A clean recon command center that installs itself, pulls in its scanner tools, and turns raw security output into readable results.
nmap • dig • whatweb • httpx • sslscan • subfinder • nuclei • OpenRouter AI
🇬🇧 English Documentation • 🇮🇷 مستندات فارسی
Pick the guide you prefer, then watch the hands-on video where we introduce ReconKit, run a real scan, and show what the dashboard/report workflow feels like in a terminal.
ReconKit is built by Team CynetX as a practical tool for cleaner recon, better reports, and easier security workflows. If the project gets real support — stars, feedback, issues, shares, testing on different systems, and useful ideas — we will keep improving it with new versions, cleaner modules, better presets, stronger reports, and more polished AI analysis.
If ReconKit helps your workflow, the best support is simple:
- ⭐ Star the GitHub repository
- 🧪 Test it on your lab/VPS and report bugs
- 💡 Suggest features that would actually help operators
- 📣 Share it with people who still read raw tool output by hand
More support means more updates, better releases, and a stronger ReconKit for everyone.
ReconKit is a practical recon workspace for people who want useful answers without juggling ten terminals. Give it a domain or IP, and it brings together tools like nmap, dig, whatweb, httpx, sslscan, nuclei, and more — then turns the output into clean tables, notes, reports, and optional AI analysis.
It is built to feel simple on a fresh machine: run the one-command installer, let ReconKit install itself and its scanner toolchain automatically, then start with reconkit. Beginners get a guided console; experienced operators still get fast one-shot commands and exportable evidence.
Safety note: ReconKit is for assets you own or have explicit permission to test. It does not run brute force, exploit payloads, malware, persistence, evasion, or destructive actions.
- 🕹️ Console-first workflow: run
reconkitand work with simple commands likeset target,show options,run, andmission. - 🛰️ Real recon tools, cleaner experience: DNS, nmap, WHOIS, web fingerprinting, TLS checks, passive discovery, screenshots, and template checks.
- 🧠 AI analyst mode: send normalized scan evidence to OpenRouter and get a clear defensive analysis in English.
- 📊 Reports without the mess: export console output, JSON, Markdown, HTML, raw artifacts, and scan diffs.
- 🧩 Zero-to-ready installer: installs ReconKit and automatically attempts to install its scanner tools with native package managers, Go, Python, and PATH setup.
- 🧼 Human-readable output: aligned tables, wrapped columns, quick-take notes, and practical next steps.
ReconKit keeps the terminal clean and readable: target summary, DNS intelligence, ports, web/TLS notes, extra tooling, reports, and AI analysis stay organized in one place.
Linux / macOS:
curl -fsSL https://raw.githubusercontent.com/icynetx/RconKIT/main/scripts/install.sh | shThe installer downloads ReconKit, installs the reconkit command, tries to install the scan tools it uses, updates PATH where possible, and continues with clear notes if an optional tool is unavailable on your OS.
For the smoothest first test, use a fresh VPS or clean Linux VM so the automatic installer can prove the full setup from zero.
reconkitFrom there, work naturally:
reconkit(no-target)> help
reconkit(no-target)> set target example.com
reconkit(example.com)> set mode balanced
reconkit(example.com)> set modules mission
reconkit(example.com)> enable no_whois
reconkit(example.com)> run
reconkit(example.com)> exit
reconkit example.com
reconkit example.com --deep --ai --ai-out ai-report.md -o scan.json -t 120
reconkit example.com --mission --raw-dir artifacts -o scan.json --markdown report.md --html report.html
# Pick a clear scan preset instead of memorizing tool flags
reconkit example.com --mission --scan-preset full
# Build your own guided preset once, then reuse it
reconkit --preset-create
reconkit example.com --scan-preset mypreset --cmd
# Open the local web panel
reconkit --webRun reconkit with no arguments and you get a guided console instead of a wall of flags. Set your target once, adjust the scan style, and run whenever you are ready.
