
AI-assisted recon toolkit for bug bounty hunters and security researchers

Project description

ReconForge

 ____  _____ ____ ___  _   _ _____ ___  ____   ____ _____
|  _ \| ____/ ___/ _ \| \ | |  ___/ _ \|  _ \ / ___| ____|
| |_) |  _|| |  | | | |  \| | |_ | | | | |_) | |  _|  _|
|  _ <| |__| |__| |_| | |\  |  _|| |_| |  _ <| |_| | |___
|_| \_\_____\____\___/|_| \_|_|   \___/|_| \_\\____|_____|


ReconForge combines practical recon automation with AI triage prompts so authorized testers can move from raw findings to prioritized hypotheses faster. Built for speed, reliability, and ease of use.

✨ Features

  • 🔎 Subdomain Discovery - Find subdomains from certificate transparency data via crt.sh
  • ⚡ Concurrent Port Scanning - Fast multi-port scanning with ThreadPoolExecutor
  • 🧬 Technology Detection - Identify tech stacks from headers, cookies, and body signals
  • 🧭 Scope Checking - Validate targets against exact hosts, wildcards, IP ranges, and CIDR blocks
  • 📄 Markdown Reports - Professional reports with findings, technologies, and collection notes
  • 🤖 AI Triage Prompts - Structured prompts for analyzing HTTP responses, auth flows, APIs, and more
  • 🎨 Rich Terminal Output - Beautiful tables, status indicators, and progress spinners
  • 🚀 Production Ready - Comprehensive tests, CI/CD, and error handling

🚀 Quick Start

Installation

# Install from PyPI (coming soon)
pip install reconforge

# Or install from source
git clone https://github.com/ferasbusiness666/ReconForge.git
cd ReconForge
pip install .

Basic Usage

# Discover subdomains
reconforge subdomains -d example.com

# Scan common ports
reconforge portscan -t api.example.com

# Detect technologies
reconforge techdetect -u https://api.example.com

# Check scope
reconforge scopecheck -t targets.txt -s scope.txt

# Generate full report
reconforge report -d example.com --output report.md

📖 Detailed Usage

Subdomain Discovery

Discover subdomains using certificate transparency logs:

reconforge subdomains -d example.com

Output:

       Subdomains for example.com
┏━━━━┳━━━━━━━━━━━━━━━━━━━┓
┃ #  ┃ Subdomain         ┃
┡━━━━╇━━━━━━━━━━━━━━━━━━━┩
│ 1  │ api.example.com   │
│ 2  │ login.example.com │
│ 3  │ www.example.com   │
└────┴───────────────────┘
Total: 3

Port Scanning

Scan common ports with concurrent scanning for speed:

# Default: scan common ports (80, 443, 8080, 8443, 22, 21, 3306, 6379)
reconforge portscan -t api.example.com

# Custom ports
reconforge portscan -t api.example.com --ports 80,443,3000,5000

Output:

            Port scan for api.example.com
┏━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Port ┃ Status    ┃ Banner / Note                   ┃
┡━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│   80 │ 🟢 open   │ HTTP/1.1 301 Moved Permanently  │
│  443 │ 🟢 open   │ No banner                       │
│ 8080 │ 🔴 closed │ Connection refused              │
└──────┴───────────┴─────────────────────────────────┘

Technology Detection

Fingerprint web technologies from HTTP headers and response body:

reconforge techdetect -u https://api.example.com

Output:

Final URL: https://api.example.com/
HTTP status: 200

Detected Technologies
┏━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Technology              ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ nginx                   │
│ HSTS                    │
│ Content Security Policy │
└─────────────────────────┘

Scope Checking

Validate targets against your bug bounty scope:

reconforge scopecheck -t targets.txt -s scope.txt

scope.txt:

example.com
*.example.com
192.0.2.0/24

targets.txt:

api.example.com
login.example.com
thirdparty.net
192.0.2.50

Output:

In-Scope Targets
┏━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Target            ┃ Reason                         ┃
┡━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ api.example.com   │ matched wildcard *.example.com │
│ 192.0.2.50        │ matched CIDR 192.0.2.0/24      │
└───────────────────┴────────────────────────────────┘

Out-of-Scope Targets
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Target             ┃ Reason                ┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ thirdparty.net     │ no scope rule matched │
└────────────────────┴───────────────────────┘
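
How a scope file like the one above can be evaluated, as an added example (not ReconForge's own code). The function names and the choice that *.example.com does not cover the apex example.com are assumptions; only exact hosts, wildcards and CIDR entries are handled.

```python
import ipaddress

def _norm(host):
    # Lowercase and drop a trailing dot so "API.Example.com." equals "api.example.com"
    return host.strip().lower().rstrip(".")

def parse_scope(lines):
    """Split scope lines into exact hosts, wildcard bases and IP networks."""
    exact, wildcards, networks = set(), [], []
    for raw in lines:
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        if rule.startswith("*."):
            wildcards.append(_norm(rule[2:]))
            continue
        try:
            networks.append(ipaddress.ip_network(rule, strict=False))
        except ValueError:
            exact.add(_norm(rule))  # not an IP or CIDR, so treat it as a hostname
    return exact, wildcards, networks

def check_target(target, scope):
    """Return (in_scope, reason) for one hostname or IP address."""
    exact, wildcards, networks = scope
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        ip = None
    if ip is not None:
        for net in networks:
            if ip.version == net.version and ip in net:
                return True, f"matched CIDR {net}"
        return False, "no scope rule matched"
    host = _norm(target)
    if host in exact:
        return True, f"matched exact host {host}"
    for base in wildcards:
        # Match on a label boundary only: "evilexample.com" is not under "*.example.com"
        if host.endswith("." + base):
            return True, f"matched wildcard *.{base}"
    return False, "no scope rule matched"

if __name__ == "__main__":
    # Constructed inputs: the page's scope.txt and targets plus two look-alike hosts
    scope = parse_scope(["example.com", "*.example.com", "192.0.2.0/24"])
    for t in ["api.example.com", "192.0.2.50", "thirdparty.net",
              "evilexample.com", "example.com.thirdparty.net"]:
        print(t, *check_target(t, scope))
```

The two look-alike hosts are the cases a plain substring or suffix comparison gets wrong, which is how out-of-scope assets end up being tested.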

Generate Report

Create a comprehensive markdown report combining all findings:

reconforge report -d example.com --output report.md

See examples/example_report.md for a sample report.

🤖 AI Triage Prompts

ReconForge includes a library of AI-assisted triage prompts in prompts/ai_triage.md for analyzing:

  • HTTP responses and headers
  • Authentication and session flows
  • Sensitive and admin-looking endpoints
  • JavaScript routes and feature flags
  • API authorization patterns
  • Parameter anomalies
  • Finding prioritization

Important: Always remove secrets, tokens, and proprietary data before pasting into any AI system.
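
One way to strip credentials from a captured HTTP message before it goes into a triage prompt, as an added example (not part of ReconForge). The header list, key-name patterns and the X-Debug-Link header in the sample are assumptions; Set-Cookie keeps its cookie name and flags because those matter for triage.

```python
import re

# Headers whose whole value is a credential (Set-Cookie is handled separately below)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
MASK = "[REDACTED]"

JWT_RE = re.compile(r"\beyJ[\w-]{5,}\.[\w-]{5,}\.[\w-]*")
# key=value or "key": "value" pairs whose key name suggests a secret
KV_RE = re.compile(
    r"""(?i)((?:api[_-]?key|secret|password|token)["']?\s*[:=]\s*["']?)([^\s"'&,;}]+)"""
)

def _scrub(text):
    """Mask secret-looking key/value pairs and bare JWTs; return (text, hits)."""
    text, n_kv = KV_RE.subn(lambda m: m.group(1) + MASK, text)
    text, n_jwt = JWT_RE.subn(MASK, text)
    return text, n_kv + n_jwt

def redact_http(raw):
    """Return (redacted_text, hits) for a raw HTTP request or response."""
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines, hits = [], 0
    for line in head.split("\n"):
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if colon and key in SENSITIVE_HEADERS:
            line, n = f"{name}: {MASK}", 1
        elif colon and key == "set-cookie":
            pair, semi, attrs = value.strip().partition(";")
            line, n = f"{name}: {pair.split('=', 1)[0]}={MASK}{semi}{attrs}", 1
        else:
            line, n = _scrub(line)
        lines.append(line)
        hits += n
    body, n = _scrub(body)
    return "\n".join(lines) + sep + body, hits + n

SAMPLE = (  # constructed response, not real traffic
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: session=s3cr3tvalue; Path=/; HttpOnly; Secure\r\n"
    "X-Debug-Link: https://api.example.com/cb?token=abc123&state=xyz\r\n"
    "\r\n"
    '{"user": "alice", "access_token": "eyJhbGciOi.eyJzdWIiOi.c2ln", "role": "admin"}'
)

if __name__ == "__main__":
    print(*redact_http(SAMPLE), sep="\n-- hits: ")
```

Pattern-based masking over-redacts by design and still misses secrets with unfamiliar names, so read the output before pasting it anywhere.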

🛠 Development

Setup Development Environment

git clone https://github.com/ferasbusiness666/ReconForge.git
cd ReconForge
python -m venv venv
source venv/bin/activate
pip install -r requirements-dev.txt
pip install -e .

Running Tests

# All tests
pytest

# With coverage
pytest --cov=reconforge

# Specific test file
pytest tests/test_subdomains.py -v

Code Quality

# Format code
black reconforge tests

# Lint
flake8 reconforge tests

# Type check
mypy reconforge

# Sort imports
isort reconforge tests

📋 Project Structure

reconforge/
  __init__.py           # Package metadata
  cli.py               # CLI commands
  subdomains.py        # Subdomain discovery
  portscan.py          # Port scanning with concurrency
  techdetect.py        # Technology detection
  scopecheck.py        # Scope validation
  report.py            # Report generation
prompts/
  ai_triage.md         # AI triage prompt library
tests/
  test_*.py            # Unit tests
examples/
  example_report.md    # Sample generated report
.github/workflows/
  ci.yml               # GitHub Actions CI/CD
requirements.txt       # Runtime dependencies
requirements-dev.txt   # Development dependencies
setup.py              # Package configuration

🎯 Why ReconForge?

Avoid Out-of-Scope Mistakes

Bug bounty scope can include exact hosts, wildcard subdomains, and IP ranges while excluding third-party systems. ReconForge's scope checker separates in-scope and out-of-scope targets before testing.

Reduce Manual Recon Time

Manual recon means jumping between CT logs, socket checks, browser tabs, and notes. ReconForge provides an auditable workflow for common first-pass tasks with easy-to-copy output.

Bring AI Into Recon

ReconForge includes model-agnostic AI triage prompts that help analyze findings while keeping final validation in your hands.

🔒 Security & Ethics

ReconForge is intended only for systems you own or have explicit permission to test. You are responsible for:

  • Following program scope and rules of engagement
  • Complying with all applicable laws and regulations
  • Respecting rate limits and terms of service
  • Using only on authorized targets

📝 License

MIT License - see LICENSE for details.

🤝 Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines.

📚 Resources

🙏 Acknowledgments

Built with ❤️ for the security research community.


Questions? Open an issue or check the discussions.


Download files

Source Distribution

reconforge-1.0.0.tar.gz (37.7 kB view details)

Uploaded Source

Built Distribution

reconforge-1.0.0-py3-none-any.whl (38.3 kB view details)

Uploaded Python 3

File details

Details for the file reconforge-1.0.0.tar.gz.

File metadata

  • Download URL: reconforge-1.0.0.tar.gz
  • Upload date:
  • Size: 37.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for reconforge-1.0.0.tar.gz
Algorithm Hash digest
SHA256 c93630e94eefe143451c663e44b3e597d615f21352bd268bf86cd90da410a7b2
MD5 9a74434207a7debc31b7fa5f18d904a6
BLAKE2b-256 84463154aa4c7bb0dc3837194734a6b8311450aa1d5dd9e5664ed73f3aa425df

File details

Details for the file reconforge-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: reconforge-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 38.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for reconforge-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 db3b97d8dc73daba6da73ed2b6e9398b7e58f672205116bb2c476e6fd4d1bbb8
MD5 fd3c944ce9c93bc947289ce8d203a15c
BLAKE2b-256 d2999e3750c7b742a739059b423f0a3eb2a44e36019d190045445f19600d96f4
