xrecon

OSINT CLI tool for web reconnaissance - gather passive and active information about websites.

xrecon uses two types of reconnaissance modules to provide a comprehensive view of any target:

Passive modules gather information from public sources and third-party APIs without directly interacting with the target. These modules query DNS records, RDAP databases, and other public data sources, making them fast and stealthy.

Active modules interact directly with the target website by making HTTP requests, analyzing HTML content, and in some cases using a headless browser. These modules can detect technologies, extract metadata, scan for secrets in JavaScript files, analyze security headers, and much more.

Run modules individually with specific flags, or use -H for a full hybrid scan that combines both approaches.

Installation

xrecon is a CLI tool designed to be installed globally so you can run it from anywhere in your terminal.

Using npm

npm install -g @ariaskit/xrecon

Using pnpm

pnpm add -g @ariaskit/xrecon

From source

# Clone the repository
git clone https://github.com/JorgeRosbel/xrecon.git
cd xrecon

# Install dependencies
pnpm install

# Build the CLI
pnpm build

# Link globally
pnpm link

Playwright Setup

xrecon uses Playwright with a headless Chromium browser to scan dynamic websites (SPAs built with React, Vue, Angular, etc.).

For static sites: xrecon works out of the box — no extra setup needed.

For dynamic sites: If you see the warning below, it means Playwright's browser binary is not installed:

⚠ Warning: Dynamic content unavailable. Run "npx playwright install" to enable full scanning of dynamic sites.

To enable full scanning of dynamic sites, install the browser binary:

npx playwright install

This downloads ~150MB of Chromium and only needs to be done once. After that, xrecon will render JavaScript-heavy pages just like a real browser.

Usage

# Run all modules (hybrid mode)
xrecon example.com -H

# Run only passive modules
xrecon example.com -P

# Run specific modules
xrecon example.com -w -s -c

# Save output to file
xrecon example.com -H -oN results.json

Commands

Global Options

| Flag | Description | | --------------------------- | ------------------------------------------------ | | -H, --hybrid | Run both active and passive modules | | -P, --passive | Run only passive modules | | -oN, --output <file> | Save output to file (plain text) | | -oJ, --output-json [file] | Save output as JSON file (default: output.json) | | -oH, --output-html [file] | Save output as HTML file (default: output.html) | | -x, --proxy <url> | HTTP/SOCKS proxy URL (e.g., http://proxy:8080) | | -a, --proxy-auth <creds> | Proxy authentication (format: username:password) | | -V, --version | Show version number | | --help | Display help information |

Search & List Commands

| Command | Description | | ------------------------- | ----------------------------------------------- | | xrecon search <keyword> | Search modules by keyword, flag, or description | | xrecon list | List all available modules |

Search examples:

# Search by keyword
xrecon search tech

# Search by type (active or passive)
xrecon search passive

# Search by description
xrecon search email

List all modules

xrecon list

Passive Modules

| Flag | Module | Description | | ------------------ | ---------- | --------------------------------- | | -w, --whois | whois | Domain registration info via RDAP | | -m, --mx | mx | MX records | | -t, --txt | txt | TXT records (SPF, DKIM) | | -S, --subdomains | subdomains | Find subdomains | | -g, --geo | geo | Geolocation |

Active Modules

| Flag | Module | Description | | ----------------- | --------- | -------------------------------------------------- | | -h, --headers | headers | HTTP headers | | -c, --security | security | Security headers | | -T, --tech | tech | Detect technologies | | -W, --wplugins | wplugins | WordPress plugins | | -s, --ssl | ssl | SSL certificate info | | -O, --os | os | OS detection via TTL | | -i, --metadata | metadata | Page title and meta description | | -C, --comments | comments | Extract HTML comments | | -J, --scripts | scripts | Extract JavaScript file URLs | | -e, --emails | emails | Extract emails | | -p, --phones | phones | Extract phone numbers | | -M, --sitemap | sitemap | Sitemap URLs | | -r, --robots | robots | Robots.txt | | -l, --social | social | Social networks | | -R, --routes | routes | Public routes from sitemaps | | -k, --cookies | cookies | Detect cookies | | -K, --storage | storage | Extract localStorage/sessionStorage and JWT tokens | | -X, --jssecrets | jssecrets | Scan JS files for secrets and sensitive data | | -E, --endpoints | endpoints | Extract API endpoints from JS files and forms |

Examples

Full scan

xrecon example.com -H

Passive reconnaissance only

xrecon example.com -P

Tech detection and HTTP headers

xrecon example.com -T -h

Tech stack detection with WordPress plugins

xrecon example.com -T -W

Extract all contact information

xrecon example.com -e -p

Save results to file

xrecon example.com -H -oN scan-results.txt

Save results as JSON

xrecon example.com -H -oJ
# Saves to output.json

xrecon example.com -H -oJ scan.json
# Saves to scan.json

Save results as HTML

xrecon example.com -H -oH
# Saves to output.html

xrecon example.com -H -oH report.html
# Saves to report.html

Extract HTML comments

xrecon example.com -C

Extract JavaScript URLs

xrecon example.com -J

Scan JS files for secrets

xrecon example.com -X

Tech detection with WordPress plugins

xrecon example.com -T -W

Search for modules

# Find modules related to security
xrecon search security

# Find modules by flag
xrecon search -w

# Find modules by keyword
xrecon search email

Using Proxy

# With HTTP proxy
xrecon example.com -H -x http://proxy.example.com:8080

# With proxy and authentication
xrecon example.com -H -x http://proxy.example.com:8080 -a user:password

# With SOCKS5 proxy
xrecon example.com -H -x socks5://proxy.example.com:1080

Requirements

• Node.js >= 18
• pnpm

License

MIT License - see LICENSE file for details.