Recon-ng Framework A Quick Intro
Recon-ng is an open-source framework coded in python by Tim Tomes a.k.a LaNMaSteR53. Its interface is modeled after the look of the Metasploit Framework but it is not meant for exploitation or for spawning a meterpreter session or a shell, it is for web-based reconnaissance and information gathering. It comes with modules to support your web reconnaissance adventure and information gathering just like Metasploit's auxiliary and exploit modules. Modules are categorized into Discovery, Experimental, Recon and Reporting.
As of this writing here are the modules with its subcategories:
---------
discovery/exploitable/http/
discovery/exploitable/http/
discovery/exploitable/http/
discovery/info_disclosure/dns/
discovery/info_disclosure/
discovery/info_disclosure/
discovery/info_disclosure/
Experimental
------------
experimental/rce
Recon
-----
recon/contacts/enum/http/web/
recon/contacts/enum/http/web/
recon/contacts/enum/http/web/
recon/contacts/enum/http/web/
recon/contacts/gather/http/
recon/contacts/gather/http/
recon/contacts/gather/http/
recon/contacts/gather/http/
recon/contacts/gather/http/
recon/contacts/gather/http/
recon/contacts/gather/http/
recon/contacts/gather/http/
recon/contacts/support/add_
recon/contacts/support/mangle
recon/creds/enum/http/api/
recon/creds/enum/http/api/
recon/creds/gather/http/api/
recon/creds/gather/http/api/
recon/creds/gather/http/api/
recon/creds/gather/http/api/
recon/creds/gather/http/api/
recon/creds/gather/http/api/
recon/hosts/enum/dns/resolve
recon/hosts/enum/http/api/
recon/hosts/enum/http/api/
recon/hosts/enum/http/api/
recon/hosts/enum/http/api/
recon/hosts/enum/http/api/
recon/hosts/enum/http/web/age_
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/
recon/hosts/enum/http/web/web_
recon/hosts/enum/http/web/
recon/hosts/gather/dns/brute_
recon/hosts/gather/http/api/
recon/hosts/gather/http/api/
recon/hosts/gather/http/api/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/gather/http/web/
recon/hosts/geo/http/api/
recon/hosts/geo/http/api/
recon/hosts/geo/http/api/
recon/hosts/geo/http/api/
recon/hosts/geo/http/web/wigle
recon/hosts/support/add_host
Reporting
---------
reporting/csv_file
reporting/html_report
reporting/list
I am also one of the contributors for this framework and has contributed mostly to the Discovery modules.
As a side note, this module is inspired by cmsploit.
Basic Usage:
load discovery/info_disclosure/
show options (shows the options that can be set for the module)
set source target.com (the host you want to crawl)
set uri config_file (configuration file you want to check, ex. wp-config.php)
Here is the screenshot of the Backup File Finder's actual crawling.
Now, here is what's inside in a typical configuration file:
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'passwd');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
List of the various configuration files used by popular CMS' which can be set to the option uri:
wp-config.php >> WordPress
config.php >> phpBB, ExpressionEngine
configuration.php >> Joomla
LocalSettings.php >>MediaWiki
mt-config.cgi >> Movable Type
settings.php >> Drupal
About The Author
This article has been written by Jay Turla, he is a security researcher at Infosec, along with security research he also performs vulnerability research too.
Resources:
https://bitbucket.org/
http://resources.
http://feross.org/cmsploit/