Introduction: Recon-ng Marketplace
The recon-ng marketplace allows you to use 200+ powerful modules to reduce hours or even weeks of searching to just a few minutes of automated work. Using simple commands, you can find hidden subdomains, employee emails, server details, and potential security vulnerabilities without having to write a single line of code.
Want to learn reconnaissance easily and use professional tools like experts do? Then this is the perfect place to start. Let’s dive in and explore how recon-ng can help you work smarter and easier.
What Recon-ng Marketplace Can Do
1. Imagine This
You can achieve the following by running a few simple commands:
many subdomains
employee emails
server information
security issues
And the best part is: you can save everything in a report and use it.
This is what recon-ng marketplace can do for you—even if you are a beginner.
2. More Than Just a Tool
Recon-ng marketplace is not just a tool.
It is a complete system with 200+ modules.
These modules help you:
find subdomains
find emails
find devices
find data breaches
And this is what professionals and bug hunters use to find security issues.
3. Easy to Learn for Beginners
This guide will help you understand:
simple commands
what to expect from the tool
tips for safe use
the workflow
And the good news is: you do not need to learn a lot of tools.
Just one workflow: search → install → load → set options → run → export
4. Used in Real Cybersecurity Work
Recon-ng marketplace is used in:
bug bounty platforms like HackerOne and Bugcrowd
cybersecurity training and labs
real security testing (red team work)
It is used mainly for safely gathering information (passive recon).
5. What You Will Learn
Once you learn this, you will be able to:
start recon-ng
locate and install modules
add API keys
carry out scan steps
connect the results
create professional reports
You will be able to finish your very first basic recon task in a very short time.
Shocking Stats about Recon-ng Marketplace
1. Big Difference in Modules
Default Recon-ng, which comes with Kali Linux, has basic modules
Marketplace has 200+ extra powerful modules
Here are 20+ important reconnaissance & OSINT modules/tools
🔍 Important Recon / OSINT Modules (Different Tasks)
📧 Email & Contact Discovery
whois_pocs → Finds emails & contacts from WHOIS data
hunter_io → Finds company emails
theHarvester → Collects emails, domains, names
emailrep → Checks email reputation
holehe → Finds accounts linked to email
🌐 Subdomain & Domain Discovery
crtsh → Finds subdomains using SSL certificates
sublist3r → Subdomain enumeration
amass → Advanced subdomain discovery
dnsdumpster → DNS info & subdomains
dnsrecon → DNS enumeration
🌍 IP, Server & Network Info
shodan_hostname → Finds devices & servers
censys → Internet-wide device search
netcraft → Website & hosting info
ipinfo → IP details (location, ISP)
zoomeye → Device & service search engine
🔐 Breach & Security Data
haveibeenpwned → Checks data breaches
dehashed → Leaked credentials database
intelx → Breach + deep web search
leaklookup → Search leaked databases
🏢 Company & Organization Info
linkedin_lookup → Employee details
clearbit → Company intelligence
fullcontact → Person/company data
📱 Social Media & Username Tracking
sherlock → Finds username across platforms
socialscan → Checks username availability
maigret → Advanced username search
📂 Metadata & File Intelligence
metagoofil → Extract metadata from files
exiftool → Reads file metadata
🌐 Web Technology & CMS Detection
builtwith → Website tech stack
whatweb → Detect CMS & technologies
⚡ Vulnerability & Attack Surface
🧠 Pro Tip (Very Important)
👉 In tools like Recon-ng, these modules are categorized like:
recon/domains
recon/hosts
recon/contacts
recon/profiles
👉 You can automate full recon using:
marketplace install all
modules load <module_name>
run
Most users don’t even know about these extra modules.
2. Everything Works Together
Modules in Recon-ng can connect the results automatically
Let’s say, for example, you want to find subdomains
You run the subdomain finder, and you get many targets
Then, you use the targets to find devices
Then, you use the devices to find emails
Then, you use the emails to find data breaches
This saves you hours of work.
3. Much Faster Than Manual Work
Using recon-ng → results in minutes
Doing manually → results take hours
It helps security teams and bug bounty hunters work much faster.
4. Better Results for Bug Bounty
Using multiple modules like:
crtsh
bing
securitytrails
Gives more complete results than using just one tool.
