ReconForge is a conservative reconnaissance and attack surface discovery toolkit for authorized assessments. It maps domains to DNS records, TLS certificates, HTTP/HTTPS endpoints, headers, page titles, and lightweight technology signals, and writes the results as structured JSON, CSV, and Markdown/HTML summaries.
ReconForge is intended only for systems you own or have explicit permission to assess. It does not exploit, brute force, fuzz, crawl, or run mass internet scanning defaults.
- CLI interface built with Typer and Rich.
- Accepts a single domain or a target list.
- Supports reusable TOML project configs with reconforge init.
- Enforces optional authorized scope roots.
- Supports low bounded concurrency with conservative defaults.
- Collects DNS records through safe resolver lookups.
- Checks SPF, DMARC, CAA, and DNSSEC delegation indicators.
- Collects the presented TLS certificate on port 443.
- Probes one HTTPS and one HTTP endpoint per target.
- Captures selected headers, security header presence, response timing, content length, and HTML titles.
- Detects basic technologies from headers and common HTML markers.
- Writes structured JSON results.
- Exports a compact CSV surface summary.
- Generates Markdown and HTML attack surface summaries.
- Writes a run manifest for auditability and reproducibility.
- Prints saved result summaries with reconforge show.
- Compares scan results with reconforge diff.
- Exports a machine-readable JSON Schema with reconforge schema.
- Checks runtime health with reconforge doctor.
- Includes a restrained hacker-terminal aesthetic with ASCII accents in CLI and reports.
- Includes rate limiting, target caps, and authorized-use warnings.
- Provides synthetic demo output with no network traffic.
python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -e ".[dev]"
Generate a synthetic report without touching the network:
reconforge demo --output reconforge-demo
Disable visual terminal accents when scripting:
reconforge demo --output reconforge-demo --no-art
reconforge scan --domain example.org --assume-authorized --no-art
Run a conservative authorized scan:
reconforge scan --domain example.org --assume-authorized --output reconforge-output
Preview target normalization and scope without network activity:
reconforge scan --targets-file examples\targets.txt --scope-root example.org --dry-run
Use a target list:
reconforge scan --targets-file examples\targets.txt --assume-authorized --max-targets 10 --delay 1.5
Create and use a reusable project config:
reconforge init --path reconforge.toml
reconforge scan --config reconforge.toml --assume-authorized
Restrict processing to authorized roots:
reconforge scan --targets-file examples\targets.txt --scope-root example.org --assume-authorized
Skip TLS collection when you only want DNS and HTTP:
reconforge scan --domain example.org --assume-authorized --skip-tls
Summarize a saved JSON result:
reconforge show reconforge-output\results.json
Compare two saved runs:
reconforge diff previous\results.json current\results.json --output diff.json
Export the result schema:
reconforge schema --output docs\reconforge.schema.json
Check the local runtime:
reconforge doctor
The authorization flag is intentionally explicit. Without --assume-authorized, ReconForge prints the warning and exits before performing network activity.
Each run creates:
- results.json: structured Pydantic-backed JSON.
- surface.csv: compact endpoint inventory.
- summary.md: readable Markdown attack surface summary.
- summary.html: standalone HTML report.
- manifest.txt: run controls, platform info, and processed targets.
ReconForge MVP intentionally avoids:
- Exploitation.
- Brute forcing.
- Subdomain enumeration by guessing.
- Port scanning.
- Crawling.
- High-concurrency probing.
- Targets outside configured scope roots when scope is provided.
- Mass internet scanning defaults.
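The scope-root and target-cap controls can be reasoned about offline, in the spirit of --dry-run. The sketch below is an added example, not ReconForge's own code: the function names, rejection reasons and sample targets are assumptions. It matches scope on DNS label boundaries so that lookalikes such as notexample.org or example.org.attacker.test are not treated as in scope.

```python
# Added example: not ReconForge's code; all names here are hypothetical.
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_HOST = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*")


def normalize_target(raw):
    """Reduce one target line to a bare lowercase ASCII hostname, else None."""
    text = raw.strip()
    try:
        # urlsplit needs the "//" marker; then drop the root dot and IDNA-encode.
        host = urlsplit(text if _SCHEME.match(text) else "//" + text).hostname
        host = (host or "").rstrip(".").encode("idna").decode("ascii").lower()
    except ValueError:  # malformed netloc or invalid IDNA label
        return None
    return host if _HOST.fullmatch(host) else None


def in_scope(host, roots):
    """True if host equals a root or sits below it on a label boundary."""
    return any(host == root or host.endswith("." + root) for root in roots)


def plan_targets(lines, scope_roots, max_targets=10):
    """Dry-run plan: (accepted hosts, [(input, reason)]); no network I/O."""
    roots = [r for r in map(normalize_target, scope_roots) if r]
    accepted, rejected = [], []
    for line in map(str.strip, lines):
        if not line or line.startswith("#"):
            continue
        host = normalize_target(line)
        if host is None:
            rejected.append((line, "unparseable"))
        elif host in accepted:
            rejected.append((line, "duplicate"))
        elif roots and not in_scope(host, roots):
            rejected.append((line, "out of scope"))
        elif len(accepted) >= max_targets:
            rejected.append((line, "over target cap"))
        else:
            accepted.append(host)
    return accepted, rejected


SAMPLE = [  # constructed input
    "# staging", "https://App.Example.org:8443/login", "example.org.", "b\u00fccher.example.org",
    "notexample.org", "example.org.attacker.test", "app.example.org", "bad host!"]
```

Calling plan_targets(SAMPLE, ["example.org"]) returns the accepted hostnames and a list of rejected inputs with reasons, which can be reviewed before any scan is started.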
ruff check .
pytest
python -m build
Project layout:
reconforge/
  reconforge/
    cli/
    dns/
    http/
    tech/
    models/
    reports/
    storage/
  examples/
  tests/
  docs/
This repository includes GitHub Actions for CI and tagged releases. See docs/release.md.