Reconnoitre: Web Application Analysis Assistant

A lot of different amateur scanners and ‘frameworks’ have already been reviewed. Usually they are quite simple (and sometimes even buggy). But anyway, it is interesting for me to get acquainted with them, since quite often they contain some kind of zest – an interesting feature that you might one day need.

Reconnoitre tool was created to automate routine actions with OSCP lab. This is a fairly simple script, and it can do the following:

  • looking for live hosts
  • for the found hosts performs a scan, enumerates a list of detected services
  • for discovered services, generates commands for launching other tools
  • can search DNS servers from a large number of hosts
  • trying to determine hostnames and virtual hosts
  • can search for devices responding to the SNMP protocol

The collected data is stored in the folder structure separately for each host – convenient when working with subnets when there are a lot of hosts.

How to install Reconnoitre in Kali Linux

The tool consists of several scripts in Python, you can perform a normal installation and run on the program name, or you can run directly from the place where the program files were downloaded.

Example of launching without installation:

git clone
cd Reconnoitre/Reconnoitre/
python2 ./ -h

Every time you want to use Reconnoitre, you will need to go to the specified folder and use python2 ./ instead of the program name (reconnoitre) as in the following commands.

To perform the installation:

git clone
cd Reconnoitre/
find . -type f -print0 | xargs -0 sed -i 's/from lib.file_helper/from file_helper/g' #fix
sudo python install
reconnoitre -h

As you can see, a small fix is used – the author used the reverse fix to be able to run without installation, but broke the program if the installation is done… Perhaps he will find a universal solution, but for now, before installing, you need to use the specified command marked #fix.

How to run Reconnoitre

There are actually three obligatory options:

  • -t – after which you need to specify a host or range of hosts. You can also specify a file with this data.
  • -o – after this option you need to specify the directory to save the results. It will create subdirectories for each host.
  • you also need to specify an option with an action, for example --pingsweep or --services or some other

Search active (live hosts) from IP range

As an example, I will analyze the neighbors. I will take the range I will save the data to the suip-neighbors folder in the current directory. To search for live hosts use the option --pingsweep. Therefore, the command is as follows:

reconnoitre -t -o suip-neighbors --pingsweep

By the way, the folder that we specify in this command to save the data will also be used in the generated commands (they will also save the data to disk), so it is recommended to specify the absolute path:

reconnoitre -t -o /home/mial/suip-neighbors --pingsweep


[*] Found 190 live hosts
[*] Created target list suip-neighbors/targets.txt

That is, found 190 live hosts (those who are online at the moment) and all of them are stored in the suip-neighbors/targets.txt file.

You can view the contents of this file:

cat suip-neighbors/targets.txt

Search for running services and generate commands for further analysis

Use the --services option to collect services. The algorithm of its work is as follows:

  • running a quick scan
  • file with new commands to run is generated for every host
  • a more accurate service scan is performed on the same host

By the way, all service scans are performed by Nmap program. So, the third stage is long, and if there are many hosts, it is very long. Therefore, you can add the option --quick to skip deep scanning.

Despite the fact that now the hosts will be taken from the targets.txt file (and if this file is not generated using the --pingsweep option, the program will fail), we still need to specify the -t option when starting up:

reconnoitre -t -o suip-neighbors --services --quick

And only after the previous command hung up the system tightly (in a virtual machine), and then hung up the system a couple of times with the 11 GB of RAM allocated to it, I understood the true meaning of -t option! In general, to speed up the process, all Nmap scans run at the same time. This program has a peak load on the RAM and on the processor. And the simultaneous launch of several hundred instances of Nmap can hang a system and it will require reboot.

Therefore, using the -t option, I split the subnet into smaller ranges:

reconnoitre -t -o suip-neighbors --services --quick

The program will create many folders and run a quick scan:

The following subfolders will be made for each host:

  • scans
  • exploit
  • loot

If I understood the description correctly, the program writes data only to scans folder. As for exploit and loot, they are made only for our convenience, and there we must save the data obtained in other ways.

Several files will be created in the scans folder – mostly Nmap scan results in various formats. But the file of the HOST_findings.txt type contains commands for subsequent analysis or attack on the found services.

An example of such a file:

That is, it contains generated commands for analyzing each service. The tools in the commands are selected based on the type of service, the port used is also taken into account, and the results can be saved to a file. For example, if the HTTP/HTTPS service is on port 1500, then it will be specified in the command to start.

Please note that the example of this file shows that the data can be duplicated – use it carefully.

Classification of the proposed commands:

  • Enumeration
  • Find users
  • Bruteforcing
  • Use nmap to automate banner grabbing and key fingerprints
  • Check out the server for web applications with the sqli vulnerability.

How to discover host names

Attempt to discover target hostnames are performed with the --hostnames option, an example of command launching:

reconnoitre -t -o suip-neighbors --hostnames


To be honest, I do not understand these results. If someone knows what WIN-344VU98D3RU, WIN-32VTGRUNTN0 and even IH999345 are, then explain, please, in the comments.

Search for virtual hosts

In order to better understand what virtual hosts are supposed to look for, the article “How to find web server virtual host” is recommended – there, by the way, tells about another program for this. But since it has the same author as Reconnoitre, then you have to think that the code is the same.

