Advanced Reconnaissance with Recon-ng (Part IV)

Now the goal is to gather information about the network infrastructure and not about the users.

Network reconnaissance

  • Create a new workspace

workspace create SANS

  • Now you have two workspaces:

Listing workspaces

  • To insert the company, you can use an alternative way:

db insert companies SANS~SANS Institute

Inserting company name and description

  • To insert the domain, type

db insert domains sans.org

  • And repeat to add a second domain.


Inserting domain names

Now we are going to use different modules because we want to reach a different goal.

  • Let’s start by trying to get the Private Enterprise Numbers (PEN)

Using the pen module

This doesn’t seem to be really useful. Let’s delete all these new domains.

  • List the rows on the domains table and delete the useless ones

Deleting the useless domains

Let’s try to use the given domains to find hosts.

  • There are a number of modules capable of doing that:

Listing the "domains to hosts" modules

Not all of them return results for every scenario, so I’ll just list the ones that produce something for the given domains:

Bing Hostname Enumerator

Running the Bing Hostname Enumerator module

Certificate Transparency Search

Running the Certificate Transparency Search module

Google Hostname Enumerator

Running the Google Hostname Enumerator module

HackerTarget Lookup

Running the HackerTarget Lookup module

Mail eXchange (MX) and Sender Policy Framework (SPF) Record Retriever

Running the MX Record Retriever module

ThreatCrowd DNS lookup

Running the ThreatCrowd DNS lookup module

ThreatMiner DNS lookup

Running the ThreatMiner DNS lookup module

We can also try to brute force the discovery of new hosts. This is done using a provided wordlist and checking each new combination against the default DNS server.

  • Load the module and check the default options

Loading the brute_hosts module

As you can see, the application is using the file /root/.recon-ng/data/hostnames.txt as a source of strings to be added to the given domain name. You can use other files if you want to.

  • Check the ones available in /usr/share/wordlists

Listing the wordlists available in Kali Linux

  • Check the global options (recon-ng environment) to identify the configured DNS server

goptions list

Checking Recon-ng global options

The choice of the DNS server is important because you’ll probably be blocked before the end of the wordlist due to the excessive number of requests.

DNS request being blocked

To change the DNS server you have to exit the currently loaded module.

  • Just type:

back

  • Then set the proper option

options set NAMESERVER 1.1.1.1

Changing the DNS server

Run the module with the default configuration

Running the brute_hosts module

  • Maybe now is a good time to take a snapshot before moving on to the next set of modules

snapshots take

Taking a database snapshot

We have now 302 hosts but only two domains.

Let’s populate the domains table with info from the host table

  • Load and run the migrate_hosts module

Running the migrate_hosts module

As you can see, a number of useless domains are added to the database.

If you don’t like the results, load the previous database from the snapshot

  • List the available snapshots

snapshots list

Listing the snapshots

  • Load the desired snapshot

snapshots load <snapshot name>

Loading the last snapshot

Let’s try to use the “hosts to hosts” modules:

  • List them

Listing the host to hosts modules

Again, not all modules return useful information, and some cannot be used due to the lack of proper API keys.

Hostname Resolver

Running the Hostname Resolver module

Reverse Resolver

Running the Reverse Resolver module

Now it’s time to evaluate the quality of the information gathered so far. In the previous post I showed how to query the database and how to clean the data.

In this case, try the following queries:

  • Let’s delete all hosts outside the desired domain

db query DELETE FROM hosts WHERE host NOT LIKE "%sans.org"

Deleting unwanted hosts

db query DELETE FROM hosts WHERE host LIKE "*%"

Deleting unwanted hosts

  • Let’s also delete the unwanted domains

db query DELETE FROM domains WHERE domain NOT LIKE "%sans.org"

Deleting unwanted domains

Repeating the use of the previously used “domain to hosts” modules will add another handful of hosts to the database.

There are many repeated entries in the hosts table. However, this is not conclusive: several services can run on the same host, and because these services are distributed, the same service can have more than one IP address.
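To make the cleanup and duplicate-check steps concrete, here is an added Python example (not Recon-ng’s own code) that builds a simplified in-memory copy of the `hosts` and `domains` tables with constructed sample rows, mimics what `migrate_hosts` does to the domains table, runs the three DELETE statements above, and then lists the hosts that resolve to more than one IP address. The column names follow Recon-ng’s schema as far as the example needs them; the hostnames and IP addresses are made up (documentation ranges), and the “last two labels” rule used for `migrate_hosts` is an assumption about the real module’s behaviour, not a description of it.

```python
"""Constructed example: a simplified Recon-ng-style hosts/domains database in
SQLite, used to show what the post's `db query DELETE ...` statements remove,
why migrate_hosts adds unwanted domains, and how to spot hosts with several IPs.
Not Recon-ng code; only the columns the example needs are modelled."""

import sqlite3

# Constructed sample rows, modelled on what the "domains to hosts" modules
# typically return: a wildcard name from certificate transparency, a host under
# a CDN's domain, an unrelated host, and one host seen with two IP addresses.
SAMPLE_HOSTS = [
    ("www.sans.org", "192.0.2.10", "bing_domain_web"),
    ("www.sans.org", "192.0.2.11", "hackertarget"),      # same name, second IP
    ("mail.sans.org", "192.0.2.20", "mx_spf_ip"),
    ("*.sans.org", None, "certificate_transparency"),    # wildcard cert entry
    ("sans.org.cdn.example.net", "198.51.100.5", "threatminer"),
    ("unrelated.example.com", "203.0.113.7", "google_site_web"),
]
SAMPLE_DOMAINS = [("sans.org", None)]


def build_db():
    """Create the in-memory tables and load the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    con.execute("CREATE TABLE domains (domain TEXT, module TEXT)")
    con.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_HOSTS)
    con.executemany("INSERT INTO domains VALUES (?, ?)", SAMPLE_DOMAINS)
    con.commit()
    return con


def counts(con):
    """Return (number of host rows, number of domain rows)."""
    hosts = con.execute("SELECT COUNT(*) FROM hosts").fetchone()[0]
    domains = con.execute("SELECT COUNT(*) FROM domains").fetchone()[0]
    return hosts, domains


def migrate_hosts(con):
    """Assumed approximation of migrate_hosts: derive a domain from the last two
    labels of every hostname and add it if it is not already in `domains`.
    Hosts under other organisations' domains (CDNs, unrelated sites) are what
    produce the "useless domains" the post mentions. Returns the added domains."""
    existing = {row[0] for row in con.execute("SELECT domain FROM domains")}
    added = []
    rows = con.execute("SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL").fetchall()
    for (host,) in rows:
        labels = host.split(".")
        if len(labels) < 2:
            continue
        domain = ".".join(labels[-2:])
        if domain not in existing:
            existing.add(domain)
            added.append(domain)
    con.executemany("INSERT INTO domains VALUES (?, ?)",
                    [(d, "migrate_hosts") for d in added])
    con.commit()
    return sorted(added)


def cleanup(con, keep_suffix="sans.org"):
    """The three DELETE statements from the post, parameterised.
    SQLite's LIKE treats '*' literally, so LIKE '*%' matches the wildcard
    certificate names. Returns the row counts deleted by each statement."""
    cur = con.cursor()
    n_hosts = cur.execute("DELETE FROM hosts WHERE host NOT LIKE ?",
                          ("%" + keep_suffix,)).rowcount
    n_wild = cur.execute("DELETE FROM hosts WHERE host LIKE '*%'").rowcount
    n_domains = cur.execute("DELETE FROM domains WHERE domain NOT LIKE ?",
                            ("%" + keep_suffix,)).rowcount
    con.commit()
    return n_hosts, n_wild, n_domains


def hosts_with_multiple_ips(con):
    """List (host, distinct IP count) for hosts that appear with several IPs;
    these are the 'repeated entries' that are not necessarily errors."""
    return con.execute(
        "SELECT host, COUNT(DISTINCT ip_address) AS n FROM hosts "
        "WHERE ip_address IS NOT NULL GROUP BY host HAVING n > 1 ORDER BY host"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("before:", counts(db))
    print("migrate_hosts added:", migrate_hosts(db))
    print("deleted (outside domain, wildcard, domains outside):", cleanup(db))
    print("hosts with several IPs:", hosts_with_multiple_ips(db))
    print("after:", counts(db))
```

Run it as a script and it prints what each step added or removed. Two caveats worth knowing before pasting the DELETE statements into your own workspace: `NOT LIKE '%sans.org'` matches on the string suffix only, so a host such as `notsans.org` would survive (`'%.sans.org'` plus an exact match on `sans.org` is stricter); and the post’s commands wrap the pattern in double quotes, which SQLite accepts only because an unmatched double-quoted identifier falls back to a string literal, so single quotes or bound parameters (as above) are the portable form.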

Let’s get additional info about each host

Geolocation via IPStack

Getting geographical info for each host

Open ports via Binary Edge

Getting info about open ports for each host

Open ports via Censys

Getting info about open ports for each host

Setting the options for the module

Final result: 494 hosts with 510 open ports. Not bad ;)

All this information was gathered without any direct interaction with any of the target machines/domains.

If you decide to use the discovery or the exploitation modules be very careful before doing so because you will be in direct contact with the target machines and that is something that should always be done with the proper authorization.

Exporting and analyzing information

Let’s export the information in HTML format

  • Load the proper module

Loading the html module and displaying the options

  • Setting the options

Setting the options for the module

  • Opening the output file

Opening the exported file

If you prefer, you can access all the data available in recon-ng through a web-based user interface.

  • Exit the application and type

recon-web

Starting recon-web reporting engine

Using the recon-web interface

The major advantage of this analytics engine is the possibility to access all workspaces easily and to have all the info very well organized.

Final conclusion: Recon-ng v5.0.1 is one of the best free tools currently available to conduct an initial analysis on a potential target. With more APIs the results will be even better.


Next post: Advanced Footprinting with Maltego (Part I)
