Skip to main content

Intelligent Reconnaissance & Vulnerability Assessment Framework

Project description

Nexus-REC Banner

๐Ÿ›ก๏ธ Nexus-REC

The Intelligent Reconnaissance & Vulnerability Assessment Framework

Version License Python PyPI CI


Nexus-REC is a modular reconnaissance and vulnerability assessment engine built for Red Teams, Bug Bounty Hunters, and Security Researchers. It integrates 539+ specialized techniques โ€” from passive OSINT to active exploitation โ€” into a single, automated workflow driven by a context-aware Smart Scan engine.

Quick Start ยท Capabilities ยท Smart Scan ยท Installation ยท Usage ยท Architecture ยท Reports ยท Arabic README


Why Nexus-REC?

The gap between shipping code and testing it is where vulnerabilities slip through. Most reconnaissance tools are:

  • โŒ Single-purpose โ€” one tool for subdomains, another for JS analysis, another for cloud buckets
  • โŒ Static โ€” run the same checks on every target regardless of technology stack
  • โŒ Noisy โ€” no awareness of WAF, rate limits, or security challenges
  • โŒ Poor reporting โ€” raw terminal output with no structured evidence

Nexus-REC solves this with a unified pipeline that fingerprints the target first, then builds a smart plan based on what it finds โ€” running only the relevant modules, respecting security boundaries, and producing structured JSON + Markdown + PDF reports with full evidence preservation.

What Makes It Different

Capability Nexus-REC Typical Tools
Stack-aware scanning Detects framework (Next.js, Laravel, ASP.NET) and runs targeted checks Blind scans
Smart plan engine Adapts module selection based on real-time fingerprinting Fixed checklist
539+ techniques Recon, exploitation, cloud, mobile, API docs, email security, and more 10โ€“50 checks
Structured reports JSON + Markdown + PDF with full evidence Raw terminal output
Safety gates WAF detection, security challenge handling, rate-limit awareness No awareness
Multi-language English + Arabic interfaces and documentation English only

๐Ÿ“Š Engine Stats

Scanners Modules Patterns
539+ 29 39+

๐Ÿš€ Capabilities

Nexus-REC ships 29 modules organized across reconnaissance, exploitation, infrastructure, and stack-specific analysis. Each module is independently runnable and contributes findings to a unified report.

Reconnaissance

Module Category Highlights
Basic Recon ๐Ÿ” WAF detection (13 engines), technology stack (30+ frameworks), security headers audit, CSP parsing, HTML metadata extraction
Subdomain Enumeration ๐ŸŒ Certificate transparency (crt.sh), DNS brute force (incl. bkapi, student, teacher patterns), JS-based extraction, backend IP discovery
DNS, SSL & Ports ๐Ÿ”’ Wildcard detection, SSL certificate parsing, 25-port scan, DNSSEC check
DNS Detritus ๐Ÿ—‘๏ธ Legacy DNS record mapping, Cloudflare stale record resolution, historical subdomain discovery
Cloud Recon โ˜๏ธ AWS S3/CloudFront, Azure Blob Storage, Cloudflare detection, cache poisoning assessment
Azure Cloud Recon โ˜๏ธ Azure App Service detection, Front Door identification, IP Restriction detection (x-ms-forbidden-ip), Blob Storage enumeration, App Service subdomain scanning
JavaScript Analysis ๐Ÿ“œ API endpoint extraction, webpack chunk parsing, secret/token harvesting, AWS Amplify config extraction (AppSync, Cognito, S3)
Well-Known Files ๐Ÿ“„ robots.txt, security.txt, llms.txt & ai.txt parsing for intelligence gathering
Email Security ๐Ÿ“ง MX record enumeration, SPF/DMARC/DKIM analysis, email provider identification, security scoring
Salesforce Detection โ˜๏ธ Instance detection via headers/HTML, subdomain probing, API version enumeration, unauthenticated endpoint checks
API Doc Discovery ๐Ÿ“š ASP.NET Web API Help Page parsing, generic API documentation discovery, controller/action extraction, auth requirement analysis

