π¦ ClawHub
Recon Quick
by @hostilespider
Fast OSINT and reconnaissance presets using bbot and nmap. One-command subdomain enumeration, port scanning, and web fingerprinting for bug bounty recon.
TERMINAL
clawhub install recon-quickπ About This Skill
name: recon-quick description: Fast OSINT and reconnaissance presets using bbot and nmap. One-command subdomain enumeration, port scanning, and web fingerprinting for bug bounty recon. metadata: {"openclaw":{"emoji":"π","requires":{"bins":["bbot","nmap"]},"install":[{"id":"bbot","kind":"pipx","packages":["bbot"],"label":"Install bbot via pipx"}]}}
Recon Quick β Fast OSINT Presets
One-command recon using bbot and nmap. Preset workflows for common bug bounty recon tasks.
Prerequisites
pipx install bbot
nmap: apt install nmap / brew install nmap
Quick Start
# Full subdomain enumeration + web probe
python3 {baseDir}/scripts/recon.py target.com --preset fullJust subdomains
python3 {baseDir}/scripts/recon.py target.com --preset subdomainsQuick port scan top 100
python3 {baseDir}/scripts/recon.py target.com --preset ports
Presets
| Preset | What it does | Time |
|--------|-------------|------|
| subdomains | Subdomain enum via bbot | 2-10 min |
| ports | Top 100 ports + service detection | 1-5 min |
| web | HTTP probe + tech fingerprint | 2-5 min |
| full | Subdomains + ports + web + nuclei | 10-30 min |
| passive | Passive recon only (DNS, certs, APIs) | 1-3 min |
Options
--preset PRESET β Recon preset (default: subdomains)--output DIR β Output directory (default: ./recon-output)--json β Output as JSON--threads N β Thread count (default: 10)--wordlist FILE β Custom wordlist for subdomain brute--proxy URL β Proxy for web requestsOutput Structure
recon-output/
βββ target.com/
β βββ subdomains.txt # Discovered subdomains
β βββ live-hosts.txt # Alive HTTP services
β βββ ports.txt # Open ports
β βββ tech-fingerprints.txt # Detected technologies
β βββ nuclei-findings.txt # Vulnerability scan results
β βββ full-report.json # Everything combined
Integration with Bug Bounty
# Run recon, generate report
python3 recon.py target.com --preset full --output ./bounties/target
bb-report-template --type recon --target target.com -o report.md
Notes
--proxy socks5://127.0.0.1:9050 for Torπ‘ Examples
# Full subdomain enumeration + web probe
python3 {baseDir}/scripts/recon.py target.com --preset fullJust subdomains
python3 {baseDir}/scripts/recon.py target.com --preset subdomainsQuick port scan top 100
python3 {baseDir}/scripts/recon.py target.com --preset ports
βοΈ Configuration
--preset PRESET β Recon preset (default: subdomains)--output DIR β Output directory (default: ./recon-output)--json β Output as JSON--threads N β Thread count (default: 10)--wordlist FILE β Custom wordlist for subdomain brute--proxy URL β Proxy for web requestsπ Tips & Best Practices
--proxy socks5://127.0.0.1:9050 for Tor