Context-Aware Subdomain Enumerator with intelligent classification and Nuclei integration
npm install cod3x-reconContext-Aware Subdomain Enumerator with intelligent classification, risk scoring, and Nuclei integration.
- š Multi-Source Enumeration: Certificate Transparency (crt.sh), DNS bruteforce, wordlist-based discovery
- šÆ Smart Probing: HTTP/HTTPS fingerprinting, TLS inspection, endpoint discovery
- š§ Intelligent Classification: Pattern-based risk scoring with extensible rules engine
- š Plugin System: Extensible architecture for custom integrations
- ā” Performance Optimized: Connection pooling, caching, bounded concurrency
- š”ļø Nuclei Integration: Automated vulnerability scanning on discovered assets
- š Multiple Output Formats: Text, JSON, SARIF for CI/CD integration
``bash`
npm install -g cod3x-recon
Or from source:
`bash`
git clone https://github.com/cxdexx/cod3x-recon.git
cd cod3x-recon
npm install
npm run build
npm link
`bash`
cod3x scan -d example.com
`bash`
cod3x scan -d example.com \
--concurrency 20 \
--timeout 5000 \
--format json \
--export results.json \
--run-nuclei \
--plugins ./plugins/custom-plugin
| Option | Description | Default |
|--------|-------------|---------|
| -d, --domain | Target domain (required) | - |-c, --concurrency
| | Concurrent requests | 10 |-t, --timeout
| | Request timeout | 3000 |-f, --format
| | Output format (text\|json\|sarif) | text |-e, --export
| | Export results to file | - |--run-nuclei
| | Run Nuclei scans on live hosts | false |--plugins
| | Load custom plugins | [] |-q, --quiet
| | Suppress output | false |
`
[+] Enumerating subdomains for example.com...
[+] Found 127 subdomains from crt.sh
[+] DNS verification: 89 live hosts
[+] Probing hosts...
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā HIGH RISK FINDINGS ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā admin.example.com [192.168.1.10] ā
ā Status: 200 OK ā
ā Risk Score: 85/100 ā
ā Categories: admin-panel, directory-listing ā
ā Notes: Exposed admin panel with directory listing ā
ā ā
ā api-staging.example.com [10.0.0.5] ā
ā Status: 200 OK ā
ā Risk Score: 75/100 ā
ā Categories: staging, api, cors-unsafe ā
ā Notes: CORS wildcard (*) policy detected ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
[+] Scan complete: 89 hosts, 12 high-risk findings
`
Create custom plugins to extend COD3X:RECON functionality:
`typescript
// plugins/my-plugin/index.ts
import { Plugin, SubdomainResult, ProbeResult } from 'cod3x-recon';
export const plugin: Plugin = {
name: 'my-custom-plugin',
version: '1.0.0',
hooks: {
onSubdomainFound: async (subdomain: SubdomainResult) => {
console.log([Plugin] Found: ${subdomain.hostname});`
},
onProbeResult: async (result: ProbeResult) => {
if (result.statusCode === 200) {
// Custom logic here
}
},
onClassify: (result: ProbeResult) => {
// Add custom classification rules
if (result.headers['x-custom-header']) {
return {
categories: ['custom-category'],
riskScore: 50,
notes: 'Custom header detected',
};
}
return null;
},
},
};
Load your plugin:
`bash`
cod3x scan -d example.com --plugins ./plugins/my-plugin
`
src/
āāā cli/ # CLI interface (Commander.js)
āāā core/ # Core enumeration engine
ā āāā enumerator.ts # Multi-source subdomain discovery
ā āāā probe.ts # HTTP/HTTPS probing
ā āāā classifier.ts # Risk scoring and classification
ā āāā cache.ts # LRU caching layer
āāā plugins/ # Plugin system
āāā nuclei/ # Nuclei integration
āāā utils/ # Shared utilities
`bash`
npm install
npm run dev
`bash`
npm test # Run tests
npm run test:watch # Watch mode
`bash`
npm run lint # ESLint
npm run format # Prettier
`bash`
npm run build # Compile TypeScript
Place custom wordlists in templates/wordlists/:
`
templates/wordlists/
āāā common-subdomains.txt
āāā api-endpoints.txt
āāā admin-paths.txt
Add custom Nuclei templates in src/nuclei/templates/:
`yaml``
id: custom-check
info:
name: Custom Security Check
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/admin"
matchers:
- type: status
status:
- 200
1. Adjust Concurrency: Increase for faster scans, decrease for rate-limited targets
2. Enable Caching: Reduces redundant DNS/HTTP requests
3. Use Wordlist Filtering: Smaller wordlists = faster enumeration
4. Skip Nuclei: Disable for quick reconnaissance
- Always obtain authorization before scanning
- Respect rate limits and robots.txt
- Use VPN/proxy for sensitive assessments
- Sanitize outputs before sharing
Contributions welcome! Please:
1. Fork the repository
2. Create a feature branch
3. Add tests for new functionality
4. Submit a pull request
MIT License - see LICENSE file for details
Built with ā¤ļø by the CODEX Security Team
This tool is for authorized security testing only. Unauthorized access to computer systems is illegal. Users are responsible for complying with applicable laws.