- Summary
- Installation Instructions
- Usage
- Running reconFTW
- Sample Video
- 🔥 Features 🔥
- Mindmap/Workflow
- ⌛ Improvement plan ⌛
- Thanks
reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform enumeration and finding out vulnerabilities.
- Installation Guide 📖
- Requires Golang > 1.14 installed and paths correctly set ($GOPATH, $GOROOT)
â–¶ git clone https://github.com/six2dez/reconftw
â–¶ cd reconftw
â–¶ chmod +x *.sh
â–¶ ./install.sh
â–¶ ./reconftw.sh -d target.com -a
- Through
reconftw.config
file the whole execution of the tool can be controlled. - Hunters can set various scanning modes, execution preferences, tools config files, APIs/TOKENS, personalized wordlists
Click here to view default config file
#################################################################
# reconFTW config file #
#################################################################
# TERM COLOURS
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
yellow='\033[0;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
reset='\033[0m'
# General values
tools=~/Tools
NPROC=$(nproc || echo -n 1)
output=${dir}/Recon/${domain}
# Tools config files
#NOTIFY_CONFIG=~/.config/notify/notify.conf # No need to define
#SUBFINDER_CONFIG=~/.config/subfinder/config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens
# APIs/TOKENS
SHODAN_API_KEY=XXXXXXXXXXXXX
XSS_SERVER=reconftw.xss.ht
COLLAB_SERVER=webhook.site/e3d6156b
findomain_virustotal_token=XXXXXXXXXXXXXXXXX
findomain_spyse_token=XXXXXXXXXXXXXXXXX
findomain_securitytrails_token=XXXXXXXXXXXXXXXXX
findomain_fb_token=XXXXXXXXXXXXXXXXX
# File descriptors
DEBUG_STD="&>/dev/null"
DEBUG_ERROR="2>/dev/null"
# Steps
DORKS=true
SUBCRT=true
SUBBRUTE=true
SUBSCRAPING=true
SUBPERMUTE=true
SUBTAKEOVER=true
WEBPROBEFULL=true
WEBSCREENSHOT=true
PORTSCANNER=true
PORTSCAN_PASSIVE=true
PORTSCAN_ACTIVE=true
NUCLEICHECK=true
URL_GF=true
JSCHECKS=true
PARAMS=true
XSS=true
GITHUB=true
FAVICON=true
FUZZ=true
CMS_SCANNER=true
CORS=true
TEST_SSL=true
OPEN_REDIRECT=true
SSRF_CHECKS=true
CRLF_CHECKS=true
LFI=true
SSTI=true
SQLI=true
BROKENLINKS=true
WORDLIST=true
# Extra features
NOTIFICATION=false
DEEP=false
FULLSCOPE=false
DIFF=false
REMOVETMP=false
## HTTP options
COOKIE=""
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"
# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
resolvers=${tools}/resolvers.txt
TARGET OPTIONS
Flag | Description |
---|---|
-d | Target domain (example.com) |
-l | Target list (one per line) |
-x | Exclude subdomains list (Out Of Scope) |
MODE OPTIONS
Flag | Description |
---|---|
-a | Perform full recon |
-s | Full subdomain scan (Subs, tko and probe) |
-g | Gentle mode (Dorks, Subs, webprobe, screenshots, ports passive, favicon, cms and cors ) |
-w | Perform web checks only without subs (-l required) |
-i | Check whether tools required are present or not |
-v | Verbose/Debug Mode |
-h | Show help section |
GENERAL OPTIONS
Flag | Description |
---|---|
--deep | Deep scan (Enable some slow options for deeper scan) |
--fs | Full scope (Enable the widest scope * .domain. * options) |
-o | Output directory |
To perform a full recon on single target (may take a significant time)
â–¶ ./reconftw.sh -d example.com -a
To perfrom a full recon on a list of targets
â–¶ ./reconftw.sh -l sites.txt -a -o /output/directory/
Perform full recon with more intense tasks (VPS intended)
â–¶ ./reconftw.sh -d example.com -a --deep -o /output/directory/
Perform a wide scope recon on a target (may include false positives)
â–¶ ./reconftw.sh -d example.com -a --fs -o /output/directory/
Check whether all required tools are present or not
â–¶ ./reconftw.sh -i
Show help section
â–¶ ./reconftw.sh -h
-
Google Dorks (degoogle_hunter)
-
Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Certificate transparency (crtfinder, tls.bufferover and dns.bufferover))
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Source Code Scraping (hakrawler)
- CNAME Records (dnsx)
-
Nuclei Sub TKO templates (nuclei)
-
Web Prober (httpx)
-
Web screenshot (webscreenshot)
-
Template scanner (nuclei)
-
Port Scanner (Active with nmap and passive with shodan-cli)
-
Url extraction (waybackurls, gau, hakrawler, github-endpoints)
-
Pattern Search (gf and gf-patterns)
-
Param discovery (paramspider and arjun)
-
XSS (XSStrike)
-
Open redirect (Openredirex)
-
SSRF (headers asyncio_ssrf.py and param values with ffuf)
-
CRLF (crlfuzz)
-
Github (GitDorker)
-
Favicon Real IP (fav-up)
-
Javascript analysis (LinkFinder, scripts from JSFScan)
-
Fuzzing (ffuf)
-
Cors (Corsy)
-
LFI Checks (manual/ffuf)
-
SQLi Check (SQLMap)
-
SSTI (manual/ffuf)
-
CMS Scanner (CMSeeK)
-
SSL tests (testssl)
-
Multithread in some steps (Interlace)
-
Broken Links Checker (manual/wget spider)
-
Gentle mode (only passive and low noise steps)
-
Docker support
-
Custom output folder
-
Polished installer compatible with most distros
-
Verbose mode
-
Diff support for continuous running (cron mode)
-
Update tools script
-
Raspberry Pi support
-
Out of Scope Support
-
Notification support for Slack, Discord and Telegram (notify)
For their great feedback, support, help or for nothing special but well deserved: