May 27, 2026
MAXMAP: Your automated recon sidekick.
Issan
I remember the nights when recon meant opening six terminal tabs, copy-pasting subdomains from one tool to another, normalizing URLs by hand, and still wondering what I'd missed. That workflow was killing my curiosity and my edge. So I built MAXMAP: a single-command pipeline that runs your entire attack-surface discovery from start to finish, the way a human would, just faster and without the burnout.
What MAXMAP Actually Does
MAXMAP isn't just a script that chains tools together. It's a battle-tested reconnaissance workflow wrapped in bash. You feed it a domain, and it delivers everything you need to start hunting:
- Every subdomain from passive sources (`subfinder` + `crt.sh`).
- Only the live ones, filtered through `httpx`.
- Open ports across the estate, discovered with `naabu`.
- Service and version data from a targeted `nmap` scan.
- Hidden directories brute-forced with `dirsearch`.
- Historical URLs and parameters extracted by `gau`.
- JavaScript files ripped from those endpoints, then cleaned with `uro`.
All of this lands in a single timestamped report folder. No mess, no manual merging, no "where did I save that file" moments.
The Pipeline
Every step feeds the next without human intervention. Here's the flow:
```text
Subfinder → crt.sh → Live Host Detection → Port Scan → Nmap → Dirsearch → GAU → JS Extraction → Normalization → Clean Reports
```
Deduplication happens automatically. Dead hosts are ignored early. Timeouts are built in so a single unresponsive server doesn't stall the whole operation. It feels like turning on a surveillance radar over a target's entire internet presence.
Using It Is Painfully Simple
Clone the repo, make it executable, and run it.
```bash
git clone https://github.com/IssanPy/MAXMAP.git
cd MAXMAP
chmod +x maxmap.sh
./maxmap.sh target.com
```
Miss a dependency? MAXMAP installs it for you on the first run if you let it. You don't need to chase Go tools or Python packages manually. It's built to work on a fresh Kali install.
What You're Left With
After the scan, you'll have a directory like `maxmap_reports/target.com_2026-05-28_14-32/` containing:
- `all_subdomains.txt`: every subdomain discovered.
- `subdomains_alive_urls.txt`: live HTTP/HTTPS URLs ready for fuzzing.
- `naabu_ports.txt`: open ports across all hosts.
- `nmap_full.txt`: service banners and versions.
- `directory.txt`: interesting directories and files.
- `filterparam.txt`: unique parameters waiting for injection tests.
- `jsfiles_uro.txt`: clean JavaScript URLs begging to be crawled.
It's not raw telemetry; it's a curated attack surface, organized for immediate action. Whether you're hunting IDORs, XSS, info leaks, or subdomain takeovers, everything you need is already sitting in that folder.
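An added example, not part of MAXMAP or the original post: when the scan is run on a schedule against a domain you are responsible for, comparing two timestamped report folders shows which subdomains, live URLs and open ports appeared since the previous run. It assumes each report file holds one entry per line; the script name `drift.sh` and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of MAXMAP: list what is new between two report
# folders produced by scanning a domain you are responsible for.
# Assumption: every tracked report file holds one entry per line.

# Report files (names taken from the article) compared between runs.
TRACKED_FILES="all_subdomains.txt subdomains_alive_urls.txt naabu_ports.txt"

# normalized FILE: strip CRs and surrounding whitespace, drop blank lines,
# then sort and deduplicate. A missing file is treated as empty.
normalized() {
    [ -f "$1" ] || return 0
    tr -d '\r' < "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        | LC_ALL=C sort -u
}

# new_entries OLD_DIR NEW_DIR FILE: entries found only in the newer run.
new_entries() {
    old_tmp=$(mktemp) && new_tmp=$(mktemp) || return 1
    normalized "$1/$3" > "$old_tmp"
    normalized "$2/$3" > "$new_tmp"
    LC_ALL=C comm -13 "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# drift_report OLD_DIR NEW_DIR: print "file<TAB>entry" for each new entry.
# Returns 1 when something new appeared, so cron or CI can alert on it.
drift_report() {
    out=$(for f in $TRACKED_FILES; do
              new_entries "$1" "$2" "$f" | awk -v f="$f" '{ print f "\t" $0 }'
          done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use: ./drift.sh OLD_REPORT_DIR NEW_REPORT_DIR
if [ "$#" -eq 2 ]; then
    drift_report "$1" "$2"
fi
```

A non-zero exit status means the exposed surface grew between the two runs, which is the signal worth reviewing before anyone else finds the new host or port.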
Why It Matters
Recon is where most bugs are found, but it's also where most hunters burn out before they even start testing. MAXMAP removes the repetitive grind so you can spend your time doing the part that actually matters: thinking like an attacker and exploiting the weaknesses the scan uncovered. I wrote this tool because I was tired of the noise. I wanted one command that answered the question "What the hell is actually out there?" and gave me a clean map of the territory. Now I start every hunt with MAXMAP, and within minutes I know more about the target than most people learn in hours.
Get Started
The code is open-source under MIT. If you believe recon should be fast, complete, and human-centric, give it a star and take it for a spin.
Recon hard. Hunt clean. Let the machine do the grunt work.