Recon NG Guide

Recon-ng
Reference
Automate your
Intelligence Collection
Recon-ng Reference
Automate your Intelligence Collection
A Guide by Striker Security

https://strikersecurity.com
Last updated 09/22/2016
1
Recon-ng is an incredible tool for automating OSINT collection, but
its power comes with complexity. Modules offer their own capabilities
and options, and knowing what they all do takes many long hours
of practice. This reference book helps you navigate the power at
your fingertips without endlessly guessing at what modules do and
constantly typing “show info.” The module descriptions below are all
extracted directly from recon-ng’s source code, so you know they’re
straight from the source.
If you don’t know how to use Recon-ng, or want a refresher, check

out Striker Security’s tutorial at:
https://strikersecurity.com/blog/getting-started-recon-ng-tutorial/.
You can also take a look at recon-ng itself here:

https://bitbucket.org/LaNMaSteR53/recon-ng
As always, you can get in touch with me directly with an email to

[email protected] with any questions or comments. I always
love hearing what you want to see next.
Happy hunting!
Dakota
2
Contents
Discovery 7
DNS Cache Snooper . . . . . . . . . . . . . . . . . . . . . . . . . 7
Interesting File Finder . . . . . . . . . . . . . . . . . . . . . . . . 7
Exploitation 8
Xpath Injection Brute Forcer . . . . . . . . . . . . . . . . . . . . 8
Remote Command Injection Shell Interface . . . . . . . . . . . . 8
Recon 9
DNS Public Suffix Brute Forcer . . . . . . . . . . . . . . . . . . . 9
Ports to Hosts Data Migrator . . . . . . . . . . . . . . . . . . . . 9
Hosts to Domains Data Migrator . . . . . . . . . . . . . . . . . . 9
LinkedIn Authenticated Contact Enumerator . . . . . . . . . . . 9
Bing Cache Linkedin Profile and Contact Harvester . . . . . . . . 9
Indeed Resume Crawl . . . . . . . . . . . . . . . . . . . . . . . . 10
Jigsaw - Single Contact Retriever . . . . . . . . . . . . . . . . . . 10
Jigsaw - Point Usage Statistics Fetcher . . . . . . . . . . . . . . . 10
Jigsaw Contact Enumerator . . . . . . . . . . . . . . . . . . . . . 11
Twitter Handles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
OSINT HUMINT Profile Collector . . . . . . . . . . . . . . . . . 11
NameChk.com Username Validator . . . . . . . . . . . . . . . . . 11
Hashes.org Hash Lookup . . . . . . . . . . . . . . . . . . . . . . . 11
PyBozoCrack Hash Lookup . . . . . . . . . . . . . . . . . . . . . 12
Adobe Hash Cracker . . . . . . . . . . . . . . . . . . . . . . . . . 12
Shodan IP Enumerator . . . . . . . . . . . . . . . . . . . . . . . . 12
Contact Name Mangler . . . . . . . . . . . . . . . . . . . . . . . 12
Contact Name Unmangler . . . . . . . . . . . . . . . . . . . . . . 13
MailTester Email Validator . . . . . . . . . . . . . . . . . . . . . 13
Github Code Enumerator . . . . . . . . . . . . . . . . . . . . . . 13
Meta Data Extractor . . . . . . . . . . . . . . . . . . . . . . . . . 13
3
Whois POC Harvester . . . . . . . . . . . . . . . . . . . . . . . . 14
PGP Key Owner Lookup . . . . . . . . . . . . . . . . . . . . . . 14
Reverse Geocoder . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Address Geocoder . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Github Profile Harvester . . . . . . . . . . . . . . . . . . . . . . . 14
Dev Diver Repository Activity Examiner . . . . . . . . . . . . . . 15
IPInfoDB GeoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Hostname Resolver . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Bing API IP Neighbor Enumerator . . . . . . . . . . . . . . . . . 15
Reverse Resolver . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
FreeGeoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
