KEMBAR78
Recon NG Tutorial | PDF | Computing | Software
Scribd
Upload
37 views17 pages

Recon NG Tutorial

The Recon-ng tutorial provides an overview of the reconnaissance tool designed for open source intelligence (OSINT) gathering, highlighting its modular approach and command-line interface. It covers installation instructions for Kali and Ubuntu, as well as how to create workspaces and utilize the marketplace for modules. Users can easily navigate the console to perform various reconnaissance tasks and manage collected data efficiently.

Uploaded by

skynet ceh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
37 views17 pages

Recon NG Tutorial

The Recon-ng tutorial provides an overview of the reconnaissance tool designed for open source intelligence (OSINT) gathering, highlighting its modular approach and command-line interface. It covers installation instructions for Kali and Ubuntu, as well as how to create workspaces and utilize the marketplace for modules. Users can easily navigate the console to perform various reconnaissance tasks and manage collected data efficiently.

Uploaded by

skynet ceh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Recon-NG Tutorial | HackerTarget.

com

the admin

In this recon-ng tutorial, discover open source intelligence and easily pivot to new results. Using a
modular approach, collect and dig deeper into extracted data.

What is Recon-ng?

Recon-ng is a reconnaissance / OSINT tool with an interface similar to Metasploit. Running recon-ng
from the command line speeds up the recon process as it automates gathering information from open
sources.

Recon-ng has a variety of options to configure, perform recon, and output results to different report
types.

The interactive console provides a number of helpful features such as command completion and
contextual help.

Recon-ng Installation

Installing Recon-ng is very simple and there are a few common ways. Below are a few examples;

Kali:

At the time of this article version 5.1.2 comes pre-installed with Kali Linux. Having said that, its good
to run apt-get update && apt-get install recon-ng to ensure latest dependencies installed.

Ubuntu:

Requires git and pip installed.


test@ubuntu:~/$ git clone https://github.com/lanmaster53/recon-ng.git
test@ubuntu:~/$ cd recon-ng
test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS

Next to run recon-ng;

test@ubuntu:~/recon-ng/$ ./recon-ng

The Recon-NG console is now loaded.

_/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/


_/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/

/\
/ \\ /\
Sponsored by... /\ /\/ \\V \/\
/ \\/ // \\\\\ \\ \/\
// // BLACK HILLS \/ \\
www.blackhillsinfosec.com

____ ____ ____ ____ _____ _ ____ ____ ____


|____] | ___/ |____| | | | |____ |____ |
| | \_ | | |____ | | ____| |____ |____
www.practisec.com

[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]

[*] No modules enabled/installed.

[recon-ng][default] >

Using recon-ng

From the console it is easy to get help and get started with your recon.

[recon-ng][default] > help


Commands (type [help|?] ):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces

Recon-ng begins with an empty framework. No modules enabled or installed.

[*] No modules enabled/installed.

How to use Recon-ng:

Create a Workspace

There is a lot of options when using this OSINT tool. Maintaining collected information and notes
organised is a necessary part of any OSINT investigation. Creating a workspaces keeps things orderly
and easy to find. When using Recon-ng workspaces, all data located and collected is saved within a
database in that workspace.

[recon-ng][default] > workspaces create example_name

[recon-ng][default] > workspaces create example_name


[recon-ng][example_name] >

The command recon-ng -w example_name opens or returns directly to that workspace.

test@ubuntu:~/$ recon-ng -w example_name


[recon-ng][example_name] >

Recon-ng Marketplace and Modules

Here again the help comes in handy marketplace help shows commands for removing modules,
how to find more info, search, refresh and install.

[recon-ng][default] > marketplace help


Interfaces with the module marketplace

Usage: marketplace info|install|refresh|remove|search [...]

Typing marketplace search displays a list of all the modules. From which you can start following
the white rabbit exploring and getting deeper into recon and open source intelligence.

Recon-ng modules

Modules are grouped together under various categories and can be found searching on marketplace

- discovery
- exploitation
- import
- recon
- reporting

Each of the above have sub categories as shown in the table below. Use marketplace search for a
full table providing information on version, status (installed or not-installed), date updated,
dependencies or require keys.

