At DerbyCon and Hack3rCon this year, I gave talks that discussed ways of automating reconnaissance so that it doesn’t have to be something penetration testers neglect due to time constraints. During those talks, I mentioned the possibility of a framework, but only released a script which automated some of the techniques that were discussed. Well, since DerbyCon, I have been hard at work developing the aforementioned framework, and now I am happy to announce the release of the Recon-ng reconnaissance framework.
Recon-ng is a true framework whose interface is modeled after the very popular and powerful Metasploit Framework. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng was built to feel like the Metasploit Framework in order to reduce the learning curve for leveraging the framework. However, Recon-ng is quite different. First and foremost, Recon-ng is written completely in Python. Finally! A framework written in Python! Now, developers and penetration testers who prefer to work in Python have an open source framework to which they can contribute. Another difference is Recon-ng’s purpose. Recon-ng is not intended to compete with any existing framework, as it was designed exclusively for web-based reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!
Recon-ng is a completely modular framework. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done for you. Building modules is simple and takes little more than a few minutes. While tasks such as making web requests can be done manually from within a module, there are benefits to using the prebuilt interfaces and convenience functions. For example, there are global settings in the framework which allow the user to specify a custom User-Agent string or enable proxying of requests. These global settings are applied only to requests which use the prebuilt interface.
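The subclassing pattern described above, sketched as an added example; this is not Recon-ng's own code, and every class, method and option name in it is hypothetical. It shows why the global User-Agent and proxy settings reach only the requests a module builds through the shared interface.

```python
import cmd
import urllib.request


class BaseModule(cmd.Cmd):
    """Hypothetical base class: a cmd interpreter with shared helpers."""

    # Framework-wide settings shared by every module (constructed values).
    global_options = {"user-agent": "ExampleRecon/1.0", "proxy": None}
    prompt = "example > "

    def __init__(self):
        super().__init__()
        self.options = {}

    def do_set(self, line):
        """set <name> <value>: store a module option."""
        name, _, value = line.partition(" ")
        if name and value.strip():
            self.options[name.lower()] = value.strip()
        else:
            print("Usage: set <name> <value>")

    def build_request(self, url):
        """Prebuilt interface: apply the global User-Agent and proxy.
        Returns (request, opener); nothing is sent on the network."""
        req = urllib.request.Request(url)
        req.add_header("User-Agent", self.global_options["user-agent"])
        proxy = self.global_options["proxy"]
        proxies = {"http": proxy, "https": proxy} if proxy else {}
        handler = urllib.request.ProxyHandler(proxies)
        return req, urllib.request.build_opener(handler)


class ExampleHosts(BaseModule):
    """A module only adds its task-specific logic."""

    def target_url(self):
        return "http://%s/" % self.options.get("domain", "example.com")

    def do_run(self, line):
        req, _ = self.build_request(self.target_url())
        print("would fetch", req.full_url, "as", req.get_header("User-agent"))


def effective_settings(req, opener=None):
    """Return (User-Agent, proxy map) that a request actually carries."""
    proxies = {}
    for h in (opener.handlers if opener else []):
        if isinstance(h, urllib.request.ProxyHandler):
            proxies = dict(h.proxies)
    return req.get_header("User-agent"), proxies
```

A request object created directly with `urllib.request.Request` inside a module carries neither setting, which is the case the paragraph above describes.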
Recon-ng comes packaged with many modules and is well equipped to begin supporting your reconnaissance efforts immediately. Here is some information about the included modules, according to module type.
Auxiliary:
Auxiliary modules enhance the information that has already been stored in the database. The included modules look for known information leakage pages on hosts, conduct reverse lookups of hashed credentials, mangle names into usernames and email addresses, check whether or not an email address has been associated with a public credentials leak, and resolve hostnames to IP addresses.
Contacts:
Contacts modules harvest information about people that are associated with a given company and store it in the database. The included modules leverage LinkedIn and Jigsaw to harvest full names and job titles. The information gathered from the Contacts modules can be manipulated with the Auxiliary modules and used in conjunction with the Social Engineer Toolkit to produce devastating results. Recon-ng + SET, a match made in heaven.
Hosts:
Hosts modules harvest hosts that are associated with a given domain and store them in the database. The included modules leverage Baidu, Bing, Google, Shodan, and Yahoo search engines to enumerate internet aware hosts, and leverage DNS to brute guess hosts. The hosts gathered with the Hosts modules can assist penetration testers during the scoping process. They can also be used in conjunction with Auxiliary modules to identify known information leakage pages that contain active session IDs and authentication credentials.
Output:
Output modules create usable forms of the data stored in the database. The included modules provide the ability to create CSV and HTML reports. Whether you are looking to move data from Recon-ng to Excel, or create an appendix for a deliverable, we’ve got you covered.
Pwnedlist:
Recon-ng was not designed to deliver shell, but what if I told you that you could gain authenticated access to an environment without sending a packet to the target network or application? Pwnedlist modules leverage the Pwnedlist.com API to retrieve full credentials of “pwned” user accounts. The included modules retrieve single account credentials, credentials for all “pwned” accounts within a domain, or information about known leaks. Imagine having multiple sets of legitimate credentials for a VPN or web application prior to a penetration test even beginning. That’s power that simply cannot be denied.
So there you have it. The Recon-ng framework. The repository is located here and the Usage and Development Guides are located on the wiki here. Clone it, use it, love it, fork it, and contribute to it. I do not consider myself a “true” developer, but I love to code, so I gave it my best shot. I welcome any and all expertise in improving the project and making it more useful to the community. Enjoy!