Recon-ng Web Reconnaissance Framework Cheat Sheet
Overview
Recon-ng is a full-featured web reconnaissance framework written in Python. It provides a powerful environment for conducting open source web-based reconnaissance quickly and thoroughly. The framework features independent modules, database interaction, built-in convenience functions, interactive help, and command completion. It's designed to be modular, allowing users to easily add custom modules and extend functionality.
⚠️ Legal Notice: Only use Recon-ng on targets you own or have explicit permission to test. Unauthorized reconnaissance may violate terms of service and local laws.
Installation
Kali Linux Installation
# Recon-ng is pre-installed on Kali Linux
recon-ng --help
# Update to latest version
sudo apt update
sudo apt install recon-ng
# Alternative: Install from GitHub
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip3 install -r REQUIREMENTS
Ubuntu/Debian Installation
# Install dependencies
sudo apt update
sudo apt install python3 python3-pip git
# Clone repository
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
# Install Python dependencies
pip3 install -r REQUIREMENTS
# Make executable
chmod +x recon-ng
# Create symlink for global access
sudo ln -s $(pwd)/recon-ng /usr/local/bin/recon-ng
Docker Installation
# Pull official Docker image
docker pull lanmaster53/recon-ng
# Run with Docker
docker run -it --rm lanmaster53/recon-ng
# Build from source
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
docker build -t recon-ng .
# Run custom build with volume mount
docker run -it --rm -v $(pwd)/data:/recon-ng/data recon-ng
Python Virtual Environment
# Create virtual environment
python3 -m venv recon-ng-env
source recon-ng-env/bin/activate
# Clone and install
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS
# Run Recon-ng
python3 recon-ng
Basic Usage
Starting Recon-ng
# Start interactive mode
recon-ng
# Start with specific workspace
recon-ng -w workspace_name
# Run specific module
recon-ng -m recon/domains-hosts/hackertarget
# Execute commands from file
recon-ng -r commands.txt
# Show version and exit
recon-ng --version
Core Commands
# Help system
help
help modules
help <command>
# Workspace management
workspaces list
workspaces create <name>
workspaces select <name>
workspaces delete <name>
# Module management
modules search
modules search <keyword>
modules load <module>
modules reload
# Database operations
db schema
db query <sql>
db insert <table> <data>
db delete <table> <conditions>
Workspace Management
Creating and Managing Workspaces
# List available workspaces
[recon-ng][default] > workspaces list
# Create new workspace
[recon-ng][default] > workspaces create example_com
# Select workspace
[recon-ng][default] > workspaces select example_com
# Show current workspace
[recon-ng][example_com] > workspaces list
# Delete workspace
[recon-ng][example_com] > workspaces delete old_workspace
Database Schema
# View database schema
[recon-ng][example_com] > db schema
# Common tables:
# - domains: Target domains
# - hosts: Discovered hosts/IPs
# - contacts: Email addresses and contacts
# - credentials: Found credentials
# - leaks: Data breach information
# - locations: Geographic information
# - netblocks: IP ranges
# - ports: Open ports
# - profiles: Social media profiles
# - repositories: Code repositories
# - vulnerabilities: Security vulnerabilities
Manual Data Entry
# Add domain
[recon-ng][example_com] > db insert domains example.com
# Add host
[recon-ng][example_com] > db insert hosts 192.168.1.1 example.com
# Add contact
[recon-ng][example_com] > db insert contacts John Doe john.doe@example.com
# View data
[recon-ng][example_com] > show domains
[recon-ng][example_com] > show hosts
[recon-ng][example_com] > show contacts
Module System
Module Categories
# Discovery modules
modules search discovery
# Exploitation modules
modules search exploit
# Import modules
modules search import
# Recon modules
modules search recon
# Reporting modules
modules search reporting
Loading and Using Modules
# Load a module
[recon-ng][example_com] > modules load recon/domains-hosts/hackertarget
# Show module info
[recon-ng][example_com][hackertarget] > info
# Show module options
[recon-ng][example_com][hackertarget] > options list
# Set module options
[recon-ng][example_com][hackertarget] > options set SOURCE example.com
# Run module
[recon-ng][example_com][hackertarget] > run
# Go back to main menu
[recon-ng][example_com][hackertarget] > back
Popular Reconnaissance Modules
# DNS enumeration
modules load recon/domains-hosts/hackertarget
modules load recon/domains-hosts/threatcrowd
modules load recon/domains-hosts/certificate_transparency
# Subdomain discovery
modules load recon/domains-hosts/google_site_web
modules load recon/domains-hosts/bing_domain_web
modules load recon/domains-hosts/netcraft
# Host enumeration
modules load recon/hosts-hosts/resolve
modules load recon/hosts-ports/shodan_hostname
modules load recon/netblocks-hosts/shodan_net
# Contact harvesting
modules load recon/domains-contacts/whois_pocs
modules load recon/domains-contacts/metacrawler
modules load recon/contacts-contacts/fullcontact
# Social media profiling
modules load recon/profiles-profiles/twitter
modules load recon/contacts-profiles/fullcontact
API Key Management
Setting Up API Keys
# Show required API keys
[recon-ng][example_com] > keys list
# Add API key
[recon-ng][example_com] > keys add shodan_api <your_api_key>
[recon-ng][example_com] > keys add google_api <your_api_key>
[recon-ng][example_com] > keys add bing_api <your_api_key>
# Remove API key
[recon-ng][example_com] > keys remove shodan_api
# Show configured keys
[recon-ng][example_com] > keys list
Common API Services
# Shodan (for host/port information)
keys add shodan_api <shodan_api_key>
# Google Custom Search (for web searches)
keys add google_api <google_api_key>
keys add google_cse <custom_search_engine_id>
# Bing Search API
keys add bing_api <bing_api_key>
# FullContact (for contact information)
keys add fullcontact_api <fullcontact_api_key>
# Hunter.io (for email discovery)
keys add hunter_api <hunter_api_key>
# SecurityTrails (for DNS data)
keys add securitytrails_api <securitytrails_api_key>
# VirusTotal (for domain/IP reputation)
keys add virustotal_api <virustotal_api_key>
Advanced Reconnaissance Workflows
Domain Reconnaissance Workflow
#!/bin/bash
# recon-ng-domain-workflow.sh
DOMAIN="$1"
WORKSPACE="$2"
if [ $# -ne 2 ]; then
echo "Usage: $0 <domain> <workspace>"
exit 1
fi
# Create Recon-ng resource script
cat > domain_recon.rc << EOF
workspaces create $WORKSPACE
workspaces select $WORKSPACE
db insert domains $DOMAIN
# DNS enumeration
modules load recon/domains-hosts/hackertarget
options set SOURCE $DOMAIN
run
modules load recon/domains-hosts/threatcrowd
options set SOURCE $DOMAIN
run
modules load recon/domains-hosts/certificate_transparency
options set SOURCE $DOMAIN
run
# Subdomain discovery
modules load recon/domains-hosts/google_site_web
options set SOURCE $DOMAIN
run
modules load recon/domains-hosts/bing_domain_web
options set SOURCE $DOMAIN
run
# Contact harvesting
modules load recon/domains-contacts/whois_pocs
options set SOURCE $DOMAIN
run
modules load recon/domains-contacts/metacrawler
options set SOURCE $DOMAIN
run
# Host resolution
modules load recon/hosts-hosts/resolve
run
# Port scanning (if Shodan API available)
modules load recon/hosts-ports/shodan_hostname
run
# Generate report
modules load reporting/html
options set FILENAME $WORKSPACE_report.html
run
show domains
show hosts
show contacts
EOF
echo "Running Recon-ng domain reconnaissance for $DOMAIN"
recon-ng -r domain_recon.rc
Company Intelligence Gathering
# Create company intelligence script
cat > company_recon.rc << 'EOF'
workspaces create company_intel
workspaces select company_intel
# Add company domain
db insert domains company.com
# Employee enumeration
modules load recon/domains-contacts/whois_pocs
options set SOURCE company.com
run
modules load recon/domains-contacts/metacrawler
options set SOURCE company.com
run
# Social media profiling
modules load recon/contacts-profiles/fullcontact
run
