- Summary
- Installation Instructions
- Usage
- Running ReconFTW
- Sample Video
- 🔥 Features 🔥
- Mindmap/Workflow
- ⌛ Improvement plan ⌛
- Thanks
ReconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.
- Installation Guide 📖
- Requires Golang > 1.14 installed and paths correctly set ($GOPATH, $GOROOT)
â–¶ git clone https://github.com/six2dez/reconftw
â–¶ cd reconftw
â–¶ chmod +x *.sh
â–¶ ./install.sh
â–¶ ./reconftw.sh -d target.com -a- It is highly recommended, and in some cases essential, to set your API keys or env variables:
- amass config file (
~/.config/amass/config.ini) - subfinder config file (
~/.config/subfinder/config.yaml) - GitHub tokens file (
~/Tools/.github_tokens) Recommended > 5, see how to create here - favup API (
shodan init <SHODAN-API-KEY>) - SSRF Server var (
COLLAB_SERVERenv var) - Blind XSS Server var (
XSS_SERVERenv var) - Notify config file (
~/.config/notify/notify.conf)
- amass config file (
TARGET OPTIONS
| Flag | Description |
|---|---|
| -d | Target domain (example.com) |
| -l | Target list (one per line) |
| -x | Exclude subdomains list (Out Of Scope) |
MODE OPTIONS
| Flag | Description |
|---|---|
| -a | Perform full recon |
| -s | Full subdomain scan (Subs, tko and probe) |
| -w | Perform web checks only without subs (-l required) |
| -i | Check whether tools required are present or not |
| -v | Verbose/Debug Mode |
| -h | Show help section |
GENERAL OPTIONS
| Flag | Description |
|---|---|
| --deep | Deep scan (Enable some slow options for deeper scan) |
| --fs | Full scope (Enable the widest scope * .domain. * options) |
| -o | Output directory |
To perform a full recon on single target (may take a significant time)
â–¶ ./reconftw.sh -d example.com -aTo perfrom a full recon on a list of targets
â–¶ ./reconftw.sh -l sites.txt -a -o /output/directory/Perform full recon with more intense tasks (VPS intended)
â–¶ ./reconftw.sh -d example.com -a --deep -o /output/directory/Perform a wide scope recon on a target (may include false positives)
â–¶ ./reconftw.sh -d example.com -a --fs -o /output/directory/Check whether all required tools are present or not
â–¶ ./reconftw.sh -iShow help section
â–¶ ./reconftw.sh -h
- Google Dorks (degoogle_hunter)
- Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Certificate transparency (crtfinder, tls.bufferover and dns.bufferover))
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Subdomain JS Scraping (JSFinder)
- Sub TKO (subzy and nuclei)
- Web Prober (httpx)
- Web screenshot (webscreenshot)
- Template scanner (nuclei)
- Port Scanner (naabu)
- Url extraction (waybackurls, gau, gospider, github-endpoints)
- Pattern Search (gf and gf-patterns)
- Param discovery (paramspider and arjun)
- XSS (XSStrike)
- Open redirect (Openredirex)
- SSRF (asyncio_ssrf.py)
- CRLF (crlfuzz)
- Github (GitDorker)
- Favicon Real IP (fav-up)
- Javascript analysis (LinkFinder, scripts from JSFScan)
- Fuzzing (ffuf)
- Cors (Corsy)
- SSL tests (testssl)
- Multithread in some steps (Interlace)
- Custom output folder (default under Recon/target.tld/)
- Run standalone steps (subdomains, subtko, web, gdorks...)
- Polished installer compatible with most distros
- Verbose mode
- Update tools script
- Raspberry Pi support
- Docker support
- CMS Scanner (CMSeeK)
- Out of Scope Support
- LFI Checks
- Notification support for Slack, Discord and Telegram (notify)
These are the next features that would come soon, take a look at all our pending features and feel free to contribute:
- Notification support
- HTML Report
- In Scope file support
- ASN/CIDR/Name allowed as target
You can support this work buying me a coffee:
For their great feedback, support, help or for nothing special but well deserved: