SubRecon
Automated attack surface mapping tool with three scan modes. Enumerates subdomains via passive recon, port-scans live hosts for exposed dangerous services, probes for exposed API docs and sensitive HTML comments, captures visual evidence with Playwright, and outputs a risk-scored dashboard with dated CSV reports.
Architecture
How it works
Given a root domain, SubRecon concurrently queries three independent passive sources: HackerTarget for historical DNS records, crt.sh for Certificate Transparency logs (which expose subdomains issued SSL certificates historically), and RapidDNS for bulk DNS enumeration. Results are merged, deduplicated, and validated for liveness.
Each live host is asynchronously probed across high-risk ports: FTP (21), SSH (22), MySQL (3306), RDP (3389), and alternate web ports (8000, 8080, 8888). Open dangerous ports are immediately escalated to Critical severity. A dedicated SSH probe module checks for banner leakage and version exposure that can fingerprint the underlying OS.
Each live subdomain is probed for exposed API documentation at common paths (/swagger.json, /openapi.json, /v2/api-docs, /v3/api-docs, /actuator/health, etc.). Exposed Swagger/OpenAPI specs reveal full endpoint inventories, authentication schemes, and request/response models - a Critical finding that exposes the entire backend contract.
The content analyzer fetches page source and scans HTML comments for patterns matching API keys, internal IPs, TODO/FIXME annotations, debug flags, and credential leakage. Pages with admin/dashboard/console/VPN keywords in their title are escalated to High severity. Developers frequently leave sensitive context in comments invisible to users but visible in source.
Playwright navigates to each discovered subdomain with a headless Chromium browser and captures full-page screenshots saved to a dated evidence folder. This provides visual proof of the live attack surface - login panels, admin interfaces, staging environments, and internal dashboards - without triggering active scanning alerts.
Each finding is classified into one of four severity tiers: Critical (open dangerous ports, exposed API docs, directory listing), High (sensitive HTML comments, admin/console title keywords), Medium (sensitive subdomain names like staging/vpn/db), Low (stale content from 2010-2021). The Streamlit dashboard aggregates findings by severity, renders the screenshot gallery, and exports dated CSV reports for trend tracking.