A versatile network reconnaissance CLI written in Rust. Started as a curl clone and grew into a multi-protocol investigation tool covering HTTP(S), TLS certificate inspection, DNS, WHOIS, ping, traceroute, barcode encode/ decode, file compression and archiving, Markdown / HTML / PDF conversion, and a full Rhai script engine that exposes every protocol probe and helper for automation.
recon https://example.com/ # curl-style HTTP request
recon example.com --cert # inspect server's TLS cert chain
recon example.com --dns A,MX,TXT # DNS in one shot
recon --spf --dmarc --dkim example.com # email-protection sweep
recon --script my-flow.rhai # Rhai scripts with full HTTP/probe access- 40+ URL schemes: HTTP(S), FTP(S), SCP, SFTP, TFTP, Gopher, Telnet, SSH, IMAP(S), POP3(S), SMTP(S), MQTT(S), Redis, Memcached, LDAP(S), RTSP(S), DICT, NTP, IPFS/IPNS, WS(S), TCP, UDP, file, …
- TLS at the protocol level: certificate inspection, CRL revocation checking, client cert mTLS, CA pinning, HSTS persistence.
- Browser fingerprint impersonation (opt-in feature, 0.77.0): mimic Chrome, Firefox, Safari, Edge, mobile, or OkHttp at the JA3 / JA4 / H2 fingerprint level via BoringSSL. See Browser fingerprint impersonation below.
- Email protection sweep: SPF, DMARC, DKIM, MTA-STS, TLS-RPT, BIMI in
one command (
recon --spf --dmarc --dkim --mta-sts --tls-rpt --bimi). - Document conversion: Markdown → HTML, Markdown → PDF, HTML → PDF with cover pages, ToC, page breaks, and PDF metadata.
- Codecs and crypto: hash (10 algorithms), encode / decode (base64, base32, hex, URL, percent, …), encrypt / decrypt (age, PGP shellout), compress / decompress (gzip, brotli, zstd, lz4, snappy, deflate, xz, zlib), archive / extract (zip, tar, tar.gz, …), barcode encode / decode (QR, DataMatrix, Aztec, PDF417, MaxiCode, plus 1D codes).
- Rhai script engine: every CLI feature is also a script binding —
http(),dns(),ping(),tcp_connect(),mqtt_pub(), … with a sticky-sessionbrowser()for stateful flows. - Curl compatibility: most curl flags work as you'd expect (
-X,-H,-d,-L,-o,-I,-K,-u,-x,--data-binary,--retry,--time-cond,--xattr,-EmTLS,-nnetrc, …). See docs/curl-parity-matrix.md.
brew tap codedeviate/cli
brew install recon # default rustls build
# or, with BoringSSL-based browser fingerprint impersonation:
brew install recon-impersonateThe two formulas install the same recon binary and conflict; pick one.
The crate is published as recon-cli (the bare recon name has been
parked since 2019). The installed binary is still recon:
cargo install recon-cli # default build
cargo install recon-cli --features impersonate # with impersonationgit clone https://github.com/codedeviate/recon.git
cd recon
make install # installs to ~/.cargo/bin
# or with the impersonate feature (BoringSSL, ~5–10 MB extra binary,
# slow first build):
make install-impersonateBuild only without installing:
make release # default build (rustls-only)
make release-impersonate # release build + browser fingerprint
# impersonation featuremake help lists every target.
# Verbose request with header capture
recon https://api.example.com/v1/items -i
# POST JSON
recon -X POST https://api.example.com/items \
-H 'Content-Type: application/json' \
-d '{"name":"thing"}'
# Inspect a TLS cert chain (works on expired or self-signed certs)
recon https://example.com --cert
# Multiple DNS record types in one query
recon --dns A,AAAA,MX,TXT,DNSKEY example.com
# Email-protection aggregate report
recon --spf --dmarc --dkim --mta-sts --tls-rpt --bimi example.com
# WHOIS with two-hop registrar referral
recon --whois example.com
# Save a markdown document as PDF with ToC and cover page
recon --md-to-pdf README.md \
--toc --gfm --doc-title 'recon README' \
-o README.pdf
# Run a Rhai script
recon --script script/dns.rhai example.com A,MXFor more examples grouped by feature area:
recon --examples # ~60 sections of curated scenarios
recon --help <topic> # long-form reference (e.g. tls, proxy, mqtt, jwt)
recon --flags # alphabetical curl-style flag indexrecon 0.77.0 added an opt-in Cargo feature impersonate that pulls in
rquest (BoringSSL) plus
rquest-util so recon can mimic a
real browser's TLS+H2 fingerprint instead of its default
reqwest+rustls signature. Useful when a server uses JA3 / JA4
fingerprinting or HTTP/2 SETTINGS-frame analysis to distinguish bots from
real browsers.
make install-impersonate # one-time, installs feature-on binary
recon --impersonate chrome_131 https://example.com/
recon --impersonate firefox_128 https://tls.peet.ws/api/all
recon --impersonate safari_ios_17.4.1 https://example.com/--ja3 / --ja4 / --http2-fingerprint are reserved in the CLI for
forward-compatibility but error at runtime in v1; named profiles cover
the captcha-testing use case. See recon --help impersonate for the full
profile list and v1 incompatibility rules.
- docs/MANUAL.md — the long-form user manual.
Mirrored to
docs/MANUAL.pdf(committed). - CHANGELOG.md — every release, keep-a-changelog format.
- HISTORY.md — design rationale per feature: why the approach, what was rejected, what was deferred.
- OUT-OF-SCOPE.md — what recon won't do, and why.
- docs/curl-parity-matrix.md — recon
↔ curl
--versionfeature mapping. - script/README.md — Rhai script gallery,
one focused
.rhaiper binding module. recon --help [topic]— built-in topic-organised help.recon --examples— curated runnable scenarios.
make ci # default-feature: fmt-check + clippy + test
make ci-impersonate # ci + a parallel build/test pass with the
# impersonate feature (BoringSSL)MIT. Repository at https://github.com/codedeviate/recon.