Learn how to use Recon-ng from scratch to expert level with real-world examples, commands, API tips, and professional automation workflows.


What is Recon-ng?

Recon-ng is an open-source OSINT (Open Source Intelligence) framework written in Python that helps security researchers, red teamers, and bug bounty hunters automate reconnaissance tasks.

It mimics the Metasploit interface, offering powerful modules to collect intel like domains, hosts, credentials, social profiles, leaked data, and more, all in an automated, database-backed workspace.


Key Features of Recon-ng

| Feature | Description |
|---|---|
| Modular Design | 100+ modules: domains, hosts, ports, emails, creds, companies, social, etc. |
| Workspaces | Isolated environments for different recon jobs |
| API Key Integration | Supports Google, Shodan, Censys, GitHub, Hunter.io, etc. |
| Reporting | Export as CSV, JSON, HTML for documentation |
| Automatic DB Storage | Stores all data inside a local SQLite DB |
| Automation Support | Command-line scripting, chaining, and integration with other tools |
| Built-in Commands | Like use, run, set, show, search, export, keys, etc. |

Mastering Recon-ng V5 – Complete OSINT Automation Framework Guide

Reference Playlist: HackerSploit Recon-ng V5 Full Series

Installation

Kali Linux (Preinstalled)

recon-ng

Ubuntu/Debian

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip3 install -r REQUIREMENTS
./recon-ng

Getting Started: CLI Help Reference

Once inside the CLI, run:

[recon-ng][default] > help

Recon-ng Command List:

| Command | Description |
|---|---|
| back | Exit current context/module |
| dashboard | View a summary of your workspace and modules used |
| db | Interface with the workspace database |
| exit | Exit the framework |
| help | Show help menu |
| index | Developer-only module indexing |
| keys | Add/view/delete API keys for third-party services |
| marketplace | Install/search available modules |
| modules | List, load, and manage modules |
| options | Set and unset module-specific options |
| pdb | Python Debugger (developer tool) |
| script | Record and play scripted sessions |
| shell | Run system shell commands |
| show | Show internal objects (hosts, domains, etc.) |
| snapshots | Manage workspace snapshots |
| spool | Save output to a file |
| workspaces | Create/switch/delete isolated project spaces |

Workspace & Snapshot Setup

Create a workspace

workspaces create acme_corp
workspaces list
workspaces load acme_corp

Take a snapshot before running scans (Recon-ng names it with a timestamp)

snapshots take

API Key Configuration

Many modules require API keys (Shodan, BinaryEdge, Bing, etc.)

Add API Key

keys add shodan_api YOUR_SHODAN_KEY

List all keys

keys list

Module Marketplace

Search modules

marketplace search whois

Install a module

marketplace install recon/domains-contacts/whois_pocs

Load module

modules load recon/domains-contacts/whois_pocs

Set required options

options set SOURCE example.com

Run module

run

Database Commands

Recon-ng stores all output in a local SQLite database.

View the tables and their columns

db schema

Query a table

db query SELECT * FROM hosts

Insert manually (Recon-ng prompts for each column value)

db insert hosts

Export table to CSV (through the reporting/csv module, installed from the marketplace)

modules load reporting/csv
options set TABLE hosts
run

Real CLI Example Output

[recon-ng][acme_corp] > db query hosts

+----+-------------------+-------------+---------+
| id |     hostname      | ip_address  | source  |
+----+-------------------+-------------+---------+
| 1  | test.acme.com     | 104.26.10.3 | bing    |
| 2  | mail.acme.com     | 104.26.11.3 | bing    |
+----+-------------------+-------------+---------+

๐Ÿข Real-World Use Case (Industrial Red Team)

๐ŸŽฏ Scenario:

A cybersecurity consultant is hired by a large enterprise to assess their external exposure (no internal access). They use Recon-ng as part of the initial recon phase.

๐Ÿ”„ Workflow:

  1. Create a workspace:

    workspaces create client_enterprise
    
  2. Run domain reconnaissance:

    modules load recon/domains-hosts/bing_domain_web
    options set SOURCE client.com
    run
    
  3. Harvest emails:

    modules load recon/domains-contacts/whois_pocs
    options set SOURCE client.com
    run
    
  4. Discover IPs and Ports using Shodan:

    modules load recon/domains-hosts/shodan_hostname
    keys add shodan_api API_KEY
    options set SOURCE client.com
    run
    
  5. Export results to CSV for reporting:

    modules load reporting/csv
    options set TABLE hosts
    options set FILENAME hosts.csv
    run
    options set TABLE contacts
    options set FILENAME contacts.csv
    run
    
  6. Record session for audit:

    script record session1.rec
    # (run modules)
    script stop
    
  7. Present findings to client in report format.


Blue Team Use Case

  • SOC team uses Recon-ng to monitor brand exposure and typosquatted domains weekly.
  • Uses automated scripts to spool outputs and alerts when new external assets appear.
  • Integration with email alerting via cronjobs and recon-ng's scripting mode.
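
The weekly check for new external assets described in the bullets above can be run directly against the workspace's SQLite database. This is an added example, not part of the original guide or of Recon-ng itself; it assumes the v5 `hosts` table columns `host`, `ip_address` and `module`, and uses constructed rows in an in-memory database.

```python
import sqlite3

# Assumption: recon-ng v5 keeps each workspace in
# ~/.recon-ng/workspaces/<name>/data.db with a `hosts` table that includes
# the columns host, ip_address and module. The rows below are constructed.
SAMPLE_ROWS = [
    ("test.acme.com", "104.26.10.3", "bing_domain_web"),
    ("mail.acme.com", "104.26.11.3", "bing_domain_web"),
    ("MAIL.acme.com.", "104.26.11.3", "shodan_hostname"),  # same host, other spelling
    ("vpn-old.acme.com", "203.0.113.7", "shodan_hostname"),
    (None, "203.0.113.9", "shodan_hostname"),               # IP-only row
]

def build_sample_db():
    """Create an in-memory stand-in for a workspace data.db (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def normalize(host):
    """Lower-case and drop the trailing dot so one name is not counted twice."""
    return host.strip().lower().rstrip(".") if host else None

def current_assets(conn):
    """Map each normalized hostname to the IPs and modules that reported it."""
    assets = {}
    query = "SELECT host, ip_address, module FROM hosts"
    for host, ip, module in conn.execute(query):
        name = normalize(host)
        if name is None:  # skip rows that carry only an IP address
            continue
        entry = assets.setdefault(name, {"ips": set(), "modules": set()})
        if ip:
            entry["ips"].add(ip)
        if module:
            entry["modules"].add(module)
    return assets

def new_assets(conn, baseline):
    """Return hosts in the workspace that are absent from the reviewed baseline."""
    known = {normalize(h) for h in baseline}
    return {h: {"ips": sorted(v["ips"]), "modules": sorted(v["modules"])}
            for h, v in sorted(current_assets(conn).items()) if h not in known}

if __name__ == "__main__":
    baseline = ["test.acme.com", "mail.acme.com"]  # hosts approved last week
    for host, info in new_assets(build_sample_db(), baseline).items():
        print(f"NEW ASSET {host} ips={info['ips']} seen_by={info['modules']}")
```

Pointing `sqlite3.connect()` at a copy of the real workspace database and keeping the baseline in a reviewed file turns this into the cron job the bullets describe.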

Pro Tips

| Tip | Details |
|---|---|
| Reuse scripts | Record common recon workflows with script record and automate repeat assessments. |
| Use workspaces | Never mix multiple engagements. Keep targets isolated. |
| Add API keys | Modules like Shodan, Censys, and Bing require keys. |
| Spool outputs | Log everything for compliance using spool start. |
| Combine with Maltego | Export CSV and visualize graphically. |

Practice Lab Task

Try this on your own:

workspaces create testlab
marketplace install recon/domains-hosts/bing_domain_web
modules load recon/domains-hosts/bing_domain_web
options set SOURCE tesla.com
run
marketplace install reporting/csv
modules load reporting/csv
options set FILENAME hosts.csv
run

Expected Output:

  • A list of subdomains
  • Their IPs
  • Saved in hosts.csv

Maintenance & Updates

# Weekly update routine
cd ~/recon-ng
git pull
pip3 install -r REQUIREMENTS --upgrade
python3 recon-cli -M  # List the installed modules

Final Thoughts

Recon-ng is a must-learn tool for every OSINT analyst, red teamer, and bug bounty hunter. Once mastered, it saves hours of recon effort while giving deep insights into target infrastructure, emails, and vulnerabilities.

