go-recon: External recon toolkit
go-recon
This project started as a few Golang scripts that automated tedious steps of external recon, among other things. Over time I reworked the scripts and eventually decided to build much more versatile tools; along the way I would also learn to use Golang channels and concurrency.
This toolkit provides tools for different purposes (enumeration and exploitation) during external recon. The project is not perfect, and most of the available features are designed for bug bounty, which is why, for example, some tools only check for the presence of a vulnerability but do not exploit it. Most functions are also exposed through the official package API so you can use them in your own tools. Feel free to contribute by reporting issues or discussing ideas.
Features
These are some of the most notable features of this suite:
- Speed and concurrency
- Easy and malleable usage via CLI arguments
- Tools are designed to be combined between them
- Designed for Bug Bounty and external recon
- Multiple output formats (STDOUT, TXT, JSON, CSV)
- Take input as CLI arguments or directly from STDIN
- Direct access to official package API
- Coded in Golang to provide the best performance
Tools
Every tool name starts with "gr" (an acronym of GoRecon) to distinguish it from other tools:
- gr-subdomains: Enumerate subdomains of a domain using 8 different providers (passively)
- gr-urls: Find URLs (endpoints) of a domain from different sources (Wayback, AlienVault)
- gr-probe: Quickly probe active subdomains and URLs (http and https), with custom concurrency and more
- gr-403: Try to bypass pages that return 403 status code (multiple techniques)
- gr-openredirects: Fuzz for potential open redirects on given URLs using a payload/custom list of payloads
- gr-aws: Enumerate S3 buckets for given domain using permutations, verify bucket lists and much more
- gr-waf: Identify which WAF is running on target using multiple payloads
- gr-filter: Remove useless URLs from a list using intelligent filtering, or create custom filter patterns
- gr-ssti: Look for potential SSTI vulnerabilities on given URLs using payloads for multiple template engines
- gr-replace: Replace given keyword or parameter value with provided value from URLs of a list
- gr-secrets: Search for API keys and leaked secrets in HTML and JS pages
- gr-crawl: Quickly crawl URLs to gather further URLs and JS endpoints, with custom depth and other config options
- gr-dns: Retrieve DNS info from domains
- gr-whois: Perform WHOIS query against domains