Doing open source intel with recon-ng – part 2

Recon-ng

This is the second part of a post on doing open source intel with recon-ng. The first part focused on gathering open source information for user accounts. This second part focuses on gathering domain and host information.

Finding hosts

I started with one single domain. I’m interested in what other hosts related to this domain can be found. To do this I use the search command SEARCH domains-hosts.

[recon-ng]de[s]o][hashes_org] > search domains-hosts
[*] Searching for 'domains-hosts'...

  Recon
  -----
    recon/domains-hosts/baidu_site
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/vpnhunter
    recon/domains-hosts/yahoo_domain

The list shows modules that use, for example, Baidu, Bing and Google to get additional information. Bing and Google each have both an API and a web version. Ideally you stick to the API version, because both Google and Bing can quickly block repeated queries. You can unlock the block by entering the correct captcha, but this can be cumbersome if you run recon-ng through a remote shell: recon-ng downloads the captcha as an image file in /tmp, which you then have to copy to your host and view manually.

Baidu does not (yet) block repeated queries, so this search engine is a great choice to start looking for additional information. I first start with

[recon-ng]de[s]o][hashes_org] > use recon/domains-hosts/baidu_site

[recon-ng]de[s]o][baidu_site] > run

---------
c[u]de[s]o.BE
---------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Ac[u]de[s]o.be
[*] www.c[u]de[s]o.be
[*] linux.c[u]de[s]o.be
[*] Sleeping to avoid lockout...
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Ac[u]de[s]o.be+-site%3Awww.c[u]de[s]o.be+-site%3Alinux.c[u]de[s]o.be

-------
SUMMARY
-------
[*] 2 total (2 new) hosts found.

Because I’m starting with only one domain I will use the web version of Bing to check for extra host information (and hopefully not get locked out before getting useful results).

[recon-ng]de[s]o][baidu_site] > use recon/domains-hosts/bing_domain_web

[recon-ng]de[s]o][bing_domain_web] > run

---------
c[u]de[s]o.BE
---------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Ac[u]de[s]o.be
[*] www.c[u]de[s]o.be
[*] solution.c[u]de[s]o.be
[*] Sleeping to avoid lockout...
[*] URL: https://www.bing.com/search?first=0&q=domain%3Ac[u]de[s]o.be+-domain%3Awww.c[u]de[s]o.be+-domain%3Asolution.c[u]de[s]o.be

-------
SUMMARY
-------
[*] 2 total (1 new) hosts found.

So in total I have now found three hosts related to the domain.

[recon-ng]de[s]o][bing_domain_web] > show hosts

  +-----------------------------------------------------------------------------------------------------+
  | rowid |        host        | ip_address | region | country | latitude | longitude |      module     |
  +-----------------------------------------------------------------------------------------------------+
  | 1     | www.c[u]de[s]o.be      |            |        |         |          |           | baidu_site      |
  | 2     | linux.c[u]de[s]o.be    |            |        |         |          |           | baidu_site      |
  | 3     | solution.c[u]de[s]o.be |            |        |         |          |           | bing_domain_web |
  +-----------------------------------------------------------------------------------------------------+

[*] 3 rows returned

Other modules that can give you extra hosts are for example the netcraft, shodan, vpnhunter and ssltools modules.

Resolve the hosts

I will now do a forward and reverse resolve of the hosts.

[recon-ng]de[s]o][bing_domain_web] > use recon/hosts-hosts/resolve
[recon-ng]de[s]o][resolve] > run
[*] www.c[u]de[s]o.be => 92.243.8.142
[*] linux.c[u]de[s]o.be => 92.243.8.142
[*] solution.c[u]de[s]o.be => 92.243.8.142
[recon-ng]de[s]o][resolve] > use recon/hosts-hosts/reverse_resolve
[recon-ng]de[s]o][reverse_resolve] > run
[*] 92.243.8.142 => www.c[u]de[s]o.be

-------
SUMMARY
-------
[*] 1 total (0 new) hosts found.

Starting with this IP I will use a module that queries My-IP-Neighbors.com for “near-by” IPs.

[recon-ng]de[s]o][reverse_resolve] > use recon/hosts-hosts/ip_neighbor
[recon-ng]de[s]o][ip_neighbor] > run

-------------
WWW.c[u]de[s]o.BE
-------------
[*] URL: http://www.my-ip-neighbors.com/?domain=www.c[u]de[s]o.be
[*] No additional hosts discovered at the same IP address.

---------------
LINUX.c[u]de[s]o.BE
---------------
[*] URL: http://www.my-ip-neighbors.com/?domain=linux.c[u]de[s]o.be
[*] No additional hosts discovered at the same IP address.

------------------
SOLUTION.c[u]de[s]o.BE
------------------
[*] URL: http://www.my-ip-neighbors.com/?domain=solution.c[u]de[s]o.be
[*] No additional hosts discovered at the same IP address.

No additional IPs have been found.
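The forward and reverse resolve steps above are worth looking at as data rather than as console output: three hosts collapsed onto one address, and the reverse lookup returned only one name (“1 total (0 new)”), because a PTR record carries a single canonical name, so a reverse-only sweep misses the other two. The following added example (not recon-ng’s own code) implements that pipeline over a hosts list with an injectable resolver so it can run offline; the domain example.be and the TEST-NET-1 address are constructed stand-ins for the mangled values on the page.

```python
"""Forward/reverse resolution of a recon-ng style hosts table.

Added example, not recon-ng code. Hostnames and addresses are constructed:
the documentation domain example.be and a TEST-NET-1 address stand in for
the mangled domain on the page.
"""
import socket
from collections import defaultdict


def forward_resolve(hosts, lookup=socket.gethostbyname):
    """Map each host to an IPv4 address; hosts that fail to resolve map to None.

    `lookup` is injectable so the logic can be exercised offline with a dict.
    """
    resolved = {}
    for host in hosts:
        try:
            resolved[host] = lookup(host)
        except (socket.gaierror, socket.herror, KeyError):
            resolved[host] = None
    return resolved


def reverse_resolve(ips, lookup=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Map each IP to its PTR name (or None).

    A PTR record holds one canonical name, which is why a reverse lookup
    rarely recovers every virtual host living on a shared address.
    """
    names = {}
    for ip in ips:
        try:
            names[ip] = lookup(ip)
        except (socket.herror, socket.gaierror, KeyError):
            names[ip] = None
    return names


def group_by_ip(host_to_ip):
    """Invert host->ip into ip->sorted hosts, dropping unresolved hosts."""
    groups = defaultdict(list)
    for host, ip in host_to_ip.items():
        if ip is not None:
            groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def shared_addresses(host_to_ip):
    """Return only the addresses that more than one host resolves to."""
    return {ip: hosts for ip, hosts in group_by_ip(host_to_ip).items()
            if len(hosts) > 1}


def hosts_missed_by_reverse(host_to_ip, ip_to_name):
    """Hosts whose address has a PTR naming a different host.

    These are exactly the entries a reverse-only sweep would never find.
    """
    missed = [host for host, ip in host_to_ip.items()
              if ip is not None and ip_to_name.get(ip) != host]
    return sorted(missed)


# Constructed sample mirroring the shape of the page's results:
# three hosts under one domain, all on one shared address.
SAMPLE_FORWARD = {
    "www.example.be": "192.0.2.142",
    "linux.example.be": "192.0.2.142",
    "solution.example.be": "192.0.2.142",
}
SAMPLE_REVERSE = {"192.0.2.142": "www.example.be"}


def demo():
    """Run the pipeline against the constructed sample instead of live DNS."""
    fwd = forward_resolve(SAMPLE_FORWARD, lookup=SAMPLE_FORWARD.__getitem__)
    rev = reverse_resolve(set(fwd.values()), lookup=SAMPLE_REVERSE.__getitem__)
    return {
        "forward": fwd,
        "reverse": rev,
        "shared": shared_addresses(fwd),
        "missed_by_reverse": hosts_missed_by_reverse(fwd, rev),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Dropping the `lookup=` arguments switches both functions to the live system resolver. The `shared` result is the same shared-hosting signal the page's output shows implicitly, and `missed_by_reverse` lists the hosts that only the forward step could have found.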

Vulnerability searching

Recon-ng also has support for the Google Hacking Database (GHDB) with the module ghdb. I load this module via a shortcut.

The default way to load a module is to give its full path, in this case “recon/domains-vulnerabilities/ghdb”. However, if the module name is unique you can load it by that name alone.

[recon-ng]de[s]o] > use ghdb
[recon-ng]de[s]o][ghdb] >

The module has a number of options, each representing a type of Google Dork.

[recon-ng]de[s]o][ghdb] > set
Sets module options

Usage: set <option> <value>

  Name                                 Current Value  Required  Description
  -----------------------------------  -------------  --------  -----------
  DORKS                                               no        file containing an alternate list of Google dorks
  GHDB_ADVISORIES_AND_VULNERABILITIES  False          yes       enable/disable the 1985 dorks in this category
  GHDB_ERROR_MESSAGES                  False          yes       enable/disable the 82 dorks in this category
  GHDB_FILES_CONTAINING_JUICY_INFO     False          yes       enable/disable the 343 dorks in this category
  GHDB_FILES_CONTAINING_PASSWORDS      False          yes       enable/disable the 189 dorks in this category
  GHDB_FILES_CONTAINING_USERNAMES      False          yes       enable/disable the 17 dorks in this category
  GHDB_FOOTHOLDS                       False          yes       enable/disable the 34 dorks in this category
  GHDB_NETWORK_OR_VULNERABILITY_DATA   False          yes       enable/disable the 63 dorks in this category
  GHDB_PAGES_CONTAINING_LOGIN_PORTALS  False          yes       enable/disable the 313 dorks in this category
  GHDB_SENSITIVE_DIRECTORIES           False          yes       enable/disable the 110 dorks in this category
  GHDB_SENSITIVE_ONLINE_SHOPPING_INFO  False          yes       enable/disable the 10 dorks in this category
  GHDB_VARIOUS_ONLINE_DEVICES          False          yes       enable/disable the 270 dorks in this category
  GHDB_VULNERABLE_FILES                False          yes       enable/disable the 61 dorks in this category
  GHDB_VULNERABLE_SERVERS              False          yes       enable/disable the 83 dorks in this category
  GHDB_WEB_SERVER_DETECTION            False          yes       enable/disable the 74 dorks in this category
  SOURCE                               default        yes       source of input (see 'show info' for details)

If you want to check for files containing usernames you have to enable the option GHDB_FILES_CONTAINING_USERNAMES and then run the module.

[recon-ng]de[s]o][ghdb] > set GHDB_FILES_CONTAINING_USERNAMES true
GHDB_FILES_CONTAINING_USERNAMES => true
[recon-ng]de[s]o][ghdb] > run

---------
c[u]de[s]o.BE
---------
[*] Searching Google for: site:c[u]de[s]o.be intitle:"Index of" .bash_history
[*] Searching Google for: site:c[u]de[s]o.be intitle:"Index of" .sh_history
[*] Searching Google for: site:c[u]de[s]o.be inurl:admin inurl:userlist
[*] Searching Google for: site:c[u]de[s]o.be inurl:admin filetype:asp inurl:userlist
[*] Searching Google for: site:c[u]de[s]o.be "index of" / lck
[*] Searching Google for: site:c[u]de[s]o.be index.of perform.ini
[*] Searching Google for: site:c[u]de[s]o.be inurl:php inurl:hlstats intext:"Server Username"
[*] Searching Google for: site:c[u]de[s]o.be Google for: +intext:"webalizer" +intext:"Total Usernames" +intext:"Usage Statistics for"
[*] Searching Google for: site:c[u]de[s]o.be filetype:reg reg HKEY_CURRENT_USER username
[*] Searching Google for: site:c[u]de[s]o.be filetype:reg reg +intext:"internet account manager
[*] Searching Google for: site:c[u]de[s]o.be filetype:log username putty
[*] Searching Google for: site:c[u]de[s]o.be filetype:conf inurl:proftpd.conf -sample
[*] Searching Google for: site:c[u]de[s]o.be inurl:root.asp?acs=anon
[*] /tmp/tmpbei3ow.jpg
[CAPTCHA] Answer: impwedig
[*] Searching Google for: site:c[u]de[s]o.be intext:"SteamUserPassphrase=" intext:"SteamAppUser=" -"username"  -"user"
...

As you can see in the output, at one point during the run the Google queries were blocked by a captcha. After opening the jpg file and entering the code the module continued.

Reporting

Once all the modules have run you have a database with useful and interesting information. You can extract the information with SHOW DASHBOARD or SHOW CREDENTIALS, but in the end it is easier to have some sort of accessible report.

Recon-ng has a number of reporting options; you can list them with SEARCH REPORT.

[recon-ng]de[s]o][ghdb] > search report
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/pushpin
    reporting/xlsx
    reporting/xml

You can for example export your findings to CSV format with the reporting/csv module. Note that shortcut loading this module with “use csv” will not work because there are multiple modules with the same name.

[recon-ng]de[s]o][ghdb] > use csv
[*] Multiple modules match 'csv'.

  Import
  ------
    import/csv_file

  Reporting
  ---------
    reporting/csv

So this module has to be loaded with the full path.
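The two `use` attempts above (“use ghdb” loads directly, “use csv” is ambiguous) follow one lookup rule. The following added example (not recon-ng’s own code) implements that rule over the module paths that appear in this post: an exact path wins outright, otherwise every path containing the name is a candidate, and only a single candidate is loaded. The substring rule and the category grouping are assumptions modelled on the console output shown above.

```python
"""Module lookup by short name, mimicking the `use` behaviour shown on the page.

Added example, not recon-ng's own code. MODULES is the set of module paths
that appear in this post; the matching rule (exact path first, then any path
containing the name) is an assumption modelled on the output above.
"""
from collections import defaultdict

MODULES = [
    "import/csv_file",
    "recon/domains-hosts/baidu_site",
    "recon/domains-hosts/bing_domain_api",
    "recon/domains-hosts/bing_domain_web",
    "recon/domains-hosts/brute_hosts",
    "recon/domains-hosts/builtwith",
    "recon/domains-hosts/google_site_api",
    "recon/domains-hosts/google_site_web",
    "recon/domains-hosts/netcraft",
    "recon/domains-hosts/shodan_hostname",
    "recon/domains-hosts/ssl_san",
    "recon/domains-hosts/vpnhunter",
    "recon/domains-hosts/yahoo_domain",
    "recon/domains-vulnerabilities/ghdb",
    "recon/hosts-hosts/ip_neighbor",
    "recon/hosts-hosts/resolve",
    "recon/hosts-hosts/reverse_resolve",
    "reporting/csv",
    "reporting/html",
    "reporting/json",
    "reporting/list",
    "reporting/pushpin",
    "reporting/xlsx",
    "reporting/xml",
]


class AmbiguousModule(LookupError):
    """Raised when a short name matches more than one module path."""

    def __init__(self, name, matches):
        super().__init__(f"Multiple modules match '{name}'.")
        self.name = name
        self.matches = matches


def find_modules(name, modules=MODULES):
    """Return every module path containing `name`; an exact path wins outright."""
    if name in modules:
        return [name]
    return [m for m in modules if name in m]


def resolve_module(name, modules=MODULES):
    """Resolve a `use` argument to exactly one module path.

    Raises KeyError when nothing matches and AmbiguousModule when the
    name is not unique, so callers can tell the two failures apart.
    """
    matches = find_modules(name, modules)
    if not matches:
        raise KeyError(f"No module matches '{name}'.")
    if len(matches) > 1:
        raise AmbiguousModule(name, matches)
    return matches[0]


def group_by_category(paths):
    """Group paths by their top-level directory, as the listing above does."""
    groups = defaultdict(list)
    for path in paths:
        groups[path.split("/", 1)[0]].append(path)
    return {cat.capitalize(): sorted(v) for cat, v in sorted(groups.items())}


def use(name, modules=MODULES):
    """Console-style wrapper: print the outcome, return the loaded path or None."""
    try:
        module = resolve_module(name, modules)
    except AmbiguousModule as exc:
        print(f"[*] {exc}")
        for category, paths in group_by_category(exc.matches).items():
            print(f"\n  {category}\n  {'-' * len(category)}")
            for path in paths:
                print(f"    {path}")
        return None
    except KeyError as exc:
        print(f"[!] {exc.args[0]}")
        return None
    print(f"[*] Loaded {module}")
    return module


if __name__ == "__main__":
    use("ghdb")           # unique short name -> recon/domains-vulnerabilities/ghdb
    use("csv")            # ambiguous: import/csv_file and reporting/csv
    use("reporting/csv")  # the full path always works
```

Under the substring rule a short name such as `resolve` is also ambiguous here, since it is contained in both `recon/hosts-hosts/resolve` and `recon/hosts-hosts/reverse_resolve`; that is the general case the page's “use csv” output is one instance of.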

[recon-ng]de[s]o][ghdb] > use reporting/csv
[recon-ng]de[s]o][csv] > set
Sets module options

Usage: set <option> <value>

  Name      Current Value                                        Required  Description
  --------  -------------                                        --------  -----------
  FILENAME  /home/koenv/.recon-ng/workspaces/c[u]de[s]o/results.csv  yes       path and filename for output
  TABLE     hosts                                                yes       source table of data to export

You can specify the output filename with the FILENAME option. The TABLE option describes which table has to be exported.

The CSV module only exports one table at a time. With the HTML module you can generate a full report.

[recon-ng]de[s]o][csv] > use html
[recon-ng]de[s]o] > set
Sets module options

Usage: set <option> <value>

  Name      Current Value                                         Required  Description
  --------  -------------                                         --------  -----------
  CREATOR                                                         yes       creator name for the report footer
  CUSTOMER                                                        yes       customer name for the report header
  FILENAME  /home/koenv/.recon-ng/workspaces/c[u]de[s]o/results.html  yes       path and filename for report output
  SANITIZE  True                                                  yes       mask sensitive data in the report

[recon-ng]de[s]o] > set CREATOR Koen Van Impe
CREATOR => Koen Van Impe
[recon-ng]de[s]o] > set CUSTOMER c[u]de[s]o.be
CUSTOMER => c[u]de[s]o.be
[recon-ng]de[s]o] > run
[*] Report generated at '/home/koenv/.recon-ng/workspaces/c[u]de[s]o/results.html'.
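The two reporting modules above differ in an important way for a report that leaves your machine: reporting/csv exposes only FILENAME and TABLE, while reporting/html has a SANITIZE option that masks sensitive data. The following added example (not recon-ng’s reporting modules) shows both behaviours against an in-memory SQLite database whose schema is modelled on the `show hosts` output earlier in the post plus a minimal credentials table; the rows (example.be, a TEST-NET-1 address, a fake credential) are constructed sample data, and the masking rule is this example’s own choice.

```python
"""Table-by-table CSV export and a sanitised HTML report from a recon-ng style
workspace database.

Added example, not recon-ng's reporting modules. The schema is modelled on
the `show hosts` output on the page plus a minimal credentials table
(assumption); all rows are constructed sample data.
"""
import csv
import html
import io
import sqlite3

# Columns whose values must never appear in clear text in a shared report.
SENSITIVE_COLUMNS = {"password", "hash"}


def build_sample_db():
    """Create an in-memory database shaped like a recon-ng workspace (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, "
                 "country TEXT, latitude TEXT, longitude TEXT, module TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password TEXT, "
                 "hash TEXT, type TEXT, leak TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?)", [
        ("www.example.be", "192.0.2.142", None, None, None, None, "baidu_site"),
        ("linux.example.be", "192.0.2.142", None, None, None, None, "baidu_site"),
        ("solution.example.be", "192.0.2.142", None, None, None, None, "bing_domain_web"),
    ])
    # Constructed credential: the hash is a placeholder, not a real digest.
    conn.executemany("INSERT INTO credentials VALUES (?,?,?,?,?,?)", [
        ("user@example.be", "Winter2013!", "deadbeef" * 4, "MD5", "adobe", "hashes_org"),
    ])
    conn.commit()
    return conn


def read_table(conn, table):
    """Return (column names, rows) for one table."""
    cur = conn.execute(f'SELECT * FROM "{table}"')
    return [d[0] for d in cur.description], cur.fetchall()


def mask(value):
    """Replace a secret with asterisks of the same length (keeps only the length visible)."""
    if value is None or value == "":
        return value
    return "*" * len(str(value))


def export_table_csv(conn, table):
    """Export one table as CSV text; like reporting/csv this works a table at a time
    and applies no masking, so treat the file with the same care as the database."""
    columns, rows = read_table(conn, table)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    writer.writerows(rows)
    return buf.getvalue()


def html_report(conn, creator, customer, sanitize=True):
    """Render every table into one HTML document with a customer header and a
    creator footer; with sanitize=True the SENSITIVE_COLUMNS are masked."""
    parts = [f"<h1>Report for {html.escape(customer)}</h1>"]
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        columns, rows = read_table(conn, table)
        parts.append(f"<h2>{html.escape(table)}</h2><table><tr>")
        parts.append("".join(f"<th>{html.escape(c)}</th>" for c in columns) + "</tr>")
        for row in rows:
            cells = []
            for col, val in zip(columns, row):
                if sanitize and col in SENSITIVE_COLUMNS:
                    val = mask(val)
                cells.append(f"<td>{html.escape('' if val is None else str(val))}</td>")
            parts.append("<tr>" + "".join(cells) + "</tr>")
        parts.append("</table>")
    parts.append(f"<footer>Created by {html.escape(creator)}</footer>")
    return "\n".join(parts)


if __name__ == "__main__":
    db = build_sample_db()
    print(export_table_csv(db, "hosts"))
    print(html_report(db, creator="Example Analyst", customer="example.be"))
```

Every value is passed through `html.escape` before it reaches the report, since host names, user names and module output are attacker-influenced strings and an HTML report is otherwise an easy place to smuggle script into whoever opens it.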

Conclusion

Recon-ng in a penetration test

Reconnaissance is the first phase in a penetration test. Ideally (but also depending on the rules of engagement) you stay as low profile as possible to gather target information. This means that you do not directly probe any of the target systems or users and you rely on information available via different open source channels.

Recon-ng is an ideal tool to gather all of this information. Of course you can conduct the searches manually and extract the necessary information yourself. But this costs a lot of time and is cumbersome. There’s also the risk of introducing data manipulation errors. Recon-ng does all of the hard work for you.

Combining recon-ng together with the Metasploit framework makes a great tool set for doing penetration tests.

Spam protection

I use my own accounts and domain for this example, but I do not have to make it too easy for spambots to index all the data. For this reason I mangled the domain name and user names in the output results in this post.

Adobe hack

Note: my account was in the 2013 Adobe account breach. I use unique passwords per site/application. These passwords are generated with a password manager and in most cases I don’t even know the password (let alone that in most cases they are impossible to remember due to their complexity). They are stored in a password vault and I export the requested password when needed. As such, the Adobe breach had little impact on any of my other accounts.
