All in One Recon Tool for Bug Bounty

All in One Recon Tool

An easy-to-use python tool to perform subdomain enumeration, endpoints recon and much more

The purpose of this tool is to help bug hunters and pentesters during reconnaissance

If you want to know more about the tool, you can read my own post on my blog (written in Spanish)


It can be used on any system with Python 3

You can easily install AORT using pip:

pip3 install aort

To use it, just type "aort" in your terminal

If you want to install it from source:

git clone
pip3 install -r requirements.txt

Help Panel:

AORT - All in One Recon Tool

  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        domain to search its subdomains
  -o OUTPUT, --output OUTPUT
                        file to store the scan output
  -t TOKEN, --token TOKEN
                        api token of to discover mail accounts and employees
  -p, --portscan        perform a fast and stealthy scan of the most common ports
  -a, --axfr            try a domain zone transfer attack
  -m, --mail            try to enumerate mail servers
  -e, --extra           look for extra dns information
  -n, --nameservers     try to enumerate the name servers
  -i, --ip              it reports the ip or ips of the domain
  -6, --ipv6            enumerate the ipv6 of the domain
  -w, --waf             discover the WAF of the domain main page
  -b, --backups         discover common backups files in the web page
  -s, --subtakeover     check if any of the subdomains are vulnerable to Subdomain Takeover
  -r, --repos           try to discover valid repositories and s3 servers of the domain (still improving it)
  -c, --check           check active subdomains and store them into a file
  --secrets             crawl the web page to find secrets and api keys (e.g. Google Maps API Key)
  --enum                stealthily enumerate and identify common technologies
  --whois               perform a whois query to the domain
  --wayback             find useful information about the domain and his different endpoints using The Wayback Machine and other services
  --all                 perform all the enumeration at once (best choice)
  --quiet               don't print the banner
  --version             display the script version


  • A list of examples to use the tool in different ways

Most basic usage to dump all the subdomains

python3 -d

Enumerate subdomains and store them in a file

python3 -d --output domains.txt

Don't show banner

python3 -d --quiet

Enumerate specific things using parameters

python3 -d -n -p -w -b --whois --enum # You can use other parameters, see help panel

Perform all the recon functions (recommended)

python3 -d --all


☑️ Enumerate subdomains using passive techniques (like subfinder)

☑️ A lot of extra queries to enumerate the DNS

☑️ Domain Zone transfer attack

☑️ WAF type detection

☑️ Common enumeration (CMSs, reverse proxies, jquery...)

☑️ Whois target domain

☑️ Subdomain Takeover checker

☑️ Scan common open ports

☑️ Check active subdomains (like httprobe)

☑️ Wayback machine support to enumerate endpoints (like waybackurls)

☑️ Email harvesting
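
The "Subdomain Takeover checker" item above concerns DNS names that still point at a resource nobody controls any more. The following is an added example, not AORT's code (the page does not show how AORT performs the check): a defender-side audit of your own zone export for dangling CNAMEs. The record tuples, the `resolver` hook and all names in the sample data are assumptions made for the illustration.

```python
import socket

def resolves(host):
    # Default resolver: True if the name currently has an address record.
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def norm(name):
    return name.rstrip(".").lower()

def find_dangling_cnames(records, zone, resolver=resolves, max_hops=8):
    """records: (owner, rtype, target) tuples from your own zone export.
    Returns sorted (owner, last_target, reason) findings."""
    zone = norm(zone)
    cname = {norm(o): norm(t) for o, r, t in records if r.upper() == "CNAME"}
    has_data = {norm(o) for o, r, _ in records if r.upper() != "CNAME"}
    findings = []
    for owner, cur in cname.items():
        seen, reason = {owner, cur}, None
        for _ in range(max_hops):
            if cur != zone and not cur.endswith("." + zone):
                # External target: a third party decides whether it exists.
                if not resolver(cur):
                    reason = "external target does not resolve"
                break
            if cur not in cname:
                if cur not in has_data:
                    reason = "in-zone target has no records"
                break
            cur = cname[cur]
            if cur in seen:
                reason = "CNAME loop"
                break
            seen.add(cur)
        else:
            reason = "chain longer than max_hops"
        if reason:
            findings.append((owner, cur, reason))
    return sorted(findings)

# Constructed sample data (documentation-reserved names and addresses).
SAMPLE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("shop.example.com.", "CNAME", "www.example.com."),
    ("blog.example.com.", "CNAME", "tenant-a.hosting.example.net."),
    ("promo.example.com.", "CNAME", "tenant-b.hosting.example.net."),
    ("old.example.com.", "CNAME", "legacy.example.com."),
]
LIVE = {"tenant-a.hosting.example.net"}  # constructed: external names that resolve
print(find_dangling_cnames(SAMPLE, "example.com", lambda h: h in LIVE))
```

A target that still resolves can also be unclaimed at the provider, so non-resolution is only one signal and the findings are a lower bound.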


  • Compare results with other tools such as subfinder, gau, httprobe...
  • Improve code and existing functions


Simple query to find valid subdomains

Third party

The tool uses different services to get subdomains in different ways

The WAF detector was modified and adapted from CRLFSuite concept <3

All DNS queries are made entirely with dns-python; no dig or any other extra tool is needed

The email harvesting function uses an API with a personal token (free signup)


If you consider this project useful, I would really appreciate you supporting me by giving this repo a star or buying me a coffee.

Copyright 2022, D3Ext