Exploitation & Vulnerability Assessment

Module Category Highlights
Vulnerability Scanner ๐Ÿ”ด SQLi, XSS, IDOR (PII-aware), SSRF, XXE, auth bypass, mass assignment, payment data leak
Business Logic โš–๏ธ Price manipulation, race conditions, coupon abuse, logic flow bypass
Registration Security ๐Ÿ” Registration endpoint discovery, OTP requirement check, role manipulation detection (admin escalation), safe vs. elevated role comparison
Auth Security Scanner ๐Ÿ”‘ Unauthenticated PII leak detection (phone, email, name exposure), admin endpoint probing, API auth enforcement comparison
Cookie & Session ๐Ÿช JWT decoding, HS256 offline secret cracking, security flag audit, session ID analysis
Endpoint Discovery ๐Ÿ”— Path enumeration, parameter discovery, hidden endpoint detection

Infrastructure & Platform

Module Category Highlights
Admin Deep Scan ๐Ÿ” Admin subdomain discovery, interface deep scanning, path enumeration (active/aggressive modes only)
Backend API Scan ๐Ÿ”— Backend host discovery from JS, follow-up API scanning, cross-origin API analysis
GraphQL Recon ๐Ÿ•ธ๏ธ Introspection check, error-based schema harvesting, Apollo CSRF preflight check, batching analysis, AppSync multi-auth detection
CORS Deep Scan ๐ŸŒ Origin reflection, credential+wildcard detection, preflight analysis, method enumeration
OpenAPI / Swagger ๐Ÿ“– Spec discovery (YAML/JSON), endpoint extraction, auth requirement mapping
Server Leak Detection ๐Ÿ“ก Leaky header analysis, server timing metadata, environment fingerprinting, version disclosure, internal region detection

Stack-Specific

Module Stack Highlights
Next.js Deep Inspection ๐Ÿ’Ž Next.js Middleware bypass, SSG/SSR leak, build manifest route extraction, JS chunk harvesting, Turbopack detection, Sentry, proxy scan
Laravel Deep Inspection ๐Ÿ’Ž Laravel Debug mode detection, Boost package analysis, WAF/OpenResty identification, Coolify detection, server audit
Atlassian Stack ๐Ÿ”ท Atlassian Jira info disclosure, anonymous endpoint check, dashboard content leak, Confluence/Bitbucket detection, Azure App Proxy detection, SAML SSO
Supabase RLS ๐Ÿ›ข๏ธ Supabase Row-Level Security policy testing, anon key exposure check
Supabase RPC ๐Ÿ›ข๏ธ Supabase Remote Procedure Call enumeration, exposed function discovery
Supabase Storage ๐Ÿ›ข๏ธ Supabase Storage bucket audit, public bucket detection, misconfiguration analysis

Mobile

Module Category Highlights
APK / Mobile Analysis ๐Ÿ“ฑ APK/AAB download and analysis, DEX decompiling, API endpoint extraction, hardcoded secret discovery

๐Ÿง  Smart Scan Logic

The Smart Scan is the core differentiator โ€” it adapts the module pipeline to each target automatically.

How It Works

         โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
         โ”‚   Phase 0: Fingerprint   โ”‚
         โ”‚   (Basic Recon - ALWAYS) โ”‚
         โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                    โ”‚
                    โ–ผ
         โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
         โ”‚  Analyze: Stack, WAF,    โ”‚
         โ”‚  Headers, CSP, HTML, JS  โ”‚
         โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                    โ”‚
                    โ–ผ
         โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
         โ”‚  Build Smart Plan        โ”‚
         โ”‚  (29 modules โ†’ subset)   โ”‚
         โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                    โ”‚
                    โ–ผ
         โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
         โ”‚  Execute Selected Steps  โ”‚
         โ”‚  + Expand if new signals โ”‚
         โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                    โ”‚
                    โ–ผ
         โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
         โ”‚  Generate Reports        โ”‚
         โ”‚  (JSON + Markdown + PDF) โ”‚
         โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Decision Rules

