Professional Reconnaissance Framework for Kali Linux
ReconMaster is the most advanced, beautiful, and intelligent reconnaissance framework ever created for bug bounty hunters and penetration testers. It combines multiple industry-leading security tools into a single, cohesive interface with stunning visual design and intelligent automation.
- 🎨 Beautiful Interface - Professional ASCII art and color-coded output
- 🤖 Intelligent Automation - Smart workflow suggestions and automated sequences
- 🔧 Multi-Tool Integration - Seamlessly combines 12+ reconnaissance tools
- 📊 Comprehensive Reporting - Detailed summaries with actionable insights
- 🛡️ Smart Error Handling - Graceful fallbacks and helpful guidance
- ⚡ Performance Optimized - Parallel processing and intelligent timeouts
- 🎯 Beginner-Friendly - Clear menus and helpful hints throughout
- 🔍 JS Endpoint Extraction (LinkFinder + custom JS parser + secret finder)
- 🧩 Parameter Discovery (ParamSpider + Arjun merging engine)
- 🗂️ Advanced Directory Fuzzing (FFUF with recursion + smart extensions)
- 🛰️ API Fuzzing (Kiterunner with automatic wordlist selection)
- 📸 Screenshot Capture (Gowitness automation)
- 🔬 Tech Stack Fingerprinting (WhatWeb JSON output)
- 💣 SQLi Auto-Exploitation (SQLMap batch scanning)
- ⚠️ Subdomain Takeover Check (Subzy + CNAME fallback engine)
- 🌐 Deep URL Enumeration (Hakrawler deep crawl)
- 🧠 Deep Recon Mode (11-step chained modules)
Deep Recon Mode executes 11 modules automatically, including:
- URL Collection
- Advanced URL Enum
- JS Endpoint Extraction
- Parameter Discovery
- Directory Fuzzing
- API Fuzzing
- Subdomain Takeover Check
- GF Filters
- Tech Scan
- SQLMap Scan
- DNS Bruteforce
- Screenshot Capture
Run it with:
```bash
sudo reconmaster
# Select: D
```
```bash
# Download and run installation script
git clone https://github.com/shlokkokk/ReconMaster
cd ReconMaster
sudo chmod +x install.sh
sudo ./install.sh
```

```bash
# Start ReconMaster
sudo reconmaster
```

Quick workflow:
1. Select option 'C' to set domain
2. Enter your target (e.g., example.com)
3. Select option '9' for full automated recon
4. Review results in `output-domain.com/`

| Option | Module | Description | Tools Used |
|---|---|---|---|
| 1 | Subdomain Enumeration | Discover subdomains using multiple sources | Subfinder, Amass, Assetfinder |
| 2 | DNS Resolution | Resolve DNS records for subdomains | DNSx |
| 3 | Alive Hosts Check | Identify live web servers | HTTPx |
| 4 | Fast Port Scan | Quick port discovery | Naabu (fallback to Nmap) |
| 5 | Full Port Scan | Comprehensive service detection | Nmap |
| 6 | URL Collection | Gather endpoints from multiple sources | Katana, Gau, Waybackurls |
| 7 | WAF Detection | Identify Web Application Firewalls | Wafw00f |
| 8 | Vulnerability Scan | Automated vulnerability assessment | Nuclei |

| Option | Function | Description |
|---|---|---|
| 9 | Full Automated Recon | Complete reconnaissance sequence with progress tracking |
| C | Change Domain | Switch to a different target domain |
| I | Initialize Tools | Check and install required tools |
| H | Help System | Comprehensive help and usage guide |
| Q | Quit | Exit ReconMaster |

| Option | Module | Description | Tools Used |
|---|---|---|---|
| 10 | Parameter Discovery | Find hidden GET/POST parameters | ParamSpider, Arjun |
| 11 | JS Endpoint Extraction | Extract JS endpoints + secrets | LinkFinder, custom parser |
| 12 | Directory Fuzzing | Recursive fuzzing with smart extensions | FFUF |
| 13 | API Fuzzing | Bruteforce API endpoints | Kiterunner (kr) |
| 14 | Subdomain Takeover Check | Detect takeover risks using CNAME + Subzy | Subzy, dig |
| 15 | Advanced URL Enumeration | Deep crawling beyond base URL | Hakrawler |
| 16 | Screenshot Capture | Take screenshots of alive hosts | Gowitness |
| 17 | DNS Bruteforce | High-speed subdomain bruteforce | MassDNS |
| 18 | GF Filters | Extract XSS/SQLi/LFI/SSRF/etc. patterns | gf |
| 19 | Technology Scan | Fingerprint tech stack details | WhatWeb |
| 20 | SQL Injection Scan | Auto SQLMap exploitation | SQLMap |
| D | Deep Recon Mode | Runs 11 advanced modules back-to-back | ALL tools |

ReconMaster intelligently integrates industry-standard tools:
- Subdomain Discovery: Subfinder, Amass, Assetfinder
- DNS Resolution: DNSx with comprehensive record types
- HTTP Probing: HTTPx with multiple port support
- Port Scanning: Naabu for speed, Nmap for detailed analysis
- URL Discovery: Katana crawler, Gau, Waybackurls
- WAF Detection: Wafw00f with detailed fingerprinting
- Vulnerability Scanning: Nuclei with customizable templates
```
output-example.com/
├── subdomains.txt
├── dns_resolved.txt
├── alive.txt
├── ports_fast.txt
├── ports_full.txt
├── urls.txt
├── urls_final.txt
│
├── js_endpoints/
│ ├── js_raw_urls.txt
│ ├── js_files/
│ ├── endpoints_raw.txt
│ ├── endpoints.txt
│ └── secrets.txt
│
├── parameters/
│ ├── paramspider_raw.txt
│ ├── arjun_raw.txt
│ └── parameters_final.txt
│
├── fuzzing/
│ └── <host>/ffuf_results.txt
│
├── api_fuzzing/
│ └── <host>_kr_results.txt
│
├── takeover/
│ ├── subzy_results.txt
│ └── cname_fallback.txt
│
├── advanced_urls/
│ └── advanced_urls.txt
│
├── dns_bruteforce/
│ ├── massdns_input.txt
│ ├── massdns_raw.txt
│ └── bruteforced_subdomains.txt
│
├── screenshots/
│ └── *.png
│
├── gf/
│ ├── xss.txt
│ ├── sqli.txt
│ ├── lfi.txt
│ ├── ssrf.txt
│ ├── redirect.txt
│ └── rce.txt
│
├── sqlmap/
│ └── *.txt
│
├── tech_scan/
│ └── whatweb_results.json
│
└── summary.txt
```
```
# Start ReconMaster
sudo reconmaster
# Set target domain
[+] Enter target domain (e.g., example.com): hackerone.com
# Run subdomain enumeration
[*] Starting Subdomain Enumeration...
[✔] Found 247 unique subdomains
# Check alive hosts
[*] Checking Alive Hosts...
[✔] Found 89 alive hosts
# Run vulnerability scan
[*] Starting Vulnerability Scan...
[✔] Found 23 vulnerabilities (Critical: 2, High: 8)
```

```
# Run complete reconnaissance
[*] Starting FULL AUTOMATED RECON...
Phase 1: Subdomain Enumeration ✔
Phase 2: DNS Resolution ✔
Phase 3: Alive Hosts Check ✔
Phase 4: Port Scanning ✔
Phase 5: URL Collection ✔
Phase 6: WAF Detection ✔
Phase 7: Vulnerability Scanning ✔
[✔] Recon completed in 847 seconds
[✔] Results saved to: output-hackerone.com/
```

- Subfinder - Subdomain discovery
- Amass - Passive enumeration
- Assetfinder - Alternative subdomain finder
- DNSx - DNS resolution
- HTTPx - HTTP probing
- Naabu - Fast port scanner
- Nmap - Network mapper
- Katana - Web crawler
- Gau - Get All URLs
- Waybackurls - Archive URLs
- Wafw00f - WAF detection
- Nuclei - Vulnerability scanner
- ParamSpider – Parameter discovery
- Arjun – Hidden parameter discovery
- LinkFinder – JS endpoint extraction
- FFUF – Directory fuzzing
- Kiterunner (kr) – API fuzzing
- Gowitness – Web screenshots
- WhatWeb – Tech fingerprinting
- SQLMap – SQL injection detection
- Subzy – Subdomain takeover detection
- Hakrawler – Deep crawling
- MassDNS – DNS bruteforce
If any tools are missing, ReconMaster provides exact installation commands:
```bash
# Go tools
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
# APT packages
sudo apt install naabu nuclei amass
```

- Cyan - Headers and primary information
- Green - Success states and positive results
- Red - Errors and critical findings
- Yellow - Warnings and pending actions
- Blue - Information and progress indicators
- Magenta - Special highlights
- White - Standard text and results
- ✔ Checkmarks - Completed operations
- ✘ Crosses - Failed or missing items
- → Arrows - Navigation and suggestions
- • Bullets - Lists and enumerations
- [!] Alerts - Important information
- [?] Questions - User prompts
- [*] Progress - Ongoing operations
After each operation, ReconMaster suggests logical next steps:
```
[*] Recommended Next Steps:
→ DNS Resolution (Option 2)
→ Alive Check (Option 3)
→ Full Recon (Option 9)
```
- Missing Tools - Automatic detection with install guidance
- Empty Results - Graceful handling with helpful messages
- Network Issues - Timeout management and retry logic
- Permission Errors - Clear guidance on required privileges
- Real-time Updates - Live progress indicators
- Time Estimates - Expected completion times
- Phase Completion - Clear milestone tracking
```
RECONMASTER SUMMARY REPORT
========================================================================
Target Domain: hackerone.com
Scan Date: 2025-11-29 14:32:18
Total Duration: 847 seconds
Output Directory: output-hackerone.com/
------------------------------------------------------------------------
DISCOVERY RESULTS
------------------------------------------------------------------------
Subdomains Discovered: 247
• File: output-hackerone.com/subdomains.txt
DNS Records Resolved: 189
• File: output-hackerone.com/dns_resolved.txt
Alive Hosts Found: 89
• File: output-hackerone.com/alive.txt
Open Ports (Fast Scan): 156
• File: output-hackerone.com/ports_fast.txt
Service Details (Full Scan): 23
• File: output-hackerone.com/ports_full.txt
URLs Collected: 1,247
• File: output-hackerone.com/urls.txt
WAF Detection Results: 67/89 hosts protected
• File: output-hackerone.com/waf_summary.txt
Vulnerabilities Found: 23
• Critical: 2
• High: 8
• File: output-hackerone.com/nuclei_output.txt
```
- Legal Authorization - Only scan targets you own or have permission to test
- Rate Limiting - Built-in delays and timeouts to avoid overwhelming targets
- Data Protection - All results stored locally, no external transmission
- Privacy - No telemetry or analytics collection
- Target Validation - Verify domain ownership before scanning
- Gradual Approach - Start with passive enumeration
- Rate Control - Use appropriate timeouts for target infrastructure
- Documentation - Keep detailed records of authorized testing
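
A scope gate for the target-validation practice above, as an added example that is not part of ReconMaster: it filters a collected host list such as `alive.txt` against a written authorization scope before the list is handed to active modules or other tools. The scope-file syntax, the function name `scope_filter` and the sample hosts are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not ReconMaster code): keep only hosts covered by a written scope.
# Scope file syntax is this example's own assumption:
#   example.com      exact host          *.example.com   any subdomain
#   !host            exclusion; beats every allow rule and covers subdomains too
scope_filter() {   # usage: scope_filter SCOPE_FILE HOSTS_FILE
    # Fail closed: no scope file means nothing is authorized.
    [ -s "$1" ] || { echo "scope file missing or empty, refusing" >&2; return 1; }
    awk '
    function norm(h) {                   # URL or host[:port] -> bare lowercase host
        h = tolower(h)
        sub(/^[a-z][a-z0-9+.-]*:\/\//, "", h)
        sub(/\/.*$/, "", h); sub(/[?#].*$/, "", h)
        sub(/:[0-9]+$/, "", h); sub(/\.$/, "", h)
        return h
    }
    function under(h, d,   n) {          # suffix match on a label boundary only
        n = length(h) - length(d)
        return n > 1 && substr(h, n) == "." d
    }
    FNR == NR {                          # first file: scope rules
        sub(/#.*/, ""); gsub(/[ \t\r]/, "")
        if ($0 == "") next
        if (substr($0, 1, 1) == "!")       deny[norm(substr($0, 2))] = 1
        else if (substr($0, 1, 2) == "*.") wild[norm(substr($0, 3))] = 1
        else                               exact[norm($0)] = 1
        next
    }
    {                                    # second file: collected hosts or URLs
        h = norm($1); if (h == "") next
        for (d in deny) if (h == d || under(h, d)) next
        ok = (h in exact)
        for (d in wild) if (under(h, d)) ok = 1
        if (ok) print $0                 # original line, ready for the next tool
    }' "$1" "$2"
}

demo() {   # constructed sample data, shaped like a list of probed URLs
    tmp=$(mktemp -d)
    printf '%s\n' '# authorized scope' '*.example.com' 'example.com' \
        '!payments.example.com' > "$tmp/scope.txt"
    printf '%s\n' 'https://www.example.com' 'http://API.example.com:8080/v1' \
        'https://notexample.com' 'https://example.com.cdn.test' \
        'https://payments.example.com' 'https://eu.payments.example.com' \
        'example.com' > "$tmp/alive.txt"
    scope_filter "$tmp/scope.txt" "$tmp/alive.txt"
    rm -rf "$tmp"
}
demo
```

Look-alike names (`notexample.com`, `example.com.cdn.test`) and the excluded `payments` hosts are dropped because matching is done on whole DNS labels rather than with a plain substring `grep`.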
Ensure `kr` is symlinked: `ls /usr/local/bin/kr`
If missing, reinstall: `go install github.com/assetnote/kiterunner/cmd/kr@latest`

Ensure the LinkFinder path exists: `ls /opt/recontools/LinkFinder/linkfinder.py`

Verify the Subzy binary: `ls /usr/local/bin/subzy`
Q: ReconMaster won't start
```bash
# Check permissions
sudo chmod +x /usr/local/bin/reconmaster
# Verify Python installation
python3 --version
```
Q: Missing tools after installation
```bash
# Re-run tool initialization
sudo reconmaster
# Select option 'I' to check and install tools
```
Q: Scan results are empty
```bash
# Check network connectivity
ping 8.8.8.8
# Verify target is reachable
nslookup example.com
```
Q: Installation fails on non-Kali systems
```bash
# Manual installation for other distributions
# Install Go: https://golang.org/doc/install
# Install tools individually using go install commands
```
Create custom configuration files for tool optimization:
```bash
# Custom wordlists
mkdir -p ~/.config/reconmaster/
echo "custom.subdomains" > ~/.config/reconmaster/wordlists.txt
# Tool configurations
export DNSX_THREADS=100
export HTTPX_TIMEOUT=15
```

```bash
# Export results for other tools
cat output-domain.com/alive.txt | xargs -I {} nikto -h {}
# Use with Burp Suite (read -r keeps backslashes in URLs intact)
cat output-domain.com/urls.txt | while IFS= read -r url; do
    curl -x http://127.0.0.1:8080 "$url"
done
```

- RAM: 4GB minimum, 8GB recommended
- Storage: 2GB free space for tools and results
- Network: Stable internet connection for tool downloads
- CPU: Multi-core processor recommended for parallel operations
- Increase Timeouts - For slow networks or large targets
- Use Thread Control - Adjust based on system capabilities
- Selective Scanning - Focus on specific reconnaissance phases
- Result Filtering - Use grep and awk for result analysis
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
```bash
# Clone repository
git clone https://github.com/yourusername/reconmaster.git
cd reconmaster
# Install development dependencies
pip3 install -r requirements-dev.txt
# Run tests
python3 -m pytest tests/
```

ReconMaster v2 performs high-intensity active recon modules such as:
- FFUF fuzzing
- SQLMap exploitation
- MassDNS bruteforce
- Kiterunner API fuzzing
Use ONLY on targets you have permission to test.