Skip to content
/ Recon Public

Recon is a script to perform a full recon on a target with the main tools to search for vulnerabilities. Created based on @OFJAAAH and @jhaddix methodologies


Notifications You must be signed in to change notification settings


Repository files navigation

πŸ‘‘ Recon πŸ‘‘

The step of recognizing a target in both Bug Bounties and Pentest can be very time-consuming. Thinking about it, I decided to create my own recognition script with all the tools I use most in this step. All construction of this framework is based on the methodologies of @ofjaaah and @Jhaddix. These people were my biggest inspirations to start my career in Information Security and I recommend that you take a look at their content, you will learn a lot!

Usage πŸ’‘

Help Menu

Basic usage

❯ ./ -d -w /path/to/your/wordlist.txt

Quiet mode

❯ ./ -d -w /path/to/your/wordlist.txt -q

Recommended usage

❯ ./ -d -w /path/to/your/wordlist.txt -g [github_api_key] -s [shodan_api_key] -f


Help menu πŸ”Ž

Option Value
-h, --help Look at the complete help menu
-w Path to your wordlist. Some wordlists I've already added by default to ./wordlists
-f Fuzzing mode. When passing this argument, the Fuzzing step to confirm possible vulnerabilities will be added. Directory Fuzzing will remain enabled regardless of whether the argument is passed or not. I recommend not to use this if you want to do a recon faster.
-g GitHub API Key. This parameter is used when searching for subdomains
-s Shodan API Key. This parameter is used to automate the search for domains associated with your target(Requires API Key premium). If you don't have it, you can do the searches manually and the dorks are saved in the output folder.
-o Your output folder. If you don't specify the parameter, all the results of the script will be saved in a folder with your target's name inside the script path
-q Quiet mode. All banners and details of the script's execution will not be shown in the terminal, but everything that is executed in normal mode is executed as well. You will be able to see all the results in detail in your output folder

Features βœ…

ASN Enumeration

Subdomain Enumeation

Alive Domains

WAF Detect

Domain organization

  • Regular expressions

Subdomain Takeover

DNS Lookup

Discovering IPs

DNS Enumeration and Zone Transfer

Favicon Analysis

Directory Fuzzing

Google Hacking

GitHub Dorks

Credential Stuffing


Port Scan

Link Discovery

Endpoints Enumeration and Finding JS files


  • Nuclei βž” I used all the default templates

403 Forbidden Bypass




  • My GrepVuln function

Open Redirect

  • My GrepVuln function



I made a script that automates the installation of all tools. I tried to do it with the intention of having compatibility with the most used systems in Pentest and Bug Bounty.

git clone
cd Recon/
chmod +x
chmod +x

Please DO NOT remove any of the files inside the folder, they are all important!

Installation script tested on:

  • Kali Linux
  • Arch Linux
  • BlackArch Linux
  • Ubuntu
  • Parrot Security

Poject Mindmap



Recon was entirely coded with ❀ by @Dirsoooo and it is released under the MIT license.

Buy me a coffee β˜•

If you liked my job and want to support me in some way, buy me a coffee 😁


Recon is a script to perform a full recon on a target with the main tools to search for vulnerabilities. Created based on @OFJAAAH and @jhaddix methodologies