SSLTools.com Host Name Lookups . . . . . . . . . . . . . . . . . 16
Flickr Geolocation Search . . . . . . . . . . . . . . . . . . . . . . 16
Instagram Geolocation Search . . . . . . . . . . . . . . . . . . . . 16
Twitter Geolocation Search . . . . . . . . . . . . . . . . . . . . . 17
Shodan Geolocation Search . . . . . . . . . . . . . . . . . . . . . 17
Picasa Geolocation Search . . . . . . . . . . . . . . . . . . . . . . 17
YouTube Geolocation Search . . . . . . . . . . . . . . . . . . . . 17
Reverse Resolver . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Shodan Network Enumerator . . . . . . . . . . . . . . . . . . . . 18
PwnedList - Account Credentials Fetcher . . . . . . . . . . . . . 18
PwnedList - Leak Details Fetcher . . . . . . . . . . . . . . . . . . 18
PwnedList - Pwned Domain Credentials Fetcher . . . . . . . . . 18
PwnedList - Leak Details Retriever . . . . . . . . . . . . . . . . . 19
PwnedList - Pwned Domain Statistics Fetcher . . . . . . . . . . . 19
PwnedList - API Usage Statistics Fetcher . . . . . . . . . . . . . 19
Whois Company Harvester . . . . . . . . . . . . . . . . . . . . . 19
FullContact Contact Enumerator . . . . . . . . . . . . . . . . . . 19
Bing Hostname Enumerator . . . . . . . . . . . . . . . . . . . . . 20
Shodan Hostname Enumerator . . . . . . . . . . . . . . . . . . . 20
BuiltWith Enumerator . . . . . . . . . . . . . . . . . . . . . . . . 20
4
HackerTarget Lookup . . . . . . . . . . . . . . . . . . . . . . . . 20
Bing API Hostname Enumerator . . . . . . . . . . . . . . . . . . 21
Netcraft Hostname Enumerator . . . . . . . . . . . . . . . . . . . 21
DNS Hostname Brute Forcer . . . . . . . . . . . . . . . . . . . . 21
ThreatCrowd DNS lookup . . . . . . . . . . . . . . . . . . . . . . 21
VPNHunter Lookup . . . . . . . . . . . . . . . . . . . . . . . . . 21
Google CSE Hostname Enumerator . . . . . . . . . . . . . . . . . 22
Google Hostname Enumerator . . . . . . . . . . . . . . . . . . . . 22
SSL SAN Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
PunkSPIDER Vulnerabilty Finder . . . . . . . . . . . . . . . . . 22
Google Hacking Database . . . . . . . . . . . . . . . . . . . . . . 22
XSSed Domain Lookup . . . . . . . . . . . . . . . . . . . . . . . 23
XSSposed Domain Lookup . . . . . . . . . . . . . . . . . . . . . . 23
Have I been pwned? Breach Search . . . . . . . . . . . . . . . . . 23
Have I been pwned? Paste Search . . . . . . . . . . . . . . . . . . 23
Whois Data Miner . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Github Resource Miner . . . . . . . . . . . . . . . . . . . . . . . 24
Internet Census 2012 Lookup . . . . . . . . . . . . . . . . . . . . 24
censys.io port lookup by netblock . . . . . . . . . . . . . . . . . . 24
Hosts to Locations Data Migrator . . . . . . . . . . . . . . . . . 24
Github Gist Searcher . . . . . . . . . . . . . . . . . . . . . . . . . 25
Github Dork Analyzer . . . . . . . . . . . . . . . . . . . . . . . . 25
Github Commit Searcher . . . . . . . . . . . . . . . . . . . . . . 25
Contacts to Domains Data Migrator . . . . . . . . . . . . . . . . 25
Reporting 26
XML Report Generator . . . . . . . . . . . . . . . . . . . . . . . 26
HTML Report Generator . . . . . . . . . . . . . . . . . . . . . . 26
PushPin Report Generator . . . . . . . . . . . . . . . . . . . . . 26
List Creator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
JSON Report Generator . . . . . . . . . . . . . . . . . . . . . . . 26
CSV File Creator . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
XLSX File Creator . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5
Import 28
Advanced CSV File Importer . . . . . . . . . . . . . . . . . . . . 28
List File Importer . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6
Discovery
DNS Cache Snooper
Module name: cache_snoop

