Recon-ng is a full-featured OSINT framework that automates open source intelligence gathering — used by ethical hackers, pentesters, and security researchers worldwide.
// Core Features
Recon-ng provides a powerful, modular environment to conduct open source web-based reconnaissance quickly, thoroughly, and efficiently.
Independent modules for every recon task — from domain enumeration to contact harvesting. Install only what you need via the built-in module marketplace.
Every piece of gathered intelligence is automatically saved in a workspace-specific SQLite database. Query, export, and analyze your findings any time.
Isolate different engagements with dedicated workspaces. Each workspace maintains its own database, module settings, and API key configuration.
Seamlessly integrate with Shodan, Censys, GitHub, VirusTotal, and more. Manage all your API keys from a single centralized key management interface.
Automate entire recon workflows with resource files. Record command sequences and replay them for repeatable, consistent intelligence gathering pipelines.
Export results in multiple formats including CSV, JSON, and HTML. Visualize your data with recon-web — the built-in analytics and reporting interface.
// Workflow
Recon-ng is designed around a simple, repeatable reconnaissance workflow that scales from single targets to enterprise-level engagements.
Clone from source or use the pre-installed version on Kali Linux. Run recon-ng to enter the interactive console.
Organize each engagement in its own isolated workspace with a dedicated database and module configuration.
Search the marketplace, install targeted modules, configure your source, and run to automatically gather and store intelligence.
Generate structured reports in CSV or HTML. Visualize findings in recon-web or export to Maltego and SpiderFoot.
// Module Categories
Every module is organized by the type of intelligence it gathers or the task it performs, making it easy to build focused recon pipelines.
// Quick Start
Install recon-ng on any Linux or macOS system with Python 3. Pre-installed on Kali Linux — just update and go.
// Use Cases
From solo researchers to red teams, recon-ng adapts to every intelligence-gathering scenario.
Map subdomains, discover exposed hosts, enumerate email addresses, and gather IP geolocation data before any engagement begins — all from a single framework.
Quickly enumerate large target scopes. Discover subdomains, pull WHOIS contacts, and find leaked credentials that other hunters miss.
Link companies to infrastructure, map corporate hierarchies, and correlate email addresses, social profiles, and IP data into a structured investigation database.
Automate the entire recon phase with resource scripts. Feed results directly into downstream tools via CSV export for full red team workflow integration.
Combine Shodan, Censys, and GitHub API integrations to build rich, structured threat profiles and track infrastructure changes over time.
Record command sequences into resource files for fully reproducible research. Share modules with the community via the open marketplace.
// FAQ
Everything you need to know about recon-ng before getting started.
Recon-ng is used for Open Source Intelligence (OSINT) gathering during the reconnaissance phase of ethical hacking and penetration testing. It automates the collection of publicly available information about domains, hosts, email addresses, IP ranges, credentials, and more.
Yes. Recon-ng is completely free and open source, released on GitHub. You can use it for personal research, professional security testing, and contribute your own modules back to the community.
Recon-ng is primarily designed for Linux and macOS. It can be run on Windows via WSL (Windows Subsystem for Linux) or in a Docker container. It comes pre-installed on Kali Linux, making Kali the most convenient platform.
While recon-ng has a similar look and feel to Metasploit, it serves a completely different purpose. Recon-ng is designed exclusively for passive and active web-based reconnaissance and OSINT gathering. It is not an exploitation framework.
Many modules work without any API keys. However, some powerful modules that integrate with third-party services like Shodan, Censys, or GitHub require API keys. Manage all keys using the built-in keys command.
Recon-ng is for ethical and authorized security testing only. Using it against systems you do not own or have explicit written permission to test is illegal in most jurisdictions.
// Get Started Today
Recon-ng is free, open source, and ready to use on Kali Linux. Clone the repo and run your first recon in under five minutes.
// Knowledge Base
Step-by-step guides, tutorials, and deep-dives for ethical hackers, OSINT professionals, and security researchers at every level.
Featured Guide
Beginner · 8 min read
Everything you need to know about recon-ng — what it is, why security professionals rely on it, how it compares to other OSINT tools, and exactly how to get started in under 10 minutes.
All Tutorials
A complete, step-by-step installation guide for every platform — including dependency setup, Python environment, and first-run configuration.
Discover the most powerful modules for domain enumeration, contact harvesting, subdomain discovery, and vulnerability detection — with real command examples.
Learn how to isolate engagements, back up databases, restore snapshots, and manage multiple target projects simultaneously.
A practical workflow for bug bounty hunters — from scope setup to subdomain enumeration, email harvesting, and reporting findings.
Unlock recon-ng's full potential by adding third-party API keys — Shodan, Censys, GitHub, VirusTotal and more — step by step.
An objective, feature-by-feature comparison of the three most popular OSINT frameworks so you can choose the right tool.
Build fully automated intelligence-gathering pipelines. Record, replay, and schedule complete recon workflows from the command line.
New to OSINT? Learn what Open Source Intelligence is, why it matters in cybersecurity, and how recon-ng fits into the bigger reconnaissance picture.
All the essential recon-ng commands in one place — from launching the framework to running modules, querying the database, and generating reports.
Isolate recon-ng in a Docker container for maximum portability and security. Includes Dockerfile, volume mounting, and running modules from a container.
Master recon-ng's reporting layer — CSV, JSON, HTML, and pushpin reports. Turn raw database intelligence into polished, shareable deliverables.
A platform-specific guide for running recon-ng on HackerOne and Bugcrowd programs — scope parsing, wildcard targets, and out-of-scope safeguards.
Understand the fundamental difference between passive OSINT (recon-ng) and active network scanning (Nmap) — and why every pro uses both.