of the Desktop and click Home Folder from the drop-down options. The attacker window appears.
In the attacker window, double-click Desktop. The Desktop window appears. Right-click the results.html file, click Open With, and select the Firefox browser from the available options.
The generated report appears in the Firefox browser, displaying the summary of the harvested hosts. You can expand the Hosts node to view all the harvested hosts, as shown in the screenshot.
Close all open windows.
Until now, we have used the Recon-ng tool to perform network reconnaissance on a target domain.
This concludes the demonstration of gathering host information of the target domain and gathering personnel information of a target organization.
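A defender's view of the brute_hosts step above, as an added example that is not part of the original lab or of Recon-ng: host brute forcing resolves many candidate names under a domain, so a DNS query log shows one client asking for many distinct names in a short time, most of them answered NXDOMAIN. The log format, the example.test zone, the addresses and the thresholds are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query log: "<timestamp> <client> <qname> <qtype> <rcode>".
# The log format, the example.test zone and the RFC 5737 addresses are assumptions.
_LABELS = ["admin", "api", "dev", "ftp", "mail", "test", "vpn", "www"]
_EXISTING = {"mail", "www"}
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} 203.0.113.9 {label}.example.test A "
     f"{'NOERROR' if label in _EXISTING else 'NXDOMAIN'}"
     for i, label in enumerate(_LABELS)]
    + ["2024-05-01T10:00:03 198.51.100.7 www.example.test A NOERROR",
       "2024-05-01T10:05:00 198.51.100.7 wwww.example.test A NXDOMAIN",
       "2024-05-01T10:09:00 198.51.100.7 mail.example.test A NOERROR"])


def parse_line(line):
    """Split one log line into (timestamp, client, qname, qtype, rcode)."""
    ts, client, qname, qtype, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype, rcode


def detect_host_bruteforce(log_text, zone, window=timedelta(seconds=60),
                           min_names=5, min_nx_ratio=0.6):
    """Return {client: (distinct_names, nx_ratio)} for clients that query many
    distinct names under `zone` inside one window, most of them nonexistent."""
    per_client = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, qname, qtype, rcode = parse_line(line)
        if qname.endswith("." + zone) and qtype in ("A", "AAAA"):
            per_client[client].append((ts, qname, rcode))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            names = {qname for _, qname, _ in win}
            nx_ratio = sum(r == "NXDOMAIN" for _, _, r in win) / len(win)
            if len(names) >= min_names and nx_ratio >= min_nx_ratio:
                if len(names) > flagged.get(client, (0, 0.0))[0]:
                    flagged[client] = (len(names), round(nx_ratio, 2))
    return flagged


if __name__ == "__main__":
    print(detect_host_bruteforce(SAMPLE_LOG, "example.test"))
```

On an authoritative server the client address is usually a recursive resolver rather than the querying host, so treat a hit as a prompt to review which names under the zone are publicly resolvable.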