Intelligent Reconnaissance & Vulnerability Assessment Framework
Project description
๐ก๏ธ Nexus-REC
The Intelligent Reconnaissance & Vulnerability Assessment Framework
Nexus-REC is a modular reconnaissance and vulnerability assessment engine built for Red Teams, Bug Bounty Hunters, and Security Researchers. It integrates 539+ specialized techniques โ from passive OSINT to active exploitation โ into a single, automated workflow driven by a context-aware Smart Scan engine.
Quick Start ยท Capabilities ยท Smart Scan ยท Installation ยท Usage ยท Architecture ยท Reports ยท Arabic README
Why Nexus-REC?
The gap between shipping code and testing it is where vulnerabilities slip through. Most reconnaissance tools are:
- โ Single-purpose โ one tool for subdomains, another for JS analysis, another for cloud buckets
- โ Static โ run the same checks on every target regardless of technology stack
- โ Noisy โ no awareness of WAF, rate limits, or security challenges
- โ Poor reporting โ raw terminal output with no structured evidence
Nexus-REC solves this with a unified pipeline that fingerprints the target first, then builds a smart plan based on what it finds โ running only the relevant modules, respecting security boundaries, and producing structured JSON + Markdown + PDF reports with full evidence preservation.
What Makes It Different
| Capability | Nexus-REC | Typical Tools |
|---|---|---|
| Stack-aware scanning | Detects framework (Next.js, Laravel, ASP.NET) and runs targeted checks | Blind scans |
| Smart plan engine | Adapts module selection based on real-time fingerprinting | Fixed checklist |
| 539+ techniques | Recon, exploitation, cloud, mobile, API docs, email security, and more | 10โ50 checks |
| Structured reports | JSON + Markdown + PDF with full evidence | Raw terminal output |
| Safety gates | WAF detection, security challenge handling, rate-limit awareness | No awareness |
| Multi-language | English + Arabic interfaces and documentation | English only |
๐ Engine Stats
| Scanners | Modules | Patterns |
|---|---|---|
| 539+ | 29 | 39+ |
๐ Capabilities
Nexus-REC ships 29 modules organized across reconnaissance, exploitation, infrastructure, and stack-specific analysis. Each module is independently runnable and contributes findings to a unified report.
Reconnaissance
| Module | Category | Highlights |
|---|---|---|
| Basic Recon | ๐ | WAF detection (13 engines), technology stack (30+ frameworks), security headers audit, CSP parsing, HTML metadata extraction |
| Subdomain Enumeration | ๐ | Certificate transparency (crt.sh), DNS brute force (incl. bkapi, student, teacher patterns), JS-based extraction, backend IP discovery |
| DNS, SSL & Ports | ๐ | Wildcard detection, SSL certificate parsing, 25-port scan, DNSSEC check |
| DNS Detritus | ๐๏ธ | Legacy DNS record mapping, Cloudflare stale record resolution, historical subdomain discovery |
| Cloud Recon | โ๏ธ | AWS S3/CloudFront, Azure Blob Storage, Cloudflare detection, cache poisoning assessment |
| Azure Cloud Recon | โ๏ธ | Azure App Service detection, Front Door identification, IP Restriction detection (x-ms-forbidden-ip), Blob Storage enumeration, App Service subdomain scanning |
| JavaScript Analysis | ๐ | API endpoint extraction, webpack chunk parsing, secret/token harvesting, AWS Amplify config extraction (AppSync, Cognito, S3) |
| Well-Known Files | ๐ | robots.txt, security.txt, llms.txt & ai.txt parsing for intelligence gathering |
| Email Security | ๐ง | MX record enumeration, SPF/DMARC/DKIM analysis, email provider identification, security scoring |
| Salesforce Detection | โ๏ธ | Instance detection via headers/HTML, subdomain probing, API version enumeration, unauthenticated endpoint checks |
| API Doc Discovery | ๐ | ASP.NET Web API Help Page parsing, generic API documentation discovery, controller/action extraction, auth requirement analysis |
Exploitation & Vulnerability Assessment
| Module | Category | Highlights |
|---|---|---|
| Vulnerability Scanner | ๐ด | SQLi, XSS, IDOR (PII-aware), SSRF, XXE, auth bypass, mass assignment, payment data leak |
| Business Logic | โ๏ธ | Price manipulation, race conditions, coupon abuse, logic flow bypass |
| Registration Security | ๐ | Registration endpoint discovery, OTP requirement check, role manipulation detection (admin escalation), safe vs. elevated role comparison |
