Information Gathering Tools

How To Use Recon-ng ? [Information Gathering Series]

This is the second article in the series on information gathering.

This time we will be discussing one of the most convenient and versatile  informaton gathering tools out there,Recon-ng.

It was developed by Tim Tones and here is the download link

You can clone it from the bitbucket repositories


It is an open source  passive reconnaissance framework written in python for linux.

It is an all in one tool that acts as subdomain finder, contacts harvester, email harvester, geo location finder, vulnerability finder and a host of other things.

It has its own built in modules and it works by gathering information from different sources.

In order to utilize all the sources and modules we need to pay API keys, some are exensive , some of them are free and some of the modules don’t require API keys at all.

We will discuss them later in the article.

Most people that use recon-ng are using a linux based platform, mostly kali linux so we will go  step by step through the proceess of  installing recon-ng and using it on kali linux.

Firstly we will need to use git  which is  preinstalled in Kali.


 I had it already downloaded and installed  so i had to cancel it midway but you will need to navigate into the folder using the cd command where it is downloaded and  invoke the python script with the command

The screen shot provides a glimpse on how it looks like.

Now it is time for us.

Now we can use the help option to to look at all the availabe commands.

Lets try that



In order to view all the modules we need to type in the command show modules, which displays all the available modules in the frame work.

Lets try that


Recon-ng uses API keys which is short for application programming interfaces in order to interact with the concerned application and extract the  required information.

To put it simply we are asking for permission from the respective organization to use the services of their applications.

This is done so to prevnt the abuse of their service.

In order to display the available API keys we need to type in the command keys list.

This lists out the keys.

Lets try that


While I have not added any keys yet but the command to add keys is

keys add <the application name> <keys> .

I just added a dummy 23456 key to show how the command works.

The process of finding the API keys is the most time consuming one.

We have to register ourselves with respective services and request for the key.

In order to keep things interesting we will skip the part and let you decide which  API keys suits your needs.

Facebook, Google, Shodan, Twitter, Instagram, LinkedIn and Bing provide API keys for free.

Here is a useful link to find required API

Ok, now we come to the reconnaissance part, first we need to create a workspace which creates seperate database for each of our target.

Each  of this database will contain all the information extracted about each target.

To list out the available workspaces we use the command workspaces lists, to add a new workspaces we use the command

workspaces add <target name>



Here we set hackeroyale as the name of the workspaces.

Now we select the workspace with the command workspaces

select <name of the workspace>.

Now lets try  running a few modules against it.

First lets add the domains with the command

add domains <domain name>


 Now lets start running modules against the target, first lets  resolve the domain  name with the command use resolve, it will list the availabe modules related to resolving the domain name.


This concludes the first part of the article.

The 2nd part will cover modules for different information extraction.

Till then happy hunting.


Comment Now !