I Built a Zero-Dependency Recon Toolkit in Pure Python (and You Should Too)
Here's a hot take: your recon pipeline doesn't need Go, Rust, or 47 system dependencies.
I just shipped a fully functional bug bounty recon toolkit — subdomain enumeration, live host probing, vulnerability scanning — all in pure Python. No subfinder. No amass. No httpx. Not even requests.
Just the Python standard library. Running on a $35 Raspberry Pi. 24/7.
The Problem with Modern Recon Tooling
Every security researcher knows the pain:
# The typical "quick" recon setup
brew install go rust cmake
# Wait 20 minutes...
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/owasp-amass/amass/v4/...@master
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# 47 brew dependencies later...
Before you've even started your engagement, you've spent an hour installing toolchains. And if (when) Go breaks, you're debugging $GOPATH instead of finding bugs.
What if recon could be as simple as:
git clone https://github.com/ulnit/bb-automation-kit
cd bb-automation-kit
python3 bb_kit.py --help
# Done. You're hunting.
What It Does
The toolkit has three core modules, each pure Python:
1. Subdomain Enumeration
# Uses crt.sh certificate transparency logs + DNS brute force
# Zero external dependencies — just urllib and socket
python3 bb_kit.py enum tesla.com
# Output:
# [+] Enumerating subdomains for tesla.com...
# [+] Found 47 subdomains via crt.sh
# [+] 12 live hosts confirmed
# api.tesla.com
# auth.tesla.com
# shop.tesla.com
# ...
Under the hood, it queries the crt.sh API, parses the JSON with json.loads(), deduplicates with set(), and resolves with socket.getaddrinfo(). No magic — just clean, readable code.
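As an added example (not the toolkit's own enum.py), here is that crt.sh pipeline written out with the standard library. The JSON below is constructed to match the shape crt.sh returns for `?q=%25.example.com&output=json`; the hostnames and the `bb-kit-example` user agent are assumptions. It handles two details a quick `json.loads` + `set()` misses: `name_value` packs several names per certificate separated by newlines (with wildcards and mixed case), and a plain `endswith("example.com")` would also accept a lookalike such as `notexample.com`.

```python
"""Added example, not code from bb-automation-kit: crt.sh JSON -> clean set of
in-scope subdomains, with an optional getaddrinfo() resolution step."""
import json
import socket
import urllib.parse
import urllib.request

# Constructed sample in the shape crt.sh returns. name_value may carry several
# newline-separated names, wildcards, mixed case and duplicates.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "api.example.com",
     "name_value": "api.example.com\nAPI.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nshop.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "auth.example.com",
     "name_value": "auth.example.com"},
    # Out-of-scope lookalike that a naive endswith("example.com") would accept
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "notexample.com",
     "name_value": "notexample.com\nlogin.notexample.com"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> set:
    """Return the unique, lower-cased hostnames that are `domain` or under it.

    Wildcard entries (*.example.com) are dropped: they prove a wildcard cert
    was issued, not that any particular host exists.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            # Apex or a real subdomain only; "notexample.com" also ends with
            # "example.com" but not with ".example.com".
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def fetch_crtsh(domain: str, timeout: float = 30.0) -> str:
    """Network call: crt.sh JSON for every cert naming a host under `domain`.
    %25 is the URL-encoded '%' wildcard crt.sh expects."""
    url = "https://crt.sh/?q=%25." + urllib.parse.quote(domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "bb-kit-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def resolve(host: str) -> set:
    """A/AAAA addresses for `host`; empty set if it does not resolve
    (getaddrinfo raises socket.gaierror on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


if __name__ == "__main__":
    subs = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print(sorted(subs))  # ['api.example.com', 'auth.example.com', 'shop.example.com']
    # Live run against a domain you are authorised to test:
    # live = {s for s in extract_subdomains(fetch_crtsh("example.com"), "example.com") if resolve(s)}
```

The in-scope check is worth keeping even though crt.sh's `%.example.com` query is already a suffix match: names come from whatever the certificate's SAN list says, and a cert for `example.com` can carry unrelated names alongside it.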
2. Live Host Probing
# Concurrent TCP probes to check which hosts are alive
# Uses concurrent.futures for parallelism
python3 bb_kit.py probe api.example.com www.example.com app.example.com
# [+] Probing 3 hosts...
# [+] api.example.com:443 — OPEN (TLS: Let's Encrypt)
# [+] www.example.com:443 — OPEN (TLS: Cloudflare)
# [-] app.example.com:443 — CLOSED
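An added example of the probe step, written here with socket, ssl and concurrent.futures (it is not the toolkit's probe.py). The host list and `SAMPLE_PEERCERT` are constructed for illustration. Two things matter in practice that the `OPEN`/`CLOSED` output above hides: a connection timeout is not the same as a refused connection (a firewall dropping SYNs looks like a dead host, a RST proves the host is up), and `getpeercert()` only returns a parsed dict when the chain verified, so an expired or self-signed certificate has to be handled explicitly rather than silently reported as no issuer.

```python
"""Added example, not bb-automation-kit's probe.py: concurrent TCP/TLS probing
with the standard library only."""
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns: the
# issuer is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "www.example.com")),
}


def issuer_org(cert: dict) -> str:
    """Issuer organizationName (fallback commonName) from a getpeercert() dict."""
    attrs = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return attrs.get("organizationName") or attrs.get("commonName") or "unknown"


def probe(host: str, port: int = 443, timeout: float = 3.0) -> dict:
    """Network call. Classify host:port as OPEN, CLOSED (RST received),
    FILTERED (nothing back before the timeout) or NXDOMAIN; on an open 443,
    record the certificate issuer."""
    result = {"host": host, "port": port, "state": "FILTERED", "issuer": None, "note": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        result["state"] = "NXDOMAIN"
        return result
    except ConnectionRefusedError:
        result["state"] = "CLOSED"
        return result
    except OSError:  # socket.timeout/TimeoutError and anything else: no answer
        return result
    result["state"] = "OPEN"
    if port != 443:
        sock.close()
        return result
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["issuer"] = issuer_org(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # With verification on, getpeercert() is populated; an expired,
        # self-signed or mis-named cert (often the interesting host) raises
        # here instead, so report it rather than dropping it.
        result["note"] = "TLS verification failed: " + str(exc)
    except (ssl.SSLError, OSError) as exc:
        result["note"] = "TLS handshake failed: " + str(exc)
    finally:
        sock.close()
    return result


def probe_all(hosts, port: int = 443, workers: int = 20) -> list:
    """Probe every host concurrently; results keep the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda h: probe(h, port), hosts))


def format_result(r: dict) -> str:
    """Render one result in the toolkit's [+]/[-] line style."""
    mark = "[+]" if r["state"] == "OPEN" else "[-]"
    line = "%s %s:%d %s" % (mark, r["host"], r["port"], r["state"])
    if r["issuer"]:
        line += " (TLS: %s)" % r["issuer"]
    elif r["note"]:
        line += " (%s)" % r["note"]
    return line


if __name__ == "__main__":
    # Constructed target list; replace with hosts you are authorised to probe.
    for res in probe_all(["api.example.com", "www.example.com", "app.example.com"]):
        print(format_result(res))
```

If you would rather not trust the system CA store at all, `ssl.get_server_certificate()` returns the PEM without verifying, but the standard library has no X.509 parser, so the issuer then has to be read by other means.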
3. Vulnerability Scanning
# Quick low-noise scan (a single request per target, so not strictly passive): checks headers, TLS config, common misconfigs
python3 bb_kit.py scan https://example.com
# [+] Scanning https://example.com...
# [+] Server: nginx/1.24.0
# [!] Missing: Content-Security-Policy
# [!] Missing: X-Frame-Options
# [+] TLS 1.3: Enabled
# [+] HSTS: Strict-Transport-Security present (max-age=31536000)
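The header checks above, as an added example (not the toolkit's scan.py) over a constructed header list of the kind urllib's `resp.getheaders()` returns; the header values and `bb-kit-example` user agent are assumptions. Beyond presence/absence it parses the HSTS `max-age`, treats a CSP `frame-ancestors` directive as an acceptable substitute for `X-Frame-Options`, and checks every `Set-Cookie` for `Secure` and `HttpOnly`. The fetch helper also keeps the headers of 4xx/5xx responses, which `urlopen` otherwise raises away as `HTTPError`.

```python
"""Added example, not bb-automation-kit's scan.py: response-header checks in
the page's [!]/[+] output style, plus the urllib fetch that feeds them."""
import re
import urllib.error
import urllib.request

ONE_YEAR = 31536000

# Constructed sample: (name, value) pairs for a misconfigured origin. A real
# http.client.HTTPMessage preserves repeated Set-Cookie headers the same way.
SAMPLE_HEADERS = [
    ("Server", "nginx/1.24.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]


def fetch_headers(url: str, timeout: float = 10.0) -> list:
    """Network call: one GET, returning response headers as (name, value) pairs.
    4xx/5xx responses still carry the headers we want, so HTTPError is not a failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "bb-kit-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getheaders()
    except urllib.error.HTTPError as err:
        return list(err.headers.items())


def hsts_max_age(value: str):
    """max-age from a Strict-Transport-Security value, or None if absent."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def analyze_headers(pairs: list, https: bool = True) -> list:
    """Return finding lines for a list of (name, value) header pairs."""
    lower, cookies = {}, []
    for name, value in pairs:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)
        else:
            lower.setdefault(key, value)  # first occurrence wins
    findings = []

    server = lower.get("server")
    if server:
        tag = " (version disclosed)" if re.search(r"/\d", server) else ""
        findings.append("[+] Server: " + server + tag)

    csp = lower.get("content-security-policy", "")
    if not csp:
        findings.append("[!] Missing: Content-Security-Policy")
    # CSP frame-ancestors supersedes X-Frame-Options, so only flag when both are absent.
    if "x-frame-options" not in lower and "frame-ancestors" not in csp.lower():
        findings.append("[!] Missing: X-Frame-Options (no CSP frame-ancestors either)")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("[!] Missing: X-Content-Type-Options: nosniff")

    hsts = lower.get("strict-transport-security")
    if https:
        if hsts is None:
            findings.append("[!] Missing: Strict-Transport-Security")
        else:
            age = hsts_max_age(hsts)
            if age is None:
                findings.append("[!] HSTS present but has no max-age: " + hsts)
            elif age < ONE_YEAR:
                findings.append("[!] HSTS max-age=%d is below one year (%d)" % (age, ONE_YEAR))
            else:
                findings.append("[+] HSTS: Strict-Transport-Security present (max-age=%d)" % age)
    elif hsts is not None:
        findings.append("[-] HSTS header seen over plain HTTP: browsers ignore it there")

    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().lower() for p in cookie.split(";")[1:]}
        for attr in ("Secure", "HttpOnly"):
            if attr.lower() not in attrs:
                findings.append("[!] Cookie '%s' lacks %s" % (name, attr))
    return findings


if __name__ == "__main__":
    for line in analyze_headers(SAMPLE_HEADERS):
        print(line)
    # Live: for line in analyze_headers(fetch_headers("https://example.com")): print(line)
```

Pass `https=False` when the URL was plain HTTP: HSTS is only honoured over TLS, so its absence there is not a finding and its presence is a hint that the header is set unconditionally.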
Why Pure Python Matters
| Tool | Language | External Dependencies | Install Time |
|---|---|---|---|
| subfinder | Go | Go toolchain + modules | ~5 min |
| amass | Go | Go toolchain + modules | ~8 min |
| httpx | Go | Go toolchain + modules | ~3 min |
| bb-automation-kit | Python | None (stdlib) | 0 min |
No pip install. No virtualenv. No build chains. Just python3 bb_kit.py.
This means it runs anywhere Python 3.8+ exists — which is everywhere:
- 🥧 Raspberry Pi — $35 passive recon box running 24/7
- ☁️ AWS Lambda — serverless recon with a tiny deployment package and no dependency layer to load
- 🐳 Alpine Docker — 23MB image vs 400MB Go-based alternatives
- 🏢 Corporate machines — no admin rights needed, no go install
Real-World Example: Scanning a Bug Bounty Target
Here's a complete workflow against a real bug bounty program (redacted):
# Step 1: Enumerate subdomains
$ python3 bb_kit.py enum target.com
[+] crt.sh returned 312 certificates
[+] Extracted 89 unique subdomains
[+] DNS resolution: 73 live
# Step 2: Probe live hosts
$ python3 bb_kit.py probe $(cat targets.txt)
[+] Probing 73 hosts on port 443...
[+] 51 hosts responding
[+] 12 hosts on non-standard ports (8080, 8443, 3000)
# Step 3: Quick vulnerability scan on interesting targets
$ python3 bb_kit.py scan https://admin.target.com
[!] Directory listing enabled on /backup/
[!] .git directory exposed at /.git/HEAD
[!] Debug mode active (DEBUG=True in response headers)
Time from git clone to first finding: 4 minutes.
The Architecture
bb-automation-kit/
├── bb_kit.py # Main CLI entry point
├── engine/
│ ├── enum.py # crt.sh + DNS brute force
│ ├── probe.py # TCP connect + TLS fingerprinting
│ └── scan.py # Header analysis + misconfig detection
├── wordlists/
│ └── subdomains.txt # 5,000 common subdomains
└── output/ # Results directory
Everything is designed to be readable by a human — no abstract factory patterns, no over-engineered class hierarchies. If you can read Python, you can read this codebase.
Pro Features
While the free tier handles up to 100 domains/day, the Pro version ($15 one-time) unlocks:
- 🔄 Concurrent scanning — scan 50 hosts in parallel with ThreadPoolExecutor
- 📊 JSON/CSV export — pipe results into your reporting pipeline
- 🎯 Custom wordlists — plug in your own subdomain lists
- 📬 Slack/Discord webhooks — get notified when scans finish
Why I Built This
I run 20+ AI products on a single Raspberry Pi — every megabyte of RAM and every CPU cycle counts. I couldn't afford Go toolchains or Rust compilers chewing through my Pi's resources. So I built my own toolkit.
Turns out, Python's standard library is surprisingly capable:
- urllib.request → HTTP/S requests
- socket + ssl → TCP connections with TLS inspection
- concurrent.futures → Parallel scanning without async complexity
- json + csv → Structured output for reporting pipelines
Get It
👉 GitHub: ulnit/bb-automation-kit — Star it, fork it, break it, improve it.
👉 Go Pro — $15 One-Time — Unlock concurrent scanning, JSON export, webhooks, and priority support.
👉 Full AI Product Store — 20+ products, all running on a single $35 Raspberry Pi.
Stop installing toolchains. Start finding bugs.
💝 Support open-source security tools: paypal.me/ulnit