
Recon-ng Tutorial: Build a Hacker’s Search Engine with OSINT Automation (Ethical, Hands-On Guide)

Before the first packet flies, smart hackers and security pros do one thing very well: reconnaissance. When you know the terrain—domains, subdomains, emails, hosts, tech stacks—you reduce guesswork and increase signal. Recon-ng turns that tedious discovery work into a fast, automated system that feels like building your own hacker-style search engine.

If you’ve ever wished your recon could be consistent, repeatable, and organized, you’re in the right place. In this tutorial, you’ll learn how to set up Recon-ng in Kali Linux, how its workspaces and modules fit together, how to add API keys, and how to orchestrate automated OSINT collection for domains, emails, and hosts. We’ll also walk through real-world examples, plus practical tips to stay ethical and legal.

Here’s why that matters: Accurate recon de-risks engagements, cuts false positives, and helps you focus your energy where it counts.

Let’s dive in.

What Is Recon-ng? The OSINT Framework That Automates Discovery

Recon-ng is a modular, command-line framework for open-source intelligence (OSINT). It ships with Kali Linux and gives you a structured way to gather public data from dozens of sources—search engines, certificate logs, DNS data, breach data services, and more.

Think of it like Lego for OSINT:

  • Workspaces are your projects.
  • Modules are your building blocks (each module queries a source or transforms data).
  • A central database stores everything.
  • API keys plug you into premium data sources.

Recon-ng’s payoff is speed and repeatability. You can build a pipeline once, then run it every time you start a new assessment.

Authoritative sources to explore:

  • Recon-ng on Kali Tools: kali.org/tools/recon-ng
  • Official repository and docs: github.com/lanmaster53/recon-ng
  • OSINT Framework (for broader context): osintframework.com

Start with Ethics and Scope (Non-Negotiable)

Recon is powerful. Used carelessly, it can cross legal or ethical lines. Keep it clean:

  • Only test assets you own or have explicit written permission to assess.
  • Follow program rules on bug bounty platforms like HackerOne’s disclosure guidelines and Bugcrowd’s responsible disclosure.
  • Respect rate limits and terms of service for APIs you use.
  • Document consent and scope; log your actions.
  • Avoid collecting, storing, or sharing personal data without a lawful basis.

If you’re practicing, use reserved domains such as example.com or example.org (see IANA reserved names). Let me be clear: this guide is for ethical, authorized security work and education only.

Install and Launch Recon-ng on Kali Linux

If you’re on a current Kali image, Recon-ng is typically included. If not, it’s easy to add.

Steps:

  1. Update your package index: sudo apt update
  2. Install Recon-ng if needed: sudo apt install recon-ng
  3. Launch the console: recon-ng
  4. Check version and environment with help and show info

You’ll land in a familiar, Metasploit-style interface. That’s by design—it keeps complex workflows simple.

If you prefer source installation or want the latest updates, consult the official repo: github.com/lanmaster53/recon-ng

Recon-ng Core Concepts: The Building Blocks

Before you run modules, get comfortable with the model.

  • Workspaces: Separate projects that isolate data and settings. You can switch between clients or investigations without mixing results.
  • Modules: Pluggable tasks that collect or transform data. Categories include domains, hosts, contacts, and vulnerabilities. Some modules hit public endpoints; others use API keys for deeper data.
  • Keys: API credentials for providers like Shodan, SecurityTrails, VirusTotal, Have I Been Pwned, and more. You add them once, and modules that need them will use them automatically.
  • Data Store: Recon-ng writes results to a local database. You can query, export, and pivot from prior results without re-running modules.
  • Marketplace: Where you search and install modules. It’s like an app store for OSINT.
  • Sources and Pivots: Many modules take a generic source (e.g., a domain) and output discoveries (subdomains, hosts, emails) that then feed the next module.

Once you see how data flows from one module to the next, Recon-ng clicks.

Set Up Your First Project (Safe, Repeatable Workflow)

We’ll walk through a clean flow. Use a domain you own or a reserved example domain.

Create a Workspace

  • Start Recon-ng: recon-ng
  • Create or load a workspace: workspaces create my_first_recon or workspaces load my_first_recon
  • Confirm it’s active: workspaces list

Why it matters: Workspaces prevent cross-contamination between projects and preserve audit trails.

Add a Target Domain

  • Seed the database with your initial scope. Add your domain as the source.
  • In many modules, the SOURCE option sets the domain you’re investigating. Use a placeholder during practice, e.g., example.com.

Tip: Stick to a single domain at first. You can widen later (e.g., include multiple TLDs or known subsidiaries) once your workflow is stable.

Choose and Install Modules

Recon-ng’s marketplace lets you search for what you need:

  • Search: marketplace search domain or marketplace search hosts
  • Install: marketplace install <module_name>
  • See what’s available: marketplace search (broad list)

Common categories you’ll likely use:

  • Domains-to-hosts: subdomain enumeration from cert logs, search engines, or APIs.
  • Hosts-to-IPs: resolve discovered names to IP addresses.
  • Domains-to-contacts: email discovery from WHOIS or public sources.
  • Hosts-to-technologies: fingerprint tech stacks via headers or certificate metadata.

Because module names and availability change over time, rely on marketplace search and the module’s built-in info screen to confirm options and requirements.

Add API Keys (Optional but Powerful)

Many high-value modules require API keys. Examples:

  • Shodan: internet-exposed assets (shodan.io)
  • VirusTotal: passive DNS, file and URL intelligence (virustotal.com)
  • SecurityTrails: DNS history and infra mapping (securitytrails.com)
  • Have I Been Pwned: breach data lookups (haveibeenpwned.com)

In Recon-ng, you add keys once:

  • Use keys add <provider> <key>
  • Verify with keys list

Note: Always comply with each provider’s terms and rate limits. Abuse can get you blocked fast.

Run Modules in a Logical Order

Good recon is about sequence. You start broad, then go deep where the signal is.

A common flow:

  1. Domain enrichment: enumerate subdomains from multiple sources.
  2. Host resolution: convert hostnames to IPs; deduplicate.
  3. Certificate and web data: inspect SSL SANs, headers, robots.txt, sitemap entries.
  4. Contact discovery: collect emails found in WHOIS or public pages (use responsibly).
  5. Pivot: new domains, additional hosts, or related organizations discovered in steps 1–4.

Each module follows the same three-step command pattern:

  • use <module_path>
  • options set SOURCE example.com
  • run

After each run, check:

  • show hosts, show domains, show contacts to see stored results.
  • Export data to a CSV for reporting.

Reminder: Keep your scope tight. Don’t creep into unrelated domains or personal identifiers unless explicitly authorized and necessary.

Review Results and Pivot Intelligently

Recon-ng shines when you pivot methodically:

  • Found a subdomain on a different TLD? Add it as a new source for the next round.
  • Found emails for your own corporate domain? Use them to test email security posture (with permission), not to harass or spam.
  • Resolved hosts to IPs that sit in a cloud provider? Consider whether those IP ranges are in-scope before proceeding.

The goal is not to collect everything. The goal is to collect the right things for your engagement.

Automate Your OSINT Like a Search Engine

Here’s where Recon-ng turns into a personal OSINT machine.

  • Build repeatable pipelines: Decide your standard module order for every engagement (e.g., enumerate subdomains via cert logs, resolve to IPs, fingerprint). Then run that same pipeline per workspace.
  • Use resource scripts: Recon-ng supports scripted command sequences to reduce keystrokes and human error. Capture your typical workflow into a simple text file and execute it on new workspaces.
  • Make exports a habit: Export hosts, domains, and contacts to CSV or JSON after each major step. It helps with reporting and saves time if you need to re-run later.
  • Schedule runs thoughtfully: If you’re monitoring your own assets over time, run your pipeline on a schedule and diff results. New subdomains or tech changes often signal shadow IT or configuration drift.

This is how you turn scattered data into living intelligence.
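The scheduled-run-and-diff habit from the list above, as an added example (not code from the original post or from the Recon-ng project): two constructed CSV exports of the hosts table are normalized, deduplicated, filtered to the scoped domain, and compared so new, vanished, and re-pointed hosts stand out. The column names `host` and `ip_address` and all sample rows are assumptions chosen for the example.

```python
import csv
import io

# Constructed sample CSV exports (not real Recon-ng output): two snapshots of
# the hosts table taken after consecutive pipeline runs on the same workspace.
BASELINE_CSV = """host,ip_address
www.example.com,203.0.113.1
WWW.example.com,203.0.113.1
mail.example.com,
dev.example.com.,203.0.113.10
"""

CURRENT_CSV = """host,ip_address
www.example.com,203.0.113.1
mail.example.com,198.51.100.5
staging.example.com,203.0.113.22
cdn.example-partner.net,192.0.2.7
"""


def normalize_host(name):
    """Lowercase, trim, and drop a trailing dot so duplicates collapse."""
    return name.strip().lower().rstrip(".")


def load_hosts(csv_text, scope_suffix):
    """Parse an export into {host: set(ips)}, keeping only in-scope names.

    Rows whose host is neither the scoped domain nor one of its subdomains are
    dropped, so a widened feed never leaks out-of-scope names into the inventory.
    """
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = normalize_host(row["host"])
        if host != scope_suffix and not host.endswith("." + scope_suffix):
            continue
        ips = hosts.setdefault(host, set())
        if row.get("ip_address"):
            ips.add(row["ip_address"].strip())
    return hosts


def diff_snapshots(old, new):
    """Report hosts that appeared, disappeared, or changed IPs between runs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {h: (old[h], new[h]) for h in set(old) & set(new) if old[h] != new[h]}
    return added, removed, changed


if __name__ == "__main__":
    base = load_hosts(BASELINE_CSV, "example.com")
    cur = load_hosts(CURRENT_CSV, "example.com")
    added, removed, changed = diff_snapshots(base, cur)
    print("new hosts:", added)  # candidates for a shadow-IT review
    print("gone hosts:", removed)
    print("ip changes:", changed)
```

Pointed at real exports from two dated runs, the same three functions give you the "what changed since last time" view that makes a monitoring pipeline worth scheduling.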

Real-World Use Cases (Defensive and Authorized)

Let’s anchor this in reality. Below are practical, ethical scenarios.

1) Pre-Engagement Pentest Recon

  • Objective: Build a clean asset inventory for scoping and attack surface mapping.
  • Approach: Enumerate subdomains, resolve to IPs, fingerprint tech stacks. Export as a starting appendix for your report.
  • Why it helps: Reduces scope misses; you avoid testing the wrong thing or overlooking an exposed, out-of-date asset.

2) Brand and Impersonation Monitoring

  • Objective: Detect lookalike domains and phishing infrastructure targeting your org.
  • Approach: Track cert logs and passive DNS for new domains similar to your brand. Flag risky strings or suspicious hosts.
  • Why it helps: Early warnings enable faster takedowns and user alerts.

3) Incident Response Enrichment

  • Objective: Accelerate triage with context on suspicious hosts, domains, or emails.
  • Approach: Feed IOCs into Recon-ng to pull historical DNS, SSL info, and related hosts. Use results to inform containment decisions.
  • Why it helps: Cuts investigation time; responders act with more confidence.

4) Third-Party Risk Spot-Checks

  • Objective: Understand a vendor’s public exposure before onboarding or during periodic reviews.
  • Approach: Enumerate externally facing assets and technologies that a vendor publicly exposes (within policy and permission).
  • Why it helps: Informs risk decisions and vendor questionnaires with facts.

Best Practices: Get More Signal, Less Noise

A few lessons that save headaches:

  • Start simple. Two or three high-signal modules beat 20 noisy ones.
  • Document as you go. Capture command sequences, versions, and module settings in your workspace notes.
  • Respect rate limits. Stagger runs and use caching where possible.
  • Deduplicate results. Recon-ng stores data, but you should normalize and dedupe before drawing conclusions.
  • Validate with a second source. Don’t assume one feed is clean. Confirm critical findings via another module or service.
  • Keep a clean chain of custody. Timestamp exports, store them in version control, and protect sensitive data.
  • Mind privacy. Avoid collecting personal data unless it’s essential and in-scope. Follow your org’s data handling policies.

Troubleshooting Common Snags

  • Module not found or failing: Use marketplace search to confirm its name, read info, and install dependencies. Some modules change or get deprecated.
  • Empty results: Check your SOURCE, ensure API keys are set, and verify that the target actually has data in that feed.
  • API errors or throttling: Confirm your key, plan level, and rate limits on the provider’s dashboard. Add delays between runs if necessary.
  • Duplicate entries: Expect overlap across sources. Use Recon-ng’s database views and your own exports to dedupe.
  • Scope creep: If results lead you outside agreed scope, pause. Get written approval before proceeding.

Recon-ng vs. Other OSINT Tools

It’s not about one tool to rule them all. It’s about fit.

  • Recon-ng: Modular, CLI-focused, great for repeatable pipelines and structured exports.
  • Amass: Excellent at DNS enumeration and graphing relationships. Consider running both. github.com/owasp-amass/amass
  • SpiderFoot: Web UI with broad data sources and dashboards; good for visual analysis. spiderfoot.net
  • Maltego: Powerful link analysis and transforms; best for complex relationship mapping. maltego.com

Many teams run Recon-ng alongside Amass and SpiderFoot, then consolidate output in a central notebook or SIEM for analysis.

Recommended Resources and Further Learning

A Sample “First Pipeline” You Can Adapt

Below is a safe, high-level sequence you can tailor to your workspace and scope:

  1. Create a workspace and set your domain as the source.
  2. Install modules for domain-to-host enumeration and certificate transparency lookups.
  3. Add API keys for one or two providers you trust (e.g., SecurityTrails, VirusTotal).
  4. Run subdomain enumeration; resolve to IPs; export hosts.
  5. Fingerprint web servers (headers, titles) to spot tech stacks or misconfigurations.
  6. Optionally, gather contacts from WHOIS for your own domain (respecting privacy and policy).
  7. Export everything to CSV; dedupe; sanity-check with a second tool.
  8. Write down what worked and what didn’t. Turn your steps into a resource script for next time.

Keep the focus on your own assets or authorized test scope. That’s how you stay safe, legal, and useful.

Key Takeaways

  • Recon-ng turns OSINT into a structured, automated workflow. You’ll move faster with fewer mistakes.
  • Workspaces, modules, and API keys are the core pieces. Learn them once; reuse forever.
  • Start small and ethical. Only collect what you need, with permission, and document your process.
  • Combine Recon-ng with other tools to validate and enrich results.

If you found this helpful, explore more practical OSINT guides or subscribe for defensive recon playbooks, tool comparisons, and hands-on workflows you can trust.


FAQ: Recon-ng, OSINT, and Ethical Use

What is Recon-ng used for? – Recon-ng is an OSINT framework that automates gathering public data about domains, hosts, emails, and related infrastructure. It’s used by security professionals for authorized reconnaissance, scoping, and intelligence enrichment.

Is Recon-ng legal to use? – Yes—when used ethically and with permission. You should only target assets you own or have written authorization to assess. Respect API terms and privacy laws.

Does Recon-ng come with Kali Linux? – Yes, Recon-ng is included in most current Kali releases. If it’s missing, install it via sudo apt install recon-ng or use the official GitHub repository.

Do I need API keys to use Recon-ng? – Not always. Some modules use public sources. However, many high-value modules require keys (e.g., Shodan, VirusTotal, SecurityTrails), which improve depth and accuracy.

Can Recon-ng replace Amass, SpiderFoot, or Maltego? – Not entirely. Each tool has strengths. Recon-ng is great for modular, repeatable pipelines; Amass excels at DNS enumeration; SpiderFoot offers dashboards; Maltego shines in relationship mapping. Many teams use them together.

How do I export results from Recon-ng? – Recon-ng stores results in its database. You can use built-in export options or query the data and save to CSV/JSON for reporting. Export early and often for versioning and analysis.

What’s the best module to start with? – Start with domain-to-host (subdomain) enumeration and host resolution modules. They create the base inventory you can build on.

Can I use Recon-ng without Kali Linux? – Yes. It’s a Python-based tool you can run on other Linux distros and even macOS with the right dependencies. Check the official repo for installation guidance.

How do I stay within legal scope during recon? – Get written permission, define scope clearly, log actions, and stick to the plan. For bug bounties, follow the program’s rules and never test off-limits assets. See HackerOne disclosure guidelines and Bugcrowd responsible disclosure.

What should I do if a module returns no results? – Verify your source, ensure API keys are valid, check provider rate limits, and try a second module or data source. Not all domains have rich public data; that’s normal.

How do I learn more about OSINT sources? – Start with the curated OSINT Framework and the documentation of providers like Shodan and VirusTotal. Experiment, document what works, and build your own playbook over time.


I would love some feedback on my writing, so if you have any, please don’t hesitate to leave a comment here or on any platform that is convenient for you.

For more on tech and other topics, explore InnoVirtuoso.com anytime. Subscribe to my newsletter and join our growing community—we’ll create something magical together. I promise, it’ll never be boring! 


Thank you all—wishing you an amazing day ahead!
