Pown Recon - A Powerful Target Reconnaissance Framework Powered By Graph Theory


[![](https://4.bp.blogspot.com/-RrIY7vWwKFE/XFBaD6coD6I/AAAAAAAAOAE/-1Y-8eN0GsAHcAZv2eMy11KHbvOC2XSBgCLcBGAs/s640/pown-recon_3_01.png)](<https://4.bp.blogspot.com/-RrIY7vWwKFE/XFBaD6coD6I/AAAAAAAAOAE/-1Y-8eN0GsAHcAZv2eMy11KHbvOC2XSBgCLcBGAs/s1600/pown-recon_3_01.png>) Pown Recon is a target [reconnaissance framework](<https://www.kitploit.com/search/label/Reconnaissance%20Framework>) powered by graph theory. The benefit of using graph theory instead of flat table representation is that it is easier to find the relationships between different types of information which comes quite handy in many situations. Graph theory algorithms also help with diffing, searching, like finding the shortest path, and many more interesting tasks. **Quickstart** This tool is meant to be used as part of [Pown.js](<https://github.com/pownjs/pown>) but it can be invoked separately as an independent tool. If installed globally as part of Pown invoke like this: $ pown recon Otherwise, install this module from the root of your project: $ npm install @pown/recon --save Once done, invoke pown recon like this: $ ./node_modules/.bin/pown-cli recon You can also use Pown to invoke it locally: $ POWN_ROOT=. pown recon **Usage** > **WARNING**: This pown command is currently under development and as a result will be subject to breaking changes. pown recon [options] <command> Target recon Commands: pown recon transform <transform> Perform inline transformation [aliases: t] pown recon select <expression> Perform a selection [aliases: s] pown recon diff <fileA> <fileB> Perform a diff between two recon files [aliases: d] Options: --version Show version number [boolean] --debug Debug mode [boolean] --help Show help [boolean] **Transform** pown recon transform <transform> Perform inline transformation Commands: pown recon transform archiveindex [options] <nodes...> Obtain a commoncraw index for specific URL. [aliases: archive_index, arci] pown recon transform awsiamendpoints [options] <nodes...> Enumeration AWS IAM Endpoints [aliases: aws_iam_endpoints, awsie] pown recon transform builtwithscraperelationships [options] <nodes...> Performs scrape of builtwith relationships [aliases: builtwith_scrape_relationships, bwsr] pown recon transform cloudflarednsquery [options] <nodes...> Query CloudFlare DNS API [aliases: cloudflare_dns_query, cfdq] pown recon transform commoncrawlindex [options] <nodes...> Obtain a commoncraw index for specific URL. [aliases: commoncrawl_index, cci] pown recon transform crtshdomainreport [options] <nodes...> Obtain crt.sh domain report which helps enumerating potential target subdomains. [aliases: crtsh_domain_report, crtshdr] pown recon transform dockerhublistrepos [options] <nodes...> List the first 100 DockerHub repositories [aliases: dockerhub_list_repos, dhlr] pown recon transform githublistrepos [options] <nodes...> List the first 100 GitHub repositories [aliases: github_list_repos, ghlr] pown recon transform githublistmembers [options] <nodes...> List the first 100 GitHub members in org [aliases: github_list_members, ghlm] pown recon transform gravatar [options] <nodes...> Get gravatar pown recon transform hackertargetreverseiplookup [options] <nodes...> Obtain reverse IP information from hackertarget.com. [aliases: hackertarget_reverse_ip_lookup, htril] pown recon transform hibpreport [options] <nodes...> Obtain haveibeenpwned.com breach report. [aliases: hibp_report, hibpr] pown recon transform pkslookupkeys [options] <nodes...> Look the the PKS database at pool.sks-keyservers.net which pgp.mit.edu is part of. [aliases: pks_lookup_keys, pkslk] pown recon transform riddleripsearch [options] <nodes...> Searches for IP references using F-Secure riddler.io. [aliases: riddler_ip_search, ris] pown recon transform riddlerdomainsearch [options] <nodes...> Searches for Domain references using F-Secure riddler.io. [aliases: riddler_domain_search, rds] pown recon transform threatcrowddomainreport [options] <nodes...> Obtain threatcrowd domain report which helps enumerating potential target subdomains and email addresses. [aliases: threatcrowd_domain_report, tcdr] pown recon transform threatcrowdipreport [options] <nodes...> Obtain threatcrowd ip report which helps enumerating virtual hosts. [aliases: threatcrowd_ip_report, tcir] pown recon transform urlscanliveshot [options] <nodes...> Generates a liveshot of any public site via urlscan. [aliases: usls] pown recon transform wappalyzerprofile [options] <nodes...> Enumerate technologies with api.wappalyzer.com [aliases: wappalyzer_profile, wzp] pown recon transform whatsmynamereport [options] <nodes...> Find social accounts with whatsmyname database. [aliases: wmnr] pown recon transform zoomeyescrapesearchresults [options] <nodes...