whiterabb17/r3ngine

V3 Beta Release is now operational!

Phoenix: From the Ashes even Stronger

Official v3 Rebirth: The Ultimate Web Reconnaissance & Vulnerability Scanner 🚀

New V3 Dashboard

   

r3ngine 3.2.0: The Phoenix Rebirth

r3ngine 3.2.0 marks the official rebirth and production stabilization of the project. This version features the new Cyberpunk Phoenix identity, Human-in-the-Loop OSINT Staging, and a Reinforced Security Discovery Stack. Most significantly, v3.2.0 completes the full migration from Celery to Temporal — replacing the legacy at-most-once task broker with a durable workflow engine that provides crash-safe scan execution, full replay history, and pause/resume signaling. Built on the massive v3.0 core, it represents a complete architectural overhaul designed for the modern threat landscape.


Attack Path Modeling Engine


r3NgineMobileSOC: Beta Release Out Now

| Dashboard | Geo-Tactical Map | Scan Details | Scan Orchestration | | :---: | :---: | :---: | :---: | | | | | | 

r3Ngine Plugins: Alpha Release Out Now

| Active Directory | | :---: | | | | Active Exploitation | | :---: | | | | Exploit Readiness Layer | | :---: | | |   ## Table of Contents * [About r3ngine](#about-r3ngine) * [Workflow](#workflow) * [Features](#features) * [Enterprise Support](#enterprise-support) * [Quick Installation](#quick-installation) * [Administration & Recovery](#-administration--recovery) * [Installation Video](#installation-video-tutorial) * [Community-Curated Videos](#community-curated-videos) * [Screenshots](#screenshots) * [What's new in reNgine](https://github.com/whiterabb17/r3ngine/releases) * [Contributing](#contributing) * [r3ngine Support](#r3ngine-support) * [Support and Sponsoring](#support-and-sponsoring) * [Reporting Security Vulnerabilities](#reporting-security-vulnerabilities) * [License](#license)  ## About reNgine reNgine is not an ordinary reconnaissance suite; it's a game-changer! We've turbocharged the traditional workflow with groundbreaking features that ease your reconnaissance game. reNgine redefines the art of reconnaissance with highly configurable scan engines, recon data correlation, continuous monitoring, GPT powered Vulnerability Report, Project Management and role based access control etc. 🦾   reNgine has advanced reconnaissance capabilities, harnessing a range of open-source tools to deliver a comprehensive web application reconnaissance experience. With its intuitive User Interface, it excels in subdomain discovery, pinpointing IP addresses and open ports, collecting endpoints, conducting directory and file fuzzing, capturing screenshots, and performing vulnerability scans. To summarize, it does end-to-end reconnaissance. With WHOIS identification and WAF detection, it offers deep insights into target domains. Additionally, reNgine also identifies misconfigured S3 buckets and find interesting subdomains and URLS, based on specific keywords to helps you identify your next target, making it a go-to tool for efficient reconnaissance. 🗃️    Say goodbye to recon data chaos! reNgine seamlessly integrates with a database, providing you with unmatched data correlation and organization. Forgot the hassle of grepping through json, txt or csv files. Plus, our custom query language lets you filter reconnaissance data effortlessly using natural language like operators such as filtering all alive subdomains with `http_status=200` and also filter all subdomains that are alive and has admin in name `http_status=200&name=admin` 🔧   reNgine offers unparalleled flexibility through its highly configurable scan engines, based on a YAML-based configuration. It offers the freedom to create and customize recon scan engines based on any kind of requirement, users can tailor them to their specific objectives and preferences, from thread management to timeout settings and rate-limit configurations, everything is customizable. Additionally, reNgine offers a range of pre-configured scan engines right out of the box, including Full Scan, Passive Scan, Screenshot Gathering, and the OSINT Scan Engine. These ready-to-use engines eliminate the need for extensive manual setup, aligning perfectly with reNgine's core mission of simplifying the reconnaissance process and enabling users to effortlessly access the right reconnaissance data with minimal effort. 