Recon Pi

__________                          __________.__ 
\______   \ ____   ____  ____   ____\______   \__|
 |       _// __ \_/ ___\/  _ \ /    \|     ___/  |
 |    |   \  ___/\  \__(  <_> )   |  \    |   |  |
 |____|_  /\___  >\___  >____/|___|  /____|   |__|
        \/     \/     \/           \/             
                            v2.1

Original Author: @x1m_martijn

ReconPi - A lightweight recon tool that performs extensive reconnaissance with the latest tools using a Raspberry Pi.

Start using that Raspberry Pi -- I know you all have one laying around somewhere ;)

Version 2.1 is now also usable on your VPS, thanks to Sachin Grover for putting in a lot of work.

The latest HypriotOS image works perfect!

Easy installation

Connect to your ReconPi or VPS with SSH:

ssh pirate@192.168.2.16 [Edit IP address if needed]

Curl the install.sh script and run it: curl -L https://raw.githubusercontent.com/x1mdev/ReconPi/master/install.sh | bash

Manual installation

Connect to your ReconPi with SSH:

$ ssh pirate@192.168.2.16 [Edit IP address if needed]

Now we can set up everything, it's quite simple:

git clone https://github.com/x1mdev/ReconPi.git
cd ReconPi
./install.sh

Grab a cup of coffee since this will take a while.

Usage

After installing all of the dependencies for the ReconPi you can finally start doing some recon!

$ recon <domain.tld>

recon.sh will first gather resolvers for the given target, followed by subdomain enumeration and checking those assets for potential subdomain takeover. When this is done the IP addresses of the target are enumerated. Open ports will be discovered accompanied by a service scan provided by Nmap.

Finally the live targets will be screenshotted and evaluated to discover endpoints.

Results will be stored on the Recon Pi and can be viewed by running `python -m SimpleHTTPServer 1337" in your results directory. Your results will be accessible from any system with a browser that exists in the same network.

Make sure to add your SLACK token to the tokens.txt file if you want to get slack notification after the completion of recon process.

Sample Token.txt ($HOME/ReconPi/configs/tokens.txt)

github_subdomains_token=""

slack_url=""

findomain_spyse_token=""

findomain_virustotal_token=""

findomain_securitytrails_token=""

CHAOS_KEY=""

Config Files

** Input your API keys in these files to get better results **

Subfinder Config file path : $HOME/ReconPi/configs/config.yaml Amass Config file path : $HOME/ReconPi/configs/config.ini

Tools

Tools that will be installed:

Methodology

gatherResolvers
gatherSubdomains
checkTakeovers
getCNAME
gatherIPs
gatherScreenshots
startMeg
fetchArchive
fetchEndpoints
runNuclei
checkShodan
portScan
notifySlack

Subdomain Enumeration:

Sublert
Subfinder
assetfinder
amass
findomain (Add findomain sources token to get better result)
chaos dataset
github-subdomains
dns.bufferover.run
Mutate above Subdomains using commonspeak subdomain list
Combine and Sort above result -> Use shuffledns to resolve -> dnsgen(to mutate) -> httprobe (to get alive hosts)
Check takeover using subjack and nuclei
Get CNAME to check manually for takeovers
Use dnsprobe to gather IP, ignore if they fall in cloudflare ip range
Do masscan and then nmap scan on them, also use http-title and vulners script.
Take Screenshot for visual recon
Use gau to to get archive urls, get paramlist, jsurls, phpurls, aspxurls, and jspurls in there own files.
Get Endpoints using Linkfinder
Run Nuclei Scripts on alive hosts
Check IPs for vulnerability on Shodan
Notify on Slack channel if token is specified.
Directory Buteforcing (Not enabled, as it takes long time, it is better to do manually)

More tools will be added in the future, feel free to make a pull request!

Contributors

Sachin Grover (Twitter: @mavericknerd)
Damian Ebelties

About

ReconPi - A lightweight recon tool that performs extensive scanning with the latest tools.

https://x1m.nl/posts/recon-pi/

MIT License

Languages

Language:Shell 100.0%