
Recon-ng: The Advanced Open-Source Recon Framework


By: Jawady Muhammad Habib

July 19, 2017


Information Gathering – Intro

Information gathering, also known as the reconnaissance phase, is the first step when conducting a penetration test.

It is also the most time-consuming phase of the overall work. This will be the intro to a series of episodes (articles) which will cover some IG tools dedicated to extracting available data on the Internet, from the target itself and from some public resources as well. The goal of these lessons is to simulate as closely as possible what a black hat hacker does, and I hope this will be useful for you.

As mentioned earlier, reconnaissance is one of the most important phases of a successful penetration test. Its techniques should therefore be among the first that penetration testers learn when they intend to scan systems for vulnerabilities. The problem with traditional IG techniques is that they are time-consuming, and time is something pen testers, unlike attackers, usually do not have. The need for a tool which speeds up advanced reconnaissance gave birth to a powerful tool named Recon-ng, which is:

"regarded as one of the top tools for open source reconnaissance"

Source: LaNMaSteR53/recon-ng repository.

Now what is Recon-ng?

Recon-ng is a full-featured web reconnaissance framework written in Python. Whereas MSF (Metasploit Framework) is designed to let pen testers automate the process of exploiting known vulnerabilities, Recon-ng is a modular utility that supports information gathering through a Metasploit-like experience.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.

Now buckle up your seat belts and let’s dive into this amazing Framework.

Let’s begin our tutorial:

To start getting our feet wet with Recon-ng, we first need to understand that its preloaded modules are grouped into several categories:

Discovery – Exploitation – Import – Recon – Reporting

Now we basically know what RN looks like.

Moving on to the installation and usage

Currently, if you’re using an up-to-date Kali Linux distribution, you already have RN installed, as you can check in the Kali Linux tools listing. The same goes for similar distributions like Parrot …

However, if you are using another Linux distribution, you need to manually install it:


git clone

cd recon-ng

pip install -r REQUIREMENTS

./recon-ng

To display help:

./recon-ng -h

In short: change into the recon-ng/ directory and execute ‘./recon-ng’.

To see how the framework is used, we type ‘help’ or ‘?’ at the prompt:

Now that we are familiar with Recon-ng’s capabilities, we’re going to show you how to manage your API keys in RN. But first, why API keys? And what are they in the first place?

Before diving deep into this framework, we first need to know that some tools in RN depend on APIs, so managing the tokens or keys they require is a must. Working with modules is out of this lesson’s scope, as we will cover that in a later course.

So, what is an API?

API is the acronym for ‘application program interface’. It is a set of tools, protocols and routines for building software more efficiently. It makes it easier to develop programs by providing building blocks that a programmer puts together. Personally, I like to think of it as a plug you connect to whenever you need to make your work easier by using others’ resources.

Why do we need APIs in Recon-ng?

As mentioned earlier, coders sometimes need to use these APIs in order to make use of the issuers’ resources … and so does Recon-ng. In fact, some modules are based entirely on the Bing API, and to work properly they need tokens provided by the owners of these APIs. The purpose of these tokens is to protect access to the API.

A more precise definition is provided by Auth0 (source):

The Access Token, commonly referred to as access_token in code samples, is a credential that can be used by a client to access an API. The access_token should be used as a Bearer credential and transmitted in an HTTP Authorization header to the API. Auth0 uses access tokens to protect access to the Auth0 Management API.

Now that we know what APIs and their keys are, and how they relate to Recon-ng modules, let’s start managing them.

First things first, let’s view our key list by issuing the ‘keys list’ command at the RN prompt:

If you’re using the framework for the first time, it should look something like that, and we can see that no keys have been added yet.

Now let’s populate that list with some keys. I'm going to show you how to add a Twitter API key; the process is almost the same for the rest of the keys.

Visit the Twitter API website: and log in.

Create a new app. Fill in the form and agree.

Go to the ‘keys and access tokens’ area and copy the key.

Go to the Recon-ng prompt and issue this command:

keys add <api_name> <key>

Congratulations, now our key was successfully added!
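Keys added this way stay on disk, so the key store deserves the same care as any other credential file. The following is an added example, not code from the article or from the Recon-ng project: it audits a key database's file permissions and lists which keys are populated, without printing their values. It assumes the store is the SQLite file ~/.recon-ng/keys.db with a keys(name, value) table; the path, the schema, the helper names and the sample data are all assumptions or constructed values.

```python
import os
import sqlite3
import stat
import tempfile
from pathlib import Path

# Assumed default key store location (not stated in the article).
DEFAULT_KEY_DB = os.path.expanduser("~/.recon-ng/keys.db")


def audit_key_store(path=DEFAULT_KEY_DB):
    """Return (populated_key_names, findings); key values are never returned."""
    if not os.path.isfile(path):
        return [], ["key store not found: " + path]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o lets group/other access the keys; use 0600" % mode)
    # Open read-only so the audit cannot modify the store.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        # Assumed schema: keys(name TEXT PRIMARY KEY, value TEXT).
        rows = conn.execute("SELECT name, value FROM keys ORDER BY name").fetchall()
    finally:
        conn.close()
    stored = [name for name, value in rows if value]
    if stored:
        findings.append("%d key(s) stored unencrypted; rotate if host or backups leak" % len(stored))
    return stored, findings


def build_sample_store(directory, mode):
    """Build a constructed key database; the values are fake placeholders."""
    path = os.path.join(directory, "keys.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE keys (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO keys VALUES (?, ?)",
                     [("twitter_api", "CONSTRUCTED-EXAMPLE-KEY"), ("bing_api", "")])
    conn.commit()
    conn.close()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        names, issues = audit_key_store(build_sample_store(tmp, 0o644))
        print("stored keys:", names)
        print("\n".join(issues))
```

Calling audit_key_store() with no argument checks the assumed default location on the machine where Recon-ng is installed.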

Now to sum up

We learned what Recon-ng is and what its utilities are. We discovered the built-in commands. We discovered what APIs and their keys are, why this framework uses them, and how to add keys for later use by the modules that require them. This lesson was Recon-ng 101: only the fundamentals, to prepare the platform for later use … which will be covered in the next lesson.

I hope that you learned something new today and that my article will help you in the future to conduct a successful penetration testing process.

Brought to you by: Jawady Muhammad Habib. My blog:

