Recon-NG How-To I

Reconnaissance is the first step in pentesting. Not only that, it’s the step in which we’ll have to spend most of out time. There are a number of tools to help us with this task. In this story I’m going to talk about Recon-NG

Recon-NG is one open source tool to facilitate our task of information gathering. In this brief tutorial I’ll demonstrate how to use it.

From Tim Tomes bitbucket’s repository: “Recon-NG is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion”.


If you’re using Kali Linux — and I strongly advise you to if you’re thinking of pentesting seriously — Recon-NG is installed by default.

Major Linux distributions have Recon-NG in their repositories. If it’s Debian based there should be a DEB package. If it’s Red Hat based, search for a RPM. If you’re using Arch or anything else you can always built it from source.

To start, open a terminal window to enter in console mode. Type:

$ recon-ng

Ignore the red lines (we’ll cover that later).


Recon-NG uses workpaces to help organize collected information according to our workflow. The command is ‘workspaces’ and its options are list, add, select and delete.

Add workspace

Let’s do some reconnaissance on medium. We’ll first create a workspace ‘medium’ and the domain’’.

> workspace add medium
> add domains
> show domains

List workspaces

The ‘list’ option displays available workspaces created in Recon-NG:

> workspace list

Select workspace

To navigate to the default workspace just type the command:

> workspace select default

Notice the change in the brackets from medium to default.

Delete workspace

To delete just type:

> workspaces delete medium

API Keys

Recon-NG as a modular architecture and some of its modules require an API key. Let’s start by viewing available and installed keys:

> keys list

To acquire API keys go to the respective URL and create an account. You can use the following page. Some modules are more interesting than others. My personal favorites are Builtin, Google, IPInfoDB and Shodan.

Once you have your key, just add it with

> keys add module_name API_Key
> exit
$ recon-ng

You’ll notice that the error list gets shorter when starting Recon-NG.