modules load recon/profiles-profiles/twitter
run
# Technology stack identification
modules load recon/domains-hosts/hackertarget
options set SOURCE company.com
run
# Infrastructure discovery
modules load recon/hosts-ports/shodan_hostname
run
modules load recon/netblocks-hosts/shodan_net
run
# Generate comprehensive report
modules load reporting/html
options set FILENAME company_intelligence.html
run
show summary
EOF
Automated Reconnaissance Script
#!/usr/bin/env python3
# automated-recon.py
import subprocess
import json
import time
import os
class ReconNGAutomation:
def __init__(self, workspace_name):
self.workspace = workspace_name
self.results = \\\\{\\\\}
def create_workspace(self):
"""Create and select workspace"""
commands = [
f"workspaces create \\\\{self.workspace\\\\}",
f"workspaces select \\\\{self.workspace\\\\}"
]
return commands
def add_domains(self, domains):
"""Add domains to workspace"""
commands = []
for domain in domains:
commands.append(f"db insert domains \\\\{domain\\\\}")
return commands
def run_reconnaissance_modules(self, target_type="domains"):
"""Run reconnaissance modules based on target type"""
modules = \\\\{
"domains": [
"recon/domains-hosts/hackertarget",
"recon/domains-hosts/threatcrowd",
"recon/domains-hosts/certificate_transparency",
"recon/domains-hosts/google_site_web",
"recon/domains-contacts/whois_pocs"
],
"hosts": [
"recon/hosts-hosts/resolve",
"recon/hosts-ports/shodan_hostname"
],
"contacts": [
"recon/contacts-profiles/fullcontact",
"recon/contacts-contacts/fullcontact"
]
\\\\}
commands = []
for module in modules.get(target_type, []):
commands.extend([
f"modules load \\\\{module\\\\}",
"run",
"back"
])
return commands
def generate_reports(self):
"""Generate various reports"""
commands = [
"modules load reporting/html",
f"options set FILENAME \\\\{self.workspace\\\\}_report.html",
"run",
"back",
"modules load reporting/json",
f"options set FILENAME \\\\{self.workspace\\\\}_data.json",
"run",
"back"
]
return commands
def create_resource_script(self, domains, output_file="auto_recon.rc"):
"""Create complete resource script"""
all_commands = []
# Setup workspace
all_commands.extend(self.create_workspace())
# Add domains
all_commands.extend(self.add_domains(domains))
# Run reconnaissance
all_commands.extend(self.run_reconnaissance_modules("domains"))
all_commands.extend(self.run_reconnaissance_modules("hosts"))
all_commands.extend(self.run_reconnaissance_modules("contacts"))
# Generate reports
all_commands.extend(self.generate_reports())
# Add summary commands
all_commands.extend([
"show domains",
"show hosts",
"show contacts",
"show profiles"
])
# Write to file
with open(output_file, 'w') as f:
for command in all_commands:
f.write(command + '\n')
return output_file
def run_automation(self, domains):
"""Run complete automation"""
script_file = self.create_resource_script(domains)
print(f"Running automated reconnaissance for \\\\{len(domains)\\\\} domains")
print(f"Workspace: \\\\{self.workspace\\\\}")
print(f"Script: \\\\{script_file\\\\}")
try:
result = subprocess.run(
['recon-ng', '-r', script_file],
capture_output=True,
text=True,
timeout=3600 # 1 hour timeout
)
if result.returncode == 0:
print("Reconnaissance completed successfully")
self.parse_results()
else:
print(f"Error: \\\\{result.stderr\\\\}")
except subprocess.TimeoutExpired:
print("Reconnaissance timed out")
except Exception as e:
print(f"Error running reconnaissance: \\\\{e\\\\}")
def parse_results(self):
"""Parse and summarize results"""
json_file = f"\\\\{self.workspace\\\\}_data.json"
if os.path.exists(json_file):
try:
with open(json_file, 'r') as f:
data = json.load(f)
print("\n=== Reconnaissance Summary ===")
for table, records in data.items():
if records:
print(f"\\\\{table.title()\\\\}: \\\\{len(records)\\\\} found")
# Show sample data
if len(records) > 0:
sample = records[0]
print(f" Sample: \\\\{sample\\\\}")
except Exception as e:
print(f"Error parsing results: \\\\{e\\\\}")
def main():
import sys
if len(sys.argv) < 3:
print("Usage: python3 automated-recon.py <workspace> <domain1> [domain2] ...")
