Profile-based Nmap reconnaissance with clean, structured TXT + JSON output.
Recon is a lightweight CLI tool designed to simplify Nmap usage through profile-driven scanning. It abstracts complex Nmap scripts, improves output readability, and provides built-in service references to support practical penetration testing workflows.
It supports interactive shell and CLI shortcut mode, custom port overrides, and multi-target execution.
Recon focuses on structured output, reproducible scans, and practical operator workflows.
⚠️ Use responsibly. Only scan systems you own or have explicit permission to test.
- Removed IP/Host limit restriction
- Added custom port support for port scanning
For a complete and detailed list of available port profiles and their Nmap mappings:
➡️ View Port Scanning Profile Lists
- Two modes
  - Interactive shell: run commands inside `recon >`
  - CLI shortcut: run directly from terminal
- Port profiles
  - Default / common / deep + service-specific profiles
- Custom port scanning
  - Define specific ports manually for targeted scans
- Flexible multi-target scanning
  - Scan multiple targets via `-f <file>` (one IP per line)
  - No built-in IP/Host scanning limit
- Structured output
  - `--txt` pretty human-readable format
  - `--json` machine-readable results
  - Auto-saves to `~/recon_result/` with timestamped filenames
- Service reference (`info <service>`)
  - Built-in enumeration checklist & tool examples
  - Example: `info smb`, `info ssh`
- Progress & warnings
  - Context-aware warnings (e.g., deep profile in file mode)

- Go (for install/build)
- `nmap` installed and accessible in PATH
- Standard utilities like `ping` (for host check)

Some scan types (e.g., OS detection `-O`, traceroute) may require elevated privileges depending on your OS/environment.
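
```bash
go install github.com/nartodono/recon/cmd/recon@latest
```

If module resolution issues occur (`GOPROXY=direct` fetches straight from the repository and `GOSUMDB=off` skips checksum database verification of the download):

```bash
GOPROXY=direct GOSUMDB=off go install github.com/nartodono/recon/cmd/recon@main
```

```bash
git clone https://github.com/nartodono/recon.git
cd recon
go build ./cmd/recon
```

```bash
recon host 192.168.1.1 --txt
recon port ssh-deep 192.168.1.1 --json
recon info smb
```

Start Recon without arguments: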

```bash
recon
```

Inside the shell:

```
recon > host 192.168.1.1 --txt --json
recon > port 192.168.1.1 -p 3306
recon > port vuln 192.168.1.1 --txt
recon > port ssh-deep -f list.txt
recon > info smb
recon > profile
recon > exit
```

Run directly from terminal:

```bash
recon host 192.168.1.1 --txt --json
recon port 192.168.1.1 -p 3306
recon port web-deep 192.168.1.20 --txt --json
recon port ssh-deep -f list.txt
recon info smb
recon list
```

If no profile is specified:

```bash
recon port 192.168.1.1
```

The 'default' profile will be used automatically.

By default, each service profile uses its standard port.
You can override it using `-p <port>`.

Example:

```bash
recon port ftp 192.168.1.10 -p 9109
```

This allows scanning a service profile on a non-standard port.

Scan multiple targets from file (one IP per line):

```bash
recon host -f targets.txt --txt --json
recon port -f targets.txt --txt
recon port deep -f targets.txt --txt --json
```

Recon provides quick service cheat-sheets to guide what to check, common misconfigurations, and example enumeration commands.

Examples:

```bash
recon info smb
recon info ssh
```

```
--txt    Print formatted text output
--json   Print structured JSON output
```

Both flags can be used together.

- Results are automatically saved to: `~/recon_result/`
- Output filenames follow:
  - `recon-host-YYYYMMDD-HHMMSS.txt`
  - `recon-host-YYYYMMDD-HHMMSS.json`
  - `recon-port-YYYYMMDD-HHMMSS.txt`
  - `recon-port-YYYYMMDD-HHMMSS.json`
- Recon validates required dependencies on startup (`nmap`, `ping`)
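
To go with the `-f <file>` multi-target mode, which has no built-in target limit, here is an added example (not part of Recon's code) that filters a targets file against an authorized scope before it is handed to `recon`. `FilterTargets`, the scope CIDR and the sample addresses are assumptions made up for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// FilterTargets (hypothetical helper, not part of Recon) splits a targets file,
// one IP per line, into in-scope addresses and lines to leave out of the scan.
func FilterTargets(targets string, scope []string) ([]string, []string, error) {
	var prefixes []netip.Prefix
	for _, s := range scope {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, nil, fmt.Errorf("bad scope entry %q: %w", s, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	var allowed, rejected []string
	sc := bufio.NewScanner(strings.NewReader(targets))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") { // assumption: skip blanks and comments
			continue
		}
		addr, err := netip.ParseAddr(line)
		if err != nil { // hostname, CIDR, range or typo: not a single IP
			rejected = append(rejected, line)
			continue
		}
		addr = addr.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address it maps
		inScope := false
		for _, p := range prefixes {
			inScope = inScope || p.Contains(addr)
		}
		if inScope {
			allowed = append(allowed, addr.String())
		} else {
			rejected = append(rejected, line)
		}
	}
	return allowed, rejected, sc.Err()
}

func main() {
	// Constructed sample input; the scope and addresses are made up.
	fmt.Println(FilterTargets("192.168.1.10\n10.0.0.5\nexample.test\n", []string{"192.168.1.0/24"}))
}
```

Write the allowed addresses to a file, one per line, and review the rejected lines before passing that file with `-f`.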






