README
ΒΆ
βββββββ ββββββββ βββββββ βββββββ ββββ βββ βββββββββ βββββββ βββββββ βββ
ββββββββββββββββββββββββββββββββββββββ βββ ββββββββββββββββββββββββββββββ
ββββββββββββββ βββ βββ βββββββββ βββ βββ βββ ββββββ ββββββ
ββββββββββββββ βββ βββ βββββββββββββ βββ βββ ββββββ ββββββ
βββ βββββββββββββββββββββββββββββββ ββββββ βββ ββββββββββββββββββββββββββ
βββ βββββββββββ βββββββ βββββββ βββ βββββ βββ βββββββ βββββββ ββββββββ
A unified, terminal-based recon tool for bug bounty hunters and pentesters.
Combines subfinder Β· httpx Β· chaos Β· uncover Β· Wayback CDX into one powerful CLI.
β‘ Installation
One-line Install (recommended)
go install -v github.com/hackthacker/recontool@latest
Requires Go 1.21+. After install, the
recontoolbinary is available in$GOPATH/bin(or~/go/bin).
From Source
git clone https://github.com/hackthacker/recontool
cd recontool
go build -o recontool .
./recontool -h
π Quick Start
# Full automated recon pipeline (everything at once)
recontool -d example.com
# With chaos (projectdiscovery cloud key)
recontool scan -d example.com -key YOUR_PDCP_KEY
# With uncover OSINT search
recontool scan -d example.com -key PDCP_KEY -uq "ssl:example.com" -ue shodan,censys
π Commands
recontool [command] [flags]
COMMANDS:
scan Full automated recon pipeline
subfinder Run subfinder subdomain enumeration
httpx Run httpx HTTP probing
chaos Run chaos subdomain search
uncover Run uncover OSINT search
GLOBAL:
-v, --version Show version info
-h, --help Show help
-u, --update Check for updates on GitHub
π Full Pipeline β recontool scan
Runs 5 tools in sequence, saves all output inside a <domain>/ folder:
recontool scan -d example.com
Pipeline Steps
| Step | Tool | Output File |
|---|---|---|
| 1 | Wayback CDX (4 queries) | wayback_main.txt, wayback_wildcard.txt, wayback_specific.txt, wayback_sensitive.txt |
| 2 | subfinder | subfinder.txt |
| 3 | chaos (optional, needs -key) |
chaos.txt |
| 4 | httpx (all status codes) | httpx.txt, 1xx.txt, 2xx.txt, 3xx.txt, 4xx.txt, 5xx.txt |
| 5 | uncover (optional, needs -uq) |
uncover.txt |
Scan Flags
-d string target domain (required)
-key string ProjectDiscovery Cloud API key (or set PDCP_API_KEY env)
-uq string uncover search query (e.g. 'ssl:example.com')
-ue string uncover engine(s) (default: shodan)
-ul int uncover result limit (default: 100)
-sf-all use ALL subfinder sources (slow but thorough)
-sf-timeout int subfinder timeout in seconds (default: 30)
-sf-threads int subfinder goroutines (default: 10)
-hx-threads int httpx threads (default: 50)
-hx-timeout int httpx timeout (default: 10)
-hx-title show page titles in httpx results
-hx-td show technologies (wappalyzer)
-silent suppress progress logs
-o string custom output folder name
π subfinder
Full subfinder subdomain enumeration with all flags:
recontool subfinder -d example.com
recontool subfinder -d example.com -all -silent -o subs.txt
recontool subfinder -dL domains.txt -s shodan,crtsh -json
recontool subfinder -h # show all flags
| Flag | Description |
|---|---|
-d |
Domain(s) to enumerate (comma-separated) |
-dL |
File containing list of domains |
-s |
Specific sources (-s crtsh,github,shodan) |
-all |
Use all available sources (slow) |
-recursive |
Use only recursive sources |
-es |
Exclude sources |
-o |
Output file |
-oJ |
JSONL output |
-silent |
Only print subdomains |
-rl |
Rate limit (requests/sec) |
-t |
Threads (default: 10) |
-timeout |
Timeout in seconds |
-proxy |
HTTP proxy |
-config |
Config file path |
-pc |
Provider config file |
π httpx
Full HTTP probing with all flags + status-family splitting:
recontool httpx -l subfinder.txt -sc -title
