GarudRecon - Recon Automation Framework
GarudRecon is an automated reconnaissance framework designed for asset discovery, vulnerability detection, and continuous monitoring. It leverages a wide range of open-source tools to scan domains, collect subdomains, and check for various vulnerabilities such as:
- XSS (Cross-Site Scripting)
- SQLi (SQL Injection)
- LFI (Local File Inclusion)
- RCE (Remote Code Execution)
- IIS misconfigurations
- Subdomain Takeover
- Open Redirects
- Swagger UI exposures
- .git directory leaks
- JavaScript secrets and more.
The tool supports scoped recon with flexible modes like smallscope, mediumscope,
and largescope, depending on your coverage needs. You can customize scans,
exclude specific functions, provide configuration files, and automate cron jobs
for continuous monitoring.
I created GarudRecon in 2022 but I deleted because some of api keys leaked here someone forked GarudRecon
After that i tried in python, golang but i did'nt liked "String Concatenation", so i came back to bash again.
Note: Switch to the root user first (instead of using
sudo su) before running the installation command.
This helps avoid permission and environment-related issues.If any tool fails to install during the script execution, install it manually.
Make sure your shell is set to bash.
- If you getting this error
# Then install go manually
curl -s "https://gist.githubusercontent.com/rix4uni/c412ca956ea3bfa114bf4b615a9762bc/raw/91e9c8c93afbad3f16bdc41eb581f3e428dea9df/go.sh" | bash && source ~/.bashrc
# Now run this command
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/configure)
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/configure)
- Very help if we installing on github actions or 100 1GB vps
👉 Non-interactive without update:
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/configure) 5
# Executes: garudrecon install -f CRONJOBS👉 Non-interactive with update:
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/configure) 5 --update
# Executes: garudrecon install -f CRONJOBS --update👉 Interactive mode (no args):
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/configure)
# Interactive prompts as beforewget -q https://github.com/rix4uni/GarudRecon/archive/refs/tags/v0.1.1.zip
unzip v0.1.1.zip
cd GarudRecon
bash configure
git clone --depth 1 https://github.com/rix4uni/GarudRecon.git
cd GarudRecon
bash configure
👉 Non-interactive without update:
bash configure 5
# Executes: garudrecon install -f CRONJOBS👉 Non-interactive with update:
bash configure 5 --update
# Executes: garudrecon install -f CRONJOBS --update👉 Interactive mode (no args):
bash configure
# Interactive prompts as beforegarudrecon -h
GarudRecon - Recon Automation Framework
GarudRecon is an automated reconnaissance framework designed for asset discovery,
vulnerability detection, and continuous monitoring. It leverages a wide range of
open-source tools to scan domains, collect subdomains, and check for various
vulnerabilities such as:
• XSS (Cross-Site Scripting)
• SQLi (SQL Injection)
• LFI (Local File Inclusion)
• RCE (Remote Code Execution)
• IIS misconfigurations
• Subdomain Takeover
• Open Redirects
• Swagger UI exposures
• .git directory leaks
• JavaScript secrets and more.
The tool supports scoped recon with flexible modes like smallscope, mediumscope,
and largescope, depending on your coverage needs. You can customize scans,
exclude specific functions, provide configuration files, and automate cron jobs
for continuous monitoring.
Usage:
garudrecon [command]
Available Commands:
install Set up the tool and dependencies
smallscope Run minimal recon for subdomain (e.g. support.domain.com)
mediumscope Perform moderate recon with optional vulnerability checks for wildcard domain (e.g. *.domain.com)
largescope Full-scale recon for deep visibility for organisation
cronjobs Automate recurring recon tasks
Flags:
-h, --help help for garudrecon
-v, --version Display the current version
Use "garudrecon [command] --help" for more information about a command.
garudrecon install -h
This command sets up GarudRecon by installing the required tools and dependencies for a specified reconnaissance function. It supports installation for various predefined scopes such as SMALLSCOPE, MEDIUMSCOPE, LARGESCOPE, WORKFLOW, and CRONJOBS, or you can install everything at once using ALL.
You can also provide a custom configuration file and enable verbose output for more detailed installation logs.
Usage:
garudrecon install [flags]
Flags:
-f, --function Function to run (e.g. MEDIUMSCOPE)
-c, --config Custom configuration file path
-up, --update Update all tools to latest version
-v, --verbose enable verbose mode
-h, --help help for install
Example:
garudrecon install -f SMALLSCOPE
garudrecon install -f MEDIUMSCOPE
garudrecon install -f LARGESCOPE
garudrecon install -f WORKFLOW
garudrecon install -f CRONJOBS
garudrecon install -f ALL
garudrecon install -f ALL --update
garudrecon smallscope -h
Performs a minimal reconnaissance on the target domain, typically scoped as support.domain.com. This includes port scanning, url crawling, vulnerability checks (like XSS, SQLi, LFI, etc.).
