Reconnaissance with Recon-ng
1 Global Definition
Recon-ng is an open-source reconnaissance framework, written in Python, designed to automate OSINT collection during penetration testing. Its architecture is modular, allowing testers to add different modules to collect information from various sources such as search engines, social media, DNS databases, and breach repositories. Recon-ng provides a command-line interface similar to Metasploit, but its focus is on passive and active reconnaissance instead of exploitation.
1.1 Key Features
Modular Design
Dozens of plug-and-play modules targeting different OSINT sources.
- Email harvesting modules
- Subdomain and host discovery
- Username and employee profiling
Data Management
Built-in database to store collected intelligence.
- Relational data model (domains, hosts, contacts)
- Automatic cross-linking between findings
- Project-based workspaces
Integration with APIs
Works with external services for deeper intelligence.
- Shodan (device search)
- Google, Bing, and Yahoo
- HaveIBeenPwned (breach data)
Report Generation
Export results for documentation or further analysis.
- HTML reports for management
- JSON/CSV for automation
- Detailed logs for compliance
1.2 Common Modules in Detail
- whois_pocs: Collects WHOIS contact information, useful for identifying domain owners or administrators.
- google_site: Uses Google's search engine to find indexed subdomains or sensitive files (dorks).
- linkedin_profiles: Gathers employee data for social engineering or username enumeration.
- shodan_hostname: Queries Shodan for exposed services/devices related to the target's infrastructure.
- recon/domains-hosts/bing_domain_web: Finds hosts linked to a target domain via Bing searches.
- recon/contacts/pgp_search: Extracts email addresses from PGP key servers.
1.3 Workflow Example
A simple workflow for investigating target.com might look like this:
- Start Recon-ng: recon-ng
- Create a workspace: workspaces create target
- Add a domain: add domains target.com
- Load a module (e.g., use recon/domains-hosts/google_site)
- Set module options: set SOURCE target.com
- Run the module: run
- View collected subdomains in the database: show hosts
- Export results: report html target_report.html
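The steps above are typed one at a time into the Recon-ng console. To make the same workflow repeatable (for example, re-running it after the organization has reduced its exposure), the commands can be written to a resource file and passed to Recon-ng non-interactively with its -r option. The script below is an added example, not code from the Recon-ng project: it takes the commands exactly as listed in this section, the domain target.com and workspace name target are the section's placeholders, and recon_target.rc is an assumed output file name.

```python
"""Added example (not Recon-ng project code): turn the console steps from the
workflow above into a Recon-ng resource file and run it with `recon-ng -r`.
Domain, workspace and module are placeholders taken from the section."""
import shutil
import subprocess
from pathlib import Path


def build_resource_script(domain: str, workspace: str,
                          module: str = "recon/domains-hosts/google_site") -> str:
    """Return the console commands from the workflow, one per line."""
    lines = [
        f"workspaces create {workspace}",
        f"add domains {domain}",
        f"use {module}",
        f"set SOURCE {domain}",
        "run",
        "show hosts",
        f"report html {workspace}_report.html",
        "exit",  # return control to the shell once the batch has finished
    ]
    return "\n".join(lines) + "\n"


def write_resource_file(path: Path, domain: str, workspace: str) -> Path:
    """Write the script to disk and hand back the path for recon-ng -r."""
    path.write_text(build_resource_script(domain, workspace))
    return path


def run_resource_file(path: Path) -> int:
    """Run the resource file; return recon-ng's exit code, or -1 when the
    recon-ng executable is not on PATH (nothing is run in that case)."""
    exe = shutil.which("recon-ng")
    if exe is None:
        return -1
    return subprocess.run([exe, "-r", str(path)]).returncode


if __name__ == "__main__":
    # Assumed file name; the domain is the section's placeholder target.com.
    rc = write_resource_file(Path("recon_target.rc"), "target.com", "target")
    print(rc.read_text())
    print("recon-ng exit code:", run_resource_file(rc))
```

Command names differ between Recon-ng 4.x and 5.x (5.x uses modules load, options set and db insert in place of use, set and add), so match the lines in build_resource_script to the version you have installed before running the file.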
1.4 Security Considerations
- Legal Risks: Some modules perform active scanning, which may be illegal without explicit authorization.
- Privacy Concerns: Data collected may include sensitive personal information (emails, phone numbers).
- Rate Limiting: APIs used (Google, LinkedIn, Shodan) often restrict queries, requiring API keys or paid tiers.
- Data Handling: Store collected information securely; leaks could aid attackers.
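One practical way to address the privacy and data-handling points above is to pseudonymize a contacts export before it leaves the tester's workstation, so that a leaked report does not hand over a ready-made list of names and e-mail addresses. The script below is an added example, not Recon-ng's own code: the CSV columns (first_name, last_name, email, title) are an assumed shape for a contacts export, the rows are constructed sample data, and the HMAC key is a placeholder that a real engagement would keep out of the report.

```python
"""Added example (not Recon-ng project code): reduce a contacts export to what
the report needs. Column names are assumed; the rows are constructed samples."""
import csv
import hashlib
import hmac
import io

# Constructed sample export in the assumed column layout.
SAMPLE_EXPORT = """first_name,last_name,email,title
Alice,Example,alice@target.com,CFO
Bob,Sample,bob@target.com,Sysadmin
"""


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC of the value: the same e-mail maps to the same token across
    reports, but the token cannot be reversed without the key."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the domain (the finding is that addresses in it are exposed) and
    drop the local part except its first character."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


def sanitize_export(csv_text: str, key: bytes) -> list[dict]:
    """Drop names, mask e-mails and attach a stable pseudonymous id."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "contact_id": pseudonym(row["email"], key),
            "email": mask_email(row["email"]),
            "title": row["title"],
        })
    return rows


def to_csv(rows: list[dict]) -> str:
    """Serialize the sanitized rows back to CSV for the report."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["contact_id", "email", "title"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    # Placeholder key; in practice load it from a secret store, not the script.
    print(to_csv(sanitize_export(SAMPLE_EXPORT, b"engagement-key-placeholder")))
```

The full export stays in the Recon-ng workspace on the tester's machine; only the sanitized CSV goes into the deliverable, and the key is what lets the tester map a contact_id back to the original record if a client asks.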
1.5 Strengths vs Weaknesses
Strengths:
- Automates repetitive OSINT tasks
- Highly extensible with custom modules
- Integrates with dozens of external services
Weaknesses:
- Some modules become outdated if APIs change
- Requires configuration (API keys) for best results
- Steeper learning curve compared to GUI OSINT tools
1.6 Why It Matters
Reconnaissance is the foundation of penetration testing. Recon-ng provides testers with a systematic way to gather intelligence before exploitation. The more accurate the reconnaissance, the more effective the attack simulations become. Recon-ng empowers defenders too: by using it, organizations can see what attackers might discover about them publicly and take measures to reduce exposure.