CyberCheatsheets

Recon-ng Cheat Sheet

Modular reconnaissance framework with workspaces, modules, and API-driven OSINT collectors.

Reconnaissance & OSINTautomationframeworkmodularosintUpdated 2026-06-02

Overview

Recon-ng is a Metasploit-style CLI for OSINT: manage workspaces per target, load modules for contacts, hosts, breaches, and export to reporting formats. Ideal when you need repeatable, note-friendly recon sessions.

Authorized testing only. Modules call third-party APIs and may store sensitive data in the local database—secure your machine and respect data handling requirements.

Install

sudo apt install -y recon-ng

or

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng && pip install -r REQUIREMENTS
recon-ng

Essential commands

Start framework

recon-ng

Inside console:

marketplace search
marketplace install all
keys list
keys add shodan_api YOUR_KEY

Common workflows

New workspace and domain —

workspaces create target_corp
workspaces select target_corp
db insert domains
domain.example.com

Run modules —

modules load recon/domains-hosts/hackertarget
run
modules load recon/domains-contacts/whois_pocs
run
show hosts
show contacts

Export results —

export hosts /tmp/hosts.csv
export contacts /tmp/contacts.csv

Marketplace refresh —

marketplace refresh
marketplace install recon/domains-hosts/certificate_transparency

Flags reference

workspaces create/select/list

Per-engagement DB

db insert domains

Add seed domain

modules search/load

Find and load module

run / info / options

Execute / help / set options

show hosts/contacts/domains

View tables

keys add/list

API key management

marketplace install

Install modules

export

CSV export

spool

Log commands to file

High-value modules

Subdomains from certificate transparency logs

modules load recon/domains-hosts/certificate_transparency

Enumerate hosts via HackerTarget (no API key)

modules load recon/domains-hosts/hackertarget

Brute-force subdomains from a wordlist

modules load recon/domains-hosts/brute_hosts

Check emails against known breaches (HaveIBeenPwned)

modules load recon/contacts-credentials/hibp_breach

Resolve hosts to IPs

modules load recon/hosts-hosts/resolve

Find points of contact via Whois

modules load recon/domains-contacts/whois_pocs

Quick one-liners

Run an entire session non-interactively from a resource file

recon-ng -w target_corp -r commands.rc

Set a module option then run, in one console flow

options set SOURCE example.com

Generate an HTML report of all findings

modules load reporting/html

Search the marketplace for modules by keyword

marketplace search hackertarget

Show which installed modules need API keys

marketplace search --installed

Tips

  • Configure API keys once in keys.db—modules fail silently without them.
  • Use separate workspaces per client to avoid data crossover.
  • Prefer dedicated tools (subfinder, amass) for scale; recon-ng excels at chained OSINT.
  • Recon-ng 5.x marketplace differs from legacy 4.x—verify module paths.

References

Chuletas relacionadas