- [recon-ng v4.6.3, Tim Tomes (@LaNMaSteR53)]
- [71] Recon modules
- [7] Reporting modules
- [2] Import modules
- [2] Exploitation modules
- [2] Discovery modules
- [recon-ng][default] > load discovery/info_disclosure/cache_snoop
- [recon-ng][default][cache_snoop] > show info
- Name: DNS Cache Snooper
- Path: modules/discovery/info_disclosure/cache_snoop.py
- Author: thrapt (thrapt@gmail.com)
- Description:
- Uses the DNS cache snooping technique to check for visited domains
- Options:
- Name Current Value Required Description
- ---------- ------------- -------- -----------
- DOMAINS /usr/share/recon-ng/data/av_domains.lst yes file containing the list of domains to snoop for
- NAMESERVER yes IP address of authoritative nameserver
- Comments:
- * Nameserver must be in IP form.
- * http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html
- [recon-ng][default][cache_snoop] > #12
- [*] Command: #12
- [recon-ng][default][cache_snoop] > load discovery/info_disclosure/interesting_files
- [recon-ng][default] > load discovery/info_disclosure/interesting_files
- [recon-ng][default][interesting_files] > show info
- Name: Interesting File Finder
- Path: modules/discovery/info_disclosure/interesting_files.py
- Author: Tim Tomes (@LaNMaSteR53), thrapt (thrapt@gmail.com), Jay Turla (@shipcod3), and Mark Jeffery
- Description:
- Checks hosts for interesting files in predictable locations.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- DOWNLOAD True yes download discovered files
- PORT 80 yes request port
- PROTOCOL http yes request protocol
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Files: robots.txt, sitemap.xml, sitemap.xml.gz, crossdomain.xml, phpinfo.php, test.php, elmah.axd,
- server-status, jmx-console/, admin-console/, web-console/
- * Google Dorks:
- - inurl:robots.txt ext:txt
- - inurl:elmah.axd ext:axd intitle:"Error log for"
- - inurl:server-status "Apache Status"
- [recon-ng][default][interesting_files] > #12
- [*] Command: #12
- [recon-ng][default][interesting_files] > load exploitation/injection/command_injector
- [recon-ng][default] > load exploitation/injection/command_injector
- [recon-ng][default][command_injector] > show info
- Name: Remote Command Injection Shell Interface
- Path: modules/exploitation/injection/command_injector.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Provides a shell interface for remote command injection flaws in web applications.
- Options:
- Name Current Value Required Description
- ---------- ------------- -------- -----------
- BASE_URL yes the target resource url excluding any parameters
- BASIC_PASS no password for basic authentication
- BASIC_USER no username for basic authentication
- COOKIE no cookie string containing authenticated session data
- MARK_END no string to match page content following the command output
- MARK_START no string to match page content preceding the command output
- PARAMETERS yes the query parameters with '<rce>' signifying the value of the vulnerable parameter
- POST False yes set the request method to post. parameters should still be submitted in the url option
- [recon-ng][default][command_injector] > #12
- [*] Command: #12
- [recon-ng][default][command_injector] > load exploitation/injection/xpath_bruter
- [recon-ng][default] > load exploitation/injection/xpath_bruter
- [recon-ng][default][xpath_bruter] > show info
- Name: Xpath Injection Brute Forcer
- Path: modules/exploitation/injection/xpath_bruter.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Exploits XPath injection flaws to enumerate the contents of serverside XML documents.
- Options:
- Name Current Value Required Description
- ---------- ------------- -------- -----------
- BASE_URL yes target resource url excluding any parameters
- BASIC_PASS no password for basic authentication
- BASIC_USER no username for basic authentication
- COOKIE no cookie string containing authenticated session data
- PARAMETERS yes query parameters with '<inject>' signifying the injection
- POST False yes set the request method to post. parameters should still be submitted in the url option
- STRING yes unique string found when the injection results in 'True'
- [recon-ng][default][xpath_bruter] > #12
- [*] Command: #12
- [recon-ng][default][xpath_bruter] > load import/csv_file
- [recon-ng][default] > load import/csv_file
- [recon-ng][default][csv_file] > show info
- Name: Advanced CSV File Importer
- Path: modules/import/csv_file.py
- Author: Ethan Robish (@EthanRobish)
- Description:
- Imports values from a CSV file into a database table.
- Options:
- Name Current Value Required Description
- ---------------- ------------- -------- -----------
- COLUMN_SEPARATOR , yes character that separates each column value
- FILENAME yes path and filename for csv input
- HAS_HEADER True yes whether or not the first row in the csv file should be interpreted as column names
- QUOTE_CHARACTER no character that surrounds each column value
- TABLE yes table to import the csv values
- Comments:
- * Only a few options are available until a valid filename is set. Then, the file is analyzed and
- more options become available for configuring where each CSV entry is imported.
- * This module is very powerful and can seriously pollute a database. Backing up the database before
- importing is encouraged.
- [recon-ng][default][csv_file] > #12
- [*] Command: #12
- [recon-ng][default][csv_file] > load import/list
- [recon-ng][default] > load import/list
- [recon-ng][default][list] > show info
- Name: List File Importer
- Path: modules/import/list.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Imports values from a list file into a database table and column.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- COLUMN yes column to import the list values
- FILENAME yes path and filename for list input
- TABLE yes table to import the list values
- [recon-ng][default][list] > #12
- [*] Command: #12
- [recon-ng][default][list] > load recon/companies-contacts/facebook
- [recon-ng][default] > load recon/companies-contacts/facebook
- [recon-ng][default][facebook] > show info
- Name: Facebook Contact Enumerator
- Path: modules/recon/companies-contacts/facebook.py
- Author: Quentin Kaiser (@qkaiser) and Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests contacts from Facebook.com. Updates the 'contacts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE www.facebook.com/ebay yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][facebook] > #12
- [*] Command: #12
- [recon-ng][default][facebook] > load recon/companies-contacts/jigsaw/point_usage
- [recon-ng][default] > load recon/companies-contacts/jigsaw/point_usage
- [recon-ng][default][point_usage] > show info
- Name: Jigsaw - Point Usage Statistics Fetcher
- Path: modules/recon/companies-contacts/jigsaw/point_usage.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the Jigsaw API for the point usage statistics of the given account.
- Options:
- No options available for this module.
- [recon-ng][default][point_usage] > #12
- [*] Command: #12
- [recon-ng][default][point_usage] > load recon/companies-contacts/jigsaw/purchase_contact
- [recon-ng][default] > load recon/companies-contacts/jigsaw/purchase_contact
- [recon-ng][default][purchase_contact] > show info
- Name: Jigsaw - Single Contact Retriever
- Path: modules/recon/companies-contacts/jigsaw/purchase_contact.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Retrieves a single complete contact from the Jigsaw.com API using points from the given account.
