Recon-NG
A practical guide to the modular framework for automating open-source intelligence (OSINT) and web-based reconnaissance.
Recon-NG is a powerful open-source reconnaissance framework designed for information gathering during penetration tests, red team engagements, and OSINT investigations. Inspired by the Metasploit Framework’s design, Recon-NG provides a structured, modular, and scriptable environment for collecting intelligence on domains, people, companies, infrastructure, and more all through publicly available sources.
Whether you're mapping a target's external footprint, identifying exposed credentials, or collecting metadata on employees, Recon-NG automates repetitive recon tasks to accelerate and enrich your intelligence-gathering workflow.
First time seeing this?
What Recon-NG Does
Recon-NG streamlines the process of web-based reconnaissance by integrating numerous data collection modules into a centralized, command-line interface. It allows users to pass data between modules, store results in a local database, and generate detailed reports, all without writing a single line of code.
Recon-NG can perform domain discovery, WHOIS lookups, subdomain enumeration, credential harvesting, and more using APIs and scraping techniques from services like Shodan, HaveIBeenPwned, Bing, GitHub, and Twitter.
Key Features of Recon-NG
Modular Architecture
Over 100 plug-and-play modules for tasks such as DNS enumeration, breach credential search, social media mining, and metadata extraction.
Database Integration
Built-in SQLite database for storing and correlating collected intelligence during recon sessions.
API Key Management
Centralized configuration for managing API keys across modules (e.g., Google, VirusTotal, Censys).
Interactive Command-Line Interface
User-friendly CLI with auto-completion, contextual help, and commands like add, use, run, show, and query.
Workspace Support
Organize recon sessions by project or target, keeping your data structured and separated.
Reporting Capabilities
Generate comprehensive output in HTML, JSON, or CSV for documentation or sharing with your team.
Built-In Tools and Utilities
Includes utilities for URL fuzzing, geolocation, link extraction, and more all integrated into the framework.
Advanced Use Cases
Penetration Testing and Red Team Recon
Automate external enumeration before active engagement—gathering subdomains, exposed employee emails, login portals, and breach data.
OSINT Investigations
Collect actionable intelligence on individuals or organizations using publicly available sources and metadata.
Bug Bounty Hunting
Discover target infrastructure, misconfigured assets, and publicly exposed data during bug bounty assessments.
Threat Intelligence Collection
Correlate indicators of compromise with external attack surfaces using data from third-party security services.
Recon Training and Security Labs
Used in ethical hacking training programs and labs to demonstrate practical recon techniques.
Latest Updates
Recent improvements to Recon-NG include:
Python 3 support across the framework and modules
Refactored module structure for better organization and maintenance
Enhanced API key handling and validation
Improved database schema for faster lookups and modular compatibility
New modules for additional OSINT sources and automation workflows
Why It Matters
Early-stage reconnaissance sets the foundation for every successful penetration test or OSINT operation. Manual recon is time-consuming and error-prone, Recon-NG turns it into a fast, repeatable, and scalable process. By automating web-based intelligence gathering, Recon-NG helps you discover more with less effort, reducing gaps in visibility and strengthening your assessment scope.
Requirements and Platform Support
BRecon-NG runs on:
Linux (Kali Linux recommended)
macOS
Windows (via WSL or Python virtual environments)
It requires:
Python 3.x
Internet access for live OSINT collection
API keys for many modules (configurable through the CLI)
SQLite (bundled)
Recon-NG is open-source and available for free at https://github.com/lanmaster53/recon-ng, with extensive documentation, community contributions, and tutorials for practical recon workflows.