https://github.com/aenoshrajora/shadow-recon
Shadow Recon is an automated reconnaissance tool that combines top OSINT and scanning tools into a single seamless process. Ideal for pentesters and bug bounty hunters who want to automate their recon process.
- Host: GitHub
- URL: https://github.com/aenoshrajora/shadow-recon
- Owner: aenoshrajora
- License: gpl-3.0
- Created: 2025-04-25T15:51:19.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-25T16:01:47.000Z (about 1 year ago)
- Last Synced: 2025-05-19T13:14:05.942Z (about 1 year ago)
- Topics: pyhton, python-automation, python-script, reconnaissance, reconnaissance-framework
- Language: Python
- Homepage:
- Size: 562 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Shadow Recon
`An easy-to-use Python tool to perform subdomain enumeration, endpoint recon and much more`
The purpose of this tool is to help bug hunters and pentesters during reconnaissance.
## Installation:
If you want to install it:
```sh
git clone https://github.com/aenoshrajora/Shadow-Recon
cd Shadow-Recon
pip install -r requirements.txt
```
## Help Panel:
```
Shadow-Recon - Automating reconnaissance
options:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
domain to search its subdomains
-o OUTPUT, --output OUTPUT
file to store the scan output
-t TOKEN, --token TOKEN
api token of hunter.io to discover mail accounts and employees
-p, --portscan perform a fast and stealthy scan of the most common ports
-a, --axfr try a domain zone transfer attack
-m, --mail try to enumerate mail servers
-e, --extra look for extra dns information
-n, --nameservers try to enumerate the name servers
-i, --ip it reports the ip or ips of the domain
-6, --ipv6 enumerate the ipv6 of the domain
-w, --waf discover the WAF of the domain main page
-b, --backups discover common backups files in the web page
-s, --subtakeover check if any of the subdomains are vulnerable to Subdomain Takeover
-r, --repos try to discover valid repositories and s3 servers of the domain (still improving it)
-c, --check check active subdomains and store them into a file
--secrets crawl the web page to find secrets and api keys (e.g. Google Maps API Key)
--enum stealthily enumerate and identify common technologies
--whois perform a whois query to the domain
--wayback find useful information about the domain and its different endpoints using The Wayback Machine and other services
--all perform all the enumeration at once (best choice)
--quiet don't print the banner
--version display the script version
```
## Usage:
- Examples of using the tool in different ways:
> Most basic usage to dump all the subdomains
```sh
python3 shadow-recon.py -d example.com
```
> Enumerate subdomains and store them in a file
```sh
python3 shadow-recon.py -d example.com --output domains.txt
```
> Don't show banner
```sh
python3 shadow-recon.py -d example.com --quiet
```
> Enumerate specific things by combining individual flags
```sh
python3 shadow-recon.py -d example.com -n -p -w -b --whois --enum # You can use other parameters, see help panel
```
> Perform all the recon functions (recommended)
```sh
python3 shadow-recon.py -d domain.com --all
```
## Features:
:ballot_box_with_check: Enumerate subdomains using passive techniques (like **subfinder**)
:ballot_box_with_check: Many extra queries to enumerate the DNS (name servers, mail servers, IPv4/IPv6, other records)
:ballot_box_with_check: Domain Zone transfer attack
:ballot_box_with_check: WAF type detection
:ballot_box_with_check: Common technology enumeration (CMSs, reverse proxies, jQuery...)
:ballot_box_with_check: Whois lookup of the target domain
:ballot_box_with_check: Subdomain Takeover checker
:ballot_box_with_check: Scan common open ports
:ballot_box_with_check: Check active subdomains (like **httprobe**)
:ballot_box_with_check: Wayback machine support to enumerate endpoints (like **waybackurls**)
:ballot_box_with_check: Email harvesting
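The "Subdomain Takeover checker" feature above is the one most worth understanding before trusting a tool's output, because the usual logic is simple and has a well-known false-positive mode: a subdomain whose CNAME points at a third-party hosting provider is only a takeover if the resource on the provider's side is unclaimed, which is confirmed by the provider's distinctive error page. The following is an added example, not Shadow Recon's own code, showing that check with the resolver and the HTTP fetcher injected so it runs offline against constructed records; the fingerprint table is an illustrative subset of widely known ones, not the tool's list, and `SAMPLE_CNAMES` / `SAMPLE_BODIES` are constructed data.

```python
"""Subdomain takeover pre-check (added example, not Shadow Recon's own code).

Follow each host's CNAME chain; if it ends at a known third-party hosting
service, fetch the host over HTTP and look for that provider's "unclaimed
resource" page. Resolver and fetcher are injected so the check runs offline.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Illustrative subset of widely known fingerprints, not the tool's own list;
# a real list needs upkeep because providers change their error pages.
FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}
Resolver = Callable[[str], Optional[str]]  # host -> CNAME target, or None
Fetcher = Callable[[str], Optional[str]]   # host -> HTTP body, or None if unreachable


def cname_chain(host: str, resolve: Resolver, max_depth: int = 8) -> List[str]:
    """Follow CNAMEs from host; stop at a non-CNAME name, a loop, or max_depth."""
    current = host.lower().rstrip(".")
    chain, seen = [], {current}
    for _ in range(max_depth):
        target = resolve(current)
        if target is None:
            break
        target = target.lower().rstrip(".")
        if target in seen:  # CNAME loop: stop rather than spin
            break
        chain.append(target)
        seen.add(target)
        current = target
    return chain


def matching_service(target: str) -> Optional[str]:
    """Return the FINGERPRINTS key whose domain suffix matches target, if any."""
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def check_takeover(host: str, resolve: Resolver, fetch: Fetcher) -> Dict[str, Optional[str]]:
    """Verdicts: 'vulnerable' (fingerprint seen), 'third-party' (CNAME to a known
    provider but normal content served: review manually), 'ok' (no known provider)."""
    chain = cname_chain(host, resolve)
    for target in chain:
        service = matching_service(target)
        if service is None:
            continue
        body = fetch(host)
        hit = body is not None and FINGERPRINTS[service] in body
        return {"host": host, "target": target, "service": service,
                "verdict": "vulnerable" if hit else "third-party"}
    return {"host": host, "target": chain[-1] if chain else None,
            "service": None, "verdict": "ok"}


def http_fetcher(host: str, timeout: float = 5.0) -> Optional[str]:
    """Live fetcher for real runs (not exercised by the offline sample)."""
    for scheme in ("https", "http"):
        try:
            with urllib.request.urlopen(f"{scheme}://{host}/", timeout=timeout) as resp:
                return resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # unclaimed resources often answer 404
            return err.read(65536).decode("utf-8", "replace")
        except Exception:
            continue
    return None


# Constructed sample data (not real DNS or HTTP responses) for an offline run.
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "docs.example.com": "example-org.github.io.",
    "shop.example.com": "old-shop.herokuapp.com",
    "www.example.com": "lb.example.net",
}
SAMPLE_BODIES: Dict[str, str] = {
    "docs.example.com": "<html>There isn't a GitHub Pages site here.</html>",
    "shop.example.com": "<html>Welcome to the shop</html>",
    "www.example.com": "<html>home</html>",
}


def run_sample() -> Dict[str, str]:
    """Check every sample host; returns host -> verdict."""
    return {host: check_takeover(host, SAMPLE_CNAMES.get, SAMPLE_BODIES.get)["verdict"]
            for host in SAMPLE_BODIES}


if __name__ == "__main__":
    for host, verdict in run_sample().items():
        print(f"{host:20s} {verdict}")
```

For a live run, plug in a resolver built on dnspython (`dns.resolver.resolve(name, "CNAME")`) and `http_fetcher`; a "third-party" verdict is not a finding on its own, since the provider-side resource may simply be claimed, and a "vulnerable" verdict still needs a manual claim attempt on the provider before it is reported.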
## Todo:
- Compare results with other tools such as **subfinder**, **gau**, **httprobe**...
- Improve code and existing functions
## Demo:
> Simple query to find valid subdomains (demo screenshot not reproduced here)
## Third party
The tool queries several third-party services to gather subdomains in different ways
The WAF detector was modified and adapted from the [CRLFSuite](https://github.com/Nefcore/CRLFsuite) concept <3
All DNS queries use **dnspython** exclusively, no **dig** or any extra tool needed
Email harvesting is done using the **Hunter.io** API with a personal token (free signup)
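Since the tool does its DNS work with dnspython rather than shelling out to dig, it is useful to see what the `-a/--axfr` zone transfer attempt actually is on the wire. The added example below is not Shadow Recon's code and deliberately uses only the Python standard library instead of dnspython: it builds the AXFR question (QTYPE 252), speaks DNS over TCP with the two-byte length prefix, and decodes the answer section including compression pointers, stopping at the second SOA that brackets a complete transfer. `SAMPLE_REFUSED` and `SAMPLE_TRANSFER` are constructed replies, not captures from any real server, so the decoder can be checked offline; the `try_axfr` function does real network I/O and should only be pointed at zones you are authorised to test.

```python
"""Zone transfer (AXFR) attempt on the wire, standard library only.
Added example, not Shadow Recon's code (the tool itself uses dnspython).
"""
import socket
import struct
from typing import List, Tuple

QTYPE_AXFR = 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
RTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}
Record = Tuple[str, str, str]  # (owner name, type, value)


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x5343) -> bytes:
    """Header with RD clear (the authoritative server is asked directly) and one AXFR question."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at off; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2  # the name ends here in the stream, wherever the pointer leads
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_message(msg: bytes) -> Tuple[str, List[Record]]:
    """Return (rcode name, answer-section records) of one DNS message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + qtype + qclass
        _, off = read_name(msg, off)
        off += 4
    records: List[Record] = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):  # NS / CNAME rdata is a (compressible) name
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        records.append((name, RTYPES.get(rtype, str(rtype)), value))
        off += rdlen
    return rcode, records


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def try_axfr(zone: str, nameserver: str, timeout: float = 5.0) -> Tuple[str, List[Record]]:
    """Request a full transfer of zone over TCP. A transfer is a sequence of messages
    bracketed by the zone's SOA, so reading stops after the second SOA record."""
    query = build_axfr_query(zone)
    records: List[Record] = []
    soa_seen = 0
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        while soa_seen < 2:
            (length,) = struct.unpack(">H", _recv_exact(sock, 2))
            rcode, recs = parse_message(_recv_exact(sock, length))
            if rcode != "NOERROR":
                return rcode, records  # REFUSED is the healthy answer from a hardened server
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
    return "NOERROR", records


# Constructed replies (not captured from any real server) for an offline check.
_QUESTION = encode_name("example.com") + struct.pack(">HH", QTYPE_AXFR, 1)
_PTR = b"\xc0\x0c"  # pointer to offset 12, where "example.com" sits in the question


def _rr(owner: bytes, rtype: int, rdata: bytes) -> bytes:
    return owner + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata


_SOA = b"\x02ns" + _PTR + b"\x0ahostmaster" + _PTR + struct.pack(">IIIII", 2025042501, 3600, 900, 604800, 300)
SAMPLE_REFUSED = struct.pack(">HHHHHH", 0x5343, 0x8005, 1, 0, 0, 0) + _QUESTION  # QR=1, rcode 5
SAMPLE_TRANSFER = (
    struct.pack(">HHHHHH", 0x5343, 0x8400, 1, 5, 0, 0) + _QUESTION  # QR=1, AA=1, 5 answers
    + _rr(_PTR, 6, _SOA)
    + _rr(_PTR, 2, b"\x02ns" + _PTR)
    + _rr(b"\x03www" + _PTR, 1, bytes([93, 184, 216, 34]))
    + _rr(b"\x03ftp" + _PTR, 5, b"\x03www" + _PTR)
    + _rr(_PTR, 6, _SOA)
)
```

Run `parse_message(SAMPLE_REFUSED)` and `parse_message(SAMPLE_TRANSFER)` to see the two outcomes a scanner has to distinguish: a refusal with an empty answer section, and a transfer whose answer section lists every record in the zone. Against a real server, `try_axfr("example.com", "<ip of an NS record>")` should come back `REFUSED` (or the connection should be closed) on anything that is configured correctly; a `NOERROR` result with records is the finding.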
Copyright © 2025-26, *Aenosh Rajora*