| Command | What it does |
|---|---|
help or ? |
Shows console commands. |
show options |
Shows current target, profile, modules, report paths, and flags. |
show modules |
Shows module presets. |
show deps |
Prints dependency status. |
show ai |
Shows AI endpoint, model, prompt, and safe config values. |
set target example.com |
Sets the target domain, IP, or URL. |
set mode fast |
Sets scan mode: fast, balanced, or deep. |
set modules mission |
Sets module preset or comma-separated modules. |
set ports 80,443,8080 |
Uses custom ports. |
unset ports |
Clears custom ports and returns to defaults. |
set timeout 120 |
Sets per-tool timeout in seconds. |
set raw_dir artifacts |
Sets raw artifact output directory. |
set json scan.json |
Sets JSON output path. |
set markdown report.md |
Sets Markdown output path. |
set html report.html |
Sets HTML output path. |
set extra --scan-preset mypreset --cmd |
Adds advanced CLI options to the next console run. |
enable ai / disable ai |
Enables/disables AI analysis. |
enable aggressive |
Enables heavier safe checks when tools exist. |
enable no_whois |
Skips WHOIS. |
enable show_commands |
Shows exact tool commands in output. |
disable aggressive |
Turns off an enabled boolean option. |
run or scan |
Runs the scan using current options. |
quick example.com |
Runs a fast safe scan immediately. |
mission example.com |
Runs the full mission workflow. |
install |
Installs required + optional tools best-effort. |
web |
Starts the local web panel on 127.0.0.1:8080. |
web 0.0.0.0 8080 |
Starts the web panel on a custom host/port. |
uninstall |
Removes the installed reconkit command launcher. |
uninstall purge |
Removes command plus local ReconKit config/install directory when safe. |
dryrun |
Shows dependency install plan without installing. |
test ai |
Tests OpenRouter endpoint/model/API key. |
ai init |
Creates/updates recon_config.json with default AI settings. |
ai set model openrouter/free |
Saves an AI config value from the console. |
ai set endpoint_url https://openrouter.ai/api/v1/chat/completions |
Saves the AI endpoint URL. |
ai set-file system_prompt prompt.txt |
Loads a long system prompt from a text file. |
shell <command> |
Runs a local shell command. |
clear |
Clears the screen and redraws the console banner. |
exit, quit, q |
Leaves the console. |
The one-command installer is the recommended path. It downloads ReconKit, installs the reconkit command, installs required and optional scanner tools where possible, refreshes PATH, and falls back to ZIP download if GitHub clone is slow or blocked.
curl -fsSL https://raw.githubusercontent.com/icynetx/RconKIT/main/scripts/install.sh | shIf GitHub git clone is slow on your network, shorten the clone timeout so the installer quickly falls back to ZIP:
curl -fsSL https://raw.githubusercontent.com/icynetx/RconKIT/main/scripts/install.sh | RECONKIT_GIT_TIMEOUT=10 shIf you only want the ReconKit command and do not want external tools installed automatically:
curl -fsSL https://raw.githubusercontent.com/icynetx/RconKIT/main/scripts/install.sh | RECONKIT_SKIP_TOOLS=1 shIf you want required tools only, without optional tools:
curl -fsSL https://raw.githubusercontent.com/icynetx/RconKIT/main/scripts/install.sh | RECONKIT_INSTALL_OPTIONAL=0 shAfter installation, open a new terminal if needed:
reconkit
reconkit --check-deps
reconkit scanme.nmap.org -M safe --no-whois -t 90Recommended first test: run it on a fresh VPS/VM so the automatic installer can prove the full setup from zero.
Use this if you already downloaded/cloned the repository or your network blocks the one-command installer:
cd RconKIT
python3 recon.py --self-install --user
reconkit --install-deps --with-optional
reconkit --check-depsFor development or local testing without installing the command:
python3 recon.py --help
python3 recon.py example.com -M safe --no-whois| System | Recommended install |
|---|---|
| Kali / Ubuntu / Debian | curl -fsSL .../scripts/install.sh | sh |
| Fedora / RHEL-like | curl -fsSL .../scripts/install.sh | sh |
| Arch Linux | curl -fsSL .../scripts/install.sh | sh |
| Alpine Linux | curl -fsSL .../scripts/install.sh | sh |
| macOS | curl -fsSL .../scripts/install.sh | sh |
Remove only the installed reconkit command launcher and ReconKit PATH block:
reconkit --uninstallPreview uninstall without changing anything:
reconkit --uninstall --dry-runRemove the command plus local ReconKit config/presets and the ~/.reconkit install directory when ReconKit is installed there:
reconkit --uninstall --purgeInside the interactive console you can also run:
reconkit(no-target)> uninstall
reconkit(no-target)> uninstall purge
Uninstall does not remove shared system tools such as nmap, curl, go, or python, because those may be used by other software.