💎  Subscans: Subscan is a game-changing feature in reNgine, setting it apart as the only open-source tool of its kind to offer this capability. With Subscan, waiting for the entire pipeline to complete is a thing of the past. Now, users can swiftly respond to newfound discoveries during reconnaissance. Whether you've stumbled upon an intriguing subdomain and wish to conduct a focused port scan or want to delve deeper with a vulnerability assessment, reNgine has you covered. 📃   PDF Reports: In addition to its robust reconnaissance capabilities, reNgine goes the extra mile by simplifying the report generation process, recognizing the crucial role that PDF reports play in the realm of end-to-end reconnaissance. Users can effortlessly generate and customize PDF reports to suit their exact needs. Whether it's a Full Scan Report, Vulnerability Report, or a concise reconnaissance report, reNgine provides the flexibility to choose the report type that best communicates your findings. Moreover, the level of customization is unparalleled, allowing users to select report colors, fine-tune executive summaries, and even add personalized touches like company names and footers. With GPT and LLM integration, your reports aren't just a report; with Assessment Overviews, Executive Briefs, Final Conclusions, remediation steps, and impacts, you get a 360-degree view of the vulnerabilities you've uncovered. 🔖    Say Hello to Projects! reNgine 3.0 introduces many many more powerful additions to really boost your recon experience. Checkout all the features below. ⚙    Roles and Permissions! In reNgine 3.0, we've taken your web application reconnaissance to a whole new level of control and security. Now, you can assign distinct roles to your team members—Sys Admin, Penetration Tester, and Auditor—each with precisely defined permissions to tailor their access and actions within the reNgine ecosystem. - 🔐 Sys Admin: Sys Admin is a superuser that has permission to modify system and scan related configurations, scan engines, create new users, add new tools etc. Superuser can initiate scans and subscans effortlessly. - 🔍 Penetration Tester: Penetration Tester will be allowed to modify and initiate scans and subscans, add or update targets, etc. A penetration tester will not be allowed to modify system configurations. - 📊 Auditor: Auditor can only view and download the report. An auditor can not change any system or scan related configurations nor can initiate any scans or subscans. 🧭  **Continuous Monitoring**: r3ngine's automated monitoring engine ensures your targets are under constant scrutiny. Schedule scans at regular intervals and receive real-time alerts via Discord, Slack, and Telegram for new subdomains, vulnerabilities, or asset changes. ⚡  **Adaptive Stress & Resilience Engine (ASRE)**: r3ngine v3 introduces the **Adaptive Stress & Resilience Engine (ASRE)**, a production-grade endpoint testing suite designed to evaluate the stability and resilience of target infrastructure. Unlike traditional scanners, ASRE orchestrates high-performance tools like `k6`, `wrk`, `hping3`, and `Locust` directly within your reconnaissance workflow. It provides real-time telemetry ingestion into the Attack Surface Graph (Neo4j), allowing you to visualize how endpoints behave under load and identify potential bottlenecks or denial-of-service vulnerabilities before they become critical failures.  ## Workflow ### Temporal Scan Pipeline (v3.2.0) The full scan pipeline is orchestrated by `MasterScanWorkflow` on Temporal. Every tier boundary is a hard synchronisation point — no tier starts until all activities in the previous tier have completed and their results are persisted to the database. flowchart TD START([▶ Scan Initiated]) --> TP subgraph S0["⚙️ Step 0 — Target Setup"] direction TB TP[TargetProfilingActivity] --> LC[LoadCheckpointActivity] end LC --> F1(( )) F1 --> SD & AI & FW & OS & SF subgraph T1["🔍 Tier 1 — Discovery · all parallel"] direction TB SD[RunSubdomainDiscoveryActivity] AI[RunAmassIntelDiscoveryActivity] FW[RunFirewallVPNScanActivity] OS["RunGenericTaskActivity · osint"] SF["RunGenericTaskActivity · spiderfoot_scan\n─ requires yaml spiderfoot_scan block"] end SD & AI & FW & OS & SF --> J1(( )) J1 --> PDR[ParseDiscoveryResultsActivity] PDR --> CP1{{"⏸ Pause Checkpoint"}} CP1 --> F2(( )) F2 --> HC & PS subgraph T2["🌐 Tier 2 — HTTP Crawl · Port Scan · all parallel"] direction TB HC["RunHTTPCrawlActivity\n─ global config · feeds Tiers 3 & 4"] --> PHC[ParseHTTPCrawlResultsActivity] PS[RunPortScanActivity] end PHC & PS --> J2(( )) J2 --> FU subgraph T3["🔗 Tier 3 — URL Fetching · sequential"] direction TB FU[RunFetchURLActivity] end FU --> DFF subgraph T4["📁 Tier 4 — Directory & File Fuzzing · sequential"] direction TB DFF[RunDirFileFuzzActivity] --> PFF[ParseFuzzResultsActivity] end PFF --> PER[ParseEnumerationResultsActivity] PER --> CP2{{"⏸ Pause Checkpoint"}} CP2 --> F3(( )) F3 --> WAD & WD & SEC subgraph T5["🔬 Tier 5 — Analysis · all parallel"] direction TB WAD[RunWebAPIDiscoveryActivity] WD[RunWAFDetectionActivity] SEC[RunSecretScanningActivity] end WAD & WD & SEC --> J3(( )) J3 --> PAR[ParseAnalysisResultsActivity] PAR --> CP3{{"⏸ Pause Checkpoint"}} CP3 --> F4(( )) F4 --> NUC & WB & BF & SS subgraph T6["🎯 Tier 6 — Assessment · BruteForcing · WAFBypass · Nuclei · Screenshot · all parallel"] direction TB subgraph NP["NucleiPlannerWorkflow · child workflow"] direction TB NUC[RunVulnerabilityScanActivity] end WB[RunWAFBypassActivity] BF[RunBruteForceScanActivity] SS[RunScreenshotActivity] end SS & NUC & WB & BF --> J4(( )) J4 --> PASM[ParseAssessmentResultsActivity] PASM --> CP4{{"⏸ Pause Checkpoint"}} CP4 --> CV subgraph T7["🧠 Tier 7 — Intelligence · sequential"] direction TB CV[CorrelateVulnerabilitiesActivity] --> CR[CalculateRiskScoresActivity] CR --> GI["GenerateImpactAssessmentActivity\n─ requires enable_ai_impact_analysis: true"] GI --> SG["SyncGraphActivity · APME + Neo4j\n─ requires attack_path_modeling.enabled: true"] end SG --> SN[SendScanNotificationActivity] SN --> DONE([✓ Scan Complete])  ## Features ### 🧠 Intelligence & AI Hub r3ngine is an AI-native reconnaissance suite, moving beyond simple tool automation to intelligent analysis. * **Centralized AI Management**: A unified management interface supporting **OpenAI, Anthropic (Claude 3), Google Gemini, and local Ollama models**. * **Vulnerability Impact Intelligence**: Automated generation of detailed impact narratives, remediation strategies, and remediation priorities using LLMs, visualized through interactive **Cytoscape.js attack paths** and a state-aware **Impact Explorer** with real-time assessment monitoring and persistent synchronization. * **PII Gate Security**: Advanced privacy layer that anonymizes sensitive reconnaissance data (IPs, emails, hostnames) before sending it to external LLMs, ensuring enterprise-grade data protection. * **GPT Attack Surface Generator**: Automated generation of target profiles and high-value asset identification. * **Dynamic Model Discovery**: Real-time fetching of available models with hardware requirement insights for local deployments. * **Natural Language Querying**: Perform complex database lookups using intuitive, human-like operators. ### 🛠️ Advanced Scan & Execution Engines ### 🕵️ Surgical Reconnaissance & OSINT * **Advanced Web API Discovery**: Dedicated pipeline featuring Kiterunner, Arjun, ParamSpider, LinkFinder, and InQL. * **Deep Pursuit OSINT Engine**: A modernized, high-performance modular pipeline replacing heavy Spiderfoot scans with surgical discovery. Features email pivoting (**holehe**), cross-platform social profile mapping (**maigret**), social presence discovery (**gosearch**), tactical identity permutation (**username-anarchy**), and a custom **Playwright-driven Social Intelligence Engine** that mimics human behavior to identify corporate personnel under high OpSec. * **OSINT Intelligence Dashboard**: Aggregated view of