The smart planner evaluates these signals after fingerprinting:

Signal Effect
Next.js detected Enables Next.js deep inspection (build routes, chunks, proxy)
Laravel detected Enables Laravel debug/boost/Coolify checks
Supabase detected Enables RLS testing, RPC enumeration, storage audit
ASP.NET / IIS detected Enables Azure Cloud Recon, API Doc Discovery
GraphQL / Apollo detected Enables GraphQL introspection and CSRF checks
Registration/Auth endpoints found Enables Registration Security Analysis
API endpoints detected Enables Auth Security & PII leak scanner
Payment gateway in CSP Enables Payment Gateway Recon
Salesforce indicators Enables Salesforce Instance Detection
JavaScript framework found Enables JS analysis, secret scanning, APK checks
CORS headers present Enables CORS deep configuration scan
WAF / Security Challenge Skips HTTP-heavy modules, focuses on passive DNS/infra
Active/aggressive mode Enables admin_scan, business logic, full vulnerability scanning

Every decision is recorded in the report metadata (smart_plan_reasons, smart_skip_reasons) so you know exactly why each module was included or excluded.


๐Ÿ“ฆ Installation

From PyPI (Recommended)

pip install nexus-rec

From Source

git clone https://github.com/ihsanalapsi/Nexus-REC.git
cd Nexus-REC
pip install -r requirements.txt

Verify the environment:

python3 nexus_rec.py --check-deps

๐Ÿš€ Quick Start

Start an interactive scan:

python3 nexus_rec.py

This walks you through:

  1. Target domain or URL
  2. Scan mode: safe, active, or aggressive
  3. Stealth mode
  4. Redacted report export
  5. Authorization confirmation (for active/aggressive modes)
  6. Scan profile selection

Non-Interactive (CI/CD)

# Quick fingerprint
nexus-rec example.com --modules basic --auto

# Full smart scan
nexus-rec example.com --auto

# Authorized vulnerability assessment
nexus-rec example.com --scan-mode active --i-have-authorization --auto

# Specific modules only
nexus-rec example.com --modules basic,js,vuln,registration --auto

โš™๏ธ CLI Reference

Option Purpose
target Domain or URL (e.g., example.com or https://example.com)
--auto Non-interactive mode โ€” skip all prompts
--modules Comma-separated module list (bypasses profile selector)
--scan-mode safe Default โ€” no state-changing payloads
--scan-mode active Authorized active vulnerability checks
--scan-mode aggressive Higher-noise authorized checks
--i-have-authorization Required for active/aggressive modes
--stealth Lower concurrency, add request delays
--redact-report Also write a shareable redacted JSON report
--debug Full Python tracebacks for troubleshooting
--check-deps Verify required/optional dependencies

Available Modules

basic, subdomain, cloud, js, graphql, secrets, vuln, business, cookies, dns,
endpoints, payment, supabase_rls, supabase_rpc, supabase_storage, wellknown,
apk, dns_detritus, admin_scan, backend_scan, nextjs, laravel, atlassian,
cors, openapi, server_leaks, api_docs, email_recon, salesforce,
registration, azure_cloud, auth_security

๐Ÿ“ Project Architecture

nexus_rec.py               # Orchestration engine (CLI, pipeline, reporting)
โ”œโ”€โ”€ modules/
โ”‚   โ”œโ”€โ”€ core/              # Config, pipeline, module loader, summary, reporter, CLI
โ”‚   โ”œโ”€โ”€ recon/
โ”‚   โ”‚   โ”œโ”€โ”€ fingerprint/   # Basic recon, WAF, technology detection
โ”‚   โ”‚   โ”œโ”€โ”€ web/           # JS, cookies, secrets, GraphQL, CORS, payment, server leaks
โ”‚   โ”‚   โ”œโ”€โ”€ infra/         # DNS, subdomains, cloud, admin scan, email, Azure
โ”‚   โ”‚   โ”œโ”€โ”€ platforms/     # Supabase (RLS, RPC, storage)
โ”‚   โ”‚   โ””โ”€โ”€ mobile/        # APK analysis
โ”‚   โ”œโ”€โ”€ exploit/           # Vulnerability scanner, business logic, registration, auth
โ”‚   โ””โ”€โ”€ stack/             # Next.js, Laravel, Atlassian
โ”œโ”€โ”€ tests/                 # Smoke tests (registry, smart plan, CLI, dependencies)
โ”œโ”€โ”€ results/               # Per-scan output (JSON, MD, PDF)
โ””โ”€โ”€ requirements.txt

