# Table of Contents - [Reconnaissance Methodology Deep Dive | reconftw-docs](#reconnaissance-methodology-deep-dive-reconftw-docs) - [Subdomain Deep Dive | reconftw-docs](#subdomain-deep-dive-reconftw-docs) - [Modules Overview | reconftw-docs](#modules-overview-reconftw-docs) - [First 30 Minutes | reconftw-docs](#first-30-minutes-reconftw-docs) - [Introduction | reconftw-docs](#introduction-reconftw-docs) - [Installation & Setup | reconftw-docs](#installation-setup-reconftw-docs) - [Glossary | reconftw-docs](#glossary-reconftw-docs) - [FAQ | reconftw-docs](#faq-reconftw-docs) - [Subdomain Module | reconftw-docs](#subdomain-module-reconftw-docs) - [OSINT Module | reconftw-docs](#osint-module-reconftw-docs) - [Configuration Reference | reconftw-docs](#configuration-reference-reconftw-docs) - [Concepts & Architecture | reconftw-docs](#concepts-architecture-reconftw-docs) - [Command Line Guide | reconftw-docs](#command-line-guide-reconftw-docs) - [Axiom Integration | reconftw-docs](#axiom-integration-reconftw-docs) - [Vulnerability Module | reconftw-docs](#vulnerability-module-reconftw-docs) - [Web Analysis Module | reconftw-docs](#web-analysis-module-reconftw-docs) - [Output Interpretation | reconftw-docs](#output-interpretation-reconftw-docs) - [Integrated Tools | reconftw-docs](#integrated-tools-reconftw-docs) - [Host Module | reconftw-docs](#host-module-reconftw-docs) - [Faraday Integration | reconftw-docs](#faraday-integration-reconftw-docs) - [Deployment Guide | reconftw-docs](#deployment-guide-reconftw-docs) - [Advanced Usage | reconftw-docs](#advanced-usage-reconftw-docs) - [Performance Tuning | reconftw-docs](#performance-tuning-reconftw-docs) - [OPSEC & Legal | reconftw-docs](#opsec-legal-reconftw-docs) - [Data Model & I/O | reconftw-docs](#data-model-i-o-reconftw-docs) - [Case Studies | reconftw-docs](#case-studies-reconftw-docs) - [Troubleshooting | reconftw-docs](#troubleshooting-reconftw-docs) - [Modules Overview | reconftw-docs](#modules-overview-reconftw-docs) - [Introduction | reconftw-docs](#introduction-reconftw-docs) - [Installation & Setup | reconftw-docs](#installation-setup-reconftw-docs) - [Axiom Integration | reconftw-docs](#axiom-integration-reconftw-docs) - [Configuration Reference | reconftw-docs](#configuration-reference-reconftw-docs) - [Concepts & Architecture | reconftw-docs](#concepts-architecture-reconftw-docs) --- # Reconnaissance Methodology Deep Dive | reconftw-docs This guide explains the reasoning behind reconFTW's reconnaissance approach. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#why-this-order) Why This Order? ----------------------------------------------------------------------------------------------------------------- reconFTW executes modules in a specific sequence based on data dependencies and resource efficiency. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-1.-osint-first) 1\. OSINT First **Functions:** `google_dorks`, `github_dorks`, `metadata`, `emails`, `domain_info` **Why first:** * Zero target interaction (completely passive) * Provides context for later phases * May reveal additional scope (related domains, acquisitions) * Fast execution with no rate limiting concerns **What it reveals:** * Exposed files via search engines * Leaked credentials in code repositories * Document metadata (usernames, software versions) * Email patterns for social engineering * Domain registration history ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-2.-subdomain-enumeration-second) 2\. Subdomain Enumeration Second **Functions:** `sub_passive`, `sub_crt`, `sub_active`, `sub_brute`, `sub_permut` **Why second:** * Defines the attack surface * Required input for all subsequent phases * Passive sources first (no detection), active later **Data flow:** ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-3.-web-probing-third) 3\. Web Probing Third **Functions:** `webprobe_simple`, `webprobe_full` **Why third:** * Requires subdomain list as input * Identifies HTTP/HTTPS services * Filters to only web-accessible hosts **Output:** `webs/webs.txt` - URLs of live web services ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-4.-host-analysis-fourth) 4\. Host Analysis Fourth **Functions:** `portscan`, `cdnprovider`, `favicon`, `geo_info` **Why fourth:** * Operates on resolved IPs * Identifies services beyond HTTP * CDN detection affects later scanning decisions ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-5.-web-analysis-fifth) 5\. Web Analysis Fifth **Functions:** `urlchecks`, `jschecks`, `fuzz`, `cms_scanner` **Why fifth:** * Requires live web URLs * Discovers endpoints for vulnerability testing * JavaScript analysis reveals API endpoints ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-6.-vulnerability-scanning-last) 6\. Vulnerability Scanning Last **Functions:** `nuclei_check`, `xss`, `sqli`, `ssrf_checks` **Why last:** * Most intrusive phase * Requires discovered URLs and parameters * Generates alerts/logs on target systems * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#passive-vs-active) Passive vs Active ---------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#passive-reconnaissance) Passive Reconnaissance Operations that do NOT directly contact the target. Technique Data Source Detection Risk CT log queries crt.sh, Censys None DNS database queries SecurityTrails, VirusTotal None Search engine dorks Google, Bing None Code repository search GitHub, GitLab None WHOIS lookups WHOIS servers None **reconFTW passive mode:** `./reconftw.sh -d target.com -p` ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#active-reconnaissance) Active Reconnaissance Operations that directly interact with target systems. Technique Target Contact Detection Risk DNS resolution Target DNS servers Low HTTP probing Target web servers Medium Port scanning Target hosts High Directory fuzzing Target web servers High Vulnerability scanning Target applications High * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#the-checkpoint-system) The Checkpoint System ------------------------------------------------------------------------------------------------------------------------------ reconFTW tracks completed functions to enable resumption. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#how-it-works) How It Works Each function creates a marker file on completion: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#resume-behavior) Resume Behavior On subsequent runs: 1. Check if marker exists for function 2. If exists and `DIFF=false` → Skip function 3. If missing or `DIFF=true` → Execute function ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#clearing-checkpoints) Clearing Checkpoints * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#wildcard-handling) Wildcard Handling ---------------------------------------------------------------------------------------------------------------------- Wildcard DNS records return valid responses for any subdomain query. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#the-problem) The Problem Without filtering, bruteforce returns millions of false positives. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#standard-detection) Standard Detection Query random string, if resolves → wildcard exists at root level. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#deep-detection-deep_wildcard_filter) Deep Detection (DEEP\_WILDCARD\_FILTER) Enterprises use nested wildcards: Deep detection iteratively tests parent domains at all levels. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#rate-limiting-strategy) Rate Limiting Strategy -------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#why-rate-limit) Why Rate Limit? * Avoid overwhelming target infrastructure * Prevent IP blocks and WAF bans * Stay within API quotas * Reduce detection risk ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#configuration) Configuration ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#adaptive-rate-limiting) Adaptive Rate Limiting Automatically reduces rate on: * HTTP 429 (Too Many Requests) * HTTP 503 (Service Unavailable) * Connection timeouts * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#scope-management) Scope Management -------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#in-scope-filtering) In-Scope Filtering Enable: `INSCOPE=true` ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#out-of-scope-exclusion) Out-of-Scope Exclusion Usage: `./reconftw.sh -d example.com -r -x outofscope.txt` ### [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#sensitive-domain-exclusion) Sensitive Domain Exclusion Prevents scanning government, military, and critical infrastructure: Patterns defined in `config/sensitive_domains.txt`. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#output-organization) Output Organization -------------------------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/recon-methodology#tool-selection-rationale) Tool Selection Rationale ------------------------------------------------------------------------------------------------------------------------------------ reconFTW integrates specific tools for each task: Task Tool Why This Tool Passive subdomains subfinder 50+ sources, fast, maintained DNS resolution puredns + massdns Fastest resolver with wildcard filtering HTTP probing httpx Feature-rich, handles edge cases Screenshots webscreenshot Headless Chrome, reliable Port scanning nmap Industry standard, scriptable Fuzzing ffuf Fast, flexible, mature Vuln scanning nuclei Template-based, community templates Tools are selected based on: * Speed and reliability * Active maintenance * Community adoption * Output format compatibility [PreviousConcepts & Architecturechevron-left](https://docs.reconftw.com/understanding-reconftw/concepts) [NextCommand Line Guidechevron-right](https://docs.reconftw.com/usage/usage) Last updated 1 month ago * [Why This Order?](https://docs.reconftw.com/understanding-reconftw/recon-methodology#why-this-order) * [1\. OSINT First](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-1.-osint-first) * [2\. Subdomain Enumeration Second](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-2.-subdomain-enumeration-second) * [3\. Web Probing Third](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-3.-web-probing-third) * [4\. Host Analysis Fourth](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-4.-host-analysis-fourth) * [5\. Web Analysis Fifth](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-5.-web-analysis-fifth) * [6\. Vulnerability Scanning Last](https://docs.reconftw.com/understanding-reconftw/recon-methodology#id-6.-vulnerability-scanning-last) * [Passive vs Active](https://docs.reconftw.com/understanding-reconftw/recon-methodology#passive-vs-active) * [Passive Reconnaissance](https://docs.reconftw.com/understanding-reconftw/recon-methodology#passive-reconnaissance) * [Active Reconnaissance](https://docs.reconftw.com/understanding-reconftw/recon-methodology#active-reconnaissance) * [The Checkpoint System](https://docs.reconftw.com/understanding-reconftw/recon-methodology#the-checkpoint-system) * [How It Works](https://docs.reconftw.com/understanding-reconftw/recon-methodology#how-it-works) * [Resume Behavior](https://docs.reconftw.com/understanding-reconftw/recon-methodology#resume-behavior) * [Clearing Checkpoints](https://docs.reconftw.com/understanding-reconftw/recon-methodology#clearing-checkpoints) * [Wildcard Handling](https://docs.reconftw.com/understanding-reconftw/recon-methodology#wildcard-handling) * [The Problem](https://docs.reconftw.com/understanding-reconftw/recon-methodology#the-problem) * [Standard Detection](https://docs.reconftw.com/understanding-reconftw/recon-methodology#standard-detection) * [Deep Detection (DEEP\_WILDCARD\_FILTER)](https://docs.reconftw.com/understanding-reconftw/recon-methodology#deep-detection-deep_wildcard_filter) * [Rate Limiting Strategy](https://docs.reconftw.com/understanding-reconftw/recon-methodology#rate-limiting-strategy) * [Why Rate Limit?](https://docs.reconftw.com/understanding-reconftw/recon-methodology#why-rate-limit) * [Configuration](https://docs.reconftw.com/understanding-reconftw/recon-methodology#configuration) * [Adaptive Rate Limiting](https://docs.reconftw.com/understanding-reconftw/recon-methodology#adaptive-rate-limiting) * [Scope Management](https://docs.reconftw.com/understanding-reconftw/recon-methodology#scope-management) * [In-Scope Filtering](https://docs.reconftw.com/understanding-reconftw/recon-methodology#in-scope-filtering) * [Out-of-Scope Exclusion](https://docs.reconftw.com/understanding-reconftw/recon-methodology#out-of-scope-exclusion) * [Sensitive Domain Exclusion](https://docs.reconftw.com/understanding-reconftw/recon-methodology#sensitive-domain-exclusion) * [Output Organization](https://docs.reconftw.com/understanding-reconftw/recon-methodology#output-organization) * [Tool Selection Rationale](https://docs.reconftw.com/understanding-reconftw/recon-methodology#tool-selection-rationale) sun-brightdesktopmoon Copy Passive sources → Merge → Resolve → Filter wildcards → Active enum ↓ subdomains/subdomains.txt Copy Recon/target.com/.called_fn/ ├── .sub_passive # sub_passive() completed ├── .sub_crt # sub_crt() completed ├── .webprobe_simple # webprobe_simple() completed └── ... Copy # Re-run single function rm Recon/target.com/.called_fn/.sub_passive # Re-run all rm -rf Recon/target.com/.called_fn/ Copy *.example.com → 1.2.3.4 Query: randomstring.example.com Result: 1.2.3.4 (valid response) Copy *.api.example.com → 1.2.3.4 *.na45.salesforce.com → 5.6.7.8 Copy # Global rate limit ./reconftw.sh -d target.com -r -q 50 # 50 requests/second # Per-tool limits HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=150 FFUF_RATELIMIT=50 Copy ./reconftw.sh -d target.com -r --adaptive-rate Copy # inscope.txt *.example.com api.example.com staging.example.com Copy # outofscope.txt admin.example.com vpn.example.com *.internal.example.com Copy EXCLUDE_SENSITIVE=true Copy Recon/target.com/ ├── subdomains/ │ ├── subdomains.txt # All discovered subdomains │ ├── subdomains_new.txt # New since last run (incremental) │ └── wildcards_detected.txt ├── webs/ │ ├── webs.txt # Live web URLs │ └── webscreenshot/ # Screenshots ├── hosts/ │ ├── ips.txt # Resolved IPs │ └── portscan/ # Nmap results ├── osint/ │ ├── emails.txt │ └── github_dorks.txt ├── vulns/ │ ├── nuclei_output/ │ └── xss.txt ├── .tmp/ # Temporary files ├── .log/ # Execution logs └── .called_fn/ # Checkpoint markers sun-brightdesktopmoon --- # Subdomain Deep Dive | reconftw-docs This guide explains the technical foundations behind each subdomain enumeration technique used in reconFTW. * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#execution-pipeline) Execution Pipeline ------------------------------------------------------------------------------------------------------------ reconFTW executes subdomain enumeration in a specific order based on data dependencies: Copy Phase 1: Passive Sources (no target contact) ├── sub_passive → API queries (subfinder, github-subdomains) └── sub_crt → Certificate Transparency logs Phase 2: DNS Resolution (validates passive results) ├── sub_active → Resolve collected subdomains with puredns ├── sub_noerror → DNSSEC NOERROR response analysis └── sub_dns → DNS record extraction Phase 3: Post-Resolution Analysis (requires resolved subdomains) ├── sub_tls → TLS certificate extraction from live hosts └── sub_analytics → Google Analytics ID correlation Phase 4: Bruteforce (resource intensive) ├── sub_brute → DNS bruteforce with wordlists ├── sub_permut → Permutation generation (gotator/ripgen) ├── sub_regex_permut → Regex-based pattern permutations └── sub_ia_permut → AI-powered permutation generation Phase 5: Recursive (multiplies work) ├── sub_recursive_passive → Passive enum on discovered subdomains ├── sub_recursive_brute → Bruteforce on discovered subdomains └── sub_scraping → Web scraping for subdomain extraction * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#passive-techniques) Passive Techniques ------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_passive) sub\_passive Queries multiple APIs and databases that aggregate DNS data globally. **Tools used:** * `subfinder` - Queries 50+ passive sources * `github-subdomains` - Searches GitHub code for subdomains * `gitlab-subdomains` - Searches GitLab code for subdomains **Data sources include:** * SecurityTrails, VirusTotal, AlienVault OTX * Shodan, Censys, BinaryEdge * Wayback Machine, Common Crawl * DNS aggregators (DNSDB, PassiveTotal) **Why multiple sources:** Each source has different coverage. A subdomain may appear in VirusTotal but not SecurityTrails. Combining sources maximizes discovery. ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_crt) sub\_crt Queries Certificate Transparency (CT) logs via crt.sh API. **How CT works:** * Certificate Authorities must log every issued certificate to public logs * Logs are append-only and publicly queryable * Certificates contain Subject Alternative Names (SANs) listing all domains **What it reveals:** * Internal subdomains (admins often request certs for internal tools) * Wildcard certificate patterns * Historical infrastructure (old certificates remain in logs) **Time fencing (**`**DNS_TIME_FENCE_DAYS**`**):** CT logs contain years of historical data. Time fencing filters results to recent certificates, reducing dead subdomain noise. **Implementation:** * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#active-dns-resolution) Active DNS Resolution ------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_active) sub\_active Resolves all collected subdomains to filter non-existent ones. **Tool used:** `puredns` with massdns backend **Process:** 1. Combine all passive results into single file 2. Resolve against trusted resolvers 3. Filter wildcards using random probe technique 4. Output only subdomains that resolve **Wildcard handling:** **Why wildcard detection matters:** A wildcard DNS record (`*.example.com`) returns a valid response for ANY subdomain. Without filtering, you get thousands of false positives. ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_noerror) sub\_noerror Exploits DNSSEC NOERROR responses to enumerate subdomains. **Technical background:** * Normal DNS returns NXDOMAIN for non-existent domains * Some DNSSEC-signed zones return NOERROR instead (black lies technique) * This allows enumeration via response code analysis **When useful:** * Targets with DNSSEC-signed zones * Can find subdomains not in any passive source ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_dns) sub\_dns Extracts additional information from DNS records. **Records analyzed:** * A/AAAA → IP addresses * CNAME → Alias targets (potential takeover) * MX → Mail servers * TXT → SPF, DKIM, verification records * NS → Nameservers * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#post-resolution-techniques) Post-Resolution Techniques ---------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_tls) sub\_tls Connects to discovered hosts and extracts TLS certificate SANs. **Tool used:** `tlsx` **Ports checked:** **What it finds:** * Additional domains sharing the same certificate * Internal names in SAN fields * Related infrastructure **Why run after resolution:** Requires IP addresses from resolved subdomains. Must run after `sub_active`. ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_analytics) sub\_analytics Finds domains sharing the same Google Analytics or Tag Manager ID. **Tool used:** `AnalyticsRelationships` **How it works:** 1. Extract analytics IDs from resolved web pages 2. Query databases for other domains with same ID 3. Related domains likely owned by same organization **Why run after resolution:** Requires web-accessible hosts to extract analytics IDs. * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#bruteforce-techniques) Bruteforce Techniques ------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_brute) sub\_brute DNS bruteforce using wordlists. **Tool used:** `puredns` with optimized wordlists **Wordlist strategy:** * Default: `~100K` common subdomain names * DEEP mode: `~1M+` extended wordlist **When useful:** * New subdomains not yet indexed by passive sources * Internal naming conventions (dev, staging, prod) * Non-web services without certificates ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_permut) sub\_permut Generates permutations based on discovered subdomains. **Tool used:** `gotator` or `ripgen` **Example:** **Configuration:** ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_regex_permut) sub\_regex\_permut Uses regex pattern learning to generate permutations. **Tool used:** `regulator` **How it works:** 1. Analyze discovered subdomain patterns 2. Learn regex rules from patterns 3. Generate new candidates matching rules ### [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_ia_permut) sub\_ia\_permut AI-powered permutation generation. **Tool used:** `subwiz` **Approach:** Uses machine learning models trained on subdomain patterns to generate likely candidates. * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#deep-wildcard-detection) Deep Wildcard Detection ---------------------------------------------------------------------------------------------------------------------- Standard wildcard detection only checks the root level (`*.example.com`). Enterprise environments often have nested wildcards. **Problem example:** **How** `**deep_wildcard_filter()**` **works:** **Implementation details:** * Maximum 5 iterations * Uses `dnsx` with trusted resolvers * Random probe: 12-character alphanumeric string * Results saved to `subdomains/wildcards_detected.txt` * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#sensitive-domain-exclusion) Sensitive Domain Exclusion ---------------------------------------------------------------------------------------------------------------------------- The `_is_sensitive_domain()` function checks domains against patterns in `config/sensitive_domains.txt`. **Pattern format:** **Matching logic:** **Use case:** When scanning wildcard scopes, prevents enumeration of government or military subdomains that may be part of the target's acquired assets. * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#output-files) Output Files ------------------------------------------------------------------------------------------------ File Description `subdomains/subdomains.txt` Final deduplicated subdomain list `subdomains/subdomains_new.txt` New subdomains since last run (incremental) `subdomains/wildcards_detected.txt` Detected wildcard parent domains `.tmp/passive_subs.txt` Raw passive enumeration results `.tmp/crtsh_subs.txt` Certificate transparency results `.tmp/subs_no_resolved.txt` Subdomains before resolution * * * [hashtag](https://docs.reconftw.com/modules/subdomains-deep-dive#performance-considerations) Performance Considerations ---------------------------------------------------------------------------------------------------------------------------- Technique Speed Resource Usage When to Disable sub\_passive Fast Low (API calls) Never sub\_crt Fast Low Never sub\_active Medium Medium Never sub\_brute Slow High Large targets sub\_permut Slow High Large targets sub\_recursive\_\* Very slow Very high Most scans DEEP\_WILDCARD\_FILTER Medium Medium Small targets **Parallel mode (**`**--parallel**`**):** Runs independent functions concurrently. Phases maintain dependencies: 1. Passive functions run in parallel 2. Wait for passive to complete 3. Active functions run in parallel 4. Post-active functions run after resolution 5. Bruteforce runs with limited parallelism (resource intensive) [PreviousSubdomain Modulechevron-left](https://docs.reconftw.com/modules/subdomains) [NextWeb Analysis Modulechevron-right](https://docs.reconftw.com/modules/web-analysis) Last updated 1 month ago * [Execution Pipeline](https://docs.reconftw.com/modules/subdomains-deep-dive#execution-pipeline) * [Passive Techniques](https://docs.reconftw.com/modules/subdomains-deep-dive#passive-techniques) * [sub\_passive](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_passive) * [sub\_crt](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_crt) * [Active DNS Resolution](https://docs.reconftw.com/modules/subdomains-deep-dive#active-dns-resolution) * [sub\_active](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_active) * [sub\_noerror](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_noerror) * [sub\_dns](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_dns) * [Post-Resolution Techniques](https://docs.reconftw.com/modules/subdomains-deep-dive#post-resolution-techniques) * [sub\_tls](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_tls) * [sub\_analytics](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_analytics) * [Bruteforce Techniques](https://docs.reconftw.com/modules/subdomains-deep-dive#bruteforce-techniques) * [sub\_brute](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_brute) * [sub\_permut](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_permut) * [sub\_regex\_permut](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_regex_permut) * [sub\_ia\_permut](https://docs.reconftw.com/modules/subdomains-deep-dive#sub_ia_permut) * [Deep Wildcard Detection](https://docs.reconftw.com/modules/subdomains-deep-dive#deep-wildcard-detection) * [Sensitive Domain Exclusion](https://docs.reconftw.com/modules/subdomains-deep-dive#sensitive-domain-exclusion) * [Output Files](https://docs.reconftw.com/modules/subdomains-deep-dive#output-files) * [Performance Considerations](https://docs.reconftw.com/modules/subdomains-deep-dive#performance-considerations) sun-brightdesktopmoon Copy # Filter to last 90 days DNS_TIME_FENCE_DAYS=90 Copy crt -s -json -l "${CTR_LIMIT}" "$domain" \ | jq -r --arg cutoff "$cutoff_date" \ '[.[] | select(.not_before >= $cutoff)] | .[].subdomain' Copy puredns resolve input.txt \ --wildcard-tests 30 \ --wildcard-batch 1500000 \ -r "$resolvers_trusted" Copy TLS_PORTS="21,22,25,80,110,135,143,261,443,465,563,587,636,853,990,993,995,..." Copy Found: api-v1.example.com Generates: - api-v2.example.com - api-v3.example.com - api-dev.example.com - api-staging.example.com - api-prod.example.com Copy PERMUTATIONS_OPTION=gotator # Deeper but slower PERMUTATIONS_OPTION=ripgen # Faster but less thorough Copy *.na45.salesforce.com → All subdomains under na45 resolve *.api.prod.example.com → All API subdomains in prod resolve Copy Iteration 1: Input: a.b.c.example.com, x.b.c.example.com, y.c.example.com Test: random123.b.c.example.com Result: Resolves → b.c.example.com is wildcard Filter: Remove all *.b.c.example.com Iteration 2: Input: y.c.example.com Test: random456.c.example.com Result: Does not resolve → c.example.com is not wildcard Filter: Keep y.c.example.com Final: y.c.example.com Copy *.gov → Matches any .gov domain *.gov.* → Matches any .gov.XX domain *.mil → Matches military domains *.edu → Matches educational domains Copy # Wildcard pattern (*.gov) if [[ "$domain" == *".