# Automating Recon

## Frameworks

* [FinalRecon](https://github.com/thewhiteh4t/FinalRecon): A Python-based reconnaissance tool offering a range of modules for different tasks like SSL certificate checking, Whois information gathering, header analysis, and crawling. Its modular structure enables easy customisation for specific needs.
* [Recon-ng](https://github.com/lanmaster53/recon-ng): A powerful framework written in Python that offers a modular structure with various modules for different reconnaissance tasks. It can perform DNS enumeration, subdomain discovery, port scanning, web crawling, and even exploit known vulnerabilities.
* [theHarvester](https://github.com/laramies/theHarvester): A command-line tool written in Python, specifically designed for gathering email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and the Shodan database.
* [SpiderFoot](https://github.com/smicallef/spiderfoot): An open-source intelligence automation tool that integrates with various data sources to collect information about a target, including IP addresses, domain names, email addresses, and social media profiles. It can perform DNS lookups, web crawling, port scanning, and more.
* [OSINT Framework](https://osintframework.com/): A collection of various tools and resources for open-source intelligence gathering. It covers a wide range of information sources, including social media, search engines, public records, and more.

## FinalRecon

`FinalRecon` offers a wealth of recon information:

* `Header Information`: Reveals server details, technologies used, and potential security misconfigurations.
* `Whois Lookup`: Uncovers domain registration details, including registrant information and contact details.
* `SSL Certificate Information`: Examines the SSL/TLS certificate for validity, issuer, and other relevant details.
* `Crawler`:
  * HTML, CSS, JavaScript: Extracts links, resources, and potential vulnerabilities from these files.
  * Internal/External Links: Maps out the website's structure and identifies connections to other domains.
  * Images, robots.txt, sitemap.xml: Gathers information about allowed/disallowed crawling paths and website structure.
  * Links in JavaScript, Wayback Machine: Uncovers hidden links and historical website data.
* `DNS Enumeration`: Queries over 40 DNS record types, including DMARC records for email security assessment.
* `Subdomain Enumeration`: Leverages multiple data sources (crt.sh, AnubisDB, ThreatMiner, CertSpotter, Facebook API, VirusTotal API, Shodan API, BeVigil API) to discover subdomains.
* `Directory Enumeration`: Supports custom wordlists and file extensions to uncover hidden directories and files.
* `Wayback Machine`: Retrieves URLs from the last five years to analyse website changes and potential vulnerabilities.

```bash
git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon
pip3 install -r requirements.txt
chmod +x ./finalrecon.py
./finalrecon.py --help
```

Usage:

```bash
./finalrecon.py --headers --whois --url http://inlanefreight.com
```
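To make the `--headers` output actionable for the site owner, the following added example (not FinalRecon's code) audits a captured header block for software disclosure and missing security headers. The sample response, the header lists, and the function names are assumptions chosen for illustration.

```python
# Added example: offline audit of captured HTTP response headers.
# Header names are standard; the sample response below is constructed.

# Headers that commonly disclose server software or framework versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Security headers whose absence is worth flagging.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Constructed sample, in the shape a header dump would have.
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""


def parse_headers(raw):
    """Parse a raw header block into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # status line or malformed line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers, https=True):
    """Return (disclosed, missing): leaked software details and absent protections."""
    disclosed = {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    # HSTS only applies to responses served over HTTPS.
    if not https and "strict-transport-security" in missing:
        missing.remove("strict-transport-security")
    # A CSP frame-ancestors directive supersedes X-Frame-Options.
    csp = headers.get("content-security-policy", "")
    if "frame-ancestors" in csp and "x-frame-options" in missing:
        missing.remove("x-frame-options")
    return disclosed, missing


if __name__ == "__main__":
    print(audit(parse_headers(SAMPLE)))
```
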


