Trained in Open Source Intelligence, you use your knowledge of where information lives on the
Internet to find as much as you can about SUCK. We want to become one with these Cyber
Kittens: find their secrets, learn their vocabulary, and identify their employees.

Recon-NG:


Recon-ng is a great tool for gathering Open Source Intelligence (OSINT), that is, passive information
about a company. It should be one of the first places you start before you pentest any organization:
it can turn up IP space, naming conventions, office locations, user names, email
addresses, possible password leaks, and more.

Installing Recon-ng:

First, download the tool from its repository. Open a terminal and type:

git clone https://bitbucket.org/LaNMaSteR53/recon-ng.git

This clones all the required files into a recon-ng folder under the directory you ran the command from (install the Python dependencies listed in the repository's REQUIREMENTS file if any module complains about a missing library). Then change into that folder and start the tool, for example from a terminal opened in that folder:

./recon-ng

or, if you cloned it under /root, from anywhere:

python /root/recon-ng/recon-ng

How to Use Recon-ng:

● workspaces add [Company Name – example SUCK_Company]
● add domains [DOMAIN – example suck.testlab]
● add companies
● use recon/domains-hosts/bing_domain_web
○ Look through Bing for domain names
● run
● use recon/domains-hosts/google_site_web
○ Look through Google for domain names
● run
● use recon/domains-hosts/baidu_site
○ Look through Baidu (Chinese Search Engine) for domain names
● run
● use recon/domains-hosts/brute_hosts
○ Brute-force subdomains (note that this sends DNS queries for the target's names, so it is not strictly passive)
● run
● use recon/domains-hosts/netcraft
○ Look at netcraft for domain names
● run
● use recon/hosts-hosts/resolve
○ Resolve all the domain names to IP
● run
● use recon/hosts-hosts/reverse_resolve
○ Resolve all the IPs to hostnames/domain names
● run
● use discovery/info_disclosure/interesting_files
○ Request a few well-known files (robots.txt and the like) from the identified hosts; this module touches the target's web servers, so it is active rather than passive
● run
● keys add ipinfodb_api [KEY]
○ This is where you add the ipinfodb API key you registered for earlier
● use recon/hosts-hosts/ipinfodb
○ Find the location of the IPs that were discovered
● run
● use recon/domains-contacts/whois_pocs
○ Find email addresses from the whois lookup
● run
● use recon/domains-contacts/pgp_search
○ Look through the public PGP store for email addresses
● run
● use recon/contacts-credentials/hibp_paste
○ This checks every email address you have gathered against the
"Have I Been Pwned" (HIBP) paste index. A hit tells you the address appears in a
public paste, which often means leaked credentials you may be able to use.
Newer Recon-ng releases require an HIBP API key for this module (keys add hibp_api [KEY]).
● run
● use reporting/html
○ Create a report
● set CREATOR HP2
● set CUSTOMER HP2
● run
● exit
● firefox /root/.recon-ng/workspaces/SUCK_Company/results.html
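The HTML report is convenient for the customer, but everything the modules above collected also sits in the workspace's SQLite database, and querying it directly is the quickest way to sanity-check a run before anything active starts. The following script is an added example, not code from the original post or from the Recon-ng project. It assumes the Recon-ng v4 layout of ~/.recon-ng/workspaces/NAME/data.db with hosts, contacts and credentials tables whose columns match the show hosts / show contacts / show credentials output; the sample rows are constructed to stand in for a run against the suck.testlab lab domain (the hostnames, people and leak source are invented), so it runs offline. It pulls out the checks a practitioner wants after the steps above: brute-forced names that never resolved (noise to drop), IPs shared by several hostnames (one scan target, many names), de-duplicated contacts, and which contacts hibp_paste tied to a leak.

```python
"""Post-process a Recon-ng workspace database (added example, not part of the post)."""
import sqlite3
import sys

# Assumed Recon-ng v4 workspace layout: ~/.recon-ng/workspaces/NAME/data.db.
# The column names mirror the 'show hosts' / 'show contacts' / 'show credentials'
# tables of that version; treat them as an assumption and adjust if your copy differs.
SCHEMA = """
CREATE TABLE domains (domain TEXT, module TEXT);
CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT,
                    latitude TEXT, longitude TEXT, module TEXT);
CREATE TABLE contacts (first_name TEXT, middle_name TEXT, last_name TEXT, email TEXT,
                       title TEXT, region TEXT, country TEXT, module TEXT);
CREATE TABLE credentials (username TEXT, password TEXT, hash TEXT, type TEXT,
                          leak TEXT, module TEXT);
"""

# Constructed sample rows standing in for the output of the module sequence in the
# post (suck.testlab is the lab domain there; hosts, people and the leak are invented).
SAMPLE_DOMAINS = [("suck.testlab", "user_defined")]
SAMPLE_HOSTS = [
    ("www.suck.testlab",   "10.0.0.5", None, None, None, None, "bing_domain_web"),
    ("mail.suck.testlab",  "10.0.0.6", None, None, None, None, "google_site_web"),
    ("dev.suck.testlab",   "10.0.0.5", None, None, None, None, "brute_hosts"),
    ("ghost.suck.testlab", None,       None, None, None, None, "brute_hosts"),
    ("vpn.suck.testlab",   "10.0.0.7", None, None, None, None, "netcraft"),
]
SAMPLE_CONTACTS = [
    ("Alice", None, "Smith", "asmith@suck.testlab", "CEO", None, None, "whois_pocs"),
    ("Bob",   None, "Jones", "BJones@suck.testlab", None,  None, None, "pgp_search"),
    (None,    None, None,    "asmith@suck.testlab", None,  None, None, "pgp_search"),
]
SAMPLE_CREDENTIALS = [
    ("asmith@suck.testlab", None, None, None, "Pastebin", "hibp_paste"),
]


def open_workspace(path=":memory:", seed=False):
    """Open a workspace data.db; with seed=True build the constructed sample instead."""
    conn = sqlite3.connect(path)
    if seed:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO domains VALUES (?,?)", SAMPLE_DOMAINS)
        conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?)", SAMPLE_HOSTS)
        conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?)", SAMPLE_CONTACTS)
        conn.executemany("INSERT INTO credentials VALUES (?,?,?,?,?,?)", SAMPLE_CREDENTIALS)
        conn.commit()
    return conn


def unresolved_hosts(conn):
    """Hostnames that recon/hosts-hosts/resolve never mapped to an IP: usually search-engine
    or brute-force noise, so drop them before anything active touches the target."""
    rows = conn.execute(
        "SELECT host, module FROM hosts WHERE ip_address IS NULL OR ip_address = '' ORDER BY host"
    ).fetchall()
    return [(host, module) for host, module in rows]


def shared_ips(conn):
    """IPs that front several hostnames (virtual hosts or a load balancer)."""
    rows = conn.execute(
        "SELECT ip_address, GROUP_CONCAT(host) FROM hosts "
        "WHERE ip_address IS NOT NULL AND ip_address != '' "
        "GROUP BY ip_address HAVING COUNT(*) > 1 ORDER BY ip_address"
    ).fetchall()
    return {ip: sorted(hosts.split(",")) for ip, hosts in rows}


def unique_emails(conn):
    """Contacts de-duplicated case-insensitively (whois_pocs and pgp_search often overlap)."""
    rows = conn.execute(
        "SELECT DISTINCT lower(email) FROM contacts WHERE email IS NOT NULL ORDER BY 1"
    ).fetchall()
    return [row[0] for row in rows]


def leaked_contacts(conn):
    """Contacts whose address also appears as a username in credentials (what hibp_paste adds)."""
    return conn.execute(
        "SELECT DISTINCT lower(c.email), cr.leak, cr.module FROM contacts c "
        "JOIN credentials cr ON lower(c.email) = lower(cr.username) ORDER BY 1"
    ).fetchall()


def summarize(conn):
    """One dict with everything worth eyeballing before moving from recon to scanning."""
    resolved = conn.execute(
        "SELECT COUNT(*) FROM hosts WHERE ip_address IS NOT NULL AND ip_address != ''"
    ).fetchone()[0]
    return {
        "in_scope_hosts": resolved,
        "unresolved": unresolved_hosts(conn),
        "shared_ips": shared_ips(conn),
        "emails": unique_emails(conn),
        "leaked": leaked_contacts(conn),
    }


if __name__ == "__main__":
    # Pass the path to a real data.db as the first argument; otherwise use the sample.
    db = open_workspace(sys.argv[1]) if len(sys.argv) > 1 else open_workspace(seed=True)
    for key, value in summarize(db).items():
        print(f"{key}: {value}")
```

Run it as `python recon_summary.py ~/.recon-ng/workspaces/SUCK_Company/data.db` against a real workspace (the file name is an assumption; any name works). Only hosts that actually resolved count as in scope, because search engines and brute_hosts happily produce names that no longer exist, and the join on lower-cased emails is what turns the hibp_paste hits into a list of people to prioritise.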

Thank you. If you have any questions, please comment below, and keep learning.