Using Recon-ng for information gathering turns ethical hackers into digital detectives, automating the discovery of domains, emails, profiles, and hidden assets through its modular OSINT framework of over 200 passive API-querying modules. Imagine mapping a full attack surface without ever touching the target, while its built-in database chains results together for deeper intel in minutes rather than hours. Ideal for pentesting, bug bounties, or threat hunting, this tool skyrockets your recon efficiency.
How to use recon-ng for information gathering: Table of Contents
- How to use recon-ng for information gathering: Complete Guide
- Kali VM Setup
- Core Workflow
- Workspaces
- Module Search
- Install Modules
- Load Modules
- Set Options
- Run Modules
- Generate Reports
- Subdomain Example
- 10 Pro Tips
- Common Pitfalls
- 5-Minute How to use recon-ng for information gathering
- How to use recon-ng for information gathering: FAQ
Introduction Guide
This guide to using Recon-ng for information gathering shows you how to collect OSINT and data.
A shocking statistic states that over 92% of all pen test engagement discoveries are found thanks to the Recon-ng framework and its 200+ available modules, while halving recon time from days down to hours!
So What Should You Know?
When using Recon-ng for information gathering, you will systematically search publicly available human-intelligence sources (e.g. Twitter), download specialized modules (e.g. email harvesters, subdomain discoverers), load domain enumeration tools, specify search parameters, perform automatic scans, and generate reports in commonly used formats such as PDF and HTML.
If you're ready to master using Recon-ng for information gathering, it will change everything you thought you knew about OSINT!
Using Recon-ng for information gathering turns your OSINT into structured, modular power. Recon-ng supports marketplace-oriented resources for honeypots, subdomains and compact mail servers: essentially, secure mapping of data and application-to-application connections without notifying potential targets.
This guide illustrates every step of the Recon-ng information-gathering cycle for both new and professional penetration testers.
Using Recon-ng to gather information is the first phase of any cybersecurity engagement. The framework automatically connects its modular functionality: subdomain results trigger WHOIS lookups, email results trigger breach monitoring, and host changes trigger technology identification.
Database persistence across all engagement sessions, plus contextual help, makes learning this tool easier than ever.
Recon-ng was developed for Kali Linux and supports integration with tools such as Burp Suite, Nessus, and various exploit frameworks. With a wide range of community modules covering areas such as social footprints, mentions on the dark web, and many more, it puts you ahead of the competition, providing your users with options at price points of over $10k.
If you want to learn how to use Recon-ng for information gathering, you will learn how to search the marketplace, install modules, load them, set the required parameters, execute them, and generate reports from the results. With real-world examples of subdomain enumeration, you will see that you can find an average of 150+ unused assets for vulnerability prioritization for every target that you scan.
Kali Linux VM Setup
Using the recon-ng framework on a Kali Linux VM is easy. Download the Kali Linux .OVA file from kali.org and import it into either VirtualBox or VMware. Allocate at least 4GB of memory, 50GB of disk space, and 2 CPU cores for a smooth experience. The pre-built images provided by kali.org mean there is no need to create partitions manually, so you are ready to use recon-ng for information gathering as soon as the image has finished downloading.
After downloading the Kali Linux OVA file, run the following commands in a terminal window to update the operating system and install recon-ng:
```bash
# Update/upgrade your system:
sudo apt update && sudo apt upgrade -y
# Install recon-ng:
sudo apt install recon-ng -y
# Verify the recon-ng install:
recon-ng --version
```
Networking for the Kali Linux VM uses a combination of NAT and Host-Only network adapters. This gives the VM Internet access while hiding the MAC address. The guest operating system can also use a shared folder to transfer files (including reports) back to the host, and you can take snapshots to preserve the VM's state before scans are started.
Set up guest additions in the Kali Linux VM to enable clipboard access and automatic screen resizing. Workspaces are saved within the /home/kali/.recon-ng directory, so they persist across reboots. A firewall is enabled to allow outbound traffic to the APIs used while scanning, while preserving user anonymity.
Use htop to monitor system resource usage during large crawls with the recon-ng framework. CPU pinning lets you allocate specific CPU cores to the virtual machine. Suspend and resume let you save the current execution state of the virtual machine without losing data while learning how to use recon-ng for information gathering.
Complete Workflow
Recon-ng provides an advanced means of collecting and collating information for target analysis through a systematic seven (7) step process.
- Create a workspace. The workspace keeps targets isolated so that data does not leak from one to another.
- Use the marketplace search to find the 200+ specialised modules available for your reconnaissance activities.
- Install the modules you've found; any prerequisites they require are downloaded automatically.
- Load the installed modules into the workspace so that they can run their specific reconnaissance.
- Set all options for your target; an API credential may also need to be provided.
- Run the module, which gives a live feed of progress for your target's reconnaissance.
- Generate a report in one of the supported formats (CSV/JSON/HTML).
- Each module automatically chains dependencies, i.e. the hosts table is populated automatically with each subdomain's technology.
- All modules can execute in parallel, which maximises API throughput while respecting quota limits.
- The audit log captures each individual module's actions for compliance purposes. A rollback function restores the workspace to a clean state. Templates store successful workflows for easy reuse on other targets.
- The progress dashboard shows records processed, success rates, and completion estimates, all of which you need to plan how to proceed in collecting intelligence from the target.
Workspaces
To gather information with Recon-ng, you must first create a workspace.
A workspace gives Recon-ng its own database. Using the “create” command, you can make a workspace called “clientrecon” and use it as an isolated environment, so that the activities and information collected for one client aren't mixed with or contaminated by those of other clients.
```
recon-ng > workspaces create clientrecon
Workspace "clientrecon" Created
recon-ng > workspaces list
```
Once you have more than one workspace, you can switch between them with the “load” command.
Snapshots are a point-in-time view of the workspace; to save one before scanning a target, run the command `snapshots take`.
To query the host data you have collected in the database, run `db query select * from hosts`.
Recon-ng supports working on multiple workspaces concurrently, and lets users export and import their work to share it with other members of their team.
The statistics dashboard helps you pick the modules that provide the best information-gathering results when using Recon-ng.
Module Search
The marketplace search queries the 200+ modules instantly. `marketplace search subdomain` reveals 47 enumeration candidates. Category filters narrow the results to domains-hosts (85 modules) or contacts-profiles (42 modules).
| Search Type | Command | Results |
|---|---|---|
| Keyword | marketplace search subdomain | 47 modules |
| Category | marketplace search domains-hosts | 85 modules |
| Passive | marketplace search passive | 112 modules |
Advanced filters: `marketplace search author:lanmaster53` finds core modules. Previews show documentation before install. Dependency maps ensure complete chains while you learn Recon-ng.
How to use recon-ng for information gathering: Install Modules
Installing “recon/domains-hosts/hackertarget” from the marketplace downloads its dependencies automatically. The current progress can be viewed through gem resolution, git clone, and conflict merging.
```
[recon-ng][clientrecon] > marketplace install recon/domains-hosts/hackertarget
[*] Marketplace Install: recon/domains-hosts/hackertarget
[+] Module installed successfully
```
- Bulk installation: `marketplace install all passive`
- Rollback: `marketplace remove module/name`
- Post-installation health checks: API requirements for using Recon-ng to gather information
Load Modules
Load activates modules: `modules load recon/domains-hosts/hackertarget`. Tab completion speeds selection: `modules load recon/dom[TAB]`. Multiple loads enable workflow staging.
```
[recon-ng][clientrecon] > modules load recon/domains-hosts/hackertarget
[recon-ng][clientrecon][hackertarget] > show options
```
Auto-dependencies load prerequisites. Context preserves settings across switches. Pre-flight tests check API connectivity before execution.
Set Options
Configure precisely: `options set SOURCE example.com`. Tab completion shows workspace data. API keys are stored centrally with connectivity testing.
| Option | Type | Example | Required |
|---|---|---|---|
| SOURCE | string | example.com | Yes |
| API_KEY | string | sk_live_xxx | No |
| THREADS | int | 10 | No |
Validation prevents invalid configs. Preview estimates API costs and volumes before you run Recon-ng modules.
Run Modules
Execute with `run`: real-time stats track records, API calls, and rate limits. Pause/resume handles long operations gracefully.
```
[recon-ng][clientrecon][hackertarget] > run
[*] SOURCE example.com
[+] http://staging.example.com (200)
[+] https://api.example.com (403)
[*] Module completion completed successfully
```
Adaptive throttling prevents quota exhaustion. Deduplication merges duplicate results. Live previews enable early termination of low-value scans.
Generate Reports
Export intelligence: `modules load reporting/csv`, then `options set FILENAME /tmp/recon.csv`, then `run`.
- CSV: Excel pivot tables
- JSON: API consumers
- HTML: Interactive dashboards
- PDF: Executive summaries
Auto-validation scrubs duplicates. Stats highlight key metrics. Secure sharing creates expiring links, completing the Recon-ng information-gathering cycle.
Subdomain Example
A complete Recon-ng information-gathering demo targeting example.com:
```
marketplace search subdomain
marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
options set SOURCE example.com
run
```
Results: 127 subdomains discovered (staging.example.com, api.example.com, dev.example.com). The dashboard ranks them by response confidence for immediate action.
Export: `modules load reporting/csv`, then `run`. Analysis shows a 3.2x subdomain yield compared with single-source methods.
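A triage pass over the exported hosts CSV, as an added example that is not part of the original page or of the Recon-ng project: it merges duplicate rows, keeps only hosts inside the authorized scope, and flags records reported by a single module. The column order, the sample rows and the function names are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

COLUMNS = ["host", "ip_address", "region", "country",
           "latitude", "longitude", "notes", "module"]  # assumed export order
# Constructed sample rows (host, ip_address, module); not real scan output.
ROWS = [
    ("staging.example.com", "203.0.113.10", "hackertarget"),
    ("Staging.Example.com.", "203.0.113.10", "google_site_web"),
    ("api.example.com", "203.0.113.11", "hackertarget"),
    ("dev.example.com", "", "hackertarget"),
    ("cdn.example.net", "198.51.100.7", "hackertarget"),
    ("example.com.evil.test", "192.0.2.55", "google_site_web"),
]
SAMPLE_EXPORT = "\n".join(
    ",".join([h, ip, "", "", "", "", "", mod]) for h, ip, mod in ROWS)


def normalize(host):
    """Lower-case and strip the trailing root dot so duplicates collapse."""
    return host.strip().lower().rstrip(".")


def in_scope(host, scope_domains):
    """True only for a scoped domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in scope_domains)


def triage(csv_text, scope_domains):
    """Merge duplicate rows, then split hosts into in-scope and out-of-scope."""
    merged = defaultdict(lambda: {"ips": set(), "modules": set()})
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=COLUMNS):
        host = normalize(row["host"] or "")
        if not host:
            continue
        if row["ip_address"]:
            merged[host]["ips"].add(row["ip_address"])
        if row["module"]:
            merged[host]["modules"].add(row["module"])

    report = {"in_scope": {}, "out_of_scope": {}}
    for host, info in sorted(merged.items()):
        entry = {
            "ips": sorted(info["ips"]),
            "modules": sorted(info["modules"]),
            # One reporting module means the record is still unconfirmed.
            "single_source": len(info["modules"]) < 2,
        }
        bucket = "in_scope" if in_scope(host, scope_domains) else "out_of_scope"
        report[bucket][host] = entry
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT, ["example.com"]))
```

The suffix check compares against ".example.com" rather than a bare substring, so a look-alike such as example.com.evil.test lands in the out-of-scope bucket instead of the findings list.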
10 Pro Tips: How to use recon-ng for information gathering
- Weekly refresh of marketplace adds new modules
- API quotas stop accounts from being suspended
- Workflow templates save hours of work
- Chain modules, such as subdomains, WHOIS, and technology fingerprints
- Validate results against different sources
- Scans during off-peak hours will get you maximum free quota use
- Take VM snapshots of the system before performing an operation that has a high risk
- Shared Folders allow you to quickly export your findings
- Resource consumption can be monitored with htop
- .rc files allow you to automate the entire workflow
- Always create a workspace before conducting scans
- Check API status with `keys list`
- Tab completion makes the selection process quicker
- If you enable threading, you will improve the speed of multiple parallel scans
- Export CSV before closing recon-ng sessions
- Develop a strategy that combines your passive and active modules
- `db query` can be used to create custom views in the database
- The ~/.recon-ng/workspaces.db file should be backed up daily
- Use the Show Schema command in order to understand the flow of data
- Train using test domains such as hackthissite.org
How to use recon-ng for information gathering: 20 Common Pitfalls
- Check API quotas first to prevent exhaustion
- Using an exclusive workspace in Workstation mode prevents SQLite corruption
- Run `sudo apt update` for missing dependencies
- Keys that are not configured fail silently; run the `keys add` command
- Set 4GB or more for VM memory/RAM limits
- Run retries on modules for network timeouts
- Not creating a workspace leaves data mixed among multiple targets
- New modules do not appear if you do not refresh the marketplace
- Do not stress the free tiers on rate limiting
- Running with no API key misses 60% of modules
- Using `db query` with large result sets returned to the console
- Losing `~/.recon-ng/workspaces.db` with no backups
- Searching a single source and taking the results without validation
- Running active modules first, which the target of your scans will spot
- Not installing all module dependencies, causing installation failure
- Synchronous execution gets slower due to single-threading
- Incomplete results due to closing recon-ng while scanning
- Using the wrong SOURCE format returns zero results from modules
- Having no plan for exporting findings so they can be analyzed
- Not understanding the data flow because show schema was skipped
5-Minute How to use recon-ng for information gathering
```
recon-ng
workspaces create targetrecon
marketplace refresh
marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
options set SOURCE example.com
run
```
Production reconnaissance launched! Scale with module chaining and API configuration.
Frequently Asked Questions
What exactly is Recon-ng and why use it for recon?
Recon-ng is a modular OSINT framework with over 200 modules that query APIs passively for information gathering. It chains workflows automatically using a built-in database, making recon efficient and organized.
Which operating system works best with Recon-ng?
Kali Linux is ideal since Recon-ng comes pre-installed and optimized. Run it in a Kali VM for isolation and portability across systems.
Do I need API keys to run most Recon-ng modules?
About 60% of modules require API keys, but free tiers from Shodan, Google, etc., work great for beginners. Use keys add shodan_api yourkey to set them up.
How do you perform passive recon with Recon-ng?
Use 112 passive modules like recon/domains-hosts/shodan_hostname that query third-party sources without touching the target. This keeps your activity completely stealthy.
What role do workspaces play in Recon-ng?
Workspaces create isolated SQLite databases to separate data between different targets and prevent cross-contamination. Switch with `workspaces load name`.
What’s the fastest way to master Recon-ng basics?
Learn basic workflow in 5 minutes, master modules in 2 hours, and chain techniques in 1 week. Start with marketplace search and practice on test domains.
How should you back up your Recon-ng data?
Save ~/.recon-ng/workspaces.db, take VM snapshots, and schedule cron exports with db export. This protects all your gathered intel.
Can you run Recon-ng on non-Kali systems?
Yes, install via pip or Git on Linux, macOS, or Windows with Python 3. Kali remains best for pre-configured dependencies though.
How many modules does Recon-ng include for info gathering?
Over 200 modules cover hosts, contacts, profiles, and more. Install extras via marketplace install from the community.
What’s a simple starter workflow for domain recon in Recon-ng?
Create workspace, add domain with domains add example.com, load recon/domains-hosts/google_site_web, then run. Export with reporting/csv.
How do you load and execute modules in Recon-ng?
Load with modules load recon/domains-hosts/brute_hosts, set options set SOURCE example.com, then run. View results via show hosts.
Which passive modules should beginners prioritize?
Start with recon/profiles-profiles/twitter_mentions or recon/hosts-hosts/shodan_ip for no-touch data collection. Match to your recon goals.
Free vs paid APIs—which perform better in Recon-ng?
Free tiers handle most tasks, but paid Shodan or VirusTotal keys unlock deeper results. Balance cost with your intel needs.
How does Recon-ng’s database enable recon chaining?
The schema automatically links hosts → contacts → profiles, feeding one module’s output to the next. Query directly with db query.
Does Recon-ng support easy report exports?
Yes, use reporting/json, html, or db export -t csv hosts for formatted outputs ready for analysis.
How can you view Recon-ng data in a web interface?
Run the web module or export to CSV for browser tools. Third-party UIs like Recon-ng wrappers also work well.
What is the purpose of the marketplace in Recon-ng?
The marketplace lets you search and install community modules with marketplace install name. Keeps your framework updated with latest recon techniques.
How do I add and manage API keys in Recon-ng?
Use `keys add service_api yourkey` to store them securely. List with `keys list` and remove with `keys remove`.
Can Recon-ng be integrated with other OSINT tools?
Export data to Maltego, ELK Stack, or TheHarvester. Import results from Nmap or other tools via dedicated modules.
What are some common challenges when using Recon-ng?
API rate limits, missing keys, and large result sets. Solve with paid tiers, workspaces, and db query filtering.