
ReconX is a Linux-based, terminal-driven reconnaissance and vulnerability assessment framework for penetration testing and bug bounty hunting. It automates the full reconnaissance lifecycle.


adinathgorakhdubile/ReconX


🔍 ReconX

Unified Reconnaissance & Vulnerability Assessment Framework


Automated reconnaissance lifecycle for penetration testing and bug bounty hunting



🎯 Overview

ReconX is a Linux-based, terminal-driven reconnaissance and vulnerability assessment framework designed for penetration testers and bug bounty hunters. It automates the full reconnaissance lifecycle from passive information gathering to active vulnerability scanning.

Why ReconX?

✅ Modular Design - Six specialized modules for comprehensive reconnaissance
✅ API Optional - Works perfectly without API keys using 7+ free sources
✅ Flexible Intensity - 5 robustness levels from quick to aggressive
✅ Bug Bounty Safe - Dedicated mode with rate limiting and safe defaults
✅ Multi-Format Reports - Export to MD, HTML, JSON, CSV, or PDF
✅ Interactive & CLI - Menu-driven interface or command-line operation


✨ Features

┌─────────────────────────────────────────────────────────────┐
│                    ReconX Feature Stack                     │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  📡 Passive Recon     →  Subdomain enumeration (10+ tools) │
│  🌐 DNS Analysis      →  Zone transfers, DNSSEC, records   │
│  🔍 Active Scanning   →  Port scanning, service detection  │
│  🌍 Web Discovery     →  Directory fuzzing, tech detection │
│  🔍 Enumeration       →  CMS detection, WordPress/Joomla   │
│  🛡️  Vuln Assessment  →  Nuclei templates, CVE scanning    │
│  📊 Reporting         →  5 export formats with metrics     │
│                                                             │
└─────────────────────────────────────────────────────────────┘

Robustness Levels

| Level | Name | Description | Tools Used | Speed |
|-------|------|-------------|------------|-------|
| 1 | Quick | Fast basic scan | Subfinder, crt.sh | ⚡⚡⚡ |
| 2 | Light | Standard recon | +Assetfinder, APIs | ⚡⚡ |
| 3 | Normal | Balanced approach | +Amass, passive DNS | ⚡ |
| 4 | Thorough | Deep enumeration | +All sources, brute | 🐌 |
| 5 | Aggressive | Maximum depth | +Chaos, Censys, all | 🐌🐌 |

🏗️ Architecture

ReconX/
├── reconx.sh              # Main execution script
├── install.sh             # Installation script
├── config/
│   ├── reconx.conf        # Main settings (robustness, logging)
│   └── tools.conf         # API keys & tool configurations
├── modules/
│   ├── passive.sh         # Subdomain enumeration
│   ├── dns.sh             # DNS analysis
│   ├── active.sh          # Port & service scanning
│   ├── web.sh             # Web application discovery
│   ├── enum.sh            # CMS & technology detection
│   ├── vuln.sh            # Vulnerability assessment
│   └── report.sh          # Report generation
├── utils/
│   ├── colors.sh          # Terminal colors
│   ├── logger.sh          # Logging system
│   ├── api_validator.sh   # API key validation
│   └── config_wizard.sh   # Interactive configuration
├── wordlists/             # Custom wordlists
└── output/                # Scan results

📦 Installation

Automated Installation

# Clone the repository
git clone https://github.com/adinathgorakhdubile/ReconX.git
cd ReconX

# Run installer (requires sudo)
sudo chmod +x install.sh
sudo ./install.sh

# The installer will:
# ✓ Install system dependencies
# ✓ Install Go-based tools (subfinder, amass, httpx, etc.)
# ✓ Install Python tools (theHarvester, wpscan)
# ✓ Set up configuration files
# ✓ Create symlink for global access

Post-Installation

# Verify installation
reconx --version

# Run configuration wizard (optional)
reconx --config-wizard

# Validate API keys (if configured)
reconx --validate-keys

Manual Dependencies

If you prefer manual installation:

# System packages
sudo apt update
sudo apt install -y curl jq nmap masscan nuclei nikto sqlmap git golang-go python3 python3-pip

# Go tools
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/owasp-amass/amass/v4/...@master
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

# Python tools
pip3 install theHarvester wpscan

🔑 API Keys Configuration

Supported API Keys (All Optional)

ReconX works perfectly fine without any API keys using free sources. API keys simply enhance results.

| Service | Free Tier | Purpose | Get API Key |
|---------|-----------|---------|-------------|
| Shodan | 100 results/month | IP/port intelligence | shodan.io/account |
| VirusTotal | 4 req/min | Subdomain discovery | virustotal.com/gui/join-us |
| SecurityTrails | 50 req/month | Historical DNS data | securitytrails.com/app/signup |
| Censys | 250 queries/month | Certificate transparency | search.censys.io/register |
| Chaos | Free for PD | ProjectDiscovery dataset | chaos.projectdiscovery.io |
| WPScan | 25 req/day | WordPress vulnerabilities | wpscan.com/api |

Configuration Methods

Method 1: Interactive Wizard (Recommended)

# Launch configuration wizard
./reconx.sh --config-wizard

# Follow the prompts to enter API keys

Method 2: Manual Configuration

Edit config/tools.conf:

nano config/tools.conf

Add your API keys:

# API Keys
SHODAN_API_KEY="your_shodan_api_key_here"
VIRUSTOTAL_API_KEY="your_virustotal_api_key_here"
SECURITYTRAILS_API_KEY="your_securitytrails_api_key_here"
CENSYS_API_ID="your_censys_id_here"
CENSYS_API_SECRET="your_censys_secret_here"
CHAOS_API_KEY="your_chaos_api_key_here"
WPSCAN_API_TOKEN="your_wpscan_token_here"
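
A check for the file edited above, as an added example that is not part of ReconX: it reports which keys in config/tools.conf are set and whether the file is readable only by its owner, without sourcing the file or printing the values. The helper name audit_tools_conf and its output format are assumptions; the variable names and placeholders are the ones shown above.

```bash
#!/usr/bin/env bash
# Added example, not ReconX code. audit_tools_conf is a hypothetical helper;
# the variable names and "your_..._here" placeholders follow the README.

audit_tools_conf() {
    local conf="$1" line name value mode
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }

    # API keys should be readable by the owner only (GNU stat, then BSD stat).
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) echo "perm ok ($mode)" ;;
        *)       echo "perm weak ($mode): chmod 600 $conf" ;;
    esac

    # Read NAME="value" lines as text. Sourcing the file instead would
    # execute any other shell code that ended up in it.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*) continue ;;   # commented-out entries are ignored
            *API_KEY=*|*API_ID=*|*API_SECRET=*|*API_TOKEN=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        value=${value#\"}; value=${value%\"}
        case "$value" in
            ""|your_*_here) echo "unset $name" ;;
            *)              echo "set   $name (${#value} chars, value not shown)" ;;
        esac
    done < "$conf"
    return 0
}

# Constructed sample: one placeholder, one made-up key, world-readable mode.
demo_conf=$(mktemp)
printf '%s\n' '# API Keys' \
    'SHODAN_API_KEY="your_shodan_api_key_here"' \
    'VIRUSTOTAL_API_KEY="constructed-sample-value"' > "$demo_conf"
chmod 644 "$demo_conf"
audit_tools_conf "$demo_conf"
rm -f "$demo_conf"
```

Run it against the real file with `audit_tools_conf config/tools.conf`; keeping that file out of version control is a separate step this helper does not check.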

Method 3: Validate Keys

# Validate configured API keys
./reconx.sh --validate-keys

# Output:
# ✓ Shodan API key is valid
# ✓ VirusTotal API key is valid
# ○ SecurityTrails API key not configured

Free Reconnaissance Sources (No API Required)

  • crt.sh - Certificate Transparency logs
  • RapidDNS - DNS records aggregator
  • AlienVault OTX - Open Threat Exchange
  • Anubis DB - Subdomain database
  • URLScan.io - URL scanning service
  • CertSpotter - Certificate monitoring
  • Riddler.io - DNS data
  • CommonCrawl - Web crawl data

🚀 Quick Start

Basic Scan

# Simple reconnaissance
./reconx.sh -t example.com

# With specific robustness level
./reconx.sh -t example.com -r 3

# Bug bounty safe mode
./reconx.sh -t example.com --bugbounty

Interactive Mode

# Launch interactive menu
./reconx.sh -i

# Navigate menu:
# 1. Enter target domain
# 2. Select modules to run
# 3. Choose robustness level
# 4. Configure export format
# 5. Start scan

💻 Usage Examples

Example 1: Basic Passive Reconnaissance

# Quick subdomain enumeration only
./reconx.sh -t example.com --passive -r 2

# Output: output/example.com/subdomains.txt

Example 2: Full Reconnaissance with All Modules

# Comprehensive scan with normal intensity
./reconx.sh -t example.com --all -r 3

# Runs all modules:
# → Passive reconnaissance
# → DNS analysis
# → Active scanning
# → Web discovery
# → Enumeration
# → Vulnerability assessment

Example 3: Bug Bounty Mode

# Safe mode with rate limiting
./reconx.sh -t example.com --bugbounty -r 2

# Bug bounty safe settings:
# ✓ Rate limit: 10 req/sec
# ✓ Nmap timing: T2 (polite)
# ✓ Limited port range
# ✓ No aggressive scans

Example 4: Specific Modules

# DNS analysis only
./reconx.sh -t example.com --dns

# Web discovery + vulnerability scanning
./reconx.sh -t example.com --web --vuln

# Active scanning with aggressive mode
./reconx.sh -t example.com --active -r 5

Example 5: Custom Export Formats

# Export to HTML
./reconx.sh -t example.com --all --export html

# Export to all formats (MD, HTML, JSON, CSV, PDF)
./reconx.sh -t example.com --all --export all

# Export with full report
./reconx.sh -t example.com --all --report

Example 6: Advanced Options

# Custom output directory
./reconx.sh -t example.com -o /tmp/recon --all

# With specific wordlist
./reconx.sh -t example.com --web -w wordlists/custom.txt

# Parallel execution (default: 10 jobs)
./reconx.sh -t example.com --all --parallel 20

# With notifications (Slack/Discord)
./reconx.sh -t example.com --all --notify

🧩 Modules

1. 📡 Passive Reconnaissance (--passive)

Purpose: Subdomain enumeration without touching the target

Tools Used:

  • Subfinder
  • Assetfinder
  • Amass (passive mode)
  • crt.sh
  • Shodan (if API configured)
  • VirusTotal (if API configured)
  • RapidDNS, AlienVault, Anubis

Output: output/<target>/subdomains.txt

./reconx.sh -t example.com --passive -r 3

2. 🌐 DNS Analysis (--dns)

Purpose: Deep DNS enumeration and analysis

Features:

  • Zone transfer attempts
  • DNS record enumeration (A, AAAA, MX, TXT, NS, SOA)
  • DNSSEC validation
  • Reverse DNS lookups
  • DNS brute forcing (robustness 4+)

Output: output/<target>/dns/

./reconx.sh -t example.com --dns

3. 🔍 Active Scanning (--active)

Purpose: Port and service discovery

Tools Used:

  • Nmap
  • Masscan
  • RustScan (if installed)

Features:

  • Port scanning (top 1000 or custom)
  • Service version detection
  • OS fingerprinting
  • Banner grabbing

Output: output/<target>/ports.txt

./reconx.sh -t example.com --active -r 3

4. 🌍 Web Discovery (--web)

Purpose: Web application discovery and mapping

Tools Used:

  • httpx
  • ffuf
  • gobuster

Features:

  • Live subdomain probing
  • Directory/file fuzzing
  • Virtual host discovery
  • Technology detection
  • Screenshot capture

Output: output/<target>/web/

./reconx.sh -t example.com --web

5. 🔍 Enumeration (--enum)

Purpose: CMS and technology enumeration

Tools Used:

  • WhatWeb
  • WPScan (WordPress)
  • Joomscan (Joomla)
  • CMSeeK

Output: output/<target>/enum/

./reconx.sh -t example.com --enum

6. 🛡️ Vulnerability Assessment (--vuln)

Purpose: Automated vulnerability scanning

Tools Used:

  • Nuclei
  • Nikto
  • SQLMap (optional)

Features:

  • CVE detection
  • Misconfigurations
  • Known vulnerabilities
  • Template-based scanning

Output: output/<target>/vulns/

./reconx.sh -t example.com --vuln

📊 Output Formats

Markdown (Default)

./reconx.sh -t example.com --export md

Output: output/example.com/report.md

HTML Report

./reconx.sh -t example.com --export html

Output: output/example.com/report.html
Includes interactive charts and metrics

JSON

./reconx.sh -t example.com --export json

Output: output/example.com/report.json
Machine-readable format for automation

CSV

./reconx.sh -t example.com --export csv

Output: output/example.com/report.csv
Spreadsheet-compatible

PDF

./reconx.sh -t example.com --export pdf

Output: output/example.com/report.pdf
Professional report format

All Formats

./reconx.sh -t example.com --export all

Generates all 5 formats simultaneously


🔧 Command Reference

Main Options

./reconx.sh [OPTIONS]

Required:
  -t, --target <domain>         Target domain

Modules:
  --passive                     Passive reconnaissance only
  --dns                         DNS analysis
  --active                      Active port scanning
  --web                         Web application discovery
  --enum                        CMS enumeration
  --vuln                        Vulnerability scanning
  --all                         Run all modules

Configuration:
  -r, --robustness <1-5>        Scan intensity (default: 3)
  --bugbounty                   Bug bounty safe mode
  -i, --interactive             Interactive menu mode
  -o, --output <dir>            Output directory
  -w, --wordlist <file>         Custom wordlist

Export:
  --export <format>             md|html|json|csv|pdf|all
  --report                      Generate full report

Utilities:
  --config-wizard               Interactive configuration
  --validate-keys               Validate API keys
  -h, --help                    Show help message
  -v, --version                 Show version

Configuration Files

# Main configuration
config/reconx.conf

# API keys and tool paths
config/tools.conf

🛠️ Troubleshooting

API Keys Not Working

# Validate your API keys
./reconx.sh --validate-keys

# Check configuration (prints the key values; avoid on shared or recorded terminals)
grep -E 'API_(KEY|ID|SECRET|TOKEN)' config/tools.conf

# Reconfigure using wizard
./reconx.sh --config-wizard

Running Without API Keys

API keys are completely optional! ReconX uses 7+ free sources:

# Works perfectly without any API keys
./reconx.sh -t example.com --passive -r 3

Permission Errors

# Fix permissions
chmod +x reconx.sh
chmod +x modules/*.sh
chmod +x utils/*.sh

# For install script
sudo ./install.sh

Missing Tools

# Reinstall dependencies
sudo ./install.sh

# Manual tool installation
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Slow Scans

# Use lower robustness level
./reconx.sh -t example.com -r 1

# Enable parallel execution
./reconx.sh -t example.com --parallel 20

# Use specific modules only
./reconx.sh -t example.com --passive --dns

📝 License

This project is licensed under the MIT License.


🤝 Contributing

Contributions are welcome! Please feel free to submit pull requests.


⚠️ Disclaimer

This tool is for legal security testing only. Always obtain proper authorization before testing any systems. Unauthorized access to computer systems is illegal.


Made with ❤️ for the security community
