GarudRecon
GarudRecon automates domain recon with top open-source tools to discover assets, enumerate subdomains, and detect XSS, SQLi, LFI, RCE & more.
GarudRecon is a comprehensive bash-based reconnaissance automation framework that streamlines the asset discovery and vulnerability assessment process for security professionals and bug bounty hunters. This tool orchestrates 80+ open-source security tools to provide thorough reconnaissance capabilities across multiple attack vectors.
Table of Contents
- Core Capabilities
- Flexible Reconnaissance Modes
- Advanced Features
- History
- Prerequisites
- Installation
- Quick Start
- Usage
- Configuration
- Troubleshooting
- FAQ
- Contributing
- Operating Systems Supported
- Tools
- Thanks
Core Capabilities
GarudRecon excels in automated discovery and vulnerability detection across several key areas:
Asset Discovery & Enumeration
- Subdomain enumeration using 20+ tools including subfinder, amass, and chaos
- Certificate transparency monitoring through multiple CT log sources
- DNS enumeration with advanced bruteforcing and permutation techniques
- Port scanning with naabu, masscan, and nmap integration
- Virtual host discovery and web technology fingerprinting
Vulnerability Detection
- Cross-Site Scripting (XSS) detection with multiple payload sets
- SQL injection testing through automated parameter fuzzing
- Local File Inclusion (LFI) and Remote Code Execution (RCE) checks
- Subdomain takeover vulnerability scanning
- Open redirect detection and validation
- Exposed .git directories and sensitive file discovery
Flexible Reconnaissance Modes
The framework provides three distinct operational modes tailored to different engagement scopes:
- SmallScope Mode - Designed for focused subdomain reconnaissance (e.g., support.domain.com) with deep vulnerability analysis on a limited attack surface.
- MediumScope Mode - Comprehensive wildcard domain scanning (e.g., *.domain.com) with balanced coverage and performance optimization.
- LargeScope Mode - Organization-wide reconnaissance for maximum asset discovery and extensive vulnerability coverage.
- CidrScope Mode - ⚠️ Coming Soon - CIDR-based reconnaissance for IP range scanning
- Workflow Mode - Chain multiple tools into a reusable pipeline so you can run complex scans with a single command.
- Fleet Mode - Distribute work across many VPS instances — split input automatically and run workflows in parallel on 100+ hosts.
- CronJobs Mode - Schedule and monitor recurring recon tasks (subdomains, open ports, JS leaks, templates, alerts).
Advanced Features
Automated Monitoring
- Continuous subdomain monitoring with change detection
- Port state change notifications
- JavaScript file monitoring for new endpoints
- Automated scheduled reconnaissance via cron integration
Intelligent Resource Management
- RAM-optimized configurations for different system specifications
- VPS deployment optimization settings
- Parallel processing with configurable thread limits
- Custom wordlist generation based on target characteristics
History
I originally created GarudRecon in 2022, but I later removed it after some API keys were accidentally leaked. Despite this, someone forked the project and preserved it here.
Afterwards, I experimented with rewriting GarudRecon in Python and Go, but I found the heavy string concatenation in those languages unappealing. In the end, I decided to return to Bash, which felt simpler and more natural for me.
Prerequisites
Before installing GarudRecon, ensure you have:
- Root access (switch to root user, not sudo su)
- Bash shell (verify with echo $SHELL)
- Internet connection for downloading tools and dependencies
- Minimum 4GB RAM (8GB+ recommended for large scans)
- Sufficient disk space (at least 10GB free for tools and output)
Installation
Note: Switch to the root user first (instead of using sudo su) before running the installation command. This helps avoid permission and environment-related issues.
If any tool fails to install during the script execution, install it manually.
Make sure your shell is set to bash.
Docker
Note: Docker support is coming soon. For now, please use the Git Clone or prebuilt binaries installation method.
Quick Install (No Clone Required)
# Install directly via curl (recommended for quick setup)
bash <(curl -s https://raw.githubusercontent.com/rix4uni/GarudRecon/main/setup)
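The one-liner above executes whatever bytes the network returns, as root. As an added example (not part of the GarudRecon project), the script below downloads the setup script to a file, compares it with a SHA-256 you recorded after reviewing it, and runs it only on a match. The function names and the pinned-hash placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not GarudRecon code): fetch the setup script to a file,
# verify it against a pinned SHA-256, and only then run it.

SETUP_URL="https://raw.githubusercontent.com/rix4uni/GarudRecon/main/setup"
# Placeholder: the SHA-256 of the copy of setup you have read and accepted.
PINNED_SHA256="REPLACE_WITH_SHA256_OF_REVIEWED_SETUP"

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# verify_script FILE EXPECTED
# returns 0 = match, 1 = mismatch, 2 = file missing/empty, 3 = EXPECTED malformed
verify_script() {
  local file=$1 expected=$2 actual
  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
  printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' ||
    { echo "pinned value is not a SHA-256 hex digest" >&2; return 3; }
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] ||
    { echo "hash mismatch: got $actual" >&2; return 1; }
}

install_verified() {
  local tmp rc
  tmp=$(mktemp) || return 1
  # -f fails on HTTP errors instead of saving an error page; with plain
  # `curl -s` fed to bash, a truncated or error response would be executed.
  if curl --proto '=https' --tlsv1.2 -fsSL "$SETUP_URL" -o "$tmp" &&
     verify_script "$tmp" "$PINNED_SHA256"; then
    bash "$tmp"; rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Run the install only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--install" ]; then install_verified; fi
```

Because the URL tracks the main branch, the pinned hash has to be re-reviewed and updated whenever the upstream script changes.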
Using Git Clone
git clone --depth 1 https://github.com/rix4uni/GarudRecon.git
cd GarudRecon
bash setup
Download prebuilt binaries
wget -q https://github.com/rix4uni/GarudRecon/archive/refs/tags/v0.1.2.zip
unzip v0.1.2.zip
# GitHub tag archives unpack to <repo>-<tag without the leading v>
cd GarudRecon-0.1.2
bash setup
Note: The setup script automatically downloads and installs pre-built binaries from GarudReconBinary nightly releases for faster installation.
Quick Start
After installation, you can immediately start using GarudRecon:
# Small scope scan (single subdomain)
garudrecon smallscope -d support.example.com
# Medium scope scan (wildcard domain)
garudrecon mediumscope -d example.com
# Large scope scan (organization-wide)
garudrecon largescope -d example
# Workflow mode
garudrecon workflow ls
# CronJobs mode
garudrecon cronjobs -d example.com -f MONITOR_SUBDOMAIN
For more detailed usage examples, see the Usage section below.
Configuration
GarudRecon uses configuration files located in the configuration/ directory. The main configuration file is garudrecon.cfg.
Key Configuration Options
- API Keys: Configure API keys for various services (subfinder, amass, chaos, etc.)
- Thread Limits: Adjust parallel processing threads based on your system resources
- Output Directories: Customize where scan results are stored
- Tool Paths: Specify custom paths if tools are installed in non-standard locations
To use a custom configuration file:
garudrecon mediumscope -d example.com -c /path/to/custom.cfg
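Since the configuration file holds API keys, and an earlier version of this project was pulled after keys leaked, a pre-flight check on any custom config is worth running. This is an added example, not GarudRecon code: it rejects a config file that group or other users can access, or that git is tracking. The function names are assumptions, and nothing is assumed about the file's contents.

```shell
#!/usr/bin/env bash
# Added example (not GarudRecon code): pre-flight check for a config file
# that stores API keys. Uses GNU stat (Linux).

# cfg_is_private FILE -> 0 if group and other have no permission bits set
cfg_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  # Leading 0 makes the shell read the mode as octal; 077 masks group+other.
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# cfg_is_tracked FILE -> 0 if FILE is tracked by a git repository
cfg_is_tracked() {
  command -v git >/dev/null 2>&1 || return 1
  git -C "$(dirname "$1")" ls-files --error-unmatch "$(basename "$1")" \
    >/dev/null 2>&1
}

# check_cfg FILE -> 0 if safe to use; otherwise non-zero, reason on stderr
check_cfg() {
  [ -f "$1" ] || { echo "no such config: $1" >&2; return 2; }
  cfg_is_private "$1" ||
    { echo "$1: accessible to group/other, run: chmod 600 $1" >&2; return 1; }
  if cfg_is_tracked "$1"; then
    echo "$1: tracked by git; untrack it, ignore it, rotate the keys" >&2
    return 1
  fi
}

# Usage, with the path from the command above:
#   check_cfg /path/to/custom.cfg &&
#     garudrecon mediumscope -d example.com -c /path/to/custom.cfg
```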
Usage
<details open> <summary><b>SmallScope Mode</b></summary>
Quick recon for a single host or subdomain (e.g. support.domain.com).
Lightweight, fast checks, ideal for a single target when you want quick visibility without a full-scale scan.
Usage:
garudrecon smallscope [flags]
Flags:
-d, --domain Scan a domain (e.g. support.domain.com)
-ef, --exclude-functions Exclude a function from running (e.g. WAYMORE)
-rx, --recon-xss Run full recon with XSS checks
-rs, --recon-sqli Run full recon with SQLi checks
-rl, --recon-lfi Run full recon with LFI checks
-rst, --recon-subtakeover Run full recon with Subdomain Takeover checks
-rr, --recon-rce Run full recon with RCE checks
-ri, --recon-iis Run full recon with IIS checks
-c, --config Custom configuration file path
-r, --resume <scan_folder> Resume stopped/uncompleted scan from /root/.garudrecon/scans/<scan_folder> (e.g., --resume support.domain.com or --resume support.domain.com_1). Skips functions already completed in resume.cfg.
-h, --help help for smallscope
Example:
# Full recon
garudrecon smallscope -d support.domain.com
# Recon with XSS only
garudrecon smallscope -d support.domain.com -rx
# Recon with SQLi only
garudrecon smallscope -d support.domain.com -rs
# Exclude functions manually
garudrecon smallsco
