Recon-ng — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Modular reconnaissance framework with workspaces, modules, and a database backend — the Metasploit of OSINT.

Use case: OSINTDifficulty: IntermediateHomepage: https://github.com/lanmaster53/recon-ng

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx (recommended)

pipx install recon-ng

Linux (apt)

sudo apt install recon-ng

Source

git clone https://github.com/lanmaster53/recon-ng && cd recon-ng && pip install -r REQUIREMENTS

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Start interactive shell

recon-ng

Create workspace

workspaces create target

Install all modules

marketplace install all

Set domain + run subdomain enum

modules load recon/domains-hosts/hackertarget; options set SOURCE target.com; run

Export to HTML

modules load reporting/html; options set CREATOR you; run

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Workspaces are SQLite databases — switch with workspaces load NAME. Keeps engagements isolated.
  • marketplace search + marketplace install the modules you need; the default install is bare.
  • API keys with keys add NAME VALUE persist across sessions.
  • Modules are runnable as headless scripts: recon-ng -r script.rc for CI integration.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Many modules abandoned — check marketplace info MODULE for last-update date.
  • Database can balloon to GB+ on big domains — periodic db drop + restart helps.
  • API key management is per-workspace; clone keys with keys export + import to new workspace.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • spiderfoot — newer, web UI, similar mission.
  • OSINTgram for Instagram-specific.

India context and engagement notes

Best fit when you need REPRODUCIBLE recon — the workspace + script approach is auditable, which matters for CERT-In incident reports and forensic-grade engagements.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants