Recon-ng — Professional OSINT Guide
A single, continuous, professional explanation of Recon-ng with boxed commands and code for easy copy & paste.
Recon-ng is a powerful Python-based reconnaissance framework for ethical hackers that organizes your OSINT workflow into modular, repeatable steps. Everything is scoped to a workspace, which is essentially a project folder storing all discovered entities such as domains, hosts, contacts, and netblocks. Modules act as building blocks that perform tasks such as WHOIS queries, DNS enumeration, certificate transparency log parsing, search engine scraping, and API-based enrichment from Shodan, VirusTotal and other services.

To start, clone the GitHub repository with `git clone https://github.com/lanmaster53/recon-ng.git`, or install via `sudo apt install recon-ng -y`, and run `python3 recon-ng`. Inside the prompt, create a workspace using `workspace create demo`, select it with `workspace select demo`, add a domain with `add domains example.com`, search modules using `modules search whois`, and load modules via `use recon/domains-contacts/whois`. Set required options like `set SOURCE example.com` and run modules with `run`. Use `show hosts` and `show contacts` to inspect collected data, and export results using reporting modules (CSV, JSON, HTML) such as `use reporting/csv; set SOURCE hosts; set FILENAME out.csv; run`.

Automation is supported via .rc resource scripts: save repeatable sequences as files and execute them with `python3 recon-ng -r script.rc`. Custom modules are simple Python classes that call APIs and add entities via helper methods; inspect the provided `modules/` folder for examples. Recon-ng stores data in workspace-specific SQLite databases under `workspaces/<name>/recon-ng.db`; prefer exports and module APIs over direct DB edits.

Best practices: start passive, document scope, obtain written authorization before active scanning, protect and rotate API keys, respect provider quotas, and archive workspaces after engagements. Use separate RCs for seeding, enrichment, and reporting so workflows are modular and auditable.
The combination of modular architecture, API enrichment, DB-backed storage, and reporting makes Recon-ng a repeatable, professional OSINT engine.
```
# Quick commands reference
workspace create demo
workspace select demo
add domains example.com
use recon/domains-contacts/whois
set SOURCE example.com
run
show hosts
```
```
# recon-playbook.rc
workspace create acme_2025_10_17
workspace select acme_2025_10_17
add domains example.com

# Seed: WHOIS and DNS
use recon/domains-contacts/whois
set SOURCE example.com
run
use recon/domains-hosts/dnsdumpster
set SOURCE example.com
run

# CT logs & search engines
use recon/hosts/certspotter
set SOURCE example.com
run
use recon/domains-hosts/bing_domain_web
set SOURCE example.com
run

# Optional enrichment (requires API keys)
# keys add shodan_api YOUR_SHODAN_KEY
# keys add virustotal YOUR_VT_KEY

# Export results
use reporting/json
set SOURCE all
set FILENAME acme_all.json
run
use reporting/html
set SOURCE all
set FILENAME acme_report.html
run
exit
```
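The scope and API-key practices described above can be checked before a playbook is executed. The following is an added example, not part of Recon-ng or of the original guide: a pre-flight audit for .rc files written in the command syntax this page uses. The names `audit_rc`, `in_scope` and `PLACEHOLDER`, the treatment of `default` as a SOURCE value, and the sample script are assumptions constructed for illustration.

```python
import re

# Placeholder values (YOUR_... as in the playbook above) are not real secrets.
PLACEHOLDER = re.compile(r"^(YOUR_|<|\$)", re.IGNORECASE)

def in_scope(name, scope):
    """True if name is an authorized domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in scope)

def audit_rc(text, scope):
    """Return (line_no, kind, detail) findings for a resource script."""
    scope = {d.lower().rstrip(".") for d in scope}
    findings, module = [], ""
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.strip().lstrip("#").split()
        if len(tok) < 2:
            continue
        verb = (tok[0].lower(), tok[1].lower())
        # Checked on comments too: a commented-out key is still in the file.
        if verb == ("keys", "add"):
            if len(tok) >= 4 and not PLACEHOLDER.match(tok[3]):
                findings.append((no, "secret", tok[2]))  # key is not echoed
            continue
        if raw.lstrip().startswith("#"):
            continue
        if verb[0] == "use":
            module = tok[1]
        # Reporting modules take a table name as SOURCE here, not a target.
        is_target = verb == ("add", "domains") or (
            verb == ("set", "source") and not module.startswith("reporting/"))
        # Assumption: "default" means "use the workspace tables", so skip it.
        if (is_target and len(tok) > 2 and tok[2].lower() != "default"
                and not in_scope(tok[2], scope)):
            findings.append((no, "out-of-scope", tok[2]))
    return findings

SAMPLE_RC = """\
# constructed sample playbook, not from a real engagement
use recon/domains-hosts/bing_domain_web
set SOURCE example.org
# keys add shodan_api constructed-not-a-real-key
# keys add virustotal YOUR_VT_KEY
use reporting/json
set SOURCE all
"""

if __name__ == "__main__":
    print(audit_rc(SAMPLE_RC, ["example.com"]))
```

Run it against each RC with the domains from the written authorization as `scope`, and treat any finding as a reason to stop before `recon-ng -r` is invoked.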
```python
from recon.core.module import BaseModule


class Module(BaseModule):

    meta = {
        'name': 'example/custom-module',
        'author': 'you',
        'description': 'Fetch data from MyAPI and add hosts',
        'options': (
            ('SOURCE', True, 'Source domain', None),
            ('API_KEY', True, 'MyAPI key', None),
        )
    }

    def run(self):
        source = self.options.get('SOURCE')
        api_key = self.options.get('API_KEY')
        # call API, parse results, then:
        # self.add_hosts('sub.example.com')
```