Categories: discovery, info_disclosure
Author(s): thrapt ([email protected])
Uses the DNS cache snooping technique to check for visited domains
Interesting File Finder
Module name: interesting_files

Categories: discovery, info_disclosure
Author(s): Tim Tomes (@LaNMaSteR53), thrapt ([email protected]), Jay Turla
(@shipcod3), and Mark Jeffery
Checks hosts for interesting files in predictable locations.
7
Exploitation
Xpath Injection Brute Forcer
Module name: xpath_bruter

Categories: exploitation, injection
Author(s): Tim Tomes (@LaNMaSteR53)
Exploits XPath injection flaws to enumerate the contents of serverside XML

documents.
Remote Command Injection Shell Interface
Module name: command_injector

Categories: exploitation, injection
Provides a shell interface for remote command injection flaws in web applications.
8
Recon
DNS Public Suffix Brute Forcer
Module name: brute_suffix

Categories: recon, domains-domains
Author(s): Marcus Watson (@BranMacMuffin)
Brute forces TLDs and SLDs using DNS. Updates the ‘domains’ table with the
results.
Ports to Hosts Data Migrator
Module name: migrate_ports

Categories: recon, ports-hosts
Adds a new host for all the hostnames stored in the ‘ports’ table.
Hosts to Domains Data Migrator
Module name: migrate_hosts

Categories: recon, hosts-domains
Adds a new domain for all the hostnames stored in the ‘hosts’ table.
LinkedIn Authenticated Contact Enumerator
Module name: linkedin_auth

Categories: recon, companies-contacts
Harvests contacts from the LinkedIn.com API using an authenticated connections

network. Updates the ‘contacts’ table with the results.
Bing Cache Linkedin Profile and Contact Harvester
Module name: bing_linkedin_cache

9
Author(s): Joe Black (@MyChickenNinja) and @fullmetalcache
Harvests profiles from LinkedIn by querying the Bing API cache for LinkedIn
pages related to the given companies, and adds them to the ‘profiles’ table.
The module will then parse the resulting information to extract the user’s full
name and job title (title parsing is a bit spotty currently). The user’s full name
and title are then added to the ‘contacts’ table. This module does not access
LinkedIn at any time.
Indeed Resume Crawl
Module name: indeed

Author(s): Tyler Rosonke ([email protected])
Crawls Indeed.com for contacts and resumes. Adds name, title, and location
to the contacts table and a link to the resume in the profiles table. Can only
harvest the first 1,000 results. Result set changes, so running the same crawl
mutiple times can produce new contacts. If the PAST_EMPS option is set to
true, the module will crawl both current and past employees. Given a keyword,
the module will only harvest contacts whose resumes contain the keyword. (e.g.
Linux Admin)
Jigsaw - Single Contact Retriever
Module name: purchase_contact

Categories: recon, companies-contacts, jigsaw
Retrieves a single complete contact from the Jigsaw.com API using points from
the given account.
Jigsaw - Point Usage Statistics Fetcher
Module name: point_usage

Queries the Jigsaw API for the point usage statistics of the given account.
10
Jigsaw Contact Enumerator
Module name: search_contacts

Harvests contacts from the Jigsaw.com API. Updates the ‘contacts’ table with
the results.
Twitter Handles
Module name: twitter

Categories: recon, profiles-profiles
Author(s): Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
Searches Twitter for users that mentioned, or were mentioned by, the given
handle.
OSINT HUMINT Profile Collector
Module name: profiler

Author(s): Micah Hoffman (@WebBreacher)
Takes each username from the profiles table and searches a variety of web
sites for those users. The list of valid sites comes from the parent project at
https://github.com/WebBreacher/WhatsMyName
NameChk.com Username Validator
Module name: namechk

Author(s): Tim Tomes (@LaNMaSteR53) and thrapt ([email protected])
Leverages NameChk.com to validate the existance of usernames on specific web

sites and updates the ‘profiles’ table with the results.
Hashes.org Hash Lookup
Module name: hashes_org

Categories: recon, credentials-credentials
11
Author(s): Tim Tomes (@LaNMaSteR53) and Mike Lisi (@MikeCodesThings)
Uses the Hashes.org API to perform a reverse hash lookup. Updates the ‘cre-
dentials’ table with the positive results.
PyBozoCrack Hash Lookup
Module name: bozocrack

