
Recon-ng: The Web Reconnaissance Framework for Automated OSINT


What is Recon-ng?

Recon-ng is a full-featured, modular web reconnaissance framework written in Python. Created by Tim Tomes (LaNMaSteR53), it provides a powerful environment for conducting open-source web-based reconnaissance quickly and thoroughly. If you've used Metasploit, Recon-ng will feel immediately familiar — it uses the same module-based architecture, but instead of exploits, it provides reconnaissance modules.

Recon-ng automates the tedious OSINT collection process. Rather than manually querying crt.sh, then Shodan, then WHOIS, then HackerTarget — you load modules, set targets, and let Recon-ng populate a structured database of hosts, contacts, credentials, and more.

In OSINT and penetration testing, Recon-ng is the framework that ties individual tools together. It stores everything in a local database, tracks data relationships, and generates professional reports.

Legal Notice: Recon-ng queries publicly available data sources. Always ensure your reconnaissance activities are authorized.


Installation

On Kali Linux (Pre-installed)

recon-ng

Install on Other Systems

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
python3 recon-ng

First Launch

recon-ng

Expected Output:

 
    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/   
 
                                          /\\\\\\\\\\\\\\\                              
                                         /\\\\            /\\\\
                                        /\\\\             /\\\\
                                        \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                        /\\\\
                                                       /\\\\
                                         /\\\\\\\\\\\\\\\\    
 
                                    www.lanmaster53.com
 
                      [recon-ng v5.1.2, Tim Tomes (@lanmaster53)]
 
[76 modules available]
 
[recon-ng][default] > 

Workspaces

Workspaces keep investigations separate. Each workspace has its own database.

Create a New Workspace

workspaces create tesla_investigation

Output:

[recon-ng][tesla_investigation] >

List Workspaces

workspaces list

Output:

+---------------------------+
| Workspaces                |
+---------------------------+
| default                   |
| tesla_investigation       |
+---------------------------+

Switch Workspace

workspaces select default

Delete a Workspace

workspaces remove old_project

The Database

Recon-ng stores all collected data in a structured SQLite database with these tables:

  • domains — Target domains
  • companies — Company names
  • hosts — Discovered hostnames and IPs
  • contacts — People (names, emails, titles)
  • credentials — Leaked credentials
  • netblocks — IP ranges
  • ports — Open ports on hosts
  • vulnerabilities — Known vulns
  • profiles — Social media profiles
  • repositories — Code repositories
  • pushpins — Geolocations

Add a Target Domain

db insert domains

Interactive prompt:

domain (TEXT): tesla.com
notes (TEXT): 
[*] 1 rows affected.

View Stored Data

show domains

Output:

  +---------------------------------------------+
  |                   domains                    |
  +---------------------------------------------+
  | rowid | domain    | notes |     module       |
  +---------------------------------------------+
  | 1     | tesla.com |       | user_defined     |
  +---------------------------------------------+
 
[*] 1 rows returned

Show Other Tables

show hosts
show contacts
show credentials
show netblocks

Query the Database Directly

db query SELECT * FROM hosts WHERE ip_address IS NOT NULL
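
As an added example (not part of the original post or of Recon-ng), this Python script runs the same kind of SQL against a constructed hosts table to triage results when reviewing your own organisation's exposure: hosts per module, unresolved names, public names that point at RFC 1918 addresses, and addresses shared by several hosts. The three-column schema and all example.com rows are assumptions made for the example.

```python
import ipaddress
import sqlite3

# Constructed sample rows, not real findings. The three columns are an assumed
# subset of the hosts table; names and addresses are placeholders.
SAMPLE_HOSTS = [
    ("www.example.com", "203.0.113.10", "certificate_transparency"),
    ("api.example.com", "203.0.113.20", "hackertarget"),
    ("dev.example.com", None, "certificate_transparency"),
    ("api-internal.example.com", "10.20.30.40", "certificate_transparency"),
    ("mail.example.com", "203.0.113.10", "threatminer"),
    ("vpn.example.com", "192.168.1.5", "hackertarget"),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sample_db():
    """Create an in-memory database shaped like the assumed hosts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_HOSTS)
    return conn


def triage_hosts(conn):
    """Summarise the hosts table for review of an organisation's own exposure."""
    per_module = dict(conn.execute(
        "SELECT module, COUNT(*) FROM hosts GROUP BY module"))
    unresolved = [h for (h,) in conn.execute(
        "SELECT host FROM hosts WHERE ip_address IS NULL ORDER BY host")]
    private, by_ip = [], {}
    rows = conn.execute("SELECT host, ip_address FROM hosts "
                        "WHERE ip_address IS NOT NULL ORDER BY host")
    for host, ip in rows:
        by_ip.setdefault(ip, []).append(host)
        # Public names pointing at RFC 1918 space leak internal addressing.
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            private.append((host, ip))
    shared = {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1}
    return {"per_module": per_module, "unresolved": unresolved,
            "private": private, "shared_ip": shared}


if __name__ == "__main__":
    for key, value in triage_hosts(build_sample_db()).items():
        print(f"{key}: {value}")
```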

Module System

Modules are the core of Recon-ng. They're organized into categories.

Search for Modules

marketplace search

Output (abbreviated):

+-----------------------------------------------------------------------------------------------------------+
|                                            Marketplace                                                     |
+-----------------------------------------------------------------------------------------------------------+
|   Path                                          | Version | Status    | D | K | Description               |
+-----------------------------------------------------------------------------------------------------------+
| discovery/info_disclosure/cache_snoop            | 1.1     | not installed |   |   | DNS Cache Snooping      |
| exploitation/injection/command_injector           | 1.0     | not installed |   |   | Remote Command Injection|
| import/csv_file                                   | 1.1     | not installed |   |   | CSV File Importer       |
| import/nmap                                       | 1.1     | not installed |   |   | Nmap XML Output Import  |
| recon/companies-contacts/bing_linkedin_cache      | 1.0     | not installed |   | * | Bing LinkedIn Cache     |
| recon/companies-multi/github_miner                | 1.1     | not installed |   | * | Github Resource Miner   |
| recon/contacts-contacts/mailtester                | 1.0     | not installed |   |   | MailTester Email Verify  |
| recon/domains-contacts/whois_pocs                 | 1.1     | not installed |   |   | WHOIS POC Lookup        |
| recon/domains-hosts/bing_domain_web               | 1.1     | not installed |   | * | Bing Domain Web         |
| recon/domains-hosts/brute_hosts                   | 1.0     | not installed |   |   | DNS Hostname Brute Force|
| recon/domains-hosts/certificate_transparency      | 1.2     | not installed |   |   | Certificate Transparency|
| recon/domains-hosts/hackertarget                  | 1.1     | not installed |   |   | HackerTarget Lookup     |
| recon/domains-hosts/shodan_hostname               | 1.1     | not installed |   | * | Shodan Hostname Lookup  |
| recon/domains-hosts/threatminer                   | 1.0     | not installed |   |   | ThreatMiner DNS         |
| recon/hosts-hosts/resolve                         | 1.0     | not installed |   |   | Hostname Resolver       |
| recon/hosts-hosts/reverse_resolve                 | 1.0     | not installed |   |   | Reverse Resolver        |
| recon/hosts-ports/shodan_ip                       | 1.0     | not installed |   | * | Shodan IP Lookup        |
| reporting/html                                    | 1.0     | not installed |   |   | HTML Report Generator   |
| reporting/json                                    | 1.0     | not installed |   |   | JSON Report Generator   |
| reporting/xlsx                                    | 1.0     | not installed |   |   | XLSX Report Generator   |
+-----------------------------------------------------------------------------------------------------------+
 
D = Has Dependencies, K = Requires API Key

Install a Module

marketplace install recon/domains-hosts/certificate_transparency

Output:

[*] Module installed: recon/domains-hosts/certificate_transparency
[*] Reloading modules...

Install All Modules

marketplace install all

Load a Module

modules load recon/domains-hosts/certificate_transparency

Output:

[recon-ng][tesla_investigation][certificate_transparency] >

View Module Info

info

Output:

+-----------------------------------------------------------+
| Name: Certificate Transparency                             |
| Author: Tim Tomes (@lanmaster53)                           |
| Version: 1.2                                               |
| Description:                                               |
|   Queries the crt.sh certificate transparency database     |
|   for subdomains of a given domain.                        |
+-----------------------------------------------------------+
| Options:                                                    |
|   Name     | Current Value | Required | Description        |
|   SOURCE   | default       | yes      | source of input    |
+-----------------------------------------------------------+
| Source Options:                                             |
|   default  = query the "domains" table                     |
|   <string> = a single domain                               |
|   <path>   = path to file with one domain per line         |
+-----------------------------------------------------------+

Run a Module

run

Expected Output:

-----------
TESLA.COM
-----------
[*] Querying crt.sh for certificate transparency data...
[*] [host] aca.tesla.com (<blank>)
[*] [host] accounts.tesla.com (<blank>)
[*] [host] api.tesla.com (<blank>)
[*] [host] api-internal.tesla.com (<blank>)
[*] [host] auth.tesla.com (<blank>)
[*] [host] blog.tesla.com (<blank>)
[*] [host] ca.tesla.com (<blank>)
[*] [host] charging.tesla.com (<blank>)
[*] [host] cloud.tesla.com (<blank>)
[*] [host] cn.tesla.com (<blank>)
[*] [host] dev.tesla.com (<blank>)
...
 
-------
SUMMARY
-------
[*] 47 total (47 new) hosts found.

Notice the data is automatically added to the hosts table.


Key Modules by Category

Subdomain Discovery

# Certificate Transparency
modules load recon/domains-hosts/certificate_transparency
run
 
# HackerTarget
modules load recon/domains-hosts/hackertarget
run
 
# DNS Brute Force
modules load recon/domains-hosts/brute_hosts
run
 
# ThreatMiner
modules load recon/domains-hosts/threatminer
run
 
# Bing (requires API key)
modules load recon/domains-hosts/bing_domain_web
run

Contact / Email Discovery

# WHOIS Points of Contact
modules load recon/domains-contacts/whois_pocs
run
 
# Bing LinkedIn Cache (requires API key)
modules load recon/companies-contacts/bing_linkedin_cache
run

Host Reconnaissance

# Resolve hostnames to IPs
modules load recon/hosts-hosts/resolve
run
 
# Reverse DNS lookup
modules load recon/hosts-hosts/reverse_resolve
run
 
# Shodan port lookup (requires API key)
modules load recon/hosts-ports/shodan_ip
run

Credential Discovery

# Check for breached credentials
modules load recon/contacts-credentials/hibp_breach
run
 
# Check paste sites
modules load recon/contacts-credentials/hibp_paste
run

API Key Management

Many modules require API keys from third-party services.

List Required Keys

keys list

Output:

+----------------------------------------------+
|                    Keys                       |
+----------------------------------------------+
| Name              | Value        | Status    |
+----------------------------------------------+
| bing_api          |              | not set   |
| builtwith_api     |              | not set   |
| censys_api        |              | not set   |
| censys_secret     |              | not set   |
| github_api        |              | not set   |
| google_api        |              | not set   |
| google_cse        |              | not set   |
| hashes_api        |              | not set   |
| hunter_api        |              | not set   |
| ipinfodb_api      |              | not set   |
| shodan_api        |              | not set   |
| virustotal_api    |              | not set   |
+----------------------------------------------+

Add an API Key

keys add shodan_api YOUR_SHODAN_API_KEY
keys add github_api YOUR_GITHUB_TOKEN
keys add virustotal_api YOUR_VT_KEY

Output:

[*] Key 'shodan_api' added.

Reporting

Generate HTML Report

modules load reporting/html
options set FILENAME /root/reports/tesla_report.html
options set CREATOR "Security Team"
options set CUSTOMER "Tesla Investigation"
run

Generate JSON Report

modules load reporting/json
options set FILENAME /root/reports/tesla_report.json
run

Generate Excel Report

modules load reporting/xlsx
options set FILENAME /root/reports/tesla_report.xlsx
run

Real-World OSINT Workflow

Complete Automated Recon Pipeline

# Step 1: Create workspace
workspaces create target_recon
 
# Step 2: Add target domain
db insert domains
# Enter: target.com
 
# Step 3: Subdomain enumeration (run multiple modules)
modules load recon/domains-hosts/certificate_transparency
run
back
 
modules load recon/domains-hosts/hackertarget
run
back
 
modules load recon/domains-hosts/threatminer
run
back
 
# Step 4: Resolve all discovered hosts
modules load recon/hosts-hosts/resolve
run
back
 
# Step 5: Contact discovery
modules load recon/domains-contacts/whois_pocs
run
back
 
# Step 6: Port enumeration via Shodan
modules load recon/hosts-ports/shodan_ip
run
back
 
# Step 7: Check for breached credentials
modules load recon/contacts-credentials/hibp_breach
run
back
 
# Step 8: Review collected data
show hosts
show contacts
show credentials
show ports
 
# Step 9: Generate report
modules load reporting/html
options set FILENAME /root/reports/target_full_recon.html
run

Recon-ng Resource File (Automation)

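Create a file auto_recon.rc. The domain is passed inline as ~-delimited column values (the trailing ~ leaves notes empty), so the insert does not depend on the interactive prompts:

workspaces create auto_target
db insert domains target.com~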
modules load recon/domains-hosts/certificate_transparency
run
back
modules load recon/domains-hosts/hackertarget
run
back
modules load recon/hosts-hosts/resolve
run
back
show hosts

Run it:

recon-ng -r auto_recon.rc
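
Each line of a resource file is executed as a console command, so a file built from a list of domains should reject anything that is not a plain hostname and anything outside the authorized scope. The following generator is an added example, not code from the original post or the Recon-ng project; build_rc, is_valid_domain and the authorized set are hypothetical names, and it relies on the ~-delimited inline form of db insert in Recon-ng v5.

```python
import re

# Module paths are the ones used in the resource file above; the function
# names and the scope set are hypothetical, added for this example.
MODULES = [
    "recon/domains-hosts/certificate_transparency",
    "recon/domains-hosts/hackertarget",
    "recon/hosts-hosts/resolve",
]
# One DNS label: letters, digits and hyphens, not starting or ending with "-".
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_domain(name):
    """Accept only plain hostnames, so no newline, space or '~' reaches the file."""
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(LABEL.fullmatch(label) for label in labels))


def build_rc(workspace, domains, authorized):
    """Return resource-file text, or raise ValueError on bad or unapproved input."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,64}", workspace):
        raise ValueError(f"invalid workspace name: {workspace!r}")
    lines = [f"workspaces create {workspace}"]
    for domain in domains:
        domain = domain.lower()
        if not is_valid_domain(domain):
            raise ValueError(f"not a valid domain: {domain!r}")
        if domain not in authorized:
            raise ValueError(f"domain not in authorized scope: {domain}")
        # Inline values are '~'-delimited; the trailing '~' leaves notes empty.
        lines.append(f"db insert domains {domain}~")
    for module in MODULES:
        lines += [f"modules load {module}", "run", "back"]
    lines.append("show hosts")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rc("auto_target", ["target.com"], {"target.com"}), end="")
```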

Useful Commands Reference


Summary

Recon-ng is the OSINT framework that brings structure and automation to reconnaissance. Instead of running a dozen individual tools and manually correlating results, Recon-ng provides a unified database, modular architecture, and professional reporting — making it the backbone of any serious OSINT investigation.

Key Takeaways:

  • Use workspaces to keep investigations separate and organized
  • Install all modules with marketplace install all to have everything available
  • Start with certificate_transparency and hackertarget modules (no API keys needed)
  • Use resolve to convert hostnames to IPs after subdomain discovery
  • Configure API keys for Shodan, VirusTotal, and GitHub to unlock powerful modules
  • Use resource files (.rc) to automate repetitive recon pipelines
  • Generate HTML/JSON/XLSX reports for professional deliverables
  • Think of Recon-ng as the central hub that feeds into Nmap (scanning), Sherlock (social), and Metasploit (exploitation)
