All Projects → codingo → Reconnoitre

codingo / Reconnoitre

Licence: gpl-3.0
A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.

Programming Languages

116272 projects - #7 most used programming language
11148 projects

Projects that are alternatives of or similar to Reconnoitre

A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.
Stars: ✭ 767 (-57.95%)
Mutual labels:  hacking, security-tools, penetration-testing, scanner, hacking-tool, security-audit, oscp, offensive-security
Automated NoSQL database enumeration and web application exploitation tool.
Stars: ✭ 1,928 (+5.7%)
Mutual labels:  hacking, security-tools, penetration-testing, scanner, hacking-tool, security-audit, enumeration, offensive-security
🆕 The Multi-Tool Web Vulnerability Scanner.
Stars: ✭ 775 (-57.51%)
Mutual labels:  kali-linux, security-tools, penetration-testing, scanner, security-scanner, enumeration, oscp, offensive-security
Takes a single wordlist item and tests it one by one over a large collection of websites before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.
Stars: ✭ 182 (-90.02%)
Mutual labels:  hacking, security-tools, penetration-testing, hacking-tool, security-audit, enumeration, offensive-security
Easily turn single threaded command line applications into a fast, multi-threaded application with CIDR and glob support.
Stars: ✭ 760 (-58.33%)
Mutual labels:  hacking, security-tools, penetration-testing, hacking-tool, enumeration, oscp
A high performance offensive security tool for reconnaissance and vulnerability scanning
Stars: ✭ 2,312 (+26.75%)
Mutual labels:  hacking, scanner, hacking-tool, security-scanner, enumeration, offensive-security
Vulnerability scanner using Nmap for scanning and correlating found CPEs with CVEs.
Stars: ✭ 413 (-77.36%)
Mutual labels:  hacking, security-tools, scanner, hacking-tool, security-audit, nmap
A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 23000 malicious cryptocurrency mining domains (cryptojacking).
Stars: ✭ 162 (-91.12%)
Mutual labels:  hacking, security-tools, penetration-testing, hacking-tool, security-audit, security-scanner
network reconnaissance toolkit
Stars: ✭ 353 (-80.65%)
Mutual labels:  kali-linux, hacking, penetration-testing, security-audit, nmap, offensive-security
File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
Stars: ✭ 199 (-89.09%)
Mutual labels:  hacking, security-tools, penetration-testing, enumeration, oscp
Phonia Toolkit is one of the most advanced toolkits to scan phone numbers using only free resources. The goal is to first gather standard information such as country, area, carrier and line type on any international phone numbers with a very good accuracy.
Stars: ✭ 221 (-87.88%)
Mutual labels:  kali-linux, hacking, scanner, hacking-tool, scanning
Fully automated offensive security framework for reconnaissance and vulnerability scanning
Stars: ✭ 3,391 (+85.91%)
Mutual labels:  hacking, security-tools, penetration-testing, hacking-tool, scanning
Cheatsheet God
Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet
Stars: ✭ 3,521 (+93.04%)
Mutual labels:  hacking, security-tools, penetration-testing, hacking-tool, oscp
Next generation web scanner
Stars: ✭ 3,503 (+92.05%)
Mutual labels:  kali-linux, hacking, security-tools, penetration-testing, scanner
🏴‍☠️ Information Gathering tool 🏴‍☠️ DNS / Subdomains / Ports / Directories enumeration
Stars: ✭ 116 (-93.64%)
Mutual labels:  hacking, security-tools, penetration-testing, hacking-tool, enumeration
Web application vulnerability scanner
Stars: ✭ 359 (-80.32%)
Mutual labels:  hacking, security-tools, hacking-tool, security-audit, security-scanner
A Red Teamer Diaries
RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.
Stars: ✭ 382 (-79.06%)
Mutual labels:  hacking, security-tools, penetration-testing, enumeration, nmap
Recsech is a tool for doing Footprinting and Reconnaissance on the target web. Recsech collects information such as DNS Information, Sub Domains, HoneySpot Detected, Subdomain takeovers, Reconnaissance On Github and much more you can see in Features in tools .
Stars: ✭ 173 (-90.52%)
Mutual labels:  security-tools, penetration-testing, scanner, hacking-tool, security-audit
Jok3r v3 BETA 2 - Network and Web Pentest Automation Framework
Stars: ✭ 645 (-64.64%)
Mutual labels:  hacking, security-tools, scanner, hacking-tool, security-audit
Web path scanner
Stars: ✭ 7,246 (+297.26%)
Mutual labels:  hacking, penetration-testing, scanner, hacking-tool, enumeration


A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags.

Contributions are more than welcome!

Python 3.2|3.6 License Build Status Twitter


Reconnoitre although a well loved tool I've maintained for a few years now, in my opinion, pales in functionality to building your own enumeration approach within Interlace. I strongly recommend anybody looking to take Infosec beyond the OSCP to spend some time looking into this project.


This tool is based heavily upon the work made public in Mike Czumak's (T_v3rn1x) OSCP review (link) along with considerable influence and code taken from Re4son's mix-recon (link). Virtual host scanning is originally adapted from teknogeek's work which is heavily influenced by jobertabma's virtual host discovery script (link). Further Virtual Host scanning code has been adapted from a project by Tim Kent and I, available here (link).


