Raccoon is an offensive security tool for reconnaissance and information gathering. This vulnerability scanning tool can extract useful information about the target host, such as:
- DNS records (details/mapping), WHOIS records, port scanning, URL fuzzing, TLS data (version, ciphers, certificates), subdomain enumeration, WAF (Web Application Firewall) information;
- web server information, CMS information, enumeration of sensitive files, email addresses, robots.txt, available HTML forms, cookies, sitemap information, etc.
Raccoon: Reconnaissance, Information Gathering and Vulnerability Scanning Tool
Raccoon’s scans are mostly independent, so they don’t rely on each other’s results. Thanks to Python’s asyncio, scans are performed asynchronously. This tool also supports Tor/proxy for anonymous routing. Check out the SecLists repository to see default wordlists for URL fuzzing and subdomain discovery.
- DNS details
- DNS visual mapping using DNS dumpster
- WHOIS information
- TLS Data – supported ciphers, TLS versions, certificate details and SANs
- Port Scan
- Services and scripts scan
- URL fuzzing and dir/file detection
- Subdomain enumeration – uses Google dorking, DNS dumpster queries, SAN discovery and bruteforce
- Web application data retrieval:
  - CMS detection
  - Web server info and X-Powered-By
  - robots.txt and sitemap extraction
  - Cookie inspection
  - Extracts all fuzzable URLs
  - Discovers HTML forms
  - Retrieves all Email addresses
- Scans target for vulnerable S3 buckets and enumerates them for sensitive files
- Detects known WAFs
- Supports anonymous routing through Tor/Proxies
- Uses asyncio for improved performance
- Saves output to files – separates targets by folders and modules by files
- Nmap – must be installed before running Raccoon, since Raccoon uses Nmap for port scanning as well as some other Nmap scripts and features.
- OpenSSL – also necessary, for the TLS/SSL scans.
- Python 3.5+ – required.
Clone the GitHub repository:
git clone https://github.com/evyatarmeged/Raccoon.git
cd Raccoon
python raccoon_src/main.py
Or run the following for the latest stable version (you may need to use pip3 install raccoon-scanner, since Raccoon requires Python 3.5+):
pip install raccoon-scanner
# To run: raccoon [OPTIONS]
# Build the docker image
docker build -t evyatarmeged/raccoon .
# Run a scan. As this is a non-root container, the output has to be saved under the user's home, which is /home/raccoon
docker run --name raccoon evyatarmeged/raccoon:latest -t example.com -o /home/raccoon
Usage: raccoon [OPTIONS]

Options:
  --version                      Show the version and exit.
  -t, --target TEXT              Target to scan [required]
  -d, --dns-records TEXT         Comma separated DNS records to query. Defaults to: A,MX,NS,CNAME,SOA,TXT
  --tor-routing                  Route HTTP traffic through Tor (uses port 9050). Slows total runtime significantly
  --proxy-list TEXT              Path to proxy list file that would be used for routing HTTP traffic. A proxy from the list will be chosen at random for each request. Slows total runtime
  -c, --cookies TEXT             Comma separated cookies to add to the requests. Should be in the form of key:value Example: PHPSESSID:12345,isMobile:false
  --proxy TEXT                   Proxy address to route HTTP traffic through. Slows total runtime
  -w, --wordlist TEXT            Path to wordlist that would be used for URL fuzzing
  -T, --threads INTEGER          Number of threads to use for URL Fuzzing/Subdomain enumeration. Default: 25
  --ignored-response-codes TEXT  Comma separated list of HTTP status code to ignore for fuzzing. Defaults to: 302,400,401,402,403,404,503,504
  --subdomain-list TEXT          Path to subdomain list file that would be used for enumeration
  -sc, --scripts                 Run Nmap scan with -sC flag
  -sv, --services                Run Nmap scan with -sV flag
  -f, --full-scan                Run Nmap scan with both -sV and -sC
  -p, --port TEXT                Use this port range for Nmap scan instead of the default
  --vulners-nmap-scan            Perform an NmapVulners scan. Runs instead of the regular Nmap scan and is longer.
  --vulners-path TEXT            Path to the custom nmap_vulners.nse script. If not used, Raccoon uses the built-in script it ships with.
  -fr, --follow-redirects        Follow redirects when fuzzing. Default: False (will not follow redirects)
  --tls-port INTEGER             Use this port for TLS queries. Default: 443
  --skip-health-check            Do not test for target host availability
  --no-url-fuzzing               Do not fuzz URLs
  --no-sub-enum                  Do not bruteforce subdomains
  --skip-nmap-scan               Do not perform an Nmap scan
  -q, --quiet                    Do not output to stdout
  -o, --outdir TEXT              Directory destination for scan output
  --help                         Show this message and exit.
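As an added example (not Raccoon's own code), a small Python helper that turns a settings dict into a validated raccoon argv list, enforcing the rules the help text above states: target required, cookies as comma-separated key:value pairs, integer status codes and ports, and --full-scan standing in for -sv/-sc. Restricting -d to the six default record types is an assumption made for the check, not a limit of the tool.

```python
# Record types Raccoon queries by default (from --help). Restricting -d to this
# set is an assumption of this example, not a limit of the tool.
DEFAULT_DNS_RECORDS = {"A", "MX", "NS", "CNAME", "SOA", "TXT"}


def build_raccoon_argv(cfg: dict) -> list:
    """Translate a settings dict into a raccoon argv list, rejecting malformed values."""
    target = cfg.get("target")
    if not target or target.startswith("-"):
        raise ValueError("-t/--target is required")
    argv = ["raccoon", "-t", target]

    records = [r.upper() for r in cfg.get("dns_records", [])]
    if records:
        unknown = sorted(set(records) - DEFAULT_DNS_RECORDS)
        if unknown:
            raise ValueError(f"unsupported DNS record type(s): {unknown}")
        argv += ["-d", ",".join(records)]

    cookies = cfg.get("cookies", {})
    for k, v in cookies.items():  # --help: comma separated key:value pairs
        if not k or any(ch in k + str(v) for ch in ":,"):
            raise ValueError(f"cookie {k!r} cannot be encoded as key:value")
    if cookies:
        argv += ["-c", ",".join(f"{k}:{v}" for k, v in cookies.items())]

    codes = cfg.get("ignored_response_codes", [])
    if codes:
        if not all(isinstance(c, int) and 100 <= c <= 599 for c in codes):
            raise ValueError("ignored response codes must be HTTP status integers")
        argv += ["--ignored-response-codes", ",".join(map(str, codes))]

    for key, flag, upper in (("threads", "-T", None), ("tls_port", "--tls-port", 65535)):
        val = cfg.get(key)
        if val is not None:
            if not isinstance(val, int) or val < 1 or (upper and val > upper):
                raise ValueError(f"{key} must be a positive integer")
            argv += [flag, str(val)]

    if cfg.get("full_scan"):
        argv.append("-f")  # --full-scan already runs -sV and -sC, so the single flags are redundant
    else:
        argv += [f for f, on in (("-sv", cfg.get("services")), ("-sc", cfg.get("scripts"))) if on]
    for key, flag in (("wordlist", "-w"), ("subdomain_list", "--subdomain-list"), ("outdir", "-o")):
        if cfg.get(key):
            argv += [flag, cfg[key]]
    if cfg.get("tor_routing"):
        argv.append("--tor-routing")
    return argv
```

The returned list can be passed straight to subprocess.run without shell quoting, which is the point of building argv rather than a command string.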