5. Easy to Learn
Recon-ng uses a simple structure:
search → install → load → set options → run → show results
Because of this, beginners learn it faster than many other tools.
6. Helpful for Students
No need to worry about installing all modules
No “module not found” errors
Easy to use for lab work
This improves learning success.
7. Always Growing
Continuously adds new modules
Has new modules for the latest features:
searching a social profile
checking for GitHub data
cloud-related discoveries
New tools are always included without extra work.
What Recon-ng Marketplace Really Does
1. It Works Like an App Store
The recon-ng marketplace is an app store for recon-ng.
You can search modules → marketplace search
Install modules → marketplace install
Update modules → marketplace refresh
Remove modules → marketplace remove
No need to manually download anything. No need to set up Python.
2. Each Module Does One Specific Job
Each module is made to do one single job. For example:
crtsh → finds subdomains
whois_pocs → finds emails and contacts
shodan_hostname → finds device and server details
haveibeenpwned → checks for breached data
All results get stored in one database. So, they’re connected.
3. Main Commands You Need
These commands control everything:
marketplace help – tells you how to use commands
marketplace search – search for modules
marketplace install – install module
marketplace install all – install everything
marketplace refresh – update modules
marketplace remove – delete modules
marketplace info – module info
Now you know these main commands, you can use the whole tool.
4. All Tools Work Together Automatically
Unlike other tools, recon-ng combines everything:
Subdomains – become targets for next module
Hosts – provide contact information
Data – use it straight away in the report
No need to copy-paste between tools
5. Easy Installation Process
When you install a module:
It downloads automatically
Installs required files
Becomes ready to use instantly
Then you just:
load module
set target
run
Results are saved automatically.
6. Organized into Categories
Modules are organized into categories:
Recon/ → collect information
Discovery/ → find hidden data
Import/ → add external data
Exploitation/ → check vulnerabilities
Reporting/ → create reports
This is following the same steps as a real security testing process.
7 Recon-ng Marketplace Commands
Command 1: marketplace help
Displays all the available marketplace commands
Helps understand how to use each command
Try this first if you are unsure. No need to look it up on the internet.
Command 2: marketplace search
Searches modules quickly
Examples:
marketplace search whois → lists contact information modules
marketplace search shodan → lists device information modules
marketplace search crtsh → lists subdomain information tools
Also shows the module name, version, and status.
Command 3: marketplace install
Example:
marketplace install recon/domains-hosts/crtsh
Downloads the module
Installs required files automatically
Makes it ready to use
No need to manually install anything.
Command 4: marketplace install all
Installs all modules at once
Saves time
Avoids missing module errors
Best for beginners and labs.
Command 5: marketplace refresh
Updates the list of modules
Finds new and updated modules
Run this often to stay updated.
Command 6: marketplace remove
Deletes unwanted modules
Keeps the system clean
Run this after training.
Command 7: marketplace info
Example:
marketplace info recon/exploitation/vuln_detector
Helps avoid errors like ‘no results’.
| Command | Purpose | Example Input | Expected Output |
|---|---|---|---|
| marketplace search subdomain | Module discovery | subdomain | 18 modules listed |
| marketplace install recon/domains-hosts/crtsh | Targeted install | crtsh path | Module installed successfully |
| marketplace install all | Complete arsenal | – | 218 modules deployed |
| marketplace refresh | Live sync | – | Metadata updated |
| marketplace info recon/contacts-contacts/haveibeenpwned | Requirements | hibp path | API keys + options listed |
5 Recon-ng Module Categories Decoded
1. Recon Modules (Main Category)
This category has the maximum number of modules.
This category is used for collecting information such as:
Subdomains (information using crtsh, Shodan, Bing)
Contact information (email, name using WHOIS, PGP, email tools)
Host information (location, ASN, device information)
In simple words:
This category is for collecting maximum information from public sources.
2. Discovery Modules
These modules perform active discovery and scanning.
These modules are helpful for:
Discovering hidden information (files such as robots.txt, backup information)
Discovering information using search engines (Google, Bing, GitHub)
Discovering location information for servers
In simple words:
These modules are for discovering hidden information.
3. Import Modules
The above modules will help you use external sources for data.
Example of use cases for the above modules:
Import domains
Import IPs
Import credentials
In simpler words, you will be able to use your own data and proceed with that.