๐Ÿ“Š Reports

Each scan produces a timestamped folder:

results/YYYYMMDD_HHMMSS-domain/
โ”œโ”€โ”€ raw_report.json         # Complete evidence (redactable)
โ”œโ”€โ”€ redacted_report.json    # Only with --redact-report
โ”œโ”€โ”€ security_report.md      # Human-readable Markdown
โ””โ”€โ”€ security_report.pdf     # Portable PDF version

Reports include:

  • Executive summary with target metadata, scan coverage, and module decisions
  • Technologies detected with evidence sources
  • Security headers audit
  • Smart plan decisions (why each module ran or was skipped)
  • Findings overview with counts per module
  • Detailed sections for each module that produced results
  • Raw JSON evidence for automation and deep inspection

๐Ÿ”Ž Safety Model

Mode Behavior
safe (default) Read-only reconnaissance; no state-changing payloads; skips admin scans and business logic
active Authorized vulnerability testing with payloads; requires --i-have-authorization
aggressive Authorized high-noise checks (race conditions, replay attacks); requires --i-have-authorization
  • All raw findings are preserved locally
  • --redact-report strips sensitive values (tokens, keys, credentials) for sharing
  • WAF/CDN detection can gate HTTP-heavy modules automatically

๐Ÿงฏ Troubleshooting

Symptom Cause Resolution
Vercel Security Challenge Target returns edge security page Retry later, use authorized IP, or run passive modules
Invalid module(s) Unknown module name Check the valid module list above
Dependency check warning Missing optional package Run pip install -r requirements.txt
Unexpected error Runtime exception Re-run with --debug for full traceback

โš ๏ธ Ethical Disclaimer

This tool is intended for authorized security testing and educational research only. You must have explicit, written permission from the system owner before using Nexus-REC against any target. Unauthorized use is illegal.


๐Ÿ“– Documentation


Developed by Ihsan Alapsi ยท Software Engineer & Cyber Security Researcher

GitHub ยท LinkedIn

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nexus_rec-1.0.0.1.tar.gz (497.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nexus_rec-1.0.0.1-py3-none-any.whl (519.9 kB view details)

Uploaded Python 3

File details

Details for the file nexus_rec-1.0.0.1.tar.gz.

File metadata

  • Download URL: nexus_rec-1.0.0.1.tar.gz
  • Upload date:
  • Size: 497.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for nexus_rec-1.0.0.1.tar.gz
Algorithm Hash digest
SHA256 f03282b6986b68e80785caffddee6b8240555398354aa174b695a3600539bf53
MD5 540a4a3064268905acefab6354251292
BLAKE2b-256 0b80c5569791072ab54028a712ab20fed0f337a05c81be50d03efd1fe79a2a50

See more details on using hashes here.

File details

Details for the file nexus_rec-1.0.0.1-py3-none-any.whl.

File metadata

  • Download URL: nexus_rec-1.0.0.1-py3-none-any.whl
  • Upload date:
  • Size: 519.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for nexus_rec-1.0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 604adf0cbc5c414fc568d19dae710faf68c43af11743474520f4e19c46001672
MD5 c27733830b098d5c3958c86632e3ec71
BLAKE2b-256 2af5d4a728d011b0177f5a4e8a272bd915bc65d1539781f7fb3dfa18bad9bd3f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page