Penetration Testing (PT): Recon-ng

Information Gathering

Ting
11 min read · Apr 28, 2020

Recon-ng

Recon-ng is an open-source, extensible information gathering tool written in Python. Through passive information gathering it collects open-source (public) intelligence about a target, such as IP addresses, e-mail addresses and user names.

This article focuses on the most basic functions of recon-ng: downloading it, installing and using a module, and looking up subdomains.

Let's try it out!

Installation

Usually the recon-ng bundled with Kali Linux is used. If it is not installed, type the following in a terminal

> apt-get update && apt-get install recon-ng

to install recon-ng. This article uses v5.0.1; if your version has not been updated yet, you can clone the latest version from https://github.com/lanmaster53/recon-ng (barring surprises it should be v5).

Download Kali Linux: https://www.kali.org/downloads/
(I used the Kali Linux 64-bit VMware build, Kali-Linux-2020.1-vmware-amd64. Readers can choose their own version; the recon-ng bundled with different versions may differ.)

Open recon-ng

> recon-ng
(recon-ng welcome screen)

In v5 no modules are present initially; you will see

[*] No modules enabled/installed.

Before starting, we can use the help command to see which commands are available in recon-ng

[recon-ng][default] > help
Commands (type [help|?] ):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspace

Install Module

First we install the hackertarget module to enumerate the subdomains under a domain

[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules…
[recon-ng][default] >

Load Module

Load the hackertarget module we just installed

[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] >

Check Current Source

We can type the options list command to see this module's current source.
The source here is simply our target domain; its initial value is default.

[recon-ng][default][hackertarget] > options list

Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)

Set Source

Here we set the target to tesla.com; of course you can choose any target you like

[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com

We can check whether SOURCE was successfully changed to tesla.com

[recon-ng][default][hackertarget] > info

Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE tesla.com yes source of input (see 'info' for details)

Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
string string representing a single input
path path to a file containing a list of inputs
query sql database query returning one column of inputs

Start Gathering Info!

It's simple: just type run (the results depend on the state at the time you run it)

[recon-ng][default][hackertarget] > run

---------
TESLA.COM
---------
[*] [host] tesla.com (209.133.79.61)
[*] [host] sjc04d1rsaap02.tesla.com (205.234.27.206)
[*] [host] model3.tesla.com (205.234.27.221)
[*] [host] marketing.tesla.com (13.111.47.196)
[*] [host] email.tesla.com (136.147.129.27)
[*] [host] mta2.email.tesla.com (13.111.4.231)
[*] [host] mta.email.tesla.com (13.111.14.190)
[*] [host] xmail.tesla.com (204.74.99.100)
[*] [host] comparison.tesla.com (64.125.183.133)
[*] [host] na-sso.tesla.com (209.133.79.81)
[*] [host] edr.tesla.com (209.133.79.33)
[*] [host] mta2.emails.tesla.com (13.111.88.1)
[*] [host] mta3.emails.tesla.com (13.111.88.2)
[*] [host] mta4.emails.tesla.com (13.111.88.52)
[*] [host] mta5.emails.tesla.com (13.111.88.53)
[*] [host] mta.emails.tesla.com (13.111.62.118)
[*] [host] click.emails.tesla.com (13.111.48.179)
[*] [host] view.emails.tesla.com (13.111.49.179)
[*] [host] events.tesla.com (13.111.47.195)
[*] [host] shop.eu.tesla.com (205.234.27.221)

-------
SUMMARY
-------
[*] 20 total (0 new) hosts found.

The result returned is a list of all hosts, that is, the subdomains of the tesla.com domain, 20 in total
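The following is an added example (my own Python, not recon-ng's source code) that models two things shown above: how the four SOURCE kinds listed by info (default, string, path, query) resolve to module inputs, and how a run stores hosts and reports the "(N new)" figure in the SUMMARY block. The in-memory tables and the offline stand-in for the hackertarget lookup are constructed assumptions.

```python
import os
import sqlite3

# Default query printed by 'info' for the hackertarget module.
DEFAULT_QUERY = "SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL"

def new_workspace():
    """Constructed stand-in for a recon-ng workspace database: only the two
    tables this walkthrough touches, with the columns 'show hosts' displays."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT)")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    return conn

def resolve_source(conn, value):
    """Turn a SOURCE value into a list of inputs using the four kinds that
    'info' lists: default (stored domains), query, path, or a single string."""
    if value.lower() == "default":
        return [row[0] for row in conn.execute(DEFAULT_QUERY)]
    if value.lower().startswith("query "):
        return [row[0] for row in conn.execute(value.split(None, 1)[1])]
    if os.path.isfile(value):
        with open(value) as fh:
            return [line.strip() for line in fh if line.strip()]
    return [value]

def add_host(conn, host, ip, module):
    """Store a host unless that host/ip pair exists; True means a new row."""
    sql = "SELECT 1 FROM hosts WHERE host = ? AND ip_address = ?"
    if conn.execute(sql, (host, ip)).fetchone():
        return False
    conn.execute("INSERT INTO hosts VALUES (?, ?, ?)", (host, ip, module))
    return True

def run_module(conn, source, lookup, module="hackertarget"):
    """One module-style pass: resolve SOURCE, look up each domain, store the
    hosts, and return (total, new) exactly like the SUMMARY block."""
    total = new = 0
    for domain in resolve_source(conn, source):
        for host, ip in lookup(domain):
            total += 1
            new += add_host(conn, host, ip, module)
    return total, new

# Constructed offline stand-in for the hackertarget lookup (three hosts from the page's run).
SAMPLE = {"tesla.com": [("tesla.com", "209.133.79.61"),
                        ("model3.tesla.com", "205.234.27.221"),
                        ("shop.eu.tesla.com", "205.234.27.221")]}

def sample_lookup(domain):
    return SAMPLE.get(domain, [])
```

Running run_module twice with the same SOURCE reproduces the "3 total (0 new)" behaviour of a repeated run, and a query source such as "query SELECT host FROM hosts WHERE ip_address = '205.234.27.221'" shows how results already in the workspace can feed the next module.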

Results

We can view all the hosts that were discovered

[recon-ng][default][hackertarget] > show hosts

+------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+------------------------------------------------------------------------------------------------------------+
| 1 | tesla.com | 209.133.79.61 | | | | | hackertarget |
| 2 | sjc04d1rsaap02.tesla.com | 205.234.27.206 | | | | | hackertarget |
| 3 | model3.tesla.com | 205.234.27.221 | | | | | hackertarget |
| 4 | marketing.tesla.com | 13.111.47.196 | | | | | hackertarget |
| 5 | email.tesla.com | 136.147.129.27 | | | | | hackertarget |
| 6 | mta2.email.tesla.com | 13.111.4.231 | | | | | hackertarget |
| 7 | mta.email.tesla.com | 13.111.14.190 | | | | | hackertarget |
| 8 | xmail.tesla.com | 204.74.99.100 | | | | | hackertarget |
| 9 | comparison.tesla.com | 64.125.183.133 | | | | | hackertarget |
| 10 | na-sso.tesla.com | 209.133.79.81 | | | | | hackertarget |
| 11 | edr.tesla.com | 209.133.79.33 | | | | | hackertarget |
| 12 | mta2.emails.tesla.com | 13.111.88.1 | | | | | hackertarget |
| 13 | mta3.emails.tesla.com | 13.111.88.2 | | | | | hackertarget |
| 14 | mta4.emails.tesla.com | 13.111.88.52 | | | | | hackertarget |
| 15 | mta5.emails.tesla.com | 13.111.88.53 | | | | | hackertarget |
| 16 | mta.emails.tesla.com | 13.111.62.118 | | | | | hackertarget |
| 17 | click.emails.tesla.com | 13.111.48.179 | | | | | hackertarget |
| 18 | view.emails.tesla.com | 13.111.49.179 | | | | | hackertarget |
| 19 | events.tesla.com | 13.111.47.195 | | | | | hackertarget |
| 20 | shop.eu.tesla.com | 205.234.27.221 | | | | | hackertarget |
+------------------------------------------------------------------------------------------------------------+

[*] 20 rows returned
[recon-ng][default][hackertarget] >

Reference: https://hackertarget.com/recon-ng-tutorial/

I have only just stepped into the mysterious field of penetration testing; if anything needs correcting or could be improved, please leave a comment. Thanks!