4. Exploitation Modules
The above modules will help you identify common vulnerabilities.
It will help you:
Detect domain takeover issues
Identify CMS and admin panels
Important:
Use this when you are authorized.
5. Reporting Modules
The modules assist in report creation.
Data export formats:
CSV (for Excel)
HTML (for web report)
JSON (for API)
XML (for security tools)
In simple words: The modules assist in report creation on the results obtained.
Simple Summary
Recon-ng has five main modules:
Recon: Information gathering
Discovery: Discovery of hidden information
Import: Importing
Exploitation: Exploitation
Reporting: Report creation
And that’s it! With these five modules, recon-ng is a complete package for recon
| Category | Module Count | Primary Intelligence | API Dependency |
|---|---|---|---|
| recon/domains-hosts | 28 | Subdomain enumeration | 43% require APIs |
| recon/domains-contacts | 19 | Employee intelligence | 21% require APIs |
| recon/hosts-hosts | 24 | Infrastructure mapping | 67% require APIs |
| discovery/search_engines | 15 | Asset discovery | 13% require APIs |
| reporting/* | 13 | Professional deliverables | 0% require APIs |
Real Recon-ng Marketplace Success Stories
1. Bug Bounty Hunter Finds Tesla Subdomains
Jake used recon-ng to scan tesla.com:
Installed module: crtsh
Set Target and Ran Scan
He discovered several subdomains of tesla.com:
staging.tesla.com
api-v2.tesla.com
internal-dev.tesla.com
This helped Jake earn a bounty by discovering a vulnerability.
2. Security Analyst Investigates Phishing
Sarah used recon-ng to investigate a phishing attack:
Used the WHOIS module and Bing Search module
She discovered:
Multiple attacker domains
Employee contact information
Exposure of attacker admin panel
This helped the company understand and mitigate the attack.
3. Student Builds Cybersecurity Portfolio
Priya employed recon-ng for learning:
All modules were installed
The tool was tested on a safe domain – scanme.nmap.org
She also created a professional report, which was shared online. This helped her gain more recruiters and interviews.
4. Red Team Operator Maps Company Assets
Mike employed recon-ng before a security test:
Shodan + geolocation modules were employed
He was able to:
Devices were identified at different office locations
Admin portals were also identified
5. OSINT Investigator Tracks Cybercriminal
Alex employed recon-ng for learning leaked data:
Data was imported
Modules were employed for finding emails and profiles
He was able to build a full profile of a suspect and share it with authorities (in a simulated scenario).
6. DevOps Engineer Audits Infrastructure
Raj used recon-ng for company audit:
Scanned IP addresses and cloud services
He found:
unused servers
test environments
infrastructure issues
This helped improve security and create reports for management.
Simple Summary
Recon-ng is used in many real situations such as:
Bug bounty hunting
Cybersecurity analysis
Learning and portfolio building
Red teaming
Investigations
Infrastructure audits
It helps collect useful information quickly and effectively
Single Module Install: Exact Steps
Step 1: Start recon-ng
Open terminal and type: recon-ng
You will see something like: [recon-ng][default] >
Create a workspace to keep your data separate:
workspaces create targetname
Step 2: Search for a Module
Run: marketplace search whois
You will see a list of modules
Choose:
recon/domains-contacts/whois_pocs
Copy the full name carefully (no spelling mistakes).
Step 3: Install the Module
Run:
marketplace install recon/domains-contacts/whois_pocs
The module will download and install automatically with all required files.
Step 4: Load and Check Module
Load the module:
modules load recon/domains_contacts/whois_pocs
Check the requirements:
show options
Note that the SOURCE (domain to scan) is a required option.
No API key is required for this module.
Step 5: Set Target and Run
Set the target:
options set SOURCE scanme.nmap.org
Verify the options:
show options
Run the module:
run
Note that the information will be gathered and saved automatically.
Step 6: View Results
View the results:
show contacts
Go back:
back
Note the emails, names, and organizations found.
Bulk Install: Install 200+ Modules in an Instant
1. Install All Recon-ng Modules at Once
You may install all Recon-ng modules with a command:
marketplace install all
This command installs all modules such as:
crtsh (subdomain finder)
shodan_hostname (device information)
whois_pocs (contacts)
bing_domain_web
haveibeenpwned
securitytrails
netcraft
…200+ modules!
All modules are installed automatically in a few minutes.
2. What Is Going On During Installation?
During installation, you may see modules being installed such as:
Recon modules
Discovery modules
Import modules
Exploitation modules
Reporting modules
…all modules!
All modules are installed step by step with dependencies automatically!
3. Check After Installation
After installing, check by typing:
modules search
You can also check individual modules:
modules search shodan
modules search crtsh
This ensures that all modules are available for use.
4. Why Bulk Install is Useful
For Beginners: No confusion. All set to go!
For CTF Players: All tools available before competition!
For Teachers: Same setup on all machines!
Saves time and effort.
5. Remove Unused Modules
After learning, you may want to delete unused modules:
marketplace remove <module_name>
Keep only important ones:
crtsh
whois_pocs
shodan_hostname
bing_domain_web
haveibeenpwned
6. Best Setup Method
Kali Linux Install
Run: marketplace install all
Start learning right away
No dependencies to worry about. No modules missing.
Simple Summary
Just one command to install everything
All modules work right away
Ideal for beginners and experts
Can remove modules you do not need
This gives you a full recon-ng installation right away
API Keys: Unlock the Power of Recon-ng (Easy Language)
1. What are API keys and their importance?
There are certain recon-ng modules that require API keys to operate effectively.
API keys provide a connection to powerful online tools such as:
Shodan: Device search engine
HaveIBeenPwned: Provides information on recent data breaches
Hunter: Email finder tool
VirusTotal: Scans files and domains
SecurityTrails: Provides DNS information
Netcraft: Provides information on websites
By providing API keys, you can gather much more information.
2. How to add API keys
Example command:
keys add shodan_api YOUR_API_KEY
API keys are stored securely within the recon-ng database
To list the API keys:
keys list
To check if a module needs an API key:
modules info <module_name>
3. Are free API keys enough?
Yes, for most beginners:
Shodan → limited monthly credits
HaveIBeenPwned → free lookups
VirusTotal → daily limit
Hunter.io → limited searches
SecurityTrails → daily limit
These are enough for learning and small projects.
4. Different modules need different keys
Examples:
Shodan module → needs shodan_api
HaveIBeenPwned module → needs hibp_api
SecurityTrails module → needs securitytrails_api
Use modules info to check before running.
5. Keep your API keys safe
Remove keys when not needed:
keys remove shodan_api
Don’t share your keys
Don’t upload your recon-ng database online
This keeps your accounts secure.
6. Simple workflow to use API keys
Register on the service website
Get your API key
Add key in recon-ng
Install related modules
Run modules and get results
This will help you get better and accurate results.
Simple Summary
API keys make recon-ng powerful.
Adding keys means you get more results
Free plans available
Keep them safe
Always check modules
With API keys, recon-ng is smarter and faster. It makes recon faster.
Recon-ng Best Practices
1. Always Follow Legal Rules
Only scan:
Your own websites, OR
Targets where you have permission (like bug bounty programs: HackerOne, Bugcrowd, Intigriti)
You can also practice on safe labs like:
scanme.nmap.org
hackthissite.org Always take permission before running any command.
2. Start with Passive Recon (Safe Method)
recon/ modules → use only public data (safe, no contact with target)
discovery/ modules → may send small requests
exploitation/ modules → use only when fully authorized Always start with passive methods first.
3. Use Separate Workspaces
Create a workspace for each target:
workspaces create client1
This keeps data separate and organized
Delete workspace after work:
workspaces delete client1 This prevents mixing data and keeps things clean.
4. Respect Rate Limits
APIs have limits on how many requests you can send
If you go too fast:
You might get blocked
Best Practice
Wait for a while before heavy scans
Use a VPN if you need it
5. Manage Data Properly
Always export results
reporting csv intel.csv
Delete workspace when done This ensures data is secure and not stored for too long
6. Use a Clean Lab Environment
Use Kali Linux VM for practice
Modules installation
marketplace install all
After training
Delete/reset VM This ensures a clean and secure environment
Recon-ng Universal Workflow
Follow this same step-by-step process for almost every module in recon-ng:
Launch recon-ng
Start the framework.