Searches Google for the value of a hash and tests for a match by hashing every
word in the resulting page using all hashing algorithms supported by the ‘hashlib’
library. Updates the ‘credentials’ table with the positive results.
Adobe Hash Cracker
Module name: adobe

Author(s): Ethan Robish (@EthanRobish) and Tim Tomes (@LaNMaSteR53)
Decrypts hashes leaked from the 2013 Adobe breach. First, the module cross
references the leak ID to identify Adobe hashes in the ‘password’ column of
the ‘creds’ table, moves the Adobe hashes to the ‘hash’ column, and changes
the ‘type’ to ‘Adobe’. Second, the module attempts to crack the hashes by
comparing the ciphertext’s decoded cipher blocks to a local block lookup table
(BLOCK_DB) of known cipher block values. Finally, the module updates the
‘creds’ table with the results based on the level of success.
Shodan IP Enumerator
Module name: shodan_ip

Categories: recon, hosts-ports
Author(s): Tim Tomes (@LaNMaSteR53) and Matt Pluckett (@t3lc0)
Harvests port information from the Shodan API by using the ‘ip’ search operator.
Updates the ‘ports’ table with the results.
Contact Name Mangler
Module name: mangle

Categories: recon, contacts-contacts
12
Applies a mangle pattern to all of the contacts stored in the database, creating
email addresses or usernames for each harvested contact. Updates the ‘contacts’
table with the results.
Contact Name Unmangler
Module name: unmangle

Author(s): Ethan Robish (@EthanRobish)
Applies a regex or unmangle pattern to all of the contacts stored in the database,
pulling out the individual name components. Updates the ‘contacts’ table with
the results.
MailTester Email Validator
Module name: mailtester

Leverages MailTester.com to validate email addresses.
Github Code Enumerator
Module name: github_repos

Categories: recon, profiles-repositories
Uses the Github API to enumerate repositories and gists owned by a Github
user. Updates the ‘repositories’ table with the results.
Meta Data Extractor
Module name: metacrawler

Categories: recon, domains-contacts
Searches for files associated with the provided domain(s) and extracts any contact
related metadata.
13
Whois POC Harvester
Module name: whois_pocs

Uses the ARIN Whois RWS to harvest POC data from whois queries for the
given domain. Updates the ‘contacts’ table with the results.
PGP Key Owner Lookup
Module name: pgp_search

Author(s): Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
Searches the MIT public PGP key server for email addresses of the given domain.
Updates the ‘contacts’ table with the results.
Reverse Geocoder
Module name: reverse_geocode

Categories: recon, locations-locations
Author(s): Quentin Kaiser ([email protected])
Queries the Google Maps API to obtain an address from coordinates.
Address Geocoder
Module name: geocode

Categories: recon, locations-locations
Author(s): Quentin Kaiser ([email protected])
Queries the Google Maps API to obtain coordinates for an address. Updates
the ‘locations’ table with the results.
Github Profile Harvester
Module name: github_users

Categories: recon, profiles-contacts
14
Uses the Github API to gather user info from harvested profiles. Updates the
‘contacts’ table with the results.
Dev Diver Repository Activity Examiner
Module name: dev_diver

Categories: recon, profiles-contacts
Searches public code repositories for information about a given username.
IPInfoDB GeoIP
Module name: ipinfodb

Categories: recon, hosts-hosts
Leverages the ipinfodb.com API to geolocate a host by IP address. Updates the

‘hosts’ table with the results.
Hostname Resolver
Module name: resolve

Resolves the IP address for a host. Updates the ‘hosts’ table with the results.
Bing API IP Neighbor Enumerator
Module name: bing_ip

Leverages the Bing API and “ip:” advanced search operator to enumerate other
virtual hosts sharing the same IP address. Updates the ‘hosts’ table with the
results.
15
Reverse Resolver
Module name: reverse_resolve

Author(s): John Babio (@3vi1john), @vulp1n3, and Tim Tomes (@LaNMaS-
teR53)
Conducts a reverse lookup for each IP address to resolve the hostname. Updates
the ‘hosts’ table with the results.
FreeGeoIP
Module name: freegeoip

Author(s): Gerrit Helm (G) and Tim Tomes (@LaNMaSteR53)
Leverages the freegeoip.net API to geolocate a host by IP address. Updates the

SSLTools.com Host Name Lookups
Module name: ssltools

Author(s): Tim Maletic (borrowing from the ssl_san module by Zach Graces)
Uses the ssltools.com site to obtain host names from a site’s SSL certificate
metadata to update the ‘hosts’ table. Security issues with the certificate trust
are pushed to the ‘vulnerabilities’ table.
Flickr Geolocation Search
Module name: flickr

Categories: recon, locations-pushpins
Searches Flickr for media in the specified proximity to a location.
Instagram Geolocation Search
Module name: instagram

16
Author(s): Nathan Malcolm (@SintheticLabs) and Tim Tomes (@LaNMaSteR53)
Searches Instagram for media in the specified proximity to a location.
Twitter Geolocation Search
Module name: twitter

Searches Twitter for media in the specified proximity to a location.
Shodan Geolocation Search
Module name: shodan

Searches Shodan for media in the specified proximity to a location.
Picasa Geolocation Search
Module name: picasa

Searches Picasa for media in the specified proximity to a location.
YouTube Geolocation Search
Module name: youtube

Searches the YouTube API for media in the specified proximity to a location.
Reverse Resolver
Module name: reverse_resolve

Categories: recon, netblocks-hosts
17
Author(s): John Babio (@3vi1john)
Conducts a reverse lookup for each of a netblock’s IP addresses to resolve the

hostname. Updates the ‘hosts’ table with the results.
Shodan Network Enumerator
Module name: shodan_net

Categories: recon, netblocks-hosts
Author(s): Mike Siegel and Tim Tomes (@LaNMaSteR53)
Harvests hosts from the Shodan API by using the ‘net’ search operator. Updates
PwnedList - Account Credentials Fetcher
Module name: account_creds

Categories: recon, domains-credentials, pwnedlist
Queries the PwnedList API for credentials associated with the given usernames.
Updates the ‘credentials’ table with the results.
PwnedList - Leak Details Fetcher
Module name: leak_lookup

Queries the local database for information associated with a leak ID. The
‘leaks_dump’ module must be used to populate the local database before this
module will execute successfully.
PwnedList - Pwned Domain Credentials Fetcher
Module name: domain_creds

Queries the PwnedList API to fetch all credentials for a domain. Updates the
‘credentials’ table with the results.
18
PwnedList - Leak Details Retriever
Module name: leaks_dump

Queries the PwnedList API for information associated with all known leaks.
Updates the ‘leaks’ table with the results.
PwnedList - Pwned Domain Statistics Fetcher
Module name: domain_ispwned

Queries the PwnedList API for a domain to determine if any associated credentials
have been compromised. This module does NOT return any credentials, only a
total number of compromised credentials.
PwnedList - API Usage Statistics Fetcher
Module name: api_usage

Queries the PwnedList API for account usage statistics.
Whois Company Harvester
Module name: whois_orgs

Categories: recon, netblocks-companies
Uses the ARIN Whois RWS to harvest Companies data from whois queries for
the given netblock. Updates the ‘companies’ table with the results.
FullContact Contact Enumerator
Module name: fullcontact

Categories: recon, contacts-profiles
Author(s): Quentin Kaiser (@qkaiser, contact[at]quentinkaiser.be) and Tim
19
Tomes (@LaNMaSteR53)
Harvests contact information and profiles from the fullcontact.com API using
email addresses as input. Updates the ‘contacts’ and ‘profiles’ tables with the
results.
Bing Hostname Enumerator
Module name: bing_domain_web

Categories: recon, domains-hosts
Harvests hosts from Bing.com by using the ‘site’ search operator. Updates the
Shodan Hostname Enumerator
Module name: shodan_hostname

Harvests hosts from the Shodan API by using the ‘hostname’ search operator.
Updates the ‘hosts’ table with the results.
BuiltWith Enumerator
Module name: builtwith

