🚧 Warning 🚧
This is a live development project: until the first stable release (1.0) the master branch will be updated constantly. If you detect a bug, open an issue or ping me on Telegram or Twitter and I will do my best :)
ReconFTW automates reconnaissance of a target domain: it chains a curated set of tools to enumerate subdomains, probe the live hosts and check them for common vulnerabilities.
- Installation Guide 📖
- Requires Go > 1.14 installed, with $GOPATH and $GOROOT set correctly
▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw
▶ chmod +x *.sh
▶ ./install.sh
▶ ./reconftw.sh -d target.com -a
- It is highly recommended, and in some cases essential, to set your API keys or environment variables:
  - amass config file (`~/.config/amass/config.ini`)
  - subfinder config file (`~/.config/subfinder/config.yaml`)
  - GitHub tokens file (`~/Tools/.github_tokens`), recommended > 5 tokens, see how to create them here
  - fav-up API key (`shodan init <SHODAN-API-KEY>`)
  - SSRF server (`COLLAB_SERVER` env var)
  - Blind XSS server (`XSS_SERVER` env var)
  - notify config file (`~/.config/notify/notify.conf`)
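As an added example (not part of the reconftw project), a preflight script that checks the prerequisites above before a run: Go > 1.14 with `$GOPATH`/`$GOROOT` set are treated as hard failures, the recommended config files, token count and callback variables as warnings. The paths and thresholds are the README's defaults; the script name and the `[ok]`/`[warn]`/`[FAIL]` report format are my own choice.

```shell
#!/usr/bin/env bash
# reconftw_preflight.sh: added example, not part of the reconftw project.
# Checks the prerequisites the README lists before a run: Go > 1.14 with
# GOPATH/GOROOT set (hard failures), plus the recommended config files,
# GitHub tokens and callback env vars (warnings). Paths are the README
# defaults; the thresholds (Go > 1.14, more than 5 tokens) are the README's.

# go_version_ok HAVE MIN: true if HAVE ("1.16.3") is strictly newer than
# MIN ("1.14"), comparing major.minor numerically. Suffixes such as "rc1"
# on the minor number are ignored.
go_version_ok() {
  local have_major have_minor min_major min_minor
  have_major=${1%%.*}
  have_minor=${1#*.}; have_minor=${have_minor%%.*}; have_minor=${have_minor%%[!0-9]*}
  min_major=${2%%.*}
  min_minor=${2#*.}; min_minor=${min_minor%%.*}; min_minor=${min_minor%%[!0-9]*}
  [ "$have_major" -gt "$min_major" ] && return 0
  [ "$have_major" -eq "$min_major" ] && [ "$have_minor" -gt "$min_minor" ]
}

# installed_go_version: prints "1.16.3" parsed from `go version`, or fails
# if no go binary is on PATH.
installed_go_version() {
  command -v go >/dev/null 2>&1 || return 1
  go version | sed -E 's/.*go([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# count_github_tokens FILE: number of token lines (blank lines and '#'
# comments are skipped); 0 if the file does not exist or is unreadable.
count_github_tokens() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# env_is_set NAME: true if the named variable is set and non-empty.
env_is_set() {
  local val
  eval "val=\${$1:-}"
  [ -n "$val" ]
}

# preflight: print one line per check and return the number of hard failures.
preflight() {
  local fails=0 ver n f v
  ver=$(installed_go_version) || ver=""
  if [ -n "$ver" ] && go_version_ok "$ver" 1.14; then
    echo "[ok]   go $ver"
  else
    echo "[FAIL] Go > 1.14 required (found: ${ver:-none})"; fails=$((fails + 1))
  fi
  for v in GOPATH GOROOT; do
    if env_is_set "$v"; then echo "[ok]   $v set"; else echo "[FAIL] $v not set"; fails=$((fails + 1)); fi
  done
  for f in "$HOME/.config/amass/config.ini" "$HOME/.config/subfinder/config.yaml" \
           "$HOME/.config/notify/notify.conf"; do
    if [ -r "$f" ]; then echo "[ok]   $f"; else echo "[warn] $f missing (API keys recommended)"; fi
  done
  n=$(count_github_tokens "$HOME/Tools/.github_tokens")
  if [ "$n" -gt 5 ]; then echo "[ok]   $n GitHub tokens"; else echo "[warn] $n GitHub tokens (README recommends more than 5)"; fi
  for v in COLLAB_SERVER XSS_SERVER; do
    if env_is_set "$v"; then echo "[ok]   $v set"; else echo "[warn] $v unset (README: set it for the SSRF / blind XSS checks)"; fi
  done
  return "$fails"
}

preflight || echo "preflight: $? hard failure(s); fix them before running ./reconftw.sh"
```

Run it from the shell you will launch reconftw from, since `COLLAB_SERVER` and `XSS_SERVER` are read from that environment; the token count only looks at non-blank, non-comment lines, so a file padded with placeholders will be counted as real tokens.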
TARGET OPTIONS

| Flag | Description |
|---|---|
| -d | Target domain (example.com) |
| -l | Target list (one per line) |
| -x | Exclude subdomains list (out of scope) |

MODE OPTIONS

| Flag | Description |
|---|---|
| -a | Perform full recon |
| -s | Full subdomain scan (subdomains, takeovers and probing) |
| -w | Perform web checks only, without subdomain enumeration (-l required) |
| -i | Check whether the required tools are present |
| -v | Verbose/debug mode |
| -h | Show help section |

GENERAL OPTIONS

| Flag | Description |
|---|---|
| --deep | Deep scan (enables some slow options for a deeper scan) |
| --fs | Full scope (enables the widest scope, `*.domain.*` options) |
| -o | Output directory |
To perform a full recon on a single target (may take a significant time)
▶ ./reconftw.sh -d example.com -a
To perform a full recon on a list of targets
▶ ./reconftw.sh -l sites.txt -a -o /output/directory/
To perform a full recon with more intensive tasks (intended for a VPS)
▶ ./reconftw.sh -d example.com -a --deep -o /output/directory/
To perform a wide-scope recon on a target (may include false positives)
▶ ./reconftw.sh -d example.com -a --fs -o /output/directory/
Check whether all required tools are present
▶ ./reconftw.sh -i
Show help section
▶ ./reconftw.sh -h
- Google Dorks (degoogle_hunter)
- Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Certificate transparency (crtfinder and bufferover)
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Subdomain JS Scraping (JSFinder)
- Sub TKO (subjack and nuclei)
- Web Prober (httpx)
- Web screenshot (webscreenshot)
- Template scanner (nuclei)
- Port Scanner (naabu)
- Url extraction (waybackurls, gau, gospider, github-endpoints)
- Pattern Search (gf and gf-patterns)
- Param discovery (paramspider and arjun)
- XSS (XSStrike)
- Open redirect (Openredirex)
- SSRF (asyncio_ssrf.py)
- CRLF (crlfuzz)
- Github (GitDorker)
- Favicon Real IP (fav-up)
- Javascript analysis (LinkFinder, scripts from JSFScan)
- Fuzzing (ffuf)
- Cors (Corsy)
- SSL tests (testssl)
- Multithreading in some steps (Interlace)
- Custom output folder (default under Recon/target.tld/)
- Run standalone steps (subdomains, subtko, web, gdorks...)
- Polished installer compatible with most distros
- Verbose mode
- Update tools script
- Raspberry Pi support
- Docker support
- CMS Scanner (CMSeeK)
- Out of Scope Support
- LFI Checks
- Notification support for Slack, Discord and Telegram (notify)
These features are planned next; take a look at all our pending features and feel free to contribute:
- Notification support
- HTML Report
- In Scope file support
- ASN/CIDR/Name allowed as target
You can support this work by buying me a coffee:
For their great feedback, support, help or for nothing special but well deserved: