six2dez/ reconftw

(v1.0.0) 12 days ago

raspberry

xss

ssrf

Shell

pentest

View on GitHub

Need help with reconftw?

Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

six2dez

709 Stars

80 Forks

GNU General Public License v3.0

489 Commits

17 Opened issues

Description

ReconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities

Services available

Need anything else?

Contributors list

six2dez six2dez

# 45,797

TypeScr...

Shell

Lua

kali-li...

297 commits

Bilel Eljaamii bileltechno

# 214,415

system-...

optimiz...

Linux

Ubuntu

78 commits

Adrián de la Rosa adrm

# 32,837

HTML

TypeScr...

Vue.js

stencil

1 commit

Marco Antonio Blanco mablanco

# 135,523

Shell

HTML

JavaScr...

scannin...

1 commit

Readme

ReconFTW

Name: reconftw
Brand: reconftw
SKU: //six2dez/reconftw
Rating: 3.418 (709 reviews)

A simple bash script for full recon

Summary

ReconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.

Installation Instructions

Installation Guide :book:
Requires Golang > 1.14 installed and paths correctly set ($GOPATH, $GOROOT)

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw
▶ chmod +x *.sh
▶ ./install.sh
▶ ./reconftw.sh -d target.com -a

It is highly recommended, and in some cases essential, to set your API keys or env variables:
- amass config file (
```
~/.config/amass/config.ini
```
  )
- subfinder config file (
```
~/.config/subfinder/config.yaml
```
  )
- GitHub tokens file (
```
~/Tools/.github_tokens
```
  ) Recommended > 5, see how to create here
- favup API (
```
shodan init 
```
  )
- SSRF Server var (
```
COLLAB_SERVER
```
  env var)
- Blind XSS Server var (
```
XSS_SERVER
```
  env var)
- Notify config file (
```
~/.config/notify/notify.conf
```
  )

Usage

TARGET OPTIONS

| Flag | Description | |------|-------------| | -d | Target domain (example.com) | | -l | Target list (one per line) | | -x | Exclude subdomains list (Out Of Scope) |

MODE OPTIONS

| Flag | Description | |------|-------------| | -a | Perform full recon | | -s | Full subdomain scan (Subs, tko and probe) | | -w | Perform web checks only without subs (-l required) | | -i | Check whether tools required are present or not | | -v | Verbose/Debug Mode | | -h | Show help section |

GENERAL OPTIONS

| Flag | Description | |------|-------------| | --deep | Deep scan (Enable some slow options for deeper scan) | | --fs | Full scope (Enable the widest scope * .domain. * options) | | -o | Output directory |

Running ReconFTW

To perform a full recon on single target (may take a significant time)

▶ ./reconftw.sh -d example.com -a

To perfrom a full recon on a list of targets

▶ ./reconftw.sh -l sites.txt -a -o /output/directory/

Perform full recon with more intense tasks (VPS intended)

▶ ./reconftw.sh -d example.com -a --deep -o /output/directory/

Perform a wide scope recon on a target (may include false positives)

▶ ./reconftw.sh -d example.com -a --fs -o /output/directory/

Check whether all required tools are present or not

▶ ./reconftw.sh -i

Show help section

▶ ./reconftw.sh -h

Sample video

:fire: Features :fire:

Google Dorks (degoogle_hunter)
Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Certificate transparency (crtfinder and bufferover)
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Subdomain JS Scraping (JSFinder)
Sub TKO (subzy and nuclei)
Web Prober (httpx)
Web screenshot (webscreenshot)
Template scanner (nuclei)
Port Scanner (naabu)
Url extraction (waybackurls, gau, gospider, github-endpoints)
Pattern Search (gf and gf-patterns)
Param discovery (paramspider and arjun)
XSS (XSStrike)
Open redirect (Openredirex)
SSRF (asyncio_ssrf.py)
CRLF (crlfuzz)
Github (GitDorker)
Favicon Real IP (fav-up)
Javascript analysis (LinkFinder, scripts from JSFScan)
Fuzzing (ffuf)
Cors (Corsy)
SSL tests (testssl)
Multithread in some steps (Interlace)
Custom output folder (default under Recon/target.tld/)
Run standalone steps (subdomains, subtko, web, gdorks...)
Polished installer compatible with most distros
Verbose mode
Update tools script
Raspberry Pi support
Docker support
CMS Scanner (CMSeeK)
Out of Scope Support
LFI Checks
Notification support for Slack, Discord and Telegram (notify)

Mindmap/Workflow

:hourglass: Improvement plan :hourglass:

These are the next features that would come soon, take a look at all our pending features and feel free to contribute:

[X] Notification support
[ ] HTML Report
[ ] In Scope file support
[ ] ASN/CIDR/Name allowed as target

You can support this work buying me a coffee:

Thanks

For their great feedback, support, help or for nothing special but well deserved: