{"id":13495843,"url":"https://github.com/six2dez/reconftw","last_synced_at":"2025-05-13T00:05:51.935Z","repository":{"id":37073635,"uuid":"325671936","full_name":"six2dez/reconftw","owner":"six2dez","description":"reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities","archived":false,"fork":false,"pushed_at":"2025-05-06T10:33:07.000Z","size":122786,"stargazers_count":6251,"open_issues_count":9,"forks_count":990,"subscribers_count":111,"default_branch":"main","last_synced_at":"2025-05-13T00:05:35.334Z","etag":null,"topics":["bug-bounty","bugbounty","dns","fuzzing","hacking","nuclei","osint","penetration-testing","pentest","pentest-tool","pentesting","recon","reconnaissance","scanner","security","security-tools","subdomain","vulnerabilities"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/six2dez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"six2dez","custom":["buymeacoffee.com/six2dez","https://www.paypal.com/paypalme/six2dez"]}},"created_at":"2020-12-30T23:52:52.000Z","updated_at":"2025-05-12T15:33:44.000Z","dependencies_parsed_at":"2023-10-20T23:09:01.142Z","dependency_job_id":"6e1a58f2-3ea7-46f3-81df-e7e252dc3403","html_url":"https://github.com/six2dez/reconftw","commit_stats":{"total_commits":1445,"total_committers":71,"mean_commits":20.35211267605634,"dds":0.4422145328719723,"last_synced_commit":
"d28296765a1a34650f953b6ed9b49daeedc56d77"},"previous_names":[],"tags_count":54,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/six2dez%2Freconftw","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/six2dez%2Freconftw/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/six2dez%2Freconftw/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/six2dez%2Freconftw/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/six2dez","download_url":"https://codeload.github.com/six2dez/reconftw/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253843215,"owners_count":21972873,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","bugbounty","dns","fuzzing","hacking","nuclei","osint","penetration-testing","pentest","pentest-tool","pentesting","recon","reconnaissance","scanner","security","security-tools","subdomain","vulnerabilities"],"created_at":"2024-07-31T19:01:38.823Z","updated_at":"2025-05-13T00:05:51.911Z","avatar_url":"https://github.com/six2dez.png","language":"Shell","readme":"\u003ch1 align=\"center\"\u003e\r\n  \u003cbr\u003e\r\n  \u003ca href=\"https://github.com/six2dez/reconftw\"\u003e\u003cimg src=\"https://github.com/six2dez/reconftw/blob/main/images/banner.png\" alt=\"reconftw\"\u003e\u003c/a\u003e\r\n  \u003cbr\u003e\r\n  reconFTW\r\n  \u003cbr\u003e\r\n\u003c/h1\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003ca 
href=\"https://github.com/six2dez/reconftw/releases/tag/v3.0\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/badge/release-v3.0-green\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\r\n      \u003cimg src=\"https://img.shields.io/badge/License-MIT-yellow.svg\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://twitter.com/Six2dez1\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/badge/twitter-%40Six2dez1-blue\"\u003e\r\n  \u003c/a\u003e\r\n    \u003ca href=\"https://github.com/six2dez/reconftw/issues?q=is%3Aissue+is%3Aclosed\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/github/issues-closed-raw/six2dez/reconftw.svg\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://github.com/six2dez/reconftw/wiki\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/badge/doc-wiki-blue.svg\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://t.me/joinchat/H5bAaw3YbzzmI5co\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/badge/telegram-@ReconFTW-blue.svg\"\u003e\r\n  \u003c/a\u003e\r\n  \u003ca href=\"https://discord.gg/R5DdXVEdTy\"\u003e\r\n    \u003cimg src=\"https://img.shields.io/discord/1048623782912340038.svg?logo=discord\"\u003e\r\n  \u003c/a\u003e\r\n\u003c/p\u003e\r\n\r\n\u003ch3 align=\"center\"\u003eSummary\u003c/h3\u003e\r\n\r\n**reconFTW** automates the entire reconnaissance process for you. It combines subdomain enumeration with a range of vulnerability checks to extract as much information about your target as possible.\r\n\r\nreconFTW uses many techniques (passive sources, bruteforce, permutations, certificate transparency, source code scraping, analytics IDs, DNS records...) for subdomain enumeration, which helps you find the most subdomains and the most interesting ones, so that you stay ahead of the competition.\r\n\r\nIt also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. 
