Recon-ng is a full-featured web reconnaissance framework written in Python. With independent modules, database interactions, built-in feature functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and well. Recon-ng has the same look and feel as the Metasploit Framework, reducing the learning curve to take advantage of the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is specifically designed for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want a Social Engineer, we are the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng.


To start Recon-ng in Kali Linux in the terminal type.

Command: recon-ng

To add workspace type

Command: workspaces add pen_test

To add domains about which you want to gather information type

Command: add domains (here we are taking the example of CompTIA website)

To check whether the domain is added successfully type

Command: show domains

Now to check the modules available type

Command: show modules

A module is a specific task that recon-ng will execute based on the parameters you provide it. the Recon category has the most modules so far.

Command: search the domain for contact information.

Command: use recon/domains-contacts/whois_pocs

show options (it will show source option )

run (contacts & email addresses will be displayed)

Search account for evidence of compromise

Command: use recon/contacts-credentials/hibp_breach

This module search that has I been pawned ??HIBP database to see if a particular email account is known to have been affected by any major breaches in the last few years.

set source email address (enter the email address you found in the previous step to check whether I was compromised in last few years or not.)

Identify the organization’s social media presence

Command: use recon/profiles-profiles/profiler

set source comptia (here domain will be domain name without the top level domain suffix)


In the same way, you can use different modules to gather information about the organization like.

Identify organization mail based DNS Records

Command: recon/domains-hosts/mx_spf_ip


Search subdomains

Command : recon/domains-hosts/brute_hosts


At last to generate a report of your findings type

Command: use reporting /html

show options

set creator (your name)

set customer (clients name )

set filename /root/desktop/recon_report.html


Download os

1.Kali linux 

2.parrot os