reconftw: automates the entire process of reconnaissance
reconFTW automates the entire process of reconnaissance for you. It performs subdomain enumeration along with various vulnerability checks and gathers as much information as possible about your target.
reconFTW uses a lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records…) for subdomain enumeration, which helps you get the maximum number of subdomains and the most interesting ones, so that you stay ahead of the competition.
It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, port scanning, screenshots and nuclei scans on your target.
Features
OSINT
- Domain information (whois and amass)
- Email addresses and password leaks (emailfinder and LeakSearch)
- Metadata finder (MetaFinder)
- API leaks search (porch-pirate and SwaggerSpy)
- Google Dorks (dorks_hunter)
- Github Dorks (gitdorks_go)
- GitHub org analysis (enumerepo, trufflehog and gitleaks)
- 3rd-party misconfigurations (misconfig-mapper)
- Spoofable domains (spoofcheck)
Subdomains
- Passive (amass, subfinder and github-subdomains)
- Certificate transparency (crt)
- NOERROR subdomain discovery (dnsx)
- Bruteforce (puredns)
- Permutations (Gotator, ripgen and regulator)
- JS files & Source Code Scraping (katana)
- DNS Records (dnsx)
- Google Analytics ID (AnalyticsRelationships)
- TLS handshake (tlsx)
- Recursive search (dsieve)
- Subdomain takeover (nuclei)
- DNS takeover (dnstake)
- DNS Zone Transfer (dig)
- Cloud checkers (S3Scanner and cloud_enum)
Hosts
- IP info (whoisxmlapi API)
- CDN checker (ipcdn)
- WAF checker (wafw00f)
- Port scanner (active with nmap and passive with smap)
- Port services vulnerability checks (vulners)
- Password spraying (brutespray)
- Geolocation info (ipapi.co)
Webs
- Web Prober (httpx)
- Web screenshotting (nuclei)
- Web templates scanner (nuclei and nuclei geeknik)
- CMS Scanner (CMSeeK)
- URL extraction (gau, waymore, katana, github-endpoints and JSA)
- URL pattern search and filtering (urless, gf and gf-patterns)
- Favicon Real IP (fav-up)
- JavaScript analysis (subjs, JSA, xnLinkFinder, getjswords, mantra, jsluice)
- Sourcemap JS extraction (sourcemapper)
- Fuzzing (ffuf)
- URL sorting by extension
- Wordlist generation
- Passwords dictionary creation (pydictor)
Vulnerability checks
- XSS (dalfox)
- Open redirect (Oralyzer)
- SSRF (headers interactsh and param values with ffuf)
- CRLF (crlfuzz)
- CORS (Corsy)
- LFI Checks (ffuf)
- SQLi Check (SQLMap and ghauri)
- SSTI (ffuf)
- SSL tests (testssl)
- Broken Links Checker (katana)
- Prototype Pollution (ppmap)
- Web Cache Vulnerabilities (Web-Cache-Vulnerability-Scanner)
- 4XX Bypasser (nomore403)
Extras
- Multithreading (Interlace)
- Custom resolvers generated list (dnsvalidator)
- Docker container included and DockerHub integration
- Ansible + Terraform deployment over AWS
- Allows IP/CIDR as target
- Resume the scan from last performed step
- Custom output folder option
- All in one installer/updater script compatible with most distros
- Diff support for continuous running (cron mode)
- Support for targets with multiple domains
- Raspberry Pi/ARM support
- 6 modes (recon, passive, subdomains, web, osint and all)
- Out of Scope Support + optional inscope support
- Notification system with Slack, Discord and Telegram (notify), with support for sending zipped results
Install & Use
Copyright (c) 2023 six2dez