API tools faq
paste
Guest User

Untitled

a guest
Sep 9th, 2015
1,248
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 91.02 KB | None | 0 0
raw download clone embed print report
  1.  
  2. _/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
  3. _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
  4. _/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/
  5. _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/
  6. _/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/
  7.  
  8. +---------------------------------------------------------------------------+
  9. | _ ___ _ __ |
  10. | |_)| _ _|_ |_|.|| _ | _ |_ _ _ _ _ _|_o _ _ (_ _ _ _o_|_ |
  11. | |_)|(_|(_|\ | ||||_\ _|_| || (_)| |||(_| | |(_)| | __)(/_(_|_|| | | \/ |
  12. | / |
  13. | Consulting | Research | Development | Training |
  14. | http://www.blackhillsinfosec.com |
  15. +---------------------------------------------------------------------------+
  16.  
  17. [recon-ng v4.6.3, Tim Tomes (@LaNMaSteR53)]
  18.  
  19. [71] Recon modules
  20. [7] Reporting modules
  21. [2] Import modules
  22. [2] Exploitation modules
  23. [2] Discovery modules
  24.  
  25. [recon-ng][default] > load discovery/info_disclosure/cache_snoop
  26. [recon-ng][default][cache_snoop] > show info
  27.  
  28. Name: DNS Cache Snooper
  29. Path: modules/discovery/info_disclosure/cache_snoop.py
  30. Author: thrapt (thrapt@gmail.com)
  31.  
  32. Description:
  33. Uses the DNS cache snooping technique to check for visited domains
  34.  
  35. Options:
  36. Name Current Value Required Description
  37. ---------- ------------- -------- -----------
  38. DOMAINS /usr/share/recon-ng/data/av_domains.lst yes file containing the list of domains to snoop for
  39. NAMESERVER yes IP address of authoritative nameserver
  40.  
  41. Comments:
  42. * Nameserver must be in IP form.
  43. * http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html
  44.  
  45. [recon-ng][default][cache_snoop] > #12
  46. [*] Command: #12
  47. [recon-ng][default][cache_snoop] > load discovery/info_disclosure/interesting_files
  48. [recon-ng][default] > load discovery/info_disclosure/interesting_files
  49. [recon-ng][default][interesting_files] > show info
  50.  
  51. Name: Interesting File Finder
  52. Path: modules/discovery/info_disclosure/interesting_files.py
  53. Author: Tim Tomes (@LaNMaSteR53), thrapt (thrapt@gmail.com), Jay Turla (@shipcod3), and Mark Jeffery
  54.  
  55. Description:
  56. Checks hosts for interesting files in predictable locations.
  57.  
  58. Options:
  59. Name Current Value Required Description
  60. -------- ------------- -------- -----------
  61. DOWNLOAD True yes download discovered files
  62. PORT 80 yes request port
  63. PROTOCOL http yes request protocol
  64. SOURCE default yes source of input (see 'show info' for details)
  65.  
  66. Source Options:
  67. default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host
  68. <string> string representing a single input
  69. <path> path to a file containing a list of inputs
  70. query <sql> database query returning one column of inputs
  71.  
  72. Comments:
  73. * Files: robots.txt, sitemap.xml, sitemap.xml.gz, crossdomain.xml, phpinfo.php, test.php, elmah.axd,
  74. server-status, jmx-console/, admin-console/, web-console/
  75. * Google Dorks:
  76. - inurl:robots.txt ext:txt
  77. - inurl:elmah.axd ext:axd intitle:"Error log for"
  78. - inurl:server-status "Apache Status"
  79.  
  80. [recon-ng][default][interesting_files] > #12
  81. [*] Command: #12
  82. [recon-ng][default][interesting_files] > load exploitation/injection/command_injector
  83. [recon-ng][default] > load exploitation/injection/command_injector
  84. [recon-ng][default][command_injector] > show info
  85.  
  86. Name: Remote Command Injection Shell Interface
  87. Path: modules/exploitation/injection/command_injector.py
  88. Author: Tim Tomes (@LaNMaSteR53)
  89.  
  90. Description:
  91. Provides a shell interface for remote command injection flaws in web applications.
  92.  
  93. Options:
  94. Name Current Value Required Description
  95. ---------- ------------- -------- -----------
  96. BASE_URL yes the target resource url excluding any parameters
  97. BASIC_PASS no password for basic authentication
  98. BASIC_USER no username for basic authentication
  99. COOKIE no cookie string containing authenticated session data
  100. MARK_END no string to match page content following the command output
  101. MARK_START no string to match page content preceding the command output
  102. PARAMETERS yes the query parameters with '<rce>' signifying the value of the vulnerable parameter
  103. POST False yes set the request method to post. parameters should still be submitted in the url option
  104.  
  105. [recon-ng][default][command_injector] > #12
  106. [*] Command: #12
  107. [recon-ng][default][command_injector] > load exploitation/injection/xpath_bruter
  108. [recon-ng][default] > load exploitation/injection/xpath_bruter
  109. [recon-ng][default][xpath_bruter] > show info
  110.  
  111. Name: Xpath Injection Brute Forcer
  112. Path: modules/exploitation/injection/xpath_bruter.py
  113. Author: Tim Tomes (@LaNMaSteR53)
  114.  
  115. Description:
  116. Exploits XPath injection flaws to enumerate the contents of serverside XML documents.
  117.  
  118. Options:
  119. Name Current Value Required Description
  120. ---------- ------------- -------- -----------
  121. BASE_URL yes target resource url excluding any parameters
  122. BASIC_PASS no password for basic authentication
  123. BASIC_USER no username for basic authentication
  124. COOKIE no cookie string containing authenticated session data
  125. PARAMETERS yes query parameters with '<inject>' signifying the injection
  126. POST False yes set the request method to post. parameters should still be submitted in the url option
  127. STRING yes unique string found when the injection results in 'True'
  128.  
  129. [recon-ng][default][xpath_bruter] > #12
  130. [*] Command: #12
  131. [recon-ng][default][xpath_bruter] > load import/csv_file
  132. [recon-ng][default] > load import/csv_file
  133. [recon-ng][default][csv_file] > show info
  134.  
  135. Name: Advanced CSV File Importer
  136. Path: modules/import/csv_file.py
  137. Author: Ethan Robish (@EthanRobish)
  138.  
  139. Description:
  140. Imports values from a CSV file into a database table.
  141.  
  142. Options:
  143. Name Current Value Required Description
  144. ---------------- ------------- -------- -----------
  145. COLUMN_SEPARATOR , yes character that separates each column value
  146. FILENAME yes path and filename for csv input
  147. HAS_HEADER True yes whether or not the first row in the csv file should be interpreted as column names
  148. QUOTE_CHARACTER no character that surrounds each column value
  149. TABLE yes table to import the csv values
  150.  
  151. Comments:
  152. * Only a few options are available until a valid filename is set. Then, the file is analyzed and
  153. more options become available for configuring where each CSV entry is imported.
  154. * This module is very powerful and can seriously pollute a database. Backing up the database before
  155. importing is encouraged.
  156.  
  157. [recon-ng][default][csv_file] > #12
  158. [*] Command: #12
  159. [recon-ng][default][csv_file] > load import/list
  160. [recon-ng][default] > load import/list
  161. [recon-ng][default][list] > show info
  162.  
  163. Name: List File Importer
  164. Path: modules/import/list.py
  165. Author: Tim Tomes (@LaNMaSteR53)
  166.  
  167. Description:
  168. Imports values from a list file into a database table and column.
  169.  
  170. Options:
  171. Name Current Value Required Description
  172. -------- ------------- -------- -----------
  173. COLUMN yes column to import the list values
  174. FILENAME yes path and filename for list input
  175. TABLE yes table to import the list values
  176.  
  177. [recon-ng][default][list] > #12
  178. [*] Command: #12
  179. [recon-ng][default][list] > load recon/companies-contacts/facebook
  180. [recon-ng][default] > load recon/companies-contacts/facebook
  181. [recon-ng][default][facebook] > show info
  182.  
  183. Name: Facebook Contact Enumerator
  184. Path: modules/recon/companies-contacts/facebook.py
  185. Author: Quentin Kaiser (@qkaiser) and Tim Tomes (@LaNMaSteR53)
  186.  
  187. Description:
  188. Harvests contacts from Facebook.com. Updates the 'contacts' table with the results.
  189.  
  190. Options:
  191. Name Current Value Required Description
  192. ------ ------------- -------- -----------
  193. SOURCE www.facebook.com/ebay yes source of input (see 'show info' for details)
  194.  
  195. Source Options:
  196. default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
  197. <string> string representing a single input
  198. <path> path to a file containing a list of inputs
  199. query <sql> database query returning one column of inputs
  200.  
  201. [recon-ng][default][facebook] > #12
  202. [*] Command: #12
  203. [recon-ng][default][facebook] > load recon/companies-contacts/jigsaw/point_usage
  204. [recon-ng][default] > load recon/companies-contacts/jigsaw/point_usage
  205. [recon-ng][default][point_usage] > show info
  206.  
  207. Name: Jigsaw - Point Usage Statistics Fetcher
  208. Path: modules/recon/companies-contacts/jigsaw/point_usage.py
  209. Author: Tim Tomes (@LaNMaSteR53)
  210.  
  211. Description:
  212. Queries the Jigsaw API for the point usage statistics of the given account.
  213.  
  214. Options:
  215. No options available for this module.
  216.  
  217. [recon-ng][default][point_usage] > #12
  218. [*] Command: #12
  219. [recon-ng][default][point_usage] > load recon/companies-contacts/jigsaw/purchase_contact
  220. [recon-ng][default] > load recon/companies-contacts/jigsaw/purchase_contact
  221. [recon-ng][default][purchase_contact] > show info
  222.  
  223. Name: Jigsaw - Single Contact Retriever
  224. Path: modules/recon/companies-contacts/jigsaw/purchase_contact.py
  225. Author: Tim Tomes (@LaNMaSteR53)
  226.  
  227. Description:
  228. Retrieves a single complete contact from the Jigsaw.com API using points from the given account.
  229.  
  230. Options:
  231. Name Current Value Required Description
  232. ------- ------------- -------- -----------
  233. CONTACT yes jigsaw contact id
  234.  
  235. Comments:
  236. * Account Point Cost: 5 points per request.
  237. * This module is typically used to validate email address naming conventions and gather alternative
  238. social engineering information.
  239.  
  240. [recon-ng][default][purchase_contact] > #12
  241. [*] Command: #12
  242. [recon-ng][default][purchase_contact] > load recon/companies-contacts/jigsaw/search_contacts
  243. [recon-ng][default] > load recon/companies-contacts/jigsaw/search_contacts
  244. [recon-ng][default][search_contacts] > show info
  245.  
  246. Name: Jigsaw Contact Enumerator
  247. Path: modules/recon/companies-contacts/jigsaw/search_contacts.py
  248. Author: Tim Tomes (@LaNMaSteR53)
  249.  
  250. Description:
  251. Harvests contacts from the Jigsaw.com API. Updates the 'contacts' table with the results.
  252.  
  253. Options:
  254. Name Current Value Required Description
  255. -------- ------------- -------- -----------
  256. KEYWORDS no additional keywords to identify company
  257. SOURCE default yes source of input (see 'show info' for details)
  258.  
  259. Source Options:
  260. default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
  261. <string> string representing a single input
  262. <path> path to a file containing a list of inputs
  263. query <sql> database query returning one column of inputs
  264.  
  265. [recon-ng][default][search_contacts] > #12
  266. [*] Command: #12
  267. [recon-ng][default][search_contacts] > load recon/companies-contacts/jigsaw_auth
  268. [recon-ng][default] > load recon/companies-contacts/jigsaw_auth
  269. [recon-ng][default][jigsaw_auth] > show info
  270.  
