Recon-ng is an open-source framework written in Python by Tim Tomes,
a.k.a. LaNMaSteR53. Its interface is modeled after the look of the
Metasploit Framework, but it is not meant for exploitation or for
spawning a Meterpreter session or a shell; it is built for web-based
reconnaissance and information gathering. It ships with modules that
support that work, much like Metasploit's auxiliary and exploit modules.
Modules are categorized into Discovery, Experimental, Recon and
Reporting. As of this writing, here are the modules with their
subcategories:
Discovery
---------
discovery/exploitable/http/dnn_fcklinkgallery
discovery/exploitable/http/generic_restaurantmenu
discovery/exploitable/http/webwiz_rte
discovery/info_disclosure/dns/cache_snoop
discovery/info_disclosure/http/backup_finder
discovery/info_disclosure/http/google_ids
discovery/info_disclosure/http/interesting_files
Experimental
------------
experimental/rce
Recon
-----
recon/contacts/enum/http/web/dev_diver
recon/contacts/enum/http/web/namechk
recon/contacts/enum/http/web/pwnedlist
recon/contacts/enum/http/web/should_change_password
recon/contacts/gather/http/api/jigsaw/point_usage
recon/contacts/gather/http/api/jigsaw/purchase_contact
recon/contacts/gather/http/api/jigsaw/search_contacts
recon/contacts/gather/http/api/linkedin_auth
recon/contacts/gather/http/api/twitter
recon/contacts/gather/http/api/whois_pocs
recon/contacts/gather/http/web/jigsaw
recon/contacts/gather/http/web/pgp_search
recon/contacts/support/add_contact
recon/contacts/support/mangle
recon/creds/enum/http/api/leakdb
recon/creds/enum/http/api/noisette
recon/creds/gather/http/api/pwnedlist/account_creds
recon/creds/gather/http/api/pwnedlist/api_usage
recon/creds/gather/http/api/pwnedlist/domain_creds
recon/creds/gather/http/api/pwnedlist/domain_ispwned
recon/creds/gather/http/api/pwnedlist/leak_lookup
recon/creds/gather/http/api/pwnedlist/leaks_dump
recon/hosts/enum/dns/resolve
recon/hosts/enum/http/api/builtwith
recon/hosts/enum/http/api/punkspider
recon/hosts/enum/http/api/wascompanyhacked
recon/hosts/enum/http/api/whatweb
recon/hosts/enum/http/api/whois_lookup
recon/hosts/enum/http/web/age_analyzer
recon/hosts/enum/http/web/asafaweb
recon/hosts/enum/http/web/gender_analyzer
recon/hosts/enum/http/web/ipvoid
recon/hosts/enum/http/web/malwaredomain
recon/hosts/enum/http/web/mywot
recon/hosts/enum/http/web/netbios
recon/hosts/enum/http/web/netcraft_history
recon/hosts/enum/http/web/open_resolvers
recon/hosts/enum/http/web/urlvoid
recon/hosts/enum/http/web/web_archive
recon/hosts/enum/http/web/xssed
recon/hosts/gather/dns/brute_force
recon/hosts/gather/http/api/bing_ip
recon/hosts/gather/http/api/google_site
recon/hosts/gather/http/api/shodan_hostname
recon/hosts/gather/http/web/baidu_site
recon/hosts/gather/http/web/bing_site
recon/hosts/gather/http/web/census_2012
recon/hosts/gather/http/web/google_site
recon/hosts/gather/http/web/ip_neighbor
recon/hosts/gather/http/web/mcafee/mcafee_affil
recon/hosts/gather/http/web/mcafee/mcafee_dns
recon/hosts/gather/http/web/mcafee/mcafee_mail
recon/hosts/gather/http/web/netcraft
recon/hosts/gather/http/web/yahoo_site
recon/hosts/geo/http/api/hostip
recon/hosts/geo/http/api/ipinfodb
recon/hosts/geo/http/api/maxmind
recon/hosts/geo/http/api/uniapple
recon/hosts/geo/http/web/wigle
recon/hosts/support/add_host
Reporting
---------
reporting/csv_file
reporting/html_report
reporting/list
In this article I'm going to focus on the Backup File Finder module,
which I authored together with Tim Tomes (the main developer of
Recon-ng). This module checks specific hosts for exposed backup copies
of configuration files. The default configuration searches for
wp-config.php, the file that holds a WordPress site's database
configuration.
As a side note, this module is inspired by cmsploit.
Basic Usage:
load discovery/info_disclosure/http/backup_finder (use the module)
show options (shows the options that can be set for the module)
set source target.com (the host you want to crawl)
set uri config_file (the configuration file you want to check, e.g. wp-config.php)
Here is a screenshot of the Backup File Finder's actual crawling.
Now, here is what a typical configuration file contains:
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'passwd');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
List of configuration files used by popular CMSs, any of which can be set as the uri option:
wp-config.php >> WordPress
config.php >> phpBB, ExpressionEngine
configuration.php >> Joomla
LocalSettings.php >> MediaWiki
mt-config.cgi >> Movable Type
settings.php >> Drupal
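As an added, defender-side example (not code from Recon-ng or from this article), the script below walks a local web root for backup copies of the configuration files listed above and flags any that still carry the database settings shown earlier, which is what gets exposed when such a copy is served as plain text. The backup suffix list is an assumption about common editor and manual backup naming, not the list the backup_finder module uses.

```python
import os
import re
import tempfile

# Config files the article lists, keyed by the CMS that uses them.
CONFIG_FILES = {
    "wp-config.php": "WordPress",
    "config.php": "phpBB / ExpressionEngine",
    "configuration.php": "Joomla",
    "LocalSettings.php": "MediaWiki",
    "mt-config.cgi": "Movable Type",
    "settings.php": "Drupal",
}
# Assumed backup naming patterns (editor swap/backup files and manual copies);
# this is not the list used by Recon-ng's backup_finder module.
SUFFIXES = [".bak", ".old", ".orig", ".save", ".swp", ".txt", "~", ".1"]
# Settings that leak database access if the file is served as plain text.
SECRET_RE = re.compile(r"define\(\s*'DB_(PASSWORD|USER|HOST)'")

def backup_variants(name):
    """Candidate backup filenames derived from a config filename."""
    return [name + s for s in SUFFIXES] + ["#" + name + "#", "." + name + ".swp"]

def contains_db_secrets(text):
    """True if the text carries the plaintext DB settings shown in the article."""
    return SECRET_RE.search(text) is not None

def audit_webroot(root):
    """Walk root; return sorted (relative path, CMS, holds_secrets) tuples."""
    wanted = {v: cfg for cfg in CONFIG_FILES for v in backup_variants(cfg)}
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f in wanted:
                path = os.path.join(dirpath, f)
                with open(path, errors="replace") as fh:
                    leaks = contains_db_secrets(fh.read())
                findings.append((os.path.relpath(path, root), CONFIG_FILES[wanted[f]], leaks))
    return sorted(findings)

def demo():
    """Constructed web root: a live wp-config.php next to a stray .bak copy."""
    root = tempfile.mkdtemp()
    cfg = "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_PASSWORD', 'passwd');\n"
    for name, body in (("wp-config.php", cfg), ("wp-config.php.bak", cfg), ("index.php", "<?php\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return audit_webroot(root)
```

Run `audit_webroot("/var/www/html")` (or your own document root) as a pre-deployment check; the live wp-config.php is not reported, only stray copies of it.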
About The Author
This article was written by Jay Turla, a security researcher at Infosec who also performs vulnerability research.
I am also one of the contributors to this framework and have contributed mostly to the Discovery modules.