Along with these, it runs OSINT techniques, directory fuzzing, dorking, port scanning, screenshots and nuclei scans on your target.\r\n\r\nSo, what are you waiting for? Go! Go! Go! :boom:\r\n\r\n## 📔 Table of Contents\r\n\r\n---\r\n\r\n- [⚙️ Config file](#️-config-file)\r\n- [Usage](#usage)\r\n  - [TARGET OPTIONS](#target-options)\r\n  - [MODE OPTIONS](#mode-options)\r\n  - [GENERAL OPTIONS](#general-options)\r\n  - [Example Usage](#example-usage)\r\n    - [To perform a full recon on single target](#to-perform-a-full-recon-on-single-target)\r\n    - [To perform a full recon on a list of targets](#to-perform-a-full-recon-on-a-list-of-targets)\r\n    - [Perform full recon with more time intense tasks _(VPS intended only)_](#perform-full-recon-with-more-time-intense-tasks-vps-intended-only)\r\n    - [Perform recon in a multi domain target](#perform-recon-in-a-multi-domain-target)\r\n    - [Perform recon with axiom integration](#perform-recon-with-axiom-integration)\r\n    - [Perform all steps (whole recon + all attacks) a.k.a. YOLO mode](#perform-all-steps-whole-recon--all-attacks-aka-yolo-mode)\r\n    - [Show help section](#show-help-section)\r\n- [Axiom Support :cloud:](#axiom-support-cloud)\r\n- [Faraday Support :computer:](#faraday-support-computer)\r\n- [Sample video](#sample-video)\r\n- [:fire: Features :fire:](#fire-features-fire)\r\n  - [Osint](#osint)\r\n  - [Subdomains](#subdomains)\r\n  - [Hosts](#hosts)\r\n  - [Webs](#webs)\r\n  - [Vulnerability checks](#vulnerability-checks)\r\n  - [Extras](#extras)\r\n  - [Mindmap/Workflow](#mindmapworkflow)\r\n  - [Data Keep](#data-keep)\r\n    - [Makefile](#makefile)\r\n    - [Manual](#manual)\r\n    - [Main commands](#main-commands)\r\n  - [How to contribute](#how-to-contribute)\r\n  - [Need help? 
:information\\_source:](#need-help-information_source)\r\n  - [Support this project](#support-this-project)\r\n    - [Buymeacoffee](#buymeacoffee)\r\n    - [DigitalOcean referral link](#digitalocean-referral-link)\r\n    - [GitHub sponsorship](#github-sponsorship)\r\n  - [Thanks :pray:](#thanks-pray)\r\n  - [Disclaimer](#disclaimer)\r\n  - [Star History](#star-history)\r\n\r\n---\r\n\r\n## 💿 Installation\r\n\r\n## a) Using a PC/VPS/VM\r\n\r\n\u003e You can check out our wiki for the installation guide [Installation Guide](https://github.com/six2dez/reconftw/wiki/0.-Installation-Guide) :book:\r\n\r\n- Requires [Golang](https://golang.org/dl/) \u003e **1.15.0+** installed and paths correctly set (**$GOPATH**, **$GOROOT**)\r\n\r\nImportant: if you are not running reconftw as root, run `echo \"${USER}  ALL=(ALL:ALL) NOPASSWD: ALL\" | sudo tee -a /etc/sudoers.d/reconFTW` so that no sudo prompts interrupt a run and no permission issues appear. Be aware that this rule grants your user unrestricted passwordless root on that machine: use it on a dedicated recon host and delete `/etc/sudoers.d/reconFTW` when you are done.\r\n\r\n```bash\r\ngit clone https://github.com/six2dez/reconftw\r\ncd reconftw/\r\n./install.sh\r\n./reconftw.sh -d target.com -r\r\n```\r\n\r\n## b) Docker Image 🐳 (3 options)\r\n\r\n- Pull the image\r\n\r\n```bash\r\ndocker pull six2dez/reconftw:main\r\n```\r\n\r\n- Run the container\r\n\r\n```bash\r\ndocker run -it --rm \\\r\n-v \"${PWD}/OutputFolder/\":'/reconftw/Recon/' \\\r\nsix2dez/reconftw:main -d example.com -r\r\n```\r\n\r\n- View results (they're NOT in the Docker container)\r\n\r\n  - The `-v` option bind-mounts the container's `/reconftw/Recon/` directory onto `OutputFolder/` in your current directory, so that is where the results are written; open that folder on the host to view them.\r\n\r\nIf you wish to:\r\n\r\n1. Dynamically modify the behaviour \u0026 function of the image\r\n2. Build your own container\r\n3. Build an Axiom Controller on top of the official image\r\n\r\nPlease refer to the [Docker](https://github.com/six2dez/reconftw/wiki/4.-Docker) documentation.\r\n\r\n## c) Terraform + Ansible\r\n\r\n
