Skip to main content
  1. All Posts/

reconftw

Tools Shell

reconFTW


<p>
  </a><br /> <a rel="nofollow noopener" target="_blank" href="https://hub.docker.com/r/six2dez/reconftw"></p> 
  
  <p>
    </a>
  </p>
  
  <h3 align="center" dir="auto">
    <a rel="nofollow noopener" target="_blank" id="user-content-summary" class="anchor" aria-hidden="true" href="#summary"></a>Summary
  </h3>
  
  <p>
    <strong>ReconFTW</strong> automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.<br /> ReconFTW uses a lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records&#8230;) for subdomain enumeration which helps you to get the maximum and the most interesting subdomains so that you be ahead of the competition.<br /> It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, ports scanning, screenshots, nuclei scan on your target.<br /> So, what are you waiting for? Go! Go! Go! đŸ’Ĩ
  </p>
  
  <h2 dir="auto">
    <a rel="nofollow noopener" target="_blank" id="user-content--table-of-contents" class="anchor" aria-hidden="true" href="#-table-of-contents"></a>📔 Table of Contents
  </h2>
  
  <ul dir="auto">
    <li>
      <a rel="nofollow noopener" target="_blank" href="#-installation">đŸ’ŋ Installation:</a></p> <ul dir="auto">
        <li>
          <a rel="nofollow noopener" target="_blank" href="#a-in-your-pcvpsvm">a) In your PC/VPS/VM</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#b-docker-image--3-options">b) Docker Image đŸŗ (3 options)</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#c-terraform--ansible">c) Terraform + Ansible</a>
        </li>
      </ul>
    </li>
    
    <li>
      <a rel="nofollow noopener" target="_blank" href="#%EF%B8%8F-config-file">⚙ī¸ Config file:</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#usage">Usage:</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#example-usage">Example Usage:</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#axiom-support-cloud">Axiom Support: ☁ī¸</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#bbrf-support-computer">BBRF Support: đŸ’ģ</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#sample-video">Sample video:</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#fire-features-fire">đŸ”Ĩ Features đŸ”Ĩ</a></p> <ul dir="auto">
        <li>
          <a rel="nofollow noopener" target="_blank" href="#osint">Osint</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#subdomains">Subdomains</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#hosts">Hosts</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#webs">Webs</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#vulnerability-checks">Vulnerability checks</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#extras">Extras</a>
        </li>
      </ul>
    </li>
    
    <li>
      <a rel="nofollow noopener" target="_blank" href="#mindmapworkflow">Mindmap/Workflow</a></p> <ul dir="auto">
        <li>
          <a rel="nofollow noopener" target="_blank" href="#data-keep">Data Keep</a></p> <ul dir="auto">
            <li>
              <a rel="nofollow noopener" target="_blank" href="#main-commands">Main commands:</a>
            </li>
          </ul>
        </li>
        
        <li>
          <a rel="nofollow noopener" target="_blank" href="#how-to-contribute">How to contribute:</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#need-help-information_source">Need help? ℹī¸</a>
        </li>
        <li>
          <a rel="nofollow noopener" target="_blank" href="#support-this-project">Support this project</a></p> <ul dir="auto">
            <li>
              <a rel="nofollow noopener" target="_blank" href="#buymeacoffee">Buymeacoffee</a>
            </li>
            <li>
              <a rel="nofollow noopener" target="_blank" href="#digitalocean-referral-link">DigitalOcean referral link</a>
            </li>
            <li>
              <a rel="nofollow noopener" target="_blank" href="#github-sponsorship">GitHub sponsorship</a>
            </li>
          </ul>
        </li>
      </ul>
    </li>
    
    <li>
      <a rel="nofollow noopener" target="_blank" href="#sponsors-%EF%B8%8F">Sponsors ❤ī¸</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#thanks-pray">Thanks 🙏</a>
    </li>
    <li>
      <a rel="nofollow noopener" target="_blank" href="#disclaimer">Disclaimer</a>
    </li>
  </ul>
  
  <h1 dir="auto">
    <a rel="nofollow noopener" target="_blank" id="user-content--installation" class="anchor" aria-hidden="true" href="#-installation"></a>đŸ’ŋ Installation:
  </h1>
  
  <h2 dir="auto">
    <a rel="nofollow noopener" target="_blank" id="user-content-a-in-your-pcvpsvm" class="anchor" aria-hidden="true" href="#a-in-your-pcvpsvm"></a>a) In your PC/VPS/VM
  </h2>
  
