ReconFTW is a tool designed to perform automated reconnaissance on a target, chaining together one of the best toolkits for scanning and finding vulnerabilities.
Installation instructions
- Installation Guide
- Requires Golang > 1.14 installed and the paths set correctly ($GOPATH, $GOROOT)
▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw
▶ chmod +x *.sh
▶ ./install.sh
▶ ./reconftw.sh -d target.com -a
- It is highly recommended, and in some cases necessary, to define the API keys or the environment variables in:
- amass config file (~/.config/amass/config.ini)
- subfinder config file (~/.config/subfinder/config.yaml)
- GitHub tokens file (~/Tools/.github_tokens), recommended > 5; see how to create them here
- SSRF server (COLLAB_SERVER env var)
- Blind XSS server (XSS_SERVER env var)
- Notification config file (~/.config/notify/notify.conf)
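As an added example, not part of ReconFTW or the original page: a POSIX shell pre-flight script that checks the prerequisites listed above (Go newer than 1.14, GOPATH/GOROOT, the API config files and the collaborator environment variables) before a run is launched. The file paths and variable names are taken from the list above; the function names are my own.

```sh
#!/bin/sh
# Added example (not ReconFTW code): pre-flight checks for the prerequisites
# the installation notes list, so a run does not start half-configured.

# go_version_ok "go1.16.3": returns 0 when the Go version is at least 1.14.
go_version_ok() {
    ver=$(printf '%s' "$1" | sed -n 's/^go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]
}

# missing_configs HOME_DIR: prints each recommended config file that is
# absent under HOME_DIR and returns the number of missing files.
missing_configs() {
    home=$1
    count=0
    for f in .config/amass/config.ini \
             .config/subfinder/config.yaml \
             Tools/.github_tokens \
             .config/notify/notify.conf; do
        if [ ! -f "$home/$f" ]; then
            echo "missing: $home/$f"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# missing_env_vars: prints each unset collaborator variable, returns the count.
missing_env_vars() {
    count=0
    for v in COLLAB_SERVER XSS_SERVER; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "unset: $v"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# preflight: run every check against the live environment; succeeds only
# when Go is new enough, GOPATH/GOROOT are set and nothing is missing.
preflight() {
    gover=$(go version 2>/dev/null | awk '{print $3}')
    go_version_ok "$gover" || { echo "need Go > 1.14 (found: ${gover:-none})"; return 1; }
    [ -n "${GOPATH:-}" ] && [ -n "${GOROOT:-}" ] || { echo "set GOPATH and GOROOT"; return 1; }
    c=0; missing_configs "$HOME" || c=$?
    e=0; missing_env_vars || e=$?
    [ $((c + e)) -eq 0 ]
}
```

Run `preflight && ./reconftw.sh -d target.com -a` to start only when every check passes.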
Usage
TARGET OPTIONS
Flags | Description |
---|---|
-d | Target domain (example.com) |
-l | Target list (one per line) |
-x | Exclude subdomain list (out of scope) |
OPERATION OPTIONS
Flags | Description |
---|---|
-a | Perform full recon |
-s | Full subdomain scan (subs, takeover and probe) |
-w | Perform web checks (-l required) |
-i | Check whether the required tools are installed |
-v | Verbose / debug |
-h | Show help section |
GENERAL OPTIONS
Flags | Description |
---|---|
--deep | Deep scan (enables some slow options for a deeper scan) |
--fs | Full scope (enables the wider *.domain.* scope) |
-o | Output directory |
Run ReconFTW
To perform full recon on a single target (may take significant time)
▶ ./reconftw.sh -d example.com -a
Perform full recon with more intensive work (intended for a VPS)
▶ ./reconftw.sh -d example.com -a --deep -o /output/directory/
Check whether all the required tools are available
▶ ./reconftw.sh -i
Show help section
▶ ./reconftw.sh -h
Video example
Features
- Google dorks (degoogle_hunter)
- Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Certificate transparency (crtfinder and bufferover)
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Subdomain JS Scraping (JSFinder)
- Subdomain takeover (subzy and nuclei)
- Web Prober (httpx)
- Web screenshot (webscreenshot)
- Template scanner (nuclei)
- Port Scanner (naabu)
- URL extraction (waybackurls, gau, gospider, github-endpoints)
- Pattern Search (gf and gf-patterns)
- Param discovery (paramspider and arjun)
- XSS (XSStrike)
- Open redirect (Openredirex)
- SSRF (asyncio_ssrf.py)
- CRLF(crlfuzz)
- Github (GitDorker)
- Favicon Real IP (fav-up)
- JavaScript analysis (LinkFinder, scripts from JSFScan)
- Fuzzing (ffuf)
- CORS (corsy)
- SSL tests (testssl)
- Multithread in some steps (interlace)
- Custom output folder (default under Recon/target.tld/)
- Run standalone steps (subdomains, subtko, web, gdorks...)
- Polished installer compatible with most distros
- Verbose mode
- Update tools script
- Raspberry Pi support
- Docker support
- CMS Scanner (CMSeeK)
- Out-of-scope support
- LFI checks
- Notification support for Slack, Discord and Telegram (notify)
Mindmap / Workflow
Information on installing and using the program can be found here.