  271. Name: Jigsaw Authenticated Contact Enumerator
  272. Path: modules/recon/companies-contacts/jigsaw_auth.py
  273. Author: Travis Lee (@eelsivart)
  274.  
  275. Description:
  276. Harvests contacts from Data.com using an authenticated user account. Updates the 'contacts' table
  277. with the results. Use 'keys' to set your jigsaw username and password before use.
  278.  
  279. Options:
  280. Name Current Value Required Description
  281. ------ ------------- -------- -----------
  282. SOURCE default yes source of input (see 'show info' for details)
  283.  
  284. Source Options:
  285. default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
  286. <string> string representing a single input
  287. <path> path to a file containing a list of inputs
  288. query <sql> database query returning one column of inputs
  289.  
  290. [recon-ng][default][jigsaw_auth] > #12
  291. [*] Command: #12
  292. [recon-ng][default][jigsaw_auth] > load recon/companies-contacts/linkedin_auth
  293. [recon-ng][default] > load recon/companies-contacts/linkedin_auth
  294. [recon-ng][default][linkedin_auth] > show info
  295.  
  296. Name: LinkedIn Authenticated Contact Enumerator
  297. Path: modules/recon/companies-contacts/linkedin_auth.py
  298. Author: Tim Tomes (@LaNMaSteR53)
  299.  
  300. Description:
  301. Harvests contacts from the LinkedIn.com API using an authenticated connections network. Updates the
  302. 'contacts' table with the results.
  303.  
  304. Options:
  305. Name Current Value Required Description
  306. ------ ------------- -------- -----------
  307. SOURCE default yes source of input (see 'show info' for details)
  308.  
  309. Source Options:
  310. default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
  311. <string> string representing a single input
  312. <path> path to a file containing a list of inputs
  313. query <sql> database query returning one column of inputs
  314.  
  315. [recon-ng][default][linkedin_auth] > #12
  316. [*] Command: #12
  317. [recon-ng][default][linkedin_auth] > load recon/companies-multi/whois_miner
  318. [recon-ng][default] > load recon/companies-multi/whois_miner
  319. [recon-ng][default][whois_miner] > show info
  320.  
  321. Name: Whois Data Miner
  322. Path: modules/recon/companies-multi/whois_miner.py
  323. Author: Tim Tomes (@LaNMaSteR53)
  324.  
  325. Description:
  326. Uses the ARIN Whois RWS to harvest companies, locations, netblocks, and contacts associated with the
  327. given company search string. Updates the respective tables with the results.
  328.  
  329. Options:
  330. Name Current Value Required Description
  331. ------ ------------- -------- -----------
  332. SOURCE default yes source of input (see 'show info' for details)
  333.  
  334. Source Options:
  335. default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL
  336. <string> string representing a single input
  337. <path> path to a file containing a list of inputs
  338. query <sql> database query returning one column of inputs
  339.  
  340. Comments:
  341. * Wildcard searches are allowed using the "*" character.
  342. * Validate results of the SEARCH string with these URLs:
  343. - http://whois.arin.net/rest/orgs;name=<SEARCH>
  344. - http://whois.arin.net/rest/customers;name=<SEARCH>
  345.  
  346. [recon-ng][default][whois_miner] > #12
  347. [*] Command: #12
  348. [recon-ng][default][whois_miner] > load recon/companies-profiles/bing_linkedin
  349. [recon-ng][default] > load recon/companies-profiles/bing_linkedin
  350. [recon-ng][default][bing_linkedin] > show info
  351.  
  352. Name: Bing Linkedin Profile Harvester
  353. Path: modules/recon/companies-profiles/bing_linkedin.py
  354. Author: Mike Larch and Brian Fehrman (@fullmetalcache)
  355.  
  356. Description:
  357. Harvests contacts from linkedin.com by querying Bing for Linkedin pages related to the given
  358. companies, parsing the profiles, and adding them to the 'profiles' table
  359.  
  360. Options:
  361. Name Current Value Required Description
  362. -------- ------------- -------- -----------
  363. LIMIT 2 no number of pages to use from bing search
  364. PREVIOUS False yes include previous employees
  365. SOURCE default yes source of input (see 'show info' for details)
  366.  
  367. Source Options:
  368. default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
  369. <string> string representing a single input
  370. <path> path to a file containing a list of inputs
  371. query <sql> database query returning one column of inputs
  372.  
  373. [recon-ng][default][bing_linkedin] > #12
  374. [*] Command: #12
  375. [recon-ng][default][bing_linkedin] > load recon/contacts-contacts/mailtester
  376. [recon-ng][default] > load recon/contacts-contacts/mailtester
  377. [recon-ng][default][mailtester] > show info
  378.  
  379. Name: MailTester Email Validator
  380. Path: modules/recon/contacts-contacts/mailtester.py
  381. Author: Tim Tomes (@LaNMaSteR53)
  382.  
  383. Description:
  384. Leverages MailTester.com to validate email addresses.
  385.  
  386. Options:
  387. Name Current Value Required Description
  388. ------ ------------- -------- -----------
  389. REMOVE False yes remove invalid email addresses
  390. SOURCE default yes source of input (see 'show info' for details)
  391.  
  392. Source Options:
  393. default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL
  394. <string> string representing a single input
  395. <path> path to a file containing a list of inputs
  396. query <sql> database query returning one column of inputs
  397.  
  398. [recon-ng][default][mailtester] > #12
  399. [*] Command: #12
  400. [recon-ng][default][mailtester] > load recon/contacts-contacts/mangle
  401. [recon-ng][default] > load recon/contacts-contacts/mangle
  402. [recon-ng][default][mangle] > show info
  403.  
  404. Name: Contact Name Mangler
  405. Path: modules/recon/contacts-contacts/mangle.py
  406. Author: Tim Tomes (@LaNMaSteR53)
  407.  
  408. Description:
  409. Applies a mangle pattern to all of the contacts stored in the database, creating email addresses or
  410. usernames for each harvested contact. Updates the 'contacts' table with the results.
  411.  
  412. Options:
  413. Name Current Value Required Description
  414. ---------- ------------- -------- -----------
  415. DOMAIN no target email domain
  416. MAX-LENGTH 30 yes maximum length of email address prefix or username
  417. OVERWRITE False yes overwrite existing email addresses
  418. PATTERN <fn>.<ln> yes pattern applied to mangle first and last name
  419. SOURCE default yes source of input (see 'show info' for details)
  420. SUBSTITUTE - yes character to substitute for invalid email address characters
  421.  
  422. Source Options:
  423. default SELECT rowid, first_name, middle_name, last_name, email FROM contacts ORDER BY first_name
  424. <string> string representing a single input
  425. <path> path to a file containing a list of inputs
  426. query <sql> database query returning one column of inputs
  427.  
  428. Comments:
  429. * Pattern options: <fi>,<fn>,<mi>,<mn>,<li>,<ln>
  430. * Example: <fi>.<ln> => j.doe@domain.com
  431. * Note: Omit the 'domain' option to create usernames
  432.  
  433. [recon-ng][default][mangle] > #12
  434. [*] Command: #12
  435. [recon-ng][default][mangle] > load recon/contacts-contacts/unmangle
  436. [recon-ng][default] > load recon/contacts-contacts/unmangle
  437. [recon-ng][default][unmangle] > show info
  438.  
  439. Name: Contact Name Unmangler
  440. Path: modules/recon/contacts-contacts/unmangle.py
  441. Author: Ethan Robish (@EthanRobish)
  442.  
  443. Description:
  444. Applies a regex or unmangle pattern to all of the contacts stored in the database, pulling out the
  445. individual name components. Updates the 'contacts' table with the results.
  446.  
  447. Options:
  448. Name Current Value Required Description
  449. --------- ------------- -------- -----------
  450. OVERWRITE True yes if set to true will update existing contact entry, otherwise it will create a new entry
  451. PATTERN <fn>.<ln> yes pattern applied to email
  452. SOURCE default yes source of input (see 'show info' for details)
  453.  
  454. Source Options:
  455. default SELECT rowid, first_name, middle_name, last_name, email FROM contacts WHERE email IS NOT NULL
  456. <string> string representing a single input
  457. <path> path to a file containing a list of inputs
  458. query <sql> database query returning one column of inputs
  459.  
  460. Comments:
  461. * Pattern can be either a regex or a pattern.
  462. * The available patterns are:
  463. - <fn>.<ln>, <fn>, <fi><ln>, <fn>-<ln>, <ln>, <fn>_<ln>, <ln><fi><mi>, <ln><fi>
  464. * A regex must capture the values using these named capture groups:
  465. - (?P<first_name>) (?P<middle_name>) (?P<last_name>)
  466. * A regex syntax cheatsheet and troubleshooter can be found here:
  467. - http://pythex.org/ or http://www.pyregex.com/
  468.  
  469. [recon-ng][default][unmangle] > #12
  470. [*] Command: #12
  471. [recon-ng][default][unmangle] > load recon/contacts-credentials/hibp_breach
  472. [recon-ng][default] > load recon/contacts-credentials/hibp_breach
  473. [recon-ng][default][hibp_breach] > show info
  474.  
  475. Name: Have I been pwned? Breach Search
  476. Path: modules/recon/contacts-credentials/hibp_breach.py
  477. Author: Tim Tomes (@LaNMaSteR53) & Tyler Halfpop (@tylerhalfpop)
  478.  
  479. Description:
  480. Leverages the haveibeenpwned.com API to determine if email addresses are associated with breached
  481. credentials. Adds compromised email addresses to the 'credentials' table.
  482.  
  483. Options:
  484. Name Current Value Required Description
  485. ------ ------------- -------- -----------
  486. SOURCE default yes source of input (see 'show info' for details)
  487.  
  488. Source Options:
  489. default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL ORDER BY email
  490. <string> string representing a single input
  491. <path> path to a file containing a list of inputs
  492. query <sql> database query returning one column of inputs
  493.  
  494. [recon-ng][default][hibp_breach] > #12
  495. [*] Command: #12
  496. [recon-ng][default][hibp_breach] > load recon/contacts-credentials/hibp_paste
  497. [recon-ng][default] > load recon/contacts-credentials/hibp_paste
  498. [recon-ng][default][hibp_paste] > show info
  499.  
  500. Name: Have I been pwned? Paste Search
  501. Path: modules/recon/contacts-credentials/hibp_paste.py
  502. Author: Tim Tomes (@LaNMaSteR53)
  503.  
  504. Description:
  505. Leverages the haveibeenpwned.com API to determine if email addresses have been published to various
  506. paste sites. Adds compromised email addresses to the 'credentials' table.
  507.  
  508. Options:
  509. Name Current Value Required Description
  510. -------- ------------- -------- -----------
  511. DOWNLOAD True yes download pastes
  512. SOURCE default yes source of input (see 'show info' for details)
  513.  
  514. Source Options:
  515. default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL ORDER BY email
  516. <string> string representing a single input
  517. <path> path to a file containing a list of inputs
  518. query <sql> database query returning one column of inputs
  519.  
  520. Comments:
  521. * Paste sites supported: Pastebin, Pastie, or Slexy
  522.  
  523. [recon-ng][default][hibp_paste] > #12
  524. [*] Command: #12
  525. [recon-ng][default][hibp_paste] > load recon/contacts-credentials/pwnedlist
  526. [recon-ng][default] > load recon/contacts-credentials/pwnedlist
  527. [recon-ng][default][pwnedlist] > show info
  528.  
  529. Name: PwnedList Validator
  530. Path: modules/recon/contacts-credentials/pwnedlist.py
  531. Author: Tim Tomes (@LaNMaSteR53)
  532.  
  533. Description:
  534. Leverages PwnedList.com to determine if email addresses are associated with leaked credentials. Adds
  535. compromised email addresses to the 'credentials' table.
  536.  
  537. Options:
  538. Name Current Value Required Description
  539. ------ ------------- -------- -----------
  540. SOURCE default yes source of input (see 'show info' for details)
  541.  
  542. Source Options:
  543. default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL ORDER BY email
  544. <string> string representing a single input
  545. <path> path to a file containing a list of inputs
  546. query <sql> database query returning one column of inputs
  547.  
  548. [recon-ng][default][pwnedlist] > #12
  549. [*] Command: #12
  550. [recon-ng][default][pwnedlist] > load recon/contacts-domains/migrate_contacts
  551. [recon-ng][default] > load recon/contacts-domains/migrate_contacts
  552. [recon-ng][default][migrate_contacts] > show info
  553.  
  554. Name: Contacts to Domains Data Migrator
  555. Path: modules/recon/contacts-domains/migrate_contacts.py
  556. Author: Tim Tomes (@LaNMaSteR53)
  557.  
  558. Description:
  559. Adds a new domain for all the hostnames associated with email addresses stored in the 'contacts'
  560. table.
  561.  
  562. Options:
  563. Name Current Value Required Description
  564. ------ ------------- -------- -----------
  565. SOURCE default yes source of input (see 'show info' for details)
  566.  
  567. Source Options:
  568. default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL
  569. <string> string representing a single input
  570. <path> path to a file containing a list of inputs
  571. query <sql> database query returning one column of inputs
  572.  
  573. Comments:
  574. * This modules considers that everything after the first element could contain other hosts besides
  575. the current. Therefore, hosts > 2 domains deep will create domains > 2 elements in length.
  576.  
  577. [recon-ng][default][migrate_contacts] > #12
  578. [*] Command: #12
  579. [recon-ng][default][migrate_contacts] > load recon/contacts-profiles/fullcontact
  580. [recon-ng][default] > load recon/contacts-profiles/fullcontact
  581. [recon-ng][default][fullcontact] > show info
  582.  
  583. Name: FullContact Contact Enumerator
  584. Path: modules/recon/contacts-profiles/fullcontact.py
  585. Author: Quentin Kaiser (@qkaiser, contact[at]quentinkaiser.be) and Tim Tomes (@LaNMaSteR53)
  586.  
  587. Description:
  588. Harvests contact information and profiles from the fullcontact.com API using email addresses as
  589. input. Updates the 'contacts' and 'profiles' tables with the results.
  590.  
  591. Options:
  592. Name Current Value Required Description
  593. ------ ------------- -------- -----------
  594. SOURCE default yes source of input (see 'show info' for details)
  595.  
  596. Source Options:
  597. default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL
  598. <string> string representing a single input
  599. <path> path to a file containing a list of inputs
  600. query <sql> database query returning one column of inputs
  601.  
  602. [recon-ng][default][fullcontact] > #12
  603. [*] Command: #12
  604. [recon-ng][default][fullcontact] > load recon/credentials-credentials/adobe
  605. [recon-ng][default] > load recon/credentials-credentials/adobe
  606. [recon-ng][default][adobe] > show info
  607.  
  608. Name: Adobe Hash Cracker
  609. Path: modules/recon/credentials-credentials/adobe.py
  610. Author: Ethan Robish (@EthanRobish) and Tim Tomes (@LaNMaSteR53)
  611.  
  612. Description:
  613. Decrypts hashes leaked from the 2013 Adobe breach. First, the module cross references the leak ID to
  614. identify Adobe hashes in the 'password' column of the 'creds' table, moves the Adobe hashes to the
  615. 'hash' column, and changes the 'type' to 'Adobe'. Second, the module attempts to crack the hashes
  616. by comparing the ciphertext's decoded cipher blocks to a local block lookup table (BLOCK_DB) of
  617. known cipher block values. Finally, the module updates the 'creds' table with the results based on
  618. the level of success.
  619.  
  620. Options:
  621. Name Current Value Required Description
  622. -------- ------------- -------- -----------
  623. BLOCK_DB /usr/share/recon-ng/data/adobe_blocks.json yes JSON file containing known Adobe cipher blocks and plaintext
  624. SOURCE default yes source of input (see 'show info' for details)
  625.  
  626. Source Options:
  627. default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS 'Adobe'
  628. <string> string representing a single input
  629. <path> path to a file containing a list of inputs
  630. query <sql> database query returning one column of inputs
  631.  
  632. Comments:
  633. * Hash types supported: Adobe's base64 format
  634. * Hash database from: http://stricture-group.com/files/adobe-top100.txt
  635. * A completely padded password indicates that the exact length is known.
  636.  
  637. [recon-ng][default][adobe] > #12
  638. [*] Command: #12
  639. [recon-ng][default][adobe] > load recon/credentials-credentials/bozocrack
  640. [recon-ng][default] > load recon/credentials-credentials/bozocrack
  641. [recon-ng][default][bozocrack] > show info
  642.  
  643. Name: PyBozoCrack Hash Lookup
  644. Path: modules/recon/credentials-credentials/bozocrack.py
  645. Author: Tim Tomes (@LaNMaSteR53)
  646.  
  647. Description:
  648. Searches Google for the value of a hash and tests for a match by hashing every word in the resulting
  649. page using all hashing algorithms supported by the 'hashlib' library. Updates the 'credentials'
  650. table with the positive results.
  651.  
  652. Options:
  653. Name Current Value Required Description
  654. ------ ------------- -------- -----------
  655. SOURCE default yes source of input (see 'show info' for details)
  656.  
  657. Source Options:
  658. default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS NOT 'Adobe'
  659. <string> string representing a single input
  660. <path> path to a file containing a list of inputs
  661. query <sql> database query returning one column of inputs
  662.  
  663. Comments:
  664. * Inspired by the PyBozoCrack script: https://github.com/ikkebr/PyBozoCrack
  665.  
  666. [recon-ng][default][bozocrack] > #12
  667. [*] Command: #12
  668. [recon-ng][default][bozocrack] > load recon/credentials-credentials/hashes_org
  669. [recon-ng][default] > load recon/credentials-credentials/hashes_org
  670. [recon-ng][default][hashes_org] > show info
  671.  
  672. Name: Hashes.org Hash Lookup
  673. Path: modules/recon/credentials-credentials/hashes_org.py
  674. Author: Tim Tomes (@LaNMaSteR53) and Mike Lisi (@MikeCodesThings)
  675.  
  676. Description:
  677. Uses the Hashes.org API to perform a reverse hash lookup. Updates the 'credentials' table with the
  678. positive results.
  679.  
  680. Options:
  681. Name Current Value Required Description
  682. ------ ------------- -------- -----------
  683. SOURCE default yes source of input (see 'show info' for details)
  684.  
  685. Source Options:
  686. default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS NOT 'Adobe'
  687. <string> string representing a single input
  688. <path> path to a file containing a list of inputs
  689. query <sql> database query returning one column of inputs
  690.  
  691. Comments:
  692. * Hash types supported: MD5, MD4, NTLM, LM, DOUBLEMD5, TRIPLEMD5, MD5SHA1, SHA1, MYSQL5, SHA1MD5,
  693. DOUBLESHA1, RIPEMD160
  694.  
  695. [recon-ng][default][hashes_org] > #12
  696. [*] Command: #12
  697. [recon-ng][default][hashes_org] > load recon/credentials-credentials/leakdb
  698. [recon-ng][default] > load recon/credentials-credentials/leakdb
  699. [recon-ng][default][leakdb] > show info
  700.  
  701. Name: leakdb Hash Lookup
  702. Path: modules/recon/credentials-credentials/leakdb.py
  703. Author: Tim Tomes (@LaNMaSteR53)
  704.  
  705. Description:
  706. Uses the leakdb hash database to perform a reverse hash lookup. Updates the 'credentials' table with
  707. the positive results.
  708.  
  709. Options:
  710. Name Current Value Required Description
  711. ------ ------------- -------- -----------
  712. SOURCE default yes source of input (see 'show info' for details)
  713.  
  714. Source Options:
  715. default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS NOT 'Adobe'
  716. <string> string representing a single input
  717. <path> path to a file containing a list of inputs
  718. query <sql> database query returning one column of inputs
  719.  
  720. Comments:
  721. * Hash types supported: MD4, MD5, MD5x2, MYSQL 3, MYSQL 4, MYSQL 5, RIPEMD160, NTLM, GOST, SHA1,
  722. SHA1x2, SHA224, SHA256, SHA384, SHA512, WHIRLPOOL
  723.  
  724. [recon-ng][default][leakdb] > #12
  725. [*] Command: #12
  726. [recon-ng][default][leakdb] > load recon/domains-contacts/pgp_search
  727. [recon-ng][default] > load recon/domains-contacts/pgp_search
  728. [recon-ng][default][pgp_search] > show info
  729.  
  730. Name: PGP Key Owner Lookup
  731. Path: modules/recon/domains-contacts/pgp_search.py
  732. Author: Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
  733.  
  734. Description:
  735. Searches the MIT public PGP key server for email addresses of the given domain. Updates the
  736. 'contacts' table with the results.
  737.  
  738. Options:
  739. Name Current Value Required Description
  740. ------ ------------- -------- -----------
  741. SOURCE default yes source of input (see 'show info' for details)
  742.  
  743. Source Options:
  744. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  745. <string> string representing a single input
  746. <path> path to a file containing a list of inputs
  747. query <sql> database query returning one column of inputs
  748.  
  749. Comments:
  750. * Inspiration from theHarvester.py by Christan Martorella: cmarorella[at]edge-seecurity.com
  751.  
  752. [recon-ng][default][pgp_search] > #12
  753. [*] Command: #12
  754. [recon-ng][default][pgp_search] > load recon/domains-contacts/salesmaple
  755. [recon-ng][default] > load recon/domains-contacts/salesmaple
  756. [recon-ng][default][salesmaple] > show info
  757.  
  758. Name: SalesMaple Contact Harvester
  759. Path: modules/recon/domains-contacts/salesmaple.py
  760. Author: Tim Tomes (@LaNMaSteR53)
  761.  
  762. Description:
  763. Harvests contacts from the SalesMaple API using domains as input. Updates the 'contacts' table with
  764. the results.
  765.  
  766. Options:
  767. Name Current Value Required Description
  768. ------ ------------- -------- -----------
  769. SOURCE default yes source of input (see 'show info' for details)
  770.  
  771. Source Options:
  772. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  773. <string> string representing a single input
  774. <path> path to a file containing a list of inputs
  775. query <sql> database query returning one column of inputs
  776.  
  777. [recon-ng][default][salesmaple] > #12
  778. [*] Command: #12
  779. [recon-ng][default][salesmaple] > load recon/domains-contacts/whois_pocs
  780. [recon-ng][default] > load recon/domains-contacts/whois_pocs
  781. [recon-ng][default][whois_pocs] > show info
  782.  
  783. Name: Whois POC Harvester
  784. Path: modules/recon/domains-contacts/whois_pocs.py
  785. Author: Tim Tomes (@LaNMaSteR53)
  786.  
  787. Description:
  788. Uses the ARIN Whois RWS to harvest POC data from whois queries for the given domain. Updates the
  789. 'contacts' table with the results.
  790.  
  791. Options:
  792. Name Current Value Required Description
  793. ------ ------------- -------- -----------
  794. SOURCE default yes source of input (see 'show info' for details)
  795.  
  796. Source Options:
  797. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  798. <string> string representing a single input
  799. <path> path to a file containing a list of inputs
  800. query <sql> database query returning one column of inputs
  801.  
  802. [recon-ng][default][whois_pocs] > #12
  803. [*] Command: #12
  804. [recon-ng][default][whois_pocs] > load recon/domains-credentials/pwnedlist/account_creds
  805. [recon-ng][default] > load recon/domains-credentials/pwnedlist/account_creds
  806. [recon-ng][default][account_creds] > show info
  807.  
  808. Name: PwnedList - Account Credentials Fetcher
  809. Path: modules/recon/domains-credentials/pwnedlist/account_creds.py
  810. Author: Tim Tomes (@LaNMaSteR53)
  811.  
  812. Description:
  813. Queries the PwnedList API for credentials associated with the given usernames. Updates the
  814. 'credentials' table with the results.
  815.  
  816. Options:
  817. Name Current Value Required Description
  818. ------ ------------- -------- -----------
  819. SOURCE default yes source of input (see 'show info' for details)
  820.  
  821. Source Options:
  822. default SELECT DISTINCT username FROM credentials WHERE username IS NOT NULL and password IS NULL ORDER BY username
  823. <string> string representing a single input
  824. <path> path to a file containing a list of inputs
  825. query <sql> database query returning one column of inputs
  826.  
  827. Comments:
  828. * API Query Cost: 1 query per request.
  829.  
  830. [recon-ng][default][account_creds] > #12
  831. [*] Command: #12
  832. [recon-ng][default][account_creds] > load recon/domains-credentials/pwnedlist/api_usage
  833. [recon-ng][default] > load recon/domains-credentials/pwnedlist/api_usage
  834. [recon-ng][default][api_usage] > show info
  835.  
  836. Name: PwnedList - API Usage Statistics Fetcher
  837. Path: modules/recon/domains-credentials/pwnedlist/api_usage.py
  838. Author: Tim Tomes (@LaNMaSteR53)
  839.  
  840. Description:
  841. Queries the PwnedList API for account usage statistics.
  842.  
  843. Options:
  844. No options available for this module.
  845.  
  846. [recon-ng][default][api_usage] > #12
  847. [*] Command: #12
  848. [recon-ng][default][api_usage] > load recon/domains-credentials/pwnedlist/domain_creds
  849. [recon-ng][default] > load recon/domains-credentials/pwnedlist/domain_creds
  850. [recon-ng][default][domain_creds] > show info
  851.  
  852. Name: PwnedList - Pwned Domain Credentials Fetcher
  853. Path: modules/recon/domains-credentials/pwnedlist/domain_creds.py
  854. Author: Tim Tomes (@LaNMaSteR53)
  855.  
  856. Description:
  857. Queries the PwnedList API to fetch all credentials for a domain. Updates the 'credentials' table
  858. with the results.
  859.  
  860. Options:
  861. Name Current Value Required Description
  862. ------ ------------- -------- -----------
  863. SOURCE default yes source of input (see 'show info' for details)
  864.  
  865. Source Options:
  866. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  867. <string> string representing a single input
  868. <path> path to a file containing a list of inputs
  869. query <sql> database query returning one column of inputs
  870.  
  871. Comments:
  872. * API Query Cost: 10,000 queries per request plus 1 query for each account returned.
  873.  
  874. [recon-ng][default][domain_creds] > #12
  875. [*] Command: #12
  876. [recon-ng][default][domain_creds] > load recon/domains-credentials/pwnedlist/domain_ispwned
  877. [recon-ng][default] > load recon/domains-credentials/pwnedlist/domain_ispwned
  878. [recon-ng][default][domain_ispwned] > show info
  879.  
  880. Name: PwnedList - Pwned Domain Statistics Fetcher
  881. Path: modules/recon/domains-credentials/pwnedlist/domain_ispwned.py
  882. Author: Tim Tomes (@LaNMaSteR53)
  883.  
  884. Description:
  885. Queries the PwnedList API for a domain to determine if any associated credentials have been
  886. compromised. This module does NOT return any credentials, only a total number of compromised
  887. credentials.
  888.  
  889. Options:
  890. Name Current Value Required Description
  891. ------ ------------- -------- -----------
  892. SOURCE default yes source of input (see 'show info' for details)
  893.  
  894. Source Options:
  895. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  896. <string> string representing a single input
  897. <path> path to a file containing a list of inputs
  898. query <sql> database query returning one column of inputs
  899.  
  900. Comments:
  901. * API Query Cost: 1 query per request.
  902.  
  903. [recon-ng][default][domain_ispwned] > #12
  904. [*] Command: #12
  905. [recon-ng][default][domain_ispwned] > load recon/domains-credentials/pwnedlist/leak_lookup
  906. [recon-ng][default] > load recon/domains-credentials/pwnedlist/leak_lookup
  907. [recon-ng][default][leak_lookup] > show info
  908.  
  909. Name: PwnedList - Leak Details Fetcher
  910. Path: modules/recon/domains-credentials/pwnedlist/leak_lookup.py
  911. Author: Tim Tomes (@LaNMaSteR53)
  912.  
  913. Description:
  914. Queries the local database for information associated with a leak ID. The 'leaks_dump' module must
  915. be used to populate the local database before this module will execute successfully.
  916.  
  917. Options:
  918. Name Current Value Required Description
  919. ------ ------------- -------- -----------
  920. SOURCE default yes source of input (see 'show info' for details)
  921.  
  922. Source Options:
  923. default SELECT DISTINCT leak FROM credentials WHERE leak IS NOT NULL
  924. <string> string representing a single input
  925. <path> path to a file containing a list of inputs
  926. query <sql> database query returning one column of inputs
  927.  
  928. [recon-ng][default][leak_lookup] > #12
  929. [*] Command: #12
  930. [recon-ng][default][leak_lookup] > load recon/domains-credentials/pwnedlist/leaks_dump
  931. [recon-ng][default] > load recon/domains-credentials/pwnedlist/leaks_dump
  932. [recon-ng][default][leaks_dump] > show info
  933.  
  934. Name: PwnedList - Leak Details Fetcher
  935. Path: modules/recon/domains-credentials/pwnedlist/leaks_dump.py
  936. Author: Tim Tomes (@LaNMaSteR53)
  937.  
  938. Description:
  939. Queries the PwnedList API for information associated with all known leaks. Updates the 'leaks' table
  940. with the results.
  941.  
  942. Options:
  943. No options available for this module.
  944.  
  945. Comments:
  946. * API Query Cost: 1 query per request.
  947.  
  948. [recon-ng][default][leaks_dump] > #12
  949. [*] Command: #12
  950. [recon-ng][default][leaks_dump] > load recon/domains-domains/brute_suffix
  951. [recon-ng][default] > load recon/domains-domains/brute_suffix
  952. [recon-ng][default][brute_suffix] > show info
  953.  
  954. Name: DNS Public Suffix Brute Forcer
  955. Path: modules/recon/domains-domains/brute_suffix.py
  956. Author: Marcus Watson (@BranMacMuffin)
  957.  
  958. Description:
  959. Brute forces TLDs and SLDs using DNS. Updates the 'domains' table with the results.
  960.  
  961. Options:
  962. Name Current Value Required Description
  963. -------- ------------- -------- -----------
  964. SOURCE default yes source of input (see 'show info' for details)
  965. SUFFIXES /usr/share/recon-ng/data/suffixes.txt yes path to public suffix wordlist
  966.  
  967. Source Options:
  968. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  969. <string> string representing a single input
  970. <path> path to a file containing a list of inputs
  971. query <sql> database query returning one column of inputs
  972.  
  973. Comments:
  974. * TLDs: https://data.iana.org/TLD/tlds-alpha-by-domain.txt
  975. * SLDs: https://raw.github.com/gavingmiller/second-level-domains/master/SLDs.csv
  976.  
  977. [recon-ng][default][brute_suffix] > #12
  978. [*] Command: #12
  979. [recon-ng][default][brute_suffix] > load recon/domains-hosts/baidu_site
  980. [recon-ng][default] > load recon/domains-hosts/baidu_site
  981. [recon-ng][default][baidu_site] > show info
  982.  
  983. Name: Baidu Hostname Enumerator
  984. Path: modules/recon/domains-hosts/baidu_site.py
  985. Author: Tim Tomes (@LaNMaSteR53)
  986.  
  987. Description:
  988. Harvests hosts from Baidu.com by using the 'site' search operator. Updates the 'hosts' table with
  989. the results.
  990.  
  991. Options:
  992. Name Current Value Required Description
  993. ------ ------------- -------- -----------
  994. SOURCE default yes source of input (see 'show info' for details)
  995.  
  996. Source Options:
  997. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  998. <string> string representing a single input
  999. <path> path to a file containing a list of inputs
  1000. query <sql> database query returning one column of inputs
  1001.  
  1002. [recon-ng][default][baidu_site] > #12
  1003. [*] Command: #12
  1004. [recon-ng][default][baidu_site] > load recon/domains-hosts/bing_domain_api
  1005. [recon-ng][default] > load recon/domains-hosts/bing_domain_api
  1006. [recon-ng][default][bing_domain_api] > show info
  1007.  
  1008. Name: Bing API Hostname Enumerator
  1009. Path: modules/recon/domains-hosts/bing_domain_api.py
  1010. Author: Marcus Watson (@BranMacMuffin)
  1011.  
  1012. Description:
  1013. Leverages the Bing API and "domain:" advanced search operator to harvest hosts. Updates the 'hosts'
  1014. table with the results.
  1015.  
  1016. Options:
  1017. Name Current Value Required Description
  1018. ------ ------------- -------- -----------
  1019. LIMIT 0 yes limit total number of api requests (0 = unlimited)
  1020. SOURCE default yes source of input (see 'show info' for details)
  1021.  
  1022. Source Options:
  1023. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1024. <string> string representing a single input
  1025. <path> path to a file containing a list of inputs
  1026. query <sql> database query returning one column of inputs
  1027.  
  1028. [recon-ng][default][bing_domain_api] > #12
  1029. [*] Command: #12
  1030. [recon-ng][default][bing_domain_api] > load recon/domains-hosts/bing_domain_web
  1031. [recon-ng][default] > load recon/domains-hosts/bing_domain_web
  1032. [recon-ng][default][bing_domain_web] > show info
  1033.  
  1034. Name: Bing Hostname Enumerator
  1035. Path: modules/recon/domains-hosts/bing_domain_web.py
  1036. Author: Tim Tomes (@LaNMaSteR53)
  1037.  
  1038. Description:
  1039. Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the
  1040. results.
  1041.  
  1042. Options:
  1043. Name Current Value Required Description
  1044. ------ ------------- -------- -----------
  1045. SOURCE default yes source of input (see 'show info' for details)
  1046.  
  1047. Source Options:
  1048. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1049. <string> string representing a single input
  1050. <path> path to a file containing a list of inputs
  1051. query <sql> database query returning one column of inputs
  1052.  
  1053. [recon-ng][default][bing_domain_web] > #12
  1054. [*] Command: #12
  1055. [recon-ng][default][bing_domain_web] > load recon/domains-hosts/brute_hosts
  1056. [recon-ng][default] > load recon/domains-hosts/brute_hosts
  1057. [recon-ng][default][brute_hosts] > show info
  1058.  
  1059. Name: DNS Hostname Brute Forcer
  1060. Path: modules/recon/domains-hosts/brute_hosts.py
  1061. Author: Tim Tomes (@LaNMaSteR53)
  1062.  
  1063. Description:
  1064. Brute forces host names using DNS. Updates the 'hosts' table with the results.
  1065.  
  1066. Options:
  1067. Name Current Value Required Description
  1068. -------- ------------- -------- -----------
  1069. SOURCE mcetcolloquium.in yes source of input (see 'show info' for details)
  1070. WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist
  1071.  
  1072. Source Options:
  1073. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  1074. <string> string representing a single input
  1075. <path> path to a file containing a list of inputs
  1076. query <sql> database query returning one column of inputs
  1077.  
  1078. [recon-ng][default][brute_hosts] > #12
  1079. [*] Command: #12
  1080. [recon-ng][default][brute_hosts] > load recon/domains-hosts/builtwith
  1081. [recon-ng][default] > load recon/domains-hosts/builtwith
  1082. [recon-ng][default][builtwith] > show info
  1083.  
