GarudRecon is a comprehensive bash-based reconnaissance automation framework that streamlines the asset discovery and vulnerability assessment process for security professionals and bug bounty hunters. This tool orchestrates more than 80 open-source security tools to provide thorough reconnaissance capabilities across multiple attack vectors.
- Core Capabilities
- Flexible Reconnaissance Modes
- Advanced Features
- History
- Prerequisites
- Installation
- Quick Start
- Usage
- Configuration
- Troubleshooting
- FAQ
- Contributing
- Operating Systems Supported
- Tools
- Thanks
GarudRecon excels in automated discovery and vulnerability detection across several key areas:
Asset Discovery & Enumeration
- Subdomain enumeration using 20+ tools including subfinder, amass, and chaos
- Certificate transparency monitoring through multiple CT log sources
- DNS enumeration with advanced bruteforcing and permutation techniques
- Port scanning with naabu, masscan, and nmap integration
- Virtual host discovery and web technology fingerprinting
Vulnerability Detection
- Cross-Site Scripting (XSS) detection with multiple payload sets
- SQL injection testing through automated parameter fuzzing
- Local File Inclusion (LFI) and Remote Code Execution (RCE) checks
- Subdomain takeover vulnerability scanning
- Open redirect detection and validation
- Exposed .git directories and sensitive file discovery
The framework provides three distinct operational modes tailored to different engagement scopes:
- SmallScope Mode - Designed for focused subdomain reconnaissance (e.g., support.domain.com) with deep vulnerability analysis on a limited attack surface.
- MediumScope Mode - Comprehensive wildcard domain scanning (e.g., *.domain.com) with balanced coverage and performance optimization.
- LargeScope Mode - Organization-wide reconnaissance for maximum asset discovery and extensive vulnerability coverage.
- CidrScope Mode - ⚠️ Coming Soon - CIDR-based reconnaissance for IP range scanning
- Workflow Mode - Chain multiple tools into a reusable pipeline so you can run complex scans with a single command.
- Fleet Mode - Distribute work across many VPS instances: split input automatically and run workflows in parallel on 100+ hosts.
- CronJobs Mode - Schedule and monitor recurring recon tasks (subdomains, open ports, JS leaks, templates, alerts).
Automated Monitoring
- Continuous subdomain monitoring with change detection
- Port state change notifications
- JavaScript file monitoring for new endpoints
- Automated scheduled reconnaissance via cron integration
Intelligent Resource Management
- RAM-optimized configurations for different system specifications
- VPS deployment optimization settings
- Parallel processing with configurable thread limits
- Custom wordlist generation based on target characteristics
I originally created GarudRecon in 2022, but I later removed it after some API keys were accidentally leaked. Despite this, someone forked the project and preserved it here.
Afterwards, I experimented with rewriting GarudRecon in Python and Go, but I found the heavy string concatenation in those languages unappealing. In the end, I decided to return to Bash, which felt simpler and more natural for me.
Before installing GarudRecon, ensure you have:
- Root access (switch to root user, not sudo su)
- Bash shell (verify with echo $SHELL)
- Internet connection for downloading tools and dependencies
- Minimum 4GB RAM (8GB+ recommended for large scans)
- Sufficient disk space (at least 10GB free for tools and output)
Note: Switch to the root user first (instead of using sudo su) before running the installation command. This helps avoid permission and environment-related issues.
If any tool fails to install during the script execution, install it manually.
Make sure your shell is set to bash.
Note: Docker support is coming soon. For now, please use the Git Clone or prebuilt binaries installation method.
# Install directly via curl (recommended for quick setup)
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/setup)

# Or clone the repository with git
git clone --depth 1 https://github.com/rix4uni/GarudRecon.git
cd GarudRecon
bash setup

# Or download the v0.1.2 release archive
wget -q https://github.com/rix4uni/GarudRecon/archive/refs/tags/v0.1.2.zip
unzip v0.1.2.zip
# GitHub tag archives unpack to <repo>-<tag without the leading "v">
cd GarudRecon-0.1.2
bash setup
Note: The setup script automatically downloads and installs pre-built binaries from GarudReconBinary nightly releases for faster installation.
After installation, you can immediately start using GarudRecon:
# Small scope scan (single subdomain)
garudrecon smallscope -d support.example.com
# Medium scope scan (wildcard domain)
garudrecon mediumscope -d example.com
# Large scope scan (organization-wide)
garudrecon largescope -d example
# Workflow mode
garudrecon workflow ls
# CronJobs mode
garudrecon cronjobs -d example.com -f MONITOR_SUBDOMAIN
For more detailed usage examples, see the Usage section below.
GarudRecon uses configuration files located in configuration/ directory. The main configuration file is garudrecon.cfg.
- API Keys: Configure API keys for various services (subfinder, amass, chaos, etc.)
- Thread Limits: Adjust parallel processing threads based on your system resources
- Output Directories: Customize where scan results are stored
- Tool Paths: Specify custom paths if tools are installed in non-standard locations
To use a custom configuration file:
garudrecon mediumscope -d example.com -c /path/to/custom.cfg
SmallScope Mode
Quick recon for a single host or subdomain (e.g. support.domain.com).
Lightweight, fast checks, ideal for a single target when you want quick visibility without a full-scale scan.
Usage:
garudrecon smallscope [flags]
Flags:
-d, --domain Scan a domain (e.g. support.domain.com)
-ef, --exclude-functions Exclude a function from running (e.g. WAYMORE)
-rx, --recon-xss Run full recon with XSS checks
-rs, --recon-sqli Run full recon with SQLi checks
-rl, --recon-lfi Run full recon with LFI checks
-rst, --recon-subtakeover Run full recon with Subdomain Takeover checks
-rr, --recon-rce Run full recon with RCE checks
-ri, --recon-iis Run full recon with IIS checks
-c, --config Custom configuration file path
-r, --resume <scan_folder> Resume stopped/uncompleted scan from /root/.garudrecon/scans/<scan_folder> (e.g., --resume support.domain.com or --resume support.domain.com_1). Skips functions already completed in resume.cfg.
-h, --help help for smallscope
Example:
# Full recon
garudrecon smallscope -d support.domain.com
# Recon with XSS only
garudrecon smallscope -d support.domain.com -rx
# Recon with SQLi only
garudrecon smallscope -d support.domain.com -rs
# Exclude functions manually
garudrecon smallscope -d support.domain.com -ef "GOSPIDER,WAYMORE"
# Combined
garudrecon smallscope -d support.domain.com -rx -ef "WAYMORE"
# Skips functions already completed in resume.cfg.
garudrecon smallscope -d support.domain.com -rx --resume support.domain.com_1
MediumScope Mode
Moderate recon for a wildcard domain (e.g. *.domain.com) with optional vuln checks.
Balanced scan depth: discovers subdomains, does basic service/port checks and optional lightweight vulnerability checks.
Usage:
garudrecon mediumscope [flags]
Flags:
-d, --domain Scan a domain (e.g. domain.com)
-ef, --exclude-functions Exclude a function from running (e.g. AMASS)
-s, --recon-subdomain Run Subdomain Enumeration only
-a, --active Run Active Subdomain Enumeration also (e.g. puredns, altdns)
-su, --recon-subdomainurls Run Subdomain Enumeration + Url Crawling only
-rx, --recon-xss Run full recon with XSS checks
-rs, --recon-sqli Run full recon with SQLi checks
-rl, --recon-lfi Run full recon with LFI checks
-rst, --recon-subtakeover Run full recon with Subdomain Takeover checks
-rr, --recon-rce Run full recon with RCE checks
-ri, --recon-iis Run full recon with IIS checks
-oos, --outofscope Exclude outofscope subdomains from a list (e.g. domain.com.oos)
-c, --config Custom configuration file path
-r, --resume <scan_folder> Resume stopped/uncompleted scan from /root/.garudrecon/scans/<scan_folder> (e.g., --resume domain.com or --resume domain.com_1). Skips functions already completed in resume.cfg.
-h, --help help for mediumscope
Example:
# Full recon with all vulnerability scan
garudrecon mediumscope -d domain.com
# Recon Subdomain Enumeration only
garudrecon mediumscope -d domain.com -s
# Run Active Subdomain Enumeration also (e.g. puredns, altdns)
garudrecon mediumscope -d domain.com -s -a
# Recon Subdomain Enumeration + Url Crawling only
garudrecon mediumscope -d domain.com -su
# Recon with XSS only
garudrecon mediumscope -d domain.com -rx
# Recon with SQLi only
garudrecon mediumscope -d domain.com -rs
# Exclude functions manually
garudrecon mediumscope -d domain.com -ef "SUBFINDER,AMASS"
# Combined
garudrecon mediumscope -d domain.com -rx -ef "AMASS"
# Skips functions already completed in resume.cfg.
garudrecon mediumscope -d domain.com -rx --resume domain.com_1
LargeScope Mode
Full-scale recon for an organization.
Deep discovery and enumeration (subdomains, ports, asset correlation, extensive vuln checks) for comprehensive coverage.
Usage:
garudrecon largescope [flags]
Flags:
-d, --domain Scan a domain (e.g. domain)
-ef, --exclude-functions Exclude a function from running (e.g. AMASS)
-s, --recon-subdomain Run Subdomain Enumeration only
-a, --active Run Active Subdomain Enumeration also (e.g. puredns, altdns)
-su, --recon-subdomainurls Run Subdomain Enumeration + Url Crawling only
-rx, --recon-xss Run full recon with XSS checks
-rs, --recon-sqli Run full recon with SQLi checks
-rl, --recon-lfi Run full recon with LFI checks
-rst, --recon-subtakeover Run full recon with Subdomain Takeover checks
-rr, --recon-rce Run full recon with RCE checks
-ri, --recon-iis Run full recon with IIS checks
-oos, --outofscope Exclude outofscope subdomains from a list (e.g. domain.oos)
-c, --config Custom configuration file path
-r, --resume <scan_folder> Resume stopped/uncompleted scan from /root/.garudrecon/scans/<scan_folder> (e.g., --resume domain or --resume domain_1). Skips functions already completed in resume.cfg.
-h, --help help for largescope
Example:
# Full recon with all vulnerability scan
garudrecon largescope -d domain
# Recon Subdomain Enumeration only
garudrecon largescope -d domain -s
# Run Active Subdomain Enumeration also (e.g. puredns, altdns)
garudrecon largescope -d domain -s -a
# Recon Subdomain Enumeration + Url Crawling only
garudrecon largescope -d domain -su
# Recon with XSS only
garudrecon largescope -d domain -rx
# Recon with SQLi only
garudrecon largescope -d domain -rs
# Exclude functions manually
garudrecon largescope -d domain -ef "SUBFINDER,AMASS"
# Combined
garudrecon largescope -d domain -rx -ef "AMASS"
# Skips functions already completed in resume.cfg.
garudrecon largescope -d domain -rx --resume domain_1
CidrScope Mode
⚠️ Coming Soon: CIDR-based reconnaissance mode for IP range scanning is currently under development.
This mode will allow you to:
- Scan entire CIDR ranges for open ports and services
- Discover assets within IP ranges
- Perform vulnerability assessments on IP-based targets
Stay tuned for updates!
Coming soon
Workflow Mode
Chain multiple tools into a reusable pipeline so you can run complex scans with a single command.
Compose small steps (mapcidr → httpx → nuclei …) into one workflow file and execute it without manually installing or running each tool.
Usage:
garudrecon workflow [flags]
Flags:
-i, --input Pass the input
-o, --output Location where you want to save output
-v, --verbose enable verbose mode
-h, --help help for workflows
Example:
garudrecon workflow amass --input <domain> --output <file> [--verbose]
garudrecon workflow CVE-2025-0133 -i all.cidr -o CVE-2025-0133.nuclei
garudrecon workflow ls
garudrecon workflow ls [workflow]
garudrecon workflow cat [workflow]
garudrecon workflow add [workflow]
garudrecon workflow edit [workflow]
garudrecon workflow delete [workflow]
To check if all workflow JSON files are valid:
for f in workflow/*.json; do
  echo -n "Checking $f ... "
  jq empty "$f" && echo "✅ OK" || echo "❌ INVALID"
done
Fleet Mode
Note: Progress bar and enhanced monitoring features are included. Use fleetsetup to automate worker configuration.
- Create fleet.yaml configuration file:
# Create the configuration file
mkdir -p ~/.garudrecon
nano ~/.garudrecon/fleet.yaml
Add your credentials in YAML format:
worker:
- root@192.168.1.10:PASSWORD1
- root@192.168.1.11:PASSWORD2
- root@192.168.1.12:PASSWORD3
master:
- root@192.168.1.1:MASTER_PASSWORD
Note: To avoid single/double quotes problems with passwords, you can use the password encoder.
- Setup in master VPS:
Run this command directly on your master VPS (no need to clone the repo):
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/setup)
- Setup in workers (run this in master VPS):
After master setup is complete, run this command on the master VPS to automatically configure all workers. The fleetsetup script will:
- Install GarudRecon on all worker VPS instances
- Set up SSH keys for passwordless communication
- Test connectivity between master and workers
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/fleetsetup)
Note: Both setup and fleetsetup can be run directly via curl without cloning the repository.
Options:
- --skip-install - Skip GarudRecon installation (only setup SSH keys)
- --skip-keys - Skip SSH key setup (only install GarudRecon)
- --test-only - Only test connectivity (skip installation and key setup)
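fleet.yaml stores root SSH passwords in plain text, so it should be readable only by its owner and its contents should never reach logs or shared output. The following is an added example, not part of GarudRecon: it checks the file mode and prints a password-free host inventory, assuming the `user@host:password` entry layout shown above (function names are hypothetical; sample addresses and passwords are constructed).

```shell
#!/usr/bin/env bash
# Added example, not GarudRecon code. Assumes the fleet.yaml layout shown
# above: "- user@host:password" items under "worker:" and "master:".
# All function names are hypothetical.

# Print a file's octal permission bits (GNU stat first, BSD stat second).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when group and other have no permission bits (e.g. 600, 400).
is_private() {
  case "$(file_mode "$1")" in
    *00|0) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print "section user@host" per entry. Everything after the first colon is
# the password (which may itself contain colons) and is never printed.
list_hosts() {
  awk '
    /^[ \t]*(worker|master):/ { sec = $1; sub(/:.*/, "", sec); next }
    /^[ \t]*-[ \t]*/ {
      entry = $0
      sub(/^[ \t]*-[ \t]*/, "", entry)
      i = index(entry, ":")
      if (i > 0) entry = substr(entry, 1, i - 1)
      print sec, entry
    }' "$1"
}

# Tighten loose permissions, then print the redacted inventory.
audit_fleet() {
  [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
  if ! is_private "$1"; then
    echo "WARN: $1 has mode $(file_mode "$1"); tightening to 600" >&2
    chmod 600 "$1" || return 1
  fi
  list_hosts "$1"
}

# Constructed sample: documentation-range addresses and fake passwords.
demo=$(mktemp)
cat > "$demo" <<'EOF'
worker:
  - root@192.0.2.10:PASS:WITH:COLONS
  - root@192.0.2.11:PASSWORD2
master:
  - root@192.0.2.1:MASTER_PASSWORD
EOF
chmod 644 "$demo"     # simulate a world-readable credentials file
audit_fleet "$demo"   # warns on stderr, fixes the mode, prints hosts only
rm -f "$demo"
```

On a real master, call `audit_fleet ~/.garudrecon/fleet.yaml` instead of the demo file.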
Distribute work across many VPS instances: split input automatically and run workflows in parallel on 100+ hosts.
Use one command to shard data, push jobs to remote nodes, run the chosen workflow, and collect consolidated results. Perfect for massively-parallel scans.
Usage:
garudrecon fleet [flags]
Flags:
-i, --input Pass the input
-o, --output Location where you want to save output
-m, --module workflow name you want to run
-v, --verbose enable verbose mode
-h, --help help for workflows
Example:
garudrecon fleet -m <workflow> -i <wildcards> -o <file> [--verbose]
garudrecon fleet -m httpx -i subs.txt -o subs.httpx --verbose
garudrecon fleet -m subfinder -i wildcards.txt -o wildcards.subs
After setup, test with a simple scan:
# Create test input file
echo "example.com" > subs.txt
echo "test.example.com" >> subs.txt
# Run fleet test
garudrecon fleet -m httpx -i subs.txt -o subs.httpx --verbose
CronJobs Mode
Schedule and monitor recurring recon tasks (subdomains, open ports, JS leaks, templates, alerts).
Run continuous monitoring: periodic scans, delta detection, and notifications when new assets or issues appear.
Usage:
garudrecon cronjobs [flags]
Flags:
-d, --domain Domain to monitor
-f, --function Function to run (e.g. MONITOR_SUBDOMAIN)
-c, --config Custom configuration file path
-i, --interval Customize the sleep duration (e.g. 1800)
-v, --verbose enable verbose mode
-h, --help help for cronjobs
Example:
garudrecon cronjobs -d domain.com -f MONITOR_SUBDOMAIN
garudrecon cronjobs -d domain.com -f MONITOR_PORTS
garudrecon cronjobs -d domain.com -f MONITOR_ALIVESUBD
garudrecon cronjobs -d domain.com -f MONITOR_JS
garudrecon cronjobs -d domain.com -f MONITOR_JSLEAKS
Short commands
Short commands are automatically added to ~/.bashrc during installation:
gs="garudrecon smallscope"
gm="garudrecon mediumscope"
gl="garudrecon largescope"
gcidr="garudrecon cidrscope"
gw="garudrecon workflow"
gf="garudrecon fleet"
gc="garudrecon cronjobs"
Note: Demo videos and screenshots coming soon. Check the Usage section for output examples.
For visual demonstrations, see the output screenshots in each mode's section above.
Issue: Permission denied errors
- Solution: Make sure you're running as root user (not using sudo su). Switch to root with su - or sudo -i.
Issue: Tools not installing
- Solution: Install failed tools manually. Check the installation logs for specific errors. Ensure you have internet connectivity and sufficient disk space.
Issue: Bash not found
- Solution: Verify your shell is bash: echo $SHELL. If not, switch to bash: bash or chsh -s /bin/bash.
Issue: Scan stops or hangs
- Solution: Check system resources (RAM, disk space). Use -ef flag to exclude problematic functions. Use --resume to continue interrupted scans.
Issue: API rate limits
- Solution: Configure API keys in the configuration file to increase rate limits. Some tools have free tier limitations.
- Check existing Issues
- Create a new issue with:
- Error messages
- Command used
- System information
- Relevant logs
Q: Do I need to install all tools manually?
A: No, the setup script automatically installs most tools. If any tool fails, you'll need to install it manually.
Q: Can I run scans without root access?
A: Some tools require root access for certain operations (like port scanning). It's recommended to run as root.
Q: How long do scans typically take?
A: Scan duration is highly variable and depends on many factors:
- Target size: Number of subdomains, endpoints, and assets discovered
- Enabled tools: Which functions are included/excluded (via -ef flag or DEFAULT_EXCLUDE_FUNCS in config)
- Scan modes: NORMAL vs ADVANCED modes for various tools (configured in garudrecon.cfg)
- TIMELIMITX settings: Time limits set for individual tools (e.g., WAYMORE_TIMELIMITX="1h")
- RAM profile: System RAM determines which tools run (1g/2g profiles exclude many tools)
- System resources: CPU, RAM, disk I/O, and network speed
- API rate limits: Some tools are limited by API quotas
A small target with minimal tools might complete in minutes, while a large organization scan with all tools enabled could take days. Check your configuration file (garudrecon.cfg) to see which tools and modes are active.
Q: Can I pause and resume scans?
A: Yes! Use the --resume flag with the scan folder name to continue interrupted scans.
Q: How do I exclude specific tools from running?
A: Use the -ef flag: garudrecon mediumscope -d example.com -ef "AMASS,SUBFINDER"
Q: Where are scan results stored?
A: Results are stored in /root/.garudrecon/scans/<domain>/ by default.
Q: Can I customize which vulnerability checks run?
A: Yes, use flags like -rx for XSS, -rs for SQLi, -rl for LFI, etc. See the Usage section for details.
Contributions are welcome! Here's how you can help:
- Report Bugs: Open an issue with detailed information
- Suggest Features: Share your ideas for improvements
- Submit Pull Requests:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
- Follow existing code style and conventions
- Test your changes thoroughly
- Update documentation as needed
- Ensure backward compatibility when possible
For more details, see CONTRIBUTING.md (if available) or open an issue to discuss your contribution.
| OS | Supported | Easy Install | Tested |
|---|---|---|---|
| Ubuntu | β | β | Ubuntu 24.04 |
| Kali | β | β | Kali 2025.2 |
| Debian | β | β | β |
| Windows | β | β | WSL Ubuntu |
| MacOS | β | β | β |
| Arch Linux | β | β | β |
- subfinder
- amass
- subdog
- xsubfind3r
- findomain
- chaos
- github-subdomains
- bbot
- shosubgo
- assetfinder
- haktrails
- haktrailsfree
- org2asn
- ipfinder
- arinrange
- spk
- analyticsrelationships
- udon
- builtwithsubs
- whoxysubs
- waymore
- hakrawler
- waybackurls
- katana
- gau
- gospider
- uforall
- cariddi
- urlfinder
- github-endpoints
- xurlfind3r
- xcrawl3r
- crawley
- GoLinkFinder
- galer
- gourlex
- pathfinder
- pathcrawler
- roboxtractor
- robotxt
Hidden Parameter
- dig (built-in system tool)
- ftpx
- s3scanner
- vulntechfinder
- pvreplace
- xsschecker
- pyxss
- gosqli
- commix
- goop
- trufflehog
- mantra
- shortscan
- linkinspector
- brutespray
Thanks for creating awesome tools
rix4uni
- gocl
- gobuild
- subdog
- stoppiracy
- oosexclude
- emailextractor
- nsfwdetector
- querygen
- haktrailsfree
- org2asn
- vulntechfinder
- sftpsender
- wordcount
- whoxysubs
- techfinder
- ip2org
- certinfo
- xsschecker
- xssrecon
- gosqli
- portmap
- tldscan
- paramfinder
- Gxss
- msarjun
- socialfinder
- waybackurlsx
- originiphunter
- GoLinkFinder
- linkinspector
- wordgen
- bbpscraper
- pvreplace
- ftpx
- subzy
- timelimitx
- jscrawler
- robotxt
- pathcrawler
- uforall
- emailfinder
- favinfo
- dlevel
- subdomainfuzz
- cspfinder
- dirless
- gitxpose
- bxssreplace
- ipfinder
- https://xmind.app/m/hKKexj
- https://x.com/ADITYASHENDE17/status/1527294113552297986
- https://youtu.be/rbyifgOQIrc?t=17m38s
See CHANGELOG.md for detailed version history and updates.
Note: Changelog file coming soon. Check releases for version updates.
See Mindmap in different format mindmap