reconFTW

A simple bash script for full recon

• Summary
• Install
• Usage
• Running reconFTW
• Sample Video
• Features
• Mindmap/Workflow
• Need help?
• Contribute
• Thanks

Summary

reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform enumeration and finding out vulnerabilities.

Install

a) In your PC/VPS/VM

• Installation Guide 📖
• Requires Golang > 1.14 installed and paths correctly set ($GOPATH, $GOROOT)

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw
▶ chmod +x *.sh
▶ . ./install.sh
▶ ./reconftw.sh -d target.com -a

b) Docker container (2 options)

From DockerHub

▶ docker pull six2dez/reconftw:main
▶ docker run -it six2dez/reconftw:main /bin/bash

From repository

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw/Docker
▶ docker build -t reconftw .
▶ docker run -it reconftw /bin/bash

Config file

• Through reconftw.config file the whole execution of the tool can be controlled.
• Hunters can set various scanning modes, execution preferences, tools config files, APIs/TOKENS, personalized wordlists

Click here to view default config file

#################################################################
#			reconFTW config file			#
#################################################################

# TERM COLOURS
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
yellow='\033[0;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
reset='\033[0m'

# General values
tools=~/Tools
NPROC=$(nproc || echo -n 1)
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
profile_shell=".$(basename $(echo $SHELL))rc"
#dir_output=/custom/output/path

# Golang Vars (Comment or change on your own)
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH

# Tools config files
#NOTIFY_CONFIG=~/.config/notify/notify.conf # No need to define
#SUBFINDER_CONFIG=~/.config/subfinder/config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens

# APIs/TOKENS - Uncomment the lines you set removing the '#' at the beginning of the line
SHODAN_API_KEY=XXXXXXXXXXXXX
XSS_SERVER=six2dez.xss.ht
COLLAB_SERVER=i0m1y4j3fu.canarytokens.com
findomain_virustotal_token=XXXXXXXXXXXXXXXXX
findomain_spyse_token=XXXXXXXXXXXXXXXXX
findomain_securitytrails_token=XXXXXXXXXXXXXXXXX
findomain_fb_token=XXXXXXXXXXXXXXXXX

# File descriptors
DEBUG_STD="&>/dev/null"
DEBUG_ERROR="2>/dev/null"

# Osint
GOOGLE_DORKS=true
GITHUB_DORKS=false
METADATA=true
EMAILS=true
DOMAIN_INFO=true

# Subdomains
SUBCRT=true
SUBBRUTE=true
SUBSCRAPING=true
SUBPERMUTE=true
SUBTAKEOVER=true
ZONETRANSFER=true
S3BUCKETS=true

# Web detection
WEBPROBESIMPLE=true
WEBPROBEFULL=true
WEBSCREENSHOT=true

# Host
FAVICON=true
PORTSCANNER=true
PORTSCAN_PASSIVE=true
PORTSCAN_ACTIVE=true

# Web analysis
WAF_DETECTION=true
NUCLEICHECK=true
URL_CHECK=true
URL_GF=true
JSCHECKS=true
PARAMS=true
FUZZ=true
CMS_SCANNER=true
WORDLIST=true

# Vulns
XSS=true
CORS=true
TEST_SSL=true
OPEN_REDIRECT=true
SSRF_CHECKS=true
CRLF_CHECKS=true
LFI=true
SSTI=true
SQLI=true
BROKENLINKS=true
SPRAY=true
BYPASSER4XX=true

# Extra features
NOTIFICATION=true
DEEP=false
FULLSCOPE=false
DIFF=false
REMOVETMP=false

# HTTP options
COOKIE=""
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"

# Threads
FFUF_THREADS=40
HTTPX_THREADS=50
HTTPX_UNCOMMONPORTS_THREADS=150
SHUFFLEDNS_THREADS=5000
GOSPIDER_THREADS=50
GITDORKER_THREADS=5
XSSTRIKE_THREADS=30
BRUTESPRAY_THREADS=20
BRUTESPRAY_CONCURRENCE=10
ARJUN_THREADS=20

# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
subs_wordlist_big=${tools}/subdomains_big.txt
resolvers=${tools}/resolvers.txt