  1084. Name: BuiltWith Enumerator
  1085. Path: modules/recon/domains-hosts/builtwith.py
  1086. Author: Tim Tomes (@LaNMaSteR53)
  1087.  
  1088. Description:
  1089. Leverages the BuiltWith API to identify hosts, technologies, and contacts associated with a domain.
  1090.  
  1091. Options:
  1092. Name Current Value Required Description
  1093. -------- ------------- -------- -----------
  1094. SHOW_ALL True yes display technologies
  1095. SOURCE default yes source of input (see 'show info' for details)
  1096.  
  1097. Source Options:
  1098. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  1099. <string> string representing a single input
  1100. <path> path to a file containing a list of inputs
  1101. query <sql> database query returning one column of inputs
  1102.  
  1103. [recon-ng][default][builtwith] > #12
  1104. [*] Command: #12
  1105. [recon-ng][default][builtwith] > load recon/domains-hosts/google_site_api
  1106. [recon-ng][default] > load recon/domains-hosts/google_site_api
  1107. [recon-ng][default][google_site_api] > show info
  1108.  
  1109. Name: Google CSE Hostname Enumerator
  1110. Path: modules/recon/domains-hosts/google_site_api.py
  1111. Author: Tim Tomes (@LaNMaSteR53)
  1112.  
  1113. Description:
  1114. Leverages the Google Custom Search Engine API to harvest hosts using the 'site' search operator.
  1115. Updates the 'hosts' table with the results.
  1116.  
  1117. Options:
  1118. Name Current Value Required Description
  1119. ------ ------------- -------- -----------
  1120. SOURCE default yes source of input (see 'show info' for details)
  1121.  
  1122. Source Options:
  1123. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1124. <string> string representing a single input
  1125. <path> path to a file containing a list of inputs
  1126. query <sql> database query returning one column of inputs
  1127.  
  1128. [recon-ng][default][google_site_api] > #12
  1129. [*] Command: #12
  1130. [recon-ng][default][google_site_api] > load recon/domains-hosts/google_site_web
  1131. [recon-ng][default] > load recon/domains-hosts/google_site_web
  1132. [recon-ng][default][google_site_web] > show info
  1133.  
  1134. Name: Google Hostname Enumerator
  1135. Path: modules/recon/domains-hosts/google_site_web.py
  1136. Author: Tim Tomes (@LaNMaSteR53)
  1137.  
  1138. Description:
  1139. Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with
  1140. the results.
  1141.  
  1142. Options:
  1143. Name Current Value Required Description
  1144. ------ ------------- -------- -----------
  1145. SOURCE default yes source of input (see 'show info' for details)
  1146.  
  1147. Source Options:
  1148. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1149. <string> string representing a single input
  1150. <path> path to a file containing a list of inputs
  1151. query <sql> database query returning one column of inputs
  1152.  
  1153. [recon-ng][default][google_site_web] > #12
  1154. [*] Command: #12
  1155. [recon-ng][default][google_site_web] > load recon/domains-hosts/netcraft
  1156. [recon-ng][default] > load recon/domains-hosts/netcraft
  1157. [recon-ng][default][netcraft] > show info
  1158.  
  1159. Name: Netcraft Hostname Enumerator
  1160. Path: modules/recon/domains-hosts/netcraft.py
  1161. Author: thrapt (thrapt@gmail.com)
  1162.  
  1163. Description:
  1164. Harvests hosts from Netcraft.com. Updates the 'hosts' table with the results.
  1165.  
  1166. Options:
  1167. Name Current Value Required Description
  1168. ------ ------------- -------- -----------
  1169. SOURCE default yes source of input (see 'show info' for details)
  1170.  
  1171. Source Options:
  1172. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1173. <string> string representing a single input
  1174. <path> path to a file containing a list of inputs
  1175. query <sql> database query returning one column of inputs
  1176.  
  1177. [recon-ng][default][netcraft] > #12
  1178. [*] Command: #12
  1179. [recon-ng][default][netcraft] > load recon/domains-hosts/shodan_hostname
  1180. [recon-ng][default] > load recon/domains-hosts/shodan_hostname
  1181. [recon-ng][default][shodan_hostname] > show info
  1182.  
  1183. Name: Shodan Hostname Enumerator
  1184. Path: modules/recon/domains-hosts/shodan_hostname.py
  1185. Author: Tim Tomes (@LaNMaSteR53)
  1186.  
  1187. Description:
  1188. Harvests hosts from the Shodan API by using the 'hostname' search operator. Updates the 'hosts'
  1189. table with the results.
  1190.  
  1191. Options:
  1192. Name Current Value Required Description
  1193. ------ ------------- -------- -----------
  1194. LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
  1195. SOURCE default yes source of input (see 'show info' for details)
  1196.  
  1197. Source Options:
  1198. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1199. <string> string representing a single input
  1200. <path> path to a file containing a list of inputs
  1201. query <sql> database query returning one column of inputs
  1202.  
  1203. [recon-ng][default][shodan_hostname] > #12
  1204. [*] Command: #12
  1205. [recon-ng][default][shodan_hostname] > load recon/domains-hosts/ssl_san
  1206. [recon-ng][default] > load recon/domains-hosts/ssl_san
  1207. [recon-ng][default][ssl_san] > show info
  1208.  
  1209. Name: SSL SAN Lookup
  1210. Path: modules/recon/domains-hosts/ssl_san.py
  1211. Author: Zach Grace (@ztgrace) zgrace@403labs.com
  1212.  
  1213. Description:
  1214. Uses the ssltools.com site to obtain the Subject Alternative Names for a domain. Updates the 'hosts'
  1215. table with the results.
  1216.  
  1217. Options:
  1218. Name Current Value Required Description
  1219. ------ ------------- -------- -----------
  1220. SOURCE default yes source of input (see 'show info' for details)
  1221.  
  1222. Source Options:
  1223. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1224. <string> string representing a single input
  1225. <path> path to a file containing a list of inputs
  1226. query <sql> database query returning one column of inputs
  1227.  
  1228. Comments:
  1229. * For an alternative version see https://github.com/403labs/recon-ng_modules.
  1230.  
  1231. [recon-ng][default][ssl_san] > #12
  1232. [*] Command: #12
  1233. [recon-ng][default][ssl_san] > load recon/domains-hosts/vpnhunter
  1234. [recon-ng][default] > load recon/domains-hosts/vpnhunter
  1235. [recon-ng][default][vpnhunter] > show info
  1236.  
  1237. Name: VPNHunter Lookup
  1238. Path: modules/recon/domains-hosts/vpnhunter.py
  1239. Author: Quentin Kaiser (contact[at]quentinkaiser.be)
  1240.  
  1241. Description:
  1242. Checks vpnhunter.com for SSL VPNs, remote accesses, email portals and generic login sites. Updates
  1243. the 'hosts' table with the results.
  1244.  
  1245. Options:
  1246. Name Current Value Required Description
  1247. ------ ------------- -------- -----------
  1248. SOURCE default yes source of input (see 'show info' for details)
  1249.  
  1250. Source Options:
  1251. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1252. <string> string representing a single input
  1253. <path> path to a file containing a list of inputs
  1254. query <sql> database query returning one column of inputs
  1255.  
  1256. [recon-ng][default][vpnhunter] > #12
  1257. [*] Command: #12
  1258. [recon-ng][default][vpnhunter] > load recon/domains-hosts/yahoo_domain
  1259. [recon-ng][default] > load recon/domains-hosts/yahoo_domain
  1260. [recon-ng][default][yahoo_domain] > show info
  1261.  
  1262. Name: Yahoo Hostname Enumerator
  1263. Path: modules/recon/domains-hosts/yahoo_domain.py
  1264. Author: Tim Tomes (@LaNMaSteR53)
  1265.  
  1266. Description:
  1267. Harvests hosts from Yahoo.com by using the 'domain' search operator. Updates the 'hosts' table with
  1268. the results.
  1269.  
  1270. Options:
  1271. Name Current Value Required Description
  1272. ------ ------------- -------- -----------
  1273. SOURCE default yes source of input (see 'show info' for details)
  1274.  
  1275. Source Options:
  1276. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1277. <string> string representing a single input
  1278. <path> path to a file containing a list of inputs
  1279. query <sql> database query returning one column of inputs
  1280.  
  1281. [recon-ng][default][yahoo_domain] > #12
  1282. [*] Command: #12
  1283. [recon-ng][default][yahoo_domain] > load recon/domains-vulnerabilities/punkspider
  1284. [recon-ng][default] > load recon/domains-vulnerabilities/punkspider
  1285. [recon-ng][default][punkspider] > show info
  1286.  
  1287. Name: PunkSPIDER Vulnerabilty Finder
  1288. Path: modules/recon/domains-vulnerabilities/punkspider.py
  1289. Author: Tim Tomes (@LaNMaSteR53) and thrapt (thrapt@gmail.com)
  1290.  
  1291. Description:
  1292. Leverages the PunkSPIDER API to search for previosuly discovered vulnerabltiies on hosts within a
  1293. domain.
  1294.  
  1295. Options:
  1296. Name Current Value Required Description
  1297. ------ ------------- -------- -----------
  1298. SOURCE default yes source of input (see 'show info' for details)
  1299.  
  1300. Source Options:
  1301. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1302. <string> string representing a single input
  1303. <path> path to a file containing a list of inputs
  1304. query <sql> database query returning one column of inputs
  1305.  
  1306. [recon-ng][default][punkspider] > #12
  1307. [*] Command: #12
  1308. [recon-ng][default][punkspider] > load recon/domains-vulnerabilities/xssed
  1309. [recon-ng][default] > load recon/domains-vulnerabilities/xssed
  1310. [recon-ng][default][xssed] > show info
  1311.  
  1312. Name: XSSed Domain Lookup
  1313. Path: modules/recon/domains-vulnerabilities/xssed.py
  1314. Author: Micah Hoffman (@WebBreacher)
  1315.  
  1316. Description:
  1317. Checks XSSed.com for XSS records associated with a domain and displays the first 20 results.
  1318.  
  1319. Options:
  1320. Name Current Value Required Description
  1321. ------ ------------- -------- -----------
  1322. SOURCE default yes source of input (see 'show info' for details)
  1323.  
  1324. Source Options:
  1325. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1326. <string> string representing a single input
  1327. <path> path to a file containing a list of inputs
  1328. query <sql> database query returning one column of inputs
  1329.  
  1330. [recon-ng][default][xssed] > #12
  1331. [*] Command: #12
  1332. [recon-ng][default][xssed] > load recon/domains-vulnerabilities/xssposed
  1333. [recon-ng][default] > load recon/domains-vulnerabilities/xssposed
  1334. [recon-ng][default][xssposed] > show info
  1335.  
  1336. Name: XSSposed Domain Lookup
  1337. Path: modules/recon/domains-vulnerabilities/xssposed.py
  1338. Author: Tim Tomes (@LaNMaSteR53)
  1339.  
  1340. Description:
  1341. Checks XSSposed.com for XSS records associated with a domain.
  1342.  
  1343. Options:
  1344. Name Current Value Required Description
  1345. ------ ------------- -------- -----------
  1346. SOURCE default yes source of input (see 'show info' for details)
  1347.  
  1348. Source Options:
  1349. default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
  1350. <string> string representing a single input
  1351. <path> path to a file containing a list of inputs
  1352. query <sql> database query returning one column of inputs
  1353.  
  1354. [recon-ng][default][xssposed] > #12
  1355. [*] Command: #12
  1356. [recon-ng][default][xssposed] > load recon/hosts-domains/migrate_hosts
  1357. [recon-ng][default] > load recon/hosts-domains/migrate_hosts
  1358. [recon-ng][default][migrate_hosts] > show info
  1359.  
  1360. Name: Hosts to Domains Data Migrator
  1361. Path: modules/recon/hosts-domains/migrate_hosts.py
  1362. Author: Tim Tomes (@LaNMaSteR53)
  1363.  
  1364. Description:
  1365. Adds a new domain for all the hostnames stored in the 'hosts' table.
  1366.  
  1367. Options:
  1368. Name Current Value Required Description
  1369. ------ ------------- -------- -----------
  1370. SOURCE default yes source of input (see 'show info' for details)
  1371.  
  1372. Source Options:
  1373. default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL
  1374. <string> string representing a single input
  1375. <path> path to a file containing a list of inputs
  1376. query <sql> database query returning one column of inputs
  1377.  
  1378. Comments:
  1379. * This modules considers that everything after the first element could contain other hosts besides
  1380. the current. Therefore, hosts > 2 domains deep will create domains > 2 elements in length.
  1381.  
  1382. [recon-ng][default][migrate_hosts] > #12
  1383. [*] Command: #12
  1384. [recon-ng][default][migrate_hosts] > load recon/hosts-hosts/bing_ip
  1385. [recon-ng][default] > load recon/hosts-hosts/bing_ip
  1386. [recon-ng][default][bing_ip] > show info
  1387.  
  1388. Name: Bing API IP Neighbor Enumerator
  1389. Path: modules/recon/hosts-hosts/bing_ip.py
  1390. Author: Tim Tomes (@LaNMaSteR53)
  1391.  
  1392. Description:
  1393. Leverages the Bing API and "ip:" advanced search operator to enumerate other virtual hosts sharing
  1394. the same IP address. Updates the 'hosts' table with the results.
  1395.  
  1396. Options:
  1397. Name Current Value Required Description
  1398. -------- ------------- -------- -----------
  1399. RESTRICT True yes restrict added hosts to current domains
  1400. SOURCE default yes source of input (see 'show info' for details)
  1401.  
  1402. Source Options:
  1403. default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
  1404. <string> string representing a single input
  1405. <path> path to a file containing a list of inputs
  1406. query <sql> database query returning one column of inputs
  1407.  
  1408. Comments:
  1409. * This module only stores hosts whose domain matches an entry in the domains table.
  1410.  
  1411. [recon-ng][default][bing_ip] > #12
  1412. [*] Command: #12
  1413. [recon-ng][default][bing_ip] > load recon/hosts-hosts/freegeoip
  1414. [recon-ng][default] > load recon/hosts-hosts/freegeoip
  1415. [recon-ng][default][freegeoip] > show info
  1416.  
  1417. Name: FreeGeoIP
  1418. Path: modules/recon/hosts-hosts/freegeoip.py
  1419. Author: Gerrit Helm (G) and Tim Tomes (@LaNMaSteR53)
  1420.  
  1421. Description:
  1422. Leverages the freegeoip.net API to geolocate a host by IP address. Updates the 'hosts' table with
  1423. the results.
  1424.  
  1425. Options:
  1426. Name Current Value Required Description
  1427. --------- ------------- -------- -----------
  1428. SERVERURL http://freegeoip.net yes overwrite server url (e.g. for local installations)
  1429. SOURCE default yes source of input (see 'show info' for details)
  1430.  
  1431. Source Options:
  1432. default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
  1433. <string> string representing a single input
  1434. <path> path to a file containing a list of inputs
  1435. query <sql> database query returning one column of inputs
  1436.  
  1437. Comments:
  1438. * Allows up to 10,000 queries per hour by default. Once this limit is reached, all requests will
  1439. result in HTTP 403, forbidden, until the quota is cleared.
  1440.  
  1441. [recon-ng][default][freegeoip] > #12
  1442. [*] Command: #12
  1443. [recon-ng][default][freegeoip] > load recon/hosts-hosts/ip_neighbor
  1444. [recon-ng][default] > load recon/hosts-hosts/ip_neighbor
  1445. [recon-ng][default][ip_neighbor] > show info
  1446.  
  1447. Name: My-IP-Neighbors.com Lookup
  1448. Path: modules/recon/hosts-hosts/ip_neighbor.py
  1449. Author: Micah Hoffman (@WebBreacher)
  1450.  
  1451. Description:
  1452. Checks My-IP-Neighbors.com for virtual hosts on the same server. Updates the 'hosts' table with the
  1453. results.
  1454.  
  1455. Options:
  1456. Name Current Value Required Description
  1457. -------- ------------- -------- -----------
  1458. RESTRICT True yes restrict added hosts to current domains
  1459. SOURCE default yes source of input (see 'show info' for details)
  1460.  
  1461. Source Options:
  1462. default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL
  1463. <string> string representing a single input
  1464. <path> path to a file containing a list of inputs
  1465. query <sql> database query returning one column of inputs
  1466.  
  1467. Comments:
  1468. * This module only stores hosts whose domain matches an entry in the domains table.
  1469. * Knowing what other hosts are hosted on a provider's server can sometimes yield interesting results
  1470. and help identify additional targets for assessment.
  1471.  
  1472. [recon-ng][default][ip_neighbor] > #12
  1473. [*] Command: #12
  1474. [recon-ng][default][ip_neighbor] > load recon/hosts-hosts/ipinfodb
  1475. [recon-ng][default] > load recon/hosts-hosts/ipinfodb
  1476. [recon-ng][default][ipinfodb] > show info
  1477.  
  1478. Name: IPInfoDB GeoIP
  1479. Path: modules/recon/hosts-hosts/ipinfodb.py
  1480. Author: Tim Tomes (@LaNMaSteR53)
  1481.  
  1482. Description:
  1483. Leverages the ipinfodb.com API to geolocate a host by IP address. Updates the 'hosts' table with the
  1484. results.
  1485.  
  1486. Options:
  1487. Name Current Value Required Description
  1488. ------ ------------- -------- -----------
  1489. SOURCE default yes source of input (see 'show info' for details)
  1490.  
  1491. Source Options:
  1492. default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
  1493. <string> string representing a single input
  1494. <path> path to a file containing a list of inputs
  1495. query <sql> database query returning one column of inputs
  1496.  
  1497. [recon-ng][default][ipinfodb] > #12
  1498. [*] Command: #12
  1499. [recon-ng][default][ipinfodb] > load recon/hosts-hosts/resolve
  1500. [recon-ng][default] > load recon/hosts-hosts/resolve
  1501. [recon-ng][default][resolve] > show info
  1502.  
  1503. Name: Hostname Resolver
  1504. Path: modules/recon/hosts-hosts/resolve.py
  1505. Author: Tim Tomes (@LaNMaSteR53)
  1506.  
  1507. Description:
  1508. Resolves the IP address for a host. Updates the 'hosts' table with the results.
  1509.  
  1510. Options:
  1511. Name Current Value Required Description
  1512. ------ ------------- -------- -----------
  1513. SOURCE default yes source of input (see 'show info' for details)
  1514.  
  1515. Source Options:
  1516. default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL
  1517. <string> string representing a single input
  1518. <path> path to a file containing a list of inputs
  1519. query <sql> database query returning one column of inputs
  1520.  
  1521. Comments:
  1522. * Note: Nameserver must be in IP form.
  1523.  
  1524. [recon-ng][default][resolve] > #12
  1525. [*] Command: #12
  1526. [recon-ng][default][resolve] > load recon/hosts-hosts/reverse_resolve
  1527. [recon-ng][default] > load recon/hosts-hosts/reverse_resolve
  1528. [recon-ng][default][reverse_resolve] > show info
  1529.  
  1530. Name: Reverse Resolver
  1531. Path: modules/recon/hosts-hosts/reverse_resolve.py
  1532. Author: John Babio (@3vi1john), @vulp1n3, and Tim Tomes (@LaNMaSteR53)
  1533.  
  1534. Description:
  1535. Conducts a reverse lookup for each IP address to resolve the hostname. Updates the 'hosts' table
  1536. with the results.
  1537.  
  1538. Options:
  1539. Name Current Value Required Description
  1540. ------ ------------- -------- -----------
  1541. SOURCE default yes source of input (see 'show info' for details)
  1542.  
  1543. Source Options:
  1544. default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
  1545. <string> string representing a single input
  1546. <path> path to a file containing a list of inputs
  1547. query <sql> database query returning one column of inputs
  1548.  
  1549. [recon-ng][default][reverse_resolve] > #12
  1550. [*] Command: #12
  1551. [recon-ng][default][reverse_resolve] > load recon/locations-locations/geocode
  1552. [recon-ng][default] > load recon/locations-locations/geocode
  1553. [recon-ng][default][geocode] > show info
  1554.  
  1555. Name: Address Geocoder
  1556. Path: modules/recon/locations-locations/geocode.py
  1557. Author: Quentin Kaiser (contact@quentinkaiser.be)
  1558.  
  1559. Description:
  1560. Queries the Google Maps API to obtain coordinates for an address. Updates the 'locations' table with
  1561. the results.
  1562.  
  1563. Options:
  1564. Name Current Value Required Description
  1565. ------ ------------- -------- -----------
  1566. SOURCE default yes source of input (see 'show info' for details)
  1567.  
  1568. Source Options:
  1569. default SELECT DISTINCT street_address FROM locations WHERE street_address IS NOT NULL
  1570. <string> string representing a single input
  1571. <path> path to a file containing a list of inputs
  1572. query <sql> database query returning one column of inputs
  1573.  
  1574. [recon-ng][default][geocode] > #12
  1575. [*] Command: #12
  1576. [recon-ng][default][geocode] > load recon/locations-locations/reverse_geocode
  1577. [recon-ng][default] > load recon/locations-locations/reverse_geocode
  1578. [recon-ng][default][reverse_geocode] > show info
  1579.  
  1580. Name: Reverse Geocoder
  1581. Path: modules/recon/locations-locations/reverse_geocode.py
  1582. Author: Quentin Kaiser (contact@quentinkaiser.be)
  1583.  
  1584. Description:
  1585. Queries the Google Maps API to obtain an address from coordinates.
  1586.  
  1587. Options:
  1588. Name Current Value Required Description
  1589. ------ ------------- -------- -----------
  1590. SOURCE default yes source of input (see 'show info' for details)
  1591.  
  1592. Source Options:
  1593. default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
  1594. <string> string representing a single input
  1595. <path> path to a file containing a list of inputs
  1596. query <sql> database query returning one column of inputs
  1597.  
  1598. [recon-ng][default][reverse_geocode] > #12
  1599. [*] Command: #12
  1600. [recon-ng][default][reverse_geocode] > load recon/locations-pushpins/flickr
  1601. [recon-ng][default] > load recon/locations-pushpins/flickr
  1602. [recon-ng][default][flickr] > show info
  1603.  
  1604. Name: Flickr Geolocation Search
  1605. Path: modules/recon/locations-pushpins/flickr.py
  1606. Author: Tim Tomes (@LaNMaSteR53)
  1607.  
  1608. Description:
  1609. Searches Flickr for media in the specified proximity to a location.
  1610.  
  1611. Options:
  1612. Name Current Value Required Description
  1613. ------ ------------- -------- -----------
  1614. RADIUS 1 yes radius in kilometers
  1615. SOURCE default yes source of input (see 'show info' for details)
  1616.  
  1617. Source Options:
  1618. default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
  1619. <string> string representing a single input
  1620. <path> path to a file containing a list of inputs
  1621. query <sql> database query returning one column of inputs
  1622.  
  1623. Comments:
  1624. * Radius must be greater than zero and less than 32 kilometers.
  1625.  
  1626. [recon-ng][default][flickr] > #12
  1627. [*] Command: #12
  1628. [recon-ng][default][flickr] > load recon/locations-pushpins/instagram
  1629. [recon-ng][default] > load recon/locations-pushpins/instagram
  1630. [recon-ng][default][instagram] > show info
  1631.  
