Md Samad
View GitHub
Security Recon Attack Surface Port Scanning

SubRecon

Automated attack surface mapping tool with three scan modes. Enumerates subdomains via passive recon, port-scans live hosts for exposed dangerous services, probes for exposed API docs and sensitive HTML comments, captures visual evidence with Playwright, and outputs a risk-scored dashboard with dated CSV reports.

3
Data Sources
4
Risk Levels
3
Scan Modes
System Design

Architecture

Target Domain PASSIVE RECON LAYER HackerTarget Passive DNS · API crt.sh Certificate Transparency RapidDNS DNS Enumeration Aggregation Engine Deduplicate · Validate · Merge ACTIVE PROBE LAYER Port Scanner FTP · SSH · MySQL · RDP API Doc Scanner Swagger · OpenAPI exposure HTML Comment Miner Secrets · TODOs · Credentials Playwright Screenshot Evidence Risk Scoring Engine Critical Ports / Open Dirs High Admin / Comments Medium Subdomain Type Low Old Content Streamlit Dashboard Evidence Gallery · Trend Analysis · Export
End-to-End

How it works

1
Multi-Source Passive Enumeration

Given a root domain, SubRecon concurrently queries three independent passive sources: HackerTarget for historical DNS records, crt.sh for Certificate Transparency logs (which expose subdomains issued SSL certificates historically), and RapidDNS for bulk DNS enumeration. Results are merged, deduplicated, and validated for liveness.

2
Port & Service Scanning

Each live host is asynchronously probed across high-risk ports: FTP (21), SSH (22), MySQL (3306), RDP (3389), and alternate web ports (8000, 8080, 8888). Open dangerous ports are immediately escalated to Critical severity. A dedicated SSH probe module checks for banner leakage and version exposure that can fingerprint the underlying OS.

3
API Documentation Probing

Each live subdomain is probed for exposed API documentation at common paths (/swagger.json, /openapi.json, /v2/api-docs, /v3/api-docs, /actuator/health, etc.). Exposed Swagger/OpenAPI specs reveal full endpoint inventories, authentication schemes, and request/response models - a Critical finding that exposes the entire backend contract.

4
HTML Source Comment Mining

The content analyzer fetches page source and scans HTML comments for patterns matching API keys, internal IPs, TODO/FIXME annotations, debug flags, and credential leakage. Pages with admin/dashboard/console/VPN keywords in their title are escalated to High severity. Developers frequently leave sensitive context in comments invisible to users but visible in source.

5
Playwright Screenshot Evidence

Playwright navigates to each discovered subdomain with a headless Chromium browser and captures full-page screenshots saved to a dated evidence folder. This provides visual proof of the live attack surface - login panels, admin interfaces, staging environments, and internal dashboards - without triggering active scanning alerts.

6
Risk Scoring + Dashboard

Each finding is classified into one of four severity tiers: Critical (open dangerous ports, exposed API docs, directory listing), High (sensitive HTML comments, admin/console title keywords), Medium (sensitive subdomain names like staging/vpn/db), Low (stale content from 2010-2021). The Streamlit dashboard aggregates findings by severity, renders the screenshot gallery, and exports dated CSV reports for trend tracking.

Stack

Technologies

Core
Python asyncio aiohttp requests
Recon Sources
HackerTarget API crt.sh RapidDNS
Port & Service Scanning
asyncio port scanner SSH probe tqdm colorama
Browser Automation
Playwright Chromium
UI + Reporting
Streamlit Pandas Plotly
Parsing
BeautifulSoup regex
Risk Engine
Custom Scoring Critical / High / Medium / Low