Recon-ng: Profiler Module

My newest recon-ng module, “profiler”,  is going to really blow you away. It doesn’t do anything miraculous like crypto or ZigBee or SCADA but it does make it easy for you to get information about users on the Internet.

Here is the basic premise: you want to find out if a certain user name exists on a bunch ‘o web sites. You enter those names into the recon-ng profiles table and then run the profiler module. It’ll send requests out to each site it knows about (over 160 right now!) and will see if that user name exists. Cool huh? Not revolutionary but, for lazy guys like me, helpful.

So, picture you are doing some research on “Kim Kelly”. I have no idea who that really is…it is just a name I picked. You may create a MindMap file that looks like the below:

Before using the module, you do need to do some work to find the user names that you will feed to the module (see content on the left of the above picture). Google/DuckDuckGo to your heart’s content but get those names.

Grab recon-ng from

NOTE: For Recon-ng version 5 commands look directly after this. The original blog used and shows content for Recon-ng version 4.

Version 5:

  • workspaces create test1
  • modules load profiler
  • db insert profiles dreadpirateroberts~~~~
  • db insert profiles farmboywesley~~~~
  • run
  • Once it is done, type: "show profiles" (no quotes) to see the results.

The OLD Recon-ng version 4:

Here is what I’ve done in the picture below:

  • Create a new workspace to separate my data – workspaces add kimkelly
  • Query the “profiles” table to see if there is any existing data there (there is not) – show profiles
  • Add the usernames I’ve found from the MindMap into the profiles table – add profiles name~~~~
  • Looking once more at the profiles table content to ensure I didn’t fat finger anything – show profiles
  • Load the profiler module – use profiler
  • Run the module – run

Now we run the module and look at the output. Green text means that it may have found a hit. Keep in mind that there may be LOTS of people using that same username on the Interwebs so it is important that you visit the site and corroborate the information to ensure that it is YOUR target and not some other person.

Once it finishes looking for the first user name, it’ll switch to the next one.

Let it run and, when it finishes, look at your results in the profiles table (show profiles). Sorry the picture below is such a small picture but it is very wide due to one of the sites.

Now visit each site and get your additional data! You may also want to use the recon-ng reporting/csv or reporting/xlsx (soon to be released!) modules to output this content to a file.

5 thoughts on “Recon-ng: Profiler Module

  1. It'd be cool if given a name, it also searches (although it'd be hard to match for exact names). But, to take it a step further, once the call sign is found, add or their home address.

  2. That does sound cool. The intent of the profiler module is just checking if a user account exists or not on a given site. Since there are over 180 sites that it checks, I'm sure that additional information could be scraped from each of those to allow an investigator to pivot from the new data. I don't have the cycles to make Profiler that involved. Perhaps you would want to create the module for ARRL and submit it to

  3. Hey Micah,

    I attended your presentation at the BSides conference last weekend. Very awesome stuff. I find myself drawn to it. lol.

    I have a few questions for you first being, do you intend to release a walk-through of the collecting and organizing usable data with the use of Burp Suite? like you were doing with the user id, names, activities and so on.

    And the second is. You mentioned the use of Do you have or know of a small walk-through for that. I downloaded and started playing around with it, but the webpages that opens is running a few xml errors.

    Thanks in advance for your guidance.

  4. Glad you enjoyed the BSides Charm (Baltimore) talk. They should be posting the talk video in the coming weeks.

    As for the Burp Suite “Grep Extract” in the Intruder module, Portswigger's site ( has the help pages on this. And the nVisium blog ( has a good write up on this too.

    As for recon-ng's PushPin modules, this ( YouTube video should start you out. Keep in mind that you will need to get the API keys from your target sites (Twitter, YouTube…) before you run the module. Tim Tomes (@lanmaster53) the creator of recon-ng has a good doc page at!acquiring-api-keys about how to get the different keys.

    Hope this helps you be successful!

Comments are closed.

Up ↑

%d bloggers like this: