reconFTW
A simple bash script for full recon
📔 Table of Contents
- 💿 Installation
- ⚙️ Config file
- Usage
- Axiom Support ☁️
- Sample video
- 🔥 Features 🔥
- Mindmap/Workflow
- Need help?
- Support this project
- Thanks 🙏
💿 Installation:
a) In your PC/VPS/VM
You can check out our wiki for the installation guide Installation Guide 📖
- Requires Golang > 1.15.0+ installed and paths correctly set ($GOPATH, $GOROOT)
▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw/
▶ ./install.sh
▶ ./reconftw.sh -d target.com -rb) Docker container 🐳 (2 options)
1) From DockerHub
▶ docker pull six2dez/reconftw:main
▶ docker run -it six2dez/reconftw:main /bin/bash
# Exit the container and run these commands additionally if you want to gain persistence:
▶ docker start $(docker ps -a|grep six2dez/reconftw:main|cut -d' ' -f1)
▶ docker exec -it $(docker ps -a|grep six2dez/reconftw:main|cut -d' ' -f1) /bin/bash
# Now you can exit the container and run again this command without files loss:
▶ docker exec -it $(docker ps -a|grep six2dez/reconftw:main|cut -d' ' -f1) /bin/bash2) From repository
▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw/Docker
▶ docker build -t reconftw .
▶ docker run -it reconftw /bin/bash⚙️ Config file:
A detailed explaintion of config file can be found here Configuration file 📖
- Through
reconftw.cfgfile the whole execution of the tool can be controlled. - Hunters can set various scanning modes, execution preferences, tools, config files, APIs/TOKENS, personalized wordlists and much more.
👉 Click here to view default config file 👈
#################################################################
# reconFTW config file #
#################################################################
# TERM COLORS
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
yellow='\033[0;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
reset='\033[0m'
# General values
tools=~/Tools
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
profile_shell=".$(basename $(echo $SHELL))rc"
reconftw_version=$(git branch --show-current)-$(git describe --tags)
update_resolvers=true
proxy_url="http://127.0.0.1:8080/"
#dir_output=/custom/output/path
# Golang Vars (Comment or change on your own)
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH
# Tools config files
#NOTIFY_CONFIG=~/.config/notify/notify.conf # No need to define
#SUBFINDER_CONFIG=~/.config/subfinder/config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens
# APIs/TOKENS - Uncomment the lines you set removing the '#' at the beginning of the line
#SHODAN_API_KEY="XXXXXXXXXXXXX"
#XSS_SERVER="XXXXXXXXXXXXXXXXX"
#COLLAB_SERVER="XXXXXXXXXXXXXXXXX"
#findomain_virustotal_token="XXXXXXXXXXXXXXXXX"
#findomain_spyse_token="XXXXXXXXXXXXXXXXX"
#findomain_securitytrails_token="XXXXXXXXXXXXXXXXX"
#findomain_fb_token="XXXXXXXXXXXXXXXXX"
slack_channel="XXXXXXXX"
slack_auth="xoXX-XXX-XXX-XXX"
# File descriptors
DEBUG_STD="&>/dev/null"
DEBUG_ERROR="2>/dev/null"
# Osint
OSINT=true
GOOGLE_DORKS=true
GITHUB_DORKS=true
METADATA=true
EMAILS=true
DOMAIN_INFO=true
# Subdomains
SUBCRT=true
SUBBRUTE=true
SUBSCRAPING=true
SUBPERMUTE=true
SUBTAKEOVER=true
SUBRECURSIVE=true
ZONETRANSFER=true
S3BUCKETS=true
# Web detection
WEBPROBESIMPLE=true
WEBPROBEFULL=true
WEBSCREENSHOT=true
UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672"
# You can change to aquatone if gowitness fails, comment the one you don't want
AXIOM_SCREENSHOT_MODULE=gowitness