[recon-ng][example_name] > marketplace search

+---------------------------------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+---------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.1 | not installed | 2020-10-13 | | |
| discovery/info_disclosure/interesting_files | 1.2 | not installed | 2021-10-04 | | |
| exploitation/injection/command_injector | 1.0 | not installed | 2019-06-24 | | |
| exploitation/injection/xpath_bruter | 1.2 | not installed | 2019-10-08 | | |
| import/csv_file | 1.1 | not installed | 2019-08-09 | | |
| import/list | 1.1 | not installed | 2019-06-24 | | |
| import/masscan | 1.0 | not installed | 2020-04-07 | | |
| import/nmap | 1.1 | not installed | 2020-10-06 | | |
| recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | 2019-06-24 | | * |
| recon/companies-contacts/censys_email_address | 2.0 | not installed | 2021-05-11 | * | * |
| recon/companies-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/censys_subdomains | 2.0 | not installed | 2021-05-10 | * | * |
| recon/companies-domains/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/companies-domains/viewdns_reverse_whois | 1.1 | not installed | 2021-08-24 | | |
| recon/companies-domains/whoxy_dns | 1.1 | not installed | 2020-06-17 | | * |
| recon/companies-hosts/censys_org | 2.0 | not installed | 2021-05-11 | * | * |
| recon/companies-hosts/censys_tls_subjects | 2.0 | not installed | 2021-05-11 | * | * |
| recon/companies-multi/github_miner | 1.1 | not installed | 2020-05-15 | | * |
| recon/companies-multi/shodan_org | 1.1 | not installed | 2020-07-01 | * | * |
| recon/companies-multi/whois_miner | 1.1 | not installed | 2019-10-15 | | |
| recon/contacts-contacts/abc | 1.0 | not installed | 2019-10-11 | * | |
| recon/contacts-contacts/mailtester | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/mangle | 1.0 | not installed | 2019-06-24 | | |
| recon/contacts-contacts/unmangle | 1.1 | not installed | 2019-10-27 | | |
| recon/contacts-credentials/hibp_breach | 1.2 | not installed | 2019-09-10 | | * |
| recon/contacts-credentials/hibp_paste | 1.1 | not installed | 2019-09-10 | | * |
| recon/contacts-domains/migrate_contacts | 1.1 | not installed | 2020-05-17 | | |
| recon/contacts-profiles/fullcontact | 1.1 | not installed | 2019-07-24 | | * |
| recon/credentials-credentials/adobe | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/bozocrack | 1.0 | not installed | 2019-06-24 | | |
| recon/credentials-credentials/hashes_org | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-companies/censys_companies | 2.0 | not installed | 2021-05-10 | * | * |
| recon/domains-companies/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-companies/whoxy_whois | 1.1 | not installed | 2020-06-24 | | * |
| recon/domains-contacts/hunter_io | 1.3 | not installed | 2020-04-14 | | * |
| recon/domains-contacts/metacrawler | 1.1 | not installed | 2019-06-24 | * | |
| recon/domains-contacts/pen | 1.1 | not installed | 2019-10-15 | | |
| recon/domains-contacts/pgp_search | 1.4 | not installed | 2019-10-16 | | |
| recon/domains-contacts/whois_pocs | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-contacts/wikileaker | 1.0 | not installed | 2020-04-08 | | |
| recon/domains-credentials/pwnedlist/account_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/api_usage | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/domain_creds | 1.0 | not installed | 2019-06-24 | * | * |
| recon/domains-credentials/pwnedlist/domain_ispwned | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-credentials/pwnedlist/leak_lookup | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-credentials/pwnedlist/leaks_dump | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-domains/brute_suffix | 1.1 | not installed | 2020-05-17 | | |
| recon/domains-hosts/binaryedge | 1.2 | not installed | 2020-06-18 | | * |
| recon/domains-hosts/bing_domain_api | 1.0 | not installed | 2019-06-24 | | * |
| recon/domains-hosts/bing_domain_web | 1.1 | not installed | 2019-07-04 | | |
| recon/domains-hosts/brute_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/builtwith | 1.1 | not installed | 2021-08-24 | | * |
| recon/domains-hosts/censys_domain | 2.0 | not installed | 2021-05-10 | * | * |
| recon/domains-hosts/certificate_transparency | 1.2 | not installed | 2019-09-16 | | |
