RECON-NG

FOR EDUCATIONAL PURPOSES ONLY

Recon-ng is a modular, open-source web reconnaissance framework written in Python. Think of it as the Metasploit of recon. It's CLI-driven, database-backed, and designed for automation of OSINT (Open Source Intelligence) gathering.

In the underground, information is leverage, and recon-ng turns passive recon into a surgical operation. While script kiddies run whois and nslookup, recon-ng gives you scalable recon with structured data you can feed into your attack pipeline.

You’re not just gathering domains — you’re profiling targets, pivoting off their infrastructure, chaining data points to build an actionable pre-exploitation picture.

Core Capabilities That Make It Dangerous

Capability	Black Hat Use
Modular System	Dozens of plug-and-play modules — use only what you need. Think recon/domains-hosts/bing_domain_web or contacts-credspills.
Workspace Management	Set up isolated recon workspaces per target. Keeps your intel clean and organized.
Database Integration	Auto-stores results in an internal database. Perfect for later correlation or feeding into phishing kits, exploit dev, or password spray tools.
API Integration	Uses public APIs (Shodan, HaveIBeenPwned, GitHub, etc.) — stealthy, passive, and completely anonymous if proxied properly.
Chained Modules	You can chain modules — i.e., enumerate subdomains → resolve to IPs → scan for exposed services, all within recon-ng.

Workflow

Setup Workspace

workspaces create targetcorp

Import Target Domain

add domains targetcorp.com

Enumerate Subdomains

recon/domains-hosts/brute_hosts
run

Resolve to IPs

recon/hosts-hosts/resolve
run

Discover Contacts

recon/hosts-contacts/whois_pocs
run

Pull Breached Creds

recon/contacts-credentials/hibp_pwned
run

Now you’ve got:

• Valid subdomains

• IP ranges

• Email addresses of employees

• Breached creds

Feed that into:

• A phishing campaign

• Credential stuffing attacks

• VPN brute-force

• Pivot into DevOps leaks (GitHub, GitLab, S3 buckets)

Anonymity Layer Integration

Expert black hats always obfuscate intel gathering:

• Route recon-ng traffic via ProxyChains + Tor + dynamic proxies

• Rotate API keys using disposable accounts

• Feed data into custom recon DBs to correlate with Shodan, Censys, etc.

In expert hands, it becomes the intelligence arm of your attack kill chain. It reduces time-to-pwn by front-loading contextual data, so you waste zero time on noisy scans or dead vectors.

Combine it with:

• theHarvester (manual recon)

• Amass (graph-based enum)

• Custom Python tooling

• and you’ve got a dark recon suite that maps entire digital footprints before you ever touch a target port.

Workspace Isolation + Proxies

proxychains recon-ng

Inside recon-ng:

workspaces create targetcorp
set TIMEOUT 15
set MAX_THREADS 10

You can also rotate proxies through proxychains.conf with dynamic lists (more below).

Seed Target Domain

add domains targetcorp.com

Subdomain Enurmeration

Start with passive, low-footprint modules

use recon/domains-hosts/bing_domain_web
run

use recon/domains-hosts/brute_hosts
run

use recon/domains-hosts/google_site_web
run

use recon/domains-hosts/netcraft
run

Followed by resolution

use recon/hosts-hosts/resolve
run

Extract employees and emails

use recon/domains-contacts/whois_pocs
run

use recon/domains-contacts/google_mails
run

use recon/domains-contacts/jigsaw
run

Now that you have contacts

use recon/contacts-credentials/hibp_pwned
run

You’ve just found valid email addresses + exposed creds from public breaches. These can be used in:

• Password spraying

• MFA exhaustion

• Social engineering lures

Pull down public code and secrets

use recon/domains-vulnerabilities/github_push
run

Check commits, emails, and leaked tokens from their developers. You’ll often find:

• .env files

• AWS credentials

• Slack or SMTP creds

Combine this with a GitHub dork scanner or use GitRob for deeper exploration.

