git clone https://github.com/six2dez/reconftw
cd reconftw
chmod +x *.sh
./install.sh
./reconftw.sh -d target.com -a
Important: run install script or set your tools path in the script in $tools var (line 10)
This is a simple script intended to perform a full recon on an objective with multiple subdomains. It performs multiples steps listed below:
- Tools checker
- Google Dorks (based on deggogle_hunter)
- Subdomain enumeration (multiple tools: passive, resolution, bruteforce and permutations)
- Sub TKO (subjack and nuclei)
- Probing (httpx)
- Websscreenshot (aquatone)
- Template scanner (nuclei)
- Port Scan (naabu)
- Url extraction (waybackurls and gau)
- Pattern Search (gf and gf-patterns)
- Param discovery (paramspider and arjun)
- XSS (Gxss and dalfox)
- Github Check (git-hound)
- Favicon Real IP (fav-up)
- Javascript Checks (JSFScan.sh)
- Directory fuzzing/discovery (dirsearch and ffuf)
- Cors (CORScanner)
- SSL Check (testssl)
Also you can perform just subdomain scan, webscan or google dorks. Remember webscan needs target lists with -l flag.
It generates and output in Recon/ folder with the name of the target domain, for example Recon/target.com/
- Enhance this Readme
- Customize output folder
- Interlace usage
- Notification support (Slack, Discord and Telegram)
- CMS tools (wpscan, drupwn/droopescan, joomscan)
- Any other interesting suggestion