$suffix" ]] || [[ "$domain" == "$suffix" ]]; then return 0 # Is sensitive fi sun-brightdesktopmoon --- # Modules Overview | reconftw-docs reconFTW is organized into specialized modules, each handling a specific phase of reconnaissance. This page provides an overview and quick navigation to each module's detailed documentation. * * * [hashtag](https://docs.reconftw.com/modules/05-modules#module-architecture) Module Architecture ---------------------------------------------------------------------------------------------------- Copy ┌─────────────────────────────────────────────────────────────────────┐ │ reconFTW Module System │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ │ │ │ Target │ │ │ │ Input │ │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Intelligence gathering │ │ │ OSINT │────▶ Dorks, emails, metadata, leaks │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Asset discovery │ │ │ Subdomains │────▶ Passive, brute, permutations, takeover │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Infrastructure analysis │ │ │ Hosts │────▶ Ports, CDN, WAF, geolocation │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Web application analysis │ │ │ Web Analysis │────▶ Probing, screenshots, JS, fuzzing │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Security testing │ │ │Vulnerabilities│───▶ Nuclei, XSS, SQLi, SSRF, etc. │ │ └──────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ * * * [hashtag](https://docs.reconftw.com/modules/05-modules#module-summary) Module Summary ------------------------------------------------------------------------------------------ Module Functions Primary Tools Output Directory [OSINT](https://docs.reconftw.com/modules/osint) 12 theHarvester, gitdorker, trufflehog `osint/` [Subdomains](https://docs.reconftw.com/modules/subdomains) 17 subfinder, amass, puredns, dnsx `subdomains/` [Hosts](https://docs.reconftw.com/modules/hosts) 6 nmap, smap, cdncheck, wafw00f `hosts/` [Web Analysis](https://docs.reconftw.com/modules/web-analysis) 17 httpx, katana, ffuf, gowitness `webs/`, `fuzzing/`, `js/` [Vulnerabilities](https://docs.reconftw.com/modules/vulnerabilities) 18 nuclei, dalfox, sqlmap, ssrf-sheriff `vulns/` * * * [hashtag](https://docs.reconftw.com/modules/05-modules#osint-module) OSINT Module -------------------------------------------------------------------------------------- **Purpose:** Gather intelligence about the target organization without direct interaction. **Key Capabilities:** * Google dorking for sensitive files * GitHub secret scanning * Email harvesting * Document metadata extraction * Cloud storage enumeration * API leak detection **When to use:** At the beginning of an engagement for initial intelligence gathering. ➡️ [**Full OSINT Documentation**](https://docs.reconftw.com/modules/osint) * * * [hashtag](https://docs.reconftw.com/modules/05-modules#subdomains-module) Subdomains Module ------------------------------------------------------------------------------------------------ **Purpose:** Discover all subdomains associated with the target domain. **Key Capabilities:** * Passive enumeration (40+ sources) * Certificate Transparency logs * DNS brute-forcing * Permutation generation * Recursive enumeration * Subdomain takeover detection **When to use:** After OSINT, to map the attack surface. ➡️ [**Full Subdomains Documentation**](https://docs.reconftw.com/modules/subdomains) * * * [hashtag](https://docs.reconftw.com/modules/05-modules#hosts-module) Hosts Module -------------------------------------------------------------------------------------- **Purpose:** Analyze infrastructure behind discovered assets. **Key Capabilities:** * Port scanning (passive + active) * CDN detection and filtering * WAF identification * IP geolocation * Favicon-based IP discovery **When to use:** After subdomain enumeration, to understand infrastructure. ➡️ [**Full Hosts Documentation**](https://docs.reconftw.com/modules/hosts) * * * [hashtag](https://docs.reconftw.com/modules/05-modules#web-analysis-module) Web Analysis Module ---------------------------------------------------------------------------------------------------- **Purpose:** Analyze web applications and discover endpoints. **Key Capabilities:** * HTTP probing and status detection * Screenshot capture * URL extraction from archives * JavaScript analysis for secrets * Directory/file fuzzing * Technology detection **When to use:** After identifying live web servers. ➡️ [**Full Web Analysis Documentation**](https://docs.reconftw.com/modules/web-analysis) * * * [hashtag](https://docs.reconftw.com/modules/05-modules#vulnerabilities-module) Vulnerabilities Module ---------------------------------------------------------------------------------------------------------- **Purpose:** Identify security vulnerabilities in discovered assets. **Key Capabilities:** * Template-based scanning (Nuclei) * XSS testing * SQL injection detection * SSRF testing * CORS misconfiguration * SSL/TLS analysis * And many more... **When to use:** Final phase, after mapping all assets. ➡️ [**Full Vulnerabilities Documentation**](https://docs.reconftw.com/modules/vulnerabilities) * * * [hashtag](https://docs.reconftw.com/modules/05-modules#module-execution-order) Module Execution Order ---------------------------------------------------------------------------------------------------------- In a full scan (`-a` flag), modules execute in this order: Each module builds on the previous one's output, creating a full reconnaissance pipeline. * * * [hashtag](https://docs.reconftw.com/modules/05-modules#enabling-disabling-modules) Enabling/Disabling Modules ------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/05-modules#via-configuration) Via Configuration ### [hashtag](https://docs.reconftw.com/modules/05-modules#via-command-line) Via Command Line * * * [hashtag](https://docs.reconftw.com/modules/05-modules#module-dependencies) Module Dependencies ---------------------------------------------------------------------------------------------------- Some modules depend on outputs from others: * * * [hashtag](https://docs.reconftw.com/modules/05-modules#next-steps) Next Steps ---------------------------------------------------------------------------------- Choose a module to explore in detail: * [**OSINT Module**](https://docs.reconftw.com/modules/osint) - Start with intelligence gathering * [**Subdomains Module**](https://docs.reconftw.com/modules/subdomains) - Discover your attack surface * [**Hosts Module**](https://docs.reconftw.com/modules/hosts) - Understand the infrastructure * [**Web Analysis Module**](https://docs.reconftw.com/modules/web-analysis) - Map web applications * [**Vulnerabilities Module**](https://docs.reconftw.com/modules/vulnerabilities) - Find security issues [PreviousConfiguration Referencechevron-left](https://docs.reconftw.com/configuration/configuration) [NextOSINT Modulechevron-right](https://docs.reconftw.com/modules/osint) Last updated 1 month ago * [Module Architecture](https://docs.reconftw.com/modules/05-modules#module-architecture) * [Module Summary](https://docs.reconftw.com/modules/05-modules#module-summary) * [OSINT Module](https://docs.reconftw.com/modules/05-modules#osint-module) * [Subdomains Module](https://docs.reconftw.com/modules/05-modules#subdomains-module) * [Hosts Module](https://docs.reconftw.com/modules/05-modules#hosts-module) * [Web Analysis Module](https://docs.reconftw.com/modules/05-modules#web-analysis-module) * [Vulnerabilities Module](https://docs.reconftw.com/modules/05-modules#vulnerabilities-module) * [Module Execution Order](https://docs.reconftw.com/modules/05-modules#module-execution-order) * [Enabling/Disabling Modules](https://docs.reconftw.com/modules/05-modules#enabling-disabling-modules) * [Via Configuration](https://docs.reconftw.com/modules/05-modules#via-configuration) * [Via Command Line](https://docs.reconftw.com/modules/05-modules#via-command-line) * [Module Dependencies](https://docs.reconftw.com/modules/05-modules#module-dependencies) * [Next Steps](https://docs.reconftw.com/modules/05-modules#next-steps) sun-brightdesktopmoon Copy 1. OSINT → Intelligence gathering 2. Subdomains → Asset discovery 3. Hosts → Infrastructure analysis 4. Web Analysis → Application mapping 5. Vulnerabilities → Security testing Copy # In reconftw.cfg OSINT=true SUBDOMAINS_GENERAL=true PORTSCANNER=true WEBPROBESIMPLE=true WEBPROBEFULL=true NUCLEICHECK=true # Use VULNS_GENERAL=true if you want to enable the full vulnerability module by config Copy # Run only specific modules ./reconftw.sh -d example.com -s # Subdomains only ./reconftw.sh -d example.com -n # OSINT only ./reconftw.sh -d example.com -w # Web analysis only # Custom function selection ./reconftw.sh -d example.com -c sub_passive ./reconftw.sh -d example.com -c webprobe_simple Copy OSINT ─────────────────────────────────────┐ │ Subdomains ───────┬────────────────────────┤ │ │ ▼ │ Hosts ───────────────────────┤ │ │ ▼ │ Web Analysis ───────────────────┤ │ │ ▼ │ Vulnerabilities ◄────────────────┘ sun-brightdesktopmoon --- # First 30 Minutes | reconftw-docs Get from zero to your first scan results in 30 minutes or less. * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#minute-0-5-install) Minute 0-5: Install --------------------------------------------------------------------------------------------------------- Copy # Clone and install git clone https://github.com/six2dez/reconftw.git cd reconftw ./install.sh ☕ **While it installs (~15-20 min):** Read the next sections. * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#minute-5-10-understand-what-youre-running) Minute 5-10: Understand What You're Running -------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#reconftw-in-one-sentence) reconFTW in One Sentence > reconFTW finds subdomains, probes them, and scans for vulnerabilities—automatically. ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#available-scan-modes) Available Scan Modes reconFTW offers multiple modes for different use cases: Mode Flag Description Activity Level **Passive** `-p` No direct contact with target, uses only public sources None **Subdomains** `-s` Subdomain enumeration only Low-Medium **OSINT** `-n` OSINT gathering only Low **Web** `-w` Web analysis on known subdomains Medium **Recon** `-r` **Default/recommended.** Full recon + light vuln scan (nuclei on webs) Medium-High **All** `-a` Full recon + aggressive vulnerability scanning **Very High** > ⚠️ **Important:** Even `-r` mode performs active scanning (DNS queries, HTTP requests, port scans). Always ensure you have authorization. ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#about-the-a-all-mode) About the `-a` (All) Mode > 🔴 **WARNING:** The `-a` flag runs aggressive vulnerability testing including SQLi payloads, fuzzing, and multiple scanner tools. This generates significant traffic and may trigger security alerts. Only use when you have **explicit written authorization** for penetration testing. ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#quick-decision-tree) Quick Decision Tree * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#minute-10-15-configure-api-keys-optional-but-recommended) Minute 10-15: Configure API Keys (Optional but Recommended) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- API keys improve results by adding more data sources. Set up at least these 3: ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#id-1.-shodan-free-tier-available) 1\. Shodan (Free tier available) ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#id-2.-github-token-free) 2\. GitHub Token (Free) ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#id-3.-securitytrails-free-tier) 3\. SecurityTrails (Free tier) **No keys?** reconFTW still works, just with fewer data sources. * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#minute-15-20-verify-installation) Minute 15-20: Verify Installation ------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#common-issues) Common Issues Problem Fix `go: command not found` `source ~/.bashrc` or restart terminal Tool shows ✗ Run `./install.sh` again Permission denied `chmod +x reconftw.sh` * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#minute-20-25-run-your-first-scan) Minute 20-25: Run Your First Scan ------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#option-a-safe-passive-scan-recommended-first) Option A: Safe Passive Scan (Recommended First) This: * ✅ No direct contact with target * ✅ Uses only public data sources * ✅ Fast (~15 minutes) * ✅ Safe for any authorized target ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#option-b-quick-subdomain-discovery) Option B: Quick Subdomain Discovery This: * ⚠️ Makes DNS queries (minimal noise) * ✅ Finds subdomains only * ✅ ~30 minutes ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#whats-happening) What's Happening? * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#minute-25-30-check-your-results) Minute 25-30: Check Your Results ----------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#where-are-results) Where Are Results? ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#quick-results-check) Quick Results Check * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#whats-next) What's Next? ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#if-passive-scan-looks-good-run-full-recon) If Passive Scan Looks Good → Run Full Recon ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#if-you-need-vulnerabilities-run-all) If You Need Vulnerabilities → Run All ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#if-scan-was-interrupted-just-resume) If Scan Was Interrupted → Just Resume * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#quick-reference-card) Quick Reference Card ------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#essential-commands) Essential Commands ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#essential-locations) Essential Locations What Where Results `Recon//` Config `reconftw.cfg` API Keys `secrets.cfg` Logs `Recon//.log/` ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#getting-help) Getting Help * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#common-first-timer-questions) Common First-Timer Questions ---------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#its-taking-forever) "It's taking forever" Normal! Full scans take 1-8 hours. Use `-p` for quick results. ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#i-got-rate-limited) "I got rate limited" Add to `reconftw.cfg`: ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#results-are-empty) "Results are empty" 1. Check target exists: `dig target.com` 2. Check API keys are set 3. Look at logs: `cat Recon/target.com/.log/*.log` ### [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#can-i-stop-and-resume) "Can I stop and resume?" Yes! Just Ctrl+C to stop, run same command to resume. * * * [hashtag](https://docs.reconftw.com/welcome/first-30-minutes#youre-ready) 🎉 You're Ready! ----------------------------------------------------------------------------------------------- You now know enough to: * check Run passive reconnaissance * check Find subdomains * check Check results * check Resume interrupted scans **Next steps:** * [**Full Usage Guide**](https://docs.reconftw.com/usage/usage) - All flags explained * [**Configuration**](https://docs.reconftw.com/configuration/configuration) - Customize behavior * [**OPSEC & Legal**](https://docs.reconftw.com/guides/opsec-legal) - Stay safe and legal [PreviousIntroductionchevron-left](https://docs.reconftw.com/) [NextFAQchevron-right](https://docs.reconftw.com/welcome/faq) Last updated 1 month ago * [Minute 0-5: Install](https://docs.reconftw.com/welcome/first-30-minutes#minute-0-5-install) * [Minute 5-10: Understand What You're Running](https://docs.reconftw.com/welcome/first-30-minutes#minute-5-10-understand-what-youre-running) * [reconFTW in One Sentence](https://docs.reconftw.com/welcome/first-30-minutes#reconftw-in-one-sentence) * [Available Scan Modes](https://docs.reconftw.com/welcome/first-30-minutes#available-scan-modes) * [About the -a (All) Mode](https://docs.reconftw.com/welcome/first-30-minutes#about-the-a-all-mode) * [Quick Decision Tree](https://docs.reconftw.com/welcome/first-30-minutes#quick-decision-tree) * [Minute 10-15: Configure API Keys (Optional but Recommended)](https://docs.reconftw.com/welcome/first-30-minutes#minute-10-15-configure-api-keys-optional-but-recommended) * [1\. Shodan (Free tier available)](https://docs.reconftw.com/welcome/first-30-minutes#id-1.-shodan-free-tier-available) * [2\. GitHub Token (Free)](https://docs.reconftw.com/welcome/first-30-minutes#id-2.-github-token-free) * [3\. SecurityTrails (Free tier)](https://docs.reconftw.com/welcome/first-30-minutes#id-3.-securitytrails-free-tier) * [Minute 15-20: Verify Installation](https://docs.reconftw.com/welcome/first-30-minutes#minute-15-20-verify-installation) * [Common Issues](https://docs.reconftw.com/welcome/first-30-minutes#common-issues) * [Minute 20-25: Run Your First Scan](https://docs.reconftw.com/welcome/first-30-minutes#minute-20-25-run-your-first-scan) * [Option A: Safe Passive Scan (Recommended First)](https://docs.reconftw.com/welcome/first-30-minutes#option-a-safe-passive-scan-recommended-first) * [Option B: Quick Subdomain Discovery](https://docs.reconftw.com/welcome/first-30-minutes#option-b-quick-subdomain-discovery) * [What's Happening?](https://docs.reconftw.com/welcome/first-30-minutes#whats-happening) * [Minute 25-30: Check Your Results](https://docs.reconftw.com/welcome/first-30-minutes#minute-25-30-check-your-results) * [Where Are Results?](https://docs.reconftw.com/welcome/first-30-minutes#where-are-results) * [Quick Results Check](https://docs.reconftw.com/welcome/first-30-minutes#quick-results-check) * [What's Next?](https://docs.reconftw.com/welcome/first-30-minutes#whats-next) * [If Passive Scan Looks Good → Run Full Recon](https://docs.reconftw.com/welcome/first-30-minutes#if-passive-scan-looks-good-run-full-recon) * [If You Need Vulnerabilities → Run All](https://docs.reconftw.com/welcome/first-30-minutes#if-you-need-vulnerabilities-run-all) * [If Scan Was Interrupted → Just Resume](https://docs.reconftw.com/welcome/first-30-minutes#if-scan-was-interrupted-just-resume) * [Quick Reference Card](https://docs.reconftw.com/welcome/first-30-minutes#quick-reference-card) * [Essential Commands](https://docs.reconftw.com/welcome/first-30-minutes#essential-commands) * [Essential Locations](https://docs.reconftw.com/welcome/first-30-minutes#essential-locations) * [Getting Help](https://docs.reconftw.com/welcome/first-30-minutes#getting-help) * [Common First-Timer Questions](https://docs.reconftw.com/welcome/first-30-minutes#common-first-timer-questions) * ["It's taking forever"](https://docs.reconftw.com/welcome/first-30-minutes#its-taking-forever) * ["I got rate limited"](https://docs.reconftw.com/welcome/first-30-minutes#i-got-rate-limited) * ["Results are empty"](https://docs.reconftw.com/welcome/first-30-minutes#results-are-empty) * ["Can I stop and resume?"](https://docs.reconftw.com/welcome/first-30-minutes#can-i-stop-and-resume) * [🎉 You're Ready!](https://docs.reconftw.com/welcome/first-30-minutes#youre-ready) sun-brightdesktopmoon Copy Do I have written authorization for this target? ├── No → STOP. Get permission first. └── Yes ├── First time? → Start with -p (passive) ├── Need subdomains only? → Use -s ├── Standard recon? → Use -r (recommended) └── Full pentest scope? → Use -a (read warning above) Copy # Get key: https://shodan.io → Account → API Key echo 'SHODAN_API_KEY="your_key"' >> secrets.cfg Copy # Get token: GitHub → Settings → Developer settings → Personal access tokens echo 'GITHUB_TOKEN="your_token"' >> secrets.cfg Copy # Get key: https://securitytrails.com/app/api # Add to ~/.config/subfinder/provider-config.yaml Copy # Check all tools installed ./reconftw.sh --check-tools # You should see green checkmarks ✓ # Red X means a tool failed - usually fixed by running install.sh again Copy ./reconftw.sh -d example.com -p Copy ./reconftw.sh -d example.com -s Copy [sub_passive] Running: Subdomain enumeration... → Querying 40+ data sources → Certificate Transparency logs → DNS brute-forcing (if -s or -r) [webprobe_simple] Running: Web probing... → Checking which subdomains are alive → Detecting technologies Copy ls Recon/example.com/ Copy Recon/example.com/ ├── subdomains/ │ └── subdomains.txt ← All found subdomains ├── webs/ │ └── webs.txt ← Live web servers ├── osint/ │ └── emails.txt ← Found email addresses └── .log/ └── reconftw.log ← Execution log Copy # How many subdomains? wc -l Recon/example.com/subdomains/subdomains.txt # What's alive? cat Recon/example.com/webs/webs.txt # Any interesting findings? cat Recon/example.com/osint/*.txt Copy ./reconftw.sh -d example.com -r Copy ./reconftw.sh -d example.com -a Copy # Run the same command again - it continues from where it stopped ./reconftw.sh -d example.com -r Copy # Passive (safe, fast) ./reconftw.sh -d target.com -p # Recon (full discovery) ./reconftw.sh -d target.com -r # All (recon + vulns) ./reconftw.sh -d target.com -a # Multiple targets ./reconftw.sh -l targets.txt -r # Resume interrupted scan ./reconftw.sh -d target.com -r # just run again Copy ./reconftw.sh -h # Show help ./reconftw.sh --check-tools # Verify installation Copy HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=50 sun-brightdesktopmoon --- # Introduction | reconftw-docs ![](https://docs.reconftw.com/~gitbook/image?url=https%3A%2F%2F4002482909-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FaI11LZxKJyqTqfArwVL8%252Fuploads%252FZhQq6d6DzeYrt4QjaqTi%252Fimage.png%3Falt%3Dmedia%26token%3Db688113d-d113-4775-82d9-9757619fc02c&width=768&dpr=3&quality=100&sign=15985712&sv=2) **Automated Reconnaissance Framework** [GitHubarrow-up-right](https://github.com/six2dez/reconftw) • [Twitterarrow-up-right](https://twitter.com/Six2dez1) • [Discordarrow-up-right](https://discord.gg/R5DdXVEdTy) • [Telegramarrow-up-right](https://t.me/joinchat/H5bAaw3YbzzmI5co) * * * [hashtag](https://docs.reconftw.com/#welcome-to-reconftw) Welcome to reconFTW ---------------------------------------------------------------------------------- **reconFTW** is a modular reconnaissance automation framework designed for security researchers, penetration testers, and bug bounty hunters. It orchestrates 80+ security tools to perform full reconnaissance on your targets, from subdomain enumeration to vulnerability scanning. ### [hashtag](https://docs.reconftw.com/#why-reconftw) Why reconFTW? Feature Description 🔄 **Automated Workflow** Complete reconnaissance pipeline with a single command 🧩 **Modular Design** Enable/disable any module or function as needed **Distributed Scanning** Scale with [Axiom](https://docs.reconftw.com/integrations/axiom) across cloud infrastructure **Structured Output** Organized results with multiple export formats 🔧 **Highly Configurable** 300+ configuration options for fine-tuning 🔄 **Incremental Scans** Only scan new findings since last run 🤖 **AI Integration** Generate executive reports with local AI models ### [hashtag](https://docs.reconftw.com/#what-can-reconftw-do) What Can reconFTW Do? * * * [hashtag](https://docs.reconftw.com/#quick-start) Quick Start ------------------------------------------------------------------ * * * [hashtag](https://docs.reconftw.com/#documentation-overview) Documentation Overview ---------------------------------------------------------------------------------------- This documentation is organized to help you get the most out of reconFTW: ### [hashtag](https://docs.reconftw.com/#for-beginners) 📚 For Beginners 1. [**First 30 Minutes**](https://docs.reconftw.com/welcome/first-30-minutes) - Quick start guide to get scanning 2. [**Getting Started**](https://docs.reconftw.com/getting-started/getting-started) - Installation and setup 3. [**Concepts**](https://docs.reconftw.com/understanding-reconftw/concepts) - Understanding how reconFTW works 4. [**Usage Guide**](https://docs.reconftw.com/usage/usage) - All command-line options explained ### [hashtag](https://docs.reconftw.com/#for-configuration) 🔧 For Configuration 1. [**Configuration**](https://docs.reconftw.com/configuration/configuration) - Deep dive into reconftw.cfg 2. [**Modules**](https://docs.reconftw.com/modules/05-modules) - Detailed documentation for each module 3. [**Tools Reference**](https://docs.reconftw.com/tools-reference/tools) - All 80+ integrated tools ### [hashtag](https://docs.reconftw.com/#for-results) 📊 For Results 1. [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understanding your results 2. [**Data Model & I/O**](https://docs.reconftw.com/guides/data-model) - Complete input/output reference 3. [**Integrations**arrow-up-right](https://github.com/six2dez/reconftw-docs/blob/main/08-integrations/README.md) - Axiom and Faraday setup ### [hashtag](https://docs.reconftw.com/#for-advanced-users) For Advanced Users 1. [**Deployment**](https://docs.reconftw.com/deployment/deployment) - Docker, Terraform, VPS, CI/CD 2. [**Performance Tuning**](https://docs.reconftw.com/guides/tuning) - Optimize for speed and target size 3. [**Case Studies**](https://docs.reconftw.com/guides/case-studies) - Real-world usage examples 4. [**Advanced Usage**](https://docs.reconftw.com/advanced/advanced) - Custom functions and optimization 5. [**Troubleshooting**](https://docs.reconftw.com/help/troubleshooting) - Common issues and solutions ### [hashtag](https://docs.reconftw.com/#legal-and-security) ⚖️ Legal & Security 1. [**OPSEC & Legal**](https://docs.reconftw.com/guides/opsec-legal) - Stay safe and authorized * * * [hashtag](https://docs.reconftw.com/#scan-modes-at-a-glance) Scan Modes at a Glance ---------------------------------------------------------------------------------------- Mode Flag Description Use Case **Recon** `-r` Full reconnaissance Standard bug bounty recon **Subdomains** `-s` Subdomain enumeration only Quick subdomain discovery **Passive** `-p` Passive reconnaissance Stealth/non-intrusive **All** `-a` Full recon + vulnerabilities Full assessment **Web** `-w` Web analysis only Analyze known URLs **OSINT** `-n` OSINT gathering only Intelligence gathering **Custom** `-c` Run custom function Advanced workflows **Zen** `-z` Minimal output mode Clean terminal output * * * [hashtag](https://docs.reconftw.com/#legal-and-opsec) ⚠️ Legal & OPSEC --------------------------------------------------------------------------- > **IMPORTANT**: reconFTW is designed for authorized security testing only. ### [hashtag](https://docs.reconftw.com/#authorization-checklist) Authorization Checklist Before running any scan, verify: * Written permission from target owner * Defined scope (in-scope and out-of-scope assets) * Rate limits agreed upon * Testing window defined (if applicable) * Emergency contact available * NDA signed (if required) ### [hashtag](https://docs.reconftw.com/#opsec-considerations) OPSEC Considerations Risk Mitigation **IP Blocking** Use VPS, rotate IPs with Axiom **WAF Detection** Start with passive mode (`-p`) **Rate Limiting** Use `--adaptive-rate` flag **Legal Issues** Always have written authorization **Data Exposure** Keep `secrets.cfg` secure, never commit ### [hashtag](https://docs.reconftw.com/#legal-disclaimer) Legal Disclaimer By using this tool, you confirm that: * You have explicit written permission to test the target * You will comply with all applicable laws and regulations * You understand that unauthorized testing is illegal The developers assume no liability for misuse of this tool. **Use responsibly.