Reconnaissance and Information Gathering Tool – Raccoon

Last Commit: 01/10/2022

Reconnaissance and Information Gathering Tool – Raccoon


Raccoon is an offensive security tool for reconnaissance and information gathering. This vulnerability scanning tool can extract useful information about the target host, such as:

  • DNS records (details/mapping), WHOIS records, Port scanning, URL fuzzing, TLS data (version, ciphers, certificates), Subdomains enumeration, WAF (Web Application Firewall) information;
  • Web Server information, CMS information, enumeration of sensitive files, email addresses, robots.txt, available HTML forms, cookies, sitemap information, etc.

Raccoon: Reconnaissance, Information Gathering  and Vulnerability Scanning Tool

Raccoon’s scans are mostly independent, so they don’t rely on each other’s results. Thanks to Python’s asyncio, scans are performed asynchronously. This tool also supports Tor/proxy for anonymous routing. Check out the SecLists repository to see default wordlists for URL fuzzing and subdomain discovery.


  • DNS details
  • DNS visual mapping using DNS dumpster
  • WHOIS information
  • TLS Data – supported ciphers, TLS versions, certificate details and SANs
  • Port Scan
  • Services and scripts scan
  • URL fuzzing and dir/file detection
  • Subdomain enumeration – uses Google dorking, DNS dumpster queries, SAN discovery and bruteforce
  • Web application data retrieval:
    • CMS detection
    • Web server info and X-Powered-By
    • robots.txt and sitemap extraction
    • Cookie inspection
    • Extracts all fuzzable URLs
    • Discovers HTML forms
    • Retrieves all Email addresses
    • Scans target for vulnerable S3 buckets and enumerates them for sensitive files
  • Detects known WAFs
  • Supports anonymous routing through Tor/Proxies
  • Uses asyncio for improved performance
  • Saves output to files – separates targets by folders and modules by files


  • Nmap – it’s necessary to install it before running Raccoon, since Raccoon uses Nmap to scan ports, as well as some other Nmap scripts and features.
  • OpenSLL – is also neccessary for TLS/SSL scans.
  • Python 3.5+ – required.


Clone the GitHub repository:

git clone
cd Raccoon
python raccoon_src/

Or run the following for the latest stable version (you may need to use pip3 install raccoon-scanner , since Raccoon requires Python 3.5+):

pip install raccoon-scanner
# To run:
raccoon [OPTIONS]

Docker installation:

# Build the docker image
docker build -t evyatarmeged/raccoon .
# Run a scan, As this a non-root container we need to save the output under the user's home which is /home/raccoon
docker run --name raccoon evyatarmeged/raccoon:latest -t -o /home/raccoon


Usage: raccoon [OPTIONS]

  --version                      Show the version and exit.
  -t, --target TEXT              Target to scan  [required]
  -d, --dns-records TEXT         Comma separated DNS records to query.
                                 Defaults to: A,MX,NS,CNAME,SOA,TXT
  --tor-routing                  Route HTTP traffic through Tor (uses port
                                 9050). Slows total runtime significantly
  --proxy-list TEXT              Path to proxy list file that would be used
                                 for routing HTTP traffic. A proxy from the
                                 list will be chosen at random for each
                                 request. Slows total runtime
  -c, --cookies TEXT             Comma separated cookies to add to the
                                 requests. Should be in the form of key:value
                                 Example: PHPSESSID:12345,isMobile:false
  --proxy TEXT                   Proxy address to route HTTP traffic through.
                                 Slows total runtime
  -w, --wordlist TEXT            Path to wordlist that would be used for URL
  -T, --threads INTEGER          Number of threads to use for URL
                                 Fuzzing/Subdomain enumeration. Default: 25
  --ignored-response-codes TEXT  Comma separated list of HTTP status code to
                                 ignore for fuzzing. Defaults to:
  --subdomain-list TEXT          Path to subdomain list file that would be
                                 used for enumeration
  -sc, --scripts                 Run Nmap scan with -sC flag
  -sv, --services                Run Nmap scan with -sV flag
  -f, --full-scan                Run Nmap scan with both -sV and -sC
  -p, --port TEXT                Use this port range for Nmap scan instead of
                                 the default
  --vulners-nmap-scan            Perform an NmapVulners scan. Runs instead of
                                 the regular Nmap scan and is longer.
  --vulners-path TEXT            Path to the custom nmap_vulners.nse script.If
                                 not used, Raccoon uses the built-in script it
                                 ships with.
  -fr, --follow-redirects        Follow redirects when fuzzing. Default: False
                                 (will not follow redirects)
  --tls-port INTEGER             Use this port for TLS queries. Default: 443
  --skip-health-check            Do not test for target host availability
  --no-url-fuzzing               Do not fuzz URLs
  --no-sub-enum                  Do not bruteforce subdomains
  --skip-nmap-scan               Do not perform an Nmap scan
  -q, --quiet                    Do not output to stdout
  -o, --outdir TEXT              Directory destination for scan output
  --help                         Show this message and exit.
Documentation Box
Download Box