Recon-ng Cheat Sheet

Modular reconnaissance framework with workspaces, modules, and API-driven OSINT collectors.

Reconnaissance & OSINTautomationframeworkmodularosintUpdated 2026-06-02

Overview

Recon-ng is a Metasploit-style CLI for OSINT: manage workspaces per target, load modules for contacts, hosts, breaches, and export to reporting formats. Ideal when you need repeatable, note-friendly recon sessions.

Authorized testing only. Modules call third-party APIs and may store sensitive data in the local database—secure your machine and respect data handling requirements.

Install

sudo apt install -y recon-ng

git clone https://github.com/lanmaster53/recon-ng.git

cd recon-ng && pip install -r REQUIREMENTS

recon-ng

Essential commands

Start framework

recon-ng

Inside console:

marketplace search

marketplace install all

keys list

keys add shodan_api YOUR_KEY

Common workflows

New workspace and domain —

workspaces create target_corp

workspaces select target_corp

db insert domains

domain.example.com

Run modules —

modules load recon/domains-hosts/hackertarget

run

modules load recon/domains-contacts/whois_pocs

run

show hosts

show contacts

Export results —

export hosts /tmp/hosts.csv

export contacts /tmp/contacts.csv

Marketplace refresh —

marketplace refresh

marketplace install recon/domains-hosts/certificate_transparency

Flags reference

`workspaces create/select/list`	Per-engagement DB
`db insert domains`	Add seed domain
`modules search/load`	Find and load module
`run / info / options`	Execute / help / set options
`show hosts/contacts/domains`	View tables
`keys add/list`	API key management
`marketplace install`	Install modules
`export`	CSV export
`spool`	Log commands to file

High-value modules

Subdomains from certificate transparency logs

modules load recon/domains-hosts/certificate_transparency

Enumerate hosts via HackerTarget (no API key)

modules load recon/domains-hosts/hackertarget

Brute-force subdomains from a wordlist

modules load recon/domains-hosts/brute_hosts

Check emails against known breaches (HaveIBeenPwned)

modules load recon/contacts-credentials/hibp_breach

Resolve hosts to IPs

modules load recon/hosts-hosts/resolve

Find points of contact via Whois

modules load recon/domains-contacts/whois_pocs

Quick one-liners

Run an entire session non-interactively from a resource file

recon-ng -w target_corp -r commands.rc

Set a module option then run, in one console flow

options set SOURCE example.com

Generate an HTML report of all findings

modules load reporting/html

Search the marketplace for modules by keyword

marketplace search hackertarget

Show which installed modules need API keys

marketplace search --installed

Tips

Configure API keys once in keys.db—modules fail silently without them.
Use separate workspaces per client to avoid data crossover.
Prefer dedicated tools (subfinder, amass) for scale; recon-ng excels at chained OSINT.
Recon-ng 5.x marketplace differs from legacy 4.x—verify module paths.