- Options:
- Name Current Value Required Description
- ------- ------------- -------- -----------
- CONTACT yes jigsaw contact id
- Comments:
- * Account Point Cost: 5 points per request.
- * This module is typically used to validate email address naming conventions and gather alternative
- social engineering information.
- [recon-ng][default][purchase_contact] > #12
- [*] Command: #12
- [recon-ng][default][purchase_contact] > load recon/companies-contacts/jigsaw/search_contacts
- [recon-ng][default] > load recon/companies-contacts/jigsaw/search_contacts
- [recon-ng][default][search_contacts] > show info
- Name: Jigsaw Contact Enumerator
- Path: modules/recon/companies-contacts/jigsaw/search_contacts.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests contacts from the Jigsaw.com API. Updates the 'contacts' table with the results.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- KEYWORDS no additional keywords to identify company
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][search_contacts] > #12
- [*] Command: #12
- [recon-ng][default][search_contacts] > load recon/companies-contacts/jigsaw_auth
- [recon-ng][default] > load recon/companies-contacts/jigsaw_auth
- [recon-ng][default][jigsaw_auth] > show info
- Name: Jigsaw Authenticated Contact Enumerator
- Path: modules/recon/companies-contacts/jigsaw_auth.py
- Author: Travis Lee (@eelsivart)
- Description:
- Harvests contacts from Data.com using an authenticated user account. Updates the 'contacts' table
- with the results. Use 'keys' to set your jigsaw username and password before use.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][jigsaw_auth] > #12
- [*] Command: #12
- [recon-ng][default][jigsaw_auth] > load recon/companies-contacts/linkedin_auth
- [recon-ng][default] > load recon/companies-contacts/linkedin_auth
- [recon-ng][default][linkedin_auth] > show info
- Name: LinkedIn Authenticated Contact Enumerator
- Path: modules/recon/companies-contacts/linkedin_auth.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests contacts from the LinkedIn.com API using an authenticated connections network. Updates the
- 'contacts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][linkedin_auth] > #12
- [*] Command: #12
- [recon-ng][default][linkedin_auth] > load recon/companies-multi/whois_miner
- [recon-ng][default] > load recon/companies-multi/whois_miner
- [recon-ng][default][whois_miner] > show info
- Name: Whois Data Miner
- Path: modules/recon/companies-multi/whois_miner.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Uses the ARIN Whois RWS to harvest companies, locations, netblocks, and contacts associated with the
- given company search string. Updates the respective tables with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Wildcard searches are allowed using the "*" character.
- * Validate results of the SEARCH string with these URLs:
- - http://whois.arin.net/rest/orgs;name=<SEARCH>
- - http://whois.arin.net/rest/customers;name=<SEARCH>
- [recon-ng][default][whois_miner] > #12
- [*] Command: #12
- [recon-ng][default][whois_miner] > load recon/companies-profiles/bing_linkedin
- [recon-ng][default] > load recon/companies-profiles/bing_linkedin
- [recon-ng][default][bing_linkedin] > show info
- Name: Bing Linkedin Profile Harvester
- Path: modules/recon/companies-profiles/bing_linkedin.py
- Author: Mike Larch and Brian Fehrman (@fullmetalcache)
- Description:
- Harvests contacts from linkedin.com by querying Bing for Linkedin pages related to the given
- companies, parsing the profiles, and adding them to the 'profiles' table
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- LIMIT 2 no number of pages to use from bing search
- PREVIOUS False yes include previous employees
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT company FROM companies WHERE company IS NOT NULL ORDER BY company
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][bing_linkedin] > #12
- [*] Command: #12
- [recon-ng][default][bing_linkedin] > load recon/contacts-contacts/mailtester
- [recon-ng][default] > load recon/contacts-contacts/mailtester
- [recon-ng][default][mailtester] > show info
- Name: MailTester Email Validator
- Path: modules/recon/contacts-contacts/mailtester.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages MailTester.com to validate email addresses.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- REMOVE False yes remove invalid email addresses
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][mailtester] > #12
- [*] Command: #12
- [recon-ng][default][mailtester] > load recon/contacts-contacts/mangle
- [recon-ng][default] > load recon/contacts-contacts/mangle
- [recon-ng][default][mangle] > show info
- Name: Contact Name Mangler
- Path: modules/recon/contacts-contacts/mangle.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Applies a mangle pattern to all of the contacts stored in the database, creating email addresses or
- usernames for each harvested contact. Updates the 'contacts' table with the results.
- Options:
- Name Current Value Required Description
- ---------- ------------- -------- -----------
- DOMAIN no target email domain
- MAX-LENGTH 30 yes maximum length of email address prefix or username
- OVERWRITE False yes overwrite existing email addresses
- PATTERN <fn>.<ln> yes pattern applied to mangle first and last name
- SOURCE default yes source of input (see 'show info' for details)
- SUBSTITUTE - yes character to substitute for invalid email address characters
- Source Options:
- default SELECT rowid, first_name, middle_name, last_name, email FROM contacts ORDER BY first_name
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Pattern options: <fi>,<fn>,<mi>,<mn>,<li>,<ln>
- * Example: <fi>.<ln> => j.doe@domain.com
- * Note: Omit the 'domain' option to create usernames
- [recon-ng][default][mangle] > #12
- [*] Command: #12
- [recon-ng][default][mangle] > load recon/contacts-contacts/unmangle
- [recon-ng][default] > load recon/contacts-contacts/unmangle
- [recon-ng][default][unmangle] > show info
- Name: Contact Name Unmangler
- Path: modules/recon/contacts-contacts/unmangle.py
- Author: Ethan Robish (@EthanRobish)
- Description:
- Applies a regex or unmangle pattern to all of the contacts stored in the database, pulling out the
- individual name components. Updates the 'contacts' table with the results.
- Options:
- Name Current Value Required Description
- --------- ------------- -------- -----------
- OVERWRITE True yes if set to true will update existing contact entry, otherwise it will create a new entry
- PATTERN <fn>.<ln> yes pattern applied to email
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT rowid, first_name, middle_name, last_name, email FROM contacts WHERE email IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Pattern can be either a regex or a pattern.
