Recon-ng is a full-featured web reconnaissance framework written in Python. With independent modules, database interactions, built-in feature functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and well. Recon-ng has the same look and feel as the Metasploit Framework, reducing the learning curve to take advantage of the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is specifically designed for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want a Social Engineer, we are the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng.
To start Recon-ng in Kali Linux in the terminal type.
To add workspace type
Command: workspaces add pen_test
To add domains about which you want to gather information type
Command: add domains comptia.org (here we are taking the example of CompTIA website)
To check whether the domain is added successfully type
Command: show domains
Now to check the modules available type
Command: show modules
A module is a specific task that recon-ng will execute based on the parameters you provide it. the Recon category has the most modules so far.
Command: search the domain for contact information.
Command: use recon/domains-contacts/whois_pocs
show options (it will show source option )
run (contacts & email addresses will be displayed)
Search account for evidence of compromise
Command: use recon/contacts-credentials/hibp_breach
This module search that has I been pawned ??HIBP database to see if a particular email account is known to have been affected by any major breaches in the last few years.
set source email address (enter the email address you found in the previous step to check whether I was compromised in last few years or not.)
Identify the organization’s social media presence
Command: use recon/profiles-profiles/profiler
set source comptia (here domain will be domain name without the top level domain suffix)
In the same way, you can use different modules to gather information about the organization like.
Identify organization mail based DNS Records
Command : recon/domains-hosts/brute_hosts
At last to generate a report of your findings type
Command: use reporting /html
set creator (your name)
set customer (clients name )
set filename /root/desktop/recon_report.html