| recon/domains-hosts/google_site_web | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/hackertarget | 1.1 | not installed | 2020-05-17 | | |
| recon/domains-hosts/mx_spf_ip | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/netcraft | 1.1 | not installed | 2020-02-05 | | |
| recon/domains-hosts/shodan_hostname | 1.1 | not installed | 2020-07-01 | * | * |
| recon/domains-hosts/spyse_subdomains | 1.1 | not installed | 2021-08-24 | | * |
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatcrowd | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-hosts/threatminer | 1.0 | not installed | 2019-06-24 | | |
| recon/domains-vulnerabilities/ghdb | 1.1 | not installed | 2019-06-26 | | |
| recon/domains-vulnerabilities/xssed | 1.1 | not installed | 2020-10-18 | | |
| recon/hosts-domains/migrate_hosts | 1.1 | not installed | 2020-05-17 | | |
| recon/hosts-hosts/bing_ip | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/censys_hostname | 2.0 | not installed | 2021-05-10 | * | * |
| recon/hosts-hosts/censys_ip | 2.0 | not installed | 2021-05-10 | * | * |
| recon/hosts-hosts/censys_query | 2.0 | not installed | 2021-05-10 | * | * |
| recon/hosts-hosts/ipinfodb | 1.2 | not installed | 2021-08-24 | | * |
| recon/hosts-hosts/ipstack | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-hosts/resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-locations/migrate_hosts | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-ports/binaryedge | 1.0 | not installed | 2019-06-24 | | * |
| recon/hosts-ports/shodan_ip | 1.2 | not installed | 2020-07-01 | * | * |
| recon/locations-locations/geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-locations/reverse_geocode | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/flickr | 1.0 | not installed | 2019-06-24 | | * |
| recon/locations-pushpins/shodan | 1.1 | not installed | 2020-07-07 | * | * |
| recon/locations-pushpins/twitter | 1.1 | not installed | 2019-10-17 | | * |
| recon/locations-pushpins/youtube | 1.2 | not installed | 2020-09-02 | | * |
| recon/netblocks-companies/censys_netblock_company | 2.0 | not installed | 2021-05-11 | * | * |
| recon/netblocks-companies/whois_orgs | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/censys_netblock | 2.0 | not installed | 2021-05-10 | * | * |
| recon/netblocks-hosts/reverse_resolve | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-hosts/shodan_net | 1.2 | not installed | 2020-07-21 | * | * |
| recon/netblocks-hosts/virustotal | 1.0 | not installed | 2019-06-24 | | * |
| recon/netblocks-ports/census_2012 | 1.0 | not installed | 2019-06-24 | | |
| recon/netblocks-ports/censysio | 1.0 | not installed | 2019-06-24 | | * |
| recon/ports-hosts/migrate_ports | 1.0 | not installed | 2019-06-24 | | |
| recon/ports-hosts/ssl_scan | 1.1 | not installed | 2021-08-24 | | |
| recon/profiles-contacts/bing_linkedin_contacts | 1.2 | not installed | 2021-08-24 | | * |
| recon/profiles-contacts/dev_diver | 1.1 | not installed | 2020-05-15 | | |
| recon/profiles-contacts/github_users | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/namechk | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/profiler | 1.0 | not installed | 2019-06-24 | | |
| recon/profiles-profiles/twitter_mentioned | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-profiles/twitter_mentions | 1.0 | not installed | 2019-06-24 | | * |
| recon/profiles-repositories/github_repos | 1.1 | not installed | 2020-05-15 | | * |
| recon/repositories-profiles/github_commits | 1.0 | not installed | 2019-06-24 | | * |
| recon/repositories-vulnerabilities/gists_search | 1.0 | not installed | 2019-06-24 | | |
| recon/repositories-vulnerabilities/github_dorks | 1.0 | not installed | 2019-06-24 | | * |
| reporting/csv | 1.0 | not installed | 2019-06-24 | | |
| reporting/html | 1.0 | not installed | 2019-06-24 | | |
| reporting/json | 1.0 | not installed | 2019-06-24 | | |
| reporting/list | 1.0 | not installed | 2019-06-24 | | |
| reporting/proxifier | 1.0 | not installed | 2019-06-24 | | |
| reporting/pushpin | 1.0 | not installed | 2019-06-24 | | * |
| reporting/xlsx | 1.0 | not installed | 2019-06-24 | | |
| reporting/xml | 1.1 | not installed | 2019-06-24 | | |
+---------------------------------------------------------------------------------------------------+

