Skip to content

Raccoon - Offensive Reconnaissance Tool Cheatsheet

Raccoon - Offensive Reconnaissance Tool Cheatsheet

A high-performance offensive security tool for automated reconnaissance. Combines DNS enumeration, WHOIS lookups, TLS analysis, port scanning, subdomain discovery, URL fuzzing, and WAF detection in a single tool with asynchronous performance.

Legal Notice: Only use Raccoon against targets you have explicit written authorization to test. Unauthorized scanning is illegal.

Installation

Method	Command
pip (Stable)	`pip install raccoon-scanner`
pip3 (Python 3.5+)	`pip3 install raccoon-scanner`
From source	`git clone https://github.com/evyatarmeged/Raccoon.git && cd Raccoon && python setup.py develop`
Docker	`docker build -t raccoon . && docker run raccoon example.com`

Prerequisites

Dependency	Purpose	Install
Nmap	Port scanning	`sudo apt install nmap` / `brew install nmap`
OpenSSL	TLS/SSL analysis	Usually pre-installed
coreutils (macOS)	Timeout support	`brew install coreutils`

Basic Usage

# Basic scan of a target
raccoon example.com

# Full scan with service detection
raccoon -f example.com

# Scan with output directory
raccoon -o /path/to/output example.com

# Quick scan skipping Nmap
raccoon --skip-nmap-scan example.com

# Quiet mode (minimal output)
raccoon -q example.com

Scan Options

DNS and Subdomain Enumeration

Command	Description
`raccoon example.com`	Default DNS records: A, MX, NS, CNAME, SOA, TXT
`raccoon -d A,AAAA,MX example.com`	Query specific DNS record types
`raccoon --no-sub-enum example.com`	Skip subdomain enumeration
`raccoon --subdomain-list subs.txt example.com`	Use custom subdomain wordlist

Port Scanning

Command	Description
`raccoon example.com`	Default Nmap scan
`raccoon -sc example.com`	Run with Nmap scripts (service detection scripts)
`raccoon -sv example.com`	Run with service version detection
`raccoon -f example.com`	Full scan (both -sc and -sv flags)
`raccoon -p 80,443,8080 example.com`	Scan specific ports
`raccoon -p 1-1000 example.com`	Scan port range
`raccoon --vulners-nmap-scan example.com`	Perform vulnerability assessment scan
`raccoon --vulners-path /path/to/script example.com`	Custom nmap_vulners.nse script path
`raccoon --skip-nmap-scan example.com`	Skip port scanning entirely

Web Application Scanning

Command	Description
`raccoon example.com`	Default URL fuzzing with built-in wordlist
`raccoon -w /path/to/wordlist.txt example.com`	Use custom wordlist for URL fuzzing
`raccoon -T 50 example.com`	Use 50 threads for fuzzing (default: 25)
`raccoon -fr example.com`	Follow HTTP redirects during fuzzing
`raccoon --no-url-fuzzing example.com`	Disable URL/directory discovery
`raccoon --ignored-response-codes 403,500 example.com`	Custom ignored HTTP status codes
`raccoon --tls-port 8443 example.com`	Custom TLS port (default: 443)

Privacy and Proxy Options

Command	Description
`raccoon --tor-routing example.com`	Route all traffic through Tor (port 9050)
`raccoon --proxy http://proxy:8080 example.com`	Use a specific proxy
`raccoon --proxy-list proxies.txt example.com`	Random proxy rotation from list
`raccoon -c "session:abc123" example.com`	Add custom cookies (key:value format)

Output Options

Command	Description
`raccoon -o ./results example.com`	Save results to specified directory
`raccoon -q example.com`	Suppress console output
`raccoon --skip-health-check example.com`	Skip initial target availability check

Complete Flag Reference

Flag	Long Form	Description
`-d`	`--dns-records`	DNS record types to query (comma-separated)
`-o`	`--outdir`	Output directory for results
`-q`	`--quiet`	Suppress output
`-w`	`--wordlist`	Custom fuzzing wordlist
`-T`	`--threads`	Thread count (default: 25)
`-sc`	`--scripts`	Run Nmap service detection scripts
`-sv`	`--services`	Run Nmap version detection
`-f`	`--full-scan`	Full Nmap scan (-sc + -sv)
`-p`	`--port`	Custom port range
`-fr`	`--follow-redirects`	Follow HTTP redirects
`-c`	`--cookies`	Add cookies (key:value)
	`--tor-routing`	Route through Tor
	`--proxy`	HTTP proxy address
	`--proxy-list`	File with proxy list
	`--no-url-fuzzing`	Skip URL discovery
	`--no-sub-enum`	Skip subdomain enumeration
	`--skip-nmap-scan`	Skip port scanning
	`--skip-health-check`	Skip availability check
	`--vulners-nmap-scan`	Vulnerability assessment
	`--subdomain-list`	Custom subdomain wordlist
	`--tls-port`	Custom TLS port
	`--ignored-response-codes`	HTTP codes to ignore
	`--version`	Show version
	`--help`	Show help

Scan Modules (Automatic)

Raccoon automatically performs these checks during a scan:

Module	What It Does
DNS Enumeration	Queries configured DNS record types
WHOIS Lookup	Retrieves domain registration info
TLS/SSL Analysis	Checks certificate details and cipher suites
Port Scanning	Nmap scan with optional scripts and version detection
Subdomain Discovery	Enumerates subdomains using wordlist
URL Fuzzing	Discovers hidden directories and files
WAF Detection	Identifies web application firewalls
Web App Recon	Analyzes web technologies and headers

Common Workflows

# Quick recon — skip heavy scanning
raccoon --skip-nmap-scan example.com

# Comprehensive audit
raccoon -f --vulners-nmap-scan -T 50 -o ./audit_results example.com

# Stealthy scan through Tor
raccoon --tor-routing -T 5 -q example.com

# Subdomain-focused discovery
raccoon --no-url-fuzzing --subdomain-list large_subs.txt example.com

# Web app directory bruteforce only
raccoon --skip-nmap-scan --no-sub-enum -w /usr/share/wordlists/dirb/big.txt example.com

# Docker scan with results saved to host
docker run -v $(pwd)/results:/home/raccoon raccoon example.com -o /home/raccoon

Output Structure

Results are saved in the output directory organized by scan type:

results/
├── dns_records.txt
├── whois.txt
├── tls_info.txt
├── nmap_scan.txt
├── subdomains.txt
├── url_fuzzing.txt
├── waf_detection.txt
└── web_recon.txt

Resources