CS4240/6240 β System Administration & Security
Johan Zapata & Nathan Kitchens β Clemson University
The Automated Reconnaissance & Vulnerability Report Generator is an open source security tool designed to automate the reconnaissance phase of a penetration test against a target Linux system. Instead of running each security tool manually and interpreting raw terminal output one by one, this tool chains together several industry-standard tools into a single executable workflow and produces a clean, easy-to-read HTML report at the end.
The report highlights open ports, running services, software versions, web server vulnerabilities, hidden directories, SMB shares, user accounts, and known public exploits β giving security professionals and students a fast, repeatable, and well-documented starting point for any penetration test.
Reconnaissance is the first and one of the most critical phases of any real-world penetration test. Security professionals typically have to:
- Run each tool separately from the command line
- Read through raw terminal output manually
- Piece together findings from multiple sources into a coherent report
This tool solves that problem by giving Linux users and security professionals a single command they can run to automate the entire process. The generated HTML report makes the results accessible to both technical and non-technical audiences by turning raw data into something actionable and easy to understand.
The tool performs reconnaissance across the following attack surface areas:
Identifies all open TCP ports on the target system and detects what services and software versions are running on each port. This is the foundation of any reconnaissance effort β knowing what is exposed is the first step to understanding the attack surface.
Scans any detected web server for common misconfigurations, outdated software, missing security headers, exposed admin panels, and other known web vulnerabilities. This covers both HTTP and HTTPS services.
3. Hidden Directories & Files
Enumerates hidden or unlisted directories and files on any detected web server using a wordlist-based brute force approach. This can reveal admin panels, backup files, configuration files, and other sensitive resources that are not publicly linked but are still accessible.
Enumerates any SMB (Server Message Block) file sharing services running on the target. This includes discovering shared network folders, user accounts, workgroup information, and password policies. Misconfigured SMB services are a common entry point in real-world attacks.
Cross-references all detected services and software versions against the Exploit Database (ExploitDB) to identify any publicly known exploits or CVEs that apply to the target system. This gives a direct indication of what an attacker could use against the system.
| Tool | Purpose | Language |
|---|---|---|
| Nmap | Port scanning and service/version detection | C |
| Nikto | Web server vulnerability scanning | Perl |
| Gobuster | Directory and file enumeration | Go |
| enum4linux-ng | SMB enumeration | Python |
| Searchsploit / ExploitDB | Known exploit lookup | Bash / Ruby |
| Python 3 | Report generation and JSON parsing | Python |
| Jinja2 | HTML report templating | Python |
| Bash | Main workflow orchestration | Bash |
- OS: Ubuntu 22.04 or Ubuntu 24.04 LTS
- RAM: 2GB minimum, 4GB recommended
- Disk: 20GB minimum
- Network: Host-Only VirtualBox adapter configured
- Metasploitable 2 (intentionally vulnerable Linux VM)
- RAM: 512MB
- Network: Same Host-Only VirtualBox adapter as scanner
Before running the setup script, make sure the following are available:
gitβ to clone the repositorysudo/ root access β required for installation- Internet access β required during setup to download tools
- VirtualBox with a Host-Only network configured
recon-tool/ βββ recon.sh # Main entry point β run this βββ setup.sh # Automated installer for all tools βββ modules/ β βββ nmap_scan.sh # Port and service detection β βββ nikto_scan.sh # Web vulnerability scanning β βββ gobuster_scan.sh # Directory enumeration β βββ enum4linux_scan.sh # SMB enumeration β βββ searchsploit_scan.sh # Known exploit lookup βββ report/ β βββ generate_report.py # Parses results and builds HTML report βββ results/ # Scan output saved here (auto-created) βββ README.md
git clone https://github.com/YOUR_USERNAME/recon-tool.git
cd recon-toolchmod +x setup.sh
sudo ./setup.shThe setup script will automatically:
- Install all required system packages and dependencies
- Clone and configure Nikto, ExploitDB, and enum4linux-ng
- Install required Python packages (Jinja2, Weasyprint)
- Download the Gobuster wordlist
- Verify every tool is working correctly
- Print a pass/fail summary at the end
If any tools fail to install, check /tmp/recon_setup.log for detailed error output.
sudo ./recon.sh -t <TARGET_IP>sudo ./recon.sh -t <TARGET_IP> -o ./results/my_scansudo ./recon.sh -t <TARGET_IP> -w /usr/share/wordlists/rockyou.txtsudo ./recon.sh -t <TARGET_IP> [-o <output_dir>] [-w <wordlist>] [-h]
-t Target IP address (required)
-o Output directory (default: ./results/<timestamp>)
-w Wordlist for Gobuster (default: /usr/share/wordlists/dirb/common.txt)
-h Show help messagesudo ./recon.sh -t 192.168.198.3After a completed scan, the following files are saved to results/<timestamp>/:
| File | Contents |
|---|---|
nmap_ports.txt |
Raw Nmap port discovery output |
nmap_results.txt |
Detailed Nmap service and version scan |
nikto_results.txt |
Web server vulnerability findings |
gobuster_results.txt |
Discovered directories and files |
enum4linux_results.txt |
SMB users, shares, and password policy |
searchsploit_results.txt |
Matched known exploits from ExploitDB |
services_list.txt |
Extracted service list used for exploit lookup |
report.html |
Final HTML report β open this in a browser |
- Executive Summary β four stat cards showing counts of open ports, web findings, directories, and known exploits
- Risk Score β overall severity rating (LOW / MEDIUM / HIGH / CRITICAL)
- Open Ports & Services table β port, service name, and version
- Web Vulnerabilities β Nikto findings listed individually
- Directory Enumeration β discovered paths with HTTP status codes
- SMB Enumeration β users, shares, workgroup, and password policy
- Known Exploits β matched ExploitDB entries per service
- Raw Nmap Output β full unmodified Nmap scan for reference
- TCP only β the tool currently scans TCP ports only. UDP scanning is not included as it significantly increases scan time.
- Single target β the tool scans one IP address at a time. Subnet or range scanning is not supported.
- Web scanning requires HTTP/HTTPS β Nikto and Gobuster only run if a web server is detected on ports 80, 443, or 8080. Non-standard web ports may be missed.
- Searchsploit requires local ExploitDB copy β the tool does not query the internet for exploits. It relies on the locally cloned ExploitDB database which may not always be fully up to date.
- enum4linux-ng requires SMB ports β SMB enumeration only runs if ports 139 or 445 are detected as open.
- Scan time varies β a full scan against Metasploitable 2 typically takes 5-15 minutes depending on the number of open ports and web server response time.
This tool was developed and tested using the following environment:
| Component | Details |
|---|---|
| Hypervisor | Oracle VirtualBox |
| Scanner VM | Ubuntu 24.04 LTS β IP: 192.168.198.4 |
| Target VM | Metasploitable 2 β IP: 192.168.198.5 |
| Network | VirtualBox Host-Only Adapter |
| Host OS | Windows 11 |
This tool is intended for educational purposes and authorized security testing only.
Never run this tool against systems you do not own or do not have explicit written permission to test. Unauthorized scanning of systems is illegal and unethical. The authors take no responsibility for any misuse of this tool.
This project was developed as part of a university course on System Administration and Security. It is designed to be used exclusively in a controlled lab environment against intentionally vulnerable systems such as Metasploitable 2.
Johan Zapata
Computer Science β Clemson University
CS4240/6240 β System Administration & Security
Nathan Kitchens
Computer Science β Clemson University
CS4240/6240 β System Administration & Security