ReconKit is meant to be beginner-friendly on a new system. It checks what is already installed, detects the package manager, installs its scan tools automatically where possible, adds Go/ReconKit bin directories to PATH, and keeps the scan usable even if an optional tool is not available for that OS.
| Platform | Providers |
|---|---|
| Debian/Ubuntu/Kali | apt |
| Fedora/RHEL-like | dnf |
| Arch | pacman |
| Alpine | apk |
| macOS | brew |
| Cross-platform fallback | go install, pipx, python -m pip --user |
Preview install commands:
reconkit --install-deps --with-optional --dry-runInstall required tools only:
reconkit --install-depsInstall required + optional tools:
reconkit --install-deps --with-optionalCheck status:
reconkit --check-deps| Category | Tools |
|---|---|
| Core | nmap, dig, host, nslookup, whois |
| Web fingerprinting | whatweb, httpx / httpx-toolkit, curl |
| WAF/TLS | wafw00f, sslscan, testssl.sh |
| Passive discovery | subfinder, amass |
| HTTP crawling/screenshots | katana, gowitness |
| Template checks | nuclei |
| Reporting helper | jq |
Optional tools improve coverage, but ReconKit does not break just because one package is unavailable on a specific OS. It reports what happened and keeps the workflow moving.
| Mode | Command | Use when |
|---|---|---|
fast |
reconkit example.com |
You want quick DNS + common-port nmap results. |
balanced |
reconkit example.com -m balanced |
You want broader common service coverage. |
deep |
reconkit example.com -m deep or --deep |
You want nmap service/version/default-script detection with fallback discovery. |
Use -M / --modules to decide how much ReconKit should do beyond the core DNS + nmap workflow.
| Module | What it runs |
|---|---|
none |
Core DNS + nmap only. |
dns / dns-tools |
host, nslookup summaries. |
dns-deep |
Safe DNS AXFR validation with dig axfr. |
passive / subdomains |
Passive discovery with subfinder and amass when installed. |
web |
Web fingerprinting with whatweb, httpx, and WAF check with wafw00f. |
http |
web + HTTP header checks and shallow crawl. |
http-detail |
curl headers and katana shallow crawl when installed. |
tls / ssl |
TLS checks with sslscan or testssl.sh. |
screenshots / shots |
Web screenshot with gowitness. |
templates / nuclei |
Safe nuclei template checks when installed. |
safe |
dns-tools, web, tls. Default. |
all |
safe, passive, dns-deep, http-detail. |
full |
all, screenshots, templates. |
mission |
Same as full; designed for full workflow scans. |
Examples:
reconkit example.com -M none
reconkit example.com -M web,tls,http-detail
reconkit example.com -M passive,dns-deep
reconkit example.com --missionReconKit keeps the CLI simple. Instead of exposing dozens of low-level flags, use one clear preset and let ReconKit tune nmap, httpx, nuclei, and katana for that workflow.
| Preset | Best for | What it changes |
|---|---|---|
quick |
Fast first look | Faster nmap/http probing, shallow web checks. |
standard |
Default recon | Balanced settings for normal external assessment. |
full |
Longer assessment | More patient retries/timeouts, deeper web crawl. |
web |
Web-focused checks | Web tooling gets more time and crawl depth. |
vuln |
Template checks | Nuclei/http checks use conservative concurrency and retries. |
Examples:
reconkit example.com --scan-preset quick
reconkit example.com --mission --scan-preset full
reconkit example.com -M web,http-detail --scan-preset web
reconkit example.com --templates --scan-preset vulnCustom presets are for operators who want one clean command instead of retyping tool flags. Create a preset once, save tool-specific arguments, then run it later with only a target and --scan-preset. Presets are stored in recon_presets.json.
