Using Recon-Ng for Recon for Bug Bounty

jowin922
2 min readDec 6, 2022

--

Recon-Ng is a great tool for automating your recon workflow and is one of the must have tool for Bug bounties.

This tutorial shows how to use Recon-Ng.

Installation —

The commands to install are

git clone https://github.com/lanmaster53/recon-ng

cd recon-ng

pip install -r REQUIREMENTS

./recon-ng

Now recon-ng would start

The next step is to install all the modules. Use below command

marketplace install all

You can add the API keys for some modules like censys, shodan etc to make use of all the modules in recon-ng

Now lets start recon on a target

Step 1 : Create a new workspace for your bug bounty target

workspaces create hackerone

Step 2 : Add domains to the workspace

[recon-ng][hackerone] > db insert domains
domain (TEXT): hackerone.com

Step 3: There are several modules in recon-ng which can enumerate subdomains. ( Builtwith, Censys, hackertarget, netcraft, threatcrowd, threatminer, certificate transparency etc ). You can run them one after the other. Try to use most of these modules so that you get the maximum domains.

[recon-ng][hackerone] > modules load recon/domains-hosts/builtwith
[recon-ng][hackerone][builtwith] > run

[recon-ng][hackerone][builtwith] > modules load recon/domains-hosts/certificate_transparency
[recon-ng][hackerone][certificate_transparency] > run

[recon-ng][hackerone][brute_hosts] > modules load recon/domains-hosts/brute_hosts

[recon-ng][hackerone][brute_hosts] > run

Like the above examples. Run modules in recon/domain-hosts to get more subdomains

Step 3 : Get IP address for the subdomains. This can be done by running the modules resolve and reverse resolve in recon/domains-hosts

Run below commands to get IP address

[recon-ng][hackerone][brute_hosts] > modules load recon/hosts-hosts/resolve
[recon-ng][hackerone][resolve] > run

[recon-ng][hackerone][resolve] > modules load recon/hosts-hosts/reverse_resolve
[recon-ng][hackerone][reverse_resolve] > run

Step 4 : Enter below command to see all the domains and IP address collected tilll now

[recon-ng][hackerone][reverse_resolve] > show hosts

Step 5 : You would need the results in txt files for further processing, This can be done by using the modules in reporting.

Use below commands to export the subdomains & IP address

Export IP addresses to a list

[recon-ng][hackerone][reverse_resolve] > modules load reporting/list
[recon-ng][hackerone][list] > options set FILENAME /home/kali/hackerone.txt

[recon-ng][hackerone][list] > options set COLUMN ip_address
[recon-ng][hackerone][list] > run

Export Subdomains in a list

[recon-ng][hackerone][list] > options set COLUMN host

[recon-ng][hackerone][list] > options set FILENAME /home/jowin/pentest/hackerone.txt

[recon-ng][hackerone][list] > run

--

--

jowin922
jowin922

Written by jowin922

Web App Pentester, Cybersecurity Enthusiast

No responses yet