# Kali Linux Course #492: Recon-ng Fundamentals

## Section 1: Installation and Configuration on Kali Linux

### 1.1 Introduction to Recon-ng

Recon-ng is an open-source reconnaissance framework designed for gathering and analyzing data from various sources. It provides a powerful environment for penetration testers to conduct open-source intelligence (OSINT) gathering, which aids in the reconnaissance phase of penetration testing. In this section, we will explore the installation, configuration, and usage of Recon-ng on Kali Linux.

### 1.2 Installation of Recon-ng

#### Step 1: Update Your System

Before installing any new tools, ensure that your Kali Linux system is up to date. Open your terminal and run the following command:

```bash
sudo apt update && sudo apt upgrade -y
```

#### Step 2: Install Recon-ng

Recon-ng is included in the Kali Linux repositories, which makes installation straightforward. Run the following command to install it:

```bash
sudo apt install recon-ng -y
```

#### Step 3: Verify Installation

To confirm that Recon-ng has been installed successfully, you can check its version by running:

```bash
recon-ng --version
```

You should see output similar to:

```
Recon-ng vX.X.X
```

### 1.3 Configuration

#### Step 4: Setting Up Recon-ng

Once installed, you can start Recon-ng by typing `recon-ng` in your terminal:

```bash
recon-ng
```

This will initialize the framework and bring you into its command-line interface. The first thing you'll want to do is create a new workspace, which will help keep your data organized. You can create a workspace by running:

```bash
workspaces create <workspace_name>
```

Replace `<workspace_name>` with your desired name for the workspace. For example:

```bash
workspaces create pentest_project
```

### 1.4 Overview of the Command-Line Interface (CLI)

Recon-ng's CLI is structured in a way that allows you to easily navigate through its features. Here are some basic commands to get started:

- **help**: Displays a list of commands available in the current context.
- **modules**: Displays a list of modules available in Recon-ng.
- **exit**: Exits the Recon-ng framework.

### 1.5 Usage of Recon-ng: Step-by-Step

Now that we have Recon-ng installed and configured, let's dive into its usage with real-world examples.

#### Step 1: Importing Targets

The first step in any reconnaissance effort is to define your targets. You can add a target to your workspace using the `add` command:

```bash
add domains <domain>
```

For example, to add `example.com`:

```bash
add domains example.com
```

You can verify that your target was added by using:

```bash
show domains
```

#### Step 2: Using Modules

Recon-ng is equipped with numerous modules that can help you gather information about your targets. To see a list of available modules, run:

```bash
modules search
```

To use a specific module, you first need to load it:

```bash
modules load <module_path>
```

For example, to use the `recon/domains-contacts/whois_pocs` module, you would run:

```bash
modules load recon/domains-contacts/whois_pocs
```

#### Step 3: Running the Module

Once the module is loaded, check its options to see if there are any required fields:

```bash
show options
```

Set the required options using:

```bash
set <OPTION> <value>
```

For example:

```bash
set SOURCE example.com
```

After setting the necessary options, run the module:

```bash
run
```

#### Real-World Use Cases

- **WHOIS Lookups**: You can find valuable information about domain ownership, contact details, and registration dates.
- **Subdomain Enumeration**: Discover subdomains associated with a target domain, which can reveal additional attack surfaces.
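
Before the Step 1 `add domains` command is typed, candidate targets should be checked against the engagement's written scope. The following is an added example, not part of the original course or of Recon-ng: the function names, the exclusion list and the sample hostnames are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: an agreed scope, a carve-out, and raw candidate targets.
SCOPE = ["example.com"]
EXCLUDED = ["payments.example.com"]
CANDIDATES = [
    "example.com",
    "https://Dev.Example.com/login",   # URL pasted from a browser
    "notexample.com",                  # shares a suffix but not a label boundary
    "example.com.evil.test",           # scope name used as a prefix
    "api.payments.example.com",        # falls under the excluded subtree
    "EXAMPLE.COM.",                    # duplicate once normalized
]

def normalize(target):
    """Reduce a hostname or URL to a lowercase hostname without a trailing dot."""
    target = target.strip()
    if "://" not in target:
        target = "//" + target         # make urlsplit treat a bare name as a netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()

def under(host, apex):
    """True if host is apex itself or a subdomain of it (match on a label boundary)."""
    return host == apex or host.endswith("." + apex)

def filter_scope(candidates, in_scope, excluded=()):
    """Return (allowed, rejected); allowed holds normalized, de-duplicated hostnames."""
    in_scope = [normalize(d) for d in in_scope]
    excluded = [normalize(d) for d in excluded]
    allowed, rejected = [], []
    for raw in candidates:
        host = normalize(raw)
        ok = (bool(host)
              and any(under(host, d) for d in in_scope)
              and not any(under(host, d) for d in excluded))
        if not ok:
            rejected.append(raw)
        elif host not in allowed:
            allowed.append(host)
    return allowed, rejected

if __name__ == "__main__":
    allowed, rejected = filter_scope(CANDIDATES, SCOPE, EXCLUDED)
    print("add to workspace:", allowed)
    print("out of scope, do not add:", rejected)
```

Only the hostnames in the first list belong in the workspace; the rejected list is worth keeping with the engagement notes as a record of what was deliberately left out.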

### 1.6 Detailed Technical Explanations

#### WHOIS Module

The WHOIS module retrieves contact information from the WHOIS database for the given domain. The output can include administrative and technical contacts, registration dates, and name servers, which can provide insights into the organization behind the domain.

**Code Example**:

```bash
modules load recon/domains-contacts/whois_pocs
set SOURCE example.com
run
```

**Output Example**:

```
+-------------------+-------------------+
| Name              | Value             |
+-------------------+-------------------+
| admin_name        | John Doe          |
| admin_email       | [email protected] |
| registration_date | 2021-01-15        |
| name_servers      | ns1.example.com   |
| name_servers      | ns2.example.com   |
+-------------------+-------------------+
```

#### Subdomain Enumeration Module

Subdomain enumeration can reveal hidden assets such as staging environments and APIs. The `recon/domains-hosts/get_subdomains` module can be used to discover subdomains.

**Code Example**:

```bash
modules load recon/domains-hosts/get_subdomains
set SOURCE example.com
run
```

**Output Example**:

```
+-----------------+
| Subdomain       |
+-----------------+
| www.example.com |
| api.example.com |
| dev.example.com |
+-----------------+
```

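The two output examples above can be turned into structured data for an asset owner's exposure inventory. The following is an added example, not part of the original course or of Recon-ng: it assumes the bordered table layout shown above, and the sample text, function names and hint words are constructed for illustration.

```python
import re

# Constructed sample output, modelled on the two output examples above.
WHOIS_OUT = """
+-------------------+-----------------+
| Name              | Value           |
+-------------------+-----------------+
| admin_name        | John Doe        |
| registration_date | 2021-01-15      |
| name_servers      | ns1.example.com |
| name_servers      | ns2.example.com |
+-------------------+-----------------+
"""
SUBDOMAIN_OUT = """
+-----------------+
| Subdomain       |
+-----------------+
| www.example.com |
| api.example.com |
| dev.example.com |
+-----------------+
"""
# Hypothetical hint words; the page names staging environments and APIs as examples.
REVIEW_HINTS = {"dev": "non-production", "staging": "non-production",
                "test": "non-production", "api": "API endpoint"}

def parse_table(text):
    """Parse a '+---+' bordered table into row dicts keyed by the header cells."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def whois_record(text):
    """Fold Name/Value rows into one record; repeated names become lists."""
    record = {}
    for row in parse_table(text):
        record.setdefault(row["Name"], []).append(row["Value"])
    return record

def hosts_to_review(text, apex):
    """Map each in-scope host whose name carries a hint word to its review reasons."""
    findings = {}
    for row in parse_table(text):
        host = row["Subdomain"].lower()
        if not host.endswith("." + apex):
            continue                      # ignore anything outside the apex domain
        tokens = re.split(r"[.\-_]", host[: -len(apex) - 1])
        reasons = sorted({REVIEW_HINTS[t] for t in tokens if t in REVIEW_HINTS})
        if reasons:
            findings[host] = reasons
    return findings
```

A cell value that itself contains `|` would be split incorrectly, so this parser suits only simple fields such as the ones shown.
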
### 1.7 External References

To deepen your understanding of Recon-ng and its capabilities, consider exploring the following resources:

- [Recon-ng Official Documentation](https://bitbucket.org/LaNMaSteR53/recon-ng/src/master/)
- [Kali Linux Tools Documentation](https://www.kali.org/tools/)
- [Open Source Intelligence (OSINT) Framework](https://osintframework.com/)

### Conclusion

In this section, we've covered the installation and configuration of Recon-ng on Kali Linux, as well as its basic usage through practical examples. Recon-ng serves as a powerful tool in the arsenal of a penetration tester, and mastering its features will greatly enhance your reconnaissance capabilities.

Made by pablo rotem / פבלו רותם
