Recon-ng Review
CLI-based web reconnaissance framework modeled after Metasploit
Quick Verdict
Penetration testers and technical OSINT practitioners who prefer a CLI workflow and are already familiar with Metasploit-style frameworks
Pros
- + Free and open source — no licensing costs
- + Familiar interface for anyone who knows Metasploit
- + Modular design — install only the modules you need
- + Strong for automated subdomain and email harvesting
- + Scripting support for automated workflows
Cons
- − CLI-only — no graphical interface
- − Module marketplace less active than SpiderFoot
- − Steeper learning curve than GUI-based alternatives
- − Less maintained than SpiderFoot in recent years
What Recon-ng Is
Recon-ng is a Python-based open source framework. Recon-ng is used for web reconnaissance, mostly. It is designed like Metasploit, with workspaces, modules, and options. You load a module, tweak settings, and then run it. Results are stored in a database.
There is no GUI, no onboarding process, and no tutorials. The framework is for practitioners only. Modules can be added to extend the framework. Data sources are public. You run reconnaissance tasks.
Core Workflow
# Launch Recon-ng
recon-ng
# Create/load a workspace
[recon-ng][default] > workspaces create target_company
# Search available modules
[recon-ng][target_company] > marketplace search
# Install a module
[recon-ng][target_company] > marketplace install recon/domains-hosts/google_site_web
# Load and run
[recon-ng][target_company] > modules load recon/domains-hosts/google_site_web
[recon-ng][target_company][google_site_web] > options set SOURCE targetdomain.com
[recon-ng][target_company][google_site_web] > run
The results are stored in a local SQLite database, where you can query them or export them directly.
Module Categories
Recon-ng modules are categorized by I/O type. Names tell you what they take in and put out.
Modules are grouped as follows: Modules are categorized into auxiliary, data, exploitation, gathering, reporting, and utilities.
Auxiliary modules have no input, no output, and something happens. Data modules have optional input and enrich or manipulate data. Exploitation modules require input, take a target, and do something. Gathering modules require input and crawl or scrape data. Reporting modules require input and send findings somewhere. Utilities modules have optional input and are helper tools.
Each module's name follows a pattern: [type]_[function]_[protocol]. You can guess what a module does from its name.
Some examples are: maltego_trusted_import, ipinfodb. maltego_trusted_import is a trusted import from Maltego. ipinfodb provides geolocation from IP addresses.
You load modules with modules load [name]. You view them with modules list.
| Category | Example | Function |
|---|---|---|
domains-hosts |
google_site_web | Domain → subdomains/hosts |
domains-contacts |
whois_pocs | Domain → contact info |
hosts-hosts |
resolve | Hostname → IP resolution |
hosts-ports |
shodan_hostname | Host → open ports |
contacts-contacts |
pgp_search | Email → related contacts |
profiles-profiles |
twitter_shares | Social profile expansion |
locations-pushpins |
flickr | Location → photos |
When to Use Recon-ng vs SpiderFoot
Recon-ng and SpiderFoot are open source recon frameworks. Both help you gather intel.
Recon-ng offers a command-line workflow, allowing you to control every query, and is scriptable, with a familiarity for those who use Metasploit.
SpiderFoot provides auto-correlation across sources, a visual interface, easy module setup, and quick deployment.
Some users utilize both frameworks, leveraging Recon-ng for precise collection and SpiderFoot for broad scans, including precise collection with Recon-ng and broad scans with SpiderFoot, SpiderFoot.
Installation
pip3 install recon-ng
recon-ng
Getting Started with Recon-ng
To get started with Recon-ng, clone the repository.
git clone https://github.com/lanmaster53/recon-ng
Navigate into the Recon-ng directory.
cd recon-ng
Install the required packages.
pip3 install -r REQUIREMENTS
Run Recon-ng by executing
./recon-ng
Managing API Keys
You add API keys for individual modules. The command to do this is:
keys add <service> <key>
Limitations
Maintenance concerns. Recon-ng's development pace has slowed, some modules are outdated. API changes break others.
Recon-ng has a command-line interface only, with no web interface or GUI. You need to be comfortable in a terminal.
Recon-ng does not have a correlation engine, so it doesn't link findings for you, unlike SpiderFoot. You do the analysis.
Verdict
Recon-ng is a solid tool, free for experienced hands, not a beginner's playground. SpiderFoot does more.
Recon-ng shines in scripted workflows, precise recon. That's its sweet spot. If you've got skills, it pays off.
New to OSINT frameworks? Start with SpiderFoot, get comfortable, then come back. Recon-ng's control is there.
See Also
Further Reading
Tool Relationships
Similar Tools
Shodan
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
RTL-SDR Blog V4
The standard $40 software-defined radio dongle for ADS-B aircraft tracking, AIS ship tracking, and weather satellite imagery.
SingleFile
Archive any web page — including JavaScript-rendered content — into a single self-contained HTML file that opens identically offline and can be cryptographically verified.
urlscan.io
Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL
Community Rating
Ratings from security researchers. No third-party tracking.
Rate this tool:
This review reflects testing as of 2026-03-31. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates. Report an error →