Run this and ReconKit asks for everything step by step: preset name, base preset, mode, then custom args for each tool. Leave a tool blank to skip it.
reconkit --preset-createYou can also provide the name first and let the wizard ask the rest:
reconkit --preset-create corpfull| Mode | Behavior | Best use |
|---|---|---|
append |
Keeps ReconKit defaults and adds your args. | Small additions like headers, tags, or --reason. |
replace |
For configured tools, uses your args instead of ReconKit defaults. Other tools still use normal behavior. | You want custom nmap/httpx/nuclei style but keep the full workflow. |
only |
Runs only tools configured inside the preset; unconfigured tools are skipped. | You want a preset to fully control what runs. |
reconkit --preset-create corpfull --preset-base full --preset-strategy append --preset-desc "Corp full scan" \
--preset-add 'nmap=--reason' \
--preset-add 'httpx=-H "X-ROE-ID: ACME-2026"' \
--preset-add 'nuclei=-tags cves'Use only when you want ReconKit to run just the tools you configured. Placeholders are replaced at runtime.
reconkit --preset-create myweb --preset-strategy only \
--preset-add 'nmap=-sV -Pn -p 80,443 -oN - {target}' \
--preset-add 'httpx=-silent -title -status-code -u {url}' \
--preset-add 'nuclei=-silent -tags cves -u {url}'
reconkit example.com --scan-preset myweb --cmdUseful placeholders:
| Placeholder | Replaced with |
|---|---|
{target} |
Normalized target domain/IP. |
{domain} |
Same domain-style target value. |
{url} |
First detected web URL for web tools. |
{out_dir} |
Artifact directory for tools like gowitness. |
Manage presets:
reconkit --preset-list
reconkit --preset-show corpfull
reconkit --preset-delete corpfullSupported custom-argument tools:
nmap, dig, host, nslookup, whois, whatweb, httpx, wafw00f, nikto, sslscan, testssl.sh, subfinder, amass, curl, katana, gowitness, nuclei
| Switch | Example | Explanation |
|---|---|---|
target |
reconkit example.com |
Domain, IP, or URL to scan. |
-h, --help |
reconkit --help |
Show help and examples. |
-m, --mode, --profile |
-m balanced |
Scan mode: fast, balanced, deep. |
-p, --ports |
-p 80,443,8080 |
Custom nmap ports/ranges. |
-M, --modules |
-M web,tls |
Extra modules or presets. |
-A, --aggressive |
-A |
Enables heavier safe checks when tools exist, such as nikto/testssl.sh. |
-t, --timeout |
-t 120 |
Per-tool command timeout in seconds. |
-o, --json |
-o scan.json |
Save normalized JSON report. |
--markdown, --md |
--markdown report.md |
Save Markdown report. |
--html |
--html report.html |
Save standalone HTML report. |
--raw-dir |
--raw-dir artifacts |
Save raw tool outputs/artifacts. |
--diff |
--diff old.json |
Compare current scan with previous JSON. |
--deep |
--deep |
Alias for -m deep. |
--mission |
--mission |
Enables the full mission module set. |
--passive |
--passive |
Adds passive subdomain discovery modules. |
--http-detail |
--http-detail |
Adds HTTP headers and shallow crawl. |
--screenshots |
--screenshots |
Captures screenshot with gowitness when installed. |
--templates, --nuclei |
--templates |
Runs nuclei templates when installed and authorized. |
--scan-preset |
--scan-preset corpfull |
Built-in or saved custom scan preset. |
--preset-list |
--preset-list |
List built-in and saved presets. |
--preset-show |
--preset-show corpfull |
Show a saved preset. |
--preset-create |
--preset-create or --preset-create corpfull |
Create a custom preset interactively. |
--preset-base |
--preset-base full |
Base preset for a custom preset. |
--preset-strategy |
--preset-strategy only |
Custom preset behavior: append, replace, or only. |
--preset-add |
--preset-add 'nmap=--reason' |
Add tool-specific args non-interactively. Repeatable. |
--preset-desc |
--preset-desc "Corp scan" |
Description for a custom preset. |
--preset-delete |
--preset-delete corpfull |
Delete a saved custom preset. |
--cmd, --show-commands |
--cmd |
Shows exact commands ReconKit executed. |
--explain |
--explain |
Shows a switch guide in the scan output. |
--no-color |
--no-color |
Disables ANSI colors. Useful for CI/log files. |
--color |
--color |
Forces ANSI colors even when auto-detection would disable them. |
--no-whois |