D = Has dependencies. See info for details.


K = Requires keys. See info for details.
Marketplace search brings up the full table, however you can be more specific in your search, a couple
of examples

recon-ng][default] >marketplace search ssl


[*] Searching module index for 'ssl'...

+----------------------------------------------------------------------------+
| Path | Version | Status | Updated | D | K |
+----------------------------------------------------------------------------+
| recon/domains-hosts/ssl_san | 1.0 | not installed | 2019-06-24 | | |
| recon/hosts-hosts/ssltools | 1.0 | not installed | 2019-06-24 | | |
| recon/ports-hosts/ssl_scan | 1.1 | not installed | 2021-08-24 | | |
+----------------------------------------------------------------------------+

D = Has dependencies. See info for details.


K = Requires keys. See info for details.

[recon-ng][default] >

To find out more info on a specific module

[recon-ng][default] > marketplace info ssltools

+---------------------------------------------------------------------------------------+
| path | recon/hosts-hosts/ssltools
|
| name | SSLTools.com Host Name Lookups
|
| author | Tim Maletic (borrowing from the ssl_san module by Zach Graces)
|
| version | 1.0
|
| last_updated | 2019-06-24
|
| description | Uses the ssltools.com site to obtain host names from a site's SSL certificate metadata
to update the 'hosts' table. Security issues with the certificate trust are pushed to the 'vulnerabilities'
table. |
| required_keys | []
|
| dependencies | []
|
| files | []
|
| status | not installed
|
+------------------------------------------------------------------------------------+

[recon-ng][default] >

As noted above Hackertarget has a module. This will be used as an example on how to use recon-ng.

Recon-ng example

As an example on how to use Recon-ng, hackertarget has a module to gather subdomains recon/
domains-hosts/hackertarget. This module uses the Hackertarget API and hostname search.

Install module

To install this module use the following:

[recon-ng][default] > marketplace install hackertarget


[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] >

Load module

[recon-ng][default] > modules load hackertarget


[recon-ng][default][hackertarget] >

Module Help

The help command from within a loaded module has different options to the global 'help'.
When you are ready to explore more modules use 'back'.

[recon-ng][default][hackertarget] > help

Commands (type [help|?] ):


---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
goptions Manages the global context options
help Displays this menu
info Shows details about the loaded module
input Shows inputs based on the source option
keys Manages third party resource credentials
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
reload Reloads the loaded module
run Runs the loaded module
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
spool Spools output to a file

[recon-ng][default][hackertarget] >

Set source

Using show options, brings a table showing the source current value set at default.

[recon-ng][default][hackertarget] > show options

Name Current Value Required Description


------ ------------- -------- -----------
SOURCE
default

yes source of input (see 'show info' for details)

Now, set the source to the name of the domain investigating. This example uses tesla.com as they
have a published big bounty.

Use command options set SOURCE tesla.com

[recon-ng][default][hackertarget] > options set SOURCE tesla.com


SOURCE => tesla.com

Use command info. This shows current value has changed to tesla.com

[recon-ng][default][hackertarget] > info

Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE tesla.com yes source of input (see 'info' for details)

Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
string string representing a single input
path path to a file containing a list of inputs
query sql database query returning one column of inputs

Use input to see

[recon-ng][default][hackertarget] > input

+---------------+
| Module Inputs |
+---------------+
| tesla.com |
+---------------+

Run the module

Type run to execute the module.

