🔍 Recon Toolkit

This repo contains two reconnaissance scripts:

• host/recon-collect.sh → General host/URL recon (domains, DNS, IPs, SSL/TLS, headers, metadata, subdomains, dirs, etc.).
• api/api-recon.sh → API-specific recon (endpoints, parameters, fuzzing, API docs detection).

⚠️ Run only on systems/APIs you own or have permission to test.

---

📦 Install Tools

# Host recon tools
sudo ./install-recon-tools-rhel.sh

# API recon tools
sudo ./install-api-recon-tools-rhel.sh

---

🌍 Host Recon

./host/recon-collect.sh -u <url-or-host> [-o output.md] [-p quick|deep]

• -u → URL/host (e.g. https://example.com)
• -o → Markdown report (default: ./recon-report.md)
• -p → quick (default, top ports) or deep (full scan)

Finds: WHOIS, DNS, IPs, ASN, traceroute, ports (nmap/masscan), TLS (openssl/testssl/sslyze), headers, metadata, favicon hash, Wayback snapshots, subdomains, dirs, quick probes, email security.

---

📡 API Recon

./api/api-recon.sh -u <api-host-or-url> [-o output.md] [-m quick|deep]

• -u → API host or base URL (e.g. https://api.example.com)
• -o → Markdown report (default: ./api-recon-report.md)
• -m → quick or deep

Finds: Swagger/OpenAPI/GraphQL docs, endpoints (kiterunner), hidden params (Arjun), fuzzed paths & payloads (ffuf), GraphQL checks, basic header/sensitive info leaks.

---

📂 Output

• Markdown report (-o) with organized findings.
• Raw tool outputs in /tmp/recon-XXXX or /tmp/api-recon-XXXX for manual review.

---