sys.exit(1)
workspace = sys.argv[1]
domains = sys.argv[2:]
automation = ReconNGAutomation(workspace)
automation.run_automation(domains)
if __name__ == "__main__":
main()
Database Operations
Advanced Queries
# Custom SQL queries
[recon-ng][example_com] > db query SELECT * FROM domains WHERE domain LIKE '%.example.com'
# Count records
[recon-ng][example_com] > db query SELECT COUNT(*) FROM hosts
# Join tables
[recon-ng][example_com] > db query SELECT d.domain, h.ip_address FROM domains d JOIN hosts h ON d.domain = h.host
# Export data
[recon-ng][example_com] > db query SELECT * FROM contacts WHERE email LIKE '%@example.com'
Data Import/Export
# Import from CSV
modules load import/csv_file
options set FILENAME contacts.csv
options set TABLE contacts
run
# Import from Nmap XML
modules load import/nmap
options set FILENAME nmap_scan.xml
run
# Export to various formats
modules load reporting/csv
options set FILENAME export.csv
run
modules load reporting/json
options set FILENAME export.json
run
modules load reporting/xml
options set FILENAME export.xml
run
Database Backup and Restore
# Backup workspace database
cp ~/.recon-ng/workspaces/example_com/data.db backup_example_com.db
# Restore workspace database
cp backup_example_com.db ~/.recon-ng/workspaces/example_com/data.db
# Export workspace data
[recon-ng][example_com] > modules load reporting/json
[recon-ng][example_com][json] > options set FILENAME full_backup.json
[recon-ng][example_com][json] > run
Custom Module Development
Module Template
#!/usr/bin/env python3
# custom_module.py
from recon.core.module import BaseModule
class Module(BaseModule):
meta = \\\\{
'name': 'Custom Reconnaissance Module',
'author': 'Your Name ``<your.email@example.com>``',
'version': '1.0',
'description': 'Description of what the module does',
'required_keys': ['api_key'],
'dependencies': ['requests'],
'files': [],
'options': (
('source', None, True, 'source of input (see \'show info\' for details)'),
('limit', 100, False, 'limit number of results'),
),
\\\\}
def module_run(self, sources):
"""Main module execution"""
for source in sources:
self.heading(f"Processing: \\\\{source\\\\}", level=0)
# Your reconnaissance logic here
results = self.custom_recon_function(source)
# Process results
for result in results:
self.insert_hosts(
host=result['host'],
ip_address=result['ip'],
region=result.get('region'),
country=result.get('country')
)
def custom_recon_function(self, target):
"""Custom reconnaissance function"""
# Implement your reconnaissance logic
# Return list of dictionaries with results
results = []
try:
# Example API call or data processing
response = self.request('GET', f'https://api.example.com/lookup/\\\\{target\\\\}')
data = response.json()
for item in data.get('results', []):
results.append(\\\\{
'host': item['hostname'],
'ip': item['ip_address'],
'region': item.get('region'),
'country': item.get('country')
\\\\})
except Exception as e:
self.error(f"Error processing \\\\{target\\\\}: \\\\{e\\\\}")
return results
Installing Custom Modules
# Copy module to modules directory
cp custom_module.py ~/.recon-ng/modules/recon/domains-hosts/
# Reload modules
[recon-ng][example_com] > modules reload
# Load custom module
[recon-ng][example_com] > modules load recon/domains-hosts/custom_module
# Use custom module
[recon-ng][example_com][custom_module] > options set SOURCE example.com
[recon-ng][example_com][custom_module] > run
Integration with Other Tools
