Cheat sheets

ReconScan: The tool to have in your pentest flow

Share this with people that should know this:

The purpose of this project is to develop scripts that can be useful in the pentesting workflow, be it for VulnHub VMs, CTFs, hands-on certificates, or real-world targets.

The project currently consists of two major components: a script invoking and aggregating the results of existing tools, and a second script for automated analysis of the aforementioned results from the perspective of exploitability.

In terms of real-world pentesting, these scripts are not meant to replace commercial tools such as Nessus or Nexpose, but they can complement it nicely for finding the latest vulnerabilities and their PoC exploits.

Network reconnaissance

The script runs various open-source tools in order to enumerate the services on a host. Best run under Kali Linux or similar pentesting-oriented distribution with these tools preinstalled and preconfigured.

The flow followed by the script is as follows:

  • Scan all TCP/UDP ports with nmap, service detection, minimal amount of scripts:
    • If there are unidentified services, try amap.
    • For identified software, run vulnerability analysis with
    • For identified services, run further analysis:
      • HTTP(S): nikto, dirb
      • FTP: hydra if requested
      • SMB: enum4linux, samrdump, nbtscan
      • SSH: hydra if requested
      • SNMP: onesixtyone, snmpwalk
      • DNS: attempt zone transfer (axfr) with dig
    • Additionally, all nmap scripts are run for the following services:

Results will be dumped into the results/$ip_address directory, with the $port_$service_$tool file naming scheme. The tools are mostly run simultaneously (unless one depends on the result of another) and the CLI output will be aggregated and tagged by the script, so you will see the progress and dirt found by each running script in real-time.


This script is inspired by Mike Czumak’s Recon Scan, which he wrote during his OSCP exam. Many modifications can be found on GitHub, however, I wanted to write a script from scratch, familiarizing myself with each tool and their parameterization, instead of just reusing a bunch of scripts found scattered in various repositories, leaving me none the wiser.

Why is ReconScan free

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchant-ability or fitness for a particular purpose.

Download ReconScan
Share this with people that should know this: