PNPT Reconnaissance Automation Pipeline

Automate your PNPT reconnaissance workflow - from hours to minutes.

⚠️ Read Legal & Security Guidelines before use - Unauthorized scanning is illegal.

Professional 9-phase reconnaissance automation for penetration testers preparing for the Practical Network Penetration Tester (PNPT) certification.

🆕 What's New in v2.0.0 (December 2025)

✅ IP/CIDR Support - Scan IPs and networks directly (no domain required!)
✅ SMB/NFS Enumeration - Discover network shares
✅ Web File Discovery - Find hidden files with Feroxbuster/Gobuster
✅ 4x Faster - Optimized performance (~4 min vs 6-7 min)

See CHANGELOG.md for full details and migration guide.

🎯 Overview

This is a workflow automation tool that integrates industry-standard reconnaissance tools into a streamlined PNPT-focused pipeline. It orchestrates existing tools rather than replacing them.

This tool does NOT:

Invent new reconnaissance techniques
Replace existing security tools
Provide unique scanning capabilities

This tool DOES:

Automate tedious manual workflows
Reduce reconnaissance time by 10x
Provide exam-ready output structure
Simplify tool orchestration for PNPT preparation

This automation pipeline reduces reconnaissance time by 10x while maintaining professional-grade output quality.

🙏 Built With

This tool stands on the shoulders of giants. All reconnaissance capabilities come from these excellent open-source projects:

Core Tools:

ProjectDiscovery - Industry-leading security tool suite
- Subfinder - Subdomain discovery
- DNSx - Fast DNS resolution
- Httpx - HTTP probing
- Naabu - Port scanning
- Katana - Web crawling
- Nuclei - Vulnerability scanning
OWASP Amass - Advanced subdomain enumeration

v2.0 Additional Tools:

Gobuster by OJ Reeves - Directory/file discovery
Feroxbuster by Ben "epi" Risher - Fast recursive scanner (optional)
Samba Tools - SMB share enumeration
NFS Utilities - Network File System discovery

All credit for scanning capabilities goes to these incredible projects and their maintainers.

This repository simply provides workflow automation and PNPT-specific orchestration.

Key Features

✅ Complete 9-phase workflow - Target detection through vulnerability scanning
✅ IP/CIDR/Domain support - Scan single IPs, networks, or domains
✅ Share enumeration - Find SMB/NFS shares with credentials
✅ File discovery - Locate hidden files, backups, configs
✅ Intelligent automation - Handles errors gracefully, continues on failures
✅ Flexible scan modes - Quick, Default, Thorough, and Deep presets
✅ Professional output - Structured directories, comprehensive logging
✅ Zero dependencies - No jq required, pure bash + standard tools
✅ Exam-ready - Optimized for time-critical assessments

Performance

Scan Mode Performance (v2.0.0):

Quick Mode:     ~3 minutes   (was 5-15 min)
Default Mode:   ~4 minutes   (was 15-30 min)  
Thorough Mode:  ~6 minutes   (was 45-90 min)
Deep Mode:      15+ minutes  (was 2-4 hours)

Example Results (single IP target):
├─ 3 open ports identified
├─ 1 web service fingerprinted  
├─ 6 files/directories discovered
├─ 3 endpoints crawled
├─ 1 vulnerability detected
└─ Complete in ~4 minutes

Efficiency gain: 10x faster than manual reconnaissance

🚀 Quick Start

# 1. Clone repository
git clone https://github.com/mbcyberworks/pnpt-recon-automation.git
cd pnpt-recon-automation

# 2. Install dependencies
chmod +x install-pnpt-tools.sh
./install-pnpt-tools.sh

# 3. Run reconnaissance
chmod +x pnpt-recon-pipeline.sh

# Scan domain (classic)
./pnpt-recon-pipeline.sh -d target.com

# Scan IP (NEW in v2.0)
./pnpt-recon-pipeline.sh -d 10.10.10.10

# Scan network (NEW in v2.0)
./pnpt-recon-pipeline.sh -d 192.168.1.0/24

📋 Prerequisites

Operating System: Linux (Kali Linux, Ubuntu, Debian)
Go: Version 1.19+ (auto-installed by setup script)
Sudo privileges: Required for port scanning
Internet: Required for tool installation and scanning

New in v2.0:

Gobuster OR Feroxbuster - At least one required
SMBmap - Optional but recommended
NFS utilities - Optional but recommended

🛠️ Installation

Automated Installation

git clone https://github.com/mbcyberworks/pnpt-recon-automation.git
cd pnpt-recon-automation
chmod +x *.sh
./install-pnpt-tools.sh

# Restart terminal or reload shell
source ~/.bashrc

Verify Installation

subfinder -version
dnsx -version
httpx -version
naabu -version
nuclei -version
katana -version
gobuster version        # NEW in v2.0

📖 Usage

Basic Usage

# Domain scan
./pnpt-recon-pipeline.sh -d target.com

# IP scan (NEW)
./pnpt-recon-pipeline.sh -d 10.10.10.10

# Network scan (NEW)
./pnpt-recon-pipeline.sh -d 192.168.1.0/24

# Custom output directory
./pnpt-recon-pipeline.sh -d target.com -o /path/to/output

# Help
./pnpt-recon-pipeline.sh -h

Scan Modes

Mode	Duration	Ports	Use Case
`--quick`	~3 min	top-100	CTF, Quick recon
default	~4 min	top-1000	PNPT exam
`--thorough`	~6 min	top-1000	Real pentests
`--deep`	15+ min	full scan	Red team

