People Recon With Recon-ng

Open source intelligence gathering guide

Recon-ng is an excellent tool for information gathering in the early stages of penetration testing. It was briefly mentioned in my previous OSINT article, and this one will cover the tool more in detail. Recon-ng comes with people reconnaissance modules, which will be described in the article.

Workspace setup

Workspaces keep related information in a single container and prevent mixing of different projects. They also help to store information after you exit the tool, so the work can be continued later. Recon-ng starts with the default workspace. Use the following commands to manage workspaces.

workspaces list

workspaces add workspace_name

A workspace per target separates different recon jobs

Modules

Import

The Import/list module saves a lot of time when there are multiple data entries. Rather than manually entering information, it can be done by importing data from the list.

use import/list

To successfully import data into tables their schema has to be followed.

show schema

Set the variables accordingly to the schema.

set TABLE profiles set COLUMN username set FILENAME file_name.txt

It’s also possible to import from the CSV file

Profiler

The Profiler module performs a username search on various websites using WhatsMyName. Usernames are loaded from the “profiles” table. As the import module was previously used, the “profiles” table is already filled with usernames. It can be checked using the following command.

show profiles

If the table looks good — select the module and run it.

use profiler

Several usernames were removed just to show how to use the delete option

Twitter

The Twitter_mentions module leverages the Twitter API to enumerate users that were mentioned by the given handle. Twitter_mentioned module enumerates users that mentioned the given handle. After enumeration is completed the “profiles” table updates with the results. Note, that Twitter module requires an API key and limits searchable tweet history to 7 days. If you need more history, then use the Twitter machine in Maltego, it doesn’t have history limits. If using Twitter profile for Maltego integration or applying for a developer account looks troublesome — get Twint, it works without API key and integrations.

use twitter_mentions

When the module is selected — set the Twitter username and run it.

set source twitter_username

Twitter_mentioned module has a similar setup

Have I been pwned

The Hibp_breach module leverages the haveibeenpwned.com API to determine if email addresses are associated with breached credentials. After the scan is done the “credentials” table is filled with the compromised emails.

use hibp_breach

If the is no data in the “contacts” table — add it and run the module.

add contacts

After the scan is done — check the “credentials” table for results.

show credentials

haveibeenpwned.com API doesn’t pass all the data, thus the “credentials” table is half empty

Whois POC Harvester

The Whois_pocs module uses the ARIN Whois RWS to harvest POC data from whois queries for the given domain. After the scan is done the “contacts” table updates with the results.

use whois_pocs

When the module is selected — set the source and run it.

set source contact_info