Usage:
garudrecon smallscope [flags]
Flags:
-d, --domain Scan a domain (e.g. support.domain.com)
-ef, --exclude-functions Exclude a function from running (e.g. WAYMORE)
-rx, --recon-xss Run full recon with XSS checks
-rs, --recon-sqli Run full recon with SQLi checks
-rl, --recon-lfi Run full recon with LFI checks
-rst, --recon-subtakeover Run full recon with Subdomain Takeover checks
-rr, --recon-rce Run full recon with RCE checks
-ri, --recon-iis Run full recon with IIS checks
-c, --config Custom configuration file path
-r, --resume <scan_folder> Resume stopped/uncompleted scan from /root/.garudrecon/scans/<scan_folder> (e.g., --resume support.domain.com or --resume support.domain.com_1). Skips functions already completed in resume.cfg.
-h, --help help for smallscope
Example:
# Full recon
garudrecon smallscope -d support.domain.com
# Recon with XSS only
garudrecon smallscope -d support.domain.com -rx
# Recon with SQLi only
garudrecon smallscope -d support.domain.com -rs
# Exclude functions manually
garudrecon smallscope -d support.domain.com -ef "GOSPIDER,WAYMORE"
# Combined
garudrecon smallscope -d support.domain.com -rx -ef "WAYMORE"
# Skips functions already completed in resume.cfg.
garudrecon smallscope -d support.domain.com -rx --resume support.domain.com_1
garudrecon mediumscope -h
Performs a medium-level reconnaissance on the target domain, typically scoped as *.domain.com. This includes subdomain enumeration, vulnerability checks (like XSS, SQLi, LFI, etc.), and optional filtering of out-of-scope subdomains.
Usage:
garudrecon mediumscope [flags]
Flags:
-d, --domain Scan a domain (e.g. domain.com)
-ef, --exclude-functions Exclude a function from running (e.g. AMASS)
-s, --recon-subdomain Run Subdomain Enumeration only
-a, --active Run Active Subdomain Enumeration also (e.g. puredns, altdns)
-su, --recon-subdomainurls Run Subdomain Enumeration + Url Crawling only
-rx, --recon-xss Run full recon with XSS checks
-rs, --recon-sqli Run full recon with SQLi checks
-rl, --recon-lfi Run full recon with LFI checks
-rst, --recon-subtakeover Run full recon with Subdomain Takeover checks
-rr, --recon-rce Run full recon with RCE checks
-ri, --recon-iis Run full recon with IIS checks
-oos, --outofscope Exclude outofscope subdomains from a list (e.g. domain.com.oos)
-c, --config Custom configuration file path
-r, --resume <scan_folder> Resume stopped/uncompleted scan from /root/.garudrecon/scans/<scan_folder> (e.g., --resume domain.com or --resume domain.com_1). Skips functions already completed in resume.cfg.
-h, --help help for mediumscope
Example:
# Full recon with all vulnerability scan
garudrecon mediumscope -d domain.com
# Recon Subdomain Enumeration only
garudrecon mediumscope -d domain.com -s
# Run Active Subdomain Enumeration also (e.g. puredns, altdns)
garudrecon mediumscope -d domain.com -s -a
# Recon Subdomain Enumeration + Url Crawling only
garudrecon mediumscope -d domain.com -su
# Recon with XSS only
garudrecon mediumscope -d domain.com -rx
# Recon with SQLi only
garudrecon mediumscope -d domain.com -rs
# Exclude functions manually
garudrecon mediumscope -d domain.com -ef "SUBFINDER,AMASS"
# Combined
garudrecon mediumscope -d domain.com -rx -ef "AMASS"
# Skips functions already completed in resume.cfg.
garudrecon mediumscope -d domain.com -rx --resume domain.com_1
garudrecon workflow -h
Run workflow scan (e.g. 1 vuln on all programs like mass vuln scan).
Usage:
garudrecon workflow [flags]
Flags:
-i, --input Pass the input
-o, --output Location where you want to save output
-v, --verbose enable verbose mode
-h, --help help for cronjobs
Example:
garudrecon workflow amass --input <domain> --output <file> [--verbose]
garudrecon workflow ls
garudrecon workflow ls [module]
garudrecon workflow cat [module]
garudrecon workflow add [module]
garudrecon workflow edit [module]
garudrecon workflow delete [module]
Check invalid
for f in modules/*.json; do
echo -n "Checking $f ... "
jq empty "$f" && echo "✅ OK" || echo "❌ INVALID"
done
garudrecon cronjobs -h
This command runs scheduled reconnaissance tasks on a specified domain, such as monitoring subdomains, ports, JavaScript files, and live hosts. It supports various monitoring functions and can be customized with configuration files and verbose output.
