A professional Monokai-themed GUI wrapper for 12 essential security reconnaissance tools with 60+ automated workflows, advanced features, API integrations, and comprehensive security hardening.
This tool is for AUTHORIZED security testing, penetration testing, CTF challenges, and educational purposes ONLY.
- Only scan systems you own or have explicit written permission to test
- Use in authorized penetration testing engagements
- CTF competitions and security research
- Unauthorized scanning is illegal and unethical
By using this tool, you agree to use it responsibly and legally.
- 60+ Pre-defined Workflows - Basic, advanced, active-focused, and specialized attack patterns automated
- Passive/Active Mode Selection - Choose passive-only, active-only, or both modes per workflow
- Smart Mode Auto-Selection - Workflows automatically select appropriate mode based on available steps
- Sequential Execution - Multi-tool chains with progress tracking
- Smart Conditions - Steps execute based on previous results (HTTP, HTTPS, SMB, SSH detection)
- Target Validation - Workflow-specific format checking
- Interactive Progress - Real-time status updates with PASSIVE/ACTIVE step indicators
- SQLmap Tab - Full SQL injection testing with level/risk controls, tamper scripts, and database enumeration
- Shellz - Reverse shell generator for 16+ languages (Bash, Python, PowerShell, PHP, etc.)
- Encoders - Base64, URL, Hex, Binary, ROT13, Unicode encoding + MD5/SHA hashing
- Decoders - Decode Base64, URL, Hex, Binary, ROT13, Unicode, and JWT tokens
- LOLOL - Living Off The Land reference with GTFOBins (Linux), LOLBAS (Windows), and LOLAD (Active Directory)
- Help - Comprehensive application guide and cheat sheets
- Wordlist Path Configuration - Set default wordlist directory
- Custom Tools Path - Configure paths to custom tools
- Output Directory - Set default output location
- UI Preferences - Auto-save, timestamps, confirm exit options
- TCPDump Interface Dropdown - Auto-detect and select network interfaces
- Improved Cheat Sheets - Better formatting and readability
- Scrollable Settings - All settings in organized sections
- Fixed Shodan API Key Validation - Now accepts valid alphanumeric API keys
- Fixed Browse Wordlist Buttons - Correctly update the target entry field
- Improved Input Validation - Enhanced security across all inputs
- Command Injection Prevention - Comprehensive protection
- Timeout Controls - Total and per-step timeout enforcement
- Secure Execution - All subprocess calls use shell=False
Basic Workflows:
- Full Network Reconnaissance - Nmap (full port + vuln) → DNS → Gobuster → Nikto → SQLmap → Shodan
- Web Application Deep Scan - Nmap (web scripts) → Nikto → Gobuster → feroxbuster → SQLmap → Shodan
- Domain Intelligence Gathering - DNSrecon (std + brt) → Shodan → GitHarvester
- Windows/SMB Enumeration - Nmap (SMB scripts + vuln) → enum4linux → MSF Version → MSF Shares → MS17-010
- Cloud Asset Discovery - AWSBucketDump → GitHarvester → Shodan
- Quick Host Discovery - Nmap (fast) → Nikto (quick)
Advanced Attack Workflows:
- AD Reconnaissance - Nmap (AD ports) → enum4linux → MSF LDAP → Kerberos
- Web Application Pentesting - Nmap → Nikto → Gobuster → feroxbuster → Vhost → SQLmap
- External Perimeter Assessment - DNS → Subdomain → Shodan → Nmap → GitHarvester
- Internal Network Sweep - Host Discovery → Service Enum → Windows → MSF
- API Security Assessment - Nmap → Gobuster (API) → feroxbuster → Nikto
- Credential Hunting - GitHarvester → Shodan → Nmap → MSF FTP
- SSL/TLS Assessment - Nmap (SSL scripts) → Nikto HTTPS → Shodan
- Network Services Audit - Full Port Scan → Version Detection → Nikto → SMB → SSH
- Stealth Reconnaissance - Slow Nmap → DNS → Shodan → GitHub
- Full Stack Assessment - DNS → Nmap → Nikto → Gobuster → enum4linux → Shodan → Git
- Vulnerability Assessment - Nmap (vuln) → Nikto → MSF SMB → Shodan
- Database Discovery - Nmap (DB ports) → MySQL → MSSQL → Shodan
- Mail Server Reconnaissance - DNS MX → Nmap (mail) → SMTP Enum → Shodan
- SQL Injection Assessment - Nmap → Nikto → Gobuster → SQLmap
Active-Focused Workflows:
- Aggressive Full Port Scan - Complete 65535 TCP + UDP scan with aggressive service detection
- Web Application Pentesting Suite - Comprehensive active web security testing
- Exploitation Reconnaissance - Identify exploitable services and vulnerabilities
- Credential Audit - Active credential testing across services
- Database Pentest - Active database security testing
- Firewall Evasion Test - ACK, FIN, NULL, Xmas scans for firewall rule detection
- Service Exploitation Prep - Identify vulnerable services for exploitation
- Web Vulnerability Hunter - Active web vulnerability scanning and testing
- Network Pivot Discovery - Identify potential pivot points in network
- API Exploitation Prep - Active API security testing and enumeration
Specialized Industry Workflows (25+):
- IoT/SCADA Security - Industrial control system reconnaissance
- Healthcare Infrastructure - HIPAA-focused security assessment
- PCI Compliance - Payment card environment scanning
- Educational Network - Campus infrastructure assessment
- Government/Defense - Hardened network reconnaissance
- And many more...
- Nmap - Network mapper with NSE script support
- DNSrecon - DNS enumeration and reconnaissance
- TCPdump - Packet capture and network analysis
- Gobuster - Directory/DNS brute-forcing
- Nikto - Web server vulnerability scanning
- SQLmap - Automatic SQL injection detection and exploitation
- feroxbuster - Fast recursive web content discovery
- Shodan - Internet-connected device search (API required)
- GitHarvester - GitHub repository OSINT
- AWSBucketDump - AWS S3 bucket enumeration
- enum4linux - SMB/Windows enumeration
- Metasploit - Framework auxiliary/scanner modules
```bash
# Core tools (Included in most pentesting distros)
sudo apt update
sudo apt install nmap gobuster nikto metasploit-framework sqlmap
# Additional tools for v3.0
sudo apt install dnsrecon enum4linux tcpdump
# feroxbuster (Rust-based, may need manual installation)
# Download from: https://github.com/epi052/feroxbuster/releases
wget https://github.com/epi052/feroxbuster/releases/download/v2.10.1/feroxbuster_amd64.deb
sudo dpkg -i feroxbuster_amd64.deb
# Shodan CLI (Python package)
pip3 install shodan
# GitHarvester (Clone from GitHub)
git clone https://github.com/metac0rtex/GitHarvester
# Update path in code: line ~2187
# AWSBucketDump (Clone from GitHub)
git clone https://github.com/jordanpotti/AWSBucketDump
# Update path in code: line ~2260
```

- Python 3.6 or higher
- tkinter (usually included with Python)

```bash
# Verify Python installation
python3 --version
# If tkinter is missing (Ubuntu/Debian)
sudo apt install python3-tk
```

- Shodan API Key: Required for Shodan tool
- Get key from: https://account.shodan.io/
- Configure in Settings tab after launch

- Run Install Scripts for Dependencies

Windows:
```powershell
.\install_windows.ps1
```
Linux:
```bash
./install_linux.sh
```

- Clone the repository
```bash
git clone https://github.com/aingram702/Recon-Superpowers.git
cd Recon-Superpowers
```

- Make the script executable
```bash
chmod +x recon_superpower.py
```

- Verify tool installations
```bash
nmap --version
gobuster version
nikto -Version
dnsrecon --version
enum4linux --version
feroxbuster --version
shodan info # Requires API key
```

Launch the application:
```bash
python3 recon_superpower.py
```

- Left Sidebar: 12 tools + Settings (click to switch)
- Center Panel: Tool-specific configuration options
- Right Panel: Real-time command output
- Bottom Bar: Status indicator
Workflows automate multi-tool reconnaissance by chaining tools together in intelligent sequences. Perfect for comprehensive assessments without manual intervention.
- Click Workflows in the sidebar
- Select a workflow from the dropdown
- Review the workflow steps in the preview pane
- Enter your target (format depends on workflow)
- Click RUN WORKFLOW
- Monitor progress in real-time
- Review consolidated results in console output
Full Network Reconnaissance
Best for: Unknown networks, comprehensive assessment
Target: IP address or network range
Duration: ~20-40 minutes
Steps:
- Nmap port scan (ports 1-1000, SYN scan)
- Gobuster directory enum (if HTTP detected)
- Nikto vulnerability scan (if HTTP detected)
- DNSrecon DNS enumeration
Example Targets:
- 192.168.1.1
- 10.0.0.0/24
- scanme.nmap.org
Web Application Deep Scan
Best for: Web applications, API endpoints
Target: URL
Duration: ~30-60 minutes
Steps:
- Nikto web scan (all checks)
- Gobuster directory brute force
- feroxbuster recursive deep scan
- Shodan lookup for domain/IP
Example Targets:
- http://example.com
- https://192.168.1.100
Domain Intelligence Gathering
Best for: Domain reconnaissance, OSINT
Target: Domain name
Duration: ~15-30 minutes
Steps:
- DNSrecon standard enumeration
- DNSrecon subdomain brute force
- Shodan infrastructure search
- GitHarvester GitHub references
Example Targets:
- example.com
- subdomain.example.org
Windows/SMB Enumeration
Best for: Windows hosts, Active Directory
Target: IP address
Duration: ~10-20 minutes
Steps:
- Nmap SMB port scan (135,139,445)
- enum4linux comprehensive enumeration
- Metasploit SMB version detection
Example Targets:
- 192.168.1.10
- dc01.domain.local
Cloud Asset Discovery
Best for: Cloud security assessment
Target: Organization name
Duration: ~15-25 minutes
Steps:
- AWS S3 bucket enumeration
- GitHarvester credential search
- Shodan organization infrastructure
Example Targets:
- MyCompany
- example-corp
Quick Host Discovery
Best for: Fast initial reconnaissance
Target: IP address or hostname
Duration: ~5-10 minutes
Steps:
- Nmap fast port scan (T5 timing)
- Nikto quick web scan (if HTTP detected)
Example Targets:
- 192.168.1.1
- webserver.local
Security:
- Target validation before execution
- Command injection prevention
- Workflow timeout: 2 hours max
- Step timeout: 30 minutes max
Progress Tracking:
- Real-time step counter
- Progress bar with percentage
- Elapsed time display
- Current tool indicator
Smart Execution:
- Conditional steps (e.g., "if HTTP detected")
- Previous result parsing
- Error handling with continue/stop options
- Thread-safe execution
Results:
- Consolidated output in console
- Step-by-step results
- Export to file available
- Copy to clipboard
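The sequential, conditional execution described above (per-step and total timeouts, "if HTTP detected"-style gating on earlier output, continue/stop on error) can be put together in a few dozen lines. The block below is an added example, not Recon-Superpowers project code: it runs each step's argument list with shell=False, evaluates the four condition handlers (HTTP, HTTPS, SMB, SSH) against Nmap-style "PORT STATE SERVICE" lines from previous steps, and skips steps whose condition is not met. The Nmap output used by the demo is constructed, and "TARGET" in the argv lists is a placeholder.

```python
"""Sequential workflow runner with conditional steps and timeouts.

Added example, not Recon-Superpowers project code. Steps run in order,
each argv is executed with shell=False under a per-step timeout, a total
workflow timeout is enforced, and later steps are gated on what earlier
output revealed (HTTP, HTTPS, SMB, SSH). The Nmap-style output used by
the demo is constructed; "TARGET" in the argv lists is a placeholder.
"""
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Condition handlers inspect the combined output of all earlier steps.
# The patterns follow Nmap's "PORT STATE SERVICE" line format.
CONDITIONS: Dict[str, Callable[[str], bool]] = {
    "http":  lambda out: re.search(r"^\d+/tcp\s+open\s+http(\s|$)", out, re.M) is not None,
    "https": lambda out: re.search(r"^\d+/tcp\s+open\s+(ssl/http|https)", out, re.M) is not None,
    "smb":   lambda out: re.search(r"^(139|445)/tcp\s+open", out, re.M) is not None,
    "ssh":   lambda out: re.search(r"^\d+/tcp\s+open\s+ssh", out, re.M) is not None,
}


@dataclass
class Step:
    name: str
    argv: List[str]                  # argument list, never a shell string
    condition: Optional[str] = None  # key in CONDITIONS; None means always run
    timeout: int = 1800              # per-step limit in seconds (30 minutes)


@dataclass
class StepResult:
    name: str
    status: str                      # "ok", "skipped", "timeout" or "error"
    output: str = ""


def run_step(step: Step) -> StepResult:
    """Execute one step without a shell, enforcing its timeout."""
    try:
        proc = subprocess.run(step.argv, shell=False, capture_output=True,
                              text=True, timeout=step.timeout)
    except subprocess.TimeoutExpired:
        return StepResult(step.name, "timeout")
    except OSError as exc:           # e.g. tool not installed
        return StepResult(step.name, "error", str(exc))
    status = "ok" if proc.returncode == 0 else "error"
    return StepResult(step.name, status, proc.stdout + proc.stderr)


def run_workflow(steps: List[Step], executor=run_step,
                 total_timeout: int = 7200, stop_on_error: bool = False) -> List[StepResult]:
    """Run steps in sequence, skipping any whose condition is not met."""
    results: List[StepResult] = []
    combined = ""                    # output seen so far, fed to condition handlers
    started = time.monotonic()
    for step in steps:
        if time.monotonic() - started > total_timeout:
            results.append(StepResult(step.name, "skipped", "workflow timeout reached"))
            continue
        if step.condition and not CONDITIONS[step.condition](combined):
            results.append(StepResult(step.name, "skipped", f"no {step.condition} detected"))
            continue
        result = executor(step)
        results.append(result)
        combined += result.output + "\n"
        if stop_on_error and result.status in ("error", "timeout"):
            break
    return results


# --- demo with constructed output, so no scanner needs to be installed ---
SAMPLE_NMAP = """\
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
445/tcp open  microsoft-ds
"""


def fake_executor(step: Step) -> StepResult:
    """Demo-only executor returning the constructed Nmap output."""
    return StepResult(step.name, "ok", SAMPLE_NMAP if step.name == "nmap" else "")


QUICK_HOST_DISCOVERY = [
    Step("nmap", ["nmap", "-T5", "-F", "TARGET"]),
    Step("nikto", ["nikto", "-h", "TARGET"], condition="http"),
    Step("nikto-ssl", ["nikto", "-h", "TARGET", "-ssl"], condition="https"),
    Step("enum4linux", ["enum4linux", "-a", "TARGET"], condition="smb"),
]


def demo() -> Dict[str, str]:
    """Map each step name to its status after running the demo workflow."""
    return {r.name: r.status for r in run_workflow(QUICK_HOST_DISCOVERY, executor=fake_executor)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

With the real `run_step` executor the same `Step` definitions drive the installed tools; passing a different executor, as the demo does, is also how the condition logic can be unit-tested without network access.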
Enhanced with NSE Script Support
- Select Nmap from sidebar
- Enter target (IP, hostname, or CIDR)
- Choose scan type
- Set port range (e.g., 1-1000,80,443,8080)
- Select timing template (T3 Normal is default)
- NEW: Choose NSE script category or enter custom script
- Click RUN SCAN
Scan Types:
- -sS - TCP SYN Scan (default, stealthy)
- -sT - TCP Connect Scan (full connection)
- -sU - UDP Scan
- -sV - Version Detection
- -O - OS Detection
- -A - Aggressive Scan (OS + version + scripts + traceroute)
- -sn - Ping Scan (host discovery only)
- -sA - ACK Scan (firewall rule detection)
- -sF - FIN Scan (stealthy, evades some firewalls)
- -sN - NULL Scan (no flags set)
- -sX - Xmas Scan (FIN, PSH, URG flags)
NSE Script Categories:
- default - Default scripts
- vuln - Vulnerability detection
- discovery - Network discovery
- auth - Authentication testing
- exploit - Exploit checks
- safe - Safe scripts only
- Custom - Enter your own script name
Example Targets:
- scanme.nmap.org - Nmap's official test server
- 192.168.1.0/24 - Network range
- 10.0.0.1 - Single host
Requires API Key
- Configure API key in Settings tab first
- Select Shodan from sidebar
- Choose search type:
  - search - Query-based search
  - host - Specific IP lookup
- Enter search query
- Optional: Add facets (e.g., country,org,port)
- Set result limit
- Click RUN SCAN
Example Queries:
- apache port:443 - Apache servers on port 443
- nginx country:US - Nginx servers in United States
- port:22 'SSH-2.0' - SSH servers
- product:MySQL - MySQL databases
Security: Private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x) are blocked
- Select DNSrecon from sidebar
- Enter domain name
- Choose scan type:
  - std - Standard enumeration
  - axfr - Zone transfer attempt
  - brt - Brute force subdomains
  - rvl - Reverse lookup
  - srv - SRV record enumeration
  - crt - crt.sh search
  - zonewalk - DNSSEC zone walk
- For brute force: Select wordlist
- Optional: Specify custom nameserver
- Click RUN SCAN
- Select enum4linux from sidebar
- Enter target IP address
- Choose enumeration options:
- All Enumeration (-a) - Comprehensive scan (recommended)
- OR select specific: Users, Shares, Groups, Password Policy
- Optional: Provide credentials for authenticated scan
- Click RUN SCAN
What it enumerates:
- User lists
- Share lists
- Group information
- Password policies
- Domain information
- Select GitHarvester from sidebar
- Enter GitHub search query
- Optional: Custom regex pattern for filtering
- Optional: Filter by user/organization
- Optional: Filter by project
- Choose sort order (best/new/old)
- Click RUN SCAN
Example Searches:
- filename:shadow path:etc - Shadow files
- extension:pem private - Private keys
- password filename:config - Config files with passwords
- AWS_ACCESS_KEY - AWS credentials
Security: Regex patterns validated to prevent ReDoS attacks
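Because Python's re module has no match timeout, "validated to prevent ReDoS" in practice means screening a user-supplied filter pattern before it is ever compiled and run against harvested content. The block below is an added example, not the project's own validator: it rejects oversized patterns, patterns that fail to compile, and quantified groups whose body already contains a quantifier (the shape behind classics like (a+)+ and (\d*)*). The heuristic is deliberately conservative and does not catch every slow pattern, for instance overlapping alternations inside a repeated group.

```python
"""Reject regex patterns prone to catastrophic backtracking (ReDoS).

Added example, not the project's own validator. Python's re module has
no match timeout, so a user-supplied filter pattern has to be screened
before use. The screen rejects oversized patterns, patterns that do not
compile, and quantified groups whose body already contains a quantifier,
such as (a+)+ or (\\d*)*. It is conservative: it may refuse some safe
patterns and does not detect every slow one.
"""
import re
from typing import List, Tuple

MAX_PATTERN_LENGTH = 200
_BRACE_QUANTIFIER = re.compile(r"\{\d+(,\d*)?\}")


def _quantifier_len(pattern: str, i: int) -> int:
    """Length of the quantifier starting at pattern[i], or 0 if none."""
    if i >= len(pattern):
        return 0
    if pattern[i] in "*+?":
        return 1
    m = _BRACE_QUANTIFIER.match(pattern, i)
    return len(m.group(0)) if m else 0


def has_nested_quantifier(pattern: str) -> bool:
    """True if a quantified group contains a quantifier anywhere inside it."""
    stack: List[bool] = []       # per open group: quantifier seen inside?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                            # escaped character
            i += 2
        elif c == "[":                           # character class: skip to ]
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":      # literal ] at class start
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
        elif c == "(":
            stack.append(False)
            i += 1
            if i < n and pattern[i] == "?":      # (?:...), (?P<n>...), (?=...), (?i)
                while i < n and pattern[i] not in ":=!>)":
                    i += 1
                if i < n and pattern[i] != ")":
                    i += 1
        elif c == ")":
            inner = stack.pop() if stack else False
            i += 1
            quantified = _quantifier_len(pattern, i) > 0
            if quantified and inner:
                return True
            if (quantified or inner) and stack:  # propagate to enclosing group
                stack[-1] = True
        else:
            q = _quantifier_len(pattern, i)
            if q:
                if stack:
                    stack[-1] = True
                i += q
            else:
                i += 1
    return False


def validate_regex(pattern: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied filter pattern."""
    if len(pattern) > MAX_PATTERN_LENGTH:
        return False, f"pattern longer than {MAX_PATTERN_LENGTH} characters"
    try:
        re.compile(pattern)
    except re.error as exc:
        return False, f"invalid regex: {exc}"
    if has_nested_quantifier(pattern):
        return False, "nested quantifier: possible catastrophic backtracking"
    return True, "ok"


if __name__ == "__main__":
    for p in [r"AKIA[0-9A-Z]{16}", r"(a+)+$", r"(?:foo|bar)+", r"(\d*)*x"]:
        print(f"{p:20s} -> {validate_regex(p)}")
```

A stricter deployment would add a length cap on the text the pattern is run against, or run matching in a separate process with a hard timeout, since no static check is complete.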
Fast Rust-based Scanner
- Select feroxbuster from sidebar
- Enter target URL (include http:// or https://)
- Select wordlist file
- Specify extensions (e.g., php,html,txt,asp,aspx)
- Set thread count (default 50, max 100)
- Set recursion depth (default 4)
- Click RUN SCAN
Features:
- Recursive scanning
- Fast multi-threading
- Extension filtering
- Auto-filtering 404s
- Select AWS S3 from sidebar
- Specify bucket list file
- Optional: Grep keywords file for filtering
- Optional: Enable "Download Files" (use responsibly)
- Set thread count (default 5, max 20)
- Click RUN SCAN
Use Cases:
- Bucket enumeration
- Permission testing
- Data discovery
- Security audits
Requires sudo/root privileges
- Select TCPdump from sidebar
- Enter network interface (e.g., eth0, wlan0)
- Enter BPF filter (e.g., port 80, host 192.168.1.1)
- Set packet count limit
- Optional: Specify output PCAP file
- Enable verbose mode if desired
- Click RUN SCAN (will prompt for sudo password)
Example Filters:
- port 80 - HTTP traffic
- tcp and port 443 - HTTPS traffic
- host 192.168.1.1 and port 22 - SSH to specific host
- icmp - ICMP (ping) traffic
Security: Interface names and BPF filters are validated. Only simple filters allowed.
- Select Gobuster from sidebar
- Enter target URL (must include http:// or https://)
- Choose mode (Directory, DNS, or Virtual Host)
- Select wordlist file
- Set threads (default 10)
- Specify file extensions
- Click RUN SCAN
Common Wordlists on Kali:
- /usr/share/wordlists/dirb/common.txt
- /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- /usr/share/seclists/Discovery/Web-Content/common.txt
- Select Nikto from sidebar
- Enter target URL (e.g., http://example.com) or hostname/IP
- Port is auto-detected from URL; only specify if using hostname/IP without URL scheme
- SSL is auto-detected for https:// URLs; manually enable for non-URL targets
- Choose scan tuning (x = all tests, or combine like "124" for multiple)
- Click RUN SCAN
Note: When using a full URL (http:// or https://), Nikto auto-detects the port and SSL settings.
Scan Tuning Options:
- 1 - Interesting files
- 2 - Misconfiguration
- 3 - Information disclosure
- 4 - Injection vulnerabilities (XSS/SQLi)
- 6 - XSS vulnerabilities
- 9 - SQL injection
- x - All tests (comprehensive)
- Select Metasploit from sidebar
- Choose auxiliary/scanner module
- Enter target (RHOSTS)
- Configure ports (for port scanners)
- Set thread count
- Add extra options (KEY=VALUE format)
- Click RUN SCAN
Available Module Categories:
- Port Scanners (TCP/SYN)
- Service Detection (SMB, SSH, HTTP, FTP, MySQL, PostgreSQL)
- Service Enumeration (shares, users, SNMP)
Security Note: Only auxiliary/scanner modules allowed - no exploitation.
- Select Settings from sidebar
- Shodan API Key: Enter your 32-character alphanumeric API key
- Process Timeout: Set max scan duration (default 3600s)
- Max Output Lines: Memory management (default 10000)
- Click SAVE SETTINGS
Settings are saved to: ~/.recon_superpower/config.json
- Ctrl+R - Run Scan
- Ctrl+S - Save Output
- Ctrl+L - Clear Console
- Ctrl+F - Search in Output
- Ctrl+C - Copy Selection/All
- Ctrl+Q - Quit Application
- ESC - Stop Running Scan
- Always start with less aggressive scans
- Monitor target system load
- Respect rate limits
- Save results for documentation
- Use scan profiles for consistency
- Use NSE scripts for deeper reconnaissance
- Combine -sV with --script vuln for vulnerability assessment
- Start with quick scan, then deep scan on interesting ports
- Use -Pn to skip ping if host seems down
- Narrow searches with facets
- Use net: filter for specific networks
- Combine multiple filters (e.g., product:nginx country:US)
- Be aware of query credit limits
- Try zone transfer (axfr) first - often reveals everything
- Use large wordlists for brute force (be patient)
- Combine with other OSINT for subdomain discovery
- Start with smaller wordlists
- Adjust threads based on target capacity
- Use -k to skip SSL verification
- Save results immediately - scans can be interrupted
- Run with minimal privileges when possible
- Use specific filters to reduce noise
- Limit packet count to avoid huge files
- Analyze PCAP files with Wireshark
```bash
# Check if tool is installed
which nmap
which shodan
which dnsrecon
# Install missing tools
sudo apt install <tool-name>
```

```bash
# Run with sudo for packet capture
sudo python3 recon_superpower.py
# Or set capabilities (Nmap only)
sudo setcap cap_net_raw,cap_net_admin=eip $(which nmap)
```

- Verify API key is correct (32 hex characters)
- Check account has available query credits
- Ensure network connectivity to Shodan API
- Clone repositories as shown in Prerequisites
- Update script paths in code (see comments in build_command method)

```bash
# Test tkinter
python3 -m tkinter
# Install if missing
sudo apt install python3-tk
```

- Input Validation: All user inputs validated
- Command Injection Prevention: Whitelisting and sanitization
- Path Traversal Protection: Restricted file operations
- API Key Protection: Environment variables (not command-line)
- Private IP Blocking: Prevents SSRF attacks
- Resource Limits: Thread counts, timeouts, output size
- ReDoS Prevention: Regex pattern validation
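The first five controls in this list (input validation, command injection prevention, private IP blocking for the Shodan tab, resource limits, shell=False execution) come down to a small amount of code that every tool wrapper should get right. The block below is an added example, not Recon-Superpowers code: a target validator that accepts only IP addresses, CIDR ranges and hostnames; a private-range check that refuses internet-search lookups which would otherwise become SSRF probes of internal hosts; a port-specification validator; and an argv builder whose result runs with shell=False and a timeout, so metacharacters in user input reach the tool as literal text instead of being interpreted by a shell. The scan-type list is the Nmap tab's; the hostile input in the demo is constructed.

```python
"""Input validation and shell-free execution for a scanner front-end.

Added example, not Recon-Superpowers code. validate_target accepts only
IPs, CIDR ranges and hostnames; is_private_target flags ranges that an
internet search should never be pointed at; validate_ports checks an
Nmap-style port spec; build_nmap_argv assembles an argument list from
validated inputs, and run_argv executes it with shell=False and a
timeout. The hostile input in the demo is constructed.
"""
import ipaddress
import re
import subprocess
import sys
from typing import List, Optional

# One DNS label: alphanumeric, optional hyphens inside, 63 chars max.
# Rejecting a leading hyphen also stops a target from being read as an option.
LABEL_RE = re.compile(r"^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$")
PORT_SPEC_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")
SCAN_TYPES = {"-sS", "-sT", "-sU", "-sV", "-O", "-A", "-sn", "-sA", "-sF", "-sN", "-sX"}


def validate_target(target: str) -> Optional[str]:
    """Return the target if it is an IP, CIDR range or hostname, else None."""
    target = target.strip()
    if not target or len(target) > 253:
        return None
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_network(target, strict=False))
    except ValueError:
        pass
    return target if all(LABEL_RE.match(label) for label in target.split(".")) else None


def is_private_target(target: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast and reserved ranges."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False   # hostnames must be resolved and re-checked before use (not done here)
    return any((net.is_private, net.is_loopback, net.is_link_local,
                net.is_multicast, net.is_reserved))


def validate_ports(spec: str) -> bool:
    """Accept Nmap-style port specs such as 1-1000,80,443 within 1..65535."""
    if not PORT_SPEC_RE.match(spec):
        return False
    for part in spec.split(","):
        low, _, high = part.partition("-")
        low_i, high_i = int(low), int(high or low)
        if not 1 <= low_i <= high_i <= 65535:
            return False
    return True


def build_nmap_argv(target: str, scan_type: str = "-sS",
                    ports: str = "1-1000", timing: str = "T3") -> List[str]:
    """Build an Nmap argument list from validated inputs; raise on bad input."""
    safe_target = validate_target(target)
    if safe_target is None:
        raise ValueError(f"invalid target: {target!r}")
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"unsupported scan type: {scan_type!r}")
    if not validate_ports(ports):
        raise ValueError(f"invalid port specification: {ports!r}")
    if not re.fullmatch(r"T[0-5]", timing):
        raise ValueError(f"invalid timing template: {timing!r}")
    return ["nmap", scan_type, f"-{timing}", "-p", ports, safe_target]


def run_argv(argv: List[str], timeout: int = 3600) -> subprocess.CompletedProcess:
    """Run an argument list without a shell, bounded by a timeout."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


def demo_shell_free() -> str:
    """Show that shell metacharacters reach the child process as one literal argument."""
    hostile = "scanme.nmap.org; echo injected"          # constructed injection attempt
    assert validate_target(hostile) is None              # rejected at the validation layer
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", hostile]
    return run_argv(argv, timeout=30).stdout.strip()     # the child just echoes it back


if __name__ == "__main__":
    print(build_nmap_argv("scanme.nmap.org", "-sV", "22,80,443", "T4"))
    print("private:", is_private_target("192.168.1.1"), is_private_target("8.8.8.8"))
    print("child received:", demo_shell_free())
```

Two layers matter here: the validator rejects the hostile string outright, and even if a value slipped through, shell=False means the child receives it as a single argv entry, so a ";" never reaches a command interpreter.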
- API keys stored in ~/.recon_superpower/config.json (plain text, local file)
- Scan history stored locally
- No telemetry or external reporting
- All tool data stays on your system
- Get authorization - Always obtain written permission
- Rate limiting - Don't overwhelm targets
- Legal compliance - Know your jurisdiction's laws
- Data security - Protect discovered information
- Responsible disclosure - Report vulnerabilities properly
- Click SAVE to save console output
- Default: recon_output_YYYYMMDD_HHMMSS.txt
- Contains full output including commands
- EXPORT button offers multiple formats:
  - Text (.txt)
  - JSON (.json)
  - XML (.xml)
  - HTML (.html) - Styled with dark theme
- SEARCH - Find text in output with highlighting
- COPY - Copy selected text or all output
Edit these variables in the code to customize colors:

```python
self.bg_primary = "#0a0e27"    # Main background
self.bg_secondary = "#151b3d"  # Panel background
self.bg_tertiary = "#1e2749"   # Sidebar background
self.accent_green = "#00ff41"  # Primary accent (active elements)
self.accent_cyan = "#00d9ff"   # Secondary accent (headers)
self.accent_red = "#ff0055"    # Alert/stop color
```

- Lines of Code: 11,000+
- Methods: 100+
- Security Validations: 40+
- Integrated Tools: 12 reconnaissance tools
- Feature Tabs: 7 (SQLmap, Shellz, Encoders, Decoders, LOLOL, Help, Workflows)
- File Size: ~400KB
- Workflows: 60+ automated reconnaissance patterns
- Nmap Scan Types: 11 (including ACK, FIN, NULL, Xmas for firewall evasion)
- Condition Handlers: 4 (HTTP, HTTPS, SMB, SSH detection)
Contributions welcome! Areas for improvement:
- Additional tool integrations
- More NSE script templates
- Enhanced UI features
- Additional export formats
- Automated testing
MIT License - See LICENSE file for details.
Use this tool responsibly and legally.
- Nmap Reference
- Gobuster GitHub
- Nikto Documentation
- Metasploit Unleashed
- Shodan Search Guide
- DNSrecon GitHub
- feroxbuster Docs
- Nmap NSE Scripts
- OWASP Testing Guide
- HackTheBox - Legal practice environment
- TryHackMe - Guided learning paths
- SecLists - Comprehensive collection
- FuzzDB - Fuzzing patterns
- PayloadsAllTheThings
- 60+ Automated Workflows - Added 15 new active-focused workflows for penetration testing
- Smart Mode Auto-Selection - Workflows automatically select passive/active mode based on available steps
- Enhanced Nmap Scan Types - Added ACK, FIN, NULL, Xmas scans for firewall evasion testing
- Complete Condition Handler System - Added HTTPS, SMB, SSH detection (previously only HTTP)
- Fixed Widget Naming Bugs - Resolved feroxbuster, enum4linux, metasploit configuration issues
- Fixed Shodan Configuration - Corrected attribute name and type mapping
- Fixed Nikto Port Handling - Port now auto-detected from full URLs
- Fixed Nikto Tuning - Now supports combined tuning options (e.g., "124")
- Fixed Gobuster/DNSrecon - Resolved 'os' variable scoping bug that broke multiple tools
- Fixed SCAN_PROFILES - Changed from sets to tuples for predictable ordering
- Version Consistency - All version strings updated to 3.3
- Modular Architecture - Package structure with separated modules for config, core, ui, and utils
- Enhanced Shodan Tab - Comprehensive query builder with presets for common searches
- Centralized Settings - New Settings singleton class with configuration persistence
- Security Logging - Dedicated security logger with event tracking
- Input Validators - Comprehensive validation module with 15+ validator functions
- Test Suite - Added pytest-based tests for validators, config, and logging
- Code Quality Overhaul - Major refactoring with modular architecture
- Expanded Shellz Tab - Comprehensive shell categories with more payload options
- Passive/Active Scanning Modes - All workflows now support passive and active modes
- Logo and Icon Integration - Added dark hacker-themed logo and icon
- Monokai Theme - Complete UI overhaul with Monokai terminal color scheme
- 30 Workflows - Added 10 new specialized workflows (network mapper, web vuln hunter, OSINT gather, password hunt, infrastructure map, API pentest, subdomain hunter, cloud pentest, red team initial, blue team audit)
- Enhanced ASCII Banner - New stylized banner with box-drawing characters
- Improved Text Boxes - All input/output areas use Consolas font with Monokai colors
- Better Contrast - Improved readability with proper syntax highlighting
- Added 20 automated workflows (6 basic + 14 advanced attack patterns)
- New feature tabs: SQLmap, Shellz, Encoders, Decoders, LOLOL, Help
- Enhanced Settings with path configuration and UI preferences
- TCPDump interface dropdown with auto-detection
- Fixed Shodan API key validation (alphanumeric support)
- Fixed wordlist browse buttons across all tools
- Improved cheat sheet UI and formatting
- Added msfvenom payload generation to Metasploit tab
- Complete UI redesign with sidebar navigation
- Added 7 new tools (Shodan, DNSrecon, enum4linux, GitHarvester, feroxbuster, AWSBucketDump, TCPdump)
- Nmap NSE script support
- Settings tab with API key management
- Comprehensive security audit and vulnerability remediation
- Enhanced input validation across all tools
- Improved UX with hover effects
- Metasploit Framework integration
- Scan profiles
- Enhanced security
- Security hardening
- Keyboard shortcuts
- Multi-format export
- Search functionality
- Core functionality with Nmap, Gobuster, Nikto
Remember: With great power comes great responsibility. Scan ethically, scan legally, scan responsibly.
Happy (Authorized) Reconnaissance!
Project: Recon-Superpowers
Version: 3.3
Author: aingram702
Repository: https://github.com/aingram702/Recon-Superpowers
License: MIT