[recon-ng][default][hackertarget] > run

---------
TESLA.COM
---------
[*] Host: tesla.com
[*] Ip_Address: 104.119.104.74
[*] --------------------------------------------------
[*] Host: o7.ptr6980.tesla.com
[*] Ip_Address: 149.72.144.42
[*] --------------------------------------------------
[*] Host: vpn1.tesla.com
[*] Ip_Address: 8.45.124.215
[*] --------------------------------------------------
[*] Host: apacvpn1.tesla.com
[*] Ip_Address: 8.244.131.215
[*] --------------------------------------------------
[*] Host: cnvpn1.tesla.com
[*] Ip_Address: 114.141.176.215
[*] --------------------------------------------------
[*] Host: vpn2.tesla.com
[*] Ip_Address: 8.47.24.215
[*] --------------------------------------------------
[*] Host: model3.tesla.com
[*] Ip_Address: 205.234.27.221
[*] --------------------------------------------------
[*] Host: o3.ptr1444.tesla.com
[*] Ip_Address: 149.72.152.236
[*] --------------------------------------------------
[*] Host: o2.ptr556.tesla.com
[*] Ip_Address: 149.72.134.64
[*] --------------------------------------------------
[*] Host: o5.ptr8466.tesla.com
[*] Ip_Address: 149.72.172.170
[*] --------------------------------------------------
[*] Host: o6.ptr9437.tesla.com
[*] Ip_Address: 168.245.123.10
[*] --------------------------------------------------
[*] Host: o4.ptr1867.tesla.com
[*] Ip_Address: 149.72.163.58
[*] --------------------------------------------------
[*] Host: marketing.tesla.com
[*] Ip_Address: 13.111.47.196
[*] --------------------------------------------------
[*] Host: o1.ptr2410.link.tesla.com
[*] Ip_Address: 149.72.247.52
[*] --------------------------------------------------
[*] Host: referral.tesla.com
[*] Ip_Address: 72.10.32.90
[*] --------------------------------------------------
[*] Host: mta2.email.tesla.com
[*] Ip_Address: 13.111.4.231
[*] --------------------------------------------------
[*] Host: mta.email.tesla.com
[*] Ip_Address: 13.111.14.190
[*] --------------------------------------------------
[*] Host: xmail.tesla.com
[*] Ip_Address: 204.74.99.100
[*] --------------------------------------------------
[*] Host: comparison.tesla.com
[*] Ip_Address: 64.125.183.133
[*] --------------------------------------------------
[*] Host: apacvpn.tesla.com
[*] Ip_Address: 8.244.67.215
[*] --------------------------------------------------
[*] Host: cnvpn.tesla.com
[*] Ip_Address: 103.222.41.215
[*] --------------------------------------------------
[*] Host: emails.tesla.com
[*] Ip_Address: 13.111.18.27
[*] --------------------------------------------------
[*] Host: mta2.emails.tesla.com
[*] Ip_Address: 13.111.88.1
[*] --------------------------------------------------
[*] Host: mta3.emails.tesla.com
[*] Ip_Address: 13.111.88.2
[*] --------------------------------------------------
[*] Host: mta4.emails.tesla.com
[*] Ip_Address: 13.111.88.52
[*] --------------------------------------------------
[*] Host: mta5.emails.tesla.com
[*] Ip_Address: 13.111.88.53
[*] --------------------------------------------------
[*] Host: mta.emails.tesla.com
[*] Ip_Address: 13.111.62.118
[*] --------------------------------------------------
[*] Host: click.emails.tesla.com
[*] Ip_Address: 13.111.48.179
[*] --------------------------------------------------
[*] Host: view.emails.tesla.com
[*] Ip_Address: 13.111.49.179
[*] --------------------------------------------------
[*] Host: itanswers.tesla.com
[*] Ip_Address: 204.74.99.100
[*] --------------------------------------------------
[*] Host: events.tesla.com
[*] Ip_Address: 13.111.47.195
[*] --------------------------------------------------
[*] Host: www-uat.tesla.com
[*] Ip_Address: 199.66.9.47
[*] --------------------------------------------------
[*] Host: shop.eu.tesla.com
[*] Ip_Address: 205.234.27.221
[*] --------------------------------------------------
[*] Host: mfamobile-dev.tesla.com
[*] Ip_Address: 205.234.27.209
[*] --------------------------------------------------
[*] Host: mfauser-dev.tesla.com
[*] Ip_Address: 205.234.27.209
[*] --------------------------------------------------

-------
SUMMARY
-------
[*] 35 total (35 new) hosts found.

Show hosts

Now we have begun to populate our hosts. Typing show hosts will give you a summary of the
resources discovered.

[recon-ng][default][hackertarget] > show hosts

+----------------------------------------------------------------------------------------------------------------------
+
| rowid | host | ip_address | region | country | latitude | longitude | notes | module |