Leverages the BuiltWith API to identify hosts, technologies, and contacts asso-
ciated with a domain.
HackerTarget Lookup
Module name: hackertarget

Author(s): Michael Henriksen (@michenriksen)
Uses the HackerTarget.com API to find host names. Updates the ‘hosts’ table
with the results.
20
Bing API Hostname Enumerator
Module name: bing_domain_api

Author(s): Marcus Watson (@BranMacMuffin)
Leverages the Bing API and “domain:” advanced search operator to harvest
hosts. Updates the ‘hosts’ table with the results.
Netcraft Hostname Enumerator
Module name: netcraft

Author(s): thrapt ([email protected])
Harvests hosts from Netcraft.com. Updates the ‘hosts’ table with the results.
DNS Hostname Brute Forcer
Module name: brute_hosts

Brute forces host names using DNS. Updates the ‘hosts’ table with the results.
ThreatCrowd DNS lookup
Module name: threatcrowd

Author(s): mike2dot0
Leverages the ThreatCrowd passive DNS API to discover hosts/subdomains.
VPNHunter Lookup
Module name: vpnhunter

Author(s): Quentin Kaiser (contact[at]quentinkaiser.be)
Checks vpnhunter.com for SSL VPNs, remote accesses, email portals and generic
login sites. Updates the ‘hosts’ table with the results.
21
Google CSE Hostname Enumerator
Module name: google_site_api

Leverages the Google Custom Search Engine API to harvest hosts using the
‘site’ search operator. Updates the ‘hosts’ table with the results.
Google Hostname Enumerator
Module name: google_site_web

Harvests hosts from Google.com by using the ‘site’ search operator. Updates
SSL SAN Lookup
Module name: ssl_san

Author(s): Zach Grace (@ztgrace) [email protected]
Uses the ssltools.com site to obtain the Subject Alternative Names for a domain.
Updates the ‘hosts’ table with the results.
PunkSPIDER Vulnerabilty Finder
Module name: punkspider

Categories: recon, domains-vulnerabilities
Author(s): Tim Tomes (@LaNMaSteR53) and thrapt ([email protected])
Leverages the PunkSPIDER API to search for previosuly discovered vulnerabltiies

on hosts within a domain.
Google Hacking Database
Module name: ghdb

22
Searches for possible vulnerabilites in a domain by leveraging the Google Hacking

Database (GHDB) and the ‘site’ search operator. Updates the ‘vulnerabilities’
XSSed Domain Lookup
Module name: xssed

Checks XSSed.com for XSS records associated with a domain and displays the
first 20 results.
XSSposed Domain Lookup
Module name: xssposed

Checks XSSposed.com for XSS records associated with a domain.
Have I been pwned? Breach Search
Module name: hibp_breach

Categories: recon, contacts-credentials
Author(s): Tim Tomes (@LaNMaSteR53) & Tyler Halfpop (@tylerhalfpop)
Leverages the haveibeenpwned.com API to determine if email addresses are

associated with breached credentials. Adds compromised email addresses to the
‘credentials’ table.
Have I been pwned? Paste Search
Module name: hibp_paste

Categories: recon, contacts-credentials
Leverages the haveibeenpwned.com API to determine if email addresses have

been published to various paste sites. Adds compromised email addresses to the
‘credentials’ table.
23
Whois Data Miner
Module name: whois_miner

Categories: recon, companies-multi
Uses the ARIN Whois RWS to harvest companies, locations, netblocks, and
contacts associated with the given company search string. Updates the respective
tables with the results.
Github Resource Miner
Module name: github_miner

Categories: recon, companies-multi
Uses the Github API to enumerate repositories and member profiles associated
with a company search string. Updates the respective tables with the results.
Internet Census 2012 Lookup
Module name: census_2012

Categories: recon, netblocks-ports
Queries the Internet Census 2012 data through Exfiltrated.com to enumerate

open ports for a netblock.
censys.io port lookup by netblock
Module name: censysio

Categories: recon, netblocks-ports
Author(s): John Askew (https://bitbucket.org/skew)
Queries censys.io to enumerate open ports for a netblock.
Hosts to Locations Data Migrator
Module name: migrate_hosts

