小白日记6:kali渗透测试之被动信息收集(五)-Recon-ng
Recon-ng
Recon-NG是由python编写的一个开源的Web侦查(信息收集)框架。Recon-ng框架是一个全特性的工具,使用它可以自动的收集信息和网络侦查。其命令格式与Metasploit!默认集成数据库,可把查询结果结构化存储在其中,有报告模块,把结果导出为报告。1、启动Recon-NG框架[recon-ng][default] >提示符表示启动成功<span style="font-size:18px;">root@kali:~# recon-ng _/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/ +---------------------------------------------------------------------------+ | _ ___ _ __ | | |_)| _ _|_ |_|.|| _ | _ |_ _ _ _ _ _|_o _ _ (_ _ _ _o_|_ | | |_)|(_|(_|\ | ||||_\ _|_| || (_)| |||(_| | |(_)| | __)(/_(_|_|| | | \/ | | / | | Consulting | Research | Development | Training | | http://www.blackhillsinfosec.com | +---------------------------------------------------------------------------+ [recon-ng v4.6.3, Tim Tomes (@LaNMaSteR53)] [71] Recon modules #71个侦查模块 [7] Reporting modules #7个报告模块 [2] Import modules #2个导入模块 [2] Exploitation modules #2个渗透攻击模块 [2] Discovery modules #2个发现模块 </span>
使用help命令查看所有可执行的命令或-h<span style="font-size:18px;">[recon-ng][default] > help Commands (type [help|?] <topic>): --------------------------------- add Adds records to the database #将记录添加到数据库中 back Exits the current context #退出当前上下文 delete Deletes records from the database exit Exits the framework help Displays this menu <strong>keys Manages framework API keys #管理框架API load Loads specified module #加载指定模块</strong> pdb Starts a Python Debugger session #启动python调试器 query Queries the database #查询数据库 record Records commands to a resource file #记录命令到源文件中 <strong>reload Reloads all modules #重新加载所有模块</strong> resource Executes commands from a resource file #在框架下从源文件中执行命令 <strong>search Searches available modules #搜索可用模块</strong> set Sets module options #设置模块参数 <strong>shell Executes shell commands #执行shell命令 show Shows various framework items #显示各种框架项目 snapshots Manages workspace snapshots #管理工作区快照 </strong>spool Spools output to a file #输出到一个文件上 unset Unsets module options #复原模块参数 <span style="color:#ff0000;">use Loads specified module #加载指定模块</span> workspaces Manages workspaces #管理工作区 </span>root@kali:~# recon-ng -h usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check] [--no-analytics] recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at]gmail.com optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit -w workspace load/create a workspace #设置不同工作区 -r filename load commands from a resource file#把recon-ng框架下的命令存成文本文件,可自动执行里面的指令 --no-check disable version check #每次启动不去检查recon-ng版本检查 --no-analytics disable analytics reporting #每次启动不去检查工作报告[recon-ng][sina.com] > show options Name Current Value Required Description ---------- ------------- -------- ----------- DEBUG False yes enable debugging output NAMESERVER 8.8.8.8 yes nameserver for DNS interrogation PROXY no proxy server (address:port) THREADS 10 yes number of threads (where applicable) TIMEOUT 10 yes socket timeout (seconds) <strong>USER-AGENT Recon-ng/v4 yes user-agent string #伪装USER-AFENT</strong> VERBOSE True yes enable verbose output注:可用抓包发现USER-AFENT
[recon-ng][sina.com] > show schema #显示数据库中的数据结构2、最常用命令use[recon-ng][sina.com] > use双击tab键 #显示模块,可用search 寻找模块
无Google API 使用recon/domains-hosts/google_site_web使用show options/info先看一下参数[recon-ng][sina.com][google_site_web] > show Shows various framework items Usage: show [companies|contacts|credentials|dashboard|domains|globals|hosts|info|inputs|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|schema|source|vulnerabilities] [recon-ng][sina.com][google_site_web] > show options Name Current Value Required Description ------ ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) [recon-ng][sina.com][google_site_web] > show info Name: Google Hostname Enumerator Path: modules/recon/domains-hosts/google_site_web.py Author: Tim Tomes (@LaNMaSteR53) Description: Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with the results. Options: Name Current Value Required Description ------ ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) Source Options: default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain <string> string representing a single input <path> path to a file containing a list of inputs query <sql> database query returning one column of inputs [recon-ng][sina.com][google_site_web] > show s schema source [recon-ng][sina.com][google_site_web] > show schema指定域
[recon-ng][sina.com][google_site_web] > set SOURCE <strong>sina.com</strong> SOURCE => sina.com运行:run #搜索部分结果会短暂sleep,防止被搜索引擎屏蔽没找到结果
query 使用数据库语句 select * from hosts#Select * from hosts where host like ‘%baidu.com%’ order by ip_address#select * from hosts where host like '%www%'
3、Brute force #暴力破解模块,如果搜不出来
[recon-ng][sina.com][bing_domain_web] > search brut
[*] Searching for 'brut'...