  1632. Name: Instagram Geolocation Search
  1633. Path: modules/recon/locations-pushpins/instagram.py
  1634. Author: Nathan Malcolm (@SintheticLabs) and Tim Tomes (@LaNMaSteR53)
  1635.  
  1636. Description:
  1637. Searches Instagram for media in the specified proximity to a location.
  1638.  
  1639. Options:
  1640. Name Current Value Required Description
  1641. ------ ------------- -------- -----------
  1642. RADIUS 1 yes radius in kilometers
  1643. SOURCE default yes source of input (see 'show info' for details)
  1644.  
  1645. Source Options:
  1646. default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
  1647. <string> string representing a single input
  1648. <path> path to a file containing a list of inputs
  1649. query <sql> database query returning one column of inputs
  1650.  
  1651. Comments:
  1652. * Radius must be greater than zero and no more than 5 kilometers (5000 meters).
  1653.  
  1654. [recon-ng][default][instagram] > #12
  1655. [*] Command: #12
  1656. [recon-ng][default][instagram] > load recon/locations-pushpins/picasa
  1657. [recon-ng][default] > load recon/locations-pushpins/picasa
  1658. [recon-ng][default][picasa] > show info
  1659.  
  1660. Name: Picasa Geolocation Search
  1661. Path: modules/recon/locations-pushpins/picasa.py
  1662. Author: Tim Tomes (@LaNMaSteR53)
  1663.  
  1664. Description:
  1665. Searches Picasa for media in the specified proximity to a location.
  1666.  
  1667. Options:
  1668. Name Current Value Required Description
  1669. ------ ------------- -------- -----------
  1670. RADIUS 1 yes radius in kilometers
  1671. SOURCE default yes source of input (see 'show info' for details)
  1672.  
  1673. Source Options:
  1674. default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
  1675. <string> string representing a single input
  1676. <path> path to a file containing a list of inputs
  1677. query <sql> database query returning one column of inputs
  1678.  
  1679. [recon-ng][default][picasa] > #12
  1680. [*] Command: #12
  1681. [recon-ng][default][picasa] > load recon/locations-pushpins/shodan
  1682. [recon-ng][default] > load recon/locations-pushpins/shodan
  1683. [recon-ng][default][shodan] > show info
  1684.  
  1685. Name: Shodan Geolocation Search
  1686. Path: modules/recon/locations-pushpins/shodan.py
  1687. Author: Tim Tomes (@LaNMaSteR53)
  1688.  
  1689. Description:
  1690. Searches Shodan for media in the specified proximity to a location.
  1691.  
  1692. Options:
  1693. Name Current Value Required Description
  1694. ------ ------------- -------- -----------
  1695. LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
  1696. RADIUS 1 yes radius in kilometers
  1697. SOURCE default yes source of input (see 'show info' for details)
  1698.  
  1699. Source Options:
  1700. default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
  1701. <string> string representing a single input
  1702. <path> path to a file containing a list of inputs
  1703. query <sql> database query returning one column of inputs
  1704.  
  1705. Comments:
  1706. * Shodan 'geo' searches can take a long time to complete. If receiving connection timeout errors,
  1707. increase the global SOCKET_TIMEOUT option.
  1708.  
  1709. [recon-ng][default][shodan] > #12
  1710. [*] Command: #12
  1711. [recon-ng][default][shodan] > load recon/locations-pushpins/twitter
  1712. [recon-ng][default] > load recon/locations-pushpins/twitter
  1713. [recon-ng][default][twitter] > show info
  1714.  
  1715. Name: Twitter Geolocation Search
  1716. Path: modules/recon/locations-pushpins/twitter.py
  1717. Author: Tim Tomes (@LaNMaSteR53)
  1718.  
  1719. Description:
  1720. Searches Twitter for media in the specified proximity to a location.
  1721.  
  1722. Options:
  1723. Name Current Value Required Description
  1724. ------ ------------- -------- -----------
  1725. RADIUS 1 yes radius in kilometers
  1726. SOURCE default yes source of input (see 'show info' for details)
  1727.  
  1728. Source Options:
  1729. default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
  1730. <string> string representing a single input
  1731. <path> path to a file containing a list of inputs
  1732. query <sql> database query returning one column of inputs
  1733.  
  1734. [recon-ng][default][twitter] > #12
  1735. [*] Command: #12
  1736. [recon-ng][default][twitter] > load recon/locations-pushpins/youtube
  1737. [recon-ng][default] > load recon/locations-pushpins/youtube
  1738. [recon-ng][default][youtube] > show info
  1739.  
  1740. Name: YouTube Geolocation Search
  1741. Path: modules/recon/locations-pushpins/youtube.py
  1742. Author: Tim Tomes (@LaNMaSteR53)
  1743.  
  1744. Description:
  1745. Searches YouTube for media in the specified proximity to a location.
  1746.  
  1747. Options:
  1748. Name Current Value Required Description
  1749. ------ ------------- -------- -----------
  1750. RADIUS 1 yes radius in kilometers
  1751. SOURCE default yes source of input (see 'show info' for details)
  1752.  
  1753. Source Options:
  1754. default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
  1755. <string> string representing a single input
  1756. <path> path to a file containing a list of inputs
  1757. query <sql> database query returning one column of inputs
  1758.  
  1759. Comments:
  1760. * Radius must be greater than zero and less than 1000 kilometers.
  1761.  
  1762. [recon-ng][default][youtube] > #12
  1763. [*] Command: #12
  1764. [recon-ng][default][youtube] > load recon/netblocks-companies/whois_orgs
  1765. [recon-ng][default] > load recon/netblocks-companies/whois_orgs
  1766. [recon-ng][default][whois_orgs] > show info
  1767.  
  1768. Name: Whois Company Harvester
  1769. Path: modules/recon/netblocks-companies/whois_orgs.py
  1770. Author: Tim Tomes (@LaNMaSteR53)
  1771.  
  1772. Description:
  1773. Uses the ARIN Whois RWS to harvest Companies data from whois queries for the given netblock. Updates
  1774. the 'companies' table with the results.
  1775.  
  1776. Options:
  1777. Name Current Value Required Description
  1778. ------ ------------- -------- -----------
  1779. SOURCE default yes source of input (see 'show info' for details)
  1780.  
  1781. Source Options:
  1782. default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL
  1783. <string> string representing a single input
  1784. <path> path to a file containing a list of inputs
  1785. query <sql> database query returning one column of inputs
  1786.  
  1787. [recon-ng][default][whois_orgs] > #12
  1788. [*] Command: #12
  1789. [recon-ng][default][whois_orgs] > load recon/netblocks-hosts/reverse_resolve
  1790. [recon-ng][default] > load recon/netblocks-hosts/reverse_resolve
  1791. [recon-ng][default][reverse_resolve] > show info
  1792.  
  1793. Name: Reverse Resolver
  1794. Path: modules/recon/netblocks-hosts/reverse_resolve.py
  1795. Author: John Babio (@3vi1john)
  1796.  
  1797. Description:
  1798. Conducts a reverse lookup for each of a netblock's IP addresses to resolve the hostname. Updates the
  1799. 'hosts' table with the results.
  1800.  
  1801. Options:
  1802. Name Current Value Required Description
  1803. ------ ------------- -------- -----------
  1804. SOURCE default yes source of input (see 'show info' for details)
  1805.  
  1806. Source Options:
  1807. default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL
  1808. <string> string representing a single input
  1809. <path> path to a file containing a list of inputs
  1810. query <sql> database query returning one column of inputs
  1811.  
  1812. [recon-ng][default][reverse_resolve] > #12
  1813. [*] Command: #12
  1814. [recon-ng][default][reverse_resolve] > load recon/netblocks-hosts/shodan_net
  1815. [recon-ng][default] > load recon/netblocks-hosts/shodan_net
  1816. [recon-ng][default][shodan_net] > show info
  1817.  
  1818. Name: Shodan Network Enumerator
  1819. Path: modules/recon/netblocks-hosts/shodan_net.py
  1820. Author: Mike Siegel and Tim Tomes (@LaNMaSteR53)
  1821.  
  1822. Description:
  1823. Harvests hosts from the Shodan API by using the 'net' search operator. Updates the 'hosts' table
  1824. with the results.
  1825.  
  1826. Options:
  1827. Name Current Value Required Description
  1828. ------ ------------- -------- -----------
  1829. LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
  1830. SOURCE default yes source of input (see 'show info' for details)
  1831.  
  1832. Source Options:
  1833. default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL ORDER BY netblock
  1834. <string> string representing a single input
  1835. <path> path to a file containing a list of inputs
  1836. query <sql> database query returning one column of inputs
  1837.  
  1838. [recon-ng][default][shodan_net] > #12
  1839. [*] Command: #12
  1840. [recon-ng][default][shodan_net] > load recon/netblocks-ports/census_2012
  1841. [recon-ng][default] > load recon/netblocks-ports/census_2012
  1842. [recon-ng][default][census_2012] > show info
  1843.  
  1844. Name: Internet Census 2012 Lookup
  1845. Path: modules/recon/netblocks-ports/census_2012.py
  1846. Author: Tim Tomes (@LaNMaSteR53)
  1847.  
  1848. Description:
  1849. Queries the Internet Census 2012 data through Exfiltrated.com to enumerate open ports for a
  1850. netblock.
  1851.  
  1852. Options:
  1853. Name Current Value Required Description
  1854. ------ ------------- -------- -----------
  1855. SOURCE default yes source of input (see 'show info' for details)
  1856.  
  1857. Source Options:
  1858. default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL
  1859. <string> string representing a single input
  1860. <path> path to a file containing a list of inputs
  1861. query <sql> database query returning one column of inputs
  1862.  
  1863. Comments:
  1864. * http://exfiltrated.com/querystart.php
  1865.  
  1866. [recon-ng][default][census_2012] > #12
  1867. [*] Command: #12
  1868. [recon-ng][default][census_2012] > load recon/ports-hosts/migrate_ports
  1869. [recon-ng][default] > load recon/ports-hosts/migrate_ports
  1870. [recon-ng][default][migrate_ports] > show info
  1871.  
  1872. Name: Ports to Hosts Data Migrator
  1873. Path: modules/recon/ports-hosts/migrate_ports.py
  1874. Author: Tim Tomes (@LaNMaSteR53)
  1875.  
  1876. Description:
  1877. Adds a new host for all the hostnames stored in the 'ports' table.
  1878.  
  1879. Options:
  1880. No options available for this module.
  1881.  
  1882. [recon-ng][default][migrate_ports] > #12
  1883. [*] Command: #12
  1884. [recon-ng][default][migrate_ports] > load recon/profiles-contacts/dev_diver
  1885. [recon-ng][default] > load recon/profiles-contacts/dev_diver
  1886. [recon-ng][default][dev_diver] > show info
  1887.  
  1888. Name: Dev Diver Repository Activity Examiner
  1889. Path: modules/recon/profiles-contacts/dev_diver.py
  1890. Author: Micah Hoffman (@WebBreacher)
  1891.  
  1892. Description:
  1893. Searches public code repositories for information about a given username.
  1894.  
  1895. Options:
  1896. Name Current Value Required Description
  1897. ------ ------------- -------- -----------
  1898. SOURCE default yes source of input (see 'show info' for details)
  1899.  
  1900. Source Options:
  1901. default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL
  1902. <string> string representing a single input
  1903. <path> path to a file containing a list of inputs
  1904. query <sql> database query returning one column of inputs
  1905.  
  1906. [recon-ng][default][dev_diver] > #12
  1907. [*] Command: #12
  1908. [recon-ng][default][dev_diver] > load recon/profiles-contacts/linkedin
  1909. [recon-ng][default] > load recon/profiles-contacts/linkedin
  1910. [recon-ng][default][linkedin] > show info
  1911.  
  1912. Name: Linkedin Contact Crawler
  1913. Path: modules/recon/profiles-contacts/linkedin.py
  1914. Author: Mike Larch and Brian Fehrman
  1915.  
