Recon-ng#
Recon-ng is a menu-based OSINT framework for automating information gathering. It ships with Kali Linux and other penetration-testing distributions, and it is also available from the project repository at https://github.com/lanmaster53/recon-ng.
It works as a modular framework in a similar way to Metasploit or SET. Modules run inside isolated workspaces, and each module keeps its own option set. That makes it easy to repeat investigations without mixing results between targets or customers. Recon-ng can query third-party sources such as Shodan, Twitter, Instagram, Flickr, YouTube, Google, and GitHub. Some sources require API keys, which you manage with the keys add and keys list commands.
Core Workflow#
Recon-ng is easiest to use when you think in terms of four stages: create a workspace, inspect available modules, install the ones you need, and then run them against a source. The framework supports tab completion, and pressing Tab twice shows available commands or options at the current prompt.
Start Recon-ng#
Open a terminal and start the framework with:
recon-ng
When Recon-ng starts, the prompt changes to show the active workspace. The initial screen also shows the current module counts.
View Help and Workspace Commands#
Use help to list the built-in commands:
[recon-ng][default] > help
Commands (type [help|?] ):
---------------------------------
back Exits the current context
dashboard Displays a summary of activity
db Interfaces with the workspace's database
exit Exits the framework
help Displays this menu
index Creates a module index (dev only)
keys Manages third party resource credentials
marketplace Interfaces with the module marketplace
modules Interfaces with installed modules
options Manages the current context options
pdb Starts a Python Debugger session (dev only)
script Records and executes command scripts
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
workspaces Manages workspaces
Workspaces keep investigations separate. Common workspace commands include:
workspaces help
workspaces list
workspaces create test
workspaces remove [workspace_name]
back
back returns to the main Recon-ng prompt from inside a workspace.
Modules and Marketplace#
Modules are Python programs that extend the framework. Some are already installed, while others are downloaded from the marketplace. The marketplace is a public GitHub repository, and the search output uses two important columns: D means the module has dependencies, and K means the module requires an API key.
Search the marketplace with:
[recon-ng][default] > marketplace search
You can refresh the module index with:
[recon-ng][default] > marketplace refresh
Use keyword searches to narrow the results. For example, searching for bing returns several modules that can help with OSINT collection:
[recon-ng][default] > marketplace search bing
From the Bing results, recon/domains-hosts/bing_domain_web is a useful module that does not require dependencies or API keys.
To learn more about a module, use marketplace info followed by the full module path.
Installing Modules#
Install a module from the marketplace with:
[recon-ng][default] > marketplace install recon/domains-hosts/bing_domain_web
After installation, verify it with:
[recon-ng][default] > modules search
The same process can be repeated for the hackertarget module.
Running Modules#
Load a module before using it:
[recon-ng][default] > modules load hackertarget
Once loaded, the prompt changes to include the module name. The info command shows the module name, version, author, description, and options. For hackertarget, the only option is SOURCE.
Set the target source with:
[recon-ng][default][bing_domain_web] > options set SOURCE hackxor.net
Then run the module:
[recon-ng][default][bing_domain_web] > run
Module output is stored in the workspace database, so you can inspect it later with dashboard and show.
[recon-ng][default][bing_domain_web] > dashboard
[recon-ng][default][bing_domain_web] > show hosts
Recon-ng stores discovered subdomains as hosts. In the example workflow, nine were discovered by one module run. A later comparison with the Bing-based module found six subdomains, which matched the hackertarget result at the time of writing.
Web Interface#
Recon-ng also provides a web interface for browsing workspace data and exporting tables for reports.
Start it with:
[recon-ng][default] > recon-web
Then open the URL shown in the terminal output in a browser tab. The interface opens to the default workspace first; use the orange workspace selector at the top of the page to switch between workspaces.
Walkthrough#
1. Create a Workspace#
Recon-ng uses workspaces to isolate investigations. Start the program, review the available commands, and create a workspace named test.
The prompt changes after the workspace is created, and help shows the commands available in that context. Use back to exit the workspace and return to the main prompt.
2. Inspect Installed Modules#
Recon-ng is modular, so modules search is the quickest way to see what is currently installed. If nothing has been added yet, the module list will be empty.
3. Explore the Marketplace#
The marketplace lets you search available modules, inspect their requirements, and decide what to install. The key fields in the marketplace output are the category path, version, install status, update date, and the D and K flags.
For example, a search for bing shows modules such as recon/domains-hosts/bing_domain_web, recon/domains-hosts/bing_domain_api, and recon/hosts-hosts/bing_ip.
4. Install a Module#
After finding the module you want, install it from the marketplace and then verify it appears in modules search.
5. Load and Run a Module#
Load the chosen module, inspect its info, set the required SOURCE option, and then run it. The output is stored in the database and can be reviewed later with dashboard or show hosts.
6. Compare Results#
Running both the hackertarget and bing_domain_web modules is a good way to compare coverage. In the example lab, both found six subdomains, while another run reported nine hosts in the workspace database.
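The comparison above can be scripted by reading the hosts each module stored. This is an added example, not code from the original page or the Recon-ng project. It assumes each module was run in its own workspace and that a workspace database is SQLite with a hosts table containing a host column; the function names are hypothetical and the rows are constructed stand-ins held in memory.

```python
import sqlite3

# Assumed subset of the workspace "hosts" table; only these columns are used here.
SCHEMA = "CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)"

def make_workspace(rows):
    """Build an in-memory stand-in for one workspace database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", rows)
    return conn

def load_hosts(conn):
    """Return the normalized set of hostnames recorded in a workspace."""
    hosts = set()
    for (host,) in conn.execute("SELECT host FROM hosts"):
        if not host:  # a row may carry only an IP address
            continue
        # Case and a trailing root dot do not distinguish DNS names.
        hosts.add(host.strip().rstrip(".").lower())
    return hosts

def compare(a, b):
    """Split two host sets into shared and source-specific findings."""
    return {"both": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}

# Constructed sample rows; hostnames reuse the page's example output,
# IP addresses come from the 192.0.2.0/24 documentation range.
bing_ws = make_workspace([
    ("bootcamp.h4cker.org", None, "bing_domain_web"),
    ("webapps.h4cker.org", None, "bing_domain_web"),
    ("LPB.h4cker.org.", None, "bing_domain_web"),
])
ht_ws = make_workspace([
    ("webapps.h4cker.org", "192.0.2.10", "hackertarget"),
    ("lpb.h4cker.org", "192.0.2.11", "hackertarget"),
    ("malicious.h4cker.org", "192.0.2.12", "hackertarget"),
    (None, "192.0.2.13", "hackertarget"),
])

result = compare(load_hosts(bing_ws), load_hosts(ht_ws))

if __name__ == "__main__":
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Against real data, pass load_hosts a connection opened on each workspace's SQLite file instead of the in-memory stand-ins.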
7. Use the Web UI#
The web interface is a convenient way to review workspace data after collection. It is especially useful when you want to inspect the same results from a browser instead of the CLI.
Example Output Notes#
[recon-ng][default] > marketplace refresh
[*] Marketplace index refreshed.

[recon-ng][default] > marketplace search bing

[recon-ng][default] > marketplace install recon/domains-hosts/bing_domain_web
[*] Module installed: recon/domains-hosts/bing_domain_web
[*] Reloading modules...

[recon-ng][default] > modules search

[recon-ng][default][bing_domain_web] > info
Name: Bing Hostname Enumerator
Author: Tim Tomes (@lanmaster53)
Version: 1.1
Description: Harvests hosts from Bing.com by using the 'site' search operator.
Options:
SOURCE source of input

[recon-ng][default][bing_domain_web] > options set SOURCE h4cker.org
[recon-ng][default][bing_domain_web] > run
---------- H4CKER.ORG ----------
[*] Host: bootcamp.h4cker.org
[*] Host: webapps.h4cker.org
[*] Host: lpb.h4cker.org
[*] Host: malicious.h4cker.org
------- SUMMARY -------
[*] 4 total (0 new) hosts found.