Weaponizing Automation: Crafting a custom recon pipeline for pentesters | Cyber Codex

Streamline your reconnaissance workflow with a fully automated pipeline designed to deliver precise, actionable intelligence at scale.

Reconnaissance is the lifeblood of offensive security. Whether you’re a penetration tester, bug bounty hunter, or red teamer, the difference between a mediocre engagement and a legendary find often comes down to how well you map the attack surface.

Manual recon is slow, repetitive, and error-prone. The pros don’t just run a tool and call it a day — they build pipelines that continuously collect, filter, and prioritize intel.

Here, we’ll build a fully automated recon pipeline from subdomains enumerations to directory brute-forcing using a combination of open-source tools and custom scripting. By the end, you’ll have a repeatable system you can run against any scope in minutes.

Why automated recon?

Imagine this: You’re on a bug bounty program with 20+ in-scope domains. Running Amass manually on each one would take hours. By the time you get results, someone else has already claimed the low-hanging fruit. Automation removes the bottleneck.

Benefits:

• Speed: Find assets faster than competitors.

• Consistency: Avoid human errors and forgotten steps.

• Scalability: Run the same pipeline across hundreds of targets.

• Professionalism: Automation = repeatable methodology for clients.

Pipeline Architecture

[Target Input & Scope Validation]
        ↓
[Passive Recon]
  - Subdomain Enumeration (APIs, OSINT)
  - ASN & IP Range Mapping
  - Tech Stack Fingerprinting (Passive)
        ↓
[Active Recon]
  - DNS Resolution & Zone Transfer Checks
  - Service Discovery (Masscan/Nmap)
  - Web Asset Detection (HTTPx, Wappalyzer)
        ↓
[Content & Endpoint Discovery]
  - Directory Bruteforce (FFUF, Dirsearch)
  - Parameter Discovery & Crawling
        ↓
[Vulnerability Intelligence Layer]
  - CVE Matching
  - Banner & Version Analysis
  - Leaked Secrets/Exposure Scanning
        ↓
[Reporting & Data Enrichment]
  - JSON/Markdown Export
  - Threat Intel Tagging
  - Automated Notifications (Slack/Discord)

Tool Stack

Lab Setup

Prerequisites:

• VM or Cloud VPS: Ubuntu 22.04 recommended

• Install Go (for many tools):

sudo apt update && sudo apt install -y golang

• Install Tools:

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/OWASP/Amass/v3/...@master
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
sudo apt install masscan nmap ffuf -y

Tip: Create a dedicated recon box with all your tools pre-instaled and configured. Containerize it with Docker later.

Building the Pipeline

Step 1: Subdomain Enumeration

# subdomains.sh
#!/bin/bash
domain=$1
subfinder -d $domain -o subs1.txt
amass enum -d $domain -o subs2.txt
cat subs1.txt subs2.txt | sort -u > all_subs.txt
echo "[+] Subdomain enumeration complete. Found $(wc -l < all_subs.txt) subdomains."

Run:

chmod +x subdomains.sh
./subdomains.sh example.com

Step 2: DNS Resolution

dnsx -l all_subs.txt -o live_subs.txt

This filters out dead subdomains leaving only live hosts.

Step 3: Port Scanning

Quick scan with Masscan:

masscan -p1-65535 -iL live_subs.txt --rate 1000 -oG ports.txt

Then feed results into Nmap for service detection:

nmap -iL live_subs.txt -p80,443,8080,22 -sV -oN nmap_results.txt

Step 4: Directory Bruteforce

ffuf -u https://FUZZ.example.com -w /usr/share/wordlists/dirb/common.txt -o fuzz.json

Turn fuzz.json into a clean report:

cat fuzz.json | jq '.results[] | {url, status}'

Full Scale Recon Automation Pipeline

Either you can build the pipeline manually like above, or use my automation pipeline which is publicly available with features including logs, custom wordlists, reports, and modular automation, making full-scale reconnaissance faster, cleaner, and more professional.

GitHub - aenoshrajora/recon-pipeline: A modular Python-based recon framework for red teaming and bug bounty engagements. Features include subdomain enumeration, DNS resolution, port scanning, web fingerprinting, directory brute-forcing, screenshots, vulnerability intelligence, customizable wordlists, detailed logs, and timestamped reports. Fully automated and easy to extend.GitHub

Closing Words

Automation is how elite hackers scale their impact. A single script can replace hours of tedious enumeration, freeing you to focus on finding actual vulnerabilities.