Introduction

We covered Recon-ng, a reconnaissance framework commonly used by red teams during engagements. We covered creating workspaces, installing and loading modules, and adding and removing API keys, along with examples of recon modules such as using Google and DNS to discover domains and other useful information. This video was part of the TryHackMe Red Team Recon room, which is in the Red Team track.

Recon-ng Framework

Reconnaissance (recon) can be classified into two parts:

  1. Passive Recon: carried out by observing what is already publicly available, without touching the target.
  2. Active Recon: requires interacting with the target in order to provoke and observe its response.

Passive recon doesn’t require interacting with the target. In other words, you aren’t sending any packets or requests to the target or the systems your target owns. Instead, passive recon relies on publicly available information that is collected and maintained by a third party. Open Source Intelligence (OSINT) is used to collect information about the target and can be as simple as viewing a target’s publicly available social media profile. Example information that we might collect includes domain names, IP address blocks, email addresses, employee names, and job posts. In the upcoming task, we’ll see how to query DNS records and expand on the topics from the Passive Reconnaissance room and introduce advanced tooling to aid in your recon.

Active recon requires interacting with the target by sending requests and packets and observing if and how it responds. The responses collected – or the lack of responses – let us expand on the picture we started developing using passive recon. An example of active reconnaissance is using Nmap to scan target subnets and live hosts. Other examples can be found in the Active Reconnaissance room. Information we would want to discover includes live hosts, running servers, listening services, and version numbers.

Active recon can be classified as:

  1. External Recon: Conducted outside the target’s network and focused on the externally facing assets accessible from the Internet. One example is running Nikto from outside the company network.
  2. Internal Recon: Conducted from within the target company’s network. In other words, the pentester or red teamer might be physically located inside the company building. In this scenario, they might be using an exploited host on the target’s network. An example would be using Nessus to scan the internal network using one of the target’s computers.

Recon-ng is a framework that helps automate the OSINT work. It uses modules from various authors and provides a multitude of functionality. Some modules require keys to work; the key allows the module to query the related online API.

From a penetration testing and red team point of view, Recon-ng can be used to find various bits and pieces of information that can aid in an operation or OSINT task. All the data collected is automatically saved in the database related to your workspace. For instance, you might discover host addresses to later port-scan or collect contact email addresses for phishing attacks.

Getting Started: Workspaces and Databases

First off, I discovered that workspaces are fundamental to organizing your reconnaissance efforts in Recon-ng. Each workspace acts as a separate environment with its own dedicated database, keeping all your collected data neatly separated.

To create a new workspace, I simply used the command: workspaces create <workspace_name>. For instance, in the video, I saw an example like workspaces create Clinic red team.

Once a workspace was active, I could inspect its database schema using db schema. This command showed me all the tables available, such as domains, companies, hosts, ports, and repositories, which are designed to store the different types of information I’d gather.

To manually insert data into these tables, I used db insert <table_name>. For example, to add a domain, I’d type db insert domains, and then I’d be prompted to fill in the relevant details like the domain name.

Exploring and Using Modules

The real power of Recon-ng lies in its modules, which are essentially specialized tools for various reconnaissance tasks. I found the marketplace system for managing these modules to be very efficient.

  • To find modules, I could use marketplace search <keyword>. If I wanted to find all DNS-related modules, I’d type marketplace search DNS. The search results were helpful, indicating if a module was already installed, required an API key (marked with a ‘K*’), or had dependencies (marked with a ‘D*’).
  • Before installing, I could get more information about a specific module using marketplace info <module_name>. This provided details like the author, description, and what the module does.
  • Installing a module was straightforward: marketplace install <module_name>.
  • To see all the modules I had installed, I used modules search.
  • If I needed to remove a module, the command was marketplace remove <module_name>.
  • To activate and use an installed module, I’d load it with modules load <module_name>. If I loaded the wrong one, Ctrl+C or typing back would take me out of the module context.
  • Once a module was loaded, I could view its configurable options using options list. For more details on a specific option, I could use info.
  • Finally, to execute a loaded module, I just typed run.
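As an added example (not code from the original write-up or from the Recon-ng project), the Python script below batches the workspace and module steps described above into a Recon-ng resource file, runs it, and then reads the workspace database back to show which module collected which hosts. The `-w`/`-r` flags, the data.db location under ~/.recon-ng, the tilde-separated `db insert` syntax, and the hosts table columns are assumptions about Recon-ng's defaults and should be checked against your installed version; the sample rows are constructed.

```python
# Added example, not code from the write-up or the Recon-ng project: script
# the steps above as a Recon-ng resource file, run it, then read the
# workspace's SQLite database back to see what each module collected.
# Assumed (verify against your recon-ng version): `recon-ng -w <ws> -r <rc>`
# runs a resource file; the workspace DB is ~/.recon-ng/workspaces/<ws>/data.db;
# `db insert` takes tilde-separated values; the default hosts table has
# columns host, ip_address, region, country, latitude, longitude, notes, module.
import sqlite3
import subprocess
from pathlib import Path

def build_resource_script(domain: str, module: str) -> str:
    """The interactive sequence: seed a domain, install, load, run, exit.
    SOURCE is left at its default, which reads from the domains table."""
    return "\n".join([
        f"db insert domains {domain}~",      # domain~notes, notes left empty
        f"marketplace install {module}",
        f"modules load {module}",
        "run",
        "exit",
    ]) + "\n"

def summarize_hosts(conn: sqlite3.Connection) -> list[tuple]:
    """Per module: rows written and distinct IPs, so you can tell which OSINT
    source produced what before deciding on any active follow-up."""
    try:
        return conn.execute(
            "SELECT module, COUNT(*), COUNT(DISTINCT ip_address) FROM hosts "
            "GROUP BY module ORDER BY 2 DESC, module").fetchall()
    except sqlite3.OperationalError:      # fresh workspace: no hosts table yet
        return []

def make_sample_db(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Constructed sample rows shaped like recon-ng's hosts table (offline use)."""
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, "
                 "country TEXT, latitude TEXT, longitude TEXT, notes TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", [
        ("www.example.com", "198.51.100.10", "google_site_web"),
        ("mail.example.com", "198.51.100.20", "google_site_web"),
        ("vpn.example.com", None, "hackertarget"),  # hostname found, not resolved yet
        ("www.example.com", "198.51.100.10", "hackertarget"),
    ])
    return conn

if __name__ == "__main__":
    workspace, rc_path = "clinicredteam", Path("clinicredteam.rc")  # room's workspace name
    rc_path.write_text(build_resource_script("example.com", "recon/domains-hosts/google_site_web"))
    subprocess.run(["recon-ng", "-w", workspace, "-r", str(rc_path)], check=True)
    db = Path.home() / ".recon-ng" / "workspaces" / workspace / "data.db"
    for module, rows, ips in summarize_hosts(sqlite3.connect(db)):
        print(f"{module:32} {rows:4} hosts  {ips:3} distinct IPs")
```

The NULL ip_address row shows why the distinct-IP count matters: a module can record a hostname long before anything resolves it, and the summary keeps that visible.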

Handling API Keys

I learned that some modules require API keys to access external services, like Shodan.

  • To list any API keys I had already configured, I used keys list.
  • To add a new API key, the command was keys add <key_name> <key_value>. For example, to add a Shodan key, I’d use keys add shodan <your_shodan_api_key>.

Practical Examples I Saw

The video provided some great examples that helped solidify my understanding:

  • I saw how to search for DNS modules and then inspect the viewdns_reverse_whois module for details.
  • Another example involved loading the google_site_web module. I observed its options, which by default pulled domain names from the domains table. When attempting to run it, I saw that it encountered a Google CAPTCHA, which is a common hurdle with such tools.
  • I also explored an nmap module, learning that it was designed for importing existing nmap XML output rather than directly running nmap scans.

My Key Takeaway

Overall, my biggest takeaway from this video is the importance of understanding Recon-ng’s core components: workspaces for organization, the database for data storage, and the module system for extending functionality. Mastering these aspects is crucial for anyone looking to use Recon-ng effectively for their reconnaissance tasks.

TryHackMe Red Team Recon Room Answers

How do you start recon-ng with the workspace clinicredteam?

How many modules with the name virustotal exist?

There is a single module under hosts-domains. What is its name?

censys_email_address is a module that “retrieves email addresses from the TLS certificates for a company.” Who is the author?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
