Stop Leaving Bugs Behind with my new Recon Tool
The author developed NextRecon, an automated recon tool intended to make bug bounty hunting and penetration testing more efficient. It combines extracting URLs from the Wayback Machine, analyzing their parameters, and querying the BreachCollection API for data leaks, helping users quickly expand the attack surface and find potential vulnerabilities.

2026-3-13 17:49:15 Author: infosecwriteups.com (view original)

Appsec.pt

In Bug Bounty and Pentesting, Recon can take a lot of your time, which then leaves you less time for actually hunting bugs.

There are very complex tools available that try to make this process faster; however, they also end up wasting a lot of time and resources on scans and checks that do not yield any results.

That was why I decided to create my own Recon Tool, to automate my own recon process that has landed me several bugs.

The tool is called NextRecon, and it is available on my GitHub page.

How does it work?

NextRecon compiles some of my favorite recon procedures in a single tool. It was mainly inspired by the incredible Waybackurls script created by Tomnomnom, but with some features added to make it more suitable for my usual Recon Methodology.

My tool retrieves all the URLs stored in the Wayback Machine, as Waybackurls does, but it expands on this concept: after creating an output file with all of the collected URLs, it iterates through them, searching for URL parameters, and outputs those to another file.

The idea is that you skim through the parameters and, if you think one has potential for being vulnerable, grep the URLs file for it.

For example, if you are reading through the parameters found by NextRecon and you find a parameter like “redirect_to”, which might be vulnerable to Open Redirect, you can grep the big URLs file for that parameter and see all the potentially vulnerable endpoints.

Example grep command:

fgrep "redirect_to=" example.com-all_urls.txt

This way, you can explore a much larger attack surface in less time, helping you find more bugs, and helping you find them faster!
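The parameter-extraction step described above, as an added example in Python (not NextRecon's own code): it indexes query-parameter names from a list of URLs and looks up the URLs for one name, matching the name exactly and case-insensitively, which a plain fgrep "redirect_to=" does not. The sample URLs and the function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample standing in for a one-URL-per-line file such as
# example.com-all_urls.txt (these URLs are invented for the example).
SAMPLE_URLS = """\
https://example.com/login?redirect_to=/home&lang=en
https://example.com/login?redirect_to=%2Faccount&lang=pt
https://shop.example.com/item?id=42&ref=mail#reviews
https://example.com/search?q=shoes&debug
https://example.com/about
https://example.com/cb?Redirect_To=https://example.com/x&id=7
not a url
""".splitlines()


def index_parameters(urls):
    """Map each lower-cased query-parameter name to the URLs that use it."""
    index = defaultdict(set)
    for raw in urls:
        url = raw.strip()
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # e.g. a broken IPv6 literal in an archived URL
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue  # skip blank or malformed lines
        # keep_blank_values keeps valueless flags such as "?debug"
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            index[name.lower()].add(url)
    return index


def parameter_summary(index):
    """Return (name, url_count) pairs, most widely used parameter first."""
    return sorted(((n, len(u)) for n, u in index.items()),
                  key=lambda item: (-item[1], item[0]))


def urls_with(index, name):
    """Exact-name lookup: the structured counterpart of the fgrep step."""
    return sorted(index.get(name.lower(), ()))


if __name__ == "__main__":
    idx = index_parameters(SAMPLE_URLS)
    for name, count in parameter_summary(idx):
        print(f"{count:3d}  {name}")
    print("\n".join(urls_with(idx, "redirect_to")))
```

Because names are parsed rather than substring-matched, a parameter such as "no_redirect_to" is not confused with "redirect_to", and the fragment and path of each URL never produce false parameter names.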

But this is not where this tool ends…

I regularly use BreachCollection to find data leaks affecting a Bug Bounty target, so it would only make sense to incorporate BreachCollection’s API into this tool, so I can make this process even quicker!

NextRecon outputs all the available leaks for the target to a separate file, helping you stay organised in your engagements.


Example of NextRecon leaked credentials output

After you have the leaked credentials for a target, it is a matter of testing them, if your target allows it, obviously. I found this to be the easiest method for finding bugs in 2025, and you can read more about it here.

How to Run this tool?

NextRecon is Python 3 based, so you will need Python 3 installed to run it.


First, you need to clone the repository:

git clone https://github.com/juoum00000/NextRecon.git

Then, after you have moved to the NextRecon folder, you need to install this project’s requirements, like this:

pip install -r requirements.txt

After this, we need to get a BreachCollection API key, so we can supply it to NextRecon. If you are subscribed to the Researcher or Enterprise tier of BreachCollection, you can go here and create a new API Key.

If you have never created one before, you should see this:

Now, after we create an API key, we only need to add it to the config.yaml file, which should look like this:

breachcollection_api_key: YOUR_API_KEY

The correct usage of this tool follows this schema:

python3 nextrecon.py <domain> [include_subdomains:true/false]

Now, NextRecon has all it needs to run, so we can try it on a Bug Bounty target like this:

python3 nextrecon.py example.com true

You are going to see 3 new files created: one for URLs, one for URL Parameters, and another for Leaked Passwords.

Conclusion

This tool, whilst obviously simple, will be a real time saver for me, and hopefully a good helping hand for hunters who maybe have not found their first bug yet, or want to find bugs more consistently and quicker.

I plan on improving this tool in the future, so if you have any suggestions, please leave them in the comments, and I will make sure to implement them in a future release.

Follow me on Medium to make sure you are updated when I do so.

Have fun!

Note: You can run NextRecon without setting up a BreachCollection API key, but then the tool loses some of its usefulness.


Article source: https://infosecwriteups.com/stop-leaving-bugs-behind-with-my-new-recon-tool-627a9068f1b2?source=rss----7b722bfd1b8d--bug_bounty