reconFTW can also be deployed to AWS with Terraform and Ansible; the guide is [here](Terraform/README.md).\r\n\r\n# ⚙️ Config file\r\n\r\n\u003e You can find a detailed explanation of the configuration file [here](https://github.com/six2dez/reconftw/wiki/3.-Configuration-file) :book:\r\n\r\n- The whole execution of the tool is controlled through the `reconftw.cfg` file.\r\n- Hunters can set scanning modes, execution preferences, tools, config files, APIs/TOKENS, personalized wordlists and much more.\r\n\r\n\u003cdetails\u003e\r\n \u003cbr\u003e\u003cbr\u003e\r\n \u003csummary\u003e :point_right: Click here to view default config file :point_left: \u003c/summary\u003e\r\n\r\n```bash\r\n#############################################\r\n#\t\t\treconFTW config file\t\t\t#\r\n#############################################\r\n\r\n# General values\r\ntools=$HOME/Tools   # Path to installed tools\r\nSCRIPTPATH=\"$( cd \"$(dirname \"$0\")\" \u003e/dev/null 2\u003e\u00261 ; pwd -P )\" # Get current script's path\r\nprofile_shell=\".$(basename $(echo $SHELL))rc\" # Get current shell profile\r\nreconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version\r\ngenerate_resolvers=false # Generate custom resolvers with dnsvalidator\r\nupdate_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution\r\nresolvers_url=\"https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt\"\r\nresolvers_trusted_url=\"https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt\"\r\nfuzzing_remote_list=\"https://raw.githubusercontent.com/six2dez/OneListForAll/main/onelistforallmicro.txt\" # Sent to axiom (if used) for fuzzing\r\nproxy_url=\"http://127.0.0.1:8080/\" # Proxy URL\r\ninstall_golang=true # Set it to false if you already have Golang configured and 
ready\r\nupgrade_tools=true\r\nupgrade_before_running=false # Upgrade tools before running\r\n#dir_output=/custom/output/path\r\n\r\n# Golang Vars (Comment or change on your own)\r\nexport GOROOT=/usr/local/go\r\nexport GOPATH=$HOME/go\r\nexport PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH\r\n\r\n# Rust Vars (Comment or change on your own)\r\nexport PATH=\"$HOME/.cargo/bin:$PATH\"\r\n\r\n# Tools config files\r\n#NOTIFY_CONFIG=~/.config/notify/provider-config.yaml # No need to define\r\nGITHUB_TOKENS=${tools}/.github_tokens\r\nGITLAB_TOKENS=${tools}/.gitlab_tokens\r\n#CUSTOM_CONFIG=custom_config_path.txt # In case you use a custom config file, uncomment this line and set your file's path\r\n\r\n# APIs/TOKENS - Uncomment the lines you want by removing the '#' at the beginning of the line\r\n#SHODAN_API_KEY=\"XXXXXXXXXXXXX\"\r\n#WHOISXML_API=\"XXXXXXXXXX\"\r\n#XSS_SERVER=\"XXXXXXXXXXXXXXXXX\"\r\n#COLLAB_SERVER=\"XXXXXXXXXXXXXXXXX\"\r\n#slack_channel=\"XXXXXXXX\"\r\n#slack_auth=\"xoXX-XXX-XXX-XXX\"\r\n\r\n# File descriptors\r\nDEBUG_STD=\"\u0026\u003e/dev/null\" # Skips STD output on installer\r\nDEBUG_ERROR=\"2\u003e/dev/null\" # Skips ERR output on installer\r\n\r\n# Osint\r\nOSINT=true # Enable or disable the whole OSINT module\r\nGOOGLE_DORKS=true\r\nGITHUB_DORKS=true\r\nGITHUB_REPOS=true\r\nMETADATA=true # Fetch metadata from indexed office documents\r\nEMAILS=true # Fetch emails from different sites\r\nDOMAIN_INFO=true # whois info\r\nIP_INFO=true    # Reverse IP search, geolocation and whois\r\nAPI_LEAKS=true # Check for API leaks\r\nTHIRD_PARTIES=true # Check for third-party misconfigs\r\nSPOOF=true # Check spoofable domains\r\nMETAFINDER_LIMIT=20 # Max 250\r\n\r\n# Subdomains\r\nSUBDOMAINS_GENERAL=true # Enable or disable the whole Subdomains module\r\nSUBPASSIVE=true # Passive subdomain search\r\nSUBCRT=true # crtsh search\r\nCTR_LIMIT=999999 # Limit the number of results\r\nSUBNOERROR=false # Check DNS NOERROR response and BF on 
them\r\nSUBANALYTICS=true # Google Analytics search\r\nSUBBRUTE=true # DNS bruteforcing\r\nSUBSCRAPING=true # Subdomain extraction from web crawling\r\nSUBPERMUTE=true # DNS permutations\r\nSUBREGEXPERMUTE=true # Permutations by regex analysis\r\nPERMUTATIONS_OPTION=gotator # The alternative is \"ripgen\" (faster, not deeper)\r\nGOTATOR_FLAGS=\" -depth 1 -numbers 3 -mindup -adv -md\" # Flags for gotator\r\nSUBTAKEOVER=true # Check subdomain takeovers (nuclei already checks this too)\r\nSUB_RECURSIVE_PASSIVE=false # Uses a lot of API key queries\r\nDEEP_RECURSIVE_PASSIVE=10 # Number of top subdomains for recursion\r\nSUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve\r\nZONETRANSFER=true # Check zone transfer\r\nS3BUCKETS=true # Check S3 bucket misconfigs\r\nREVERSE_IP=false # Check reverse IP subdomain search (set true if your target is a CIDR/IP)\r\nTLS_PORTS=\"21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,684,695,832,853,854,990,993,989,992,994,995,1129,1131,1184,2083,2087,2089,2096,2221,2252,2376,2381,2478,2479,2482,2484,2679,2762,3077,3078,3183,3191,3220,3269,3306,3410,3424,3471,3496,3509,3529,3539,3535,3660,36611,3713,3747,3766,3864,3885,3995,3896,4031,4036,4062,4064,4081,4083,4116,4335,4336,4536,4590,4740,4843,4849,5443,5007,5061,5321,5349,5671,5783,5868,5986,5989,5990,6209,6251,6443,6513,6514,6619,6697,6771,7202,7443,7673,7674,7677,7775,8243,8443,8991,8989,9089,9295,9318,9443,9444,9614,9802,10161,10162,11751,12013,12109,14143,15002,16995,41230,16993,20003\"\r\nINSCOPE=false # Uses the inscope tool to filter the scope, requires a .scope file in the reconftw folder\r\n\r\n# Web detection\r\nWEBPROBESIMPLE=true # Web probing on 80/443\r\nWEBPROBEFULL=true # Web probing on a large port list\r\nWEBSCREENSHOT=true # Web screenshotting\r\nVIRTUALHOSTS=false # Check virtualhosts by fuzzing HOST 
