# Footprinting with Recon-NG ![](/files/730797e251a9e9bea34348b0172bb8068f13236f) On startup `recon-ng` we find an empty framework. The first thing we must do is install `modules` that enable different types of functionality in `recon-ng` (we can think of them as extensions or plugins). To see the available commands we use the command `help`: ![](https://i.imgur.com/CEy5WaL.png) ## Using Modules With any framework that uses modules or extensions we must know which commands are available so we can search for, install and remove modules when we no longer need them. ### Searching Modules in the Marketplace To search which modules are available for recon-ng, we have the command `marketplace search`, with which recon-ng will show a list of modules available to be installed: ![](https://i.imgur.com/po2xQvD.png) The list of available modules is quite extensive, and we see that among the details we have `path`, `version`, `status`, `updated.` ![](https://i.imgur.com/ek70rM8.png) Additionally we have two columns called `D` and `K` that indicate if the module has Dependencies (D) or if it requires a key (K), as is for example the case of `shodan_ip`. ### Adding API keys If the module we try to use requires an API key, we can add it to recon-ng as follows: `keys add shodan_api {API_KEY}`: ![](https://i.imgur.com/mXiwAuk.png) > The added keys are stored in the file `keys.db` in the folder where recon-ng is installed. ### Installing Modules To be able to install modules, we have the command `marketplace`. To install a module, for example `shodan_ip`. We use the following command: `marketplace install shodan_ip`: ![](https://i.imgur.com/OVZdn4k.png) This way we leave the selected module installed. ### Loading and configuring Modules It is necessary to load the module you want to use, in this case: `modules load shodan_ip`. Similar to other frameworks like `metasploit`. In recon-ng modules have different options that we must set in order to run them. To see the required (and optional) options of the selected module we use the following command: `options list`: ![](https://i.imgur.com/rTwi9v7.png) If we run the command `info`, we can see the different types of options that can be set and their current values. Additionally we get a detail of which values we can set for the option `SOURCE`. ![](https://i.imgur.com/RO4Q1lN.png) ### Setting Options To set options we use the command `options set {OPTION_NAME}`, in this case the module needs that `SOURCE` is set. The source in our case is the target IP (obtained on shodan.io): ![](https://i.imgur.com/viuIMVx.png) ### Running the Module At this point we are ready to run the module, for that we use the command `run`: ![](https://i.imgur.com/KGshirb.png) As we can see the module performs a scan of the target and returns certain details about it. If we enter the command `show ports` we can see the list of ports discovered during the scan: ![](https://i.imgur.com/WYdsnOx.png) It is also possible to use other modules that return other types of information. For example we can install the module `whois_pocs`, configure it and run it: ![](https://i.imgur.com/4j4YsH3.png) This way we perform a simple scan using `shodan` to obtain open ports and then using the module `whois_opcs` we obtained information from `whois` in an additional scan. ## Workspaces in Recon-ng It is important to keep in mind that recon-ng allows us to organize our information in different `workspaces` or work spaces. The advantage of this is that we can have our information separated for example, by targets or clients for whom we are doing reconnaissance. This way it is very simple to have a space for example for everything related to our reconnaissance tasks for `microsoft.com` and in another workspace have everything related to `udemy.com`. The use of workspaces is very simple as we see below: ![](https://i.imgur.com/qaG8pnp.png) * `workspaces list` lets us see all existing workspaces. * `workspaces create {WORKSPACE_NAME}` allows us to create a new one. * `workspaces load {WORKSPACE_NAME}` allows us to load and mark a given workspace as active. * `workspaces remove {WORKSPACE_NAME}` allows us to delete a workspace. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://tzero86.gitbook.io/tzero86/footprinting-and-reconnaissance/untitled-1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.