I'm tired of manually running Nmap and subfinder on every new target. I want to build a Python wrapper that automates the entire recon process: subdomain enumeration, port scanning, and then taking screenshots of any active web services. What are the best libraries for this, and how do I handle the rate-limiting issues that come with aggressive automated scanning?
3 answers
Building your own recon "engine" is a great way to improve your workflow. For subdomain enumeration, you can use the sublist3r library or simply use Python’s subprocess module to call tools like subfinder and assetfinder. For port scanning, python-nmap is the standard library. To capture screenshots, I recommend using a headless browser library like playwright-python. To handle rate-limiting, you should implement a "concurrency control" using asyncio or threading, and definitely rotate your IP addresses using a proxy service. This prevents your scanner from being blocked by a WAF (Web Application Firewall) while you're trying to map out the attack surface.
Why not use an existing framework like "Axiom" which is designed exactly for distributed recon? It lets you spin up dozens of small cloud instances to perform your scans in parallel. Wouldn't that be more efficient than building a single-node script?
Make sure you store your results in a database like SQLite or PostgreSQL instead of just text files. It makes it much easier to "diff" your scans and see what has changed over time.
Margaret is correct. Tracking changes is where the money is in bug bounties. If a developer accidentally pushes a new "dev" subdomain on a Friday night, you want your script to find it and alert you immediately.
William, Axiom is powerful, but I think building your own script first is better for learning how the tools actually work. If I use asyncio for my script, can I also integrate a Slack webhook so my phone gets an alert as soon as a new subdomain is found?