Usage

TARGET OPTIONS

Flag	Description
-d	Target domain (example.com)
-m	Multiple domain target (companyName)
-l	Target list (one per line)
-x	Exclude subdomains list (Out Of Scope)

MODE OPTIONS

Flag	Description
-r	Recon - Full recon process (only recon without attacks)
-s	Subdomains - Search subdomains, check tko and web probe
-p	Passive - Performs only passive steps
-a	All - Perform all checks and exploitations
-w	Web - Just web checks from list provided
-v	Verbose - Prints everything including errors, for debug purposes
-h	Help - Show this help

GENERAL OPTIONS

Flag	Description
--deep	Deep scan (Enable some slow options for deeper scan)
--fs	Full scope (Enable the widest scope * .domain. * options)
-o	Output directory

Running ReconFTW

To perform a full recon on single target (may take a significant time)

▶ ./reconftw.sh -d example.com -r

To perfrom a full recon on a list of targets

▶ ./reconftw.sh -l sites.txt -r -o /output/directory/

Perform all steps (recon + attacks)

▶ ./reconftw.sh -d example.com -a

Perform full recon with more intense tasks (VPS intended)

▶ ./reconftw.sh -d example.com -r --deep -o /output/directory/

Perform a wide scope recon on a target (may include false positives)

▶ ./reconftw.sh -d example.com -r --fs -o /output/directory/

Perform recon in a multi domain target

▶ ./reconftw.sh -m company -l domainsList.txt

Show help section

▶ ./reconftw.sh -h

Sample video

🔥 Features 🔥

• Domain information parser (domainbigdata)
• Emails addresses and users (theHarvester)
• Password leaks (pwndb and H8mail)
• Metadata finder (MetaFinder)
• Google Dorks (degoogle_hunter)
• Github Dorks (GitDorker)
• Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
  • Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls, github-subdomains, Anubis and mildew)
  • Certificate transparency (crtfinder, tls.bufferover and dns.bufferover))
  • Bruteforce (shuffledns)
  • Permutations (dnsgen)
  • Source Code Scraping (gospider)
  • CNAME Records (dnsx)
• Nuclei Sub TKO templates (nuclei)
• Web Prober (httpx)
• Web screenshot (gowitness)
• Web templates scanner (nuclei)
• IP and subdomains WAF checker (cf-check and wafw00f)
• Port Scanner (Active with nmap and passive with shodan-cli)
• Url extraction (waybackurls, gau, gospider, github-endpoints)
• Pattern Search (gf and gf-patterns)
• Param discovery (paramspider and arjun)
• XSS (XSStrike)
• Open redirect (Openredirex)
• SSRF (headers asyncio_ssrf.py and param values with ffuf)
• CRLF (crlfuzz)
• Favicon Real IP (fav-up)
• Javascript analysis (LinkFinder, scripts from JSFScan)
• Fuzzing (ffuf)
• Cors (Corsy)
• LFI Checks (manual/ffuf)
• SQLi Check (SQLMap)
• SSTI (manual/ffuf)
• CMS Scanner (CMSeeK)
• SSL tests (testssl)
• Multithread in some steps (Interlace)
• Broken Links Checker (gospider)
• S3 bucket finder (S3Scanner)
• Password spraying (brutespray)
• 4xx bypasser (DirDar)
• Custom resolvers generated list (dnsvalidator)
• DNS Zone Transfer (dnsrecon)
• Docker container included and DockerHub integration
• Custom output folder
• Auto installer/updater compatible with most distros
• Diff support for continuous running (cron mode)
• Support for targets with multiple domains
• Update tools script
• RaspberryPi/ARM support
• 5 modes (recon, passive, subdomains, web and all)
• Out of Scope Support
• Notification support for Slack, Discord and Telegram (notify)

Mindmap/Workflow

How to contribute

If you want to contribute to this project you can do it in multiple ways:

• Submitting an issue because you have found a bug or you have any suggestion or request.
• Making a Pull Request from dev branch because you want to improve the code or add something to the script.

Need help?

• Take a look in the wiki
• Ask for help in the Telegram group

You can support this work buying me a coffee:

Thanks

For their great feedback, support, help or for nothing special but well deserved:

• @detonXX
• @Bileltechno
• @cyph3r_asr
• @h4ms1k