emails, leaks, employees, dorks, and document metadata. * **ReconX 24/7 Monitoring**: Dedicated, domain-specific background monitoring engine for continuous asset tracking and automated findings ingestion. * **Vulnerability Scanning**: * **Nuclei**: Specialized templates and intelligence-driven targeted scanning. * **Semgrep**: Automated static analysis for discovered endpoints (JS, PHP, Env, etc.) with automated rule synchronization (OWASP Top 10, Secrets). * **WPScan**: Automated WordPress reconnaissance and vulnerability identification. * **baddns**: Automated subdomain takeover detection with critical severity mapping. * **betterleaks**: High-precision secret and leak identification in discovered assets. * **Dalfox**: Advanced XSS discovery. * **Additional Integration**: CRLFuzzer, S3Scanner, Gitleaks, Retire.js. * **WHOIS, WAF Detection, and IP Geolocation**. ### 🥷 Stealth & Operational Security (OpSec) * **Enhanced Proxy Orchestration**: Automated fetching, validation, and per-tool rotation of high-quality proxies across all discovery modules to bypass rate-limiting and WAF blocks. * **Centralized Brute-Force Orchestration**: High-performance Hydra and Medusa integration with Proxychains4. Centralizes Nmap/Nuclei targets into a unified `AuthCandidate` queue supporting **multi-service targeting (SSH, FTP, HTTP, SMB, RDP, Telnet)**, automated service mapping, and configurable `max_retries`. * **OpSec Presets**: User-Agent rotation, stealth timing, custom DNS resolvers, and WAF bypass headers. * **Hardened Scan Termination**: Centralized `abort_scan_history()` / `abort_subscan()` utility to cancel all child subscans and Temporal workflows before database updates, eliminating orphaned processes. * **Workflow Retry Cap**: Limit of 10 retries on workflows before marking as FAILED, allowing checkpoint resumes. * **Metadata Stripping**: Automated removal of sensitive information from discovered assets. ### 🎨 Visual & Administrative Interface * **Cyberpunk V3 UI**: Premium glassmorphic dashboard supporting Hacker (Cyberpunk), Hybrid (Modern Dark), and Enterprise (Professional Slate) themes. * **Interactive Subdomain Management**: Wireframes for on-demand LLM Attack Surface Analysis, targeted subscans, and TODO/Note management directly from the subdomain inventory. * **Attack Surface Map v4.0**: Interactive, high-fidelity infrastructure visualization with **Hierarchical Asset Clustering** (Domains > Subdomains > Endpoints), advanced layouts (**fCoSE** and **KLay**), semantic cluster management, and AI-driven graph search. * **Tactical GeoMap Visualization**: Custom high-performance CSS-animated markers and tooltip interactions for global asset positioning. * **Bounty Hub**: Centralized platform for managing HackerOne programs, assets, and direct vulnerability reporting. * **Automated Startup Sync**: A Redis-locked sequence ensures Attack Surface graphs and CISA KEV (Known Exploited Vulnerabilities) catalogs are synchronized immediately upon boot. * **Administrative Robustness**: * **Scan Detail Header Reorganization**: Better layout with breadcrumbs below action buttons and right-aligned controls. * **Chronological Ordering**: Standardized descending ID ordering across Scan History and Target Lists. * 📊 **Enhanced Telemetry**: Fixed HTTP status breakdown logic and stabilized Scan Summary API via target-wide cumulative data queries. * **Target Deletion API**: Resolved 404 errors by synchronizing frontend requests with the correct backend orchestration endpoint. * **Onboarding Authentication Resilience**: Fixed application crash for unauthenticated users accessing onboarding. * **Customizable Alerts**: Notifications via Slack, Discord, Telegram, and Lark. * **Screenshot Gallery**: Automated visual captures with advanced filtering and tagging. * **Export/Import**: Interoperable with other tools via JSON, CSV, and TXT. * **Configuration Portability**: Export/restore custom API keys, tool configurations, scan engines, and wordlists to/from a backup zip. * **Integrated Tools**: Chaos, TLSX, CTFR, Netlas, Katana, Medusa, baddns, betterleaks, gosearch, username-anarchy. ### ⚡ Resource Management & Efficiency * **Temporal Workflow Engine**: Replaced Celery with [Temporal](https://temporal.io) for all scan orchestration, utilizing a single `temporal-python-orchestrator` container to reduce base memory overhead. * **Durable Execution**: Automatic retry on activity failures with configurable backoff to survive container restarts and blips. * **Global Redis Caching**: Unified Redis-backed caching layer replacing per-process local memory caching for shared state efficiency. * **Deterministic Resource Limits**: Native Docker `deploy.resources` limits and reservations configured for all production services (Temporal, Ollama, Neo4j, Web) to prevent host resource starvation.  ## 🛠️ Development & Strict Type Safety The r3ngine v3 frontend is built with a "Safety-First" philosophy, enforcing strict TypeScript constraints to ensure production reliability. * **Full Strict Mode**: The entire React codebase compiles under `strict: true`, eliminating hidden null pointers and undefined property access at build time. * **Contract Integrity**: Frontend models are strictly mapped to the auto-generated OpenAPI schema (`src/types/api.ts`). We enforce `verbatimModuleSyntax` to optimize build-time tree shaking and ensure type-only imports are explicitly marked. * **Modular Architecture**: Following a feature-based structure, each module (`targets`, `scans`, `vulnerabilities`) maintains its own API hooks and types, inheriting from the global contract while providing specialized UI adaptations. * **Production Hardening**: Our CI/CD pipeline validates every commit against `tsc -b` and `vite build`. We prioritize type-safe UI components over loose `any` declarations, utilizing safe type guards and defensive casting for robust API integration.  ## Quick Installation ### Quick Setup for Ubuntu/VPS 1. Clone the repository git clone https://github.com/whiterabb17/r3ngine && cd r3ngine 2. Configure the environment nano .env **Ensure you change the `POSTGRES_PASSWORD` for security.** 3. (Optional) For non-interactive install, set admin credentials in `.env` DJANGO_SUPERUSER_USERNAME=yourUsername DJANGO_SUPERUSER_EMAIL=YourMail@example.com DJANGO_SUPERUSER_PASSWORD=yourStrongPassword If you need to carry out a non-interactive installation, you can setup the login, email and password of the web interface admin directly from the .env file (instead of manually setting them from prompts during the installation process). This option can be interesting for automated installation (via ansible, vagrant, etc.). * `DJANGO_SUPERUSER_USERNAME`: web interface admin username (used to login to the web interface). * `DJANGO_SUPERUSER_EMAIL`: web interface admin email. * `DJANGO_SUPERUSER_PASSWORD`: web interface admin password (used to login to the web interface). 4. Configure Temporal worker concurrency in `.env` (optional) TEMPORAL_MAX_CONCURRENT_ACTIVITIES=20 TEMPORAL_MAX_CONCURRENT_WORKFLOWS=10 r3ngine v3.2.0 uses [Temporal](https://temporal.io) for all scan orchestration. The `temporal-python-orchestrator` container runs a single worker that polls for workflow and activity tasks. Concurrency is controlled by the variables above; the defaults are sensible for most machines. Recommended values by available RAM: * 4GB: `TEMPORAL_MAX_CONCURRENT_ACTIVITIES=10` * 8GB: `TEMPORAL_MAX_CONCURRENT_ACTIVITIES=20` * 16GB+: `TEMPORAL_MAX_CONCURRENT_ACTIVITIES=40` The Temporal UI is available at `http://localhost:8080` for workflow inspection, history replay, and manual intervention. 5. Run the installation script: sudo ./install.sh For non-interactive install: `sudo ./install.sh -n` *Note: If needed, run `chmod +x install.sh` to grant execution permissions.