I've always been into offensive security. Watching people do CTFs on YouTube got me hooked early; I loved how it requires networking knowledge, programming, and critical thinking all at once. This year, finishing my CS degree, I decided to stop watching and build something.
The result is PyRecon-Suite, a modular Python recon toolkit with four modules: subdomain enumeration, TCP port scanning, PHP webshell detection, and HTTP header analysis. Nothing revolutionary, but building it taught me more than I expected, and it found something on my own infrastructure I didn't know was there.
How it works
Single CLI entry point, four subcommands:
python main.py subdomain --target example.com --wordlist wordlists/subdomains.txt
python main.py portscan --target example.com --ports 1-1000
python main.py phpshell --target http://example.com --wordlist wordlists/shells.txt
python main.py httpheader --target https://example.com
Subdomain enumeration resolves each wordlist entry as a hostname via DNS using socket.gethostbyname(). Not HTTP requests, DNS. A subdomain can exist without a web server, so HTTP would miss it entirely. With 100 concurrent threads, 1000 subdomains resolve in under 2 seconds. One thing worth noting: running too many threads too aggressively will get you rate limited or blocked by the target's DNS infrastructure. The default is 100, but dropping it to 30-50 on targets with stricter rate limiting is the safer move.
Port scanner uses socket.connect_ex(), which returns an error code (0 on success, otherwise an errno value) instead of raising an exception, cleaner for scanning at scale. It grabs service banners on open ports, so you get output like:
[+] 22 -> SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
That version string is enough to start looking up CVEs.
PHP shell detector fetches paths from a wordlist and checks response bodies for signatures like eval(, base64_decode(, system(, shell_exec(. These functions have basically no legitimate use in production code, so a match is a genuine flag.
HTTP header analyzer checks seven security headers and flags missing ones by severity. It also extracts Server and X-Powered-By headers since leaking your exact server version is always worth noting.
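Added example, not PyRecon-Suite's code: a header analyzer in the shape the post describes, run over a captured header dict so it works offline. The seven-header set and severity ranking are my assumption (the post doesn't list them), and it goes one step past the description by also flagging headers that are present but mis-set.

```python
import re
from typing import Dict, List

# Assumed header set and severity ranking (the post does not list its seven);
# the header names are real response headers, the ranking is mine.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "high", "Content-Security-Policy": "high",
    "X-Frame-Options": "medium", "X-Content-Type-Options": "medium",
    "Referrer-Policy": "low", "Permissions-Policy": "low",
    "Cross-Origin-Opener-Policy": "low",
}
SEVERITY_ORDER = ("high", "medium", "low")
LEAK_HEADERS = ("Server", "X-Powered-By")
VERSION_RE = re.compile(r"\d+\.\d+")              # "2.4.49" inside "Apache/2.4.49"
MAX_AGE_RE = re.compile(r"max-age=(\d+)", re.I)

def analyze_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return findings keyed by category: missing, weak, leak."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: Dict[str, List[str]] = {"missing": [], "weak": [], "leak": []}
    missing = [(n, s) for n, s in SECURITY_HEADERS.items() if n.lower() not in lowered]
    missing.sort(key=lambda m: SEVERITY_ORDER.index(m[1]))   # stable sort: high first
    findings["missing"] = [f"[{s.upper()}] {n}" for n, s in missing]

    # A header that is present but mis-set gives no protection; two common cases.
    hsts = lowered.get("strict-transport-security", "")
    age = MAX_AGE_RE.search(hsts)
    if hsts and (not age or int(age.group(1)) < 31536000):  # under one year
        findings["weak"].append(f"Strict-Transport-Security: {hsts}")
    xcto = lowered.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings["weak"].append(f"X-Content-Type-Options: {xcto}")

    for name in LEAK_HEADERS:
        value = lowered.get(name.lower())
        if value:
            tag = "version" if VERSION_RE.search(value) else "product"
            findings["leak"].append(f"{name}: {value} ({tag} disclosed)")
    return findings

# Constructed sample response headers, not a real capture.
SAMPLE = {
    "Server": "Apache/2.4.49 (Ubuntu)", "X-Powered-By": "PHP",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "NOSNIFF", "x-frame-options": "DENY",
}

if __name__ == "__main__":
    print(analyze_headers(SAMPLE))
```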
The unexpected part
While testing the subdomain module against my own domain using a random wordlist I found online, this came back:
[+] test.guppynodes.com -> 197.x.x.x
I didn't recognize it. Opened it in a browser and found an HPE iLO 4 management panel sitting on the public internet.
iLO 4 is HPE's remote server management interface: remote console access, power control, hardware monitoring. The panel had rate limiting enabled so we weren't fully exposed, but it still had no business being reachable from the outside world. Someone patient enough could have worked with it.
Took about ten minutes to fix once I knew it was there. Firewall rules, external access blocked, done.
Built a tool to find exposures on other systems. Found one on my own first.
One thing that actually clicked
I've used ThreadPoolExecutor before but never properly understood when to use it versus ProcessPoolExecutor. Working on this it finally made sense.
Python's GIL means threads can't run CPU-bound code in parallel. But for network I/O like DNS lookups and TCP connections, threads spend most of their time waiting. The interpreter releases the GIL while a thread blocks in a socket call, so other threads run in the meantime. Threads are the right tool here. Processes are for CPU-bound work like cryptography or image processing. Simple distinction once you see it in practice.
What's next
The repo is at github.com/RyZeDZ/PyRecon-Suite. On the roadmap: HTML report generation, a fullscan mode chaining all modules, CVE lookup on banner results, and better DNS resolver control.
Use it on infrastructure you own.