Nmap Integration
#!/bin/bash
# recon-ng-nmap-integration.sh
WORKSPACE="$1"
NMAP_OUTPUT="nmap_results.xml"
if [ $# -ne 1 ]; then
echo "Usage: $0 <workspace>"
exit 1
fi
# Export hosts from Recon-ng
cat > export_hosts.rc << EOF
workspaces select $WORKSPACE
db query SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL
EOF
# Get IP addresses
recon-ng -r export_hosts.rc|grep -oE '([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}'|sort -u > ips.txt
if [ -s ips.txt ]; then
echo "Scanning $(wc -l < ips.txt) IP addresses with Nmap"
# Run Nmap scan
nmap -sS -sV -O -oX "$NMAP_OUTPUT" -iL ips.txt
# Import results back to Recon-ng
cat > import_nmap.rc << EOF
workspaces select $WORKSPACE
modules load import/nmap
options set FILENAME $NMAP_OUTPUT
run
EOF
recon-ng -r import_nmap.rc
echo "Nmap results imported to Recon-ng workspace: $WORKSPACE"
else
echo "No IP addresses found in workspace"
fi
Metasploit Integration
#!/bin/bash
# recon-ng-metasploit-integration.sh
WORKSPACE="$1"
MSF_WORKSPACE="$2"
if [ $# -ne 2 ]; then
echo "Usage: $0 <recon_workspace> <msf_workspace>"
exit 1
fi
# Export data from Recon-ng
cat > export_data.rc << EOF
workspaces select $WORKSPACE
modules load reporting/json
options set FILENAME recon_data.json
run
EOF
recon-ng -r export_data.rc
# Create Metasploit resource script
python3 << 'PYTHON_SCRIPT'
import json
import sys
try:
with open('recon_data.json', 'r') as f:
data = json.load(f)
with open('metasploit_import.rc', 'w') as f:
f.write(f"workspace -a \\\\{sys.argv[1]\\\\}\n")
f.write(f"workspace \\\\{sys.argv[1]\\\\}\n\n")
# Import hosts
if 'hosts' in data:
for host in data['hosts']:
if host.get('ip_address'):
f.write(f"hosts -a \\\\{host['ip_address']\\\\}")
if host.get('host'):
f.write(f" -n \\\\{host['host']\\\\}")
f.write("\n")
# Import services/ports
if 'ports' in data:
for port in data['ports']:
if port.get('ip_address') and port.get('port'):
f.write(f"services -a -p \\\\{port['port']\\\\}")
if port.get('protocol'):
f.write(f" -s \\\\{port['protocol']\\\\}")
f.write(f" \\\\{port['ip_address']\\\\}\n")
# Add notes for contacts
if 'contacts' in data:
for contact in data['contacts']:
if contact.get('email'):
f.write(f"notes -a -t email -d \"\\\\{contact['email']\\\\}\"")
if contact.get('first_name') and contact.get('last_name'):
f.write(f" -n \"\\\\{contact['first_name']\\\\} \\\\{contact['last_name']\\\\}\"")
f.write("\n")
f.write("\nworkspace\nhosts\nservices\nnotes\n")
print("Metasploit resource script created: metasploit_import.rc")
print(f"Run with: msfconsole -r metasploit_import.rc")
except Exception as e:
print(f"Error: \\\\{e\\\\}")
PYTHON_SCRIPT "$MSF_WORKSPACE"
OSINT Framework Integration
#!/usr/bin/env python3
# osint-framework-integration.py
import json
import requests
import subprocess
from pathlib import Path
class OSINTFrameworkIntegration:
def __init__(self, workspace):
self.workspace = workspace
self.results = \\\\{\\\\}
def export_recon_data(self):
"""Export data from Recon-ng workspace"""
script_content = f"""
workspaces select \\\\{self.workspace\\\\}
modules load reporting/json
options set FILENAME osint_export.json
run
"""
with open('export_script.rc', 'w') as f:
f.write(script_content)
try:
subprocess.run(['recon-ng', '-r', 'export_script.rc'], check=True)
with open('osint_export.json', 'r') as f:
self.results = json.load(f)
return True
except Exception as e:
print(f"Error exporting data: \\\\{e\\\\}")
return False
def run_additional_osint(self):
