ReconKit Documentation
ReconKit is a free, open-source, native macOS app for domain reconnaissance. It replaces the dozen tools and browser tabs you'd normally juggle — dig, whois, openssl, nmap, crt.sh and more — with one scan that compiles DNS, subdomains, SSL, HTTP, ports, WHOIS, and reputation into a single ranked report you can export to PDF. Every probe runs locally on your Mac.
Overview
ReconKit answers one question: what does the public internet already know about this domain? It bundles the checks a security reviewer runs by hand — DNS hygiene, certificate health, security headers, exposed services, registration data, and reputation — into one click.
- Native & local — a sandboxed SwiftUI app. Scans run from your machine; nothing is sent to a ReconKit server (there isn't one).
- Free & open source — MIT licensed, source on GitHub.
- Requirements — macOS 13 (Ventura) or later, Apple Silicon or Intel.
Note: ReconKit performs passive, surface-level reconnaissance against publicly reachable endpoints. Only scan domains you own or are authorized to assess.
Installation
- Download ReconKit.dmg from the latest release (≈2.2 MB).
- Open the DMG and drag ReconKit into /Applications.
- The first launch needs one extra step (see below), then it opens normally forever after.
Gatekeeper: v1.0.0 is signed with an Apple Development certificate, not yet notarized. On first launch macOS may say it "cannot be opened." Right-click the app → Open → Open to approve it once. This is expected and only required the first time.
Your First Scan
- Launch ReconKit and type a domain (e.g. example.com) into the bar.
- Press ⌘N or click Scan. All modules run in parallel.
- Results stream into category tabs; the Overview tab summarizes the most important findings and the security score.
Want to see a full report without hitting the network? Load the built-in demo scan with ⇧⌘D — a canned scan of example.com that exercises every module.
The 8 Scan Modules
Each scan populates up to eight categories. The Overview is a roll-up; the other seven do the actual probing.
Overview
A digest of the run: target, reachability, and the highest-priority warnings pulled from the other modules.
Subdomains
Discovers subdomains from publicly-logged TLS certificates via Certificate Transparency logs (crt.sh), then checks which ones currently resolve. See Subdomain Discovery.
DNS
Resolves A, AAAA, MX, NS, TXT, and SOA records and evaluates mail/security hygiene: SPF, DMARC, DNSSEC, and CAA presence.
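As an added illustration of what an SPF/DMARC hygiene check involves (this is not ReconKit's code), the sketch below grades TXT records that have already been resolved. The function names, the sample records and the severity assigned to each condition are assumptions.

```python
# Added example (not ReconKit source). Inputs are TXT strings already fetched
# from DNS; the severity assigned to each condition is an assumption.

def check_spf(apex_txt):
    """Grade the SPF policy among the TXT records at the domain apex."""
    spf = [t for t in apex_txt if t.strip().lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return ("Warning", "no SPF record")
    if len(spf) > 1:
        # RFC 7208: several v=spf1 records make evaluation a permerror.
        return ("Issue", "multiple SPF records")
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return ("Info", "policy delegated with redirect=")
        return ("Warning", "no 'all' term, unmatched senders are neutral")
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare 'all' is +all
    return {
        "-": ("Pass", "hard fail (-all)"),
        "~": ("Pass", "soft fail (~all)"),
        "?": ("Warning", "neutral (?all) gives receivers no signal"),
        "+": ("Issue", "+all authorizes every sender"),
    }[qualifier]

def check_dmarc(dmarc_txt):
    """Grade the TXT records published at _dmarc.<domain>."""
    recs = [t for t in dmarc_txt if t.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ("Warning", "no DMARC record")
    if len(recs) > 1:
        # RFC 7489: with more than one record, DMARC is not applied.
        return ("Issue", "multiple DMARC records")
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy in ("reject", "quarantine"):
        return ("Pass", f"p={policy}")
    if policy == "none":
        return ("Warning", "p=none is monitoring only")
    return ("Issue", "missing or invalid p= tag")

# Constructed records for a domain that publishes SPF but only monitors DMARC.
APEX_TXT = ["google-site-verification=constructed", "v=spf1 include:_spf.example.net ~all"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
```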
SSL
Reads the leaf certificate — subject, issuer, validity window, days remaining — and reports which TLS versions the server accepts (flagging TLS 1.3 / 1.2 support).
HTTP
Fetches the site and inspects status/redirect chain, security headers (HSTS, CSP, X-Content-Type-Options, and friends), the Server banner, and a best-effort tech-stack guess.
Ports
Attempts a TCP handshake against 15 common ports. For a handful of plaintext services it reads the greeting banner. Ports checked:
| Port | Service | Port | Service |
|---|---|---|---|
| 21 | FTP | 3306 | MySQL |
| 22 | SSH | 3389 | RDP |
| 25 | SMTP | 5432 | PostgreSQL |
| 53 | DNS | 6379 | Redis |
| 80 | HTTP | 8080 | HTTP-alt |
| 110 | POP3 | 8443 | HTTPS-alt |
| 143 | IMAP | 27017 | MongoDB |
| 443 | HTTPS | | |
Banner grabbing is attempted on the plaintext greeters: 21, 22, 25, 110, 143.
WHOIS
Queries WHOIS over port 43 (following the IANA referral to the authoritative registry) for registrar, creation/expiry dates, and domain status.
Reputation
Checks the domain against threat-intel sources — Have I Been Pwned, URLhaus, and VirusTotal. See Reputation Sources.
Reading the Report
Every finding carries one of four severities, color-coded throughout the UI:
| Severity | Meaning |
|---|---|
| Pass | Secure / good — the check passed. |
| Info | A neutral fact (e.g. an A record's value). |
| Warning | Worth a look — a gap or weak configuration. |
| Issue | A likely problem that should be addressed. |
Each category shows a one-line summary and a badge reflecting its worst finding. Warnings and issues that have remediation advice are collected into a prioritized action plan, worst-first.
Security Score & Grade
ReconKit distills the findings into a single 0–100 score, starting at 100 and subtracting penalties:
- Each Issue (critical): −18
- Each Warning: −6
- Pass / Info findings: no penalty
The score maps to a letter grade and rating:
| Score | Grade | Rating |
|---|---|---|
| 90–100 | A | Strong |
| 80–89 | B | Strong |
| 70–79 | C | Fair |
| 60–69 | D | Fair |
| < 60 | F | At Risk |
The bundled demo scan, for reference, lands at 70 / 100 — Grade C, Fair.
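The roll-up described in Reading the Report and in this section, written out as an added example (not ReconKit's code). The finding tuple layout, the severity ordering used for badges, the floor at 0 and the sample findings are assumptions.

```python
# Added example (not ReconKit source): the severity and scoring rules above.
# Clamping at 0 and the tuple layout of a finding are assumptions.

PENALTY = {"Issue": 18, "Warning": 6, "Info": 0, "Pass": 0}
RANK = {"Issue": 3, "Warning": 2, "Info": 1, "Pass": 0}  # higher is worse
GRADES = [(90, "A", "Strong"), (80, "B", "Strong"),
          (70, "C", "Fair"), (60, "D", "Fair"), (0, "F", "At Risk")]

def score(findings):
    """Start at 100, subtract a penalty per finding, never go below 0."""
    return max(100 - sum(PENALTY[sev] for _, sev, _, _ in findings), 0)

def grade(points):
    """Map a 0-100 score to (letter grade, rating)."""
    return next((g, r) for floor, g, r in GRADES if points >= floor)

def badges(findings):
    """Worst severity per category, as shown on each category badge."""
    worst = {}
    for category, sev, _, _ in findings:
        if category not in worst or RANK[sev] > RANK[worst[category]]:
            worst[category] = sev
    return worst

def action_plan(findings):
    """Warnings and issues that carry remediation advice, worst first."""
    todo = [f for f in findings if RANK[f[1]] >= 2 and f[3]]
    return sorted(todo, key=lambda f: -RANK[f[1]])

# Constructed findings: (category, severity, title, remediation or None)
SAMPLE = [
    ("DNS", "Warning", "DMARC policy is p=none", "Move to p=quarantine"),
    ("HTTP", "Warning", "No Content-Security-Policy", "Add a CSP header"),
    ("Ports", "Issue", "Redis reachable on 6379", "Restrict to private network"),
    ("SSL", "Pass", "TLS 1.3 supported", None),
    ("DNS", "Info", "A record present", None),
]

if __name__ == "__main__":
    print(score(SAMPLE), grade(score(SAMPLE)), badges(SAMPLE))
```

With these weights a single Issue already drops a clean report to 82 (Grade B), and one Issue plus two Warnings lands at 70.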
VirusTotal Integration
VirusTotal reputation lookups use your own API key — ReconKit ships without one so your usage stays under your account.
- Create a free account at virustotal.com and copy your API key from your profile.
- Open ReconKit Settings and paste the key into the VirusTotal field.
- Future scans include the VirusTotal verdict (e.g. "0 of 94 vendors flag this domain").
Note: The key is stored locally on your Mac and only ever sent to VirusTotal. Without a key, the rest of the scan still runs — only the VirusTotal line is skipped.
Reputation Sources
The Reputation module aggregates three independent sources:
- Have I Been Pwned — known breaches involving the domain.
- URLhaus (abuse.ch) — malware URLs hosted on the domain (best-effort; skipped if the service is unavailable).
- VirusTotal — multi-vendor malware/blocklist verdicts (requires your key, see above).
Subdomain Discovery
Rather than brute-forcing names, ReconKit reads Certificate Transparency logs via crt.sh. Every publicly-trusted TLS certificate is logged, so any subdomain that has ever been issued a cert shows up. ReconKit then resolves each candidate and marks which are currently live.
This is fast, quiet, and finds real hosts — including forgotten staging, dev, and old subdomains that often slip through security reviews.
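For inventorying the certificates issued under your own domain, the added example below (not ReconKit's code) turns crt.sh's `output=json` response into in-scope hostname candidates and then filters them through a resolver. The function names and the sample entries are assumptions; the sample is constructed, not real log data.

```python
# Added example (not ReconKit source). Parses the JSON shape returned by
# crt.sh's output=json query; SAMPLE is constructed, not real log data.
import json
import socket

SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "Staging.Example.com", "name_value": "staging.example.com"},
    {"common_name": "cdn.example.net", "name_value": "cdn.example.net\nshop.example.com"},
    {"common_name": "notexample.com", "name_value": "notexample.com"},
    {"common_name": "", "name_value": "admin@mail.example.com"},
])

def candidates(crtsh_json, domain):
    """Return (hostnames, wildcard_zones) that fall under `domain`."""
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        names = entry.get("name_value", "").split("\n")  # one SAN per line
        names.append(entry.get("common_name") or "")
        for name in names:
            name = name.strip().lower().rstrip(".")
            is_wildcard = name.startswith("*.")
            if is_wildcard:
                name = name[2:]
            # Certificates can also carry e-mail identities; those are not hosts.
            if "@" in name:
                continue
            # Match on a label boundary so notexample.com is not in scope.
            if name != domain and not name.endswith("." + domain):
                continue
            (wildcards if is_wildcard else hosts).add(name)
    return sorted(hosts), sorted(wildcards)

def system_resolve(host):
    """Addresses for `host` from the system resolver, or [] if it has none."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def live(hosts, resolve=system_resolve):
    """Keep the hosts for which `resolve(host)` returns at least one address."""
    return [h for h in hosts if resolve(h)]
```

A wildcard entry proves a certificate exists for the zone but names no specific host, which is why it is reported separately rather than resolved.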
Monitoring & Diff
Scans are saved to history, so you can re-scan a domain over time and compare two snapshots. The diff view highlights what changed between runs — a new open port, an expiring certificate, a header that disappeared.
Useful for tracking your own infrastructure or confirming that a fix actually landed.
PDF Export
Any report can be exported to a formatted PDF for sharing or archiving. Because the app is sandboxed, exporting prompts you to choose a save location via the standard macOS save panel.
Keyboard Shortcuts
| Action | Shortcut |
|---|---|
| New Scan | ⌘N |
| Load Demo Scan | ⇧⌘D |
| Toggle Sidebar | ⌘⌥S |
| Help / Docs | ⇧⌘/ |
Settings
The Settings window holds:
- VirusTotal API key — for reputation lookups (see above).
- Credits — acknowledgements for the data sources ReconKit queries.
- Legal links — privacy policy and terms.
Privacy & Data
- No telemetry, no accounts. ReconKit has no backend and collects nothing about you.
- Scans run locally. Probes go directly from your Mac to the target and the named third-party data sources (crt.sh, HIBP, URLhaus, VirusTotal) — never through ReconKit.
- Sandboxed. The app runs under the macOS App Sandbox with only network-client and user-selected file (for export) entitlements.
- Your key stays yours. The VirusTotal key is stored on-device and only sent to VirusTotal.
Build from Source
ReconKit is a standard Xcode project with no external dependencies.
```bash
# clone
git clone https://github.com/melxusgid/reconkit.git
cd reconkit
# open in Xcode and build, or from the CLI:
xcodebuild -project ReconKit.xcodeproj -scheme ReconKit -configuration Release build
```
Requirements: Xcode 15+ and macOS 13+. Select your own signing team in the project's Signing & Capabilities tab for a local signed build.
Architecture
The codebase is small and reads top-down: a SwiftUI front end over a set of independent probe modules coordinated by a single scan engine.
| File | Responsibility |
|---|---|
| ReconKitApp.swift | App entry, menu commands, settings window. |
| ScanCoordinator.swift | Scan orchestration, state, history. |
| ScanEngine.swift | Core scanning logic; runs the modules. |
| DNSClient.swift | DNS record lookups. |
| HTTPProbe.swift | HTTP header & security analysis. |
| NetworkProbes.swift | TCP port checks & banner grabbing. |
| CertTransparency.swift | CT-log subdomain discovery. |
| ReputationScanner.swift | HIBP / URLhaus / VirusTotal lookups. |
| Models.swift | Findings, categories, scoring. |
| ReportView.swift · ReportPDF.swift | Report display & PDF export. |
| Theme.swift | Colors, fonts, the visual language. |
Troubleshooting
"ReconKit can't be opened" on first launch
Expected for the un-notarized v1 build. Right-click the app → Open → Open. Required once.
A scan returns few or no results
The target may block probes, sit behind a CDN/WAF, or not exist. Confirm the domain resolves and is reachable, and check your own network connection.
VirusTotal shows nothing
No API key is set, or the key has hit its rate limit. Add/replace the key in Settings; free-tier keys are rate-limited.
Export fails or doesn't save
The sandbox requires you to pick the destination in the save panel. Choose a folder you have write access to (e.g. Downloads or Desktop).
FAQ
Is ReconKit free?
Yes — free and open source, no accounts, no paywall.
Does it send my scans anywhere?
No. There's no ReconKit server. Probes go from your Mac directly to the target and the public data sources.
Is this a penetration test?
No. ReconKit does passive, surface-level recon — the kind of public-facing checks that precede a real assessment. For interpreted findings and remediation, a FromTheScope audit takes it further.
Which macOS versions are supported?
macOS 13 (Ventura) and later, on Apple Silicon or Intel.
Can I scan any domain?
Only scan domains you own or are authorized to assess. You are responsible for how you use the tool.