lanmaster53/recon-ng

★ 5,577PythonAudience · ops devopsComplexity · 3/5Setup · moderate

Mindmap

mindmap
  root((recon-ng))
    What It Does
      OSINT gathering
      Domain research
      Public data collection
    Interface
      CLI framework
      Module system
      Workspace isolation
    Use Cases
      Security assessments
      Domain mapping
      Email discovery
    Audience
      Security professionals
      Pentesters

mindmap root((recon-ng)) What It Does OSINT gathering Domain research Public data collection Interface CLI framework Module system Workspace isolation Use Cases Security assessments Domain mapping Email discovery Audience Security professionals Pentesters

Click or tap to explore — scroll the page freely

Things people build with this

USE CASE 1

Automate OSINT data collection about a target domain during a security assessment or penetration test

USE CASE 2

Look up email addresses, subdomain records, and related infrastructure for a given organization using built-in modules

USE CASE 3

Conduct the reconnaissance phase of a security engagement to map an organization's public attack surface

USE CASE 4

Extend the framework by writing a custom Python module to query a new public data source or API

Tech stack

Python

Getting it running

Difficulty · moderate Time to first run · 30min

Most data-source modules require individual API keys, run the module's info command to see which key it needs before querying.

In plain English

Recon-ng is a Python framework for gathering publicly available information about people, organizations, and websites. This type of activity is called open source intelligence, or OSINT, meaning it only collects data from sources that are already public, such as websites, databases, and APIs, rather than breaking into systems. The goal is to reduce the time it takes to pull that information together during security assessments or research. The tool is structured as a modular framework with a command-line interface. Users load individual modules that each handle a specific task, such as looking up domain records, finding email addresses, or querying specific data sources. The authors describe the interface as similar in feel to Metasploit, a well-known penetration testing platform, though Recon-ng is specifically focused on reconnaissance and information gathering rather than exploiting vulnerabilities. The README makes this separation of purpose explicit: use other tools for exploitation or social engineering, and use Recon-ng for the research phase. The framework is built to be extended. Even developers new to Python can write additional modules, and a development guide is available in the project's wiki for anyone who wants to contribute. The modular design means the core framework stays consistent while the collection of modules can grow over time. Recon-ng is free and open source. The project is sponsored by security firms and accepts donations. A companion course on the Pluralsight training platform covers how to use it in practice. The README is brief and points to the project wiki for getting started and for development documentation.

Copy-paste prompts

Prompt 1

Walk me through using recon-ng to discover email addresses and subdomains associated with a target domain, what modules do I load and what commands do I run?

Prompt 2

How do I write a custom recon-ng module in Python that queries a specific API and stores results in the framework's internal database? Show me the minimal module skeleton.

Prompt 3

I'm starting a penetration test and need to map the public attack surface of a company. Which recon-ng modules are most useful for finding subdomains, IP ranges, and employee emails?

Prompt 4

How does recon-ng's workspace system work, and how do I create separate workspaces to keep data from different client engagements isolated?

Open on GitHub → Explain another repo

← lanmaster53 on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.