How to enumerate the sub-domain with recon-ng

Overview

The previous article, How to enumerate the sub-domain with Netcraft, explained how to collect sub-domains using “Netcraft”. This article still uses “Netcraft”, but through a program called “recon-ng”. In addition, “recon-ng” has many other modules for gathering information about a web site and its web server.

Steps

  1. Use “Kali Linux”
  2. Open a command prompt and run the following command
    recon-ng
    
  3. If the version turns out to be out of date, as shown below, download the new one
    root@kali:~# recon-ng
    
        _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
       _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
      _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
     _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
    _/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
    
                          [recon-ng v3.1.1, Tim Tomes (@LaNMaSteR53)]                       
    
    [64] Recon modules
    [7]  Discovery modules
    [4]  Reporting modules
    [2]  Exploitation modules
    
    Your version of Recon-ng is out of date. Would you like to continue anyway? [Y]: 
    
  4. Go to the website https://bitbucket.org/LaNMaSteR53/recon-ng/src
  5. Click the “Clone” menu, then download the repository from the Kali command prompt using the command
    git clone https://bitbucket.org/LaNMaSteR53/recon-ng.git
    
  6. When the download finishes, check the program in the directory shown below
    root@kali:~# ls -l
    total 418576
    drwxr-xr-x  3 root root        4096 Feb 12 08:07 Desktop
    drwxr-xr-x  6 root root        4096 Feb 27 22:39 recon-ng
    root@kali:~# cd recon-ng/
    root@kali:~/recon-ng# ls -l
    total 72
    drwxr-xr-x 2 root root  4096 Feb 27 22:39 data
    -rw-r--r-- 1 root root 35141 Feb 27 22:39 LICENSE
    drwxr-xr-x 7 root root  4096 Feb 27 22:39 modules
    -rw-r--r-- 1 root root  2083 Feb 27 22:39 README.md
    drwxr-xr-x 5 root root  4096 Feb 27 22:39 recon
    -rwxr-xr-x 1 root root  3358 Feb 27 22:39 recon-cli
    -rwxr-xr-x 1 root root  2003 Feb 27 22:39 recon-ng
    -rwxr-xr-x 1 root root  3072 Feb 27 22:39 recon-rpc
    -rw-r--r-- 1 root root   146 Feb 27 22:39 REQUIREMENTS
    -rw-r--r-- 1 root root   299 Feb 27 22:39 VERSION
    
  7. Then start the new version of the program using the command
    root@kali:~/recon-ng# python recon-ng
    [!] Module 'reporting/xml' disabled. Dependency required: 'dicttoxml'.
    [!] Module 'reporting/xlsx' disabled. Dependency required: 'xlsxwriter'.
    [!] Module 'recon/domains-contacts/metacrawler' disabled. Dependency required: 'PyPDF2'.
    [!] Module 'recon/domains-credentials/pwnedlist/account_creds' disabled. Dependency required: 'aes'.
    [!] Module 'recon/domains-credentials/pwnedlist/domain_creds' disabled. Dependency required: 'aes'.
                                                                                            
        _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
       _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
      _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
     _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
    _/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                            
    
                                              /\
                                             / \\ /\
            Sponsored by...           /\  /\/  \\V  \/\
                                     / \\/ // \\\\\ \\ \/\
                                    // // BLACK HILLS \/ \\
                                   www.blackhillsinfosec.com
    
                          [recon-ng v4.7.3, Tim Tomes (@LaNMaSteR53)]                       
    
    [76] Recon modules
    [5]  Reporting modules
    [5]  Disabled modules
    [2]  Import modules
    [2]  Exploitation modules
    
    
  8. To gather information we need the “Recon” modules, so check which modules are available using the command
    [recon-ng][default] > use recon
    [*] Multiple modules match 'recon'.
    
      Recon
      -----
        recon/companies-contacts/indeed
        recon/companies-contacts/jigsaw/point_usage
        recon/companies-contacts/jigsaw/purchase_contact
        recon/companies-contacts/jigsaw/search_contacts
        recon/companies-contacts/linkedin_auth
        recon/companies-multi/github_miner
        recon/companies-multi/whois_miner
        recon/companies-profiles/bing_linkedin
        recon/contacts-contacts/mailtester
        recon/contacts-contacts/mangle
        recon/contacts-contacts/unmangle
        recon/contacts-credentials/hibp_breach
        recon/contacts-credentials/hibp_paste
        recon/contacts-domains/migrate_contacts
        recon/contacts-profiles/fullcontact
        recon/credentials-credentials/adobe
        recon/credentials-credentials/bozocrack
        recon/credentials-credentials/hashes_org
        recon/credentials-credentials/leakdb
        recon/domains-contacts/pgp_search
        recon/domains-contacts/salesmaple
        recon/domains-contacts/whois_pocs
        recon/domains-credentials/pwnedlist/api_usage
        recon/domains-credentials/pwnedlist/domain_ispwned
        recon/domains-credentials/pwnedlist/leak_lookup
        recon/domains-credentials/pwnedlist/leaks_dump
        recon/domains-domains/brute_suffix
        recon/domains-hosts/baidu_site
        recon/domains-hosts/bing_domain_api
        recon/domains-hosts/bing_domain_web
        recon/domains-hosts/brute_hosts
        recon/domains-hosts/builtwith
        recon/domains-hosts/google_site_api
        recon/domains-hosts/google_site_web
        recon/domains-hosts/netcraft
        recon/domains-hosts/shodan_hostname
        recon/domains-hosts/ssl_san
        recon/domains-hosts/vpnhunter
        recon/domains-hosts/yahoo_domain
        recon/domains-vulnerabilities/ghdb
        recon/domains-vulnerabilities/punkspider
        recon/domains-vulnerabilities/xssed
        recon/domains-vulnerabilities/xssposed
        recon/hosts-domains/migrate_hosts
        recon/hosts-hosts/bing_ip
        recon/hosts-hosts/freegeoip
        recon/hosts-hosts/ip_neighbor
        recon/hosts-hosts/ipinfodb
        recon/hosts-hosts/resolve
        recon/hosts-hosts/reverse_resolve
        recon/hosts-hosts/ssltools
        recon/hosts-locations/migrate_hosts
        recon/hosts-ports/shodan_ip
        recon/locations-locations/geocode
        recon/locations-locations/reverse_geocode
        recon/locations-pushpins/flickr
        recon/locations-pushpins/instagram
        recon/locations-pushpins/picasa
        recon/locations-pushpins/shodan
        recon/locations-pushpins/twitter
        recon/locations-pushpins/youtube
        recon/netblocks-companies/whois_orgs
        recon/netblocks-hosts/reverse_resolve
        recon/netblocks-hosts/shodan_net
        recon/netblocks-ports/census_2012
        recon/netblocks-ports/censysio
        recon/ports-hosts/migrate_ports
        recon/profiles-contacts/dev_diver
        recon/profiles-contacts/linkedin
        recon/profiles-profiles/linkedin_crawl
        recon/profiles-profiles/namechk
        recon/profiles-profiles/profiler
        recon/profiles-profiles/twitter
        recon/profiles-repositories/github_repos
        recon/repositories-vulnerabilities/gists_search
        recon/repositories-vulnerabilities/github_dorks
    
  9. Narrow the selection down further to only the modules related to “Domain”
    [recon-ng][default] > use recon/domains
    [*] Multiple modules match 'recon/domains'.
    
      Recon
      -----
        recon/domains-contacts/pgp_search
        recon/domains-contacts/salesmaple
        recon/domains-contacts/whois_pocs
        recon/domains-credentials/pwnedlist/api_usage
        recon/domains-credentials/pwnedlist/domain_ispwned
        recon/domains-credentials/pwnedlist/leak_lookup
        recon/domains-credentials/pwnedlist/leaks_dump
        recon/domains-domains/brute_suffix
        recon/domains-hosts/baidu_site
        recon/domains-hosts/bing_domain_api
        recon/domains-hosts/bing_domain_web
        recon/domains-hosts/brute_hosts
        recon/domains-hosts/builtwith
        recon/domains-hosts/google_site_api
        recon/domains-hosts/google_site_web
        recon/domains-hosts/netcraft
        recon/domains-hosts/shodan_hostname
        recon/domains-hosts/ssl_san
        recon/domains-hosts/vpnhunter
        recon/domains-hosts/yahoo_domain
        recon/domains-vulnerabilities/ghdb
        recon/domains-vulnerabilities/punkspider
        recon/domains-vulnerabilities/xssed
        recon/domains-vulnerabilities/xssposed
    
    
  10. The list includes the “Netcraft” module. Load it using the following commands
    [recon-ng][default] > use recon/domains-hosts/netcraft
    [recon-ng][default][netcraft] > set
    Sets module options
    
    Usage: set<option> <value>
    
      Name    Current Value  Required  Description
      ------  -------------  --------  -----------
      SOURCE  default        yes       source of input (see 'show info' for details)
    
    
  11. In the step above, we used the “set” command to check which values must be set first. In this example that is “SOURCE”, which we must set to the domain as follows
    [recon-ng][default][netcraft] > set SOURCE facebook.com
    SOURCE => facebook.com
    
  12. Start the module with the “run” command
    [recon-ng][default][netcraft] > run
    
  13. Wait for the program to finish, as in the following example
    ------------
    FACEBOOK.COM
    ------------
    [*] URL: http://searchdns.netcraft.com/?{'restriction': 'site+ends+with', 'host': 'facebook.com'}
    [*] zh-tw.facebook.com
    [*] www.facebook.com
    [*] m.facebook.com
    [*] apps.facebook.com
    [*] sv-se.facebook.com
    [*] static.ak.facebook.com
    [*] wwww.facebook.com
    [*] pt-br.facebook.com
    [*] graph.facebook.com
    [*] nb.facebook.com
    [*] en-gb.facebook.com
    [*] lm.facebook.com
    [*] it-it.facebook.com
    [*] fr-fr.facebook.com
    [*] pl-pl.facebook.com
    [*] staticxx.facebook.com
    [*] h.facebook.com
    [*] de-de.facebook.com
    [*] l.facebook.com
    [*] es-es.facebook.com
    [*] Next page available! Requesting again...
    [*] Sleeping to Avoid Lock-out...
    [*] URL: http://searchdns.netcraft.com/?{'restriction': 'site+ends+with', 'host': 'facebook.com', 'last': 'h.facebook.com', 'from': '21'}
    [*] ja-jp.facebook.com
    [*] ww.facebook.com
    [*] business.facebook.com
    [*] qmul.facebook.com
    [*] es-la.facebook.com
    [*] touch.facebook.com
    [*] mbasic.facebook.com
    [*] pl.facebook.com
    [*] nl-nl.facebook.com
    [*] developer.facebook.com
    [*] 0.facebook.com
    [*] da-dk.facebook.com
    [*] developers.facebook.com
    [*] ru-ru.facebook.com
    [*] vi-vn.facebook.com
    [*] mobile.facebook.com
    [*] connect.facebook.com
    [*] api.facebook.com
    [*] hu-hu.facebook.com
    [*] ca-es.facebook.com
    [*] Next page available! Requesting again...
    [*] Sleeping to Avoid Lock-out...
    [*] URL: http://searchdns.netcraft.com/?{'restriction': 'site+ends+with', 'host': 'facebook.com', 'last': 'connect.facebook.com', 'from': '41'}
    [*] el-gr.facebook.com
    [*] fb.facebook.com
    [*] bg-bg.facebook.com
    [*] fi-fi.facebook.com
    [*] facebook.facebook.com
    [*] sv.facebook.com
    [*] th-th.facebook.com
    [*] postmaster.facebook.com
    [*] web.facebook.com
    [*] z-m-www.facebook.com
    [*] ar-ar.facebook.com
    [*] de.facebook.com
    [*] free.facebook.com
    [*] origami.facebook.com
    [*] tr-tr.facebook.com
    [*] zh-hk.facebook.com
    [*] www.graph.facebook.com
    [*] id-id.facebook.com
    [*] www.new.facebook.com
    [*] m2.facebook.com
    [*] Next page available! Requesting again...
    [*] Sleeping to Avoid Lock-out...
    [*] URL: http://searchdns.netcraft.com/?{'restriction': 'site+ends+with', 'host': 'facebook.com', 'last': 'postmaster.facebook.com', 'from': '61'}
    [*] www.prod.facebook.com
    [*] s-static.ak.facebook.com
    [*] www.connect.facebook.com
    [*] hr-hr.facebook.com
    [*] beta.facebook.com
    [*] x.facebook.com
    [*] blog.facebook.com
    [*] es.facebook.com
    [*] nb-no.facebook.com
    [*] ro-ro.facebook.com
    [*] zh-cn.facebook.com
    [*] pt-pt.facebook.com
    [*] login.facebook.com
    [*] fr-ca.facebook.com
    [*] sl-si.facebook.com
    [*] chat.facebook.com
    [*] web.static.ak.facebook.com
    [*] design.facebook.com
    
    -------
    SUMMARY
    -------
    [*] 78 total (78 new) hosts found.
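
Added example (not part of the original article or of recon-ng itself): a Python parser for the netcraft module output format shown in step 13. It de-duplicates the reported hosts, separates any that fall outside the SOURCE domain, and checks the count against the SUMMARY line, so the result can feed an inventory of your own externally visible hostnames. The sample output is constructed and uses the placeholder domain example.com; the function names are hypothetical.

```python
import re

# Constructed sample in the step 13 output format (example.com is a placeholder, not a real run).
SAMPLE_OUTPUT = """\
-----------
EXAMPLE.COM
-----------
[*] URL: http://searchdns.netcraft.com/?{'restriction': 'site+ends+with', 'host': 'example.com'}
[*] www.example.com
[*] wwww.example.com
[*] mail.example.com
[*] Next page available! Requesting again...
[*] Sleeping to Avoid Lock-out...
[*] URL: http://searchdns.netcraft.com/?{'restriction': 'site+ends+with', 'host': 'example.com', 'last': 'mail.example.com', 'from': '21'}
[*] api.example.com
[*] www.example.com
[*] www.dev.example.com
-------
SUMMARY
-------
[*] 5 total (5 new) hosts found.
"""

HOST_RE = re.compile(r"^\[\*\] ((?:[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?\.)+[a-z]{2,})$", re.I)
SUMMARY_RE = re.compile(r"^\[\*\] (\d+) total \((\d+) new\) hosts found\.$")

def parse_netcraft_output(text, domain):
    """Return (sorted unique in-scope hosts, out-of-scope hosts, reported total or None)."""
    domain = domain.lower().rstrip(".")
    hosts, out_of_scope, reported = set(), set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            reported = int(m.group(1))
            continue
        m = HOST_RE.match(line)
        if not m:
            continue  # banner, URL, paging and sleep lines are not hosts
        host = m.group(1).lower()
        if host == domain or host.endswith("." + domain):
            hosts.add(host)
        else:
            out_of_scope.add(host)  # e.g. notexample.com must not count as example.com
    return sorted(hosts), sorted(out_of_scope), reported

def count_matches_summary(text, domain):
    """True when the unique in-scope host count equals the SUMMARY total."""
    hosts, _, reported = parse_netcraft_output(text, domain)
    return reported is not None and len(hosts) == reported
```

A mismatch between the parsed count and the SUMMARY total usually means the captured log was truncated or contains hosts outside the domain you set as SOURCE.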
    
    