"""Run additional OSINT tools on discovered data"""
if 'domains' in self.results:
for domain_record in self.results['domains']:
domain = domain_record.get('domain')
if domain:
print(f"Running additional OSINT for: \\\\{domain\\\\}")
# Run theHarvester
self.run_theharvester(domain)
# Run Shodan lookup
self.run_shodan_lookup(domain)
# Run certificate transparency lookup
self.run_crt_sh_lookup(domain)
def run_theharvester(self, domain):
"""Run theHarvester on domain"""
try:
cmd = ['theharvester', '-d', domain, '-l', '100', '-b', 'google,bing']
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
# Parse theHarvester output
output_file = f"theharvester_\\\\{domain.replace('.', '_')\\\\}.txt"
with open(output_file, 'w') as f:
f.write(result.stdout)
print(f"theHarvester results saved: \\\\{output_file\\\\}")
except Exception as e:
print(f"Error running theHarvester for \\\\{domain\\\\}: \\\\{e\\\\}")
def run_shodan_lookup(self, domain):
"""Run Shodan lookup on domain"""
try:
# This would require Shodan API key
# Placeholder for Shodan integration
print(f"Shodan lookup for \\\\{domain\\\\} (requires API key)")
except Exception as e:
print(f"Error with Shodan lookup: \\\\{e\\\\}")
def run_crt_sh_lookup(self, domain):
"""Run certificate transparency lookup"""
try:
url = f"https://crt.sh/?q=\\\\{domain\\\\}&output=json"
response = requests.get(url, timeout=30)
if response.status_code == 200:
certs = response.json()
output_file = f"crtsh_\\\\{domain.replace('.', '_')\\\\}.json"
with open(output_file, 'w') as f:
json.dump(certs, f, indent=2)
print(f"Certificate transparency results saved: \\\\{output_file\\\\}")
except Exception as e:
print(f"Error with crt.sh lookup for \\\\{domain\\\\}: \\\\{e\\\\}")
def generate_comprehensive_report(self):
"""Generate comprehensive OSINT report"""
report_file = f"comprehensive_osint_\\\\{self.workspace\\\\}.html"
html_content = f"""
<!DOCTYPE html>
<html>
<head>
<title>Comprehensive OSINT Report - \\\\{self.workspace\\\\}</title>
<style>
body \\\\{\\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}\\\\}
.section \\\\{\\\\{ margin: 20px 0; \\\\}\\\\}
.section h2 \\\\{\\\\{ color: #333; border-bottom: 2px solid #ccc; \\\\}\\\\}
table \\\\{\\\\{ border-collapse: collapse; width: 100%; \\\\}\\\\}
th, td \\\\{\\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}\\\\}
th \\\\{\\\\{ background-color: #f2f2f2; \\\\}\\\\}
</style>
</head>
<body>
<h1>Comprehensive OSINT Report</h1>
<p><strong>Workspace:</strong> \\\\{self.workspace\\\\}</p>
<p><strong>Generated:</strong> \\\\{Path().cwd()\\\\}</p>
<div class="section">
<h2>Summary</h2>
<ul>
<li>Domains: \\\\{len(self.results.get('domains', []))\\\\}</li>
<li>Hosts: \\\\{len(self.results.get('hosts', []))\\\\}</li>
<li>Contacts: \\\\{len(self.results.get('contacts', []))\\\\}</li>
<li>Profiles: \\\\{len(self.results.get('profiles', []))\\\\}</li>
</ul>
</div>
<div class="section">
<h2>Domains</h2>
<table>
<tr><th>Domain</th><th>Module</th></tr>
"""
for domain in self.results.get('domains', []):
html_content += f"""
<tr>
<td>\\\\{domain.get('domain', '')\\\\}</td>
<td>\\\\{domain.get('module', '')\\\\}</td>
</tr>
"""
html_content += """
</table>
</div>
<div class="section">
<h2>Hosts</h2>
<table>
<tr><th>Host</th><th>IP Address</th><th>Region</th><th>Country</th></tr>
"""
for host in self.results.get('hosts', []):
html_content += f"""
<tr>
<td>\\\\{host.get('host', '')\\\\}</td>
<td>\\\\{host.get('ip_address', '')\\\\}</td>
