reconFTW

A simple bash script for full recon

📔 Table of Contents

💿 Installation
- a) In your PC/VPS/VM
- b) Docker container 🐳 (2 options)
  - 1) From DockerHub
  - 2) From repository
⚙️ Config file
Usage
- Example Usage
Axiom Support ☁️
Sample video
🔥 Features 🔥
Mindmap/Workflow
Need help?
Support this project
Thanks 🙏

💿 Installation:

a) In your PC/VPS/VM

You can check out our wiki for the installation guide Installation Guide 📖

Requires Golang > 1.15.0+ installed and paths correctly set ($GOPATH, $GOROOT)

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw/
▶ ./install.sh
▶ ./reconftw.sh -d target.com -r

b) Docker container 🐳 (2 options)

1) From DockerHub

▶ docker pull six2dez/reconftw:main
▶ docker run -it six2dez/reconftw:main /bin/bash

# Exit the container and run these commands additionally if you want to gain persistence:

▶ docker start $(docker ps -a|grep six2dez/reconftw:main|cut -d' ' -f1)
▶ docker exec -it $(docker ps -a|grep six2dez/reconftw:main|cut -d' ' -f1) /bin/bash

# Now you can exit the container and run again this command without files loss:
▶ docker exec -it $(docker ps -a|grep six2dez/reconftw:main|cut -d' ' -f1) /bin/bash

2) From repository

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw/Docker
▶ docker build -t reconftw .
▶ docker run -it reconftw /bin/bash

⚙️ Config file:

A detailed explaintion of config file can be found here Configuration file 📖

Through reconftw.cfg file the whole execution of the tool can be controlled.
Hunters can set various scanning modes, execution preferences, tools, config files, APIs/TOKENS, personalized wordlists and much more.

👉 Click here to view default config file 👈

#################################################################
#			reconFTW config file			#
#################################################################

# TERM COLORS
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
yellow='\033[0;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
reset='\033[0m'

# General values
tools=~/Tools
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
profile_shell=".$(basename $(echo $SHELL))rc"
reconftw_version=$(git branch --show-current)-$(git describe --tags)
update_resolvers=true
proxy_url="http://127.0.0.1:8080/"
#dir_output=/custom/output/path

# Golang Vars (Comment or change on your own)
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH

# Tools config files
#NOTIFY_CONFIG=~/.config/notify/notify.conf # No need to define
#SUBFINDER_CONFIG=~/.config/subfinder/config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens

# APIs/TOKENS - Uncomment the lines you set removing the '#' at the beginning of the line
#SHODAN_API_KEY="XXXXXXXXXXXXX"
#XSS_SERVER="XXXXXXXXXXXXXXXXX"
#COLLAB_SERVER="XXXXXXXXXXXXXXXXX"
#findomain_virustotal_token="XXXXXXXXXXXXXXXXX"
#findomain_spyse_token="XXXXXXXXXXXXXXXXX"
#findomain_securitytrails_token="XXXXXXXXXXXXXXXXX"
#findomain_fb_token="XXXXXXXXXXXXXXXXX"
slack_channel="XXXXXXXX"
slack_auth="xoXX-XXX-XXX-XXX"

# File descriptors
DEBUG_STD="&>/dev/null"
DEBUG_ERROR="2>/dev/null"

# Osint
OSINT=true
GOOGLE_DORKS=true
GITHUB_DORKS=true
METADATA=true
EMAILS=true
DOMAIN_INFO=true

# Subdomains
SUBCRT=true
SUBBRUTE=true
SUBSCRAPING=true
SUBPERMUTE=true
SUBTAKEOVER=true
SUBRECURSIVE=true
ZONETRANSFER=true
S3BUCKETS=true

# Web detection
WEBPROBESIMPLE=true
WEBPROBEFULL=true
WEBSCREENSHOT=true
UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672"
# You can change to aquatone if gowitness fails, comment the one you don't want
AXIOM_SCREENSHOT_MODULE=gowitness
#AXIOM_SCREENSHOT_MODULE=aquatone

