Recon Tool: ReconFTW
Reading Time: 4 Minutes
Recon Tool: ReconFTW
ReconFTW
When you perform Pentesting or Bug bounty hunting, the most important part is reconnaissance, gathering info and studying the intel to determine weakness spots that are familiar to you, and would result further investigation for the next step, the attack phase and exploitation. The difference however lays from one security researcher vs another, and this tool actually balances that whole recon phase to be the same by running the best set of tools based on the results as it goes, and not a default automated config that’s goes with any type of device found.
ReconFTW by six2dez, is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. It automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.
It uses lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records…) for subdomain enumeration which helps you getting the maximum and the most interesting subdomains so that you be ahead of the competition.
It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, ports scanning, screenshots, nuclei scan on your target.
Installation:
a) In your PC/VPS/VM
You can check out the wiki for the installation guide Installation Guide
- Requires Golang > 1.15.0+ installed and paths correctly set ($GOPATH, $GOROOT)
git clone https://github.com/six2dez/reconftw
cd reconftw/
./install.sh
./reconftw.sh -d target.com -r
b) Docker Image (3 options)
- Pull the image
$ docker pull six2dez/reconftw:main
- Run the container
$ docker run -it --rm \\
-v "${PWD}/OutputFolder/":'/reconftw/Recon/' \\
six2dez/reconftw:main -d example.com -r
However, if you wish to:
- Dynamically modify the behaviour & function of the image
- Build your own container
- Build an Axiom Controller on top of the official image
Please refer to the Docker documentation.
See Also: Offensive Security Tool: Proxmark3
Config file
Usage:
Check out the wiki section to know which flag performs what all steps/attacks Usage Guide
TARGET OPTIONS
Flag | Description |
---|---|
-d | Single Target domain (example.com) |
-l | List of targets (one per line) |
-m | Multiple domain target (companyName) |
-x | Exclude subdomains list (Out Of Scope) |
-i | Include subdomains list (In Scope) |
MODE OPTIONS
Flag | Description |
---|---|
-r | Recon – Full recon process (without attacks like sqli,ssrf,xss,ssti,lfi etc.) |
-s | Subdomains – Perform only subdomain enumeration, web probing, subdomain takeovers |
-p | Passive – Perform only passive steps |
-a | All – Perform whole recon and all active attacks |
-w | Web – Perform only vulnerability checks/attacks on particular target |
-n | OSINT – Performs an OSINT scan (no subdomain enumeration and attacks) |
-c | Custom – Launches specific function against target |
-h | Help – Show this help menu |
GENERAL OPTIONS
Flag | Description |
---|---|
–deep | Deep scan (Enable some slow options for deeper scan, vps intended mode) |
-f | Custom config file path |
-o | Output directory |
-v | Axiom distributed VPS |
See Also: Recon Tool: Smap
Example Usage:
To perform a full recon on single target
./reconftw.sh -d target.com -r
To perform a full recon on a list of targets
./reconftw.sh -l sites.txt -r -o /output/directory/
Perform full recon with more time intense tasks (VPS intended only)
./reconftw.sh -d target.com -r --deep -o /output/directory/
Perform recon in a multi domain target
./reconftw.sh -m company -l domains_list.txt -r
Perform recon with axiom integration
./reconftw.sh -d target.com -r -v
Perform all steps (whole recon + all attacks) a.k.a. YOLO mode
./reconftw.sh -d target.com -a
Show help section
./reconftw.sh -h
Axiom Support:
Check out the wiki section for more info Axiom Support
- As reconFTW actively hits the target with a lot of web traffic, hence there was a need to move to Axiom distributing the work load among various instances leading to reduction of execution time.
- During the configuration of axiom you need to select reconftw as provisoner.
- You can create your own axiom’s fleet before running reconFTW or let reconFTW to create and destroy it automatically just modifying reconftw.cfg file.
BBRF Support:
- To add reconFTW results to your BBRF instance just add IP and credentials on reconftw.cfg file section dedicated to bbrf.
- During the execution of the scans the results will be added dinamically when each step ends.
- Even you can set up locally your BBRF instance to be able to visualize your results in a fancy web UI.
See Also: Write up: Hacking is an art, and so is subdomain enumeration.
Features
Osint
- Domain information parser (domainbigdata)
- Emails addresses and users (theHarvester, emailfinder)
- Password leaks (pwndb and H8mail)
- Metadata finder (MetaFinder)
- Google Dorks (degoogle_hunter)
- Github Dorks (gitdorks_go)
Subdomains
- Passive (amass, waybackurls, github-subdomains, gau)
- Certificate transparency (ctfr)
- Bruteforce (puredns)
- Permutations (Gotator)
- JS files & Source Code Scraping (gospider)
- DNS Records (dnsx)
- Google Analytics ID (AnalyticsRelationships)
- Recursive search.
- Subdomains takeover (nuclei)
- DNS takeover (dnstake)
- DNS Zone Transfer (dig)
Hosts
- IP and subdomains WAF checker (cf-check and wafw00f)
- Port Scanner (Active with nmap and passive with nrich)
- Port services vulnerability checks (searchsploit)
- Password spraying (brutespray)
- Cloud providers check (clouddetect)
Webs
- Web Prober (httpx and unimap)
- Web screenshot (webscreenshot or gowitness)
- Web templates scanner (nuclei and nuclei geeknik)
- Url extraction (waybackurls, gauplus, gospider, github-endpoints and JSA)
- URLPatterns Search (gf and gf-patterns)
- XSS (dalfox)
- Open redirect (Oralyzer)
- SSRF (headers interactsh and param values with ffuf)
- CRLF (crlfuzz)
- Favicon Real IP (fav-up)
- Javascript analysis (subjs, JSA, LinkFinder, getjswords)
- Fuzzing (ffuf)
- Cors (Corsy)
- LFI Checks (ffuf)
- SQLi Check (SQLMap)
- SSTI (ffuf)
- CMS Scanner (CMSeeK)
- SSL tests (testssl)
- Broken Links Checker (gospider)
- S3 bucket finder (S3Scanner)
- Prototype Pollution (ppfuzz)
- URL sorting by extension
- Wordlist generation
- Passwords dictionary creation (pydictor)
Extras
- Multithread (Interlace)
- Custom resolvers generated list (dnsvalidator)
- Docker container included and DockerHub integration
- Allows IP/CIDR as target
- Resume the scan from last performed step
- Custom output folder option
- All in one installer/updater script compatible with most distros
- Diff support for continuous running (cron mode)
- Support for targets with multiple domains
- Raspberry Pi/ARM support
- 6 modes (recon, passive, subdomains, web, osint and all)
- Out of Scope Support
- Notification system with Slack, Discord and Telegram (notify) and sending zipped results support
See Also: Complete Offensive Security and Ethical Hacking Course
Mindmap/Workflow
Data Keep
Follow these simple steps to end up having a private repository with your API Keys and /Recon data.
- Create a private blank repository on Git(Hub|Lab) (Take into account size limits regarding Recon data upload)
- Clone your project: git clone https://gitlab.com/example/reconftw-data
- Get inside the cloned repository: cd reconftw-data
- Create branch with an empty commit: git commit –allow-empty -m “Empty commit”
- Add official repo as a new remote: git remote add upstream https://github.com/six2dez/reconftw (upstream is an example)
- Update upstream’s repo: git fetch upstream
- Rebase current branch with the official one: git rebase upstream/main master
Main commands:
- Upload changes to your personal repo:
git add . && git commit -m “Data upload” && git push origin master - Update tool anytime: git fetch upstream && git rebase upstream/main master
See Also: Lizard Squad – the infamous hacking group that brought Xbox and PlayStation networks to their knees.