Pown Recon - A Powerful Target Reconnaissance Framework Powered By Graph Theory
Pown Recon is a target reconnaissance framework powered by graph theory. The benefit of using graph theory instead of a flat table representation is that it is easier to find the relationships between different types of information, which comes in quite handy in many situations. Graph theory algorithms also help with diffing, searching (for example finding the shortest path between two nodes), and many more interesting tasks.
Quickstart
This tool is meant to be used as part of Pown.js but it can be invoked separately as an independent tool.
If installed globally as part of Pown, invoke it like this:
$ pown recon
Otherwise, install the module locally in your project and invoke it from node_modules:
$ npm install @pown/recon --save
$ ./node_modules/.bin/pown-cli recon
You can also use a global pown with the local project as its root:
$ POWN_ROOT=. pown recon
Usage
WARNING: This pown command is currently under development and as a result will be subject to breaking changes.
pown recon [options]

Target recon

Commands:
  pown recon transform  Perform inline transformation           [aliases: t]
  pown recon select     Perform a selection                     [aliases: s]
  pown recon diff       Perform a diff between two recon files  [aliases: d]

Options:
  --version  Show version number  [boolean]
  --debug    Debug mode           [boolean]
  --help     Show help            [boolean]
Transform
pown recon transform

Perform inline transformation

Commands:
  pown recon transform archiveindex [options]
      Obtain a commoncraw index for specific URL.  [aliases: archive_index, arci]
  pown recon transform awsiamendpoints [options]
      Enumerate AWS IAM endpoints.  [aliases: aws_iam_endpoints, awsie]
  pown recon transform builtwithscraperelationships [options]
      Performs scrape of builtwith relationships.  [aliases: builtwith_scrape_relationships, bwsr]
  pown recon transform cloudflarednsquery [options]
      Query CloudFlare DNS API.  [aliases: cloudflare_dns_query, cfdq]
  pown recon transform commoncrawlindex [options]
      Obtain a commoncraw index for specific URL.  [aliases: commoncrawl_index, cci]
  pown recon transform crtshdomainreport [options]
      Obtain crt.sh domain report which helps enumerating potential target subdomains.  [aliases: crtsh_domain_report, crtshdr]
  pown recon transform dockerhublistrepos [options]
      List the first 100 DockerHub repositories.  [aliases: dockerhub_list_repos, dhlr]
  pown recon transform githublistrepos [options]
      List the first 100 GitHub repositories.  [aliases: github_list_repos, ghlr]
  pown recon transform githublistmembers [options]
      List the first 100 GitHub members in org.  [aliases: github_list_members, ghlm]
  pown recon transform gravatar [options]
      Get gravatar.
  pown recon transform hackertargetreverseiplookup [options]
      Obtain reverse IP information from hackertarget.com.  [aliases: hackertarget_reverse_ip_lookup, htril]
  pown recon transform hibpreport [options]
      Obtain haveibeenpwned.com breach report.  [aliases: hibp_report, hibpr]
  pown recon transform pkslookupkeys [options]
      Look up the PKS database at pool.sks-keyservers.net, which pgp.mit.edu is part of.  [aliases: pks_lookup_keys, pkslk]
  pown recon transform riddleripsearch [options]
      Searches for IP references using F-Secure riddler.io.  [aliases: riddler_ip_search, ris]
  pown recon transform riddlerdomainsearch [options]
      Searches for domain references using F-Secure riddler.io.  [aliases: riddler_domain_search, rds]
  pown recon transform threatcrowddomainreport [options]
      Obtain threatcrowd domain report which helps enumerating potential target subdomains and email addresses.  [aliases: threatcrowd_domain_report, tcdr]
  pown recon transform threatcrowdipreport [options]
      Obtain threatcrowd IP report which helps enumerating virtual hosts.  [aliases: threatcrowd_ip_report, tcir]
  pown recon transform urlscanliveshot [options]
      Generates a liveshot of any public site via urlscan.  [aliases: usls]
  pown recon transform wappalyzerprofile [options]
      Enumerate technologies with api.wappalyzer.com.  [aliases: wappalyzer_profile, wzp]
  pown recon transform whatsmynamereport [options]
      Find social accounts with the whatsmyname database.  [aliases: wmnr]
  pown recon transform zoomeyescrapesearchresults [options]
      Performs first page scrape on ZoomEye search results.  [aliases: zoomeye_scrape_search_results, zyssr]

Options:
  --version    Show version number  [boolean]
  --debug      Debug mode           [boolean]
  --help       Show help            [boolean]
  --read, -r   Read file            [string]
  --write, -w  Write file           [string]
Select
pown recon select

Perform a selection

Options:
  --version            Show version number  [boolean]
  --debug              Debug mode           [boolean]
  --help               Show help            [boolean]
  --read, -r           Read file            [string]
  --write, -w          Write file           [string]
  --output-format, -o  Output format        [string] [choices: "table", "csv", "json"] [default: "table"]
  --output-fields      Output fields        [string] [default: ""]
  --output-with-ids    Output ids           [boolean] [default: false]
Diff
pown recon diff