Exploitation
------------
exploitation/injection/xpath_bruter
Recon
-----
recon/domains-domains/brute_suffix
recon/domains-hosts/brute_hosts
[recon-ng][sina.com][bing_domain_web] > use recon/domains-hosts/brute_hosts
[recon-ng][sina.com][brute_hosts] > show options
Name Current Value Required Description
-------- ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)
WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist
[recon-ng][sina.com][brute_hosts] > set SOURCE sina.com
SOURCE => sina.com
[recon-ng][sina.com][brute_hosts] > run
<strong style="font-family: Arial, Helvetica, sans-serif; "></strong><pre name="code" class="plain" style="display: inline !important;">--------
4、解析IP地址(查询数据库)
</pre><pre name="code" class="plain">[recon-ng][sina.com][brute_hosts] > search res [*] Searching for 'res'... Discovery --------- discovery/info_disclosure/interesting_files Recon ----- recon/hosts-hosts/resolve recon/hosts-hosts/reverse_resolve recon/netblocks-hosts/reverse_resolve [recon-ng][sina.com][brute_hosts] > use recon/hosts-hosts/resolve [recon-ng][sina.com][resolve] > show options Name Current Value Required Description ------ ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) [recon-ng][sina.com][resolve] > show info Name: Hostname Resolver Path: modules/recon/hosts-hosts/resolve.py Author: Tim Tomes (@LaNMaSteR53) Description: Resolves the IP address for a host. Updates the 'hosts' table with the results. Options: Name Current Value Required Description ------ ------------- -------- ----------- SOURCE default yes source of input (see 'show info' for details) Source Options: default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL <string> string representing a single input <path> path to a file containing a list of inputs <span style="color:#ff0000;">query</span> <sql> database query returning one column of inputs Comments: * Note: Nameserver must be in IP form.#负载均衡,一个域名可能被解析为多个IP地址
[recon-ng][sina.com][resolve] > set SOURCE query select host from hosts where host like '%youku.com%'### SQL语句, SOURCE => query select host from hosts where host like '%youku.com%' [recon-ng][sina.com][resolve] > run
5、导出为报告模块
[recon-ng][sina.com][resolve] > search report [*] Searching for 'report'... Reporting --------- reporting/csv reporting/html reporting/json reporting/list reporting/pushpin reporting/xlsx reporting/xml [recon-ng][sina.com][resolve] > use reporting/html [recon-ng][sina.com][html] > show options Name Current Value Required Description -------- ------------- -------- ----------- CREATOR yes creator name for the report footer CUSTOMER yes customer name for the report header FILENAME /root/.recon-ng/workspaces/default/results.html yes path and filename for report output SANITIZE True yes mask sensitive data in the report [recon-ng][sina.com][html] > [recon-ng][sina.com][html] > set CREATOR ZiXuan CREATOR => ZiXuan [recon-ng][sina.com][html] > set CUSTOMER youku.com CUSTOMER => youku.com [recon-ng][sina.com][html] > set FILENAME /root/sina.html FILENAME => /root/sina.html [recon-ng][sina.com][html] > run [*] Report generated at '/root/sina.html'.
小白日记,未完待续……
