Modular reconnaissance framework with workspaces, modules, and a database backend — the Metasploit of OSINT.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
pipx (recommended)
pipx install recon-ng
Linux (apt)
sudo apt install recon-ng
Source
git clone https://github.com/lanmaster53/recon-ng && cd recon-ng && pip install -r REQUIREMENTS
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Start interactive shell
recon-ng
Create workspace
workspaces create target
Install all modules
marketplace install all
Set domain + run subdomain enum
modules load recon/domains-hosts/hackertarget; options set SOURCE target.com; run
Export to HTML
modules load reporting/html; options set CREATOR you; run
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Workspaces are SQLite databases — switch with
workspaces load NAME. Keeps engagements isolated. marketplace search+marketplace installthe modules you need; the default install is bare.- API keys with
keys add NAME VALUEpersist across sessions. - Modules are runnable as headless scripts:
recon-ng -r script.rcfor CI integration.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Many modules abandoned — check
marketplace info MODULEfor last-update date. - Database can balloon to GB+ on big domains — periodic
db drop+ restart helps. - API key management is per-workspace; clone keys with
keys export+ import to new workspace.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- spiderfoot — newer, web UI, similar mission.
- OSINTgram for Instagram-specific.
India context and engagement notes
Best fit when you need REPRODUCIBLE recon — the workspace + script approach is auditable, which matters for CERT-In incident reports and forensic-grade engagements.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.