- * The available patterns are:
- - <fn>.<ln>, <fn>, <fi><ln>, <fn>-<ln>, <ln>, <fn>_<ln>, <ln><fi><mi>, <ln><fi>
- * A regex must capture the values using these named capture groups:
- - (?P<first_name>) (?P<middle_name>) (?P<last_name>)
- * A regex syntax cheatsheet and troubleshooter can be found here:
- - http://pythex.org/ or http://www.pyregex.com/
- [recon-ng][default][unmangle] > #12
- [*] Command: #12
- [recon-ng][default][unmangle] > load recon/contacts-credentials/hibp_breach
- [recon-ng][default] > load recon/contacts-credentials/hibp_breach
- [recon-ng][default][hibp_breach] > show info
- Name: Have I been pwned? Breach Search
- Path: modules/recon/contacts-credentials/hibp_breach.py
- Author: Tim Tomes (@LaNMaSteR53) & Tyler Halfpop (@tylerhalfpop)
- Description:
- Leverages the haveibeenpwned.com API to determine if email addresses are associated with breached
- credentials. Adds compromised email addresses to the 'credentials' table.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL ORDER BY email
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][hibp_breach] > #12
- [*] Command: #12
- [recon-ng][default][hibp_breach] > load recon/contacts-credentials/hibp_paste
- [recon-ng][default] > load recon/contacts-credentials/hibp_paste
- [recon-ng][default][hibp_paste] > show info
- Name: Have I been pwned? Paste Search
- Path: modules/recon/contacts-credentials/hibp_paste.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages the haveibeenpwned.com API to determine if email addresses have been published to various
- paste sites. Adds compromised email addresses to the 'credentials' table.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- DOWNLOAD True yes download pastes
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL ORDER BY email
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Paste sites supported: Pastebin, Pastie, or Slexy
- [recon-ng][default][hibp_paste] > #12
- [*] Command: #12
- [recon-ng][default][hibp_paste] > load recon/contacts-credentials/pwnedlist
- [recon-ng][default] > load recon/contacts-credentials/pwnedlist
- [recon-ng][default][pwnedlist] > show info
- Name: PwnedList Validator
- Path: modules/recon/contacts-credentials/pwnedlist.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages PwnedList.com to determine if email addresses are associated with leaked credentials. Adds
- compromised email addresses to the 'credentials' table.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL ORDER BY email
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][pwnedlist] > #12
- [*] Command: #12
- [recon-ng][default][pwnedlist] > load recon/contacts-domains/migrate_contacts
- [recon-ng][default] > load recon/contacts-domains/migrate_contacts
- [recon-ng][default][migrate_contacts] > show info
- Name: Contacts to Domains Data Migrator
- Path: modules/recon/contacts-domains/migrate_contacts.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Adds a new domain for all the hostnames associated with email addresses stored in the 'contacts'
- table.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * This modules considers that everything after the first element could contain other hosts besides
- the current. Therefore, hosts > 2 domains deep will create domains > 2 elements in length.
- [recon-ng][default][migrate_contacts] > #12
- [*] Command: #12
- [recon-ng][default][migrate_contacts] > load recon/contacts-profiles/fullcontact
- [recon-ng][default] > load recon/contacts-profiles/fullcontact
- [recon-ng][default][fullcontact] > show info
- Name: FullContact Contact Enumerator
- Path: modules/recon/contacts-profiles/fullcontact.py
- Author: Quentin Kaiser (@qkaiser, contact[at]quentinkaiser.be) and Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests contact information and profiles from the fullcontact.com API using email addresses as
- input. Updates the 'contacts' and 'profiles' tables with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT email FROM contacts WHERE email IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][fullcontact] > #12
- [*] Command: #12
- [recon-ng][default][fullcontact] > load recon/credentials-credentials/adobe
- [recon-ng][default] > load recon/credentials-credentials/adobe
- [recon-ng][default][adobe] > show info
- Name: Adobe Hash Cracker
- Path: modules/recon/credentials-credentials/adobe.py
- Author: Ethan Robish (@EthanRobish) and Tim Tomes (@LaNMaSteR53)
- Description:
- Decrypts hashes leaked from the 2013 Adobe breach. First, the module cross references the leak ID to
- identify Adobe hashes in the 'password' column of the 'creds' table, moves the Adobe hashes to the
- 'hash' column, and changes the 'type' to 'Adobe'. Second, the module attempts to crack the hashes
- by comparing the ciphertext's decoded cipher blocks to a local block lookup table (BLOCK_DB) of
- known cipher block values. Finally, the module updates the 'creds' table with the results based on
- the level of success.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- BLOCK_DB /usr/share/recon-ng/data/adobe_blocks.json yes JSON file containing known Adobe cipher blocks and plaintext
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS 'Adobe'
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Hash types supported: Adobe's base64 format
- * Hash database from: http://stricture-group.com/files/adobe-top100.txt
- * A completely padded password indicates that the exact length is known.
- [recon-ng][default][adobe] > #12
- [*] Command: #12
- [recon-ng][default][adobe] > load recon/credentials-credentials/bozocrack
- [recon-ng][default] > load recon/credentials-credentials/bozocrack
- [recon-ng][default][bozocrack] > show info
- Name: PyBozoCrack Hash Lookup
- Path: modules/recon/credentials-credentials/bozocrack.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Searches Google for the value of a hash and tests for a match by hashing every word in the resulting
- page using all hashing algorithms supported by the 'hashlib' library. Updates the 'credentials'
- table with the positive results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS NOT 'Adobe'
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Inspired by the PyBozoCrack script: https://github.com/ikkebr/PyBozoCrack
- [recon-ng][default][bozocrack] > #12
- [*] Command: #12
- [recon-ng][default][bozocrack] > load recon/credentials-credentials/hashes_org
- [recon-ng][default] > load recon/credentials-credentials/hashes_org
- [recon-ng][default][hashes_org] > show info
- Name: Hashes.org Hash Lookup
- Path: modules/recon/credentials-credentials/hashes_org.py
- Author: Tim Tomes (@LaNMaSteR53) and Mike Lisi (@MikeCodesThings)
- Description:
- Uses the Hashes.org API to perform a reverse hash lookup. Updates the 'credentials' table with the
- positive results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS NOT 'Adobe'