header\r\nUNCOMMON_PORTS_WEB=\"81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3001,3002,3003,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672\"\r\n\r\n# Host\r\nFAVICON=true # Favicon-based domain discovery\r\nPORTSCANNER=true # Enable or disable the whole Port scanner module\r\nGEO_INFO=true # Fetch geolocation info\r\nPORTSCAN_PASSIVE=true # Port scanner with Shodan\r\nPORTSCAN_ACTIVE=true # Port scanner with nmap\r\nPORTSCAN_ACTIVE_OPTIONS=\"--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners\"\r\nCDN_IP=true # Check which IPs belong to a CDN\r\n\r\n# Web analysis\r\nWAF_DETECTION=true # Detect WAFs\r\nNUCLEICHECK=true # Enable or disable nuclei\r\nNUCLEI_TEMPLATES_PATH=\"$HOME/nuclei-templates\" # Set nuclei templates path\r\nNUCLEI_SEVERITY=\"info,low,medium,high,critical\" # Template severities to run\r\nNUCLEI_EXTRA_ARGS=\"\" # Additional nuclei flags; put exclusions here, like \" -etags openssh\", not the severity\r\n#NUCLEI_EXTRA_ARGS=\"-etags openssh,ssl -eid node-express-dev-env,keycloak-xss,CVE-2023-24044,CVE-2021-20323,header-sql,header-reflection\" # Example: exclude templates by tag (-etags) and by id (-eid)\r\nNUCLEI_FLAGS=\" -silent -t ${NUCLEI_TEMPLATES_PATH}/ -retries 2\" # Base nuclei flags; the severity comes from NUCLEI_SEVERITY\r\nNUCLEI_FLAGS_JS=\" -silent -tags exposure,token -severity info,low,medium,high,critical\" # Nuclei flags for JS secrets\r\nURL_CHECK=true # Enable or disable URL collection\r\nURL_CHECK_PASSIVE=true # Search for urls, passive methods 
from Archive, OTX, CommonCrawl, etc\r\nURL_CHECK_ACTIVE=true # Search for urls by crawling the websites\r\nURL_GF=true # URL pattern classification\r\nURL_EXT=true # Split the collected URLs into lists by file extension\r\nJSCHECKS=true # JS analysis\r\nFUZZ=true # Web fuzzing\r\nIIS_SHORTNAME=true # IIS short name (8.3) enumeration\r\nCMS_SCANNER=true # CMS scanner\r\nWORDLIST=true # Wordlist generation\r\nROBOTSWORDLIST=true # Check historic disallow entries on waybackMachine\r\nPASSWORD_DICT=true # Generate password dictionary\r\nPASSWORD_MIN_LENGTH=5 # Min password length\r\nPASSWORD_MAX_LENGTH=14 # Max password length\r\nCLOUDHUNTER_PERMUTATION=NORMAL # Options: DEEP (very slow), NORMAL (slow), NONE\r\nNUCLEI_FUZZING_TEMPLATES_PATH=\"${tools}/fuzzing-templates\" # Set nuclei fuzzing templates path\r\n\r\n# Vulns\r\nVULNS_GENERAL=false # Enable or disable the vulnerability module (very intrusive and slow)\r\nXSS=true # Check for xss with dalfox\r\nCORS=true # CORS misconfigs\r\nTEST_SSL=true # SSL misconfigs\r\nOPEN_REDIRECT=true # Check open redirects\r\nSSRF_CHECKS=true # SSRF checks\r\nCRLF_CHECKS=true # CRLF checks\r\nLFI=true # LFI by fuzzing\r\nSSTI=true # SSTI by fuzzing\r\nSQLI=true # Check SQLI\r\nSQLMAP=true # Check SQLI with sqlmap\r\nGHAURI=false # Check SQLI with ghauri\r\nBROKENLINKS=true # Check for broken links\r\nSPRAY=true # Performs password spraying\r\nCOMM_INJ=true # Check for command injections with commix\r\nPROTO_POLLUTION=true # Check for prototype pollution flaws\r\nSMUGGLING=true # Check for HTTP request smuggling flaws\r\nWEBCACHE=true # Check for Web Cache issues\r\nBYPASSER4XX=true # Check for 4XX bypasses\r\nFUZZPARAMS=true # Fuzz parameter values\r\n\r\n# Extra features\r\nNOTIFICATION=false # Notification for every function\r\nSOFT_NOTIFICATION=false # Only for start/end\r\nDEEP=false # DEEP mode: really slow, ignores the result-count limits below\r\nDEEP_LIMIT=500 # A step is skipped above this many results unless you run DEEP\r\nDEEP_LIMIT2=1500 # Second, higher limit with the same rule, only passed when you run 
