NOTE: I will be using as an example a company listed on HackerOne’s bug bounty platform. You can read the accepted terms here and here.
Workspace and database setup
Before using this tool, it is advisable to create a workspace in which you save your retrieved data.
Creating a workspace
The workspace is a separate area that will help keep your reconnaissance data organized. Each workspace has an individual directory inside the hidden .recon-ng directory in the home directory.
- To create a workspace simply type:
[recon-ng][default] > workspaces create <name of workspace>
After this command you are automatically placed into your new workspace and you can easily see the status of your workspaces.
- Type:
[recon-ng][default] > workspaces list
Adding information to your workspace
Next, you will usually add a company and a domain. This will add information to the SQLite database. To add information into the database, we need to understand the schema, the layout of the tables.
- To look at the schema of the database run the following command:
[recon-ng][United] > db schema
Now we add information to the proper tables inside the workspace database.
- To insert the company, type:
[recon-ng][United] > db insert companies
- To insert the domain, type:
[recon-ng][United] > db insert domains
Adding the API keys
As I’ve mentioned before, using API keys will give access to a lot more information. These are the keys used for the following examples. They are all free and easy to get:
Social engineering reconnaissance
Recon-ng can be used to get information about networks, domains, hosts, user profiles, user e-mail addresses, credentials, etc. However, it might be a good idea to start by separating what is infrastructure related information from user related information. If your main goal is launching a phishing attack, it is more important to know about users and e-mails than to know about open TCP ports.
Getting data
The starting point is going to be the previously inserted domain and company names.
- Let’s see which modules can be used:
[recon-ng][United] > modules load companies
As you can see, the first seven modules will use the companies information to get contacts, domains, etc.
- Let’s start using them!
[recon-ng][United] > modules load recon/companies-contacts/bing_linkedin_cache
[recon-ng][United][bing_linkedin_cache] > run
- Now the next one
[recon-ng][United][bing_linkedin_cache] > modules load recon/companies-contacts/pen
[recon-ng][United][pen] > run
Before getting any more data, it might be a good idea to create a workspace database snapshot. This way, there will be a backup to return to.
- Just type:
[recon-ng][United] > snapshots take
Keep using all modules and notice some won’t get you any data at all.
- Getting more data:
Notice some contacts are not from @united.com but from other domains like @*united.com. We will fix that in a few moments.
- Let’s try to get some contacts and credentials from past leaks, using the domain as a starting point for the scylla module:
[recon-ng][United] > modules load recon/domains-credentials/scylla
[recon-ng][United][scylla] > run
- List the information already available in the credentials table:
[recon-ng][United] > show credentials
- List the information already available in the contacts table:
[recon-ng][United] > show contacts
These e-mail addresses can be converted to First Name, Last Name with a specific module: unmangle.
- Just type:
[recon-ng][United] > modules load recon/contacts-contacts/unmangle
[recon-ng][United][unmangle] > info
Now run the module and watch the result:
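The two clean-up steps above, flagging contacts whose domain is not actually in scope (the @*united.com addresses) and deriving first/last names from e-mail addresses, can also be done directly against the workspace's SQLite database. The script below is an added example written for this post; it is not part of recon-ng. It assumes the column names shown by `db schema` (domains.domain, contacts.first_name, contacts.last_name, contacts.email) and that a real workspace database lives at ~/.recon-ng/workspaces/<name>/data.db; the contact rows it seeds are constructed, not module output. It deliberately only unmangles the unambiguous `first.last` form so it never writes a guessed name that could be wrong.

```python
import re
import sqlite3

# Minimal subset of the recon-ng workspace schema. ASSUMPTION: column names
# match recon-ng's `db schema` output; only columns this script uses exist here.
SCHEMA = """
CREATE TABLE domains (domain TEXT, notes TEXT, module TEXT);
CREATE TABLE contacts (first_name TEXT, middle_name TEXT, last_name TEXT,
                       email TEXT, title TEXT, region TEXT, country TEXT,
                       phone TEXT, notes TEXT, module TEXT);
"""

# Constructed sample rows standing in for what the companies-contacts modules
# would have written; not real people and not real module output.
SAMPLE_DOMAINS = [("united.com",)]
SAMPLE_CONTACTS = [
    (None, None, None, "jane.doe@united.com", "pen"),
    (None, None, None, "j.roe@united.com", "bing_linkedin_cache"),
    ("Sam", None, "Poe", "spoe@united.com", "pen"),
    (None, None, None, "admin@notunited.com", "pen"),      # @*united.com lookalike
    (None, None, None, "bob@mail.united.com", "pen"),      # legitimate subdomain
]


def open_workspace_db(path=":memory:"):
    """Open a workspace database.

    ASSUMPTION: a real workspace is at ~/.recon-ng/workspaces/<name>/data.db.
    With the default ':memory:' path an empty database is created and seeded
    with the constructed rows so the script runs offline.
    """
    conn = sqlite3.connect(path)
    if path == ":memory:":
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO domains (domain) VALUES (?)", SAMPLE_DOMAINS)
        conn.executemany(
            "INSERT INTO contacts (first_name, middle_name, last_name, email, module) "
            "VALUES (?, ?, ?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def email_domain(email):
    """Lower-cased domain part of an address, or '' if it has none."""
    return email.rsplit("@", 1)[-1].lower() if email and "@" in email else ""


def in_scope(email, scope_domains):
    """True when the address is on a scoped domain or one of its subdomains.

    A plain substring test would accept 'notunited.com' for 'united.com';
    requiring equality or a '.united.com' suffix rejects such lookalikes.
    """
    d = email_domain(email)
    return any(d == s or d.endswith("." + s) for s in scope_domains)


def out_of_scope_contacts(conn):
    """Emails in the contacts table whose domain is not in the domains table."""
    scope = {row[0].lower() for row in conn.execute("SELECT domain FROM domains")}
    emails = [row[0] for row in
              conn.execute("SELECT email FROM contacts WHERE email IS NOT NULL")]
    return sorted(e for e in emails if not in_scope(e, scope))


_FIRST_LAST = re.compile(r"^([a-z]+)\.([a-z]+)$")


def unmangle(email):
    """Guess (first_name, last_name) from the local part of an address.

    Only the unambiguous 'first.last' pattern is handled; initial-based forms
    such as 'j.roe' or 'spoe' return None so no wrong name gets stored.
    """
    local = email.split("@", 1)[0].lower()
    m = _FIRST_LAST.match(local)
    if not m or len(m.group(1)) < 2:
        return None
    return (m.group(1).capitalize(), m.group(2).capitalize())


def fill_missing_names(conn):
    """Populate first/last name for rows lacking them; returns rows updated."""
    rows = conn.execute(
        "SELECT rowid, email FROM contacts WHERE email IS NOT NULL "
        "AND (first_name IS NULL OR last_name IS NULL)").fetchall()
    updated = 0
    for rowid, email in rows:
        guess = unmangle(email)
        if guess:
            conn.execute("UPDATE contacts SET first_name=?, last_name=? WHERE rowid=?",
                         (guess[0], guess[1], rowid))
            updated += 1
    conn.commit()
    return updated


if __name__ == "__main__":
    db = open_workspace_db()           # pass a real data.db path to use a workspace
    print("out of scope:", out_of_scope_contacts(db))
    print("names filled:", fill_missing_names(db))
    print(db.execute("SELECT first_name, last_name, email FROM contacts").fetchall())
```

Take a snapshot (`snapshots take`) before pointing this at a real workspace file, since `fill_missing_names` writes to the contacts table.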
- Let’s use a different scylla module, using the contacts as a reference to search for more credentials:
[recon-ng][United] > modules load recon/contacts-credentials/scylla
[recon-ng][United][scylla] > run
We already have a lot of information, but not all of it is useful. In the next post I’ll show you how to filter and clean your data.