To install Reconnoitre first make a local copy of the repository by performing the following where you wish it to be located:

git clone

After you have done this run with the following:

python3 install

After setup has run Reconnoitre will now be in your path (as reconnoitre) and you can launch it anywhere using:

reconnoitre <args>


This tool can be used and copied for personal use freely however attribution and credit should be offered to Mike Czumak who originally started the process of automating this work.

Argument Description
-h, --help Display help message and exit
-t TARGET_HOSTS Set either a target range of addresses or a single host to target. May also be a file containing hosts.
-o OUTPUT_DIRECTORY Set the target directory where results should be written.
-w WORDLIST Optionally specify your own wordlist to use for pre-compiled commands, or executed attacks.
--pingsweep Write a new target.txt file in the OUTPUT_DIRECTORY by performing a ping sweep and discovering live hosts.
--dns, --dnssweep Find DNS servers from the list of target(s).
--snmp Find hosts responding to SNMP requests from the list of target(s).
--services Perform a service scan over the target(s) and write recommendations for further commands to execute.
--hostnames Attempt to discover target hostnames and write to hostnames.txt.
--virtualhosts Attempt to discover virtual hosts using the specified wordlist. This can be expended via discovered hostnames.
--ignore-http-codes Comma separated list of http codes to ignore with virtual host scans.
--ignore-content-length Ignore content lengths of specificed amount. This may become useful when a server returns a static page on every virtual host guess.
--quiet Supress banner and headers and limit feedback to grepable results.
--quick Move to the next target after performing a quick scan and writing first-round recommendations.
--no-udp Disable UDP service scanning, which is ON by default.

Usage Examples

Note that these are some examples to give you insight into potential use cases for this tool. Command lines can be added or removed based on what you wish to accomplish with your scan.

Scan a single host, create a file structure and discover services

reconnoitre -t -o /root/Documents/labs/ --services

An example output would look like:

[email protected]:~/# reconnoitre -t --services -o /root/Documents/labs/
(____)      An OSCP scanner

[#] Performing service scans
[*] Loaded single target:
[+] Creating directory structure for
   [>] Creating scans directory at: /root/Documents/labs/
   [>] Creating exploit directory at: /root/Documents/labs/
   [>] Creating loot directory at: /root/Documents/labs/
   [>] Creating proof file at: /root/Documents/labs/
[+] Starting quick nmap scan for
[+] Writing findings for
   [>] Found HTTP service on
   [>] Found MS SMB service on
   [>] Found RDP service on
[*] TCP quick scan completed for
[+] Starting detailed TCP/UDP nmap scans for
[+] Writing findings for
   [>] Found MS SMB service on
   [>] Found RDP service on
   [>] Found HTTP service on
[*] TCP/UDP Nmap scans completed for

Which would also write the following recommendations file in the scans folder for each target:

[*] Found HTTP service on
   [>] Use nikto & dirb / dirbuster for service enumeration, e.g
      [=] nikto -h -p 80 > /root/Documents/labs/
      [=] dirb -o /root/Documents/labs/ -r -S -x ./dirb-extensions/php.ext
      [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r /root/Documents/labs/ -u
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -u -s '200,204,301,302,307,403,500' -e > /root/Documents/labs/ -t 50 
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -u -s '200,204,301,307,403,500' -e > /root/Documents/labs/ -t 50 
   [>] Use curl to retreive web headers and find host information, e.g
      [=] curl -i
      [=] curl -i -s | html2text
[*] Found MS SMB service on
   [>] Use nmap scripts or enum4linux for further enumeration, e.g
      [=] nmap -sV -Pn -vv -p445 --script="smb-* -oN '/root/Documents/labs/' -oX '/root/Documents/labs/'
      [=] enum4linux
[*] Found RDP service on
   [>] Use ncrackpassword cracking, e.g
      [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://

Discover live hosts and hostnames within a range

reconnoitre -t -o /root/Documents/testing/ --pingsweep --hostnames

Discover live hosts within a range and then do a quick probe for services

reconnoitre -t -o /root/Documents/testing/ --pingsweep --services --quick

This will scan all services within a target range to create a file structure of live hosts as well as write recommendations for other commands to be executed based on the services discovered on these machines. Removing --quick will do a further probe but will greatly lengthen execution times.

Discover live hosts within a range and then do probe all ports (UDP and TCP) for services

reconnoitre -t -o /root/Documents/testing/ --pingsweep --services


This bare requirement for host and service scanning for this tool is to have both nbtscan and nmap installed. If you are not using host scanning and only wish to perform a ping sweep and service scan you can get away with only installing nmap. The outputted findings.txt will often recommend additional tools which you may not have available in your distribution if not using Kali Linux. All requirements and recommendations are native to Kali Linux which is the recommended (although not required) distribution for using this tool.

In addition to these requirements outputs will often refer to Wordlists that you may need to find. If you are undertaking OSCP these can be found in the "List of Recommended Tools" thread by g0tmilk. If not then you can find the majority of these online or already within a Kali Linux installation.


First step is to install docker if you do not have it installed already. Docker Installation

Basic Usage:

cd <Reconnoitre Directory>
docker build -t reconnoitre .

docker run reconnoitre -o outputdir -t

If you want files to exist locally you can mount a directory to the Docker container

cd <Reconnoitre Directory>
docker build -t reconnoitre .
mkdir /path/to/dir

docker run -v /path/to/dir:/outputdir --services -o outputdir -t
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected]