
WebStalker — Passive & Active Reconnaissance Tool

Modular Python OSINT framework: passive recon (WHOIS, DNS, subdomain enumeration) + active scanning (nmap, HTTP headers, WAF/CMS detection) + directory fuzzing + automated JSON/TXT reports.

2025
Completed (May 2025)
1 member

Technologies Used

Python, nmap, WHOIS, DNS, OSINT, HackerTarget API, AlienVault OTX, Reconnaissance

A modular offensive reconnaissance tool written in 100% Python for authorized penetration tests and OSINT investigations. Combines passive and active information gathering into a unified, automated reporting pipeline.

Authorized use only — designed for legal penetration testing engagements and security research.

🔍 Passive Reconnaissance

No direct interaction with the target — all data from public third-party services:

  • WHOIS — Domain registration data (registrar, creation/expiry dates, registrant)
  • DNS Enumeration — A, MX, NS, TXT, CNAME records via public resolvers
  • Subdomain Discovery — Passive enumeration via HackerTarget API and AlienVault OTX (no API key required)

📡 Active Reconnaissance

Direct interaction with the target:

  • Port Scanning — nmap integration for service/version detection
  • HTTP Header Analysis — Server, X-Powered-By, security headers (CSP, HSTS, X-Frame-Options)
  • Technology Detection — Fingerprinting of CMS (WordPress, Drupal), frameworks (Django, Laravel), WAF, and CDN
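The header-analysis step above can be run entirely offline against a captured response. The following is an added example (not WebStalker's own code) of what such an analysis looks like from the auditing side: it takes a plain dict of response headers, flags the missing security headers named above, goes one step further than presence checks by validating the HSTS max-age and CSP directives, and reports Server/X-Powered-By disclosure. The two header sets at the bottom are constructed sample input; in a real run the dict would come from an HTTP client's response object.

```python
"""Audit HTTP response headers for missing or weak security controls.

Added example, not part of WebStalker. Operates on a dict of headers so it
runs offline; the WEAK and HARDENED dicts below are constructed samples.
"""
from typing import Callable, Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the commonly recommended HSTS minimum


def _check_hsts(value: str) -> Optional[str]:
    """Return a finding if the HSTS policy is short-lived or scoped too narrowly."""
    parts = [p.strip().lower() for p in value.split(";")]
    max_age = None
    for part in parts:
        if part.startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1])
            except ValueError:
                return "HSTS max-age is not an integer"
    if max_age is None:
        return "HSTS header lacks max-age"
    if max_age < ONE_YEAR:
        return f"HSTS max-age {max_age} is below one year"
    if "includesubdomains" not in parts:
        return "HSTS does not include subdomains"
    return None


def _check_csp(value: str) -> Optional[str]:
    """Return a finding if CSP has no script restriction or permits inline/eval."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if raw:
            directives[raw.split(" ")[0].lower()] = raw
    if "default-src" not in directives and "script-src" not in directives:
        return "CSP defines neither default-src nor script-src"
    for name in ("default-src", "script-src"):
        directive = directives.get(name, "")
        if "'unsafe-inline'" in directive or "'unsafe-eval'" in directive:
            return f"CSP {name} permits unsafe-inline/unsafe-eval"
    return None


def _check_xfo(value: str) -> Optional[str]:
    """Only DENY and SAMEORIGIN are meaningful X-Frame-Options values."""
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return f"X-Frame-Options has unexpected value {value!r}"
    return None


# Header name (lower-case) -> validator applied when the header is present
CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "strict-transport-security": _check_hsts,
    "content-security-policy": _check_csp,
    "x-frame-options": _check_xfo,
}

# Headers that leak server-side technology and are usually best removed
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, check in CHECKS.items():
        if name not in lowered:
            findings.append(f"missing {name}")
            continue
        problem = check(lowered[name])
        if problem:
            findings.append(problem)
    for name in DISCLOSURE_HEADERS:
        if name in lowered:
            findings.append(f"{name} discloses technology: {lowered[name]}")
    return findings


# Constructed sample responses (not captured from any real host)
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}]")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print("  -", finding)
```

Running the module prints five findings for the weak set (short HSTS max-age, unsafe-inline in CSP, missing X-Frame-Options, and two disclosure headers) and none for the hardened set. Header names are compared case-insensitively because HTTP header names are case-insensitive and different servers emit different casings.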

🔓 Directory Fuzzing

  • Configurable wordlist-based path enumeration
  • Targeted checks for .env, .git, backup archives, admin panels, and config files

📊 Automated Reporting

  • Structured JSON report for programmatic processing and SIEM integration
  • Human-readable TXT report for documentation and review

🏗️ Architecture

| Module | Responsibility |
|--------|----------------|
| passive.py | WHOIS, DNS, subdomain enumeration |
| active.py | Port scan, HTTP headers, tech fingerprinting |
| fuzzing.py | Directory brute-force and sensitive file detection |
| report.py | JSON + TXT report generation |

Multi-threaded execution for improved performance on large port ranges and wordlists.

Challenges

  • Integrating nmap programmatically with proper error handling
  • Performing passive subdomain enumeration without paid API keys
  • Designing a modular architecture that works both standalone and chained
  • Making fuzzing efficient on large wordlists via multi-threading

Solutions

  • Used Python subprocess to call nmap with argument escaping and timeout handling
  • Leveraged HackerTarget and AlienVault OTX free APIs for subdomain enumeration
  • Defined clean input/output contracts for each module, enabling both CLI and programmatic use
  • Implemented thread pools with configurable concurrency for fuzzing performance
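The first solution above, calling nmap through `subprocess` with argument escaping and timeout handling, is where a recon tool most easily turns into a command-injection bug of its own: a target string interpolated into a shell command, or one that starts with `-`, gets interpreted as shell syntax or as an nmap option. The following added example (not WebStalker's own code) shows the pattern that avoids this: validate the target as an IP address or RFC 1123 hostname, validate the port specification, build argv as a list with `shell=False`, and bound the run with a timeout. The nmap flags used (`-sV`, `-p`, `-oX -`) are real nmap options; the validation and builder functions are pure and run without nmap installed, while `run_nmap` only executes if the binary is on PATH.

```python
"""Safe nmap invocation: validated inputs, list-form argv, timeout.

Added example, not part of WebStalker. Only run_nmap() touches the network,
and only when nmap is present on PATH.
"""
import ipaddress
import re
import shutil
import subprocess
from typing import List, Optional

# RFC 1123 hostname: 1..253 chars, dot-separated labels of 1..63 chars,
# letters/digits/hyphens, no leading or trailing hyphen in a label.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# nmap port spec restricted to digits, ranges and commas, e.g. "22,80,443" or "1-1024"
_PORTS_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")


def is_valid_target(target: str) -> bool:
    """True for an IPv4/IPv6 address or a hostname; False for anything else,
    including strings starting with '-' that nmap would parse as options."""
    target = target.strip()
    if not target or target.startswith("-"):
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(target) is not None


def is_valid_ports(ports: str) -> bool:
    """True if the spec is syntactically a port list and every port is 1..65535
    with ranges in ascending order."""
    if not _PORTS_RE.match(ports):
        return False
    for piece in ports.split(","):
        bounds = [int(n) for n in piece.split("-")]
        if any(not 1 <= n <= 65535 for n in bounds):
            return False
        if len(bounds) == 2 and bounds[0] > bounds[1]:
            return False
    return True


def build_nmap_argv(target: str, ports: str = "1-1024") -> List[str]:
    """Build the argv list for a service-version scan with XML output on stdout.

    Inputs are validated first; the list form means no shell is involved, so
    metacharacters in the target could never be interpreted even if they passed.
    """
    if not is_valid_target(target):
        raise ValueError(f"invalid target {target!r}")
    if not is_valid_ports(ports):
        raise ValueError(f"invalid port spec {ports!r}")
    return ["nmap", "-sV", "-p", ports, "-oX", "-", target.strip()]


def run_nmap(target: str, ports: str = "1-1024", timeout: float = 300.0) -> Optional[str]:
    """Run the scan and return nmap's XML output, or None if the timeout expires.

    Raises RuntimeError if nmap is missing or exits non-zero, so the caller can
    record the failure in the report instead of silently producing an empty result.
    """
    argv = build_nmap_argv(target, ports)
    if shutil.which(argv[0]) is None:
        raise RuntimeError("nmap not found on PATH")
    try:
        proc = subprocess.run(
            argv, capture_output=True, text=True, timeout=timeout, check=False
        )
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode != 0:
        raise RuntimeError(f"nmap exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout


if __name__ == "__main__":
    # Demonstrates validation only; 192.0.2.10 is a documentation address (constructed).
    print(build_nmap_argv("192.0.2.10", "22,80,443"))
    for bad in ("-iL /etc/passwd", "host.example; id", "host.example$(id)"):
        print(f"{bad!r} accepted: {is_valid_target(bad)}")
```

Keeping the validators and the argv builder separate from the function that spawns the process is what makes the dangerous part testable: the injection and option-smuggling cases can be asserted on without ever running a scan, and the timeout path returns `None` rather than raising so a thread-pool worker can mark that host as incomplete and move on.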

Outcomes

  • Complete passive + active + fuzzing recon pipeline in a single Python tool
  • Zero external API key requirements for passive phase
  • Automated JSON and TXT report generation for professional documentation
  • Modular architecture enabling easy extension with new recon modules
  • Published on GitHub: github.com/AyGoub/WebStalker