DEEP\r\nDIFF=false # Diff function: run every module over an already scanned target, printing only new findings (but saving everything)\r\nREMOVETMP=false # Delete temporary files after execution (to free up space)\r\nREMOVELOG=false # Delete logs after execution\r\nPROXY=false # Send the websites found to the proxy\r\nSENDZIPNOTIFY=false # Send the zipped results (over notify)\r\nPRESERVE=true      # set to true to avoid deleting the .called_fn files on really large scans\r\nFFUF_FLAGS=\" -mc all -fc 404 -sf -noninteractive -of json\" # Ffuf flags\r\nHTTPX_FLAGS=\" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length\" # Httpx flags for simple web probing\r\n\r\n# HTTP options\r\nHEADER=\"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0\" # Default header\r\n\r\n# Threads\r\nFFUF_THREADS=40\r\nHTTPX_THREADS=50\r\nHTTPX_UNCOMMONPORTS_THREADS=100\r\nKATANA_THREADS=20\r\nBRUTESPRAY_THREADS=20\r\nBRUTESPRAY_CONCURRENCE=10\r\nDNSTAKE_THREADS=100\r\nDALFOX_THREADS=200\r\nPUREDNS_PUBLIC_LIMIT=0 # 0 means unlimited; set it between 2000 and 10000 if your router cannot keep up\r\nPUREDNS_TRUSTED_LIMIT=400\r\nPUREDNS_WILDCARDTEST_LIMIT=30\r\nPUREDNS_WILDCARDBATCH_LIMIT=1500000\r\nRESOLVE_DOMAINS_THREADS=150\r\nDNSVALIDATOR_THREADS=200\r\nINTERLACE_THREADS=10\r\nTLSX_THREADS=1000\r\nXNLINKFINDER_DEPTH=3\r\n\r\n# Rate limits\r\nHTTPX_RATELIMIT=150\r\nNUCLEI_RATELIMIT=150\r\nFFUF_RATELIMIT=0\r\n\r\n# Timeouts\r\nSUBFINDER_ENUM_TIMEOUT=180          # Minutes\r\nCMSSCAN_TIMEOUT=3600            # Seconds\r\nFFUF_MAXTIME=900                # Seconds\r\nHTTPX_TIMEOUT=10                # Seconds\r\nHTTPX_UNCOMMONPORTS_TIMEOUT=10  # Seconds\r\nPERMUTATIONS_LIMIT=21474836480  # Bytes, default is 20 GB\r\n\r\n# 
lists\r\nfuzz_wordlist=${tools}/fuzz_wordlist.txt\r\nlfi_wordlist=${tools}/lfi_wordlist.txt\r\nssti_wordlist=${tools}/ssti_wordlist.txt\r\nsubs_wordlist=${tools}/subdomains.txt\r\nsubs_wordlist_big=${tools}/subdomains_n0kovo_big.txt\r\nresolvers=${tools}/resolvers.txt\r\nresolvers_trusted=${tools}/resolvers_trusted.txt\r\n\r\n# Axiom Fleet\r\n# A new fleet is not started if one exists with the same name and size (or larger)\r\n# AXIOM=false # Uncomment only to override the command line flag\r\nAXIOM_FLEET_LAUNCH=true # Spin up a new fleet; if false, the existing fleet with the AXIOM_FLEET_NAME prefix is used\r\nAXIOM_FLEET_NAME=\"reconFTW\" # Fleet's prefix name\r\nAXIOM_FLEET_COUNT=10 # Number of instances in the fleet\r\nAXIOM_FLEET_REGIONS=\"eu-central\" # Fleet's region\r\nAXIOM_FLEET_SHUTDOWN=true # Delete the fleet after execution\r\n# This is a script on your reconftw host that might prep things your way...\r\n#AXIOM_POST_START=\"~/Tools/axiom_config.sh\" # Useful to send your config files to the fleet\r\nAXIOM_EXTRA_ARGS=\"\" # Leave empty if you don't want to add extra arguments\r\n#AXIOM_EXTRA_ARGS=\" --rm-logs\" # Example\r\n\r\n# Faraday-Server\r\nFARADAY=false # Enable or disable Faraday integration\r\nFARADAY_SERVER=\"http://localhost:5985\" # Faraday server address\r\nFARADAY_USER=\"faraday\" # Faraday user\r\nFARADAY_PASS=\"FARADAY_PASSWORD\" # Faraday password\r\nFARADAY_WORKSPACE=\"reconftw\" # Faraday workspace\r\n\r\n# TERM COLORS\r\nbred='\\033[1;31m'\r\nbblue='\\033[1;34m'\r\nbgreen='\\033[1;32m'\r\nbyellow='\\033[1;33m'\r\nred='\\033[0;31m'\r\nblue='\\033[0;34m'\r\ngreen='\\033[0;32m'\r\nyellow='\\033[0;33m'\r\nreset='\\033[0m'\r\n\r\n```\r\n\r\n\u003c/details\u003e\r\n\r\n# Usage\r\n\r\n\u003e Check the wiki to see which steps/attacks each flag runs: [Usage Guide](https://github.com/six2dez/reconftw/wiki/2.-Usage-Guide) :book:\r\n\r\n## TARGET OPTIONS\r\n\r\n| Flag | Description                            
 |\r\n| ---- | ---------------------------------------- |\r\n| -d   | Single Target domain _(example.com)_     |\r\n| -l   | List of targets _(one per line)_         |\r\n| -m   | Multiple domain target _(companyName)_   |\r\n| -x   | Exclude subdomains list _(Out Of Scope)_ |\r\n| -i   | Include subdomains list _(In Scope)_     |\r\n\r\n## MODE OPTIONS\r\n\r\n| Flag | Description                                                                       |\r\n| ---- | --------------------------------------------------------------------------------- |\r\n| -r   | Recon - Full recon process (without attacks like sqli,ssrf,xss,ssti,lfi etc.)     |\r\n| -s   | Subdomains - Perform only subdomain enumeration, web probing, subdomain takeovers |\r\n| -p   | Passive - Perform only passive steps                                              |\r\n| -a   | All - Perform whole recon and all active attacks                                  |\r\n| -w   | Web - Perform only vulnerability checks/attacks on particular target              |\r\n| -n   | OSINT - Performs an OSINT scan (no subdomain enumeration and attacks)             |\r\n| -z   | Zen - Performs a recon process covering the basics and some vulns                 |\r\n| -c   | Custom - Launches specific function against target                                |\r\n| -h   | Help - Show this help menu                                                        |\r\n\r\n## GENERAL OPTIONS\r\n\r\n| Flag          | Description                                                               |\r\n| ------------- | ------------------------------------------------------------------------- |\r\n| --deep        | Deep scan (Enable some slow options for deeper scan, _vps intended mode_) |\r\n| -f            | Custom config file path                                                   |\r\n| -o            | Output directory                                                          |\r\n| -v            | Axiom distributed VPS                           