Usage:
garudrecon cronjobs [flags]
Flags:
-d, --domain Domain to monitor
-f, --function Function to run (e.g. MONITOR_SUBDOMAIN)
-c, --config Custom configuration file path
-i, --interval Customize the sleep duration (e.g. 1800)
-v, --verbose enable verbose mode
-h, --help help for cronjobs
Example:
garudrecon cronjobs -d domain.com -f MONITOR_SUBDOMAIN
garudrecon cronjobs -d domain.com -f MONITOR_PORTS
garudrecon cronjobs -d domain.com -f MONITOR_ALIVESUBD
garudrecon cronjobs -d domain.com -f MONITOR_JS
garudrecon cronjobs -d domain.com -f MONITOR_JSLEAKS
| OS | Supported | Easy Install | Tested |
|---|---|---|---|
| Ubuntu | ✅ | ✅ | Ubuntu 24.04 |
| Kali | ✅ | ✅ | Kali 2025.2 |
| Debian | ✅ | ✅ | ❌ |
| Windows | ✅ | ✅ | WSL Ubuntu |
| MacOS | ✅ | ✅ | ❌ |
| Arch Linux | ✅ | ❌ | ❌ |
| NAME | 1GB RAM | 2GB RAM | 4GB RAM | 6GB RAM | 8GB RAM | 16GB RAM |
|---|---|---|---|---|---|---|
| BBOT | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| ONEFORALL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| KAEFERJAEGER | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| TRICKESTCLOUD | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| DNSXBRUTE | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| SUBWIZ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| RECURSIVESUBENUM | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| ALTDNS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| PUREDNS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| ALTERX | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| GOTATOR | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| DNSGEN | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| GOALTDNS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| RIPGEN | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| DMUT | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| DNSCEWL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| ALLSUBDOMAINPERMUTATIONS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| MANUAL_SUBDOMAIN_RESOLVING | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| PUREDNS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| SHUFFLEDNS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| MASSDNS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| FFUFBRUTE | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| FFUFVHOST | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| GOWITNESS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| AQUATONE | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| EYEWITNESS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| HTTPX_SS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| FFUFDIRENUM | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| DIRSEARCH | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| FEROXBUSTER | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| WFUZZ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| CRAWLEY | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| GALER | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| MSARJUN | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| X8 | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| CEWL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| UNFURL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| CUSTOM_PARAM | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| COOK | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| PYDICTOR | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| FFUF_CUSTOM_PARAM | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| VULNTECHX | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
| PYXSS | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
- BugBountyData
- subfinder
- amass
- subdog
- xsubfind3r
- findomain
- chaos
- github-subdomains
- bbot
- oneforall
- shosubgo
- assetfinder
- haktrails
- haktrailsfree
- org2asn
- ipfinder
- ipranges
- arinrange
- spk
- analyticsrelationships
- udon
- builtwithsubs
- whoxysubs
- kaeferjaeger
- trickestcloud
- cero
- certinfo
- csprecon
- cspfinder
- jsubfinder
- dnsxbrute
- subwiz
- altdns
- puredns
- alterx
- gotator
- dnsgen
- goaltdns
- ripgen
- dmut
- puredns
- shuffledns
- massdns
- dnsx
- naabu
- masscan
- rustscan
- nmap
- httpx
- subdomainfuzz
- ffuf
- favinfo
- favirecon
- gowitness
- aquatone
- eyewitness
- httpx
- ffuf
- dirsearch
- feroxbuster
- wfuzz
- emailfinder
- waymore
- hakrawler
- waybackurls
- katana
- gau
- gospider
- uforall
- cariddi
- urlfinder
- github-endpoints
- xurlfind3r
- xcrawl3r
- crawley
- GoLinkFinder
- galer
- gourlex
- pathfinder
- pathcrawler
- roboxtractor
- robotxt
- gorker
- subjs
- getJS
- jscrawler
- jsfinder
- javascript-deobfuscator
- linkfinder
- xnLinkFinder
- getjswords
- sourcemapper
- linx
- jsluice
Hidden Parameter
- paramfinder
- msarjun
- x8
- cewl
- unfurl
- cook
- pydictor
- subzy
- nuclei
- mx-takeover
- dnstake
- dig
- ftpx
- sshx
- s3scanner
- vulntechx
- pvreplace
- xsschecker
- pyxss
- gosqli
- commix
- goop
- pdftotext
- trufflehog
- secretfinder
- mantra
- shortscan
- linkinspector
- brutespray
Thanks for creating awesome tools
- https://xmind.app/m/hKKexj
- https://x.com/ADITYASHENDE17/status/1527294113552297986
- https://youtu.be/rbyifgOQIrc?t=17m38s
See Workflow in different format Workflow