Perform a diff between two recon files

Options:
  --version            Show version number  [boolean]
  --debug              Debug mode           [boolean]
  --help               Show help            [boolean]
  --subset, -s         The subset to select [choices: "left", "right", "both"] [default: "left"]
  --write, -w          Write file           [string]
  --output-format, -o  Output format        [string] [choices: "table", "csv", "json"] [default: "table"]
  --output-fields      Output fields        [string] [default: ""]
  --output-with-ids    Output ids           [boolean] [default: false]
Transforms
- GitHub Search of Repos and Members
- CloudFlare 1.1.1.1 DNS API
- CRTSH
- DockerHub Repo Search
- Gravatar URLs
- Hacker Target Reverse IP Lookup
- Have I Been Pwned Lookup
- PKS Lookup
- Urlscan Live Shot
- Threatcrowd Lookup
- ZoomEye Scraper
- Wappalyzer
- AWS Landing Pages
- Builtwith
- Riddler
- Commoncraw
- Archive.org
- WhatsMyName
Tutorial
To demonstrate the power of Pown Recon and graph-based OSINT (Open Source Intelligence), let's take a look at the following little example.
Let's start by querying everyone who is a member of Google's engineering team and contributes to their GitHub account.
pown recon t -w google.network ghlm google
┌─────────┬─────────────────┬────────────────────────────────────────────┬─────────────────────────┬─────────────────────────────────────────────────────────┐
│ (index) │ type            │ uri                                        │ login                   │ avatar                                                  │
├─────────┼─────────────────┼────────────────────────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────┤
│ 0       │ 'github:member' │ 'https://github.com/3rf'                   │ '3rf'                   │ 'https://avatars1.githubusercontent.com/u/1242478?v=4'  │
│ 1       │ 'github:member' │ 'https://github.com/aaroey'                │ 'aaroey'                │ 'https://avatars0.githubusercontent.com/u/31743510?v=4' │
│ 2       │ 'github:member' │ 'https://github.com/aarongable'            │ 'aarongable'            │ 'https://avatars3.githubusercontent.com/u/2474926?v=4'  │
│ ...     │ ...             │ ...                                        │ ...                     │ ...                                                     │
│ 97      │ 'github:member' │ 'https://github.com/alexv'                 │ 'alexv'                 │ 'https://avatars0.githubusercontent.com/u/30807372?v=4' │
│ 98      │ 'github:member' │ 'https://github.com/alexwhouse'            │ 'alexwhouse'            │ 'https://avatars3.githubusercontent.com/u/1448490?v=4'  │
│ 99      │ 'github:member' │ 'https://github.com/alexwoz'               │ 'alexwoz'               │ 'https://avatars3.githubusercontent.com/u/501863?v=4'   │
└─────────┴─────────────────┴────────────────────────────────────────────┴─────────────────────────┴─────────────────────────────────────────────────────────┘
You just created your first network! The representation is tabular for convenience, but underneath we have a model which consists of nodes connected by edges.
If you are wondering what that looks like, you can use SecApps Recon. The command line does not have the necessary level of interactivity to present the complexity of graphs.
The -w google.network command line option exported the network to a file. You can load the file directly into SecApps Recon with the open file feature. The result will look like this:
Now imagine that we want to query what repositories these Google engineers are working on. This is easy. First, we need to select the nodes in the graph and then transform them with the "GitHub List Repositories" transformation. This is how we do it from the command line:
pown recon t ghlr -r google.network -w google2.network -s 'node[type="github:member"]'
┌─────────┬───────────────┬──────────────────────────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────┐
│ (index) │ type          │ uri                                                                          │ fullName                                                  │
├─────────┼───────────────┼──────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ 0       │ 'github:repo' │ 'https://github.com/3rf/2015-talks'                                          │ '3rf/2015-talks'                                          │
│ 1       │ 'github:repo' │ 'https://github.com/3rf/codecoroner'                                         │ '3rf/codecoroner'                                         │
│ 2       │ 'github:repo' │ 'https://github.com/3rf/DefinitelyTyped'                                     │ '3rf/DefinitelyTyped'                                     │
│ ...     │ ...           │ ...                                                                          │ ...                                                       │
│ 1348    │ 'github:repo' │ 'https://github.com/agau4779/ultimate-tic-tac-toe'                           │ 'agau4779/ultimate-tic-tac-toe'                           │
│ 1349    │ 'github:repo' │ 'https://github.com/agau4779/worm_scraper'                                   │ 'agau4779/worm_scraper'                                   │
│ 1350    │ 'github:repo' │ 'https://github.com/agau4779/zsearch'                                        │ 'agau4779/zsearch'                                        │
└─────────┴───────────────┴──────────────────────────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────┘
Having both google.network and google2.network, you might be wondering what the difference between them is. Well, we have a tool for doing just that. This is how we do it:
pown recon diff google.network google2.network