NipunDilshanSenevirathne/Recon2026-updated-from-25-


# recon2026

**Ultimate Subdomain Enumeration and HTTP Probing Framework**

**Author:** Nipun Dillshan Senevirathne

**Version:** 2026.1.0

**Language:** Bash

**Purpose:** Elite passive subdomain enumeration, DNS resolution, and live host probing for authorized penetration testing and bug bounty reconnaissance.

## Table of Contents

1. [Overview](#overview)
2. [Features](#features)
3. [Enumeration Sources](#enumeration-sources)
4. [Requirements](#requirements)
5. [Installation](#installation)
6. [Usage](#usage)
7. [Output Files](#output-files)
8. [Pipeline Flow](#pipeline-flow)
9. [Optional API Keys](#optional-api-keys)
10. [Legal Disclaimer](#legal-disclaimer)

## Overview

recon2026 is a high-performance reconnaissance framework designed for security professionals conducting authorized assessments. It aggregates subdomain data from ten independent sources in parallel, deduplicates and validates results through DNS resolution, and probes all discovered hosts for live HTTP and HTTPS services — all from a single command.

The tool is intentionally designed without Amass to maintain speed. Every enumeration engine runs concurrently, meaning total runtime is bounded by the slowest single source rather than the sum of all sources.

## Features

- All enumeration engines execute in parallel for maximum speed
- Automatic deduplication and normalization of all collected subdomains
- DNS resolution validation via `dnsx` before probing
- HTTP and HTTPS probing across five common ports with 200 concurrent threads
- Timestamped output directory per run — no results are ever overwritten
- Live progress indicators and color-coded terminal output
- Graceful interrupt handling with background job cleanup
- Optional integration with GitHub and ProjectDiscovery Chaos via API keys
- Dependency check at startup with per-tool installation guidance
- Full operation log written to `recon2026.log` in the output directory

## Enumeration Sources

The following sources are queried during each run:

| # | Source | Method |
|---|--------|--------|
| 1 | Subfinder | Passive DNS aggregation, recursive, 100 threads |
| 2 | AssetFinder | Passive subdomain discovery |
| 3 | Findomain | Certificate-based enumeration |
| 4 | crt.sh | Certificate Transparency log query via API |
| 5 | HackerTarget | Host search API |
| 6 | AlienVault OTX | Passive DNS via threat intelligence API |
| 7 | RapidDNS | DNS record scraping |
| 8 | Riddler.io | OSINT-based subdomain discovery |
| 9 | GitHub Subdomains | GitHub dorking (requires token) |
| 10 | ProjectDiscovery Chaos | Community subdomain dataset (requires API key) |

Sources 9 and 10 are optional and are silently skipped if credentials are not provided.

## Requirements

### Required Tools

The following tools must be installed and available in `$PATH`:

- `subfinder` — projectdiscovery/subfinder
- `assetfinder` — tomnomnom/assetfinder
- `httpx` or `httpx-toolkit` — projectdiscovery/httpx
- `dnsx` — projectdiscovery/dnsx
- `anew` — tomnomnom/anew
- `curl` — standard HTTP client (pre-installed on most systems)
- `python3` — required for crt.sh and AlienVault JSON parsing

### Optional Tools

- `findomain` — findomain/findomain
- `github-subdomains` — gwen001/github-subdomains
- `chaos` — projectdiscovery/chaos-client

### System Requirements

- Operating System: Linux or macOS
- Shell: Bash 4.0 or later
- Go: 1.20 or later (for installing Go-based tools)
- Internet connectivity to external APIs

## Installation

### 1. Clone or download the script

```bash
git clone https://github.com/youruser/recon2026.git
cd recon2026
chmod +x recon2026.sh
```

### 2. Install required Go-based tools

```bash
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/tomnomnom/assetfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install github.com/tomnomnom/anew@latest
```

### 3. Install optional tools

```bash
# Findomain
curl -LO https://github.com/findomain/findomain/releases/latest/download/findomain-linux
chmod +x findomain-linux && mv findomain-linux /usr/local/bin/findomain

# GitHub Subdomains
go install github.com/gwen001/github-subdomains@latest

# Chaos client
go install github.com/projectdiscovery/chaos-client/cmd/chaos@latest
```

### 4. Ensure Go binaries are in PATH

```bash
export PATH=$PATH:$(go env GOPATH)/bin
```

Add the above line to your `~/.bashrc` or `~/.zshrc` to make it permanent.

## Usage

### Interactive mode

Run the script without arguments.
It will prompt for the target domain and optional API keys:

```bash
./recon2026.sh
```

### Direct mode

Pass the target domain as a positional argument to skip the domain prompt:

```bash
./recon2026.sh example.com
```

### With API keys pre-set as environment variables

```bash
GITHUB_TOKEN=ghp_yourtoken CHAOS_KEY=yourapikey ./recon2026.sh example.com
```

### Passing API keys at runtime

If environment variables are not set, the tool will prompt for them interactively. Both prompts can be skipped by pressing Enter, in which case the corresponding sources are omitted from the run.

## Output Files

All output is written to a timestamped directory created at the start of each run:

```
recon_example.com_20260530_143022/
```

The following files are produced:

| File | Description |
|------|-------------|
| `subdomains.txt` | All unique subdomains collected from every source, sorted and deduplicated |
| `subdomains_resolved.txt` | Subdomains confirmed to resolve via DNS (produced if `dnsx` is installed) |
| `subdomains_alive.txt` | Live HTTP/S hosts with status codes, titles, and detected technologies |
| `recon2026.log` | Full verbose log of all tool output and errors for the run |

A temporary `.tmp/` directory is created during the run to hold per-source raw output and is automatically deleted upon completion.

## Pipeline Flow

The following sequence is executed on every run:

```
1. Dependency check
        |
2. Target domain input and validation
        |
3. Parallel enumeration across all 10 sources
        |
4. Merge all raw results
        |
5. Deduplicate, normalize, and filter invalid entries  -->  subdomains.txt
        |
6. DNS resolution via dnsx  -->  subdomains_resolved.txt
        |
7. HTTP/S probing via httpx on ports 80,443,8080,8000,8888  -->  subdomains_alive.txt
        |
8. Summary report with counts and elapsed time
```

Steps 3 through 5 run with full parallelism. Step 6 feeds directly into step 7, using the resolved list when available or falling back to the full deduplicated list otherwise.
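
Steps 2 and 5 and the step 6 to 7 fallback from the flow above, sketched as an added example that is not recon2026's own code. The function names and sample data are constructed, and treating an empty resolved file as "not available" is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not recon2026's own code; names and sample data are constructed.
export LC_ALL=C

# Step 2: accept only a syntactically valid DNS name before it is used in
# API URLs and output paths.
valid_domain() {
  case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | grep -Eq \
    '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Step 5: normalize merged raw output on stdin and keep only in-scope names.
# The suffix test is a literal string comparison, so "notexample.com" and
# "example.com.attacker.test" are not kept by an unescaped regex match.
normalize_subdomains() (
  t=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr -d '\r' | tr '[:upper:]' '[:lower:]' |
    sed -E -e 's#^[[:space:]]+##' -e 's#[[:space:]]+$##' -e 's#^[a-z]+://##' \
           -e 's#[/:].*$##' -e 's#^(\*\.)+##' -e 's#\.+$##' |
    awk -v t="$t" '
      $0 == t { print; next }
      length($0) > length(t) + 1 && $0 ~ /^[a-z0-9._-]+$/ &&
        substr($0, length($0) - length(t)) == ("." t) { print }' |
    sort -u
)

# Steps 6 -> 7: use the resolved list when present and non-empty (assumption),
# otherwise fall back to the full deduplicated list.
probe_input() {
  if [ -s "$1/subdomains_resolved.txt" ]; then echo "$1/subdomains_resolved.txt"
  else echo "$1/subdomains.txt"; fi
}

# Constructed sample of merged per-source output, with out-of-scope noise.
sample_raw_output() {
  cat <<'EOF'
www.Example.com
*.dev.example.com
https://api.example.com/v1/health
mail.example.com.
cdn.example.com:8443
notexample.com
example.com.attacker.test
www.example.com
EOF
}

sample_raw_output | normalize_subdomains example.com
```

The scope filter matters because passive sources routinely return look-alike and unrelated names, and anything left in `subdomains.txt` is later resolved and probed.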

## Optional API Keys

### GitHub Token

Required for the `github-subdomains` module. Generates significantly more results by querying GitHub repositories and code for subdomain references.

Obtain a token at: `https://github.com/settings/tokens`

Required scopes: `repo`, `read:org`

```bash
export GITHUB_TOKEN=ghp_yourtokenhere
```

### ProjectDiscovery Chaos API Key

Obtain a key at: `https://chaos.projectdiscovery.io`

```bash
export CHAOS_KEY=yourapikey
```

## Legal Disclaimer

recon2026 is intended exclusively for authorized security testing, bug bounty programs, and legitimate penetration testing engagements where explicit written permission has been obtained from the target organization. Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal and unethical. The author accepts no responsibility for misuse of this software.

**Always obtain written authorization before conducting any reconnaissance activity.**

*recon2026 — built for precision, speed, and professional security work.*