How to do it...

Let's do a basic query to illustrate how Recon-ng works:

  1. To start Recon-ng from Kali Linux, use the Applications menu (Applications | 01 - Information Gathering | recon-ng) or type the recon-ng command in a Terminal.
  2. We will be presented with a command-line interface. To see the modules we have available, we can issue the show modules command.
  3. Let's say we want to search all of the subdomains of a domain and the DNS server doesn't respond to zone transfer. We can brute force the subdomains; to do that, we first load the brute_hosts module: use recon/domains-hosts/brute_hosts.
  4. To learn the options we need to configure when using any module, we use the show options command.
  5. To assign a value to an option, we use the set command: set source zonetransfer.me.
  6. Once we have set all the options, we issue the run command to execute the module.
  7. It will take some time for the brute force to complete and it will display lots of information. Once it finishes, we can query the Recon-ng database to get the discovered hosts (show hosts).
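
On the defender's side, the sequence in this recipe (a zone transfer that is refused, followed by a wordlist-driven run against one domain) leaves a recognisable pattern in an authoritative DNS server's query log. The following Python sketch is an added example, not code from the book or from the Recon-ng project; the log format, the example.test zone, the IP addresses, the wordlist and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed wordlist used only to build the sample log below.
WORDS = ["admin", "api", "dev", "ftp", "mail", "ns1", "staging", "test", "vpn", "www"]

def build_sample():
    """Constructed log lines: '<epoch> <client_ip> <qtype> <qname> <rcode>' (assumed format)."""
    lines = ["1700000000 198.51.100.7 AXFR example.test REFUSED"]
    for i, word in enumerate(WORDS):
        rcode = "NOERROR" if word in ("www", "mail") else "NXDOMAIN"
        lines.append(f"{1700000001 + i} 198.51.100.7 A {word}.example.test {rcode}")
    # An ordinary client: repeated lookups of one host plus a single typo.
    lines += [f"{1700000020 + i} 192.0.2.10 A www.example.test NOERROR" for i in range(3)]
    lines.append("1700000030 192.0.2.10 A wwww.example.test NXDOMAIN")
    return lines

def find_enumeration(lines, zone, min_names=8, min_nx_ratio=0.6):
    """Flag clients that ask for many distinct names in `zone`, mostly nonexistent.

    Assumes `lines` already covers a single time window (for example, five minutes).
    """
    stats = defaultdict(lambda: {"names": set(), "nx": 0, "total": 0, "axfr_refused": False})
    suffix = "." + zone
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, client, qtype, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if qname != zone and not qname.endswith(suffix):
            continue  # query is for another zone
        entry = stats[client]
        if qtype == "AXFR":
            entry["axfr_refused"] |= rcode == "REFUSED"
            continue
        entry["total"] += 1
        entry["names"].add(qname)
        entry["nx"] += rcode == "NXDOMAIN"
    findings = {}
    for client, entry in stats.items():
        if entry["total"] == 0:
            continue
        ratio = entry["nx"] / entry["total"]
        if len(entry["names"]) >= min_names and ratio >= min_nx_ratio:
            findings[client] = {"distinct_names": len(entry["names"]),
                                "nx_ratio": round(ratio, 2),
                                "axfr_refused": entry["axfr_refused"]}
    return findings

if __name__ == "__main__":
    print(find_enumeration(build_sample(), "example.test"))
```

The ordinary client stays below both thresholds, so only the address that tried the transfer and then walked the wordlist is reported.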