After talking a bit about ways to collect subdomains, we will now try a new tool called recon-ng.
So what is Recon-ng?
Recon-ng provides a command-line interface that allows users to interact with the tool and execute various modules to perform different types of reconnaissance tasks. These modules include functionalities such as DNS enumeration, port scanning, email harvesting, web scraping, and more.
As we have seen, this tool is basically a collection of modules.
modules load recon/domains-hosts/google_site_web
info (to show options)
options set SOURCE target.com
run
show hosts (to get results)

How to get IP ranges?
Step 1: after running dig +noall +answer microsoft.com A we have the IPs.

Step 2: take these IPs, go to https://whois.domaintools.com/ and enter any one of them.

Step 3: now that we have the IP range, go to dnsrecon and run dnsrecon -r 20.33.0.0-20.128.255.255 to get more information about the websites in that IP range.
curl ipinfo.io/20.103.85.33 to get information about a single IP.
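
As an added example (not part of the original notes): a short Python sketch that takes the NetRange line of a whois result, as looked up in step 2, converts it to CIDR blocks and counts the addresses, which shows how large the reverse-lookup sweep in step 3 is. The whois text, net name and function names are constructed for illustration; only the range and the IP 20.103.85.33 come from the page.

```python
import ipaddress
import re

# Constructed sample of whois output; only the NetRange values come from the page.
SAMPLE_WHOIS = """\
NetRange:       20.33.0.0 - 20.128.255.255
NetName:        EXAMPLE-NET
Organization:   Example Org (constructed)
"""

NETRANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def parse_netrange(whois_text):
    """Return (first, last) addresses from the NetRange line of whois output."""
    match = NETRANGE_RE.search(whois_text)
    if match is None:
        raise ValueError("no NetRange line found")
    first = ipaddress.ip_address(match.group(1))
    last = ipaddress.ip_address(match.group(2))
    if first.version != last.version or first > last:
        raise ValueError("NetRange bounds are inconsistent")
    return first, last


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers exactly first..last."""
    return list(ipaddress.summarize_address_range(first, last))


def range_size(first, last):
    """Number of addresses a reverse lookup over the range would query."""
    return int(last) - int(first) + 1


def in_range(ip, first, last):
    """True if ip falls inside the whois range (a quick scope check)."""
    return first <= ipaddress.ip_address(ip) <= last


if __name__ == "__main__":
    first, last = parse_netrange(SAMPLE_WHOIS)
    for block in range_to_cidrs(first, last):
        print(block, block.num_addresses)
    print("total addresses:", range_size(first, last))
    print("20.103.85.33 in range:", in_range("20.103.85.33", first, last))
```
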