# Kali Linux Course #492: Recon-ng Fundamentals

## Section 5: Advanced Recon-ng Techniques

### Introduction

In this final section of the recon-ng course we go deeper into the framework's real-world use. You will install and configure recon-ng on Kali Linux, work through two reconnaissance scenarios (a WHOIS point-of-contact lookup and a DNS subdomain brute force), and look at how the framework is built: a set of Python modules on top of a per-workspace SQLite database. Recon-ng gathers and organises information; what you do with that information belongs to the later phases of a penetration test.

### 1. Installation and Configuration on Kali Linux

Recon-ng is packaged in the Kali Linux repositories, so installation is a single `apt` command. The steps below cover installation and the first-run configuration.

#### Step 1: Update Your System

Before installing new software, bring the package index and the installed packages up to date. Open a terminal and run:

```
sudo apt update
sudo apt upgrade -y
```
#### Step 2: Install Recon-ng

```
sudo apt install recon-ng -y
```

#### Step 3: Verify the Installation

Launch the framework:

```
recon-ng
```

If the installation succeeded you are dropped at the recon-ng console, whose prompt names the active workspace (`[recon-ng][default] >`). Kali currently ships recon-ng 5.x; the command syntax in this section is for that version, and where it differs from the older 4.x syntax still found in many tutorials, the 4.x form is noted. `exit` leaves the console.

In 5.x the framework installs without any modules: they are fetched from the recon-ng marketplace. If `modules search` reports nothing, refresh the marketplace index and install the modules you need (or all of them) from inside the console:

```
marketplace refresh
marketplace install all
```

Modules that require a third-party API key or an extra Python dependency are flagged in the `marketplace search` output; API keys are added with `keys add <name> <value>` and listed with `keys list`.

#### Step 4: Setting Up the Workspace

Recon-ng keeps all data for one engagement in a workspace, each backed by its own SQLite database under `~/.recon-ng/workspaces/<name>/`. Create one from the console with:

```
workspaces create [workspace_name]
```

For example:

```
workspaces create my_first_workspace
```

Switch to an existing workspace with `workspaces load [workspace_name]` (`workspaces select` in 4.x), list them with `workspaces list`, or start the console directly in a workspace with `recon-ng -w my_first_workspace`. Keep one workspace per client or engagement so that data from different targets never mixes.
### 2. Step-by-Step Usage and Real-World Use Cases

With recon-ng installed and a workspace created, the next step is the day-to-day workflow: pick a module, point it at a target, run it, and read the results back out of the workspace database.

#### 2.1 Basic Commands Overview

Every module follows the same load, configure, run cycle. The core console commands (5.x syntax, with the 4.x equivalent in parentheses) are:

– **modules search [keyword]**: List installed modules, optionally filtered by keyword (`show modules` in 4.x).
– **modules load [module]**: Load a module by its path (`use` in 4.x).
– **info**: Inside a loaded module, show its description, the options it takes and the table it reads its input from.
– **options list** / **options set [option] [value]**: Show and set the loaded module's options (`show options` / `set` in 4.x).
– **run**: Execute the loaded module. Results are inserted into the workspace database, not merely printed.
– **show [table]**: Display a database table, for example `show domains`, `show hosts` or `show contacts`; `dashboard` summarises what every module has added so far.
– **back**: Unload the current module.

There is no `show results` command: a module's output is the rows it inserted, so you read it back with `show` on the relevant table.

#### 2.2 Example: Domain Reconnaissance

Let's walk through collecting WHOIS point-of-contact data for `example.com` with the `recon/domains-contacts/whois_pocs` module, which needs no API key.

1. **Load the Module**:

```
modules load recon/domains-contacts/whois_pocs
```

2. **Set the Target Domain**: Most recon modules take their input from the `SOURCE` option, which defaults to the rows already present in the relevant table (here, `domains`). Setting it to a single value targets just that domain:

```
options set SOURCE example.com
```

3. **Run the Module**:

```
run
```

4. **View the Results**: The module writes the contacts it finds into the `contacts` table:

```
show contacts
```

Each row holds the name, email address, title and region of a point of contact taken from the WHOIS record, together with the module that found it. Because `SOURCE` defaults to the `domains` table, the more typical workflow is to add the in-scope domains first with `db insert domains` and leave `SOURCE` at its default, so that every domain-fed module runs against the whole scope.

#### 2.3 Real-World Use Case: Subdomain Enumeration

Subdomain enumeration is a vital step in reconnaissance: it surfaces hosts (staging servers, VPN endpoints, forgotten applications) that are not linked from the main site and are often less well maintained. Recon-ng has several `domains-hosts` modules for this; most query third-party sources, while `brute_hosts` does plain DNS brute force.

1. **Load the Brute-Force Module**: `brute_hosts` resolves `<word>.<domain>` for every word in a list and records the names that answer:

```
modules load recon/domains-hosts/brute_hosts
```
2. **Set the Source Domain**: Point the module at the target, or leave `SOURCE` at its default to brute-force every domain in the `domains` table:

```
options set SOURCE example.com
```

3. **Define the Wordlist**: The module ships with a default hostname list (its path is shown by `options list`). To use your own, set `WORDLIST` to a file with one label per line:

```
options set WORDLIST /path/to/wordlist.txt
```

A bigger list finds more, but every word is a DNS query against the target's nameservers, so a large list is both slow and noisy; start small and escalate.

4. **Run the Module**:

```
run
```

Before brute-forcing, the module checks whether the domain has a wildcard DNS record. If it does, names that resolve only to the wildcard address are not reported, since otherwise every word in the list would appear to exist.

5. **View the Subdomains Found**: Discovered names land in the `hosts` table, each with the address it resolved to:

```
show hosts
```
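As an added, stand-alone example (not recon-ng's own code), the Python below re-implements what the `brute_hosts` step above does, including the wildcard check, then stores the results in a table laid out like a recon-ng workspace's `hosts` table and exports them as CSV and JSON, which is the storage and reporting path described in section 3.2. The zone, wordlist and resolver are constructed so it runs offline; the table columns are assumed to mirror recon-ng's `hosts` table rather than being read from a real `~/.recon-ng` database.

```python
"""Offline re-implementation of recon-ng's brute_hosts step plus workspace storage
and CSV/JSON export. Added example; not code from the recon-ng project."""
import csv
import io
import json
import sqlite3
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]

# Constructed sample zone standing in for live DNS (documentation/private IP ranges).
PLAIN_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "mail.example.com": ["93.184.216.35"],
    "dev.example.com": ["10.0.0.5"],
}
# The same zone with a wildcard record: any other label resolves to 203.0.113.9.
WILDCARD_ZONE: Dict[str, List[str]] = {**PLAIN_ZONE, "*.example.com": ["203.0.113.9"]}

# Constructed wordlist; the real module reads one label per line from WORDLIST.
WORDLIST = ["www", "mail", "dev", "vpn", "staging"]


def make_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Fake resolver over a constructed zone; a real run would query DNS instead."""
    def resolve(name: str) -> List[str]:
        name = name.lower().rstrip(".")
        if name in zone:
            return list(zone[name])
        parent = name.split(".", 1)[1] if "." in name else ""
        return list(zone.get(f"*.{parent}", []))  # wildcard match, if the zone has one
    return resolve


def wildcard_ips(domain: str, resolve: Resolver) -> Set[str]:
    """Resolve a label that should not exist; any answer is the wildcard address."""
    return set(resolve(f"recon-ng-wildcard-probe-7f3a9c.{domain}"))


def brute_hosts(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Resolve <word>.<domain> for each word; keep answers that are not just the wildcard.
    Limitation: a real host that shares the wildcard address is dropped as well."""
    wild = wildcard_ips(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ips = [ip for ip in resolve(name) if ip not in wild]
        if ips:
            found[name] = ips
    return found


# Assumed to mirror the column names of a recon-ng workspace's hosts table.
HOSTS_DDL = """CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, notes TEXT, module TEXT)"""


def new_workspace_db() -> sqlite3.Connection:
    """In-memory stand-in for ~/.recon-ng/workspaces/<name>/data.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_DDL)
    return conn


def store_hosts(conn: sqlite3.Connection, found: Dict[str, List[str]], module: str) -> int:
    """Insert one row per (host, ip), skipping rows already present; returns rows added."""
    added = 0
    for host, ips in found.items():
        for ip in ips:
            dup = conn.execute("SELECT 1 FROM hosts WHERE host=? AND ip_address=?", (host, ip)).fetchone()
            if dup is None:
                conn.execute("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
                             (host, ip, module))
                added += 1
    conn.commit()
    return added


def export_hosts(conn: sqlite3.Connection, fmt: str) -> str:
    """Render the hosts table as CSV or JSON text (what reporting/csv and reporting/json write out)."""
    cur = conn.execute("SELECT host, ip_address, module FROM hosts ORDER BY host, ip_address")
    cols = [d[0] for d in cur.description]
    rows = cur.fetchall()
    if fmt == "json":
        return json.dumps([dict(zip(cols, r)) for r in rows], indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(cols)
        writer.writerows(rows)
        return buf.getvalue()
    raise ValueError(f"unsupported format: {fmt}")


def run_workflow(zone: Dict[str, List[str]], domain: str = "example.com", wordlist: List[str] = WORDLIST):
    """Brute-force, store and export: returns (found, csv_text, json_text)."""
    found = brute_hosts(domain, wordlist, make_resolver(zone))
    conn = new_workspace_db()
    store_hosts(conn, found, "recon/domains-hosts/brute_hosts")
    return found, export_hosts(conn, "csv"), export_hosts(conn, "json")


if __name__ == "__main__":
    hosts_found, csv_text, _ = run_workflow(WILDCARD_ZONE)
    print(f"{len(hosts_found)} host(s) after wildcard filtering\n{csv_text}")
```

Run it against `WILDCARD_ZONE` and only `www`, `mail` and `dev` survive, even though `vpn.example.com` and `staging.example.com` both "resolve" to the wildcard address; swap in a resolver built on a real DNS library and the same filter protects you from a wordlist's worth of false positives.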
This procedure yields the hostnames under the target that answered DNS queries, each stored with its address. Those hosts are the input to the next phase (port discovery, service fingerprinting, web application testing); recon-ng itself stops at collection.

### 3. Detailed Technical Explanations

Recon-ng has a modular architecture: the core provides the console, the workspace database and helper APIs, and every capability is a module written in Python that reads rows from one table and inserts rows into another. Modules can therefore be chained: the hosts found by a `domains-hosts` module feed a `hosts-ports` module, whose results feed reporting.

#### 3.1 Module Architecture

– **Modules**: Each module has a single purpose, and its path encodes it. Modules are grouped into top-level categories:
  – **recon**: Information-gathering modules. The middle path component names the input and output tables: `recon/domains-hosts/brute_hosts` reads `domains` and writes `hosts`, and `recon/hosts-ports/shodan_ip` reads `hosts` and writes `ports` (it needs a Shodan API key, added with `keys add shodan_api <key>`).
  – **import** and **reporting**: Load data from outside the workspace (for example a list of hosts) and write tables back out as CSV, JSON, HTML or XML.
  – **exploitation** and **discovery**: A small number of modules that act on the data gathered, such as testing discovered hosts for specific weaknesses. These are the exception; recon-ng is first and foremost a collection framework.

#### 3.2 Data Storage and Management

Every workspace is a SQLite database (`~/.recon-ng/workspaces/<name>/data.db`) with one table per data type, among them `domains`, `hosts`, `ports`, `contacts`, `netblocks`, `credentials` and `vulnerabilities`. You can inspect it from the console (`show hosts`, or an arbitrary query with `db query SELECT host, ip_address FROM hosts`) or with any SQLite client, and the `reporting/csv`, `reporting/json`, `reporting/html` and `reporting/xml` modules export a table or the whole workspace for further analysis or the final report.

#### 3.3 External Reference Links

1. [Recon-ng GitHub Repository](https://github.com/lanmaster53/recon-ng)
2. [Recon-ng Documentation](https://recon-ng.readthedocs.io/en/latest/)
3. [OWASP Recon-ng Overview](https://owasp.org/www-project-recon-ng/)

### 4. Conclusion

In this section we covered recon-ng from installation through practical use: creating workspaces, the load, configure, run, show cycle, WHOIS contact collection, DNS subdomain brute force, and the modular design and SQLite storage that make the modules composable. Mastering recon-ng makes the reconnaissance phase of a penetration test faster, more repeatable and better documented, because every finding is stored with the module that produced it.

As you continue to use recon-ng, keep an eye on the marketplace for new and updated modules, and on the third-party APIs many modules depend on, since those change more often than the framework itself. Reconnaissance tooling evolves constantly, and continuous learning is what keeps a white-hat pentester effective.

With this section you have reached the end of your training on recon-ng. Congratulations on expanding your skill set, and may your future reconnaissance efforts be successful and enlightening.

Made by pablo rotem / פבלו רותם