1amrahul/ReconFlow

ReconFlow - Automated Reconnaissance Framework

ReconFlow is a high-performance automated reconnaissance framework for bug bounty hunting and security assessments. It enumerates attack surface (subdomains, ports, directories, JS assets) and enriches results with vulnerability signals.

Features

Core Features

  • Subdomain Enumeration: Passive + active enumeration with multiple tools
    • subfinder, amass, assetfinder
    • crt.sh scraping, DNS bruteforce
  • Live Host Detection: HTTP probing with httpx
    • Status codes, titles, technologies
  • Port Scanning: Fast + deep scanning
    • masscan (fast), nmap (service detection)
  • Directory Bruteforcing: Intelligent scanning with ffuf
    • Auto-calibration, wildcard detection
  • JS Collection & Analysis: Crawling + secret detection
    • katana, gau, waybackurls
    • Regex patterns for API keys, tokens, endpoints

Advanced Features

  • CVE & Service Mapping: Correlate services with known vulnerabilities
  • Subdomain Takeover Detection: Fingerprint-based identification
  • Technology Fingerprinting: Wappalyzer-style detection
  • Cloud Asset Discovery: S3, Azure, GCP storage detection
  • DNS Analysis: Zone transfer checks, dangling DNS
  • Correlation Engine: Links findings across stages

Pipeline Stages

1. Subdomain Enumeration
2. DNS Analysis (Zone Transfer, CNAME, Takeover)
3. Live Host Detection
4. Port Scanning (masscan + nmap)
5. Directory Bruteforcing
6. JS Collection
7. JS Analysis
8. Technology Fingerprinting
9. CVE Mapping
10. Correlation & Reporting

Quick Start

Docker (Recommended)

# Build the Docker image
docker build -t reconflow .

# Run a basic scan
docker run --rm -it \
  --cap-add NET_RAW --cap-add NET_ADMIN \
  -v "$(pwd)/output:/app/output" \
  reconflow scan -d example.com --full

# Resume an interrupted scan
docker run --rm -it \
  --cap-add NET_RAW --cap-add NET_ADMIN \
  -v "$(pwd)/output:/app/output" \
  reconflow resume -d example.com

Docker Compose

# Start the container
docker-compose up reconflow

# Run a scan
docker-compose run reconflow scan -d example.com --full

# View results
ls -la output/example.com/

Native Installation

# Install Go 1.24+
# Clone and build
git clone https://github.com/yourrepo/reconflow.git
cd reconflow
go mod download
go build -o reconflow ./cmd/reconflow

# Run
./reconflow scan -d example.com --full

Usage

Commands

# Start a new scan
reconflow scan -d example.com --full

# Resume interrupted scan
reconflow resume -d example.com

# Check tool installation
reconflow install --check

# Install all tools
reconflow install --all

# Show version
reconflow version

Output

Results are saved to output/<domain>/:

output/example.com/
├── state.db              # SQLite database with all findings
├── subdomains.txt        # Discovered subdomains
├── live.txt              # Live hosts
├── ports.json            # Open ports
├── dirs.txt              # Discovered directories
├── js/                   # JavaScript files
├── findings.json         # Security findings
├── summary.json          # Scan summary
└── logs/                 # Stage logs

Docker Configuration

Required Capabilities

For full functionality, run with:

docker run --rm -it \
  --cap-add NET_RAW \
  --cap-add NET_ADMIN \
  --cap-add SYS_NICE \
  --cap-add SYS_RESOURCE \
  reconflow scan -d example.com

VPN Support (Stealth Scanning)

# Start with VPN
docker-compose --profile vpn up reconflow-vpn

Development Mode

# Start dev container
docker-compose --profile dev up reconflow-dev

# Access shell
docker exec -it reconflow-dev /bin/bash

Configuration

Default configuration is in internal/config/config.go. Create a custom config:

{
  "general": {
    "timeout": 30,
    "retries": 3
  },
  "subdomain": {
    "brute_force": true,
    "wordlist": "/wordlists/subdomains.txt"
  },
  "portscan": {
    "fast_scan": true,
    "deep_scan": true,
    "top_ports": 1000
  },
  "ratelimit": {
    "enabled": true,
    "requests_per_sec": 100
  },
  "concurrency": {
    "subdomain_enum": 20,
    "live_check": 50,
    "dir_brute": 50
  }
}
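
An added example, not ReconFlow's own code: a strict loader for the custom config above that rejects misspelled keys and checks the rate limit against an agreed ceiling. Go's encoding/json ignores unknown keys unless told otherwise, so a typo in requests_per_sec would otherwise go unnoticed. The Config struct, CheckConfig and maxRPS are assumptions for illustration; the page does not show the project's real types.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Config mirrors the README's config keys (assumed layout, not the project's type).
type Config struct {
	General   json.RawMessage `json:"general"`   // kept raw: not checked here
	Subdomain json.RawMessage `json:"subdomain"` // kept raw: not checked here
	Portscan  json.RawMessage `json:"portscan"`  // kept raw: not checked here
	Ratelimit struct {
		Enabled        bool `json:"enabled"`
		RequestsPerSec int  `json:"requests_per_sec"`
	} `json:"ratelimit"`
	Concurrency map[string]int `json:"concurrency"`
}

// CheckConfig strictly parses raw and returns every problem found. maxRPS is the
// request ceiling agreed for the engagement (hypothetical caller-supplied value).
func CheckConfig(raw []byte, maxRPS int) []string {
	var c Config
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled key must fail, not be dropped silently
	if err := dec.Decode(&c); err != nil {
		return []string{"parse: " + err.Error()}
	}
	var problems []string
	if r := c.Ratelimit.RequestsPerSec; !c.Ratelimit.Enabled || r < 1 || r > maxRPS {
		problems = append(problems, fmt.Sprintf(
			"ratelimit: enabled=%v requests_per_sec=%d, want enabled and 1..%d",
			c.Ratelimit.Enabled, r, maxRPS))
	}
	for stage, n := range c.Concurrency {
		if n < 1 {
			problems = append(problems, fmt.Sprintf("concurrency.%s=%d must be >= 1", stage, n))
		}
	}
	return problems
}

// Constructed sample: the README's ratelimit block with one key misspelled.
const typoConfig = `{"ratelimit": {"enabled": true, "request_per_sec": 100}}`

func main() {
	fmt.Println(CheckConfig([]byte(typoConfig), 100))
}
```

Typos inside the general, subdomain and portscan sections are not caught by this version, because those sections are kept as raw JSON.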

Required Tools

The framework uses these external tools:

Tool          Purpose                   Required
subfinder     Subdomain enumeration     Yes
httpx         HTTP probing              Yes
masscan       Fast port scanning        Yes
nmap          Service detection         Yes
ffuf          Directory bruteforcing    Yes
katana        Web crawling              Yes
dnsx          DNS toolkit               Yes
gau           Historical URLs           Yes
waybackurls   Wayback data              Yes
assetfinder   Domain finder             Yes
amass         Advanced enumeration      No
gowitness     Screenshots               No

Architecture

cmd/reconflow/          # Main entry point
internal/
├── bootstrap/          # Tool validation & installation
├── config/             # Configuration management
├── pipeline/           # Pipeline orchestration
│   └── stages/         # Individual scan stages
├── state/              # Database & state management
├── worker/             # Worker pool for concurrency
├── utils/              # Utilities (dedup, proxy, rate limiting)
└── output/             # Output file generation

Resume & State Management

ReconFlow supports pause/resume:

# Ctrl+C during scan saves state
# Resume with:
reconflow resume -d example.com

# Skip to specific stage
reconflow scan -d example.com --resume-stage=portscan

Rate Limiting & Evasion

# Set rate limit
reconflow scan -d example.com --rate 50

# Use proxy
reconflow scan -d example.com --proxy http://proxy:8080

# Rotate proxies
reconflow scan -d example.com --proxy-list proxies.txt

API Keys (Optional)

For enhanced subdomain enumeration, configure API keys:

# Subfinder API keys
mkdir -p ~/.config/subfinder
# Add your API keys to provider-config.yaml

License

MIT License - See LICENSE file for details.

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Commit your changes
  4. Push to the branch
  5. Open a Pull Request

Disclaimer

This tool is for authorized security testing only. Unauthorized scanning may be illegal. Always obtain proper authorization before using.
