ALLRECON is a comprehensive, modular reconnaissance framework designed for bug bounty hunters and security researchers. It automates the entire recon workflow with parallel execution, intelligent error handling, and extensive customization options.
- Modular Architecture: Clean separation of concerns with reusable modules
- Parallel Execution: Run multiple tools simultaneously for 60-70% faster scans
- Configuration System: YAML-based config with profiles (quick, deep)
- Comprehensive Logging: Multiple log levels with file and console output
- Error Handling: Graceful failure recovery and detailed error messages
- Progress Tracking: Real-time progress indicators and job statistics
- crt.sh certificate transparency logs
- SubFinder (passive subdomain discovery)
- Assetfinder (cross-platform subdomain finder)
- dnsx (brute-force and resolver)
- DNS resolution and validation
- HTTP/HTTPS service detection
- Subdomain takeover detection (subzy, subjack)
- Multi-source JS file discovery (gau, waybackurls, katana, robots.txt)
- Endpoint extraction (LinkFinder)
- Secret detection (SecretFinder + custom regex)
- API key extraction
- GF pattern matching (API keys, AWS keys, sensitive data)
- Historical URL gathering (gau, waybackurls)
- URL validation (FFUF)
- Custom wordlist generation
- Parameter extraction
- GF pattern matching (XSS, SQLi, LFI, SSRF, IDOR, etc.)
- CORS misconfiguration detection
- Nuclei - CVEs, vulnerabilities, misconfigurations
- XSS - kxss + dalfox scanning
- SQLi - SQLMap integration
- LFI - Local file inclusion detection
- Open Redirect - OpenRedireX scanning
- Summary text reports
- Scan statistics and metrics
- File location mapping
- Scan duration tracking
- Bash 4.0+
- Go 1.19+ (for Go-based tools)
- Python 3.6+ (for Python tools)
- curl, jq, grep, sed, awk
# Clone or download ALLRECON
cd /path/to/ALLRECON
# Check dependencies
chmod +x install.sh
./install.sh --check
# Install missing tools
./install.sh --install
# Run ALLRECON
chmod +x allrecon.sh
./allrecon.shFor detailed installation instructions, see INSTALLATION.md
# Interactive menu (default)
./allrecon.sh
# Single domain reconnaissance
Select option [1] and enter domain: example.com
# Massive recon with subdomains
Select option [2] and enter domain: example.com# Use custom configuration
./allrecon.sh --config my-config.yaml
# Use quick scan profile
./allrecon.sh --profile quick
# Enable debug logging
./allrecon.sh --log-level DEBUG
# Disable parallel execution
./allrecon.sh --no-parallel
# Disable colors (for piping)
./allrecon.sh --no-colorFor more examples, see USAGE.md
example.com/
βββ domain_enum/ # Subdomain enumeration results
β βββ crt.txt
β βββ subfinder.txt
β βββ assetfinder.txt
β βββ dnsx.txt
β βββ all.txt
βββ final_domains/ # Resolved and validated domains
β βββ domains.txt
β βββ httpx.txt
βββ js/ # JavaScript analysis
β βββ all_js.txt
β βββ endpoints.txt
β βββ secrets.txt
β βββ api_keys.txt
βββ waybackurls/ # URL collection
β βββ wayback.txt
β βββ valid.txt
βββ gf/ # GF pattern results
β βββ xss.txt
β βββ sqli.txt
β βββ lfi.txt
βββ vulnerabilities/ # Vulnerability scan results
β βββ cors/
β βββ xss_scan/
β βββ sqli/
β βββ LFI/
β βββ openredirect/
βββ nuclei_scan/ # Nuclei results
β βββ cves.txt
β βββ vulnerabilities.txt
β βββ misconfiguration.txt
βββ takeovers/ # Subdomain takeover results
βββ report.txt # Summary report
ALLRECON uses YAML configuration files for flexibility:
# config/default.yaml
scan:
threads: 30
timeout: 300
parallel_enabled: true
max_parallel_jobs: 5
logging:
level: "INFO"
file: "logs/allrecon.log"Quick Scan (--profile quick):
- Fast, essential tools only
- Limited to subfinder, httpx, nuclei
- Timeout: 60s
Deep Scan (--profile deep):
- Comprehensive, all tools
- Increased parallelism
- Timeout: 3600s
Create custom profiles in config/profiles/
allrecon.sh (Main Entry Point)
βββ lib/
β βββ colors.sh # Color management
β βββ logger.sh # Logging system
β βββ utils.sh # Utility functions
β βββ parallel.sh # Parallel execution
β βββ validators.sh # Input validation
β βββ config_parser.sh # YAML config parser
βββ modules/
βββ subdomain_enum.sh # Subdomain discovery
βββ js_analysis.sh # JavaScript analysis
βββ vuln_scan.sh # Vulnerability scanning
βββ url_collection.sh # URL gathering
βββ reporting.sh # Report generation
ALLRECON can run multiple tools concurrently:
- Job pooling with configurable max workers
- Progress tracking
- Timeout handling
- Resource monitoring
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
MIT License - See LICENSE file for details
Muzakir Lone
Thanks to all the amazing tool creators:
- ProjectDiscovery team (subfinder, httpx, nuclei, katana, dnsx)
- Tom Hudson (assetfinder, gau, waybackurls, anew, qsreplace, unfurl, gf)
- Various security researchers for specialized tools
This tool is for authorized security testing only. Always obtain proper permission before testing any systems you don't own.
Version 2.0.0 - Complete rewrite with modular architecture, parallel execution, and professional tooling.