Warning
This is a live development project: until the first stable release (1.0) it will be constantly updated in the master branch, so if you have detected any bug, you can open an issue or ping me over Telegram or Twitter and I will try to do my best :)
ReconFTW performs automated enumeration of subdomains via various techniques and then scans the results for vulnerabilities, to give you a list of potential vulns.
- Installation Guide
  - Requires Golang > 1.14 installed and paths correctly set ($GOPATH, $GOROOT)

```bash
git clone https://github.com/six2dez/reconftw
cd reconftw
chmod +x *.sh
./install.sh
./reconftw.sh -d target.com -a
```
- It is highly recommended, and in some cases essential, to set your API keys or environment variables:
  - amass config file (`~/.config/amass/config.ini`)
  - subfinder config file (`~/.config/subfinder/config.yaml`)
  - GitHub tokens file (`~/Tools/.github_tokens`), recommended > 5, see how to create here
  - favup API (`shodan init <SHODANPAIDAPIKEY>`)
  - SSRF server var (`COLLAB_SERVER` env var)
  - Blind XSS server var (`XSS_SERVER` env var)
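A preflight script that checks these prerequisites before a scan, added here as an example (not part of reconftw); it assumes the file paths listed above and reads the Go requirement as 1.14 or newer:

```shell
#!/usr/bin/env bash
# Added example, not part of reconftw: a preflight check for what the README
# asks for before a run (Go, GOPATH/GOROOT, the amass and subfinder config
# files, more than 5 GitHub tokens, COLLAB_SERVER and XSS_SERVER), so missing
# keys fail loudly instead of silently shrinking coverage.
# Assumptions: the README's file paths; a "goX.Y" string from `go version`.

# Print the number of non-blank lines (tokens) in the tokens file, 0 if unreadable.
count_github_tokens() {
  f="${1:-$HOME/Tools/.github_tokens}"
  [ -r "$f" ] || { echo 0; return 0; }
  grep -c -v '^[[:space:]]*$' "$f" || true
}

# Return 0 if "goX.Y[.Z]" is 1.14 or newer (how this reads the README's "> 1.14").
go_version_ok() {
  ver="${1#go}"
  major="${ver%%.*}"
  minor="${ver#*.}"; minor="${minor%%.*}"
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]; }
}

# Run every check, print one line per item, and return the number of failures.
preflight() {
  fails=0
  go_ver="$(go version 2>/dev/null | awk '{print $3}')"
  if [ -n "$go_ver" ] && go_version_ok "$go_ver"; then echo "OK   Go $go_ver"
  else echo "FAIL Go 1.14+ not in PATH"; fails=$((fails + 1)); fi
  for var in GOPATH GOROOT COLLAB_SERVER XSS_SERVER; do
    if [ -n "$(printenv "$var")" ]; then echo "OK   $var is set"
    else echo "FAIL $var is not exported"; fails=$((fails + 1)); fi
  done
  for cfg in "$HOME/.config/amass/config.ini" "$HOME/.config/subfinder/config.yaml"; do
    if [ -r "$cfg" ]; then echo "OK   $cfg"
    else echo "FAIL $cfg missing, that tool's API keys will not be used"; fails=$((fails + 1)); fi
  done
  tokens="$(count_github_tokens)"
  if [ "$tokens" -gt 5 ]; then echo "OK   $tokens GitHub tokens"
  else echo "FAIL only $tokens GitHub tokens (README recommends more than 5)"; fails=$((fails + 1)); fi
  return "$fails"
}

# Usage: run the checks; the closing message reports how many items still need fixing.
preflight || echo "preflight: $? check(s) failed, fix them before ./reconftw.sh"
```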
- Usage

```
TARGET OPTIONS
  -d DOMAIN        Target domain
  -l list.txt      Targets list, one per line
  -x oos.txt       Exclude subdomains list (Out Of Scope)

MODE OPTIONS
  -a               Perform all checks
  -s               Full subdomains scan (Subs, tko and probe)
  -g               Google dorks searches
  -w               Perform web checks only without subs (-l required)
  -t               Check subdomain takeover (-l required)
  -i               Check all needed tools
  -v               Debug/verbose mode, no file descriptor redir
  -h               Show this help

SUBDOMAIN OPTIONS
  --sp             Passive subdomain scans
  --sb             Bruteforce subdomain resolution
  --sr             Subdomain permutations and resolution (-l required)
  --ss             Subdomain scan by scraping (-l required)

GENERAL OPTIONS
  --deep           Deep scan (Enable some slow options for deeper scan)
  --fs             Full scope (Enable widest scope *domain* options)
  -o output/path   Define output folder
```
- Google Dorks (degoogle_hunter)
- Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Certificate transparency (crtfinder and bufferover)
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Subdomain JS Scraping (JSFinder)
- Sub TKO (subjack and nuclei)
- Web Prober (httpx)
- Web screenshot (webscreenshot)
- Template scanner (nuclei)
- Port Scanner (naabu)
- URL extraction (waybackurls, gau, gospider, github-endpoints)
- Pattern Search (gf and gf-patterns)
- Param discovery (paramspider and arjun)
- XSS (XSStrike)
- Open redirect (Openredirex)
- SSRF (asyncio_ssrf.py)
- CRLF (crlfuzz)
- Github (GitDorker)
- Favicon Real IP (fav-up)
- Javascript analysis (LinkFinder, scripts from JSFScan)
- Fuzzing (ffuf)
- CORS (Corsy)
- SSL tests (testssl)
- Multithreading in some steps (Interlace)
- Custom output folder (default under Recon/target.tld/)
- Run standalone steps (subdomains, subtko, web, gdorks...)
- Polished installer compatible with most distros
- Verbose mode
- Update tools script
- Raspberry Pi support
- Docker support
- CMS Scanner (CMSeeK)
- Out of Scope Support
These are the next features that will come soon; take a look at all our pending features and feel free to contribute:
- Notification support
- HTML Report
- In Scope file support
- ASN/CIDR/Name allowed as target
You can support this work by buying me a coffee:
For their great feedback, support, help or for nothing special but well deserved: