User Guide
Rekono supports the execution of the following hacking tools:
Tool | Stage | Description |
---|---|---|
theHarvester | OSINT | Get OSINT information like subdomains or emails |
EmailHarvester | OSINT | Get emails from public sources |
EmailFinder | OSINT | Get emails from public sources |
Nmap | Host discovery and port enumeration | Find live hosts, open ports and details about running services |
Sslscan | Service analysis | Analysis of vulnerabilities in TLS configuration |
SSLyze | Service analysis | Analysis of vulnerabilities in TLS configuration |
SSH Audit | SSH service analysis | Analysis of vulnerabilities in SSH services |
SMBMap | SMB service analysis | Enumeration of SMB shares |
Dirsearch | HTTP service analysis | Enumeration of endpoints in web services |
Gobuster | HTTP service analysis | Enumeration of endpoints, VHOST and subdomains in web services |
GitLeaks & GitDumper | HTTP service analysis | Get code from exposed Git repositories and then find hardcoded credentials in the source code |
Log4j Scan | HTTP service analysis | Check if a web service is vulnerable to Log4Shell |
Spring4Shell Scan | HTTP service analysis | Check if a web service is vulnerable to SpringShell |
CMSeeK | HTTP service analysis | Get information about the CMS used by a web service |
OWASP JoomScan | HTTP service analysis | Analysis of web services that use Joomla as CMS |
OWASP ZAP | HTTP service analysis | Analysis of vulnerabilities in web services |
Nikto | HTTP service analysis | Analysis of vulnerabilities in web services |
Nuclei | HTTP service analysis | Analysis of vulnerabilities in web services |
SearchSploit | Exploitation | Look for public exploits |
Metasploit | Exploitation | Look for public exploits |
The tools and the configurations supported by Rekono can be reviewed and executed from the tools page:
Processes are sets of tools and configurations, called steps, that Rekono executes together, using the output of earlier executions as input for later ones. Rekono includes some default processes, but processes can also be created and modified dynamically, so auditors can use custom processes to look for the specific findings they need. Processes are considered shared hacking resources, so all of them can be used by all users, and they are managed in the processes page.
After a process is created, new steps can easily be added to it using the following form, which only requires selecting one tool and one configuration:
Some hacking tools use wordlists to look for findings in the target, so Rekono also includes wordlist management features in the wordlists page:
Rekono includes some Kali Linux wordlists by default, but auditors can create their own wordlists to customize their scans and find just what they are looking for. Like processes, wordlists are shared hacking resources, so all auditors can use all of them.
Rekono targets are handled under a project scope, and a target can be an IP address, a domain, a network, a subnetwork or an IP range. Multiple targets can be created at the same time using the creation form in this way:
For each target, the auditor can also define the ports to scan and the credentials to use for authentication:
Moreover, auditors can add known information about the target, like technologies or CVEs. This kind of information is usually provided by other tool executions within the context of a process, but sometimes auditors need to execute tools that require this information independently. For example, Metasploit needs CVEs as input, and SearchSploit needs a technology name and version as input to look for known exploits. This extra information can be entered in the following target forms:
Tasks request the execution of one tool or process against specific targets. One task produces all the tool executions needed to scan each target with all the requested hacking resources. Tasks are highly customizable: first, the auditor chooses one or multiple targets, a process or a tool and a configuration to execute, and the intensity of the executions. In the next picture, the Active Analysis process is selected to be executed with Normal intensity:
If one of the tools that are going to be executed accepts a wordlist as input, the following tab is displayed to allow the auditor to choose one or multiple wordlists to use during the executions:
By default, tasks are executed as soon as possible, depending on the workload of the executions workers. However, auditors can schedule tasks at specific dates and times:
Or they can schedule tasks to run after a specific amount of time:
Moreover, if auditors need to check targets periodically, they can configure tasks to be executed periodically at a specific interval:
Finally, after creating a new task, auditors can follow the progress and check the results of the executions in the task page. For example, the execution of the Active Analysis process:
In this page, auditors can check the findings obtained by each tool execution as well as the original tool output. It's normal to get some executions with Skipped status, because some tools can't be executed depending on the target conditions. For example, SSH Audit can't be executed against targets that don't expose SSH services.
Findings obtained during executions can be reviewed in the findings tab:
In this page, when a finding is selected, its details and related findings are shown. For example, in this case, one host and one port are selected. It's also possible to show all findings of specific types using the filter located at the top right of the page. Findings can be disabled manually by users, which makes it easy to differentiate false positives or irrelevant findings from the relevant ones.