A modular, concurrent security reconnaissance tool written in Go.
Reconix runs a series of passive and active recon phases against a target domain or URL: DNS resolution, WHOIS lookup, subdomain enumeration, port scanning, HTTP probing, web crawling, JavaScript endpoint extraction, path fuzzing, and template-based vulnerability detection.
- Go 1.21 or later
```bash
git clone https://github.com/reconixlabs/reconix-go
cd reconix-go
go build -o reconix ./cmd/reconix
```

```
reconix [flags] <target>
```
Arguments
| Argument | Description |
|---|---|
| `<target>` | Domain name or full URL (e.g. `example.com` or `https://example.com`) |
Flags
| Flag | Default | Description |
|---|---|---|
| `-config` | `config/config.yaml` | Path to the YAML configuration file |
Examples
```bash
# Run against a domain using the default config
reconix example.com

# Run with a custom config file
reconix -config /etc/reconix/config.yaml example.com

# Run against a full URL
reconix https://staging.example.com
```
The default config file is config/config.yaml. All fields are optional; built-in defaults
are applied for any value that is missing or zero.
```yaml
# Number of concurrent workers in the thread pool.
threads: 20

# HTTP request timeout in seconds.
timeout: 10

# Directory containing YAML detection templates.
templates_dir: templates

# Path to a custom wordlist for path fuzzing.
# Leave empty to use the built-in embedded wordlist.
fuzz_wordlist: ""

# TCP ports probed during the port-scan phase.
ports:
  - 80
  - 443
  - 8080
  - 8443
  - 8000
  - 3000
```

If the config file does not exist, the tool starts with defaults and continues normally.
Reconix executes the following phases in order:
- Passive recon - DNS A/AAAA lookup, filtered WHOIS output, subdomain brute-force using the embedded wordlist.
- Port scan - TCP dial on the configured port list.
- HTTP probe - Single GET against the base URL to confirm the target is reachable.
- Crawl - Follows `<a>` and `<script>` tags on the same host; URL parameters on discovered pages are extracted and printed.
- JS extraction - Fetches every `.js` URL found during crawl and extracts quoted path strings from the source.
- Path fuzzing - Probes the base URL with a wordlist of common paths. Reports 200, 401, and 403 responses.
- Template scan - Runs all YAML templates found under `templates_dir` and reports matches.
Templates follow a simple YAML format similar to Nuclei.
```yaml
id: exposed-env-file
info:
  name: Exposed .env File
  description: Detects publicly accessible .env files.
  severity: high
requests:
  - method: GET
    path:
      - /.env
      - /.env.local
    matchers:
      - type: word
        words:
          - APP_KEY=
          - DB_PASSWORD=
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "(?i)secret[_-]?key\\s*="
```

Supported matcher types: word, status, regex.
Place templates anywhere under the templates/ directory tree. The included categories are:
- `templates/exposures/` - Exposed sensitive files
- `templates/misconfig/` - Misconfiguration checks
- `templates/cves/` - CVE-specific probes
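
To check a template's matchers against a captured response from your own host before relying on its findings, the three matcher types can be evaluated as below. This is an added example, not Reconix's own code: `Matcher`, `Matches` and `EnvMatchers` are names made up here, and it assumes any value within one matcher is enough while every matcher must match, which the README does not specify.

```go
package main

import (
	"fmt"
	"regexp"
	"slices"
	"strings"
)

// Matcher mirrors one "matchers" entry; type and field names are this example's own.
type Matcher struct {
	Type         string // "word", "status" or "regex"
	Words, Regex []string
	Status       []int
}

// Matches assumes OR inside a matcher and AND across matchers; an empty list never matches.
func Matches(ms []Matcher, status int, body string) (bool, error) {
	for _, m := range ms {
		hit := false
		switch m.Type {
		case "word":
			hit = slices.ContainsFunc(m.Words, func(w string) bool { return strings.Contains(body, w) })
		case "status":
			hit = slices.Contains(m.Status, status)
		case "regex":
			for _, p := range m.Regex {
				ok, err := regexp.MatchString(p, body)
				if err != nil {
					return false, err // an invalid pattern is reported, not skipped
				}
				hit = hit || ok
			}
		default:
			return false, fmt.Errorf("unsupported matcher type %q", m.Type)
		}
		if !hit {
			return false, nil
		}
	}
	return len(ms) > 0, nil
}

var EnvMatchers = []Matcher{ // matchers of the exposed-env-file template above
	{Type: "word", Words: []string{"APP_KEY=", "DB_PASSWORD="}},
	{Type: "status", Status: []int{200}},
	{Type: "regex", Regex: []string{`(?i)secret[_-]?key\s*=`}},
}

func main() { fmt.Println(Matches(EnvMatchers, 200, "APP_KEY=x\nSECRET_KEY=y\n")) } // constructed body
```

Under the AND assumption, a custom error page served with status 200 does not trigger the template, because the word and regex matchers still have to hit.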
cmd/reconix/ CLI entry point
config/ YAML configuration files
internal/
config/ Config struct, loader, and defaults
engine/ Orchestration engine and worker pool
httpclient/ Shared HTTP client used by all modules
logger/ Banner and log helpers
scanner/ Individual scan modules
data/ Embedded wordlists (subdomains, paths)
templates/ Template loader, parser, and executor
pkg/output/ Result formatters (JSON, table, Markdown)
templates/ Built-in detection templates
See LICENSE.