How to Use Recon-ng? Your Step-by-Step Guide

What Is Recon-ng?

Recon-ng is a free-to-use OSINT tool designed specifically for reconnaissance activities. It can also be used to find specific information or identify a vulnerable part of the security system. Recon-ng was written in Python, which makes it accessible and understandable even for inexperienced devs. 

One thing to take into account is the modularity of the instrument. Recon-ng is built with modular blocks, which allows users to extend its functionality by adding or developing their own modules. Hence, you can easily adapt the tool to serve your specific requirements.

Recon-ng Modules Overview

Recon-ng modules are the building blocks of the framework, providing specific functionalities for different reconnaissance requests. Here are some of the types of tools you can find via the “marketplace search” of the tool: 

Discovery Modules 

Such extensions are useful for studying subdomains of a targeted domain using methods like brute-force enumeration and search engine queries, among others. 

Exploitation Modules 

The goal of these instruments is to take advantage of vulnerabilities available in the system. 

Import Modules

Import modules are used to load external or custom tools into Recon-ng. This allows users to extend the functionality of the framework by integrating third-party tools or creating their own.

Reporting Modules 

These modules are used to organize convenient reports based on previous reconnaissance findings, which are used for further analysis. They can be presented in different forms, such as HTML or CSV. 

Recon Modules 

These instruments are focused on reconnaissance and information gathering. Recon tools are designed to discover and enumerate various aspects of a target, such as subdomains, hosts, and network services.

How to Use Recon-ng for OSINT

Even though Recon-ng is a relatively simple tool, it might not be intuitively understandable how to use it. Here’s a step-by-step breakdown of how you can use the instrument’s modules with ease:

  1. First of all, install Recon-ng from Kali Linux. 
  2. Enter “./recon-ng” to load the console. 
  3. Type in “help” to start working with the software. Then, you have to set up a workspace to kick off the OSINT investigation and store the data in it. 
  4. Now, you will be ready to install the modules depending on what service you are looking for. Type in “marketplace help” in order to be able to navigate and control the modules. 
  5. Enter “marketplace search” to select a particular tool that suits your purpose. You can also request more details about a specific module after finding it in the list. Pay attention to the subcategory, update time, version and other info that describes the instrument. 
  6. Use the command “run” to activate the module you’ve installed. 
  7. After that, type in the “show hosts” command to see the table called “hosts”, which holds the result of the research. That is the basic path of using advanced tools for OSINT via Recon-ng. 
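
The steps above as a repeatable run, given here as an added example rather than code from the article or the Recon-ng project. It writes the console commands into a resource file and replays them with the “-r” option; the module choice, the function names, the RECON_NG_BIN variable and example.com are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: the steps above as a Recon-ng resource file for repeatable runs.
# Assumptions (not from the article): Recon-ng v5 console syntax, the
# recon/domains-hosts/hackertarget module, the RECON_NG_BIN override, and
# example.com as a placeholder for your own organisation's domain.

MODULE="recon/domains-hosts/hackertarget"

# Accept only plain DNS names, so a value carrying spaces, newlines or ';'
# cannot smuggle extra console commands into the resource file.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;          # empty or non-DNS character
        .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;   # malformed label
        *.*) return 0 ;;                          # at least two labels
        *) return 1 ;;
    esac
}

# usage: write_resource_file <domain> <output-file>
write_resource_file() {
    valid_domain "$1" || { echo "refusing invalid domain: $1" >&2; return 1; }
    cat > "$2" <<EOF
marketplace search hackertarget
marketplace info $MODULE
marketplace install $MODULE
modules load $MODULE
options set SOURCE $1
run
show hosts
exit
EOF
}

# usage: run_recon <workspace> <domain>
run_recon() {
    rc=$(mktemp) || return 1
    write_resource_file "$2" "$rc" || { rm -f "$rc"; return 1; }
    # -w loads (or creates) the workspace, -r replays the resource file.
    "${RECON_NG_BIN:-recon-ng}" -w "$1" -r "$rc"
    status=$?
    rm -f "$rc"
    return "$status"
}

# Nothing runs unless asked, e.g.: sh recon-run.sh --run acme example.com
if [ "${1:-}" = "--run" ]; then
    run_recon "$2" "$3"
fi
```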

Your Recon-ng Cheat Sheet

Since the instrument has a varied range of possible use options, there are more interesting Recon-ng features and easter eggs to discover beyond what meets the eye on the surface. We will only list a few amusing services that Recon-ng modules can provide. 

For Better Performance, Recon-ng Requires These APIs

Recon-ng supports various APIs and data sources to gather information during the reconnaissance phase. These APIs can deliver valuable data for different modules within the instrument. Some of the most popular APIs are: 

  • Google API. This one is pretty self-explanatory and works well for scanning search engine results. The API works best to find domains or subdomains. 
  • BuiltWith API. The tool is useful in order to explore the technical side of the website. This API allows finding out the technology utilized to maintain a site without any host interaction. 
  • Shodan API. In a nutshell, this tool allows searching through an enormous Internet of Technology database to find needed data. 
  • Hackertarget API. This API is related to cybersecurity and penetration testing. It works for finding hostnames and collecting subdomains. 
  • Hunter.io API. It operates to find email addresses associated with a domain. This API extracts contact info from the Internet profiles and stores data in case it might be useful. 

Recon-ng Command List

Moreover, remember to learn these basic commands that will help you navigate the software effortlessly: 

  • “modules” to list available options.
  • “keys” to display keys for the loaded module.
  • “db” to display information from the database.
  • “help” to show the help terminal. 
  • “dashboard” to overview the outcome of the search. 
  • “marketplace” to open up this menu.
  • “options” to manage the session. 

The Benefits of Recon-ng 

Overall, Recon-ng has various perks that make it stand out as a must-have tool for an OSINT investigation. One of the benefits is its modular architecture, which is entry-friendly and convenient. Other advantages are the ability to automate database research, install APIs, gain access to a massive data library and put all search findings in order using different workspaces. Even if you are not a pro, Recon-ng will be fairly accessible.

The Drawbacks of Using Recon-ng

Even though Recon-ng is generally a well-appraised tool, it is important to recognize its limitations. For instance, new users should be ready for a very simple design with no convenient graphical interface. Moreover, due to the sheer number and variety of the modules, the result accuracy is not consistent for all the services.

Conclusion 

In spite of its shortcomings, Recon-ng is a great starting point for conducting different types of OSINT searches. This instrument is flexible in use and customizable, so you can turn it into a helping tool to support any specific type of investigation.