1. 程式人生 > >資訊收集框架——recon-ng

資訊收集框架——recon-ng

 

 

背景:在滲透測試前期做攻擊面發現(資訊收集)時候往往需要用到很多工具,最後再將蒐集到的資訊彙總到一塊。

         現在有這樣一個現成的框架,裡面集成了許多資訊收集模組、資訊儲存資料庫、以及報告生成模組,為工程化資訊收集提供了可能。

         它就是recon-ng。recon-ng使用python編寫,其使用方式和metasploit十分相似

 

 

 

使用方法介紹:

1、新建工作區(建議一個滲透目標一個工作區,這樣能確保蒐集到的資訊都是針對一個目標的)

命令:Recon-ng -w 工作區名字  

例:

recon-ng -w cctv

# 通過上面的命令建立‘cctv’工作區後可以通過如下命令檢視工作區情況
[recon-ng][cctv] > show workspaces

  +------------+
  | Workspaces |
  +------------+
  | cctv       |
  | default    |
  +------------+

 

                     

2、設定搜尋引擎api

Keys list  ===>檢視現有搜尋引擎api

keys add shodan fdkasjkfljklasjkldffjalks  ===>設定shodan搜尋api

[recon-ng][cctv] > keys list

  +--------------------------+
  |       Name       | Value |
  +--------------------------+
  | bing_api         |       |
  | builtwith_api    |       |
  | censysio_id      |       |
  | censysio_secret  |       |
  | flickr_api       |       |
  | fullcontact_api  |       |
  | github_api       |       |
  | google_api       |       |
  | hashes_api       |       |
  | ipinfodb_api     |       |
  | ipstack_api      |       |
  | jigsaw_api       |       |
  | jigsaw_password  |       |
  | jigsaw_username  |       |
  | pwnedlist_api    |       |
  | pwnedlist_iv     |       |
  | pwnedlist_secret |       |
  | shodan_api       |       |
  | twitter_api      |       |
  | twitter_secret   |       |
  | virustotal_api   |       |
  +--------------------------+

[recon-ng][cctv] > keys add shodan_api fdkasjkfljklasjkldffjalks 

 

 

3、show options(檢視全域性設定)

[recon-ng][cctv] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

 建議設定代理,讓可以訪問google(不得不佩服google的搜尋能力)

  set PROXY 127.0.0.1:1087 

 

