Advanced OSINT framework for scanning IP addresses, emails, websites, and organizations to find information from different sources. Aggregates data from Shodan, Censys, social media, DNS, and more.
Installation
Prerequisites
| Requirement | Details |
|---|
| Python 3.7+ | Core language requirement |
| pip | Python package manager |
| Virtual environment | Recommended for isolation |
| Internet connection | Required for API calls |
Install from GitHub
git clone https://github.com/bhavsec/reconspider.git
cd reconspider
pip install -r requirements.txt
Install from PyPI
pip install reconspider
Verify Installation
python reconspider.py --version
Virtual Environment Setup
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt
API Configuration
Supported APIs
| Service | API Key Required | Purpose |
|---|
| Shodan | Yes | Search internet-connected devices |
| Censys | Yes | Certificate and host data |
| VirusTotal | Yes | File and URL reputation |
| Hunter.io | Yes | Email discovery and verification |
| Clearbit | Yes | Company and person data |
| EmailHunter | Yes | Business email finder |
| GitHub | Optional | Repository and user data |
| Twitter/X | Optional | Social media reconnaissance |
Add API Keys
# Set environment variables
export SHODAN_API_KEY="your_shodan_key"
export CENSYS_API_ID="your_censys_id"
export CENSYS_API_SECRET="your_censys_secret"
export VIRUSTOTAL_API_KEY="your_vt_key"
export HUNTER_API_KEY="your_hunter_key"
Configuration File (config.yaml)
# ~/.config/reconspider/config.yaml
api_keys:
shodan: "your_shodan_key"
censys_id: "your_censys_id"
censys_secret: "your_censys_secret"
virustotal: "your_vt_key"
hunter: "your_hunter_key"
clearbit: "your_clearbit_key"
timeout: 30
retry_attempts: 3
output_format: json # json, csv, txt
IP Address Scanning
Basic IP Reconnaissance
| Command | Description |
|---|
python reconspider.py -i <ip> | Scan single IP address |
python reconspider.py -i <ip> -s shodan | Query Shodan for IP |
python reconspider.py -i <ip> -s censys | Query Censys for IP |
python reconspider.py -i <ip> -s all | Aggregate all sources |
IP Scanning Examples
# Basic IP scan
python reconspider.py -i 8.8.8.8
# Shodan scan only
python reconspider.py -i 93.184.216.34 -s shodan
# Censys scan with output file
python reconspider.py -i 93.184.216.34 -s censys -o ip_report.json
# Multiple IPs
python reconspider.py -i 8.8.8.8,1.1.1.1 -o dns_servers.json
# IP range scanning
python reconspider.py -i "192.168.1.0/24" -s shodan
IP Reconnaissance returns:
Hostname and reverse DNS
ISP and organization
Geographic location (country, city)
Hosting provider
Open ports and services
Running software versions
SSL certificate details
Domain history
Blacklist status
Domain & Website Scanning
Basic Domain Reconnaissance
| Command | Description |
|---|
python reconspider.py -d <domain> | Scan domain |
python reconspider.py -d <domain> --dns | DNS enumeration |
python reconspider.py -d <domain> --certs | Certificate transparency scan |
python reconspider.py -d <domain> --subdomains | Subdomain enumeration |
Domain Scanning Examples
# Full domain scan
python reconspider.py -d example.com
# DNS records only
python reconspider.py -d example.com --dns
# Certificate transparency logs
python reconspider.py -d example.com --certs
# Subdomain enumeration
python reconspider.py -d example.com --subdomains -o subdomains.txt
# Scan with Censys
python reconspider.py -d example.com -s censys
# Check for zone transfer vulnerability
python reconspider.py -d example.com --axfr
DNS Records Returned
| Record Type | Information |
|---|
| A | IPv4 addresses |
| AAAA | IPv6 addresses |
| CNAME | Canonical names |
| MX | Mail exchange servers |
| TXT | Text records (SPF, DKIM, DMARC) |
| NS | Nameservers |
| SOA | Start of authority |
| SRV | Service records |
Certificate Data
Certificate Transparency returns:
Issuer details
Issue and expiration dates
Domain names and SANs
Subject and subject alt names
Signature algorithm
Public key information
Revocation status
Email Harvesting
Email Discovery
| Command | Description |
|---|
python reconspider.py -e <email> | Scan email address |
python reconspider.py -d <domain> --emails | Harvest emails from domain |
python reconspider.py -o <organization> --emails | Find org emails |
Email Harvesting Examples
# Email verification
python reconspider.py -e john@example.com
# Harvest emails from domain
python reconspider.py -d example.com --emails