<td>\\\\{host.get('region', '')\\\\}</td>
<td>\\\\{host.get('country', '')\\\\}</td>
</tr>
"""
html_content += """
</table>
</div>
</body>
</html>
"""
with open(report_file, 'w') as f:
f.write(html_content)
print(f"Comprehensive report generated: \\\\{report_file\\\\}")
def main():
import sys
if len(sys.argv) != 2:
print("Usage: python3 osint-framework-integration.py <workspace>")
sys.exit(1)
workspace = sys.argv[1]
integration = OSINTFrameworkIntegration(workspace)
if integration.export_recon_data():
integration.run_additional_osint()
integration.generate_comprehensive_report()
else:
print("Failed to export Recon-ng data")
if __name__ == "__main__":
main()
Best Practices
Reconnaissance Methodology
1. Planning Phase:
- Define scope and objectives
- Identify target domains/organizations
- Set up proper workspace organization
- Configure API keys for enhanced data
2. Passive Reconnaissance:
- Start with DNS enumeration
- Use certificate transparency logs
- Gather contact information
- Avoid direct target interaction
3. Data Validation:
- Cross-reference findings
- Validate discovered hosts
- Verify contact information
- Check for false positives
4. Documentation:
- Maintain detailed workspace records
- Generate comprehensive reports
- Document methodology used
- Preserve evidence chain
Operational Security
#!/bin/bash
# recon-ng-opsec-checklist.sh
echo "Recon-ng OPSEC Checklist"
echo "========================"
echo "1. Network Security:"
echo " □ Use VPN or proxy"
echo " □ Rotate IP addresses"
echo " □ Monitor API rate limits"
echo " □ Use different user agents"
echo -e "\n2. Data Security:"
echo " □ Encrypt workspace databases"
echo " □ Secure API key storage"
echo " □ Use secure file permissions"
echo " □ Regular backup procedures"
echo -e "\n3. Legal Compliance:"
echo " □ Verify authorization scope"
echo " □ Respect API terms of service"
echo " □ Document all activities"
echo " □ Follow local regulations"
echo -e "\n4. Technical Measures:"
echo " □ Use isolated environment"
echo " □ Monitor system resources"
echo " □ Implement logging"
echo " □ Regular tool updates"
Troubleshooting
Common Issues
# Issue: Module not found
# Solution: Reload modules
[recon-ng][workspace] > modules reload
# Issue: API key errors
# Check API key configuration
[recon-ng][workspace] > keys list
# Issue: Database errors
# Check database schema
[recon-ng][workspace] > db schema
# Issue: No results from modules
# Verify target data exists
[recon-ng][workspace] > show domains
[recon-ng][workspace] > show hosts
Debug Mode
# Enable debug mode
recon-ng --debug
# Check module dependencies
[recon-ng][workspace] > modules load <module>
[recon-ng][workspace][module] > info
# Verify API connectivity
[recon-ng][workspace] > keys list
Performance Optimization
# Use specific modules instead of running all
# Implement delays for API rate limiting
# Use workspace-specific configurations
# Regular database maintenance
# Clean up old workspaces
[recon-ng][workspace] > workspaces delete old_workspace
# Optimize database queries
[recon-ng][workspace] > db query VACUUM
Resources
- Recon-ng GitHub Repository
- Recon-ng Wiki
- Recon-ng Module Development
- OSINT Framework
- Web Reconnaissance Methodology
This cheat sheet provides comprehensive guidance for using Recon-ng for web reconnaissance and OSINT activities. Always ensure proper authorization and legal compliance before conducting any reconnaissance activities.