
recon-ng – Web Reconnaissance Framework (part 1)

In the first part of this 2-part article we examine recon-ng, a Web Reconnaissance Framework. It is an intelligence gathering tool aimed at reducing the time spent harvesting information.

In a previous article, Network Scanning Tools (part 2), we briefly covered recon-ng, which is described as:

… a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.


Another description is that recon-ng is an:

Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.


Below are some of the main features of recon-ng:

  • Database Interaction – provides an interface to the underlying database using SQL (Structured Query Language). This includes a graphical representation of the schema.
  • Recording Commands – a series of commands can be recorded to a file and then executed repeatedly.
  • Configuration Persistence – settings for modules are stored locally per workspace and loaded dynamically to avoid repeatedly setting them.
  • Workspaces – help users conduct multiple engagements with each workspace having its own database instance and module settings.
  • Module Marketplace – recon-ng does not include any modules by default, so these need to be searched for, analyzed, installed and, if needed, removed. Modules can also be disabled.
  • Database Snapshots – data obtained during reconnaissance can be backed up and restored to help prevent corruption or unexpected resource behavior.
  • Analysis & Reporting – recon-web is a web interface for analyzing and visualizing data stored in the database. This data can also be exported in a variety of formats.

Further details on these and other features can be found here.

Tool Usage

The synopsis or syntax of recon-ng is as follows:

recon-ng [-h] [-w workspace] [-r filename] [--no-version] [--no-analytics] [--no-marketplace] [--stealth] [--accessible] [--version]

Below are some of the most common command settings:

  • -w workspace
    • load/create a workspace
  • -r filename
    • loads commands from a resource file
  • --no-version
    • disable version check
  • --no-analytics
    • disable analytics reporting
  • --no-marketplace
    • disable remote module management
  • --stealth
    • disable all passive requests
  • --accessible
    • use accessible output when available
  • --version
    • displays the current version

Test Environment

For the purposes of this article we will be using recon-ng v5.1.1 installed on a Kali Linux 2021.2 virtual machine running within VirtualBox 6.1.


1) Initial startup, list commands & run shell commands

When recon-ng is started for the first time, the banner, sponsor, version and author are displayed. Pressing the Tab key twice lists the available command options within the tool:

By issuing the ‘shell’ command it is possible to run Linux commands:

Running the ‘help’ command lists an explanation of each command, and issuing ‘help <topic>’ shows the description and usage of an individual command:

2) Using Workspaces

Issuing the command ‘workspaces’ shows the command description and usage: workspaces can be created, listed, loaded and removed. Running ‘workspaces list’ on a new installation shows that the only workspace that exists is ‘default’:

Below we will create a new workspace called ‘recon-zds’ which will automatically be selected. We then list all workspaces, load ‘default’ and remove ‘recon-zds’:

3) Backups using Snapshots

Workspaces can be backed up and restored using the ‘snapshots’ command. The options available are to list, load, remove and take a snapshot of the workspace data at a specific moment in time. Below are examples that show the command description and options, then take a snapshot, list the snapshots and remove one:
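
The workspace and snapshot steps from sections 2 and 3 can also be replayed from a resource file with the ‘-r’ option. The script below is an added example, not taken from the original article: it writes such a file, checks that it contains only workspace and snapshot commands, and replays it if recon-ng is installed. The function names and the file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): build, check and replay a resource file.
set -eu

# One console command per line, exactly as typed at the recon-ng prompt.
# The workspace name is passed in; 'recon-zds' is the one used in section 2.
write_resource_file() {
    workspace="$1"; outfile="$2"
    cat > "$outfile" <<EOF
workspaces create ${workspace}
workspaces list
snapshots take
snapshots list
workspaces load default
exit
EOF
}

# Review step before replaying a file someone else recorded: allow only
# the workspace and snapshot commands from sections 2 and 3, so a shared
# file cannot load or run a module unnoticed.
check_resource_file() {
    while IFS= read -r line; do
        case "$line" in
            "workspaces "*|"snapshots "*|exit) ;;
            *) echo "unexpected command: $line" >&2; return 1 ;;
        esac
    done < "$1"
}

rc="${TMPDIR:-/tmp}/recon-zds.rc"   # constructed path for this example
write_resource_file recon-zds "$rc"
check_resource_file "$rc"

if command -v recon-ng >/dev/null 2>&1; then
    # -r replays the file; the other two flags are from the list above.
    recon-ng -r "$rc" --no-version --no-analytics
else
    cat "$rc"   # recon-ng not installed: just show what would be replayed
fi
```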

4) Marketplace for Modules

The ‘marketplace’ command is used to search for modules, display information about them, and install or remove them.

Using the ‘marketplace search’ command without a search string lists all the available modules:

A search for modules that match specific criteria can be performed:

Summary details on a particular module can be examined, and the module can then be installed, as follows:

5) Using Modules

Using the ‘modules’ command we can load, reload and search for modules. Once a module is loaded we can view detailed information about it:

Using the ‘options’ command we can list, set and unset individual options for the module:

Once the options have been set, the module can be ‘run’:

In part 2 of this article we will continue to look at recon-ng functionality with further examples.