| Auth Security Scanner | ๐ | Unauthenticated PII leak detection (phone, email, name exposure), admin endpoint probing, API auth enforcement comparison |
| Cookie & Session | ๐ช | JWT decoding, HS256 offline secret cracking, security flag audit, session ID analysis |
| Endpoint Discovery | ๐ | Path enumeration, parameter discovery, hidden endpoint detection |
Infrastructure & Platform
| Module | Category | Highlights |
|---|---|---|
| Admin Deep Scan | ๐ | Admin subdomain discovery, interface deep scanning, path enumeration (active/aggressive modes only) |
| Backend API Scan | ๐ | Backend host discovery from JS, follow-up API scanning, cross-origin API analysis |
| GraphQL Recon | ๐ธ๏ธ | Introspection check, error-based schema harvesting, Apollo CSRF preflight check, batching analysis, AppSync multi-auth detection |
| CORS Deep Scan | ๐ | Origin reflection, credential+wildcard detection, preflight analysis, method enumeration |
| OpenAPI / Swagger | ๐ | Spec discovery (YAML/JSON), endpoint extraction, auth requirement mapping |
| Server Leak Detection | ๐ก | Leaky header analysis, server timing metadata, environment fingerprinting, version disclosure, internal region detection |
Stack-Specific
| Module | Stack | Highlights |
|---|---|---|
| Next.js Deep Inspection | ๐ Next.js | Middleware bypass, SSG/SSR leak, build manifest route extraction, JS chunk harvesting, Turbopack detection, Sentry, proxy scan |
| Laravel Deep Inspection | ๐ Laravel | Debug mode detection, Boost package analysis, WAF/OpenResty identification, Coolify detection, server audit |
| Atlassian Stack | ๐ท Atlassian | Jira info disclosure, anonymous endpoint check, dashboard content leak, Confluence/Bitbucket detection, Azure App Proxy detection, SAML SSO |
| Supabase RLS | ๐ข๏ธ Supabase | Row-Level Security policy testing, anon key exposure check |
| Supabase RPC | ๐ข๏ธ Supabase | Remote Procedure Call enumeration, exposed function discovery |
| Supabase Storage | ๐ข๏ธ Supabase | Storage bucket audit, public bucket detection, misconfiguration analysis |
Mobile
| Module | Category | Highlights |
|---|---|---|
| APK / Mobile Analysis | ๐ฑ | APK/AAB download and analysis, DEX decompiling, API endpoint extraction, hardcoded secret discovery |
๐ง Smart Scan Logic
The Smart Scan is the core differentiator โ it adapts the module pipeline to each target automatically.
How It Works
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Phase 0: Fingerprint โ
โ (Basic Recon - ALWAYS) โ
โโโโโโโโโโโโฌโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Analyze: Stack, WAF, โ
โ Headers, CSP, HTML, JS โ
โโโโโโโโโโโโฌโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Build Smart Plan โ
โ (29 modules โ subset) โ
โโโโโโโโโโโโฌโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Execute Selected Steps โ
โ + Expand if new signals โ
โโโโโโโโโโโโฌโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Generate Reports โ
โ (JSON + Markdown + PDF) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Decision Rules
The smart planner evaluates these signals after fingerprinting:
| Signal | Effect |
|---|---|
| Next.js detected | Enables Next.js deep inspection (build routes, chunks, proxy) |
| Laravel detected | Enables Laravel debug/boost/Coolify checks |
| Supabase detected | Enables RLS testing, RPC enumeration, storage audit |
| ASP.NET / IIS detected | Enables Azure Cloud Recon, API Doc Discovery |
| GraphQL / Apollo detected | Enables GraphQL introspection and CSRF checks |
| Registration/Auth endpoints found | Enables Registration Security Analysis |
| API endpoints detected | Enables Auth Security & PII leak scanner |
| Payment gateway in CSP | Enables Payment Gateway Recon |
| Salesforce indicators | Enables Salesforce Instance Detection |
| JavaScript framework found | Enables JS analysis, secret scanning, APK checks |
| CORS headers present | Enables CORS deep configuration scan |
| WAF / Security Challenge | Skips HTTP-heavy modules, focuses on passive DNS/infra |
| Active/aggressive mode | Enables admin_scan, business logic, full vulnerability scanning |
Every decision is recorded in the report metadata (smart_plan_reasons, smart_skip_reasons) so you know exactly why each module was included or excluded.