--no-whois |
Skips WHOIS lookup. |
--install-deps |
--install-deps |
Installs required tools best-effort. |
--self-install, --setup |
--self-install --user |
Installs the reconkit command. |
--user |
--self-install --user |
Prefer user bin directory such as ~/.local/bin . |
--with-optional |
--install-deps --with-optional |
Also install optional recon/web/TLS tools. |
--dry-run |
--install-deps --dry-run |
Print install plan without installing. |
--check-deps |
--check-deps |
Print dependency status and exit. |
--web, --serve |
--web |
Start the local ReconKit web panel. |
--host |
--web --host 0.0.0.0 |
Host/interface for the web panel. Default: 127.0.0.1. |
--port |
--web --port 8080 |
TCP port for the web panel. Default: 8080. |
--uninstall |
--uninstall |
Remove the installed reconkit command launcher. |
--purge |
--uninstall --purge |
Also remove local config/presets and ~/.reconkit install directory when safe. |
--ai |
--ai |
Analyze scan results using recon_config.json. |
--ai-timeout |
--ai-timeout 90 |
AI request timeout in seconds. |
--ai-out |
--ai-out ai-report.md |
Save AI analysis to a file. |
--ai-init |
--ai-init |
Create/update recon_config.json with default AI settings. |
--ai-show |
--ai-show |
Show loaded AI config safely, with API keys masked. |
--ai-set |
--ai-set model=openrouter/free |
Set and save an AI config value. Can be repeated. |
--ai-set-file |
--ai-set-file system_prompt=prompt.txt |
Load and save an AI config value from a file. Useful for long prompts. |
--ai-prompt |
--ai-prompt |
Print configured AI system prompt and exit. |
--show-config |
--show-config |
Alias for --ai-show. |
--test-ai |
--test-ai |
Test AI endpoint/model/API key without scanning. |
--version |
--version |
Show ReconKit version and Team CynetX links. |
ReconKit can manage its AI settings from the CLI, so you do not need to manually edit JSON for normal setup. Settings are saved in recon_config.json.
Create the config file:
reconkit --ai-initShow the current config safely:
reconkit --ai-showSet OpenRouter endpoint and model:
reconkit --ai-set endpoint_url=https://openrouter.ai/api/v1/chat/completions
reconkit --ai-set model=openrouter/freeSet API key using an environment variable name. Direct local config is also supported, but do not commit real keys to GitHub:
reconkit --ai-set api_key_env=OPENROUTER_API_KEY
export OPENROUTER_API_KEY="YOUR_OPENROUTER_API_KEY"
# optional direct-key style
reconkit --ai-set api_key=YOUR_OPENROUTER_API_KEYSet a long system prompt from a text file:
reconkit --ai-set-file system_prompt=prompt.txtTune generation values:
reconkit --ai-set temperature=0.15 --ai-set max_tokens=5000
reconkit --ai-set continuation_rounds=5 --ai-set empty_response_retries=5Test the endpoint/model/key before scanning:
reconkit --test-aiRun an AI-assisted scan:
reconkit example.com --deep --ai --ai-out ai-report.md -o scan.jsonUseful AI config keys:
| Key | Meaning | Example |
|---|---|---|
endpoint_url |
OpenRouter-compatible chat completions endpoint. | https://openrouter.ai/api/v1/chat/completions |
model |
Model/router name. | openrouter/free |
api_key_env |
Environment variable that stores the API key. | OPENROUTER_API_KEY |
api_key |
Direct API key stored in local config. | sk-or-... |
system_prompt |
Main AI behavior and report instructions. | Use --ai-set-file system_prompt=prompt.txt |
temperature |
Creativity/variance. Lower is more consistent. | 0.15 |
max_tokens |
Maximum output size per response. | 5000 |
continuation_rounds |
Continuation attempts when output is cut. | 5 |
empty_response_retries |
Retries for empty/free-model responses. | 5 |
http_referer |
OpenRouter referer header. | https://local.reconkit |
x_title |
OpenRouter title header. | ReconKit AI Analysis |
AI output structure:
- Executive Summary
- Attack Surface Table
- Risk Assessment
- How an Attacker Might Abuse This (Defensive View)
- Recommended Next Authorized Tests
- Defensive Hardening Plan
- Top 5 Priorities
- Data Quality Notes
The AI mode is designed for defensive analysis: it explains exposure, likely risk, safe validation ideas, and hardening steps — without exploit payloads, brute-force instructions, malware, persistence, or evasion.
