Let's do a basic query to illustrate how Recon-ng works:
- To start Recon-ng from Kali Linux, use the Applications menu (Applications | 01 - Information Gathering | recon-ng) or type the `recon-ng` command in a Terminal.
- We will be presented with a command-line interface. To see the modules we have available, we can issue the `show modules` command.
- Let's say we want to search all of the subdomains of a domain and the DNS server doesn't respond to zone transfer. We can brute force the subdomains; to do that, we first load the brute_hosts module: `use recon/domains-hosts/brute_hosts`.
- To learn the options we need to configure when using any module, we use the `show options` command.
- To assign a value to an option, we use the `set` command: `set source zonetransfer.me`.
- Once we have set all the options, we issue the `run` command to execute the module.
- It will take some time for the brute force to complete and it will display lots of information. Once it finishes, we can query the Recon-ng database to get the discovered hosts (`show hosts`).
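
Seen from the DNS server's side, the brute_hosts run above shows up as one client asking for many distinct names under a single domain in a short time, most of which do not exist. The following detection sketch is an added example, not part of the original text or of Recon-ng; the log layout, addresses, thresholds and the function names `parse_queries` and `find_bruteforce` are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, one query per line: "epoch client_ip qname rcode".
# The layout is assumed for this example, not any DNS server's real log format.
SAMPLE_LOG = """\
1700000000 198.51.100.7 www.example.com NOERROR
1700000001 198.51.100.7 admin.example.com NXDOMAIN
1700000001 198.51.100.7 ftp.example.com NXDOMAIN
1700000002 198.51.100.7 mail.example.com NXDOMAIN
1700000002 198.51.100.7 vpn.example.com NXDOMAIN
1700000003 198.51.100.7 dev.example.com NXDOMAIN
1700000010 203.0.113.20 www.example.com NOERROR
1700000300 203.0.113.20 www.example.com NOERROR
1700000900 203.0.113.20 wwww.example.com NXDOMAIN
"""

def parse_queries(text, zone):
    """Yield (ts, client, qname, rcode) for names strictly below `zone`."""
    suffix = "." + zone.lower().rstrip(".")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        ts, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if qname.endswith(suffix):
            yield int(ts), client, qname, rcode.upper()

def find_bruteforce(text, zone, window=60, min_names=5, min_nx_ratio=0.8):
    """Flag clients that, inside `window` seconds, ask for at least `min_names`
    distinct names under `zone` with an NXDOMAIN share >= `min_nx_ratio`."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse_queries(text, zone):
        per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            chunk = events[start:end + 1]
            names = {q for _, q, _ in chunk}
            nx = sum(1 for _, _, r in chunk if r == "NXDOMAIN")
            if len(names) >= min_names and nx / len(chunk) >= min_nx_ratio:
                flagged[client] = {"names": len(names), "nxdomain": nx,
                                   "first_seen": chunk[0][0]}
                break  # one alert per client
    return flagged
```

Calling `find_bruteforce(SAMPLE_LOG, "example.com")` flags only the client that walked through a list of names; a zone with a wildcard record answers every name, so the NXDOMAIN ratio would need to be replaced by a distinct-name count there.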