Export everything for custom analysis

export csv /root/recon/targetcorp.csv

From here, you can:

• Pipe into tools like EyeWitness for screenshots

• Use Nmap on the IPs for service discovery (only if you’re going active)

• Check Shodan / Censys for indexed service banners (anonymous)

Custom Automation Script

# fetch_proxies.py

import requests

url = 'https://api.proxyscrape.com/?request=getproxies&proxytype=http&timeout=1000&country=all&ssl=all&anonymity=elite'

with open('/etc/proxychains4/proxychains.conf', 'w') as file:
    file.write("[ProxyList]\n")
    proxies = requests.get(url).text.strip().split('\n')
    for p in proxies[:20]:
        ip, port = p.split(":")
        file.write(f"http {ip} {port}\n")

print("[+] Proxychains config updated with fresh elite proxies.")

Run this before recon to rotate IPs.

Advanced Ideas to Chain

Target Type	Add This
Web App	Feed subdomains into dirsearch, ffuf, or Burp for endpoint discovery
Employees	Use LinkedIn scraping tools or sherlock to find usernames on 50+ platforms
Git Leaks	GitRob, TruffleHog, or gitleaks on any public repo tied to the domain
IP Ranges	Use asnmap or ipinfo.io to find their ASN → map out owned CIDRs
Cloud Targets	Feed domains into S3Scanner, Bucket Finder, or CloudSploit for exposed AWS assets

Build the Kill Chain

Now that you have:

• Emails + leaked passwords

• Subdomains + IPs

• Developer leaks

• Exposed credentials

• DNS map + live assets

You’re ready to:

1. Run credential stuffing on their VPN or Outlook Web App.

2. Clone login portals for phishing.

3. Drop into their CI/CD via GitHub secrets.

4. Find a forgotten dev/test subdomain and pivot in.

OPSEC Tips

Tip	Benefit
Use tailscale or Mullvad bridge	Masks origin, drops logs
Script browser scrapers via selenium-wire over Tor	Undetectable by recon-ng logs
Never touch the target directly unless needed	Passive recon keeps you safe
Store data in local SQLite or Elastic DB for repeat analysis	Useful for multiple campaigns

Here's a full Python automation script to:

1. Fetch fresh elite proxies

2. Update proxychains.conf

3. Launch recon-ng

4. Auto-run a recon module chain via recon-ng CLI commands

5. Export the data for post-processing

Run this as root, and make sure recon-ng and proxychains4 are properly installed

#!/usr/bin/env python3

import subprocess
import requests
import os
import time

# === SETTINGS ===
TARGET_DOMAIN = "targetcorp.com"
WORKSPACE_NAME = "targetcorp"
PROXY_COUNT = 20
RECON_EXPORT_PATH = f"/root/recon/{TARGET_DOMAIN}.csv"
PROXYCHAINS_CONF = "/etc/proxychains4/proxychains.conf"

# === STEP 1: Fetch fresh proxies and update proxychains ===
def update_proxychains():
    print("[*] Fetching elite proxies...")
    url = 'https://api.proxyscrape.com/?request=getproxies&proxytype=http&timeout=1000&country=all&ssl=all&anonymity=elite'
    try:
        response = requests.get(url, timeout=10)
        proxies = response.text.strip().split('\n')[:PROXY_COUNT]
        with open(PROXYCHAINS_CONF, 'w') as f:
            f.write("[ProxyList]\n")
            for p in proxies:
                ip, port = p.strip().split(':')
                f.write(f"http {ip} {port}\n")
        print(f"[+] Updated proxychains with {len(proxies)} proxies.")
    except Exception as e:
        print(f"[!] Proxy update failed: {e}")

# === STEP 2: Create recon-ng RC script ===
def generate_recon_script():
    script = f"""
workspaces create {WORKSPACE_NAME}
add domains {TARGET_DOMAIN}

use recon/domains-hosts/bing_domain_web
run

use recon/domains-hosts/google_site_web
run

use recon/domains-hosts/netcraft
run

use recon/domains-hosts/brute_hosts
run

use recon/hosts-hosts/resolve
run

use recon/domains-contacts/whois_pocs
run

use recon/domains-contacts/google_mails
run

use recon/domains-contacts/jigsaw
run

use recon/contacts-credentials/hibp_pwned
run

use recon/domains-vulnerabilities/github_push
run

export csv {RECON_EXPORT_PATH}
exit
"""
    script_path = f"/tmp/recon-{TARGET_DOMAIN}.rc"
    with open(script_path, "w") as f:
        f.write(script)
    return script_path

