

Recon-ng is a reconnaissance tool that provides a powerful environment for conducting open-source, web-based reconnaissance quickly and thoroughly. It is built around Open Source Intelligence (OSINT) and is one of the easiest and most useful tools for reconnaissance.

Recon-ng is written in Python and comes complete with database interaction, independent modules, interactive help, command completion, and built-in convenience functions.


  • What is Recon-ng?
  • Features.
  • Uses.
  • Using recon-ng.
  • Help.
  • Examples.

What is Recon-ng?

Recon-ng is a full-featured reconnaissance framework with an interface similar to that of Metasploit, which makes it handy and easy to use.

Recon-ng has a command-line interface that you can run on Kali Linux. You enter a shell-like environment where you can configure options, perform recon, and output results to different report types.

The interactive console provides several helpful features, such as command completion and contextual help.


Features

  • Free and open source: it can be downloaded and used at no cost.
  • One of the easiest and most useful tools for performing reconnaissance.
  • Used for vulnerability assessment of web applications.
  • Uses the Shodan search engine to scan IoT devices.
  • Easily finds loopholes in the code of websites and web applications.
  • Recon-ng has the following modules: GeoIP lookup, banner grabbing, DNS lookup, and port scanning. These modules make this tool so powerful.
  • Recon-ng can target a single domain and find all the subdomains of that domain, making work easy for pen-testers.

Uses of Recon-ng 

  • Recon-ng can be used to find the IP Addresses of a target.
  • Recon-ng can be used to look for error-based SQL injections.
  • Recon-ng can be used to find sensitive files such as robots.txt.
  • Recon-ng can be used for Geo-IP lookup, banner grabbing, DNS lookup, port scanning, sub-domain information, and reverse IP using WHOIS lookup.
  • Recon-ng can be used to detect the Content Management System (CMS) in use by a target web application.

Using Recon-ng

Step 1: Installing the Module.

The syntax is marketplace install followed by the module path, here recon/domains-contacts/whois_pocs, as seen below.

[recon-ng][default] > marketplace install recon/domains-contacts/whois_pocs
[*] Module installed: recon/domains-contacts/whois_pocs
[*] Reloading modules...
[recon-ng][default] > 

Step 2: Loading Modules.


[recon-ng][default] > modules load recon/domains-contacts/whois_pocs

[recon-ng][default][whois_pocs] >

Step 3: Set source.

Now set the source. It is currently set to default; to see the current value, use options list (show options in older releases), as below.


[recon-ng][default][whois_pocs] > options list


Syntax: options set SOURCE

[recon-ng][default][whois_pocs] > options set SOURCE

Step 4: Run the Module.

Type run to execute the module.


[recon-ng][default][whois_pocs] > run
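
Once the module has run, its results are held in the workspace database. The Python below is an added example, not code from the original post or from Recon-ng: it reviews the addresses a whois_pocs run recorded for your own domain and separates shared role mailboxes from named individuals, the WHOIS entries worth replacing with a role account. The simplified contacts table, the role-name list, the function names and all sample rows are constructed assumptions.

```python
import sqlite3

# Mailbox names treated as shared role accounts rather than named people
# (an assumed list for this example; extend it for your organisation).
ROLE_LOCALPARTS = {"hostmaster", "dnsadmin", "noc", "abuse", "domains", "admin", "security"}

def build_sample_db():
    """In-memory stand-in for a workspace database; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    # Simplified layout assumed for the example, not Recon-ng's exact schema.
    conn.execute("CREATE TABLE contacts (first_name TEXT, last_name TEXT, "
                 "email TEXT, region TEXT, country TEXT, module TEXT)")
    rows = [
        ("Alex", "Doe", "alex.doe@example.com", "Springfield", "US", "whois_pocs"),
        ("Host", "Master", "hostmaster@example.com", "Springfield", "US", "whois_pocs"),
        ("Sam", "Roe", "sam.roe@mail.example.net", "Springfield", "US", "whois_pocs"),
        ("Alex", "Doe", "Alex.Doe@example.com", None, None, "whois_pocs"),  # duplicate
        ("No", "Mail", None, None, None, "whois_pocs"),                     # no address
    ]
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?)", rows)
    return conn

def audit_contacts(conn, own_domain, module="whois_pocs"):
    """Classify each distinct address the module recorded, for review."""
    report = {"role": [], "named": [], "off_domain": []}
    seen = set()
    cur = conn.execute(
        "SELECT email FROM contacts WHERE module = ? AND email IS NOT NULL", (module,))
    for (email,) in cur:
        email = email.strip().lower()          # WHOIS data varies in case
        if email in seen or "@" not in email:
            continue
        seen.add(email)
        local, _, domain = email.rpartition("@")
        if domain != own_domain and not domain.endswith("." + own_domain):
            report["off_domain"].append(email)  # registered via another domain
        elif local in ROLE_LOCALPARTS:
            report["role"].append(email)        # shared mailbox, low exposure
        else:
            report["named"].append(email)       # individual named in WHOIS
    return {kind: sorted(found) for kind, found in report.items()}

if __name__ == "__main__":
    for kind, found in audit_contacts(build_sample_db(), "example.com").items():
        print(f"{kind}: {found}")
```

Entries under "named" are the ones to move to a role mailbox at the registrar; "off_domain" entries deserve a check that the outside address is still controlled by the organisation.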


Help

The help command from within a loaded module offers different options from the global ‘help’.
When you are ready to explore more modules, use ‘back’.

The module help menu brings additional commands such as:

  • goptions: Manages the global context options
  • reload: Reloads the loaded module
  • run: Runs the loaded module
  • script: Records and executes command scripts.

[recon-ng][default][hacksheet]> help
Commands (type [help|?] ):
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
goptions        Manages the global context options
help            Displays this menu
info            Shows details about the loaded module
input           Shows inputs based on the source option
keys            Manages third-party resource credentials
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
reload          Reloads the loaded module
run             Runs the loaded module
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file
