Commands
recon-pipeline provides a handful of commands: tools, database, scan, status, and view.
All other available commands are inherited from cmd2.
tools
Usage: tools [-h] {install, uninstall, reinstall, list} ...
Sub-commands:
install
Install any/all of the libraries/tools necessary to make the recon-pipeline function
tools install [-h]
{go, gobuster, subjack, masscan, amass, seclists, waybackurls,
exploitdb, searchsploit, recursive-gobuster, webanalyze,
luigi-service, aquatone, tko-subs, all}
Positional Arguments
tool | which tool to install. Possible choices: go, gobuster, subjack, masscan, amass, seclists, waybackurls, exploitdb, searchsploit, recursive-gobuster, webanalyze, luigi-service, aquatone, tko-subs, all |
uninstall
Remove the already installed tool
tools uninstall [-h]
{go, gobuster, subjack, masscan, amass, seclists, waybackurls,
exploitdb, searchsploit, recursive-gobuster, webanalyze,
luigi-service, aquatone, tko-subs, all}
Positional Arguments
tool | which tool to uninstall. Possible choices: go, gobuster, subjack, masscan, amass, seclists, waybackurls, exploitdb, searchsploit, recursive-gobuster, webanalyze, luigi-service, aquatone, tko-subs, all |
reinstall
Uninstall and then install a given tool
tools reinstall [-h]
{go, gobuster, subjack, masscan, amass, seclists, waybackurls,
exploitdb, searchsploit, recursive-gobuster, webanalyze,
luigi-service, aquatone, tko-subs, all}
Positional Arguments
tool | which tool to reinstall. Possible choices: go, gobuster, subjack, masscan, amass, seclists, waybackurls, exploitdb, searchsploit, recursive-gobuster, webanalyze, luigi-service, aquatone, tko-subs, all |
database
Usage: database [-h] {list, delete, attach, detach} ...
scan
Usage: scan [-h] (--target-file TARGET_FILE | --target TARGET)
[--exempt-list EXEMPT_LIST] [--results-dir RESULTS_DIR]
[--wordlist WORDLIST] [--interface INTERFACE] [--recursive]
[--rate RATE] [--top-ports TOP_PORTS | --ports PORTS]
[--threads THREADS] [--scan-timeout SCAN_TIMEOUT] [--proxy PROXY]
[--extensions EXTENSIONS] [--sausage] [--local-scheduler]
[--verbose]
scantype
Positional Arguments
scantype | which type of scan to run |
Named Arguments
--target-file | file created by the user that defines the target’s scope; list of ips/domains |
--target | ip or domain to target |
--exempt-list | list of blacklisted ips/domains |
--results-dir | directory in which to save scan results (default: recon-results) |
--wordlist | path to wordlist used by gobuster (default: /home/docs/.local/recon-pipeline/tools/seclists/Discovery/Web-Content/common.txt) |
--interface | which interface masscan should use (default: tun0) |
--recursive | whether or not to recursively gobust (default: False) |
--rate | rate at which masscan should scan (default: 1000) |
--top-ports | ports to scan as specified by nmap’s list of top-ports (only meaningful to around 5000) |
--ports | port specification for masscan (all ports example: 1-65535,U:1-65535) |
--threads | number of threads for all of the threaded applications to use (default: 10) |
--scan-timeout | scan timeout for aquatone (default: 900) |
--proxy | proxy for gobuster if desired (ex. 127.0.0.1:8080) |
--extensions | list of extensions for gobuster (ex. asp,html,aspx) |
--sausage | open a web browser to Luigi’s central scheduler’s visualization site (see how the sausage is made!) Default: False |
--local-scheduler | use the local scheduler instead of the central scheduler (luigid) (default: False) |
--verbose | shows debug messages from luigi, useful for troubleshooting (default: False) |
status
Usage: status [-h] [--port PORT] [--host HOST]
Named Arguments
--port | port on which the luigi central scheduler’s visualization site is running (default: 8082) |
--host | host on which the luigi central scheduler’s visualization site is running (default: localhost) Default: “127.0.0.1” |
view
Usage: view [-h]
{targets, web-technologies, endpoints, nmap-scans,
searchsploit-results, ports} ...
Sub-commands:
targets
List all known targets (ipv4/6 & domain names); produced by amass
view targets [-h] [--vuln-to-subdomain-takeover]
[--type {ipv4, ipv6, domain-name}] [--paged]
Named Arguments
--vuln-to-subdomain-takeover | show targets identified as vulnerable to subdomain takeover Default: False |
--type | filter by target type. Possible choices: ipv4, ipv6, domain-name |
--paged | display output page-by-page (default: False) |
web-technologies
List all known web technologies identified; produced by webanalyze
view web-technologies [-h] [--paged] [--host HOST] [--type TYPE]
[--product PRODUCT]
Named Arguments
--paged | display output page-by-page (default: False) |
--host | filter results by host |
--type | filter results by type |
--product | filter results by product |
endpoints
List all known endpoints; produced by gobuster
view endpoints [-h] [--headers] [--paged] [--plain]
[--status-code STATUS_CODE] [--host HOST]
Named Arguments
--headers | include headers found at each endpoint (default: False) |
--paged | display output page-by-page (default: False) |
--plain | display without status-codes/color (default: False) |
--status-code | filter results by status code |
--host | filter results by host |
nmap-scans
List all known nmap scan results; produced by nmap
view nmap-scans [-h] [--paged] [--commandline] [--host HOST]
[--nse-script NSE_SCRIPT] [--port PORT] [--product PRODUCT]
Named Arguments
--paged | display output page-by-page (default: False) |
--commandline | display command used to scan (default: False) |
--host | filter results by host |
--nse-script | filter results by nse script type ran |
--port | filter results by port scanned |
--product | filter results by reported product |
searchsploit-results
List all known searchsploit hits; produced by searchsploit
view searchsploit-results [-h] [--paged] [--fullpath] [--host HOST]
[--type TYPE]
Named Arguments
--paged | display output page-by-page (default: False) |
--fullpath | display full path to exploit PoC (default: False) |
--host | filter results by host |
--type | filter results by exploit type |