# Quick mode for CTF
./pnpt-recon-pipeline.sh -d target.com --quick

# Thorough mode for assessments
./pnpt-recon-pipeline.sh -d target.com --thorough

# Overnight deep scan
nohup ./pnpt-recon-pipeline.sh -d target.com --deep > scan.log 2>&1 &

📂 Output Structure

recon_target_TIMESTAMP/
├── SUMMARY.txt                  # Statistics and overview
├── subdomains/
│   └── all_subdomains.txt      # Unique subdomains
├── dns/
│   └── alive.txt               # Confirmed alive hosts
├── ports/
│   └── open_ports.txt          # Open ports per host
├── web/
│   ├── web_services.txt        # Web URLs
│   ├── web_services.json       # Detailed info
│   ├── directories.txt         # NEW: Full scan results
│   └── files_found.txt         # NEW: Filtered interesting files
├── shares/                     # NEW: Share enumeration
│   ├── smb_shares.txt          # SMB shares
│   └── nfs_shares.txt          # NFS exports
├── crawl/
│   └── endpoints.txt           # Discovered endpoints
├── vulnerabilities/
│   └── findings.json           # Vulnerability data
└── logs/                       # Detailed logs

📄 Reconnaissance Phases

v2.0 has 9 phases (was 6):

Target Detection - Automatic IP/CIDR/Domain identification (NEW)
Subdomain Discovery (Subfinder, Amass)
DNS Resolution (DNSx)
Port Scanning (Naabu)
Web Probing (Httpx)
Share Enumeration (SMBmap, Showmount) - NEW
File Discovery (Feroxbuster/Gobuster) - NEW
Deep Crawling (Katana)
Vulnerability Scanning (Nuclei)

⚙️ Configuration

Optional: API Keys

Enhance subdomain discovery:

nano ~/.config/subfinder/provider-config.yaml

Add keys from Shodan, GitHub, VirusTotal, etc.

Optional: Passwordless Sudo

For unattended scans:

echo "$USER ALL=(ALL) NOPASSWD: $(which naabu)" | sudo tee /etc/sudoers.d/naabu

🔍 Troubleshooting

"Command not found"

source ~/.bashrc

"Permission denied"

# Enter password when prompted, or setup passwordless sudo

Slow performance

./pnpt-recon-pipeline.sh -d target.com --quick

"Neither gobuster nor feroxbuster found"

sudo apt install gobuster
# Or: cargo install feroxbuster (faster)

🎓 PNPT Exam Tips

Start early - Let automation run while reading exam brief
Review SUMMARY.txt - Quick overview of findings
Check shares first - SMB/NFS often contain credentials (NEW)
Review files_found.txt - Focus on .bak, .old files (NEW)
Prioritize - Focus on web services and unusual ports
Manual testing - Deep dive on high-value targets
Document - Take notes continuously

🤝 Contributing

Contributions welcome! Please submit issues and pull requests.

📄 License

MIT License - See LICENSE file for details.

👨‍💻 Author

MB Cyberworks

Website: mbcyberworks.nl
Focus: PNPT certification preparation
Current: Preparing for January 2026 exam

⚠️ Legal Disclaimer

❌ UNAUTHORIZED SCANNING IS ILLEGAL

This tool performs active reconnaissance including port scanning, web probing, and vulnerability detection. Using it against systems without explicit authorization is illegal in most jurisdictions and may violate:

Computer Fraud and Abuse Act (CFAA) - United States
Computer Misuse Act - United Kingdom
Wet Computercriminaliteit - Netherlands
European Cybercrime Directive
Local laws in your jurisdiction

Potential consequences:

Criminal prosecution
Civil lawsuits
Termination from bug bounty programs
Professional sanctions

✅ AUTHORIZED USE ONLY

You may ONLY scan:

Systems you own
Systems with explicit written permission
Bug bounty programs (within scope)
Intentional practice targets

🚫 EXAMPLES OF UNAUTHORIZED USE

❌ Major corporations (Tesla, Microsoft, Google, Amazon, etc.)
❌ Government websites
❌ Financial institutions
❌ E-commerce platforms
❌ Any domain you don't own or have permission to test

When in doubt, DON'T SCAN. Get written permission first.

🙏 Acknowledgments

This tool would not exist without these outstanding open-source projects:

ProjectDiscovery Team - Subfinder, DNSx, Httpx, Naabu, Katana, Nuclei
OWASP Amass Project - Advanced subdomain enumeration
OJ Reeves - Gobuster
Ben "epi" Risher - Feroxbuster
TCM Security - PNPT certification and training

Please support the original projects - star their repositories, read their documentation, and contribute if you can.

🔗 Related Tools

AutoRecon - Multi-threaded reconnaissance
Recon-ng - Modular framework
Reconness - Continuous monitoring

Why Choose PNPT Recon Automation?

✅ PNPT-specific methodology
✅ IP/CIDR support for internal networks (NEW)
✅ SMB/NFS enumeration built-in (NEW)
✅ 4x performance improvement (v2.0)
✅ Beginner-friendly setup

🔮 Roadmap

Multi-threading for parallel scanning
Custom wordlist support
Screenshot capture
HTML/PDF report generation

⭐ Star this repo if you find it useful!

Built for the cybersecurity community by MB Cyberworks

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
RELEASE_NOTES.md		RELEASE_NOTES.md
SECURITY.md		SECURITY.md
VERSION		VERSION
install-pnpt-tools.sh		install-pnpt-tools.sh
pnpt-recon-pipeline.sh		pnpt-recon-pipeline.sh

License

mbcyberworks/pnpt-recon-automation

Folders and files

Latest commit

History

Repository files navigation