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Hash types supported: MD5, MD4, NTLM, LM, DOUBLEMD5, TRIPLEMD5, MD5SHA1, SHA1, MYSQL5, SHA1MD5,
- DOUBLESHA1, RIPEMD160
- [recon-ng][default][hashes_org] > #12
- [*] Command: #12
- [recon-ng][default][hashes_org] > load recon/credentials-credentials/leakdb
- [recon-ng][default] > load recon/credentials-credentials/leakdb
- [recon-ng][default][leakdb] > show info
- Name: leakdb Hash Lookup
- Path: modules/recon/credentials-credentials/leakdb.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Uses the leakdb hash database to perform a reverse hash lookup. Updates the 'credentials' table with
- the positive results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT hash FROM credentials WHERE hash IS NOT NULL AND password IS NULL AND type IS NOT 'Adobe'
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Hash types supported: MD4, MD5, MD5x2, MYSQL 3, MYSQL 4, MYSQL 5, RIPEMD160, NTLM, GOST, SHA1,
- SHA1x2, SHA224, SHA256, SHA384, SHA512, WHIRLPOOL
- [recon-ng][default][leakdb] > #12
- [*] Command: #12
- [recon-ng][default][leakdb] > load recon/domains-contacts/pgp_search
- [recon-ng][default] > load recon/domains-contacts/pgp_search
- [recon-ng][default][pgp_search] > show info
- Name: PGP Key Owner Lookup
- Path: modules/recon/domains-contacts/pgp_search.py
- Author: Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
- Description:
- Searches the MIT public PGP key server for email addresses of the given domain. Updates the
- 'contacts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Inspiration from theHarvester.py by Christan Martorella: cmarorella[at]edge-seecurity.com
- [recon-ng][default][pgp_search] > #12
- [*] Command: #12
- [recon-ng][default][pgp_search] > load recon/domains-contacts/salesmaple
- [recon-ng][default] > load recon/domains-contacts/salesmaple
- [recon-ng][default][salesmaple] > show info
- Name: SalesMaple Contact Harvester
- Path: modules/recon/domains-contacts/salesmaple.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests contacts from the SalesMaple API using domains as input. Updates the 'contacts' table with
- the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][salesmaple] > #12
- [*] Command: #12
- [recon-ng][default][salesmaple] > load recon/domains-contacts/whois_pocs
- [recon-ng][default] > load recon/domains-contacts/whois_pocs
- [recon-ng][default][whois_pocs] > show info
- Name: Whois POC Harvester
- Path: modules/recon/domains-contacts/whois_pocs.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Uses the ARIN Whois RWS to harvest POC data from whois queries for the given domain. Updates the
- 'contacts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][whois_pocs] > #12
- [*] Command: #12
- [recon-ng][default][whois_pocs] > load recon/domains-credentials/pwnedlist/account_creds
- [recon-ng][default] > load recon/domains-credentials/pwnedlist/account_creds
- [recon-ng][default][account_creds] > show info
- Name: PwnedList - Account Credentials Fetcher
- Path: modules/recon/domains-credentials/pwnedlist/account_creds.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the PwnedList API for credentials associated with the given usernames. Updates the
- 'credentials' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT username FROM credentials WHERE username IS NOT NULL and password IS NULL ORDER BY username
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * API Query Cost: 1 query per request.
- [recon-ng][default][account_creds] > #12
- [*] Command: #12
- [recon-ng][default][account_creds] > load recon/domains-credentials/pwnedlist/api_usage
- [recon-ng][default] > load recon/domains-credentials/pwnedlist/api_usage
- [recon-ng][default][api_usage] > show info
- Name: PwnedList - API Usage Statistics Fetcher
- Path: modules/recon/domains-credentials/pwnedlist/api_usage.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the PwnedList API for account usage statistics.
- Options:
- No options available for this module.
- [recon-ng][default][api_usage] > #12
- [*] Command: #12
- [recon-ng][default][api_usage] > load recon/domains-credentials/pwnedlist/domain_creds
- [recon-ng][default] > load recon/domains-credentials/pwnedlist/domain_creds
- [recon-ng][default][domain_creds] > show info
- Name: PwnedList - Pwned Domain Credentials Fetcher
- Path: modules/recon/domains-credentials/pwnedlist/domain_creds.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the PwnedList API to fetch all credentials for a domain. Updates the 'credentials' table
- with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * API Query Cost: 10,000 queries per request plus 1 query for each account returned.
- [recon-ng][default][domain_creds] > #12
- [*] Command: #12
- [recon-ng][default][domain_creds] > load recon/domains-credentials/pwnedlist/domain_ispwned
- [recon-ng][default] > load recon/domains-credentials/pwnedlist/domain_ispwned
- [recon-ng][default][domain_ispwned] > show info
- Name: PwnedList - Pwned Domain Statistics Fetcher
- Path: modules/recon/domains-credentials/pwnedlist/domain_ispwned.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the PwnedList API for a domain to determine if any associated credentials have been
- compromised. This module does NOT return any credentials, only a total number of compromised
- credentials.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * API Query Cost: 1 query per request.
- [recon-ng][default][domain_ispwned] > #12
- [*] Command: #12
- [recon-ng][default][domain_ispwned] > load recon/domains-credentials/pwnedlist/leak_lookup
- [recon-ng][default] > load recon/domains-credentials/pwnedlist/leak_lookup
- [recon-ng][default][leak_lookup] > show info
- Name: PwnedList - Leak Details Fetcher
- Path: modules/recon/domains-credentials/pwnedlist/leak_lookup.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the local database for information associated with a leak ID. The 'leaks_dump' module must
- be used to populate the local database before this module will execute successfully.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT leak FROM credentials WHERE leak IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][leak_lookup] > #12
- [*] Command: #12
- [recon-ng][default][leak_lookup] > load recon/domains-credentials/pwnedlist/leaks_dump
- [recon-ng][default] > load recon/domains-credentials/pwnedlist/leaks_dump
- [recon-ng][default][leaks_dump] > show info
- Name: PwnedList - Leak Details Fetcher
- Path: modules/recon/domains-credentials/pwnedlist/leaks_dump.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the PwnedList API for information associated with all known leaks. Updates the 'leaks' table
- with the results.
- Options:
- No options available for this module.
- Comments:
- * API Query Cost: 1 query per request.