  <blockquote>
    <p>
      You can check out our wiki for the installation guide Installation Guide 📖
    </p>
  </blockquote>
  
  <ul dir="auto">
    <li>
      Requires <a rel="nofollow noopener" target="_blank" href="https://golang.org/dl/">Golang</a> > <strong>1.15.0+</strong> installed and paths correctly set (<strong>$GOPATH</strong>, <strong>$GOROOT</strong>)
    </li>
  </ul>
  
  <pre>git clone https://github.com/six2dez/reconftw

cd reconftw/ ./install.sh ./reconftw.sh -d target.com -r

  <h2 dir="auto">
    <a rel="nofollow noopener" target="_blank" id="user-content-b-docker-image--3-options" class="anchor" aria-hidden="true" href="#b-docker-image--3-options"></a>b) Docker Image đŸŗ (3 options)
  </h2>
  
  <ul dir="auto">
    <li>
      Pull the image
    </li>
  </ul>
  
  <pre>$ docker pull six2dez/reconftw:main</pre>
  
  <ul dir="auto">
    <li>
      Run the container
    </li>
  </ul>
  
  <pre class="notranslate"><code>$ docker run -it --rm 

-v “${PWD}/OutputFolder/”:’/reconftw/Recon/’ six2dez/reconftw:main -d example.com -r

  <p>
    However, if you wish to:
  </p>
  
  <ol dir="auto">
    <li>
      Dynamically modify the behaviour & function of the image
    </li>
    <li>
      Build your own container
    </li>
    <li>
      Build an Axiom Controller on top of the official image
    </li>
  </ol>
  
  <p>
    Please refer to the Docker documentation.
  </p>
  
  <h2 dir="auto">
    <a rel="nofollow noopener" target="_blank" id="user-content-c-terraform--ansible" class="anchor" aria-hidden="true" href="#c-terraform--ansible"></a>c) Terraform + Ansible
  </h2>
  
  <p>
    Yes! reconFTW can also be easily deployed with Terraform and Ansible to AWS, if you want to know how to do it, you can check the guide here
  </p>
  
  <h1 dir="auto">
    <a rel="nofollow noopener" target="_blank" id="user-content-ī¸-config-file" class="anchor" aria-hidden="true" href="#%EF%B8%8F-config-file"></a>⚙ī¸ Config file:
  </h1>
  
  <blockquote>
    <p>
      You can find a detailed explanation of the configuration file here 📖
    </p>
  </blockquote>
  
  <ul dir="auto">
    <li>
      Through <code>reconftw.cfg</code> file the whole execution of the tool can be controlled.
    </li>
    <li>
      Hunters can set various scanning modes, execution preferences, tools, config files, APIs/TOKENS, personalized wordlists and much more.
    </li>
  </ul>
  
  <p>
    👉 Click here to view default config file 👈
  </p>
  
  <pre>#################################################################
reconFTW config file >

reconFTW config file #

#################################################################

General values>

General values #

tools=~/Tools # Path installed tools SCRIPTPATH="$( cd “$(dirname “$0”)” >/dev/null 2>&1 ; pwd -P )" # Get current script’s path profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile reconftw_version=$(git rev-parse –abbrev-ref HEAD)-$(git describe –tags) # Fetch current reconftw version generate_resolvers=false # Generate custom resolvers with dnsvalidator update_resolvers=true # Fetch and rewrite resolvers before DNS resolution proxy_url=“http://127.0.0.1:8080/” # Proxy url install_golang=true # Set it to false if you already have Golang configured and ready #dir_output=/custom/output/path

Golang Vars (Comment or change on your own)>

Golang Vars (Comment or change on your own) #

export GOROOT=/usr/local/go export GOPATH=$HOME/go export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH

Tools config files>

Tools config files #

#NOTIFY_CONFIG=~/.config/notify/provider-config.yaml # No need to define AMASS_CONFIG=~/.config/amass/config.ini GITHUB_TOKENS=${tools}/.github_tokens #CUSTOM_CONFIG=custom_config_path.txt # In case you use a custom config file, uncomment this line and set your files path

APIs/TOKENS - Uncomment the lines you want removing the ‘#’ at the beginning of the line>

APIs/TOKENS - Uncomment the lines you want removing the ‘#’ at the beginning of the line #

