Recon-ng: The Web Reconnaissance Framework for Automated OSINT
What is Recon-ng?
Recon-ng is a full-featured, modular web reconnaissance framework written in Python. Created by Tim Tomes (LaNMaSteR53), it provides a powerful environment for conducting open-source web-based reconnaissance quickly and thoroughly. If you've used Metasploit, Recon-ng will feel immediately familiar — it uses the same module-based architecture, but instead of exploits, it provides reconnaissance modules.
Recon-ng automates the tedious OSINT collection process. Rather than manually querying crt.sh, then Shodan, then WHOIS, then HackerTarget — you load modules, set targets, and let Recon-ng populate a structured database of hosts, contacts, credentials, and more.
In OSINT and penetration testing, Recon-ng is the framework that ties individual tools together. It stores everything in a local database, tracks data relationships, and generates professional reports.
Legal Notice: Recon-ng queries publicly available data sources. Always ensure your reconnaissance activities are authorized.
Installation
On Kali Linux (Pre-installed)
recon-ng
Install on Other Systems
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
python3 recon-ng
First Launch
recon-ng
Expected Output:
[Recon-ng ASCII-art banner]
www.lanmaster53.com
[recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
[76 modules available]
[recon-ng][default] >
Workspaces
Workspaces keep investigations separate. Each workspace has its own database.
Create a New Workspace
workspaces create tesla_investigation
Output:
[recon-ng][tesla_investigation] >
List Workspaces
workspaces list
Output:
+---------------------------+
| Workspaces                |
+---------------------------+
| default                   |
| tesla_investigation       |
+---------------------------+
Switch Workspace
workspaces select default
Delete a Workspace
workspaces remove old_project
The Database
Recon-ng stores all collected data in a structured SQLite database with these tables:
- domains — Target domains
- companies — Company names
- hosts — Discovered hostnames and IPs
- contacts — People (names, emails, titles)
- credentials — Leaked credentials
- netblocks — IP ranges
- ports — Open ports on hosts
- vulnerabilities — Known vulns
- profiles — Social media profiles
- repositories — Code repositories
- pushpins — Geolocations
Add a Target Domain
db insert domains
Interactive prompt:
domain (TEXT): tesla.com
notes (TEXT):
[*] 1 rows affected.
View Stored Data
show domains
Output:
+------------------------------------------+
|                 domains                  |
+------------------------------------------+
| rowid | domain    | notes | module       |
+------------------------------------------+
| 1     | tesla.com |       | user_defined |
+------------------------------------------+
[*] 1 rows returned
Show All Tables
show hosts
show contacts
show credentials
show netblocks
Query the Database Directly
db query SELECT * FROM hosts WHERE ip_address IS NOT NULL
Module System
Modules are the core of Recon-ng. They're organized into categories.
Search for Modules
marketplace search
Output (abbreviated):
+-----------------------------------------------------------------------------------------------------------+
| Marketplace |
+-----------------------------------------------------------------------------------------------------------+
| Path | Version | Status | D | K | Description |
+-----------------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop | 1.1 | not installed | | | DNS Cache Snooping |
| exploitation/injection/command_injector | 1.0 | not installed | | | Remote Command Injection|
| import/csv_file | 1.1 | not installed | | | CSV File Importer |
| import/nmap | 1.1 | not installed | | | Nmap XML Output Import |
| recon/companies-contacts/bing_linkedin_cache | 1.0 | not installed | | * | Bing LinkedIn Cache |
| recon/companies-multi/github_miner | 1.1 | not installed | | * | Github Resource Miner |
| recon/contacts-contacts/mailtester | 1.0 | not installed | | | MailTester Email Verify |
| recon/domains-contacts/whois_pocs | 1.1 | not installed | | | WHOIS POC Lookup |
| recon/domains-hosts/bing_domain_web | 1.1 | not installed | | * | Bing Domain Web |
| recon/domains-hosts/brute_hosts | 1.0 | not installed | | | DNS Hostname Brute Force|
| recon/domains-hosts/certificate_transparency | 1.2 | not installed | | | Certificate Transparency|
| recon/domains-hosts/hackertarget | 1.1 | not installed | | | HackerTarget Lookup |
| recon/domains-hosts/shodan_hostname | 1.1 | not installed | | * | Shodan Hostname Lookup |
| recon/domains-hosts/threatminer | 1.0 | not installed | | | ThreatMiner DNS |
| recon/hosts-hosts/resolve | 1.0 | not installed | | | Hostname Resolver |
| recon/hosts-hosts/reverse_resolve | 1.0 | not installed | | | Reverse Resolver |
| recon/hosts-ports/shodan_ip | 1.0 | not installed | | * | Shodan IP Lookup |
| reporting/html | 1.0 | not installed | | | HTML Report Generator |
| reporting/json | 1.0 | not installed | | | JSON Report Generator |
| reporting/xlsx | 1.0 | not installed | | | XLSX Report Generator |
+-----------------------------------------------------------------------------------------------------------+
D = Has Dependencies, K = Requires API Key
Install a Module
marketplace install recon/domains-hosts/certificate_transparency
Output:
[*] Module installed: recon/domains-hosts/certificate_transparency
[*] Reloading modules...
Install All Modules
marketplace install all
Load a Module
modules load recon/domains-hosts/certificate_transparency
Output:
[recon-ng][tesla_investigation][certificate_transparency] >
View Module Info
info
Output:
+-----------------------------------------------------------+
| Name: Certificate Transparency |
| Author: Tim Tomes (@lanmaster53) |
| Version: 1.2 |
| Description: |
| Queries the crt.sh certificate transparency database |
| for subdomains of a given domain. |
+-----------------------------------------------------------+
| Options: |
| Name | Current Value | Required | Description |
| SOURCE | default | yes | source of input |
+-----------------------------------------------------------+
| Source Options: |
| default = query the "domains" table |
| <string> = a single domain |
| <path> = path to file with one domain per line |
+-----------------------------------------------------------+
Run a Module
run
Expected Output:
-----------
TESLA.COM
-----------
[*] Querying crt.sh for certificate transparency data...
[*] [host] aca.tesla.com (<blank>)
[*] [host] accounts.tesla.com (<blank>)
[*] [host] api.tesla.com (<blank>)
[*] [host] api-internal.tesla.com (<blank>)
[*] [host] auth.tesla.com (<blank>)
[*] [host] blog.tesla.com (<blank>)
[*] [host] ca.tesla.com (<blank>)
[*] [host] charging.tesla.com (<blank>)
[*] [host] cloud.tesla.com (<blank>)
[*] [host] cn.tesla.com (<blank>)
[*] [host] dev.tesla.com (<blank>)
...
-------
SUMMARY
-------
[*] 47 total (47 new) hosts found.
Notice the data is automatically added to the hosts table.
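
Added example (not from the original article or the Recon-ng project): once modules have populated the hosts table, an asset owner can review it outside the console with Python's sqlite3 module, here to find public names that resolve to internal addresses and names with no usable address. The column names host, ip_address and module are assumed from the query and table output shown on this page, and the rows are constructed sample data in an in-memory database.

```python
import ipaddress
import sqlite3
from collections import defaultdict

# RFC 1918 and loopback ranges; a public DNS name pointing here leaks internal addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample rows (host, ip_address, module); not real collection results.
SAMPLE_HOSTS = [
    ("www.example.com", "203.0.113.10", "certificate_transparency"),
    ("www.example.com", "203.0.113.10", "hackertarget"),
    ("api.example.com", "198.51.100.7", "certificate_transparency"),
    ("dev.example.com", "10.20.30.40", "resolve"),
    ("vpn.example.com", None, "certificate_transparency"),
    ("old.example.com", "not-an-ip", "threatminer"),
]

def build_sample_db():
    """In-memory stand-in for a workspace database (assumed column names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_HOSTS)
    return conn

def review_hosts(conn):
    """Return (internal, unresolved, sources) derived from the hosts table."""
    internal, resolved = {}, set()
    sources = defaultdict(set)          # host -> modules that reported it
    for host, ip, module in conn.execute("SELECT host, ip_address, module FROM hosts"):
        sources[host].add(module)
        try:
            addr = ipaddress.ip_address(ip or "")
        except ValueError:              # NULL, empty or malformed address
            continue
        resolved.add(host)
        if any(addr in net for net in INTERNAL_NETS):
            internal[host] = ip
    unresolved = set(sources) - resolved
    return internal, unresolved, dict(sources)

if __name__ == "__main__":
    internal, unresolved, sources = review_hosts(build_sample_db())
    print("internal addresses in public DNS:", internal)
    print("names with no usable address:", sorted(unresolved))
    for host, mods in sorted(sources.items()):
        print(host, "reported by", sorted(mods))
```
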
Key Modules by Category
Subdomain Discovery
# Certificate Transparency
modules load recon/domains-hosts/certificate_transparency
run
# HackerTarget
modules load recon/domains-hosts/hackertarget
run
# DNS Brute Force
modules load recon/domains-hosts/brute_hosts
run
# ThreatMiner
modules load recon/domains-hosts/threatminer
run
# Bing (requires API key)
modules load recon/domains-hosts/bing_domain_web
run
Contact / Email Discovery
# WHOIS Points of Contact
modules load recon/domains-contacts/whois_pocs
run
# Bing LinkedIn Cache (requires API key)
modules load recon/companies-contacts/bing_linkedin_cache
run
Host Reconnaissance
# Resolve hostnames to IPs
modules load recon/hosts-hosts/resolve
run
# Reverse DNS lookup
modules load recon/hosts-hosts/reverse_resolve
run
# Shodan port lookup (requires API key)
modules load recon/hosts-ports/shodan_ip
run
Credential Discovery
# Check for breached credentials
modules load recon/contacts-credentials/hibp_breach
run
# Check paste sites
modules load recon/contacts-credentials/hibp_paste
run
API Key Management
Many modules require API keys from third-party services.
List Required Keys
keys list
Output:
+----------------------------------------------+
| Keys |
+----------------------------------------------+
| Name | Value | Status |
+----------------------------------------------+
| bing_api | | not set |
| builtwith_api | | not set |
| censys_api | | not set |
| censys_secret | | not set |
| github_api | | not set |
| google_api | | not set |
| google_cse | | not set |
| hashes_api | | not set |
| hunter_api | | not set |
| ipinfodb_api | | not set |
| shodan_api | | not set |
| virustotal_api | | not set |
+----------------------------------------------+
Add an API Key
keys add shodan_api YOUR_SHODAN_API_KEY
keys add github_api YOUR_GITHUB_TOKEN
keys add virustotal_api YOUR_VT_KEY
Output:
[*] Key 'shodan_api' added.
Reporting
Generate HTML Report
modules load reporting/html
options set FILENAME /root/reports/tesla_report.html
options set CREATOR "Security Team"
options set CUSTOMER "Tesla Investigation"
run
Generate JSON Report
modules load reporting/json
options set FILENAME /root/reports/tesla_report.json
run
Generate Excel Report
modules load reporting/xlsx
options set FILENAME /root/reports/tesla_report.xlsx
run
Real-World OSINT Workflow
Complete Automated Recon Pipeline
# Step 1: Create workspace
workspaces create target_recon
# Step 2: Add target domain
db insert domains
# Enter: target.com
# Step 3: Subdomain enumeration (run multiple modules)
modules load recon/domains-hosts/certificate_transparency
run
back
modules load recon/domains-hosts/hackertarget
run
back
modules load recon/domains-hosts/threatminer
run
back
# Step 4: Resolve all discovered hosts
modules load recon/hosts-hosts/resolve
run
back
# Step 5: Contact discovery
modules load recon/domains-contacts/whois_pocs
run
back
# Step 6: Port enumeration via Shodan
modules load recon/hosts-ports/shodan_ip
run
back
# Step 7: Check for breached credentials
modules load recon/contacts-credentials/hibp_breach
run
back
# Step 8: Review collected data
show hosts
show contacts
show credentials
show ports
# Step 9: Generate report
modules load reporting/html
options set FILENAME /root/reports/target_full_recon.html
run
Recon-ng Resource File (Automation)
Create a file auto_recon.rc:
workspaces create auto_target
db insert domains
target.com
modules load recon/domains-hosts/certificate_transparency
run
back
modules load recon/domains-hosts/hackertarget
run
back
modules load recon/hosts-hosts/resolve
run
back
show hosts
Run it:
recon-ng -r auto_recon.rc
Useful Commands Reference
Summary
Recon-ng is the OSINT framework that brings structure and automation to reconnaissance. Instead of running a dozen individual tools and manually correlating results, Recon-ng provides a unified database, modular architecture, and professional reporting — making it the backbone of any serious OSINT investigation.
Key Takeaways:
- Use workspaces to keep investigations separate and organized
- Install all modules with marketplace install all to have everything available
- Start with the certificate_transparency and hackertarget modules (no API keys needed)
- Use the resolve module to convert hostnames to IPs after subdomain discovery
- Configure API keys for Shodan, VirusTotal, and GitHub to unlock powerful modules
- Use resource files (.rc) to automate repetitive recon pipelines
- Generate HTML/JSON/XLSX reports for professional deliverables
- Think of Recon-ng as the central hub that feeds into Nmap (scanning), Sherlock (social), and Metasploit (exploitation)