OPEN SOURCE · FREE · PYTHON

Web Reconnaissance
Built for the Real World

Recon-ng is a full-featured OSINT framework that automates open source intelligence gathering — used by ethical hackers, pentesters, and security researchers worldwide.

100+
Recon Modules
5
Module Categories
100%
Open Source
10+
Years Active

// Core Features

Everything You Need for
Professional Reconnaissance

Recon-ng provides a powerful, modular environment to conduct open source web-based reconnaissance quickly, thoroughly, and efficiently.

🧩

Modular Architecture

Independent modules for every recon task — from domain enumeration to contact harvesting. Install only what you need via the built-in module marketplace.

🗄️

SQLite Database Storage

Every piece of gathered intelligence is automatically saved in a workspace-specific SQLite database. Query, export, and analyze your findings any time.

🏢

Workspace Management

Isolate different engagements with dedicated workspaces. Each workspace maintains its own database, module settings, and API key configuration.

🔑

Third-Party API Integration

Seamlessly integrate with Shodan, Censys, GitHub, VirusTotal, and more. Manage all your API keys from a single centralized key management interface.

📜

Script & Automation Support

Automate entire recon workflows with resource files. Record command sequences and replay them for repeatable, consistent intelligence gathering pipelines.

📊

Flexible Reporting

Export results in multiple formats including CSV, JSON, and HTML. Visualize your data with recon-web — the built-in analytics and reporting interface.

// Workflow

From Zero to Intel in Four Steps

Recon-ng is designed around a simple, repeatable reconnaissance workflow that scales from single targets to enterprise-level engagements.

01

Install & Launch

Clone from source or use the pre-installed version on Kali Linux. Run recon-ng to enter the interactive console.

02

Create Workspace

Organize each engagement in its own isolated workspace with a dedicated database and module configuration.

03

Install & Run Modules

Search the marketplace, install targeted modules, configure your source, and run to automatically gather and store intelligence.

04

Export & Report

Generate structured reports in CSV or HTML. Visualize findings in recon-web or export to Maltego and SpiderFoot.

// Module Categories

100+ Modules Across Five Categories

Every module is organized by the type of intelligence it gathers or the task it performs, making it easy to build focused recon pipelines.

recon/Passive OSINT — domains, hosts, contacts, credentials, IP data
discovery/Active scanning — information disclosure, interesting file detection
exploitation/Injection testing — command injection, XPath brute forcing
import/Bulk data ingestion — import target lists from external files
reporting/Output generation — CSV, JSON, HTML, and pushpin reports
custom/User-defined modules — extend with your own Python plugins

// Quick Start

Up and Running in Minutes

Install recon-ng on any Linux or macOS system with Python 3. Pre-installed on Kali Linux — just update and go.

bash — Installation
# Clone from source
$ git clone https://github.com/lanmaster53/recon-ng.git
$ cd recon-ng && pip3 install -r REQUIREMENTS
$ python3 recon-ng

# On Kali Linux (pre-installed)
$ sudo apt-get update && sudo apt-get install recon-ng
$ sudo recon-ng
recon-ng — Basic Workflow
# Create a workspace for your target
[recon-ng][default] > workspaces create my_project

# Search & install a module
[recon-ng][my_project] > marketplace install recon/domains-hosts/bing_domain_web

# Load, configure, and run
[recon-ng][my_project] > modules load bing_domain_web
[recon-ng][my_project][bing_domain_web] > options set SOURCE example.com
[recon-ng][my_project][bing_domain_web] > run

// Use Cases

Built for Security Professionals

From solo researchers to red teams, recon-ng adapts to every intelligence-gathering scenario.

Penetration Testing

Comprehensive Pre-Attack Recon

Map subdomains, discover exposed hosts, enumerate email addresses, and gather IP geolocation data before any engagement begins — all from a single framework.

Bug Bounty Hunting

Surface More Attack Area

Quickly enumerate large target scopes. Discover subdomains, pull WHOIS contacts, and find leaked credentials that other hunters miss.

OSINT Investigations

Deep-Dive Intelligence Gathering

Link companies to infrastructure, map corporate hierarchies, and correlate email addresses, social profiles, and IP data into a structured investigation database.

Red Team Operations

Automated Recon Pipelines

Automate the entire recon phase with resource scripts. Feed results directly into downstream tools via CSV export for full red team workflow integration.

Threat Intelligence

Target Profiling at Scale

Combine Shodan, Censys, and GitHub API integrations to build rich, structured threat profiles and track infrastructure changes over time.

Security Research

Reproducible Research Workflows

Record command sequences into resource files for fully reproducible research. Share modules with the community via the open marketplace.

// FAQ

Frequently Asked Questions

Everything you need to know about recon-ng before getting started.

Recon-ng is used for Open Source Intelligence (OSINT) gathering during the reconnaissance phase of ethical hacking and penetration testing. It automates the collection of publicly available information about domains, hosts, email addresses, IP ranges, credentials, and more.

