Reconscan is a tool for:
- Subdomain domain discovery
- NMAP scan
- Nuclei scan
- HTTP enabled scan
- Screenshot scan
- Directory scan
- Web terminal console
I strongly recommend to run this tool using the docker image. If you want to run in local environment, you need to install subfinder, httpx, nuclei, nmap, EyeWitness in your local system.
git clone https://github.com/weev3/reconscan;cd reconscan
then
docker build -t reconscan .
or
docker pull kminthein/reconscan
docker run --name=reconscan -t -p 80:80 -d reconscan
If you cannot browse the reconscan then you can run
docker run --name=reconscan -t --network=host -d reconscan
docker exec -ti reconscan bash
This step is required due to some restrictions. I tried to run laravel job inside docker entrypoint but failed to find some files after running.
Run below command inside docker container. If you want to create mutiple thread, run below command multiple times in different sessions. You can use tmux ..etc.
php /home/reconscan/artisan queue:work --timeout=0
This tool is written with laravel so you need install laravel compatible packages like composer, php, mysql-server. Once you install them, you can run below command.
git clone https://github.com/weev3/reconscan;cd reconscan
You need to change your project directory in .env file. In below example, your projects will be save in /tmp/projects/ directory.
...
CONSOLE_USER_NAME =reconscan
CONSOLE_USER_PASSWORD =reconscan
PROJECT_DIR = /tmp/projects/
composer update && composer install
php artisan key:generate && php artisan cache:clear && php artisan migrate:fresh
php artisan serve
In another terminal run
php /home/reconscan/artisan queue:work --timeout=0
Once above steps are done, you can start browsing to http://127.0.0.1.
You must register your first account by visting http://127.0.0.1/register
Each project can have multiple domain and each domain can have multiple subdomains.
You can create your project by clicking Projects nav bar.
You can create domain by clicking view link for each project.
Once you created domain. You can scan all the subdomain avaiables by clicking scan button. Please note that all scan need to run php /home/reconscan/artisan queue:work --timeout=0
.
Reconscan will start finding subdomains and http enabled domains.
Currently 5 scan options availabe and these are
If you want to add your own directory list, you can add in resources/wordlists folder.
Things to add in future....
- Issue tracking
- Shodan scanning
- Secret discovery
- Code review using codeql
Feel free to use this tool and please submit PR if you found any issue.