Reconnaissance with Recon-ng

Intro to Recon-ng

Reconnaissance is the first and arguably the most critical phase of any penetration test. It is the first step of the Attacker’s Methodology, and depending on how it is done will define how the test proceeds. This information gathering phase can be done countless different ways, but if it is not done correctly, you end up with very limited information and visibility to your target. Every pentester has their own style and approach to recon, and some do it better than others. One problem with recon, however, is that it takes a long time to do it right. To perform my recon work, I use a very powerful framework called Recon-ng, written by Tim Tomes. The team who maintains this tool have a personal BitBucket where you can take a look at recon-ng on the source-level.

This tool is modular and highly functional. Where Recon-ng really shines is how flexible it can be, as the framework provides all of the necessary interactions between APIs and web scraping tools and compiles it all into a verbose database. The information gathered through recon-ng is all pulled from public and private sources, allows you to import raw data into the database with very simple SQL-like syntax, perform analysis on each data type, and create relationships between this data in order to gather a massive amount of information on your target in relatively short order.

This five part series will go over the modules that I use personally, as well as highlight the functionality of this tool in order to be of benefit to penetration testers who struggle with information gathering and balk at the idea of having to do things manually. After discovering recon-ng, I have grown to love the tool and am frequently working on developing my own modules for it in order to further improve and add to its incredible set of features. I’ll leave it up to the code-warriors among you to decide what you want to do with this tool, but being that it is readily open-source and easy to work with, add plugins to, or even fork your own version.

Recon-ng Fundamentals

As I mentioned, recon-ng uses plugins and modules to make it easy to add your own tools and functions to the framework. Recon-ng is included in the Kali repository and is actively maintained by LaNMaSteR53. While I disapprove of his camel-cased name, I must say how impressive the tool is in every aspect.

The first thing you will probably notice about recon-ng after starting it up and typing the command “help” is that it interacts suspiciously similar to a certain special exploitation framework. *cough*metasploit*cough* This should make working with the tool very easy and familiar to experienced pentesters.

recon-ng banner

The first thing I do when running up a recon-ng session is I create a new workspace to save my work in. Because of recon-ng’s design, each workspace saves its database separately from every other one, so it is easy to keep your work segregated between engagements, clean up and delete the information when it is no longer needed.  When you first add a workspace, you will immediately receive a warning (if you haven’t already) that you are missing a ton of API keys and be greeted with a scary-looking wall of red text. For the moment, don’t worry about that, as we will get to the API functionality later on in the series, just know that most of the tool is reliant on external APIs and public sources, so some of the more powerful modules will not work right out of the starting gate.

Next, it is time to decide on your target. I normally do this by adding their domain name because that is the easiest thing to do and is probably the first piece of information you’ll have on your target. Let’s try Microsoft as an example.

As you can see, adding domains (or any piece of information) to your workspace database is very simple, and pretty much plug-and-play. At this point, I’d like to point out that recon-ng fully supports tab auto-complete for all of its contexts, so if you have a rough idea what you’re looking for, you can usually tab auto-complete anything you want.

You’ll notice I used the show command to display the domains in my database. Let’s try just the show-command with tab autocomplete

Nice! The show command works exactly as it does within metasploit, and you can easily parse through any piece of information in your database. Since our database is actually pretty bare (we only have one domain) we need to go out and grab some information. When you run the command “show modules” you will get a list of every module within recon-ng (hint hint: it’s a lot!).

Recon’s modules are organized by the following naming convention:


Let’s try to use recon/domains-contacts/whois_pocs to grab some information on the target.

Before we do anything, we should use the show info command to determine if there are any parameters we need to set, as well as get some information about the module itself.

If you look, you can see the description of the module which explains the purpose of the module, and just below that, you can see what options you need to set. As you can see here, the SOURCE option is already set for you with a default value which operates in a SQL-esque syntax. Most of these options will be set up for you. It is rare that you would ever really need to change the default options, but you can extend the power of recon-ng much farther if you know how to use it properly. We can get into the advanced use cases of why you would want to do this later in the series, but for now, let’s just run our module and get that juicy whois data.

whois output

After about five minutes, recon-ng was able to pull down a pretty sizeable chunk of data. Although most of the output is fabricated by Microsoft, this shows how quickly and effectively Recon-ng pulls and parses data into its database. The best part of these tools is that the database builts upon itself. The different modules, if run in the correct order, will yield a vast amount of data in an extremely short amount of time. In part 2, we will cover more specific and useful modules and what order to use them to get the most bang for your buck.

This is enough information to get you started operating on different engagements with recon-ng, and like most tools, it just takes practice getting used to it. Recon-ng uses primarily passive analysis tools for all of its information gathering, and none of these tools are invasive or destructive, so it is safe to use Recon-ng and its DEFAULT modules against practically any organization. The only consideration that should be made is that companies do not typically appreciate having their information scraped off the internet. As a courtesy, consider the impact you are having on others when using tools and as always, never use the information you gather for malicious purposes or misuse it in any way which breaks the law. Do no harm, and all that. As the tester, you bear the full responsibility of your actions. Consider this my disclaimer 😉

I hope you enjoyed the first of what will hope to be a comprehensive tutorial series on the use of Recon-ng. Happy hacking!


True Demon

True Demon

Information Security Research Analyst at SecureState
Research Analyst, Penetration Tester, Forensic Analyst, and lover of the electron and the switch.
True Demon

Latest posts by True Demon (see all)