Reconnoitre – Open-Source Reconnaissance and Service Enumeration Tool
Published 2025-11-10 01:0:0. Author: www.darknet.org.uk

Reconnoitre is an open-source reconnaissance tool that automates multithreaded information gathering and service enumeration. It structures your results, generates follow-up recommendations, and is widely used in OSCP-style labs and red team environments. Built by Codingo, it focuses on reliable, repeatable recon automation.


Overview

Reconnoitre removes the manual overhead from early-stage reconnaissance. It performs host discovery, port and service scanning, directory setup, and next-step generation. The tool outputs a consistent directory layout with scans, notes, and proof files — enabling structured recon and easier collaboration across teams.

Features

  • Multithreaded scanning for fast host and service enumeration.
  • Automatic directory structure — creates per-host folders for scans, loot, and proofs.
  • Protocol coverage including TCP, UDP, SNMP, and virtual host discovery.
  • Built for training and red-team use — integrates into lab-style workflows (e.g., OSCP, HTB, Proving Grounds).
  • Open source and actively maintained under GPL-3.0.

Installation

The installation commands below are taken verbatim from the project’s README. Run them only in authorised test environments.

# Clone the repository
git clone https://github.com/codingo/Reconnoitre.git

# Install the tool into your environment
python3 setup.py install

# Once installed, run Reconnoitre
reconnoitre <args>

Usage

These usage examples are also taken verbatim from the README. Adjust paths and scopes to your environment before running.


# Basic usage
Usage:
  reconnoitre -t TARGET_HOSTS -o OUTPUT_DIRECTORY [options]

Examples:
# Scan a single host, create directories and discover services:
reconnoitre -t 192.168.1.5 -o /root/Documents/labs/ --services

# Common flags:
-h, --help                 Display help message and exit
-t TARGET_HOSTS            Set a single host, IP range, or file containing hosts.
-o OUTPUT_DIRECTORY        Directory where results are written.
-w WORDLIST                Optional custom wordlist for compiled commands or attacks.
--pingsweep                Discover live hosts via ping sweep.
--dns, --dnssweep          Find DNS servers among targets.
--snmp                     Discover SNMP hosts.
--services                 Perform a service scan and write recommendations.
--hostnames                Identify target hostnames and write to hostnames.txt.
--virtualhosts             Discover virtual hosts using the wordlist.
--quiet                    Suppress headers, output only essential data.
--quick                    Run a quick scan and move to next target.
--no-udp                   Disable UDP scanning.

Attack Scenario

Objective: build a structured reconnaissance baseline for internal labs or early engagement mapping.

  1. Deploy Reconnoitre on an isolated analysis host or VM.
  2. Run a ping sweep to find live targets using --pingsweep, then launch --services to enumerate ports and protocols.
  3. Review generated per-host folders for findings, nmap results, and suggested follow-up commands.
  4. Validate open services manually using tools like Nmap or the dnmap distributed Nmap framework.

Red Team Relevance

Reconnoitre provides a baseline for reconnaissance standardisation. New operators can run consistent scans, store data in predictable structures, and hand off results cleanly to exploitation teams. It is beneficial for OSCP preparation and internal red-team exercises, where disciplined recon improves efficiency.

Extend its outputs with automation or combine it with broader recon aggregators such as Sn1per for multi-phase scanning. Use results as feed data for scripting frameworks or dashboards that track discovered hosts and services.

Detection and Mitigation

  • Monitor scanning patterns: alert on aggressive TCP/UDP enumeration and host sweeps matching Reconnoitre’s cadence.
  • Limit egress: restrict network ranges accessible from CI or developer machines to prevent misuse of internal scanners.
  • Deploy honeypots: detect and fingerprint scanners through bait services to generate indicators of compromise.
  • Track fingerprints: log port-scan metadata (user-agent strings, Nmap signatures, timing) for future correlation.
  • Harden pipelines: use CI/CD gating tools like Anteater to prevent unauthorised scanner installs.
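As an added example (not Reconnoitre's code and not from the original article), the Python script below implements the first bullet: it reads constructed firewall-style connection log lines and flags a source that touches many distinct ports on one host or many distinct hosts inside a time window, which is the shape a ping sweep followed by a --services run leaves in connection logs. The log format, the addresses and the thresholds are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format and addresses are assumptions, not real traffic):
# 10.0.0.7 enumerates 21 ports on one host, then sweeps port 80 across 12 hosts;
# 10.0.0.9 is a benign client talking to two services.
def _build_sample():
    t0 = datetime(2025, 11, 10, 1, 0, 0)
    ports = (21, 22, 25, 53, 80, 110, 135, 139, 143, 443, 445,
             993, 995, 1433, 3306, 3389, 5432, 5900, 8080, 8443, 9200)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.7 -> 10.0.1.5:{p}/tcp"
             for i, p in enumerate(ports)]
    lines += [f"{(t0 + timedelta(seconds=30 + i)).isoformat()} 10.0.0.7 -> 10.0.1.{i}:80/tcp"
              for i in range(1, 13)]
    lines.append(f"{t0.isoformat()} 10.0.0.9 -> 10.0.1.5:443/tcp")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} 10.0.0.9 -> 10.0.1.6:22/tcp")
    return "\n".join(lines)

SAMPLE_LOG = _build_sample()

def parse_line(line):
    """Parse '<ISO time> <src> -> <dst>:<port>/<proto>' into (ts, src, host, port, proto)."""
    ts, src, _, dst = line.split()
    host, portproto = dst.rsplit(":", 1)
    port, proto = portproto.split("/")
    return datetime.fromisoformat(ts), src, host, int(port), proto

def detect_scanners(log_text, window=timedelta(seconds=60),
                    port_threshold=20, host_threshold=10):
    """Return {src: {reasons}} for sources that, inside any `window` starting at one of
    their own events, hit more than `port_threshold` distinct ports on a single host
    (service enumeration) or more than `host_threshold` distinct hosts (host sweep)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev[1]].append(ev)
    findings = {}
    for src, events in by_src.items():
        events.sort()  # oldest first so each window can scan forward
        for i, first in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - first[0] <= window]
            if len({e[2] for e in in_win}) > host_threshold:
                findings.setdefault(src, set()).add("host sweep")
            ports_per_host = defaultdict(set)
            for _, _, host, port, proto in in_win:
                ports_per_host[host].add((port, proto))
            if any(len(p) > port_threshold for p in ports_per_host.values()):
                findings.setdefault(src, set()).add("port enumeration")
    return findings
```

Feed real connection logs through `parse_line` by adjusting only that function; the window logic stays the same.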

Comparison

While tools like Sn1per or AutoRecon perform similar roles, Reconnoitre stands out for its simplicity and clarity. It doesn’t try to do everything — it focuses on reliable network discovery and structured output, making it ideal for reproducible workflows and training scenarios.

Conclusion

Reconnoitre remains a foundational reconnaissance tool for ethical hackers and red teams. It bridges the gap between manual scanning and full automation by structuring output intelligently and embedding best practices into every run. Use it in isolated environments, audit your scans, and feed results into downstream tooling for correlation and reporting.

You can read more or download Reconnoitre here: https://github.com/codingo/Reconnoitre


Article source: https://www.darknet.org.uk/2025/11/reconnoitre-open-source-reconnaissance-and-service-enumeration-tool/