Any actions and/or activities related to the material contained within this website are solely your responsibility. The misuse of the information in this website can result in criminal charges being brought against the persons in question. Cyber Security Associates Limited will not be held responsible for any criminal charges brought against any individuals misusing the information in these projects to break the law.
Please ensure you are using the latest SD Card image which is available here.
This project aims to provide an insight into how the tool Recon-ng works to map a domain and provide valuable information for a penetration tester to discover vulnerable services. This tool is typically used in the first, ‘reconnaissance’, phase of the 5 phases of “ethical” hacking.
There are different types of penetration testing. In white box testing the test is known to the target and all information has been provided to the tester, including domains, IP addresses and locations. In black box testing no information is provided to the tester and they must do all the work to discover the domains that are controlled by the client. Finally, there is grey box testing, where a limited amount of information is provided to the tester; usually this is to limit the scope of a test so that the tester doesn’t accidentally gain access to a mission-critical item of infrastructure and affect its operation or functionality.
There are different methods of collecting information on a target, and one of the easiest is to examine their online presence. A website can reveal a significant amount of information about a target’s internal infrastructure. For example, if there is a web portal that accesses an organisation’s intranet then an attacker would focus on that area of the website and attempt to gain access to it. If a website has a WordPress admin page then the attacker knows that the website was created using WordPress, and depending on the version of WordPress there are specific attacks that will work against it.
A domain is a collection of devices (usually servers) working together and sharing a common part of the IP address. Depending on the needs of the organisation, a domain might have zero subdomains or thousands. Large organisations have hundreds of subdomains to segment access to different geographical locations, different services and different intranet access. When imagining a subdomain, think of a large filing cabinet: the entire cabinet is the domain and the subdomains are the individual drawers in the cabinet. One advantage of using subdomains is that services are divided, which prevents an attacker from easily pivoting from one service to another. Another advantage is faster response: when a client is trying to access a subdomain it can go straight to it without having to run through a single domain.
When a tester is scoping out a target website it is important that they understand how it is laid out and what services can be accessed via the website. This is where tools like recon-ng become very useful. There are methods of mapping out an entire subdomain with tools like dirbuster, but these tools are limited to the processing power of the Raspberry Pi and can take a long time running against a word list. An alternative method is to use recon-ng, whose modules use an Application Programming Interface (API) to query an external service and use its processing power instead of the Pi’s own. This makes mapping an entire domain very fast and provides the tester with information such as the IP addresses associated with the domain and its subdomains. Recon-ng works in a similar manner to Metasploit: it is a modular framework for scanning and exploitation that can be applied and configured very easily.
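The contrast above between a word-list scan run on the Pi and a recon-ng module that asks an external service can be shown offline. The following is an added example written for this worksheet, not code from recon-ng; the DNS answers and the external "API" are constructed stand-ins (example.com and the 203.0.113.0/24 documentation range), and the hosts table mirrors the host/ip_address columns recon-ng stores in its workspace database.

```python
"""Offline illustration of two ways to map a domain: a word-list brute
force (every candidate is resolved, cost grows with the list) versus a
recon-ng style module that makes one query to an external index and only
resolves what comes back. Constructed data replaces real DNS and the API."""
import sqlite3
from collections import defaultdict

# Constructed sample zone: what a resolver would answer for example.com.
FAKE_DNS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "vpn.example.com": "203.0.113.30",
    "intranet.example.com": "203.0.113.10",
}
# Constructed stand-in for an external host index queried over an API.
FAKE_API = {
    "example.com": ["www.example.com", "intranet.example.com", "mail.example.com"],
}

def resolve(host, dns=FAKE_DNS):
    """Return the IP for host, or None when the name does not exist.
    In a real lab swap this for socket.gethostbyname (hypothetical use)."""
    return dns.get(host)

def bruteforce_hosts(domain, wordlist, dns=FAKE_DNS):
    """Word-list approach: try every label; one lookup per candidate."""
    found = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        ip = resolve(host, dns)
        if ip:
            found[host] = ip
    return found

def api_hosts(domain, api=FAKE_API, dns=FAKE_DNS):
    """recon-ng style: one query to an external index, then resolve results."""
    return {h: resolve(h, dns) for h in api.get(domain, [])}

def build_hosts_table(records):
    """Store host/ip pairs in a hosts table like recon-ng's workspace database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (host TEXT PRIMARY KEY, ip_address TEXT)")
    db.executemany("INSERT OR REPLACE INTO hosts VALUES (?, ?)", records.items())
    return db

def hosts_by_ip(db):
    """Group subdomains that share one IP: one server hosting several services."""
    groups = defaultdict(list)
    for host, ip in db.execute("SELECT host, ip_address FROM hosts ORDER BY host"):
        groups[ip].append(host)
    return dict(groups)
```

Running both approaches and merging the results into one hosts table shows why the API route finds the intranet host that a short word list misses, and why two names on one IP matter when planning the rest of a test.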
Suggested Year Group
This project is designed to be completed by students over the age of 14. There are some subjects they should understand, such as how servers work, networking and a basic understanding of the internet.
Stress the explicit nature of the disclaimer on the student worksheet;
Instruct the students about recon-ng;
Introduce how recon-ng can be used to map a domain to discover how large or small it might be;
Instruct the students about how important the information they are collecting is to an attacker and provide context;
Provide the students time to practice with the tools they are learning about in this project.
Component Number (Peli Case)
(Base) 4 & 5
(Level 1) 3
(Level 1) 3
(Level 1) 3
(Level 1) 5
(Level 1) 1
Component Number (Box Case)
Raspberry Pi + Case
Kali SD Card
Power Supply Unit
Stress to the students that this project is for educational purposes only, that this information should not be used outside the classroom and that it should NEVER be used for malicious purposes. There are more ways to use recon-ng, and different tools and techniques to scan a domain; once a penetration tester has this information it will inform how they progress with this aspect of the rest of the test. If they are able to compromise the domain then they could have a way into the rest of the network. Having as much information as possible at the beginning of a test, even if it is found through the tester’s own work, is vital in informing the rest of the test.