In this tutorial, we will be showing how to use Recon-ng in Kali Linux to find out what Anti-Virus (AV) software the target is using on their corporate network.
A skilled cyber actor understands that while it may not be feasible to bypass all Anti-Virus software, it is feasible to bypass a single AV software that the target is deploying on their system for a reasonable time frame.
When a clever cyber adversary can figure out what Anti-Virus program the target is using, the cyber actor may render their malware indiscernible by that particular AV program.
What is Recon-ng?
Recon-ng is a robust web reconnaissance framework that permits professional penetration testers to find out what Anti-Virus (AV) software the target is using on their network.
How Recon-ng Finds Out What The Target’s Anti-Virus Is
Recon-ng depends on transmitting iterative queries to a DNS server to establish if that particular DNS server holds a cache that contains the Anti-Virus provider’s website.
Provided that it executes, it indicates that an individual within a corporation is deploying that specific Anti-Virus software. Thus, visiting the site means updating the AV’s signatures.
If the DNS server fails to hold a cache that contains the AV provider’s site, then we can conclude that no individual in the corporation has inquired for the particular Anti-Virus provider’s website. Hence, we can presumably conclude that they are not deploying that specific AV software.
1. Open Recon-ng In Terminal
To begin, open Recon-ng in Kali Linux by going into your terminal window and type the following:
After Recon-ng starts in the terminal window, we will be welcomed with a screen that shows us the various modules provided by the useful web reconnaissance framework.
2. Show The Names For Specific Modules
To find out the names for the specific modules
Evidently, finding out the names and file paths for specific modules in separate groups illustrate more of their role in reconnaissance.
We see that the first module within “discovery” is called “cache_snoop” also known as DNS Cache Snooper.
“cache_snoop” is indeed the module we are going to be using in our tutorial.
3. Show The Names For Specific Modules
Using DNS Cache Snooper is straightforward.
To begin the reconnaissance process, type the following into the Recon-ng terminal:
After you have finished loading the DNS Cache Snooper module, proceed by typing in the following:
Under options, we see two required values:
av_domains.lst (A list of the Anti-Virus software domains)
the Name Server’s IP address (Important for target information gathering purposes).
The value under NAMESERVER will be temporarily empty until we proceed to specify a value later on.
4. Take A Look At The List Of Anti-Virus Software Domains Included With Recon-ng
Recon-ng contains a default list of Anti-Virus software domains which will be useful in determining whether the target uses one of the AV listed.
We recommend taking a look at this list provided by Recon-ng since it will undoubtedly help you familiarize the different AV providers included in the reconnaissance process.
av_domains.lst is located in: /usr/share/recon-ng/data/av_domains.lst
To see the list of AV software domains, open a new terminal window in Kali Linux and type in the following:
When you are in “/usr/share/recon-ng/data“, proceed by typing in the terminal the following:
Hence, we can see that the av_domains.
We can even add more domains to this list if we want. To do this, just open this list in a text editor to add the new domain and save the list.
You can also edit av_domains.lst by manually visiting “/usr/share/recon-ng/data” via the GUI in Kali Linux.
5. Find Out Target’s Domain Name Servers & IP Address
To find out the target’s domain name server, deploy the dig command by opening a new terminal window and typing in the following:
dig (domain name) ns
ns means we want to acquire information regarding the name server.
For instance, we can use the dig command on the Kali site.
Hence, it would look like the following:
dig kali.org ns
Therefore, we can see that the dig command shows the nameservers for the Kali site.
It’s important to take note of the name servers of the target domain so you can find out if an individual in a corporation is using any of the Anti-Virus software in your list.
To see what the IP address of a name server is, type in the following into the terminal:
ping (name server)
Hence, the example for the Kali site would be:
6. Set NAMESERVER To Target Domain’s Name Server IP Address and Run
To find out if a DNS server holds any reference of an individual in a corporation deploying AV software in your list, proceed accordingly.
Set the name server IP address for the target domain name server by typing in the following into the
set NAMESERVER (IP address)
Once the name server IP address has been set, proceed by typing in the following:
After the run command has been executed successfully, Recon-ng will tell you if any of the AV software has been deployed by an individual in a corporation.
If Recon-ng fails to find an entry for the Anti-Virus software on your list, it will respond by providing a “Not Found” message next to the Anti-Virus domain.
Significantly, this indicates that the corporation is likely deploying Anti-Virus software not provided in our Recon-ng list.
This also illustrates that any malware discovered by one of these AV software providers on the list may not be potentially discovered by the target’s AV software.
If Recon-ng finds an entry for the AV program on your list, it will respond by providing a “Snooped!” message next to the AV domain.
The above screenshot illustrates that every AV program provider had been used by an individual in a corporation at some point.
As we can see, Recon-ng is