How to Use Recon-ng Tool for OSINT, Bug Bounty Hunting, and Cybersecurity Reconnaissance with Complete Commands, API Setup, and Real-World Examples

Looking to master Recon-ng for cybersecurity reconnaissance and open-source intelligence (OSINT)? This complete tutorial on how to use Recon-ng walks you through everything from installation and essential commands to real-world examples of modules like domain enumeration, email harvesting, and host discovery. Whether you're a bug bounty hunter, ethical hacker, or a cybersecurity student, you'll learn how to use API keys, manage workspaces, explore the module marketplace, and perform passive and active recon with Recon-ng. This guide also includes essential Recon-ng commands, module configurations, and step-by-step instructions to automate recon tasks for real-world targets.

  Security   Apr 9, 2025   122  Add to Reading List
How to Use Recon-ng Tool for OSINT, Bug Bounty Hunting, and Cybersecurity Reconnaissance with Complete Commands, API Setup, and Real-World Examples

Introduction to Recon-ng

Recon-ng is a powerful Open Source Intelligence (OSINT) tool used by cybersecurity professionals for gathering publicly available data. Its interface is similar to Metasploit, offering a modular and scriptable environment that makes automation of reconnaissance easy and efficient.

In this guide, you’ll learn how to use Recon-ng effectively — from installation and workspace creation to using advanced modules, managing API keys, and exporting reports.

Getting Started with Recon-ng

To start using Recon-ng, first run it from the terminal: 

test@ubuntu:~/recon-ng/$ ./recon-ng

Once the tool launches, use the built-in help command to see available options: 

[recon-ng][default] > help

Essential Recon-ng Commands

Here are some core Recon-ng commands to get you started:

Command Description
back Exit the current module or context
dashboard View project summary and status
db insert Insert manual records into the database
db export csv Export collected data to a CSV file
db schema View database table schema
exit Exit the framework
keys Manage third-party API keys
load Load a module
marketplace Install, update, or search modules
modules search Search modules by keyword
modules load Load specific modules
options set Set required module input
run Run the currently loaded module
script Run automation scripts
shell Run system shell commands
show hosts Display discovered hosts
show domains Show discovered domains
show credentials Show gathered credentials
show profiles View user profile information
spool on/off Start or stop spooling output to file
workspaces create Create and switch workspaces
notes add/view Add or view workspace notes

Working with Workspaces

Workspaces help manage and isolate recon data for different projects.

Create a New Workspace:

[recon-ng][default] > workspaces create tesla_project

Switch to the Workspace:

[recon-ng][default] > workspaces select tesla_project

List Existing Workspaces:

[recon-ng][default] > workspaces list

Exploring the Recon-ng Marketplace

The marketplace contains dozens of built-in modules to automate your recon work.

List All Marketplace Modules:

[recon-ng][tesla_project] > marketplace search

Install a Specific Module:

[recon-ng][tesla_project] > marketplace install recon/domains-hosts/hackertarget

Check Installed Modules:

[recon-ng][tesla_project] > modules list

Running Recon-ng Modules (With Examples)

Example 1: Subdomain Enumeration via Hackertarget

[recon-ng][tesla_project] > modules load recon/domains-hosts/hackertarget
[recon-ng][tesla_project][hackertarget] > options set SOURCE tesla.com
[recon-ng][tesla_project][hackertarget] > run

Example 2: WHOIS Lookup

[recon-ng][tesla_project] > modules load recon/domains-contacts/whois_pocs
[recon-ng][tesla_project][whois_pocs] > options set SOURCE tesla.com
[recon-ng][tesla_project][whois_pocs] > run

Example 3: IP Geolocation Using IPinfo

[recon-ng][tesla_project] > marketplace install recon/hosts-hosts/ipinfodb
[recon-ng][tesla_project] > modules load recon/hosts-hosts/ipinfodb

[recon-ng][tesla_project][ipinfodb] > options set SOURCE 104.119.104.74
[recon-ng][tesla_project][ipinfodb] > run

Managing API Keys in Recon-ng

Some modules require third-party API keys.

Add an API Key (Example: Shodan):

  1. Get your API from: https://shodan.io

  2. Add it to Recon-ng: 

[recon-ng][tesla_project] > keys add shodan_api YOUR_API_KEY

List Stored API Keys:

[recon-ng][tesla_project] > keys list

Viewing and Managing Collected Data

View Hosts:

[recon-ng][tesla_project] > show hosts

View Domains:

[recon-ng][tesla_project] > show domains

View Contacts:

[recon-ng][tesla_project] > show contacts

View User Profiles:

[recon-ng][tesla_project] > show profiles

Exporting Reports and Output

Export Data to CSV:

[recon-ng][tesla_project] > db export csv tesla_data.csv

Spool Output to File:

[recon-ng][tesla_project] > spool on tesla_output.txt

[recon-ng][tesla_project] > run

[recon-ng][tesla_project] > spool off

Using Notes and Documentation

You can document your findings directly inside Recon-ng.

