By Suljov
ReconRunner is a tool designed to streamline and simplify directory and file brute-forcing, subdomain enumeration, and SQL injection detection. By wrapping popular tools like Gobuster, wfuzz and sqlmap, ReconRunner offers a more flexible and powerful experience with enhanced handling of wordlists, protocols, and outputs.
- come up with more ideas for features
- add feature for simple fuzzing (web)
- add flag to urlencode the payload
- Protocol Flexibility: Seamlessly switch between HTTP and HTTPS protocols.
- Custom Wordlists: Prioritize custom wordlists before default ones for a more tailored approach.
- Custom List of Wordlists: Utilize a specific list of wordlists from a configuration file.
- Create, add, or remove custom lists of wordlists to meet your needs.
- Wildcard Support: Incorporate wildcard domains easily for subdomain enumeration.
- Interactive Control: Cancel the tool anytime with CTRL + C, ensuring results are saved and temporary resources are cleaned.
- Detailed Help and Usage Instructions: Comprehensive help options for both the tool and underlying tools.
- Clean and Organized Output: Results are saved in a structured format with customization options.
To install ReconRunner, clone the repository and run the installation script:
git clone https://github.com/suljov/ReconRunner
cd ReconRunner
chmod +x install.sh && ./install.sh
$ reconrunner --help
Usage: reconrunner <enum_type> <ip> [--https] [--cw <custom_wordlist>] [--cl <custom_list>] [--wildcard <wildcard_domain>] [--extra <extra_options>] [--skip-save] [-f <file>]
Help:
--help Prints this message
dirs --help Prints all the extra options for dirs
subs --help Prints all the extra options for subs
sql --help Prints all the extra options for sql
Available types:
dirs Directory/file enumeration (tool: gobuster)
subs Subdomain enumeration (tool: wfuzz)
sql SQL Injection detection (tool: sqlmap)
Options:
<enum_type> The type of enumeration (e.g., dirs, subs, sql).
<ip> The target IP address or domain (for dirs and subs).
-u <url> The target URL (for sql).
-f <file> The request file (for sql).
--https (Optional) Use HTTPS protocol instead of HTTP.
--cw <custom_wordlist> (Optional) Use a custom wordlist instead of the default wordlists.
--cl <custom_list> (Optional) Use a custom list of wordlists from the config file.
--wildcard <wildcard_domain> (Optional) Use wildcard in the Host header for subdomain enumeration.
--extra <extra_options> (Optional) Additional options for the enumeration tool.
--skip-save (Optional) Skip saving results to files.
Configuration commands:
reconrunner config --add-wordlist <path to wordlist> --to <type>
reconrunner config --remove-wordlist <path to wordlist> --from <type>
reconrunner config --create-list <name>
reconrunner config --remove-list <name>
reconrunner config --list-info
Examples:
reconrunner dirs example.com
reconrunner dirs example.com --https
reconrunner dirs example.com --cw /path/to/custom_wordlist.txt --extra '--delay=500ms'
reconrunner subs example.com
reconrunner subs example.com --cw /path/to/custom_wordlist.txt --wildcard test-*.example.com --extra '--timeout=30 --rate=100'
reconrunner sql -u http://example.com/vulnerable.php?id=1
reconrunner sql -f /path/to/request_file.txt
reconrunner dirs example.com
reconrunner dirs example.com --https
reconrunner dirs example.com --cw /path/to/custom_wordlist.txt
reconrunner dirs example.com --cw /path/to/custom_wordlist.txt --extra '--delay=500ms'
reconrunner subs example.com
reconrunner subs example.com --https
reconrunner subs example.com --cw /path/to/custom_wordlist.txt
reconrunner subs example.com --cw /path/to/custom_wordlist.txt --extra '-fl 100'
reconrunner subs example.com --wildcard example*.com
The wildcard will be replaced with the word FUZZ
reconrunner subs example.com --cl <name of list>
reconrunner sql -u "http://example.com/vulnerable.php?id=1"
reconrunner sql -f /path/to/file.txt
The tool supports custom wordlists via a configuration file. To customize or add new wordlists:
- Edit Configuration File:
Edit the JSON file located at $HOME/.reconrunner/wordlists-config.json. You can add or remove wordlists, create custom lists, and specify wordlists for different types of enumeration.
- Commands for Configuration:
- Add Wordlist: reconrunner config --add-wordlist [path to wordlist] --to [type-of-list]
- Remove Wordlist: reconrunner config --remove-wordlist [path to wordlist] --from [type-of-list]
- Create List: reconrunner config --create-list [name]
- Remove List: reconrunner config --remove-list [name]
- List Info: reconrunner config --list-info
{
  "lfi-linux": [
    "/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt",
    "/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt",
    "/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt",
    "/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt"
  ],
  "lfi-windows": [
    "/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt"
  ],
  "dirs": [
    "/usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt",
    "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt"
  ],
  "dns": [
    "/usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt",
    "/usr/share/wordlists/seclists/Discovery/DNS/combined_subdomains.txt",
    "/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt"
  ],
  "sql": [
    "/usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt",
    "/usr/share/wordlists/wfuzz/vulns/sql_inj.txt",
    "/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt",
    "/usr/share/seclists/Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt",
    "/usr/share/wordlists/wfuzz/Injections/SQL.txt"
  ],
  "osinjection": [],
  "ssti": [],
  "xss": [
    "/usr/share/wordlists/wfuzz/Injections/XSS.txt"
  ],
  "xml": [
    "/usr/share/wordlists/wfuzz/Injections/XML.txt",
    "/usr/share/wordlists/seclists/Fuzzing/XML-FUZZ.txt"
  ],
  "ldap": [
    "/usr/share/wordlists/seclists/Fuzzing/LDAP-active-directory-attributes.txt",
    "/usr/share/wordlists/seclists/Fuzzing/LDAP-active-directory-classes.txt",
    "/usr/share/wordlists/seclists/Fuzzing/LDAP-openldap-attributes.txt",
    "/usr/share/wordlists/seclists/Fuzzing/LDAP-openldap-classes.txt",
    "/usr/share/wordlists/seclists/Fuzzing/LDAP.Fuzzing.txt"
  ],
  "api": []
}
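An added example (not part of ReconRunner): a small Python audit of the wordlist configuration file described above, reporting empty lists, duplicate entries and paths that are missing or unreadable before a run depends on them. The function names, the issue labels and the constructed sample in `demo()` are assumptions of this example; only the config location and the name-to-list-of-paths layout come from the README.

```python
import json
import os
import tempfile
from pathlib import Path

# Location taken from the README; pass another path to audit a copy.
DEFAULT_CONFIG = os.path.expanduser("~/.reconrunner/wordlists-config.json")


def audit_wordlist_config(config_path=DEFAULT_CONFIG):
    """Return (list_name, issue, detail) tuples for problems in the config."""
    config = json.loads(Path(config_path).read_text(encoding="utf-8"))
    if not isinstance(config, dict):
        raise ValueError("top level of the config must be a JSON object")
    findings = []
    for name, paths in config.items():
        if not isinstance(paths, list):
            findings.append((name, "not-a-list", type(paths).__name__))
            continue
        # e.g. "osinjection", "ssti" and "api" in the README's sample config
        if not paths:
            findings.append((name, "empty-list", ""))
        seen = set()
        for entry in paths:
            if not isinstance(entry, str):
                findings.append((name, "not-a-string", repr(entry)))
                continue
            if entry in seen:
                findings.append((name, "duplicate", entry))
            seen.add(entry)
            if not os.path.isfile(entry):
                findings.append((name, "missing-file", entry))
            elif not os.access(entry, os.R_OK):
                findings.append((name, "unreadable", entry))
    return findings


def demo():
    """Audit a constructed config in a temp dir (sample data, not a real setup)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "quickhits.txt")
        good.write_text("admin\nlogin\n")
        cfg = Path(tmp, "wordlists-config.json")
        sample = {"dirs": [str(good), str(good), str(Path(tmp, "gone.txt"))], "ssti": []}
        cfg.write_text(json.dumps(sample))
        return audit_wordlist_config(cfg)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Calling `audit_wordlist_config()` with no argument checks the real file under `$HOME/.reconrunner/`.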
ReconRunner ensures that partial results are saved and cleaned up on-the-fly. If you cancel the tool using CTRL + C, it will save results up to that point and clean temporary files.
- Gobuster: A tool by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart).
- wfuzz: A tool by @xmendez.
- sqlmap: A tool by Bernardo Damele A. G. (@bdamele) & Miroslav Stampar (@stamparm).