Introducing r3conwhal3: Your Go-To Recon Automation Framework

İbrahim Taha İstikbal
5 min readJun 16, 2024




r3conwhal3 is a multifunctional recon automation framework designed to streamline the reconnaissance phase of web application security assessments. By filtering collected data and processing it into actionable information, r3conwhal3 enhances the efficiency of security testing workflows.

Key Features

Comprehensive Recon Chain

  • Passive Subdomain Enumeration: This technique involves discovering subdomains without directly interacting with the target’s infrastructure, thereby minimizing detection risks. r3conwhal3 leverages tools such as subfinder, assetfinder, amass and subkill3r(built-in subdomain harvester) to gather a comprehensive list of subdomains. These tools query various public sources, DNS databases and APIs to compile an extensive list of subdomains associated with the target domain.
Passive Subdomain Enumeration Module
  • Active Subdomain Enumeration: This technique involves directly querying the DNS infrastructure of the target to discover subdomains. This method is more intrusive but often yields more accurate and up-to-date results. r3conwhal3 uses tools like puredns for resolving and bruteforcing subdomains, and gotator for DNS permutations. By actively querying DNS records and performing permutations on known subdomains, r3conwhal3 ensures a thorough discovery process, uncovering subdomains that might not be listed in public databases. This process helps in identifying potential entry points that could be overlooked if only passive enumeration methods were used.
Active Subdomain Enumeration Module
  • Various Web Operations: This module in r3conwhal3 are designed to interact with discovered subdomains to gather further intelligence. Tools like httpx are used to filter live domains from the gathered subdomains, ensuring only active targets are considered for further analysis. Gowitness captures screenshots of these live domains, providing a visual overview of their content and structure. Additionally, ffuf is used for directory discovery and fuzzing, revealing hidden paths, files, and potentially sensitive directories within the target domains. These operations are crucial for understanding the web footprint of the target and identifying potential vulnerabilities.
Web Operations Module
  • Vulnerability Scanning: This module focuses on identifying specific security weaknesses within the discovered subdomains based upon the gathered intellegince. r3conwhal3 integrates subzy to check for subdomain takeover vulnerabilities, where an attacker could potentially hijack an unclaimed subdomain. This module ensures that common vulnerabilities are identified early, allowing security professionals to address them before they can be exploited by malicious actors. By automating this process, r3conwhal3 helps in maintaining a proactive security posture.
Vulnerability Scanning Module

Optimized Performance

  • Concurrency-Based Approach: Utilizes concurrency to maximize resource utilazation, speeding up to the reconnaissance process.
  • Resource Optimization: Ensures that system resources are used efficiently, allowing for faster scans.

Full Customization with Simple Config File

  • Easy Setup: Simple setup and configuration make it accessible to both beginners and experienced users.
  • Customizable Workflow: Offers extensive configuration options to tailor the recon process to specific neeeds.

💿 Installation

To install the r3conwhal3, follow these steps:


  • Prerequisites: Ensure Go >= 1.21.1+ is installed and paths are correctly set ($GOPATH, $GOROOT).
  1. Run the following command to get the r3conwhal3:
go install -v

2. Run the following command to install dependencies:

wget ""
chmod +x
  • See the wiki for getting more detail about installation process.

Docker Image 🐳

  • Pull the image
docker pull literallyethical/r3conwhal3
  • Run the container
docker run -it -v </path/to/folder>:/app/results -p 8080:8080 --rm literallyethical/r3conwhal3 run -d <target-domain>  -o /app/results

Specify the OutputFolder to saving results for later and choose a target domain to enumerate. For detail information, please refer to the Docker documentation.

⚙️ Configuration

  • The config.env file enables control over the entire execution of the automation chain.
  • You can find the default configuration file on here.
  • The configuration of r3conwhal3 is straightforward, you can set up the config.env file with the desired parameters according to your neeeds.
  • It is possible to set various scanning modes, tool options, personalized wordlists etc. See the wiki for detail explanation guide about config options.


r3conwhal3 [run] [galery] options

Running Locally

Running the scan with default(ALL) options

r3conwhal3 run -A -d <domain>

Running the scan with custom options

r3conwhal3 run  -d <domain> [-c <path-to-config-dir>] [-outDir <path-to-out-dir>]

Performing only passive scan & web_ops

r3conwhal3 run  -pw -d <domain>

Performing quick vulnerability scan on all gathered subdomains

r3conwhal3 run -pav -d <domain>

Starting r3conwhal3 web galery for inspecting previous scan results

r3cnwhal3 galery -p <path-to-the-screenshot-directory>
  • You can find previously gathered screenshots on $OUTDIR/screenshots(defaultOUTDIR:”$HOME/user/r3conwhal3/results/<target-domain+timestamp>”).

Running The Docker Container 🐳

  • Run the container
docker run -it -v </path/to/folder>:/app/results -p 8080:8080 --rm literallyethical/r3conwhal3 run -d <target-domain>  -o /app/results
  • Specify the OutputFolder to saving results for later and choose a target domain to enumerate. For detail information, please refer to the Docker documentation.

Why Use r3conwhal3

Here are a few reasons why r3conwhal3 should be your go-to tool for reconnaissance:

  1. Efficiency: Automates multiple recon tasks, saving you time and effort.
  2. Accuracy: Provides precise and actionable insights by intelligently analyzing collected data.
  3. Flexibility: Customizable to fit various recon needs.
  4. Performance: Optimized for speed and resource usage, ensuring quick results even for large-scale scans.

Use Cases

Bug Bounty Hunting

Bug bounty hunters can leverage r3conwhal3 to efficiently gather subdomains, enumerates services running on the background, detect common vulnerabilities, hence increasing their chances of finding high-value bugs with the collected intellegince.

Penetration Testing

As a penetration tester, you need to gather comprehensive information about your target quickly. r3conwhal3 automates this process, allowing you to focus on exploiting vulnerabilities rather than spending hours on manual recon.

Security Research

Security researchers can use r3conwhal3 to automate data collection across multiple targets, helping them identify trends and common vulnerabilities in web applications.

Corporate Security

Corporations can easily integrate r3conwhal3 into their security pipelines thanks to its docker image, to continuously monitor their assets while enhancing their overall workflows, ensuring that any new vulnerabilities are quickly identified and addressed.

Contribution and Support

We welcome contributions from the community to help improve r3conwhal3. If you encounter any issues or have suggestions for new features, please open an issue on our GitHub repository. Your feedback and contributions are highly valued and will help us enhance the tool further.

If you find r3conwhal3 helpful, don’t forget to leave a star on our GitHub repository. Your support is greatly appreciated!



İbrahim Taha İstikbal

I have a passion for technology and cybersecurity. I regularly write about cybersecurity, and I am eager to continue learning and growing in the field.