Recon Dominator
Automated full-scope reconnaissance from a single domain or domain list.
What It Does
Passive and active reconnaissance covering DNS, WHOIS, SSL/TLS, subdomain enumeration, port scanning, technology fingerprinting, OSINT correlation, Google dorking, and Wayback Machine analysis. Produces a structured attack surface inventory ready for enumeration and exploitation phases.
Scripts
| Script | Description |
|---|---|
| passive_recon | OSINT gathering — DNS records, WHOIS, SSL certs, search engine data |
| active_recon | Active scanning — subdomain enumeration, service detection, alive-host probing |
| port_scanner | TCP/UDP port scanning with service version fingerprinting |
| tech_fingerprint | Technology stack detection — headers, cookies, JS libs, server hints |
| google_dorker | Automated Google dorking for exposed files, dirs, and sensitive data |
| osint_correlator | Cross-source OSINT correlation — emails, social profiles, leaked creds |
| wayback_analyzer | Wayback Machine analysis — historical endpoints, forgotten params, old JS |
| tls_analyzer | TLS certificate analysis — SANs, issuer, expiry, cipher suites |
| generate_report | Structured recon report with asset inventory and next-phase recommendations |
When to Use
Use at the start of any engagement when given a domain or domain list. Run passive recon first, then active. Output feeds directly into webapp-exploit-hunter, api-breaker, and cloud-pivot-finder.
Usage
RedTeamScript(skill="recon-dominator", script="passive_recon", args="--domain example.com --output results.json")