Hack Like a Pro: Reconnaissance with Recon-Ng, Part 1 (Getting Started) (2024)

Welcome back, my novice hackers!

As many of you know, recon is crucial to a successful hack/pentest. In most cases, hackers spend more time doing good reconnaissance than actually hacking. Without proper recon, you are simply guessing at what type of approach or exploit is going to work and, as a result, your time is wasted without any useful outcomes.

I have an entire series here on Null Byte on the various ways to approach reconnaissance, including such key tools as:

  • Nmap
  • Hping3
  • Shodan
  • Netcraft
  • Maltego
  • FOCA
  • pygeoip
  • Whois

I encourage you to start with these reconnaissance tools and others before even considering hacking/exploitation.

In recent years, a reconnaissance framework has become available to us that leverages many of the tools we are already using and makes them far more powerful. This tool, Recon-ng, was developed by Tim Tomes while at Black Hills Information Security. He wrote it in Python and modeled its usage after Metasploit, so a pentester who already knows Metasploit will feel at home in Recon-ng. It is built into Kali, so there's no need to download or install anything.

Let's explore its many and powerful capabilities a bit here.

Step 1: Starting Recon-Ng

Fire up Kali, open a terminal, and type:

kali > recon-ng

This will open a splash screen like below.

Note that the splash screen lists the number of modules by type. Unlike SET (the Social-Engineer Toolkit), which walks you through numbered menus, Recon-ng is driven by typed commands, just like Metasploit.

Step 2: Viewing Commands

At the prompt, let's type help in order to look at the commands we can use in Recon-ng.

recon-ng > help

Note that many of these commands are nearly identical to Metasploit including back, set, use, search, show, and unset.

Step 3: Showing Modules

To see all the modules in Recon-ng, we can type:

recon-ng > show modules

Since there are 84 modules in Recon-ng, I can't fit them all on one screen, or for that matter, even two.

Step 4: Viewing Keys

One of the strengths of Recon-ng is its use of third-party application programming interfaces (APIs) to pull useful recon data. Many modules talk to services such as Bing, Google, Facebook, Instagram and LinkedIn, and they need an API key from that service before they will run. With a key loaded, Recon-ng queries the service on your behalf, subject to whatever rate limits and terms of use the provider attaches to that key.

To see what API keys Recon-ng can use, type:

recon-ng > keys list

As we can see, these are all the API keys that Recon-ng can use. Some are free and some you must pay for.

When you obtain an API key, add it to Recon-ng's key store with the keys add command. For instance, if I received an API key from Facebook and that key was "123456", I could add it to Recon-ng by typing:

recon-ng > keys add facebook_api 123456

Now when you list the keys, your facebook_api key shows up, and any module that needs Facebook access will pick it up automatically and call Facebook's API the way a registered Facebook application would. Keep in mind that Recon-ng stores these keys unencrypted in a small SQLite database under your home directory (~/.recon-ng), so treat that directory like any other credential store and don't copy it into shared VM images or repositories.

Step 5: Using Recon-Ng

Now that we have explored a bit of Recon-ng, let's try using one of the modules that does not require an API key. There are many, but let's use the XSSposed module, which looks a domain up in XSSposed's public archive of reported cross-site scripting (XSS) findings. We can load this module by typing:

recon-ng > use recon/domains-vulnerabilities/xssposed

This loads the module into memory and makes it ready for use. Let's get some info on this module by typing:

recon-ng > show info

Note the similarity to Metasploit syntax.

As you can see above, the only option we need to fill in is SOURCE, the domain we want to look up. Let's check our favorite website, WonderHowTo.com, to see whether it has any publicly reported XSS vulnerabilities.

First, set the source:

recon-ng > set source wonderhowto.com

Then tell Recon-ng to run:

recon-ng > run

Recon-ng queries the XSSposed archive for entries matching the domain. It does not send any traffic to the target itself, so this is a purely passive check. Note that XSSposed has no reported XSS entries for WonderHowTo.com. (Great job, Bryan!)

Now, let's try scanning the website of the leading IT security training company in the U.S., SANS.org, which teaches many courses on website and web app security.

recon-ng > set source sans.org
recon-ng > run

Notice that our good friends at SANS.org do turn up in the archive: XSSposed lists two reported XSS findings from 2015. Bear in mind what that does and does not tell you. An XSSposed entry means someone publicly reported an XSS on that domain at the time; it does not mean the bug is still present, so confirm it in your own (authorized) testing before it goes into a report.
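Everything in Steps 1 through 5 can be scripted. Recon-ng accepts a resource file of commands (recon-ng -r FILE), and the following POSIX shell script, added here as an example and not code from the tutorial or from the Recon-ng project, uses it to run the same lookup non-interactively. It also covers the Step 4 point about API keys: the key is read from an environment variable and written only into a private temporary file that is deleted afterwards, so it never lands in shell history or a committed script. The module path and the facebook_api key name come from the tutorial; the RECON_API_KEY variable, the workspace naming and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example for this page (not part of Recon-ng or the original tutorial):
# run the tutorial's Steps 1-5 from a Recon-ng resource file (recon-ng -r FILE)
# so the lookup is repeatable and scriptable.
# Taken from the tutorial: the module recon/domains-vulnerabilities/xssposed and
# the key name facebook_api. Assumed for this example: the RECON_API_KEY
# environment variable, the workspace naming and the function names below.

# Print the Recon-ng commands for one target domain to stdout.
#   build_resource_file TARGET [KEY_NAME]
# The API key comes from RECON_API_KEY (our convention) rather than from the
# script itself, so the secret is not stored alongside the code.
build_resource_file() {
    target="$1"
    key_name="${2:-}"

    # Refuse anything that is not a plain hostname. A newline, ';' or space
    # inside TARGET would otherwise become an extra Recon-ng command.
    case "$target" in
        ''|*[!A-Za-z0-9.-]*)
            printf 'build_resource_file: invalid target %s\n' "$target" >&2
            return 1
            ;;
    esac
    # Same rule for the key name (letters, digits, underscore only).
    case "$key_name" in
        *[!A-Za-z0-9_]*)
            printf 'build_resource_file: invalid key name %s\n' "$key_name" >&2
            return 1
            ;;
    esac

    # Step 4: load the key only when a key name was requested and a key is set.
    if [ -n "$key_name" ] && [ -n "${RECON_API_KEY:-}" ]; then
        printf 'keys add %s %s\n' "$key_name" "$RECON_API_KEY"
    fi
    # Step 5: select the module, set its only option, run it, dump results.
    printf 'use recon/domains-vulnerabilities/xssposed\n'
    printf 'set SOURCE %s\n' "$target"
    printf 'run\n'
    printf 'show vulnerabilities\n'   # table the module writes its findings to
    printf 'exit\n'                   # leave Recon-ng instead of dropping to a prompt
}

# Write the resource file to a private temp file, run Recon-ng on it in its own
# workspace, and delete the file afterwards (it may contain the API key).
#   run_recon TARGET [KEY_NAME]
run_recon() {
    command -v recon-ng >/dev/null 2>&1 || {
        printf 'recon-ng not found; on Kali it ships preinstalled\n' >&2
        return 1
    }
    rc="$(mktemp)" || return 1           # mktemp creates the file with mode 0600
    if ! build_resource_file "$@" > "$rc"; then
        rm -f "$rc"
        return 1
    fi
    # -w selects (or creates) a workspace, keeping each target's data separate.
    ws="xss_$(printf '%s' "$1" | tr '.' '_')"
    recon-ng -w "$ws" -r "$rc"
    status=$?
    rm -f "$rc"
    return $status
}

# Usage (the same two runs as in the tutorial, but scripted):
#   RECON_API_KEY=123456 ./recon_xss.sh wonderhowto.com facebook_api
#   ./recon_xss.sh sans.org
if [ $# -gt 0 ]; then
    run_recon "$@"
fi
```

The hostname check matters more than it looks: a resource file is just a list of commands, so an unvalidated target of the form "sans.org<newline>keys list" would silently run whatever follows the newline inside Recon-ng. On Recon-ng 5.x, modules are no longer bundled, so install the one you need first (marketplace install recon/domains-vulnerabilities/xssposed) and confirm it is still available before relying on the script.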

Recon-ng is one more tool in our hacker/pentester toolbox that provides us powerful capabilities for gathering necessary info on the target. In future tutorials in this series, we will explore its many varied capabilities, most particularly using APIs to garner key info on our target. So keep coming back, my novice hackers!

Article information

Author: Geoffrey Lueilwitz