4、查詢包含哪些可用模組

通過use加tab鍵可以檢視有哪些可用模組

[recon-ng][cctv] > use 
discovery/info_disclosure/cache_snoop               recon/domains-companies/pen                         recon/domains-hosts/threatcrowd                     recon/netblocks-hosts/shodan_net
discovery/info_disclosure/interesting_files         recon/domains-contacts/metacrawler                  recon/domains-hosts/threatminer                     recon/netblocks-hosts/virustotal
exploitation/injection/command_injector             recon/domains-contacts/pen                          recon/domains-vulnerabilities/ghdb                  recon/netblocks-ports/census_2012
exploitation/injection/xpath_bruter                 recon/domains-contacts/pgp_search                   recon/domains-vulnerabilities/punkspider            recon/netblocks-ports/censysio
import/csv_file                                     recon/domains-contacts/whois_pocs                   recon/domains-vulnerabilities/xssed                 recon/ports-hosts/migrate_ports
import/list                                         recon/domains-credentials/pwnedlist/account_creds   recon/domains-vulnerabilities/xssposed              recon/profiles-contacts/dev_diver
recon/companies-contacts/bing_linkedin_cache        recon/domains-credentials/pwnedlist/api_usage       recon/hosts-domains/migrate_hosts                   recon/profiles-contacts/github_users
recon/companies-contacts/jigsaw/point_usage         recon/domains-credentials/pwnedlist/domain_creds    recon/hosts-hosts/bing_ip                           recon/profiles-profiles/namechk
recon/companies-contacts/jigsaw/purchase_contact    recon/domains-credentials/pwnedlist/domain_ispwned  recon/hosts-hosts/ipinfodb                          recon/profiles-profiles/profiler
recon/companies-contacts/jigsaw/search_contacts     recon/domains-credentials/pwnedlist/leak_lookup     recon/hosts-hosts/ipstack                           recon/profiles-profiles/twitter_mentioned
recon/companies-contacts/pen                        recon/domains-credentials/pwnedlist/leaks_dump      recon/hosts-hosts/resolve                           recon/profiles-profiles/twitter_mentions
recon/companies-domains/pen                         recon/domains-domains/brute_suffix                  recon/hosts-hosts/reverse_resolve                   recon/profiles-repositories/github_repos
recon/companies-multi/github_miner                  recon/domains-hosts/bing_domain_api                 recon/hosts-hosts/ssltools                          recon/repositories-profiles/github_commits
recon/companies-multi/whois_miner                   recon/domains-hosts/bing_domain_web                 recon/hosts-hosts/virustotal                        recon/repositories-vulnerabilities/gists_search
recon/contacts-contacts/mailtester                  recon/domains-hosts/brute_hosts                     recon/hosts-locations/migrate_hosts                 recon/repositories-vulnerabilities/github_dorks
recon/contacts-contacts/mangle                      recon/domains-hosts/builtwith                       recon/hosts-ports/shodan_ip                         reporting/csv
recon/contacts-contacts/unmangle                    recon/domains-hosts/certificate_transparency        recon/locations-locations/geocode                   reporting/html
recon/contacts-credentials/hibp_breach              recon/domains-hosts/findsubdomains                  recon/locations-locations/reverse_geocode           reporting/json
recon/contacts-credentials/hibp_paste               recon/domains-hosts/google_site_web                 recon/locations-pushpins/flickr                     reporting/list
recon/contacts-domains/migrate_contacts             recon/domains-hosts/hackertarget                    recon/locations-pushpins/shodan                     reporting/proxifier
recon/contacts-profiles/fullcontact                 recon/domains-hosts/mx_spf_ip                       recon/locations-pushpins/twitter                    reporting/pushpin
recon/credentials-credentials/adobe                 recon/domains-hosts/netcraft                        recon/locations-pushpins/youtube                    reporting/xlsx
recon/credentials-credentials/bozocrack             recon/domains-hosts/shodan_hostname                 recon/netblocks-companies/whois_orgs                reporting/xml
recon/credentials-credentials/hashes_org            recon/domains-hosts/ssl_san                         recon/netblocks-hosts/reverse_resolve               

 

 

也可以通過search命令來查詢相關模組

[recon-ng][cctv] > search google
[*] Searching for 'google'...

  Recon
  -----
    recon/domains-hosts/google_site_web

 

此時大家可能會有疑問,這麼多模組我怎麼知道哪個模組是幹什麼使的呢? 這個時候我們可以use相應模組後用show info看到關於該模組的詳細解釋

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show info

      Name: Google Hostname Enumerator
      Path: modules/recon/domains-hosts/google_site_web.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with
  the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  cctv.com       yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

 

此外recon-ng會將收集到的資訊自動存入資料庫,後面咱們可以將這些資料掏出來進行二次查詢。可以通過下面這個命令檢視資料庫有哪些表:

[recon-ng][cctv] > show schema

  +---------------+
  |    domains    |
  +---------------+
  | domain | TEXT |
  | module | TEXT |
  +---------------+


  +--------------------+
  |     companies      |
  +--------------------+
  | company     | TEXT |
  | description | TEXT |
  | module      | TEXT |
  +--------------------+


  +-----------------+
  |    netblocks    |
  +-----------------+
  | netblock | TEXT |
  | module   | TEXT |
  +-----------------+


  +-----------------------+
  |       locations       |
  +-----------------------+
  | latitude       | TEXT |
  | longitude      | TEXT |
  | street_address | TEXT |
  | module         | TEXT |
  +-----------------------+


  +---------------------+
  |   vulnerabilities   |
  +---------------------+
  | host         | TEXT |
  | reference    | TEXT |
  | example      | TEXT |
  | publish_date | TEXT |
  | category     | TEXT |
  | status       | TEXT |
  | module       | TEXT |
  +---------------------+


  +-------------------+
  |       ports       |
  +-------------------+
  | ip_address | TEXT |
  | host       | TEXT |
  | port       | TEXT |
  | protocol   | TEXT |
  | module     | TEXT |
  +-------------------+


  +-------------------+
  |       hosts       |
  +-------------------+
  | host       | TEXT |
  | ip_address | TEXT |
  | region     | TEXT |
  | country    | TEXT |
  | latitude   | TEXT |
  | longitude  | TEXT |
  | module     | TEXT |
  +-------------------+


  +--------------------+
  |      contacts      |
  +--------------------+
  | first_name  | TEXT |
  | middle_name | TEXT |
  | last_name   | TEXT |
  | email       | TEXT |
  | title       | TEXT |
  | region      | TEXT |
  | country     | TEXT |
  | module      | TEXT |
  +--------------------+


  +-----------------+
  |   credentials   |
  +-----------------+
  | username | TEXT |
  | password | TEXT |
  | hash     | TEXT |
  | type     | TEXT |
  | leak     | TEXT |
  | module   | TEXT |
  +-----------------+


  +-----------------------------+
  |            leaks            |
  +-----------------------------+
  | leak_id              | TEXT |
  | description          | TEXT |
  | source_refs          | TEXT |
  | leak_type            | TEXT |
  | title                | TEXT |
  | import_date          | TEXT |
  | leak_date            | TEXT |
  | attackers            | TEXT |
  | num_entries          | TEXT |
  | score                | TEXT |
  | num_domains_affected | TEXT |
  | attack_method        | TEXT |
  | target_industries    | TEXT |
  | password_hash        | TEXT |
  | password_type        | TEXT |
  | targets              | TEXT |
  | media_refs           | TEXT |
  | module               | TEXT |
  +-----------------------------+


  +---------------------+
  |       pushpins      |
  +---------------------+
  | source       | TEXT |
  | screen_name  | TEXT |
  | profile_name | TEXT |
  | profile_url  | TEXT |
  | media_url    | TEXT |
  | thumb_url    | TEXT |
  | message      | TEXT |
  | latitude     | TEXT |
  | longitude    | TEXT |
  | time         | TEXT |
  | module       | TEXT |
  +---------------------+


  +-----------------+
  |     profiles    |
  +-----------------+
  | username | TEXT |
  | resource | TEXT |
  | url      | TEXT |
  | category | TEXT |
  | notes    | TEXT |
  | module   | TEXT |
  +-----------------+


  +--------------------+
  |    repositories    |
  +--------------------+
  | name        | TEXT |
  | owner       | TEXT |
  | description | TEXT |
  | resource    | TEXT |
  | category    | TEXT |
  | url         | TEXT |
  | module      | TEXT |
  +--------------------+

 

5、使用方法舉例(拿搜尋子域名與對應ip的場景來舉例)

使用google搜尋來查詢目標有哪些子域名 

[recon-ng][cctv] > use recon/domains-hosts/google_site_web
[recon-ng][cctv][google_site_web] > show options   # 檢視需要填哪些資料

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][cctv][google_site_web] > set SOURCE cctv.com    # 設定目標域名
SOURCE => cctv.com
[recon-ng][cctv][google_site_web] > run  #開始執行

 

也可以使用暴力猜解的方式來獲取目標子域名:

[recon-ng][cctv] > use recon/domains-hosts/brute_hosts
[recon-ng][cctv][brute_hosts] > show options

  Name      Current Value                                                Required  Description
  --------  -------------                                                --------  -----------
  SOURCE    default                                                      yes       source of input (see 'show info' for details)
  WORDLIST  /usr/local/Cellar/recon-ng/4.9.6/libexec/data/hostnames.txt  yes       path to hostname wordlist            # 字典路徑

[recon-ng][cctv][brute_hosts] > set SOURCE cctv.com   # 設定目標域名
SOURCE => cctv.com
[recon-ng][cctv][brute_hosts] > run #開始執行

 

執行完畢後查詢到的資料將自動存入資料庫,我們可以通過'show hosts'或'query+sql語句'的方式來查詢,例:

[recon-ng][cctv] > show hosts

  +-----------------------------------------------------------------------------------------------------------+
  | rowid |           host           | ip_address | region | country | latitude | longitude |      module     |
  +-----------------------------------------------------------------------------------------------------------+
  | 1     |  tv.cctv.com             |            |        |         |          |           | google_site_web |
  | 2     |  www.cctv.com            |            |        |         |          |           | google_site_web |
  | 3     |  news.cctv.com           |            |        |         |          |           | google_site_web |
  +-----------------------------------------------------------------------------------------------------------+

[recon-ng][cctv] >query select * from hosts;
  +-----------------------------------------------------------------------------------------------------------+
  | rowid |           host           | ip_address | region | country | latitude | longitude |      module     |
  +-----------------------------------------------------------------------------------------------------------+
  | 1     |  tv.cctv.com             |            |        |         |          |           | google_site_web |
  | 2     |  www.cctv.com            |            |        |         |          |           | google_site_web |
  | 3     |  news.cctv.com           |            |        |         |          |           | google_site_web |
  +-----------------------------------------------------------------------------------------------------------+

# 為了保證隱私刪掉了大部分資料,只給3個做為舉例

 

資料庫裡已經有目標的子域名資訊,現在想基於資料庫裡資訊做進一步查詢可以嗎? 當然可以,我們以查詢域名對應的ip為例:

[recon-ng][cctv] > use recon/hosts-hosts/resolve
[recon-ng][cctv][resolve] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)  # 正常來說SOURCE後應該是跟一個域名資訊,比如'www.cctv.com'

[recon-ng][cctv][resolve] > set SOURCE query select host from hosts   # 這裡厲害了哦!我們要查的是一個表的內容,如果一個域名設定一次那還不累死了? recon-ng竟然支援將值設為一個sql語句! 這樣就可以批量查詢表內的資料了!
SOURCE => query select host from hosts
[recon-ng][cctv][resolve] > run

 

執行完成後我們可以看下現在資料庫裡的內容有什麼變化:

 [recon-ng][cctv][resolve] > show hosts
  +----------------------------------------------------------------------------------------------------------------+
  | rowid |           host           |    ip_address   | region | country | latitude | longitude |      module     |
  +----------------------------------------------------------------------------------------------------------------+
  | 1     | tv.cctv.com              | 123.125.195.125 |        |         |          |           | google_site_web |
  | 2     | www.cctv.com             | 114.112.172.231 |        |         |          |           | google_site_web |
  | 3     | news.cctv.com            | 111.206.186.245 |        |         |          |           | google_site_web |
  | 4     | tv.cctv.com              | 123.125.195.125 |        |         |          |           | resolve         |
  | 5     | www.cctv.com             | 114.112.172.231 |        |         |          |           | resolve         |
  | 6     | news.cctv.com            | 111.206.186.245 |        |         |          |           | resolve         |
  +----------------------------------------------------------------------------------------------------------------+
# 可以看到已經把查詢到的ip地址填入表內了

 

就拿我們現在查詢到的資料來舉例說明一下該怎麼匯出報表

[recon-ng][cctv] > search report   # 查下看有哪些報表相關模組
[*] Searching for 'report'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][cctv] > use reporting/html   # 匯出成html檔案
[recon-ng][cctv][html] > show options

  Name      Current Value                                        Required  Description
  --------  -------------                                        --------  -----------
  CREATOR                                                        yes       creator name for the report footer
  CUSTOMER                                                       yes       customer name for the report header
  FILENAME  /Users/liwei/.recon-ng/workspaces/cctv/results.html  yes       path and filename for report output   # 報表匯出路徑
  SANITIZE  True                                                 yes       mask sensitive data in the report

[recon-ng][cctv][html] > set CREATOR liwei  # 填寫報告作者
CREATOR => liwei
[recon-ng][cctv][html] > set CUSTOMER cctv  # 填寫使用者單位名稱
CUSTOMER => cctv
[recon-ng][cctv][html] > run
[*] Report generated at '/Users/liwei/.recon-ng/workspaces/cctv/results.html'.    # 匯出成功
[recon-ng][cctv][html] > 

 

最終報表長這樣:

 

          

&n