badchars/recon0

GitHub: badchars/recon0

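One-stop bug bounty reconnaissance pipeline that orchestrates the 9 stages from subdomain enumeration to vulnerability scanning into a single command, with headless browser crawling, DSL rule detection of leaked secrets, and LLM-based analysis.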

Stars: 0 | Forks: 0


recon0

One-stop bug bounty reconnaissance pipeline
From subdomain enumeration to vulnerability scanning: orchestrated, resumable, LLM-enhanced.


**recon0** is a modular reconnaissance framework written in Go. It orchestrates a 9-stage pipeline (subdomain enumeration, DNS resolution, HTTP probing, headless browser crawling, port scanning, endpoint discovery, secret analysis, intelligence aggregation, and vulnerability scanning) into a single command.

```
recon0 run target.com
```

### Why recon0?

- **Single binary, zero configuration**: auto-detects CPU/RAM, resolves tool paths, and runs with sensible defaults
- **9-stage pipeline**: each stage feeds the next; a gate stage stops the run early when it produces zero results
- **Headless browser crawling**: native Chrome DevTools Protocol via `chromedp`; HAR capture, JS extraction, multi-round click interaction
- **60+ DSL rules**: regex-based detection of secrets, tokens, and cloud assets across JS files, HAR bodies, and HTTP headers
- **Tech-aware active probing**: fingerprints the stack (Spring Boot, WordPress, Django, Go, .NET, Laravel, Node.js) and then sends targeted probes
- **LLM intelligence**: optional OpenAI/Ollama enrichment that correlates findings, prioritizes attack paths, and filters false positives
- **Resumable**: `--from-stage` continues from where the last run stopped; state is persisted to JSON
- **Distributed**: `serve` mode exposes a REST API and a persistent job queue for submitting scans remotely
- **3 dependencies**: `chromedp`, `cdproto`, `yaml.v3`, and nothing else

## Pipeline

```
Domain
  |
  v
┌────────────────────────────────────────────────────────────────────────────┐
│  1. ENUM       subfinder+amass   Passive subdomain enumeration             │
│  2. RESOLVE    dnsx              ◄── DNS gate: 0 results = stop            │
│  3. PROBE      httpx + tlsx      HTTP probing, tech fingerprint, TLS       │
│  4. CRAWL      cdpcrawl          Headless Chrome + HAR + JS capture        │
│  5. PORTSCAN   naabu             TCP port scanning (optional)              │
│  6. DISCOVER   discover          Endpoint extraction from HAR/JS           │
│  7. ANALYZE    analyzer          DSL engine: secrets, tokens, paths        │
│  8. COLLECT    collector         Intelligence report + LLM analysis        │
│  9. VULN       nuclei + probe    Vulnerability scanning + probes           │
└────────────────────────────────────────────────────────────────────────────┘
  |
  v
runs/-/
├── input/domains.txt
├── output/
│   ├── subdomains.txt       (enum)
│   ├── alive.txt            (resolve)
│   ├── live-hosts.txt       (probe — JSON lines: url, status, tech, cdn)
│   ├── urls.txt             (crawl)
│   ├── ports.txt            (portscan)
│   ├── endpoints.json       (discover)
│   ├── findings.json        (analyze — DSL matches)
│   ├── intel.json           (collect — full intelligence report)
│   └── findings.txt         (vuln — nuclei + active probe results)
├── har/                     (raw HAR files from crawl)
├── js/                      (extracted JS files)
├── raw/                     (per-provider raw output)
├── logs/pipeline.log
└── state.json               (execution state — resumable)
```

### Stage data flow

| Stage | Input | Output | Gate? |
|-------|-------|--------|-------|
| `enum` | `domains.txt` | `subdomains.txt` | |
| `resolve` | `subdomains.txt` | `alive.txt` | Yes: stops the pipeline if 0 hosts are alive |
| `probe` | `alive.txt` | `live-hosts.txt` | |
| `crawl` | `live-hosts.txt` | `urls.txt` + `har/` + `js/` | |
| `portscan` | `alive.txt` | `ports.txt` | |
| `discover` | `har/` | `endpoints.json` | |
| `analyze` | `har/` + `js/` | `findings.json` | |
| `collect` | `output/*` | `intel.json` | |
| `vuln` | `live-hosts.txt` | `findings.txt` | |

## Installation

### One-line install (recommended)

```
curl -sSL https://raw.githubusercontent.com/badchars/recon0/main/install.sh | bash
```

The script detects the OS/architecture, downloads the latest release, verifies the SHA256 checksum, and installs to `/usr/local/bin/`.

### Go install

```
go install github.com/badchars/recon0/cmd/recon0@latest
```

### Manual download

Get the binary for your platform from [Releases](https://github.com/badchars/recon0/releases):

```
curl -sL https://github.com/badchars/recon0/releases/latest/download/recon0-linux-amd64.tar.gz | tar xz
sudo mv recon0 /usr/local/bin/
```

## Quick start

### Run from source

```
# Build
git clone https://github.com/badchars/recon0.git
cd recon0
make build

# Install external tools (ProjectDiscovery suite)
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest
go install github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/owasp-amass/amass/v4/...@master

# Run
./recon0 run target.com
```

### Docker (all dependencies included)

```
docker pull ghcr.io/badchars/recon0:latest

# Basic scan
docker run --rm -v $(pwd)/runs:/data/runs ghcr.io/badchars/recon0 run target.com

# With a custom config
docker run --rm \
  -v $(pwd)/runs:/data/runs \
  -v $(pwd)/recon0.yaml:/data/recon0.yaml \
  ghcr.io/badchars/recon0 run target.com --config /data/recon0.yaml
```

The Docker image ships with all ProjectDiscovery tools, Chromium, and nuclei templates preinstalled.

### Verify providers

```
$ recon0 providers
Provider       Stage      Status     Binary
──────────────────────────────────────────────────
amass          enum       enabled    /usr/local/bin/amass
subfinder      enum       enabled    /usr/local/bin/subfinder
dnsx           resolve    enabled    /usr/local/bin/dnsx
httpx          probe      enabled    /usr/local/bin/httpx
tlsx           probe      enabled    /usr/local/bin/tlsx
cdpcrawl       crawl      enabled    (built-in)
naabu          portscan   enabled    /usr/local/bin/naabu
discover       discover   enabled    (built-in)
analyzer       analyze    enabled    (built-in)
collector      collect    enabled    (built-in)
activeprobe    vuln       enabled    (built-in)
nuclei         vuln       disabled   /usr/local/bin/nuclei
```

## CLI reference

```
recon0 — bug bounty recon pipeline

Usage:
  recon0 run [flags]                Execute the pipeline
  recon0 serve [flags]              Start API server + job queue worker
  recon0 scan [flags]               Submit a scan to a remote server
  recon0 status [RUN_ID] [flags]    Show scan status
  recon0 list                       List all runs
  recon0 providers                  List registered providers
  recon0 update [--check]           Self-update to latest release
  recon0 uninstall [--purge]        Remove recon0 from system
  recon0 version                    Show version
```

### `run` flags

| Flag | Short | Default | Description |
|------|-------|---------|-------------|
| `--program NAME` | `-p` | domain | Group the scan under a program name |
| `--config PATH` | `-c` | `recon0.yaml` | Config file path |
| `--from-stage STAGE` | `-f` | | Resume from a specific stage |

### `serve` flags

| Flag | Short | Default | Description |
|------|-------|---------|-------------|
| `--config PATH` | `-c` | `recon0.yaml` | Config file path |
| `--port PORT` | | `8484` | API listen port |

### `scan` flags

| Flag | Short | Default | Description |
|------|-------|---------|-------------|
| `--program NAME` | `-p` | domain | Program name |
| `--remote HOST:PORT` | `-r` | `localhost:8484` | Remote server address |

### `update` flags

| Flag | Default | Description |
|------|---------|-------------|
| `--check` | `false` | Only check for updates, do not install |

### `uninstall` flags

| Flag | Default | Description |
|------|---------|-------------|
| `--purge` | `false` | Also delete all scan data (`runs/`) and the config file |

### Examples

```
# Basic scan
recon0 run example.com

# Organize under a bug bounty program
recon0 run example.com --program hackerone-example

# Resume from the analyze stage (reuses previous data)
recon0 run example.com --program hackerone-example --from-stage analyze

# Start the daemon
recon0 serve --port 9090

# Queue a remote scan
recon0 scan example.com --remote 10.0.0.5:9090

# Check status
recon0 status --remote 10.0.0.5:9090
```

## Providers

### External tools (CLI binaries)

| Provider | Stage | Tool | Purpose |
|----------|-------|------|---------|
| `subfinder` | enum | [subfinder](https://github.com/projectdiscovery/subfinder) | Passive subdomain enumeration from 100+ sources |
| `amass` | enum | [amass](https://github.com/owasp-amass/amass) | OWASP subdomain enumeration: DNS, scraping, certificates, APIs |
| `dnsx` | resolve | [dnsx](https://github.com/projectdiscovery/dnsx) | DNS resolution, A/AAAA/CNAME records, takeover checks |
| `httpx` | probe | [httpx](https://github.com/projectdiscovery/httpx) | HTTP probing, status codes, tech fingerprinting, CDN detection |
| `tlsx` | probe | [tlsx](https://github.com/projectdiscovery/tlsx) | TLS certificate extraction, SAN enumeration, expiry checks |
| `naabu` | portscan | [naabu](https://github.com/projectdiscovery/naabu) | SYN/CONNECT port scanning, top-N ports |
| `nuclei` | vuln | [nuclei](https://github.com/projectdiscovery/nuclei) | Template-based vulnerability scanning |

### Built-in providers (no external binary required)

| Provider | Stage | Purpose |
|----------|-------|---------|
| `cdpcrawl` | crawl | Headless Chromium crawling via the Chrome DevTools Protocol (CDP). Captures full HAR archives, extracts JS files, and performs multi-round click and navigation interaction. Cookies are isolated through browser contexts. |
| `discover` | discover | Parses HAR request logs and JavaScript files to extract API endpoints, HTTP methods, query parameters, and request bodies. Deduplicates by method+URL. |
| `analyzer` | analyze | Runs the DSL rule engine against JS files, HAR bodies, HTTP headers, and discovered endpoints. Detects secrets, tokens, cloud assets, misconfigurations, and interesting paths. |
| `collector` | collect | Aggregates all stage outputs into a structured intelligence report (`intel.json`). Optionally enriched with LLM analysis through OpenAI or Ollama. |
| `activeprobe` | vuln | Go-native HTTP prober. Sends targeted requests based on the httpx tech fingerprint: Spring Boot actuator, WordPress wp-config, Laravel debug, Go pprof, .NET elmah, CORS origin reflection, and others. |

### Provider architecture

```
type Provider interface {
    Name() string
    Stage() string
    OutputType() string // "txt", "json", "jsonl"
    Check() error       // verify binary exists
    Run(ctx context.Context, opts *RunOpts) (*Result, error)
}
```

Providers register themselves via `init()`. For each stage, the pipeline queries the registry, runs the enabled providers (sequentially or in parallel, depending on the stage configuration), merges their output, deduplicates it, and feeds the result to the next stage.

## DSL engine

The built-in DSL engine scans JS files, HAR response bodies, HTTP headers, and discovered endpoints with 60+ regex-based rules, and includes false-positive filtering.

### Rule categories

| Category | Rules | Severity | Examples |
|----------|-------|----------|---------|
| **Secrets & tokens** | 20 | Critical/High | AWS keys, GitHub PATs, Slack tokens, Stripe keys, JWTs, private keys |
| **Cloud assets** | 22 | Medium/Info | S3 buckets, Azure Blob, GCP Storage, Firebase, Cloudflare R2, Supabase |
| **HTTP headers** | 8 | Low-High | CORS misconfiguration, missing CSP, server version disclosure, debug headers |
| **Interesting paths** | 12 | Info-Critical | Admin panels, .env files, .git exposure, Spring Actuator, Go pprof, source maps |
| **Response content** | 4 | Medium-High | Stack traces, SQL errors, internal IPs |

### Rule format

Rules are defined in YAML (`internal/dsl/rules/default.yaml`):

```
rules:
  - id: aws-access-key
    name: "AWS Access Key ID"
    severity: critical
    pattern: "(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
    source: [js, har]
    tags: [secret, aws]

  - id: generic-api-key
    name: "Generic API Key"
    severity: medium
    pattern: "(?i)(?:api[_\\-]?key|apikey)[\\s=:\"']+[A-Za-z0-9_\\-]{20,}"
    source: [js, har]
    tags: [secret, generic]
    false_positive: ["(?i)example|placeholder|your[_-]?api|xxx|replace|TODO"]
```

### Custom rules

Add your own rules through the config:

```
providers:
  analyzer:
    enabled: true
    custom_rules: /path/to/my-rules.yaml
```

## Active probing

The `activeprobe` provider sends targeted HTTP requests based on the tech fingerprint detected by httpx. This is not blind fuzzing: probes are chosen based on what is actually running.

| Tech stack | Probes | Examples |
|------------|--------|---------|
| **Generic** (all hosts) | `.env`, `.git/HEAD`, `server-status`, `robots.txt`, `.well-known` | Config leaks, source code exposure |
| **Spring Boot** | `/actuator/env`, `/actuator/heapdump`, `/actuator/configprops` | Environment variable dump, heap memory, configuration |
| **WordPress** | `wp-config.php.bak`, `xmlrpc.php`, `wp-json/wp/v2/users` | Backup leaks, user enumeration |
| **Node.js** | `package.json`, `/graphql` introspection | Dependency disclosure, schema exposure |
| **Laravel/PHP** | `telescope`, `_debugbar`, `phpinfo()` | Debug panels, information disclosure |
| **Django** | `/admin/`, `__debug__/` | Admin panel, debug toolbar |
| **.NET** | `elmah.axd`, `trace.axd`, `web.config` | Error logs, config leaks |
| **Go** | `/debug/pprof/`, `/debug/vars` | Profiler, runtime variables |
| **CORS** | Origin reflection test | Misconfigured CORS policy |

## LLM intelligence

The `collector` stage can optionally enrich the intelligence report with LLM analysis. When enabled, it sends the aggregated recon data to an OpenAI-compatible API and receives:

1. **Key findings**: secrets correlated with the host inventory and tech stack
2. **False-positive assessment**: noise filtered using context (CDN, tech, source)
3. **Attack scenarios**: the top 3-5 attack paths with their specific hosts and endpoints
4. **Subdomain takeover risk**: CNAME chains analyzed for dangling references
5. **Recommendations**: prioritized next steps

```
providers:
  collector:
    enabled: true
    llm_enabled: true
    llm_provider: openai     # or "ollama" for local models
    llm_model: gpt-4o
    llm_api_key: sk-...      # or RECON0_LLM_API_KEY env var
    llm_base_url: ""         # custom endpoint (Ollama: http://localhost:11434/v1)
    llm_max_tokens: 4096
```

## API

Start the API server with `recon0 serve`. All endpoints return JSON.

| Method | Endpoint | Description |
|--------|----------|-------------|
| `GET` | `/api/health` | Health check |
| `GET` | `/api/status` | Status of the current (or most recent) scan |
| `GET` | `/api/status/:run_id` | Status by run ID |
| `GET` | `/api/runs` | List all runs with summaries |
| `GET` | `/api/logs/:run_id?lines=N` | Tail of the log file (default: 100 lines) |
| `POST` | `/api/scan` | Queue a new scan |
| `GET` | `/api/queue` | List queued jobs |
| `DELETE` | `/api/queue/:id` | Remove a queued job |

### Queue a scan

```
curl -X POST http://localhost:8484/api/scan \
  -H 'Content-Type: application/json' \
  -d '{"domain": "example.com", "program": "bugbounty-1"}'
```

```
{
  "queue_id": "a1b2c3d4",
  "position": 1,
  "domain": "example.com",
  "program": "bugbounty-1",
  "status": "pending"
}
```

### Check status

```
curl http://localhost:8484/api/status
```

```
{
  "job_id": "bugbounty-1-20260306-143022",
  "program": "bugbounty-1",
  "domain": "example.com",
  "status": "running",
  "started_at": "2026-03-06T14:30:22Z",
  "current_stage": "crawl",
  "stages": {
    "enum": {"status": "completed", "results": 247},
    "resolve": {"status": "completed", "results": 189},
    "probe": {"status": "completed", "results": 142},
    "crawl": {"status": "running", "results": 38}
  }
}
```

## Configuration

recon0 loads configuration in the following order: `recon0.yaml` in the current directory, the `--config` flag, environment variables.
### Configuration reference

```
# General
output_dir: ./runs              # Scan output directory
resume: true                    # Resume incomplete scans automatically
disk_min_gb: 20                 # Minimum free disk space (GB)
url_cap: 2000000                # Max URLs to process

# Resource management
resources:
  auto: true                    # Auto-detect CPU/RAM (cgroup-aware)
  max_threads: 0                # 0 = auto (based on CPU cores)
  max_rate: 5000                # Global max requests/sec

# Logging
log:
  level: info                   # debug | info | warn | error
  format: color                 # color | json | plain
  file: true                    # Write pipeline.log per run

# Status API + Job Queue
api:
  enabled: true
  port: 8484
  listen: 0.0.0.0               # 127.0.0.1 for local only

# Providers
providers:
  subfinder:
    enabled: true
    timeout: 30                 # Timeout in minutes
    # all: true                 # Use all passive sources
    # recursive: true           # Recursive enumeration

  amass:
    enabled: true
    timeout: 30                 # Timeout in minutes (passive mode)

  dnsx:
    enabled: true
    # retry: 3
    # record_types: [a, aaaa, cname]
    # takeover_check: true

  httpx:
    enabled: true
    ports: [80, 443, 8080, 8443, 8000, 8081, 8888, 3000, 5000, 9090]
    # store_response: true
    # follow_redirect: true

  tlsx:
    enabled: true
    # san: true                 # Extract Subject Alternative Names
    # jarm: true                # JARM fingerprinting

  cdpcrawl:
    enabled: true
    headless: true              # false = visible browser (debug)
    timeout_per_page: 30s
    click_depth: 2              # Rounds of click interaction
    max_concurrent_tabs: 5
    user_agent: "Mozilla/5.0 ..."
    viewport_width: 1920
    viewport_height: 1080

  naabu:
    enabled: true
    top_ports: 100
    # scan_type: s              # SYN scan (needs NET_RAW)

  discover:
    enabled: true               # Endpoint extraction from HAR/JS

  analyzer:
    enabled: true
    # custom_rules: /path/to/rules.yaml

  collector:
    enabled: true
    llm_enabled: false
    llm_provider: openai        # openai | ollama
    llm_model: gpt-4o
    llm_api_key: ""             # or RECON0_LLM_API_KEY
    llm_base_url: ""
    llm_max_tokens: 4096

  activeprobe:
    enabled: true
    timeout: 10s
    max_concurrent: 20
    skip_generic: false         # Skip generic probes
    skip_cors: false            # Skip CORS checks

  nuclei:
    enabled: false              # Enable manually for filtered targets
    severity: [medium, high, critical]
    # custom_templates: ~/nuclei-custom/
    # exclude_tags: [dos, fuzz]
```
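
Before pointing `analyzer.custom_rules` at your own file, it helps to see how a rule's `pattern` and `false_positive` entries interact. The Go program below is an added example, not recon0's engine code: it re-implements the matching step for the two rules shown in the rule-format section, and the `Rule`/`Finding` types, `Scan`, the sample input, and the choice to test `false_positive` against the matched text are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors the id/severity/pattern/false_positive fields of the YAML rule format.
type Rule struct {
	ID, Severity  string
	Pattern       *regexp.Regexp
	FalsePositive []*regexp.Regexp
}

// Finding is this example's own result type (hypothetical, not recon0's).
type Finding struct{ RuleID, Severity, Value string; Line int }

// The two rules shown on this page, with the YAML string escaping removed.
var rules = []Rule{
	{ID: "aws-access-key", Severity: "critical",
		Pattern: regexp.MustCompile(`(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`)},
	{ID: "generic-api-key", Severity: "medium",
		Pattern: regexp.MustCompile(`(?i)(?:api[_\-]?key|apikey)[\s=:"']+[A-Za-z0-9_\-]{20,}`),
		FalsePositive: []*regexp.Regexp{
			regexp.MustCompile(`(?i)example|placeholder|your[_-]?api|xxx|replace|TODO`)}},
}

// Constructed sample input: a documentation-style AWS key ID, a placeholder, a random-looking key.
const sampleJS = `const cfg = {
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  apiKey: "YOUR_API_KEY_PLACEHOLDER_000",
  api_key: "k3J9fQ2mZx81LpV0sTtR4bNw",
};`

// Scan reports each pattern match unless one of that rule's false_positive patterns
// matches the matched text; values are truncated so the report does not re-leak them.
func Scan(content string) []Finding {
	var out []Finding
	for _, r := range rules {
	next:
		for _, loc := range r.Pattern.FindAllStringIndex(content, -1) {
			m := content[loc[0]:loc[1]]
			for _, fp := range r.FalsePositive {
				if fp.MatchString(m) {
					continue next
				}
			}
			out = append(out, Finding{r.ID, r.Severity, m[:4] + "...", strings.Count(content[:loc[0]], "\n") + 1})
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleJS) {
		fmt.Printf("line %d  %-16s %-8s %s\n", f.Line, f.RuleID, f.Severity, f.Value)
	}
}
```

The placeholder on line 3 is suppressed, but the documentation-style key on line 2 is still reported: the `aws-access-key` rule as shown carries no `false_positive` list, so a custom rule file that should ignore such samples has to add one.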
### Environment variables

| Variable | Description |
|----------|-------------|
| `RECON0_CONFIG` | Config file path |
| `RECON0_OUTPUT` | Output directory override |
| `RECON0_LOG_LEVEL` | Log level (`debug`, `info`, `warn`, `error`) |
| `RECON0_RESUME` | Resume mode (`true`/`false`) |
| `RECON0_LLM_API_KEY` | OpenAI/Ollama API key |
| `CHROME_PATH` | Chromium binary path override |

## Docker

### Build

```
make docker-build
```

The multi-stage Dockerfile produces a self-contained image (~1.5 GB) containing:

- The recon0 binary (statically compiled)
- All ProjectDiscovery tools (subfinder, dnsx, httpx, tlsx, naabu, nuclei)
- Chromium browser + fonts
- Pre-downloaded nuclei templates

### Run as a daemon

```
docker run -d \
  --name recon0 \
  -p 8484:8484 \
  -v $(pwd)/runs:/data/runs \
  -v $(pwd)/recon0.yaml:/data/recon0.yaml \
  ghcr.io/badchars/recon0 serve
```

### Port scanning with SYN

```
# naabu SYN scan requires the NET_RAW capability
docker run --rm --cap-add NET_RAW \
  -v $(pwd)/runs:/data/runs \
  ghcr.io/badchars/recon0 run target.com
```

## Architecture

```
cmd/recon0/main.go              CLI entry — run, serve, scan, status, list, providers
internal/
├── api/api.go                  REST API server (health, status, scan, queue, logs)
├── cdp/
│   ├── browser.go              Chrome browser pool (allocate, release, concurrent tabs)
│   ├── har.go                  HAR capture (network events → HAR 1.2 format)
│   └── interact.go             Page interaction (click, navigate, scroll, JS collection)
├── config/
│   ├── config.go               YAML config loader + env overrides
│   └── resources.go            CPU/RAM detection (cgroup v1/v2 aware)
├── dsl/
│   ├── engine.go               Rule engine (compile, match, false-positive filter)
│   ├── rules.go                Rule loader (YAML → compiled regex)
│   ├── types.go                Finding, Rule, Match types
│   └── rules/default.yaml      60+ built-in detection rules
├── llm/
│   ├── client.go               OpenAI-compatible chat completion client
│   └── prompt.go               Intelligence analysis prompt + report types
├── log/log.go                  Structured logger (color, JSON, plain + file output)
├── merge/merge.go              Result merging + deduplication
├── pipeline/
│   ├── pipeline.go             Orchestrator (stage loop, provider dispatch, progress)
│   ├── stage.go                9-stage definition + input/output routing
│   └── state.go                Execution state (JSON persistence, Query() display)
├── provider/
│   ├── provider.go             Provider interface + registry
│   ├── subfinder.go            Subdomain enumeration
│   ├── amass.go                OWASP Amass passive enumeration
│   ├── dnsx.go                 DNS resolution + takeover checks
│   ├── httpx.go                HTTP probing + tech detection
│   ├── tlsx.go                 TLS certificate extraction
│   ├── cdpcrawl.go             Headless browser crawling
│   ├── naabu.go                Port scanning
│   ├── nuclei.go               Vulnerability scanning
│   ├── discover.go             Endpoint extraction from HAR/JS
│   ├── analyzer.go             DSL engine wrapper
│   ├── collector.go            Intelligence aggregation + LLM
│   ├── activeprobe.go          Tech-aware HTTP probing
│   └── probes.go               Probe definitions by tech stack
└── queue/queue.go              Persistent job queue (JSON file-backed)
```

## Intelligence report

The `collect` stage generates `intel.json`, a structured intelligence report:

```
{
  "target": "example.com",
  "generated_at": "2026-03-06T15:42:00Z",
  "subdomain_count": 247,
  "live_host_count": 142,
  "open_port_count": 389,
  "endpoint_count": 1847,
  "hosts": [
    {
      "host": "api.example.com",
      "url": "https://api.example.com",
      "ip": "52.12.34.56",
      "status_code": 200,
      "tech": ["Spring Boot", "Java", "Nginx"],
      "cdn": "",
      "server": "nginx/1.24.0",
      "tls_version": "TLSv1.3",
      "tls_issuer": "Let's Encrypt",
      "ports": [80, 443, 8080]
    }
  ],
  "findings": [
    {
      "rule_id": "aws-access-key",
      "rule_name": "AWS Access Key ID",
      "severity": "critical",
      "value": "AKIA...",
      "source": "js",
      "file": "app.bundle.js"
    }
  ],
  "attack_surface": {
    "api_endpoints": ["/api/v2/users", "/graphql"],
    "admin_panels": ["https://admin.example.com"],
    "exposed_files": ["/.env", "/.git/HEAD"]
  },
  "recommendations": ["..."],
  "llm_analysis": "..."
}
```

## Resuming scans

recon0 can resume from any stage. This is useful for:

- Interrupted scans (Ctrl+C, network problems)
- Re-running analysis after adding custom DSL rules
- Skipping expensive stages (crawl, portscan) and only re-analyzing the data

```
# Initial scan (interrupted during the crawl stage)
recon0 run target.com --program myprogram
^C

# Resume from where it stopped
recon0 run target.com --program myprogram

# Or jump to a specific stage
recon0 run target.com --program myprogram --from-stage analyze
```

The `--from-stage` flag reuses the existing run directory and keeps all previously collected data.

## Resource management

recon0 detects system resources automatically and adjusts concurrency:

| Pool | Calculation | Used by |
|------|-------------|---------|
| Full | All CPU cores | httpx, subfinder |
| Heavy | cores / 2 (min 1) | cdpcrawl, naabu |
| Light | cores / 4 (min 1) | nuclei (rate-limited) |

```
resources:
  auto: true          # Reads /proc/cpuinfo, cgroup limits
  max_threads: 0      # 0 = auto, or set explicit cap
  max_rate: 5000      # Global requests/sec ceiling
```

cgroup v1/v2 aware, so it runs correctly inside Docker and Kubernetes.

## Updating

```
# Check whether a new version is available
recon0 update --check

# Download and install the latest release
recon0 update
```

Self-update downloads the correct binary for your OS/architecture from [GitHub Releases](https://github.com/badchars/recon0/releases), verifies the SHA256 checksum, and replaces the current binary automatically.

Supported platforms: `linux/amd64`, `linux/arm64`, `darwin/amd64`, `darwin/arm64`.

## Uninstalling

```
# Remove the binary
recon0 uninstall

# Remove the binary plus all scan data and config
recon0 uninstall --purge
```

## Releases

Releases are automated with [GoReleaser](https://goreleaser.com/) and GitHub Actions:

```
git tag v0.2.0
git push --tags
# → GitHub Actions builds cross-platform binaries and creates the release
```

## Build

```
make build          # Build for current platform
make build-linux    # Cross-compile to Linux amd64
make test           # Run tests
make fmt            # Format code
make vet            # Static analysis
make docker-build   # Build Docker image
make docker-push    # Push to GHCR
make clean          # Remove build artifacts
```

## License

MIT

Built by @badchars
