
reconftw

⚠️ Warning ⚠️

This is a live development project; until the first stable release (1.0) it will be constantly updated in the master branch, so if you have detected any bug you can open an issue or ping me over Telegram (@six2dez) or Twitter (@six2dez1) and I will try to do my best :)

tl;dr

  • Requires Golang > 1.14 installed and env vars correctly set ($GOPATH, $GOROOT)
  • Run ./install.sh before first run (apt, rpm, pacman compatible)

git clone https://github.com/six2dez/reconftw
cd reconftw
chmod +x *.sh
./install.sh
./reconftw.sh -d target.com -a

Help

Summary

This is a simple script intended to perform a full recon on a target with multiple subdomains.

Features

  • Tools checker
  • Google Dorks (based on deggogle_hunter)
  • Subdomain enumeration (passive, resolution, bruteforce and permutations)
  • Sub TKO (subjack and nuclei)
  • Web Prober (httpx)
  • Web screenshot (aquatone)
  • Template scanner (nuclei)
  • Port Scanner (naabu)
  • URL extraction (waybackurls, gau, hakrawler, github-endpoints)
  • Pattern Search (gf and gf-patterns)
  • Param discovery (paramspider and arjun)
  • XSS (Gxss and dalfox)
  • Open redirect (Openredirex)
  • SSRF checks (from m4ll0k/Bug-Bounty-Toolz/SSRF.py)
  • Github Check (git-hound)
  • Favicon Real IP (fav-up)
  • JS Checks (LinkFinder, SecretFinder, scripts from JSFScan)
  • Fuzzing (ffuf)
  • CORS (Corsy)
  • SSL Check (testssl)
  • Interlace integration
  • Custom output folder (default under Recon/target.com/)
  • Run standalone steps (subdomains, subtko, web, gdorks...)
  • Polished installer compatible with most distros
  • Verbose mode
  • Update tools script

Mindmap/Workflow

Mindmap

Requirements

  • Golang > 1.14 installed and env vars correctly set ($GOPATH, $GOROOT)
  • Run ./install.sh

The installer is provided as is. Nobody knows your system better than you, so nobody can debug your system better than you. If you are experiencing issues with the installer script I can help you out, but keep in mind that it is not my main priority.

  • It is highly recommended, and in some cases essential, to set your API keys or env vars:
    • amass (~/.config/amass/config.ini)
    • subfinder (~/.config/subfinder/config.yaml)
    • git-hound (~/.githound/config.yml)
    • github-endpoints.py (GITHUB_TOKEN env var)
    • favup (shodan init SHODANPAIDAPIKEY)
    • SSRF Server (COLLAB_SERVER env var)
    • Blind XSS Server (XSS_SERVER env var)
  • This script uses dalfox with the blind-xss option; you must change it to your own server, check xsshunter.com.
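A pre-flight check for the requirements above, as an added example that is not part of reconftw: it assumes go is on PATH, treats the Go requirement as "at least 1.14", and uses the config paths and variable names listed in this README.

```shell
#!/usr/bin/env sh
# Pre-flight check for the reconftw requirements listed above (added example,
# not reconftw's own code). Config paths and variable names come from the README.

# version_ge A B: succeed when dotted version A is at least B (1.16.3 >= 1.14)
version_ge() {
    _am=${1%%.*}; _an=${1#*.}; [ "$_an" != "$1" ] || _an=0; _an=${_an%%.*}
    _bm=${2%%.*}; _bn=${2#*.}; [ "$_bn" != "$2" ] || _bn=0; _bn=${_bn%%.*}
    [ "$_am" -gt "$_bm" ] || { [ "$_am" -eq "$_bm" ] && [ "$_an" -ge "$_bn" ]; }
}

# go_version: print the installed Go version (e.g. 1.16.3); empty if go is absent
go_version() {
    go version 2>/dev/null | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# missing_env NAME...: one line per listed variable that is unset or empty
missing_env() {
    for _v in "$@"; do
        eval "_val=\${$_v:-}"
        [ -n "$_val" ] || echo "env var not set: $_v"
    done
    return 0
}

# missing_files PATH...: one line per listed config file that does not exist
missing_files() {
    for _f in "$@"; do
        [ -f "$_f" ] || echo "config file not found: $_f"
    done
    return 0
}

# preflight: print every unmet requirement; status 0 only when nothing is missing
preflight() {
    _gv=$(go_version)
    if [ -z "$_gv" ]; then _p="go is not installed or not on PATH"
    elif version_ge "$_gv" 1.14; then _p=""
    else _p="go $_gv is older than the required 1.14"; fi
    _p="$_p
$(missing_env GOPATH GOROOT GITHUB_TOKEN COLLAB_SERVER XSS_SERVER)
$(missing_files "$HOME/.config/amass/config.ini" \
                "$HOME/.config/subfinder/config.yaml" "$HOME/.githound/config.yml")"
    _p=$(printf '%s\n' "$_p" | sed '/^$/d')
    [ -z "$_p" ] && return 0
    printf '%s\n' "$_p"; return 1
}
if preflight; then echo "all reconftw requirements satisfied"
else echo "fix the items above before running ./reconftw.sh"; fi
```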

Usage examples

Full scan:

./reconftw.sh -d target.com -a

Subdomains scan:

./reconftw.sh -d target.com -s

Web scan (target list required):

./reconftw.sh -d target.com -l targets.txt -w

Dorks:

./reconftw.sh -d target.com -g

Improvement plan:

Anyone can take one of these features and start working on it; just ping me so I can keep it in mind and avoid duplicate effort:

(yeah, this has become my backlog)

  • Notification support for Slack, Discord and Telegram (slackcat? notify.sh?)
  • CMS tools (wpscan, drupwn/droopescan, joomscan)
  • Add menu option for every feature
  • CRLF checks, manual or this scanner
  • Fast mode (like -a but only passive checks, maxtime, etc.)
  • Docker image
  • Diff support
  • Performance options to avoid net overload (soft, default, hard)
  • Nice and easily readable final html report
  • Add autosubtakeover before subjack
  • Public S3 Checker, this or this
  • Check git-hound replacements (GitGraber or truffleHog or other)
  • Metadata Checks (pymeta)
  • Check xsstrike instead of dalfox
  • Open Redirect with Openredirex
  • SSRF Checks
  • More error checks
  • More verbose
  • Enhance this Readme
  • Customize output folder
  • Interlace usage
  • Crawler
  • SubDomainizer
  • Install script
  • Apt,rpm,pacman compatible installer

You can support this work by buying me a coffee:

Thanks

For their great feedback, support, help or for nothing special but well deserved:

Contributors

six2dez, bileltechno, anugrahsr, hackingguy, sidxparab