# Host
FAVICON=true
PORTSCANNER=true
PORTSCAN_PASSIVE=true
PORTSCAN_ACTIVE=true
CLOUD_IP=true

# Web analysis
WAF_DETECTION=true
NUCLEICHECK=true
URL_CHECK=true
URL_GF=true
URL_EXT=true
JSCHECKS=true
PARAMS=true
FUZZ=true
CMS_SCANNER=true
WORDLIST=true

# Vulns
XSS=true
CORS=true
TEST_SSL=true
OPEN_REDIRECT=true
SSRF_CHECKS=true
CRLF_CHECKS=true
LFI=true
SSTI=true
SQLI=true
BROKENLINKS=true
SPRAY=true
BYPASSER4XX=true

# Extra features
NOTIFICATION=false
DEEP=false
DIFF=false
REMOVETMP=false
PROXY=false
SENDZIPNOTIFY=false

# HTTP options
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"

# Threads
FFUF_THREADS=40
HTTPX_THREADS=50
HTTPX_UNCOMMONPORTS_THREADS=100
GOSPIDER_THREADS=50
GITDORKER_THREADS=5
BRUTESPRAY_THREADS=20
BRUTESPRAY_CONCURRENCE=10
ARJUN_THREADS=20
GAUPLUS_THREADS=10
DALFOX_THREADS=200
PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 is unlimited
PUREDNS_TRUSTED_LIMIT=400
DIRDAR_THREADS=200

# Timeouts
CMSSCAN_TIMEOUT=3600
FFUF_MAXTIME=900                # Seconds
HTTPX_TIMEOUT=15                # Seconds
HTTPX_UNCOMMONPORTS_TIMEOUT=10  # Seconds

# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
subs_wordlist_big=${tools}/subdomains_big.txt
resolvers=${tools}/resolvers.txt
resolvers_trusted=${tools}/resolvers_trusted.txt

# Axiom Fleet
# Will not start a new fleet if one exist w/ same name and size (or larger)
AXIOM_FLEET_LAUNCH=true
AXIOM_FLEET_NAME="reconFTW"
AXIOM_FLEET_COUNT=5
AXIOM_FLEET_REGIONS=""
AXIOM_FLEET_SHUTDOWN=true
# This is a script on your reconftw host that might prep things your way...
#AXIOM_POST_START="$HOME/bin/yourScript"

Usage:

Check out the wiki section to know which flag performs what all steps/attacks Usage Guide 📖

TARGET OPTIONS

Flag	Description
-d	Target domain (example.com)
-m	Multiple domain target (companyName)
-l	Target list (one per line)
-x	Exclude subdomains list (Out Of Scope)

MODE OPTIONS

Flag	Description
-r	Recon - Full recon process (without attacks like sqli,ssrf,xss,ssti,lfi etc.)
-s	Subdomains - Perform only subdomain enumeration, web probing, subdomain takeovers
-p	Passive - Perform only passive steps
-a	All - Perform whole recon and all active attacks
-w	Web - Just web checks on the list provided
-n	OSINT - Performs and OSINT scan, without subdomains
-h	Help - Show this help menu

GENERAL OPTIONS

Flag	Description
--deep	Deep scan (Enable some slow options for deeper scan, vps intended mode)
-o	Output directory

Example Usage:

To perform a full recon on single target

▶ ./reconftw.sh -d target.com -r

To perform a full recon on a list of targets

▶ ./reconftw.sh -l sites.txt -r -o /output/directory/

Perform all steps (whole recon + all attacks)

▶ ./reconftw.sh -d target.com -a

Perform full recon with more time intense tasks (VPS intended only)

▶ ./reconftw.sh -d target.com -r --deep -o /output/directory/

Perform recon in a multi domain target

▶ ./reconftw.sh -m company -l domains_list.txt -r

Show help section

▶ ./reconftw.sh -h

Axiom Support: ☁️

Check out the wiki section for more info Axiom Support

Using reconftw_axiom.sh script you can take advantage of running reconFTW with Axiom.
As reconFTW actively hits the target with a lot of web traffic, hence there was a need to move to Axiom distributing the work load among various instances leading to reduction of execution time.
Currently except the -a flag, all flags are supported when running with Axiom.