  1916. Description:
  1917. Harvests contact information from linkedin.com by parsing the link(s) given and adding the info to
  1918. the 'contacts' table.
  1919.  
  1920. Options:
  1921. Name Current Value Required Description
  1922. ------ ------------- -------- -----------
  1923. SOURCE default yes source of input (see 'show info' for details)
  1924.  
  1925. Source Options:
  1926. default SELECT DISTINCT url FROM profiles WHERE url IS NOT NULL ORDER BY url
  1927. <string> string representing a single input
  1928. <path> path to a file containing a list of inputs
  1929. query <sql> database query returning one column of inputs
  1930.  
  1931. [recon-ng][default][linkedin] > #12
  1932. [*] Command: #12
  1933. [recon-ng][default][linkedin] > load recon/profiles-profiles/linkedin_crawl
  1934. [recon-ng][default] > load recon/profiles-profiles/linkedin_crawl
  1935. [recon-ng][default][linkedin_crawl] > show info
  1936.  
  1937. Name: Linkedin Profile Crawler
  1938. Path: modules/recon/profiles-profiles/linkedin_crawl.py
  1939. Author: Mike Larch and Brian Fehrman (@fullmetalcache)
  1940.  
  1941. Description:
  1942. Harvests profiles from linkedin.com by visting the given link(s), crawling the "Viewers of this
  1943. profile also viewed", parsing the pages, and adding new profiles to the 'profiles' table
  1944.  
  1945. Options:
  1946. Name Current Value Required Description
  1947. -------- ------------- -------- -----------
  1948. PREVIOUS False yes include previous employees
  1949. SOURCE default yes source of input (see 'show info' for details)
  1950.  
  1951. Source Options:
  1952. default SELECT DISTINCT url FROM profiles WHERE url IS NOT NULL ORDER BY url
  1953. <string> string representing a single input
  1954. <path> path to a file containing a list of inputs
  1955. query <sql> database query returning one column of inputs
  1956.  
  1957. [recon-ng][default][linkedin_crawl] > #12
  1958. [*] Command: #12
  1959. [recon-ng][default][linkedin_crawl] > load recon/profiles-profiles/namechk
  1960. [recon-ng][default] > load recon/profiles-profiles/namechk
  1961. [recon-ng][default][namechk] > show info
  1962.  
  1963. Name: NameChk.com Username Validator
  1964. Path: modules/recon/profiles-profiles/namechk.py
  1965. Author: Tim Tomes (@LaNMaSteR53) and thrapt (thrapt@gmail.com)
  1966.  
  1967. Description:
  1968. Leverages NameChk.com to validate the existance of usernames on specific web sites and updates the
  1969. 'profiles' table with the results.
  1970.  
  1971. Options:
  1972. Name Current Value Required Description
  1973. ------ ------------- -------- -----------
  1974. SOURCE default yes source of input (see 'show info' for details)
  1975.  
  1976. Source Options:
  1977. default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL
  1978. <string> string representing a single input
  1979. <path> path to a file containing a list of inputs
  1980. query <sql> database query returning one column of inputs
  1981.  
  1982. Comments:
  1983. * Note: The global timeout option may need to be increased to support slower sites.
  1984.  
  1985. [recon-ng][default][namechk] > #12
  1986. [*] Command: #12
  1987. [recon-ng][default][namechk] > load recon/profiles-profiles/profiler
  1988. [recon-ng][default] > load recon/profiles-profiles/profiler
  1989. [recon-ng][default][profiler] > show info
  1990.  
  1991. Name: OSINT HUMINT Profile Collector
  1992. Path: modules/recon/profiles-profiles/profiler.py
  1993. Author: Micah Hoffman (@WebBreacher)
  1994.  
  1995. Description:
  1996. Takes each username from the profiles table and searches a variety of web sites for those users.
  1997.  
  1998. Options:
  1999. Name Current Value Required Description
  2000. ------- ------------- -------- -----------
  2001. SITE_DB /usr/share/recon-ng/data/profiler_sites.json yes JSON file containing known sites and response codes
  2002. SOURCE default yes source of input (see 'show info' for details)
  2003.  
  2004. Source Options:
  2005. default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL
  2006. <string> string representing a single input
  2007. <path> path to a file containing a list of inputs
  2008. query <sql> database query returning one column of inputs
  2009.  
  2010. Comments:
  2011. * Note: The global timeout option may need to be increased to support slower sites.
  2012. * Warning: Using this module behind a filtering proxy may cause false negatives as some of these
  2013. sites may be blocked.
  2014.  
  2015. [recon-ng][default][profiler] > #12
  2016. [*] Command: #12
  2017. [recon-ng][default][profiler] > load recon/profiles-profiles/twitter
  2018. [recon-ng][default] > load recon/profiles-profiles/twitter
  2019. [recon-ng][default][twitter] > show info
  2020.  
  2021. Name: Twitter Handles
  2022. Path: modules/recon/profiles-profiles/twitter.py
  2023. Author: Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
  2024.  
  2025. Description:
  2026. Searches Twitter for users that mentioned, or were mentioned by, the given handle.
  2027.  
  2028. Options:
  2029. Name Current Value Required Description
  2030. ------ ------------- -------- -----------
  2031. SOURCE default yes source of input (see 'show info' for details)
  2032. UNTIL no date-time group in the form YYYY-MM-DD
  2033.  
  2034. Source Options:
  2035. default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL AND resource='Twitter' COLLATE NOCASE
  2036. <string> string representing a single input
  2037. <path> path to a file containing a list of inputs
  2038. query <sql> database query returning one column of inputs
  2039.  
  2040. Comments:
  2041. * Twitter limits searchable tweet history to ~3 days.
  2042.  
  2043. [recon-ng][default][twitter] > #12
  2044. [*] Command: #12
  2045. [recon-ng][default][twitter] > load reporting/csv
  2046. [recon-ng][default] > load reporting/csv
  2047. [recon-ng][default][csv] > show info
  2048.  
  2049. Name: CSV File Creator
  2050. Path: modules/reporting/csv.py
  2051. Author: Tim Tomes (@LaNMaSteR53)
  2052.  
  2053. Description:
  2054. Creates a CSV file containing the specified harvested data.
  2055.  
  2056. Options:
  2057. Name Current Value Required Description
  2058. -------- ------------- -------- -----------
  2059. FILENAME /root/.recon-ng/workspaces/default/results.csv yes path and filename for output
  2060. TABLE hosts yes source table of data to export
  2061.  
  2062. [recon-ng][default][csv] > #12
  2063. [*] Command: #12
  2064. [recon-ng][default][csv] > load reporting/html
  2065. [recon-ng][default] > load reporting/html
  2066. [recon-ng][default][html] > show info
  2067.  
  2068. Name: HTML Report Generator
  2069. Path: modules/reporting/html.py
  2070. Author: Tim Tomes (@LaNMaSteR53)
  2071.  
  2072. Description:
  2073. Creates a HTML report.
  2074.  
  2075. Options:
  2076. Name Current Value Required Description
  2077. -------- ------------- -------- -----------
  2078. CREATOR yes creator name for the report footer
  2079. CUSTOMER yes customer name for the report header
  2080. FILENAME /root/.recon-ng/workspaces/default/results.html yes path and filename for report output
  2081. SANITIZE True yes mask sensitive data in the report
  2082.  
  2083. [recon-ng][default][html] > #12
  2084. [*] Command: #12
  2085. [recon-ng][default][html] > load reporting/json
  2086. [recon-ng][default] > load reporting/json
  2087. [recon-ng][default][json] > show info
  2088.  
  2089. Name: JSON Report Generator
  2090. Path: modules/reporting/json.py
  2091. Author: Paul (@PaulWebSec)
  2092. Version: v0.0.1
  2093.  
  2094. Description:
  2095. Creates a JSON report.
  2096.  
  2097. Options:
  2098. Name Current Value Required Description
  2099. -------- ------------- -------- -----------
  2100. FILENAME /root/.recon-ng/workspaces/default/results.json yes path and filename for report output
  2101. TABLES hosts, contacts, credentials yes comma delineated list of tables
  2102.  
  2103. [recon-ng][default][json] > #12
  2104. [*] Command: #12
  2105. [recon-ng][default][json] > load reporting/list
  2106. [recon-ng][default] > load reporting/list
  2107. [recon-ng][default][list] > show info
  2108.  
  2109. Name: List Creator
  2110. Path: modules/reporting/list.py
  2111. Author: Tim Tomes (@LaNMaSteR53)
  2112.  
  2113. Description:
  2114. Creates a file containing a list of records from the database.
  2115.  
  2116. Options:
  2117. Name Current Value Required Description
  2118. -------- ------------- -------- -----------
  2119. COLUMN ip_address yes source column of data for the list
  2120. FILENAME /root/.recon-ng/workspaces/default/list.txt yes path and filename for output
  2121. NULLS False yes include nulls in the dataset
  2122. TABLE hosts yes source table of data for the list
  2123. UNIQUE True yes only return unique items from the dataset
  2124.  
  2125. [recon-ng][default][list] > #12
  2126. [*] Command: #12
  2127. [recon-ng][default][list] > load reporting/pushpin
  2128. [recon-ng][default] > load reporting/pushpin
  2129. [recon-ng][default][pushpin] > show info
  2130.  
  2131. Name: PushPin Report Generator
  2132. Path: modules/reporting/pushpin.py
  2133. Author: Tim Tomes (@LaNMaSteR53)
  2134.  
  2135. Description:
  2136. Creates HTML media and map reports for all of the PushPins stored in the database.
  2137.  
  2138. Options:
  2139. Name Current Value Required Description
  2140. -------------- ------------- -------- -----------
  2141. LATITUDE yes latitude of the epicenter
  2142. LONGITUDE yes longitude of the epicenter
  2143. MAP_FILENAME /root/.recon-ng/workspaces/default/pushpin_map.html yes path and filename for pushpin map report
  2144. MEDIA_FILENAME /root/.recon-ng/workspaces/default/pushpin_media.html yes path and filename for pushpin media report
  2145. RADIUS yes radius from the epicenter in kilometers
  2146.  
  2147. [recon-ng][default][pushpin] > #12
  2148. [*] Command: #12
  2149. [recon-ng][default][pushpin] > load reporting/xlsx
  2150. [recon-ng][default] > load reporting/xlsx
  2151. [recon-ng][default][xlsx] > show info
  2152.  
  2153. Name: XLSX File Creator
  2154. Path: modules/reporting/xlsx.py
  2155. Author: Tim Tomes (@LaNMaSteR53)
  2156.  
  2157. Description:
  2158. Creates an Excel compatible XLSX file containing the entire data set.
  2159.  
  2160. Options:
  2161. Name Current Value Required Description
  2162. -------- ------------- -------- -----------
  2163. FILENAME /root/.recon-ng/workspaces/default/results.xlsx yes path and filename for output
  2164.  
  2165. [recon-ng][default][xlsx] > #12
  2166. [*] Command: #12
  2167. [recon-ng][default][xlsx] > load reporting/xml
  2168. [recon-ng][default] > load reporting/xml
  2169. [recon-ng][default][xml] > show info
  2170.  
  2171. Name: XML Report Generator
  2172. Path: modules/reporting/xml.py
  2173. Author: Eric Humphries (@e2fsck) and Tim Tomes (@LaNMaSteR53)
  2174. Version: v0.0.2
  2175.  
  2176. Description:
  2177. Creates a XML report.
  2178.  
  2179. Options:
  2180. Name Current Value Required Description
  2181. -------- ------------- -------- -----------
  2182. FILENAME /root/.recon-ng/workspaces/default/results.xml yes path and filename for report output
  2183. TABLES hosts, contacts, credentials yes comma delineated list of tables
  2184.  
  2185. [recon-ng][default][xml] > exit
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!