Recon-Ng is a great tool for automating your recon workflow and is one of the must-have tools for bug bounties.
This tutorial shows how to use Recon-Ng.
Installation —
The commands to install it are:
git clone https://github.com/lanmaster53/recon-ng
cd recon-ng
pip install -r REQUIREMENTS
./recon-ng
Recon-ng now starts.
The next step is to install all the modules. Use the command below:
marketplace install all
You can add the API keys for some modules, such as Censys and Shodan, to make use of all the modules in recon-ng.
Now let's start recon on a target.
Step 1: Create a new workspace for your bug bounty target
workspaces create hackerone
Step 2: Add domains to the workspace
[recon-ng][hackerone] > db insert domains
domain (TEXT): hackerone.com
Step 3: There are several modules in recon-ng that can enumerate subdomains (Builtwith, Censys, hackertarget, netcraft, threatcrowd, threatminer, certificate transparency, etc.). You can run them one after the other. Try to use as many of these modules as you can so that you collect the maximum number of subdomains.
[recon-ng][hackerone] > modules load recon/domains-hosts/builtwith
[recon-ng][hackerone][builtwith] > run
[recon-ng][hackerone][builtwith] > modules load recon/domains-hosts/certificate_transparency
[recon-ng][hackerone][certificate_transparency] > run
[recon-ng][hackerone][certificate_transparency] > modules load recon/domains-hosts/brute_hosts
[recon-ng][hackerone][brute_hosts] > run
Like the examples above, run the other modules in recon/domains-hosts to get more subdomains.
Step 3: Get the IP addresses for the subdomains. This can be done by running the resolve and reverse_resolve modules in recon/hosts-hosts.
Run the commands below to get the IP addresses:
[recon-ng][hackerone][brute_hosts] > modules load recon/hosts-hosts/resolve
[recon-ng][hackerone][resolve] > run
[recon-ng][hackerone][resolve] > modules load recon/hosts-hosts/reverse_resolve
[recon-ng][hackerone][reverse_resolve] > run
Step 4: Enter the command below to see all the hosts and IP addresses collected till now:
[recon-ng][hackerone][reverse_resolve] > show hosts
Step 5: You will need the results in txt files for further processing. This can be done using the modules in reporting.
Use the commands below to export the subdomains and IP addresses.
Export IP addresses to a list:
[recon-ng][hackerone][reverse_resolve] > modules load reporting/list
[recon-ng][hackerone][list] > options set FILENAME /home/kali/hackerone.txt
[recon-ng][hackerone][list] > options set COLUMN ip_address
[recon-ng][hackerone][list] > run
Export subdomains to a list:
[recon-ng][hackerone][list] > options set COLUMN host
[recon-ng][hackerone][list] > options set FILENAME /home/jowin/pentest/hackerone.txt
[recon-ng][hackerone][list] > run
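As an alternative to running reporting/list twice (Steps 4 and 5), the hosts table can be read straight out of the workspace database, which also lets you see which hosts never got an IP address (a COLUMN ip_address export simply leaves those out) and how many rows each enumeration module contributed. This is an added example, not recon-ng's own code or part of the tutorial; it assumes the recon-ng v5 layout ~/.recon-ng/workspaces/<name>/data.db and a hosts table with at least the columns host, ip_address and module, and make_sample_db builds constructed rows so it can run without a real workspace.

```python
# Added example, not recon-ng's own code. Assumes the recon-ng v5 workspace
# layout ~/.recon-ng/workspaces/<name>/data.db and a `hosts` table with at
# least the columns host, ip_address and module.
import os
import sqlite3
from collections import Counter


def collect_hosts(db_path):
    """Return (hosts, ips, unresolved, per_module) from the hosts table.

    unresolved: hosts that resolve/reverse_resolve never gave an address,
    which an `options set COLUMN ip_address` export silently leaves out."""
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT host, ip_address, module FROM hosts WHERE host IS NOT NULL"
    ).fetchall()
    con.close()
    hosts = sorted({h.lower() for h, _, _ in rows})          # case-folded, unique
    ips = sorted({ip for _, ip, _ in rows if ip})             # drop NULL addresses
    resolved = {h.lower() for h, ip, _ in rows if ip}
    unresolved = sorted(set(hosts) - resolved)
    per_module = Counter(m or "unknown" for _, _, m in rows)  # rows per module
    return hosts, ips, unresolved, per_module


def write_lists(db_path, out_dir):
    """Write hosts.txt and ips.txt into out_dir; return collect_hosts()."""
    result = collect_hosts(db_path)
    os.makedirs(out_dir, exist_ok=True)
    for name, items in (("hosts.txt", result[0]), ("ips.txt", result[1])):
        with open(os.path.join(out_dir, name), "w") as f:
            f.write("\n".join(items) + "\n")
    return result


def make_sample_db(db_path):
    """Constructed sample rows standing in for a real workspace database."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    con.executemany("INSERT INTO hosts VALUES (?, ?, ?)", [
        ("www.example.com", "192.0.2.10", "recon/domains-hosts/builtwith"),
        ("api.example.com", "192.0.2.11", "recon/domains-hosts/certificate_transparency"),
        ("API.example.com", "192.0.2.11", "recon/domains-hosts/brute_hosts"),
        ("old.example.com", None, "recon/domains-hosts/brute_hosts"),
    ])
    con.commit()
    con.close()
```

Against a real workspace, point write_lists at ~/.recon-ng/workspaces/hackerone/data.db and an output directory of your choice; the returned unresolved list tells you which subdomains still need resolving before the IP list is complete.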