reconFTW – Yet another new recon tool

According to its GitHub page, reconFTW is described as:

ReconFTW automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.

ReconFTW uses a lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records…) for subdomain enumeration which helps you to get the maximum and the most interesting subdomains so that you can be ahead of the competition.

It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, port scanning, screenshots, nuclei scans on your target.

Installation

It can be installed in three different ways (PC/VM/VPS, Docker, and Terraform + Ansible).

In this case, I’m using the VPS option.

$ git clone https://github.com/six2dez/reconftw

Cloning into 'reconftw'...
remote: Enumerating objects: 4372, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 4372 (delta 2), reused 5 (delta 2), pack-reused 4360
Receiving objects: 100% (4372/4372), 114.16 MiB | 19.92 MiB/s, done.
Resolving deltas: 100% (2784/2784), done.

$ cd reconftw/
$ ./install.sh

#######################################################################
 reconFTW installer/updater script

 This may take time. So, go grab a coffee!

 Running: Looking for new reconFTW version

 reconFTW is already up to date!

 Running: Installing system packages

 Running: Installing/Updating Golang

 Running: Installing requirements

 Running: Installing Golang tools (37)
 ...
 Running: Installing repositories (26)
 ...
  Running: Downloading required files

 Running: Performing last configurations

 Remember set your api keys:
 - amass (~/.config/amass/config.ini)
 - subfinder (~/.config/subfinder/provider-config.yaml)
 - GitHub (~/Tools/.github_tokens)
 - SSRF Server (COLLAB_SERVER in reconftw.cfg or env var)
 - Blind XSS Server (XSS_SERVER in reconftw.cfg or env var)
 - notify (~/.config/notify/provider-config.yaml)
 - theHarvester (~/Tools/theHarvester/api-keys.yaml or /etc/theHarvester/api-keys.yaml)
 - H8mail (~/Tools/h8mail_config.ini)
 - WHOISXML API (WHOISXML_API in reconftw.cfg or env var)

 Finished!

#######################################################################

To update, you just have to run the installer/updater install.sh script again.

The whole execution of the tool is managed through the reconftw.cfg config file (module toggles, API keys and the collaborator servers listed by the installer above).

Usage

Target options

-d: Single target domain
./reconftw.sh -d target.com -r

-l: Specify a list of target domains (targets.txt)
./reconftw.sh -l targets.txt -r

Mode options

-r: Recon – Full recon process (only recon without attacks)
./reconftw.sh -d target.com -r

-s: Subdomains – Search subdomains, check take-overs and web probe
./reconftw.sh -d target.com -s

-p: Passive – Performs only passive steps
./reconftw.sh -d target.com -p

-w: Web – Just web checks from the list provided
./reconftw.sh -l targetlist.txt -w

-a: All – Perform all checks and exploitations
./reconftw.sh -d target.com -a

-n: Osint – Just checks for public intel info
./reconftw.sh -d target.com -n

General options

--deep: Deep scan (Enable some slow options for a deeper scan)
./reconftw.sh -d target.com [mode] --deep

Output options

-o: Define the output folder
./reconftw.sh -d target.com -r -o /output/directory/

The full usage documentation can be found here.
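The modes above differ in how hard they hit the target: -a runs the exploitation modules, while -r, -s, -p and -n stay on the recon side, and -l feeds a whole file of targets into whichever mode you pick. Before that file reaches reconftw.sh it is worth vetting it against the authorised scope, so that a stray entry (a wildcard, a URL, a lookalike domain, a host the program has excluded) does not get scanned or attacked. The script below is an added example written for this post, not part of reconFTW; it assumes a scope file format of one apex domain per line with a leading "!" marking an excluded subtree (an assumption for this example, not a reconFTW format), and it builds the invocation from the -l, mode and -o flags listed above.

```sh
#!/bin/sh
# Added example, not reconFTW's own code: vet a candidate target list against
# an authorised scope before handing it to ./reconftw.sh -l.
#
# Assumed scope file format (an assumption for this example, not a reconFTW
# format): one apex domain per line; a leading "!" excludes that subtree;
# blank lines and "#" comments are ignored. Exclusions win over inclusions.

# in_scope DOMAIN SCOPE_FILE -> 0 if DOMAIN is an allowed apex or a subdomain
# of one and is not under an excluded entry; 1 otherwise.
in_scope() {
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  scope_file=$2
  # Reject anything that is not a plain hostname: wildcards, URLs, stray
  # characters, leading/trailing/double dots. A recon tool will happily
  # expand "*.example.org" into far more than you were authorised for.
  case "$domain" in
    *[!a-z0-9.-]*|.*|*.|*..*) return 1 ;;
  esac
  case "$domain" in
    *[a-z]*) ;;
    *) return 1 ;;   # no letter at all: an IP literal such as 10.0.0.1, not a domain
  esac
  allowed=1
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
    case "$entry" in
      ''|'#'*) continue ;;
      '!'*)
        ex=${entry#!}
        # an exclusion matches the entry itself or any host below it
        case "$domain" in
          "$ex"|*".$ex") return 1 ;;
        esac ;;
      *)
        # an inclusion needs an exact match or a ".apex" suffix; a bare suffix
        # match would let notexample.com through for the scope entry example.com
        case "$domain" in
          "$entry"|*".$entry") allowed=0 ;;
        esac ;;
    esac
  done < "$scope_file"
  return $allowed
}

# filter_targets CANDIDATES_FILE SCOPE_FILE -> in-scope hosts, lowercased and
# deduplicated, one per line (the file you then pass to -l).
filter_targets() {
  while IFS= read -r cand || [ -n "$cand" ]; do
    [ -n "$cand" ] || continue
    if in_scope "$cand" "$2"; then
      printf '%s\n' "$cand" | tr '[:upper:]' '[:lower:]'
    fi
  done < "$1" | sort -u
}

# reconftw_cmd TARGETS_FILE MODE OUTDIR -> print the invocation built from the
# flags in the usage section; refuse an empty vetted list so that a scope
# mistake fails loudly instead of silently scanning nothing.
reconftw_cmd() {
  [ -s "$1" ] || { echo "no in-scope targets in $1, refusing to run" >&2; return 1; }
  printf './reconftw.sh -l %s %s -o %s\n' "$1" "$2" "$3"
}

# Constructed sample data for this example (not real scope or targets).
write_sample_files() {
  printf '%s\n' '# authorised apex domains; "!" excludes a subtree' \
    'example.com' 'example.org' '!legacy.example.com' > "$1/scope.txt"
  printf '%s\n' 'www.example.com' 'API.example.com' 'legacy.example.com' \
    'app.legacy.example.com' 'example.com.evil.net' 'notexample.com' \
    '*.example.org' 'https://example.org' '10.0.0.1' 'mail.example.org' \
    > "$1/candidates.txt"
}

# demo -> run the filter over the constructed data and print the vetted list
demo() {
  dir=$(mktemp -d)
  write_sample_files "$dir"
  filter_targets "$dir/candidates.txt" "$dir/scope.txt" > "$dir/targets.txt"
  cat "$dir/targets.txt"
  # recon-only run (-r); swap in -a only once the list has been vetted
  reconftw_cmd "$dir/targets.txt" -r "$dir/out" >/dev/null
  rm -rf "$dir"
}

demo
```

Of the ten constructed candidates only www.example.com, api.example.com and mail.example.org survive: the two legacy hosts are cut by the exclusion, example.com.evil.net and notexample.com fail the ".apex" suffix rule, and the wildcard, the URL and the IP literal never reach the scope check. Exclusions are applied even when they appear after the matching inclusion in the file, which matters when a program's scope page lists exclusions last.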

Usage alongside other tools

This tool can be used together with others to improve its functionality and performance.

Axiom

The project's main site can be found here, and information about using it together with reconFTW is here.

According to the reconFTW wiki documentation:

Axiom is a framework that allows you to easily orchestrate one, or many cloud instances to distribute processing of a task or many tasks. In simple words, you can make/run multiple VPS (Virtual Private Servers) at once and then run a distributed scan. Thus, execution time is saved and the chances of an IP ban are reduced.

As reconFTW is a tool which actively hits the target and contains various modules which are time-consuming, there was a need for distributed scanning. Axiom does this work of equal distribution of tasks for us. Hence, we made reconFTW compatible with Axiom for all you lovely people.

Axiom already comes with several pre-installed/compatible tools. But to make reconFTW compatible we actively worked with the developers of Axiom and made several PRs to add all the tools which are used by reconFTW.

Now reconFTW runs much faster in terms of execution and returns better quality of results, ever since we made it Axiom compatible.

BBRF (Bug Bounty Reconnaissance Framework)

BBRF is a client-server application that can take in all the results produced by reconFTW and helps you manage the information gathered during the recon process across different bug bounty programs or pentests.

This is very interesting and cool, and in the near future I'll try it out and would like to post about it too.

If you want to read more about it, you can find a great article here.

If you want to go directly to the application, you can go to bbrf-server and bbrf-client.