Create Workspace (Target Isolation)workspaces create <name>
Keeps your data organized and separate.
Search for Modulemarketplace search <keyword>
Find the module you need.
Install Modulemarketplace install <module_path>
Download and set up the module.
Load Modulemodules load <module_path>
Activate the module.
Check Requirementsshow options
See what inputs (like API keys or domain) are required.
Set Target/Inputoptions set SOURCE <target>
Provide the domain or data source.
Run Modulerun
Execute the module.
View Resultsshow <table>
Check the collected data (e.g., contacts, hosts).
Export Resultsreporting csv <file_path>
Save results for later use.
Key Idea
This same pattern works for all modules.
Once you learn it, you can use any of the 200+ modules easily
| Step | Command | Purpose | Lab Example |
|---|---|---|---|
| 1 | recon-ng | Framework launch | [recon-ng][default] > |
| 2 | workspaces create target | Project isolation | [recon-ng][target] > |
| 3 | marketplace search crtsh | Module discovery | recon/domains-hosts/crtsh |
| 4 | marketplace install recon/domains-hosts/crtsh | Module deployment | Module installed successfully |
| 5 | modules load recon/domains-hosts/crtsh | Module activation | [crtsh] > |
| 6 | show options | Requirements audit | SOURCE required |
| 7 | options set SOURCE tesla.com | Target configuration | SOURCE => tesla.com |
| 8 | run | Intelligence collection | 847 hosts added |
| 9 | show hosts | Results verification | Subdomain inventory |
| 10 | reporting csv intel.csv | Professional export | CSV deliverable created |
Recon-ng Production Command Suite (Clean Format)
These are important commands used during real-world usage:
Core Commands
info→ View module documentation and detailsback→ Exit the current moduleexit→ Close the recon-ng framework
API & Configuration
keys list→ Check all added API keys
Data & Structure
show schema→ View database structure (18 tables)modules count→ Check total number of installed modules
Workspace Management
workspaces list→ View all available workspaces (projects)
Pro Tip
Use Tab key (auto-completion) to:
complete commands faster
avoid typing errors
This can make your work much faster and smoother
5-Minute Recon-ng Quickstart
Minute 1 (0:00 – 0:59) – Setup and Install First Module
Open recon-ng
workspaces create quickstart
marketplace search whois
marketplace install recon/domains_contacts/whois_pocs
You now have a “WHOIS” module installed and ready to collect basic information on a domain (we’ll use it to practice on “scanme.nmap.org”).
Minute 2 (1:00 – 1:59) – Run First Scan
modules load recon/domains_contacts/whois_pocs
show options
options set SOURCE scanme.nmap.org
run
show contacts
You should see emails, names, and organizations associated with the domain. This is a basic example of passive data collection.
Minute 3 (2:00 – 2:59) – Install Subdomain Module
back
marketplace search crtsh
marketplace install recon/domains_hosts/crtsh
modules load recon/domains_hosts/crtsh
This module will allow us to find subdomains of a given domain.
Minute 4 (3:00-3:59) – Find Subdomains
Set target: set options set SOURCE scanme.nmap.org
Run: run
View results: show hosts
Now you will see the subdomains of the target.
You now understand the process flow:
contacts → subdomains (step-by-step intelligence gathering)
Minute 5 (4:00-4:59) – Export Results
Export results: reporting csv /tmp/quickstart.csv
Check database: show schema
Exit: exit
Now you have a file with results, and you have completed a whole basic recon process.
Recon-ng Errors – Simple Fix Guide
“No such module” Error
This means the modules list is not updated.
Fix:
Execute the following: marketplace refresh
Then try the search again: marketplace search keyword
If still not fixed, try this:sudo apt reinstall recon-ng
Module shows no results
This usually means one of the two things:
API key is missing (like Shodan, HIBP)
Target has no public information
Fix:
Try running info to check the requirements
Add the required API keys (like Shodan, HIBP)
Try running a scan on scanme.nmap.org
Dependency errors (module not working properly)
Sometimes required libraries are missing.
Fix:
sudo apt install python3-pip
pip3 install -r /usr/share/recon-ng/requirements.txt
This installs missing packages like:
lxml
cryptography
psycopg2
Rate limit error (API limit exceeded)
Sometimes API allows a certain number of requests.
