recon-ng
Automated web reconnaissance framework
TLDR
Start the tool
Create a workspace
Search the marketplace for modules used to accomplish different reconnaissance tasks
Install all available modules (some may need API keys to function completely)
Load the profiler module. It is used to scan the web for profiles matching the target, scrape them, and store them
Insert the target's username. After entering this command, type the username to search for at the prompt and leave the remaining options blank
Run the current module
SYNOPSIS
recon-ng [options]
PARAMETERS
-h, --help
Show the help message and exit.
--version
Show program's version number and exit.
--no-color
Disable colored output from the framework.
--no-meta
Disable the startup metadata (version, author, etc.).
--debug
Enable debug mode for more verbose output and error details.
--headless
Run the framework in headless mode, without an interactive prompt. Useful for scripting.
--command <command>
Execute a single framework command and exit. Used with --headless for automated tasks.
--script <file>
Execute commands from a script file and exit. Used with --headless for automated workflows.
--workspace <workspace_name>
Load or create a specific workspace upon startup.
DESCRIPTION
recon-ng is an open-source web reconnaissance framework written in Python. It is designed to automate the painful process of information gathering during penetration tests, providing a powerful and extensible platform for Open Source Intelligence (OSINT). Much like Metasploit, recon-ng is an interactive shell where users can load modules, set options, run commands, and organize data using workspaces.
Its modular architecture allows users to perform various reconnaissance tasks, including passive information gathering (e.g., discovering subdomains, identifying email addresses, finding related hosts) using publicly available data. It integrates with numerous third-party APIs (e.g., Google, Shodan, VirusTotal), requiring users to obtain and configure API keys for full functionality. It's a critical tool for ethical hackers and security researchers to build a comprehensive picture of their target's online presence before launching more intrusive attacks.
CAVEATS
recon-ng's full potential is realized through an interactive shell, not solely via command-line arguments. Many modules require API keys from third-party services, which need to be obtained and configured within the framework. Users should be mindful of ethical considerations and legal boundaries when performing reconnaissance, ensuring activities are authorized and within scope.
INTERACTIVE MODE
While recon-ng has startup command-line options, its primary mode of operation is an interactive shell. Users enter the framework by simply typing recon-ng, then use internal commands (e.g., show modules, use, set, run) to navigate its features.
WORKSPACES
recon-ng utilizes 'workspaces' to organize reconnaissance data. Each workspace acts as a separate database, allowing users to keep findings from different targets or projects isolated and clean. Commands like workspaces add, workspaces select, and workspaces list are used to manage them.
MODULES
The framework's functionality is extended through a wide array of modules, categorized by their purpose (e.g., recon, reporting). Users can load specific modules using the use command and then configure module-specific options before execution. New modules can be easily developed and integrated.
API KEYS
Many powerful modules in recon-ng rely on third-party services that require API keys for access (e.g., Shodan, Censys, Hunter.io). These keys must be obtained by the user from the respective service providers and then configured within recon-ng using the keys add command to unlock the full capabilities of the framework.
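The sections above describe one procedure: pick a workspace, install and load a module, set its SOURCE option, run it, and read the results, with API keys added first where a module needs them. The following added example (not code from the recon-ng project) replays that sequence non-interactively by writing the framework commands to a resource file and launching recon-ng with -w (load or create a workspace) and -r (execute a resource file), both of which the framework accepts at startup. Framework commands are written in the recon-ng 5.x spelling (marketplace install, modules load, options set); 4.x releases wrote the same steps as use and set. Assumptions: example.com stands in for a domain you are authorised to assess, and recon/domains-hosts/hackertarget is chosen because it is a passive subdomain module that needs no API key; WORKSPACE and TARGET_DOMAIN are illustrative environment variables, not framework settings.

```shell
#!/bin/sh
# Added example, not part of recon-ng: drive the interactive framework from a
# resource file so the TLDR workflow (load module, set SOURCE, run) can be
# scripted and repeated, e.g. for a scheduled sweep of your own domains.

# make_resource OUTFILE DOMAIN
# Write the framework commands for one passive subdomain sweep to OUTFILE and
# print its path. The workspace is chosen with -w at launch, so the file only
# holds module-level commands. A keyed module would need a
# "keys add <name> <key>" line before "modules load".
make_resource() {
  out="$1"
  domain="$2"                      # assumption: a domain you may assess
  cat > "$out" <<EOF
marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
options set SOURCE $domain
run
show hosts
exit
EOF
  echo "$out"
}

# count_commands FILE
# Number of non-blank lines in a resource file; a cheap sanity check before
# handing a generated script to the framework.
count_commands() {
  grep -c '[^[:space:]]' "$1"
}

# run_headless WORKSPACE RESOURCE
# Launch recon-ng with the workspace loaded (created if it does not exist) and
# the resource file replayed. The trailing "exit" written by make_resource
# returns control to the shell instead of leaving an interactive prompt open.
run_headless() {
  ws="$1"
  resource="$2"
  if ! command -v recon-ng >/dev/null 2>&1; then
    echo "recon-ng not on PATH; resource file kept at $resource" >&2
    return 1
  fi
  recon-ng -w "$ws" -r "$resource"
}

# Stand-alone use: build the script, then run it when the framework is installed.
rc=$(make_resource "${TMPDIR:-/tmp}/recon-example.rc" "${TARGET_DOMAIN:-example.com}")
run_headless "${WORKSPACE:-external-footprint}" "$rc" || true
```

Because each workspace is its own database, running this with a different WORKSPACE value per project keeps the hosts found for one domain separate from another, which is the isolation the WORKSPACES section describes; the resource file itself stays the same apart from the SOURCE line.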
HISTORY
recon-ng was created by Justin Seitz, also known as 'LaNMaSteR53', and first publicly released around 2012. It quickly gained traction in the cybersecurity community due to its powerful capabilities and modular design, which mirrored the success of other interactive frameworks like Metasploit. It has undergone continuous development, adapting to new OSINT techniques and integrating with an expanding list of data sources, solidifying its position as a go-to tool for penetration testers and security analysts.