to the site being searched. This is true of Twitter, Instagram, Google, Bing, and others. Once you have acquired the key, you can use the modules that require access to the APIs. Until then, programs are blocked from querying those sources. This allows these sites to ensure that they know who is trying to query. When you get an API key, you have to have a login with the site and provide some sort of confirmation that you are who you say you are. When you get an API key from Twitter, for example, you are required to have a mobile phone number associated with your account, and that mobile number is validated.
Most of the modules that you would use to do your reconnaissance for you will require API keys. Although some modules don’t require any authentication, such as for searching PGP keys and also for looking up whois information, a substantial number will need API keys. In Example 3-6 you can see a list of services that require API keys. In some cases, you will see an API key listed where I added a key. I should probably make clear that I have altered the key provided here.
Example 3-6. List of API keys in Recon-NG
[recon-ng][default][twitter_mentions] > keys list
+---------------------------------------------------------------------+
| Name             | Value                                            |
+---------------------------------------------------------------------+
| bing_api         |                                                  |
| builtwith_api    |                                                  |
| censysio_id      |                                                  |
| censysio_secret  |                                                  |
| flickr_api       |                                                  |
| fullcontact_api  |                                                  |
| github_api       |                                                  |
| google_api       | AIzaSyRMSt3OtA42uoRUpPx7KMGXTV_-CONkE0w          |
| google_cse       |                                                  |
| hashes_api       |                                                  |
| instagram_api    |                                                  |
| instagram_secret |                                                  |
| ipinfodb_api     |                                                  |
| jigsaw_api       |                                                  |
| jigsaw_password  |                                                  |
| jigsaw_username  |                                                  |
| linkedin_api     |                                                  |
| linkedin_secret  |                                                  |
| pwnedlist_api    |                                                  |
| pwnedlist_iv     |                                                  |
| pwnedlist_secret |                                                  |
| shodan_api       |                                                  |
| twitter_api      | zIb6v3RR5AIltsv2gzM5DO5d42                       |
| twitter_secret   | l73gkqojWpQBTrk243dMncY4C4goQIJxpjAEIf6Xr6R8Bn6H |
+---------------------------------------------------------------------+
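Because the keys list output shows every stored credential in clear text, a listing like Example 3-6 should be masked before it goes into a report, a ticket or a screenshot. The following Python sketch is an added example, not code from this book or from Recon-NG: it takes pasted keys list output, masks each value in place, and reports which keys are set. The function names and the sample listing are constructed for illustration.

```python
import re

# One data row of pasted `keys list` output: "| name | value |" (value may be empty).
# Key names are lowercase, so the "Name | Value" header row does not match.
ROW = re.compile(r"^\|\s*(?P<name>[a-z0-9_]+)\s*\|\s*(?P<value>[^\s|]*)\s*\|\s*$")

def mask(value, keep=4):
    """Keep a short prefix so the key is still recognisable; hide the rest."""
    if len(value) <= keep * 2:
        return "*" * len(value)      # too short to reveal any prefix
    return value[:keep] + "*" * (len(value) - keep)

def redact_keys_listing(text):
    """Return (redacted_text, {key_name: is_set}) for pasted `keys list` output."""
    status, out = {}, []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:                # prompt, borders, header: pass through
            out.append(line)
            continue
        value = m.group("value")
        status[m.group("name")] = bool(value)
        start, end = m.span("value")
        # The mask has the same length as the value, so alignment is preserved.
        out.append(line[:start] + mask(value) + line[end:])
    return "\n".join(out), status

# Constructed sample listing; the values are placeholders, not real keys.
SAMPLE = """\
[recon-ng][default] > keys list
+-----------------------------------+
| Name | Value |
+-----------------------------------+
| bing_api | |
| shodan_api | EXAMPLEKEY0123456789 |
| twitter_api | short |
+-----------------------------------+"""

if __name__ == "__main__":
    redacted, status = redact_keys_listing(SAMPLE)
    print(redacted)
    print("unset:", sorted(name for name, is_set in status.items() if not is_set))
```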