🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Recon Quick

by @hostilespider

Fast OSINT and reconnaissance presets using bbot and nmap. One-command subdomain enumeration, port scanning, and web fingerprinting for bug bounty recon.

Versionv1.0.0
Downloads566
TERMINAL
clawhub install recon-quick

πŸ“– About This Skill


name: recon-quick description: Fast OSINT and reconnaissance presets using bbot and nmap. One-command subdomain enumeration, port scanning, and web fingerprinting for bug bounty recon. metadata: {"openclaw":{"emoji":"πŸ”","requires":{"bins":["bbot","nmap"]},"install":[{"id":"bbot","kind":"pipx","packages":["bbot"],"label":"Install bbot via pipx"}]}}

Recon Quick β€” Fast OSINT Presets

One-command recon using bbot and nmap. Preset workflows for common bug bounty recon tasks.

Prerequisites

pipx install bbot

nmap: apt install nmap / brew install nmap

Quick Start

# Full subdomain enumeration + web probe
python3 {baseDir}/scripts/recon.py target.com --preset full

Just subdomains

python3 {baseDir}/scripts/recon.py target.com --preset subdomains

Quick port scan top 100

python3 {baseDir}/scripts/recon.py target.com --preset ports

Presets

| Preset | What it does | Time | |--------|-------------|------| | subdomains | Subdomain enum via bbot | 2-10 min | | ports | Top 100 ports + service detection | 1-5 min | | web | HTTP probe + tech fingerprint | 2-5 min | | full | Subdomains + ports + web + nuclei | 10-30 min | | passive | Passive recon only (DNS, certs, APIs) | 1-3 min |

Options

  • --preset PRESET β€” Recon preset (default: subdomains)
  • --output DIR β€” Output directory (default: ./recon-output)
  • --json β€” Output as JSON
  • --threads N β€” Thread count (default: 10)
  • --wordlist FILE β€” Custom wordlist for subdomain brute
  • --proxy URL β€” Proxy for web requests
  • Output Structure

    recon-output/
    β”œβ”€β”€ target.com/
    β”‚   β”œβ”€β”€ subdomains.txt      # Discovered subdomains
    β”‚   β”œβ”€β”€ live-hosts.txt       # Alive HTTP services
    β”‚   β”œβ”€β”€ ports.txt            # Open ports
    β”‚   β”œβ”€β”€ tech-fingerprints.txt # Detected technologies
    β”‚   β”œβ”€β”€ nuclei-findings.txt  # Vulnerability scan results
    β”‚   └── full-report.json     # Everything combined
    

    Integration with Bug Bounty

    # Run recon, generate report
    python3 recon.py target.com --preset full --output ./bounties/target
    bb-report-template --type recon --target target.com -o report.md
    

    Notes

  • bbot handles rate limiting and scope validation automatically
  • Nuclei findings are informational β€” manual verification required
  • Always check program scope before scanning
  • Use --proxy socks5://127.0.0.1:9050 for Tor
  • πŸ’‘ Examples

    # Full subdomain enumeration + web probe
    python3 {baseDir}/scripts/recon.py target.com --preset full

    Just subdomains

    python3 {baseDir}/scripts/recon.py target.com --preset subdomains

    Quick port scan top 100

    python3 {baseDir}/scripts/recon.py target.com --preset ports

    βš™οΈ Configuration

  • --preset PRESET β€” Recon preset (default: subdomains)
  • --output DIR β€” Output directory (default: ./recon-output)
  • --json β€” Output as JSON
  • --threads N β€” Thread count (default: 10)
  • --wordlist FILE β€” Custom wordlist for subdomain brute
  • --proxy URL β€” Proxy for web requests
  • πŸ“‹ Tips & Best Practices

  • bbot handles rate limiting and scope validation automatically
  • Nuclei findings are informational β€” manual verification required
  • Always check program scope before scanning
  • Use --proxy socks5://127.0.0.1:9050 for Tor