Overview
ReconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. ReconFTW automates the entire process of reconnaisance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.
ReconFTW uses lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records…) for subdomain enumeration which helps you getting the maximum and the most interesting subdomains so that you be ahead of the competition.
It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, ports scanning, screenshots, nuclei scan on your target.
Features
Osint
- Domain information parser (domainbigdata)
- Emails addresses and users (theHarvester, emailfinder)
- Password leaks (pwndb and H8mail)
- Metadata finder (MetaFinder)
- Google Dorks (degoogle_hunter)
- Github Dorks (gitdorks_go)
Subdomains
- Passive (amass, waybackurls, github-subdomains, gau)
- Certificate transparency (ctfr)
- Bruteforce (puredns)
- Permutations (Gotator)
- JS files & Source Code Scraping (gospider)
- DNS Records (dnsx)
- Google Analytics ID (AnalyticsRelationships)
- Recursive search.
- Subdomains takeover (nuclei)
- DNS takeover (dnstake)
- DNS Zone Transfer (dig)
Hosts
- IP and subdomains WAF checker (cf-check and wafw00f)
- Port Scanner (Active with nmap and passive with nrich)
- Port services vulnerability checks (searchsploit)
- Password spraying (brutespray)
- Cloud providers check (clouddetect)
Webs
- Web Prober (httpx and unimap)
- Web screenshot (webscreenshot or gowitness)
- Web templates scanner (nuclei and nuclei geeknik)
- Url extraction (waybackurls, gauplus, gospider, github-endpoints and JSA)
- URLPatterns Search (gf and gf-patterns)
- XSS (dalfox)
- Open redirect (Oralyzer)
- SSRF (headers interactsh and param values with ffuf)
- CRLF (crlfuzz)
- Favicon Real IP (fav-up)
- Javascript analysis (subjs, JSA, LinkFinder, getjswords)
- Fuzzing (ffuf)
- Cors (Corsy)
- LFI Checks (ffuf)
- SQLi Check (SQLMap)
- SSTI (ffuf)
- CMS Scanner (CMSeeK)
- SSL tests (testssl)
- Broken Links Checker (gospider)
- S3 bucket finder (S3Scanner)
- Prototype Pollution (ppfuzz)
- URL sorting by extension
- Wordlist generation
- Passwords dictionary creation (pydictor)
Extras
- Multithread (Interlace)
- Custom resolvers generated list (dnsvalidator)
- Docker container included and DockerHub integration
- Allows IP/CIDR as target
- Resume the scan from last performed step
- Custom output folder option
- All in one installer/updater script compatible with most distros
- Diff support for continuous running (cron mode)
- Support for targets with multiple domains
- Raspberry Pi/ARM support
- 6 modes (recon, passive, subdomains, web, osint and all)
- Out of Scope Support
- Notification system with Slack, Discord and Telegram (notify) and sending zipped results support
Installation
In your PC/VPS/VM
You can check out our wiki for the installation guide Installation Guide
- Requires Golang > 1.15.0+ installed and paths correctly set ($GOPATH, $GOROOT)
Config file:
A detailed explaintion of config file can be found here Configuration file
- Through
reconftw.cfgfile the whole execution of the tool can be controlled. - Hunters can set various scanning modes, execution preferences, tools, config files, APIs/TOKENS, personalized wordlists and much more.
Usage:
Check out the wiki section to know which flag performs what all steps/attacks Usage Guide
TARGET OPTIONS
| Flag | Description |
|---|---|
| -d | Single Target domain (example.com) |
| -l | List of targets (one per line) |
| -m | Multiple domain target (companyName) |
| -x | Exclude subdomains list (Out Of Scope) |
| -i | Include subdomains list (In Scope) |
MODE OPTIONS
| Flag | Description |
|---|---|
| -r | Recon – Full recon process (without attacks like sqli,ssrf,xss,ssti,lfi etc.) |
| -s | Subdomains – Perform only subdomain enumeration, web probing, subdomain takeovers |
| -p | Passive – Perform only passive steps |
| -a | All – Perform whole recon and all active attacks |
| -w | Web – Perform only vulnerability checks/attacks on particular target |
| -n | OSINT – Performs an OSINT scan (no subdomain enumeration and attacks) |
| -c | Custom – Launches specific function against target |
| -h | Help – Show this help menu |
GENERAL OPTIONS
| Flag | Description |
|---|---|
| –deep | Deep scan (Enable some slow options for deeper scan, vps intended mode) |
| -f | Custom config file path |
| -o | Output directory |
| -v | Axiom distributed VPS |
Example Usage:
To perform a full recon on single target
To perform a full recon on a list of targets
Perform full recon with more time intense tasks (VPS intended only)
Perform recon with axiom integration
Perform all steps (whole recon + all attacks) a.k.a. YOLO mode
;
Demo Video
