A tool to help you scan infrastructure. It scans a batch of sites and writes the results to a separate directory for each site analyzed.
Let us do the important but tedious job of mapping the network and doing the reconnaissance. After that, just read the outputs and try to hack them!
Medium post (in Spanish): Do Recon Raccoon Tool - A tool for automated reconnaissance in penetration testing
In order:
- Create a log file for all the assets
  - In case of any error or interruption, you can trace the bug to fix it
- Check the interfaces available in the system
  - Keeps visibility of the network interfaces used during the process
- Create a directory for each asset scanned
  - All the evidence will be organized in its own directory
- Run an nslookup query
  - Maps the domain name and IP addresses
- Run a traceroute
  - An easy way to trace the path of packets across a network and a simple way to identify when the asset isn't reached correctly
- Run an nmap --top-ports scan
  - A faster scan that gives you information to start working on the manual scan
- Run an nmap -sV scan, just for the discovered open ports
  - A faster scan that gives you information to start working on the manual scan
- Run an nmap scan of all ports
  - A complete scan of the asset
- Run an nmap -sC scan, just for the discovered open ports
  - A deep scan of the asset
- Run an nmap --script vuln scan on the discovered open ports
  - A deep scan of the asset to find vulnerabilities
- Make reports:
  - All open ports
  - All open ports with versions
  - CVEs reported by nmap (beta)

Requirements:
- nmap
- traceroute
- nslookup

Install requirements
sudo apt update && sudo apt install nmap traceroute dnsutils

Run from the cloned repository
git clone https://github.com/elcaza/do_recon.git
cd do_recon
./do_recon.sh input_file.txt

Install to /usr/local/bin
git clone https://github.com/elcaza/do_recon.git
cd do_recon
sudo cp do_recon.sh /usr/local/bin/
do_recon.sh input_file.txt

Uninstall
sudo rm /usr/local/bin/do_recon.sh

Stop
./do_recon.sh stop

Reset
* Deletes all folders and log files in the current path, be careful!
./do_recon.sh reset

├── 10-03-2025.log
├── 1.scanme.nmap.org
│ ├── 1.scanme.nmap.org_1000.gnmap
│ ├── 1.scanme.nmap.org_1000.nmap
│ ├── 1.scanme.nmap.org_1000.xml
│ ├── 1.scanme.nmap.org_all_ports.gnmap
│ ├── 1.scanme.nmap.org_all_ports.nmap
│ ├── 1.scanme.nmap.org_all_ports.xml
│ ├── 1.scanme.nmap.org_nslookup.txt
│ ├── 1.scanme.nmap.org_sc.gnmap
│ ├── 1.scanme.nmap.org_sc.nmap
│ ├── 1.scanme.nmap.org_script_vulnes.gnmap
│ ├── 1.scanme.nmap.org_script_vulnes.nmap
│ ├── 1.scanme.nmap.org_script_vulnes.xml
│ ├── 1.scanme.nmap.org_sc.xml
│ ├── 1.scanme.nmap.org_sv.gnmap
│ ├── 1.scanme.nmap.org_sv.nmap
│ ├── 1.scanme.nmap.org_sv.xml
│ ├── 1.scanme.nmap.org_traceroute.txt
│ └── open_top_ports.txt
├── 2.demo.testfire.net
│ ├── 2.demo.testfire.net_1000.gnmap
│ ├── 2.demo.testfire.net_1000.nmap
│ ├── 2.demo.testfire.net_1000.xml
│ ├── 2.demo.testfire.net_all_ports.gnmap
│ ├── 2.demo.testfire.net_all_ports.nmap
│ ├── 2.demo.testfire.net_all_ports.xml
│ ├── 2.demo.testfire.net_nslookup.txt
│ ├── 2.demo.testfire.net_sc.gnmap
│ ├── 2.demo.testfire.net_sc.nmap
│ ├── 2.demo.testfire.net_script_vulnes.gnmap
│ ├── 2.demo.testfire.net_script_vulnes.nmap
│ ├── 2.demo.testfire.net_script_vulnes.xml
│ ├── 2.demo.testfire.net_sc.xml
│ ├── 2.demo.testfire.net_sv.gnmap
│ ├── 2.demo.testfire.net_sv.nmap
│ ├── 2.demo.testfire.net_sv.xml
│ ├── 2.demo.testfire.net_traceroute.txt
│ └── open_top_ports.txt
├── report
│ ├── all_cve_beta.txt
│ ├── all_open_ports.txt
│ └── all_open_ports_version.txt

Each line of the input file requires a numeric ID and a dot (.) before the site:
1.site1.com
2.site2.org.com
3.anothersite.com
4.example.com
5.example2.com
6.other.es
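
One way to check an input file against this page's format rules before handing it to do_recon.sh, as an added example that is not part of the do_recon project. The function names are hypothetical; the rules are the README's (numeric ID, dot, bare host; no /, /path, http:// or https://), plus an assumed restriction of the host to letters, digits, dots and hyphens with no leading hyphen, so that a line cannot be read as a command-line option.

```shell
#!/bin/sh
# Added example, not part of do_recon: pre-flight check of an input file.
# Rules from the README: "<numeric ID>.<host>", no scheme, no "/" or path.

# check_target LINE: returns 0 if the line is acceptable, otherwise prints
# the reason on stdout and returns 1.
check_target() {
    line=$1
    case $line in
        *://*) echo "scheme not allowed"; return 1 ;;
        */*)   echo "slash or path not allowed"; return 1 ;;
        *.*)   ;;
        *)     echo "missing '<ID>.' prefix"; return 1 ;;
    esac
    id=${line%%.*}    # text before the first dot
    host=${line#*.}   # text after the first dot
    case $id in
        ''|*[!0-9]*) echo "ID must be numeric"; return 1 ;;
    esac
    case $host in
        # A leading "-" would reach nmap/traceroute as an option, not a target.
        -*) echo "host starts with '-'"; return 1 ;;
        ''|.*|*..*|*.|*[!A-Za-z0-9.-]*) echo "invalid host name"; return 1 ;;
    esac
    return 0
}

# validate_targets FILE: reports each bad line on stderr, prints the number
# of bad lines on stdout, and returns non-zero if there were any.
validate_targets() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        if ! reason=$(check_target "$line"); then
            printf 'line %d: %s: %s\n' "$n" "$reason" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample input: two valid lines, three that break the rules.
sample=$(mktemp)
printf '%s\n' 1.site1.com 2.site2.org.com https://3.anothersite.com \
    4.example.com/path 5.-example2.com > "$sample"
validate_targets "$sample" || echo "fix the lines above before scanning"
rm -f "$sample"
```

Running the check first also keeps the scan inside the intended scope: a line that fails is never passed to nmap as a target.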
Do not use in input file:
/
/path
http://
https://

### Setting log file
LOGFILE=$(date '+%d-%m-%Y')".log"
### Setting the new line separator
NEW_LINE="======================================="
### Scan options (true || false)
CHECK_INTERFACE=true
CREATE_DIRECTORY=true
DO_NSLOOKUP=true
DO_TRACE=true
DO_NMAP_TOP_PORTS=true
DO_NMAP_SV=true
DO_NMAP_ALL_PORTS=true
DO_NMAP_SC=true
DO_NMAP_SCRIPT_VULNES=true
REPORT_ALL_OPEN_PORTS=true
### Variables for the nmap scan
NMAP_DELAY=5
+ Delay in seconds before running another nmap scan
NMAP_TIMEOUT=0
+ Timeout 0 = no timeout. Any other value is the timeout in seconds
TOP_PORTS=1000
MAX_RETRIES=1
MIN_RATE=500
T=-T3
+ -T0, -T1, -T2, -T3, -T4, -T5
+ Default -T3

# $DO_NMAP_TOP_PORTS
timeout $NMAP_TIMEOUT nmap --vv $T -Pn --open --top-ports $TOP_PORTS --max-retries $MAX_RETRIES -oA $FILE"_"$TOP_PORTS $SITE
# $DO_NMAP_SV
timeout $NMAP_TIMEOUT nmap --vv $T -Pn --open -sV --max-retries $MAX_RETRIES -p $PORTS -oA $FILE"_sv" $SITE
# $DO_NMAP_ALL_PORTS
timeout $NMAP_TIMEOUT nmap --vv $T -Pn --open -p- --max-retries $MAX_RETRIES --min-rate $MIN_RATE -oA $FILE"_all_ports" $SITE
# $DO_NMAP_SC
timeout $NMAP_TIMEOUT nmap --vv $T -Pn --open -sV -sC --max-retries $MAX_RETRIES -p $PORTS -oA $FILE"_sc" $SITE
# $DO_NMAP_SCRIPT_VULNES
timeout $NMAP_TIMEOUT nmap --vv $T -Pn --open -sV --script vuln --max-retries $MAX_RETRIES -p $PORTS -oA $FILE"_script_vulnes" $SITE