๐ฆ Installation
From PyPI (Recommended)
pip install nexus-rec
From Source
git clone https://github.com/ihsanalapsi/Nexus-REC.git
cd Nexus-REC
pip install -r requirements.txt
Verify the environment:
python3 nexus_rec.py --check-deps
๐ Quick Start
Start an interactive scan:
python3 nexus_rec.py
This walks you through:
- Target domain or URL
- Scan mode:
safe,active, oraggressive - Stealth mode
- Redacted report export
- Authorization confirmation (for active/aggressive modes)
- Scan profile selection
Non-Interactive (CI/CD)
# Quick fingerprint
nexus-rec example.com --modules basic --auto
# Full smart scan
nexus-rec example.com --auto
# Authorized vulnerability assessment
nexus-rec example.com --scan-mode active --i-have-authorization --auto
# Specific modules only
nexus-rec example.com --modules basic,js,vuln,registration --auto
โ๏ธ CLI Reference
| Option | Purpose |
|---|---|
target |
Domain or URL (e.g., example.com or https://example.com) |
--auto |
Non-interactive mode โ skip all prompts |
--modules |
Comma-separated module list (bypasses profile selector) |
--scan-mode safe |
Default โ no state-changing payloads |
--scan-mode active |
Authorized active vulnerability checks |
--scan-mode aggressive |
Higher-noise authorized checks |
--i-have-authorization |
Required for active/aggressive modes |
--stealth |
Lower concurrency, add request delays |
--redact-report |
Also write a shareable redacted JSON report |
--debug |
Full Python tracebacks for troubleshooting |
--check-deps |
Verify required/optional dependencies |
Available Modules
basic, subdomain, cloud, js, graphql, secrets, vuln, business, cookies, dns,
endpoints, payment, supabase_rls, supabase_rpc, supabase_storage, wellknown,
apk, dns_detritus, admin_scan, backend_scan, nextjs, laravel, atlassian,
cors, openapi, server_leaks, api_docs, email_recon, salesforce,
registration, azure_cloud, auth_security
๐ Project Architecture
nexus_rec.py # Orchestration engine (CLI, pipeline, reporting)
โโโ modules/
โ โโโ core/ # Config, pipeline, module loader, summary, reporter, CLI
โ โโโ recon/
โ โ โโโ fingerprint/ # Basic recon, WAF, technology detection
โ โ โโโ web/ # JS, cookies, secrets, GraphQL, CORS, payment, server leaks
โ โ โโโ infra/ # DNS, subdomains, cloud, admin scan, email, Azure
โ โ โโโ platforms/ # Supabase (RLS, RPC, storage)
โ โ โโโ mobile/ # APK analysis
โ โโโ exploit/ # Vulnerability scanner, business logic, registration, auth
โ โโโ stack/ # Next.js, Laravel, Atlassian
โโโ tests/ # Smoke tests (registry, smart plan, CLI, dependencies)
โโโ results/ # Per-scan output (JSON, MD, PDF)
โโโ requirements.txt
๐ Reports
Each scan produces a timestamped folder:
results/YYYYMMDD_HHMMSS-domain/
โโโ raw_report.json # Complete evidence (redactable)
โโโ redacted_report.json # Only with --redact-report
โโโ security_report.md # Human-readable Markdown
โโโ security_report.pdf # Portable PDF version
Reports include:
- Executive summary with target metadata, scan coverage, and module decisions
- Technologies detected with evidence sources
- Security headers audit
- Smart plan decisions (why each module ran or was skipped)
- Findings overview with counts per module
- Detailed sections for each module that produced results
- Raw JSON evidence for automation and deep inspection
๐ Safety Model
| Mode | Behavior |
|---|---|
safe (default) |
Read-only reconnaissance; no state-changing payloads; skips admin scans and business logic |
active |
Authorized vulnerability testing with payloads; requires --i-have-authorization |
aggressive |
Authorized high-noise checks (race conditions, replay attacks); requires --i-have-authorization |
- All raw findings are preserved locally
--redact-reportstrips sensitive values (tokens, keys, credentials) for sharing- WAF/CDN detection can gate HTTP-heavy modules automatically
๐งฏ Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
Vercel Security Challenge |
Target returns edge security page | Retry later, use authorized IP, or run passive modules |
Invalid module(s) |
Unknown module name | Check the valid module list above |
Dependency check warning |
Missing optional package | Run pip install -r requirements.txt |
| Unexpected error | Runtime exception | Re-run with --debug for full traceback |
โ ๏ธ Ethical Disclaimer
This tool is intended for authorized security testing and educational research only. You must have explicit, written permission from the system owner before using Nexus-REC against any target. Unauthorized use is illegal.
๐ Documentation
- Arabic README (README.ar.md) โ Full documentation in Arabic
- GitHub Issues โ Bug reports and feature requests
Developed by Ihsan Alapsi ยท Software Engineer & Cyber Security Researcher
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nexus_rec-1.0.0.1.tar.gz.
File metadata
- Download URL: nexus_rec-1.0.0.1.tar.gz
- Upload date:
- Size: 497.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f03282b6986b68e80785caffddee6b8240555398354aa174b695a3600539bf53
|
|
| MD5 |
540a4a3064268905acefab6354251292
|
|
| BLAKE2b-256 |
0b80c5569791072ab54028a712ab20fed0f337a05c81be50d03efd1fe79a2a50
|
File details
Details for the file nexus_rec-1.0.0.1-py3-none-any.whl.
File metadata
- Download URL: nexus_rec-1.0.0.1-py3-none-any.whl
- Upload date:
- Size: 519.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
604adf0cbc5c414fc568d19dae710faf68c43af11743474520f4e19c46001672
|
|
| MD5 |
c27733830b098d5c3958c86632e3ec71
|
|
| BLAKE2b-256 |
2af5d4a728d011b0177f5a4e8a272bd915bc65d1539781f7fb3dfa18bad9bd3f
|