Pown Recon: Powerful Target Reconnaissance Framework

Pown Recon: Powerful Target Reconnaissance Framework

Pown Recon is an open-source reconnaissance tool that uses graph theory to find any existing relationship in given set of data on a specific target. The tool was originally designed to be used as a component of the Pown.js project, a toolkit that is used to carry out test procedures and exploitation on a security system on top of NPM and Node.js. 

  ___ ___ ___   _   ___ ___  ___
 / __| __/ __| /_\ | _ \ _ \/ __|
 \__ \ _| (__ / _ \|  _/  _/\__ \
 |___/___\___/_/ \_\_| |_|  |___/

NB: Pown Recon is the result of an almost direct copy of SecApps' excellent Recon tool.

Despite being part of secapps.com open-source initiative, Pown Recon can be launched on its own as a separate tool.

Pown Recon: Powerful Target Reconnaissance Framework Powered by Graph Theory

The use of graph theory in its reconnaissance operations makes Pown Recon one of the most powerful reconnaissance tools available. This tool extracts graph elements based on group, ID and the class in which the element belongs. Compared with other reconnaissance tools which arrange the target’s data in simple database tables, Pown Recon uses graphs to identify existing relationships in a given set of informational data tied to a specific target.

Graph theory is more effective in reconnaissance procedures because the algorithms deployed are able to identify the shortest possible route that can be used to gather information on a given target.

How Pown Recon Works as Part of SecApps Recon?


All graphs generated by Pown Recon can be previewed using SecApps Recon which can be launched from a browser, the other option is to run the following command:

$ pown modules install @pown/apps.  

For this to work @pown/apps must be installed. 


The tool can also use scripts known as Pown Scripts to generate graphs without having to save the graphs in intermediate files.

Pown scripts can be used only after selecting and naming a favorite editor, editors can be named as example.pown, scripts can be launched using:

$ pown script path/to/example.pown
Pown Recon: Generated graphs previewed in SecApps Recon
Generated graphs previewed in SecApps Recon


Pown Recon has selectors which aid in the identification and collection of the elements used in building graphs. Useful queries can be generated by combining selectors and this makes it easy to gather a large volume of information on a given target with a single run.

The queries can be made more powerful by joining a set of combined selectors using commas as follows in which all strings must be enclosed using quotation marks:

$ pown select 'node#j, edge[source = "j"]'  

If the queries are properly generated they can be used in large scale information gathering such as identifying what members of a given organization have been doing in relation to a given organizational task.


  • Ability to perform inline transformation
  • Supports remote management
  • Can add, remove, group, ungroup and traverse nodes
  • Can merge two recon files


  • GitHub Search of Repos, Gists, and Members
  • Bitbucket Search of Repos, Snippets, and Members
  • CloudFlare DNS API
  • DockerHub Repo Search
  • Gravatar URLs
  • Hacker Target Reverse IP Lookup
  • Have I Been Pwned Lookup
  • PKS Lookup
  • Urlscan Live Shot
  • Threatcrowd Lookup
  • ZoomEye Scraper
  • Wappalyzer
  • AWS IAM Pages
  • Builtwith
  • Riddler
  • CommonCraw
  • Archive.org
  • WhatsMyName
  • Utility Transforms
  • Security Trails
  • Auto Recon

Pown Recon Install

Install as part of Pown.js :

$ npm install -g pown@latest

To invoke directly from Pown run:

$ pown recon

Install from root project locally

$ npm install @pown/recon –save

After installation invoke pown cli as follows:

$ POWN_ROOT=. ./node_modules/.bin/pown-cli recon

To invoke it locally using the global pown, run the following:

$ POWN_ROOT=. pown recon


WARNING: “This pown command is currently under development and as a result will be subject to breaking changes.”
pown recon <command>

Target recon

  pown recon transform <transform>          Perform inline transformation  [aliases: t]
  pown recon select <expressions...>        Select nodes  [aliases: s]
  pown recon traverse <expressions...>      Traverse nodes  [aliases: v]
  pown recon options <command>              Manage options
  pown recon add <nodes...>                 Add nodes  [aliases: a]
  pown recon remove <expressions...>        Remove nodes  [aliases: r]
  pown recon merge <files...>               Perform a merge between at least two recon files  [aliases: m]
  pown recon diff <fileA> <fileB>           Perform a diff between two recon files  [aliases: d]
  pown recon group <name> <expressions...>  Group nodes  [aliases: g]
  pown recon ungroup <expressions...>       Ungroup nodes  [aliases: u]
  pown recon load <file>                    Load a file  [aliases: l]
  pown recon save <file>                    Save to file  [aliases: o]
  pown recon import <file>                  Import file  [aliases: i]
  pown recon export <file>                  Export to file  [aliases: e]
  pown recon remote <command>               Remote managment  [aliases: f]
  pown recon layout <name>                  Layout the graph  [aliases: r]
  pown recon summary                        Create a summary  [aliases: y]

  --version  Show version number  [boolean]
  --help     Show help  [boolean]

Pown Recon Options

pown recon options <command>

Manage options

  pown recon options list                List option  [aliases: l]
  pown recon options set <name> <value>  Set option  [aliases: s]
  pown recon options get <name>          Get option  [aliases: g]
  pown recon options delete <name>       Delete option  [aliases: d]
  pown recon options clear               Clear options  [aliases: c]

  --version  Show version number  [boolean]
  --help     Show help  [boolean]
For further info on available options/commands and examples, click on the “download” button below.

Usage Example

Querying everyone who is a member of Google’s engineering team and contributes to their GitHub account.

$ pown recon t -w google.network ghlm google

Result generated as table:

│ uri                                                     │ login                                                   │ avatar                                                  │
│ https://github.com/3rf                                  │ 3rf                                                     │ https://avatars1.githubusercontent.com/u/1242478?v=4    │
│ https://github.com/aaroey                               │ aaroey                                                  │ https://avatars0.githubusercontent.com/u/31743510?v=4   │
│ https://github.com/aarongable                           │ aarongable                                              │ https://avatars3.githubusercontent.com/u/2474926?v=4    │
│ https://github.com/alexpennace                          │ alexpennace                                             │ https://avatars1.githubusercontent.com/u/2506548?v=4    │
│ https://github.com/alexv                                │ alexv                                                   │ https://avatars0.githubusercontent.com/u/30807372?v=4   │
│ https://github.com/alexwhouse                           │ alexwhouse                                              │ https://avatars3.githubusercontent.com/u/1448490?v=4    │
Download Box