To search for virtual hosts, use the --virtualhosts option. You also need to specify the path to the dictionary with the option -w. A small dictionary is supplied with Reconnoitre, it is located at: Reconnoitre/wordlists/virtual-host-scanning.txt

Lunch example:

reconnoitre -t -o suip-neighbors -w bin/Reconnoitre/Reconnoitre/wordlists/virtual-host-scanning.txt --virtualhosts

How to find DNS servers in the specified address range

If you need to find the name server from a large array of hosts, then run Reconnoitre with the --dns option:

reconnoitre -t -o suip-neighbors --dns


So, we looked at examples of using Reconnoitre. Full list option:


                   [-p PORT] [--pingsweep] [--dns] [--services] [--hostnames]
                   [--snmp] [--quick] [--virtualhosts]
                   [--ignore-http-codes IGNORE_HTTP_CODES]
                   [--ignore-content-length IGNORE_CONTENT_LENGTH] [--quiet]

Optional arguments:

  -h, --help            show this help message and exit
  -t TARGET_HOSTS       Set a target range of addresses to target. Ex
  -o OUTPUT_DIRECTORY   Set the output directory. Ex /root/Documents/labs/
  -w WORDLIST           Set the wordlist to use for generated commands. Ex
  -p PORT               Set the port to use. Leave blank to use discovered
                        ports. Useful to force virtual host scanning on non-
                        standard webserver ports.
  --pingsweep           Write a new target.txt by performing a ping sweep and
                        discovering live hosts.
  --dns, --dnssweep     Find DNS servers from a list of targets.
  --services            Perform service scan over targets.
  --hostnames           Attempt to discover target hostnames and write to
                        0-name.txt and hostnames.txt.
  --snmp                Perform service scan over targets.
  --quick               Move to the next target after performing a quick scan
                        and writing first-round recommendations.
  --virtualhosts        Attempt to discover virtual hosts using the specified
  --ignore-http-codes IGNORE_HTTP_CODES
                        Comma separated list of http codes to ignore with
                        virtual host scans.
  --ignore-content-length IGNORE_CONTENT_LENGTH
                        Ignore content lengths of specificed amount. This may
                        become useful when a server returns a static page on
                        every virtual host guess.
  --quiet               Supress banner and headers to limit to comma dilimeted
                        results only.
  --no-udp              Disable UDP services scan over targets.

Further errors are considered that you should not have if you did everything according to this guide. However, if you missed something, the next section should help you.


PermissionError: [Errno 13] Permission denied: 'suip-neighbors'

Depending on the installation method, specifying the folder for data as a relative path may cause an error like the following:

Traceback (most recent call last):
  File "/usr/share/reconnoitre/Reconnoitre/lib/", line 7, in check_directory
FileNotFoundError: [Errno 2] No such file or directory: 'suip-neighbors'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "", line 146, in <module>
  File "", line 87, in main
  File "/usr/share/reconnoitre/Reconnoitre/lib/", line 7, in ping_sweeper
  File "/usr/share/reconnoitre/Reconnoitre/lib/", line 9, in check_directory
PermissionError: [Errno 13] Permission denied: 'suip-neighbors'

The reason for the error is that the relative path to the save folder is specified with the -o option — in this example, it is suip-neighbors. In this case for the program the working directory is a folder in which it does not have enough permissions to write. Therefore, for correction, it is recommended to specify the full path to the directory for which the current user has write permissions, for example -o /home/mial/suip-neighbors.

TypeError: a bytes-like object is required, not 'str'

Traceback (most recent call last):
  File "", line 146, in <module>
  File "", line 87, in main
  File "/usr/share/reconnoitre/Reconnoitre/lib/", line 12, in ping_sweeper
    lines = call_nmap_sweep(target_hosts)
  File "/usr/share/reconnoitre/Reconnoitre/lib/", line 27, in call_nmap_sweep
    lines = str(results).encode("utf-8").split("\n")
TypeError: a bytes-like object is required, not 'str'

This error has already been fixed in the latest version of Reconnoitre, so you just need to upgrade. If there are no updates in your repository, then download directly from GitHub:

git clone
cd Reconnoitre/Reconnoitre/
python2 ./ -h

TypeError: not all arguments converted during string formatting

When you run an SNMP scan, you may receive messages like these:

[+] Performing SNMP scans for to suip-neighbors/
   [>] Performing snmpwalk on public tree for: - Checking for System Processes
Process Process-18:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/", line 267, in _bootstrap
  File "/usr/lib/python2.7/multiprocessing/", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/", line 73, in snmp_scans
    ip_address, output_directory, ip_address)
TypeError: not all arguments converted during string formatting

To fix this, open the file:

gedit /usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/

Find the line there:

        ip_address, output_directory, ip_address)

and replace it with:

        ip_address, output_directory)

ImportError: No module named lib.file_helper

If after installation, when executing any command, you see something like the following:

Traceback (most recent call last):
  File "/usr/local/bin/reconnoitre", line 11, in <module>
    load_entry_point('Reconnoitre==1.0', 'console_scripts', 'reconnoitre')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/", line 2793, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/", line 2411, in load
    return self.resolve()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/", line 2417, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/", line 7, in <module>
    from lib.find_dns import find_dns
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/", line 3, in <module>
    from lib.file_helper import check_directory
ImportError: No module named lib.file_helper

Then perform the installation as follows:

git clone
cd Reconnoitre/
find . -type f -print0 | xargs -0 sed -i 's/from lib.file_helper/from file_helper/g' #fix
sudo python install
reconnoitre -h

Recommended for you:

Leave a Reply

Your email address will not be published.