DiscordRecon server allows you to do your reconnaissance process from your discord server.
- DiscordRecon is a cool discord bot working on your server to make it easy to do recon from your discord server. the bot has been linked with many tools like: nuclei, findomain, assetfinder, subfinder, arjun, paramspider, waybackurls, dirsearch and gitgraber. you can use all of these tools via the bot using only discord commands. also, discord recon allows you to automate subdomains collection process. it's using assetfinder, findomain and subfinder to collect subdomains, sort them using python function. then filter them using httpx. and the output is getting saved on the server. anytime you want to use this data for nuclei scans or any other scans that wiil be added soon. you can just call the scan function and it will use the subdomains that got saved before.
- download discord-recon source code using
git clone https://github.com/demon1a/discord-recon/
cd discord-recon/
- make sure you have both
python3
,golang
andpip3
on your system. - run discord-recon tools installer from the main folder and make sure there's no errors using:
sudo bash ./bin/installer.sh
- modify your
settings.py
file with the options you like - add your discord webhook url into notify config
- edit gitgraber config and add your github token and discord webhook
- run
app.py
with the command:python3 app.py
and feel free to open an issue if something isn't working
note: running discord-recon on a vps will be much cooler, since it uses a lot of internet and memory based on your usage. and you don't really want to harm your machine.
note: discord-recon has been tested only on linux, and most of the commands on the code are based on bash, it's not possible to run discord-recon on windows os
DISCORD_TOKEN
- your discord bot tokenUSER
- path to your os userRECON_PATH
- path to your recon dataADMIN_ROLE
- the admin role name on your serverDEBUG
- debug modeCOMMANDS_PREFIX
- the perfix of all bot commandsADMIN_CHANNEL
- admin channel id for important messages.DISABLE_NUCLEI_INFO
- disable nuclei from sending inf bugsNUCLEI_WEBHOOK
- the webhook nuclei will be using to post bugsDEFAULT_DISCORD_WEBHOOK
- the default discord-webhook discord-recon gonna send results withTOOLS
- paths for the tools names inside your systemRCE
- command injection protection. don't ever remove one of it's items.
.exec
- execute shell commands on the server..sudo
- give discord roles to users.unsudo
- remove discord roles from users.compile
- execute a python3 code on the server.shutdown
- shutdown the bot.restart
- restart the bot..ip
- get the domain ip.dig
- run dig.prips
- genrate ips from a company ip range.nslookup
- run nslookup.whois
- run whois.statuscode
- get status codes of subdomain/url.dirsearch
- start dirsearch scan.arjun
- start arjun scan.gitgraber
- start gitgraber scan.waybackurls
- start waybackurls.subfinder
- start subfinder.assetfinder
- start assetfinder.findomain
- start findomain.paramspider
- start paramspider.trufflehog
- start trufflehog.gitls
- start gitls.recon
- read internal recon file.subdomains
- collect subdomains.show
- show targets we have on the database.count
- show subdomains/hosts count in the database..history
- show the users commands from the logs..nuclei
- perform nuclei scan on collected subdomains.subjack
- perform subjack scan on collected subdomains.subjs
- run subjs on collected subdomains.smuggler
- run smuggler on collected subdomains.
- i did already run the bot on my own discord server, you can join using this url: https://discord.gg/rbkqk86x2g. at the time of writing this, discord-recon is fully free for all users and doesn't require supporting to get access into some tools, but that might get changed soon when we update our service.
- sure you can. just open an issue with the tool name. and it will be added in both. the source code and the our discord server.
- chmod x bin/clean.sh
- bin/clean.sh
-
we care about discord-recon security specially because it interacts with the internal server and any security issues can result in server-side issues, if you think that you found a security issue on discord-recon with working proof of concept on the bot on our server. then you can report this issue via huntr to get awarded and help me fixing the issue by sumitting code fixes, otherwise you can just open an issue with it on github or email me at my personal email and i will respond asap.
-
it's really not safe to run discord-recon from your system with high privileges, i would suggest creating a user with low privileges and run the bot from it, then give the user the access into the tools.
- in case you see that discord-recon is helpful. giving the project a β will be great. but you can always support discord-recon via the sponser links on the project, to keep it active and updated with more server resources to serve many users as possible.
- @0xwise64 - reported security issues on discord-recon, helped with the development process
- @ry0tak - reported security issues on discord-recon
- @omarbdrn - reported security issues on discord-recon
- assetfinder - @tomnomnom
- subfinder - @projectdiscovery
- findomain - @findomain
- arjun - @s0md3v
- dirsearch - @maurosoria
- gitgraber - @hisxo
- waybackurls - @tomnomnom
- nuclei - @projectdiscovery
- nuclei-templates - @projectdiscovery
- subjack - @haccer
- subjs - @lc
- smuggler - @defparam
- httpx - @projectdiscovery
- notify - @projectdiscovery
- paramspider - @devanshbatham
- trufflehog - @trufflesecurity
- gitls - @hahwul