                          |\r\n| -q            | Rate limit in requests per second                                         |\r\n| --check-tools | Exit if one of the tools is missing                                       |\r\n\r\n## Example Usage\r\n\r\n**NOTE: this is applicable when you've installed reconFTW on the host (e.g. VM/VPS/cloud) and not in a Docker container.**\r\n\r\n### To perform a full recon on single target\r\n\r\n```bash\r\n./reconftw.sh -d target.com -r\r\n```\r\n\r\n### To perform a full recon on a list of targets\r\n\r\n```bash\r\n./reconftw.sh -l sites.txt -r -o /output/directory/\r\n```\r\n\r\n### Perform full recon with more time intense tasks _(VPS intended only)_\r\n\r\n```bash\r\n./reconftw.sh -d target.com -r --deep -o /output/directory/\r\n```\r\n\r\n### Perform recon in a multi domain target\r\n\r\n```bash\r\n./reconftw.sh -m company -l domains_list.txt -r\r\n```\r\n\r\n### Perform recon with axiom integration\r\n\r\n```bash\r\n./reconftw.sh -d target.com -r -v\r\n```\r\n\r\n### Perform all steps (whole recon + all attacks) a.k.a. 
YOLO mode\r\n\r\n```bash\r\n./reconftw.sh -d target.com -a\r\n```\r\n\r\n### Show help section\r\n\r\n```bash\r\n./reconftw.sh -h\r\n```\r\n\r\n# Axiom Support :cloud:\r\n\r\n![](https://i.ibb.co/Jzrgkqt/axiom-readme.png)\r\n\r\n\u003e Check out the wiki section for more info [Axiom Support](https://github.com/six2dez/reconftw/wiki/5.-Axiom-version)\r\n\r\n- reconFTW generates a lot of web traffic against the target, so the workload can be distributed across an Axiom fleet, which reduces execution time.\r\n- During the configuration of axiom you need to select `reconftw` as provisioner.\r\n- You can create your own axiom fleet before running reconFTW, or let reconFTW create and destroy it automatically by adjusting the reconftw.cfg file.\r\n\r\n# Faraday Support :computer:\r\n\r\n- For Faraday Community support, install Faraday yourself, authenticate with faraday-cli and set the workspace both in the config file and in faraday-cli.\r\n\r\n# Sample video\r\n\r\n![Video](images/reconFTW.gif)\r\n\r\n# :fire: Features :fire:\r\n\r\n## Osint\r\n\r\n- Domain information ([whois](https://github.com/rfc1036/whois))\r\n- Email addresses and password leaks ([emailfinder](https://github.com/Josue87/EmailFinder) and [LeakSearch](https://github.com/JoelGMSec/LeakSearch))\r\n- Microsoft 365 and Azure tenant mapper ([msftrecon](https://github.com/Arcanum-Sec/msftrecon))\r\n- Metadata finder ([MetaFinder](https://github.com/Josue87/MetaFinder))\r\n- API leaks search ([porch-pirate](https://github.com/MandConsultingGroup/porch-pirate) and [SwaggerSpy](https://github.com/UndeadSec/SwaggerSpy))\r\n- Google Dorks ([dorks_hunter](https://github.com/six2dez/dorks_hunter) and [xnldorker](https://github.com/xnl-h4ck3r/xnldorker))\r\n- GitHub org's repos analysis ([enumerepo](https://github.com/trickest/enumerepo), [trufflehog](https://github.com/trufflesecurity/trufflehog) and 
[gitleaks](https://github.com/gitleaks/gitleaks))\r\n- Third-party misconfigurations ([misconfig-mapper](https://github.com/intigriti/misconfig-mapper))\r\n- Spoofable domains ([spoofcheck](https://github.com/MattKeeley/Spoofy))\r\n\r\n## Subdomains\r\n\r\n- Passive ([subfinder](https://github.com/projectdiscovery/subfinder) and [github-subdomains](https://github.com/gwen001/github-subdomains))\r\n- Certificate transparency ([crt](https://github.com/cemulus/crt))\r\n- NOERROR subdomain discovery ([dnsx](https://github.com/projectdiscovery/dnsx), more info [here](https://www.securesystems.de/blog/enhancing-subdomain-enumeration-ents-and-noerror/))\r\n- Bruteforce ([puredns](https://github.com/d3mondev/puredns))\r\n- Permutations ([Gotator](https://github.com/Josue87/gotator), [ripgen](https://github.com/resyncgg/ripgen) and [regulator](https://github.com/cramppet/regulator))\r\n- JS files \u0026 Source Code Scraping ([katana](https://github.com/projectdiscovery/katana))\r\n- DNS Records ([dnsx](https://github.com/projectdiscovery/dnsx))\r\n- Google Analytics ID ([AnalyticsRelationships](https://github.com/Josue87/AnalyticsRelationships))\r\n- TLS handshake ([tlsx](https://github.com/projectdiscovery/tlsx))\r\n- Recursive search ([dsieve](https://github.com/trickest/dsieve))\r\n- Subdomain takeover ([nuclei](https://github.com/projectdiscovery/nuclei))\r\n- DNS takeover ([dnstake](https://github.com/pwnesia/dnstake))\r\n- DNS Zone Transfer ([dig](https://linux.die.net/man/1/dig))\r\n- Cloud checkers ([S3Scanner](https://github.com/sa7mon/S3Scanner) and [CloudHunter](https://github.com/belane/CloudHunter))\r\n\r\n## Hosts\r\n\r\n- IP info ([ipinfo](https://www.ipinfo.io/))\r\n- CDN checker ([ipcdn](https://github.com/six2dez/ipcdn))\r\n- WAF checker ([wafw00f](https://github.com/EnableSecurity/wafw00f))\r\n- Port Scanner (Active with [nmap](https://github.com/nmap/nmap) and passive with [smap](https://github.com/s0md3v/Smap))\r\n- Port service vulnerability checks 
([vulners](https://github.com/vulnersCom/nmap-vulners))\r\n- Password spraying ([brutespray](https://github.com/x90skysn3k/brutespray))\r\n- Geolocation info (ipinfo.io)\r\n\r\n## Webs\r\n\r\n- Web Prober ([httpx](https://github.com/projectdiscovery/httpx))\r\n- Web screenshotting ([nuclei](https://github.com/projectdiscovery/nuclei))\r\n- Web template scanner ([nuclei](https://github.com/projectdiscovery/nuclei) and [nuclei geeknik](https://github.com/geeknik/the-nuclei-templates.git))\r\n- CMS Scanner ([CMSeeK](https://github.com/Tuhinshubhra/CMSeeK))\r\n- URL extraction ([urlfinder](https://github.com/projectdiscovery/urlfinder), [katana](https://github.com/projectdiscovery/katana), [github-endpoints](https://gist.github.com/six2dez/d1d516b606557526e9a78d7dd49cacd3) and [JSA](https://github.com/w9w/JSA))\r\n- URL pattern search and filtering ([urless](https://github.com/xnl-h4ck3r/urless), [gf](https://github.com/tomnomnom/gf) and [gf-patterns](https://github.com/1ndianl33t/Gf-Patterns))\r\n- Favicon Real IP ([fav-up](https://github.com/pielco11/fav-up))\r\n- JavaScript analysis ([subjs](https://github.com/lc/subjs), [JSA](https://github.com/w9w/JSA), [xnLinkFinder](https://github.com/xnl-h4ck3r/xnLinkFinder), [getjswords](https://github.com/m4ll0k/BBTz), [mantra](https://github.com/MrEmpy/mantra), [jsluice](https://github.com/BishopFox/jsluice))\r\n- Sourcemap JS extraction ([sourcemapper](https://github.com/denandz/sourcemapper))\r\n- Fuzzing ([ffuf](https://github.com/ffuf/ffuf))\r\n- URL sorting by extension\r\n- Wordlist generation\r\n- Password dictionary creation ([pydictor](https://github.com/LandGrey/pydictor))\r\n\r\n## Vulnerability checks\r\n\r\n- XSS ([dalfox](https://github.com/hahwul/dalfox))\r\n- Open redirect ([Oralyzer](https://github.com/r0075h3ll/Oralyzer))\r\n- SSRF (headers with [interactsh](https://github.com/projectdiscovery/interactsh) and param values with [ffuf](https://github.com/ffuf/ffuf))\r\n- CRLF 
([crlfuzz](https://github.com/dwisiswant0/crlfuzz))\r\n- CORS ([Corsy](https://github.com/s0md3v/Corsy))\r\n- LFI Checks ([ffuf](https://github.com/ffuf/ffuf))\r\n- SQLi Check ([SQLMap](https://github.com/sqlmapproject/sqlmap) and [ghauri](https://github.com/r0oth3x49/ghauri))\r\n- SSTI ([ffuf](https://github.com/ffuf/ffuf))\r\n- SSL tests ([testssl](https://github.com/drwetter/testssl.sh))\r\n- Broken Links Checker ([katana](https://github.com/projectdiscovery/katana))\r\n- Prototype Pollution ([ppmap](https://github.com/kleiton0x00/ppmap))\r\n- Web Cache Vulnerabilities ([Web-Cache-Vulnerability-Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner))\r\n- 4XX Bypasser ([nomore403](https://github.com/devploit/nomore403))\r\n\r\n## Extras\r\n\r\n- Multithreading ([Interlace](https://github.com/codingo/Interlace))\r\n- Custom resolvers generated list ([dnsvalidator](https://github.com/vortexau/dnsvalidator))\r\n- Docker container included and [DockerHub](https://hub.docker.com/r/six2dez/reconftw) integration\r\n- Ansible + Terraform deployment over AWS\r\n- Allows IP/CIDR as target\r\n- Resume the scan from the last performed step\r\n- Custom output folder option\r\n- All-in-one installer/updater script compatible with most distros\r\n- Diff support for continuous running (cron mode)\r\n- Support for targets with multiple domains\r\n- Raspberry Pi/ARM support\r\n- 7 modes (recon, passive, subdomains, web, osint, zen and all)\r\n- Integration with FaradaySec for webUI and reporting\r\n- Out of Scope Support + optional [inscope](https://github.com/tomnomnom/hacks/tree/master/inscope) support\r\n- Notification system with Slack, Discord and Telegram ([notify](https://github.com/projectdiscovery/notify)) and support for sending zipped results\r\n\r\n## Mindmap/Workflow\r\n\r\n![Mindmap](images/mindmap_obsidian.png)\r\n\r\n## Data Keep\r\n\r\nFollow these simple steps to end up with a private repository with your `API Keys` and `/Recon` data.\r\n\r\n### 
