SecurityTrails Blog · Nov 17 · by Esteban Borges

AutoRecon: A Multi-Threaded Network Reconnaissance Tool

Reading time: 6 minutes
Listen to this article

With organizations’ digital footprints growing larger and larger, network recon and the enumeration of services available over the public internet has become a critical area in the security of an organization. And given the increased number of vulnerabilities and threats targeting web applications, performing automated recon and service enumeration is ever more important.

Fortunately, using open-source and free-to-use tools such as recon-ng has streamlined this process to the point of near-automation.

Today we’ll take a look at AutoRecon, aimed at doing just that: automating your network recon and service enumeration methods.

What is AutoRecon?

AutoRecon is an open-source project built to perform network reconnaissance with automated service enumeration.

The advantage that AutoRecon provides over other information gathering and internet scanning tools is that it allows one to further process—and further act upon—information gathered directly within AutoRecon. This includes performing actions like Nmap as well as running the gathered data through other scanning tools, such as feroxbuster, sslscan, nbtscan, Nikto and more.

Take your recon to the next level Discover how SurfaceBrowser™ can unveil IP blocks, subdomains,
open ports, and SSL certificates from any company

Installing AutoRecon

Note: As its dependencies are easily available on KaliLinux, we suggest using AutoRecon on that distribution.

To begin with, ensure you have python3 and pip available.

Next, use Python pip to grab the latest version of AutoRecon and install it:

sudo python3 -m pip install git+

Next, you’ll need to install certain dependencies:

sudo apt install seclists curl enum4linux feroxbuster impacket-scripts nbtscan nikto nmap onesixtyone oscanner redis-tools smbclient smbmap snmp sslscan sipvicious tnscmd10g whatweb wkhtmltopdf

Run the command autorecon –help to determine whether it’s been successfully installed:

autorecon --help

Which should then give you the following output containing various options available in AutoRecon:

Autorecon options


Getting started with AutoRecon is super simple—one can even run AutoRecon without any flags or options:


Replace with a domain name that you wish to scan.

Once the command has finished executing, it should then return the following output:

Autorecon usage

Analyzing the results

After a scan completes, AutoRecon saves the scan results in the “results” directory, inside of which a new subdirectory is created for every target being scanned by AutoRecon.

The results structure created by AutoRecon is as shown below:



├── exploit

├── loot

├── report

│ ├── local.txt

│ ├── notes.txt

│ ├── proof.txt

│ ├──

│ │ └──

│ │ ├──

│ │ ├──

│ │ ├── Manual

│ │ ├──

│ │ ├── Port Scans

│ │ │ ├── PortScan - All TCP

│ │ │ ├── PortScan - Top 100 UDP

│ │ │ └── PortScan - Top TCP

│ │ └── Services

│ │ ├── Service - tcp-22-ssh

│ │ │ └── Nmap

│ │ ├── Service - tcp-443-http

│ │ │ ├──

│ │ │ ├── Curl

│ │ │ ├── Directory

│ │ │ ├── Nmap

│ │ │ ├── SSL

│ │ │ ├──

│ │ │ └──

│ │ └── Service - tcp-80-http

│ │ ├──

│ │ ├── Curl

│ │ ├── Directory

│ │ ├── Nmap

│ │ ├──

│ │ └──

│ └── screenshots

└── scans

├── _commands.log

├── _errors.log

├── _full_tcp_nmap.txt

├── _manual_commands.txt

├── _patterns.log

├── _quick_tcp_nmap.txt

├── tcp22

│ ├── tcp_22_ssh_nmap.txt

│ └── xml

│ └── tcp_22_ssh_nmap.xml

├── tcp443

│ ├── tcp_443_https_curl.html

│ ├── tcp_443_https_feroxbuster_big.txt

│ ├── tcp_443_https_feroxbuster_common.txt

│ ├── tcp_443_https_feroxbuster_raft-large-words.txt

│ ├── tcp_443_https_nmap.txt

│ ├── tcp_443_https_screenshot.png

│ ├── tcp_443_https_whatweb.txt

│ ├── tcp_443_sslscan.html

│ └── xml

│ └── tcp_443_https_nmap.xml

├── tcp80

│ ├── tcp_80_http_curl.html

│ ├── tcp_80_http_curl-robots.txt

│ ├── tcp_80_http_feroxbuster_big.txt

│ ├── tcp_80_http_feroxbuster_common.txt

│ ├── tcp_80_http_feroxbuster_raft-large-words.txt

│ ├── tcp_80_http_nmap.txt

│ ├── tcp_80_http_screenshot.png

│ ├── tcp_80_http_whatweb.txt

│ └── xml

│ └── tcp_80_http_nmap.xml

├── _top_100_udp_nmap.txt

└── xml

├── _full_tcp_nmap.xml

├── _quick_tcp_nmap.xml

└── _top_100_udp_nmap.xml
  • The exploit directory is used to store any exploit code you run for the target being scanned.
  • The loot directory is intended to store any hashes or notable files you find on the target you’re scanning.
  • The report directory contains reports of the scan performed by AutoRecon; files are generated as follows:
    • local.txt can be used to store the local.txt flag found on targets.
    • notes.txt should contain a basic template where you can write notes for each service discovered.
    • proof.txt can be used to store the proof.txt flag found on the target.
  • The screenshots directory is used to store any screenshots you use to document the exploitation of the target.
  • The scans directory is where all results from scans performed by AutoRecon will go. This includes all commands executed by AutoRecon and whether any commands failed or succeeded as well.
  • The scans/XML directory stores scan data results in XML format (from Nmap, etc.) which can be used to easily import scan results data into other software for further processing or storing.

Further understanding the results

Finding the webserver version

With the output we gather from AutoRecon, one can find the version of the webserver running on the target system as well. Most web servers expose their name and version by default; for example, from the Nmap output:


80/tcp open http syn-ack ttl 55 nginx 1.14.0 (Ubuntu)

This tells us the webserver running on the target being scanned is Nginx 1.14.0.

Detecting operating systems

Looking even further with the output we’ve gathered above, the webserver often exposes the operating system or operating system family, too. Also, as shown above, we can see the target being scanned runs on Ubuntu.

Gathering screenshots along the way

Often, web application screenshots can tell a lot—they can expose/display errors, find web applications running on non-standard ports, show outdated running web applications, and more. AutoRecon gathers screenshots for any ports it discovers along the way.

These screenshots can be found under the path: results/DOMAIN.NAME/scans/tcpPORT

This allows one to efficiently streamline their process. Usually, one would identify open ports, then run through another tool to gather screenshots. AutoRecon, however, does this for you automatically.


AutoRecon proves to be an excellent tool for performing network reconnaissance with the automated enumeration of services. Combined with its ability to further process gathered data with other useful tools including feroxbuster, sslscan, nbtscan, and Nikto, the number of use cases for AutoRecon increases greatly.

AutoRecon also provides scan results data in the XML format, allowing for scan results to be processed to a greater extent while making logging into databases even simpler.

Esteban Borges Blog Author

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.