edmond.

// PROJECT

Recon Script v1.0

Bash automation that chains subdomain enumeration, port scanning, and directory discovery into a single repeatable recon workflow.

Tags: recon, bash, automation, bug-bounty

Problem

Reconnaissance is one of the most overlooked phases in bug bounty hunting and penetration testing — and one of the most consequential. It's also a phase I found inconsistent in my own workflow: running the same set of commands manually is repetitive, error-prone, and easy to skip steps on. So I built a Bash script to chain the recon tools I reach for most often into one repeatable pass — partly to save time, partly to learn shell scripting.

Approach

The script takes a target domain as input, scaffolds a working directory tree (subdomains/, screenshots/, scans/, directories/), and runs each tool in sequence — writing every result to disk for later review.

Tools chained together:

  • CURL — HTTP headers → scans/curl.txt
  • NMAP — port and service scan → scans/nmap.txt
  • subfinder + assetfinder — passive subdomain enumeration → subdomains/found_subdomain.txt
  • httprobe — filters to alive subdomains → subdomains/alive_subdomains.txt
  • gowitness — screenshots of every alive subdomain → screenshots/
  • dirb / ffuf — directory enumeration (left commented in v1; ffuf with the DirBuster wordlist is what I personally use)

ASCII banners and color-coded [+] status lines mark each phase so the live output stays scannable as the script runs.

The script

#!/bin/bash

: <<'comment'
This handy recon tool combines a bunch of different methods
for finding subdomains, directories, and more. It helps you
get a clear picture of how a web application is set up,
making it easier to see the whole layout and spot any
potential issues.

Disclaimer:
This script is intended for educational purposes and authorized security testing only.
The author is not responsible for any misuse or damage caused by this tool.
Users are responsible for ensuring they have proper authorization before running
any security scans. Always verify the scope of your testing to ensure compliance
with relevant laws and policies.

By using this tool, you agree to use it responsibly and in accordance with all
applicable laws and regulations. The author disclaims all liability for any actions
taken based on the information provided by this tool.
comment

# Usage check: the target domain is the only argument
if [ -z "$1" ]; then
  echo "Usage: $0 <domain>" >&2
  exit 1
fi

# Declare variables
domain=$1
RED="\033[1;31m"
YELLOW="\033[0;33m"
WHITE="\033[0;37m"
RESET="\033[0m"
LINE="\033[0;37m----------------------------------------------------------\033[0m"

# Declare domain paths
subdomain_path=$domain/subdomains
screenshot_path=$domain/screenshots
scan_path=$domain/scans
directory_path=$domain/directories

# Initialize domain directories if needed (mkdir -p also creates $domain itself
# and is a no-op for directories that already exist)
mkdir -p "$subdomain_path" "$screenshot_path" "$scan_path" "$directory_path"

# Service Enum ASCII
echo -e "${YELLOW}
                  _
  ___ ___ _ ___ _(_)__ ___   ___ _ _ _  _ _ __
 (_-</ -_) '_\ V / / _/ -_) / -_) ' \ || | '  \\
 /__/\___|_|  \_/|_\__\___| \___|_||_\_,_|_|_|_|
${RESET}"
echo -e "$LINE"

# CURL Scan (response headers only; -sS hides the progress meter but still shows errors)
echo -e "${WHITE} [+] Executing CURL ... ${RESET}"
curl -sSI "$domain" > "$scan_path/curl.txt"

# NMAP Scan (PLEASE COMPLY WITH SCOPE RULES IF USING ON A LIVE SOURCE)
# Refer to the NMAP manual if trying to be less intrusive
echo -e "${WHITE} [+] Executing NMAP ... ${RESET}"
nmap "$domain" > "$scan_path/nmap.txt"

echo -e "$LINE"

# Directory Enum ASCII
# Feel free to use dirb or ffuf; I personally use ffuf with the DirBuster
# wordlists under /usr/share/wordlists/dirbuster/
echo -e "${YELLOW}
     _ _            _
  __| (_)_ _ ___ __| |_ ___ _ _ _  _   ___ _ _ _  _ _ __
 / _\` | | '_/ -_) _|  _/ _ \ '_| || | / -_) ' \ || | '  \\
 \__,_|_|_| \___\__|\__\___/_|  \_, | \___|_||_\_,_|_|_|_|
                                |__/
${RESET}"
echo -e "$LINE"

# dirb scan (disabled in v1: uncomment the dirb line to enable it)
echo -e "${WHITE} [+] Directory enumeration is disabled in v1 (uncomment dirb to enable) ... ${RESET}"
# dirb "https://$domain" > "$directory_path/dirb.txt"

# Subdomain Enumeration ASCII
# Feel free to use AMASS BUT IT TAKES WAYYY TOO LONG
echo -e "${YELLOW}
          _        _                _
  ____  _| |__  __| |___ _ __  __ _(_)_ _    ___ _ _ _  _ _ __
 (_-< || | '_ \/ _\` / _ \ '  \/ _\` | | ' \  / -_) ' \ || | '  \\
 /__/\_,_|_.__/\__,_\___/_|_|_\__,_|_|_||_| \___|_||_\_,_|_|_|_|
${RESET}"
echo -e "$LINE"

# subfinder (-silent keeps only the results on stdout)
echo -e "${WHITE} [+] Executing subfinder ... ${RESET}"
subfinder -silent -d "$domain" > "$subdomain_path/found_subdomain.txt"

# assetfinder (--subs-only drops results that are not subdomains of the target)
echo -e "${WHITE} [+] Executing assetfinder ... ${RESET}"
assetfinder --subs-only "$domain" >> "$subdomain_path/found_subdomain.txt"

# Find alive subdomains (httprobe)
# Dedupe first, then probe. -prefer-https only falls back to http when https
# fails, and the grep keeps the https hosts only (drop it to keep http-only hosts
# as well). The sed strips the scheme so the alive list is one bare hostname per
# line, and tee (not tee -a) keeps reruns from appending duplicates.
echo -e "${WHITE} [+] Finding alive subdomains (HTTPROBE) ... ${RESET}"
sort -u "$subdomain_path/found_subdomain.txt" | grep "$domain" \
  | httprobe -prefer-https | grep '^https' | sed 's#^https://##' \
  | tee "$subdomain_path/alive_subdomains.txt"

# Screenshot alive subdomains (gowitness)
# Reads the alive list rather than the raw found list; --no-http matches the
# https-only filtering above.
echo -e "${WHITE} [+] Taking screenshots of alive subdomains (GOWITNESS) ... ${RESET}"
gowitness file -f "$subdomain_path/alive_subdomains.txt" -P "$screenshot_path/" --no-http
echo -e "$LINE"

echo -e "${YELLOW}
   ___  ___   ___  ___    _   _   _  ___ _  ___ _
  / __|/ _ \ / _ \|   \  | | | | | |/ __| |/ / | |
 | (_ | (_) | (_) | |) | | |_| |_| | (__| ' <|_|_|
  \___|\___/ \___/|___/  |____\___/ \___|_|\_(_|_)
${RESET}"
echo -e "$LINE"
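One thing worth tightening in the subdomain stage: the script scopes results with grep on the bare domain, which is a substring match. For example.com it also passes notexample.com and example.com.evil.net, and anything out of scope that slips through gets probed and screenshotted. The block below is an added example, not part of Recon Script v1.0, showing an anchored scope filter that also normalises what enumeration tools tend to emit (URL schemes, paths, ports, mixed case, a leading "*.", trailing dots, duplicates). The function names and the sample host list are this example's own, constructed to include two out-of-scope look-alikes.

```bash
#!/bin/bash
# Added example (not part of Recon Script v1.0): an anchored scope filter for a
# merged subdomain list. grep "$domain" is a substring match, so for example.com
# it also passes notexample.com and example.com.evil.net. filter_in_scope keeps
# only hosts equal to the domain or ending in ".<domain>", after normalising
# schemes, paths, ports, case, a leading "*.", trailing dots and duplicates.
# Function and sample names are this example's own.

# filter_in_scope <domain>: reads candidate hosts/URLs on stdin, writes one bare
# in-scope hostname per line, de-duplicated.
filter_in_scope() {
  local domain="$1" esc
  # Escape the dots so "example.com" cannot match "exampleXcom".
  esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
  sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#/.*$##; s#:[0-9]+$##; s#^\*\.##; s#\.$##' \
    | tr 'A-Z' 'a-z' \
    | grep -E "(^|\\.)${esc}\$" \
    | sort -u
}

# Constructed sample of what merged subfinder + assetfinder output might look like,
# including two out-of-scope look-alikes that a substring grep would keep.
sample_input() {
  cat <<'EOF'
https://www.example.com/login
API.Example.com
mail.example.com:8443
notexample.com
example.com.evil.net
*.dev.example.com
example.com.
www.example.com
EOF
}

# count_in_scope: number of in-scope hosts left from the sample
count_in_scope() {
  sample_input | filter_in_scope example.com | wc -l | tr -d ' '
}

# Run directly to see the filtered list.
sample_input | filter_in_scope example.com
```

Dropping the two pipeline greps in the script in favour of a filter like this one (sort -u found_subdomain.txt | filter_in_scope "$domain") gives httprobe and gowitness a clean, in-scope, one-host-per-line list.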

Outcome

v1 turned an ad-hoc command sequence into a one-shot tool. Things I learned along the way: declaring user input, scaffolding directories programmatically, and chaining open-source recon tools without seams showing in the output.

The biggest pain point: when nothing prints for a while, there's no way to tell whether the script is hung or whether (e.g.) nmap is just slow on a particular target. v2.0 will tackle that — likely a progress indicator plus flags to opt in or out of specific phases.
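To make the hung-or-slow question answerable, the shape of a phase runner with a heartbeat and opt-out flags looks like the block below. This is an added illustration of the idea, not the author's v2 and not code from the recon script: run_phase, parse_flags, is_skipped and the --skip-<phase> flag names are this example's own, and the demo uses sleep as a stand-in for the real tools so it runs offline.

```bash
#!/bin/bash
# Added example, not code from Recon Script v1.0: a phase runner with a heartbeat
# and opt-out flags. run_phase <name> <heartbeat_secs> <command...> runs one recon
# phase in the foreground while a background loop reports elapsed time every few
# seconds, so a slow nmap looks different from a hung script. Phases named in
# SKIP (filled by parse_flags from --skip-<name> arguments) are not run at all.
# All names here are this example's own.

SKIP=""            # space-separated phase names to skip
PHASE_ELAPSED=0    # wall-clock seconds of the last phase that actually ran

# parse_flags "$@": accept --skip-<phase> flags, reject anything else
parse_flags() {
  SKIP=""
  for arg in "$@"; do
    case "$arg" in
      --skip-?*) SKIP="$SKIP ${arg#--skip-}" ;;
      *) echo "unknown flag: $arg" >&2; return 1 ;;
    esac
  done
  return 0
}

# is_skipped <phase>: succeeds when the phase was opted out of
is_skipped() {
  case " $SKIP " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# run_phase: returns the command's exit status, or 0 when the phase was skipped,
# so a caller can stop or continue on failure.
run_phase() {
  local name="$1" beat="$2"
  shift 2
  if is_skipped "$name"; then
    echo " [-] $name skipped (--skip-$name)" >&2
    return 0
  fi
  local start rc hb
  start=$(date +%s)
  echo " [+] $name started" >&2
  # Heartbeat: a background subshell that prints elapsed time until it is killed.
  (
    while :; do
      sleep "$beat"
      echo " [.] $name still running ($(( $(date +%s) - start ))s elapsed)" >&2
    done
  ) &
  hb=$!
  rc=0
  "$@" || rc=$?
  kill "$hb" 2>/dev/null || true
  wait "$hb" 2>/dev/null || true
  PHASE_ELAPSED=$(( $(date +%s) - start ))
  echo " [+] $name finished in ${PHASE_ELAPSED}s (exit $rc)" >&2
  return "$rc"
}

# Demo with constructed stand-ins (sleep) in place of the real tools.
demo() {
  parse_flags --skip-gowitness || return 1
  run_phase curl 1 sleep 0 || return 1
  run_phase nmap 1 sleep 2 || return 1    # heartbeat prints while this "scan" runs
  run_phase gowitness 1 sleep 0           # skipped via the flag
}

demo
```

In the real script each tool invocation would become a run_phase call (run_phase nmap 10 nmap "$domain" > "$scan_path/nmap.txt", and so on), with parse_flags reading everything after the domain argument.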

Resources