six2dez/reconftw

Simple script for full recon


repo name	six2dez/reconftw
repo link	https://github.com/six2dez/reconftw
homepage
language	Shell
size (curr.)	10633 kB
stars (curr.)	682
created	2020-12-30
license	GNU General Public License v3.0

:construction: Warning :construction:

This is a live development project, until the first stable release (1.0) it will be constantly updated in master branch, so if you have detected any bug, you can open an issue or ping me over Telegram or Twitter and I will try to do my best :)

Summary
Installation Instructions
Usage
Features
Mindmap
Improvement plan
Thanks

Summary

ReconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.

Installation Instructions:

Installation Guide :book:
Requires Golang > 1.14 installed and paths correctly set ($GOPATH,$GOROOT)

▶ git clone https://github.com/six2dez/reconftw
▶ cd reconftw
▶ chmod +x *.sh
▶ ./install.sh
▶ ./reconftw.sh -d target.com -a

It is highly recommended, and in some cases essential, to set your API keys or env variables:
- amass config file (~/.config/amass/config.ini)
- subfinder config file (~/.config/subfinder/config.yaml)
- GitHub tokens file (~/Tools/.github_tokens) Recommended > 5, see how to create here
- favup API (shodan init <SHODAN-API-KEY>)
- SSRF Server var (COLLAB_SERVER env var)
- Blind XSS Server var (XSS_SERVER env var)
- Notify config file (~/.config/notify/notify.conf)

Usage:

TARGET OPTIONS

Flag	Description
-d	Target domain (example.com)
-l	Target list (one per line)
-x	Exclude subdomains list (Out Of Scope)

MODE OPTIONS

Flag	Description
-a	Perform full recon
-s	Full subdomain scan (Subs, tko and probe)
-w	Perform web checks only without subs (-l required)
-i	Check whether tools required are present or not
-v	Verbose/Debug Mode
-h	Show help section

GENERAL OPTIONS

Flag	Description
–deep	Deep scan (Enable some slow options for deeper scan)
–fs	Full scope (Enable the widest scope * .domain. * options)
-o	Output directory

Running ReconFTW:

To perform a full recon on single target (may take a significant time)

▶ ./reconftw.sh -d example.com -a

To perfrom a full recon on a list of targets

▶ ./reconftw.sh -l sites.txt -a -o /output/directory/

Perform full recon with more intense tasks (VPS intended)

▶ ./reconftw.sh -d example.com -a --deep -o /output/directory/

Perform a wide scope recon on a target (may include false positives)

▶ ./reconftw.sh -d example.com -a --fs -o /output/directory/

Check whether all required tools are present or not

▶ ./reconftw.sh -i

Show help section

▶ ./reconftw.sh -h

:fire: Features :fire:

Google Dorks (degoogle_hunter)
Multiple subdomain enumeration techniques (passive, bruteforce, permutations and scraping)
- Passive (subfinder, assetfinder, amass, findomain, crobat, waybackurls)
- Certificate transparency (crtfinder and bufferover)
- Bruteforce (shuffledns)
- Permutations (dnsgen)
- Subdomain JS Scraping (JSFinder)
Sub TKO (subzy and nuclei)
Web Prober (httpx)
Web screenshot (webscreenshot)
Template scanner (nuclei)
Port Scanner (naabu)
Url extraction (waybackurls, gau, gospider, github-endpoints)
Pattern Search (gf and gf-patterns)
Param discovery (paramspider and arjun)
XSS (XSStrike)
Open redirect (Openredirex)
SSRF (asyncio_ssrf.py)
CRLF (crlfuzz)
Github (GitDorker)
Favicon Real IP (fav-up)
Javascript analysis (LinkFinder, scripts from JSFScan)
Fuzzing (ffuf)
Cors (Corsy)
SSL tests (testssl)
Multithread in some steps (Interlace)
Custom output folder (default under Recon/target.tld/)
Run standalone steps (subdomains, subtko, web, gdorks…)
Polished installer compatible with most distros
Verbose mode
Update tools script
Raspberry Pi support
Docker support
CMS Scanner (CMSeeK)
Out of Scope Support
LFI Checks
Notification support for Slack, Discord and Telegram (notify)