Makefile\r\n\r\nA `Makefile` is provided to quickly bootstrap a private repo. To use it, you'll need the [Github CLI](https://cli.github.com/) installed.\r\n\r\nOnce done, just run:\r\n\r\n```bash\r\n# below line is optional, the default is ~/reconftw-data\r\nexport PRIV_REPO=\"$HOME/reconftw-data\"\r\nmake bootstrap\r\n```\r\n\r\nTo sync your private repo with upstream:\r\n\r\n```bash\r\nmake sync\r\n```\r\n\r\nTo upload juicy recon data:\r\n\r\n```bash\r\nmake upload\r\n```\r\n\r\n### Manual\r\n\r\n- Create a private **blank** repository on `Git(Hub|Lab)` (Take into account size limits regarding Recon data upload)\r\n\r\n- Clone your project: `git clone https://gitlab.com/example/reconftw-data`\r\n- Get inside the cloned repository: `cd reconftw-data`\r\n- Create a new branch with an empty commit: `git commit --allow-empty -m \"Empty commit\"`\r\n- Add the official repo as a new remote: `git remote add upstream https://github.com/six2dez/reconftw` (`upstream` is an example)\r\n- Update upstream's repo: `git fetch upstream`\r\n- Rebase current branch with the official one: `git rebase upstream/main master`\r\n\r\n### Main commands\r\n\r\n- Upload changes to your personal repo: `git add . \u0026\u0026 git commit -m \"Data upload\" \u0026\u0026 git push origin master`\r\n- Update tool anytime: `git fetch upstream \u0026\u0026 git rebase upstream/main master`\r\n\r\n## How to contribute\r\n\r\nIf you want to contribute to this project, you can do it in multiple ways:\r\n\r\n- Submitting an [issue](https://github.com/six2dez/reconftw/issues/new/choose) because you have found a bug or you have any suggestion or request.\r\n- Making a Pull Request from [dev](https://github.com/six2dez/reconftw/tree/dev) branch because you want to improve the code or add something to the script.\r\n\r\n## Need help? 
:information_source:\r\n\r\n- Take a look at the [wiki](https://github.com/six2dez/reconftw/wiki) section.\r\n- Check [FAQ](https://github.com/six2dez/reconftw/wiki/7.-FAQs) for commonly asked questions.\r\n- Join our [Discord server](https://discord.gg/R5DdXVEdTy)\r\n- Ask for help in the [Telegram group](https://t.me/joinchat/TO_R8NYFhhbmI5co)\r\n\r\n## Support this project\r\n\r\n### Buymeacoffee\r\n\r\n[\u003cimg src=\"https://cdn.buymeacoffee.com/buttons/v2/default-green.png\"\u003e](https://www.buymeacoffee.com/six2dez)\r\n\r\n### DigitalOcean referral link\r\n\r\n\u003ca href=\"https://www.digitalocean.com/?refcode=f362a6e193a1\u0026utm_campaign=Referral_Invite\u0026utm_medium=Referral_Program\u0026utm_source=badge\"\u003e\u003cimg src=\"https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg\" alt=\"DigitalOcean Referral Badge\" /\u003e\u003c/a\u003e\r\n\r\n### GitHub sponsorship\r\n\r\n[Sponsor](https://github.com/sponsors/six2dez)\r\n\r\n## Thanks :pray:\r\n\r\n- Thank you for lending a helping hand towards the development of the project!\r\n\r\n- [C99](https://api.c99.nl/)\r\n- [CIRCL](https://www.circl.lu/)\r\n- [NetworksDB](https://networksdb.io/)\r\n- [ipinfo](https://ipinfo.io/)\r\n- [hackertarget](https://hackertarget.com/)\r\n- [Censys](https://censys.io/)\r\n- [Fofa](https://fofa.info/)\r\n- [intelx](https://intelx.io/)\r\n- [Whoxy](https://www.whoxy.com/)\r\n\r\n## Disclaimer\r\n\r\nUsage of this program for attacking targets without consent is illegal. It is the user's responsibility to obey all applicable laws. The developer assumes no liability and is not responsible for any misuse or damage caused by this program. 
Please use responsibly.\r\n\r\nThe material contained in this repository is licensed under MIT.\r\n\r\n## Star History\r\n\r\n[![Star History Chart](https://api.star-history.com/svg?repos=six2dez/reconftw\u0026type=Date)](https://www.star-history.com/#six2dez/reconftw\u0026Date)\r\n","funding_links":["https://github.com/sponsors/six2dez","buymeacoffee.com/six2dez","https://www.paypal.com/paypalme/six2dez","https://www.buymeacoffee.com/six2dez"],"categories":["Shell","HTML","Weapons","Shell (473)","[](#table-of-contents) Table of contents","bugbounty","Web","security-tools","Recon"],"sub_categories":["Tools","[](#dorkspentestvulnerabilities)Dorks/Pentest/Vulnerabilities","Web Vulnerability Scanners"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsix2dez%2Freconftw","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsix2dez%2Freconftw","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsix2dez%2Freconftw/lists"}