FinalRecon

# Clone the repository
git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon

# Install dependencies
pip3 install -r requirements.txt

# Make executable (optional)
chmod +x finalrecon.py

# Run help
python3 finalrecon.py -h

Run every module against a target. The target URL is a positional argument and must include the scheme (http:// or https://); module switches such as --full select what runs.

# Full scan (all modules) on a target
python3 finalrecon.py --full https://example.com

# Full scan without the ASCII banner
python3 finalrecon.py --full -nb https://example.com

# Full scan with a shorter per-request timeout in seconds (default 30)
python3 finalrecon.py --full -T 15 https://example.com

# Full scan exported as CSV into a directory of your choice
python3 finalrecon.py --full -o csv -cd ./recon_out https://example.com

Fetch and print the target's HTTP response headers. FinalRecon dumps the headers as received; reviewing them for weak or missing security headers is up to you.

# Header dump
python3 finalrecon.py --headers https://example.com

# Follow redirects first (e.g. http -> https or / -> /login) and dump the final response
python3 finalrecon.py --headers -r https://example.com

# Non-standard port goes in the URL
python3 finalrecon.py --headers https://example.com:8080

# Self-signed or otherwise untrusted certificate: turn TLS verification off
python3 finalrecon.py --headers -s https://example.com

What to look for in the dump:

  • Security headers present or missing (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
  • Server, X-Powered-By and similar headers that disclose software and versions
  • Set-Cookie attributes (Secure, HttpOnly, SameSite)
  • CORS headers (Access-Control-Allow-Origin, Access-Control-Allow-Credentials): a wildcard origin, or a reflected origin combined with credentials, is a finding
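
A quick way to run that checklist over a header dump. This is an added example, not part of FinalRecon: it reads the raw header text the --headers module prints (or what curl -sI returns) and reports missing security headers, version disclosure, weak cookie attributes and permissive CORS. The response it audits is constructed, not captured from a real host, and the set of headers it expects is the editor's choice.

```python
"""Audit a raw HTTP response header block for the items in the checklist.

Added example, not FinalRecon code. Input is the header text as printed by
the --headers module or by `curl -sI`; SAMPLE below is constructed.
"""
from __future__ import annotations

# Headers a hardened HTTPS site is expected to send (editor's choice).
EXPECTED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

# Headers that commonly leak product names and versions.
DISCLOSURE = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Turn 'Name: value' lines into (lowercase name, value) pairs.
    The status line and blank lines are skipped; repeated headers such as
    several Set-Cookie lines are kept as separate pairs."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    findings = []

    for name in EXPECTED:
        if name not in present:
            findings.append(f"missing {name}")

    for name, value in pairs:
        # A digit in Server/X-Powered-By almost always means a version string.
        if name in DISCLOSURE and any(ch.isdigit() for ch in value):
            findings.append(f"version disclosure: {name}: {value}")

        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")

        if name == "access-control-allow-origin" and value == "*":
            creds = [v for n, v in pairs if n == "access-control-allow-credentials"]
            if creds and creds[0].lower() == "true":
                findings.append("CORS: wildcard origin with credentials")
            else:
                findings.append("CORS: wildcard origin")

    return findings


# Constructed sample response (not captured from a real host).
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

Paste the header block FinalRecon printed into SAMPLE (or read it from the export) and the script lists what to raise; a clean hardened response yields an empty list.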

Retrieve domain registration data from the registry's WHOIS server for the target's domain.

# WHOIS lookup
python3 finalrecon.py --whois https://example.com

# WHOIS with a shorter timeout
python3 finalrecon.py --whois -T 10 https://example.com

# WHOIS plus DNS in one run
python3 finalrecon.py --whois --dns https://example.com

# Export the WHOIS record (txt, xml or csv)
python3 finalrecon.py --whois -o csv https://example.com

Information returned (as published by the registry):

  • Registrar, creation and last-update dates
  • Registrant, admin and tech contacts (usually redacted for privacy or replaced by a proxy service since GDPR; a named person is the exception, not the rule)
  • Name servers
  • Expiration date
  • DNSSEC status

Retrieve the TLS certificate the target presents and print its fields.

# Certificate information (port 443)
python3 finalrecon.py --sslinfo https://example.com

# Certificate on a non-standard TLS port
python3 finalrecon.py --sslinfo -sp 8443 https://example.com

# Certificate together with the response headers
python3 finalrecon.py --sslinfo --headers https://example.com

Certificate details:

  • Subject and issuer
  • Version and serial number
  • notBefore / notAfter validity window
  • Subject Alternative Names (the hostnames the certificate is actually valid for; the subject CN alone no longer satisfies modern clients)
  • OCSP responder, CA issuer and CRL distribution point URLs

The module reads the certificate through Python's ssl module with verification on, so an expired, self-signed or mismatched certificate produces a connection error instead of a field dump; inspect those with openssl s_client -showcerts.

Crawl the target to collect URLs and assets. The crawler starts from the target page plus robots.txt and sitemap.xml; there is no depth, page-limit or path-exclusion option, so scope it by choosing the start URL.

# Crawl the target
python3 finalrecon.py --crawl https://example.com

# Follow redirects while crawling
python3 finalrecon.py --crawl -r https://example.com

# Slow site: raise the per-request timeout
python3 finalrecon.py --crawl -T 60 https://example.com

# Crawl and export the link lists as XML
python3 finalrecon.py --crawl -o xml https://example.com

Crawler output:

  • Entries from robots.txt and URLs from sitemap.xml
  • Internal and external links
  • Linked CSS and JavaScript files, and images
  • Per-category counts, with the full lists in the export

Query the target domain's DNS records.

# DNS enumeration with the default resolver (1.1.1.1)
python3 finalrecon.py --dns https://example.com

# Use a specific resolver
python3 finalrecon.py --dns -d 8.8.8.8 https://example.com

# DNS together with subdomain enumeration
python3 finalrecon.py --dns --sub https://example.com

DNS records queried:

  • A (IPv4) and AAAA (IPv6)
  • ANY
  • CAA (which CAs may issue certificates for the name)
  • CNAME
  • MX (mail servers)
  • NS (name servers)
  • TXT (SPF, domain-verification tokens)
  • The _dmarc.<domain> TXT record (DMARC policy)

Many authoritative servers refuse or minimise ANY queries (RFC 8482), so an empty ANY answer is not a finding; SPF and DMARC weaknesses in the TXT answers are.

Enumerate subdomains from passive sources. FinalRecon queries public datasets only: it does not brute-force names from a wordlist and does not attempt zone transfers or search-engine scraping.

# Subdomain enumeration
python3 finalrecon.py --sub https://example.com

# With VirusTotal or Shodan as extra sources (keys are stored with -k, see the API section)
python3 finalrecon.py -k virustotal@your_key --sub https://example.com

# Export the list (txt, xml or csv)
python3 finalrecon.py --sub -o txt https://example.com

# Subdomains plus DNS records of the apex domain in one run
python3 finalrecon.py --sub --dns -d 8.8.8.8 https://example.com

Sources queried:

  • Certificate transparency (crt.sh, CertSpotter)
  • Public DNS datasets and APIs (AnubisDB, HackerTarget, ThreatMiner)
  • VirusTotal and Shodan, when API keys are configured

The output is a list of names, not resolved hosts: resolve them and discard dead or wildcard entries before scanning or reporting.

Brute-force directories and files on the web server from a wordlist.

# Directory enumeration with the bundled wordlist (wordlists/dirb_common.txt)
python3 finalrecon.py --dir https://example.com

# Custom wordlist
python3 finalrecon.py --dir -w /usr/share/wordlists/dirb/big.txt https://example.com

# Append file extensions to every word
python3 finalrecon.py --dir -e php,txt,conf https://example.com

# More threads (default 30) and follow redirects
python3 finalrecon.py --dir -dt 50 -r https://example.com

# Export the hits
python3 finalrecon.py --dir -o csv https://example.com

How it works:

  • Each wordlist entry (and each word.extension pair when -e is given) is requested once; there is no recursion into discovered directories
  • Hits are reported with their HTTP status code: 200 and 301/302 targets are the usual finds, 401/403 show paths that exist but are protected
  • Coverage is only as good as the wordlist; add .env, .git/, backup and config filenames if your list lacks them
  • A server that answers 200 for every path ("soft 404") floods the output: request a random path first and discard anything that matches that response

Pull historical URLs for the target from the Internet Archive's Wayback Machine.

# Wayback URLs
python3 finalrecon.py --wayback https://example.com

# Wayback with a longer timeout (the archive's CDX index is slow for large sites)
python3 finalrecon.py --wayback -T 60 https://example.com

# Wayback plus a live crawl, to compare past and present
python3 finalrecon.py --wayback --crawl https://example.com

# Export the URL list for offline review
python3 finalrecon.py --wayback -o txt https://example.com

Wayback output:

  • Whether the Internet Archive holds snapshots for the domain
  • Archived URLs for the domain, including paths and query parameters that no longer appear on the live site

There is no year filter or endpoint extraction switch; the exported list is the raw material, and old admin paths, parameter names and backup-style file extensions in it are what to re-test against the live host.

Export results. -o selects the format and -cd the directory; file names are generated by the tool, so you choose the folder rather than the file. By default everything is written below ~/.local/share/finalrecon/dumps/.

# Plain text (default)
python3 finalrecon.py --full -o txt https://example.com

# XML
python3 finalrecon.py --full -o xml https://example.com

# CSV, for spreadsheets
python3 finalrecon.py --full -o csv https://example.com

# Write into a per-engagement directory instead of the default
python3 finalrecon.py --full -o csv -cd ~/engagements/example https://example.com

Add API keys for the services the subdomain module can query. -k stores a key once (format: service@key) in the keys.json that FinalRecon copies to ~/.config/finalrecon/ on first run, and later runs read it from there; keys are not read from environment variables or a config.py.

# Store a Shodan key and run subdomain enumeration
python3 finalrecon.py -k shodan@your_key --sub https://example.com

# Store a VirusTotal key
python3 finalrecon.py -k virustotal@your_key --sub https://example.com

# Keys sit in plaintext on disk; keep the file readable by you only
chmod 600 ~/.config/finalrecon/keys.json

Supported services (the service names are the keys in keys.json):

  • Shodan (host and subdomain data)
  • VirusTotal (passive DNS and subdomain data)
# Basic profile: headers, WHOIS, TLS certificate, DNS
python3 finalrecon.py --headers --whois --sslinfo --dns https://example.com

# Everything, exported as CSV into an engagement directory
python3 finalrecon.py --full -o csv -cd ~/engagements/example https://example.com

# Find subdomains, then crawl the ones that matter
python3 finalrecon.py --sub -o txt https://example.com
python3 finalrecon.py --crawl https://sub.example.com

# Pull old endpoints from Wayback, then probe them on the live host
python3 finalrecon.py --wayback -o txt https://example.com
# review the exported URL list and re-request the interesting paths (old admin pages, backups, parameters)

# API host: crawl it, read its headers, look for exposed spec and data files
python3 finalrecon.py --crawl --headers https://api.example.com
python3 finalrecon.py --dir -e json,xml,yaml https://api.example.com

# Feed crawl output to Burp
python3 finalrecon.py --crawl -o txt https://example.com
# Burp: Target → Scope → Load... the exported URL list, then drive traffic to those targets through the proxy

# Resolve discovered names and port-scan the addresses
python3 finalrecon.py --dns --sub -o txt https://example.com
# extract the resolved IPs from the export into ips.txt (nmap reads a target file with -iL, not -i)
nmap -iL ips.txt -p 80,443
# for a quick TCP sweep of the target host itself, FinalRecon has its own scanner (-pt sets threads)
python3 finalrecon.py --ps -pt 100 https://example.com

# Feed crawl output to ZAP
python3 finalrecon.py --crawl -o txt https://example.com
# ZAP: Import → Import URLs from file, then spider/scan from the Sites tree

# Compare subdomain findings with theHarvester
python3 finalrecon.py --sub -o txt https://example.com
theHarvester -d example.com -b all > harvester_subs.txt
# merge the two lists and deduplicate (sort -u) before resolving

# Mass port scan of discovered subdomains
python3 finalrecon.py --sub -o txt https://example.com
# masscan takes IP addresses, not hostnames: resolve the names into ips.txt first
sudo masscan -iL ips.txt -p 0-65535 --rate 10000
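
The theHarvester, nmap and masscan workflows above all need the same glue: one deduplicated, in-scope host list merged from several tools, resolved to addresses, with wildcard-DNS noise removed. This added example (not FinalRecon's or theHarvester's code) does that. The resolver is injectable so the constructed sample runs offline; default_resolver uses socket.getaddrinfo for real use. The wildcard check resolves a random label under the domain and discards hosts that only resolve to that answer.

```python
"""Merge subdomain lists from several tools, resolve them, and produce the
IP list that nmap -iL / masscan -iL expect.

Added example, not FinalRecon's or theHarvester's code. The resolver is
injectable so the constructed sample below runs offline; default_resolver
uses socket.getaddrinfo. Hosts that only resolve to the same answer as a
random probe label are treated as wildcard-DNS noise.
"""
from __future__ import annotations
import re
import secrets
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], set]
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def default_resolver(name: str) -> set:
    """A/AAAA addresses for name, or an empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def normalize(lines: Iterable[str], domain: str) -> set:
    """Pull in-scope hostnames out of mixed tool output: strips ANSI colour
    codes, wildcard prefixes and trailing dots, lowercases, and keeps only
    names at or below domain."""
    domain = domain.lower()
    found = set()
    for line in lines:
        for match in _HOST_RE.findall(_ANSI_RE.sub("", line)):
            host = match.lower().lstrip("*.").rstrip(".")
            if host == domain or host.endswith("." + domain):
                found.add(host)
    return found


def resolve_all(hosts: Iterable[str], domain: str, resolve: Resolver = default_resolver) -> dict:
    """Resolve each host, set aside dead and wildcard-only names, and collect
    the unique addresses to scan."""
    wildcard_ips = resolve(f"{secrets.token_hex(6)}.{domain}")   # random-label probe
    live, dead, wildcard_only, ips = {}, [], [], set()
    for host in sorted(hosts):
        addrs = resolve(host)
        if not addrs:
            dead.append(host)
        elif wildcard_ips and addrs <= wildcard_ips:
            wildcard_only.append(host)
        else:
            live[host] = sorted(addrs)
            ips |= addrs
    return {"live": live, "dead": dead, "wildcard_only": wildcard_only,
            "wildcard_ips": sorted(wildcard_ips), "scan_targets": sorted(ips)}


# Constructed tool output (FinalRecon prints coloured lines; theHarvester
# prints host:ip pairs) and a fake resolver, so the example runs offline.
FINALRECON_OUT = ["\x1b[32m[+]\x1b[0m www.example.com", "api.example.com",
                  "*.dev.example.com", "mail.example.com."]
HARVESTER_OUT = ["www.example.com:203.0.113.10", "vpn.example.com", "example.com",
                 "ghost.example.com", "old.example.com", "notexample.com"]
FAKE_DNS = {
    "example.com": {"203.0.113.10"},
    "www.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.20", "2001:db8::20"},
    "mail.example.com": {"203.0.113.30"},
    "vpn.example.com": {"198.51.100.5"},
    "old.example.com": set(),            # NXDOMAIN
}


def fake_resolver(name: str) -> set:
    if name in FAKE_DNS:
        return set(FAKE_DNS[name])
    if name.endswith(".example.com"):    # wildcard record catches everything else
        return {"198.51.100.99"}
    return set()


if __name__ == "__main__":
    hosts = normalize(FINALRECON_OUT + HARVESTER_OUT, "example.com")
    result = resolve_all(hosts, "example.com", fake_resolver)
    print("\n".join(result["scan_targets"]))   # what nmap -iL / masscan -iL consume
```

Swap fake_resolver for default_resolver and the two sample lists for the exported files to use it for real. nmap only scans the IPv6 entries with -6, so write them to a separate file; the wildcard_only and dead lists are worth keeping in the notes, since a wildcard record is itself something to report.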

  • Respect authorization: only scan systems you own or have written permission to test
  • Throttle: -T sets the per-request timeout, -dt and -pt the thread counts for directory and port scanning; lower them on fragile targets
  • Combine modules: several switches in one invocation give a fuller picture than one at a time
  • Verify results: passive sources return stale and wildcard names; resolve and spot-check before acting on them
  • Keep wordlists current: the bundled dirb_common.txt is small; swap in a larger list with -w when coverage matters
  • Protect API keys: keys.json is plaintext; restrict its permissions and keep it out of version control
  • Filter noise: separate soft-404 and wildcard results from real findings before reporting
  • Document findings: export with -o and keep a dump directory per engagement with -cd