
Reconnoitre: The Reconnaissance Automation Tool That Teaches You Not To Need It


Hook

Most security tools aim to become indispensable. Reconnoitre's own creator recommends you graduate to something better. Yet with 2,192 GitHub stars, thousands still use this "training wheels" tool—and there's a compelling reason why.

Context

Before automation tools like Reconnoitre, junior penetration testers faced a brutal learning curve during OSCP certification preparation. You'd run an Nmap scan, stare at open ports (21, 80, 139, 445), and freeze—what enumeration commands should you run next? Which tools apply to which services? How do you organize results across dozens of target machines without losing track?

Reconnoitre emerged from this frustration in the OSCP lab trenches. Rather than just automating scans, it acts as a teaching assistant: it runs reconnaissance, organizes output into logical directory structures, and most importantly, generates recommendation files containing the exact commands you should run next based on discovered services. It's reconnaissance automation that scaffolds learning, creating a bridge between reading about penetration testing methodology and executing it under exam pressure. The tool transforms chaotic enumeration into repeatable workflows while explicitly showing you the commands it would run, making the methodology transparent rather than magical.

Technical Insight

[Figure: system architecture (auto-generated). Components: reconnoitre.py CLI, Thread Pool Manager, Nmap Scanner, Service Parser, Recommendation Engine, Service-Specific Tools (nikto/dirb/enum4linux), Directory Creator (scans/, exploits/, loot/, proof.txt). Edge labels: target ranges, parallel execution, XML output, detected ports, custom commands, creates for each IP.]

Reconnoitre's architecture revolves around a command orchestration pattern that wraps external tools (Nmap, enum4linux, nikto, dirb) in Python subprocess calls, then parses their output to generate contextualized recommendations. The core workflow begins with reconnoitre.py, which accepts target ranges and spawns worker threads for parallel execution.

The directory structure it creates is deliberately exam-oriented. For each target IP, you get:

10.11.1.5/
├── scans/          # Raw tool output
├── exploits/       # Exploit code staging area
├── loot/           # Extracted credentials, hashes
└── proof.txt       # Screenshot/flag placeholder

This mirrors the evidence collection structure expected in OSCP reporting, training muscle memory for documentation practices.

The service detection logic lives in service_scan.py, which parses Nmap XML output and triggers specialized enumeration based on discovered ports. Here's a simplified example of how it generates recommendations:

def generate_recommendations(target_ip, services):
    """Map open port numbers to the follow-up enumeration commands to suggest.

    services: the open port numbers parsed from the Nmap XML for this host.
    Output paths point into the per-target scans/ directory shown above.
    """
    recommendations = []

    # Web services: vulnerability scan plus directory brute-force
    if 80 in services or 443 in services:
        recommendations.append(
            f"nikto -h {target_ip} -o {target_ip}/scans/nikto.txt"
        )
        recommendations.append(
            f"dirb http://{target_ip} /usr/share/wordlists/dirb/common.txt "
            f"-o {target_ip}/scans/dirb.txt"
        )

    # SMB/NetBIOS: user, share and policy enumeration, then an anonymous share listing
    if 139 in services or 445 in services:
        recommendations.append(
            f"enum4linux -a {target_ip} | tee {target_ip}/scans/enum4linux.txt"
        )
        recommendations.append(
            f"smbclient -L //{target_ip}/ -N"
        )

    # SNMP: query with the default "public" community string
    if 161 in services:
        recommendations.append(
            f"snmp-check {target_ip} -c public"
        )

    return recommendations

This recommendation engine is Reconnoitre's secret pedagogical weapon. Rather than silently executing commands, it writes them to _commands.txt files that you can review, understand, and manually execute. It's teaching enumeration methodology through generated examples.

The multi-threading implementation uses Python's concurrent.futures.ThreadPoolExecutor to parallelize host scanning, though it's relatively basic compared to modern async patterns:

from concurrent.futures import ThreadPoolExecutor

def scan_targets(target_list, threads=5):
    # scan_host is the per-host worker defined elsewhere in the tool.
    with ThreadPoolExecutor(max_workers=threads) as executor:
        # Caveat: the iterator returned by map() is never consumed, so an
        # exception raised inside scan_host is discarded rather than surfaced.
        executor.map(scan_host, target_list)

The tool supports two scan profiles: quick reconnaissance (--quick) runs TCP SYN scans on common ports, while comprehensive mode adds UDP scanning and more thorough service fingerprinting. The quick mode completes in minutes for lab ranges, making it practical for timed exam scenarios.

Reconnoitre also includes virtual host discovery for web servers, attempting to identify name-based virtual hosting configurations by analyzing HTTP headers and making requests with different Host headers—useful when multiple web applications share an IP in lab environments.

What makes this architecture interesting isn't sophistication (it's intentionally simple), but rather its transparency. Every action generates human-readable command files. Every scan stores raw output. The tool never hides what it's doing, which paradoxically teaches you to eventually replace it with custom scripts or tools like the author's own Interlace.

Gotcha

Reconnoitre's biggest limitation is itself: the author explicitly states it "pales in functionality" compared to Interlace and recommends it primarily for OSCP preparation. This isn't false modesty—the tool truly shows its age in several ways.

The service detection logic relies on hard-coded port-to-service mappings rather than intelligent fingerprinting. If SSH runs on port 2222 instead of 22, Reconnoitre won't generate SSH enumeration recommendations. The generated commands reference specific wordlist paths (/usr/share/wordlists/dirb/common.txt) that may not exist on non-Kali distributions, causing recommendations to fail silently if you're on a different platform. The tool also has no built-in rate limiting or evasion capabilities—it runs scans at full speed, which can trigger IDS/IPS systems or overwhelm target hosts in real engagements.

Another sharp edge: Reconnoitre assumes all external tools (nmap, nikto, enum4linux, snmp-check) are installed and in your PATH. There's minimal error handling if a tool is missing or returns unexpected output. You'll get cryptic Python tracebacks rather than helpful "please install nikto" messages. The recommendation files it generates can also become outdated quickly as enumeration best practices evolve—for instance, it still suggests tools like dirb when many testers have moved to feroxbuster or ffuf for directory brute-forcing. You're learning 2017-era methodology, which overlaps significantly with OSCP requirements but may not reflect current professional practices.
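The two sharp edges above (port-number lookups that miss services on non-standard ports, and commands that fail silently when a tool or wordlist is absent) can be addressed with a small change to the recommendation step. The following is an added example, not Reconnoitre's own code: it keys the lookup on the service name Nmap reports and checks for the tool binary and wordlist before emitting a command. The Nmap XML is a constructed sample, and SERVICE_COMMANDS is a hypothetical table in the spirit of the page's own examples.

```python
import os
import shutil
import xml.etree.ElementTree as ET

# Constructed Nmap XML (not real scan output): SSH on 2222 and HTTP on 8080.
SAMPLE_NMAP_XML = """<nmaprun>
  <host>
    <address addr="10.11.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="2222"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical table keyed on Nmap's service name: (binary, template, wordlist or None).
SERVICE_COMMANDS = {
    "http": [("nikto", "nikto -h {ip} -p {port} -o {ip}/scans/nikto_{port}.txt", None),
             ("dirb", "dirb http://{ip}:{port} {wl} -o {ip}/scans/dirb_{port}.txt",
              "/usr/share/wordlists/dirb/common.txt")],
    "ssh": [("nmap", "nmap -sV -p {port} {ip} -oN {ip}/scans/ssh_{port}.txt", None)],
    "microsoft-ds": [("enum4linux", "enum4linux -a {ip} | tee {ip}/scans/enum4linux.txt", None)],
}

def parse_open_services(xml_text):
    """Return (ip, [(port, service_name), ...]) for ports Nmap marks as open."""
    host = ET.fromstring(xml_text).find("host")
    ip = host.find("address").get("addr")
    found = []
    for port in host.find("ports").findall("port"):
        if port.find("state").get("state") != "open":
            continue
        svc = port.find("service")
        name = svc.get("name") if svc is not None else "unknown"
        found.append((int(port.get("portid")), name))
    return ip, found

def generate_recommendations(ip, services, which=shutil.which, exists=os.path.exists):
    """Build commands; record why any were skipped instead of failing silently.

    which/exists are injectable so the logic can be exercised without the tools installed."""
    commands, skipped = [], []
    for port, name in services:
        for tool, template, wordlist in SERVICE_COMMANDS.get(name, []):
            if which(tool) is None:
                skipped.append(f"{name}/{port}: '{tool}' not in PATH")
            elif wordlist and not exists(wordlist):
                skipped.append(f"{name}/{port}: wordlist {wordlist} missing")
            else:
                commands.append(template.format(ip=ip, port=port, wl=wordlist))
    return commands, skipped
```

Writing the skipped list next to the _commands.txt file turns a cryptic traceback or an empty recommendation into an explicit "install nikto" or "wordlist missing" note.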

Verdict

Use if: You're preparing for the OSCP certification and want a tool that automates reconnaissance while transparently showing you the enumeration methodology. Reconnoitre excels at creating organized workspaces, generating command references, and establishing repeatable workflows for exam-style lab environments. It's genuinely valuable as a learning tool that scaffolds the transition from theory to practice. Also use it if you're teaching penetration testing fundamentals and want students to see the connection between service discovery and targeted enumeration commands.

Skip if: You need production-grade reconnaissance automation, custom workflow flexibility, or modern tool integration. The author himself recommends moving to Interlace for professional work, and actively maintained alternatives like AutoRecon offer better service fingerprinting and tool coverage. Also skip if you're working beyond entry-level certifications or in environments where outdated enumeration techniques could miss critical vulnerabilities. Reconnoitre is training wheels by design: effective for learning to ride, but you'll want real wheels eventually.