ReconKit also includes a built-in local web panel. It uses Python's standard library web server, so no Flask/FastAPI dependency is required.
Start it locally:
reconkit --webOpen:
http://127.0.0.1:8080
Run on a server or custom interface/port:
reconkit --web --host 0.0.0.0 --port 8080Inside the interactive console:
reconkit(no-target)> web
reconkit(no-target)> web 0.0.0.0 8080
The web panel supports:
- Starting scans with target, mode, modules, ports, preset, timeout, AI, raw artifacts, and command display options.
- Viewing scan history and opening previous reports.
- Downloading JSON, Markdown, and HTML reports.
- Creating, listing, and deleting custom presets.
- Checking dependencies and starting dependency installation.
- Viewing/editing AI config and testing the AI endpoint.
Security note: keep the panel bound to
127.0.0.1unless you intentionally run it on a trusted server/network. It is an operator panel, not a public web app.
| Output | Command | Result |
|---|---|---|
| Console | reconkit example.com |
Pretty terminal dashboard. |
| JSON | -o scan.json |
Machine-readable normalized data. |
| Markdown | --markdown report.md |
GitHub/client-friendly report. |
| HTML | --html report.html |
Standalone HTML report. |
| Raw evidence | --raw-dir artifacts |
Tool outputs and artifacts. |
| Diff | --diff old.json |
Highlights changes from a previous scan. |
| AI report | --ai-out ai-report.md |
Saved AI analysis. |
A complete report workflow can look like this:
reconkit example.com --mission --raw-dir artifacts -o scan.json --markdown report.md --html report.html --ai --ai-out ai-report.md -t 120| Problem | Fix |
|---|---|
reconkit: command not found |
Open a new terminal, then run echo $PATH. User installs usually place the command in ~/.local/bin. |
| GitHub clone is very slow | Use RECONKIT_GIT_TIMEOUT=10 with the install command so it falls back to ZIP faster. |
| Optional tools are missing | Run reconkit --install-deps --with-optional, then reconkit --check-deps. Some optional tools depend on OS package availability. |
| AI test returns empty/free-model issues | Try reconkit --test-ai, increase retries with --ai-set empty_response_retries=5, or choose a more stable OpenRouter model. |
| Output has ANSI codes in logs | Add --no-color. |
| Need exact executed commands | Add --cmd / --show-commands. |
ReconKit is built to help defenders and authorized operators understand exposure clearly. Keep it professional: scan only assets you own, manage, or have written permission to test.
By design, ReconKit avoids:
- Brute force and password spraying.
- Exploit payloads and weaponized PoCs.
- Malware, persistence, evasion, or destructive actions.
- Unauthorized access attempts.
Built with ❤️ by Team CynetX for operators who care about clean recon, readable reports, and practical security work.
© 2026 Team CynetX. All rights reserved.
- Website: https://cynetx.ir
- Telegram: https://t.me/cynetx
If ReconKit makes your workflow cleaner, give the repository a star and share it with someone who still reads raw tool output by hand.

