AI-assisted recon toolkit for bug bounty hunters and security researchers
Project description
ReconForge
____ _____ ____ ___ _ _ _____ ___ ____ ____ _____
| _ \| ____/ ___/ _ \| \ | | ___/ _ \| _ \ / ___| ____|
| |_) | _|| | | | | | \| | |_ | | | | |_) | | _| _|
| _ <| |__| |__| |_| | |\ | _|| |_| | _ <| |_| | |___
|_| \_\_____\____\___/|_| \_|_| \___/|_| \_\\____|_____|
AI-assisted recon toolkit for bug bounty hunters and security researchers
ReconForge combines practical recon automation with AI triage prompts so authorized testers can move from raw findings to prioritized hypotheses faster. Built for speed, reliability, and ease of use.
โจ Features
- ๐ Subdomain Discovery - Find subdomains from certificate transparency data via crt.sh
- โก Concurrent Port Scanning - Fast multi-port scanning with ThreadPoolExecutor
- ๐งฌ Technology Detection - Identify tech stacks from headers, cookies, and body signals
- ๐งญ Scope Checking - Validate targets against exact hosts, wildcards, IP ranges, and CIDR blocks
- ๐ Markdown Reports - Professional reports with findings, technologies, and collection notes
- ๐ค AI Triage Prompts - Structured prompts for analyzing HTTP responses, auth flows, APIs, and more
- ๐จ Rich Terminal Output - Beautiful tables, status indicators, and progress spinners
- ๐ Production Ready - Comprehensive tests, CI/CD, and error handling
๐ Quick Start
Installation
# Install from PyPI (coming soon)
pip install reconforge
# Or install from source
git clone https://github.com/ferasbusiness666/ReconForge.git
cd ReconForge
pip install .
Basic Usage
# Discover subdomains
reconforge subdomains -d example.com
# Scan common ports
reconforge portscan -t api.example.com
# Detect technologies
reconforge techdetect -u https://api.example.com
# Check scope
reconforge scopecheck -t targets.txt -s scope.txt
# Generate full report
reconforge report -d example.com --output report.md
๐ Detailed Usage
Subdomain Discovery
Discover subdomains using certificate transparency logs:
reconforge subdomains -d example.com
Output:
Subdomains for example.com
โโโโโโณโโโโโโโโโโโโโโโโโโโโ
โ # โ Subdomain โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ 1 โ api.example.com โ
โ 2 โ login.example.com โ
โ 3 โ www.example.com โ
โโโโโโดโโโโโโโโโโโโโโโโโโโโ
Total: 3
Port Scanning
Scan common ports with concurrent scanning for speed:
# Default: scan common ports (80, 443, 8080, 8443, 22, 21, 3306, 6379)
reconforge portscan -t api.example.com
# Custom ports
reconforge portscan -t api.example.com --ports 80,443,3000,5000
Output:
Port scan for api.example.com
โโโโโโโโณโโโโโโโโโโโโณโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Port โ Status โ Banner / Note โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ 80 โ ๐ข open โ HTTP/1.1 301 Moved Permanently โ
โ 443 โ ๐ข open โ No banner โ
โ 8080 โ ๐ด closed โ Connection refused โ
โโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Technology Detection
Fingerprint web technologies from HTTP headers and response body:
reconforge techdetect -u https://api.example.com
Output:
Final URL: https://api.example.com/
HTTP status: 200
Detected Technologies
โโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Technology โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ nginx โ
โ HSTS โ
โ Content Security Policy โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโ
Scope Checking
Validate targets against your bug bounty scope:
reconforge scopecheck -t targets.txt -s scope.txt
scope.txt:
example.com
*.example.com
192.0.2.0/24
targets.txt:
api.example.com
login.example.com
thirdparty.net
192.0.2.50
Output:
In-Scope Targets
โโโโโโโโโโโโโโโโโโโโโณโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Target โ Reason โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ api.example.com โ matched wildcard *.example.com โ
โ 192.0.2.50 โ matched CIDR 192.0.2.0/24 โ
โโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Out-of-Scope Targets
โโโโโโโโโโโโโโโโโโโโโโณโโโโโโโโโโโโโโโโโโโโโโโโ
โ Target โ Reason โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ thirdparty.net โ no scope rule matched โ
โโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโ
Generate Report
Create a comprehensive markdown report combining all findings:
reconforge report -d example.com --output report.md
See examples/example_report.md for a sample report.
๐ค AI Triage Prompts
ReconForge includes a library of AI-assisted triage prompts in prompts/ai_triage.md for analyzing:
- HTTP responses and headers
- Authentication and session flows
- Sensitive and admin-looking endpoints
- JavaScript routes and feature flags
- API authorization patterns
- Parameter anomalies
- Finding prioritization
Important: Always remove secrets, tokens, and proprietary data before pasting into any AI system.
๐ Development
Setup Development Environment
git clone https://github.com/ferasbusiness666/ReconForge.git
cd ReconForge
python -m venv venv
source venv/bin/activate
pip install -r requirements-dev.txt
pip install -e .
Running Tests
# All tests
pytest
# With coverage
pytest --cov=reconforge
# Specific test file
pytest tests/test_subdomains.py -v
Code Quality
# Format code
black reconforge tests
# Lint
flake8 reconforge tests
# Type check
mypy reconforge
# Sort imports
isort reconforge tests
๐ Project Structure
reconforge/
__init__.py # Package metadata
cli.py # CLI commands
subdomains.py # Subdomain discovery
portscan.py # Port scanning with concurrency
techdetect.py # Technology detection
scopecheck.py # Scope validation
report.py # Report generation
prompts/
ai_triage.md # AI triage prompt library
tests/
test_*.py # Unit tests
examples/
example_report.md # Sample generated report
.github/workflows/
ci.yml # GitHub Actions CI/CD
requirements.txt # Runtime dependencies
requirements-dev.txt # Development dependencies
setup.py # Package configuration
๐ฏ Why ReconForge?
Avoid Out-of-Scope Mistakes
Bug bounty scope can include exact hosts, wildcard subdomains, and IP ranges while excluding third-party systems. ReconForge's scope checker separates in-scope and out-of-scope targets before testing.
Reduce Manual Recon Time
Manual recon means jumping between CT logs, socket checks, browser tabs, and notes. ReconForge provides an auditable workflow for common first-pass tasks with easy-to-copy output.
Bring AI Into Recon
ReconForge includes model-agnostic AI triage prompts that help analyze findings while keeping final validation in your hands.
๐ Security & Ethics
ReconForge is intended only for systems you own or have explicit permission to test. You are responsible for:
- Following program scope and rules of engagement
- Complying with all applicable laws and regulations
- Respecting rate limits and terms of service
- Using only on authorized targets
๐ License
MIT License - see LICENSE for details.
๐ค Contributing
Contributions are welcome! See CONTRIBUTING.md for guidelines.
๐ Resources
- Bug Bounty Platforms - Find authorized programs
- OWASP Testing Guide - Testing methodology
- PortSwigger Web Security - Security training
๐ Acknowledgments
Built with โค๏ธ for the security research community.
Questions? Open an issue or check the discussions.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file reconforge-1.0.0.tar.gz.
File metadata
- Download URL: reconforge-1.0.0.tar.gz
- Upload date:
- Size: 37.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c93630e94eefe143451c663e44b3e597d615f21352bd268bf86cd90da410a7b2
|
|
| MD5 |
9a74434207a7debc31b7fa5f18d904a6
|
|
| BLAKE2b-256 |
84463154aa4c7bb0dc3837194734a6b8311450aa1d5dd9e5664ed73f3aa425df
|
File details
Details for the file reconforge-1.0.0-py3-none-any.whl.
File metadata
- Download URL: reconforge-1.0.0-py3-none-any.whl
- Upload date:
- Size: 38.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
db3b97d8dc73daba6da73ed2b6e9398b7e58f672205116bb2c476e6fd4d1bbb8
|
|
| MD5 |
fd3c944ce9c93bc947289ce8d203a15c
|
|
| BLAKE2b-256 |
d2999e3750c7b742a739059b423f0a3eb2a44e36019d190045445f19600d96f4
|