# === STEP 3: Execute recon-ng via proxychains ===
def run_recon(script_path):
    print("[*] Running recon-ng with proxychains...")
    cmd = ["proxychains4", "recon-ng", "-r", script_path]
    subprocess.run(cmd)

# === MAIN ===
if __name__ == "__main__":
    os.makedirs(os.path.dirname(RECON_EXPORT_PATH), exist_ok=True)
    update_proxychains()
    rc_script = generate_recon_script()
    run_recon(rc_script)
    print(f"[+] Recon complete. Exported to: {RECON_EXPORT_PATH}")

Usage

sudo python3 auto_recon.py

What the script does

• Grabs 20 elite proxies and overwrites /etc/proxychains4/proxychains.conf

• Generates a custom .rc file for recon-ng

• Chains passive recon modules:

  • Subdomain + email enum

  • WHOIS, GitHub, breach lookups

• Exports everything to /root/recon/targetcorp.csv

Passive-Only Modules

recon-ng is OPSEC-safe only if you restrict yourself to modules that do not query the target's infrastructure directly.

These do not touch the target, only third-party sources instead

recon/domains-hosts/bing_domain_web
recon/domains-hosts/netcraft
recon/domains-hosts/brute_hosts (careful if misconfigured)
recon/domains-contacts/google_mails
recon/domains-contacts/whois_pocs
recon/domains-contacts/jigsaw
recon/contacts-credentials/hibp_pwned
recon/domains-vulnerabilities/github_push

Avoid

• Any module that sends requests to subdomains directly (e.g., http, ssl, dns, geo modules)

• hostnames-to-ports, hostnames-to-http type modules

Global Anonymity with ProxyChains + Tor + SOCKS5 Bridge

proxychains4 recon-ng

Inside /etc/proxychains4/proxychains.conf:

dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5 127.0.0.1 9050
http 192.252.208.67 14287
http 198.8.94.174 39002

Never use DNS outside the proxy chain. Always set proxy_dns.

Isolation with Tailscale + Ephemeral Linux Envs

• Route recon-ng through a VPN → Tor → proxychains triple stack

• If in a lab, use Tailscale or WireGuard as the first layer for encrypted point-to-point routing

• Run recon-ng from:

  • Live ISO (Tails, Whonix)

  • Isolated Qubes VM

  • Disposable container (docker run -it --rm kalilinux/kali-rolling)

Avoid Artifact Leaks: Clean Storage + Exfil Handling

Recon-ng stores output in .recon-ng/ SQLite DB. Protect or exfil that data securely:

• Clean workspace post-run: workspaces delete NAME

• Avoid storing exports in /root/ or known locations

• Store to mounted encrypted volume:

mkdir /mnt/encrypted && cryptsetup luksOpen /dev/sdb1 stealthvol && mount /dev/mapper/stealthvol /mnt/encrypted

Exfil using scp over a hidden VPS or OnionShare

Randomization, Delays, and Noise Blending

To avoid triggering OSINT abuse alerts (like Jigsaw or WHOIS rate-limits):

set MAX_THREADS 5
set TIMEOUT 10

You can inject delays inside your .rc script:

sleep 3
run
sleep 5

Or dynamically from a Python controller that:

• Selects a random module order

• Introduces randomized sleep intervals

• Disguises automation fingerprints

Audit your OPSEC

After recon-ng is done:

• Inspect your DNS leaks:

  dig +short whoami.akamai.net @ns1-1.akamaitech.net

• Check your public IPs:

  curl ifconfig.me
  torsocks curl ifconfig.me

• Clean history:

  history -c
  shred -u ~/.recon-ng/*.db

Use iptables or firejail to ensure recon-ng only runs over Tor/proxy:

firejail --net=torproxy recon-ng

Conceptual Application

Scenario	Technique
Prepping phishing	Enumerate valid emails → correlate breaches → verify names via OSINT
Red team recon	Export recon-ng data → import into Maltego/Neo4j for visualization
Insider attacks	Use GitHub modules to clone devs' commits → leak tokens
Dark web extortion	Correlate exposed infrastructure + emails with breached forum accounts

OPSEC-Focused Script Overview

• Uses only passive recon-ng modules

• Randomizes module order

• Inserts artificial randomized delays

• Routes all traffic via proxychains (Tor + HTTP proxies)