#AXIOM_SCREENSHOT_MODULE=aquatone
# Host
FAVICON=true
PORTSCANNER=true
PORTSCAN_PASSIVE=true
PORTSCAN_ACTIVE=true
CLOUD_IP=true
# Web analysis
WAF_DETECTION=true
NUCLEICHECK=true
URL_CHECK=true
URL_GF=true
URL_EXT=true
JSCHECKS=true
PARAMS=true
FUZZ=true
CMS_SCANNER=true
WORDLIST=true
# Vulns
XSS=true
CORS=true
TEST_SSL=true
OPEN_REDIRECT=true
SSRF_CHECKS=true
CRLF_CHECKS=true
LFI=true
SSTI=true
SQLI=true
BROKENLINKS=true
SPRAY=true
BYPASSER4XX=true
# Extra features
NOTIFICATION=false
DEEP=false
DIFF=false
REMOVETMP=false
PROXY=false
SENDZIPNOTIFY=false
# HTTP options
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"
# Threads
FFUF_THREADS=40
HTTPX_THREADS=50
HTTPX_UNCOMMONPORTS_THREADS=100
GOSPIDER_THREADS=50
GITDORKER_THREADS=5
BRUTESPRAY_THREADS=20
BRUTESPRAY_CONCURRENCE=10
ARJUN_THREADS=20
GAUPLUS_THREADS=10
DALFOX_THREADS=200
PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 is unlimited
PUREDNS_TRUSTED_LIMIT=400
DIRDAR_THREADS=200
# Timeouts
CMSSCAN_TIMEOUT=3600
FFUF_MAXTIME=900 # Seconds
HTTPX_TIMEOUT=15 # Seconds
HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Seconds
# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
subs_wordlist_big=${tools}/subdomains_big.txt
resolvers=${tools}/resolvers.txt
resolvers_trusted=${tools}/resolvers_trusted.txt
# Axiom Fleet
# Will not start a new fleet if one exist w/ same name and size (or larger)
AXIOM_FLEET_LAUNCH=true
AXIOM_FLEET_NAME="reconFTW"
AXIOM_FLEET_COUNT=5
AXIOM_FLEET_REGIONS=""
AXIOM_FLEET_SHUTDOWN=true
# This is a script on your reconftw host that might prep things your way...
#AXIOM_POST_START="$HOME/bin/yourScript"
Usage:
Check out the wiki section to know which flag performs what all steps/attacks Usage Guide 📖
TARGET OPTIONS
| Flag | Description |
|---|---|
| -d | Target domain (example.com) |
| -m | Multiple domain target (companyName) |
| -l | Target list (one per line) |
| -x | Exclude subdomains list (Out Of Scope) |
MODE OPTIONS
| Flag | Description |
|---|---|
| -r | Recon - Full recon process (without attacks like sqli,ssrf,xss,ssti,lfi etc.) |
| -s | Subdomains - Perform only subdomain enumeration, web probing, subdomain takeovers |
| -p | Passive - Perform only passive steps |
| -a | All - Perform whole recon and all active attacks |
| -w | Web - Just web checks on the list provided |
| -n | OSINT - Performs and OSINT scan, without subdomains |
| -h | Help - Show this help menu |
GENERAL OPTIONS
| Flag | Description |
|---|---|
| --deep | Deep scan (Enable some slow options for deeper scan, vps intended mode) |
| -o | Output directory |
Example Usage:
To perform a full recon on single target
▶ ./reconftw.sh -d target.com -rTo perform a full recon on a list of targets
▶ ./reconftw.sh -l sites.txt -r -o /output/directory/Perform all steps (whole recon + all attacks)
▶ ./reconftw.sh -d target.com -aPerform full recon with more time intense tasks (VPS intended only)
▶ ./reconftw.sh -d target.com -r --deep -o /output/directory/Perform recon in a multi domain target
▶ ./reconftw.sh -m company -l domains_list.txt -rShow help section
▶ ./reconftw.sh -hAxiom Support: ☁️
Check out the wiki section for more info Axiom Support
- Using
reconftw_axiom.shscript you can take advantage of running reconFTW with Axiom. - As reconFTW actively hits the target with a lot of web traffic, hence there was a need to move to Axiom distributing the work load among various instances leading to reduction of execution time.
- Currently except the
-aflag, all flags are supported when running with Axiom.
▶ ./reconftw_axiom.sh -d target.com -rSample video:
🔥 Features 🔥
- Domain information parser (domainbigdata)
- Emails addresses and users (theHarvester)
- Password leaks (pwndb and H8mail)
- Metadata finder (MetaFinder)
- Google Dorks (degoogle_hunter)
- Github Dorks (GitDorker)
- Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls, github-subdomains, Anubis and mildew)
- Certificate transparency (ctfr, tls.bufferover and dns.bufferover))
- Bruteforce (puredns)
- Permutations (DNScewl)
- JS files & Source Code Scraping (gospider)
- CNAME Records (dnsx)
- Nuclei Sub TKO templates (nuclei)
- Web Prober (httpx and naabu)
- Web screenshot (gowitness)
- Web templates scanner (nuclei)
- IP and subdomains WAF checker (cf-check and wafw00f)
- Port Scanner (Active with nmap and passive with shodan-cli)
- Url extraction (waybackurls, gauplus, gospider, github-endpoints)
- Pattern Search (gf and gf-patterns)
- Param discovery (paramspider and arjun)
- XSS (dalfox)
- Open redirect (Openredirex)
- SSRF (headers asyncio_ssrf.py and param values with ffuf)
- CRLF (crlfuzz)
- Favicon Real IP (fav-up)
- Javascript analysis (LinkFinder, scripts from JSFScan)
- Fuzzing (ffuf)
- Cors (Corsy)
- LFI Checks (manual/ffuf)
- SQLi Check (SQLMap)
- SSTI (manual/ffuf)
- CMS Scanner (CMSeeK)
- SSL tests (testssl)
- Multithread in some steps (Interlace)
- Broken Links Checker (gospider)
- S3 bucket finder (S3Scanner)
- Password spraying (brutespray)
- 4xx bypasser (DirDar)
- Custom resolvers generated list (dnsvalidator)
- DNS Zone Transfer (dnsrecon)
- Docker container included and DockerHub integration
- Cloud providers check (ip2provider)
- Resume the scan from last performed step
- Custom output folder option
- All in one installer/updater script compatible with most distros
- Diff support for continuous running (cron mode)
- Support for targets with multiple domains
- RaspberryPi/ARM support
- Send scan results zipped over Slack, Discord and Telegram
- 6 modes (recon, passive, subdomains, web, osint and all)
- Out of Scope Support
- Notification support for Slack, Discord and Telegram (notify)
Mindmap/Workflow
Data Keep
Follow these simple steps to end up having a private repository with your API Keys and /Recon data.
- Create a private blank repository on
Git(Hub|Lab)(Take into account size limits regarding Recon data upload) - Clone your project:
git clone https://gitlab.com/example/reconftw-data - Get inside the cloned repository:
cd reconftw-data - Create branch with an empty commit:
git commit --allow-empty -m "Empty commit" - Add official repo as a new remote:
git remote add upstream https://github.com/six2dez/reconftw(upstreamis an example) - Update upstream's repo:
git fetch upstream - Rebase current branch with the official one:
git rebase upstream/main master
Main commands:
- Upload changes to your personal repo:
git add . && git commit -m "Data upload" && git push origin master - Update tool anytime:
git fetch upstream && git rebase upstream/main master
How to contribute:
If you want to contribute to this project you can do it in multiple ways:
- Submitting an issue because you have found a bug or you have any suggestion or request.
- Making a Pull Request from dev branch because you want to improve the code or add something to the script.
Need help?
- Take a look in the wiki
- Ask for help in the Telegram group
You can support this work buying me a coffee:
Sponsors
This section shows the current financial sponsors of this project
Thanks 🙏
- Thank you for lending a helping hand towards the development of the project!