recon.py – Basic enumeration of domains and IP addresses

One of the first steps in almost every security audit is reconnaissance and enumeration.

Tools like nslookup, dig and, of course, nmap are essential in this phase, whether mapping out services on the local network or exploring the network settings of websites.
recon.py is designed to ease the tester's workload and save time in this important phase of the security audit.
The script has two main sides to it: domain testing and service testing.

Domain testing can be performed by running for example:
./recon.py -u linux.com

The scan starts off by resolving the nameservers associated with the domain and attempting a zone transfer against each of them.
Next, the script runs a quick subdomain brute force to see whether additional IP addresses for the host can be found, which can happen when cloud protection
services such as Cloudflare are misconfigured.

Finally, the public IP addresses of each valid subdomain found by the brute force are resolved using the socket.getaddrinfo function, and
useful whois data for those IPs is printed.
At the end of the scan, all results are stored in the results folder as <domain>.txt.

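As an added example of the domain-testing step described above (this is illustrative code, not recon.py itself), the block below resolves candidate subdomains with socket.getaddrinfo, the same call the script uses, and then flags any resolved address that falls outside a set of CDN prefixes, which is exactly the misconfiguration that lets a subdomain reveal the origin IP behind a service like Cloudflare. The prefixes, the hostnames and the DNS answers are constructed placeholders (documentation-only addresses), and the resolver is injectable so the logic runs offline; `brute_force_subdomains`, `outside_cdn` and `constructed_resolver` are names chosen for this example.

```python
"""Subdomain resolution and origin-exposure check.

Added example, not code from recon.py: resolves candidate subdomains with
socket.getaddrinfo (the call recon.py uses) and flags any resolved address
that lies outside a given set of CDN/proxy prefixes, which is how a
misconfigured subdomain ends up revealing the origin IP. The resolver is
injectable so the logic can be exercised offline against constructed data.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed placeholder prefixes standing in for a CDN provider's published
# address ranges; substitute the provider's real list when running for real.
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

Resolver = Callable[[str], Set[str]]


def resolve_with_getaddrinfo(host: str) -> Set[str]:
    """Resolve host to its IPv4/IPv6 addresses; an empty set means it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def brute_force_subdomains(domain: str, wordlist: Iterable[str],
                           resolver: Resolver = resolve_with_getaddrinfo) -> Dict[str, Set[str]]:
    """Try each word as a label under domain; keep the names that resolve."""
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        addrs = resolver(fqdn)
        if addrs:
            found[fqdn] = addrs
    return found


def outside_cdn(found: Dict[str, Set[str]],
                prefixes=CDN_PREFIXES) -> Dict[str, List[str]]:
    """Return, per subdomain, the resolved addresses not covered by any CDN prefix.

    Those are the records worth reviewing: a name that resolves straight to
    the origin bypasses whatever protection the CDN provides.
    """
    exposed: Dict[str, List[str]] = {}
    for fqdn, addrs in found.items():
        leaks = []
        for addr in sorted(addrs):
            ip = ipaddress.ip_address(addr)
            # ip in net is False when the address family differs, so v4/v6 mix safely
            if not any(ip in net for net in prefixes):
                leaks.append(addr)
        if leaks:
            exposed[fqdn] = leaks
    return exposed


# Constructed DNS data for an offline run (documentation-only addresses).
CONSTRUCTED_DNS: Dict[str, Set[str]] = {
    "www.example.test": {"203.0.113.10"},                   # behind the CDN
    "mail.example.test": {"198.51.100.25"},                 # mail host, not proxied
    "dev.example.test": {"203.0.113.11", "198.51.100.30"},  # one record leaks the origin
}


def constructed_resolver(host: str) -> Set[str]:
    """Stand-in for resolve_with_getaddrinfo that answers from CONSTRUCTED_DNS."""
    return set(CONSTRUCTED_DNS.get(host, set()))


if __name__ == "__main__":
    hits = brute_force_subdomains("example.test", ["www", "mail", "dev", "ftp"], constructed_resolver)
    for name, addrs in hits.items():
        print(f"{name:<20} {', '.join(sorted(addrs))}")
    for name, leaks in outside_cdn(hits).items():
        print(f"outside CDN ranges: {name} -> {', '.join(leaks)}")
```

Pass `resolve_with_getaddrinfo` (the default) instead of `constructed_resolver` to run against live DNS; the exposure check is the part worth keeping for your own domains, since a single un-proxied record such as the mail or dev host above undoes the CDN's protection of the origin.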
The service scan section of the script uses nmap to enumerate services.
As with nmap itself, you can pass an IP address, a domain, or an IP range in standard nmap notation, for example:
./recon.py -s 192.168.0.1/24

If a range is given, the script first performs a ping scan to find live hosts within the range, then runs a service scan against them.
The results are written to XML files for easy import into Metasploit, for example:
db_import /home/user/scripts/recon/results/*.xml
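As an added example (not part of recon.py or of Metasploit), the block below reads the kind of nmap XML the service scan writes and summarizes it before db_import: it keeps only hosts the ping scan marked up and only ports in the open state, so the tester can see at a glance what is about to be loaded. It uses only the standard library; the embedded XML is a constructed sample in nmap's -oX layout, and `parse_nmap_xml` and `hosts_running` are names chosen for this example.

```python
"""Summarize nmap XML output before importing it into Metasploit.

Added example, not code from recon.py: parses the -oX XML that the service
scan writes, keeps only hosts that were up and ports that were open, and
groups the findings so the tester can see what db_import is about to load.
Uses only the standard library; the XML below is constructed sample output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

OpenPort = Tuple[str, int, str]  # (protocol, port number, service name)


def parse_nmap_xml(xml_text: str) -> Dict[str, List[OpenPort]]:
    """Map each live host's IP address to its open ports, sorted by port number."""
    root = ET.fromstring(xml_text)
    results: Dict[str, List[OpenPort]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # the ping scan found no response; nothing to import
        # A host may carry several <address> elements (e.g. a MAC); take the IP one.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        open_ports: List[OpenPort] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports add nothing to the service picture
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        results[ip] = sorted(open_ports, key=lambda p: (p[1], p[0]))
    return results


def hosts_running(results: Dict[str, List[OpenPort]], service: str) -> List[str]:
    """List the hosts on which nmap identified the given service name (e.g. 'ssh')."""
    return sorted(ip for ip, ports in results.items()
                  if any(name == service for _, _, name in ports))


# Constructed sample in the shape of nmap -oX output (not a real scan).
CONSTRUCTED_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX results/192.168.0.0-24.xml 192.168.0.1/24">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.0.5" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


if __name__ == "__main__":
    summary = parse_nmap_xml(CONSTRUCTED_NMAP_XML)
    for ip, ports in summary.items():
        listing = ", ".join(f"{num}/{proto} {name}".rstrip() for proto, num, name in ports)
        print(f"{ip:<16} {listing}")
    print("hosts with ssh:", hosts_running(summary, "ssh"))
```

To run it over a real scan, read each file in the results folder and pass its contents to parse_nmap_xml; the host and port filtering mirrors what db_import stores, so the printed summary is a useful sanity check that the ping sweep and the service scan covered what you expected.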

Download Here