Add Notes:

[recon-ng][tesla_project] > notes add tesla_login_flaw "Tesla login form has no rate limiting"

View All Notes:

[recon-ng][tesla_project] > notes list

The .recon-ng Configuration Directory

The tool stores configurations in: 

~/.recon-ng/

Important Files and Folders:

File / Folder Purpose
keys.db Stores API keys
modules/ Contains module code
workspaces/ Individual project data
modules.yml Metadata of installed modules

Conclusion

Recon-ng is one of the most flexible, automated tools for cybersecurity reconnaissance and OSINT investigations. From scanning domains and subdomains to pulling contact info, IP geolocation, and credential leaks, it covers nearly every corner of the data gathering process.

Whether you’re a bug bounty hunter, ethical hacker, or security analyst, Recon-ng can supercharge your recon phase — saving you time while increasing accuracy.

Stay tuned for the next part where we’ll build a full automated recon pipeline using Recon-ng + Bash + Cron Jobs!

FAQs:

What is Recon-ng and how is it used in cybersecurity?

Recon-ng is an open-source reconnaissance tool used to gather OSINT (Open Source Intelligence) information for penetration testing and threat intelligence operations.

How can I install Recon-ng on Kali Linux or Ubuntu?

You can install it via apt install recon-ng on Kali or by cloning from GitHub and using Python on Ubuntu.

Is Recon-ng available for Windows users?

Yes, Windows users can install it using Python and pip or through the Windows Subsystem for Linux (WSL).

What is a workspace in Recon-ng and how do I create one?

A workspace in Recon-ng is a dedicated environment for a specific target. You can create one using the workspaces create command.

How do I list all available modules in Recon-ng?

Use the command show modules to list all reconnaissance modules available in Recon-ng.

How do I add a domain target for data collection?

You can add targets using add domains example.com.

What are the most useful domain-related modules in Recon-ng?

Modules like recon/domains-hosts/bing_domain_web, recon/domains-contacts/whois_pocs, and recon/domains-vulnerabilities/xssed are very useful for domain reconnaissance.

How do I run a module after selecting it in Recon-ng?

Once you use use , run it with the run command.

How do I check or set options required by a module?

Use show options to see module parameters, and set to configure them.

What is the command to see all available workspaces?

Use workspaces list to view all workspaces.

Can I delete a workspace in Recon-ng?

Yes, you can delete one using workspaces delete .

How do I import targets from a file into Recon-ng?

You can use the import /path/to/file command for bulk data input.

Which modules help gather email addresses for a domain?

Modules like recon/companies-contacts/bing_linkedin_cache and recon/domains-contacts/pgp_search are useful.

How can I find hosts associated with a domain?

Use recon/domains-hosts/ such as crtsh or bing_domain_web.

What modules help with social media reconnaissance?

Use modules like recon/profiles-profiles/namechk and recon/profiles-profiles/hackertarget.

How do I export collected data from Recon-ng?

Use export csv /path/to/file.csv to export your results in CSV format.

Is there a way to reset the Recon-ng environment?

Yes, you can use db purge to clear the current workspace data.

Can Recon-ng integrate with other tools like Shodan?

Yes, with appropriate API keys, modules like recon/hosts-hosts/shodan_hostname can be used.

How do I configure an API key in Recon-ng?

Use keys add to set it up.

Where can I find all available APIs Recon-ng supports?

Use keys list to view and manage available API services.

Can I automate multiple modules in Recon-ng?

Yes, by creating a script or using the marketplace feature to chain module executions.

How do I update Recon-ng or install new modules?

You can pull updates from the GitHub repository or use marketplace search and marketplace install.

What’s the use of the ‘marketplace’ in Recon-ng?

The marketplace allows you to browse, install, and update community-contributed modules.

Is there a way to perform brute-force username lookups in Recon-ng?

Yes, some modules like recon/profiles-accounts/hackertarget support this functionality.

How do I check subdomain records with Recon-ng?

Use modules such as recon/domains-hosts/brute_hosts or recon/domains-hosts/netcraft.

Can I use Recon-ng for geolocation tracking?

Yes, modules like recon/locations-locations/geocode help convert location data.

What are some file output formats supported by Recon-ng?

Recon-ng supports CSV, JSON, and XML outputs.

How do I clear all collected data in a Recon-ng session?

Use db schema and db purge to clean up.

Is it possible to use Recon-ng for password dumps?

While Recon-ng can discover leaks, it's not designed to collect or crack passwords directly.

Can I visualize Recon-ng results with third-party tools?

Yes, exported data can be visualized in tools like Maltego, SpiderFoot, or Excel.

Tags

Join Our Upcoming Class! Click Here to Join
Join Our Upcoming Class! Click Here to Join