+----------------------------------------------------------------------------------------------------------------------
+
| 1 | tesla.com | 104.119.104.74 | | | | | | hackertarget |
| 2 | o7.ptr6980.tesla.com | 149.72.144.42 | | | | | | hackertarget |
| 3 | vpn1.tesla.com | 8.45.124.215 | | | | | | hackertarget |
| 4 | apacvpn1.tesla.com | 8.244.131.215 | | | | | | hackertarget |
| 5 | cnvpn1.tesla.com | 114.141.176.215 | | | | | | hackertarget |
| 6 | vpn2.tesla.com | 8.47.24.215 | | | | | | hackertarget |
| 7 | model3.tesla.com | 205.234.27.221 | | | | | | hackertarget |
| 8 | o3.ptr1444.tesla.com | 149.72.152.236 | | | | | | hackertarget |
| 9 | o2.ptr556.tesla.com | 149.72.134.64 | | | | | | hackertarget |
| 10 | o5.ptr8466.tesla.com | 149.72.172.170 | | | | | | hackertarget |
| 11 | o6.ptr9437.tesla.com | 168.245.123.10 | | | | | | hackertarget |
| 12 | o4.ptr1867.tesla.com | 149.72.163.58 | | | | | | hackertarget |
| 13 | marketing.tesla.com | 13.111.47.196 | | | | | | hackertarget |
| 14 | o1.ptr2410.link.tesla.com | 149.72.247.52 | | | | | | hackertarget |
| 15 | referral.tesla.com | 72.10.32.90 | | | | | | hackertarget |
| 16 | mta2.email.tesla.com | 13.111.4.231 | | | | | | hackertarget |
| 17 | mta.email.tesla.com | 13.111.14.190 | | | | | | hackertarget |
| 18 | xmail.tesla.com | 204.74.99.100 | | | | | | hackertarget |
| 19 | comparison.tesla.com | 64.125.183.133 | | | | | | hackertarget |
| 20 | apacvpn.tesla.com | 8.244.67.215 | | | | | | hackertarget |
| 21 | cnvpn.tesla.com | 103.222.41.215 | | | | | | hackertarget |
| 22 | emails.tesla.com | 13.111.18.27 | | | | | | hackertarget |
| 23 | mta2.emails.tesla.com | 13.111.88.1 | | | | | | hackertarget |
| 24 | mta3.emails.tesla.com | 13.111.88.2 | | | | | | hackertarget |
| 25 | mta4.emails.tesla.com | 13.111.88.52 | | | | | | hackertarget |
| 26 | mta5.emails.tesla.com | 13.111.88.53 | | | | | | hackertarget |
| 27 | mta.emails.tesla.com | 13.111.62.118 | | | | | | hackertarget |
| 28 | click.emails.tesla.com | 13.111.48.179 | | | | | | hackertarget |
| 29 | view.emails.tesla.com | 13.111.49.179 | | | | | | hackertarget |
| 30 | itanswers.tesla.com | 204.74.99.100 | | | | | | hackertarget |
| 31 | events.tesla.com | 13.111.47.195 | | | | | | hackertarget |
| 32 | www-uat.tesla.com | 199.66.9.47 | | | | | | hackertarget |
| 33 | shop.eu.tesla.com | 205.234.27.221 | | | | | | hackertarget |
| 34 | mfamobile-dev.tesla.com | 205.234.27.209 | | | | | | hackertarget |
| 35 | mfauser-dev.tesla.com | 205.234.27.209 | | | | | | hackertarget |

+----------------------------------------------------------------------------------------------------------------------
+

[*] 35 rows returned

[recon-ng][default][hackertarget] >

--------------------------------------------------------------

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly
recommended option. This will enable queries to open ports on your discovered hosts without
sending any packets to the target systems.

How to add shodan API key

Create or login to your Shodan account, Go to 'Account" in top right corner. The API Key is listed here
on the Account Overview page.

Recon-ng shows the syntax to add an API key is below

[recon-ng][default] > keys add


Adds/Updates a third party resource credential

Usage: keys add name value

[recon-ng][default] keys add shodan_api bbexampleapikey33

.recon-ng configuration files

When you install recon-ng on your machine, it creates a folder in your home directory called .recon-
ng. Contained in this folder is keys.db. If you are upgrading from one version to another or changed
computers, and have previous modules that require keys to work, copy this file from the old version
on your system and move it on the new one. You do not have to start all over again.

test@test-desktop:~/.recon-ng$ ls

keys.db
modules
modules.yml
workspaces

test@test-desktop:~/.recon-ng$

Conclusion

Recon-ng is a powerful tool that can be further explored by viewing the list of modules. The help
within the console is clear, and with a bit of playing around it won't take long to become an expert.

The rise of bug bounties allows you to play with new tools and explore Organizations' every expanding
attack surface footprint. Have fun. Don't break the rules.

For a great overview on version 5 check out the you tube video by Tim Tomes.

**article revised and updated Nov 2022

You might also like