A Bash automation script for the Reconnaissance phase of web penetration testing.
The goal is asset discovery + normalization to generate a clean, reusable Attack Surface dataset for scanners and manual validation.
No exploitation is performed.
Nuclei scanning is optional and only runs when explicitly enabled.
This is the high-level pipeline implemented by the script:

- Passive subdomain discovery (`subfinder`)
- Optional DNS brute-force (`dnsx`, controlled by `BRUTE=1`)
- DNS resolution + IP extraction (`dnsx`)
- Live probing on common web ports (`httpx`) → `live_urls.txt`
- Host normalization → `hosts.txt`
- Reverse PTR lookup (best-effort) → `reverse_ptr.txt`
- ASN discovery (`amass` or fallback `whois`) → `asn.txt`
- IP/CIDR aggregation → `ips.txt`
- Tech fingerprinting (optional `whatweb`) → `tech_stack.txt`
- Port scanning (`nmap --top-ports`) → `ports.txt`
- VHost discovery via Host header fuzz (`ffuf`) → `vhosts.txt`
- Archived URLs (`waybackurls` or `gau`) → `wayback_urls.txt`
- Crawling (`katana`) → `katana_urls.txt`
- Path enumeration (`ffuf`) → `paths.txt`
- Parameter discovery (URL parsing + optional `arjun`) → `params.txt`
- API endpoint heuristics → `api.txt`
- Optional vulnerability scan (`nuclei`) → JSONL + readable summary
- Optional screenshots with `gowitness` when `GOWITNESS=1` (if integrated in your script)
Base packages:

```bash
sudo apt update
sudo apt install -y nmap ffuf seclists jq whois dnsutils unzip
```

`dnsutils` provides `dig`.
ProjectDiscovery tools (Go):

```bash
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install -v github.com/projectdiscovery/katana/cmd/katana@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
```

Make sure the Go bin directory is in `PATH` (add the line to your shell profile to make it persistent):

```bash
export PATH="$PATH:$(go env GOPATH)/bin"
```

Arjun (parameter discovery):

```bash
pipx install arjun || pip install --user arjun
```

WhatWeb (tech fingerprinting):

```bash
sudo apt install -y whatweb
```

Waybackurls (archived URLs):

```bash
go install -v github.com/tomnomnom/waybackurls@latest
```

gau (archived URLs alternative):

```bash
go install -v github.com/lc/gau/v2/cmd/gau@latest
```

Amass (ASN/IP intel, optional):

```bash
sudo apt install -y amass
```

Gowitness (screenshots, optional):

```bash
go install -v github.com/sensepost/gowitness@latest
```

Usage:

```bash
./recon_automation.sh <domain> [outdir] [top_ports]
```

Arguments:

- `<domain>`: target domain (required)
- `[outdir]`: output directory (default: `recon_<domain>`)
- `[top_ports]`: Nmap top ports scope (default: `2000`)
Examples:

```bash
./recon_automation.sh example.com
./recon_automation.sh example.com recon_run1 1000
./recon_automation.sh example.com recon_run2 5000
```

DNS brute-force:

```bash
BRUTE=1 ./recon_automation.sh example.com
BRUTE=1 BRUTE_BIG=1 ./recon_automation.sh example.com
```

- `BRUTE=1`: enable DNS brute-force (requires `dnsx`)
- `BRUTE_BIG=1`: use the larger subdomain wordlist

Deeper crawling:

```bash
EXTEND=1 ./recon_automation.sh example.com
```

Enables deeper crawling options in katana.
Enable:

```bash
NUCLEI=1 ./recon_automation.sh example.com
```

Advanced usage:

```bash
NUCLEI=1 NUC_RATE=80 NUC_CONC=50 ./recon_automation.sh example.com
NUCLEI=1 NUC_SEV=critical,high,medium ./recon_automation.sh example.com
NUCLEI=1 NUC_TPL=nuclei-templates ./recon_automation.sh example.com
NUCLEI=1 NUC_TAGS=cve,misconfig ./recon_automation.sh example.com
```

Variables:

- `NUC_TPL` – templates path (default: `nuclei-templates`)
- `NUC_SEV` – severities (default: `critical,high,medium`)
- `NUC_RATE` – rate limit (default: `50`)
- `NUC_CONC` – concurrency (default: `25`)
- `NUC_TAGS` – include tags (optional)
- `NUC_EXCLUDE_TAGS` – excluded tags (default: `dos,fuzz`)
Only applicable if your script includes the gowitness stage.

```bash
GOWITNESS=1 ./recon_automation.sh example.com
```

Common tunables:

```bash
GOWITNESS=1 GW_FORMAT=png GW_FULLPAGE=1 GW_DELAY=5 GW_TIMEOUT=30 GW_THREADS=6 ./recon_automation.sh example.com
```

- `GW_FORMAT` – `png` or `jpeg` (default: `png`)
- `GW_FULLPAGE` – full page screenshots (default: `1`)
- `GW_DELAY` – seconds to wait before the screenshot (SPA/JS-heavy sites) (default: `5`)
- `GW_TIMEOUT` – timeout in seconds (default: `30`)
- `GW_THREADS` – concurrency (default: `6`)
Output directory layout:

```text
recon_target/
├── DNS_Recon/
├── enumeration/
├── tech/
├── urls/
├── js/
├── vuln/
├── attack_surface/
├── logs/
└── tmp/
```

Attack surface dataset:

```text
attack_surface/
├── hosts.txt
├── ips.txt
├── ports.txt
├── vhosts.txt
├── urls.txt
├── paths.txt
├── params.txt
├── api.txt
└── summary.md
```

If gowitness is enabled:

```text
attack_surface/screenshots_gowitness/
├── screenshots/
├── gowitness.sqlite3
└── gowitness.jsonl
```
DNS recon (`DNS_Recon/`):

- Passive subdomain enumeration (`subfinder`)
- Optional DNS brute-force (`dnsx`)
- DNS resolution (`dnsx`)
- Live probing on common web ports (`httpx`)
- Host normalization (`hosts.txt`)
- Reverse PTR lookup (best-effort)
- ASN discovery (`amass` or `whois`)
- IP range aggregation (`ips.txt`)
Tech fingerprinting (`tech/`):

- Tech fingerprinting on top live URLs (`whatweb`)
Enumeration (`enumeration/`):

- Port scanning using `nmap --top-ports`
- Open port extraction (`host:port`)
- Virtual host discovery via Host header fuzzing (`ffuf`)
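The two normalization steps above (live URLs → `hosts.txt`, nmap output → `host:port` lines for `ports.txt`) are where most recon datasets get dirty: mixed-case hosts, ports and paths left on URLs, and closed ports copied through. The following is an added example, not code from `recon_automation.sh`, written as stand-alone shell functions. It assumes the inputs are `httpx -silent` URL lines and nmap grepable output (`-oG`); both samples are constructed, not real scan data.

```shell
#!/usr/bin/env bash
# Added example, not code from recon_automation.sh: the "host normalization" and
# "open port extraction (host:port)" pipeline steps as stand-alone functions.
# Assumed inputs: httpx -silent URL lines and nmap grepable (-oG) output.
set -eu

# Constructed httpx output: mixed case, explicit ports, paths and one IPv6 literal.
HTTPX_SAMPLE='https://app.example.com:8443/login
http://app.example.com
https://API.example.com/
http://www.example.com:8080/admin/
https://www.example.com
http://[2001:db8::1]:8000/'

# stdin: URLs (one per line); stdout: unique lower-cased bare hosts -> hosts.txt
normalize_hosts() {
  sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#/.*$##; s#:[0-9]+$##; s#^\[##; s#\]$##' \
    | tr 'A-Z' 'a-z' \
    | awk 'NF' \
    | LC_ALL=C sort -u
}

# Constructed nmap -oG output: a host with open and closed ports, a status-only
# line without a "Ports:" section, and the trailer comment nmap appends.
sample_nmap_grepable() {
  printf 'Host: 93.184.216.34 (www.example.com)\tStatus: Up\n'
  printf 'Host: 93.184.216.34 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (1997)\n'
  printf 'Host: 93.184.216.35 ()\tPorts: 22/open/tcp//ssh///\n'
  printf '# Nmap done at (constructed) -- 2 IP addresses (2 hosts up) scanned\n'
}

# stdin: nmap -oG output; stdout: ip:port for every port in state "open" -> ports.txt
# The IP (not the reverse name) is used so the result lines up with ips.txt.
open_ports() {
  awk '
    /^Host: / && /Ports: / {
      ip = $2                                   # "Host: <ip> (<name>)"
      sub(/.*Ports: /, "")                      # keep only the port list
      sub(/[ \t]*Ignored State:.*/, "")         # drop the trailer
      n = split($0, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")               # port/state/proto/owner/service/rpc/version
        if (f[2] == "open") print ip ":" f[1]
      }
    }' | LC_ALL=C sort -u
}

echo "# hosts.txt"
printf '%s\n' "$HTTPX_SAMPLE" | normalize_hosts
echo "# ports.txt"
sample_nmap_grepable | open_ports
```

In the real pipeline the two functions would read `urls/live_urls.txt` and the nmap `-oG` file from `enumeration/` and write into `attack_surface/`; stripping the port before deduplication is what keeps `hosts.txt` to one line per host even when `httpx` found the same host on several ports.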
URL and content discovery (`urls/`, `js/`):

- Archived URLs (`waybackurls` or `gau`)
- Crawling (`katana`)
- Path enumeration (`ffuf`)
- Parameter discovery (URL parsing + optional `arjun`)
- JavaScript parameter hints
- API endpoint heuristics
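The URL-parsing half of parameter discovery and the API endpoint heuristics are both plain text processing over the merged URL list. The block below is an added example, not code from `recon_automation.sh`: it shows one way to derive `params.txt` and `api.txt` from a URL list. The URL sample is constructed, and the API-looking patterns (`api.` host prefix, `/api`, `/rest`, `/graphql`, `/swagger`, `/openapi`, versioned `/vN/` segments, `.json` files) are an assumed heuristic, not the script's exact rule set.

```shell
#!/usr/bin/env bash
# Added example, not code from recon_automation.sh: URL-parsing parameter
# discovery (params.txt) and API endpoint heuristics (api.txt) over a merged
# URL list such as the wayback/katana/ffuf output. Sample data is constructed.
set -eu

# Constructed URL list (what urls.txt might contain after merging sources).
URL_SAMPLE='https://www.example.com/search?q=test&page=2
https://www.example.com/search?q=other&sort=asc#results
https://api.example.com/v1/users/42?include=profile
https://www.example.com/api/v2/orders
https://www.example.com/graphql
https://www.example.com/static/app.js
https://www.example.com/rest/items.json?id=7
https://www.example.com/openapi.json
https://www.example.com/login?next=%2Faccount&q='

# stdin: URLs; stdout: unique query-parameter names -> params.txt
extract_params() {
  awk -F'?' 'NF > 1 {
      q = $2
      sub(/#.*/, "", q)                         # drop any fragment
      n = split(q, kv, "&")
      for (i = 1; i <= n; i++) {
        split(kv[i], p, "=")                    # name[=value]; empty values still count
        if (p[1] != "") print p[1]
      }
    }' | LC_ALL=C sort -u
}

# stdin: URLs; stdout: unique URLs (query and fragment stripped) whose host or
# path looks API-like according to the assumed patterns -> api.txt
api_candidates() {
  sed -E 's/[?#].*$//' \
    | { grep -Ei '^[a-z]+://api[.-]|/(api|rest|graphql|swagger|openapi)([/.]|$)|/v[0-9]+/|\.json$' || true; } \
    | LC_ALL=C sort -u
}

echo "# params.txt"
printf '%s\n' "$URL_SAMPLE" | extract_params
echo "# api.txt"
printf '%s\n' "$URL_SAMPLE" | api_candidates
```

Stripping the query string before deduplicating `api.txt` matters: archived sources return the same endpoint with hundreds of parameter combinations, and the scanner input should carry each endpoint once. The `|| true` after `grep` keeps the stage from aborting under `set -e` when a target has no API-looking URLs at all.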
Vulnerability scan (`vuln/`), if enabled:

- Updates templates (best-effort)
- Runs Nuclei against live URLs
- Outputs JSONL + readable text/summary
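The nuclei stage is driven entirely by the `NUC_*` variables, and its JSONL output has to be reduced to a readable summary. The block below is an added example, not the project's code: it builds the nuclei argument list from those variables with the documented defaults, and converts nuclei JSONL into a severity-ranked summary. The JSONL sample is constructed in nuclei's output shape; the `sed` extraction assumes the `template-id`, `info.severity` and `matched-at` keys appear in that order on each line, which is how nuclei emits them, but a `jq` one-liner (the script already requires `jq`) is the robust choice for real output.

```shell
#!/usr/bin/env bash
# Added example, not code from recon_automation.sh: nuclei argument list built
# from the NUC_* variables, plus a JSONL -> readable summary reducer.
set -eu

# $1: file with live URLs. Echoes one argument per line so the caller can read
# them into an array without word-splitting surprises.
nuclei_args() {
  local tpl="${NUC_TPL:-nuclei-templates}"
  local sev="${NUC_SEV:-critical,high,medium}"
  local rate="${NUC_RATE:-50}"
  local conc="${NUC_CONC:-25}"
  local etags="${NUC_EXCLUDE_TAGS:-dos,fuzz}"
  printf '%s\n' -l "$1" -t "$tpl" -severity "$sev" -rate-limit "$rate" \
                 -c "$conc" -exclude-tags "$etags" -jsonl -silent
  [ -n "${NUC_TAGS:-}" ] && printf '%s\n' -tags "$NUC_TAGS"
  return 0
}

# Constructed JSONL in nuclei's output shape (not real scan results).
sample_nuclei_jsonl() {
  printf '%s\n' \
    '{"template-id":"http-missing-security-headers","info":{"name":"HTTP Missing Security Headers","severity":"info"},"type":"http","host":"https://www.example.com","matched-at":"https://www.example.com"}' \
    '{"template-id":"demo-exposed-config","info":{"name":"Demo exposed config (constructed)","severity":"high"},"type":"http","host":"https://app.example.com","matched-at":"https://app.example.com/.env"}' \
    '{"template-id":"demo-default-creds","info":{"name":"Demo default credentials (constructed)","severity":"critical"},"type":"http","host":"https://app.example.com","matched-at":"https://app.example.com/admin"}'
}

# stdin: nuclei JSONL; stdout: "SEVERITY<TAB>template-id<TAB>matched-at", most severe first.
nuclei_summary() {
  sed -nE 's/.*"template-id":"([^"]*)".*"severity":"([^"]*)".*"matched-at":"([^"]*)".*/\2 \1 \3/p' \
    | awk '{
        r["critical"] = 0; r["high"] = 1; r["medium"] = 2; r["low"] = 3; r["info"] = 4
        k = ($1 in r) ? r[$1] : 5             # unknown severities sort last
        print k "\t" toupper($1) "\t" $2 "\t" $3
      }' \
    | LC_ALL=C sort -k1,1n -k3,3 \
    | cut -f2-
}

echo "# nuclei arguments"
nuclei_args live_urls.txt
# Real invocation in the pipeline (not run here):
#   mapfile -t args < <(nuclei_args "$OUT/urls/live_urls.txt")
#   nuclei "${args[@]}" -o "$OUT/vuln/nuclei.jsonl"
echo "# summary"
sample_nuclei_jsonl | nuclei_summary
```

With `jq` the same extraction is `jq -r '[.info.severity, ."template-id", ."matched-at"] | @tsv'`, which does not depend on key order. Keeping `dos,fuzz` in the excluded tags by default is what keeps this stage within the "no exploitation" scope of the script; override `NUC_EXCLUDE_TAGS` only when the rules of engagement allow it.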
Required tools:

- `subfinder`
- `httpx`
- `nmap`
- `ffuf`

SecLists under:

`/usr/share/seclists`

Install:

```bash
sudo apt install -y seclists
```

Optional tools (used when installed or when the corresponding stage is enabled):

- `dnsx`
- `waybackurls` / `gau`
- `katana`
- `arjun`
- `whatweb`
- `jq`
- `amass`
- `whois`
- `dig`
- `nuclei`
- `gowitness` (if enabled)
Wordlist paths are relative to `/usr/share/seclists`:

| Purpose | Wordlist |
|---|---|
| Subdomain enum | Discovery/DNS/subdomains-top1million-20000.txt |
| Subdomain brute (big) | Discovery/DNS/subdomains-top1million-110000.txt |
| VHost fuzz | Discovery/DNS/deepmagic.com-prefixes-top500.txt |
| Directory brute | Discovery/Web-Content/directory-list-2.3-medium.txt |
| Common paths | Discovery/Web-Content/common.txt |
- Use only on targets you own or have explicit authorization to test.
- Enable `BRUTE`, `EXTEND`, `NUCLEI` and `GOWITNESS` only when permitted: these stages send noticeably more traffic to the target than the passive discovery steps.
- The script prioritizes signal quality and reusable datasets over aggressive scanning.
This project is intended for educational and authorized security testing only. You are responsible for complying with applicable laws and rules of engagement.