> Performs first page scrape on ZoomEye search results [aliases: zoomeye_scrape_search_results, zyssr] Options: --version Show version number [boolean] --debug Debug mode [boolean] --help Show help [boolean] --read, -r Read file [string] --write, -w Write file [string] **Select** pown recon select <expression> Perform a selection Options: --version Show version number [boolean] --debug Debug mode [boolean] --help Show help [boolean] --read, -r Read file [string] --write, -w Write file [string] --output-format, -o Output format [string] [choices: "table", "csv", "json"] [default: "table"] --output-fields Output fields [string] [default: ""] --output-with-ids Output ids [boolean] [default: false] **Diff** pown recon diff <fileA> <fileB> Perform a diff between two recon files Options: --version Show version number [boolean] --debug Debug mode [boolean] --help Show help [boolean] --subset, -s The subset to select [choices: "left", "right", "both"] [default: "left"] --write, -w Write file [string] --output-format, -o Output format [string] [choices: "table", "csv", "json"] [default: "table"] --output-fields Output fields [string] [default: ""] --output-with-ids Output ids [boolean] [default: false] **Transforms** * GitHub Search of Repos and Members * CloudFlare DNS API * CRTSH * DockerHub Repo Search * Gravatar URLs * Hacker Target Reverse IP Lookup * Have I Been Pwned Lookup * PKS Lookup * Urlscan Live Shot * Threatcrowd Lookup * ZoomEye Scraper * Wappalyzer * AWS Landing Pages * Builtwith * Riddler * Commoncraw * Archive.org * WhatsMyName **Tutorial** To demonstrate the power of Pown Recon and graph-based OSINT (Open Source Intelligence), let's have a look at the following trivial example. Let's start by querying everyone who is a member of Google's engineering team and contributes to their GitHub account. pown recon t -w google.network ghlm google This command will generate a table similar to this: ┌─────────┬─────────────────┬────────────────────────────────────────────┬─────────────────────────┬─────────────────────────────────────────────────────────┐ │ (index) │ type │ uri │ login │ avatar │ ├─────────┼─────────────────┼────────────────────────────────────────────┼─────────────────────────┼─────────────────────────────────────────────────────────┤ │ 0 │ 'github:member' │ 'https://github.com/3rf' │ '3rf' │ 'https://avatars1.githubusercontent.com/u/1242478?v=4' │ │ 1 │ 'github:member' │ 'https://github.com/aaroey' │ 'aaroey' │ 'https://avatars0.githubusercontent.com/u/31743510?v=4' │ │ 2 │ 'github:member' │ 'https://github.com/aarongable' │ 'aarongable' │ 'https://avatars3.githubusercontent.com/u/2474926?v=4' │ ... ... ... │ 97 │ 'github:member' │ 'https://github.com/alexv' │ 'alexv' │ 'https://avatars0.githubusercontent.com/u/30807372?v=4' │ │ 98 │ 'github:member' │ 'https://github.com/alexwhouse' │ 'alexwhouse' │ 'https://avatars3.githubusercontent.com/u/1448490?v=4' │ │ 99 │ 'github:member' │ 'https://github.com/alexwoz' │ 'alexwoz' │ 'https://avatars3.githubusercontent.com/u/501863?v=4' │ └─────────┴─────────────────┴────────────────────────────────────────────┴─────────────────────────┴─────────────────────────────────────────────────────────┘ You just created your first network! The representation is tabular for convenience but underneath we've got a model which consists of nodes connected by edges. If you are wondering what that looks like you can use [SecApps Recon](<https://recon.secapps.com/>). The [command line](<https://www.kitploit.com/search/label/Command%20Line>) does not have the necessary level of interactivity to present the complexity of graphs. The `-w google.network` command line option exported the network to a file. You can load the file directly into SecApps Recon with the file open feature. The result will look like this: [![](https://4.bp.blogspot.com/-RrIY7vWwKFE/XFBaD6coD6I/AAAAAAAAOAE/-1Y-8eN0GsAHcAZv2eMy11KHbvOC2XSBgCLcBGAs/s640/pown-recon_3_01.png)](<https://4.bp.blogspot.com/-RrIY7vWwKFE/XFBaD6coD6I/AAAAAAAAOAE/-1Y-8eN0GsAHcAZv2eMy11KHbvOC2XSBgCLcBGAs/s1600/pown-recon_3_01.png>) Now imagine that we want to query what repositories these Google engineers are working on. This is easy. First, we need to select the nodes in the graph and then transform them with the "GitHub List Repositories" transformation. This is how we do it from the command line: pown recon t ghlr -r google.network -w google2.nework -s 'node[type="github:member"]' If you don't hit GitHub API rate limits, you will be presented with this: ┌─────────┬───────────────┬──────────────────────────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────┐ │ (index) │ type │ uri │ fullName │ ├─────────┼───────────────┼──────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤ │ 0 │ 'github:repo' │ 'https://github.com/3rf/2015-talks' │ '3rf/2015-talks' │ │ 1 │ 'github:repo' │ 'https://github.com/3rf/codecoroner' │ '3rf/codecoroner' │ │ 2 │ 'github:repo' │ 'https://github.com/3rf/DefinitelyTyped' │ '3rf/DefinitelyTyped' │ ... ... ... │ 1348 │ 'github:repo' │ 'https://github.com/agau4779/ultimate-tic-tac-toe' │ 'agau4779/ultimate-tic-tac-toe' │ │ 1349 │ 'github:repo' │ 'https://github.com/agau4779/worm_scraper' │ 'agau4779/worm_scraper' │ │ 1350 │ 'github:repo' │ 'https://github.com/agau4779/zsearch' │ 'agau4779/zsearch' │ └─────────┴───────────────┴──────────────────────────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────┘ Since now we have two files `google.network` and `google2.network` you might be wondering what is the difference between them. Well, we have a tool for doing just that. This is how we do it. pown recon diff google.network google2.network Now we know! This feature is quite useful if you are building large recon maps and you are just curious to know what are the key differences. Imagine your cron job performs the same recon every day and you would like to know if something new just appeared which might be worth exploring further. Hello, bug bounty hunters! **[Download Pown-Recon](<https://github.com/pownjs/pown-recon>)**