A powerful command-line interface for managing continuous reconnaissance and anomaly detection for bug bounty programs.
The Recontronic CLI is the primary interface for interacting with the Recontronic Platform - a continuous reconnaissance and anomaly detection system purpose-built for bug bounty hunting. The CLI provides real-time monitoring, intelligent alerting, and comprehensive program management capabilities.
- Program Management: Add, list, and manage bug bounty programs
- Scan Control: Trigger manual scans and monitor progress in real-time
- Anomaly Tracking: Query and review detected security anomalies
- Live Dashboard: Real-time TUI dashboard with streaming updates
- Statistics: Live platform metrics and performance data
- Configuration: Simple configuration management for server endpoints and credentials
- Go 1.21 or higher
- Access to a Recontronic Platform server (REST API and gRPC endpoints)
- API key for authentication
# Clone the repository
git clone https://github.com/yourusername/recontronic-cli-client.git
cd recontronic-cli-client
# Build the binary (using Makefile - recommended)
make build
# Or build manually
go build -o recon-cli main.go
# Install to GOPATH/bin (using Makefile)
make install
# Or move to your PATH manually
sudo mv recon-cli /usr/local/bin/go install github.com/yourusername/recontronic-cli-client@latest# Set server endpoints
recon-cli config set server http://your-server:8080
recon-cli config set grpc-server your-server:9090
recon-cli config set api-key your-api-key-hererecon-cli program add \
--name "Example Corp" \
--platform hackerone \
--scope "*.example.com,*.example.io" \
--frequency 1hrecon-cli scan trigger --program-id 1 --type passiverecon-cli anomalies list --min-priority 70 --unreviewedrecon-cli dashboardThe CLI provides a complete reconnaissance workflow for bug bounty hunting. Follow these steps in order for best results:
Find all subdomains for your target domain
# Basic subdomain enumeration
./recon-cli recon subdomain example.com
# With custom timeout for slow tools
./recon-cli recon subdomain example.com --timeout 15mSample Output:
Finding subdomains for example.com
Mode: Passive reconnaissance (safe, no active scanning)
Running crt.sh...
✓ crt.sh found 445 subdomains (3.2s)
Running subfinder...
✓ subfinder found 789 subdomains (12.4s)
Running assetfinder...
✓ assetfinder found 234 subdomains (8.1s)
Summary:
Total unique subdomains: 808
Sources used: crt.sh, subfinder, assetfinder
✓ Results saved to ~/.recon-cli/results/example.com/subdomains_20251103_120534.json
- Tools Used: crt.sh, subfinder, amass, assetfinder
- Output: List of all discovered subdomains
- Saved To:
~/.recon-cli/results/example.com/subdomains_*.json - Typical Results: 100-1000+ subdomains depending on target size
Find which subdomains are alive and accessible
# Basic verification (default: 10 concurrent, 10s timeout)
./recon-cli recon verify example.com
# Faster scanning with higher concurrency
./recon-cli recon verify example.com --concurrency 50 --timeout 5s
# Conservative scanning (slower but more reliable)
./recon-cli recon verify example.com --concurrency 5 --timeout 30sSample Output:
Verifying subdomains for example.com
Mode: Passive verification (DNS + HTTP probing)
Progress: 156/808 verified (19.3%) [29.4s elapsed]
Summary:
Total subdomains: 808
Alive: 156 (19.3%)
Dead: 652 (80.7%)
Duration: 45.2s
Sample alive hosts:
https://www.example.com - 200 OK - "Example Domain - Official Site"
https://api.example.com - 403 Forbidden - "Access Denied"
https://mail.example.com - 200 OK - "Webmail Login"
https://admin.example.com - 401 Unauthorized - "Authentication Required"
http://dev.example.com - 200 OK - "Development Server"
✓ Results updated in ~/.recon-cli/results/example.com/subdomains_20251103_120534.json
- What It Does:
- DNS resolution check
- HTTP/HTTPS probing (tries HTTPS first, falls back to HTTP)
- Extracts HTTP status codes
- Captures HTML page titles
- Measures response times
- Output: List of alive hosts with status codes and titles
- Typical Results: 10-30% of subdomains are usually alive
Get domain registration and infrastructure information
# Basic WHOIS lookup
./recon-cli recon whois example.com
# Output as JSON for parsing
./recon-cli recon whois example.com --json
# Show raw WHOIS output
./recon-cli recon whois example.com --raw
# Custom timeout (default: 30s)
./recon-cli recon whois example.com --timeout 60sSample Output:
Looking up WHOIS information for example.com
Mode: Passive reconnaissance (WHOIS query)
✓ Results saved to ~/.recon-cli/results/example.com/
Domain: example.com
Registrar: MarkMonitor Inc.
