AORT - All in One Recon Tool for Bug Bounty

An easy-to-use python tool to perform subdomain enumeration, endpoints recon and much more
The purpose of this tool is helping bug hunters and pentesters during reconnaissance.


It can be used in any system with python3

You can easily install AORT using pip:

pip3 install aort

To use it just type "aort" into your terminal

If you want to install it from source:

git clone
pip3 install -r requirements.txt

Help Panel:

AORT - All in One Recon Tool

  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        domain to search its subdomains
  -o OUTPUT, --output OUTPUT
                        file to store the scan output
  -t TOKEN, --token TOKEN
                        api token of to discover mail accounts and employees
  -p, --portscan        perform a fast and stealthy scan of the most common ports
  -a, --axfr            try a domain zone transfer attack
  -m, --mail            try to enumerate mail servers
  -e, --extra           look for extra dns information
  -n, --nameservers     try to enumerate the name servers
  -i, --ip              it reports the ip or ips of the domain
  -6, --ipv6            enumerate the ipv6 of the domain
  -w, --waf             discover the WAF of the domain main page
  -b, --backups         discover common backups files in the web page
  -s, --subtakeover     check if any of the subdomains are vulnerable to Subdomain Takeover
  -r, --repos           try to discover valid repositories and s3 servers of the domain (still improving it)
  -c, --check           check active subdomains and store them into a file
  --secrets             crawl the web page to find secrets and api keys (e.g. Google Maps API Key)
  --enum                stealthily enumerate and identify common technologies
  --whois               perform a whois query to the domain
  --wayback             find useful information about the domain and his different endpoints using The Wayback Machine and other services
  --all                 perform all the enumeration at once (best choice)
  --quiet               don't print the banner
  --version             display the script version


  • A list of examples to use the tool in different ways

Most basic usage to dump all the subdomains

python3 -d

Enumerate subdomains and store them in a file

python3 -d --output domains.txt

Don't show banner

python3 -d --quiet

Enumerate specifics things using parameters

python3 -d -n -p -w -b --whois --enum # You can use other parameters, see help panel

Perform all the recon functions (recommended)

python3 -d --all


☑️ Enumerate subdomains using passive techniques (like subfinder)

☑️ A lot of extra queries to enumerate the DNS

☑️ Domain Zone transfer attack

☑️ WAF type detection

☑️ Common enumeration (CMSs, reverse proxies, jquery...)

☑️ Whois target domain

☑️ Subdomain Takeover checker

☑️ Scan common open ports

☑️ Check active subdomains (like httprobe)

☑️ Wayback machine support to enumerate endpoints (like waybackurls)

☑️ Email harvesting


  • Compare results with other tools such as subfindergauhttprobe...
  • Improve code and existing functions


Simple query to find valid subdomains

Third part

The tool uses different services to get subdomains in different ways

The WAF detector was modified and adapted from CRLFSuite concept <3

All DNS queries use dns-python at 100%, no dig or any extra tool needed

Email harvesting functions is done using API with personal token (free signup)

Download AORT

Next Post Previous Post
No Comment
Add Comment
comment url