ReconX is a powerful Bash script designed for advanced subdomain reconnaissance. It automates various subdomain discovery and analysis techniques to help you gather information about a target domain, including subdomains, alive domains, potential subdomain takeovers, open ports, JavaScript file scraping, parameter discovery, automatic screenshots of the alive hosts, and more.
- Subdomain discovery using tools like Assetfinder, Amass, and crt.sh.
- Verification of alive domains with HTTP and HTTPS probing.
- Detection of potential subdomain takeover vulnerabilities.
- Scanning for open ports with Naabu.
- Scraping JavaScript files from discovered subdomains using Gau.
- Scraping API keys or credentials from JavaScript files.
- Gathering Wayback data to find hidden parameters and extensions.
- Capturing screenshots of discovered subdomains using Gowitness.
- Detecting technologies used on discovered subdomains.
- Fingerprinting the web application firewall on discovered subdomains.
Before using ReconX, make sure you have the following tools installed:
|  |  |  |
|---|---|---|
| assetfinder | nmap | subjack |
| amass | rustscan | waybackurls |
| jq | gowitness | httprobe |
| wafw00f | whatweb | mantra |
| subfinder |  |  |
You can install these tools using package managers or download them manually from their official sources.
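A pre-flight check for the prerequisites listed above, as an added example that is not part of the ReconX project: it reports which of the listed tools are missing from `PATH` before a run. The function and variable names are hypothetical, and treating Naabu and Gau (named in the feature list but not in the table) as the binaries `naabu` and `gau` is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not ReconX code): verify the README's prerequisite tools
# are on PATH before starting a scan.

# Tools from the prerequisite table on this page.
REQUIRED_TOOLS="assetfinder amass jq wafw00f subfinder nmap rustscan gowitness whatweb subjack waybackurls httprobe mantra"
# Assumption: named in the feature list but absent from the prerequisite
# table, so they are only warned about, not treated as hard failures.
FEATURE_TOOLS="naabu gau"

# Print every argument that does not resolve to a command, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Return 0 when all required tools are present; otherwise list the gaps
# on stderr and return 1.
preflight() {
    # Word splitting of the space-separated lists is intentional here.
    missing=$(missing_tools $REQUIRED_TOOLS)
    optional=$(missing_tools $FEATURE_TOOLS)
    if [ -n "$optional" ]; then
        printf 'warning: feature tools not found: %s\n' "$(echo $optional)" >&2
    fi
    if [ -n "$missing" ]; then
        printf 'missing required tools: %s\n' "$(echo $missing)" >&2
        return 1
    fi
    return 0
}
```

Source the file and run `preflight && reconx -t target.com` so the scan starts only when every tool in the table is installed.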
```bash
wget https://raw.githubusercontent.com/sakibulalikhan/reconx/main/reconx && sudo mv reconx /usr/bin/ && sudo chmod +x /usr/bin/reconx && reconx
```
```
-t, --target <domain>   Scan a single domain
-l, --list <file>       Scan a list of domains from a file
-h, --help              Display this help message
```
To use ReconX, follow the steps below to run the script:
- For a single domain:
  ```bash
  reconx -t target.com
  ```
- For multiple domains or a list of domains:
  ```bash
  reconx -l domainlists.txt
  ```
- Stuck? Want to know the script options?
  ```bash
  reconx -h
  ```
Replace target.com or domainlists.txt with the domain or domain lists you want to perform reconnaissance on. ReconX will create a directory structure for your results and provide detailed information about the target domain.
```
.
├── reconx
└── reconx_output
    ├── example.com
    │   ├── gau
    │   │   └── gauJS.txt
    │   ├── gowitness
    │   │   └── screenshots
    │   ├── httprobe
    │   │   └── alive.txt
    │   ├── mantra
    │   │   └── api_cred.txt
    │   ├── potential_takeovers
    │   │   └── potential_takeovers.txt
    │   ├── scans
    │   │   └── naabu-full.txt
    │   ├── subdomains
    │   │   └── final.txt
    │   ├── technologies
    │   │   └── tech_detected.txt
    │   ├── waf
    │   │   └── detected_waf.txt
    │   └── wayback
    │       ├── extensions
    │       │   ├── html.txt
    │       │   ├── js.txt
    │       │   └── json.txt
    │       ├── params
    │       │   └── wayback_params.txt
    │       ├── wayback_output.txt
    │       └── waybackurls.txt
    ├── anotherexample.com
    │   ├── gau
    │   │   └── gauJS.txt
    │   ├── gowitness
    │   │   └── screenshots
    │   ├── httprobe
    │   │   └── alive.txt
    │   ├── mantra
    │   │   └── api_cred.txt
    │   ├── potential_takeovers
    │   │   └── potential_takeovers.txt
    │   ├── scans
    │   │   └── naabu-full.txt
    │   ├── subdomains
    │   │   └── final.txt
    │   ├── technologies
    │   │   └── tech_detected.txt
    │   ├── waf
    │   │   └── detected_waf.txt
    │   └── wayback
    │       ├── extensions
    │       │   ├── html.txt
    │       │   ├── js.txt
    │       │   └── json.txt
    │       ├── params
    │       │   └── wayback_params.txt
    │       ├── wayback_output.txt
    │       └── waybackurls.txt
    └── moreexample.com
        ├── gau
        │   └── gauJS.txt
        ├── gowitness
        │   └── screenshots
        ├── httprobe
        │   └── alive.txt
        ├── mantra
        │   └── api_cred.txt
        ├── potential_takeovers
        │   └── potential_takeovers.txt
        ├── scans
        │   └── naabu-full.txt
        ├── subdomains
        │   └── final.txt
        ├── technologies
        │   └── tech_detected.txt
        ├── waf
        │   └── detected_waf.txt
        └── wayback
            ├── extensions
            │   ├── html.txt
            │   ├── js.txt
            │   └── json.txt
            ├── params
            │   └── wayback_params.txt
            ├── wayback_output.txt
            └── waybackurls.txt
```
Contributions are welcome! If you have any suggestions, improvements, or bug fixes, please create an issue or submit a pull request.
This project is licensed under the MIT License.