Created: 1995-08-14T04:00:00Z
Updated: 2024-08-13T07:01:38Z
Expires: 2025-08-13T04:00:00Z
Name Servers:
- a.iana-servers.net
- b.iana-servers.net
Status:
- clientDeleteProhibited
- clientTransferProhibited
- clientUpdateProhibited
- serverDeleteProhibited
- serverTransferProhibited
- serverUpdateProhibited
Registrar URL: http://www.markmonitor.com
- Information Gathered:
- Registrar details
- Creation, update, and expiry dates
- Authoritative nameservers
- Domain status (locked, unlocked, etc.)
- Why It Matters: Helps validate scope and understand domain infrastructure
Organize and export your findings
# List all results for all domains
./recon-cli recon results list
# View all subdomains for a specific domain
./recon-cli recon results view example.com
# View only alive subdomains
./recon-cli recon results view example.com --alive-only
# Filter by HTTP status code
./recon-cli recon results view example.com --status 200
# Filter by discovery source
./recon-cli recon results view example.com --source subfinder
# Limit results
./recon-cli recon results view example.com --alive-only --limit 50
# Export to CSV (great for spreadsheet analysis)
./recon-cli recon results export example.com --format csv --alive-only
# Export to JSON (for tool integration)
./recon-cli recon results export example.com --format json --alive-only
# Export to Markdown (for reporting)
./recon-cli recon results export example.com --format markdown
# Export with custom output path
./recon-cli recon results export example.com --format csv --output ~/reports/example.csv
# Combine multiple filters
./recon-cli recon results export example.com --format csv --alive-only --status 200Sample Output (list):
Results for all domains:
example.com/
2025-11-03 12:05 subdomains (808 total, 156 alive) ✓ verified
2025-11-03 12:15 whois Registrar: MarkMonitor Inc.
tesla.com/
2025-11-01 01:40 subdomains (808 total) ⚠ not verified
basecamp.com/
2025-11-01 02:50 subdomains (133 total, 23 alive) ✓ verified
Sample Output (export CSV):
Exporting results for example.com...
Format: CSV
Filters: alive-only
✓ Exported 156 subdomains to ~/.recon-cli/exports/example.com_20251103_121830.csv
Get detailed DNS records for all alive subdomains
# DNS enumeration for all alive subdomains (default)
./recon-cli recon dns example.com
# Query specific record types
./recon-cli recon dns example.com --types A,AAAA,MX,TXT
# DNS enumeration for all subdomains (not just alive)
./recon-cli recon dns example.com --alive-only=false
# Export DNS results to CSV
./recon-cli recon results export example.com --type dns --format csv
# High-speed scanning
./recon-cli recon dns example.com --concurrency 50 --timeout 3s
# Check for subdomain takeover opportunities (enabled by default)
./recon-cli recon dns example.com --check-takeoverSample Output:
Enumerating DNS records for basecamp.com
Mode: Passive DNS enumeration
✓ Results saved to ~/.recon-cli/results/basecamp.com/
Summary:
Subdomains queried: 23
A records: 50
AAAA records: 0
CNAME records: 3
MX records: 3
TXT records: 8
NS records: 10
Unique IPs: 18
Duration: 3s
Key Findings:
✓ No obvious subdomain takeover risks detected
☁️ Cloud providers detected: Cloudflare
📧 Mail servers found: 3 MX records
Providers: basecamp.com
🔒 Security records: SPF (yes), DMARC (no), DKIM (no)
Sample DNS Records:
SUBDOMAIN RECORD TYPE VALUE CLOUD
3.basecamp.com A 104.18.12.81 Cloudflare
www.updates.basecamp.com CNAME ext-cust.squarespace.com
storage.basecamp.com A 104.18.17.127 Cloudflare
... and 13 more records (see JSON results for complete data)
What This Provides:
- A/AAAA Records: IP addresses (IPv4/IPv6) - map subdomains to actual hosts for port scanning
- MX Records: Mail servers - identify email infrastructure targets
- TXT Records: SPF, DMARC, DKIM verification records - find security misconfigurations
- NS Records: Authoritative nameservers - understand DNS infrastructure
- CNAME Records: Subdomain aliases - detect potential subdomain takeover opportunities 💰
- Cloud Providers: Automatic identification (AWS, Azure, GCP, Cloudflare, Akamai, Fastly)
- Takeover Detection: Checks for 15+ vulnerable services (herokuapp, github.io, s3, azurewebsites, etc.)