- [recon-ng][default][leaks_dump] > #12
- [*] Command: #12
- [recon-ng][default][leaks_dump] > load recon/domains-domains/brute_suffix
- [recon-ng][default] > load recon/domains-domains/brute_suffix
- [recon-ng][default][brute_suffix] > show info
- Name: DNS Public Suffix Brute Forcer
- Path: modules/recon/domains-domains/brute_suffix.py
- Author: Marcus Watson (@BranMacMuffin)
- Description:
- Brute forces TLDs and SLDs using DNS. Updates the 'domains' table with the results.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- SUFFIXES /usr/share/recon-ng/data/suffixes.txt yes path to public suffix wordlist
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * TLDs: https://data.iana.org/TLD/tlds-alpha-by-domain.txt
- * SLDs: https://raw.github.com/gavingmiller/second-level-domains/master/SLDs.csv
- [recon-ng][default][brute_suffix] > #12
- [*] Command: #12
- [recon-ng][default][brute_suffix] > load recon/domains-hosts/baidu_site
- [recon-ng][default] > load recon/domains-hosts/baidu_site
- [recon-ng][default][baidu_site] > show info
- Name: Baidu Hostname Enumerator
- Path: modules/recon/domains-hosts/baidu_site.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests hosts from Baidu.com by using the 'site' search operator. Updates the 'hosts' table with
- the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][baidu_site] > #12
- [*] Command: #12
- [recon-ng][default][baidu_site] > load recon/domains-hosts/bing_domain_api
- [recon-ng][default] > load recon/domains-hosts/bing_domain_api
- [recon-ng][default][bing_domain_api] > show info
- Name: Bing API Hostname Enumerator
- Path: modules/recon/domains-hosts/bing_domain_api.py
- Author: Marcus Watson (@BranMacMuffin)
- Description:
- Leverages the Bing API and "domain:" advanced search operator to harvest hosts. Updates the 'hosts'
- table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- LIMIT 0 yes limit total number of api requests (0 = unlimited)
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][bing_domain_api] > #12
- [*] Command: #12
- [recon-ng][default][bing_domain_api] > load recon/domains-hosts/bing_domain_web
- [recon-ng][default] > load recon/domains-hosts/bing_domain_web
- [recon-ng][default][bing_domain_web] > show info
- Name: Bing Hostname Enumerator
- Path: modules/recon/domains-hosts/bing_domain_web.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the
- results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][bing_domain_web] > #12
- [*] Command: #12
- [recon-ng][default][bing_domain_web] > load recon/domains-hosts/brute_hosts
- [recon-ng][default] > load recon/domains-hosts/brute_hosts
- [recon-ng][default][brute_hosts] > show info
- Name: DNS Hostname Brute Forcer
- Path: modules/recon/domains-hosts/brute_hosts.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Brute forces host names using DNS. Updates the 'hosts' table with the results.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- SOURCE mcetcolloquium.in yes source of input (see 'show info' for details)
- WORDLIST /usr/share/recon-ng/data/hostnames.txt yes path to hostname wordlist
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][brute_hosts] > #12
- [*] Command: #12
- [recon-ng][default][brute_hosts] > load recon/domains-hosts/builtwith
- [recon-ng][default] > load recon/domains-hosts/builtwith
- [recon-ng][default][builtwith] > show info
- Name: BuiltWith Enumerator
- Path: modules/recon/domains-hosts/builtwith.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages the BuiltWith API to identify hosts, technologies, and contacts associated with a domain.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- SHOW_ALL True yes display technologies
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][builtwith] > #12
- [*] Command: #12
- [recon-ng][default][builtwith] > load recon/domains-hosts/google_site_api
- [recon-ng][default] > load recon/domains-hosts/google_site_api
- [recon-ng][default][google_site_api] > show info
- Name: Google CSE Hostname Enumerator
- Path: modules/recon/domains-hosts/google_site_api.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages the Google Custom Search Engine API to harvest hosts using the 'site' search operator.
- Updates the 'hosts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][google_site_api] > #12
- [*] Command: #12
- [recon-ng][default][google_site_api] > load recon/domains-hosts/google_site_web
- [recon-ng][default] > load recon/domains-hosts/google_site_web
- [recon-ng][default][google_site_web] > show info
- Name: Google Hostname Enumerator
- Path: modules/recon/domains-hosts/google_site_web.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with
- the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][google_site_web] > #12
- [*] Command: #12
- [recon-ng][default][google_site_web] > load recon/domains-hosts/netcraft
- [recon-ng][default] > load recon/domains-hosts/netcraft
- [recon-ng][default][netcraft] > show info
- Name: Netcraft Hostname Enumerator
- Path: modules/recon/domains-hosts/netcraft.py
- Author: thrapt (thrapt@gmail.com)
- Description:
- Harvests hosts from Netcraft.com. Updates the 'hosts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][netcraft] > #12
- [*] Command: #12
- [recon-ng][default][netcraft] > load recon/domains-hosts/shodan_hostname
- [recon-ng][default] > load recon/domains-hosts/shodan_hostname
- [recon-ng][default][shodan_hostname] > show info
- Name: Shodan Hostname Enumerator
- Path: modules/recon/domains-hosts/shodan_hostname.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests hosts from the Shodan API by using the 'hostname' search operator. Updates the 'hosts'
- table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][shodan_hostname] > #12
- [*] Command: #12
- [recon-ng][default][shodan_hostname] > load recon/domains-hosts/ssl_san
- [recon-ng][default] > load recon/domains-hosts/ssl_san
- [recon-ng][default][ssl_san] > show info
- Name: SSL SAN Lookup
- Path: modules/recon/domains-hosts/ssl_san.py
- Author: Zach Grace (@ztgrace) zgrace@403labs.com
- Description:
- Uses the ssltools.com site to obtain the Subject Alternative Names for a domain. Updates the 'hosts'
- table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * For an alternative version see https://github.com/403labs/recon-ng_modules.
- [recon-ng][default][ssl_san] > #12
- [*] Command: #12
- [recon-ng][default][ssl_san] > load recon/domains-hosts/vpnhunter
- [recon-ng][default] > load recon/domains-hosts/vpnhunter
- [recon-ng][default][vpnhunter] > show info
- Name: VPNHunter Lookup
- Path: modules/recon/domains-hosts/vpnhunter.py
- Author: Quentin Kaiser (contact[at]quentinkaiser.be)
- Description:
- Checks vpnhunter.com for SSL VPNs, remote accesses, email portals and generic login sites. Updates
- the 'hosts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][vpnhunter] > #12
- [*] Command: #12
- [recon-ng][default][vpnhunter] > load recon/domains-hosts/yahoo_domain
- [recon-ng][default] > load recon/domains-hosts/yahoo_domain
- [recon-ng][default][yahoo_domain] > show info
- Name: Yahoo Hostname Enumerator
- Path: modules/recon/domains-hosts/yahoo_domain.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests hosts from Yahoo.com by using the 'domain' search operator. Updates the 'hosts' table with
- the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][yahoo_domain] > #12
- [*] Command: #12
- [recon-ng][default][yahoo_domain] > load recon/domains-vulnerabilities/punkspider
- [recon-ng][default] > load recon/domains-vulnerabilities/punkspider
- [recon-ng][default][punkspider] > show info
- Name: PunkSPIDER Vulnerabilty Finder
- Path: modules/recon/domains-vulnerabilities/punkspider.py
- Author: Tim Tomes (@LaNMaSteR53) and thrapt (thrapt@gmail.com)
- Description:
- Leverages the PunkSPIDER API to search for previosuly discovered vulnerabltiies on hosts within a
- domain.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][punkspider] > #12
- [*] Command: #12
- [recon-ng][default][punkspider] > load recon/domains-vulnerabilities/xssed
- [recon-ng][default] > load recon/domains-vulnerabilities/xssed
- [recon-ng][default][xssed] > show info
- Name: XSSed Domain Lookup
- Path: modules/recon/domains-vulnerabilities/xssed.py
- Author: Micah Hoffman (@WebBreacher)
- Description:
- Checks XSSed.com for XSS records associated with a domain and displays the first 20 results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][xssed] > #12
- [*] Command: #12
- [recon-ng][default][xssed] > load recon/domains-vulnerabilities/xssposed
- [recon-ng][default] > load recon/domains-vulnerabilities/xssposed
- [recon-ng][default][xssposed] > show info
- Name: XSSposed Domain Lookup
- Path: modules/recon/domains-vulnerabilities/xssposed.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Checks XSSposed.com for XSS records associated with a domain.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL ORDER BY domain
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][xssposed] > #12
- [*] Command: #12
- [recon-ng][default][xssposed] > load recon/hosts-domains/migrate_hosts
- [recon-ng][default] > load recon/hosts-domains/migrate_hosts
- [recon-ng][default][migrate_hosts] > show info
- Name: Hosts to Domains Data Migrator
- Path: modules/recon/hosts-domains/migrate_hosts.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Adds a new domain for all the hostnames stored in the 'hosts' table.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * This modules considers that everything after the first element could contain other hosts besides
- the current. Therefore, hosts > 2 domains deep will create domains > 2 elements in length.
- [recon-ng][default][migrate_hosts] > #12
- [*] Command: #12
- [recon-ng][default][migrate_hosts] > load recon/hosts-hosts/bing_ip
- [recon-ng][default] > load recon/hosts-hosts/bing_ip
- [recon-ng][default][bing_ip] > show info
- Name: Bing API IP Neighbor Enumerator
- Path: modules/recon/hosts-hosts/bing_ip.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages the Bing API and "ip:" advanced search operator to enumerate other virtual hosts sharing
- the same IP address. Updates the 'hosts' table with the results.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- RESTRICT True yes restrict added hosts to current domains
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * This module only stores hosts whose domain matches an entry in the domains table.
- [recon-ng][default][bing_ip] > #12
- [*] Command: #12
- [recon-ng][default][bing_ip] > load recon/hosts-hosts/freegeoip
- [recon-ng][default] > load recon/hosts-hosts/freegeoip
- [recon-ng][default][freegeoip] > show info
- Name: FreeGeoIP
- Path: modules/recon/hosts-hosts/freegeoip.py
- Author: Gerrit Helm (G) and Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages the freegeoip.net API to geolocate a host by IP address. Updates the 'hosts' table with
- the results.
- Options:
- Name Current Value Required Description
- --------- ------------- -------- -----------
- SERVERURL http://freegeoip.net yes overwrite server url (e.g. for local installations)
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Allows up to 10,000 queries per hour by default. Once this limit is reached, all requests will
- result in HTTP 403, forbidden, until the quota is cleared.
- [recon-ng][default][freegeoip] > #12
- [*] Command: #12
- [recon-ng][default][freegeoip] > load recon/hosts-hosts/ip_neighbor
- [recon-ng][default] > load recon/hosts-hosts/ip_neighbor
- [recon-ng][default][ip_neighbor] > show info
- Name: My-IP-Neighbors.com Lookup
- Path: modules/recon/hosts-hosts/ip_neighbor.py
- Author: Micah Hoffman (@WebBreacher)
- Description:
- Checks My-IP-Neighbors.com for virtual hosts on the same server. Updates the 'hosts' table with the
- results.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- RESTRICT True yes restrict added hosts to current domains
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * This module only stores hosts whose domain matches an entry in the domains table.
- * Knowing what other hosts are hosted on a provider's server can sometimes yield interesting results
- and help identify additional targets for assessment.
- [recon-ng][default][ip_neighbor] > #12
- [*] Command: #12
- [recon-ng][default][ip_neighbor] > load recon/hosts-hosts/ipinfodb
- [recon-ng][default] > load recon/hosts-hosts/ipinfodb
- [recon-ng][default][ipinfodb] > show info
- Name: IPInfoDB GeoIP
- Path: modules/recon/hosts-hosts/ipinfodb.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Leverages the ipinfodb.com API to geolocate a host by IP address. Updates the 'hosts' table with the
- results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][ipinfodb] > #12
- [*] Command: #12
- [recon-ng][default][ipinfodb] > load recon/hosts-hosts/resolve
- [recon-ng][default] > load recon/hosts-hosts/resolve
- [recon-ng][default][resolve] > show info
- Name: Hostname Resolver
- Path: modules/recon/hosts-hosts/resolve.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Resolves the IP address for a host. Updates the 'hosts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Note: Nameserver must be in IP form.
- [recon-ng][default][resolve] > #12
- [*] Command: #12
- [recon-ng][default][resolve] > load recon/hosts-hosts/reverse_resolve
- [recon-ng][default] > load recon/hosts-hosts/reverse_resolve
- [recon-ng][default][reverse_resolve] > show info
- Name: Reverse Resolver
- Path: modules/recon/hosts-hosts/reverse_resolve.py
- Author: John Babio (@3vi1john), @vulp1n3, and Tim Tomes (@LaNMaSteR53)
- Description:
- Conducts a reverse lookup for each IP address to resolve the hostname. Updates the 'hosts' table
- with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][reverse_resolve] > #12
- [*] Command: #12
- [recon-ng][default][reverse_resolve] > load recon/locations-locations/geocode
- [recon-ng][default] > load recon/locations-locations/geocode
- [recon-ng][default][geocode] > show info
- Name: Address Geocoder
- Path: modules/recon/locations-locations/geocode.py
- Author: Quentin Kaiser (contact@quentinkaiser.be)
- Description:
- Queries the Google Maps API to obtain coordinates for an address. Updates the 'locations' table with
- the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT street_address FROM locations WHERE street_address IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][geocode] > #12
- [*] Command: #12
- [recon-ng][default][geocode] > load recon/locations-locations/reverse_geocode
- [recon-ng][default] > load recon/locations-locations/reverse_geocode
- [recon-ng][default][reverse_geocode] > show info
- Name: Reverse Geocoder
- Path: modules/recon/locations-locations/reverse_geocode.py
- Author: Quentin Kaiser (contact@quentinkaiser.be)
- Description:
- Queries the Google Maps API to obtain an address from coordinates.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][reverse_geocode] > #12
- [*] Command: #12
- [recon-ng][default][reverse_geocode] > load recon/locations-pushpins/flickr
- [recon-ng][default] > load recon/locations-pushpins/flickr
- [recon-ng][default][flickr] > show info
- Name: Flickr Geolocation Search
- Path: modules/recon/locations-pushpins/flickr.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Searches Flickr for media in the specified proximity to a location.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- RADIUS 1 yes radius in kilometers
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Radius must be greater than zero and less than 32 kilometers.
- [recon-ng][default][flickr] > #12
- [*] Command: #12
- [recon-ng][default][flickr] > load recon/locations-pushpins/instagram
- [recon-ng][default] > load recon/locations-pushpins/instagram
- [recon-ng][default][instagram] > show info
- Name: Instagram Geolocation Search
- Path: modules/recon/locations-pushpins/instagram.py
- Author: Nathan Malcolm (@SintheticLabs) and Tim Tomes (@LaNMaSteR53)
- Description:
- Searches Instagram for media in the specified proximity to a location.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- RADIUS 1 yes radius in kilometers
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Radius must be greater than zero and no more than 5 kilometers (5000 meters).
- [recon-ng][default][instagram] > #12
- [*] Command: #12
- [recon-ng][default][instagram] > load recon/locations-pushpins/picasa
- [recon-ng][default] > load recon/locations-pushpins/picasa
- [recon-ng][default][picasa] > show info
- Name: Picasa Geolocation Search
- Path: modules/recon/locations-pushpins/picasa.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Searches Picasa for media in the specified proximity to a location.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- RADIUS 1 yes radius in kilometers
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][picasa] > #12
- [*] Command: #12
- [recon-ng][default][picasa] > load recon/locations-pushpins/shodan
- [recon-ng][default] > load recon/locations-pushpins/shodan
- [recon-ng][default][shodan] > show info
- Name: Shodan Geolocation Search
- Path: modules/recon/locations-pushpins/shodan.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Searches Shodan for media in the specified proximity to a location.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
- RADIUS 1 yes radius in kilometers
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Shodan 'geo' searches can take a long time to complete. If receiving connection timeout errors,
- increase the global SOCKET_TIMEOUT option.
- [recon-ng][default][shodan] > #12
- [*] Command: #12
- [recon-ng][default][shodan] > load recon/locations-pushpins/twitter
- [recon-ng][default] > load recon/locations-pushpins/twitter
- [recon-ng][default][twitter] > show info
- Name: Twitter Geolocation Search
- Path: modules/recon/locations-pushpins/twitter.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Searches Twitter for media in the specified proximity to a location.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- RADIUS 1 yes radius in kilometers
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][twitter] > #12
- [*] Command: #12
- [recon-ng][default][twitter] > load recon/locations-pushpins/youtube
- [recon-ng][default] > load recon/locations-pushpins/youtube
- [recon-ng][default][youtube] > show info
- Name: YouTube Geolocation Search
- Path: modules/recon/locations-pushpins/youtube.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Searches YouTube for media in the specified proximity to a location.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- RADIUS 1 yes radius in kilometers
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT latitude || ',' || longitude FROM locations WHERE latitude IS NOT NULL AND longitude IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Radius must be greater than zero and less than 1000 kilometers.
- [recon-ng][default][youtube] > #12
- [*] Command: #12
- [recon-ng][default][youtube] > load recon/netblocks-companies/whois_orgs
- [recon-ng][default] > load recon/netblocks-companies/whois_orgs
- [recon-ng][default][whois_orgs] > show info
- Name: Whois Company Harvester
- Path: modules/recon/netblocks-companies/whois_orgs.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Uses the ARIN Whois RWS to harvest Companies data from whois queries for the given netblock. Updates
- the 'companies' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][whois_orgs] > #12
- [*] Command: #12
- [recon-ng][default][whois_orgs] > load recon/netblocks-hosts/reverse_resolve
- [recon-ng][default] > load recon/netblocks-hosts/reverse_resolve
- [recon-ng][default][reverse_resolve] > show info
- Name: Reverse Resolver
- Path: modules/recon/netblocks-hosts/reverse_resolve.py
- Author: John Babio (@3vi1john)
- Description:
- Conducts a reverse lookup for each of a netblock's IP addresses to resolve the hostname. Updates the
- 'hosts' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][reverse_resolve] > #12
- [*] Command: #12
- [recon-ng][default][reverse_resolve] > load recon/netblocks-hosts/shodan_net
- [recon-ng][default] > load recon/netblocks-hosts/shodan_net
- [recon-ng][default][shodan_net] > show info
- Name: Shodan Network Enumerator
- Path: modules/recon/netblocks-hosts/shodan_net.py
- Author: Mike Siegel and Tim Tomes (@LaNMaSteR53)
- Description:
- Harvests hosts from the Shodan API by using the 'net' search operator. Updates the 'hosts' table
- with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- LIMIT 1 yes limit number of api requests per input source (0 = unlimited)
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL ORDER BY netblock
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][shodan_net] > #12
- [*] Command: #12
- [recon-ng][default][shodan_net] > load recon/netblocks-ports/census_2012
- [recon-ng][default] > load recon/netblocks-ports/census_2012
- [recon-ng][default][census_2012] > show info
- Name: Internet Census 2012 Lookup
- Path: modules/recon/netblocks-ports/census_2012.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Queries the Internet Census 2012 data through Exfiltrated.com to enumerate open ports for a
- netblock.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * http://exfiltrated.com/querystart.php
- [recon-ng][default][census_2012] > #12
- [*] Command: #12
- [recon-ng][default][census_2012] > load recon/ports-hosts/migrate_ports
- [recon-ng][default] > load recon/ports-hosts/migrate_ports
- [recon-ng][default][migrate_ports] > show info
- Name: Ports to Hosts Data Migrator
- Path: modules/recon/ports-hosts/migrate_ports.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Adds a new host for all the hostnames stored in the 'ports' table.
- Options:
- No options available for this module.
- [recon-ng][default][migrate_ports] > #12
- [*] Command: #12
- [recon-ng][default][migrate_ports] > load recon/profiles-contacts/dev_diver
- [recon-ng][default] > load recon/profiles-contacts/dev_diver
- [recon-ng][default][dev_diver] > show info
- Name: Dev Diver Repository Activity Examiner
- Path: modules/recon/profiles-contacts/dev_diver.py
- Author: Micah Hoffman (@WebBreacher)
- Description:
- Searches public code repositories for information about a given username.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][dev_diver] > #12
- [*] Command: #12
- [recon-ng][default][dev_diver] > load recon/profiles-contacts/linkedin
- [recon-ng][default] > load recon/profiles-contacts/linkedin
- [recon-ng][default][linkedin] > show info
- Name: Linkedin Contact Crawler
- Path: modules/recon/profiles-contacts/linkedin.py
- Author: Mike Larch and Brian Fehrman
- Description:
- Harvests contact information from linkedin.com by parsing the link(s) given and adding the info to
- the 'contacts' table.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT url FROM profiles WHERE url IS NOT NULL ORDER BY url
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][linkedin] > #12
- [*] Command: #12
- [recon-ng][default][linkedin] > load recon/profiles-profiles/linkedin_crawl
- [recon-ng][default] > load recon/profiles-profiles/linkedin_crawl
- [recon-ng][default][linkedin_crawl] > show info
- Name: Linkedin Profile Crawler
- Path: modules/recon/profiles-profiles/linkedin_crawl.py
- Author: Mike Larch and Brian Fehrman (@fullmetalcache)
- Description:
- Harvests profiles from linkedin.com by visting the given link(s), crawling the "Viewers of this
- profile also viewed", parsing the pages, and adding new profiles to the 'profiles' table
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- PREVIOUS False yes include previous employees
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT url FROM profiles WHERE url IS NOT NULL ORDER BY url
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- [recon-ng][default][linkedin_crawl] > #12
- [*] Command: #12
- [recon-ng][default][linkedin_crawl] > load recon/profiles-profiles/namechk
- [recon-ng][default] > load recon/profiles-profiles/namechk
- [recon-ng][default][namechk] > show info
- Name: NameChk.com Username Validator
- Path: modules/recon/profiles-profiles/namechk.py
- Author: Tim Tomes (@LaNMaSteR53) and thrapt (thrapt@gmail.com)
- Description:
- Leverages NameChk.com to validate the existance of usernames on specific web sites and updates the
- 'profiles' table with the results.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Note: The global timeout option may need to be increased to support slower sites.
