Monthly Archives: January 2015

Playing around with recon-ng

recon-ng is an Open Source set of tools created by the estimable LaNMaSteR53 (aka Tim Tomes). Proper credit goes out to Black Hills Information Society for their sponsorship and support of the toolkit.

recon-ng is incredibly easy to use and I found it very intuitive. The modules and core are written in Python and easy to modify to meet your needs. The interface functions well and provides good help information. There are also numerous handy options for scripting, reading commands from a file, etc. All of the data collection goes into a SQLite database on the backend. Simple queries are handled within the interface and more complex ones can be passed from command line arguments or read in from files. There is also record and playback functionality within the standard interface for actions.

Two types of modules comprise the toolkit. The collection modules are used to collect data from multiple sources and source types (Twitter, domain information, netblocks, Instagram, etc.). Once the data is collected, reporting modules are used to represent the collections. Reporting options include JSON output, CSV, Pushpin (my favorite so far) and HTML.

The modules are very well connected and allow data elements to be utilized and reported on across modules. A domain name or netblock can easily be used as a starting point to collect a wealth of intel including vulnerabilities, contacts, leaks, and owned resources.

I’m currently using recon-ng for multiple purposes. As an exercise to understand the capabilities, I utilized the s/twitter module for data collection and the reporting/pushpin module for reporting to build a view of 24 hours’ worth of Twitter posts in the Wichita, KS area. I was easily able to create some quick and dirty crontabs to update the data collection and reporting elements every 5 minutes and prune the database entries in the pushpins table to keep a rolling 24 hours’ worth of data.
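The rolling 24-hour prune described above, as an added example (not code from the original post or from recon-ng itself). It assumes the workspace database has a `pushpins` table whose `time` column holds `YYYY-MM-DD HH:MM:SS` text in the same timezone as the system clock; `prune_pushpins` is a hypothetical helper name.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumption: `pushpins.time` is text in this format. Verify against your
# own workspace database before pointing the prune at real data.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def prune_pushpins(conn, hours=24, now=None):
    """Delete pushpins older than `hours`; return (deleted, unparsable)."""
    cutoff = (now or datetime.now()) - timedelta(hours=hours)
    stale, unparsable = [], 0
    for rowid, stamp in conn.execute("SELECT rowid, time FROM pushpins"):
        try:
            when = datetime.strptime(stamp or "", TIME_FORMAT)
        except (TypeError, ValueError):
            unparsable += 1  # keep rows we cannot date rather than guess
            continue
        if when < cutoff:
            stale.append((rowid,))
    with conn:  # one transaction: all stale rows are removed, or none are
        conn.executemany("DELETE FROM pushpins WHERE rowid = ?", stale)
    return len(stale), unparsable


def demo():
    """Run the prune against constructed sample rows in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pushpins (source TEXT, message TEXT, time TEXT)")
    conn.executemany(
        "INSERT INTO pushpins VALUES (?, ?, ?)",
        [
            ("Twitter", "constructed: recent", "2015-01-20 11:00:00"),
            ("Twitter", "constructed: old", "2015-01-18 09:30:00"),
            ("Twitter", "constructed: boundary", "2015-01-19 12:00:00"),
            ("Twitter", "constructed: bad stamp", "not-a-date"),
        ],
    )
    result = prune_pushpins(conn, now=datetime(2015, 1, 20, 12, 0, 0))
    rows = conn.execute("SELECT message FROM pushpins ORDER BY rowid")
    return result, [r[0] for r in rows]


if __name__ == "__main__":
    print(demo())
```

Rows with an unreadable timestamp are counted and kept, so a format change in the collector shows up as a rising `unparsable` count instead of silent data loss.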

I’m also utilizing recon-ng as an integral piece for threat modeling. I’m able to collect threat intel data acting as an outside threat actor and report that data to a wide variety of audiences. These audiences include C-level executives, technical and security teams, and business process owners.

Overall, an excellent set of tools to utilize in a wide variety of information security endeavors.