Recon-ng is an open-source intelligence (OSINT) gathering tool and a full-featured web reconnaissance framework written in Python. It is designed to streamline the process of harvesting information from open sources during reconnaissance phases in cyber security, ethical hacking, bug bounty hunting, and penetration testing. The tool provides an interactive command-line interface similar to Metasploit, making it familiar for users experienced with that framework.

It focuses exclusively on web-based reconnaissance and is not intended for exploitation or social engineering tasks.

Recon-ng emphasises modules, allowing users to install, load, and run specific modules for targeted data collection, with built-in database interaction for storing and managing reconnaissance results. Developed by Tim Tomes (lanmaster53), it is maintained as free software with community contributions encouraged, particularly from Python developers.

Features

Recon-ng offers a list of features tailored for efficient OSINT and reconnaissance:

  1. Analytics and Version Control: Optional analytics reporting and version checks (disabled by default in some distributions like Debian/Kali).

  2. Command-Line and Web Interfaces: Primary CLI usage, with additional tools like recon-cli for non-interactive runs and recon-web for a web-based UI and API.

  3. Convenience Functions: Interactive help, command completion, and options for stealth mode (disabling passive requests) or accessible outputs.

  4. Reporting and Export: Modules for generating reports in formats like CSV, JSON, XML, and HTML. Includes spooling output to files for logging.

  5. Marketplace for Modules: A built-in marketplace to search, install, and manage modules from remote repositories.

  6. API Key Management: Secure storage and use of third-party API keys (e.g., for Shodan, Bing) to enhance module capabilities.

  7. Workspace Management: Supports creating isolated workspaces for different projects to organise data without overlap.

  8. Database Integration: Built-in database for storing reconnaissance data, with commands to insert, query, export, and manage records (e.g., hosts, domains, contacts).

  9. Modular Architecture: A completely modular framework with independent modules that can be easily added, updated, or removed. This allows for customisation and extension by developers.

The framework includes around 76 recon modules, 8 reporting modules, 2 import modules, 2 exploitation modules, and 2 discovery modules, totalling over 90 modules for tasks like domain enumeration, vulnerability scanning, and social media profiling.

Installation

Installation varies by operating system. Treat the steps below as a guide; they reflect installation as of 2025 and may be outdated by the time you read this.

Windows: Use Python and pip, or install via Windows Subsystem for Linux (WSL) following Linux steps.

Ubuntu/Linux Distributions: Clone from GitHub and install dependencies:

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS

Run with ./recon-ng or add to PATH.

Kali Linux: Pre-installed in many versions, but update with:

sudo apt update && sudo apt install recon-ng

This installs version 5.1.2 or later, with dependencies like Python 3 and related libraries.

Configuration files are stored in ~/.recon-ng/, including keys.db for APIs and modules/ for code.

Usage Guide

Recon-ng is launched via the command line with recon-ng or ./recon-ng from the cloned directory. It opens a shell with a prompt like [recon-ng][default] >. Use -w workspace to load/create a workspace on startup, or -r filename to run commands from a resource file.

Workflow typically involves:

  1. Creating/loading a workspace.
  2. Installing/searching modules via the marketplace.
  3. Loading a module.
  4. Setting options (e.g., target domain).
  5. Running the module.
  6. Viewing/exporting results.

The web interface is started with recon-web, providing API access at /api/.

Domain Reconnaissance Using Recon-ng

This workflow demonstrates a step-by-step process for performing domain reconnaissance on a target like example.com. It covers workspace setup, module installation and usage, API key management, data collection, and reporting/export.

Always ensure you have permission to scan targets.

Step 1

Launch Recon-ng and Create a Workspace. Workspaces isolate projects to prevent data overlap.

Launch Recon-ng:

./recon-ng  # Or just 'recon-ng' if in PATH

You'll see the prompt [recon-ng][default] >.

Create a new workspace:

workspaces create example_recon

Select the workspace:

workspaces select example_recon

Now the prompt changes to [recon-ng][example_recon] >.

Step 2

Install and Explore Modules via Marketplace. Modules extend Recon-ng's capabilities for specific tasks.

Search for modules (related to domains):

marketplace search domains

This lists modules like recon/domains-hosts/hackertarget, recon/domains-contacts/whois_pocs, etc.

Install an IP geolocation module:

marketplace install recon/hosts-hosts/ipinfodb

Install a WHOIS contacts module:

marketplace install recon/domains-contacts/whois_pocs

Install a subdomain enumeration module:

marketplace install recon/domains-hosts/hackertarget

Reload modules if needed:

modules reload

Step 3

Some modules need API keys for third-party services like Shodan or IPinfoDB. You can set up some API keys as an optional step.

Obtain the keys from each service you require (some keys require payment). This example is from shodan.io.

Sign up and get the key: https://developer.shodan.io/api/requirements

Add the key:

keys add shodan_api YOUR_SHODAN_API_KEY

List keys to verify:

keys list

Keys are stored securely in ~/.recon-ng/keys.db.

Step 4

Load, Configure, and Run Modules for Reconnaissance. Perform targeted data gathering such as:

IP Geolocation:

Load:

modules load recon/hosts-hosts/ipinfodb

Set an IP from previous results (e.g., from subdomains):

options set SOURCE 192.0.2.1

Run:

run

This provides location details like country, latitude/longitude.

WHOIS Contacts Gathering:

Load:

modules load recon/domains-contacts/whois_pocs

Set source:

options set SOURCE example.com

Run:

run

This pulls point-of-contact info like emails and names from WHOIS data.

Subdomain Enumeration:

Load the module:

modules load recon/domains-hosts/hackertarget

Set the target:

options set SOURCE example.com

Run it:

run

This queries HackerTarget for subdomains (e.g., discovers api.example.com, vpn.example.com with IPs).

Step 5

View and Manage Collected Data. Data is stored in the workspace's database.

List notes:

notes list

Add notes for context:

notes add subdomain_note "Found potential vuln on api.example.com"

View schema for database structure:

db schema

View contacts:

show contacts

View hosts (subdomains/IPs):

show hosts

Step 6

Generate reports, export data and summarise findings for analysis.

Spool output to a file for logging:

spool on example_log.txt
run  # Run a module
spool off

Export database to CSV:

db export csv example_data.csv

Install a reporting module:

marketplace install reporting/csv

Load and run:

modules load reporting/csv
run

This exports data to a CSV file.

Step 7

Exit and Cleanup.

Remove workspace if done:

workspaces remove example_recon

Exit the module context:

back

Exit Recon-ng:

exit

This workflow can be automated with resource files (e.g. save commands in a .rc file and run recon-ng -r file.rc). For real-world use, chain modules (e.g. use subdomains from one as input for geolocation in another) on targets like bug bounty domains.
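An added example, not part of the original page or of Recon-ng: a POSIX shell helper that writes such a resource file for a list of domains. Resource files are replayed as console commands and the console has a shell command, so each target is validated and nothing is written if any is rejected; the function names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not Recon-ng code): build a resource file for `recon-ng -r`.
# A target value containing a newline would add console commands of its own
# when the file is replayed, so targets are checked before anything is written.

# valid_domain NAME -> 0 if NAME is a plain dotted hostname, 1 otherwise
valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;          # empty, or a char outside the hostname set
        .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;   # misplaced dot or hyphen
        *.*) return 0 ;;                          # at least one dot
    esac
    return 1
}

# write_rc OUTFILE DOMAIN... -> 0 on success, 2 if any DOMAIN is rejected
# (fails closed: OUTFILE is not created unless every target passes)
write_rc() {
    out=$1; shift
    [ "$#" -gt 0 ] || return 2
    for d in "$@"; do
        # The rejected value is not echoed: it may contain control characters.
        valid_domain "$d" || { echo "rejected target, not writing $out" >&2; return 2; }
    done
    (
        umask 077    # the file names in-scope targets; keep it private
        {
            echo "marketplace install recon/domains-hosts/hackertarget"
            echo "modules load recon/domains-hosts/hackertarget"
            for d in "$@"; do
                echo "options set SOURCE $d"
                echo "run"
            done
            echo "back"
            echo "show hosts"
            echo "exit"
        } > "$out"
    )
}

# Constructed usage:
#   write_rc example_recon.rc example.com
#   recon-ng -w example_recon -r example_recon.rc
```
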

Always check for module updates with marketplace refresh.

Recon-ng Command Reference for OSINT

Recon-ng is a powerful open-source intelligence (OSINT) gathering tool designed for web-based reconnaissance. Its command-line interface, similar to Metasploit, provides a modular framework for ethical hackers, penetration testers, and bug bounty hunters. Below is a comprehensive list of Recon-ng commands, categorized for ease of use, as of version 5.1.2. These commands manage the framework, modules, workspaces, and data, enabling efficient OSINT workflows.

Note: Always use Recon-ng ethically and with permission, as some modules interact with third-party APIs that have rate limits or legal restrictions.

Command Categories

Recon-ng commands are grouped into categories for framework management, workspace handling, module interaction, and database/data operations. Use the help command in the Recon-ng shell to view all available commands interactively.

1. Framework Commands

These commands control the overall Recon-ng environment and session.

Command                         Description
help                            Displays all available commands with brief descriptions.
back                            Exits the current module or context, returning to the previous level.
exit                            Exits the Recon-ng framework entirely.
dashboard                       Shows a summary of activity and collected data in the current workspace.
keys list                       Lists all stored API keys for third-party services.
keys add <key_name> <value>     Adds an API key (e.g., keys add shodan_api YOUR_KEY).
keys remove <key_name>          Removes a specified API key.
shell                           Executes system shell commands from within Recon-ng.
spool on <filename>             Starts logging output to a specified file (e.g., spool on output.txt).
spool off                       Stops logging output to the file.
script <filename>               Runs a script of Recon-ng commands from a resource file.

2. Workspace Commands

Workspaces isolate projects to keep data organized. Each workspace has its own database.

Command                         Description
workspaces create <name>        Creates a new workspace (e.g., workspaces create project1).
workspaces list                 Lists all available workspaces.
workspaces select <name>        Switches to the specified workspace.
workspaces remove <name>        Deletes the specified workspace and its data.

3. Module Commands

These commands manage Recon-ng's modular system, including searching, installing, and running modules.

Command                         Description
marketplace search <keyword>    Searches the module marketplace (e.g., marketplace search ssl).
marketplace info <module>       Displays details about a specific module.
marketplace install <module>    Installs a module from the marketplace (e.g., marketplace install recon/domains-hosts/hackertarget).
marketplace remove <module>     Removes an installed module.
marketplace refresh             Refreshes the module marketplace to check for updates.
modules search <keyword>        Searches installed modules (e.g., modules search hackertarget).
modules load <module>           Loads a module for use (e.g., modules load recon/domains-hosts/hackertarget).
options set <option> <value>    Sets a module option (e.g., options set SOURCE example.com).
options list                    Lists available options for the loaded module.
run                             Executes the loaded module with configured options.
info                            Shows detailed information about the loaded module.

4. Database and Data Commands

These commands manage the database and collected data within a workspace.

Command                         Description
db insert <table>               Manually inserts data into a database table (e.g., db insert hosts).
db export <format> <filename>   Exports database data to a file (e.g., db export csv data.csv).
db schema                       Displays the database schema for the current workspace.
show hosts                      Lists stored hosts (e.g., subdomains and IPs).
show domains                    Lists stored domains.
show contacts                   Lists stored contact information (e.g., emails, names).
show credentials                Lists stored credentials (if collected).
show profiles                   Lists stored social media profiles.
notes add <name> <text>         Adds a note to the workspace (e.g., notes add vuln "Potential XSS on api.example.com").
notes list                      Lists all notes in the workspace.
notes view <name>               Displays a specific note's content.

Usage Notes

  • Startup Flags: Launch Recon-ng with --stealth for passive mode or --no-analytics to disable analytics reporting. Use -w <workspace> to load a workspace or -r <filename> to run a resource file.
  • Non-Interactive Mode: Use recon-cli -m <module> -x for single module execution.
  • Web Interface: Start with recon-web for a browser-based UI and API access at /api/.
  • Module Dependencies: Some modules require API keys (marked 'K') or external dependencies ('D'). Check with marketplace info <module>.

Example Workflow

To perform subdomain enumeration on example.com:


workspaces create example_recon
marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
options set SOURCE example.com
run
show hosts
db export csv subdomains.csv
        

Further Resources

For advanced usage, module development, or updates, visit the Recon-ng GitHub Wiki. Ensure compliance with legal and ethical guidelines when using Recon-ng, especially with third-party APIs.

Generated on August 25, 2025, based on Recon-ng version 5.1.2 documentation and community resources.

Recon-ng Required APIs for OSINT Modules

Required APIs for Recon-ng Modules

Many Recon-ng modules require API keys from third-party services to access enhanced data for open-source intelligence (OSINT) tasks. Below is a list of commonly required APIs, their purposes, example modules that depend on them, and how to obtain the keys. This is based on Recon-ng version 5.1.2 documentation and community resources. Note that not all modules require APIs, and some services offer free or paid tiers with varying rate limits. Always check module requirements using marketplace info <module>.

Ensure compliance with API terms of service and legal restrictions when using these services.

API Services

Shodan
  Purpose: Provides internet-connected device data, including open ports and services, for IP or domain queries. Useful for infrastructure reconnaissance.
  Example Modules: recon/hosts-hosts/shodan, recon/domains-hosts/shodan_hostname
  How to Obtain: Sign up at shodan.io. Free tier available; paid plans offer more queries.

IPinfoDB
  Purpose: Offers geolocation data for IPs, including country, city, and coordinates.
  Example Modules: recon/hosts-hosts/ipinfodb
  How to Obtain: Register at ipinfodb.com for a free API key (requires account creation).

Bing
  Purpose: Enables web and image searches for discovering related domains, contacts, or profiles.
  Example Modules: recon/domains-hosts/bing_domain_web, recon/profiles-profiles/bing_linkedin
  How to Obtain: Obtain via Microsoft Azure at azure.microsoft.com. Free tier has limited queries.

Google
  Purpose: Supports web searches and domain enumeration via Google’s search engine.
  Example Modules: recon/domains-hosts/google_site_web
  How to Obtain: Get a Custom Search API key at developers.google.com/custom-search. Free tier has daily limits.

Twitter
  Purpose: Pulls social media profiles, mentions, or geolocation data from Twitter.
  Example Modules: recon/profiles-profiles/twitter, recon/locations-pushpins/twitter
  How to Obtain: Create a developer account at developer.twitter.com. Free tier available; elevated access may be needed.

Hunter.io
  Purpose: Finds email addresses associated with a domain for contact enumeration.
  Example Modules: recon/domains-contacts/hunter_io
  How to Obtain: Sign up at hunter.io. Free tier includes limited searches.

FullContact
  Purpose: Enriches contact data with social media and demographic information.
  Example Modules: recon/contacts-profiles/fullcontact
  How to Obtain: Register at fullcontact.com. Requires a paid plan for full access.

VirusTotal
  Purpose: Checks domains or IPs for malware or security issues.
  Example Modules: recon/domains-vulnerabilities/virustotal
  How to Obtain: Get a key at virustotal.com. Free tier has strict rate limits.

BuiltWith
  Purpose: Identifies technologies used by websites, useful for profiling web infrastructure.
  Example Modules: recon/domains-hosts/builtwith
  How to Obtain: Sign up at builtwith.com. Free tier available with limited queries.

Censys
  Purpose: Provides data on internet hosts, certificates, and services.
  Example Modules: recon/domains-hosts/censys_subdomains
  How to Obtain: Register at censys.io. Free tier includes limited API access.

How to Add API Keys in Recon-ng

To use these APIs, add the keys to Recon-ng’s key store:

  1. Launch Recon-ng: recon-ng
  2. Add a key: keys add <key_name> <your_api_key>
    Example: keys add shodan_api abc123xyz
  3. List keys to verify: keys list

Keys are stored securely in ~/.recon-ng/keys.db.
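The key store is an ordinary file under ~/.recon-ng/, so who can read the API keys comes down to filesystem permissions. The following added example (not part of Recon-ng or the original page; the function names are hypothetical) lists anything under that directory that group or other can access, and can strip that access.

```shell
#!/bin/sh
# Added example (not Recon-ng code): audit permissions under the Recon-ng home.
# Assumes the default location ~/.recon-ng/ named on this page.

# exposed_paths DIR -> prints every file or directory under DIR that grants
# any permission bit to group or other; prints nothing when the tree is private.
# Symlinks are skipped because their own mode bits are not meaningful.
exposed_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# audit_recon_home [DIR] -> 0 if private, 1 if anything is exposed, 2 if DIR is missing
audit_recon_home() {
    dir=${1:-"$HOME/.recon-ng"}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    found=$(exposed_paths "$dir")
    [ -z "$found" ] && return 0
    printf 'accessible to group/other:\n%s\n' "$found" >&2
    return 1
}

# lock_recon_home [DIR] -> removes group/other access from the whole tree
lock_recon_home() {
    dir=${1:-"$HOME/.recon-ng"}
    [ -d "$dir" ] || return 2
    chmod -R go-rwx "$dir"
}

# Constructed usage:
#   audit_recon_home || lock_recon_home
```
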

Notes on API Usage

  • Module-Specific Requirements: Check if a module requires an API key with marketplace info <module>. Modules marked ‘K’ in marketplace search need keys.
  • Rate Limits: Free tiers often have strict query limits (e.g., Shodan allows 1 query/second). Paid plans may be required for heavy use.
  • Ethical Use: Comply with API terms and legal restrictions to avoid violations or bans.
  • Dependencies (‘D’): Some modules require Python libraries in addition to APIs. Install via pip as indicated in marketplace info.
  • Obtaining Keys: Most services require account registration; some (e.g., FullContact) need paid subscriptions for full access.

Example Workflow with APIs

To enumerate subdomains using recon/domains-hosts/shodan_hostname:


keys add shodan_api YOUR_SHODAN_API_KEY
marketplace install recon/domains-hosts/shodan_hostname
modules load recon/domains-hosts/shodan_hostname
options set SOURCE example.com
run
show hosts
        

This retrieves subdomain data from Shodan if the API key is valid.

Further Notes

New modules may introduce additional API requirements. Run marketplace refresh to check for updates. For custom modules or niche APIs, consult the Recon-ng GitHub Wiki. For pricing, visit the respective service websites (e.g., shodan.io, hunter.io).
