Lazyrecon - Tool To Automate Your Reconnaissance Process In An Organized Fashion

Lazyrecon is a subdomain discovery tool that finds and resolves valid subdomains then performs SSRF/LFI/SQLi fuzzing, brute-force and port scanning. It has a simple modular architecture and is optimized for speed while working with github and wayback machine.

  • Super fast asynchronous execution
  • CI/CD ready
  • HTML/pdf reports
  • Discord integration
  • Background listen server
  • Domain name, list of domains, IP, CIDR input - notations support
  • Teardown and program exit housekeeping


This script is intended to automate your reconnaissance process in an organized fashion by performing the following:

  • Creates a dated folder with recon notes for a target
  • Grabs subdomains using subfinder, assetfinder, gau, waybackurls, github-subdomains
  • Additionally finds new subdomains through alterations and permutations using dnsgen
  • Searches subnets and new assets using math Mode
  • Filters out live subdomains from a list of hosts using shuffledns
  • Checks 1-200,8000-10000 for http(s) probes using httpx
  • Gets visual part using headless chromium
  • Performs masscan on live servers
  • Scanns for known paths and CVEs using nuclei
  • Shots for SSRF/LFI/SQLi based on wayback machine's data
  • Checks for potential request smuggling vulnerabilities using smuggler
  • Performs ffuf supercharged by interlace using custom WordList based on the top10000.txt
  • Generates report and send it to Discord

The point is to get a list of live IPs (in form of socket addresses), attack available network protocols, check for common CVEs, perform very simple directory bruteforce then use provided reports for manual research.

  • Linux & Mac tested

python >= 3.7pip3 >= 19.0go >= 1.14

CI/CD way

You can use stateful/stateless build agent (worker). There is no additional time is required for provisioning. It may look tricky cause masscan/nmap/naabu root user required.

  1. Fill in these required environment variables inside: ./lazyconfig:
access token here export DISCORDWEBHOOKURL= # https://discord.com/api/webhooks/{webhook.id}/{webhook.token} export GOPATH=$HOMEDIR/go export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$HOME/go/bin:$HOMEDIR/go/bin export GO111MODULE=on ">
export HOMEUSER= # your normal, non root user: e.g.: kaliexport HOMEDIR= # user's home dir e.g.: /home/kaliexport STORAGEDIR= # where output saved, e.g.: ${HOMEDIR}/lazytargetsexport GITHUBTOKEN=XXXXXXXXXXXXXXXXXX # a personal access token hereexport DISCORDWEBHOOKURL= # https://discord.com/api/webhooks/{webhook.id}/{webhook.token}export GOPATH=$HOMEDIR/goexport PATH=$PATH:/usr/local/go/bin:$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$HOME/go/bin:$HOMEDIR/go/binexport GO111MODULE=on
  1. Enable new environment source ./lazyconfig
  2. Call sudo -E ./install.sh
  3. Execute sudo -E ./lazyrecon.sh "hackerone.com"

Github Actions way

Customize .github/workflows/test-recon-action.yaml using DISCORDWEBHOOKURL and GITHUBTOKEN secrets, enable --discord to receive a report:

  - name: Install & Recon    env:      GO111MODULE: on      DISCORDWEBHOOKURL: ${{ secrets.DISCORDWEBHOOKURL }}      GITHUBTOKEN: ${{ secrets.GITHUBTOKEN }}    run: |      export HOMEDIR=$HOME      export HOMEUSER=$RUNNER_USER      export STORAGEDIR="${HOMEDIR}"/lazytargets      sudo -E ./install.sh      sudo -E ./lazyrecon.sh "hackerone.com" --quiet --discord

Hard way

Config your environment variables and dependencies using INSTALL.MD

If you faced with some issues, feel free to join Discord, open PR or file the bug.


Execute with sudo because of masscan:

â–¶ sudo -E ./lazyrecon.sh tesla.com --wildcard
Parameter Description Example
--wildcard Subdomains reconnaissance '*.tesla.com' (default) ./lazyrecon.sh tesla.com --wildcard
--single One target instance 'tesla.com' ./lazyrecon.sh tesla.com --single
--ip Single IP of the target machine ./lazyrecon.sh --single --ip
--list List of subdomains to process for ./lazyrecon.sh "./testa.txt" --list
--cidr Perform network recon, CIDR notation ./lazyrecon.sh "" --cidr
--mad Wayback machine's stuff ./lazyrecon.sh tesla.com --mad
--fuzz SSRF/LFI/SQLi fuzzing ./lazyrecon.sh tesla.com --mad --fuzz
--alt Additionally permutate subdomains (*.tesla.com only) ./lazyrecon.sh tesla.com --wildcard --alt
--brute Basic directory bruteforce (time sensitive) ./lazyrecon.sh tesla.com --single --brute
--discord Send notifications to discord ./lazyrecon.sh tesla.com --discord
--quiet Enable quiet mode ./lazyrecon.sh tesla.com --quiet

  1. Use dnsperftest to know your best resolvers
  2. Run ./lazyrecon.sh
  3. Check output reports of chromium, nuclei, masscan, server_log, ssrf, lfi
  4. Explore file upload vulnerabilities
  5. Perform Google, Trello, Atlassian, Github, Bitbucket dorking
  6. Check JS sources for credentials, API endpoints
  7. Investigate XHR requests, fuzz parameters and variables
  8. Check exploit-db.com for target-specific CVE
  9. GET/POST Bruteforce for directories: fuzbo0oM-top10000 --> raft --> target specific
  10. Continue bruteforcing using custom Headers (X-Custom-IP-Authorization:; X-Original-URL:)
  11. Try bypass 401/403 errors using notable methods (%23, /%2e/, admin.php%2500.md etc)
  12. Look for XSS xsscrapy.py or XSSTRON


This project was inspired by original v1.0 Ben Sadeghipour and aimed to implement some of the best practices like Mechanizing the Methodology, TBHM, Subdomain Takeovers, Request Smuggling, SSRF, LFI and Bruteforce based on Custom wordlist.

Notable articles
  1. IDOR: https://www.aon.com/cyber-solutions/aon_cyber_labs/finding-more-idors-tips-and-tricks/?utm_source=newsletter&utm_medium=email&utm_campaign=bug_bytes_110_scope_based_recon_finding_more_idors_how_to_hack_sharepoint&utm_term=2021-02-17
  2. SSRF: https://notifybugme.medium.com/finding-ssrf-by-full-automation-7d2680091d68 and https://rez0.blog/hacking/2019/11/29/rce-via-imagetragick.html

  • aquatone replaced by headless chromium async script based on performance
  • Sublist3r replaced with subfinder based on Twitter discussion
  • nmap replaced with masscan based on its features and Twitter duscussion, use helpers/nmap_nse_ifile.sh by hands using masscan_output.gnmap as input
  • smuggler forked from its original aimed to get lightweight solution included this PR
  • grep meg's output for Location in order to exclude 301/302 status codes (replaced with httpx -fc 301,302 approach)
  • httpx -ip used without dnsprobe based on @pdiscoveryio Twitter answer
  • altdns used based on Scrutiny on the bug bounty
  • massdns fully replaced with shuffledns because of issue
  • bounty-targets-data
  • local listen server approach replaced with interactsh
  • WIP: you can track activity in Projects To Do board

Acknowledgement: This code was created for personal use with hosts you able to hack/explore by any of the known bug bounty program. Use it at your own risk.

Disqus Comments