Recon-ng: Open Source Intelligence (OSINT) Reconnaissance Framework

Recon-ng is a reconnaissance framework that performs open source, web-based information gathering against a given target. It ships with several types of modules: reconnaissance, reporting, import, discovery, and exploitation modules.

The information these modules gather includes contacts, credentials, social media profiles, and related data such as IP addresses, reverse IP lookups, WHOIS records, and open ports. Recon-ng can also query public archives of previously reported issues for a target web application, such as XSSed (reported cross-site scripting), PunkSPIDER, and the GHDB (Google Hacking Database). Note that these modules return what a third party has already recorded about the target; they do not actively test it.

Installing Recon-ng

To install Recon-ng, first clone the framework using the following command. The username before the @ is part of the clone URL the project used at the time; the project has since moved to https://github.com/lanmaster53/recon-ng, and the same steps apply there.

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

Next, change into the Recon-ng directory and install the Python dependencies listed in the REQUIREMENTS file.

cd recon-ng
pip install -r REQUIREMENTS

How Recon-ng Works

Recon-ng is started with the following command.

./recon-ng

The command-line help can be displayed as follows.

./recon-ng -h

To list the available modules, run the following command inside the framework. It prints every module along with the path used to load it.

show modules

To load a module, type the following command.

use <module path>

Each module has a SOURCE option that defines its input; show options lists a module's options and their current values. To point the module at a target domain and run it, use the following syntax.

set source <target domain>
run

For example, to run the XSSed module, which looks up a domain in xssed.com's public archive of reported cross-site scripting findings (it does not test the site itself), load it, set the source and run it as follows. Modules under recon/domains-* expect a domain name as SOURCE; by default SOURCE reads the domains table of the current workspace, so set source is only needed to override that.

use recon/domains-vulnerabilities/xssed
set source http://phptest.vulnweb.com
run

The tool runs the selected module, prints the results to the screen and stores them in the workspace database (here in the vulnerabilities table, which can be viewed with show vulnerabilities).
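Because every module writes its findings to the workspace's SQLite database (~/.recon-ng/workspaces/<name>/data.db in Recon-ng 4.x), the results can also be triaged outside the interactive shell. The script below is an added example, not code from the original article or from Recon-ng itself. The table layout it uses (domains, hosts, vulnerabilities) is the 4.x schema as recalled here and should be treated as an assumption; it builds a constructed sample database so it runs offline, then reports vulnerabilities per host, findings not yet marked fixed, and hosts that still have no IP address.

```python
"""Triage a recon-ng workspace database outside the interactive shell.

Recon-ng 4.x keeps everything its modules find in one SQLite file per
workspace: ~/.recon-ng/workspaces/<name>/data.db.  The helpers below open
such a file and answer the questions an operator asks after a run:
which hosts have reported vulnerabilities, which findings are still open,
and which hosts have no IP address yet (so a resolve module is still due).

ASSUMPTION: SCHEMA follows the recon-ng 4.x layout of the domains, hosts
and vulnerabilities tables as recalled for this example; run `show schema`
in your own install and adjust column names if they differ.  The rows
loaded by make_sample_db() are constructed test data, not real findings.
"""
import sqlite3
import tempfile
from collections import defaultdict
from pathlib import Path

SCHEMA = (
    "CREATE TABLE IF NOT EXISTS domains "
    "(domain TEXT, notes TEXT, module TEXT)",
    "CREATE TABLE IF NOT EXISTS hosts "
    "(host TEXT, ip_address TEXT, region TEXT, country TEXT, "
    "latitude TEXT, longitude TEXT, notes TEXT, module TEXT)",
    "CREATE TABLE IF NOT EXISTS vulnerabilities "
    "(host TEXT, reference TEXT, example TEXT, publish_date TEXT, "
    "category TEXT, status TEXT, notes TEXT, module TEXT)",
)

# Constructed sample rows shaped like what resolve/xssed/punkspider modules
# would write.  IPs are from the documentation ranges; references are fake.
SAMPLE_HOSTS = [
    ("www.example.com", "198.51.100.10", None, None, None, None, None, "resolve"),
    ("dev.example.com", "203.0.113.7", None, None, None, None, None, "brute_hosts"),
    ("mail.example.com", None, None, None, None, None, None, "brute_hosts"),
]
SAMPLE_VULNS = [
    ("www.example.com", "http://xssed.com/mirror/1/",
     "http://www.example.com/?q=<script>", "2015-03-01", "XSS", "UNFIXED", None, "xssed"),
    ("www.example.com", "http://xssed.com/mirror/2/",
     "http://www.example.com/?s=<img>", "2014-11-20", "XSS", "FIXED", None, "xssed"),
    ("dev.example.com", "https://punkspider.example/dev",
     "http://dev.example.com/?id=1'", "2016-01-05", "SQLi", "UNFIXED", None, "punkspider"),
]


def make_sample_db(path=None):
    """Create a data.db holding the constructed rows; return its path."""
    if path is None:
        path = Path(tempfile.mkdtemp()) / "data.db"
    conn = sqlite3.connect(path)
    for stmt in SCHEMA:
        conn.execute(stmt)
    conn.execute("INSERT INTO domains VALUES (?, ?, ?)", ("example.com", None, "user"))
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?,?)", SAMPLE_HOSTS)
    conn.executemany("INSERT INTO vulnerabilities VALUES (?,?,?,?,?,?,?,?)", SAMPLE_VULNS)
    conn.commit()
    conn.close()
    return str(path)


def _rows(path, sql):
    """Run one read-only query against the workspace file and close it."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def vulns_by_host(path):
    """Return {host: {category: count}} over the vulnerabilities table."""
    counts = defaultdict(dict)
    for host, category, n in _rows(
            path, "SELECT host, category, COUNT(*) FROM vulnerabilities "
                  "GROUP BY host, category"):
        counts[host][category] = n
    return dict(counts)


def open_findings(path):
    """Return (host, category, reference) for every finding not marked fixed.

    Status strings come from the data source (XSSed uses UNFIXED/FIXED), so
    compare case-insensitively and treat a missing status as still open.
    """
    rows = _rows(path, "SELECT host, category, reference, status "
                       "FROM vulnerabilities ORDER BY host, reference")
    return [(h, c, r) for h, c, r, s in rows if (s or "").upper() != "FIXED"]


def unresolved_hosts(path):
    """Return host names with no ip_address, i.e. not yet resolved."""
    rows = _rows(path, "SELECT host FROM hosts WHERE ip_address IS NULL "
                       "OR ip_address = '' ORDER BY host")
    return [h for (h,) in rows]


if __name__ == "__main__":
    # Point this at a real workspace instead, e.g.
    # Path.home() / ".recon-ng" / "workspaces" / "default" / "data.db"
    db = make_sample_db()
    print("vulnerabilities per host:", vulns_by_host(db))
    print("open findings:", open_findings(db))
    print("hosts still unresolved:", unresolved_hosts(db))
```

Swap the sample path for a real workspace file to run the same triage against your own results; the queries are plain SQL, so the same approach works from any reporting pipeline that can read SQLite.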

Other modules are run the same way. Some of them, such as the Shodan, Facebook, Twitter and Instagram modules, require an API key before they return results. A key is added with the following command, using the key name the module reports as required.

keys add <key name> <api key here>

For example, if the Shodan API key is SH1254AKD (a placeholder, not a real key), it is added as follows.

keys add shodan_api SH1254AKD

To see the keys configured in Recon-ng, use the following command.

keys list

According to GitHub:

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.
