Skip to content
Passive recon / OSINT automation script
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Passive recon / OSINT automation script:

  • Runs passive recon tools specified in config file given a TLD
  • Extracts email addresses, IP addresses, and DNS names from tool output using regex
  • Queries various OSINT sites specified in config file for TLD and saves result to specified format (default pdf)
  • Runs additional recon tools and website queries on IPs and DNS names found from initial TLD analysis
  • All identified domains, emails, ip addresses, dns names, and tool run history / output stored in sqlite database
  • Aggressive mode can be enabled for running non-passive tests on discovered hosts (e.g. screenshot and spider a website)


By default, the application runs in interactive mode allowing the user to select a project name / output directory as well as add multiple TLDs for analysis before executing scripted tasks. Optionally, a single domain can be specified as a command line parameter to immediately create a new project and execute the scripted tasks against that domain upon launch.

All scan parameters are pulled from config files so multiple configurations can be developed and specified with the -c flag. An example config file (default.example) is included and will be copied into the default path (default.cfg) upon initial launch.

Please feel free to submit PR for bugfixes or additional tools/sites/regex for default config file - any feedback, input, or improvement is greatly appreciated!

Script tested on Kali Linux as well as OSX and should function on UNIX-based systems with required dependencies.


Python Module Dependencies:

  • pyPdf (installed on Kali Linux by default)
  • elixir apt-get install python-elixir

Binary Dependencies:

  • cutycapt (installed on Kali Linux by default)

Dependencies in default tool config file:

  • webshag (installed by default on Kali 1.x but not 2.x) apt-get install webshag


  • Email domain filter currently only excludes emails not matching the active domain during TLD phase
  • HTML index page to summarize all output
  • Scrape cutycapt output for targets & emails (convert to text first?)

Copyright 2015

Matthew C. Jones, CPA, CISA, OSCP

IS Audits & Consulting, LLC -

TJS Deemer Dana LLP -

Concept based upon functionality observed in the OSINT portion of the Kali Discover script by leebaird:

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see

You can’t perform that action at this time.