Find what others don’t.
Thoroughly map and understand your target web application or API while you perform your security testing, providing you with more endpoints to test as you go. Reconnaissance is the foundation of effective security testing, and Recon++ makes that process easy and seamless.
See more, find more.
I'm never running burp without this again
Just spent a few hours playing with Recon++ in the lab… First impression is “OMG, I’m never running burp without this again”. One of my biggest problems is keeping track of what I’ve already seen… No longer an issue when all of my requests are saved in a database. Speaking of databases… anyone working on a talk about hunting for bugs using bento and browser data? What about doing the same thing, but against mobile app requests? Ok, I’m exhausted and excited… it’s time to go to bed.
Great work Omniprismatic Inc., I’m excited to have this tool in my kitbag! (Also, ask the lawyers if it’s ok to use it in a talk someday)
What does Recon++ do?
Recon++ augments your existing security testing workflow by passively collecting a large amount of data about web applications and APIs while you work. Taken together, that data describes how an application is put together: its function calls (URL paths), input values (query and body parameters), state (cookies and request header names), and output results (HTTP response codes). The data can be filtered by URL scheme (e.g. “http”, “https”), response code (e.g. 200, 302, 500), and request method (e.g. “GET”, “POST”, “PUT”).
Everything collected about an application can also be queried through a REST-based API, so the data can feed other testing activities. For example, you can use the collected domains and paths to seed further crawling of an application or API, or list the paths that appear to require authorization by searching for 403 responses. Treat such a list as a set of leads rather than proof: 401 is the response code for missing authentication, and a 403 can also come from a WAF rule or an IP restriction rather than from the application’s own access control.
The aim is a thorough map of the target that grows while you test, so that you always have more endpoints to test as you go.
What does Recon++ NOT do?
Recon++ does NOT perform port scanning. It works entirely at the application layer (HTTP), concentrating on complete discovery and mapping of web applications and APIs.
Recon++ does NOT generate traffic of its own or perform any active testing against your targets. It only observes and relays the requests that you and your tools already send, so the tool itself will never bring down a target application.
How does it work?
Each Recon++ server acts as both a DNS server and a transparent proxy. The DNS server resolves every hostname that matches one of your target patterns (defined as domain wildcards; for example “*.example.com”, which covers “example.com” and every subdomain beneath it) to the transparent proxy, which relays and records the traffic between your computer and the real server. For HTTPS, the proxy generates a leaf certificate for the requested hostname on the fly and signs it with a root CA that the installer adds to your system trust store. Sitting in this position, the proxy collects and categorizes every data point about an application in one place, so that you can see how the application really works. Be clear about what that trust means: anyone holding the private key of that root CA can impersonate any HTTPS site to your machine, not only your targets, so keep the Recon++ server under your control and remove the root CA from your trust store once the engagement is over.
A brief overview of Recon++ in action
For applications outside the browser that use certificate pinning, Recon++ detects the pinning and takes the host out of the transparent proxy, so you can keep using the application; its requests and responses are then not collected.
There will be a brief delay (usually 5-15 seconds) the first time you access such an application, while the tool determines that the certificate is pinned and updates its DNS records accordingly.
Note that HTTP Public Key Pinning (HPKP) in browsers does not interfere with Recon++ as long as our root CA certificate is in your system trust store: browsers deliberately exempt locally installed trust anchors from pin enforcement. HPKP has since been deprecated and removed from Chrome and Firefox in any case.
Other services that use DNS
Other network services that use DNS to look up hosts, such as SMB and NTP, are not currently supported: a hostname that matches a target pattern resolves to the proxy, which only handles HTTP on ports 80 and 443, so connections for other protocols to those hosts are not relayed.
Future releases will progressively add support for these services.
Web applications and APIs running on ports other than 80 and 443
Recon++ does not currently support web applications and APIs served on ports other than 80 and 443.
Future releases may provide a way to define the operating ports for specific target hosts.
Because Recon++ operates as a transparent proxy that terminates TLS, any SSL/TLS testing you run through the tool (protocol versions, cipher suites, certificate checks) is evaluated against the Recon++ server, not against the intended target. To test a target’s own TLS configuration, either temporarily add those hosts to the whitelist on the configuration page, or point your computer’s DNS settings away from the Recon++ DNS server until the SSL/TLS tests are complete.
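The routing behaviour described above (target wildcards resolving to the proxy, whitelisted hosts and pinned hosts resolving to the real server, pinning detected from failed handshakes) can be modelled in a few lines. The following is an added illustration of that decision logic, not Recon++’s own code: the proxy address, the short TTL, the handshake-failure threshold and the record layout are all assumptions made for the example.

```python
"""Illustrative model of the name-routing decision behind a DNS-fronted
transparent proxy. Added example, not Recon++ code: PROXY_IP, TARGET_TTL and
PIN_FAIL_THRESHOLD are assumptions chosen for the demonstration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PROXY_IP = "10.0.0.5"      # assumed: address the transparent proxy listens on
TARGET_TTL = 5             # assumed: short TTL so a re-route (e.g. after pinning) takes effect quickly
PIN_FAIL_THRESHOLD = 2     # assumed: handshake rejections before a host is treated as pinned


def name_matches(pattern: str, qname: str) -> bool:
    """Wildcard semantics from the page: '*.example.com' covers example.com and
    every name beneath it. A pattern without a wildcard matches only that name."""
    q = qname.rstrip(".").lower()
    p = pattern.rstrip(".").lower()
    if p.startswith("*."):
        base = p[2:]
        return q == base or q.endswith("." + base)
    return q == p


@dataclass
class Router:
    targets: List[str]                                  # wildcard patterns from the configuration page
    whitelist: Set[str] = field(default_factory=set)    # hosts temporarily excluded, e.g. for TLS testing
    pinned: Set[str] = field(default_factory=set)       # hosts whose client rejected the forged certificate
    _fails: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def is_target(self, qname: str) -> bool:
        return any(name_matches(t, qname) for t in self.targets)

    def decide(self, qname: str, upstream_ip: str, upstream_ttl: int) -> Tuple[str, str, int]:
        """Answer one query as (reason, ip, ttl). upstream_ip/upstream_ttl stand in
        for the answer the server would forward for a name it does not intercept."""
        q = qname.rstrip(".").lower()
        if not self.is_target(q):
            return ("not-a-target", upstream_ip, upstream_ttl)
        if q in self.whitelist:                 # real server, but keep the TTL short so
            return ("whitelisted", upstream_ip, TARGET_TTL)   # un-whitelisting applies promptly
        if q in self.pinned:                    # pass-through: traffic is not recorded
            return ("pinned", upstream_ip, TARGET_TTL)
        return ("proxy", PROXY_IP, TARGET_TTL)

    def record_tls_result(self, host: str, accepted: bool) -> bool:
        """Feedback from the proxy: a client that aborts the handshake after seeing
        the on-the-fly certificate is treated as pinning. Returns True once the
        host has been switched to pass-through."""
        h = host.rstrip(".").lower()
        if accepted:
            self._fails.pop(h, None)
            return False
        self._fails[h] += 1
        if self._fails[h] >= PIN_FAIL_THRESHOLD:
            self.pinned.add(h)
            return True
        return False


if __name__ == "__main__":
    r = Router(targets=["*.example.com"], whitelist={"api.example.com"})
    for name in ("www.example.com", "api.example.com", "other.org"):
        print(name, "->", r.decide(name, "203.0.113.10", 300))   # 203.0.113.10 is a constructed upstream answer
    r.record_tls_result("app.example.com", accepted=False)
    r.record_tls_result("app.example.com", accepted=False)
    print("app.example.com ->", r.decide("app.example.com", "203.0.113.10", 300))
```

The short TTL is what makes the “brief delay” on first use of a pinned application bounded: once the host is marked pinned, the next lookup after the TTL expires goes straight to the real server.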
Tips & Tricks
Different ways to get the most out of Recon++.
1. Use with a web crawler
Recon++ works passively on the traffic it observes over time, so the more of your target’s traffic passes through the proxy, the more coverage and visibility you get. Pointing a web crawler at the target is an easy way to generate that traffic, provided the crawler resolves hostnames through the Recon++ DNS server rather than its own resolver or a hosts file; otherwise its requests bypass the proxy and are never recorded. This is particularly helpful in targeted security testing, where you have permission to send more traffic to the target domain.
2. Use alongside your regular tooling
Recon++ is deliberately built as a transparent proxy fronted by a DNS server so that your existing security tooling needs no additional configuration: any tool that resolves names through the Recon++ DNS server is covered. By passing your regular testing traffic through the tool, you gain insight into the target application that your tool of choice alone may not give you.
3. Use with a team
By teaming up with other Recon++ customers and sharing the same database instance, you pool every result and keep a single, thorough record of all the web applications and APIs you test together. This is the perfect use case for a team of penetration testers or a group of security researchers working on bug bounties. Keep in mind that the shared database holds complete request and response data, including session cookies and authorization headers for the targets, so restrict access to the people on the engagement and protect it as you would the credentials it contains.
4. It’s for developers too
Recon++ is not just a security tool for penetration testers and security researchers; it is useful to developers too. Want to find application failures and track down their root cause? In the Recon++ web UI (https://<Recon++ server IP>:1337), filter your domain data by response code and look for 500 responses. This shows you every request, with its inputs, that triggered a server error, so you can hunt down the cause. Security testers use the same tactic, because an input that breaks an application often points at a security vulnerability behind it.
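Both the REST API use cases described earlier (filtering by scheme, response code and method; finding paths that answer 403) and the 500-hunting tip above are queries over the same captured request/response data. The following is an added example of those queries run over a small constructed sample; it is not Recon++ code, and the record layout (method, url, status, body parameter names) is an assumption, not the product’s schema. It goes slightly beyond the page by also treating 401 as an authorization lead and by building a per-endpoint map of methods, inputs and status codes.

```python
"""Added example, not Recon++ code: queries over passively captured exchanges.
CAPTURED is a constructed sample and its field layout is an assumption."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what a passive proxy could record per exchange.
CAPTURED = [
    {"method": "GET",    "url": "https://app.example.com/login?next=%2Fhome",   "status": 200, "body_params": []},
    {"method": "POST",   "url": "https://app.example.com/login",                "status": 302, "body_params": ["user", "pass"]},
    {"method": "GET",    "url": "https://app.example.com/account",              "status": 403, "body_params": []},
    {"method": "GET",    "url": "https://api.example.com/v1/users/42",          "status": 200, "body_params": []},
    {"method": "DELETE", "url": "https://api.example.com/v1/users/42",          "status": 403, "body_params": []},
    {"method": "GET",    "url": "https://api.example.com/v1/export?format=csv", "status": 200, "body_params": []},
    {"method": "GET",    "url": "https://api.example.com/v1/export?format=%27", "status": 500, "body_params": []},
    {"method": "GET",    "url": "http://static.example.com/app.js",             "status": 200, "body_params": []},
]

Endpoint = Tuple[str, str]  # (host, path)


def endpoint(rec: dict) -> Endpoint:
    u = urlsplit(rec["url"])
    return (u.hostname, u.path or "/")


def input_names(rec: dict) -> Set[str]:
    """Input values seen for a request: query parameter names plus body parameter names."""
    u = urlsplit(rec["url"])
    names = {k for k, _ in parse_qsl(u.query, keep_blank_values=True)}
    names.update(rec.get("body_params", []))
    return names


def filter_records(records: Iterable[dict], scheme: Optional[str] = None,
                   status: Optional[int] = None, method: Optional[str] = None) -> List[dict]:
    """The three filters the page describes: URL scheme, response code, request method."""
    out = []
    for r in records:
        if scheme and urlsplit(r["url"]).scheme != scheme:
            continue
        if status is not None and r["status"] != status:
            continue
        if method and r["method"] != method.upper():
            continue
        out.append(r)
    return out


def site_map(records: Iterable[dict]) -> Dict[Endpoint, Dict[str, set]]:
    """Per endpoint: methods observed (function calls), inputs, and response codes."""
    m: Dict[Endpoint, Dict[str, set]] = defaultdict(
        lambda: {"methods": set(), "params": set(), "statuses": set()})
    for r in records:
        e = m[endpoint(r)]
        e["methods"].add(r["method"])
        e["params"] |= input_names(r)
        e["statuses"].add(r["status"])
    return dict(m)


def auth_gated(records: Iterable[dict]) -> Dict[Endpoint, Set[str]]:
    """Endpoints that answered 401 or 403 at least once, with the refused methods.
    The page searches for 403 only; 401 is added because it is the code for missing
    authentication. Either is a lead, not proof: a 403 may also come from a WAF or IP rule."""
    out: Dict[Endpoint, Set[str]] = defaultdict(set)
    for r in records:
        if r["status"] in (401, 403):
            out[endpoint(r)].add(r["method"])
    return dict(out)


def error_inputs(records: Iterable[dict]) -> List[Tuple[str, str, Set[str]]]:
    """(method, url, input names) for every 5xx: the inputs that precipitated a server error."""
    return [(r["method"], r["url"], input_names(r)) for r in records if 500 <= r["status"] < 600]


if __name__ == "__main__":
    for ep, info in sorted(site_map(CAPTURED).items()):
        print(ep, info)
    print("auth-gated:", auth_gated(CAPTURED))
    print("server errors:", error_inputs(CAPTURED))
```

The DELETE on /v1/users/42 in the sample is the interesting kind of hit: the same path answers 200 to a GET and 403 to a DELETE, which is exactly the method-level authorization boundary a tester wants to probe next, and something a plain list of 403 paths would hide.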