Warning
This is a live development project, until the first stable release (1.0) it will be constantly updated in the master branch, so if you have detected any bug, you can open an issue or ping me over Telegram or Twitter and I will try to do my best 🙂
More: https://github.com/six2dez/reconftw
Summary
ReconFTW performs automated enumeration of subdomains via various techniques and further scanning for vulnerabilities, to give you potential vulns.
Installation
- Installation Guide
- Requires Golang > 1.14 installed and paths correctly set ($GOPATH,$GOROOT)
git clone https://github.com/six2dez/reconftw
cd reconftw
chmod +x *.sh
./install.sh
./reconftw.sh -d target.com -a
- It is highly recommended, and in some cases essential, to set your API keys or env variables:
- amass (
~/.config/amass/config.ini
) - subfinder (
~/.config/subfinder/config.yaml
) - git-hound (
~/.githound/config.yml
) - github-endpoints.py (
GITHUB_TOKEN
env var) - favup (
shodan init <SHODANPAIDAPIKEY>
) - SSRF Server (
COLLAB_SERVER
env var) - Blind XSS Server (
XSS_SERVER
env var)
- amass (
- This script uses dalfox with blind-xss option, you must change to your own server, check xsshunter.com.
Usage
TARGET OPTIONS -d DOMAIN Target domain -l list.txt Targets list, one per line -x oos.txt Exclude subdomains list (Out Of Scope) MODE OPTIONS -a Perform all checks -s Full subdomains scan (Subs, tko and probe) -g Google dorks searches -w Perform web checks only without subs (-l required) -t Check subdomain takeover(-l required) -i Check all needed tools -v Debug/verbose mode, no file descriptor redir -h Show this help SUBDOMAIN OPTIONS --sp Passive subdomain scans --sb Bruteforce subdomain resolution --sr Subdomain permutations and resolution (-l required) --ss Subdomain scan by scraping (-l required) OUTPUT OPTIONS -o output/path Define output folder
Features
- Google Dorks (degoogle_hunter)
- Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Subdomain JS Scraping (JSFinder)
- Sub TKO (subjack and nuclei)
- Web Prober (httpx)
- Web screenshot (aquatone)
- Template scanner (nuclei)
- Port Scanner (naabu)
- Url extraction (waybackurls, gau, hakrawler, github-endpoints)
- Pattern Search (gf and gf-patterns)
- Param discovery (paramspider and arjun)
- XSS (Gxss and dalfox)
- Open redirect (Openredirex)
- SSRF checks (asyncio_ssrf.py)
- Github Check (git-hound)
- Favicon Real IP (fav-up)
- JS Checks (LinkFinder, scripts from JSFScan)
- Fuzzing (ffuf)
- Cors (Corsy)
- SSL Check (testssl)
- Multithread in some steps (Interlace)
- Custom output folder (default under Recon/target.com/)
- Run standalone steps (subdomains, subtko, web, gdorks…)
- Polished installer compatible with most distros
- Verbose mode
- Update tools script
- Raspberry Pi support
Mindmap/Workflow
Improvement plan:
These are the last features that we have implemented, take a look at our pending features or suggest a new feature in the issues section:
✔️ Exclude Out Of Scope
✔️ Better outputs
✔️ RPI support
✔️ Open Redirect with Openredirex
✔️ SSRF Checks
✔️ More error checks
✔️ More verbose
✔️ Enhance this Readme
✔️ Customize output folder
✔️ Interlace usage
✔️ Crawler
✔️ JSFinder
✔️ Install script
✔️ Apt,rpm,pacman compatible installer
You can support this work by buying me a coffee:
Thanks
For their great feedback, support, help, or for nothing special but well deserved:
Leave a Reply