- [recon-ng][default][namechk] > #12
- [*] Command: #12
- [recon-ng][default][namechk] > load recon/profiles-profiles/profiler
- [recon-ng][default] > load recon/profiles-profiles/profiler
- [recon-ng][default][profiler] > show info
- Name: OSINT HUMINT Profile Collector
- Path: modules/recon/profiles-profiles/profiler.py
- Author: Micah Hoffman (@WebBreacher)
- Description:
- Takes each username from the profiles table and searches a variety of web sites for those users.
- Options:
- Name Current Value Required Description
- ------- ------------- -------- -----------
- SITE_DB /usr/share/recon-ng/data/profiler_sites.json yes JSON file containing known sites and response codes
- SOURCE default yes source of input (see 'show info' for details)
- Source Options:
- default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Note: The global timeout option may need to be increased to support slower sites.
- * Warning: Using this module behind a filtering proxy may cause false negatives as some of these
- sites may be blocked.
- [recon-ng][default][profiler] > #12
- [*] Command: #12
- [recon-ng][default][profiler] > load recon/profiles-profiles/twitter
- [recon-ng][default] > load recon/profiles-profiles/twitter
- [recon-ng][default][twitter] > show info
- Name: Twitter Handles
- Path: modules/recon/profiles-profiles/twitter.py
- Author: Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
- Description:
- Searches Twitter for users that mentioned, or were mentioned by, the given handle.
- Options:
- Name Current Value Required Description
- ------ ------------- -------- -----------
- SOURCE default yes source of input (see 'show info' for details)
- UNTIL no date-time group in the form YYYY-MM-DD
- Source Options:
- default SELECT DISTINCT username FROM profiles WHERE username IS NOT NULL AND resource='Twitter' COLLATE NOCASE
- <string> string representing a single input
- <path> path to a file containing a list of inputs
- query <sql> database query returning one column of inputs
- Comments:
- * Twitter limits searchable tweet history to ~3 days.
- [recon-ng][default][twitter] > #12
- [*] Command: #12
- [recon-ng][default][twitter] > load reporting/csv
- [recon-ng][default] > load reporting/csv
- [recon-ng][default][csv] > show info
- Name: CSV File Creator
- Path: modules/reporting/csv.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Creates a CSV file containing the specified harvested data.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- FILENAME /root/.recon-ng/workspaces/default/results.csv yes path and filename for output
- TABLE hosts yes source table of data to export
- [recon-ng][default][csv] > #12
- [*] Command: #12
- [recon-ng][default][csv] > load reporting/html
- [recon-ng][default] > load reporting/html
- [recon-ng][default][html] > show info
- Name: HTML Report Generator
- Path: modules/reporting/html.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Creates a HTML report.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- CREATOR yes creator name for the report footer
- CUSTOMER yes customer name for the report header
- FILENAME /root/.recon-ng/workspaces/default/results.html yes path and filename for report output
- SANITIZE True yes mask sensitive data in the report
- [recon-ng][default][html] > #12
- [*] Command: #12
- [recon-ng][default][html] > load reporting/json
- [recon-ng][default] > load reporting/json
- [recon-ng][default][json] > show info
- Name: JSON Report Generator
- Path: modules/reporting/json.py
- Author: Paul (@PaulWebSec)
- Version: v0.0.1
- Description:
- Creates a JSON report.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- FILENAME /root/.recon-ng/workspaces/default/results.json yes path and filename for report output
- TABLES hosts, contacts, credentials yes comma delineated list of tables
- [recon-ng][default][json] > #12
- [*] Command: #12
- [recon-ng][default][json] > load reporting/list
- [recon-ng][default] > load reporting/list
- [recon-ng][default][list] > show info
- Name: List Creator
- Path: modules/reporting/list.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Creates a file containing a list of records from the database.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- COLUMN ip_address yes source column of data for the list
- FILENAME /root/.recon-ng/workspaces/default/list.txt yes path and filename for output
- NULLS False yes include nulls in the dataset
- TABLE hosts yes source table of data for the list
- UNIQUE True yes only return unique items from the dataset
- [recon-ng][default][list] > #12
- [*] Command: #12
- [recon-ng][default][list] > load reporting/pushpin
- [recon-ng][default] > load reporting/pushpin
- [recon-ng][default][pushpin] > show info
- Name: PushPin Report Generator
- Path: modules/reporting/pushpin.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Creates HTML media and map reports for all of the PushPins stored in the database.
- Options:
- Name Current Value Required Description
- -------------- ------------- -------- -----------
- LATITUDE yes latitude of the epicenter
- LONGITUDE yes longitude of the epicenter
- MAP_FILENAME /root/.recon-ng/workspaces/default/pushpin_map.html yes path and filename for pushpin map report
- MEDIA_FILENAME /root/.recon-ng/workspaces/default/pushpin_media.html yes path and filename for pushpin media report
- RADIUS yes radius from the epicenter in kilometers
- [recon-ng][default][pushpin] > #12
- [*] Command: #12
- [recon-ng][default][pushpin] > load reporting/xlsx
- [recon-ng][default] > load reporting/xlsx
- [recon-ng][default][xlsx] > show info
- Name: XLSX File Creator
- Path: modules/reporting/xlsx.py
- Author: Tim Tomes (@LaNMaSteR53)
- Description:
- Creates an Excel compatible XLSX file containing the entire data set.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- FILENAME /root/.recon-ng/workspaces/default/results.xlsx yes path and filename for output
- [recon-ng][default][xlsx] > #12
- [*] Command: #12
- [recon-ng][default][xlsx] > load reporting/xml
- [recon-ng][default] > load reporting/xml
- [recon-ng][default][xml] > show info
- Name: XML Report Generator
- Path: modules/reporting/xml.py
- Author: Eric Humphries (@e2fsck) and Tim Tomes (@LaNMaSteR53)
- Version: v0.0.2
- Description:
- Creates a XML report.
- Options:
- Name Current Value Required Description
- -------- ------------- -------- -----------
- FILENAME /root/.recon-ng/workspaces/default/results.xml yes path and filename for report output
- TABLES hosts, contacts, credentials yes comma delineated list of tables
- [recon-ng][default][xml] > exit