ronin-recon is a micro-framework and tool for performing reconnaissance. ronin-recon uses multiple workers which process different value types (ex: IP, host, URL, etc) and produce new values. ronin-recon contains built-in recon workers and supports loading additional 3rd-party workers from Ruby files or 3rd-party git repositories. ronin-recon has a unique queue design and uses asynchronous I/O to maximize efficiency.
- Uses asynchronous I/O and fibers.
- Supports defining recon modules as plain old Ruby class.
- Provides built-in recon workers for:
- IP range enumeration.
- DNS lookup of host-names.
- Querying nameservers.
- Querying mailservers.
- DNS reverse lookup of IP addresses.
- DNS SRV record enumeration.
- DNS subdomain enumeration.
- Service/port scanning with
nmap. - Enumerates the Common Name (
CN) andsubjectAltNames within all SSL/TLS certificates. - Web spidering.
- HTTP directory enumeration.
- Supports loading additional recon modules from Ruby files or from installed 3rd-party git repositories.
- Builds a network graph of all discovered assets.
- Provides a simple CLI for listing workers or performing recon.
- Supports many different output file formats:
- TXT
- CSV
- JSON
- NDJSON
- GraphViz DOT
- Does not require API keys to run.
- Not just a script that runs a bunch of other recon tools.
$ ronin-recon
Usage: ronin-recon [options]
Options:
-V, --version Prints the version and exits
-h, --help Print help information
Arguments:
[COMMAND] The command name to run
[ARGS ...] Additional arguments for the command
Commands:
help
run
test
worker
workers
List all available recon workers:
$ ronin-recon workers
dns/lookup
dns/mailservers
dns/nameservers
dns/srv_enum
dns/subdomain_enum
dns/suffix_enum
net/cert_enum
net/cert_grab
net/ip_range_enum
net/service_scan
web/dir_enum
web/spiderPrint info about a specific recon worker:
$ ronin-recon worker dns/lookup
[ dns/lookup ]
Summary: Looks up the IPs of a host-name
Description:
Resolves the IP addresses of domains, host names, nameservers,
and mailservers.
Accepts:
* domains
* hosts
* nameservers
* mailservers
Run the recon engine on a single domain:
$ ronin-recon run --domain example.comRun the recon engine on a single host-name:
$ ronin-recon run --host www.example.comRun the recon engine on a single IP address:
$ ronin-recon run --ip 1.1.1.1Run the recon engine on an IP range:
$ ronin-recon run --ip-range 1.1.1.1/24Run the recon engine on multiple targets:
$ ronin-recon run --domain example1.com --domain example2.com --host secret.foo.example1.com --host secret.bar.example2.com --ip-range 1.1.1.1/24require 'ronin/recon/engine'
domain = Ronin::Recon::Values::Domain.new('github.com')
Ronin::Recon::Engine.run([domain], max_depth: 3) do |value,parent|
case value
when Ronin::Recon::Values::Domain
puts "Found domain #{value} for #{parent}"
when Ronin::Recon::Values::Nameserver
puts "Found nameserver #{value} for #{parent}"
when Ronin::Recon::Values::Mailserver
puts "Found mailserver #{value} for #{parent}"
when Ronin::Recon::Values::Host
puts "Found host #{value} for #{parent}"
when Ronin::Recon::Values::IP
puts "Found IP address #{value} for #{parent}"
end
end- Ruby >= 3.0.0
- thread-local ~> 1.0
- async-io ~> 1.0
- async-dns ~> 1.0
- async-http ~> 0.60
- wordlist ~> 1.0
- ronin-support ~> 1.0
- ronin-core ~> 0.1
- ronin-repos ~> 0.1
- ronin-masscan ~> 0.1
- ronin-nmap ~> 0.1
- ronin-web-spider ~> 0.2
$ gem install ronin-recongem 'ronin-recon', '~> 0.1'gem.add_dependency 'ronin-recon', '~> 0.1'You can configure nmap and masscan to run without sudo by setting their
capabilities:
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which nmap)
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which masscan)- Fork It!
- Clone It!
cd ronin-recon/bundle installgit checkout -b my_feature- Code It!
bundle exec rake specgit push origin my_feature
ronin-recon - A micro-framework and tool for performing reconnaissance.
Copyright (c) 2023 Hal Brodigan (postmodern.mod3@gmail.com)
ronin-recon is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
ronin-recon is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with ronin-recon. If not, see https://www.gnu.org/licenses/.