Recon-ng Framework A Quick Intro


Recon-ng is an open-source framework coded in python by Tim Tomes a.k.a LaNMaSteR53. Its interface is modeled after the look of the Metasploit Framework but it is not meant for exploitation or for spawning a meterpreter session or a shell, it is for web-based reconnaissance and information gathering. It comes with modules to support your web reconnaissance adventure and information gathering just like Metasploit's auxiliary and exploit modules. Modules are categorized into Discovery, Experimental, Recon and Reporting.
As of this writing here are the modules with its subcategories:

Discovery
---------
discovery/exploitable/http/dnn_fcklinkgallery
discovery/exploitable/http/generic_restaurantmenu
discovery/exploitable/http/webwiz_rte
discovery/info_disclosure/dns/cache_snoop
discovery/info_disclosure/http/backup_finder
discovery/info_disclosure/http/google_ids
discovery/info_disclosure/http/interesting_files

Experimental
------------
experimental/rce

Recon
-----
recon/contacts/enum/http/web/dev_diver
recon/contacts/enum/http/web/namechk
recon/contacts/enum/http/web/pwnedlist
recon/contacts/enum/http/web/should_change_password
recon/contacts/gather/http/api/jigsaw/point_usage
recon/contacts/gather/http/api/jigsaw/purchase_contact
recon/contacts/gather/http/api/jigsaw/search_contacts
recon/contacts/gather/http/api/linkedin_auth
recon/contacts/gather/http/api/twitter
recon/contacts/gather/http/api/whois_pocs
recon/contacts/gather/http/web/jigsaw
recon/contacts/gather/http/web/pgp_search
recon/contacts/support/add_contact
recon/contacts/support/mangle
recon/creds/enum/http/api/leakdb
recon/creds/enum/http/api/noisette
recon/creds/gather/http/api/pwnedlist/account_creds
recon/creds/gather/http/api/pwnedlist/api_usage
recon/creds/gather/http/api/pwnedlist/domain_creds
recon/creds/gather/http/api/pwnedlist/domain_ispwned
recon/creds/gather/http/api/pwnedlist/leak_lookup
recon/creds/gather/http/api/pwnedlist/leaks_dump
recon/hosts/enum/dns/resolve
recon/hosts/enum/http/api/builtwith
recon/hosts/enum/http/api/punkspider
recon/hosts/enum/http/api/wascompanyhacked
recon/hosts/enum/http/api/whatweb
recon/hosts/enum/http/api/whois_lookup
recon/hosts/enum/http/web/age_analyzer
recon/hosts/enum/http/web/asafaweb
recon/hosts/enum/http/web/gender_analyzer
recon/hosts/enum/http/web/ipvoid
recon/hosts/enum/http/web/malwaredomain
recon/hosts/enum/http/web/mywot
recon/hosts/enum/http/web/netbios
recon/hosts/enum/http/web/netcraft_history
recon/hosts/enum/http/web/open_resolvers
recon/hosts/enum/http/web/urlvoid
recon/hosts/enum/http/web/web_archive
recon/hosts/enum/http/web/xssed
recon/hosts/gather/dns/brute_force
recon/hosts/gather/http/api/bing_ip
recon/hosts/gather/http/api/google_site
recon/hosts/gather/http/api/shodan_hostname
recon/hosts/gather/http/web/baidu_site
recon/hosts/gather/http/web/bing_site
recon/hosts/gather/http/web/census_2012
recon/hosts/gather/http/web/google_site
recon/hosts/gather/http/web/ip_neighbor
recon/hosts/gather/http/web/mcafee/mcafee_affil
recon/hosts/gather/http/web/mcafee/mcafee_dns
recon/hosts/gather/http/web/mcafee/mcafee_mail
recon/hosts/gather/http/web/netcraft
recon/hosts/gather/http/web/yahoo_site
recon/hosts/geo/http/api/hostip
recon/hosts/geo/http/api/ipinfodb
recon/hosts/geo/http/api/maxmind
recon/hosts/geo/http/api/uniapple
recon/hosts/geo/http/web/wigle
recon/hosts/support/add_host

Reporting
---------
reporting/csv_file
reporting/html_report
reporting/list

I am also one of the contributors for this framework and has contributed mostly to the Discovery modules.


In this article I'm going to emphasize the Backup File Finder module which I authored together with Tim Tomes (the main developer of Recon-ng). This module can be used for checking specific hosts for exposed backup files. The default configuration searches for wp-config.php files which contain WordPress database configuration information.

As a side note, this module is inspired by cmsploit.

Basic Usage:

load discovery/info_disclosure/http/backup_finder (use the module)

show options (shows the options that can be set for the module)

set source target.com (the host you want to crawl)

set uri config_file (configuration file you want to check, ex. wp-config.php)

Here is the screenshot of the Backup File Finder's actual crawling.


Now, here is what's inside in a typical configuration file:


define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'passwd');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

List of the various configuration files used by popular CMS' which can be set to the option uri:

wp-config.php >> WordPress
config.php >> phpBB, ExpressionEngine
configuration.php >> Joomla
LocalSettings.php >>MediaWiki
mt-config.cgi >> Movable Type
settings.php >> Drupal

About The Author

This article has been written by Jay Turla, he is a security researcher at Infosec, along with security research he also performs vulnerability research too.

Resources:
https://bitbucket.org/LaNMaSteR53/recon-ng
http://resources.infosecinstitute.com/the-recon-ng-framework-automated-information-gathering/
http://feross.org/cmsploit/