reconFTW – Tool to Perform Automated Scan and Finding Vulnerabilities


ReconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools for scanning and finding vulnerabilities. ReconFTW automates the entire reconnaissance process for you. It performs subdomain enumeration along with various vulnerability checks and obtains the maximum information about your target.

ReconFTW uses many techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records…) for subdomain enumeration, which helps you get the maximum number of subdomains, and the most interesting ones, so that you stay ahead of the competition.

It also performs various vulnerability checks such as XSS, open redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, port scanning, screenshots, and a nuclei scan on your target.







  • Multithread (Interlace)
  • Custom resolvers generated list (dnsvalidator)
  • Docker container included and DockerHub integration
  • Allows IP/CIDR as target
  • Resume the scan from last performed step
  • Custom output folder option
  • All in one installer/updater script compatible with most distros
  • Diff support for continuous running (cron mode)
  • Support for targets with multiple domains
  • Raspberry Pi/ARM support
  • 6 modes (recon, passive, subdomains, web, osint and all)
  • Out of Scope Support
  • Notification system with Slack, Discord and Telegram (notify) and sending zipped results support


In your PC/VPS/VM

You can check out the Installation Guide in our wiki.

  • Requires Golang > 1.15.0+ installed and paths correctly set ($GOPATH, $GOROOT)
git clone cd reconftw/ ./ ./ -d -r

Config file:

A detailed explanation of the config file can be found here: Configuration file

  • The whole execution of the tool can be controlled through the reconftw.cfg file.
  • Hunters can set various scanning modes, execution preferences, tools, config files, APIs/TOKENS, personalized wordlists and much more.


Check out the Usage Guide in the wiki to see which steps/attacks each flag performs.


  • -d  Single Target domain (
  • -l  List of targets (one per line)
  • -m  Multiple domain target (companyName)
  • -x  Exclude subdomains list (Out Of Scope)
  • -i  Include subdomains list (In Scope)


  • -r  Recon – Full recon process (without attacks like sqli, ssrf, xss, ssti, lfi etc.)
  • -s  Subdomains – Perform only subdomain enumeration, web probing, subdomain takeovers
  • -p  Passive – Perform only passive steps
  • -a  All – Perform whole recon and all active attacks
  • -w  Web – Perform only vulnerability checks/attacks on particular target
  • -n  OSINT – Performs an OSINT scan (no subdomain enumeration and attacks)
  • -c  Custom – Launches specific function against target
  • -h  Help – Show this help menu


  • --deep  Deep scan (Enable some slow options for deeper scan, VPS intended mode)
  • -f  Custom config file path
  • -o  Output directory
  • -v  Axiom distributed VPS

Example Usage:

To perform a full recon on single target

./ -d -r

To perform a full recon on a list of targets

./ -l sites.txt -r -o /output/directory/

Perform a full recon with more time-intensive tasks (VPS intended only)

./ -d -r --deep -o /output/directory/

Perform recon with axiom integration

./ -d -r -v

Perform all steps (whole recon + all attacks) a.k.a. YOLO mode

./ -d -a

