At this time this is incomplete. This is my “working” notes page. When they are useful I’ll remove this line. All commands and expected results are “to the best of my understanding”; I am not an expert, and will be improving my understanding over time.
Site – https://bitbucket.org/LaNMaSteR53/recon-ng
Usage Guide – https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide
Another guide which I found useful – https://www.codemetrix.net/practical-osint-recon-ng/
Recon-NG is a tool for finding information on the web about a target company or entity. This tool, when properly configured, can do a better job at reconnaissance than you, in less time. The usage guides above are likely better resources; this is a place for my personal notes.
Basic commands
Workspaces
I think before doing anything else, you should understand workspaces. They are essentially containers for your projects. These commands must be executed from the root level of recon-ng.
workspaces list
workspaces add (some name)
workspaces select (some name)
workspaces delete (some name) – if you delete the “default” workspace, recon-ng automatically creates a new, empty default workspace.
Modules
show modules – on its own, shows all available modules. You can list a single group instead by appending the group you’d like to see.
show modules discovery
show modules exploitation (or import, or recon)
Commands
APIs and non-APIs
If you really want to take advantage of recon-ng, you will most likely want to go beyond the basic non-API functionality. See below for pricing and signup pages.
Full list… (copied and pasted from application)
(bold means it requires an API, will link below)
(Italics means it does not require an API key)
(No formatting means I haven’t checked yet).
Discovery
---------
discovery/info_disclosure/cache_snoop
discovery/info_disclosure/interesting_files

Exploitation
------------
exploitation/injection/command_injector
exploitation/injection/xpath_bruter

Import
------
import/csv_file
import/list

Recon
-----
recon/companies-contacts/bing_linkedin_cache
recon/companies-contacts/jigsaw/point_usage
recon/companies-contacts/jigsaw/purchase_contact
recon/companies-contacts/jigsaw/search_contacts
recon/companies-contacts/linkedin_auth
recon/companies-multi/github_miner
recon/companies-multi/whois_miner
recon/contacts-contacts/mailtester
recon/contacts-contacts/mangle
recon/contacts-contacts/unmangle
recon/contacts-credentials/hibp_breach
recon/contacts-credentials/hibp_paste
recon/contacts-domains/migrate_contacts
recon/contacts-profiles/fullcontact
recon/credentials-credentials/adobe
recon/credentials-credentials/bozocrack
recon/credentials-credentials/hashes_org
recon/domains-contacts/metacrawler
recon/domains-contacts/pgp_search
recon/domains-contacts/whois_pocs
recon/domains-credentials/pwnedlist/account_creds
recon/domains-credentials/pwnedlist/api_usage
recon/domains-credentials/pwnedlist/domain_creds
recon/domains-credentials/pwnedlist/domain_ispwned
recon/domains-credentials/pwnedlist/leak_lookup
recon/domains-credentials/pwnedlist/leaks_dump
recon/domains-domains/brute_suffix
recon/domains-hosts/bing_domain_api
recon/domains-hosts/bing_domain_web
recon/domains-hosts/brute_hosts
recon/domains-hosts/builtwith
recon/domains-hosts/certificate_transparency
recon/domains-hosts/google_site_api
recon/domains-hosts/google_site_web
recon/domains-hosts/hackertarget
recon/domains-hosts/mx_spf_ip
recon/domains-hosts/netcraft
recon/domains-hosts/shodan_hostname
recon/domains-hosts/ssl_san
recon/domains-hosts/threatcrowd
recon/domains-vulnerabilities/ghdb
recon/domains-vulnerabilities/punkspider
recon/domains-vulnerabilities/xssed
recon/domains-vulnerabilities/xssposed
recon/hosts-domains/migrate_hosts
recon/hosts-hosts/bing_ip
recon/hosts-hosts/freegeoip
recon/hosts-hosts/ipinfodb
recon/hosts-hosts/resolve
recon/hosts-hosts/reverse_resolve
recon/hosts-hosts/ssltools
recon/hosts-locations/migrate_hosts
recon/hosts-ports/shodan_ip
recon/locations-locations/geocode
recon/locations-locations/reverse_geocode
recon/locations-pushpins/flickr
recon/locations-pushpins/instagram
recon/locations-pushpins/picasa
recon/locations-pushpins/shodan
recon/locations-pushpins/twitter
recon/locations-pushpins/youtube
recon/netblocks-companies/whois_orgs
recon/netblocks-hosts/reverse_resolve
recon/netblocks-hosts/shodan_net
recon/netblocks-ports/census_2012
recon/netblocks-ports/censysio
recon/ports-hosts/migrate_ports
recon/profiles-contacts/dev_diver
recon/profiles-contacts/github_users
recon/profiles-profiles/namechk
recon/profiles-profiles/profiler
recon/profiles-profiles/twitter_mentioned
recon/profiles-profiles/twitter_mentions
recon/profiles-repositories/github_repos
recon/repositories-profiles/github_commits
recon/repositories-vulnerabilities/gists_search
recon/repositories-vulnerabilities/github_dorks

Reporting
---------
reporting/csv
reporting/html
reporting/json
reporting/list
reporting/proxifier
reporting/pushpin
reporting/xlsx
reporting/xml
Getting access to APIs (in the order listed above)
| bing_api | Free trial (90 d), Pricing |
| builtwith_api | Free (1 req/second), Pricing |
| censysio_id | Rate Limited free |
| censysio_secret | Is this different than above? |
| flickr_api | Free for personal, See details on page for commercial |
| fullcontact_api | Appears free |
| github_api | Appears free |
| google_api | Appears free |
| google_cse | Appears Free |
| hashes_api | Please donate |
| instagram_api | free for personal business? |
| instagram_secret | Different from above? |
| ipinfodb_api | free |
| jigsaw_api | Free or starts at $250/yr, not sure. |
| jigsaw_password | |
| jigsaw_username | |
| linkedin_api | Appears free |
| linkedin_secret | |
| pwnedlist_api | Site is down at the time of writing |
| pwnedlist_iv | Site is down at the time of writing |
| pwnedlist_secret | Site is down at the time of writing |
| shodan_api | Free, may have limitations Pricing |
| twitter_api | free |
| twitter_secret | Different from above? |