• Summary
• Install
• Usage
• Running reconFTW
• Sample Video
• Features
• Mindmap/Workflow
• Need help?
• Contribute
• Thanks

reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform enumeration and finding out vulnerabilities.

• Installation Guide 📖
• Requires Golang > 1.14 installed and paths correctly set ($GOPATH, $GOROOT)

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw
▶ chmod +x *.sh
▶ ./install.sh
▶ ./reconftw.sh -d target.com -a

▶ docker pull six2dez/reconftw:main
▶ docker run -it six2dez/reconftw:main /bin/bash

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw/Docker
▶ docker build -t reconftw .
▶ docker run -it reconftw /bin/bash

• Through reconftw.config file the whole execution of the tool can be controlled.
• Hunters can set various scanning modes, execution preferences, tools config files, APIs/TOKENS, personalized wordlists

#################################################################
#			reconFTW config file			#
#################################################################

# TERM COLOURS
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
yellow='\033[0;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
reset='\033[0m'

# General values
tools=~/Tools
NPROC=$(nproc || echo -n 1)
output=${dir}/Recon/${domain}

# Tools config files
#NOTIFY_CONFIG=~/.config/notify/notify.conf # No need to define
#SUBFINDER_CONFIG=~/.config/subfinder/config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens

# APIs/TOKENS
SHODAN_API_KEY=XXXXXXXXXXXXX
XSS_SERVER=reconftw.xss.ht
COLLAB_SERVER=webhook.site/e3d6156b
findomain_virustotal_token=XXXXXXXXXXXXXXXXX
findomain_spyse_token=XXXXXXXXXXXXXXXXX
findomain_securitytrails_token=XXXXXXXXXXXXXXXXX
findomain_fb_token=XXXXXXXXXXXXXXXXX

# File descriptors
DEBUG_STD="&>/dev/null"
DEBUG_ERROR="2>/dev/null"

# Steps
DORKS=true
SUBCRT=true
SUBBRUTE=true
SUBSCRAPING=true
SUBPERMUTE=true
SUBTAKEOVER=true
WEBPROBEFULL=true
WEBSCREENSHOT=true
PORTSCANNER=true
PORTSCAN_PASSIVE=true
PORTSCAN_ACTIVE=true
NUCLEICHECK=true
URL_GF=true
JSCHECKS=true
PARAMS=true
XSS=true
GITHUB=true
FAVICON=true
FUZZ=true
CMS_SCANNER=true
CORS=true
TEST_SSL=true
OPEN_REDIRECT=true
SSRF_CHECKS=true
CRLF_CHECKS=true
LFI=true
SSTI=true
SQLI=true
BROKENLINKS=true
WORDLIST=true

# Extra features
NOTIFICATION=false
DEEP=false
FULLSCOPE=false
DIFF=false
REMOVETMP=false

## HTTP options
COOKIE=""
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"

# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
resolvers=${tools}/resolvers.txt

TARGET OPTIONS

MODE OPTIONS

GENERAL OPTIONS

To perform a full recon on single target (may take a significant time)

▶ ./reconftw.sh -d example.com -r

To perfrom a full recon on a list of targets

▶ ./reconftw.sh -l sites.txt -r -o /output/directory/

Perform all steps (recon + attacks)

▶ ./reconftw.sh -d example.com -a

Perform full recon with more intense tasks (VPS intended)

▶ ./reconftw.sh -d example.com -r --deep -o /output/directory/

Perform a wide scope recon on a target (may include false positives)

▶ ./reconftw.sh -d example.com -r --fs -o /output/directory/

Perform recon in a multi domain target

▶ ./reconftw.sh -m company -l domainsList.txt

Show help section

▶ ./reconftw.sh -h

• Domain information parser (domainbigdata)
• Emails addresses and users (theHarvester)
• Password leaks (pwndb and H8mail)
• Metadata finder (MetaFinder)
• Google Dorks (degoogle_hunter)
• Github Dorks (GitDorker)
• Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
  • Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls, github-subdomains, Anubis and mildew)
  • Certificate transparency (crtfinder, tls.bufferover and dns.bufferover))
  • Bruteforce (shuffledns)
  • Permutations (dnsgen)
  • Source Code Scraping (gospider)
  • CNAME Records (dnsx)
• Nuclei Sub TKO templates (nuclei)
• Web Prober (httpx)
• Web screenshot (gowitness)
• Web templates scanner (nuclei)
• IP and subdomains WAF checker (cf-check and wafw00f)
• Port Scanner (Active with nmap and passive with shodan-cli)
• Url extraction (waybackurls, gau, gospider, github-endpoints)
• Pattern Search (gf and gf-patterns)
• Param discovery (paramspider and arjun)
• XSS (XSStrike)
• Open redirect (Openredirex)
• SSRF (headers asyncio_ssrf.py and param values with ffuf)
• CRLF (crlfuzz)
• Favicon Real IP (fav-up)
• Javascript analysis (LinkFinder, scripts from JSFScan)
• Fuzzing (ffuf)
• Cors (Corsy)
• LFI Checks (manual/ffuf)
• SQLi Check (SQLMap)
• SSTI (manual/ffuf)
• CMS Scanner (CMSeeK)
• SSL tests (testssl)
• Multithread in some steps (Interlace)
• Broken Links Checker (gospider)
• Docker container included and DockerHub integration
• Custom output folder
• Polished installer compatible with most distros
• Diff support for continuous running (cron mode)
• Support for targets with multiple domains
• Update tools script
• RaspberryPi/ARM support
• 5 modes (recon, passive, subdomains, web and all)
• Out of Scope Support
• Notification support for Slack, Discord and Telegram (notify)

If you want to contribute to this project you can do it in multiple ways:

• Submitting an issue because you have found a bug or you have any suggestion or request.
• Making a Pull Request from dev branch because you want to improve the code or add something to the script.

• Take a look in the wiki
• Ask for help in the Telegram group

For their great feedback, support, help or for nothing special but well deserved:

• @detonXX
• @Bileltechno
• @cyph3r_asr
• @h4ms1k