Fix:
Wait for some time (usually 1 hour)
Use a different API key or account
Use VPN if needed
Database locked error
It is caused by the presence of more than one process that wants to access the database.
Fix:
Stop all recon-ng sessions
Stop the background process by typing the following in the terminal:
ps aux | grep recon-ng
Delete the database file (back up the file before doing this):
rm ~/.recon-ng/recon-ng.db
Network / connection error
It is caused by the failure of the program to connect to the internet.
Fix:
Check the internet connection by typing the following in the terminal:
ping github.com
If the internet connection is via a proxy
Simple FAQ: Recon-ng Marketplace
1. What is the recon-ng marketplace?
It is an app store inside recon-ng.
You can find, install, update, and remove tools (modules) directly from the terminal without downloading anything manually.
2. Do I need coding knowledge to use it?
No.
You just need to use basic commands like:
install module
load module
set options
run
No coding is required.
3. What modules are available?
There are 200+ modules for things like:
finding information (recon)
importing information
generating reports
You can search and see all modules inside the tool.
4. Can I install all modules at once?
Yes.
You can use the following command:
marketplace install all
This installs all modules in a few minutes and uses very little storage.
5. What if a module does not show any result?
Most likely it is because:
API key is missing
the target has no public information
You can use the info command to check the requirements.
6. Is it safe to use in real environments?
Yes, but only on authorized targets.
Some modules don’t touch the target (passive), but always take permission before using.
7. How do updates work?
Just run:
marketplace refresh
It updates modules automatically. No manual work needed.
8. Does it work on Windows?
Yes, if Python 3.10+ is installed.
But it works best on Kali Linux or inside Docker.
9. How to install it on Kali Linux?
Run:
sudo apt install recon-ng
Then install modules using the marketplace.
10. How to add API keys?
Example:
keys add shodan YOUR_API_KEY
Keys are stored safely, and modules use them automatically.
11. Can I remove modules later?
Yes.
Use:
marketplace remove <module_name>
This keeps only useful modules.
12. Is it easy to learn?
Yes.
Basic workflow:
Load module
Set target
Run
Learning the basics will only take a few minutes.
13. How is data stored?
All results are stored in a local database (SQLite).
14. Is it legal to use?
Only if:
You own the target, or
You have permission (like in bug bounty programs)
Otherwise, it is illegal.
15. Why use marketplace instead of GitHub?
Marketplace:
installs all dependencies automatically
prevents user error
is much easier
16. Can I export results?
Yes.
You can export results in:
CSV
HTML
JSON
XML
17. What are workspaces?
Workspaces help to keep data separate.
Example:
client1 data
client2 data
This ensures results do not get mixed.
18. Are free API keys enough?
Yes, for learning and small projects.
For large projects, paid plans may be required.
19. Does it connect data automatically?
Yes.
It connects:
domains
hosts
contacts
All of these get connected automatically.
20. Can I use recon-ng behind a proxy?
Yes.
Example:
recon-ng --proxy http://proxy:8080
Final Summary
Recon-ng marketplace is a beginner-friendly tool that makes it very easy to install and use various reconnaissance tools without needing to write code. It is a powerful tool and should be used in a legal and ethical manner.
Stay Connected with Coding Journey
Friends,
I’ve started Coding Journey to share tech knowledge, cybersecurity awareness, digital marketing tips, and practical tutorials to help everyone grow safely in the digital world.
If you find value in learning about: Linux & Cybersecurity Digital Marketing & SEO Online safety & scam awareness Practical tech guides
I’d really appreciate your support and follow
Official Website & Blog https://codingjourney.co.in https://codingjourney1983.blogspot.com
Follow on Social Media Facebook: https://www.facebook.com/people/Coding-journey/61585197473575/ LinkedIn: https://www.linkedin.com/in/sunil-kumar-tiwari-07b8b466 X (Twitter): https://x.com/suniltiwari4509 Instagram: https://www.instagram.com/coding9529/ Pinterest: https://in.pinterest.com/codingjourney1983/ Quora: https://www.quora.com/profile/Sunil-4966 Medium: https://medium.com/@codingjourney1983
Your one follow, like, or share really motivates me to create more helpful content
Thank you for supporting Coding Journey
Let’s learn, grow, and stay secure together.
