Recon Tool: ReconFTW

by | Apr 21, 2022 | Tools

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

Reading Time: 4 Minutes

Recon Tool: ReconFTW

GitHub Link

 

ReconFTW

When you perform Pentesting or Bug bounty hunting, the most important part is reconnaissance, gathering info and studying the intel to determine weakness spots that are familiar to you, and would result further investigation for the next step, the attack phase and exploitation. The difference however lays from one security researcher vs another, and this tool actually balances that whole recon phase to be the same by running the best set of tools based on the results as it goes, and not a default automated config that’s goes with any type of device found.

ReconFTW by six2dez, is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. It automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.

It uses lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records…) for subdomain enumeration which helps you getting the maximum and the most interesting subdomains so that you be ahead of the competition.

It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, ports scanning, screenshots, nuclei scan on your target.

Installation:

 

a) In your PC/VPS/VM

You can check out the wiki for the installation guide Installation Guide

  • Requires Golang > 1.15.0+ installed and paths correctly set ($GOPATH$GOROOT)
git clone https://github.com/six2dez/reconftw
cd reconftw/
./install.sh
./reconftw.sh -d target.com -r

 

b) Docker Image (3 options)

 

  • Pull the image
$ docker pull six2dez/reconftw:main
  • Run the container
$ docker run -it --rm \\
    -v "${PWD}/OutputFolder/":'/reconftw/Recon/' \\
    six2dez/reconftw:main -d example.com -r

 

However, if you wish to:

  1. Dynamically modify the behaviour & function of the image
  2. Build your own container
  3. Build an Axiom Controller on top of the official image

Please refer to the Docker documentation.

See Also: Offensive Security Tool: Proxmark3

 

 

Config file

 

Usage:

Check out the wiki section to know which flag performs what all steps/attacks Usage Guide

 

TARGET OPTIONS

FlagDescription
-dSingle Target domain (example.com)
-lList of targets (one per line)
-mMultiple domain target (companyName)
-xExclude subdomains list (Out Of Scope)
-iInclude subdomains list (In Scope)

MODE OPTIONS

FlagDescription
-rRecon – Full recon process (without attacks like sqli,ssrf,xss,ssti,lfi etc.)
-sSubdomains – Perform only subdomain enumeration, web probing, subdomain takeovers
-pPassive – Perform only passive steps
-aAll – Perform whole recon and all active attacks
-wWeb – Perform only vulnerability checks/attacks on particular target
-nOSINT – Performs an OSINT scan (no subdomain enumeration and attacks)
-cCustom – Launches specific function against target
-hHelp – Show this help menu

GENERAL OPTIONS

FlagDescription
–deepDeep scan (Enable some slow options for deeper scan, vps intended mode)
-fCustom config file path
-oOutput directory
-vAxiom distributed VPS

 

See Also: Recon Tool: Smap

 

Example Usage:

 

To perform a full recon on single target

./reconftw.sh -d target.com -r

To perform a full recon on a list of targets

./reconftw.sh -l sites.txt -r -o /output/directory/

Perform full recon with more time intense tasks (VPS intended only)

./reconftw.sh -d target.com -r --deep -o /output/directory/

Perform recon in a multi domain target

./reconftw.sh -m company -l domains_list.txt -r
 

Perform recon with axiom integration

./reconftw.sh -d target.com -r -v

Perform all steps (whole recon + all attacks) a.k.a. YOLO mode

./reconftw.sh -d target.com -a

Show help section

./reconftw.sh -h

 

 

Axiom Support:

Check out the wiki section for more info Axiom Support

  • As reconFTW actively hits the target with a lot of web traffic, hence there was a need to move to Axiom distributing the work load among various instances leading to reduction of execution time.
  • During the configuration of axiom you need to select reconftw as provisoner.
  • You can create your own axiom’s fleet before running reconFTW or let reconFTW to create and destroy it automatically just modifying reconftw.cfg file.

 

BBRF Support:

  • To add reconFTW results to your BBRF instance just add IP and credentials on reconftw.cfg file section dedicated to bbrf.
  • During the execution of the scans the results will be added dinamically when each step ends.
  • Even you can set up locally your BBRF instance to be able to visualize your results in a fancy web UI.

 

See Also: Write up: Hacking is an art, and so is subdomain enumeration.

 

Features

 

Osint

 

Subdomains

 

Hosts

 

Webs

 

Extras

  • Multithread (Interlace)
  • Custom resolvers generated list (dnsvalidator)
  • Docker container included and DockerHub integration
  • Allows IP/CIDR as target
  • Resume the scan from last performed step
  • Custom output folder option
  • All in one installer/updater script compatible with most distros
  • Diff support for continuous running (cron mode)
  • Support for targets with multiple domains
  • Raspberry Pi/ARM support
  • 6 modes (recon, passive, subdomains, web, osint and all)
  • Out of Scope Support
  • Notification system with Slack, Discord and Telegram (notify) and sending zipped results support

 

See Also: Complete Offensive Security and Ethical Hacking Course

 

Mindmap/Workflow

mindmapv2

 

Data Keep

Follow these simple steps to end up having a private repository with your API Keys and /Recon data.

  • Create a private blank repository on Git(Hub|Lab) (Take into account size limits regarding Recon data upload)
  • Clone your project: git clone https://gitlab.com/example/reconftw-data
  • Get inside the cloned repository: cd reconftw-data
  • Create branch with an empty commit: git commit –allow-empty -m “Empty commit”
  • Add official repo as a new remote: git remote add upstream https://github.com/six2dez/reconftw (upstream is an example)
  • Update upstream’s repo: git fetch upstream
  • Rebase current branch with the official one: git rebase upstream/main master

 

Main commands:

  • Upload changes to your personal repo:
    git add . && git commit -m “Data upload” && git push origin master
  • Update tool anytime: git fetch upstream && git rebase upstream/main master

 

 

See Also: Lizard Squad – the infamous hacking group that brought Xbox and PlayStation networks to their knees.


 

Merch

 

Recent Tools

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This