six2dez edited this page Feb 14, 2021 · 28 revisions

ReconFTW

Installation Guide

Configuring Go-lang

  • ReconFTW requires go1.14+ to install successfully.
    If Go is not installed, follow the steps below.

From Binary

▶ wget https://golang.org/dl/go1.15.7.linux-amd64.tar.gz
▶ tar -C /usr/local -xzf go1.15.7.linux-amd64.tar.gz

Configuring $PATH

Add the following lines to your .bashrc or .zshrc:

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
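A quick check that the Go toolchain found on PATH actually meets the go1.14+ requirement before running install.sh. This is an added example, not part of the reconFTW project; the function names go_version_ok and go_on_path_ok are my own.

```shell
#!/bin/sh
# Added example (not part of the reconFTW project): confirm that the Go
# toolchain reachable through PATH is go1.14 or newer before ./install.sh runs.

# go_version_ok "<output of 'go version'>": returns 0 when the reported
# version is >= 1.14, 1 otherwise (including unparsable input).
go_version_ok() {
    # Pull "MAJOR MINOR" out of e.g. "go version go1.15.7 linux/amd64".
    ver=$(printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]; }
}

# go_on_path_ok: checks the binary that PATH actually resolves, so a stale
# distribution Go that shadows /usr/local/go/bin is caught as well.
go_on_path_ok() {
    if ! command -v go >/dev/null 2>&1; then
        echo "go not found on PATH; check the GOROOT/GOPATH/PATH exports above" >&2
        return 1
    fi
    if ! go_version_ok "$(go version)"; then
        echo "found '$(go version)', but reconFTW needs go1.14+" >&2
        return 1
    fi
    echo "go OK: $(go version)"
}
```

Run go_on_path_ok after sourcing the updated .bashrc or .zshrc; a non-zero exit means the PATH edit above did not take effect or an older Go is being picked up first.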

Clone reconFTW repository

▶ git clone https://github.com/six2dez/reconftw.git
▶ cd reconftw
▶ chmod +x *.sh
▶ ./install.sh

Post Installation Guide

Amass Config

You will need a config file to use your API keys with Amass.
See the Example Configuration File for more details.

Operating System   Path
Linux / Unix       $HOME/.config/amass/config.ini

Subfinder Config

For Subfinder to work with certain services, you will need to set up API keys.

Operating System   Path
Linux / Unix       $HOME/.config/subfinder/config.yaml

Github tokens

  • GitDorker and github-endpoints both require GitHub Personal Access Tokens.
  • Add your GitHub personal tokens to ~/Tools/.github_tokens, one per line.
  • It's recommended to add more than 5 GitHub Personal Access Tokens, each from 2 different accounts. See here how to create them.
  • Use multiple tokens from separate GitHub accounts to provide the best results.

Example contents of ~/Tools/.github_tokens (one token per line):

d2fec3d6e6712a985259522acec
0e8e24ad765d1550abe13347c48
5da53a644c6aaa5874f669a0218
15977496cc613e33cdb15b83693
46df7cecc76537e229ef069eb63

Favup Config

Run the following command:

▶ shodan init [Your-API-Key]

Blind XSS Server

The script includes a tool called XSStrike, which can optionally use a server for blind XSS detection.
Creating an account on XSS Hunter will provide you with your own personalized server. Store your personal server in an environment variable in your terminal's configuration file (.bashrc/.zshrc).
Eg: XSS_SERVER=<username>.xss.ht

SSRF Server

  • To receive the inbound requests used to find potential SSRF, it's necessary to set up your own COLLAB_SERVER.
  • Services for setting up SSRF Server:
  1. Webhook
  2. RequestCatcher
  3. Canarytokens
  4. Burp Collaborator server

Eg: COLLAB_SERVER=XXXXXXXXXX
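The Amass config, Subfinder config, GitHub tokens file, XSS_SERVER and COLLAB_SERVER steps above all leave API keys or callback hosts on disk or in the shell environment. The checker below is an added example, not part of the reconFTW project: the function names are mine, it uses the file paths given on this page, and it assumes the two callback variables should hold a plain host name rather than one of the placeholders shown above.

```shell
#!/bin/sh
# Added example, not part of the reconFTW project: verify the files and
# environment variables the post-installation steps above ask for.
# API keys and tokens are secrets, so the files holding them should be
# readable only by the user who runs the scan (mode 600).

# secret_file_ok <path>: 0 if the file exists, is non-empty and grants no
# read/write/execute bits to group or others.
secret_file_ok() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    # ls -l prints a mode like -rw-------; columns 5-10 are the group/other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    case $perms in
        ------) return 0 ;;
        *) echo "$f is accessible to group/others (fix: chmod 600 '$f')" >&2; return 1 ;;
    esac
}

# github_tokens_ok <path>: the file must hold at least 5 distinct non-blank
# lines, matching the "one token per line, more than 5 tokens" advice above.
github_tokens_ok() {
    f=$1
    [ -s "$f" ] || return 1
    total=$(grep -c '[^[:space:]]' "$f" || true)
    unique=$(grep '[^[:space:]]' "$f" | sort -u | wc -l | tr -d ' ')
    [ "$total" -ge 5 ] && [ "$unique" -eq "$total" ]
}

# callback_host_ok <value>: rejects an unset variable, the "<username>" and
# "XXXXXXXXXX" placeholders from this page, and values containing whitespace.
callback_host_ok() {
    v=$1
    case $v in
        ''|*[[:space:]]*|*'<'*|*'>'*) return 1 ;;
    esac
    if printf '%s\n' "$v" | grep -Eq '^[Xx]+$'; then
        return 1
    fi
    return 0
}

# post_install_check: runs every check against the locations named on this
# page and returns non-zero if any of them fails, printing what to fix.
post_install_check() {
    rc=0
    secret_file_ok "$HOME/.config/amass/config.ini" || rc=1
    secret_file_ok "$HOME/.config/subfinder/config.yaml" || rc=1
    if secret_file_ok "$HOME/Tools/.github_tokens"; then
        github_tokens_ok "$HOME/Tools/.github_tokens" \
            || { echo "need >= 5 distinct tokens in ~/Tools/.github_tokens" >&2; rc=1; }
    else
        rc=1
    fi
    callback_host_ok "${XSS_SERVER:-}"    || { echo "XSS_SERVER is unset or still a placeholder" >&2; rc=1; }
    callback_host_ok "${COLLAB_SERVER:-}" || { echo "COLLAB_SERVER is unset or still a placeholder" >&2; rc=1; }
    return $rc
}
```

Call post_install_check from the same shell you will launch the scan from, so that it sees the XSS_SERVER and COLLAB_SERVER values exported by your .bashrc or .zshrc. The permission check relies on the standard ls -l mode column rather than stat, because the stat flags differ between GNU and BSD systems.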

Notify configuration

  • Notify is used to send ReconFTW progress notifications via Slack and Discord.
  • The default config file should be located in $HOME/.config/notify/notify.conf
  1. Creating Discord webhook
  2. Creating Slack webhook
  3. Creating Telegram bot

Usage Guide

Target Options

The target can be a domain or a subdomain, and a target must be specified for a scan. ReconFTW can also import a list of targets from a text file (one target per line).

Subcommand   Description
-d           Target domain
-l           Specify a list of targets (targets.txt)
-x           Out-of-scope subdomain list (oos.txt)
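Before handing a file to -l, it is worth normalizing it and stripping anything covered by the -x out-of-scope list, so that a mixed-case or duplicated entry is not scanned twice and no out-of-scope host is ever touched. This is an added example, not code from the reconFTW project: the function names normalize_targets and in_scope_targets are mine, and treating a subdomain of an out-of-scope entry as out of scope too is this example's own rule, going beyond the plain list the page describes.

```shell
#!/bin/sh
# Added example, not part of the reconFTW project: build a clean target list
# for "-l" and drop everything covered by the "-x" out-of-scope list.

# normalize_targets <file>: one host per line, comments and blank lines
# removed, lower-cased, non-hostnames rejected, duplicates collapsed.
normalize_targets() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' \
        | sort -u
}

# in_scope_targets <targets.txt> <oos.txt>: prints the normalized targets that
# are neither listed in oos.txt nor subdomains of something listed there
# (the subdomain rule is this example's own choice, not reconFTW's).
in_scope_targets() {
    oos_tmp=$(mktemp)
    normalize_targets "$2" > "$oos_tmp"
    normalize_targets "$1" | awk -v oosfile="$oos_tmp" '
        BEGIN { while ((getline line < oosfile) > 0) oos[line] = 1 }
        {
            host = $0; drop = 0
            for (o in oos) {
                if (host == o) { drop = 1; break }
                if (length(host) > length(o) &&
                    substr(host, length(host) - length(o)) == "." o) { drop = 1; break }
            }
            if (!drop) print host
        }'
    rm -f "$oos_tmp"
}

# Usage: in_scope_targets targets.txt oos.txt > clean_targets.txt
# then pass clean_targets.txt with -l (and oos.txt with -x as before).
```

Lines that fail the hostname pattern (for example a line with a space or a stray URL scheme) are dropped silently by normalize_targets; diff its output against the raw file if you want to see what was rejected.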

Mode Options

  • ReconFTW supports several mode options. Running all checks is preferred, but depending on your needs you can select the required mode.
  • Changing the mode options changes how long the script takes to run.

Subcommand   Description
-a           Perform all checks
-s           Full subdomain scan (subs, tko and probe)
-w           Perform web checks only, without subs (-l required)
-i           Check whether the required tools are present or not
-v           Verbose/Debug mode
-h           Show help section

General Options

  • Some checks/tasks of ReconFTW take a long time and generate a lot of web traffic.
  • You can enable these tasks with the following options.

Subcommand   Description
--deep       Deep scan (enable some slow options for a deeper scan)
--fs         Full scope (enable the widest scope, *.domain.*, options)

Output Options

Supports option for user-defined output directory of the results.

Subcommand   Description
-o           Define the output folder

Docker usage

To properly set up the Docker container you should modify some files to adapt it to your needs. Read the Post Installation Guide to learn what kind of information should be placed in each file.

Also, it's available on DockerHub.

Inside the 'Docker' folder there are five files, each corresponding to a customizable setting as explained below:

File                    Instructions
Dockerfile              Edit the beginning lines COLLAB_SERVER, XSS_SERVER and SHODAN_API_KEY
github_tokens.txt       Take a look here
notify.conf             Add your webhooks in this file as default Notify (or just copy the one you use here)
subfinder_config.yaml   Add your API keys in this file as default Subfinder (or just copy the one you use here)

After you have set up the files you can build the image.

Build image

▶ cd Docker && docker build -t reconftw .

Run container

▶ docker run -it reconftw /bin/bash

After that you should have a prompt inside the reconftw folder, and usage from this point on is the same as always.
