TheLeopard65/Reconductor

Reconductor - Automated DNS Reconnaissance Framework

Reconductor is a modular, automated reconnaissance tool designed to streamline the information‑gathering phase of penetration testing and bug bounty engagements. It integrates multiple OSINT sources and active discovery utilities to perform:

  • Passive subdomain enumeration (crt.sh, Amass, Subfinder, Assetfinder)
  • Active DNS brute‑forcing (dnscan or Python fallback)
  • IP resolution (dnsx or Python fallback)
  • Technology stack detection (Wappalyzer)

The tool produces well‑structured, timestamped outputs, reduces manual effort, and respects ethical guidelines.


Features

  • Passive Enumeration
    • crt.sh - certificate transparency logs
    • Amass (OWASP) - extensive passive sources
    • Subfinder - fast, configurable passive discovery
    • Assetfinder - simple and effective
  • Active Brute‑forcing
    • Uses dnscan if available, else falls back to a multi‑threaded Python resolver
  • Merge & Filter
    • Automatically deduplicates results and validates subdomains against target(s)
  • IP Resolution
    • dnsx (preferred) or Python dnspython resolver
  • Technology Detection
    • Wappalyzer integration (HTTP/HTTPS)
  • Auto‑Merge
    • No need to manually specify --merge before resolve or wappalyzer - it runs automatically when required.
  • Timestamped Output
    • Each scan creates output/scan_YYYYMMDD_HHMMSS/ with module‑specific subdirectories.
  • Docker Ready
    • All external tools are pre‑installed in the container image.
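
The Merge & Filter step described above, sketched as an added example (not Reconductor's own code): it merges per-tool result lists, deduplicates them, and keeps only names that sit inside the target domain on a label boundary. The function names and the sample data are hypothetical and constructed for illustration.

```python
import re

# One DNS label as commonly seen in tool output: letters, digits, hyphen,
# underscore; 1-63 characters; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")

def normalize(name):
    """Lower-case a raw output line, strip a wildcard prefix and trailing dot.
    Returns None when the line is not a syntactically valid hostname."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):          # certificate entries such as *.example.com
        host = host[2:]
    if not host or len(host) > 253:
        return None
    if not all(_LABEL.fullmatch(label) for label in host.split(".")):
        return None
    return host

def in_scope(host, targets):
    """True only if host equals a target or ends with '.' + target.
    A plain endswith(target) would wrongly accept notexample.com."""
    return any(host == t or host.endswith("." + t) for t in targets)

def merge_and_filter(sources, targets):
    """Merge per-tool result lists, deduplicate, keep in-scope names only."""
    targets = {t.strip().lower().rstrip(".") for t in targets}
    seen = set()
    for lines in sources.values():
        for line in lines:
            host = normalize(line)
            if host and in_scope(host, targets):
                seen.add(host)
    return sorted(seen)

# Constructed sample input keyed by module name (not real scan output).
SAMPLE = {
    "crtsh": ["*.example.com", "WWW.Example.com", "mail.example.com."],
    "subfinder": ["www.example.com", "api.example.com", "notexample.com"],
    "userfile": ["example.com.attacker.test", "bad host.example.com", ""],
}

if __name__ == "__main__":
    for host in merge_and_filter(SAMPLE, ["example.com"]):
        print(host)
```

The label-boundary check is what keeps look-alike names such as notexample.com and example.com.attacker.test out of the resolve and technology-detection stages, so later modules only touch hosts inside the authorised scope.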

Installation

Option 1: Local (Kali / Debian / Ubuntu)

1. Clone the repository

git clone https://github.com/TheLeopard65/reconductor.git
cd reconductor

2. Set up a Python virtual environment

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

3. Install external tools (optional but recommended)

If you want to use Amass, Subfinder, Assetfinder, dnsx, and dnscan, install them manually or use the provided setup script:

# Install Go (required for most tools)
sudo apt install golang -y
export PATH=$PATH:$HOME/go/bin

# Install each tool
go install -v github.com/owasp-amass/amass/v4/...@master
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

# Install dnscan
git clone https://github.com/rbsec/dnscan.git /opt/dnscan
pip install -r /opt/dnscan/requirements.txt
sudo ln -s /opt/dnscan/dnscan.py /usr/local/bin/dnscan

First‑run setup for Amass:
Amass downloads large geolocation data files (~800 MB) on its first execution. To avoid delays during actual scans, run a dummy command once:

amass enum -passive -d example.invalid -o /dev/null

Option 2: Docker (everything included)

make build        # Build the reconductor:latest image
make test         # Quick test on scanme.nmap.org

The Docker image includes all external tools pre‑installed and pre‑configured.


🚀 Usage

Basic Syntax

python reconductor.py -d <domain> [options]

Examples

Run all passive enumeration tools + auto‑merge + resolve + wappalyzer

python reconductor.py -d example.com -a --amass --subfinder --assetfinder -r --wappalyzer

Only passive enumeration (crt.sh + Amass + Subfinder)

python reconductor.py -d example.com --crtsh --amass --subfinder

Active brute‑force with custom wordlist

python reconductor.py -d example.com --bruteforce -w /path/to/wordlist.txt

Scan multiple domains from a file

python reconductor.py -l domains.txt -a --amass --subfinder

Merge an external subdomain list and then resolve

python reconductor.py -d example.com -f my_subs.txt -r

Command Line Options

Option            Description
-d, --domain      Single target domain
-l, --domlist     File containing one domain per line
-w, --wordlist    Custom wordlist for brute‑forcing
-f, --userfile    User‑provided subdomain file to merge
-r, --resolve     Perform IP resolution (dnsx or fallback)
--wappalyzer      Run technology detection on merged subdomains
--amass           Enable Amass passive enumeration
--subfinder       Enable Subfinder passive enumeration
--assetfinder     Enable Assetfinder passive enumeration
--crtsh           Run only crt.sh module
--bruteforce      Run only DNS brute‑force module
--merge           Run only merge/filter step
--resolve-only    Run only IP resolution (requires existing subdomains.txt)
-a, --all         Run full workflow: passive (crt.sh) + brute‑force + merge. Add tool‑specific flags to extend.
-h, --help        Show help message

Note: The --all flag runs crt.sh, brute‑force, and merge by default. To include Amass, Subfinder, or Assetfinder, you must explicitly add their flags.


Output Structure

Each scan creates a timestamped directory inside output/:

output/
└── scan_2026-04-12_13-51-38-639890/
    ├── config.txt                     # Scan parameters
    ├── subdomains.txt                 # Final valid subdomains
    ├── all_subdomains.txt             # Raw merged list (before filtering)
    ├── crtsh/
    │   └── crtsh.txt
    ├── amass/
    │   └── amass.txt
    ├── subfinder/
    │   └── subfinder.txt
    ├── assetfinder/
    │   └── assetfinder.txt
    ├── bruteforce/
    │   └── bruteforce.txt
    ├── resolve/
    │   └── ips.txt                    # subdomain -> IP mapping
    └── wappalyzer/
        └── wappalyzer.json            # Technology detection results

Docker Usage

The Makefile simplifies Docker operations:

make build        # Build the image
make test         # Run a quick test on scanme.nmap.org
make shell        # Get an interactive shell inside the container
make clean        # Remove output/ directory contents

Manual Docker run:

docker run --rm -v "$(pwd)/output:/app/output" reconductor:latest -d example.com -a --amass -r

The container runs as a non‑root user (reconductor) and uses the bundled wordlist at /app/wordlist.txt.


Requirements

Python Dependencies (requirements.txt)

python-Wappalyzer
beautifulsoup4
setuptools<81
dnspython
requests
colorama
pyfiglet
lxml

External Tools (optional for local install)

  • Amass (go install)
  • Subfinder (go install)
  • Assetfinder (go install)
  • dnsx (go install)
  • dnscan (git clone + pip)

If any external tool is missing, Reconductor will fall back to Python‑based implementations (slower but functional).


Troubleshooting

Issue                                                Solution
Amass failed with exit status 123                    First‑run data download was interrupted. Run the dummy command once: amass enum -passive -d example.invalid -o /dev/null.
ModuleNotFoundError: No module named 'Wappalyzer'    Install python-Wappalyzer (already in requirements).
pkg_resources error                                  Ensure setuptools<81 is installed (pinned in requirements).
Wordlist not found                                   Provide a custom wordlist with -w or install seclists (sudo apt install seclists).
Docker container can't write output                  The container runs as UID 1000. Ensure the host output/ directory is writable by your user.
Subfinder/Amass not found in PATH                    Install them (see Installation section) or run inside Docker.

Legal & Ethical Use

Important: Reconductor is intended for authorised security assessments only.
Do not scan any domain without explicit written permission.
The developer and ITSOLERA Pvt. Ltd. are not liable for any misuse of this tool.

All activities must comply with applicable laws and ethical cybersecurity guidelines.


License

MIT License - see LICENSE file.


Acknowledgments


Happy hunting - stay legal, stay ethical.


About

A modular, lightweight DNS reconnaissance framework written in Python3.
