# **The Ultimate Guide to Recon-ng: Professional Web Reconnaissance Framework**
Recon-ng is a modular web reconnaissance framework developed by Tim Tomes, widely recognized as one of the most powerful open-source intelligence (OSINT) collection tools for penetration testing and red team operations. Its Metasploit-inspired design provides security professionals with a standardized reconnaissance workflow.
## **1. Core Advantages of Recon-ng**
### **Architectural Features**
- **Modular design**: 200+ pluggable reconnaissance modules
- **Unified workspace**: Centralized project data management
- **Automation capabilities**: Supports workflow scripting
- **Multi-source integration**: Built-in interfaces for 30+ data sources
- **Standardized output**: Structured data reporting
```mermaid
pie
title Module Category Distribution
"Information Gathering" : 45
"Data Processing" : 25
"Credential Enumeration" : 15
"Network Mapping" : 10
"Reporting" : 5
```
## **2. Installation & Initialization**
### **Installation Methods**
```bash
# Kali Linux (pre-installed)
sudo apt install recon-ng
# Manual installation
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng && pip install -r REQUIREMENTS
```
### **Workspace Management**
```bash
# Launch and create workspace
recon-ng
workspaces create pentest_company
```
## **3. Core Module Breakdown**
### **Information Gathering Modules**
| Module Path | Description |
|-------------|-------------|
| `recon/domains-hosts/brute_hosts` | Subdomain brute-forcing |
| `recon/domains-hosts/certificate_transparency` | Certificate Transparency log queries |
| `recon/domains-hosts/google_site_web` | Google site search |
### **Data Processing Modules**
```bash
# Deduplication module
modules load reporting/deduplicate
# JSON export
modules load reporting/json
```
## **4. Practical Workflows**
### **Enterprise Asset Discovery**
```bash
workspaces create acme_corp
db insert domains acme.com
modules load recon/domains-hosts/brute_hosts
options set SOURCE acme.com
run
```
### **Employee Information Gathering**
```bash
modules load recon/companies-contacts/namechk
options set SOURCE acme.com
run
```
### **Automated Report Generation**
```bash
modules load reporting/html
options set CREATOR "Security Team"
run
```
## **5. Advanced Techniques**
### **API Key Configuration**
```bash
keys add virustotal_api YOUR_API_KEY
keys add shodan_api YOUR_API_KEY
```
### **Custom Module Development**
```python
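from recon.core.module import BaseModule

class Module(BaseModule):  # recon-ng instantiates the class named Module
    meta = {'name': 'My Module', 'author': 'Your Name', 'version': '1.0',
            'description': 'Minimal custom module.'}

    def module_run(self):  # invoked by the framework's `run` command
        self.alert('Custom module executed!')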
```
### **Workflow Automation**
```bash
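# Record the commands of a workflow to a script file
script record acme_workflow
# ... run the workflow commands, then stop recording
script stop
# Replay the recorded workflow
script execute acme_workflow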
```
## **6. Defense Strategies**
### **Enterprise Protection Recommendations**
- **Monitor data leaks**: Deploy Certificate Transparency log monitoring
- **Limit public information**: Control WHOIS information exposure
- **Employee training**: Prevent social engineering
- **Regular audits**: Review digital footprints
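
The Certificate Transparency monitoring and footprint review recommended above can be combined into one check: compare the names appearing in CT log entries against the asset inventory and flag anything unknown. This is an added example, not code from Recon-ng or the original page; it assumes entries in the JSON shape returned by crt.sh, and the sample data, inventory set and function names are constructed for illustration.

```python
import json

# Constructed sample in the JSON shape returned by crt.sh (name_value may hold
# several newline-separated SAN entries). Not real data.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "entry_timestamp": "2024-03-01T10:15:00", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.acme.com\nacme.com"},
    {"id": 1002, "entry_timestamp": "2024-03-04T08:02:11", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.acme.com\nstaging.acme.com"},
    {"id": 1003, "entry_timestamp": "2024-03-02T23:40:09", "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "name_value": "VPN-Old.acme.com"},
    {"id": 1004, "entry_timestamp": "2024-03-05T12:00:00", "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "name_value": "vpn-old.acme.com\nacme.com.evil.example"},
])

# Assumed asset inventory: hostnames the organisation knows it operates.
KNOWN_HOSTS = {"acme.com", "www.acme.com", "mail.acme.com"}


def normalize(name):
    """Lowercase, trim, drop trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(host, domain):
    """True only for the domain itself or a real subdomain (not a look-alike suffix)."""
    return host == domain or host.endswith("." + domain)


def unknown_hosts(ct_json, domain, inventory):
    """Return {host: {"first_seen", "issuers"}} for in-scope names missing from inventory."""
    findings = {}
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            host = normalize(raw)
            if not host or not in_scope(host, domain) or host in inventory:
                continue
            rec = findings.setdefault(host, {"first_seen": entry["entry_timestamp"], "issuers": set()})
            rec["first_seen"] = min(rec["first_seen"], entry["entry_timestamp"])
            rec["issuers"].add(entry["issuer_name"])
    return findings


if __name__ == "__main__":
    for host, rec in sorted(unknown_hosts(SAMPLE_CT_JSON, "acme.com", KNOWN_HOSTS).items()):
        print(f"{rec['first_seen']}  {host}  issuers={sorted(rec['issuers'])}")
```

Each flagged host is either a forgotten asset to add to the inventory or a certificate nobody in the organisation requested; both are worth a ticket.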
### **Detection Methods**
- Analyze abnormal API call patterns
- Monitor sensitive data search behavior
- Deploy threat intelligence platforms
## **7. Learning Resources**
### **Official Documentation**
- [GitHub Wiki](https://github.com/lanmaster53/recon-ng/wiki)
- [Module Index](https://github.com/lanmaster53/recon-ng/tree/master/modules)
### **Hands-on Courses**
- "Professional OSINT Techniques" (OSINT Dojo)
- "Red Team Reconnaissance Methodology" (SANS SEC587)
> **Legal Notice**: Recon-ng should only be used for authorized testing. Unauthorized reconnaissance activities may violate laws such as the Computer Misuse Act.

Through its standardized workflows and extensive module library, Recon-ng transforms fragmented reconnaissance tasks into systematic intelligence collection processes. Whether for penetration testing, bug bounty programs, or threat intelligence analysis, mastering Recon-ng has become a core skill for modern security professionals.