- Security Analysis: Detects SPF, DMARC, DKIM configurations
Why This Matters:
- 🎯 Maps subdomains to IP addresses ready for port scanning
- 🔍 Identifies shared infrastructure (multiple domains on same IP = similar attack surface)
- ☁️ Discovers cloud providers (AWS, Azure, GCP = different security models)
- 💰 Finds dangling CNAMEs = potential subdomain takeovers (HIGH/CRITICAL severity)
- 📧 Identifies mail infrastructure for email security testing
- 🚨 Detects security misconfigurations (missing DMARC = email spoofing)
Identify open ports and running services
# Port scanning (PLANNED - not yet implemented)
# Use external tools for now:
# Fast port scan with naabu (recommended)
cat ~/.recon-cli/exports/example.com_alive.txt | naabu -p 80,443,8080,8443 -o ports.txt
# Full port scan with nmap
nmap -iL alive_hosts.txt -p- -oA nmap_results
# Quick common ports scan
masscan -iL alive_ips.txt -p 80,443,8080,8443,3000,8000,9000 --rate 1000Common Targets:
- Web: 80, 443, 8080, 8443, 8000, 3000
- Admin panels: 9000, 10000
- Databases: 3306 (MySQL), 5432 (PostgreSQL), 27017 (MongoDB)
- APIs: 8081, 8082, 9090
- Security Note:
⚠️ Only scan assets within scope!
Identify frameworks, libraries, and technologies
# Technology detection (PLANNED - not yet implemented)
# Use external tools for now:
# Using httpx with technology detection
cat ~/.recon-cli/exports/example.com_alive.txt | httpx -td -title -status-code -o tech_stack.txt
# Using wappalyzer
wappalyzer https://example.com
# Check headers and identify technologies
curl -I https://example.comWhat You'll Discover:
- Web frameworks (React, Vue, Django, Rails)
- Server software (nginx, Apache, IIS)
- CDNs and WAFs (Cloudflare, Akamai, AWS CloudFront)
- CMS platforms (WordPress, Drupal, Joomla)
Run automated security checks
# Vulnerability scanning with Nuclei (PLANNED integration)
# Nuclei is already installed - use it directly for now:
# Scan all alive hosts
./recon-cli recon results export example.com --format txt --alive-only -o alive.txt
nuclei -l alive.txt -t ~/nuclei-templates/ -o vulnerabilities.txt
# Scan for specific vulnerability types
nuclei -l alive.txt -t ~/nuclei-templates/cves/ -severity critical,high
# Scan for misconfigurations
nuclei -l alive.txt -t ~/nuclei-templates/misconfiguration/
# Scan for exposed panels
nuclei -l alive.txt -t ~/nuclei-templates/exposed-panels/Check For:
- ✅ Known CVEs
- ✅ Misconfigurations
- ✅ Exposed admin panels
- ✅ Default credentials
- ✅ Information disclosure
- ✅ Missing security headers
Find hidden endpoints and files
# Content discovery (PLANNED - not yet implemented)
# Use external tools for now:
# Fast fuzzing with ffuf
ffuf -u https://example.com/FUZZ -w /path/to/wordlist.txt -o discovery.json
# Directory brute force with gobuster
gobuster dir -u https://example.com -w /path/to/wordlist.txt -o dirs.txt
# Recursive discovery with feroxbuster
feroxbuster -u https://example.com -w /path/to/wordlist.txtDiscover:
- 🔍 Admin panels, API endpoints, backup files
- 📁
.git,.env, config files,backup.sql - 🧪 Development/staging endpoints
- 📝 Documentation, changelogs, READMEs
Screenshot all alive hosts for quick review
# Visual reconnaissance (PLANNED - not yet implemented)
# Use external tools for now:
# Screenshots with gowitness (recommended)
gowitness file -f alive.txt -P screenshots/
# Screenshots with aquatone
cat alive.txt | aquatone -out aquatone_results/
# Screenshots with eyewitness
eyewitness -f alive.txt -d eyewitness_results/Benefits:
- 📸 Quickly identify interesting targets visually
- 🎯 Find login panels, admin interfaces, custom apps
- 👀 Spot unusual pages that deserve manual testing
- 📊 Generate visual reports for client deliverables
Here's a complete reconnaissance session:
# 1. Discover all subdomains
./recon-cli recon subdomain tesla.com
# Output: Found 808 unique subdomains
# 2. Find which ones are alive
./recon-cli recon verify tesla.com
# Output: 156 alive (19.3%), 652 dead (80.7%)
# 3. Get domain registration info
./recon-cli recon whois tesla.com
# Output: Registrar, nameservers, expiry date
# 4. Get DNS records for alive hosts
./recon-cli recon dns tesla.com
# Output: 142 A records, 18 unique IPs, cloud providers detected
# Potential subdomain takeover opportunities identified
# 5. Export everything for further testing
./recon-cli recon results export tesla.com --format csv --alive-only
# Output: tesla_alive_hosts.csv with 156 entries + all DNS data
# 6. Ready to attack!
# You now have:
# - 156 alive subdomains
# - 142 with IP addresses
# - Cloud provider information
# - Potential subdomain takeovers to exploit
# - Mail infrastructure to testWhat You'll Have:
- ✅ Complete subdomain inventory (808 total)
- ✅ List of alive/accessible hosts with status codes (156 alive)
- ✅ Domain registration information
- ✅ DNS records and IP mappings (142 IPs)
- ✅ Cloud provider identification (AWS, Azure, GCP, Cloudflare, etc.)
- ✅ Subdomain takeover opportunities detected
- ✅ Mail server infrastructure mapped
- ✅ Security configuration analysis (SPF, DMARC, DKIM)
- ✅ Exportable data for tools like Burp Suite, nuclei, nmap, etc.
You're now ready for Phase 3: Active Scanning (port scanning, vulnerability scanning, etc.)
# Add a new program
recon-cli program add --name "Company" --platform hackerone --scope "*.example.com"
# List all programs
recon-cli program list
# Get program details
recon-cli program get --id 1
# Delete a program
recon-cli program delete --id 1# Trigger a new scan
recon-cli scan trigger --program-id 1 --type passive
# Watch scan progress
recon-cli scan watch --scan-id 42
# List recent scans
recon-cli scan list --program-id 1 --limit 10# List anomalies
recon-cli anomalies list
# List high-priority unreviewed anomalies
recon-cli anomalies list --min-priority 80 --unreviewed
# View anomaly details
recon-cli anomalies view --id 12
# Mark anomaly as reviewed
recon-cli anomalies review --id 12 --notes "Investigated, false positive"# Launch interactive dashboard
recon-cli dashboard
# View live statistics
recon-cli stats
# Stream anomalies in real-time
recon-cli anomalies stream --min-priority 70# Set configuration values
recon-cli config set <key> <value>
# Get configuration value
recon-cli config get <key>
# List all configuration
recon-cli config list
# Initialize config file
recon-cli config initThe CLI stores configuration in ~/.recon-cli/config.yaml:
server: http://localhost:8080
grpc_server: localhost:9090
api_key: your-api-key-here
timeout: 30s
output_format: table # table, json, yaml
log_level: infoConfiguration can also be set via environment variables:
export RECON_SERVER="http://localhost:8080"
export RECON_GRPC_SERVER="localhost:9090"
export RECON_API_KEY="your-api-key"recontronic-cli-client/
├── cmd/ # Command implementations
│ ├── root.go # Root command
│ ├── program.go # Program subcommands
│ ├── scan.go # Scan subcommands
│ ├── anomalies.go # Anomaly subcommands
│ ├── dashboard.go # Dashboard TUI
│ ├── stats.go # Stats command
│ └── config.go # Config management
├── pkg/ # Reusable packages
│ ├── client/ # API clients
│ │ ├── rest.go # REST API client
│ │ └── grpc.go # gRPC client
│ ├── config/ # Configuration handling
│ │ └── config.go
│ ├── ui/ # User interface components
│ │ └── dashboard.go # Bubble Tea TUI
│ └── models/ # Data models
│ └── types.go
├── proto/ # Protocol buffer definitions
│ └── recon/v1/
├── scripts/ # Build and utility scripts
├── docs/ # Documentation
├── main.go # Entry point
└── go.mod
# Build for current platform
make build
# Build for all platforms
make build-all
# Run tests
make test
# Run linter
make lint# Run all tests
go test ./...
# Run tests with coverage
go test -cover ./...
# Run integration tests (requires server)
go test -tags=integration ./...If you're having trouble connecting to the server:
- Verify server endpoint:
recon-cli config get server - Test connectivity:
curl http://your-server:8080/health - Check API key is set:
recon-cli config get api-key - Verify firewall rules allow outbound connections
- Ensure your API key is valid
- Check if the key has expired
- Verify the key has proper permissions
- Ensure gRPC port (9090) is accessible
- Check for firewall blocking gRPC traffic
- Verify TLS/SSL configuration matches server
See CONTRIBUTING.md for development guidelines and how to submit contributions.
MIT License - See LICENSE for details.
- Documentation: docs/
- Issues: GitHub Issues
- Vision Document: early-vision-doc.md
- Recontronic Platform Server - Backend platform
- Recontronic Web UI - Web interface (future)
Built with:
- Cobra - CLI framework
- Viper - Configuration management
- Bubble Tea - TUI framework
- gRPC - RPC framework