Yes. Recon-ng is completely free and open source, released on GitHub. You can use it for personal research, professional security testing, and contribute your own modules back to the community.

Recon-ng is primarily designed for Linux and macOS. It can be run on Windows via WSL (Windows Subsystem for Linux) or in a Docker container. It comes pre-installed on Kali Linux, making Kali the most convenient platform.

While recon-ng has a similar look and feel to Metasploit, it serves a completely different purpose. Recon-ng is designed exclusively for passive and active web-based reconnaissance and OSINT gathering. It is not an exploitation framework.

Many modules work without any API keys. However, some powerful modules that integrate with third-party services like Shodan, Censys, or GitHub require API keys. Manage all keys using the built-in keys command.

Recon-ng is for ethical and authorized security testing only. Using it against systems you do not own or have explicit written permission to test is illegal in most jurisdictions.

// Get Started Today

Start Gathering Intelligence
in Minutes

Recon-ng is free, open source, and ready to use on Kali Linux. Clone the repo and run your first recon in under five minutes.

Clone Here

// Knowledge Base

The Recon-ng
Learning Hub

Step-by-step guides, tutorials, and deep-dives for ethical hackers, OSINT professionals, and security researchers at every level.

14
Tutorials
100%
Free
2025
Updated
Terminal installation recon-ngInstallation

How to Install Recon-ng on Kali Linux, Ubuntu & macOS

A complete, step-by-step installation guide for every platform — including dependency setup, Python environment, and first-run configuration.

⏱ 6 min readRead →
Server room recon-ng modulesModules

Top 10 Recon-ng Modules Every OSINT Professional Must Know

Discover the most powerful modules for domain enumeration, contact harvesting, subdomain discovery, and vulnerability detection — with real command examples.

⏱ 10 min readRead →
Matrix code workspace managementAdvanced

Recon-ng Workspace Management: Organize Recon Like a Pro

Learn how to isolate engagements, back up databases, restore snapshots, and manage multiple target projects simultaneously.

⏱ 7 min readRead →
Code bug bounty hunting recon-ngBug Bounty

How to Use Recon-ng for Bug Bounty Hunting in 2025

A practical workflow for bug bounty hunters — from scope setup to subdomain enumeration, email harvesting, and reporting findings.

⏱ 12 min readRead →
API integration code recon-ngAdvanced

Integrating Shodan, Censys & GitHub API Keys in Recon-ng

Unlock recon-ng's full potential by adding third-party API keys — Shodan, Censys, GitHub, VirusTotal and more — step by step.

⏱ 9 min readRead →
Security tools comparisonComparison

Recon-ng vs SpiderFoot vs Maltego: Which OSINT Tool Wins?

An objective, feature-by-feature comparison of the three most popular OSINT frameworks so you can choose the right tool.

⏱ 11 min readRead →
Automation circuits recon-ng scriptsAutomation

Automating OSINT with Recon-ng Resource Scripts

Build fully automated intelligence-gathering pipelines. Record, replay, and schedule complete recon workflows from the command line.

⏱ 8 min readRead →
OSINT beginner roadmap learning pathBeginner

Understanding OSINT: A Beginner's Complete Roadmap to Recon

New to OSINT? Learn what Open Source Intelligence is, why it matters in cybersecurity, and how recon-ng fits into the bigger reconnaissance picture.

⏱ 7 min readRead →
Beginner recon-ng commands quick referenceBeginner

Recon-ng Commands Cheat Sheet: Complete Beginner Quick Reference

All the essential recon-ng commands in one place — from launching the framework to running modules, querying the database, and generating reports.

⏱ 5 min readRead →
Docker container setup for recon-ngInstallation

Running Recon-ng in Docker: Complete Container Setup Guide

Isolate recon-ng in a Docker container for maximum portability and security. Includes Dockerfile, volume mounting, and running modules from a container.

⏱ 8 min readRead →
Data reporting and export from recon-ngModules

Recon-ng Reporting Modules: Export Your Intel Like a Pro

Master recon-ng's reporting layer — CSV, JSON, HTML, and pushpin reports. Turn raw database intelligence into polished, shareable deliverables.

⏱ 6 min readRead →
HackerOne Bugcrowd bug bounty recon workflowBug Bounty

Recon-ng for HackerOne & Bugcrowd: Real Bug Bounty Workflow

A platform-specific guide for running recon-ng on HackerOne and Bugcrowd programs — scope parsing, wildcard targets, and out-of-scope safeguards.

⏱ 10 min readRead →
Recon-ng vs Nmap passive vs active reconComparison

Recon-ng vs Nmap: Two Tools, Two Jobs — Which One When?

Understand the fundamental difference between passive OSINT (recon-ng) and active network scanning (Nmap) — and why every pro uses both.

⏱ 7 min readRead →

// Stay Updated

New Tutorials Every Week

Get the latest recon-ng guides, OSINT techniques, and cybersecurity tips delivered straight to your inbox.