This is my personal multi-threaded reconnaissance script written in Python for bug hunting.
If you find my work helpful and would like to show your support, you can buy me a coffee! ☕
Before using recon.py for your reconnaissance tasks, ensure you have installed all the required tools and configured the following variables in the script to achieve optimal outcomes:
github_token = "your_github_token"
dns_wordlist = "dns_wordlist.txt"
perm_wordlist = "perm_wordlist.txt"python3 recon.py scope.txtThe recon.py script performs the following tasks:
-
Active/Passive Subdomain Enumeration:
- Utilizes various tools for discovering subdomains within a specified scope.
-
Finding Valid Subdomains:
- Searches for valid subdomains.
-
Filtering Web Applications:
- Filters out web applications running on default ports 80/443 using httpx.
-
Finding Vulnerabilities:
- Uses nuclei to find low-hanging fruits and vulnerabilities, then sends output notifications to Discord, Slack, or email via notify.
-
Port Scanning and Filtering:
- Performs port scans on discovered domains using rustscan and filters out web servers running on non-default ports.
-
Asset Discovery in Cloud Environments:
- Discovers assets in cloud environments using cloudenum and sends output notifications to Discord, Slack, or email via notify.
-
Crawling Valid Assets:
- Utilizes tools like katana, hakrawler, and gospider to crawl valid discovered assets for endpoints, JavaScript files, and new subdomains.
Feel free to explore and customize these scripts and tools based on your specific needs. Contributions and feedback are welcome!
Note: I personally use this script on my Digital Ocean VPS and have not tested it on my local network.
If you're interested in trying out DigitalOcean for hosting your projects, you can sign up using this referral link. By using this link, you'll get some free credits to start with.
This repository contains a collection of tools for reconnaissance and information gathering during security assessments.
Each tool in this repository serves a specific purpose in reconnaissance and information gathering. Refer to the respective GitHub repositories for installation instructions, usage examples, and additional details about each tool.
-
dnsvalidator: A tool for validating and verifying DNS records.
-
chaos: A subdomain discovery tool that uses multiple DNS sources to discover subdomains.
-
subfinder: A tool designed to find subdomains using passive methods.
-
assetfinder: A tool for finding domains and subdomains related to a given domain.
-
crobat: A tool that leverages Sonar data to find subdomains.
-
amass: An open-source intelligence tool for discovering subdomains.
-
github-subdomains: A tool to discover subdomains from GitHub repositories.
-
oam_subs: A tool for enumerating Oracle Access Manager endpoints.
-
dnsx: A fast DNS enumeration and resolution tool.
-
dnscan: A tool to gather information about a domain including subdomains and open ports.
-
oneforall: A tool for subdomain enumeration that integrates multiple techniques.
-
Gotator: A DNS subdomain scanner with multi-threading support.
-
httpx: A fast and multi-purpose HTTP toolkit.
-
nuclei: A fast and customizable vulnerability scanner based on templates.
-
rustscan: A fast port scanner written in Rust.
-
notify: A simple tool for sending notifications via different mediums.
-
cloudenum: A tool for finding out information about cloud environments.
-
Gospider: A tool for web crawling and fingerprinting.
-
Hakrawler: A simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
-
Katana: A next-generation crawling and spidering framework.
-
anew: A tool for comparing two lists of lines in a file and outputting the differences.
Medium | YouTube | LinkedIn | Twitter | HackerOne | Facebook | Instagram
Usage of these tools for unauthorized access or any malicious activity is strictly prohibited. Use them responsibly and with proper authorization.