README
¶
recon-x
Web recon tool I wrote in Go. One command — passive subdomain discovery, port scan, CVE matching, WAF detection, dir brute-force, JS secret extraction, GitHub dorking, cloud bucket enumeration, TLS analysis, open redirect detection, DNS zone transfer, WHOIS lookup, and HTTP screenshots. Outputs a self-contained HTML report and optional JSON.
Install
go install github.com/bytezora/recon-x@latest
or build from source:
git clone https://github.com/bytezora/recon-x && cd recon-x
go build -o recon-x .
Usage
recon-x -target example.com
recon-x -target example.com -output report.html -json out.json -threads 100
recon-x -target example.com -no-passive -ports 80,443,8080,8443
recon-x -target example.com -github-token ghp_xxxx
-target domain to scan (required)
-output html report path (default: report.html)
-json json output (optional)
-wordlist custom subdomain wordlist
-ports comma-separated ports
-threads concurrency (default: 50)
-no-passive skip crt.sh lookup
-github-token GitHub PAT for code search dorking (optional)
-version print version
What runs
1. crt.sh passive recon
2. DNS subdomain brute-force
3. TCP port scan → banner grab → CVE match
4. HTTP fingerprint → tech stack → WAF detection
5. Directory brute-force (~80 paths)
6. JS scraping → endpoints + secrets
7. GitHub dorking → leaked keys/tokens in code
8. Cloud bucket enum → S3 / GCS / Azure
9. TLS analysis → weak ciphers, expiring certs, SAN mismatch
10. Open redirect detection → 22 params × 2 payloads
11. DNS zone transfer (AXFR) → full zone leak attempt
12. WHOIS lookup → registrar, org, country, dates
13. HTTP screenshots → headless browser, embedded in report
14. Subdomain takeover → CNAME dangling DNS check
15. CORS scan → origin reflection, wildcard+credentials
16. 403 bypass → path tricks, header injection
17. Virtual host discovery → Host header bruteforce
18. Favicon hash → Shodan MurmurHash3 fingerprint
19. ASN lookup → BGP prefix, org, country
20. GraphQL probe → endpoint discovery, introspection dump
21. Email security → SPF / DMARC / DKIM, spoofability
22. Admin panel discovery → 50+ real paths, records 200/301/302/401/403
23. SQLi detection → reflection + error-based, zero exploitation
24. Default credentials → 15 common pairs, login form detection
25. Rate limit headers → X-RateLimit-*, Retry-After detection
→ self-contained HTML report + optional JSON
Terminal UI
Report
Self-contained HTML, dark terminal style. Tabbed — subdomains, ports, HTTP, CVE, WAF, dirs, JS secrets, GitHub leaks, cloud buckets, TLS, open redirects, AXFR, WHOIS, screenshots, takeover, CORS, 403 bypass, vhosts, favicon, ASN, GraphQL, email security, admin panels, sqli, default creds, rate limit.
CVE detection
190+ signatures across 48 products — Apache, nginx, OpenSSH, Tomcat, WebLogic, Spring, Log4j, Redis, MongoDB, Elasticsearch, WordPress, Drupal, Jenkins, GitLab, Fortinet, Citrix, F5, Kubernetes and more.
Matches on banner strings, HTTP headers, response bodies and version endpoints (/actuator/info, /_cluster/stats, etc.). DB is SHA-256 protected.
WAF vendors: Cloudflare, Akamai, Imperva, AWS WAF, F5, Barracuda, ModSecurity, Fortinet, Radware.
License
MIT · use only on targets you have permission to scan.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
banner
Package banner grabs service banners from open TCP ports.
|
Package banner grabs service banners from open TCP ports. |
|
crtsh
Package crtsh queries the Certificate Transparency log at crt.sh to passively discover subdomains without sending any DNS traffic.
|
Package crtsh queries the Certificate Transparency log at crt.sh to passively discover subdomains without sending any DNS traffic. |
|
dirbust
Package dirbust brute-forces common paths against discovered HTTP services.
|
Package dirbust brute-forces common paths against discovered HTTP services. |
|
httpcheck
Package httpcheck probes HTTP/HTTPS services and fingerprints web technologies from response headers and body content.
|
Package httpcheck probes HTTP/HTTPS services and fingerprints web technologies from response headers and body content. |
|
jsscan
Package jsscan extracts JavaScript file URLs from HTTP responses, then scans those files for API endpoints and potential secrets.
|
Package jsscan extracts JavaScript file URLs from HTTP responses, then scans those files for API endpoints and potential secrets. |
|
portscan
Package portscan performs concurrent TCP port scanning across a list of resolved subdomains, with optional banner grabbing.
|
Package portscan performs concurrent TCP port scanning across a list of resolved subdomains, with optional banner grabbing. |
|
subdomain
Package subdomain performs DNS-based subdomain enumeration by brute-forcing a wordlist against the target domain.
|
Package subdomain performs DNS-based subdomain enumeration by brute-forcing a wordlist against the target domain. |
|
vulns
Package vulns — integrity.go provides SHA-256 fingerprinting of the embedded CVE database to detect silent tampering with the bundled vulnerability rules.
|
Package vulns — integrity.go provides SHA-256 fingerprinting of the embedded CVE database to detect silent tampering with the bundled vulnerability rules. |
|
waf
Package waf detects Web Application Firewalls from HTTP response headers, cookies, and body content.
|
Package waf detects Web Application Firewalls from HTTP response headers, cookies, and body content. |
|
Package ui provides the bubbletea TUI for recon-x.
|
Package ui provides the bubbletea TUI for recon-x. |