Pown Recon - A Powerful Target Reconnaissance Framework Powered By Graph Theory


Pown Recon is a target reconnaissance framework powered by graph theory. The benefit of using graph theory instead of a flat table representation is that it is easier to find the relationships between different types of information, which comes in quite handy in many situations. Graph theory algorithms also help with diffing, searching, finding the shortest path, and many more interesting tasks.

Quickstart
This tool is meant to be used as part of Pown.js but it can be invoked separately as an independent tool.
If installed globally as part of Pown, invoke it like this:
$ pown recon
Otherwise, install this module from the root of your project:
$ npm install @pown/recon --save
Once done, invoke pown recon like this:
$ ./node_modules/.bin/pown-cli recon
You can also use Pown to invoke it locally:
$ POWN_ROOT=. pown recon

Usage
WARNING: This pown command is currently under development and as a result will be subject to breaking changes.
pown recon [options]

Target recon

Commands:
  pown recon transform   Perform inline transformation  [aliases: t]
  pown recon select      Perform a selection  [aliases: s]
  pown recon diff        Perform a diff between two recon files  [aliases: d]

Options:
  --version  Show version number  [boolean]
  --debug    Debug mode  [boolean]
  --help     Show help  [boolean]

Transform
pown recon transform

Perform inline transformation

Commands:
  pown recon transform archiveindex [options]                   Obtain a commoncraw index for specific URL.  [aliases: archive_index, arci]
  pown recon transform awsiamendpoints [options]                Enumeration AWS IAM Endpoints  [aliases: aws_iam_endpoints, awsie]
  pown recon transform builtwithscraperelationships [options]   Performs scrape of builtwith relationships  [aliases: builtwith_scrape_relationships, bwsr]
  pown recon transform cloudflarednsquery [options]             Query CloudFlare DNS API  [aliases: cloudflare_dns_query, cfdq]
  pown recon transform commoncrawlindex [options]               Obtain a commoncraw index for specific URL.  [aliases: commoncrawl_index, cci]
  pown recon transform crtshdomainreport [options]              Obtain crt.sh domain report which helps enumerating potential target subdomains.  [aliases: crtsh_domain_report, crtshdr]
  pown recon transform dockerhublistrepos [options]             List the first 100 DockerHub repositories  [aliases: dockerhub_list_repos, dhlr]
  pown recon transform githublistrepos [options]                List the first 100 GitHub repositories  [aliases: github_list_repos, ghlr]
  pown recon transform githublistmembers [options]              List the first 100 GitHub members in org  [aliases: github_list_members, ghlm]
  pown recon transform gravatar [options]                       Get gravatar
  pown recon transform hackertargetreverseiplookup [options]    Obtain reverse IP information from hackertarget.com.  [aliases: hackertarget_reverse_ip_lookup, htril]
  pown recon transform hibpreport [options]                     Obtain haveibeenpwned.com breach report.  [aliases: hibp_report, hibpr]
  pown recon transform pkslookupkeys [options]                  Look up the PKS database at pool.sks-keyservers.net which pgp.mit.edu is part of.  [aliases: pks_lookup_keys, pkslk]
  pown recon transform riddleripsearch [options]                Searches for IP references using F-Secure riddler.io.  [aliases: riddler_ip_search, ris]
  pown recon transform riddlerdomainsearch [options]            Searches for Domain references using F-Secure riddler.io.  [aliases: riddler_domain_search, rds]
  pown recon transform threatcrowddomainreport [options]        Obtain threatcrowd domain report which helps enumerating potential target subdomains and email addresses.  [aliases: threatcrowd_domain_report, tcdr]
  pown recon transform threatcrowdipreport [options]            Obtain threatcrowd ip report which helps enumerating virtual hosts.  [aliases: threatcrowd_ip_report, tcir]
  pown recon transform urlscanliveshot [options]                Generates a liveshot of any public site via urlscan.  [aliases: usls]
  pown recon transform wappalyzerprofile [options]              Enumerate technologies with api.wappalyzer.com  [aliases: wappalyzer_profile, wzp]
  pown recon transform whatsmynamereport [options]              Find social accounts with whatsmyname database.  [aliases: wmnr]
  pown recon transform zoomeyescrapesearchresults [options]     Performs first page scrape on ZoomEye search results  [aliases: zoomeye_scrape_search_results, zyssr]

Options:
  --version    Show version number  [boolean]
  --debug      Debug mode  [boolean]
  --help       Show help  [boolean]
  --read, -r   Read file  [string]
  --write, -w  Write file  [string]

Select
pown recon select

Perform a selection

Options:
  --version            Show version number  [boolean]
  --debug              Debug mode  [boolean]
  --help               Show help  [boolean]
  --read, -r           Read file  [string]
  --write, -w          Write file  [string]
  --output-format, -o  Output format  [string] [choices: "table", "csv", "json"] [default: "table"]
  --output-fields      Output fields  [string] [default: ""]
  --output-with-ids    Output ids  [boolean] [default: false]

Diff
pown recon diff

Perform a diff between two recon files

Options:
  --version            Show version number  [boolean]
  --debug              Debug mode  [boolean]
  --help               Show help  [boolean]
  --subset, -s         The subset to select  [choices: "left", "right", "both"] [default: "left"]
  --write, -w          Write file  [string]
  --output-format, -o  Output format  [string] [choices: "table", "csv", "json"] [default: "table"]
  --output-fields      Output fields  [string] [default: ""]
  --output-with-ids    Output ids  [boolean] [default: false]

Transforms
  • GitHub Search of Repos and Members
  • CloudFlare 1.1.1.1 DNS API
  • CRTSH
  • DockerHub Repo Search
  • Gravatar URLs
  • Hacker Target Reverse IP Lookup
  • Have I Been Pwned Lookup
  • PKS Lookup
  • Urlscan Live Shot
  • Threatcrowd Lookup
  • ZoomEye Scraper
  • Wappalyzer
  • AWS Landing Pages
  • Builtwith
  • Riddler
  • Commoncraw
  • Archive.org
  • WhatsMyName

Tutorial
To demonstrate the power of Pown Recon and graph-based OSINT (Open Source Intelligence), let's take a look at the following little example.
Let's start by querying everyone who is a member of Google's engineering team and contributes to their GitHub account.
pown recon t -w google.network ghlm google
This command will generate a table similar to this:
┌─────────┬─────────────────┬────────────────────────────────────────────┬─────────────────────────┬─────────────────────────────────────────────────────────┐
│ (index) │      type       │                    uri                     │          login          │                         avatar                          │
├─────────┼─────────────────┼────────────────────────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────┤
│    0    │ 'github:member' │          'https://github.com/3rf'          │          '3rf'          │ 'https://avatars1.githubusercontent.com/u/1242478?v=4'  │
│    1    │ 'github:member' │        'https://github.com/aaroey'         │        'aaroey'         │ 'https://avatars0.githubusercontent.com/u/31743510?v=4' │
│    2    │ 'github:member' │      'https://github.com/aarongable'       │      'aarongable'       │ 'https://avatars3.githubusercontent.com/u/2474926?v=4'  │
...
│   97    │ 'github:member' │         'https://github.com/alexv'         │         'alexv'         │ 'https://avatars0.githubusercontent.com/u/30807372?v=4' │
│   98    │ 'github:member' │      'https://github.com/alexwhouse'       │      'alexwhouse'       │ 'https://avatars3.githubusercontent.com/u/1448490?v=4'  │
│   99    │ 'github:member' │        'https://github.com/alexwoz'        │        'alexwoz'        │  'https://avatars3.githubusercontent.com/u/501863?v=4'  │
└─────────┴─────────────────┴────────────────────────────────────────────┴─────────────────────────┴─────────────────────────────────────────────────────────┘
You just created your first network!
The representation is tabular for convenience, but underneath we've got a model which consists of nodes connected by edges.
If you are wondering what that looks like, you can use SecApps Recon. The command line does not have the necessary level of interactivity to present the complexity of graphs.
The -w google.network command line option exported the network to a file. You can load the file directly into SecApps Recon with the file open feature. The result will look like this:


Now imagine that we want to research what repositories these Google engineers are working on. This is easy. First, we need to select the nodes in the graph and then transform them with the "GitHub List Repositories" transformation. This is how we do it from the command line:
pown recon t ghlr -r google.network -w google2.network -s 'node[type="github:member"]'
If you don't hit GitHub API rate limits, you will be presented with this:
┌─────────┬───────────────┬──────────────────────────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────┐
│ (index) │     type      │                                     uri                                      │                         fullName                          │
├─────────┼───────────────┼──────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│    0    │ 'github:repo' │                     'https://github.com/3rf/2015-talks'                      │                     '3rf/2015-talks'                      │
│    1    │ 'github:repo' │                     'https://github.com/3rf/codecoroner'                     │                     '3rf/codecoroner'                     │
│    2    │ 'github:repo' │                   'https://github.com/3rf/DefinitelyTyped'                   │                   '3rf/DefinitelyTyped'                   │
...
│  1348   │ 'github:repo' │              'https://github.com/agau4779/ultimate-tic-tac-toe'              │              'agau4779/ultimate-tic-tac-toe'              │
│  1349   │ 'github:repo' │                  'https://github.com/agau4779/worm_scraper'                  │                  'agau4779/worm_scraper'                  │
│  1350   │ 'github:repo' │                    'https://github.com/agau4779/zsearch'                     │                    'agau4779/zsearch'                     │
└─────────┴───────────────┴──────────────────────────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────┘
Since we now have two files, google.network and google2.network, you might be wondering what the difference between them is. Well, we have a tool for doing just that. This is how we do it.
pown recon diff google.network google2.network
Now we know! This feature is quite useful if you are building large recon maps and you just want to know what the key differences are. Imagine your cron job performs the same recon every day and you would like to know if something new just appeared which might be worth exploring further. Hello, bug bounty hunters!
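To make the graph model behind the tutorial concrete, and to show what the diff command's --subset left|right|both choices mean, here is an added JavaScript sketch that is not Pown Recon's own code: uri-keyed nodes with directed edges, a selector that only understands the node[type="..."] form used above, stand-ins for the ghlm and ghlr transforms fed from constructed data instead of the GitHub API, and a diff by node id.

```javascript
// Minimal model of the recon graph the tutorial builds: typed nodes keyed by
// uri plus directed edges. Constructed sample data replaces the GitHub API.
const FAKE_MEMBERS = { google: ['3rf', 'aaroey'] };
const FAKE_REPOS = { '3rf': ['2015-talks', 'codecoroner'], aaroey: [] };
function makeGraph() { return { nodes: new Map(), edges: [] }; }
// The uri is the node id, so re-discovering an entity never duplicates it.
function addNode(graph, node) {
  if (!graph.nodes.has(node.uri)) graph.nodes.set(node.uri, node);
  return node.uri;
}

// Stand-in for ghlm: each member of the org becomes a github:member node.
function githubListMembers(graph, org) {
  for (const login of FAKE_MEMBERS[org] || []) {
    addNode(graph, { type: 'github:member', uri: `https://github.com/${login}`, login });
  }
  return graph;
}
// Supports the node[type="..."] selector form passed to -s in the tutorial.
function select(graph, selector) {
  const m = /^node\[type="([^"]+)"\]$/.exec(selector);
  if (!m) throw new Error(`unsupported selector: ${selector}`);
  return [...graph.nodes.values()].filter((n) => n.type === m[1]);
}
// Stand-in for ghlr: every selected member yields github:repo nodes linked
// back to that member, so ownership survives as an edge rather than a column.
function githubListRepos(graph, selector) {
  const out = { nodes: new Map(graph.nodes), edges: [...graph.edges] };
  for (const member of select(graph, selector)) {
    for (const name of FAKE_REPOS[member.login] || []) {
      const fullName = `${member.login}/${name}`;
      const uri = addNode(out, { type: 'github:repo', uri: `https://github.com/${fullName}`, fullName });
      out.edges.push({ source: member.uri, target: uri });
    }
  }
  return out;
}

// Diff by node id; subset mirrors the diff command's --subset left|right|both.
function diff(left, right, subset = 'left') {
  const only = (a, b) => [...a.nodes.values()].filter((n) => !b.nodes.has(n.uri));
  const both = () => [...left.nodes.values()].filter((n) => right.nodes.has(n.uri));
  return { left: () => only(left, right), right: () => only(right, left), both }[subset]();
}
// The tutorial end to end: ghlm google, ghlr over the member nodes, then diff.
function tutorial() {
  const google = githubListMembers(makeGraph(), 'google');
  const google2 = githubListRepos(google, 'node[type="github:member"]');
  return { google, google2, newRepos: diff(google, google2, 'right') };
}
```

With the default subset the diff is empty, because google.network contains nothing that google2.network lacks; the new repositories only appear under --subset right.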