A powerful subdomain reconnaissance tool for security researchers and penetration testers
ReconX helps you discover and analyze subdomains of target domains with advanced service detection, subdomain takeover checks, and comprehensive scanning capabilities.
- Fast subdomain enumeration using subfinder
- Detection of common services:
- Webmail systems
- Admin panels
- File managers
- Login portals
- Development endpoints
- Monitoring systems
- Database administration
- cPanel instances
- Subdomain takeover vulnerability detection
- Multi-threaded scanning for improved performance
- Beautiful console output using Rich
- JSON export capability
- Configurable service scanning
- NEW: Fully configurable through JSON files
- Add custom service paths and keywords
- Modify HTTP headers and timeouts
- Customize access denied messages
- Add new service types without code changes
ReconX Scanning in Action
Service Detection in Action
- Clone the repository:
git clone https://github.com/ampedwastaken/ReconX.git
cd ReconX- Install the required Python packages:
pip install -r requirements.txt- Install subfinder:
GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinderReconX uses JSON configuration files located in the config directory:
This file defines the services to scan for and their detection patterns:
{
"service_name": {
"paths": ["/path1", "/path2"],
"keywords": ["keyword1", "keyword2"]
}
}To add a new service:
- Open
config/services.json - Add a new service entry with paths and keywords
- Restart ReconX - the new service will be automatically available
This file contains general settings:
- HTTP headers
- Request timeout
- Maximum worker threads
- Access denied messages
- Fingerprints URL
Basic usage:
python reconx.py --domain example.comScan for specific services:
python reconx.py --domain example.com --webmail --admin --loginScan all services and check for takeover vulnerabilities:
python reconx.py --domain example.com --all --takeoverExport results to JSON:
python reconx.py --domain example.com --all --json results.json--domain: Target domain (required)--webmail: Check for webmail services--admin: Check for admin panels--filemanager: Check for file managers--login: Check for login portals--dev: Check for development endpoints--monitoring: Check for monitoring systems--dbadmin: Check for database administration panels--cpanel: Check for cPanel instances--all: Check for all services--takeover: Check for subdomain takeover vulnerabilities--json: Export results to JSON file--onlylive: Only scan live subdomains
We encourage the community to share their service scanner configurations! If you've created effective patterns for detecting specific services, please contribute them to help the entire security community.
How to Submit a Service Scanner:
- Fork the repository
- Add your service configuration to
config/services.jsonfollowing this template:
{
"your_service_name": {
"paths": [
"/common/path1",
"/common/path2"
],
"keywords": [
"unique identifier 1",
"unique identifier 2"
]
}
}- Test your configuration thoroughly
- Submit a Pull Request with:
- Description of the service
- Why these paths and keywords are effective
- Any examples of successful detections
Service Scanner Guidelines:
- Choose unique and specific paths
- Include distinctive keywords that appear in the service's interface
- Avoid generic terms that might cause false positives
- Consider common variations and implementations
- Document any specific detection nuances
Your contributions help make ReconX more powerful and comprehensive! πͺ
- Improving existing service patterns
- Adding new features
- Reporting bugs
- Enhancing documentation
- Sharing success stories and use cases
This tool is for educational and research purposes only. Users are responsible for complying with applicable laws and regulations. The author is not responsible for any misuse or damage caused by this tool.