# Company email discovery
python reconspider.py -o "Acme Corp" --emails -o results.csv
# Email pattern detection
python reconspider.py -d example.com --email-pattern firstname.lastname
# Multi-domain email search
python reconspider.py -d example.com,example.net --emails --hunter
Email Sources
| Source | Details |
|---|
| Hunter.io | Business email finder |
| RocketReach | Professional profiles |
| Clearbit | Company data and emails |
| LinkedIn | Profile emails (requires auth) |
| GitHub | Developer emails |
| Public WHOIS | Domain registrant emails |
| Certificate logs | Email addresses in certs |
Phone Number Lookup
Phone Reconnaissance
| Command | Description |
|---|
python reconspider.py --phone <number> | Lookup phone number |
python reconspider.py --phone <number> --reverse | Reverse phone lookup |
python reconspider.py -d <domain> --phones | Extract phone numbers from domain |
Phone Lookup Examples
# Direct phone lookup
python reconspider.py --phone "+1-555-0123"
# Reverse lookup
python reconspider.py --phone "5550123" --reverse
# Extract from website
python reconspider.py -d example.com --phones
# Phone pattern search
python reconspider.py --phone-pattern "555-\d{4}" -d example.com
Phone Data Retrieved
Phone reconnaissance returns:
Carrier information
Location (city, state)
Phone type (mobile, landline, VOIP)
Associated names
Associated email addresses
Call history patterns
Linked social media accounts
| Command | Description |
|---|
python reconspider.py --social <username> | Search across platforms |
python reconspider.py --twitter <handle> | Twitter/X profile search |
python reconspider.py --linkedin <profile> | LinkedIn data extraction |
python reconspider.py --github <username> | GitHub profile analysis |
# Cross-platform username search
python reconspider.py --social johndoe
# Twitter profile reconnaissance
python reconspider.py --twitter @johndoe
# GitHub profile analysis
python reconspider.py --github johndoe
# LinkedIn profile scraping
python reconspider.py --linkedin johndoe
# Instagram profile search
python reconspider.py --instagram johndoe --followers
| Platform | Information Retrieved |
|---|
| Twitter/X | Followers, tweets, location, bio, links |
| GitHub | Repos, commits, followers, organizations |
| LinkedIn | Profile, connections, employment, skills |
| Instagram | Bio, followers, posts, locations, links |
| Facebook | Profile info, friends, pages, activity |
| Reddit | Post history, karma, subreddits joined |
Shodan Integration
Shodan Queries
| Command | Description |
|---|
python reconspider.py -s shodan -i <ip> | IP lookup via Shodan |
python reconspider.py --shodan-query "webcam" | Search for webcams |
python reconspider.py --shodan-query "apache" --country US | Geo-filtered search |
Shodan Search Examples
# Find exposed webcams
python reconspider.py --shodan-query "webcam" --limit 50
# Search by country
python reconspider.py --shodan-query "mongodb" --country CN
# Port-specific search
python reconspider.py --shodan-query "port:3389" --limit 100
# Service version search
python reconspider.py --shodan-query "apache/2.4"
# Vulnerable software search
python reconspider.py --shodan-query "OpenSSL/1.0.1" --country US
Shodan Filters
| Filter | Description |
|---|
port:8080 | Specific port |
country:US | Specific country |
city:Boston | Specific city |
org:Google | Organization name |
os:Linux | Operating system |
product:Apache | Software product |
before:2023-01-01 | Before date |
Censys Integration
Censys Queries
| Command | Description |
|---|
python reconspider.py -s censys -i <ip> | IP lookup via Censys |
python reconspider.py --censys-query "ip:8.8.8.8" | Direct IP query |
python reconspider.py --censys-cert <domain> | Certificate search |
Censys Search Examples
# Certificate search
python reconspider.py --censys-cert example.com
# IP with specific service
python reconspider.py -s censys -i 93.184.216.34
# Host lookup with details
python reconspider.py --censys-host 8.8.8.8
# Certificate issuer search
python reconspider.py --censys-query "issuer:\"Let's Encrypt\""
Save Results
| Command | Description |
|---|
python reconspider.py -i <ip> -o report.json | JSON output |
python reconspider.py -i <ip> -o report.csv | CSV output |
python reconspider.py -i <ip> -o report.txt | Text output |
python reconspider.py -i <ip> --html | HTML report |
# JSON format (structured)
python reconspider.py -d example.com -o domain_report.json