• Clears disk artifacts and logs after execution

#!/usr/bin/env python3

import subprocess
import random
import time
import os
import shutil

# === CONFIGURATION ===
TARGET_DOMAIN = "targetcorp.com"
WORKSPACE_NAME = "stealth_" + TARGET_DOMAIN.replace('.', '_')
EXPORT_PATH = f"/dev/shm/{TARGET_DOMAIN}_export.csv"
RC_SCRIPT_PATH = f"/tmp/.rc_{TARGET_DOMAIN}.tmp"
PROXYCHAINS_CONF = "/etc/proxychains4/proxychains.conf"
PASSIVE_MODULES = [
    "recon/domains-hosts/bing_domain_web",
    "recon/domains-hosts/netcraft",
    "recon/domains-hosts/brute_hosts",
    "recon/domains-contacts/whois_pocs",
    "recon/domains-contacts/google_mails",
    "recon/domains-contacts/jigsaw",
    "recon/contacts-credentials/hibp_pwned",
    "recon/domains-vulnerabilities/github_push"
]

# === STEP 1: Randomize Module Order & Add Sleep Delays ===
def generate_rc_script():
    random.shuffle(PASSIVE_MODULES)
    with open(RC_SCRIPT_PATH, "w") as f:
        f.write(f"workspaces create {WORKSPACE_NAME}\n")
        f.write(f"add domains {TARGET_DOMAIN}\n")
        for mod in PASSIVE_MODULES:
            sleep_time = random.randint(3, 8)
            f.write(f"use {mod}\n")
            f.write("run\n")
            f.write(f"sleep {sleep_time}\n")
        f.write(f"export csv {EXPORT_PATH}\n")
        f.write("exit\n")

# === STEP 2: Run recon-ng with Proxychains ===
def run_recon():
    subprocess.run(["proxychains4", "recon-ng", "-r", RC_SCRIPT_PATH])

# === STEP 3: Secure Clean-Up ===
def shred(path):
    if os.path.isfile(path):
        subprocess.run(["shred", "-u", path])
    elif os.path.isdir(path):
        for root, dirs, files in os.walk(path, topdown=False):
            for name in files:
                shred(os.path.join(root, name))
            for name in dirs:
                os.rmdir(os.path.join(root, name))
        os.rmdir(path)

def full_cleanup():
    print("[*] Cleaning up traces...")
    # Remove recon-ng history
    home = os.path.expanduser("~")
    recon_db = os.path.join(home, ".recon-ng")
    if os.path.isdir(recon_db):
        shred(recon_db)
    # Remove generated scripts/exports
    for path in [RC_SCRIPT_PATH, EXPORT_PATH]:
        if os.path.exists(path):
            shred(path)
    # Clear shell history
    subprocess.run(["history", "-c"])
    subprocess.run(["shred", "-u", os.path.expanduser("~/.bash_history")])
    print("[+] Cleanup complete.")

# === MAIN ===
if __name__ == "__main__":
    generate_rc_script()
    run_recon()
    print(f"[+] Recon complete. Export saved to {EXPORT_PATH}")
    input("[!] Press Enter to initiate full OPSEC cleanup...")
    full_cleanup()

DNS Leak Prevention

Make sure /etc/proxychains4/proxychains.conf includes:

proxy_dns
dynamic_chain
[ProxyList]
socks5 127.0.0.1 9050

Full Erasure Checklist

Artifact	Command to Erase
Shell history	history -c && shred -u ~/.bash_history
recon-ng workspace	~/.recon-ng (use shred -u -z -n 5 recursively)
Logs	journalctl --rotate && journalctl --vacuum-time=1s
Temp files	/tmp, /var/tmp, /dev/shm → shred or use tmpfs
Memory	swapoff -a && swapon -a (flush swap)
Exported data	Use EXPORT_PATH to /dev/shm or encrypted FS

Real-World Use Case Flow

• Connect to jump-box (VPS or burner Pi over cellular)

• Boot encrypted live OS (Tails or Whonix)

• Use proxychains4 with layered Tor/proxy/VPN

• Run stealth_recon.py against target

• Pipe results into temporary RAM (e.g., /dev/shm)

• Copy to external device or exfil via scp

• Initiate secure wipe