Recon-ng

References

Web-based reconnaissance tool.

Examples of execution

Whois search email:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
$ recon-ng
[recon-ng][default] > use recon/domains-contacts/whois_pocs
[recon-ng][default][whois_pocs] > set SOURCE orange.com
SOURCE => orange.com
[recon-ng][default][whois_pocs] > run

----------
ORANGE.COM
----------
[*] URL: http://whois.arin.net/rest/pocs;domain=orange.com
[*] URL: http://whois.arin.net/rest/poc/ABUSE3681-ARIN
...

Try to find vuln on Open Bug Bounty:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
[recon-ng][default] > use recon/domains-vulnerabilities/xssposed
[recon-ng][default][xssposed] > set SOURCE orange.com
SOURCE => orange.com
[recon-ng][default][xssposed] > run

----------
ORANGE.COM
----------
[*] Category: XSS
[*] Example: https://www.orange.com
[*] Host: orange.com
[*] Publish_Date: 2017-09-27 12:36:50
[*] Reference: https://www.openbugbounty.org/reports/316983/
[*] Status: fixed
[*] --------------------------------------------------
...

Find sub-domains:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
[recon-ng][default] > use recon/domains-hosts/google_site_web
[recon-ng][default][google_site_web] > set SOURCE orange.com
SOURCE => orange.com
[recon-ng][default][google_site_web] > run

----------
ORANGE.COM
----------
[*] Searching Google for: site:orange.com
[*] [host] www.orange.com (<blank>)
[*] [host] recargas.orange.com (<blank>)
...