vipulraj01/reconx

GitHub: vipulraj01/reconx

Stars: 0 | Forks: 0

# ReconX v2.0

**Automated Recon & Vulnerability Scanner for Bug Bounty Hunters**

[![GitHub stars](https://img.shields.io/github/stars/vipulraj01/reconx?style=for-the-badge&color=yellow)](https://github.com/vipulraj01/reconx/stargazers) [![License](https://img.shields.io/badge/License-MIT-blue?style=for-the-badge)](https://github.com/vipulraj01/reconx/blob/main/LICENSE) [![Issues](https://img.shields.io/github/issues/vipulraj01/reconx?style=for-the-badge&color=red)](https://github.com/vipulraj01/reconx/issues) [![Shell](https://img.shields.io/badge/Shell-Bash-121011?style=for-the-badge&logo=gnu-bash&logoColor=white)](https://www.gnu.org/software/bash/)

[**Getting Started**](#-getting-started) · [**How It Works**](#-how-it-works) · [**Usage**](#-usage) · [**Toolchain**](#%EF%B8%8F-toolchain)
## 💡 What is ReconX?

**ReconX** is a fully automated bug bounty reconnaissance and vulnerability scanning framework. Point it at a target domain and it runs the entire pipeline, from subdomain discovery through to vulnerability detection. Instead of manually chaining dozens of tools together, ReconX orchestrates **25+ security tools** into a single streamlined workflow:

```
Target Domain → Subdomains → Alive Hosts → Endpoints → Parameters → Vulnerabilities
```

## ⚡ Key Capabilities
### 🔍 Reconnaissance

- **Passive subdomain enumeration** via 9 sources (assetfinder, subfinder, amass, findomain, crt.sh, hackertarget, riddler, certspotter, Sublist3r)
- **Active subdomain brute-forcing** with gobuster & amass using curated wordlists
- **DNS resolution** and alive-host filtering via dnsx & httpx
- **Visual recon**: automated screenshots with aquatone

### 🎯 Vulnerability Detection

- **XSS**: kxss finds parameters whose values are reflected with special characters left unfiltered, then dalfox attempts a confirmed injection on those
- **SQL Injection**: automated sqlmap scans at risk level 3 (risk 3 adds OR-based payloads, which can modify data if they land in an UPDATE or DELETE statement, so keep this within the programme's rules of engagement)
- **SSRF**: probes parameters for requests reaching the AWS instance metadata endpoint (169.254.169.254)
- **LFI**: path traversal payload injection
- **Open Redirect**: openredirex + custom payload testing
- **CRLF Injection**: crlfuzz header injection
- **Subdomain Takeover**: subjack fingerprint scanning
- **Multi-scanner**: nuclei templates (info → critical)
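Two of the steps that sit between discovery and scanning are easy to get subtly wrong: dropping out-of-scope hosts (the `-x` exclude list documented under Usage) and bucketing crawled URLs into the per-vulnerability parameter lists described above. The script below is an added example, not ReconX's own code, and makes two assumptions the page does not state: that an excluded entry also excludes its subdomains, and a small made-up parameter-name list standing in for the real gf patterns. The host list and URLs are constructed inline, so it runs offline with only `sh` and `awk`.

```bash
#!/bin/sh
# Added example (not ReconX's own code): a stand-in for two pipeline steps,
# scope exclusion (the -x list) and gf-style parameter bucketing (the
# patterns/ files). All input is constructed inline, so it runs offline.
set -eu

# Drop every host that equals, or sits under, an entry in the exclude file.
# Assumption for this example: an excluded entry also excludes its subdomains.
# A bare `grep -v -f exclude.txt` would be wrong here twice over: '.' is a
# regex wildcard, and an unanchored match also drops hosts that merely contain
# the string (notinternal.example.com for the entry internal.example.com).
filter_scope() {   # filter_scope EXCLUDE_FILE < hosts > in-scope hosts
    awk -v ex="$1" '
        BEGIN { while ((getline line < ex) > 0) if (line != "") bad[line] = 1 }
        {
            host = $0; keep = 1
            # Walk up the label chain: vpn.internal.example.com, then
            # internal.example.com, then example.com, then com.
            while (host != "") {
                if (host in bad) { keep = 0; break }
                if (index(host, ".") == 0) break
                host = substr(host, index(host, ".") + 1)
            }
            if (keep) print $0
        }'
}

# Bucket URLs by the names of their query parameters. The name lists are a
# small illustrative set made up for this example, not ReconX's gf patterns.
# Each URL is printed at most once per bucket, as "<bucket> <url>".
classify_params() {   # classify_params < urls
    awk '
        BEGIN {
            nb = split("xss sqli ssrf lfi openredirect", order, " ")
            pat["xss"]          = "^(q|s|search|query|keyword|name|comment|msg|message)$"
            pat["sqli"]         = "^(id|uid|user_id|pid|cat|category|item|order|sort)$"
            pat["ssrf"]         = "^(url|uri|dest|redirect_uri|callback|feed|host|site|fetch)$"
            pat["lfi"]          = "^(file|path|page|template|include|doc|document|dir)$"
            pat["openredirect"] = "^(next|return|returnurl|redirect|redir|goto|continue|to)$"
        }
        {
            url = $0
            qpos = index(url, "?")
            if (qpos == 0) next                 # no query string: nothing to classify
            n = split(substr(url, qpos + 1), kv, "&")
            split("", seen)                     # reset the per-URL bucket set
            for (i = 1; i <= n; i++) {
                name = kv[i]; sub(/=.*/, "", name); name = tolower(name)
                for (j = 1; j <= nb; j++) {
                    b = order[j]
                    if (!(b in seen) && name ~ pat[b]) { seen[b] = 1; print b, url }
                }
            }
        }'
}

# Run both steps over constructed sample data and lay the results out like
# ReconX's subdomains/ and patterns/ directories. Prints the output directory.
demo() {
    out=$(mktemp -d)
    mkdir -p "$out/subdomains" "$out/patterns"
    printf '%s\n' internal.example.com > "$out/exclude.txt"
    printf '%s\n' www.example.com internal.example.com vpn.internal.example.com \
                  notinternal.example.com api.example.com \
        | filter_scope "$out/exclude.txt" > "$out/subdomains/subdomains.txt"
    printf '%s\n' \
        'https://www.example.com/search?q=test' \
        'https://api.example.com/item?id=10&sort=asc' \
        'https://www.example.com/login?next=/home' \
        'https://www.example.com/view?file=report.pdf' \
        'https://api.example.com/fetch?url=http://169.254.169.254/' \
        'https://www.example.com/static/app.js' \
        | classify_params \
        | while read -r bucket url; do echo "$url" >> "$out/patterns/$bucket.txt"; done
    echo "$out"
}

out=$(demo)
echo "in-scope hosts:"; cat "$out/subdomains/subdomains.txt"
for f in "$out"/patterns/*.txt; do echo "== $(basename "$f")"; cat "$f"; done
```

Running it keeps `www`, `api` and `notinternal.example.com`, drops `internal.example.com` and everything beneath it, and writes one URL into each of `xss.txt`, `sqli.txt`, `ssrf.txt`, `lfi.txt` and `openredirect.txt`; the static asset with no query string lands nowhere. The label-chain walk in `filter_scope` is the part worth keeping when you adapt this to a real exclude file, because an over-broad or regex-interpreted exclusion silently shrinks your attack surface, while an under-broad one is what gets a report rejected as out of scope.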
## 🔄 How It Works

ReconX executes a multi-stage pipeline. Each stage feeds into the next:

```
┌─────────────────────────────────────────────────────────────────┐
│ STAGE 1: DISCOVER                                               │
│ assetfinder → subfinder → amass → findomain → crt.sh → ...      │
│ gobuster (active) → amass brute (active)                        │
│                              ↓                                  │
│ STAGE 2: FILTER                                                 │
│ dnsx (resolve) → httpx (alive) → aquatone (screenshot)          │
│                              ↓                                  │
│ STAGE 3: CRAWL                                                  │
│ waymore → endpoint collection → urldedupe (dedup)               │
│                              ↓                                  │
│ STAGE 4: CLASSIFY                                               │
│ gf patterns → XSS params | SQLi params | SSRF params | ...      │
│                              ↓                                  │
│ STAGE 5: EXPLOIT                                                │
│ dalfox (XSS) | sqlmap (SQLi) | nuclei | crlfuzz | subjack       │
│                              ↓                                  │
│ STAGE 6: REPORT                                                 │
│ Summary → /vulnerabilities/ → /nuclei/ → /subdomains/           │
└─────────────────────────────────────────────────────────────────┘
```

## 🚀 Getting Started

### Prerequisites

- **Linux** (Debian/Ubuntu recommended: Kali, Parrot, etc.)
- **Root access** (tools are installed system-wide)
- **Go 1.22+**, **Python 3**, **Ruby**, **Git**

### Installation

```bash
git clone https://github.com/vipulraj01/reconx.git
cd reconx/
chmod +x reconx install.sh
sudo mv reconx /usr/bin/
sudo ./install.sh
```

The installer will automatically:

- Install all system dependencies (git, python3, go, jq, chromium, etc.)
- Download and compile 20+ Go/Python security tools
- Fetch wordlists from SecLists and other sources
- Configure gf patterns for parameter classification
- Set up nuclei templates

Because it runs as root, installs packages and builds third-party tools fetched over the network, read `install.sh` before running it.

## 📖 Usage

### Basic Syntax

```bash
sudo reconx -d <domain> [-a] [-o <dir>] [-t <threads>] [-b <callback>] [-x <file>] [-f <file>]
```

### Flags

| Flag | Description | Default |
|------|-------------|---------|
| `-d` | Target domain | — |
| `-o` | Output directory | `reconx-` |
| `-t` | Number of threads | `100` |
| `-b` | Blind XSS (BXSS) callback server | Disabled |
| `-x` | File with out-of-scope domains to exclude | — |
| `-f` | File with pre-collected subdomains (skips enumeration) | — |
| `-a` | Run full pipeline (recon + vuln scan) | Recon only |
| `-v` | Print version | — |
| `-h` | Show help | — |

### Examples

**Subdomain enumeration only (default):**

```bash
sudo reconx -d example.com
```

**Full recon + vulnerability scanning:**

```bash
sudo reconx -d example.com -a -o example_output
sudo reconx -d example.com -a -t 250 -b your_callback.oast.fun
```

**Exclude out-of-scope domains:**

```bash
echo "internal.example.com" > exclude.txt
sudo reconx -d example.com -a -x exclude.txt
```

**Skip enumeration and provide your own subdomains:**

```bash
sudo reconx -d example.com -f /path/to/subdomains.txt -a
```

## 📂 Output Structure

After a scan, ReconX generates organized output:

```
reconx-/
├── subdomains/
│   ├── domains.txt          # All discovered subdomains
│   ├── subdomains.txt       # Resolved subdomains
│   ├── alivesub.txt         # HTTP-alive subdomains
│   ├── alwithouthttp.txt    # Alive subs (no protocol prefix)
│   ├── title.txt            # Page titles + status codes
│   ├── endpoints.txt        # All crawled endpoints
│   └── aquatone/            # Screenshots & HTML report
├── patterns/
│   ├── xss.txt              # XSS-prone parameters
│   ├── sqli.txt             # SQLi-prone parameters
│   ├── ssrf.txt             # SSRF-prone parameters
│   ├── lfi.txt              # LFI-prone parameters
│   ├── rce.txt              # RCE-prone parameters
│   └── openredirect.txt     # Redirect-prone parameters
├── vulnerabilities/
│   ├── xss.txt              # Confirmed XSS
│   ├── xss_dalfox.txt       # Dalfox XSS results
│   ├── lfi.txt              # Confirmed LFI
│   ├── ssrf.txt             # Confirmed SSRF
│   ├── crlf.txt             # CRLF injection results
│   ├── openredirect.txt     # Open redirects
│   ├── openredirex.txt      # OpenRedireX results
│   ├── takeover.txt         # Subdomain takeover
│   └── sqlmap/              # SQLmap output per target
└── nuclei/
    ├── info.txt             # Informational findings
    ├── low.txt              # Low severity
    ├── medium.txt           # Medium severity
    ├── high.txt             # High severity
    └── critical.txt         # Critical findings
```

Treat the files under `vulnerabilities/` and `nuclei/` as scanner output to verify by hand before anything goes into a report.

## 🛠️ Toolchain

ReconX integrates the following open-source tools:

| Category | Tools |
|----------|-------|
| **Subdomain Discovery** | [subfinder](https://github.com/projectdiscovery/subfinder), [assetfinder](https://github.com/tomnomnom/assetfinder), [amass](https://github.com/OWASP/Amass), [findomain](https://github.com/Findomain/Findomain), [Sublist3r](https://github.com/hxlxmjxbbxs/SUBLIST3R_V2.0), crt.sh, hackertarget, riddler, certspotter |
| **Active Brute-force** | [gobuster](https://github.com/OJ/gobuster), [amass](https://github.com/OWASP/Amass) |
| **DNS & HTTP Probing** | [dnsx](https://github.com/projectdiscovery/dnsx), [httpx](https://github.com/projectdiscovery/httpx) |
| **Visual Recon** | [aquatone](https://github.com/michenriksen/aquatone) |
| **Endpoint Crawling** | [waymore](https://github.com/xnl-h4ck3r/waymore), [gau](https://github.com/lc/gau), [waybackurls](https://github.com/tomnomnom/waybackurls) |
| **Parameter Filtering** | [gf](https://github.com/tomnomnom/gf), [uro](https://github.com/s0md3v/uro), [qsreplace](https://github.com/tomnomnom/qsreplace), [urldedupe](https://github.com/ameenmaali/urldedupe) |
| **XSS Scanning** | [kxss](https://github.com/Emoe/kxss), [dalfox](https://github.com/hahwul/dalfox) |
| **SQL Injection** | [sqlmap](https://github.com/sqlmapproject/sqlmap) |
| **Multi-Scanner** | [nuclei](https://github.com/projectdiscovery/nuclei) |
| **Other Vulns** | [crlfuzz](https://github.com/dwisiswant0/crlfuzz), [subjack](https://github.com/haccer/subjack), [openredirex](https://github.com/devanshbatham/openredirex) |
| **Utilities** | [anew](https://github.com/tomnomnom/anew), [jq](https://github.com/stedolan/jq) |

## ⚠️ Disclaimer

## 📄 License

This project is licensed under the [MIT License](LICENSE).
**If you find ReconX useful, consider giving it a ⭐** Made by [@vipulraj01](https://github.com/vipulraj01)