LazyRecon: Reconnaissance Process Automator

LazyRecon: Reconnaissance Process Automator

LazyRecon is a script which automates some of the boring tasks of reconnaissance and information gathering. LazyRecon automatically runs the different reconnaissance methods with a single command which allows it to be easily used as part of automated workflows.

Important: Be aware that this tool generates a substantial amount of traffic.

LazyRecon: Reconnaissance Process Automator

After giving a target to LazyRecon, it will automatically grab all subdomains, find any CNAME records and scrape for data. In addition to this, it will perform port scanning, gather DNS information and generate a HTML report detailing all the revealed information. After all of this has been complete, the user will know what their next step should be and what points can be targeted for exploitation.


  • Create a dated folder with recon notes
  • Find any CNAME records pointing to unused cloud services like aws
  • Get dns information about every subdomain
  • Perform dirsearch for all subdomains
  • Grab subdomains using Sublist3r or dns bruteforcing using massdns
  • Directory search module (multithreaded up to 10 subdomains scanned at a time)
  • Enhanced html reports with the ability to search for strings, endpoints, reponse sizes or status codes
  • Subdomain exclusion by using option -e like this: -e,
LazyRecon Report

Supported Platforms:

  • Linux


  • Go version 1.10+
Recommended: It’s recommended to run Lazyrecon on VPS with 1VCPU and 2GB RAM.


Run the following commands:

$ git clone 
$ cd bbht
$chmod +x
$ ./

LazyRecon Usage

Move to the installation directory and enter the following command:

$ ./ -d 
 _     ____  ____ ___  _ ____  _____ ____  ____  _
/ \   /  _ \/_   \\  \///  __\/  __//   _\/  _ \/ \  /|
| |   | / \| /   / \  / |  \/||  \  |  /  | / \|| |\ ||
| |_/\| |-||/   /_ / /  |    /|  /_ |  \__| \_/|| | \||
\____/\_/ \|\____//_/   \_/\_\\____\\____/\____/\_/  \|
Recon started on 
Listing subdomains using sublister...
Checking certspotter...
Starting Massdns Subdomain discovery this may take a while
Traceback (most recent call last):
  File "/home/cyberpunk/tools/massdns/scripts/", line 8, in 
    for lines in open(sys.argv[1]):
IOError: [Errno 2] No such file or directory: '/home/cyberpunk/tools/SecLists/Discovery/DNS/clean-jhaddix-dns.txt'
Massdns finished...
Started dns records check...
Looking into CNAME Records...
Excluding domains (if you set them with -e)...
Subdomains that have been excluded from discovery:
Starting discovery...
Probing for live hosts...
cat: ./ No such file or directory
Total of 1 live subdomains were found
Starting aquatone scan...
./ line 148: aquatone: command not found
Scraping wayback for data...
Wordlist saved to /
Starting dirsearch...
wc: /home/cyberpunk/tools/dirsearch/reports//: Is a directory
Scan for finished successfully
Scan completed in : 2 minutes and 15 seconds.
Documentation Box
Download Box