Short & focused: an interactive Bash script that prompts for a target domain, runs passive + light active recon (subdomain enum, probing, URL gathering, light fuzzing, quick nmap), and saves results into a timestamped folder.
Install these tools on your Linux/macOS box (or WSL on Windows). The script checks that each one is present and exits if any is missing:
- subfinder (passive subdomain enumeration)
- httpx (probe hosts for HTTP/HTTPS)
- gau and waybackurls (gather historical URLs)
- ffuf (directory fuzzing)
- nmap (service detection)
- Optional but recommended: gf (pattern filters)
- A common wordlist (e.g. `/usr/share/wordlists/dirb/common.txt`) for ffuf (or set your own)
```bash
# basic tools (Debian/Ubuntu)
sudo apt update && sudo apt install -y nmap ffuf

# ProjectDiscovery tools (example via Go); ensure $GOPATH/bin is in your PATH
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/tomnomnom/waybackurls@latest

# gf (optional)
go install github.com/tomnomnom/gf@latest
```
Clone this repo, make the script executable, and run it:

```bash
git clone https://github.com/th3hash/recon_script/
cd recon_script/
chmod +x one_shot_recon_interacti.sh
./one_shot_recon.sh
```

Example session:

```
./one_shot_recon.sh
Enter target domain: example.com
(script runs and saves outputs to example.com_recon_YYYYMMDD_HHMMSS/)
```
- The script is configured with safe, conservative defaults (non-intrusive nmap flags, light ffuf run). Adjust wordlists/flags if you have scoped permission.
- Always confirm authorization (scope) before running recon/scans.
- This is a starter automation — adapt it to your workflow and toolset.
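
The preflight stage described above (validate the prompted domain, check that the required tools are present, create the timestamped results folder) could look like the following. This is an added example, not the repository's script; the function names and exit codes are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: preflight helpers for an interactive recon wrapper.
# Function names are hypothetical; this is not the repository's script.
LC_ALL=C; export LC_ALL          # byte-wise character ranges in patterns

# Tools the README lists as required (gf is optional, so it is left out).
REQUIRED_TOOLS="subfinder httpx gau waybackurls ffuf nmap"

# Accept only a plain hostname made of letters, digits, dots and hyphens.
# Rejects URLs, paths, whitespace and option-like input such as "-oN",
# so the prompted value cannot turn into a flag or a path traversal.
validate_domain() {
    d=$1
    [ "${#d}" -le 253 ] || return 1
    case $d in
        ''|-*|*-|.*|*.|*..*|*.-*|*-.*) return 1 ;;  # empty, bad label edges
        *[!A-Za-z0-9.-]*) return 1 ;;                # any other character
        *.*) return 0 ;;                             # at least two labels
        *) return 1 ;;
    esac
}

# Print each tool that is not on PATH; non-zero status if any is missing.
missing_tools() {
    rc=0
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { printf '%s\n' "$t"; rc=1; }
    done
    return "$rc"
}

# Create <base>/<domain>_recon_YYYYMMDD_HHMMSS with owner-only permissions;
# plain mkdir (no -p) fails instead of reusing an existing directory.
make_outdir() {
    out="${2:-.}/$1_recon_$(date +%Y%m%d_%H%M%S)"
    ( umask 077; mkdir -- "$out" ) || return 1
    printf '%s\n' "$out"
}

# Run all checks for one domain. Status: 2 bad input, 3 missing tool, 4 mkdir.
preflight() {
    validate_domain "$1" || { echo "rejected: not a plain domain" >&2; return 2; }
    miss=$(missing_tools $REQUIRED_TOOLS) || { echo "missing:" $miss >&2; return 3; }
    make_outdir "$1" "${2:-.}" || return 4
}
```

Call `preflight "$domain"` right after reading the prompt with `read -r domain`; it prints the results directory on success, so the caller can capture it and pass it to the later stages.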