
Overview

Recon is the target management and discovery hub for your engagement. You add targets — hostnames, IP addresses, or CIDR ranges — and then run automated scans against them to build a comprehensive picture of the attack surface before you begin testing. The recon worker runs as a separate Python FastAPI service, processing scan jobs asynchronously via the BullMQ queue. This means long-running scans don’t block the UI, and you can track progress in real time.

Adding targets

To add a target to an engagement:
  1. Navigate to the Recon tab within your engagement.
  2. Click Add Target.
  3. Enter the target value:
    • Hostname: example.com
    • IP address: 192.168.1.100
    • CIDR range: 10.0.0.0/24
  4. Optionally add a label or description to identify the target.
  5. Click Add.
You can add multiple targets to a single engagement. Targets appear in a list with their current scan status.
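The three target forms above define the scope of the engagement, and anything a scan discovers later (subdomains from certificate transparency, hosts behind open ports) should be checked against that scope before it is tested. The following is an added example written for this page, not Pwnbook's own code: it classifies a target string as hostname, IP address or CIDR range the way the Add Target form would, rejects a CIDR with host bits set rather than silently widening it, and triages a list of discovered hosts into in-scope and out-of-scope. The sample targets and findings are constructed.

```python
import ipaddress
import re

# Added example (not Pwnbook's own code): parse the three target forms the
# Recon tab accepts and check discovered hosts against the engagement scope.

# Registered-style hostname: dotted labels of letters/digits/hyphens, 1-63
# chars per label, alphabetic top-level label. Bare single-label names are
# rejected on purpose; add them as IP addresses instead.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_target(value):
    """Classify a target as ('ip', addr), ('cidr', network) or ('hostname', str).

    Raises ValueError for anything else, including a CIDR with host bits set
    (e.g. 10.0.0.1/24): strict=True makes the operator state the range
    explicitly instead of quietly widening scope to 10.0.0.0/24.
    """
    v = value.strip().lower().rstrip(".")
    if "/" in v:
        return "cidr", ipaddress.ip_network(v, strict=True)
    try:
        return "ip", ipaddress.ip_address(v)
    except ValueError:
        pass
    if HOSTNAME_RE.match(v):
        return "hostname", v
    raise ValueError(f"not a hostname, IP address or CIDR range: {value!r}")


def is_valid_target(value):
    """True if parse_target() accepts the value."""
    try:
        parse_target(value)
        return True
    except ValueError:
        return False


class Scope:
    """Authorized targets of one engagement."""

    def __init__(self, targets):
        self.networks = []
        self.hostnames = set()
        for target in targets:
            kind, parsed = parse_target(target)
            if kind == "cidr":
                self.networks.append(parsed)
            elif kind == "ip":
                # a single address becomes a /32 (or /128) network
                self.networks.append(ipaddress.ip_network(str(parsed)))
            else:
                self.hostnames.add(parsed)

    def contains(self, host):
        """In scope if host lies in an authorized network, equals an authorized
        hostname, or is a subdomain of one (dev.example.com under example.com).
        example.com.evil.net does not match: the suffix compared is '.' + domain."""
        h = host.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            return h in self.hostnames or any(h.endswith("." + d) for d in self.hostnames)
        return any(addr in net for net in self.networks)


def triage(scope, discovered):
    """Split discovered hosts (from subdomain, port or service findings) by scope."""
    result = {"in_scope": [], "out_of_scope": []}
    for host in discovered:
        result["in_scope" if scope.contains(host) else "out_of_scope"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample data, not output from a real scan.
    scope = Scope(["example.com", "192.168.1.100", "10.0.0.0/24"])
    found = ["dev.example.com", "example.com.evil.net",
             "10.0.0.42", "10.0.1.5", "192.168.1.100"]
    print(triage(scope, found))
```

The out-of-scope bucket is the one to review by hand: a lookalike domain such as example.com.evil.net or an address one subnet over is exactly the kind of result that turns up in recon and must not be scanned further without written authorization.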

Running automated recon scans

Once a target is added, you can trigger an automated recon scan:
  1. Click the target in the list.
  2. Click Start Scan.
  3. Select the scan profile or leave the default.
  4. Click Run.
The scan is submitted to the recon worker queue. You can monitor progress from the Scan Logs view.

What recon scans discover

Automated recon scans can enumerate:
  • Subdomains — DNS enumeration and certificate transparency log lookups to find related subdomains.
  • Open ports — TCP port scanning to identify exposed services.
  • Service fingerprinting — Identifies the software and version running on open ports.
  • Web technology detection — Identifies frameworks, CMS platforms, and server software for web targets.
  • Certificate information — TLS certificate details including SANs, expiry, and issuer.
The specific tools and techniques used depend on your recon worker configuration. Consult your deployment documentation or system administrator for details on which scanners are enabled.

Scan logs

All recon scan activity is logged. To view logs for a scan:
  1. Navigate to the Recon tab.
  2. Click Scan Logs in the sidebar.
  3. Select a scan run to view its detailed output.
Logs include timestamps, tool output, and any errors encountered during the scan. This helps you understand exactly what was run and diagnose issues.

Recon results

Scan results are organized by target and finding type. After a scan completes:
  1. Click on a target to expand its results.
  2. Browse the discovered subdomains, ports, and services.
  3. Click individual findings to see details.
You can export recon results to include in reports or share with your team.

Network agents

For internal network scanning — where the recon worker cannot directly reach targets from the internet — Pwnbook supports network agents. A network agent is a lightweight process you deploy inside the internal network. It connects out to the Pwnbook backend, receives scan tasks, executes them locally, and sends results back.
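To make the agent loop concrete, here is an added example modelling the behaviour described above; it is not Pwnbook's agent code and does not reflect its wire protocol. The FakeBackend class, the task field names and the tcp_connect handler are assumptions made for the example. The point it demonstrates is the security property an agent inside a client network must have: it only makes outbound calls, it executes only allow-listed task types, and a task it does not recognise is rejected and reported rather than run.

```python
import socket
from collections import deque

# Added example (not Pwnbook's agent code or wire protocol): a model of the
# agent loop. The agent only ever calls out to the backend, dispatches tasks
# through an allow-list of handlers, and never runs arbitrary commands.


def tcp_connect(task):
    """Check from the agent's own vantage point whether a TCP port accepts connections."""
    host, port = task["host"], int(task["port"])
    timeout = float(task.get("timeout", 2.0))
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"host": host, "port": port, "state": "open"}
    except OSError as exc:  # refused, timed out, unreachable, ...
        return {"host": host, "port": port, "state": "closed", "reason": type(exc).__name__}


# Allow-list: a task type missing here is rejected, not executed.
HANDLERS = {"tcp_connect": tcp_connect}


class FakeBackend:
    """Stand-in for the backend so the loop runs offline (assumption: the real
    backend exposes something equivalent to these two outbound calls)."""

    def __init__(self, tasks):
        self.tasks = deque(tasks)
        self.results = []

    def next_task(self):
        return self.tasks.popleft() if self.tasks else None

    def post_result(self, result):
        self.results.append(result)


def run_agent(backend, handlers=HANDLERS):
    """Pull tasks until the queue is empty; return the number processed."""
    processed = 0
    while (task := backend.next_task()) is not None:
        task_id, task_type = task.get("id"), task.get("type")
        handler = handlers.get(task_type)
        if handler is None:
            backend.post_result({"task_id": task_id, "status": "rejected",
                                 "error": f"unknown task type {task_type!r}"})
        else:
            try:
                backend.post_result({"task_id": task_id, "status": "ok",
                                     "result": handler(task)})
            except Exception as exc:  # a handler bug must not kill the agent
                backend.post_result({"task_id": task_id, "status": "error",
                                     "error": repr(exc)})
        processed += 1
    return processed


def demo():
    """Constructed scenario: one listening port, one closed port, one bogus task."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more
    backend = FakeBackend([
        {"id": 1, "type": "tcp_connect", "host": "127.0.0.1", "port": open_port},
        {"id": 2, "type": "tcp_connect", "host": "127.0.0.1", "port": closed_port},
        {"id": 3, "type": "shell", "cmd": "id"},  # not allow-listed: rejected
    ])
    try:
        run_agent(backend)
    finally:
        listener.close()
    return backend.results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Because the agent pulls work rather than listening for it, no inbound firewall rule is needed on the client side, which is what lets it sit in a segment the recon worker cannot reach. The allow-list is the control that keeps a compromised or misbehaving backend from turning that foothold into a remote shell.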

Deploying a network agent

  1. Go to the Recon tab and click Network Agents.
  2. Click Add Agent.
  3. Copy the agent registration token and installation command.
  4. Run the installation command on a host inside the target network:
curl -sSL https://pwnbook.io/agent/install.sh | bash -s -- --token YOUR_AGENT_TOKEN
  5. Once the agent connects, it appears in the Network Agents list with a Connected status.
Treat the registration token as a credential: it is what lets an agent join this engagement, so do not share it beyond the host you are installing on, and remember that it will be visible in that host's shell history. If your rules of engagement require it, download the installer first and review it before running it rather than piping it straight into bash.

Using a network agent for scanning

When configuring a recon scan, select the network agent from the Run via dropdown. The scan job will be routed through the selected agent, allowing you to reach internal hosts that are not publicly accessible.
Deploy multiple network agents in different network segments to cover your full internal attack surface.

Best practices

  • Run recon scans only during the agreed-upon testing windows. Scans are noisy; outside the window they can trigger the client's security monitoring and incident response when nobody is expecting it, and may fall outside your authorization.
  • Store recon results within the engagement so the full team has visibility into discovered targets.
  • Review scan logs carefully — scanner errors can indicate network filtering or WAF rules worth investigating during testing.
  • Use network agents for internal assessments instead of routing traffic through VPNs, which can add complexity and latency.