#SHODAN_API_KEY=“XXXXXXXXXXXXX” #WHOISXML_API=“XXXXXXXXXX” #XSS_SERVER=“XXXXXXXXXXXXXXXXX” #COLLAB_SERVER=“XXXXXXXXXXXXXXXXX” #slack_channel=“XXXXXXXX” #slack_auth=“xoXX-XXX-XXX-XXX”

File descriptors>

File descriptors #

DEBUG_STD="&>/dev/null" # Skips STD output on installer DEBUG_ERROR=“2>/dev/null” # Skips ERR output on installer

Osint>

Osint #

OSINT=true # Enable or disable the whole OSINT module GOOGLE_DORKS=true GITHUB_DORKS=true GITHUB_REPOS=true METADATA=true # Fetch metadata from indexed office documents EMAILS=true # Fetch emails from differents sites DOMAIN_INFO=true # whois info REVERSE_WHOIS=true # amass intel reverse whois info, takes some time IP_INFO=true # Reverse IP search, geolocation and whois METAFINDER_LIMIT=20 # Max 250

Subdomains>

Subdomains #

RUNAMASS=true RUNSUBFINDER=true SUBDOMAINS_GENERAL=true # Enable or disable the whole Subdomains module SUBPASSIVE=true # Passive subdomains search SUBCRT=true # crtsh search SUBNOERROR=true # Check DNS NOERROR response and BF on them SUBANALYTICS=true # Google Analytics search SUBBRUTE=true # DNS bruteforcing SUBSCRAPING=true # Subdomains extraction from web crawling SUBPERMUTE=true # DNS permutations PERMUTATIONS_OPTION=gotator # The alternative is “ripgen” (faster, not deeper) GOTATOR_FLAGS="-depth 1 -numbers 3 -mindup -adv -md" # Flags for gotator SUBTAKEOVER=false # Check subdomain takeovers, false by default cuz nuclei already check this SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries DEEP_RECURSIVE_PASSIVE=10 # Number of top subdomains for recursion SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve ZONETRANSFER=true # Check zone transfer S3BUCKETS=true # Check S3 buckets misconfigs REVERSE_IP=false # Check reverse IP subdomain search (set True if your target is CIDR/IP) TLS_PORTS=“21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,684,695,832,853,854,990,993,989,992,994,995,1129,1131,1184,2083,2087,2089,2096,2221,2252,2376,2381,2478,2479,2482,2484,2679,2762,3077,3078,3183,3191,3220,3269,3306,3410,3424,3471,3496,3509,3529,3539,3535,3660,36611,3713,3747,3766,3864,3885,3995,3896,4031,4036,4062,4064,4081,4083,4116,4335,4336,4536,4590,4740,4843,4849,5443,5007,5061,5321,5349,5671,5783,5868,5986,5989,5990,6209,6251,6443,6513,6514,6619,6697,6771,7202,7443,7673,7674,7677,7775,8243,8443,8991,8989,9089,9295,9318,9443,9444,9614,9802,10161,10162,11751,12013,12109,14143,15002,16995,41230,16993,20003” INSCOPE=false # Uses inscope tool to filter the scope, requires .scope file in reconftw folder

Web detection>

Web detection #

WEBPROBESIMPLE=true # Web probing on 80/443 WEBPROBEFULL=true # Web probing in a large port list WEBSCREENSHOT=true # Webs screenshooting VIRTUALHOSTS=false # Check virtualhosts by fuzzing HOST header NMAP_WEBPROBE=true # If disabled it will run httpx directly over subdomains list, nmap before web probing is used to increase the speed and avoid repeated requests UNCOMMON_PORTS_WEB=“81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3001,3002,3003,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672”

You can change to aquatone if gowitness fails, comment the one you don’t want>

You can change to aquatone if gowitness fails, comment the one you don’t want #

AXIOM_SCREENSHOT_MODULE=webscreenshot # Choose between aquatone,gowitness,webscreenshot

Host>

Host #

FAVICON=true # Check Favicon domain discovery PORTSCANNER=true # Enable or disable the whole Port scanner module PORTSCAN_PASSIVE=true # Port scanner with Shodan PORTSCAN_ACTIVE=true # Port scanner with nmap CDN_IP=true # Check which IPs belongs to CDN

Web analysis>

Web analysis #

WAF_DETECTION=true # Detect WAFs NUCLEICHECK=true # Enable or disable…