Categories: recon, hosts-locations
24
Adds a new location for all the locations stored in the ‘hosts’ table.
Github Gist Searcher
Module name: gists_search

Categories: recon, repositories-vulnerabilities
Uses the Github API to download and search Gists for possible information
disclosures. Updates the ‘vulnerabilities’ table with the results.
Github Dork Analyzer
Module name: github_dorks

Categories: recon, repositories-vulnerabilities
Uses the Github API to search for possible vulnerabilites in source code by lever-
aging Github Dorks and the ‘repo’ search operator. Updates the ‘vulnerabilities’
Github Commit Searcher
Module name: github_commits

Categories: recon, repositories-profiles
Author(s): Michael Henriksen (@michenriksen)
Uses the Github API to gather user profiles from repository commits. Updates
the ‘profiles’ table with the results.
Contacts to Domains Data Migrator
Module name: migrate_contacts

Categories: recon, contacts-domains
Adds a new domain for all the hostnames associated with email addresses stored
in the ‘contacts’ table.
25
Reporting
XML Report Generator
Module name: xml

Categories: reporting
Author(s): Eric Humphries (@e2fsck) and Tim Tomes (@LaNMaSteR53)
Creates a XML report.
HTML Report Generator
Module name: html

Creates a HTML report.
PushPin Report Generator
Module name: pushpin

Creates HTML media and map reports for all of the PushPins stored in the
database.
List Creator
Module name: list

Creates a file containing a list of records from the database.
JSON Report Generator
Module name: json

Author(s): Paul (@PaulWebSec)
26
Creates a JSON report.
CSV File Creator
Module name: csv

Creates a CSV file containing the specified harvested data.
XLSX File Creator
Module name: xlsx

Creates an Excel compatible XLSX file containing the entire data set.
27
Import
Advanced CSV File Importer
Module name: csv_file

Categories: import
Author(s): Ethan Robish (@EthanRobish)
Imports values from a CSV file into a database table.
List File Importer
Module name: list

Categories: import
Imports values from a list file into a database table and column.
28

Recon NG Guide

Uploaded by

Copyright:

Available Formats

Recon NG Guide

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Recon NG Guide

Uploaded by

Copyright:

Available Formats

What is Recon-ng used for?

What is Recon-ng used for?

What are some of the modules described in the document?

What are some of the modules described in the document?

Recon-ng

A Guide by Striker Security

Last updated 09/22/2016

If you don’t know how to use Recon-ng, or want a refresher, check

You can also take a look at recon-ng itself here:

As always, you can get in touch with me directly with an email to

Module name: cache_snoop

Interesting File Finder

Module name: interesting_files

Checks hosts for interesting files in predictable locations.

Module name: xpath_bruter

Exploits XPath injection flaws to enumerate the contents of serverside XML

Remote Command Injection Shell Interface

Module name: command_injector

Module name: brute_suffix

Ports to Hosts Data Migrator

Module name: migrate_ports

Hosts to Domains Data Migrator

Module name: migrate_hosts

LinkedIn Authenticated Contact Enumerator

Module name: linkedin_auth

Harvests contacts from the LinkedIn.com API using an authenticated connections

Bing Cache Linkedin Profile and Contact Harvester

Module name: bing_linkedin_cache

Indeed Resume Crawl

Module name: indeed

Jigsaw - Single Contact Retriever

Module name: purchase_contact

Jigsaw - Point Usage Statistics Fetcher

Module name: point_usage

Module name: search_contacts

Module name: twitter

OSINT HUMINT Profile Collector

Module name: profiler

NameChk.com Username Validator

Module name: namechk

Leverages NameChk.com to validate the existance of usernames on specific web

Hashes.org Hash Lookup

Module name: hashes_org

PyBozoCrack Hash Lookup

Module name: bozocrack

Adobe Hash Cracker

Module name: adobe

Module name: shodan_ip

Contact Name Mangler

Module name: mangle

Contact Name Unmangler

Module name: unmangle

MailTester Email Validator

Module name: mailtester

Leverages MailTester.com to validate email addresses.

Github Code Enumerator

Module name: github_repos

Meta Data Extractor