Open Source Intelligence (OSINT), Part 2: Using recon-ng to Identify the Same Profile across Multipl

Welcome back, my aspiring cyber warriors!

The Internet is the largest data repository the world has ever known! Open Source Intelligence or OSINT is the way to gather and unlock the intelligence embedded in all that data.

In recent years, a brand new reconnaissance framework has become available to us that leverages many of the tools we are already using, but makes them far more powerful. Rather than manually searching for the data from innumerable data sets, recon-ng enables you to automate your data searches saving you time and energy.

recon-ng, was developed by Tim Tomes while at Black Hills Information Security. He developed it as a Python script and tried to model its usage after Metasploit, making it easy for a pentester with Metasploit skills to use recon-ng with a very short learning curve

It is built into Kali, so there's no need to download or install anything.

Let's explore its many and powerful capabilities a bit here.

Step #1: Fire Up Kali and Open a Terminal

The first step, of course, is to fire up Kali and open a terminal like below.

Step #2: Start recon-ng

To start recon-ng, we simply need to enter the command "recon-ng" at the command line.

kali > recon-ng

When recon-ng starts you will be greeted by it's splash screen and a menu of the types of modules and their number. These modules include;

1. Recon Modules

2. Reporting Modules

3. Import Modules

4. Exploitation Modules

5. Discovery Modules

Next, let's find out what commands we can use in recon-ng by entering help at the recon-ng prompt.

[recon][default] > help

If you have used Metasploit, you can see many of the same commands such as use, set, show, search, etc.

To see all the modules in recon-ng, we can simply enter "show modules".

[recon][default] > show modules

Step #3: API (Application Programming Interface) Keys

recon-ng is capable of using a number of online resources such as Facebook, Twitter, Instagram, Google, Bing, LinkedIn and others. To use these resources, you simply need to obtain an API key and enter it. For a list of API keys that recon-ng can use, enter "keys list".

[recon][default] > keys list

So, once we obtained our Facebook API key, we simply need to add that key to use Facebook for reconnaissance.

[recon][default] > keys add facebook_api 123456

[recon][default] > keys list

Now, you are ready to use Facebook's API to connect to Facebook and do your recon searches there.

Step #5: Profiler

recon-ng has numerous modules for finding information available on the web. Let's take a look at just one module here, profiler (we'll examine others in future tutorials).

Let's assume that you are looking for a person who uses the profile name "Occupytheweb" and want to find out whether they use that same profile on other sites. recon-ng has a module for that!

It's called the 'profiler' and we can find it at recon/profiles-profiles/profiler. To use this module, simply enter;

[recon][default] > use recon/profiles-profiles/profiler

To learn more about this module, then enter;

[recon][default] > show info

We can see in the screenshot above that it takes a profile name and searches for that profile name through numerous web sites for that same name.

To begin our search, we simply enter the profile we are looking for;

[recon][default] > set source occupytheweb

and then enter;

[recon][default] > run

The profiler module then searches through numerous web sites seeking matches of this profile name. In this case, it found 9 matches! It should be pointed out these may not all be the same person, but simply the same profile name.

In my earlier tutorial on finding information on Twitter using twint, we searched the tweets of the smarmy second-term U.S. congressman from Florida, Matt Gaetz. Let's try a similar search for the sycophantic Mr. Gaetz with profiler and see whether he has other accounts under his same twitter profile, mattgaetz.

Let's set the source to "mattgaetz".

[recon][default] > set source mattgaetz

Then, enter "run".

[recon][default] >run

Within seconds, recon-ng returns numerous accounts using this same profile.

Next, of course, we can go to those accounts to find more information on the target of our recon.

When we go to account of Matt Gaetz on flickr (flickr.com/photos/mattgaetz) we see photos of Mr. Gaetz impersonating a public servant for his 0 followers.


recon-ng is an excellent tool for automating the extraction of the cornucopia of information and intelligence from the web. In this case, we used the profiler module to look for the use of the same profile in numerous websites. This can be an effective way to find accounts where the target may reveal additional information about themselves that can be useful in social engineering attacks and forensic investigations.

For more on recon-ng, check out the tutorial on determining the anti-virus of the target using recon-ng here.

3,242 views0 comments