recontool httpx -l hosts.txt -mc 200 -o live.txt -save-filtered
recontool httpx -u example.com -sc -json -o results.json
recontool httpx -h # show all flags
| Flag | Description |
|---|---|
-l |
Input file of hosts |
-u |
Target host(s) to probe |
-sc |
Show status code |
-title |
Show page title |
-server |
Show server name |
-td |
Show technologies (wappalyzer) |
-ct |
Show content-type |
-rt |
Show response time |
-ip |
Show host IP |
-cdn |
Show CDN/WAF |
-mc |
Match status codes (-mc 200,301) |
-fc |
Filter status codes (-fc 404,403) |
-ms |
Match response string |
-fs |
Filter response string |
-j |
JSONL output |
-o |
Output file |
-save-filtered |
Save 1xx/2xx/3xx/4xx/5xx.txt files |
-t |
Threads (default: 50) |
-timeout |
Timeout (default: 10s) |
-proxy |
HTTP/SOCKS proxy |
-fr |
Follow redirects |
π₯ chaos
ProjectDiscovery Cloud subdomain dataset:
recontool chaos -d example.com -key YOUR_PDCP_KEY
recontool chaos -dL domains.txt -key PDCP_KEY -o subs.txt
recontool chaos -d example.com -key PDCP_KEY -count
recontool chaos -h # show all flags
| Flag | Description |
|---|---|
-key |
PDCP API key (or set PDCP_API_KEY env) |
-d |
Domain to search |
-dL |
File of domains |
-count |
Show subdomain count only |
-json |
JSONL output |
-o |
Output file |
-silent |
Only print results |
Get your free API key at cloud.projectdiscovery.io
π uncover
OSINT search across 15+ engines (Shodan, Censys, Fofa, etc.):
recontool uncover -q "org:example.com" -e shodan,censys,fofa
recontool uncover -shodan "ssl:example.com" -j -o results.json
recontool uncover -fofa "domain=example.com" -l 500
recontool uncover -h # show all flags
| Flag | Description |
|---|---|
-q |
Search query |
-e |
Engine(s): shodan,fofa,censys,quake,hunter,zoomeye,netlas,criminalip,publicwww,hunterhow,google,onyphe,driftnet,daydaymap |
-asq |
Awesome search queries (e.g. jira) |
-s |
Query for shodan |
-ff |
Query for fofa |
-cs |
Query for censys |
-l |
Limit results (default: 100) |
-j |
JSONL output |
-f |
Field: ip,port,host (default: ip:port) |
-o |
Output file |
-proxy |
HTTP proxy |
Configure engine API keys in:
~/.config/uncover/provider-config.yaml
π°οΈ Wayback CDX
Automatically queries 4 Wayback Machine CDX endpoints per domain:
| File | Query |
|---|---|
wayback_main.txt |
url=www.domain/* β all archived URLs |
wayback_wildcard.txt |
url=*.www.domain/* β wildcard subdomains |
wayback_specific.txt |
url=https://www.domain/en/* β specific path |
wayback_sensitive.txt |
Filtered: xls,xml,pdf,sql,zip,env,key,pem,config,bak,log... |
π Output Structure
Running recontool -d example.com creates:
example.com/
βββ subfinder.txt β all discovered subdomains
βββ chaos.txt β chaos subdomains (if -key given)
βββ httpx.txt β ALL HTTP probe results
βββ 1xx.txt β informational (100β199)
βββ 2xx.txt β success (200β299)
βββ 3xx.txt β redirects (300β399)
βββ 4xx.txt β client errors (400β499)
βββ 5xx.txt β server errors (500β599)
βββ wayback_main.txt
βββ wayback_wildcard.txt
βββ wayback_specific.txt
βββ wayback_sensitive.txt
βββ uncover.txt β OSINT results (if -uq given)
π οΈ Requirements
- Go 1.21+
- Optional: PDCP API key for
chaos - Optional: Engine API keys in
~/.config/uncover/provider-config.yamlforuncover
π¦ Powered By
| Package | Purpose |
|---|---|
| projectdiscovery/subfinder | Subdomain enumeration |
| projectdiscovery/httpx | HTTP probing |
| projectdiscovery/chaos-client | Chaos DB subdomains |
| projectdiscovery/uncover | OSINT engine search |
| Wayback CDX API | Historical URL discovery |
π License
MIT License β see LICENSE
Documentation
ΒΆ
There is no documentation for this package.