Mastering Recon-ng | What is Recon-ng and how can ethical hackers use it for OSINT?
Recon-ng is an open-source OSINT (Open Source Intelligence) framework built for ethical hackers and penetration testers. It provides a command-line environment with modular capabilities that help gather intelligence on domains, emails, IPs, and organizations using publicly available data sources. Recon-ng simplifies the reconnaissance phase by automating data collection, integrating with third-party APIs, and storing results in a structured database. It is widely used by red teamers, bug bounty hunters, and cybersecurity professionals to identify potential vulnerabilities before launching real-world attacks.
Recon‑ng is one of the most popular open‑source frameworks for open‑source intelligence (OSINT) gathering in penetration testing. Written in Python, it feels much like Metasploit’s console, but instead of payloads and exploits, you have modules that harvest publicly available data about domains, people, IP ranges, and more.
Whether you’re a bug‑bounty hunter, red‑teamer, or SOC analyst, mastering Recon‑ng can super‑charge your reconnaissance phase—saving hours of manual Googling and API calls. This guide walks you through everything from installation to automation and real‑world workflows.
Why Recon‑ng?
Feature | Why It Matters |
---|---|
Modular Framework | 100+ plug‑and‑play reconnaissance modules |
Database‑Backed | Automatically stores findings in a SQLite DB for easy pivoting |
Integrations | Works with APIs like Shodan, Have I Been Pwned, VirusTotal |
CLI Scripting | Chain commands in workspaces; export to CSV/JSON for reports |
Extensible | Write custom modules with minimal Python |
Installation & Setup
Requirements
- Python 3.8+
- git

```
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
python3 recon-ng
```

Tip: Use a dedicated Python virtual environment (`python3 -m venv`) to avoid dependency clashes.
Understanding Workspaces
Workspaces keep projects separate—ideal for juggling multiple clients.
```
workspaces add acme
workspaces select acme
```
All tables (hosts, contacts, creds) are now stored in an acme.db SQLite file under data/. Switch workspaces anytime without losing context.
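Because every workspace is a plain SQLite file, you can pivot on the collected data outside the console as well. The following script is an added example written for this article, not part of Recon-ng itself: it builds an in-memory copy of a simplified `hosts`/`contacts` schema (the column names follow Recon-ng's tables but are an assumption here; compare against `show schema` in your own install), fills it with constructed sample rows, and then answers the questions a tester asks after a run: which hosts share an IP, which hosts still need resolving, and which rows were inserted twice by different modules. Pass the path of a real workspace database to `open_workspace()` to run the same queries on actual findings.

```python
import sqlite3

# Simplified copy of the per-workspace tables (assumed column names).
SCHEMA = """
CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT,
                    latitude TEXT, longitude TEXT, notes TEXT, module TEXT);
CREATE TABLE contacts (first_name TEXT, middle_name TEXT, last_name TEXT,
                       email TEXT, title TEXT, region TEXT, country TEXT,
                       notes TEXT, module TEXT);
"""

# Constructed sample findings (documentation IP ranges, not real hosts).
SAMPLE_HOSTS = [
    ("www.example.com", "203.0.113.10", "hackertarget"),
    ("mail.example.com", "203.0.113.10", "hackertarget"),
    ("www.example.com", "203.0.113.10", "brute_hosts"),   # same row from a second module
    ("dev.example.com", "203.0.113.22", "hackertarget"),
    ("vpn.example.com", None, "hackertarget"),             # not resolved yet
]
SAMPLE_CONTACTS = [
    ("Alice", "Smith", "alice@example.com", "whois_pocs"),
    ("Alice", "Smith", "alice@example.com", "pgp_search"),  # duplicate e-mail
    ("Bob", "Jones", "bob@example.com", "whois_pocs"),
]


def open_workspace(path=":memory:"):
    """Open a workspace DB. ':memory:' builds a throwaway copy seeded with the
    sample rows above; any other path is opened as-is (a real workspace file)."""
    conn = sqlite3.connect(path)
    if path == ":memory:":
        conn.executescript(SCHEMA)
        conn.executemany(
            "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", SAMPLE_HOSTS)
        conn.executemany(
            "INSERT INTO contacts (first_name, last_name, email, module) VALUES (?, ?, ?, ?)",
            SAMPLE_CONTACTS)
        conn.commit()
    return conn


def hosts_sharing_ip(conn):
    """Map each IP that fronts more than one hostname to its sorted host list
    (the classic pivot before looking at a shared web server or CDN edge)."""
    shared = {}
    for ip, host in conn.execute(
            "SELECT ip_address, host FROM hosts WHERE ip_address IS NOT NULL"):
        shared.setdefault(ip, set()).add(host)
    return {ip: sorted(h) for ip, h in shared.items() if len(h) > 1}


def unresolved_hosts(conn):
    """Hostnames with no ip_address yet, i.e. input for the resolve module."""
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT host FROM hosts WHERE ip_address IS NULL ORDER BY host")]


def find_duplicates(conn, table, cols):
    """Rows whose key columns repeat. `table`/`cols` are trusted identifiers
    from our own code, never user input, which is why f-strings are safe here."""
    key = ", ".join(cols)
    return conn.execute(
        f"SELECT {key}, COUNT(*) AS n FROM {table} GROUP BY {key} "
        f"HAVING n > 1 ORDER BY {key}").fetchall()


def dedup(conn, table, cols):
    """Delete repeated rows, keeping the first inserted one. Returns the count removed."""
    key = ", ".join(cols)
    cur = conn.execute(
        f"DELETE FROM {table} WHERE rowid NOT IN "
        f"(SELECT MIN(rowid) FROM {table} GROUP BY {key})")
    conn.commit()
    return cur.rowcount


def row_count(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = open_workspace()
    print("shared IPs:", hosts_sharing_ip(db))
    print("unresolved:", unresolved_hosts(db))
    print("dup hosts:", find_duplicates(db, "hosts", ("host", "ip_address")))
    print("removed:", dedup(db, "hosts", ("host", "ip_address")),
          dedup(db, "contacts", ("email",)))
```

The duplicate check groups on the columns that identify a finding (host plus IP for hosts, e-mail for contacts) rather than on the whole row, because the `module` column legitimately differs when two modules report the same asset.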
Core Module Categories
Category | Sample Modules | Use Case |
---|---|---|
Recon | recon/domains-hosts/hackertarget | Harvest subdomains via Hackertarget API |
Reporting | reporting/csv | Export results to CSV for auditors |
Exploits | exploits/pwnedlist_creds | Dump breached credentials from public leaks |
Discovery | discovery/info_disclosure/github | Search GitHub for exposed keys |
Typical Recon‑ng Workflow
1. Add Target Domain

   ```
   add domains example.com
   ```

2. Gather Sub‑Domains (Passive)

   ```
   use recon/domains-hosts/brute_hosts
   set SOURCE example.com
   run
   ```

3. Enumerate IPs & Geo Data

   ```
   use recon/hosts-hosts/resolve
   run
   use recon/hosts-hosts/ipinfodb
   run
   ```

4. Find E‑mails & Breaches

   ```
   use recon/domains-contacts/whois_pocs
   run
   use recon/contacts-credentials/hibp_breach
   run
   ```

5. Export & Report

   ```
   use reporting/csv
   set FILENAME acme_recon.csv
   run
   ```
API Keys & Configuration
Many modules require API keys (Shodan, BinaryEdge, Censys). Store them once:
```
keys add shodan_api YOURKEYHERE
keys list
```

Keys are saved in ~/.recon-ng/recon-ng.rc, so they work across workspaces.
Automation with Resource Scripts
Create a simple file quick_recon.rc:

```
workspaces select $1
add domains $1
modules load recon/domains-hosts/hackertarget
run
modules load recon/domains-vulnerabilities/xssed
run
exit
```

Run it:

```
recon-ng -r quick_recon.rc --domain acme.com
```

Great for CI/CD pipelines or bug‑bounty mass scanning.
Writing Custom Modules (Python 101)
```python
from recon.core.module import BaseModule


class Module(BaseModule):

    meta = {
        'name': 'Reverse IP Lookup',
        'author': 'You',
        'version': '1.0',
        'description': 'Gets domains sharing an IP address via the HackerTarget reverse IP API',
        # 'query' is what gives the module its SOURCE option: the framework runs
        # this SQL (or whatever SOURCE is set to) and passes the result list to
        # module_run(), so the method must accept that list as its argument.
        'query': 'SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL',
    }

    def module_run(self, ips):
        for ip in ips:
            url = f'https://api.hackertarget.com/reverseiplookup/?q={ip}'
            resp = self.request(url)
            for domain in resp.text.splitlines():
                domain = domain.strip()
                # the API reports failures as plain text; skip blanks and error lines
                if not domain or domain.lower().startswith(('error', 'api count')):
                    continue
                # the hosts table stores the name in the 'host' column
                self.insert_hosts(host=domain, ip_address=ip)
                self.alert(f'Found {domain}')
```

Save it under modules/recon/hosts-hosts/reverseip.py, restart Recon‑ng, and voilà—your own module!
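Before dropping a module into the framework, it is worth exercising its parsing logic offline so that an API error page or a malformed line never ends up in the hosts table. The harness below is an added example written for this article, not code from Recon-ng: `FakeFramework` stands in for the few `BaseModule` methods the module calls (`request`, `insert_hosts`, `alert`), `parse_reverse_ip()` turns a response body into validated, de-duplicated hostnames, and `ReverseIpModule` mirrors the module above but takes the framework as a constructor argument so it can run without the console or the network. The response bodies and the error wordings are constructed sample data; match error lines loosely, as done here, rather than relying on exact text.

```python
import re

# Prefixes of plain-text failure lines an API may return instead of hosts
# (constructed/assumed wording; matched case-insensitively as prefixes).
ERROR_PREFIXES = ("error", "api count exceeded", "no dns a records", "no records found")

# RFC 1035-style hostname: 1-63 char labels, no leading/trailing hyphen,
# at least one dot, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_reverse_ip(text):
    """Return the valid, de-duplicated hostnames in one response body.
    Error responses yield [] so nothing bogus is inserted."""
    seen, hosts = set(), []
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")
        if not name or name.startswith(ERROR_PREFIXES):
            continue
        if not HOSTNAME_RE.match(name) or name in seen:
            continue
        seen.add(name)
        hosts.append(name)
    return hosts


class FakeFramework:
    """Offline stand-in for the BaseModule methods a module touches."""

    def __init__(self, responses):
        self.responses = responses   # url -> canned response body
        self.hosts = []              # what insert_hosts() would have stored
        self.messages = []           # what alert() would have printed

    def request(self, url):
        class Resp:
            pass
        resp = Resp()
        # unknown URLs get the API's generic error text (constructed sample)
        resp.text = self.responses.get(url, "error check your search parameter")
        return resp

    def insert_hosts(self, host=None, ip_address=None):
        self.hosts.append((host, ip_address))

    def alert(self, line):
        self.messages.append(line)


class ReverseIpModule:
    """Same control flow as the article's module, framework injected."""

    def __init__(self, fw):
        self.fw = fw

    def module_run(self, ips):
        for ip in ips:
            url = f"https://api.hackertarget.com/reverseiplookup/?q={ip}"
            for host in parse_reverse_ip(self.fw.request(url).text):
                self.fw.insert_hosts(host=host, ip_address=ip)
                self.fw.alert(f"Found {host}")
        return len(self.fw.hosts)


# Constructed sample responses keyed by request URL (documentation IPs).
SAMPLE_RESPONSES = {
    "https://api.hackertarget.com/reverseiplookup/?q=203.0.113.10":
        "www.example.com\nMail.Example.com\nwww.example.com\n\nnot a host!\n",
    "https://api.hackertarget.com/reverseiplookup/?q=203.0.113.99":
        "API count exceeded - Increase Quota with Membership",
}


def demo():
    """Run the module against the canned responses; returns stored (host, ip) rows."""
    fw = FakeFramework(SAMPLE_RESPONSES)
    ReverseIpModule(fw).module_run(["203.0.113.10", "203.0.113.99", "192.0.2.1"])
    return fw.hosts


if __name__ == "__main__":
    for host, ip in demo():
        print(f"{ip} -> {host}")
```

The third IP in `demo()` has no canned response, so the fake returns the generic error text and the module inserts nothing for it; that is the path a real quota-exhausted or malformed request takes, and it is the case most worth testing before the module runs unattended from a resource script.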
Integrating Recon‑ng with Other Tools
Integration | Benefit |
---|---|
Metasploit | Import hosts via db_import acme_recon.csv |
Maltego | Visualize relationships (domains ↔ contacts) |
ELK / Splunk | Ship Recon‑ng exports for SIEM correlation |
Best Practices & Gotchas
- Rate Limits: Respect third‑party APIs—add delays with `sleep 2` between modules.
- Legal Boundaries: Passive reconnaissance ≠ permission to scan aggressively. Always get client consent.
- Data Hygiene: Clean up duplicate entries with `dedup hosts` and `dedup contacts`.
- Version Control: Keep custom modules in Git for team sharing and updates.
Pros & Cons of Recon‑ng
Pros | Cons |
---|---|
Free & open‑source | Some modules outdated if APIs change |
Database‑driven storage | Limited GUI (CLI only) |
Easy scripting for automation | Requires API keys for full power |
Active community on GitHub | Python knowledge needed for custom mods |
Real‑World Use Cases
- Bug Bounty Recon – Automate subdomain discovery and breach checks before manual testing.
- Third‑Party Risk Assessments – Quickly enumerate suppliers’ public‑facing assets.
- Threat Intel Feeds – Collect domain/IP intel for enrichment in SIEMs.
- Blue‑Team Validation – Run Recon‑ng against your own organization to see what attackers can passively learn.
Key Takeaways
- Recon‑ng is a powerhouse for OSINT and reconnaissance with a familiar Metasploit‑style interface.
- Workspaces, modules, and API key management streamline multi‑project handling.
- Resource scripts enable repeatable, automated recon—crucial for large engagements.
- Extend Recon‑ng with Python to tailor it exactly to your organization’s intel needs.
Master these concepts, and you’ll significantly boost your reconnaissance capabilities—putting you steps ahead of attackers and making your penetration tests more thorough and effective.
Happy hacking, and always hack responsibly!
FAQs
What is Recon-ng used for in cybersecurity?
Recon-ng is used for open-source intelligence (OSINT) gathering in ethical hacking, especially during the reconnaissance phase.
Is Recon-ng free to use?
Yes, Recon-ng is a free and open-source framework written in Python.
How does Recon-ng help ethical hackers?
It automates the collection of publicly available information about domains, emails, IPs, and infrastructure.
Does Recon-ng store data?
Yes, it stores all findings in a local SQLite database per workspace.
What programming language is Recon-ng written in?
Recon-ng is written in Python.
Can Recon-ng be used for bug bounty hunting?
Yes, it’s a favorite among bug bounty hunters for passive recon and data harvesting.
What are the core modules in Recon-ng?
Modules cover domains, hosts, contacts, credentials, vulnerabilities, and reporting.
Is Recon-ng similar to Metasploit?
Yes, it has a console interface similar to Metasploit but is focused on information gathering.
What operating systems support Recon-ng?
Recon-ng runs on Linux, macOS, and Windows (with Python 3.8+).
Can I integrate APIs with Recon-ng?
Yes, it supports API keys for services like Shodan, Have I Been Pwned, and VirusTotal.
What is a Recon-ng workspace?
It’s a project environment that separates findings into different SQLite databases.
Does Recon-ng support scripting?
Yes, you can create resource scripts to automate workflows.
How do I install Recon-ng?
Clone the GitHub repo and install the dependencies using pip.
Is Recon-ng good for team projects?
Yes, it supports modular scripts, database exports, and automation, making it ideal for teams.
What is passive reconnaissance?
Gathering data without directly interacting with the target’s infrastructure—Recon-ng specializes in this.
Can Recon-ng export reports?
Yes, it supports CSV, JSON, and XML exports for reporting purposes.
How secure is Recon-ng?
It’s a secure tool as long as used ethically and on authorized systems.
What are Recon-ng alternatives?
Maltego, SpiderFoot, theHarvester, and FOCA are some alternatives.
How do I update Recon-ng?
Pull the latest version from GitHub and reinstall dependencies if needed.
Can I use Recon-ng with Metasploit?
Yes, exported data can be imported into Metasploit for active testing.
What are Recon-ng resource scripts?
They are command sequences stored in a .rc file for automation.
Is Recon-ng CLI only?
Yes, it operates entirely through a command-line interface.
How can I extend Recon-ng?
You can write custom Python modules and drop them into the modules folder.
Does Recon-ng check for breached credentials?
Yes, it includes modules for HaveIBeenPwned and other credential leaks.
What is the best use case for Recon-ng?
Efficient passive reconnaissance during pentests and red team assessments.
Can Recon-ng find subdomains?
Yes, several modules are dedicated to subdomain enumeration.
Is Recon-ng beginner-friendly?
It has a learning curve but is simpler than many OSINT frameworks once configured.
Can Recon-ng analyze GitHub data?
Yes, there are modules to check for data leakage on GitHub repositories.
Is it legal to use Recon-ng?
Yes, when used on systems you own or have explicit permission to test.
What are the risks of using Recon-ng?
Using it on unauthorized systems can be illegal. Always follow ethical guidelines.
Is Recon-ng maintained actively?
Yes, it has an active GitHub community and regular updates.