A comprehensive subdomain enumeration and vulnerability scanning framework with AI-powered features, origin IP discovery, and crash recovery.
- Multi-source Subdomain Enumeration - Passive and active discovery from 16+ sources
- Batched Vulnerability Scanning - Checkpoint-based Nuclei scans with resume support
- Origin IP Discovery - Find real IPs behind CDN/WAF using Shodan and SecurityTrails
- Origin IP Aggressive Scan - Automatic Nuclei scan against origin IPs with WAF-bypass templates
- Port Scanning - Discover web services on non-standard ports with naabu
- Screenshot Capture - Automated screenshots of live hosts with gowitness
- Subdomain Takeover Detection - Identify vulnerable CNAME records with subjack
- Crash Recovery - Checkpoint system to resume interrupted scans
- AI Wordlist Generation - Uses Claude to generate intelligent, context-aware wordlists
- AI Vulnerability Triage - Risk-prioritized analysis with attack chain identification
- AI URL Filtering - Smart filtering of historical URLs by exploit likelihood
- Historical URL Mining (GAU) - Automatic discovery of forgotten endpoints from Wayback, OTX, URLScan
- Origin IP Discovery - Find real IPs behind CDN/WAF using Shodan (discovered 64 new findings in testing!)
- Battle Plan Generation - Automated `targets/` folder with prioritized next steps and ready-to-use target files
- Rich CLI Interface - Real-time progress display with detailed statistics
Track all your scans with detailed statistics:
View all completed scans with subdomain counts, live hosts, findings, and scan dates
Beautiful, interactive HTML reports with severity breakdown:
Findings organized by severity with CVSS scores, CVE references, remediation links, and tags
Intelligent vulnerability analysis with business impact assessment:
Prioritized risk items with evidence, exploit details, business impact, attack chains, and remediation steps
Discover forgotten endpoints and parameters:

URLs categorized by type with parameter extraction and status codes
```text
PHASE 1: ENUMERATION
--------------------
Passive Enumeration
|-- Subfinder (APIs: VirusTotal, SecurityTrails, etc.)
|-- crt.sh (Certificate Transparency logs)
+-- Shodan (SSL certificate CN extraction)

AI Wordlist Generation (--ai flag)
+-- Claude generates targeted prefixes based on:
    * Historical subdomains from CT logs & Wayback Machine
    * Detected naming patterns and technologies
    * Industry-specific conventions

Active Enumeration
|-- DNS Bruteforce (puredns + massdns)
+-- Permutation Generation (alterx)

        |
        v

PHASE 2: VALIDATION
-------------------
DNS Resolution
+-- Resolve all discovered subdomains to IP addresses

Port Scanning (naabu)
+-- Scan 80+ common web ports to find services on non-standard ports

Runs in PARALLEL:
|   HTTP Probing (httpx)
|   +-- Validate live hosts with status codes, titles, technologies
|
|   Subdomain Takeover Detection (subjack)
|   +-- Check CNAME records against known vulnerable fingerprints
|
|   GAU Historical URL Mining (automatic)
|   |-- Mine Wayback Machine, OTX, URLScan for historical URLs
|   |-- Categorize by vulnerability type (SQLi, SSRF, LFI, XSS, RCE)
|   +-- Generate gau_findings.html report

Screenshot Capture (gowitness)
|-- Capture screenshots of all live hosts
+-- Generate interactive gallery (screenshots_gallery.html)

        |
        v

PHASE 3: VULNERABILITY SCANNING
-------------------------------
Smart Host Filtering
|-- Skip 404 (Not Found) hosts - no content to scan
|-- Skip 500+ (Server Error) hosts - unreliable targets
+-- Keep 401/403 hosts - may have auth bypass vulnerabilities

Nuclei Batched Scan
|-- Checkpoint/resume support (recovers from interruption)
|-- Smart host filtering (skip 404/500+ hosts)
+-- Configurable severity filters (critical, high, medium)

        |
        v

PHASE 4: ANALYSIS
-----------------
Origin IP Discovery (Shodan + SecurityTrails) - POWERFUL!
+-- Find real IPs behind Cloudflare/CDN using:
    * SSL Certificate CN matching (Shodan)
    * Favicon hash correlation (Shodan)
    * Historical DNS records (SecurityTrails)

Origin IP Aggressive Scan (automatic when origins found)
|-- Nuclei scan directly against origin IPs bypassing WAF:
|   * Uses Host header spoofing to reach target domain
|   * Aggressive templates: CVEs 2023-2025, RCE, LFI, SSRF, SQLi, XSS
|   * Detects version disclosure hidden by CDN (nginx, PHP, etc.)
|   * Higher rate limits (150 rps) - no CDN throttling
+-- Discovered 64 NEW findings by bypassing WAF in real testing!

AI Vulnerability Triage (--ai-triage flag)
|-- Risk-prioritized analysis of all findings
|-- Attack chain identification
|-- Executive summary generation
|-- Remediation priorities
+-- AI-powered GAU URL filtering:
    * Ranks URLs by exploit likelihood (RCE > SSRF > LFI > SQLi)
    * Deduplicates similar endpoints
    * Selects top high-value URLs for testing

        |
        v

OUTPUT
------
output/<domain>/
|-- scan_info.json            # Scan metadata and statistics
|-- subdomains.txt            # All discovered subdomains
|-- hosts.json                # Live hosts with HTTP details
|-- findings.json             # Nuclei vulnerability findings
|-- report.html               # Main HTML report
|-- screenshots/              # Host screenshots (gowitness)
|-- screenshots_gallery.html  # Interactive screenshot gallery
|-- gau_findings.html         # Historical URLs by category
+-- triage_report.html        # AI triage analysis (if --ai-triage)
```
Install required external tools:

```bash
# Go tools (ProjectDiscovery suite)
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install github.com/projectdiscovery/alterx/cmd/alterx@latest
go install github.com/d3mondev/puredns/v2@latest

# GAU - GetAllUrls (historical URL mining)
go install github.com/lc/gau/v2/cmd/gau@latest

# Gowitness - Screenshot capture
go install github.com/sensepost/gowitness/v3@latest

# Subjack - Subdomain takeover detection
go install github.com/haccer/subjack@latest

# massdns (C program)
sudo apt install massdns  # Kali/Debian
# OR compile from source:
# git clone https://github.com/blechschmidt/massdns.git && cd massdns && make && sudo make install

# Update Nuclei templates
nuclei -update-templates
```

```bash
# Clone repository
git clone https://github.com/reconductor/reconductor-v2.git
cd reconductor-v2

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Install in development mode
pip install -e .

# Verify installation
reconductor check-tools
```

Set via environment variables - NEVER put API keys in config files!

```bash
# For enhanced enumeration and origin IP discovery
export SHODAN_API_KEY="your_shodan_api_key"
export SECURITYTRAILS_API_KEY="your_securitytrails_api_key"

# For AI features (choose one provider)
export ANTHROPIC_API_KEY="sk-ant-..."  # Anthropic Claude
export OPENAI_API_KEY="sk-..."         # OpenAI
export GEMINI_API_KEY="..."            # Google Gemini
export GROQ_API_KEY="..."              # Groq
```

ReconDuctor uses YAML configuration files. The default config is `config/default.yaml`.

```bash
# Copy example config to local (local.yaml is gitignored)
cp config/example.yaml config/local.yaml

# Edit with your preferences
nano config/local.yaml
```

ReconDuctor supports 6 LLM providers for AI features:
If you have Claude Code installed:

```yaml
# config/local.yaml
llm:
  primary_provider: claude_code
  primary_model: sonnet  # Options: sonnet, opus, haiku
```

```yaml
llm:
  primary_provider: ollama
  primary_model: llama3.2
  api_base: http://localhost:11434
```

```bash
# Install Ollama
curl -fsSL https://ollama.com/install.sh | sh
ollama pull llama3.2
```

```yaml
llm:
  primary_provider: anthropic
  primary_model: claude-3-haiku-20240307
```

```bash
export ANTHROPIC_API_KEY="sk-ant-..."
```

```yaml
llm:
  primary_provider: openai
  primary_model: gpt-4o-mini
```

```bash
export OPENAI_API_KEY="sk-..."
```

```yaml
llm:
  primary_provider: gemini
  primary_model: gemini-1.5-flash
```

```bash
export GEMINI_API_KEY="your-api-key"
```

```yaml
llm:
  primary_provider: groq
  primary_model: llama-3.3-70b-versatile
```

```bash
export GROQ_API_KEY="your-api-key"
```

Customize vulnerability scanning:

```yaml
nuclei:
  severity:
    - critical
    - high
    - medium
  exclude_tags:
    - fuzz
    - dos
    - intrusive
    - sqli  # Remove to enable SQLi testing
    - xss   # Remove to enable XSS testing
    - rce   # Remove to enable RCE testing
  rate_limit: 150
  bulk_size: 25
  concurrency: 25
  disable_interactsh: true
```

Adaptive WAF-aware throttling:

```yaml
rate_limit:
  initial_rate: 30.0    # Starting requests/sec
  min_rate: 1.0         # Minimum when backing off
  backoff_factor: 0.5   # Reduce by 50% on WAF detection
  recovery_factor: 1.1  # Increase by 10% when stable
```

```bash
# Basic full scan
reconductor scan example.com

# Full scan with all AI features (recommended for thorough assessment)
reconductor scan example.com --ai --ai-triage

# Quick passive scan only
reconductor scan example.com --passive-only
```

```bash
# Basic scan (all phases, includes GAU automatically)
reconductor scan example.com

# Scan with AI wordlist generation
reconductor scan example.com --ai

# Scan with AI vulnerability triage + URL filtering
reconductor scan example.com --ai-triage

# Complete assessment with all AI features
reconductor scan example.com --ai --ai-triage

# Skip vulnerability scanning (enumeration + validation only)
reconductor scan example.com --no-nuclei

# Custom output directory
reconductor scan example.com -o ./results

# Passive enumeration only (no bruteforce, no GAU)
reconductor scan example.com --passive-only

# Adjust rate limiting
reconductor scan example.com --rate-limit 50
```

```bash
# Continue from checkpoint
reconductor continue example.com

# Continue and run AI triage on findings
reconductor continue example.com --ai-triage

# Continue but skip nuclei scanning
reconductor continue example.com --no-nuclei
```

```bash
# Subdomain enumeration only
reconductor enumerate example.com

# HTTP probe a list of targets
reconductor probe targets.txt

# Nuclei scan a list of targets
reconductor nuclei targets.txt

# Generate AI wordlist
reconductor ai-wordlist example.com

# Run AI triage on existing scan
reconductor triage example.com

# Run GAU standalone
reconductor gau example.com

# GAU with AI filtering
reconductor gau example.com --ai

# Find origin IPs behind CDN (Shodan required)
reconductor origin-ips example.com
```

```bash
# Check tool availability
reconductor check-tools

# List all completed scans
reconductor list-scans

# Show version
reconductor --version

# Show help
reconductor --help
```

| Option | Description |
|---|---|
| `--output`, `-o` | Output directory for results |
| `--phase`, `-p` | Start from specific phase (0=all) |
| `--passive-only` | Only run passive enumeration |
| `--no-nuclei` | Skip vulnerability scanning |
| `--ai` | Enable AI wordlist generation |
| `--ai-triage` | Enable AI triage + GAU URL filtering |
| `--rate-limit`, `-r` | Requests per second (default: 30) |
| `--quiet`, `-q` | Minimal output mode |

| Option | Description |
|---|---|
| `--no-nuclei` | Skip vulnerability scanning on resume |
| `--ai-triage` | Run AI triage on findings |

| Option | Description |
|---|---|
| `--output`, `-o` | Output directory containing scan results |

| Option | Description |
|---|---|
| `--output`, `-o` | Output directory (defaults to output/) |
| `--ai` | Use AI to filter and rank high-value URLs |

| Option | Description |
|---|---|
| `--output`, `-o` | Output directory |

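An added example (not ReconDuctor's own `rate_limiter.py`) that applies the `rate_limit` settings from the configuration section to a stream of response codes, showing how fast the rate collapses and how slowly it recovers. Treating HTTP 403/429 as the WAF signal, the 10-response stability window, and capping recovery at `initial_rate` are assumptions.

```python
from dataclasses import dataclass

BLOCK_STATUSES = {403, 429}  # assumption: responses treated as "WAF detected"


@dataclass
class AdaptiveRate:
    initial_rate: float = 30.0     # starting requests/sec (page's config value)
    min_rate: float = 1.0          # floor when backing off
    backoff_factor: float = 0.5    # multiply rate by this on a block
    recovery_factor: float = 1.1   # multiply rate by this after a stable window
    stable_window: int = 10        # assumption: clean responses that count as "stable"

    def __post_init__(self):
        self.rate = self.initial_rate
        self.ok_streak = 0

    def on_response(self, status):
        """Update the rate from one response code and return the new rate."""
        if status in BLOCK_STATUSES:
            self.rate = max(self.min_rate, self.rate * self.backoff_factor)
            self.ok_streak = 0
        else:
            self.ok_streak += 1
            if self.ok_streak >= self.stable_window:
                # Assumption: never climb above the configured starting rate.
                self.rate = min(self.initial_rate, self.rate * self.recovery_factor)
                self.ok_streak = 0
        return self.rate

    def delay(self):
        """Seconds to wait before the next request at the current rate."""
        return 1.0 / self.rate


def simulate(statuses, limiter=None):
    """Feed a list of status codes through a limiter; return the rate after each."""
    limiter = limiter or AdaptiveRate()
    return [limiter.on_response(s) for s in statuses]


def windows_to_recover(start_rate, cfg=None):
    """Count stable windows needed to climb from start_rate back to the cap."""
    cfg = cfg or AdaptiveRate()
    rate, windows = start_rate, 0
    while rate < cfg.initial_rate:
        rate = min(cfg.initial_rate, rate * cfg.recovery_factor)
        windows += 1
    return windows


if __name__ == "__main__":
    # Constructed input: five consecutive blocks, then twenty clean responses.
    trace = simulate([429] * 5 + [200] * 20)
    print("after blocks:", trace[:5])
    print("after recovery:", trace[-1])
    print("windows to undo one backoff:", windows_to_recover(15.0))
```

With these values a single block costs eight stable windows to undo, so a target that blocks intermittently keeps the scan well below the configured rate.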
Uses Claude (haiku) to generate intelligent subdomain prefixes:
- Intelligence Gathering - Fetches historical subdomains from CT logs and Wayback Machine
- Pattern Analysis - Detects naming conventions and technologies
- AI Generation - Creates targeted prefixes based on gathered intelligence
- Wordlist Combination - Merges with base wordlist, removes duplicates

```text
Phase 1: Subdomain Enumeration
[ok] Passive Enum  2184 (subfinder:501, crt.sh:1709, shodan:120)
[ok] AI Wordlist   187 intelligent prefixes
[ok] DNS Brute     +18 subdomains
```

Uses Claude (sonnet) to analyze and prioritize findings:
- Risk Prioritization - Groups findings by actual risk, not just severity
- Attack Chain Identification - Finds related vulnerabilities that chain together
- Executive Summary - Business-friendly overview for stakeholders
- Remediation Priorities - Ordered fix recommendations
GAU runs automatically in Phase 2 and mines URLs from:
- Wayback Machine
- OTX (Open Threat Exchange)
- URLScan
- CommonCrawl
When enabled, Claude ranks GAU URLs by exploit likelihood:
Priority Order:
- RCE/Command injection (`cmd=`, `exec=`, `shell=`)
- SSRF/Open redirect (`url=`, `redirect=`, `callback=`)
- LFI/Path traversal (`file=`, `path=`, `include=`)
- SQLi (`id=`, `uid=`, `page=`, `limit=`)
- Auth endpoints (oauth, saml, token)
- Debug paths (`/debug/`, `/trace/`, phpinfo)
- Sensitive files (`.env`, `.conf`, `.sql`)
- API endpoints (`/api/`, `/graphql/`)

Find real IPs behind CDN/WAF protection using Shodan and SecurityTrails:
- SSL Certificate CN matching (Shodan)
- Favicon hash correlation (Shodan)
- Historical DNS records (SecurityTrails)
When origin IPs are discovered, ReconDuctor automatically runs an aggressive Nuclei scan directly against them:
- Host header spoofing - Reaches target domain via origin IP
- Aggressive templates - CVEs (2023-2025), RCE, LFI, SSRF, SQLi, XSS, default-logins
- Version detection - Finds server versions hidden by CDN (nginx, PHP, Apache, etc.)
- Higher rate limits - 150 rps since no CDN throttling
- Excludes dangerous tags - No DoS, fuzzing, or brute-force templates
Real-world result: In testing, origin IP bypass discovered 64 new findings that were hidden behind WAF protection!
output/example.com/
|-- scan_info.json # Scan metadata and statistics
|-- scan.db # SQLite checkpoint database
|-- subdomains.txt # All discovered subdomains
|-- subdomains_all.md # Formatted subdomain list
|-- subdomains_live.md # Live subdomains only
|-- live_hosts.txt # Live host URLs
|-- hosts.json # Live hosts with HTTP details
|-- findings.json # Nuclei vulnerability findings
|-- findings_summary.txt # Human-readable findings summary
|-- report.html # Main HTML report
|
|-- screenshots/ # Gowitness screenshots
| |-- screenshot_<hash>.png
| +-- ...
|-- screenshots_gallery.html # Interactive screenshot gallery
|
|-- gau_findings.html # Historical URLs by category
|-- triage_report.html # AI triage analysis (if --ai-triage)
|-- non_http_subdomains_report.html # Non-HTTP services found
|
+-- targets/ # BATTLE PLAN - Pentester action files
|-- next_steps.md # Prioritized action plan with commands
|-- fuzz_urls.txt # URLs with parameters for fuzzing
|-- sqli_candidates.txt # SQLi injection points
|-- ssrf_candidates.txt # SSRF/redirect candidates
|-- lfi_candidates.txt # LFI/path traversal candidates
|-- origin_ips.txt # Origin IPs for WAF bypass
|-- all_params.txt # All discovered parameters
+-- live_urls.txt # Live host URLs for scanning
After every scan, ReconDuctor generates an actionable battle plan in the targets/ directory. This gives pentesters ready-to-use target files and prioritized next steps.
The next_steps.md file contains:
- Prioritized actions based on findings severity
- Copy-paste commands for common tools (sqlmap, ffuf, dalfox, etc.)
- Target summary table with counts per category
Example:

```markdown
# Next Steps - target.com
## Priority Actions
### 1. Validate 3 CRITICAL findings
### 2. Test 5 Origin IPs (WAF Bypass)
### 3. Test 12 SQLi Candidates
### 4. Test 8 SSRF/Redirect Candidates
### 5. Fuzz 45 URLs with Parameters
```

| File | Description | Use Case |
|---|---|---|
| `fuzz_urls.txt` | URLs with parameters | Feed to ffuf, Burp Intruder |
| `sqli_candidates.txt` | URLs with id/user/order params | sqlmap -m, manual testing |
| `ssrf_candidates.txt` | URLs with redirect/url params | SSRF/open redirect testing |
| `lfi_candidates.txt` | URLs with file/path params | LFI/path traversal testing |
| `origin_ips.txt` | Origin IPs behind CDN | Direct scanning, WAF bypass |
| `all_params.txt` | All discovered parameters | Arjun, custom wordlists |
| `live_urls.txt` | All live host URLs | Feroxbuster, directory brute |

```bash
# After scan completes, start with the battle plan
cat output/target.com/targets/next_steps.md

# SQLi testing
sqlmap -m output/target.com/targets/sqli_candidates.txt --batch

# XSS testing
cat output/target.com/targets/fuzz_urls.txt | dalfox pipe

# Directory bruteforce
feroxbuster -L output/target.com/targets/live_urls.txt

# WAF bypass via origin IPs
while read ip; do curl -sk -H 'Host: target.com' "https://$ip"; done < output/target.com/targets/origin_ips.txt
```

GAU findings are automatically categorized by vulnerability type:

| Category | Pattern Examples |
|---|---|
| SSRF Candidates | url=, redirect=, callback=, dest= |
| LFI Candidates | file=, path=, template=, include= |
| SQLi Candidates | id=, user=, search=, order= |
| XSS Candidates | q=, message=, content=, name= |
| Open Redirect | next=, return=, goto=, redir= |
| RCE Candidates | cmd=, exec=, command=, run= |
| API Endpoints | /api/, /v1/, /graphql/ |
| Auth Endpoints | /login, /oauth, /token |
| Admin Paths | /admin, /dashboard, /manage |
| Debug Paths | /debug, /phpinfo, /trace |
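
An added example, not ReconDuctor's code and not how Claude ranks URLs: a deterministic version of the categorization table above combined with the priority order listed under AI URL filtering, useful for triaging your own domain's archived URLs for review. The sample URLs are constructed, and the positions of `admin` and `xss` in `PRIORITY` (neither appears in the page's priority list) are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names and path fragments copied from the category table on this page.
PARAM_CATEGORIES = {
    "rce": {"cmd", "exec", "command", "run"},
    "ssrf": {"url", "redirect", "callback", "dest"},
    "open_redirect": {"next", "return", "goto", "redir"},
    "lfi": {"file", "path", "template", "include"},
    "sqli": {"id", "user", "search", "order"},
    "xss": {"q", "message", "content", "name"},
}
PATH_CATEGORIES = {
    "auth": ("/login", "/oauth", "/token"),
    "debug": ("/debug", "/phpinfo", "/trace"),
    "admin": ("/admin", "/dashboard", "/manage"),
    "api": ("/api/", "/v1/", "/graphql/"),
}
SENSITIVE_SUFFIXES = (".env", ".conf", ".sql")
# Page's priority order first; "admin" and "xss" appended as an assumption.
PRIORITY = ["rce", "ssrf", "open_redirect", "lfi", "sqli", "auth",
            "debug", "sensitive_file", "api", "admin", "xss"]


def param_names(query):
    """Lower-cased parameter names, including ones with empty values."""
    return {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}


def categorize(url):
    """Return the set of categories a URL falls into (empty set if none)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    probe = path if path.endswith("/") else path + "/"  # lets "/graphql" match "/graphql/"
    names = param_names(parts.query)
    cats = {c for c, params in PARAM_CATEGORIES.items() if names & params}
    cats |= {c for c, frags in PATH_CATEGORIES.items() if any(f in probe for f in frags)}
    if path.endswith(SENSITIVE_SUFFIXES):
        cats.add("sensitive_file")
    return cats


def endpoint_key(url):
    """Same host, path and parameter names count as one endpoint."""
    parts = urlsplit(url)
    return (parts.netloc.lower(), parts.path, tuple(sorted(param_names(parts.query))))


def rank(urls):
    """Deduplicate similar endpoints, drop uncategorized URLs, order by priority."""
    seen, rows = set(), []
    for url in urls:
        key, cats = endpoint_key(url), categorize(url)
        if key in seen or not cats:
            continue
        seen.add(key)
        ordered = sorted(cats, key=PRIORITY.index)
        rows.append((PRIORITY.index(ordered[0]), url, ordered))
    rows.sort(key=lambda r: r[0])  # stable: input order is kept within a priority
    return [(url, cats) for _, url, cats in rows]


# Constructed sample input, not output from a real scan.
SAMPLE_URLS = [
    "https://shop.example.com/item?id=10",
    "https://shop.example.com/item?id=11",  # same endpoint, different value
    "https://shop.example.com/go?next=/home",
    "https://api.example.com/api/v1/export?file=report.pdf",
    "https://old.example.com/debug/trace",
    "https://www.example.com/about",  # matches no category
    "https://old.example.com/tools/ping?cmd=status&q=x",
    "https://old.example.com/backup/site.sql",
]

if __name__ == "__main__":
    for url, cats in rank(SAMPLE_URLS):
        print(f"{','.join(cats):<20} {url}")
```

Matching is on parameter names only, so every hit is a candidate for manual review rather than a confirmed issue.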

| Tool | Purpose | Source |
|---|---|---|
| subfinder | Passive subdomain enumeration | projectdiscovery |
| httpx | HTTP probing and validation | projectdiscovery |
| nuclei | Vulnerability scanning | projectdiscovery |
| naabu | Port scanning | projectdiscovery |
| dnsx | Fast DNS resolver | projectdiscovery |
| puredns | DNS bruteforce/resolution | d3mondev |
| massdns | Fast DNS resolver (backend) | blechschmidt |
| alterx | Subdomain permutation | projectdiscovery |
| gau | Historical URL mining | lc |
| gowitness | Screenshot capture | sensepost |
| subjack | Subdomain takeover detection | haccer |

| Service | Purpose | Required |
|---|---|---|
| Anthropic Claude | AI features (wordlist, triage, GAU) | For AI features |
| crt.sh | Certificate Transparency logs | No (free) |
| Shodan | Subdomain enum, Origin IP discovery | Optional |
| SecurityTrails | Historical DNS records for origin IP discovery | Optional |
| Wayback Machine | Historical URLs (via GAU) | No (free) |
| CommonCrawl | Historical URLs (via GAU) | No (free) |
| OTX | Historical URLs (via GAU) | No (free) |
| URLScan | Historical URLs (via GAU) | No (free) |
reconductor/
|-- core/ # Core framework
| |-- config.py # Configuration management
| |-- database.py # SQLite storage
| |-- checkpoint.py # Crash recovery
| |-- orchestrator.py # Main scan pipeline
| |-- exporter.py # Report generation
| |-- rate_limiter.py # Adaptive rate limiting
| |-- scope.py # Scope validation
| +-- logger.py # Structured logging
|
|-- models/ # Data models
| |-- subdomain.py # Subdomain model
| |-- host.py # Host model
| |-- finding.py # Vulnerability finding
| +-- scan.py # Scan state
|
|-- modules/
| |-- subdomain/ # Enumeration
| | |-- passive.py # Subfinder, crt.sh, Shodan
| | |-- puredns_wrapper.py
| | +-- alterx_wrapper.py
| |
| |-- validation/ # Host validation
| | |-- http_probe.py # httpx integration
| | |-- dns_resolve.py # DNS resolution
| | +-- port_scan.py # naabu integration
| |
| |-- scanning/ # Vulnerability scanning
| | |-- nuclei_manager.py # Parallel Nuclei workers
| | |-- takeover.py # Takeover detection
| | +-- subjack_wrapper.py # Subjack integration
| |
| |-- recon/ # Reconnaissance
| | |-- shodan_recon.py # Origin IP discovery
| | |-- gau_wrapper.py # GAU historical URL mining
| | +-- screenshot_capture.py # Gowitness screenshots
| |
| +-- ai/ # AI integration
| |-- llm_client.py # Multi-provider LLM client
| |-- wordlist_agent.py # AI wordlist generation
| |-- finding_analyzer.py # AI vulnerability triage
| +-- gau_filter_agent.py # AI GAU URL filtering
|
|-- utils/ # Utilities
| |-- executor.py # Tool execution
| |-- parser.py # Output parsing
| |-- deduplicator.py # Deduplication
| |-- validator.py # Input validation
| +-- tempfiles.py # Secure temp files
|
+-- cli.py # CLI interface (Typer + Rich)

```bash
reconductor scan target.com --passive-only
```

```bash
# Complete assessment with all AI features
reconductor scan target.com --ai --ai-triage

# View results
firefox output/target.com/report.html            # Main report
firefox output/target.com/triage_report.html     # AI triage
firefox output/target.com/gau_findings.html      # Historical URLs
firefox output/target.com/screenshots_gallery.html
```

```bash
# Run AI triage on existing findings
reconductor triage target.com

# List all scans
reconductor list-scans
```

Example output from a real scan (domain sanitized):
a.ns.example.com
api.example.com
b.ns.example.com
design.example.com
docs.example.com
events.example.com
go.example.com
gslink.example.com
example.com
info.example.com
links.example.com
mta-sts.forwarding.example.com
mta-sts.example.com
support.example.com
www.example.com
https://api.example.com
https://docs.example.com
https://gslink.example.com
https://example.com
https://mta-sts.forwarding.example.com
https://mta-sts.example.com
https://support.example.com
https://www.example.com

```json
{
  "domain": "example.com",
  "status": "completed",
  "duration_seconds": 104.75,
  "stats": {
    "subdomains_discovered": 17,
    "passive_total": 17,
    "subfinder_count": 16,
    "crtsh_count": 15,
    "dns_resolved": 11,
    "open_ports": 58,
    "hosts_alive": 25,
    "origin_ips_found": 5,
    "screenshots_captured": 25,
    "gau_total_urls": 83,
    "gau_unique_urls": 37,
    "gau_urls_with_params": 12
  }
}
```

```markdown
# Next Steps - example.com
## Priority Actions
### 1. Test 7 SQLi Candidates
URLs with id/user/order parameters - classic injection points.
### 2. Fuzz 12 URLs with Parameters
cat targets/fuzz_urls.txt | qsreplace FUZZ | ffuf -u FUZZ -w payloads.txt
### 3. Content Discovery on 25 Live Hosts
feroxbuster -L targets/live_urls.txt
## Target Summary
| Category         | Count | File                        |
|------------------|-------|-----------------------------|
| URLs with params | 12    | targets/fuzz_urls.txt       |
| SQLi candidates  | 7     | targets/sqli_candidates.txt |
| Live hosts       | 25    | targets/live_urls.txt       |
```

- Start with passive scan to get initial subdomains quickly
- Use `--ai` for thorough assessments - generates targeted wordlists
- GAU runs automatically - historical URLs included in every full scan
- Use `--ai-triage` for reporting - creates executive summaries + filters GAU URLs
- Check screenshots gallery for quick visual assessment
- Monitor rate limits - adjust with `--rate-limit` if getting blocked
- Review gau_findings.html - categorized URLs for manual testing
- Try origin-ips command - can bypass WAF and find hidden vulnerabilities!
- API Keys: Always use environment variables, never commit secrets
- Scope: Only scan authorized targets
- Rate Limiting: Respect target infrastructure
- Responsible Disclosure: Report vulnerabilities responsibly
MIT License
This tool is intended for authorized security testing only. Always obtain proper authorization before scanning any targets. The authors are not responsible for misuse of this tool.
ReconDuctor v2 - Built for security professionals who need comprehensive, AI-enhanced reconnaissance.