# CSV format (spreadsheet)
python reconspider.py --emails -d example.com -o emails.csv
# HTML report (visual)
python reconspider.py -i 8.8.8.8 --html -o scan_report.html
# Pretty-printed output
python reconspider.py -d example.com -o results.txt --verbose
JSON Output Structure
{
"target": "example.com",
"scan_date": "2026-05-01",
"ip_info": {
"addresses": ["93.184.216.34"],
"hostname": "example.com",
"organization": "EDGECAST",
"location": {
"country": "US",
"city": "Los Angeles"
}
},
"dns_records": {
"A": ["93.184.216.34"],
"MX": ["mail.example.com"]
},
"certificates": [],
"emails": ["admin@example.com"],
"vulnerabilities": []
}
Honeypot Detection
Detect Honeypots
| Command | Description |
|---|
python reconspider.py -i <ip> --honeypot | Check if IP is honeypot |
python reconspider.py --check-reputation <ip> | Reputation check |
python reconspider.py -d <domain> --verify | Domain verification |
Honeypot Detection Examples
# Check single IP
python reconspider.py -i 192.168.1.1 --honeypot
# Batch check IPs
python reconspider.py --honeypot -f ip_list.txt
# Domain verification
python reconspider.py -d example.com --verify
# Reputation scoring
python reconspider.py -i 8.8.8.8 --reputation
# Verify email authenticity
python reconspider.py -e user@example.com --verify
Honeypot Indicators
High-risk indicators:
Response from unusual geolocation
Multiple open ports without services
Suspicious SSL certificate
Rapid response patterns
Mismatched DNS records
Known honeypot signatures
No real legitimate traffic indicators
Automated Reconnaissance Workflows
Batch Processing
# Scan multiple IPs from file
python reconspider.py -f ip_list.txt -o batch_results.json
# Harvest emails from multiple domains
python reconspider.py -f domains.txt --emails -o emails.csv
# Scan IP ranges
python reconspider.py -i "10.0.0.0/24" -o range_scan.json
Complete Organization Reconnaissance
# Full org scan workflow
python reconspider.py -o "Acme Corp" \
--emails \
--phones \
--social \
--subdomains \
-o org_report.json \
--html
Threat Intelligence Pipeline
# Automated threat hunt
python reconspider.py -f suspicious_ips.txt \
--shodan \
--honeypot \
--check-reputation \
-o threat_report.html \
--alerts
Scheduled Scanning
# Monitor domain for changes
python reconspider.py -d example.com \
--certs \
--subdomains \
--schedule "daily" \
-o monitoring.json
# Weekly organization scan
python reconspider.py -o "Target Org" \
--emails \
--phones \
--schedule "weekly" \
--notify email@example.com
Advanced Techniques
Proxy and Anonymization
# Route through proxy
python reconspider.py -i 8.8.8.8 --proxy "http://proxy:8080"
# Use SOCKS proxy
python reconspider.py -d example.com --socks-proxy "socks5://localhost:1080"
# User-Agent rotation
python reconspider.py --social johndoe --rotate-ua
Custom Filtering
# Exclude certain results
python reconspider.py -d example.com --exclude "*.internal"
# Filter by date range
python reconspider.py --certs example.com --from 2025-01-01 --to 2026-05-01
# Limit results
python reconspider.py --emails example.com --limit 100
Data Correlation
# Find overlapping targets
python reconspider.py -f domains.txt --correlate
# Link data sources
python reconspider.py -e user@example.com --link-accounts
# Timeline analysis
python reconspider.py -d example.com --timeline
Best Practices
-
Always obtain authorization — Only conduct reconnaissance on systems and organizations you own or have explicit written permission to test.
-
Respect rate limits — Use delays between requests and observe API rate limits to avoid account suspension.
-
Use VPN/Proxy — Route traffic through privacy-conscious services to protect your identity during reconnaissance.
-
Validate API keys — Test API credentials before running large scans to catch configuration issues early.
-
Document findings — Keep detailed records of scan dates, targets, findings, and methodology for reporting.
-
Verify information — Cross-reference data from multiple sources (Shodan, Censys, DNS) to ensure accuracy.
-
Filter false positives — Use honeypot detection and reputation checking to reduce noise in results.
-
Secure configuration files — Keep config.yaml and API keys in restricted directories (mode 600) to prevent exposure.
-
Start narrow, go broad — Begin with specific IP or domain, then expand to subdomains, emails, and social media.
-
Use structured output — Export to JSON or CSV for further analysis, correlation, and reporting in tools like Elasticsearch or Tableau.