▶ ./reconftw_axiom.sh -d target.com -r

Sample video:

🔥 Features 🔥

Domain information parser (domainbigdata)
Emails addresses and users (theHarvester)
Password leaks (pwndb and H8mail)
Metadata finder (MetaFinder)
Google Dorks (degoogle_hunter)
Github Dorks (GitDorker)
Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls, github-subdomains, Anubis and mildew)
- Certificate transparency (ctfr, tls.bufferover and dns.bufferover))
- Bruteforce (puredns)
- Permutations (DNScewl)
- JS files & Source Code Scraping (gospider)
- CNAME Records (dnsx)
Nuclei Sub TKO templates (nuclei)
Web Prober (httpx and naabu)
Web screenshot (gowitness)
Web templates scanner (nuclei)
IP and subdomains WAF checker (cf-check and wafw00f)
Port Scanner (Active with nmap and passive with shodan-cli)
Url extraction (waybackurls, gauplus, gospider, github-endpoints)
Pattern Search (gf and gf-patterns)
Param discovery (paramspider and arjun)
XSS (dalfox)
Open redirect (Openredirex)
SSRF (headers asyncio_ssrf.py and param values with ffuf)
CRLF (crlfuzz)
Favicon Real IP (fav-up)
Javascript analysis (LinkFinder, scripts from JSFScan)
Fuzzing (ffuf)
Cors (Corsy)
LFI Checks (manual/ffuf)
SQLi Check (SQLMap)
SSTI (manual/ffuf)
CMS Scanner (CMSeeK)
SSL tests (testssl)
Multithread in some steps (Interlace)
Broken Links Checker (gospider)
S3 bucket finder (S3Scanner)
Password spraying (brutespray)
4xx bypasser (DirDar)
Custom resolvers generated list (dnsvalidator)
DNS Zone Transfer (dnsrecon)
Docker container included and DockerHub integration
Cloud providers check (ip2provider)
Resume the scan from last performed step
Custom output folder option
All in one installer/updater script compatible with most distros
Diff support for continuous running (cron mode)
Support for targets with multiple domains
RaspberryPi/ARM support
Send scan results zipped over Slack, Discord and Telegram
6 modes (recon, passive, subdomains, web, osint and all)
Out of Scope Support
Notification support for Slack, Discord and Telegram (notify)

Mindmap/Workflow

Data Keep

Follow these simple steps to end up having a private repository with your API Keys and /Recon data.

Create a private blank repository on Git(Hub|Lab) (Take into account size limits regarding Recon data upload)
Clone your project: git clone https://gitlab.com/example/reconftw-data
Get inside the cloned repository: cd reconftw-data
Create branch with an empty commit: git commit --allow-empty -m "Empty commit"
Add official repo as a new remote: git remote add upstream https://github.com/six2dez/reconftw (upstream is an example)
Update upstream's repo: git fetch upstream
Rebase current branch with the official one: git rebase upstream/main master

Main commands:

Upload changes to your personal repo: git add . && git commit -m "Data upload" && git push origin master
Update tool anytime: git fetch upstream && git rebase upstream/main master

How to contribute:

If you want to contribute to this project you can do it in multiple ways:

Submitting an issue because you have found a bug or you have any suggestion or request.
Making a Pull Request from dev branch because you want to improve the code or add something to the script.

anasbousselham / reconftw Goto Github PK

reconftw's Introduction