* **reNgine can now be accessed from or if you're on the VPS ** **Unless you are on development branch, please do not access reNgine via any ports** ### Installation on Other Platforms For Mac, Windows, or other systems, refer to our detailed installation guide [https://reNgine.wiki/install/detailed/](https://reNgine.wiki/install/detailed/) ### Installation Video Tutorial ## Updating 1. To update reNgine, run: cd r3ngine && sudo ./update.sh If `update.sh` lacks execution permissions, use: sudo chmod +x update.sh  ## 🔧 Administration & Recovery ### Scan Result Recovery If the database is lost or corrupted but the `scan_results` Docker volume is intact, the `recover_scan_results` management command can reconstruct the database from the files on disk. **What is recovered** (when the corresponding output files exist): | Data | Source file(s) | |------|----------------| | Domain | Parsed from folder name (`domain_scanid`) | | ScanHistory | Folder mtime used as scan date | | Subdomains | `#id_subdomain_discovery.txt`, `subdomains_*.txt`, subscan dirs | | Ports + IpAddresses | `#id_port_scan.txt` — naabu JSONL and legacy JSON-object formats | | EndPoints | `#id_fetch_url.txt`, `urls_*.txt` | | Vulnerabilities | `*_nmap_vulns.json`, `#id_nuclei_*_module.txt` | | WAF associations | `#id_waf_detection.txt` linked to matching subdomains | **Usage** (run inside the `web` container): # Dry-run — preview what would be recovered without writing anything python manage.py recover_scan_results # Apply — write recovered records to the database python manage.py recover_scan_results --apply # Recover a single scan folder python manage.py recover_scan_results --apply --scan-dir /usr/src/scan_results/defijn.io_108 # Use a non-default results root python manage.py recover_scan_results --apply --results-root /alt/path/scan_results **Docker Compose shortcut:** docker-compose exec web python manage.py recover_scan_results --apply The command is **idempotent** — scans already tracked in the database are skipped on every run, so it is safe to re-run after partial recoveries.  ## Screenshots ### Scan Results  ### General Usage ### Initiating Subscan ### Recon Data filtering ### Report Generation ### Toolbox ### Adding Custom tool in Tools Arsenal  ## Submitting issues 1. Enable Debug Mode: - Edit `web/entrypoint.sh` in the project root - Add `export DEBUG=1` at the top of the file: #!/bin/bash export DEBUG=1 python3 manage.py migrate python3 manage.py runserver 0.0.0.0:8000 exec "$@" - Restart the web container: `docker-compose restart web` 2. View Debug Output: - Run `make logs` to see the full stack trace - Check the browser's developer console for XHR requests with 500 errors 3. Example Debug Output: web_1 | TypeError: run_command() got an unexpected keyword argument 'echo' web_1 | File "/usr/src/app/reNgine/tasks.py", line 42, in run_command web_1 | subprocess.run(cmd, **kwargs) 4. Submit Your Issue: - Include the full stack trace in your GitHub issue - Describe the steps to reproduce the problem - Mention any relevant system information 5. Disable Debug Mode: - Set `DEBUG=0` in `web/entrypoint.sh` - Restart the web container By providing this detailed information, you significantly help developers identify and fix issues more efficiently.  ## Reporting Security Vulnerabilities We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions. 1. **Do Not** disclose the vulnerability publicly on GitHub issues or any other public forum. 2. Go to the [Security tab](https://github.com/whiterabb17/r3ngine/security) of the reNgine repository. 3. Click on "Report a vulnerability" to open GitHub's private vulnerability reporting form. 4. Provide a detailed description of the vulnerability, including: - Steps to reproduce - Potential impact - Any suggested fixes or mitigations (if you have them) 5. I will review your report and respond as quickly as possible, usually within 48-72 hours. 6. Please allow some time to investigate and address the vulnerability before disclosing it to others. We are committed to working with security researchers to verify and address any potential vulnerabilities reported to us. After fixing the issue, we will publicly acknowledge your responsible disclosure, unless you prefer to remain anonymous. Thank you for helping to keep reNgine and its users safe!  ## License Distributed under the GNU GPL v3 License. See [LICENSE](LICENSE) for more information. 

Note: Parts of this README were written or refined using AI language models.