** ➡️ [**Full OPSEC Guide**](https://docs.reconftw.com/understanding-reconftw/concepts#opsec-and-legal) * * * [hashtag](https://docs.reconftw.com/#community-and-support) Community & Support ------------------------------------------------------------------------------------ * **GitHub Issues**: [Report bugs or request featuresarrow-up-right](https://github.com/six2dez/reconftw/issues) * **Discord**: [Join our communityarrow-up-right](https://discord.gg/R5DdXVEdTy) * **Telegram**: [Discussion grouparrow-up-right](https://t.me/joinchat/H5bAaw3YbzzmI5co) * **Twitter**: [@Six2dez1arrow-up-right](https://twitter.com/Six2dez1) * * * [hashtag](https://docs.reconftw.com/#contributing) Contributing -------------------------------------------------------------------- reconFTW is open source and welcomes contributions! See our [Contributing Guidearrow-up-right](https://github.com/six2dez/reconftw/blob/main/CONTRIBUTING.md) for details. * * * Made with ❤️ by [six2dezarrow-up-right](https://github.com/six2dez) and the security community * * * [NextFirst 30 Minuteschevron-right](https://docs.reconftw.com/welcome/first-30-minutes) Last updated 1 month ago * [Welcome to reconFTW](https://docs.reconftw.com/#welcome-to-reconftw) * [Why reconFTW?](https://docs.reconftw.com/#why-reconftw) * [What Can reconFTW Do?](https://docs.reconftw.com/#what-can-reconftw-do) * [Quick Start](https://docs.reconftw.com/#quick-start) * [Documentation Overview](https://docs.reconftw.com/#documentation-overview) * [📚 For Beginners](https://docs.reconftw.com/#for-beginners) * [🔧 For Configuration](https://docs.reconftw.com/#for-configuration) * [📊 For Results](https://docs.reconftw.com/#for-results) * [For Advanced Users](https://docs.reconftw.com/#for-advanced-users) * [⚖️ Legal & Security](https://docs.reconftw.com/#legal-and-security) * [Scan Modes at a Glance](https://docs.reconftw.com/#scan-modes-at-a-glance) * [⚠️ Legal & OPSEC](https://docs.reconftw.com/#legal-and-opsec) * [Authorization Checklist](https://docs.reconftw.com/#authorization-checklist) * [OPSEC Considerations](https://docs.reconftw.com/#opsec-considerations) * [Legal Disclaimer](https://docs.reconftw.com/#legal-disclaimer) * [Community & Support](https://docs.reconftw.com/#community-and-support) * [Contributing](https://docs.reconftw.com/#contributing) sun-brightdesktopmoon Copy ┌─────────────────────────────────────────────────────────────────┐ │ reconFTW Capabilities │ ├─────────────────────────────────────────────────────────────────┤ │ OSINT │ Google dorks, GitHub secrets, metadata, │ │ │ email harvesting, API leaks, cloud enum, │ │ │ leaked credentials, S3 buckets │ ├──────────────────┼──────────────────────────────────────────────┤ │ Subdomains │ 10+ passive sources, DNS bruteforce, │ │ │ permutations (AI-powered), recursive enum, │ │ │ CT logs, scraping, zone transfer, takeover │ ├──────────────────┼──────────────────────────────────────────────┤ │ Web Analysis │ HTTP probing, screenshots, JS secrets, │ │ │ URL extraction, directory fuzzing, CMS, │ │ │ virtual hosts, parameters, GraphQL, gRPC │ ├──────────────────┼──────────────────────────────────────────────┤ │ Vulnerabilities │ Nuclei templates, XSS, SQLi, SSRF, LFI, │ │ │ SSTI, CORS, CRLF, command injection, │ │ │ prototype pollution, 403 bypass, smuggling │ ├──────────────────┼──────────────────────────────────────────────┤ │ Host Analysis │ Port scanning (nmap/naabu), CDN detection, │ │ │ WAF fingerprinting, geolocation, banners │ ├──────────────────┼──────────────────────────────────────────────┤ │ Automation │ Checkpoint/resume system, incremental scans, │ │ │ notifications (Slack/Discord/Telegram), │ │ │ Axiom distributed scanning, AI reports │ └─────────────────────────────────────────────────────────────────┘ Copy # Install reconFTW git clone https://github.com/six2dez/reconftw.git cd reconftw ./install.sh # Run your first scan ./reconftw.sh -d example.com -r # Full scan with vulnerabilities ./reconftw.sh -d example.com -a sun-brightdesktopmoon --- # Installation & Setup | reconftw-docs This guide will walk you through installing reconFTW, setting it up, and running your first reconnaissance scan. * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#system-requirements) System Requirements ----------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#minimum-requirements) Minimum Requirements Resource Minimum Recommended **OS** Ubuntu 20.04+ / Debian 11+ / Kali Ubuntu 22.04 LTS **RAM** 4 GB 8-16 GB **Disk Space** 20 GB 50+ GB **CPU** 2 cores 4+ cores **Network** Stable internet High bandwidth ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#supported-operating-systems) Supported Operating Systems * ✅ **Ubuntu** 20.04, 22.04, 24.04 (Recommended) * ✅ **Debian** 11, 12 * ✅ **Kali Linux** (latest rolling) * ✅ **Parrot OS** * ✅ **macOS** 12+ (with Homebrew) * ✅ **Docker** (any platform) * ⚠️ **Windows WSL2** (experimental) ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#required-dependencies) Required Dependencies reconFTW will install most dependencies automatically, but these base packages are required: * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#installation-methods) Installation Methods ------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#method-1-local-installation-recommended) Method 1: Local Installation (Recommended) This is the standard installation for Linux/macOS systems. The installer will: 1. Check system requirements 2. Install Go, Rust, and Python dependencies 3. Install 80+ security tools 4. Configure PATH and environment variables 5. Download required wordlists and resolvers > **⏱️ Installation Time**: 15-45 minutes depending on internet speed and system resources. #### [hashtag](https://docs.reconftw.com/getting-started/getting-started#installation-options) Installation Options When running `./install.sh`, you'll see these options: ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#method-2-docker-installation) Method 2: Docker Installation Docker provides a consistent environment across all platforms. #### [hashtag](https://docs.reconftw.com/getting-started/getting-started#docker-with-custom-configuration) Docker with Custom Configuration #### [hashtag](https://docs.reconftw.com/getting-started/getting-started#building-custom-docker-image) Building Custom Docker Image ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#method-3-terraform--ansible-cloud-deployment) Method 3: Terraform + Ansible (Cloud Deployment) For deploying reconFTW on AWS or other cloud providers: See [Deployment Guide](https://docs.reconftw.com/deployment/deployment) for detailed cloud setup. * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#macos-specific-setup) macOS-Specific Setup ------------------------------------------------------------------------------------------------------------------- macOS requires additional Homebrew packages due to BSD tool differences: > **Note**: reconFTW automatically detects macOS and uses Homebrew GNU tools. Make sure they're installed before running. * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#your-first-scan) Your First Scan --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#basic-reconnaissance-scan) Basic Reconnaissance Scan This will: 1. Enumerate subdomains (passive + active) 2. Probe for live web servers 3. Take screenshots 4. Extract URLs and JavaScript files 5. Run nuclei vulnerability scans 6. Generate organized output ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#understanding-the-output) Understanding the Output Results are saved in `Recon//`: ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#quick-scan-examples) Quick Scan Examples * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#verifying-installation) Verifying Installation ----------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#check-tools-installation) Check Tools Installation This displays a checklist of all required tools and their installation status. ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#health-check) Health Check The health check verifies: * All critical dependencies are installed * Required files and directories exist * Configuration is valid * Network connectivity works ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#dry-run-mode) Dry Run Mode Test your command without executing anything: * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#updating-reconftw) Updating reconFTW ------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#update-everything) Update Everything ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#update-only-tools) Update Only Tools ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#automatic-updates-before-scans) Automatic Updates Before Scans Enable in `reconftw.cfg`: * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#post-installation-configuration) Post-Installation Configuration ----------------------------------------------------------------------------------------------------------------------------------------- After installation, you should configure API keys for maximum effectiveness: ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#id-1.-create-secrets.cfg) 1\. Create secrets.cfg Edit `secrets.cfg`: ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#id-2.-configure-github-tokens) 2\. Configure GitHub Tokens Create `$HOME/Tools/.github_tokens` with one token per line: Multiple tokens help avoid rate limiting during GitHub reconnaissance. ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#id-3.-verify-configuration) 3\. Verify Configuration * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#common-installation-issues) Common Installation Issues ------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#go-not-found) "Go not found" ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#permission-denied) "Permission denied" ### [hashtag](https://docs.reconftw.com/getting-started/getting-started#tool-x-not-found) "Tool X not found" See [Troubleshooting](https://docs.reconftw.com/help/troubleshooting) for more solutions. * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#next-steps) Next Steps ----------------------------------------------------------------------------------------------- Now that reconFTW is installed: 1. [**Learn the concepts**](https://docs.reconftw.com/understanding-reconftw/concepts) - Understand how reconFTW works 2. [**Explore usage options**](https://docs.reconftw.com/usage/usage) - Master command-line flags 3. [**Configure settings**](https://docs.reconftw.com/configuration/configuration) - Customize for your needs 4. [**Understand output**](https://docs.reconftw.com/output/output) - Interpret your results * * * [hashtag](https://docs.reconftw.com/getting-started/getting-started#quick-reference-card) Quick Reference Card ------------------------------------------------------------------------------------------------------------------- [PreviousGlossarychevron-left](https://docs.reconftw.com/welcome/glossary) [NextConcepts & Architecturechevron-right](https://docs.reconftw.com/understanding-reconftw/concepts) Last updated 1 month ago * [System Requirements](https://docs.reconftw.com/getting-started/getting-started#system-requirements) * [Minimum Requirements](https://docs.reconftw.com/getting-started/getting-started#minimum-requirements) * [Supported Operating Systems](https://docs.reconftw.com/getting-started/getting-started#supported-operating-systems) * [Required Dependencies](https://docs.reconftw.com/getting-started/getting-started#required-dependencies) * [Installation Methods](https://docs.reconftw.com/getting-started/getting-started#installation-methods) * [Method 1: Local Installation (Recommended)](https://docs.reconftw.com/getting-started/getting-started#method-1-local-installation-recommended) * [Method 2: Docker Installation](https://docs.reconftw.com/getting-started/getting-started#method-2-docker-installation) * [Method 3: Terraform + Ansible (Cloud Deployment)](https://docs.reconftw.com/getting-started/getting-started#method-3-terraform--ansible-cloud-deployment) * [macOS-Specific Setup](https://docs.reconftw.com/getting-started/getting-started#macos-specific-setup) * [Your First Scan](https://docs.reconftw.com/getting-started/getting-started#your-first-scan) * [Basic Reconnaissance Scan](https://docs.reconftw.com/getting-started/getting-started#basic-reconnaissance-scan) * [Understanding the Output](https://docs.reconftw.com/getting-started/getting-started#understanding-the-output) * [Quick Scan Examples](https://docs.reconftw.com/getting-started/getting-started#quick-scan-examples) * [Verifying Installation](https://docs.reconftw.com/getting-started/getting-started#verifying-installation) * [Check Tools Installation](https://docs.reconftw.com/getting-started/getting-started#check-tools-installation) * [Health Check](https://docs.reconftw.com/getting-started/getting-started#health-check) * [Dry Run Mode](https://docs.reconftw.com/getting-started/getting-started#dry-run-mode) * [Updating reconFTW](https://docs.reconftw.com/getting-started/getting-started#updating-reconftw) * [Update Everything](https://docs.reconftw.com/getting-started/getting-started#update-everything) * [Update Only Tools](https://docs.reconftw.com/getting-started/getting-started#update-only-tools) * [Automatic Updates Before Scans](https://docs.reconftw.com/getting-started/getting-started#automatic-updates-before-scans) * [Post-Installation Configuration](https://docs.reconftw.com/getting-started/getting-started#post-installation-configuration) * [1\. Create secrets.cfg](https://docs.reconftw.com/getting-started/getting-started#id-1.-create-secrets.cfg) * [2\. Configure GitHub Tokens](https://docs.reconftw.com/getting-started/getting-started#id-2.-configure-github-tokens) * [3\. Verify Configuration](https://docs.reconftw.com/getting-started/getting-started#id-3.-verify-configuration) * [Common Installation Issues](https://docs.reconftw.com/getting-started/getting-started#common-installation-issues) * ["Go not found"](https://docs.reconftw.com/getting-started/getting-started#go-not-found) * ["Permission denied"](https://docs.reconftw.com/getting-started/getting-started#permission-denied) * ["Tool X not found"](https://docs.reconftw.com/getting-started/getting-started#tool-x-not-found) * [Next Steps](https://docs.reconftw.com/getting-started/getting-started#next-steps) * [Quick Reference Card](https://docs.reconftw.com/getting-started/getting-started#quick-reference-card) sun-brightdesktopmoon Copy # Ubuntu/Debian sudo apt update sudo apt install -y git curl wget python3 python3-pip ruby golang jq # macOS (via Homebrew) brew install git curl wget python@3 ruby go jq gnu-getopt coreutils gnu-sed bash Copy # Clone the repository git clone https://github.com/six2dez/reconftw.git cd reconftw # Run the installer (interactive) ./install.sh # Or run non-interactively (option 1 = install all) echo 1 | ./install.sh Copy Select an option: 1. Install all dependencies and tools 2. Install only tools (skip dependencies) 3. Update tools only 4. Check tool installation status Copy # Pull the official image docker pull six2dez/reconftw:latest # Run a scan docker run --rm -v $(pwd)/Recon:/reconftw/Recon six2dez/reconftw:latest -d example.com -r # Interactive mode docker run -it --rm -v $(pwd)/Recon:/reconftw/Recon six2dez/reconftw:latest /bin/bash Copy # Mount your custom config docker run --rm \ -v $(pwd)/Recon:/reconftw/Recon \ -v $(pwd)/my_config.cfg:/reconftw/reconftw.cfg \ -e SHODAN_API_KEY="your_key" \ six2dez/reconftw:latest -d example.com -r Copy cd reconftw/Docker docker build -t my-reconftw . Copy cd reconftw/Terraform # Configure your AWS credentials export AWS_ACCESS_KEY_ID="your_key" export AWS_SECRET_ACCESS_KEY="your_secret" # Deploy infrastructure terraform init terraform apply # Run Ansible playbook ansible-playbook -i inventory reconFTW.yml Copy # Install Homebrew if not installed /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" # Install required formulae brew install bash coreutils gnu-sed gnu-getopt findutils grep # Use Homebrew's bash (required for reconFTW) # reconFTW will automatically use /opt/homebrew/bin/bash on Apple Silicon Copy cd reconftw # Standard reconnaissance ./reconftw.sh -d example.com -r Copy Recon/example.com/ ├── subdomains/ # Discovered subdomains │ ├── subdomains.txt # Final subdomain list │ └── ... ├── webs/ # Web server information │ ├── webs.txt # Live web servers │ └── ... ├── hosts/ # Host/IP information ├── vulns/ # Vulnerability findings ├── osint/ # OSINT results ├── screenshots/ # Web screenshots ├── nuclei_output/ # Nuclei scan results ├── .log/ # Scan logs └── .tmp/ # Temporary files Copy # Subdomain enumeration only (fast) ./reconftw.sh -d example.com -s # Passive reconnaissance (non-intrusive) ./reconftw.sh -d example.com -p # Full scan with vulnerability checks ./reconftw.sh -d example.com -a # Scan from a list of domains ./reconftw.sh -l targets.txt -r # Custom output directory ./reconftw.sh -d example.com -r -o /path/to/output Copy # Verify all tools are installed ./reconftw.sh --check-tools Copy # Run system health check ./reconftw.sh --health-check Copy # Preview what commands would be executed ./reconftw.sh -d example.com -r --dry-run Copy cd reconftw # Pull latest code git pull # Update all tools ./install.sh --tools Copy ./install.sh --tools # Or use option 3 in interactive mode Copy upgrade_before_running=true Copy cp secrets.cfg.example secrets.cfg chmod 600 secrets.cfg Copy # API keys for enhanced functionality SHODAN_API_KEY="your_shodan_api_key" WHOISXML_API="your_whoisxml_api_key" XSS_SERVER="your_xss_hunter_server" COLLAB_SERVER="your_interactsh_server" Copy ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ghp_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy Copy # Test with a simple scan ./reconftw.sh -d example.com -p --dry-run Copy # Install Go manually wget https://go.dev/dl/go1.21.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.linux-amd64.tar.gz export PATH=$PATH:/usr/local/go/bin export GOPATH=$HOME/go export PATH=$PATH:$GOPATH/bin Copy # Fix permissions chmod +x reconftw.sh install.sh Copy # Reinstall specific tools ./install.sh --tools Copy # Installation git clone https://github.com/six2dez/reconftw.git && cd reconftw && ./install.sh # Basic scans ./reconftw.sh -d target.com -r # Full recon ./reconftw.sh -d target.com -s # Subdomains only ./reconftw.sh -d target.com -p # Passive only ./reconftw.sh -d target.com -a # Full + vulns # Advanced options ./reconftw.sh -d target.com -r --deep # Deep/thorough scan ./reconftw.sh -d target.com -r -v # With Axiom (distributed) ./reconftw.sh -l targets.txt -r # Multiple targets # Maintenance ./reconftw.sh --check-tools # Verify installation ./reconftw.sh --health-check # System health ./install.sh --tools # Update tools sun-brightdesktopmoon --- # Glossary | reconftw-docs Technical terms and concepts used throughout the reconFTW documentation. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#a) A -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#active-scanning) Active Scanning Reconnaissance that directly interacts with the target, such as sending HTTP requests or DNS queries. Contrast with [Passive Scanning](https://docs.reconftw.com/welcome/glossary#passive-scanning) . ### [hashtag](https://docs.reconftw.com/welcome/glossary#api-key) API Key Authentication credential for accessing third-party services like Shodan, VirusTotal, or GitHub. ### [hashtag](https://docs.reconftw.com/welcome/glossary#asn-autonomous-system-number) ASN (Autonomous System Number) A unique identifier for a network on the internet, useful for discovering related IP ranges. ### [hashtag](https://docs.reconftw.com/welcome/glossary#asset) Asset Any discoverable resource belonging to a target: subdomains, IPs, URLs, etc. ### [hashtag](https://docs.reconftw.com/welcome/glossary#axiom) Axiom Infrastructure automation tool for distributing security tools across cloud instances. Commands use `axiom-*` naming (e.g., `axiom-fleet`, `axiom-scan`). See [Axiom Integration](https://docs.reconftw.com/integrations/axiom) . * * * [hashtag](https://docs.reconftw.com/welcome/glossary#b) B -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#banner-grabbing) Banner Grabbing Technique to identify services by examining their response banners (e.g., SSH version, HTTP server). ### [hashtag](https://docs.reconftw.com/welcome/glossary#brute-force) Brute Force Technique of systematically checking all possible values (e.g., subdomain wordlist enumeration). ### [hashtag](https://docs.reconftw.com/welcome/glossary#bug-bounty) Bug Bounty Program where organizations pay security researchers for responsibly disclosed vulnerabilities. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#c) C -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#cdn-content-delivery-network) CDN (Content Delivery Network) Distributed network of servers that cache content closer to users. Examples: Cloudflare, Akamai, CloudFront. ### [hashtag](https://docs.reconftw.com/welcome/glossary#certificate-transparency-ct) Certificate Transparency (CT) Public logs of SSL/TLS certificates, useful for discovering subdomains. ### [hashtag](https://docs.reconftw.com/welcome/glossary#checkpoint) Checkpoint Marker file indicating a function has completed, enabling scan resumption. ### [hashtag](https://docs.reconftw.com/welcome/glossary#cidr-classless-inter-domain-routing) CIDR (Classless Inter-Domain Routing) Notation for IP address ranges (e.g., 192.168.1.0/24). ### [hashtag](https://docs.reconftw.com/welcome/glossary#cors-cross-origin-resource-sharing) CORS (Cross-Origin Resource Sharing) Browser security mechanism that can be misconfigured, leading to data theft vulnerabilities. ### [hashtag](https://docs.reconftw.com/welcome/glossary#crawler) Crawler Tool that automatically follows links to discover URLs and content on websites. ### [hashtag](https://docs.reconftw.com/welcome/glossary#crlf-injection) CRLF Injection Vulnerability where attacker injects carriage return and line feed characters to manipulate HTTP headers. ### [hashtag](https://docs.reconftw.com/welcome/glossary#crt.sh) CRT.sh Certificate Transparency log search engine operated by Sectigo. ### [hashtag](https://docs.reconftw.com/welcome/glossary#cve-common-vulnerabilities-and-exposures) CVE (Common Vulnerabilities and Exposures) Standardized identifier for known security vulnerabilities (e.g., CVE-2021-44228). * * * [hashtag](https://docs.reconftw.com/welcome/glossary#d) D -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#dalfox) Dalfox Fast XSS (Cross-Site Scripting) vulnerability scanner. ### [hashtag](https://docs.reconftw.com/welcome/glossary#deep-mode) DEEP Mode reconFTW mode that runs additional intensive checks when target size is below threshold. ### [hashtag](https://docs.reconftw.com/welcome/glossary#dns-domain-name-system) DNS (Domain Name System) System that translates domain names to IP addresses. ### [hashtag](https://docs.reconftw.com/welcome/glossary#dns-bruteforce) DNS Bruteforce Technique of testing wordlist entries as subdomains against DNS servers. ### [hashtag](https://docs.reconftw.com/welcome/glossary#dnsx) Dnsx Fast DNS toolkit for resolution and record querying. ### [hashtag](https://docs.reconftw.com/welcome/glossary#dork) Dork Search query using advanced operators to find specific information (e.g., Google dorks). * * * [hashtag](https://docs.reconftw.com/welcome/glossary#e) E -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#endpoint) Endpoint Specific URL path on a web server (e.g., /api/users). ### [hashtag](https://docs.reconftw.com/welcome/glossary#enumeration) Enumeration Process of systematically discovering assets or information. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#f) F -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#faraday) Faraday Collaborative vulnerability management platform for organizing and reporting findings. ### [hashtag](https://docs.reconftw.com/welcome/glossary#favicon) Favicon Small icon associated with a website, can be used to discover real IPs behind CDNs. ### [hashtag](https://docs.reconftw.com/welcome/glossary#ffuf) ffuf Fast web fuzzer for discovering directories, files, and parameters. ### [hashtag](https://docs.reconftw.com/welcome/glossary#fleet) Fleet Group of cloud instances managed by Axiom for distributed scanning. See [Axiom Integration](https://docs.reconftw.com/integrations/axiom) . ### [hashtag](https://docs.reconftw.com/welcome/glossary#fuzzing) Fuzzing Technique of sending random or semi-random data to find vulnerabilities or hidden content. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#g) G -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#gau-get-all-urls) GAU (Get All URLs) Tool that fetches known URLs from web archives and other sources. ### [hashtag](https://docs.reconftw.com/welcome/glossary#gf-grep-for-pentesters) gf (grep for pentesters) Pattern-matching tool for extracting potentially vulnerable URLs. ### [hashtag](https://docs.reconftw.com/welcome/glossary#gitbook) GitBook Documentation platform used to host docs.reconftw.com. ### [hashtag](https://docs.reconftw.com/welcome/glossary#github-dorking) GitHub Dorking Using GitHub search to find sensitive information in repositories. ### [hashtag](https://docs.reconftw.com/welcome/glossary#go-golang) Go/Golang Programming language used by many security tools integrated with reconFTW. ### [hashtag](https://docs.reconftw.com/welcome/glossary#gowitness) Gowitness Screenshot tool for capturing web page images. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#h) H -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#httpx) httpx Fast HTTP toolkit for probing web servers and extracting metadata. ### [hashtag](https://docs.reconftw.com/welcome/glossary#host) Host Individual server or IP address. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#i) I -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#incremental-scan) Incremental Scan Scan mode that only processes new findings since the last scan. ### [hashtag](https://docs.reconftw.com/welcome/glossary#in-scope) In-Scope Assets that are authorized for testing in an engagement. ### [hashtag](https://docs.reconftw.com/welcome/glossary#interactsh) Interactsh Out-of-band interaction detection service for finding blind vulnerabilities. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#j) J -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#javascript-analysis) JavaScript Analysis Examining JavaScript files for endpoints, secrets, and vulnerabilities. ### [hashtag](https://docs.reconftw.com/welcome/glossary#json-javascript-object-notation) JSON (JavaScript Object Notation) Data format used for structured output (e.g., Nuclei results). ### [hashtag](https://docs.reconftw.com/welcome/glossary#jsonl-json-lines) JSONL (JSON Lines) Format with one JSON object per line, useful for streaming data. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#k) K -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#katana) Katana Modern web crawler for URL and endpoint discovery. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#l) L -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#lfi-local-file-inclusion) LFI (Local File Inclusion) Vulnerability allowing attackers to read local files from the server. ### [hashtag](https://docs.reconftw.com/welcome/glossary#linkfinder) Linkfinder Tool for extracting endpoints from JavaScript files. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#m) M -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#massdns) Massdns High-performance DNS resolver for bulk subdomain resolution. ### [hashtag](https://docs.reconftw.com/welcome/glossary#metadata) Metadata Data about data; in documents, includes author, creation date, software used. ### [hashtag](https://docs.reconftw.com/welcome/glossary#module) Module Logical grouping of related functions in reconFTW (e.g., OSINT module, Subdomains module). * * * [hashtag](https://docs.reconftw.com/welcome/glossary#n) N -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#nmap) Nmap Network scanner for port discovery and service detection. ### [hashtag](https://docs.reconftw.com/welcome/glossary#noerror) NOERROR DNS response code indicating the domain exists (used for subdomain discovery). ### [hashtag](https://docs.reconftw.com/welcome/glossary#notify) Notify Tool for sending notifications to Slack, Discord, Telegram, etc. ### [hashtag](https://docs.reconftw.com/welcome/glossary#nuclei) Nuclei Template-based vulnerability scanner by ProjectDiscovery. ### [hashtag](https://docs.reconftw.com/welcome/glossary#nuclei-templates) Nuclei Templates YAML files defining vulnerability checks for Nuclei. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#o) O -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#oob-out-of-band) OOB (Out-of-Band) Testing technique where vulnerable application makes external callback to attacker's server. ### [hashtag](https://docs.reconftw.com/welcome/glossary#open-redirect) Open Redirect Vulnerability where application redirects users to arbitrary URLs. ### [hashtag](https://docs.reconftw.com/welcome/glossary#osint-open-source-intelligence) OSINT (Open Source Intelligence) Information gathered from publicly available sources. ### [hashtag](https://docs.reconftw.com/welcome/glossary#out-of-scope) Out-of-Scope Assets explicitly excluded from testing authorization. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#p) P -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#parameter) Parameter Query string or form field name (e.g., `?id=1` where `id` is the parameter). ### [hashtag](https://docs.reconftw.com/welcome/glossary#passive-scanning) Passive Scanning Reconnaissance using only publicly available data without direct target interaction. ### [hashtag](https://docs.reconftw.com/welcome/glossary#permutation) Permutation Variation of subdomain names (e.g., dev, dev1, development). ### [hashtag](https://docs.reconftw.com/welcome/glossary#port) Port Network endpoint for services (e.g., 80 for HTTP, 443 for HTTPS). ### [hashtag](https://docs.reconftw.com/welcome/glossary#port-scanning) Port Scanning Discovering open ports and services on hosts. ### [hashtag](https://docs.reconftw.com/welcome/glossary#prototype-pollution) Prototype Pollution JavaScript vulnerability where attacker modifies Object prototype. ### [hashtag](https://docs.reconftw.com/welcome/glossary#proxy) Proxy Intermediary server for routing traffic (e.g., Burp Suite). ### [hashtag](https://docs.reconftw.com/welcome/glossary#puredns) Puredns Fast DNS resolution tool with wildcard filtering. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#r) R -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#rate-limiting) Rate Limiting Restricting request frequency to avoid overwhelming targets or being blocked. ### [hashtag](https://docs.reconftw.com/welcome/glossary#recon-reconnaissance) Recon (Reconnaissance) Information gathering phase of security testing. ### [hashtag](https://docs.reconftw.com/welcome/glossary#recursive-enumeration) Recursive Enumeration Discovering subdomains of subdomains (e.g., finding x.dev.example.com). ### [hashtag](https://docs.reconftw.com/welcome/glossary#resolver) Resolver DNS server that translates domain names to IP addresses. ### [hashtag](https://docs.reconftw.com/welcome/glossary#rfi-remote-file-inclusion) RFI (Remote File Inclusion) Vulnerability allowing inclusion of remote files in server-side code. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#s) S -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#scope) Scope Defined boundaries of what can be tested in an engagement. ### [hashtag](https://docs.reconftw.com/welcome/glossary#screenshot) Screenshot Image capture of web page appearance. ### [hashtag](https://docs.reconftw.com/welcome/glossary#secrets) Secrets Sensitive data like API keys, passwords, or tokens. ### [hashtag](https://docs.reconftw.com/welcome/glossary#shodan) Shodan Search engine for internet-connected devices. ### [hashtag](https://docs.reconftw.com/welcome/glossary#smap) Smap Shodan-based passive port scanner. ### [hashtag](https://docs.reconftw.com/welcome/glossary#spider) Spider See [Crawler](https://docs.reconftw.com/welcome/glossary#crawler) . ### [hashtag](https://docs.reconftw.com/welcome/glossary#sql-injection-sqli) SQL Injection (SQLi) Vulnerability where attacker injects SQL commands into database queries. ### [hashtag](https://docs.reconftw.com/welcome/glossary#ssrf-server-side-request-forgery) SSRF (Server-Side Request Forgery) Vulnerability where attacker makes server perform requests to internal resources. ### [hashtag](https://docs.reconftw.com/welcome/glossary#ssti-server-side-template-injection) SSTI (Server-Side Template Injection) Vulnerability in template engines allowing code execution. ### [hashtag](https://docs.reconftw.com/welcome/glossary#subdomain) Subdomain Prefix to a domain name (e.g., `www` in `www.example.com`). ### [hashtag](https://docs.reconftw.com/welcome/glossary#subdomain-takeover) Subdomain Takeover Vulnerability where unclaimed subdomain can be claimed by attacker. ### [hashtag](https://docs.reconftw.com/welcome/glossary#subfinder) Subfinder Fast passive subdomain enumeration tool. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#t) T -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#target) Target Domain, IP, or organization being assessed. ### [hashtag](https://docs.reconftw.com/welcome/glossary#template) Template Reusable definition file (e.g., Nuclei vulnerability templates). ### [hashtag](https://docs.reconftw.com/welcome/glossary#thread) Thread Concurrent execution unit; more threads = faster but more resource-intensive. ### [hashtag](https://docs.reconftw.com/welcome/glossary#tls-ssl) TLS/SSL Encryption protocols for secure communication. ### [hashtag](https://docs.reconftw.com/welcome/glossary#tlsx) Tlsx TLS analysis tool for certificate inspection. ### [hashtag](https://docs.reconftw.com/welcome/glossary#trufflehog) Trufflehog Secret scanning tool for Git repositories. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#u) U -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#url-uniform-resource-locator) URL (Uniform Resource Locator) Web address (e.g., https://example.com/page). ### [hashtag](https://docs.reconftw.com/welcome/glossary#user-agent) User-Agent HTTP header identifying the client software. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#v) V -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#vps-virtual-private-server) VPS (Virtual Private Server) Cloud-hosted virtual machine for running tools. ### [hashtag](https://docs.reconftw.com/welcome/glossary#vulnerability) Vulnerability Security weakness that can be exploited. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#w) W -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#waf-web-application-firewall) WAF (Web Application Firewall) Security system that filters malicious web traffic. ### [hashtag](https://docs.reconftw.com/welcome/glossary#wafw00f) Wafw00f WAF detection and fingerprinting tool. ### [hashtag](https://docs.reconftw.com/welcome/glossary#wayback-machine) Wayback Machine Internet Archive's historical web page database. ### [hashtag](https://docs.reconftw.com/welcome/glossary#wildcard) Wildcard DNS configuration returning response for any subdomain query. ### [hashtag](https://docs.reconftw.com/welcome/glossary#wordlist) Wordlist File containing entries for brute-force testing. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#x) X -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#xss-cross-site-scripting) XSS (Cross-Site Scripting) Vulnerability allowing injection of malicious scripts into web pages. ### [hashtag](https://docs.reconftw.com/welcome/glossary#xxe-xml-external-entity) XXE (XML External Entity) Vulnerability in XML parsers allowing file disclosure or SSRF. * * * [hashtag](https://docs.reconftw.com/welcome/glossary#z) Z -------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/glossary#zen-mode) Zen Mode reconFTW mode with minimal terminal output. ### [hashtag](https://docs.reconftw.com/welcome/glossary#zone-transfer) Zone Transfer DNS mechanism for replicating records, sometimes misconfigured to leak all subdomains. [PreviousFAQchevron-left](https://docs.reconftw.com/welcome/faq) [NextInstallation & Setupchevron-right](https://docs.reconftw.com/getting-started/getting-started) Last updated 1 month ago * [A](https://docs.reconftw.com/welcome/glossary#a) * [Active Scanning](https://docs.reconftw.com/welcome/glossary#active-scanning) * [API Key](https://docs.reconftw.com/welcome/glossary#api-key) * [ASN (Autonomous System Number)](https://docs.reconftw.com/welcome/glossary#asn-autonomous-system-number) * [Asset](https://docs.reconftw.com/welcome/glossary#asset) * [Axiom](https://docs.reconftw.com/welcome/glossary#axiom) * [B](https://docs.reconftw.com/welcome/glossary#b) * [Banner Grabbing](https://docs.reconftw.com/welcome/glossary#banner-grabbing) * [Brute Force](https://docs.reconftw.com/welcome/glossary#brute-force) * [Bug Bounty](https://docs.reconftw.com/welcome/glossary#bug-bounty) * [C](https://docs.reconftw.com/welcome/glossary#c) * [CDN (Content Delivery Network)](https://docs.reconftw.com/welcome/glossary#cdn-content-delivery-network) * [Certificate Transparency (CT)](https://docs.reconftw.com/welcome/glossary#certificate-transparency-ct) * [Checkpoint](https://docs.reconftw.com/welcome/glossary#checkpoint) * [CIDR (Classless Inter-Domain Routing)](https://docs.reconftw.com/welcome/glossary#cidr-classless-inter-domain-routing) * [CORS (Cross-Origin Resource Sharing)](https://docs.reconftw.com/welcome/glossary#cors-cross-origin-resource-sharing) * [Crawler](https://docs.reconftw.com/welcome/glossary#crawler) * [CRLF Injection](https://docs.reconftw.com/welcome/glossary#crlf-injection) * [CRT.sh](https://docs.reconftw.com/welcome/glossary#crt.sh) * [CVE (Common Vulnerabilities and Exposures)](https://docs.reconftw.com/welcome/glossary#cve-common-vulnerabilities-and-exposures) * [D](https://docs.reconftw.com/welcome/glossary#d) * [Dalfox](https://docs.reconftw.com/welcome/glossary#dalfox) * [DEEP Mode](https://docs.reconftw.com/welcome/glossary#deep-mode) * [DNS (Domain Name System)](https://docs.reconftw.com/welcome/glossary#dns-domain-name-system) * [DNS Bruteforce](https://docs.reconftw.com/welcome/glossary#dns-bruteforce) * [Dnsx](https://docs.reconftw.com/welcome/glossary#dnsx) * [Dork](https://docs.reconftw.com/welcome/glossary#dork) * [E](https://docs.reconftw.com/welcome/glossary#e) * [Endpoint](https://docs.reconftw.com/welcome/glossary#endpoint) * [Enumeration](https://docs.reconftw.com/welcome/glossary#enumeration) * [F](https://docs.reconftw.com/welcome/glossary#f) * [Faraday](https://docs.reconftw.com/welcome/glossary#faraday) * [Favicon](https://docs.reconftw.com/welcome/glossary#favicon) * [ffuf](https://docs.reconftw.com/welcome/glossary#ffuf) * [Fleet](https://docs.reconftw.com/welcome/glossary#fleet) * [Fuzzing](https://docs.reconftw.com/welcome/glossary#fuzzing) * [G](https://docs.reconftw.com/welcome/glossary#g) * [GAU (Get All URLs)](https://docs.reconftw.com/welcome/glossary#gau-get-all-urls) * [gf (grep for pentesters)](https://docs.reconftw.com/welcome/glossary#gf-grep-for-pentesters) * [GitBook](https://docs.reconftw.com/welcome/glossary#gitbook) * [GitHub Dorking](https://docs.reconftw.com/welcome/glossary#github-dorking) * [Go/Golang](https://docs.reconftw.com/welcome/glossary#go-golang) * [Gowitness](https://docs.reconftw.com/welcome/glossary#gowitness) * [H](https://docs.reconftw.com/welcome/glossary#h) * [httpx](https://docs.reconftw.com/welcome/glossary#httpx) * [Host](https://docs.reconftw.com/welcome/glossary#host) * [I](https://docs.reconftw.com/welcome/glossary#i) * [Incremental Scan](https://docs.reconftw.com/welcome/glossary#incremental-scan) * [In-Scope](https://docs.reconftw.com/welcome/glossary#in-scope) * [Interactsh](https://docs.reconftw.com/welcome/glossary#interactsh) * [J](https://docs.reconftw.com/welcome/glossary#j) * [JavaScript Analysis](https://docs.reconftw.com/welcome/glossary#javascript-analysis) * [JSON (JavaScript Object Notation)](https://docs.reconftw.com/welcome/glossary#json-javascript-object-notation) * [JSONL (JSON Lines)](https://docs.reconftw.com/welcome/glossary#jsonl-json-lines) * [K](https://docs.reconftw.com/welcome/glossary#k) * [Katana](https://docs.reconftw.com/welcome/glossary#katana) * [L](https://docs.reconftw.com/welcome/glossary#l) * [LFI (Local File Inclusion)](https://docs.reconftw.com/welcome/glossary#lfi-local-file-inclusion) * [Linkfinder](https://docs.reconftw.com/welcome/glossary#linkfinder) * [M](https://docs.reconftw.com/welcome/glossary#m) * [Massdns](https://docs.reconftw.com/welcome/glossary#massdns) * [Metadata](https://docs.reconftw.com/welcome/glossary#metadata) * [Module](https://docs.reconftw.com/welcome/glossary#module) * [N](https://docs.reconftw.com/welcome/glossary#n) * [Nmap](https://docs.reconftw.com/welcome/glossary#nmap) * [NOERROR](https://docs.reconftw.com/welcome/glossary#noerror) * [Notify](https://docs.reconftw.com/welcome/glossary#notify) * [Nuclei](https://docs.reconftw.com/welcome/glossary#nuclei) * [Nuclei Templates](https://docs.reconftw.com/welcome/glossary#nuclei-templates) * [O](https://docs.reconftw.com/welcome/glossary#o) * [OOB (Out-of-Band)](https://docs.reconftw.com/welcome/glossary#oob-out-of-band) * [Open Redirect](https://docs.reconftw.com/welcome/glossary#open-redirect) * [OSINT (Open Source Intelligence)](https://docs.reconftw.com/welcome/glossary#osint-open-source-intelligence) * [Out-of-Scope](https://docs.reconftw.com/welcome/glossary#out-of-scope) * [P](https://docs.reconftw.com/welcome/glossary#p) * [Parameter](https://docs.reconftw.com/welcome/glossary#parameter) * [Passive Scanning](https://docs.reconftw.com/welcome/glossary#passive-scanning) * [Permutation](https://docs.reconftw.com/welcome/glossary#permutation) * [Port](https://docs.reconftw.com/welcome/glossary#port) * [Port Scanning](https://docs.reconftw.com/welcome/glossary#port-scanning) * [Prototype Pollution](https://docs.reconftw.com/welcome/glossary#prototype-pollution) * [Proxy](https://docs.reconftw.com/welcome/glossary#proxy) * [Puredns](https://docs.reconftw.com/welcome/glossary#puredns) * [R](https://docs.reconftw.com/welcome/glossary#r) * [Rate Limiting](https://docs.reconftw.com/welcome/glossary#rate-limiting) * [Recon (Reconnaissance)](https://docs.reconftw.com/welcome/glossary#recon-reconnaissance) * [Recursive Enumeration](https://docs.reconftw.com/welcome/glossary#recursive-enumeration) * [Resolver](https://docs.reconftw.com/welcome/glossary#resolver) * [RFI (Remote File Inclusion)](https://docs.reconftw.com/welcome/glossary#rfi-remote-file-inclusion) * [S](https://docs.reconftw.com/welcome/glossary#s) * [Scope](https://docs.reconftw.com/welcome/glossary#scope) * [Screenshot](https://docs.reconftw.com/welcome/glossary#screenshot) * [Secrets](https://docs.reconftw.com/welcome/glossary#secrets) * [Shodan](https://docs.reconftw.com/welcome/glossary#shodan) * [Smap](https://docs.reconftw.com/welcome/glossary#smap) * [Spider](https://docs.reconftw.com/welcome/glossary#spider) * [SQL Injection (SQLi)](https://docs.reconftw.com/welcome/glossary#sql-injection-sqli) * [SSRF (Server-Side Request Forgery)](https://docs.reconftw.com/welcome/glossary#ssrf-server-side-request-forgery) * [SSTI (Server-Side Template Injection)](https://docs.reconftw.com/welcome/glossary#ssti-server-side-template-injection) * [Subdomain](https://docs.reconftw.com/welcome/glossary#subdomain) * [Subdomain Takeover](https://docs.reconftw.com/welcome/glossary#subdomain-takeover) * [Subfinder](https://docs.reconftw.com/welcome/glossary#subfinder) * [T](https://docs.reconftw.com/welcome/glossary#t) * [Target](https://docs.reconftw.com/welcome/glossary#target) * [Template](https://docs.reconftw.com/welcome/glossary#template) * [Thread](https://docs.reconftw.com/welcome/glossary#thread) * [TLS/SSL](https://docs.reconftw.com/welcome/glossary#tls-ssl) * [Tlsx](https://docs.reconftw.com/welcome/glossary#tlsx) * [Trufflehog](https://docs.reconftw.com/welcome/glossary#trufflehog) * [U](https://docs.reconftw.com/welcome/glossary#u) * [URL (Uniform Resource Locator)](https://docs.reconftw.com/welcome/glossary#url-uniform-resource-locator) * [User-Agent](https://docs.reconftw.com/welcome/glossary#user-agent) * [V](https://docs.reconftw.com/welcome/glossary#v) * [VPS (Virtual Private Server)](https://docs.reconftw.com/welcome/glossary#vps-virtual-private-server) * [Vulnerability](https://docs.reconftw.com/welcome/glossary#vulnerability) * [W](https://docs.reconftw.com/welcome/glossary#w) * [WAF (Web Application Firewall)](https://docs.reconftw.com/welcome/glossary#waf-web-application-firewall) * [Wafw00f](https://docs.reconftw.com/welcome/glossary#wafw00f) * [Wayback Machine](https://docs.reconftw.com/welcome/glossary#wayback-machine) * [Wildcard](https://docs.reconftw.com/welcome/glossary#wildcard) * [Wordlist](https://docs.reconftw.com/welcome/glossary#wordlist) * [X](https://docs.reconftw.com/welcome/glossary#x) * [XSS (Cross-Site Scripting)](https://docs.reconftw.com/welcome/glossary#xss-cross-site-scripting) * [XXE (XML External Entity)](https://docs.reconftw.com/welcome/glossary#xxe-xml-external-entity) * [Z](https://docs.reconftw.com/welcome/glossary#z) * [Zen Mode](https://docs.reconftw.com/welcome/glossary#zen-mode) * [Zone Transfer](https://docs.reconftw.com/welcome/glossary#zone-transfer) sun-brightdesktopmoon sun-brightdesktopmoon --- # FAQ | reconftw-docs Common questions and answers about reconFTW. * * * [hashtag](https://docs.reconftw.com/welcome/faq#general-questions) General Questions ----------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#what-is-reconftw) What is reconFTW? reconFTW is an automated reconnaissance framework that orchestrates 80+ security tools to perform full reconnaissance on targets. It's designed for bug bounty hunters, penetration testers, and security researchers. ### [hashtag](https://docs.reconftw.com/welcome/faq#is-reconftw-free) Is reconFTW free? Yes, reconFTW is completely free and open source under the MIT license. ### [hashtag](https://docs.reconftw.com/welcome/faq#what-operating-systems-are-supported) What operating systems are supported? * **Linux** (Ubuntu/Debian recommended) - Full support * **macOS** - Supported with GNU tools installed via Homebrew * **Windows** - Via WSL2 (Windows Subsystem for Linux) ### [hashtag](https://docs.reconftw.com/welcome/faq#do-i-need-root-sudo-access) Do I need root/sudo access? Only for the initial installation of system dependencies. Normal scans run without elevated privileges. * * * [hashtag](https://docs.reconftw.com/welcome/faq#installation-questions) Installation Questions --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#how-long-does-installation-take) How long does installation take? Initial installation typically takes 15-30 minutes depending on your internet connection and system speed. Most time is spent downloading and compiling Go tools. ### [hashtag](https://docs.reconftw.com/welcome/faq#can-i-install-on-a-vps) Can I install on a VPS? Yes! VPS deployment is recommended for large scans. See the [Deployment Guide](https://docs.reconftw.com/deployment/deployment) for detailed instructions. ### [hashtag](https://docs.reconftw.com/welcome/faq#which-cloud-provider-is-best) Which cloud provider is best? Any provider works. Popular choices: * **DigitalOcean** - Simple, good pricing * **Linode** - Good performance * **Hetzner** - Best value in Europe * **AWS/Azure** - Enterprise features ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-update-reconftw) How do I update reconFTW? ### [hashtag](https://docs.reconftw.com/welcome/faq#tools-arent-installing-what-do-i-do) Tools aren't installing, what do I do? 1. Ensure Go is properly installed: `go version` 2. Check PATH includes Go bin: `echo $PATH | grep go` 3. Run installer again: `./install.sh` 4. Check specific tool: `which httpx` * * * [hashtag](https://docs.reconftw.com/welcome/faq#usage-questions) Usage Questions ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#what-scan-modes-are-available) What scan modes are available? reconFTW has several modes for different scenarios: Flag Mode What It Does Use Case `-p` Passive Uses only public data sources, no direct target contact Safe first scan, stealth `-s` Subdomains Subdomain enumeration (passive + active) Quick subdomain discovery `-n` OSINT OSINT gathering only (dorks, emails, leaks) Information gathering `-w` Web Web analysis on existing subdomains Analyze known assets `-r` **Recon** **Full reconnaissance + light nuclei scan** **Default, recommended** `-a` All Full recon + aggressive vulnerability scanning Full pentest (see warning) `-c` Custom Run a single specific function Advanced users ### [hashtag](https://docs.reconftw.com/welcome/faq#whats-the-difference-between-r-and-a) What's the difference between `-r` and `-a`? `**-r**` **(Recon) is the recommended default mode.** It performs: * Full subdomain enumeration (passive + active) * Web probing, screenshots, JS analysis * URL collection and parameter discovery * Light vulnerability scanning (nuclei on discovered webs/domains) * Port scanning > ⚠️ **Note:** `-r` mode IS active scanning. It sends HTTP requests, DNS queries, and runs nuclei templates. It generates traffic to the target. `**-a**` **(All) adds aggressive vulnerability testing:** * SQLi testing with SQLMap/Ghauri * XSS fuzzing with Dalfox * SSRF, LFI, SSTI, command injection checks * Directory fuzzing * All nuclei templates including intrusive ones > 🔴 **WARNING:** The `-a` flag is the "YOLO mode". It sends attack payloads to the target. Only use with explicit written authorization for penetration testing. This mode may trigger WAFs, get your IP blocked, or cause service disruption. ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-scan-multiple-domains) How do I scan multiple domains? Create a file with one domain per line: Then run: ### [hashtag](https://docs.reconftw.com/welcome/faq#can-i-resume-an-interrupted-scan) Can I resume an interrupted scan? Yes! Simply run the same command again. reconFTW uses checkpoints to skip completed functions. ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-force-a-full-rescan) How do I force a full rescan? Delete the checkpoint directory: ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-run-only-specific-functions) How do I run only specific functions? Use the `-c` flag: `-c` accepts a single function per run. To execute multiple functions, run separate commands. ### [hashtag](https://docs.reconftw.com/welcome/faq#what-does-deep-mode-do) What does DEEP mode do? DEEP mode runs additional, more intensive checks when the number of assets is below a threshold. It's controlled by `DEEP_LIMIT` in the config. See [Performance Tuning](https://docs.reconftw.com/guides/tuning#understanding-deep-mode) for details. * * * [hashtag](https://docs.reconftw.com/welcome/faq#configuration-questions) Configuration Questions ----------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#where-is-the-config-file) Where is the config file? The main configuration file is `reconftw.cfg` in the reconftw directory. See [Configuration Reference](https://docs.reconftw.com/configuration/configuration) for all options. ### [hashtag](https://docs.reconftw.com/welcome/faq#where-do-i-put-api-keys) Where do I put API keys? Create a `secrets.cfg` file (it's gitignored for security): ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-change-thread-counts) How do I change thread counts? Edit `reconftw.cfg`: For Nuclei speed, use `NUCLEI_RATELIMIT`. ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-use-a-custom-wordlist) How do I use a custom wordlist? ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-exclude-certain-subdomains) How do I exclude certain subdomains? Create an out-of-scope file: Then run: * * * [hashtag](https://docs.reconftw.com/welcome/faq#output-questions) Output Questions --------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#where-are-results-saved) Where are results saved? Results are saved in the `Recon/` directory. See [Data Model & I/O](https://docs.reconftw.com/guides/data-model) for the complete output structure: ### [hashtag](https://docs.reconftw.com/welcome/faq#what-format-are-vulnerability-results-in) What format are vulnerability results in? Nuclei results are saved in JSON format in `vulns/nuclei_output/`: * `nuclei_critical.json` * `nuclei_high.json` * `nuclei_medium.json` * etc. ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-generate-a-report) How do I generate a report? Enable AI reports: Or manually aggregate results from the output files. ### [hashtag](https://docs.reconftw.com/welcome/faq#can-i-export-to-csv) Can I export to CSV? Results can be converted: * * * [hashtag](https://docs.reconftw.com/welcome/faq#performance-questions) Performance Questions ------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#how-long-does-a-full-scan-take) How long does a full scan take? Depends on target size: * Small target (< 100 subdomains): 30-60 minutes * Medium target (100-1000 subdomains): 2-4 hours * Large target (1000+ subdomains): 4-12+ hours ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-speed-up-scans) How do I speed up scans? 1. **Use Axiom** for distributed scanning (see [Axiom Integration](https://docs.reconftw.com/integrations/axiom) ) 2. **Increase threads** in config (see [Performance Tuning](https://docs.reconftw.com/guides/tuning) ) 3. **Use passive mode** (`-p`) for quick results 4. **Skip modules** you don't need ### [hashtag](https://docs.reconftw.com/welcome/faq#why-is-my-scan-slow) Why is my scan slow? Common causes: * Large number of subdomains (normal) * Rate limiting by target * Slow DNS resolvers * Limited system resources Solutions: * Use validated resolvers * Reduce rate limits to avoid blocks * Increase VPS resources * Enable DEEP mode limits ### [hashtag](https://docs.reconftw.com/welcome/faq#how-much-disk-space-do-i-need) How much disk space do I need? * Small scans: 1-5 GB * Medium scans: 5-20 GB * Large scans: 20-100+ GB Monitor with: `du -sh Recon/example.com/` * * * [hashtag](https://docs.reconftw.com/welcome/faq#axiom-questions) Axiom Questions ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#what-is-axiom) What is Axiom? Axiom is a tool that lets you distribute reconFTW across multiple cloud instances for faster scanning. See [Axiom Integration](https://docs.reconftw.com/integrations/axiom) for full details. ### [hashtag](https://docs.reconftw.com/welcome/faq#do-i-need-axiom) Do I need Axiom? No, Axiom is optional. It's useful for: * Very large targets * Time-sensitive engagements * Regular/automated scanning ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-enable-axiom) How do I enable Axiom? 1. Install Axiom: `bash <(curl -s https://raw.githubusercontent.com/pry0cc/axiom/master/interact/axiom-configure)` 2. Configure cloud provider 3. Run reconFTW with `-v` flag: `./reconftw.sh -d example.com -a -v` ### [hashtag](https://docs.reconftw.com/welcome/faq#how-much-does-axiom-cost) How much does Axiom cost? Axiom itself is free. You pay for cloud instances: * ~$0.07/hour for a 10-instance fleet * A typical scan costs $0.15-0.50 * * * [hashtag](https://docs.reconftw.com/welcome/faq#legal-questions) Legal Questions ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#is-it-legal-to-use-reconftw) Is it legal to use reconFTW? reconFTW is a legal tool. However, using it against targets without authorization is illegal. Always: * Get written permission before testing * Stay within defined scope * Follow responsible disclosure ### [hashtag](https://docs.reconftw.com/welcome/faq#can-i-use-it-for-bug-bounties) Can I use it for bug bounties? Yes! reconFTW is designed for bug bounty hunting. See [OPSEC & Legal](https://docs.reconftw.com/guides/opsec-legal) and [Case Studies](https://docs.reconftw.com/guides/case-studies#case-study-1-bug-bounty---new-program-launch) for detailed guidance. Always: * Read the program's rules carefully * Respect rate limits * Stay in scope * Report responsibly ### [hashtag](https://docs.reconftw.com/welcome/faq#what-about-rate-limiting-and-being-blocked) What about rate limiting and being blocked? To avoid issues (see [OPSEC & Legal](https://docs.reconftw.com/guides/opsec-legal#staying-under-the-radar) ): * Use reasonable rate limits * Respect robots.txt (optional, configurable) * Don't scan during business hours if concerned * Use the `-p` (passive) flag for initial recon * * * [hashtag](https://docs.reconftw.com/welcome/faq#troubleshooting) Troubleshooting ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/welcome/faq#where-can-i-get-help) Where can I get help? * **GitHub Issues:** https://github.com/six2dez/reconftw/issues * **Discord:** https://discord.gg/R5DdXVEdTy * **Telegram:** https://t.me/joinchat/H5bAaw3YbzzmI5co ### [hashtag](https://docs.reconftw.com/welcome/faq#how-do-i-report-a-bug) How do I report a bug? Open a GitHub issue with: 1. reconFTW version: `git rev-parse --abbrev-ref HEAD` and `git describe --tags 2>/dev/null || git rev-parse --short HEAD` 2. Operating system 3. Full error message 4. Steps to reproduce ### [hashtag](https://docs.reconftw.com/welcome/faq#where-are-the-logs) Where are the logs? Logs are in the scan directory: * * * [hashtag](https://docs.reconftw.com/welcome/faq#more-questions) More Questions? ------------------------------------------------------------------------------------ If your question isn't answered here: 1. Check the [Troubleshooting Guide](https://docs.reconftw.com/help/troubleshooting) 2. Search [GitHub Issuesarrow-up-right](https://github.com/six2dez/reconftw/issues) 3. Ask on [Discordarrow-up-right](https://discord.gg/R5DdXVEdTy) 4. Open a new GitHub issue [PreviousFirst 30 Minuteschevron-left](https://docs.reconftw.com/welcome/first-30-minutes) [NextGlossarychevron-right](https://docs.reconftw.com/welcome/glossary) Last updated 1 month ago * [General Questions](https://docs.reconftw.com/welcome/faq#general-questions) * [What is reconFTW?](https://docs.reconftw.com/welcome/faq#what-is-reconftw) * [Is reconFTW free?](https://docs.reconftw.com/welcome/faq#is-reconftw-free) * [What operating systems are supported?](https://docs.reconftw.com/welcome/faq#what-operating-systems-are-supported) * [Do I need root/sudo access?](https://docs.reconftw.com/welcome/faq#do-i-need-root-sudo-access) * [Installation Questions](https://docs.reconftw.com/welcome/faq#installation-questions) * [How long does installation take?](https://docs.reconftw.com/welcome/faq#how-long-does-installation-take) * [Can I install on a VPS?](https://docs.reconftw.com/welcome/faq#can-i-install-on-a-vps) * [Which cloud provider is best?](https://docs.reconftw.com/welcome/faq#which-cloud-provider-is-best) * [How do I update reconFTW?](https://docs.reconftw.com/welcome/faq#how-do-i-update-reconftw) * [Tools aren't installing, what do I do?](https://docs.reconftw.com/welcome/faq#tools-arent-installing-what-do-i-do) * [Usage Questions](https://docs.reconftw.com/welcome/faq#usage-questions) * [What scan modes are available?](https://docs.reconftw.com/welcome/faq#what-scan-modes-are-available) * [What's the difference between -r and -a?](https://docs.reconftw.com/welcome/faq#whats-the-difference-between-r-and-a) * [How do I scan multiple domains?](https://docs.reconftw.com/welcome/faq#how-do-i-scan-multiple-domains) * [Can I resume an interrupted scan?](https://docs.reconftw.com/welcome/faq#can-i-resume-an-interrupted-scan) * [How do I force a full rescan?](https://docs.reconftw.com/welcome/faq#how-do-i-force-a-full-rescan) * [How do I run only specific functions?](https://docs.reconftw.com/welcome/faq#how-do-i-run-only-specific-functions) * [What does DEEP mode do?](https://docs.reconftw.com/welcome/faq#what-does-deep-mode-do) * [Configuration Questions](https://docs.reconftw.com/welcome/faq#configuration-questions) * [Where is the config file?](https://docs.reconftw.com/welcome/faq#where-is-the-config-file) * [Where do I put API keys?](https://docs.reconftw.com/welcome/faq#where-do-i-put-api-keys) * [How do I change thread counts?](https://docs.reconftw.com/welcome/faq#how-do-i-change-thread-counts) * [How do I use a custom wordlist?](https://docs.reconftw.com/welcome/faq#how-do-i-use-a-custom-wordlist) * [How do I exclude certain subdomains?](https://docs.reconftw.com/welcome/faq#how-do-i-exclude-certain-subdomains) * [Output Questions](https://docs.reconftw.com/welcome/faq#output-questions) * [Where are results saved?](https://docs.reconftw.com/welcome/faq#where-are-results-saved) * [What format are vulnerability results in?](https://docs.reconftw.com/welcome/faq#what-format-are-vulnerability-results-in) * [How do I generate a report?](https://docs.reconftw.com/welcome/faq#how-do-i-generate-a-report) * [Can I export to CSV?](https://docs.reconftw.com/welcome/faq#can-i-export-to-csv) * [Performance Questions](https://docs.reconftw.com/welcome/faq#performance-questions) * [How long does a full scan take?](https://docs.reconftw.com/welcome/faq#how-long-does-a-full-scan-take) * [How do I speed up scans?](https://docs.reconftw.com/welcome/faq#how-do-i-speed-up-scans) * [Why is my scan slow?](https://docs.reconftw.com/welcome/faq#why-is-my-scan-slow) * [How much disk space do I need?](https://docs.reconftw.com/welcome/faq#how-much-disk-space-do-i-need) * [Axiom Questions](https://docs.reconftw.com/welcome/faq#axiom-questions) * [What is Axiom?](https://docs.reconftw.com/welcome/faq#what-is-axiom) * [Do I need Axiom?](https://docs.reconftw.com/welcome/faq#do-i-need-axiom) * [How do I enable Axiom?](https://docs.reconftw.com/welcome/faq#how-do-i-enable-axiom) * [How much does Axiom cost?](https://docs.reconftw.com/welcome/faq#how-much-does-axiom-cost) * [Legal Questions](https://docs.reconftw.com/welcome/faq#legal-questions) * [Is it legal to use reconFTW?](https://docs.reconftw.com/welcome/faq#is-it-legal-to-use-reconftw) * [Can I use it for bug bounties?](https://docs.reconftw.com/welcome/faq#can-i-use-it-for-bug-bounties) * [What about rate limiting and being blocked?](https://docs.reconftw.com/welcome/faq#what-about-rate-limiting-and-being-blocked) * [Troubleshooting](https://docs.reconftw.com/welcome/faq#troubleshooting) * [Where can I get help?](https://docs.reconftw.com/welcome/faq#where-can-i-get-help) * [How do I report a bug?](https://docs.reconftw.com/welcome/faq#how-do-i-report-a-bug) * [Where are the logs?](https://docs.reconftw.com/welcome/faq#where-are-the-logs) * [More Questions?](https://docs.reconftw.com/welcome/faq#more-questions) sun-brightdesktopmoon Copy cd reconftw git pull ./install.sh Copy # targets.txt example.com test.com target.org Copy ./reconftw.sh -l targets.txt -r Copy # Scan interrupted ./reconftw.sh -d example.com -a # Resume - just run again ./reconftw.sh -d example.com -a # Output: [sub_passive] Already run, skipping... Copy rm -rf Recon/example.com/.called_fn/ ./reconftw.sh -d example.com -a Copy ./reconftw.sh -d example.com -c nuclei_check ./reconftw.sh -d example.com -c sub_passive Copy # secrets.cfg SHODAN_API_KEY="your_key" GITHUB_TOKEN="your_token" Copy HTTPX_THREADS=50 FFUF_THREADS=40 KATANA_THREADS=20 DALFOX_THREADS=200 RESOLVE_DOMAINS_THREADS=150 TLSX_THREADS=1000 Copy # In reconftw.cfg subs_wordlist="/path/to/your/wordlist.txt" subs_wordlist_big="/path/to/your/big_wordlist.txt" fuzz_wordlist="/path/to/your/dirs.txt" Copy # outofscope.txt blog.example.com legacy.example.com Copy ./reconftw.sh -d example.com -r -x outofscope.txt Copy Recon/ └── example.com/ ├── subdomains/ ├── webs/ ├── hosts/ ├── osint/ └── vulns/ Copy ./reconftw.sh -d example.com -a -y Copy cat vulns/nuclei_output/*.json | jq -r '[.host, .["template-id"], .info.severity] | @csv' Copy cat Recon/example.com/.log/reconftw.log cat Recon/example.com/.log/errors.log sun-brightdesktopmoon --- # Subdomain Module | reconftw-docs The subdomain enumeration module is the cornerstone of reconFTW, discovering all subdomains associated with a target using multiple complementary techniques. * * * [hashtag](https://docs.reconftw.com/modules/subdomains#module-overview) Module Overview -------------------------------------------------------------------------------------------- Function Type Purpose Tools `sub_passive` Passive API-based subdomain discovery subfinder, github-subdomains `sub_crt` Passive Certificate transparency logs crt.sh `sub_noerror` Active DNS NOERROR response analysis dnsx `sub_brute` Active DNS bruteforce with wordlists puredns `sub_permut` Active Permutation generation gotator, ripgen `sub_ia_permut` Active AI-powered permutations subwiz `sub_regex_permut` Active Regex-based permutations regulator `sub_recursive_passive` Passive Recursive passive enum subfinder `sub_recursive_brute` Active Recursive bruteforce puredns `sub_scraping` Semi-active Web scraping extraction katana `sub_analytics` Passive Google Analytics correlation AnalyticsRelationships `sub_tls` Active TLS certificate discovery tlsx `sub_dns` Active DNS record resolution dnsx `subtakeover` Active Subdomain takeover detection nuclei, dnstake `zonetransfer` Active DNS zone transfer check dig `s3buckets` Active S3 bucket enumeration S3Scanner, CloudHunter * * * [hashtag](https://docs.reconftw.com/modules/subdomains#configuration-options) Configuration Options -------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/modules/subdomains#new-features-v3.x) New Features (v3.x) -------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains#time-fencing-dns_time_fence_days) Time Fencing (`DNS_TIME_FENCE_DAYS`) Filters Certificate Transparency results to recent certificates only. **Problem solved:** CT logs contain years of historical data including certificates for decommissioned infrastructure. This creates noise in results. **Impact:** Typically reduces false positives by 20-40% on established targets. ### [hashtag](https://docs.reconftw.com/modules/subdomains#deep-wildcard-detection-deep_wildcard_filter) Deep Wildcard Detection (`DEEP_WILDCARD_FILTER`) Detects wildcard DNS records at all subdomain levels, not just the root domain. **Problem solved:** Standard wildcard detection only checks `*.example.com`. Enterprise environments often have nested wildcards like `*.na45.salesforce.com` or `*.api.prod.example.com`. **How it works:** 1. Extract unique parent domains from discovered subdomains 2. For each parent, generate a random probe: `randomstring.parent.example.com` 3. If the random probe resolves, that parent has a wildcard record 4. Remove all subdomains under wildcard parents 5. Repeat up to 5 iterations to catch multiple levels **Output:** Detected wildcards are saved to `subdomains/wildcards_detected.txt` **Impact:** Removes 50-80% false positives on enterprise targets with wildcard DNS. ### [hashtag](https://docs.reconftw.com/modules/subdomains#sensitive-domain-exclusion-exclude_sensitive) Sensitive Domain Exclusion (`EXCLUDE_SENSITIVE`) Prevents scanning government, military, educational, and financial domains. **Patterns file:** `config/sensitive_domains.txt` **Excluded by default:** * Government: `*.gov`, `*.gob.*`, `*.gouv.*`, `*.govt.*` * Military: `*.mil`, `*.defense.*`, `*.army.*` * Educational: `*.edu`, `*.ac.*`, `*.university.*` * Financial: `*.bank`, `*.banking.*` * Critical: `*.nhs.*`, `*.hospital.*`, `*.police.*` **Use case:** When scanning wildcard scopes (e.g., `*.company.com`), this prevents accidental enumeration of acquired government or educational assets. * * * [hashtag](https://docs.reconftw.com/modules/subdomains#passive-enumeration) Passive Enumeration ---------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_passive-api-based-discovery) `sub_passive` - API-Based Discovery The primary passive enumeration function querying multiple data sources. **Sources Queried:** * Subfinder (50+ sources including): * VirusTotal * SecurityTrails * Shodan * Censys * AlienVault * Chaos * And many more... * GitHub subdomains **How It Works:** **Output:** **Configuration:** > **Tip:** Configure API keys in `~/.config/subfinder/provider-config.yaml` for better results. * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_crt-certificate-transparency) `sub_crt` - Certificate Transparency Queries certificate transparency logs for issued certificates. **How It Works:** **Output:** **Sample Findings:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_analytics-google-analytics-correlation) `sub_analytics` - Google Analytics Correlation Discovers related domains through shared Google Analytics IDs. **How It Works:** **Output:** **Why It Works:** Organizations often use the same Google Analytics ID across multiple properties, revealing: * Related domains * Acquired companies * Partner sites * Development environments **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/subdomains#active-enumeration) Active Enumeration -------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_brute-dns-bruteforcing) `sub_brute` - DNS Bruteforcing Performs DNS bruteforce using wordlists to discover subdomains. **How It Works:** **Wordlists Used:** * Standard: `$subs_wordlist` (~10k entries) * Deep mode: `$subs_wordlist_big` (~100k+ entries) **Output:** **Configuration:** > **Performance:** Bruteforcing can generate significant DNS traffic. Adjust rate limits for your environment. * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_noerror-dns-noerror-analysis) `sub_noerror` - DNS NOERROR Analysis Discovers subdomains by analyzing DNS NOERROR responses (domain exists but no record type). **How It Works:** **Why It Works:** Some DNS servers return NOERROR for existing domains even without specific records, revealing domains that standard bruteforce might miss. **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_scraping-web-scraping) `sub_scraping` - Web Scraping Extracts subdomains from web pages, JavaScript files, and crawled content. **How It Works:** **What It Finds:** * Links in HTML * API endpoints in JavaScript * References in source maps * Hardcoded URLs **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_tls-tls-certificate-discovery) `sub_tls` - TLS Certificate Discovery Discovers subdomains by connecting to TLS ports and extracting certificate information. **How It Works:** **Ports Checked:** **Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/subdomains#permutation-techniques) Permutation Techniques ---------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_permut-standard-permutations) `sub_permut` - Standard Permutations Generates subdomain variations from discovered subdomains. **Permutation Types:** * Prefix: `dev-api`, `staging-api`, `api-v2` * Suffix: `api-dev`, `api-staging`, `api-2` * Word insertion: `api-internal`, `api-test` * Number variations: `api1`, `api2`, `api3` **Tools:** * **gotator**: Deep permutations (slower, more thorough) * **ripgen**: Fast permutations (faster, less thorough) **How It Works:** **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_ia_permut-ai-powered-permutations) `sub_ia_permut` - AI-Powered Permutations Uses machine learning to generate intelligent permutations based on patterns. **How It Works:** **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_regex_permut-regex-based-permutations) `sub_regex_permut` - Regex-Based Permutations Analyzes subdomain patterns and generates variations using regex. **How It Works:** **Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/subdomains#recursive-enumeration) Recursive Enumeration -------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_recursive_passive) `sub_recursive_passive` Performs passive enumeration on discovered subdomains. **How It Works:** **Example:** **Configuration:** > **Warning:** This uses many API queries. Ensure you have adequate API credits. * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_recursive_brute) `sub_recursive_brute` Performs DNS bruteforce on discovered subdomains. **How It Works:** **Configuration:** > **Warning:** This is extremely resource-intensive. Only enable for high-value targets. * * * [hashtag](https://docs.reconftw.com/modules/subdomains#dns-analysis) DNS Analysis -------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains#sub_dns-dns-resolution) `sub_dns` - DNS Resolution Resolves all discovered subdomains to IP addresses and extracts DNS records. **Records Extracted:** * A records (IPv4) * AAAA records (IPv6) * CNAME records * MX records * TXT records * NS records **Output:** **Sample DNS Records Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/subdomains#security-checks) Security Checks -------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/subdomains#subtakeover-subdomain-takeover-detection) `subtakeover` - Subdomain Takeover Detection Identifies subdomains vulnerable to takeover. **What It Checks:** * Dangling CNAME records * Unclaimed cloud resources * Expired services * Misconfigured DNS **Tools Used:** * **nuclei**: Takeover templates * **dnstake**: Additional checks **How It Works:** **Output:** **Sample Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#zonetransfer-dns-zone-transfer) `zonetransfer` - DNS Zone Transfer Checks if DNS servers allow zone transfers (AXFR). **What It Does:** Attempts zone transfer against all NS records. Successful transfers reveal all DNS records. **Output:** **Configuration:** > **Note:** Zone transfers are rarely successful but when they work, they reveal everything. * * * ### [hashtag](https://docs.reconftw.com/modules/subdomains#s3buckets-s3-bucket-enumeration) `s3buckets` - S3 Bucket Enumeration Discovers S3 buckets related to the target. **Tools Used:** * **S3Scanner**: Bucket discovery and permission check * **CloudHunter**: Additional cloud enumeration **Output:** **Sample Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/subdomains#data-flow) Data Flow -------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/modules/subdomains#output-files-summary) Output Files Summary ------------------------------------------------------------------------------------------------------ File Content `subdomains/subdomains.txt` Final deduplicated subdomain list `subdomains/subdomains_passive.txt` Passive enumeration results `subdomains/subdomains_crt.txt` Certificate transparency results `subdomains/subdomains_brute.txt` Bruteforce results `subdomains/subdomains_permut.txt` Permutation results `subdomains/subdomains_scraping.txt` Web scraping results `subdomains/subdomains_analytics.txt` Analytics correlation `subdomains/subdomains_tls.txt` TLS discovery results `subdomains/subdomains_dnsrecords.txt` Full DNS records `subdomains/subdomains_zonetransfer.txt` Zone transfer results `subdomains/s3buckets.txt` S3 bucket enumeration `hosts/ips.txt` Resolved IP addresses `webs/takeover.txt` Subdomain takeover vulnerabilities * * * [hashtag](https://docs.reconftw.com/modules/subdomains#running-subdomain-enumeration-only) Running Subdomain Enumeration Only ---------------------------------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/modules/subdomains#best-practices) Best Practices ------------------------------------------------------------------------------------------ 1. **Use Fresh Resolvers:** Update resolvers regularly for accurate results 2. **Enable API Keys:** Configure subfinder providers for full coverage 3. **Adjust Threads:** Balance speed vs. accuracy based on target size 4. **Monitor Resources:** Bruteforce and permutations can use significant disk/memory 5. **Review Wildcards:** Check for wildcard DNS that may cause false positives 6. **Verify Takeovers:** Always manually verify takeover vulnerabilities before reporting * * * [hashtag](https://docs.reconftw.com/modules/subdomains#next-steps) Next Steps ---------------------------------------------------------------------------------- * [**Web Analysis Module**](https://docs.reconftw.com/modules/web-analysis) - Analyze discovered web assets * [**Host Module**](https://docs.reconftw.com/modules/hosts) - Port scanning and host analysis * [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understand your results [PreviousOSINT Modulechevron-left](https://docs.reconftw.com/modules/osint) [NextSubdomain Deep Divechevron-right](https://docs.reconftw.com/modules/subdomains-deep-dive) Last updated 1 month ago * [Module Overview](https://docs.reconftw.com/modules/subdomains#module-overview) * [Configuration Options](https://docs.reconftw.com/modules/subdomains#configuration-options) * [New Features (v3.x)](https://docs.reconftw.com/modules/subdomains#new-features-v3.x) * [Time Fencing (DNS\_TIME\_FENCE\_DAYS)](https://docs.reconftw.com/modules/subdomains#time-fencing-dns_time_fence_days) * [Deep Wildcard Detection (DEEP\_WILDCARD\_FILTER)](https://docs.reconftw.com/modules/subdomains#deep-wildcard-detection-deep_wildcard_filter) * [Sensitive Domain Exclusion (EXCLUDE\_SENSITIVE)](https://docs.reconftw.com/modules/subdomains#sensitive-domain-exclusion-exclude_sensitive) * [Passive Enumeration](https://docs.reconftw.com/modules/subdomains#passive-enumeration) * [sub\_passive - API-Based Discovery](https://docs.reconftw.com/modules/subdomains#sub_passive-api-based-discovery) * [sub\_crt - Certificate Transparency](https://docs.reconftw.com/modules/subdomains#sub_crt-certificate-transparency) * [sub\_analytics - Google Analytics Correlation](https://docs.reconftw.com/modules/subdomains#sub_analytics-google-analytics-correlation) * [Active Enumeration](https://docs.reconftw.com/modules/subdomains#active-enumeration) * [sub\_brute - DNS Bruteforcing](https://docs.reconftw.com/modules/subdomains#sub_brute-dns-bruteforcing) * [sub\_noerror - DNS NOERROR Analysis](https://docs.reconftw.com/modules/subdomains#sub_noerror-dns-noerror-analysis) * [sub\_scraping - Web Scraping](https://docs.reconftw.com/modules/subdomains#sub_scraping-web-scraping) * [sub\_tls - TLS Certificate Discovery](https://docs.reconftw.com/modules/subdomains#sub_tls-tls-certificate-discovery) * [Permutation Techniques](https://docs.reconftw.com/modules/subdomains#permutation-techniques) * [sub\_permut - Standard Permutations](https://docs.reconftw.com/modules/subdomains#sub_permut-standard-permutations) * [sub\_ia\_permut - AI-Powered Permutations](https://docs.reconftw.com/modules/subdomains#sub_ia_permut-ai-powered-permutations) * [sub\_regex\_permut - Regex-Based Permutations](https://docs.reconftw.com/modules/subdomains#sub_regex_permut-regex-based-permutations) * [Recursive Enumeration](https://docs.reconftw.com/modules/subdomains#recursive-enumeration) * [sub\_recursive\_passive](https://docs.reconftw.com/modules/subdomains#sub_recursive_passive) * [sub\_recursive\_brute](https://docs.reconftw.com/modules/subdomains#sub_recursive_brute) * [DNS Analysis](https://docs.reconftw.com/modules/subdomains#dns-analysis) * [sub\_dns - DNS Resolution](https://docs.reconftw.com/modules/subdomains#sub_dns-dns-resolution) * [Security Checks](https://docs.reconftw.com/modules/subdomains#security-checks) * [subtakeover - Subdomain Takeover Detection](https://docs.reconftw.com/modules/subdomains#subtakeover-subdomain-takeover-detection) * [zonetransfer - DNS Zone Transfer](https://docs.reconftw.com/modules/subdomains#zonetransfer-dns-zone-transfer) * [s3buckets - S3 Bucket Enumeration](https://docs.reconftw.com/modules/subdomains#s3buckets-s3-bucket-enumeration) * [Data Flow](https://docs.reconftw.com/modules/subdomains#data-flow) * [Output Files Summary](https://docs.reconftw.com/modules/subdomains#output-files-summary) * [Running Subdomain Enumeration Only](https://docs.reconftw.com/modules/subdomains#running-subdomain-enumeration-only) * [Best Practices](https://docs.reconftw.com/modules/subdomains#best-practices) * [Next Steps](https://docs.reconftw.com/modules/subdomains#next-steps) sun-brightdesktopmoon Copy # In reconftw.cfg # Master toggle SUBDOMAINS_GENERAL=true # Passive techniques SUBPASSIVE=true # API-based enumeration SUBCRT=true # Certificate transparency CTR_LIMIT=999999 # Max CT log results DNS_TIME_FENCE_DAYS=0 # Filter CT to last N days (0=disabled) SUBANALYTICS=true # Google Analytics # Active techniques SUBNOERROR=false # DNS NOERROR (can be slow) SUBBRUTE=true # DNS bruteforcing SUBSCRAPING=true # Web scraping SUBPERMUTE=true # Permutations SUBIAPERMUTE=true # AI permutations SUBREGEXPERMUTE=true # Regex permutations # Recursive SUB_RECURSIVE_PASSIVE=false # Uses many API queries DEEP_RECURSIVE_PASSIVE=10 # Top N for recursion SUB_RECURSIVE_BRUTE=false # Very resource intensive # Filtering DEEP_WILDCARD_FILTER=false # Multi-level wildcard detection EXCLUDE_SENSITIVE=false # Skip gov/mil/edu domains # Other SUBTAKEOVER=true # Takeover detection ZONETRANSFER=true # Zone transfer S3BUCKETS=true # S3 enumeration REVERSE_IP=false # Enable for IP targets INSCOPE=false # Scope filtering # Permutation options PERMUTATIONS_OPTION=gotator # or "ripgen" GOTATOR_FLAGS=" -depth 1 -numbers 3 -mindup -adv -md" Copy DNS_TIME_FENCE_DAYS=90 # Only certs from last 90 days Copy DEEP_WILDCARD_FILTER=true Copy EXCLUDE_SENSITIVE=true Copy Target domain → subfinder (API queries) → github-subdomains → → Deduplicate → subdomains_passive.txt Copy subdomains/subdomains_passive.txt Copy SUBPASSIVE=true SUBFINDER_ENUM_TIMEOUT=180 # Timeout in minutes Copy Target domain → crt.sh API → Parse certificates → → Extract subdomains → subdomains_crt.txt Copy subdomains/subdomains_crt.txt Copy www.example.com api.example.com mail.example.com staging.example.com *.dev.example.com # Wildcard certificates Copy SUBCRT=true CTR_LIMIT=999999 # Max results to fetch Copy Target domain → Extract GA ID from website → → Find other domains with same GA ID → Output Copy subdomains/subdomains_analytics.txt Copy SUBANALYTICS=true Copy Wordlist → Generate DNS queries → puredns (with resolvers) → → Filter wildcards → Validate responses → subdomains_brute.txt Copy subdomains/subdomains_brute.txt Copy SUBBRUTE=true subs_wordlist=${tools}/subdomains.txt subs_wordlist_big=${tools}/subdomains_n0kovo_big.txt # PureDNS settings PUREDNS_PUBLIC_LIMIT=0 # 0 = unlimited PUREDNS_TRUSTED_LIMIT=400 PUREDNS_WILDCARDTEST_LIMIT=30 Copy Known subdomains → Query non-existent record types → → NOERROR response = subdomain exists → → Bruteforce variations → New subdomains Copy subdomains/subdomains_noerror.txt Copy SUBNOERROR=false # Disabled by default (can be slow) Copy Known web servers → katana (crawl) → → Extract URLs → Parse for subdomains → Output Copy subdomains/subdomains_scraping.txt Copy SUBSCRAPING=true KATANA_THREADS=20 Copy IP addresses → Connect to TLS ports → → Extract certificate CN/SAN → Filter in-scope → Output Copy TLS_PORTS="21,22,25,80,110,443,465,587,636,993,995,8443,..." Copy subdomains/subdomains_tls.txt Copy TLSX_THREADS=1000 Copy Known subdomains → gotator/ripgen → Generate permutations → → puredns (resolve) → Filter valid → Output Copy subdomains/subdomains_permut.txt Copy SUBPERMUTE=true PERMUTATIONS_OPTION=gotator # or "ripgen" GOTATOR_FLAGS=" -depth 1 -numbers 3 -mindup -adv -md" PERMUTATIONS_LIMIT=21474836480 # Max file size (20GB) Copy Known subdomains → subwiz (AI model) → → Learn patterns → Generate smart variations → Resolve → Output Copy subdomains/subdomains_ai_permut.txt Copy SUBIAPERMUTE=true Copy Known subdomains → regulator (pattern analysis) → → Generate regex-based variations → Resolve → Output Copy subdomains/subdomains_regex_permut.txt Copy SUBREGEXPERMUTE=true Copy Top N subdomains (by depth) → Run sub_passive on each → → Combine results → More subdomains Copy example.com → api.example.com, dev.example.com api.example.com → internal.api.example.com, v2.api.example.com Copy SUB_RECURSIVE_PASSIVE=false # Disabled by default (API heavy) DEEP_RECURSIVE_PASSIVE=10 # Top N subdomains for recursion Copy Top N subdomains → Bruteforce each with wordlist → → Combine results → Even more subdomains Copy SUB_RECURSIVE_BRUTE=false # Disabled by default (very slow) Copy subdomains/subdomains.txt # Final subdomain list subdomains/subdomains_dnsrecords.txt # Full DNS records hosts/ips.txt # Resolved IP addresses Copy api.example.com [A] 192.168.1.10 api.example.com [CNAME] api.example.com.cdn.cloudflare.net mail.example.com [MX] 10 mail.example.com mail.example.com [A] 192.168.1.20 Copy RESOLVE_DOMAINS_THREADS=150 Copy Subdomains → Check CNAME targets → → Verify if target is claimable → Report vulnerable Copy webs/takeover.txt Copy [TAKEOVER] old-app.example.com → herokuapp.com (No such app) [TAKEOVER] cdn.example.com → cloudfront.net (Bad request) Copy SUBTAKEOVER=true DNSTAKE_THREADS=100 Copy subdomains/subdomains_zonetransfer.txt Copy ZONETRANSFER=true Copy subdomains/s3buckets.txt Copy [PUBLIC-READ] example-backups.s3.amazonaws.com [PUBLIC-LIST] example-assets.s3.amazonaws.com [PRIVATE] example-data.s3.amazonaws.com Copy S3BUCKETS=true CLOUDHUNTER_PERMUTATION=NORMAL # DEEP, NORMAL, or NONE Copy ┌─────────────────────────────────────────────────────────────────────┐ │ Subdomain Enumeration Flow │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌────────────┐ ┌────────────┐ ┌────────────┐ │ │ │ Passive │ │ Active │ │ Permutations│ │ │ │ sub_passive│ │ sub_brute │ │ sub_permut │ │ │ │ sub_crt │ │ sub_noerror│ │ sub_ia_perm │ │ │ │ sub_analyt │ │ sub_scrape │ │ sub_regex │ │ │ └─────┬──────┘ └─────┬──────┘ └─────┬───────┘ │ │ │ │ │ │ │ └────────────────┼────────────────┘ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ Combine All │ │ │ │ Deduplicate │ │ │ └────────┬─────────┘ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ sub_dns │ │ │ │ DNS Resolution │ │ │ └────────┬─────────┘ │ │ ▼ │ │ ┌───────────────┼───────────────┐ │ │ ▼ ▼ ▼ │ │ ┌──────────┐ ┌──────────────┐ ┌──────────┐ │ │ │subdomains│ │ DNS Records │ │ IPs │ │ │ │ .txt │ │ .txt │ │ .txt │ │ │ └──────────┘ └──────────────┘ └──────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ Copy # Quick subdomain enumeration ./reconftw.sh -d example.com -s # With deep mode ./reconftw.sh -d example.com -s --deep sun-brightdesktopmoon --- # OSINT Module | reconftw-docs The OSINT (Open Source Intelligence) module gathers publicly available information about the target without direct interaction. This passive intelligence gathering helps understand the target's digital footprint. * * * [hashtag](https://docs.reconftw.com/modules/osint#why-osint-first) Why OSINT First? ---------------------------------------------------------------------------------------- OSINT is executed before any other module for strategic reasons: 1. **Zero Target Interaction**: All queries go to third-party services (Google, GitHub, crt.sh), not the target. This means: * No logs generated on target systems * No risk of detection or blocking * No rate limiting concerns from the target 2. **Context Building**: Information gathered here informs later phases: * Email patterns → potential usernames for login bruteforce * Exposed API keys → direct access without exploitation * Related domains → expanded attack surface 3. **Quick Wins**: OSINT often reveals immediate vulnerabilities: * Leaked credentials in GitHub * Exposed admin panels via Google dorks * Misconfigured cloud storage buckets 4. **Scope Discovery**: May reveal additional targets: * Acquisitions mentioned in documents * Azure tenant domains * Related domains via registrant data * * * [hashtag](https://docs.reconftw.com/modules/osint#module-overview) Module Overview --------------------------------------------------------------------------------------- Function Purpose Tools Used `google_dorks` Find exposed files/pages via Google dorks\_hunter `github_dorks` Search GitHub for leaked secrets gitdorks\_go `github_repos` Analyze organization repositories enumerepo, gitleaks, trufflehog `metadata` Extract document metadata metagoofil, exiftool `apileaks` Detect exposed APIs porch-pirate, SwaggerSpy `emails` Harvest email addresses EmailHarvester, LeakSearch `domain_info` WHOIS and domain intelligence whois, msftrecon, scopify `third_party_misconfigs` Third-party service misconfigs misconfig-mapper `spoof` Email spoofing vulnerability spoofy `mail_hygiene` SPF/DMARC analysis dig `cloud_enum_scan` Cloud storage enumeration cloud\_enum `ip_info` IP intelligence (for IP targets) WhoisXML API * * * [hashtag](https://docs.reconftw.com/modules/osint#configuration-options) Configuration Options --------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/modules/osint#google-dorks) Google Dorks --------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does) What It Does Searches Google for sensitive files, pages, and information exposure using predefined dork queries. ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#example-dorks-searched) Example Dorks Searched * `site:example.com filetype:pdf` * `site:example.com filetype:sql` * `site:example.com inurl:admin` * `site:example.com intitle:"index of"` * `site:example.com ext:log` ### [hashtag](https://docs.reconftw.com/modules/osint#output) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration) Configuration > **Note:** Google may rate-limit or block automated queries. Results vary based on Google's indexing. * * * [hashtag](https://docs.reconftw.com/modules/osint#github-analysis) GitHub Analysis --------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#github-dorks-github_dorks) GitHub Dorks (`github_dorks`) Searches GitHub for secrets, credentials, and sensitive information related to the target. **Requires:** GitHub tokens in `$GITHUB_TOKENS` file **How It Works:** **Dork Categories:** * API keys and tokens * Passwords and credentials * Configuration files * Database connection strings * Private keys **Output:** **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#github-repos-github_repos) GitHub Repos (`github_repos`) Analyzes organization repositories for leaked secrets using multiple detection tools. **How It Works:** **Output:** **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-1) Configuration **Creating Token File:** > **Tip:** Multiple tokens help avoid rate limiting. Create tokens with `read:org` and `repo` scopes. * * * [hashtag](https://docs.reconftw.com/modules/osint#metadata-extraction) Metadata Extraction ----------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-1) What It Does Downloads indexed documents (PDF, DOCX, XLSX) and extracts metadata that may reveal: * Author names (potential usernames) * Email addresses * Software versions * Internal paths * Creation/modification dates ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-1) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-1) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-2) Configuration > **Note:** Downloading many documents can be slow. Adjust `METAFINDER_LIMIT` based on needs. * * * [hashtag](https://docs.reconftw.com/modules/osint#api-leaks) API Leaks --------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-2) What It Does Searches for exposed API documentation and collections in: * **Postman** - Public workspaces and collections * **SwaggerHub** - Public API specifications ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-2) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-2) Output **Sample Postman Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-3) Configuration * * * [hashtag](https://docs.reconftw.com/modules/osint#email-harvesting) Email Harvesting ----------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-3) What It Does Discovers email addresses associated with the target domain through: * Search engine results * Public databases * Leaked credential databases ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-3) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-3) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-4) Configuration > **⚠️ Ethics:** Handle leaked credentials responsibly. Only use for authorized testing. * * * [hashtag](https://docs.reconftw.com/modules/osint#domain-intelligence) Domain Intelligence ----------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-4) What It Does Gathers complete domain information: * WHOIS registration data * Microsoft 365/Azure tenant domains * Related domains via Scopify ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-4) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-4) Output **Sample WHOIS Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-5) Configuration * * * [hashtag](https://docs.reconftw.com/modules/osint#third-party-misconfigurations) Third-Party Misconfigurations ------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-5) What It Does Checks for misconfigurations in third-party services used by the target: * Atlassian (Jira, Confluence) * Slack * Zendesk * HubSpot * And many more... ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-5) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-5) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-6) Configuration * * * [hashtag](https://docs.reconftw.com/modules/osint#email-spoofing-check) Email Spoofing Check ------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-6) What It Does Analyzes if the domain is vulnerable to email spoofing attacks by checking: * SPF record configuration * DMARC policy strength * DKIM presence ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-6) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-6) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-7) Configuration * * * [hashtag](https://docs.reconftw.com/modules/osint#mail-hygiene) Mail Hygiene --------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-7) What It Does Performs a quick check of email security DNS records: * TXT records (SPF) * DMARC records ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-7) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-7) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-8) Configuration * * * [hashtag](https://docs.reconftw.com/modules/osint#cloud-enumeration) Cloud Enumeration ------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-8) What It Does Searches for exposed cloud storage buckets across multiple providers: * Amazon S3 * Azure Blob Storage * Google Cloud Storage * DigitalOcean Spaces ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-8) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-8) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-9) Configuration * * * [hashtag](https://docs.reconftw.com/modules/osint#ip-information) IP Information ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/osint#what-it-does-9) What It Does For IP address targets, gathers: * Reverse IP lookups (domains on same IP) * WHOIS information * Geolocation data **Requires:** `WHOISXML_API` key ### [hashtag](https://docs.reconftw.com/modules/osint#how-it-works-9) How It Works ### [hashtag](https://docs.reconftw.com/modules/osint#output-9) Output **Sample Output:** ### [hashtag](https://docs.reconftw.com/modules/osint#configuration-10) Configuration * * * [hashtag](https://docs.reconftw.com/modules/osint#running-osint-only) Running OSINT Only --------------------------------------------------------------------------------------------- This executes all enabled OSINT functions without subdomain enumeration or vulnerability scanning. * * * [hashtag](https://docs.reconftw.com/modules/osint#output-summary) Output Summary ------------------------------------------------------------------------------------- Function Output File(s) google\_dorks `osint/dorks.txt` github\_dorks `osint/gitdorks.txt` github\_repos `osint/github_company_secrets.json` metadata `osint/metadata_results.txt` apileaks `osint/postman_leaks*.txt`, `osint/swagger_leaks*.txt` emails `osint/emails.txt`, `osint/passwords.txt` domain\_info `osint/domain_info_*.txt`, `osint/scopify.txt` third\_party\_misconfigs `osint/3rdparts_misconfigurations.txt` spoof `osint/spoof.txt` mail\_hygiene `osint/mail_hygiene.txt` cloud\_enum\_scan `osint/cloud_enum.txt` ip\_info `osint/ip_*_*.txt` * * * [hashtag](https://docs.reconftw.com/modules/osint#best-practices) Best Practices ------------------------------------------------------------------------------------- 1. **Configure API Keys:** Many OSINT functions work better with API keys (GitHub, WhoisXML) 2. **Rate Limiting:** Google may block automated searches; space out scans 3. **Legal Considerations:** OSINT is generally legal but respect terms of service 4. **Credential Handling:** Handle any discovered credentials responsibly 5. **Verification:** Always verify OSINT findings with additional sources * * * [hashtag](https://docs.reconftw.com/modules/osint#next-steps) Next Steps ----------------------------------------------------------------------------- * [**Subdomain Module**](https://docs.reconftw.com/modules/subdomains) - Discover attack surface * [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understand results [PreviousModules Overviewchevron-left](https://docs.reconftw.com/modules/05-modules) [NextSubdomain Modulechevron-right](https://docs.reconftw.com/modules/subdomains) Last updated 1 month ago * [Why OSINT First?](https://docs.reconftw.com/modules/osint#why-osint-first) * [Module Overview](https://docs.reconftw.com/modules/osint#module-overview) * [Configuration Options](https://docs.reconftw.com/modules/osint#configuration-options) * [Google Dorks](https://docs.reconftw.com/modules/osint#google-dorks) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works) * [Example Dorks Searched](https://docs.reconftw.com/modules/osint#example-dorks-searched) * [Output](https://docs.reconftw.com/modules/osint#output) * [Configuration](https://docs.reconftw.com/modules/osint#configuration) * [GitHub Analysis](https://docs.reconftw.com/modules/osint#github-analysis) * [GitHub Dorks (github\_dorks)](https://docs.reconftw.com/modules/osint#github-dorks-github_dorks) * [GitHub Repos (github\_repos)](https://docs.reconftw.com/modules/osint#github-repos-github_repos) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-1) * [Metadata Extraction](https://docs.reconftw.com/modules/osint#metadata-extraction) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-1) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-1) * [Output](https://docs.reconftw.com/modules/osint#output-1) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-2) * [API Leaks](https://docs.reconftw.com/modules/osint#api-leaks) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-2) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-2) * [Output](https://docs.reconftw.com/modules/osint#output-2) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-3) * [Email Harvesting](https://docs.reconftw.com/modules/osint#email-harvesting) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-3) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-3) * [Output](https://docs.reconftw.com/modules/osint#output-3) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-4) * [Domain Intelligence](https://docs.reconftw.com/modules/osint#domain-intelligence) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-4) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-4) * [Output](https://docs.reconftw.com/modules/osint#output-4) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-5) * [Third-Party Misconfigurations](https://docs.reconftw.com/modules/osint#third-party-misconfigurations) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-5) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-5) * [Output](https://docs.reconftw.com/modules/osint#output-5) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-6) * [Email Spoofing Check](https://docs.reconftw.com/modules/osint#email-spoofing-check) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-6) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-6) * [Output](https://docs.reconftw.com/modules/osint#output-6) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-7) * [Mail Hygiene](https://docs.reconftw.com/modules/osint#mail-hygiene) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-7) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-7) * [Output](https://docs.reconftw.com/modules/osint#output-7) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-8) * [Cloud Enumeration](https://docs.reconftw.com/modules/osint#cloud-enumeration) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-8) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-8) * [Output](https://docs.reconftw.com/modules/osint#output-8) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-9) * [IP Information](https://docs.reconftw.com/modules/osint#ip-information) * [What It Does](https://docs.reconftw.com/modules/osint#what-it-does-9) * [How It Works](https://docs.reconftw.com/modules/osint#how-it-works-9) * [Output](https://docs.reconftw.com/modules/osint#output-9) * [Configuration](https://docs.reconftw.com/modules/osint#configuration-10) * [Running OSINT Only](https://docs.reconftw.com/modules/osint#running-osint-only) * [Output Summary](https://docs.reconftw.com/modules/osint#output-summary) * [Best Practices](https://docs.reconftw.com/modules/osint#best-practices) * [Next Steps](https://docs.reconftw.com/modules/osint#next-steps) sun-brightdesktopmoon Copy # In reconftw.cfg # Master toggle OSINT=true # Individual toggles GOOGLE_DORKS=true GITHUB_DORKS=true GITHUB_REPOS=true METADATA=true EMAILS=true DOMAIN_INFO=true IP_INFO=true API_LEAKS=true THIRD_PARTIES=true SPOOF=true MAIL_HYGIENE=true CLOUD_ENUM=true # Limits METAFINDER_LIMIT=20 # Max documents to fetch (max 250) Copy Target domain → dorks_hunter → Google search → Results filtered Copy osint/dorks.txt Copy [+] site:example.com filetype:pdf - https://example.com/docs/report.pdf - https://example.com/files/manual.pdf [+] site:example.com inurl:login - https://admin.example.com/login - https://portal.example.com/user/login Copy GOOGLE_DORKS=true Copy Target domain → gitdorks_go → GitHub API → Secret patterns matched Copy osint/gitdorks.txt Copy https://github.com/user/repo/blob/main/config.js - "api_key": "sk_live_xxxxx" https://github.com/org/project/blob/master/.env - DATABASE_URL=postgres://user:pass@host Copy Target domain → Extract org name → enumerepo (find repos) → Clone repos → → gitleaks (scan) → trufflehog (scan) → Combine results Copy osint/github_company_secrets.json Copy { "Description": "AWS API Key", "File": "deploy/config.yaml", "Commit": "a1b2c3d4", "Match": "AKIA...", "Repository": "https://github.com/example-org/infra" } Copy GITHUB_DORKS=true GITHUB_REPOS=true # Token file path GITHUB_TOKENS=${tools}/.github_tokens Copy # Create file with one token per line cat > ~/Tools/.github_tokens << EOF ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ghp_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy EOF # Secure permissions chmod 600 ~/Tools/.github_tokens Copy Target domain → metagoofil (download docs) → exiftool (extract metadata) → Filter results Copy osint/metadata_results.txt Copy Author : John Smith Creator : Microsoft® Word 2019 Producer : Microsoft® Word 2019 Template : C:\Users\jsmith\Templates\Report.dotx Email : [email protected] Copy METADATA=true METAFINDER_LIMIT=20 # Max documents to download (max 250) Copy Target domain → porch-pirate (Postman) → SwaggerSpy (Swagger) → → trufflehog (analyze for secrets) → Combined results Copy osint/postman_leaks.txt # Raw Postman findings osint/swagger_leaks.txt # Raw Swagger findings osint/postman_leaks_trufflehog.json # Secrets from Postman osint/swagger_leaks_trufflehog.json # Secrets from Swagger Copy [Collection] Example API v2 Environment: Production Variables: - api_key: sk_live_xxxxx - base_url: https://api.example.com [Request] POST /auth/login Body: {"username": "admin", "password": "{{password}}"} Copy API_LEAKS=true Copy Target domain → EmailHarvester (search engines) → LeakSearch (breach data) → → Deduplicate → Output Copy osint/emails.txt # Discovered email addresses osint/passwords.txt # Leaked credentials (if found) Copy # emails.txt [email protected] [email protected] [email protected] [email protected] # passwords.txt [email protected]:password123 [email protected]:admin2020 Copy EMAILS=true Copy Target domain → whois → WHOIS data → msftrecon → Azure/M365 tenants → scopify → Related domains Copy osint/domain_info_general.txt # WHOIS data osint/azure_tenant_domains.txt # Microsoft tenant domains osint/scopify.txt # Related scope domains Copy Domain Name: EXAMPLE.COM Registry Domain ID: 123456789_DOMAIN_COM-VRSN Registrar: Example Registrar, Inc. Creation Date: 1995-08-14T04:00:00Z Registrant Organization: Example Corporation Registrant Country: US Name Server: NS1.EXAMPLE.COM Copy DOMAIN_INFO=true Copy Target domain → Extract company name → misconfig-mapper → → Check all services → Report findings Copy osint/3rdparts_misconfigurations.txt Copy [+] Jira: Open project listing found URL: https://example.atlassian.net/browse [+] Slack: Workspace enumeration possible Workspace: example-company [+] Zendesk: Public support tickets accessible URL: https://example.zendesk.com/hc Copy THIRD_PARTIES=true Copy Target domain → spoofy → Analyze DNS records → → Determine spoofability → Report Copy osint/spoof.txt Copy Domain: example.com SPF Record: v=spf1 include:_spf.google.com ~all DMARC Record: v=DMARC1; p=none; rua=mailto:[email protected] Result: POTENTIALLY SPOOFABLE Reason: DMARC policy is 'none' (not enforced) Copy SPOOF=true Copy Target domain → dig TXT → SPF record → dig TXT _dmarc → DMARC record Copy osint/mail_hygiene.txt Copy Domain: example.com TXT records: "v=spf1 include:_spf.google.com include:amazonses.com ~all" DMARC record: "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]" Copy MAIL_HYGIENE=true Copy Target domain → Extract keywords → cloud_enum → → Check all providers → Report accessible buckets Copy osint/cloud_enum.txt Copy [+] S3 Bucket Found: example-backups.s3.amazonaws.com Status: Public (READ) [+] Azure Blob Found: exampledata.blob.core.windows.net Status: Public (LIST) [+] GCS Bucket Found: example-assets.storage.googleapis.com Status: Authenticated Users Copy CLOUD_ENUM=true Copy IP target → WhoisXML API → Reverse IP → WHOIS data → Geolocation Copy osint/ip__relations.txt # Domains on IP osint/ip__whois.txt # WHOIS data osint/ip__location.txt # Geolocation Copy # ip_192.168.1.1_relations.txt example.com 192.168.1.1 test.com 192.168.1.1 demo.org 192.168.1.1 # ip_192.168.1.1_location.txt 192.168.1.1 { "city": "San Francisco", "region": "California", "country": "US", "org": "Example Hosting Inc." } Copy IP_INFO=true WHOISXML_API="your_api_key" # In secrets.cfg Copy # Run only OSINT module ./reconftw.sh -d example.com -n sun-brightdesktopmoon --- # Configuration Reference | reconftw-docs > **Documentation for reconFTW** `**dev**` **branch** | Variables match `reconftw.cfg` This guide provides a complete reference for reconFTW's configuration file (`reconftw.cfg`), covering every option with detailed explanations. * * * [hashtag](https://docs.reconftw.com/configuration/configuration#configuration-files-overview) Configuration Files Overview ------------------------------------------------------------------------------------------------------------------------------- reconFTW uses several configuration files: File Purpose Git Tracked `reconftw.cfg` Main configuration ✅ Yes `secrets.cfg` API keys and tokens ❌ No (gitignored) `custom_config.cfg` User overrides (optional) ❌ No ### [hashtag](https://docs.reconftw.com/configuration/configuration#load-order) Load Order 1. `reconftw.cfg` is loaded first (defaults) 2. `secrets.cfg` is sourced if it exists (API keys) 3. Custom config via `-f` flag overrides all * * * [hashtag](https://docs.reconftw.com/configuration/configuration#general-settings) General Settings ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#tool-paths) Tool Paths ### [hashtag](https://docs.reconftw.com/configuration/configuration#shell-configuration) Shell Configuration ### [hashtag](https://docs.reconftw.com/configuration/configuration#version-information) Version Information ### [hashtag](https://docs.reconftw.com/configuration/configuration#resolver-settings) Resolver Settings **When to change:** * Set `generate_resolvers=true` for custom resolver validation (slower but more accurate) * Set `update_resolvers=false` if you maintain your own resolver list ### [hashtag](https://docs.reconftw.com/configuration/configuration#proxy-settings) Proxy Settings **Usage:** Set `PROXY=true` to route web requests through Burp Suite or similar proxy. ### [hashtag](https://docs.reconftw.com/configuration/configuration#golang-configuration) Golang Configuration ### [hashtag](https://docs.reconftw.com/configuration/configuration#update-settings) Update Settings ### [hashtag](https://docs.reconftw.com/configuration/configuration#output-settings) Output Settings ### [hashtag](https://docs.reconftw.com/configuration/configuration#disk-space-check) Disk Space Check * * * [hashtag](https://docs.reconftw.com/configuration/configuration#api-keys-and-tokens) API Keys and Tokens ------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#environment-variables-preferred) Environment Variables (Preferred) Set these in your shell or `secrets.cfg`: ### [hashtag](https://docs.reconftw.com/configuration/configuration#secrets.cfg-file) secrets.cfg File Create from the example: Edit `secrets.cfg`: ### [hashtag](https://docs.reconftw.com/configuration/configuration#token-files) Token Files **Create GitHub tokens file:** * * * [hashtag](https://docs.reconftw.com/configuration/configuration#module-toggles) Module Toggles --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#osint-module) OSINT Module ### [hashtag](https://docs.reconftw.com/configuration/configuration#subdomain-module) Subdomain Module #### [hashtag](https://docs.reconftw.com/configuration/configuration#dns_time_fence_days) DNS\_TIME\_FENCE\_DAYS Filters Certificate Transparency (crt.sh) results to certificates issued within the last N days. **Why use this:** * CT logs contain historical certificates, including expired and decommissioned domains * Old certificates often point to infrastructure that no longer exists * Setting to 90 days typically reduces noise by 20-40% while keeping relevant results #### [hashtag](https://docs.reconftw.com/configuration/configuration#deep_wildcard_filter) DEEP\_WILDCARD\_FILTER Enables iterative wildcard detection at all subdomain levels, not just the root. **How it works:** 1. Extracts unique parent domains from resolved subdomains 2. Generates random probe hostname for each parent (e.g., `a1b2c3d4.api.example.com`) 3. If random probe resolves, parent is a wildcard 4. Filters all subdomains under detected wildcard parents 5. Repeats up to 5 iterations to catch nested wildcards **Why use this:** * Enterprise targets often have deep wildcards (e.g., `*.na45.salesforce.com`) * Standard detection only checks `*.example.com` * Removes 50-80% false positives on enterprise infrastructure * Detected wildcards saved to `subdomains/wildcards_detected.txt` #### [hashtag](https://docs.reconftw.com/configuration/configuration#exclude_sensitive) EXCLUDE\_SENSITIVE Prevents scanning domains that match patterns in `config/sensitive_domains.txt`. **Excluded patterns include:** * Government: `*.gov`, `*.gob.*`, `*.gouv.*` * Military: `*.mil`, `*.defense.*` * Educational: `*.edu`, `*.ac.*` * Financial: `*.bank`, `*.banking.*` * Critical infrastructure: `*.nhs.*`, `*.hospital.*`, `*.police.*` **Why use this:** * Legal protection when scanning wildcard scopes * Prevents accidental contact with sensitive infrastructure * Patterns can be customized in `config/sensitive_domains.txt` ### [hashtag](https://docs.reconftw.com/configuration/configuration#permutation-settings) Permutation Settings ### [hashtag](https://docs.reconftw.com/configuration/configuration#tls-port-discovery) TLS Port Discovery ### [hashtag](https://docs.reconftw.com/configuration/configuration#web-detection-module) Web Detection Module ### [hashtag](https://docs.reconftw.com/configuration/configuration#host-module) Host Module ### [hashtag](https://docs.reconftw.com/configuration/configuration#web-analysis-module) Web Analysis Module ### [hashtag](https://docs.reconftw.com/configuration/configuration#vulnerability-module) Vulnerability Module ### [hashtag](https://docs.reconftw.com/configuration/configuration#nuclei-configuration) Nuclei Configuration * * * [hashtag](https://docs.reconftw.com/configuration/configuration#threading-and-rate-limits) Threading and Rate Limits ------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#thread-configuration) Thread Configuration ### [hashtag](https://docs.reconftw.com/configuration/configuration#rate-limits) Rate Limits ### [hashtag](https://docs.reconftw.com/configuration/configuration#puredns-limits) PureDNS Limits ### [hashtag](https://docs.reconftw.com/configuration/configuration#adaptive-rate-limiting) Adaptive Rate Limiting * * * [hashtag](https://docs.reconftw.com/configuration/configuration#timeouts) Timeouts --------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/configuration/configuration#wordlists) Wordlists ----------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#cloud-hunter-settings) Cloud Hunter Settings * * * [hashtag](https://docs.reconftw.com/configuration/configuration#deep-mode-settings) DEEP Mode Settings ----------------------------------------------------------------------------------------------------------- **Behavior:** * If subdomain count < DEEP\_LIMIT, additional techniques run * If < DEEP\_LIMIT2, even more intensive techniques run * * * [hashtag](https://docs.reconftw.com/configuration/configuration#axiom-settings) Axiom Settings --------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/configuration/configuration#faraday-settings) Faraday Settings ------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/configuration/configuration#ai-settings) AI Settings --------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/configuration/configuration#extra-features) Extra Features --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#notification-settings) Notification Settings ### [hashtag](https://docs.reconftw.com/configuration/configuration#diff-incremental-mode) Diff/Incremental Mode ### [hashtag](https://docs.reconftw.com/configuration/configuration#cleanup-settings) Cleanup Settings ### [hashtag](https://docs.reconftw.com/configuration/configuration#cache-settings) Cache Settings ### [hashtag](https://docs.reconftw.com/configuration/configuration#log-rotation) Log Rotation ### [hashtag](https://docs.reconftw.com/configuration/configuration#structured-logging) Structured Logging ### [hashtag](https://docs.reconftw.com/configuration/configuration#asset-tracking) Asset Tracking ### [hashtag](https://docs.reconftw.com/configuration/configuration#ipv6) IPv6 ### [hashtag](https://docs.reconftw.com/configuration/configuration#intrusive-mode) Intrusive Mode * * * [hashtag](https://docs.reconftw.com/configuration/configuration#http-options) HTTP Options ----------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#tool-flags) Tool Flags * * * [hashtag](https://docs.reconftw.com/configuration/configuration#color-configuration) Color Configuration ------------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/configuration/configuration#debug-settings) Debug Settings --------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/configuration/configuration#configuration-examples) Configuration Examples ------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration/configuration#stealth-configuration) Stealth Configuration ### [hashtag](https://docs.reconftw.com/configuration/configuration#aggressive-configuration) Aggressive Configuration ### [hashtag](https://docs.reconftw.com/configuration/configuration#bug-bounty-configuration) Bug Bounty Configuration * * * [hashtag](https://docs.reconftw.com/configuration/configuration#using-custom-config-files) Using Custom Config Files ------------------------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/configuration/configuration#environment-variable-priority) Environment Variable Priority --------------------------------------------------------------------------------------------------------------------------------- Environment variables override config file settings: * * * [hashtag](https://docs.reconftw.com/configuration/configuration#next-steps) Next Steps ------------------------------------------------------------------------------------------- * [**Module Documentation**](https://docs.reconftw.com/modules/05-modules) - Understand each module in detail * [**Tools Reference**](https://docs.reconftw.com/tools-reference/tools) - Learn about integrated tools * [**Advanced Usage**](https://docs.reconftw.com/advanced/advanced) - Custom functions and optimization * * * > **Documentation Info** Branch: `dev` | Version: `v3.0.0+` | Last updated: February 2026 Variables documented match `reconftw.cfg` in the repository root. [PreviousCommand Line Guidechevron-left](https://docs.reconftw.com/usage/usage) [NextModules Overviewchevron-right](https://docs.reconftw.com/modules/05-modules) Last updated 1 month ago * [Configuration Files Overview](https://docs.reconftw.com/configuration/configuration#configuration-files-overview) * [Load Order](https://docs.reconftw.com/configuration/configuration#load-order) * [General Settings](https://docs.reconftw.com/configuration/configuration#general-settings) * [Tool Paths](https://docs.reconftw.com/configuration/configuration#tool-paths) * [Shell Configuration](https://docs.reconftw.com/configuration/configuration#shell-configuration) * [Version Information](https://docs.reconftw.com/configuration/configuration#version-information) * [Resolver Settings](https://docs.reconftw.com/configuration/configuration#resolver-settings) * [Proxy Settings](https://docs.reconftw.com/configuration/configuration#proxy-settings) * [Golang Configuration](https://docs.reconftw.com/configuration/configuration#golang-configuration) * [Update Settings](https://docs.reconftw.com/configuration/configuration#update-settings) * [Output Settings](https://docs.reconftw.com/configuration/configuration#output-settings) * [Disk Space Check](https://docs.reconftw.com/configuration/configuration#disk-space-check) * [API Keys and Tokens](https://docs.reconftw.com/configuration/configuration#api-keys-and-tokens) * [Environment Variables (Preferred)](https://docs.reconftw.com/configuration/configuration#environment-variables-preferred) * [secrets.cfg File](https://docs.reconftw.com/configuration/configuration#secrets.cfg-file) * [Token Files](https://docs.reconftw.com/configuration/configuration#token-files) * [Module Toggles](https://docs.reconftw.com/configuration/configuration#module-toggles) * [OSINT Module](https://docs.reconftw.com/configuration/configuration#osint-module) * [Subdomain Module](https://docs.reconftw.com/configuration/configuration#subdomain-module) * [Permutation Settings](https://docs.reconftw.com/configuration/configuration#permutation-settings) * [TLS Port Discovery](https://docs.reconftw.com/configuration/configuration#tls-port-discovery) * [Web Detection Module](https://docs.reconftw.com/configuration/configuration#web-detection-module) * [Host Module](https://docs.reconftw.com/configuration/configuration#host-module) * [Web Analysis Module](https://docs.reconftw.com/configuration/configuration#web-analysis-module) * [Vulnerability Module](https://docs.reconftw.com/configuration/configuration#vulnerability-module) * [Nuclei Configuration](https://docs.reconftw.com/configuration/configuration#nuclei-configuration) * [Threading and Rate Limits](https://docs.reconftw.com/configuration/configuration#threading-and-rate-limits) * [Thread Configuration](https://docs.reconftw.com/configuration/configuration#thread-configuration) * [Rate Limits](https://docs.reconftw.com/configuration/configuration#rate-limits) * [PureDNS Limits](https://docs.reconftw.com/configuration/configuration#puredns-limits) * [Adaptive Rate Limiting](https://docs.reconftw.com/configuration/configuration#adaptive-rate-limiting) * [Timeouts](https://docs.reconftw.com/configuration/configuration#timeouts) * [Wordlists](https://docs.reconftw.com/configuration/configuration#wordlists) * [Cloud Hunter Settings](https://docs.reconftw.com/configuration/configuration#cloud-hunter-settings) * [DEEP Mode Settings](https://docs.reconftw.com/configuration/configuration#deep-mode-settings) * [Axiom Settings](https://docs.reconftw.com/configuration/configuration#axiom-settings) * [Faraday Settings](https://docs.reconftw.com/configuration/configuration#faraday-settings) * [AI Settings](https://docs.reconftw.com/configuration/configuration#ai-settings) * [Extra Features](https://docs.reconftw.com/configuration/configuration#extra-features) * [Notification Settings](https://docs.reconftw.com/configuration/configuration#notification-settings) * [Diff/Incremental Mode](https://docs.reconftw.com/configuration/configuration#diff-incremental-mode) * [Cleanup Settings](https://docs.reconftw.com/configuration/configuration#cleanup-settings) * [Cache Settings](https://docs.reconftw.com/configuration/configuration#cache-settings) * [Log Rotation](https://docs.reconftw.com/configuration/configuration#log-rotation) * [Structured Logging](https://docs.reconftw.com/configuration/configuration#structured-logging) * [Asset Tracking](https://docs.reconftw.com/configuration/configuration#asset-tracking) * [IPv6](https://docs.reconftw.com/configuration/configuration#ipv6) * [Intrusive Mode](https://docs.reconftw.com/configuration/configuration#intrusive-mode) * [HTTP Options](https://docs.reconftw.com/configuration/configuration#http-options) * [Tool Flags](https://docs.reconftw.com/configuration/configuration#tool-flags) * [Color Configuration](https://docs.reconftw.com/configuration/configuration#color-configuration) * [Debug Settings](https://docs.reconftw.com/configuration/configuration#debug-settings) * [Configuration Examples](https://docs.reconftw.com/configuration/configuration#configuration-examples) * [Stealth Configuration](https://docs.reconftw.com/configuration/configuration#stealth-configuration) * [Aggressive Configuration](https://docs.reconftw.com/configuration/configuration#aggressive-configuration) * [Bug Bounty Configuration](https://docs.reconftw.com/configuration/configuration#bug-bounty-configuration) * [Using Custom Config Files](https://docs.reconftw.com/configuration/configuration#using-custom-config-files) * [Environment Variable Priority](https://docs.reconftw.com/configuration/configuration#environment-variable-priority) * [Next Steps](https://docs.reconftw.com/configuration/configuration#next-steps) sun-brightdesktopmoon Copy # Path where tools are installed tools=$HOME/Tools # Auto-detected script path (don't change) SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" Copy # Detected shell profile (.bashrc, .zshrc, etc.) profile_shell=".$(basename "${SHELL:-/bin/bash}")rc" Copy # Auto-detected from git reconftw_version="$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags)" Copy # Generate custom resolvers with dnsvalidator generate_resolvers=false # Fetch resolvers from trickest before scanning update_resolvers=true # Resolver URLs resolvers_url="https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt" resolvers_trusted_url="https://gist.githubusercontent.com/six2dez/.../trusted_resolvers.txt" Copy # HTTP proxy for tools that support it proxy_url="http://127.0.0.1:8080/" # Enable proxy usage PROXY=false Copy install_golang=true # Install Go if not found export GOROOT="/usr/local/go" # Go installation path export GOPATH="$HOME/go" # Go workspace Copy upgrade_tools=true # Allow tool updates upgrade_before_running=false # Update tools before each scan Copy # Custom output directory (uncomment to enable) #dir_output=/custom/output/path # Log executed commands (verbose, may contain sensitive data) SHOW_COMMANDS=false Copy # Minimum required disk space in GB (0 to disable) MIN_DISK_SPACE_GB=0 Copy # Shodan API for passive port scanning SHODAN_API_KEY="your_shodan_api_key" # WhoisXML API for domain lookups WHOISXML_API="your_whoisxml_api_key" # Blind XSS callback server XSS_SERVER="https://your.xss.hunter" # SSRF/OOB callback server COLLAB_SERVER="https://your.interact.sh" # Slack notifications slack_channel="C0XXXXXXXXX" slack_auth="xoxb-xxxxx-xxxxx-xxxxx" Copy cp secrets.cfg.example secrets.cfg chmod 600 secrets.cfg # Restrict permissions Copy # API Keys SHODAN_API_KEY="abc123..." WHOISXML_API="xyz789..." # Callback servers XSS_SERVER="https://xss.example.com" COLLAB_SERVER="https://interact.example.com" # Notifications slack_channel="C0XXXXXXXXX" slack_auth="xoxb-..." Copy # GitHub tokens (one per line for rate limit distribution) GITHUB_TOKENS=${tools}/.github_tokens # GitLab tokens GITLAB_TOKENS=${tools}/.gitlab_tokens Copy cat > $HOME/Tools/.github_tokens << EOF ghp_token1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx ghp_token2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx ghp_token3xxxxxxxxxxxxxxxxxxxxxxxxxxxxx EOF chmod 600 $HOME/Tools/.github_tokens Copy OSINT=true # Master toggle for OSINT module GOOGLE_DORKS=true # Google dorking GITHUB_DORKS=true # GitHub secret searching GITHUB_REPOS=true # GitHub repository analysis METADATA=true # Document metadata extraction EMAILS=true # Email harvesting DOMAIN_INFO=true # WHOIS lookups IP_INFO=true # IP reverse lookup and geolocation API_LEAKS=true # Postman/Swagger leak detection THIRD_PARTIES=true # Third-party misconfiguration checks SPOOF=true # Domain spoofing checks MAIL_HYGIENE=true # SPF/DMARC analysis CLOUD_ENUM=true # Cloud storage enumeration METAFINDER_LIMIT=20 # Max documents to analyze (max 250) Copy SUBDOMAINS_GENERAL=true # Master toggle for subdomain module SUBPASSIVE=true # Passive enumeration (APIs, CT logs) SUBCRT=true # Certificate transparency search CTR_LIMIT=999999 # Max CT results DNS_TIME_FENCE_DAYS=0 # Filter CT results to last N days (0=disabled) DEEP_WILDCARD_FILTER=false # Multi-level wildcard detection EXCLUDE_SENSITIVE=false # Skip gov/mil/edu domains SUBNOERROR=false # DNS NOERROR response checking SUBANALYTICS=true # Google Analytics correlation SUBBRUTE=true # DNS bruteforcing SUBSCRAPING=true # Web scraping for subdomains SUBPERMUTE=true # DNS permutations SUBIAPERMUTE=true # AI-powered permutations SUBREGEXPERMUTE=true # Regex-based permutations SUBTAKEOVER=true # Subdomain takeover checks SUB_RECURSIVE_PASSIVE=false # Recursive passive (uses many API queries) DEEP_RECURSIVE_PASSIVE=10 # Top N subdomains for recursion SUB_RECURSIVE_BRUTE=false # Recursive bruteforce (disk/time intensive) ZONETRANSFER=true # DNS zone transfer checks S3BUCKETS=true # S3 bucket misconfiguration checks REVERSE_IP=false # Reverse IP lookups (enable for IP/CIDR targets) INSCOPE=false # Apply inscope filtering Copy DNS_TIME_FENCE_DAYS=90 # Only certificates from last 90 days DNS_TIME_FENCE_DAYS=0 # Disabled (default) - return all results Copy DEEP_WILDCARD_FILTER=true # Enable multi-level wildcard detection DEEP_WILDCARD_FILTER=false # Standard wildcard detection only (default) Copy EXCLUDE_SENSITIVE=true # Skip sensitive domains EXCLUDE_SENSITIVE=false # Scan all domains (default) Copy # Permutation tool: "gotator" (deeper) or "ripgen" (faster) PERMUTATIONS_OPTION=gotator # Gotator flags GOTATOR_FLAGS=" -depth 1 -numbers 3 -mindup -adv -md" Copy # Ports to check for TLS certificates TLS_PORTS="21,22,25,80,110,135,143,261,443,465,563,587,636,853,990,993,995,..." Copy WEBPROBESIMPLE=true # Probe ports 80/443 WEBPROBEFULL=true # Probe uncommon web ports WEBSCREENSHOT=true # Capture screenshots VIRTUALHOSTS=false # Virtual host fuzzing (slower) # Uncommon web ports to probe UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,..." Copy FAVICON=true # Favicon-based IP discovery PORTSCANNER=true # Port scanning module GEO_INFO=true # IP geolocation PORTSCAN_PASSIVE=true # Shodan passive port scan PORTSCAN_ACTIVE=true # Nmap active port scan CDN_IP=true # CDN detection # Nmap options PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners" Copy WAF_DETECTION=true # WAF detection NUCLEICHECK=true # Nuclei vulnerability scanning URL_CHECK=true # URL collection URL_CHECK_PASSIVE=true # Passive URL collection (archives) URL_CHECK_ACTIVE=true # Active URL crawling URL_GF=true # URL pattern matching URL_EXT=true # File extension sorting JSCHECKS=true # JavaScript analysis FUZZ=true # Directory fuzzing IIS_SHORTNAME=true # IIS shortname scanning CMS_SCANNER=true # CMS detection WORDLIST=true # Custom wordlist generation ROBOTSWORDLIST=true # Robots.txt historical analysis PASSWORD_DICT=true # Password dictionary generation PASSWORD_MIN_LENGTH=5 # Min password length PASSWORD_MAX_LENGTH=14 # Max password length GRAPHQL_CHECK=true # GraphQL endpoint detection GQLSPECTION=false # Deep GraphQL introspection PARAM_DISCOVERY=true # Parameter discovery with Arjun GRPC_SCAN=false # gRPC reflection probing Copy VULNS_GENERAL=false # Master toggle for vuln scanning XSS=true # XSS testing CORS=true # CORS misconfiguration TEST_SSL=true # SSL/TLS analysis OPEN_REDIRECT=true # Open redirect detection SSRF_CHECKS=true # SSRF testing CRLF_CHECKS=true # CRLF injection LFI=true # Local file inclusion SSTI=true # Server-side template injection SQLI=true # SQL injection SQLMAP=true # SQLMap testing GHAURI=false # Ghauri SQLi testing BROKENLINKS=true # Broken link detection SPRAY=true # Password spraying COMM_INJ=true # Command injection PROTO_POLLUTION=true # Prototype pollution SMUGGLING=true # HTTP request smuggling WEBCACHE=true # Web cache issues BYPASSER4XX=true # 4XX bypass attempts FUZZPARAMS=true # Parameter fuzzing Copy # Nuclei templates path NUCLEI_TEMPLATES_PATH="$HOME/nuclei-templates" # Severity levels to run NUCLEI_SEVERITY="info,low,medium,high,critical" # Extra arguments (exclusions, etc.) NUCLEI_EXTRA_ARGS="" # Example with exclusions: # NUCLEI_EXTRA_ARGS="-etags openssh,ssl -eid node-express-dev-env" # Standard flags NUCLEI_FLAGS="-silent -retries 2" # JS secret scanning flags NUCLEI_FLAGS_JS="-silent -tags exposure,token -severity info,low,medium,high,critical" Copy FFUF_THREADS=40 # Directory fuzzing HTTPX_THREADS=50 # HTTP probing HTTPX_UNCOMMONPORTS_THREADS=100 # Uncommon port probing KATANA_THREADS=20 # Web crawling BRUTESPRAY_THREADS=20 # Password spraying BRUTESPRAY_CONCURRENCE=10 # Concurrent targets DNSTAKE_THREADS=100 # DNS takeover checks DALFOX_THREADS=200 # XSS testing TLSX_THREADS=1000 # TLS certificate scanning INTERLACE_THREADS=10 # Parallel tool execution RESOLVE_DOMAINS_THREADS=150 # DNS resolution DNSVALIDATOR_THREADS=200 # Resolver validation XNLINKFINDER_DEPTH=3 # Link finder depth ARJUN_THREADS=10 # Parameter discovery Copy HTTPX_RATELIMIT=150 # HTTP requests/second NUCLEI_RATELIMIT=150 # Nuclei requests/second FFUF_RATELIMIT=0 # Fuzzing requests/second (0=unlimited) Copy PUREDNS_PUBLIC_LIMIT=0 # Public resolver limit (0=unlimited) PUREDNS_TRUSTED_LIMIT=400 # Trusted resolver limit PUREDNS_WILDCARDTEST_LIMIT=30 # Wildcard detection limit PUREDNS_WILDCARDBATCH_LIMIT=1500000 # Wildcard batch size Copy ADAPTIVE_RATE_LIMIT=false # Auto-adjust on errors MIN_RATE_LIMIT=10 # Minimum rate limit MAX_RATE_LIMIT=500 # Maximum rate limit RATE_LIMIT_BACKOFF_FACTOR=0.5 # Reduce by 50% on error RATE_LIMIT_INCREASE_FACTOR=1.2 # Increase by 20% on success Copy SUBFINDER_ENUM_TIMEOUT=180 # Subfinder timeout (minutes) CMSSCAN_TIMEOUT=3600 # CMS scan timeout (seconds) FFUF_MAXTIME=900 # Fuzzing timeout (seconds) HTTPX_TIMEOUT=10 # HTTP request timeout (seconds) HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Uncommon port timeout (seconds) PERMUTATIONS_LIMIT=21474836480 # Max permutation file size (bytes, 20GB) Copy # Fuzzing wordlist fuzz_wordlist=${tools}/fuzz_wordlist.txt # LFI payloads lfi_wordlist=${tools}/lfi_wordlist.txt # SSTI payloads ssti_wordlist=${tools}/ssti_wordlist.txt # Subdomain wordlists subs_wordlist=${tools}/subdomains.txt subs_wordlist_big=${tools}/subdomains_n0kovo_big.txt # Resolver lists resolvers=${tools}/resolvers.txt resolvers_trusted=${tools}/resolvers_trusted.txt Copy # Cloud permutation depth: DEEP, NORMAL, or NONE CLOUDHUNTER_PERMUTATION=NORMAL Copy DEEP=false # Deep scanning mode DEEP_LIMIT=500 # First auto-deep threshold DEEP_LIMIT2=1500 # Second auto-deep threshold Copy # Axiom fleet configuration AXIOM_FLEET_LAUNCH=true # Auto-launch fleet AXIOM_FLEET_NAME="reconFTW" # Fleet name prefix AXIOM_FLEET_COUNT=10 # Number of instances AXIOM_FLEET_REGIONS="eu-central" # Cloud regions AXIOM_FLEET_SHUTDOWN=true # Auto-shutdown after scan # Resolver paths on Axiom instances AXIOM_RESOLVERS_PATH="/home/op/lists/resolvers.txt" AXIOM_RESOLVERS_TRUSTED_PATH="/home/op/lists/resolvers_trusted.txt" # Post-start script (optional) #AXIOM_POST_START="~/Tools/axiom_config.sh" # Extra arguments AXIOM_EXTRA_ARGS="" Copy FARADAY=false # Enable Faraday integration FARADAY_SERVER="http://localhost:5985" FARADAY_USER="faraday" FARADAY_PASS="FARADAY_PASSWORD" FARADAY_WORKSPACE="reconftw" Copy AI_MODEL="llama3:8b" # AI model to use AI_REPORT_TYPE="md" # Report format (md, txt) AI_REPORT_PROFILE="bughunter" # Profile: executive, brief, bughunter Copy NOTIFICATION=false # Notifications for every function SOFT_NOTIFICATION=false # Only start/end notifications SENDZIPNOTIFY=false # Send zipped results via notify Copy DIFF=false # Differential scanning INCREMENTAL_MODE=false # Incremental scanning Copy REMOVETMP=false # Delete .tmp after scan REMOVELOG=false # Delete logs after scan PRESERVE=true # Keep .called_fn markers Copy CACHE_MAX_AGE_DAYS=30 # Cache validity (days) Copy MAX_LOG_FILES=10 # Max log files per target MAX_LOG_AGE_DAYS=30 # Delete logs older than this Copy STRUCTURED_LOGGING=false # JSON format logging Copy ASSET_STORE=true # Append to assets.jsonl QUICK_RESCAN=false # Skip heavy steps if no new assets CHUNK_LIMIT=2000 # Split large lists HOTLIST_TOP=50 # Top risky assets to highlight Copy IPV6_SCAN=true # Enable IPv6 discovery Copy INTRUSIVE=false # Dangerous cloud/CORS tests Copy # Default User-Agent header HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" Copy # FFUF default flags FFUF_FLAGS=" -mc all -fc 404 -sf -noninteractive -of json" # HTTPX probing flags HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length" Copy # Terminal colors (ANSI codes) bred='\033[1;31m' # Bold red\ bblue='\033[1;34m' # Bold blue\ bgreen='\033[1;32m' # Bold green\ byellow='\033[1;33m' # Bold yellow\ red='\033[0;31m' # Red\ blue='\033[0;34m' # Blue\ green='\033[0;32m' # Green\ yellow='\033[0;33m' # Yellow\ reset='\033[0m' # Reset\ \ Copy\ \ DEBUG_STD="&>/dev/null" # Skip stdout in installer\ DEBUG_ERROR="2>/dev/null" # Skip stderr in installer\ \ Copy\ \ # Minimal noise configuration\ SUBBRUTE=false\ SUBPERMUTE=false\ PORTSCAN_ACTIVE=false\ FUZZ=false\ VULNS_GENERAL=false\ HTTPX_RATELIMIT=10\ NUCLEI_RATELIMIT=10\ \ Copy\ \ # Maximum coverage\ DEEP=true\ SUBBRUTE=true\ SUBPERMUTE=true\ SUB_RECURSIVE_BRUTE=true\ VULNS_GENERAL=true\ FUZZ=true\ HTTPX_THREADS=100\ NUCLEI_RATELIMIT=500\ \ Copy\ \ # Balanced for bug bounty\ OSINT=true\ SUBDOMAINS_GENERAL=true\ VULNS_GENERAL=false # Enable with -a flag\ NOTIFICATION=true\ DIFF=true\ \ Copy\ \ # Create custom config\ cp reconftw.cfg client_config.cfg\ \ # Edit for specific client\ vim client_config.cfg\ \ # Use custom config\ ./reconftw.sh -d target.com -r -f client_config.cfg\ \ Copy\ \ # Override via environment\ export SHODAN_API_KEY="my_key"\ export NUCLEI_RATELIMIT=50\ \ # Run scan (uses environment values)\ ./reconftw.sh -d target.com -r\ \ sun-brightdesktopmoon --- # Concepts & Architecture | reconftw-docs This guide explains the fundamental concepts behind reconFTW, its architecture, and how it orchestrates reconnaissance workflows. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#what-is-reconftw) What is reconFTW? ------------------------------------------------------------------------------------------------------------ reconFTW is a **modular reconnaissance automation framework** that integrates 80+ security tools into a unified workflow. Rather than running tools individually and correlating results manually, reconFTW: 1. **Orchestrates** tools in the optimal order 2. **Manages** input/output between tools automatically 3. **Deduplicates** and normalizes results 4. **Resumes** interrupted scans from checkpoints 5. **Scales** across distributed infrastructure (via Axiom) ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#philosophy) Philosophy reconFTW follows these design principles: * **Thorough over fast**: Cover all attack surface, don't miss findings * **Modular**: Enable/disable any component without breaking others * **Resumable**: Never lose progress on long-running scans * **Configurable**: Every behavior can be customized * **Fail-soft**: Continue scanning even if individual tools fail * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#reconnaissance-methodology) Reconnaissance Methodology ------------------------------------------------------------------------------------------------------------------------------- reconFTW implements a structured reconnaissance methodology following industry best practices: ![](https://docs.reconftw.com/~gitbook/image?url=https%3A%2F%2F4002482909-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FaI11LZxKJyqTqfArwVL8%252Fuploads%252Fz7A7EQidt85jfVTFWSXF%252Freconfw_updated.png%3Falt%3Dmedia%26token%3D05618398-3bac-4e34-85ff-e2e3fd2d20e1&width=768&dpr=3&quality=100&sign=a47c480b&sv=2) ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#phase-1-osint-open-source-intelligence) Phase 1: OSINT (Open Source Intelligence) Gather publicly available information about the target: Technique Purpose Tools Google Dorks Find exposed files/pages dorks\_hunter GitHub Dorks Find leaked credentials gitdorks\_go Metadata Extract document metadata metagoofil, exiftool Email Harvesting Discover email addresses emailfinder API Leaks Find exposed APIs porch-pirate, SwaggerSpy Domain Info WHOIS, registrant data whois, msftrecon ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#phase-2-subdomain-enumeration) Phase 2: Subdomain Enumeration Discover all subdomains associated with the target: Technique Type Description Passive Non-intrusive Query APIs, CT logs, archives Active/Bruteforce Intrusive DNS queries with wordlists Permutations Intrusive Generate variations Recursive Both Enumerate subdomains of subdomains Scraping Semi-passive Extract from web pages ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#phase-3-web-analysis) Phase 3: Web Analysis Analyze discovered web assets: * HTTP probing (find live servers) * Screenshot capture * URL extraction (passive + crawling) * JavaScript analysis (secrets, endpoints) * Directory fuzzing * CMS detection * Parameter discovery ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#phase-4-vulnerability-scanning) Phase 4: Vulnerability Scanning Test for security issues: * CVE scanning with Nuclei * Injection testing (XSS, SQLi, SSTI, LFI) * Server-side vulnerabilities (SSRF, command injection) * Misconfigurations (CORS, open redirect) * SSL/TLS issues * Subdomain takeovers * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#architecture-overview) Architecture Overview --------------------------------------------------------------------------------------------------------------------- reconFTW uses a modular architecture where components are separated by responsibility: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#module-loading-order) Module Loading Order Modules are loaded in a specific order to ensure dependencies are satisfied: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#key-functions) Key Functions #### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#lifecycle-functions-core.sh) Lifecycle Functions (core.sh) Every scan function follows this pattern: #### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#utility-functions-utils.sh) Utility Functions (utils.sh) Function Purpose `sanitize_domain()` Clean and validate domain input `sanitize_ip()` Clean and validate IP/CIDR input `deleteOutScoped()` Remove out-of-scope entries `run_command()` Execute with logging (respects DRY\_RUN) `should_run_deep()` Check if DEEP mode should activate `retry_with_backoff()` Retry failed operations `check_disk_space()` Verify available storage #### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#common-library-functions-lib-common.sh) Common Library Functions (lib/common.sh) Function Purpose `ensure_dirs()` Create multiple directories safely `safe_backup()` Backup file with timestamp `skip_notification()` Log skipped function notification `count_lines()` Count lines in file safely `safe_count()` Count with fallback to 0 `dedupe_append()` Append and deduplicate file `run_tool()` Execute tool with timeout and error handling `process_results()` Process and dedupe results `should_run_function()` Check if function should run (checkpoint aware) #### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#parallelization-functions-lib-parallel.sh) Parallelization Functions (lib/parallel.sh) Function Purpose `parallel_run()` Run commands in parallel with job limit `parallel_funcs()` Run bash functions in parallel `parallel_batch()` Run commands with rate limiting `parallel_passive_enum()` Parallel passive subdomain enumeration `parallel_active_enum()` Parallel active DNS enumeration `parallel_postactive_enum()` Parallel post-resolution (TLS, analytics) `parallel_brute_enum()` Parallel brute force (resource limited) `parallel_web_vulns()` Parallel web vulnerability scanning `parallel_subdomains_full()` Orchestrate full parallelized subdomain enum * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#data-flow) Data Flow --------------------------------------------------------------------------------------------- Understanding how data flows through reconFTW helps interpret results: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#data-dependencies) Data Dependencies Module Depends On Produces OSINT Target domain osint/\*.txt Subdomains Target domain subdomains/subdomains.txt Hosts subdomains.txt hosts/ips.txt, hosts/portscan\* Web Probing subdomains.txt webs/webs.txt URL Collection webs.txt webs/url\_extract.txt JS Analysis webs.txt js/js\_secrets.txt Vulns webs.txt, urls vulns/_, nuclei\_output/_ * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#scan-phases) Scan Phases ------------------------------------------------------------------------------------------------- When you run `./reconftw.sh -d target.com -r`, the following phases execute: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#id-1.-initialization-start) 1\. Initialization (`start()`) ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#id-2.-osint-phase) 2\. OSINT Phase ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#id-3.-subdomain-phase) 3\. Subdomain Phase ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#id-4.-host-analysis) 4\. Host Analysis ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#id-5.-web-analysis) 5\. Web Analysis ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#id-6.-vulnerability-phase-if-a-flag) 6\. Vulnerability Phase (if `-a` flag) ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#id-7.-finalization-end) 7\. Finalization (`end()`) * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#checkpoint-system) Checkpoint System ------------------------------------------------------------------------------------------------------------- reconFTW uses a checkpoint system to track completed functions and enable scan resumption. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#how-it-works) How It Works Each function creates a marker file when completed: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#resume-behavior) Resume Behavior When you re-run a scan: 1. reconFTW checks for existing `.called_fn` markers 2. Functions with markers are **skipped** 3. Functions without markers are **executed** ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#force-re-execution) Force Re-execution To re-run a specific function: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#diff-mode) DIFF Mode The `-r` flag with `DIFF=true` in config enables differential scanning: In DIFF mode: * All functions execute regardless of markers * Only **new** findings are highlighted * Previous results are preserved * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#understanding-deep-mode) Understanding DEEP Mode ------------------------------------------------------------------------------------------------------------------------- DEEP mode enables thorough scanning for high-value targets: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#standard-vs-deep) Standard vs DEEP Aspect Standard DEEP Wordlists Small (~10k) Large (~100k+) Permutations Basic Extensive Recursive depth Limited Full Fuzzing Common paths Extended Time 1-4 hours 4-24+ hours ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#activation) Activation ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#auto-deep) Auto-DEEP reconFTW can auto-enable DEEP based on result counts: If subdomains < DEEP\_LIMIT, additional enumeration runs automatically. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#error-handling) Error Handling ------------------------------------------------------------------------------------------------------- reconFTW uses a "fail-soft" approach: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#error-codes) Error Codes Code Meaning 0 Success 1 General error 2 Missing dependency 3 Invalid input 4 Network error 5 Disk space error 6 Permission error 7 Timeout 8 Configuration error ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#error-trapping) Error Trapping Errors are logged but don't stop the scan: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#circuit-breaker) Circuit Breaker For unreliable tools, reconFTW implements a circuit breaker: * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#global-variables) Global Variables ----------------------------------------------------------------------------------------------------------- Key variables used throughout reconFTW: ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#required-variables) Required Variables Variable Description `$SCRIPTPATH` Path to reconFTW installation `$domain` Current target domain `$dir` Output directory for current scan `$called_fn_dir` Directory for checkpoint markers `$LOGFILE` Current log file path ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#configuration-flags) Configuration Flags Variable Default Description `$DEEP` false Enable thorough scanning `$DIFF` false Differential mode `$AXIOM` false Distributed scanning `$DRY_RUN` false Preview without executing * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#visual-architecture-diagram) Visual: Architecture Diagram ---------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#module-interaction-flow) Module Interaction Flow * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#opsec-and-legal) OPSEC and Legal --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#authorization-requirements) Authorization Requirements **NEVER scan without explicit written authorization.** This includes: 1. **Bug Bounty Programs**: Read rules carefully, some exclude certain asset types 2. **Penetration Tests**: Written statement of work (SOW) with defined scope 3. **Internal Testing**: Formal approval from asset owners 4. **Personal Projects**: Only test assets you own ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#pre-scan-checklist) Pre-Scan Checklist ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#opsec-best-practices) OPSEC Best Practices Consideration Recommendation **IP Attribution** Use VPS or cloud instances, not personal IP **Rate Limiting** Start conservative, increase gradually **Noise Reduction** Begin with passive mode (`-p`) **Data Security** Encrypt sensitive findings, secure `secrets.cfg` **Logging** Keep records of authorization and scan times **Communication** Notify target of critical findings immediately ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#reducing-detection-risk) Reducing Detection Risk ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#legal-risks-by-region) Legal Risks by Region Region Key Laws Notes **USA** CFAA Unauthorized access is federal crime **EU** Computer Misuse Acts (varies) Strict consent requirements **UK** Computer Misuse Act 1990 Even attempting unauthorized access is illegal **Global** Various Always research local laws ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#what-to-do-if-something-goes-wrong) What to Do If Something Goes Wrong 1. **Stop scanning immediately** 2. **Document what happened** (timestamps, commands run) 3. **Contact the target** via emergency channels 4. **Preserve evidence** of authorization 5. **Consult legal counsel** if needed * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#recommended-workflows) Recommended Workflows --------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#bug-bounty-standard-recon) Bug Bounty - Standard Recon Best for: Regular bug bounty hunting on established programs. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#bug-bounty-new-program) Bug Bounty - New Program Best for: New programs where you want full coverage quickly. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#large-scope-multiple-targets) Large Scope / Multiple Targets Best for: Programs with many root domains or large scope. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#red-team-pentest) Red Team / Pentest Best for: Authorized penetration tests with defined scope. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#automated-weekly-monitoring) Automated Weekly Monitoring Best for: Continuous monitoring of assets. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#quick-assessment) Quick Assessment Best for: Rapid initial assessment before deeper testing. ### [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#ci-cd-integration) CI/CD Integration Best for: Automated security checks in pipelines. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw/concepts#next-steps) Next Steps ----------------------------------------------------------------------------------------------- Now that you understand how reconFTW works: 1. [**Learn the command line options**](https://docs.reconftw.com/usage/usage) - Master all flags 2. [**Configure your setup**](https://docs.reconftw.com/configuration/configuration) - Customize behavior 3. [**Explore modules in depth**](https://docs.reconftw.com/modules/05-modules) - Understand each capability [PreviousInstallation & Setupchevron-left](https://docs.reconftw.com/getting-started/getting-started) [NextReconnaissance Methodology Deep Divechevron-right](https://docs.reconftw.com/understanding-reconftw/recon-methodology) Last updated 1 month ago * [What is reconFTW?](https://docs.reconftw.com/understanding-reconftw/concepts#what-is-reconftw) * [Philosophy](https://docs.reconftw.com/understanding-reconftw/concepts#philosophy) * [Reconnaissance Methodology](https://docs.reconftw.com/understanding-reconftw/concepts#reconnaissance-methodology) * [Phase 1: OSINT (Open Source Intelligence)](https://docs.reconftw.com/understanding-reconftw/concepts#phase-1-osint-open-source-intelligence) * [Phase 2: Subdomain Enumeration](https://docs.reconftw.com/understanding-reconftw/concepts#phase-2-subdomain-enumeration) * [Phase 3: Web Analysis](https://docs.reconftw.com/understanding-reconftw/concepts#phase-3-web-analysis) * [Phase 4: Vulnerability Scanning](https://docs.reconftw.com/understanding-reconftw/concepts#phase-4-vulnerability-scanning) * [Architecture Overview](https://docs.reconftw.com/understanding-reconftw/concepts#architecture-overview) * [Module Loading Order](https://docs.reconftw.com/understanding-reconftw/concepts#module-loading-order) * [Key Functions](https://docs.reconftw.com/understanding-reconftw/concepts#key-functions) * [Data Flow](https://docs.reconftw.com/understanding-reconftw/concepts#data-flow) * [Data Dependencies](https://docs.reconftw.com/understanding-reconftw/concepts#data-dependencies) * [Scan Phases](https://docs.reconftw.com/understanding-reconftw/concepts#scan-phases) * [1\. Initialization (start())](https://docs.reconftw.com/understanding-reconftw/concepts#id-1.-initialization-start) * [2\. OSINT Phase](https://docs.reconftw.com/understanding-reconftw/concepts#id-2.-osint-phase) * [3\. Subdomain Phase](https://docs.reconftw.com/understanding-reconftw/concepts#id-3.-subdomain-phase) * [4\. Host Analysis](https://docs.reconftw.com/understanding-reconftw/concepts#id-4.-host-analysis) * [5\. Web Analysis](https://docs.reconftw.com/understanding-reconftw/concepts#id-5.-web-analysis) * [6\. Vulnerability Phase (if -a flag)](https://docs.reconftw.com/understanding-reconftw/concepts#id-6.-vulnerability-phase-if-a-flag) * [7\. Finalization (end())](https://docs.reconftw.com/understanding-reconftw/concepts#id-7.-finalization-end) * [Checkpoint System](https://docs.reconftw.com/understanding-reconftw/concepts#checkpoint-system) * [How It Works](https://docs.reconftw.com/understanding-reconftw/concepts#how-it-works) * [Resume Behavior](https://docs.reconftw.com/understanding-reconftw/concepts#resume-behavior) * [Force Re-execution](https://docs.reconftw.com/understanding-reconftw/concepts#force-re-execution) * [DIFF Mode](https://docs.reconftw.com/understanding-reconftw/concepts#diff-mode) * [Understanding DEEP Mode](https://docs.reconftw.com/understanding-reconftw/concepts#understanding-deep-mode) * [Standard vs DEEP](https://docs.reconftw.com/understanding-reconftw/concepts#standard-vs-deep) * [Activation](https://docs.reconftw.com/understanding-reconftw/concepts#activation) * [Auto-DEEP](https://docs.reconftw.com/understanding-reconftw/concepts#auto-deep) * [Error Handling](https://docs.reconftw.com/understanding-reconftw/concepts#error-handling) * [Error Codes](https://docs.reconftw.com/understanding-reconftw/concepts#error-codes) * [Error Trapping](https://docs.reconftw.com/understanding-reconftw/concepts#error-trapping) * [Circuit Breaker](https://docs.reconftw.com/understanding-reconftw/concepts#circuit-breaker) * [Global Variables](https://docs.reconftw.com/understanding-reconftw/concepts#global-variables) * [Required Variables](https://docs.reconftw.com/understanding-reconftw/concepts#required-variables) * [Configuration Flags](https://docs.reconftw.com/understanding-reconftw/concepts#configuration-flags) * [Visual: Architecture Diagram](https://docs.reconftw.com/understanding-reconftw/concepts#visual-architecture-diagram) * [Module Interaction Flow](https://docs.reconftw.com/understanding-reconftw/concepts#module-interaction-flow) * [OPSEC and Legal](https://docs.reconftw.com/understanding-reconftw/concepts#opsec-and-legal) * [Authorization Requirements](https://docs.reconftw.com/understanding-reconftw/concepts#authorization-requirements) * [Pre-Scan Checklist](https://docs.reconftw.com/understanding-reconftw/concepts#pre-scan-checklist) * [OPSEC Best Practices](https://docs.reconftw.com/understanding-reconftw/concepts#opsec-best-practices) * [Reducing Detection Risk](https://docs.reconftw.com/understanding-reconftw/concepts#reducing-detection-risk) * [Legal Risks by Region](https://docs.reconftw.com/understanding-reconftw/concepts#legal-risks-by-region) * [What to Do If Something Goes Wrong](https://docs.reconftw.com/understanding-reconftw/concepts#what-to-do-if-something-goes-wrong) * [Recommended Workflows](https://docs.reconftw.com/understanding-reconftw/concepts#recommended-workflows) * [Bug Bounty - Standard Recon](https://docs.reconftw.com/understanding-reconftw/concepts#bug-bounty-standard-recon) * [Bug Bounty - New Program](https://docs.reconftw.com/understanding-reconftw/concepts#bug-bounty-new-program) * [Large Scope / Multiple Targets](https://docs.reconftw.com/understanding-reconftw/concepts#large-scope-multiple-targets) * [Red Team / Pentest](https://docs.reconftw.com/understanding-reconftw/concepts#red-team-pentest) * [Automated Weekly Monitoring](https://docs.reconftw.com/understanding-reconftw/concepts#automated-weekly-monitoring) * [Quick Assessment](https://docs.reconftw.com/understanding-reconftw/concepts#quick-assessment) * [CI/CD Integration](https://docs.reconftw.com/understanding-reconftw/concepts#ci-cd-integration) * [Next Steps](https://docs.reconftw.com/understanding-reconftw/concepts#next-steps) sun-brightdesktopmoon Copy ┌─────────────────────────────────────────────────────────────────────┐ │ reconFTW Reconnaissance Phases │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ OSINT │───▶│ Subdomain│───▶│ Web │───▶│ Vulns │ │ │ │ Gathering│ │ Enum │ │ Analysis │ │ Scanning │ │ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │ │ │ │ │ │ │ ▼ ▼ ▼ ▼ │ │ • Dorks • Passive • Probing • Nuclei │ │ • Emails • Active • Screenshots • XSS/SQLi │ │ • Metadata • Bruteforce • Fuzzing • SSRF/LFI │ │ • API leaks • Permutations • JS Analysis • Misconfigs │ │ • GitHub • Takeovers • CMS detect • SSL/TLS │ │ │ └─────────────────────────────────────────────────────────────────────┘ Copy reconftw/ ├── reconftw.sh # Main entry point (orchestration) ├── reconftw.cfg # Configuration file ├── secrets.cfg # API keys (gitignored) │ ├── modules/ # Feature modules (what to do) │ ├── utils.sh # Utility functions │ ├── core.sh # Framework core (logging, lifecycle) │ ├── osint.sh # OSINT functions │ ├── subdomains.sh # Subdomain enumeration │ ├── web.sh # Web analysis │ ├── vulns.sh # Vulnerability scanning │ ├── axiom.sh # Distributed scanning │ └── modes.sh # Scan mode orchestration │ ├── lib/ # Pure libraries (how to do it) │ ├── common.sh # Shared utility functions (dedupe, ensure_dirs) │ ├── config.sh # Configuration helpers │ ├── parallel.sh # Parallelization framework │ └── validation.sh # Input validation │ └── Recon/ # Output directory └── / # Per-target results Copy 1. lib/validation.sh # Input validation (first) 2. lib/common.sh # Shared utilities (ensure_dirs, dedupe, etc.) 3. lib/parallel.sh # Parallelization framework 4. modules/utils.sh # Base utilities 5. modules/core.sh # Framework infrastructure 6. modules/osint.sh # OSINT functions 7. modules/subdomains.sh # Subdomain functions 8. modules/web.sh # Web analysis functions 9. modules/vulns.sh # Vulnerability functions 10. modules/axiom.sh # Distributed scanning 11. modules/modes.sh # Mode orchestration (last) Copy start_func(name, description) # Begin a function, check if already done end_func(message, name) # Complete a function, mark as done Copy function some_scan() { if [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; then start_func "${FUNCNAME[0]}" "Running some scan..." # ... actual scan logic ... end_func "Results saved in..." "${FUNCNAME[0]}" fi } Copy ┌─────────────────────────────────────┐ │ USER INPUT │ │ -d domain.com / -l targets.txt │ └─────────────────┬───────────────────┘ │ ▼ ┌─────────────────────────────────────┐ │ INPUT SANITIZATION │ │ • Validate domain/IP format │ │ • Remove dangerous characters │ │ • Normalize case │ └─────────────────┬───────────────────┘ │ ▼ ┌─────────────────────────────────────┐ │ DIRECTORY SETUP │ │ Recon// │ │ ├── subdomains/ │ │ ├── webs/ │ │ ├── hosts/ │ │ ├── vulns/ │ │ ├── osint/ │ │ ├── .tmp/ │ │ └── .log/ │ └─────────────────┬───────────────────┘ │ ┌────────────────────────┼────────────────────────┐ │ │ │ ▼ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │ OSINT │ │ SUBDOMAINS │ │ WEB │ │ (osint.sh) │ │ (subdomains.sh) │ │ (web.sh) │ └────────┬─────────┘ └────────┬─────────┘ └────────┬─────────┘ │ │ │ ▼ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │ osint/*.txt │───▶│subdomains/*.txt │───▶│ webs/*.txt │ └──────────────────┘ └────────┬─────────┘ └────────┬─────────┘ │ │ │ │ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ │ HOSTS ANALYSIS │ │ VULN SCANNING │ │ (hosts/) │ │ (vulns.sh) │ └──────────────────┘ └────────┬─────────┘ │ ▼ ┌──────────────────┐ │ FINAL OUTPUT │ │ • vulns/ │ │ • nuclei_output/│ │ • hotlist.txt │ └──────────────────┘ Copy [start] → Validate config → Check disk space → Create directories → Initialize logging Copy [osint] → domain_info → emails → google_dorks → github_repos → metadata → apileaks Copy [subdomains] → sub_passive → sub_crt → sub_brute → sub_permut → sub_scraping → sub_dns Copy [hosts] → portscan → cdnprovider → waf_checks → favicon → geo_info Copy [web] → webprobe → screenshot → urlchecks → jschecks → fuzz → cms_scanner Copy [vulns] → nuclei → xss → sqli → ssrf → cors → lfi → ssti → ... Copy [end] → Build hotlist → Generate reports → Send notifications → Cleanup Copy Recon//.called_fn/ ├── .sub_passive # sub_passive() completed ├── .sub_brute # sub_brute() completed ├── .webprobe_simple # webprobe_simple() completed └── ... Copy # First run - executes all functions ./reconftw.sh -d target.com -r # Second run - skips completed functions ./reconftw.sh -d target.com -r # Output: "sub_passive has already been processed..." Copy # Delete the marker rm Recon/target.com/.called_fn/.sub_passive # Or delete all markers (full rescan) rm -rf Recon/target.com/.called_fn/ Copy # Config setting DIFF=true Copy # Command line ./reconftw.sh -d target.com -r --deep # Or in config DEEP=true Copy # In reconftw.cfg DEEP_LIMIT=500 # First threshold DEEP_LIMIT2=1500 # Second threshold Copy # From reconftw.sh trap 'rc=$?; ... echo "$msg" >>"$LOGFILE" ...' ERR Copy # After 3 consecutive failures, tool is skipped CIRCUIT_BREAKER_THRESHOLD=3 CIRCUIT_BREAKER_TIMEOUT=300 # Reset after 5 minutes Copy ┌─────────────────────────────────────┐ │ CONFIGURATION │ │ reconftw.cfg │ secrets.cfg │ │ ───────────────────────────────── │ │ • API keys • Module toggles │ │ • Wordlists • Rate limits │ └───────────────────┬─────────────────┘ │ ▼ ┌────────────────────┐ ┌─────────────────────────────────────────────────────┐ │ INPUT │ │ reconftw.sh │ │ ──────────────── │────────▶│ (Main Orchestrator) │ │ -d domain.com │ │ ─────────────────────────────────────────────── │ │ -l targets.txt │ │ • Argument parsing • Module loading │ │ -m multi.txt │ │ • Checkpoint system • Notification hooks │ └────────────────────┘ └────────────────────────┬────────────────────────────┘ │ ┌──────────────────────────────────┼──────────────────────────────────┐ │ │ │ ▼ ▼ ▼ ┌────────────────────┐ ┌────────────────────┐ ┌────────────────────┐ │ lib/ │ │ modules/ │ │ config/ │ │ ──────────────── │ │ ──────────────── │ │ ──────────────── │ │ common.sh │ │ osint.sh │ │ amass_config.ini │ │ parallel.sh │ │ subdomains.sh │ │ nuclei_config.yml │ │ validation.sh │ │ web.sh │ │ sensitive_domains │ │ │ │ vulns.sh │ │ ... │ │ Utilities for: │ │ core.sh │ │ │ │ • Parallelization │ │ modes.sh │ │ Tool configs │ │ • Error handling │ │ axiom.sh │ │ Wordlists paths │ │ • File operations │ │ utils.sh │ │ │ └────────────────────┘ └─────────┬──────────┘ └────────────────────┘ │ ┌──────────────────────────────┴──────────────────────────────┐ │ SCAN PHASES │ │ ────────────────────────────────────────────────────────── │ │ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │ 1.OSINT │──▶│ 2.SUBS │──▶│ 3.WEB │──▶│ 4.VULNS │ │ │ │(passive)│ │(active) │ │(probe) │ │(exploit)│ │ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ │ │ Data flows from each phase to the next │ └──────────────────────────────┬──────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────┐ │ OUTPUT STRUCTURE │ │ Recon// │ │ ───────────────────────────────────────────── │ │ ├── subdomains/ (discovered subs) │ │ ├── webs/ (live web URLs) │ │ ├── hosts/ (IP data, ports) │ │ ├── vulns/ (vulnerability results) │ │ ├── osint/ (passive intel) │ │ ├── screenshots/ (web captures) │ │ ├── .called_fn/ (checkpoint markers) │ │ └── .log/ (execution logs) │ └─────────────────────────────────────────────────┘ │ ┌──────────────────────────────┴──────────────────────────────┐ │ OPTIONAL: AXIOM │ ▼ │ ┌────────────────────────────────────────────────────────────────┐ │ │ Distributed Execution │ │ │ ──────────────────────────────────────────────────────────── │ │ │ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ │ │ │ │ node01 │ │ node02 │ │ node03 │ │ node04 │ │ node05 │ │◀───────┘ │ └────────┘ └────────┘ └────────┘ └────────┘ └────────┘ │ │ │ │ Splits workload across cloud instances for faster scanning │ └────────────────────────────────────────────────────────────────┘ Copy ┌─────────────────────────────────────────────────────────────────────────────┐ │ DETAILED DATA FLOW │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ INPUT: domain.com │ │ │ │ │ ▼ │ │ ┌──────────────┐ │ │ │ OSINT │──▶ osint/emails.txt, osint/dorks.txt │ │ │ (passive) │ osint/github_secrets.json │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Passive: subfinder, amass, crt.sh │ │ │ SUBDOMAINS │──▶ Active: puredns, massdns │ │ │ (enum) │ Output: subdomains/subdomains.txt │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ │ │ │ WEB PROBE │──▶ webs/webs.txt (live HTTP/HTTPS URLs) │ │ │ (httpx) │ webs/webs_info.txt (titles, status, tech) │ │ └──────┬───────┘ │ │ │ │ │ ├───────────────────────┬───────────────────────┐ │ │ ▼ ▼ ▼ │ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │ │ URL CHECK │ │ JS CHECKS │ │ SCREENSHOTS │ │ │ │ (katana) │ │ (xnlink) │ │ (nuclei) │ │ │ └──────┬───────┘ └──────┬───────┘ └──────────────┘ │ │ │ │ │ │ ▼ ▼ │ │ ┌──────────────┐ ┌──────────────┐ │ │ │ gf patterns │ │ JS secrets │ │ │ │ (params) │ │ (API keys) │ │ │ └──────┬───────┘ └──────────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────────────────────────────────────────────────────┐ │ │ │ VULNERABILITY SCANNING │ │ │ │ ───────────────────────────────────────────────────────────── │ │ │ │ nuclei (CVEs) │ dalfox (XSS) │ sqlmap (SQLi) │ ffuf (fuzz)│ │ │ │ cors │ ssrf │ lfi │ ssti │ │ │ └──────────────────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ vulns/nuclei_output/, vulns/xss.txt, vulns/sqli.txt, etc. │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ Copy ## Authorization Checklist - [ ] Written permission obtained (email, contract, bug bounty policy) - [ ] Scope document reviewed - [ ] In-scope targets identified - [ ] Out-of-scope targets documented - [ ] Rate limits defined (if any) - [ ] Testing window confirmed - [ ] Emergency contact identified - [ ] Data handling requirements understood - [ ] NDA signed (if required) Copy # Start with passive reconnaissance (no direct contact) ./reconftw.sh -d target.com -p # Use adaptive rate limiting ./reconftw.sh -d target.com -r --adaptive-rate # Lower rate limits in config # In reconftw.cfg HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=50 Copy # Week 1: Initial passive recon ./reconftw.sh -d target.com -p # Week 1: Full reconnaissance (if passive looks good) ./reconftw.sh -d target.com -r # Week 2+: Incremental updates ./reconftw.sh -d target.com -r --incremental Copy # Full scan with vulnerabilities ./reconftw.sh -d target.com -a # Enable notifications # In reconftw.cfg: NOTIFICATION=true # Check results ls -la Recon/target.com/vulns/ Copy # Create scope file cat > scope.txt << EOF target1.com target2.com *.target3.com EOF # Use Axiom for distributed scanning ./reconftw.sh -l scope.txt -r -v # Or run sequentially with multi-mode ./reconftw.sh -m client-project -l scope.txt -r Copy # Start passive (intelligence gathering) ./reconftw.sh -d target.com -n # OSINT only # Then subdomains ./reconftw.sh -d target.com -s # Finally, careful active scanning ./reconftw.sh -d target.com -a -q 50 # Rate limited Copy # Cron job (every Sunday at 2 AM) 0 2 * * 0 cd /path/to/reconftw && ./reconftw.sh -d target.com -r --incremental -z # Or use Docker 0 2 * * 0 docker run -v /data/recon:/reconftw/Recon six2dez/reconftw -d target.com -r --incremental Copy # Passive only (fastest, safest) ./reconftw.sh -d target.com -p # Time: ~15-30 minutes # Output: subdomains, basic OSINT, no active scanning Copy # GitHub Actions example - name: Security Recon run: | ./reconftw.sh -d ${{ secrets.TARGET }} -p -z - name: Check Critical Vulns run: | if [ -s Recon/*/vulns/nuclei_critical.json ]; then echo "Critical vulnerabilities found!" exit 1 fi sun-brightdesktopmoon --- # Command Line Guide | reconftw-docs > **Documentation for reconFTW** `**dev**` **branch** | [View all flags](https://docs.reconftw.com/usage/usage#quick-reference) This guide covers every command-line option available in reconFTW, with detailed explanations and practical examples. * * * [hashtag](https://docs.reconftw.com/usage/usage#basic-syntax) Basic Syntax ------------------------------------------------------------------------------- Copy ./reconftw.sh [TARGET_OPTIONS] [MODE_OPTIONS] [ADDITIONAL_OPTIONS] ### [hashtag](https://docs.reconftw.com/usage/usage#quick-examples) Quick Examples Copy # Single domain reconnaissance ./reconftw.sh -d example.com -r # Multiple targets from file ./reconftw.sh -l targets.txt -r # Full scan with vulnerabilities ./reconftw.sh -d example.com -a # Passive only (stealth) ./reconftw.sh -d example.com -p * * * [hashtag](https://docs.reconftw.com/usage/usage#target-options) Target Options ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/usage/usage#d-domain-less-than-domain-greater-than) `-d, --domain ` Specify a single target domain or IP address. **Input Validation:** * Domains are sanitized (lowercase, safe characters only) * IPs/CIDRs are validated for proper format * Invalid inputs are rejected with error messages ### [hashtag](https://docs.reconftw.com/usage/usage#l-list-less-than-file-greater-than) `-l, --list ` Specify a file containing multiple targets (one per line). **File Format:** **Behavior:** * Each target is scanned sequentially * Results are saved in separate directories * Progress continues if one target fails ### [hashtag](https://docs.reconftw.com/usage/usage#m-less-than-name-greater-than) `-m ` Multi-target mode with custom name for the output directory. **Output Structure:** * * * [hashtag](https://docs.reconftw.com/usage/usage#scan-modes) Scan Modes --------------------------------------------------------------------------- reconFTW offers several scan modes optimized for different use cases. ### [hashtag](https://docs.reconftw.com/usage/usage#r-recon-full-reconnaissance) `-r, --recon` (Full Reconnaissance) **The standard bug bounty reconnaissance mode.** Performs full subdomain enumeration, web analysis, and light vulnerability scanning (nuclei on discovered webs). > ⚠️ **Note:** This is an active scanning mode. It sends requests to the target. Ensure you have authorization. **What it does:** Phase Functions OSINT domain\_info, emails, dorks, metadata Subdomains passive, bruteforce, permutations, scraping Hosts portscan, CDN detection, WAF detection Web probing, screenshots, URL extraction, JS analysis Light Vulns nuclei (info/low), subdomain takeover **Duration:** 1-4 hours depending on target size **Best for:** Initial reconnaissance, bug bounty hunting ### [hashtag](https://docs.reconftw.com/usage/usage#s-subdomains-subdomain-enumeration-only) `-s, --subdomains` (Subdomain Enumeration Only) **Fast subdomain discovery without web analysis.** **What it does:** * Passive subdomain enumeration (APIs, CT logs) * Active DNS bruteforce * Permutation generation * DNS resolution * Subdomain takeover checks **Does NOT do:** * Web probing * Screenshot capture * URL extraction * Vulnerability scanning **Duration:** 15-60 minutes **Best for:** Quick attack surface mapping, asset discovery ### [hashtag](https://docs.reconftw.com/usage/usage#p-passive-passive-reconnaissance) `-p, --passive` (Passive Reconnaissance) **Non-intrusive reconnaissance using only passive techniques.** **What it does:** * Passive subdomain enumeration only * No DNS bruteforce * No active web crawling * No vulnerability scanning * OSINT gathering **Techniques disabled:** **Duration:** 10-30 minutes **Best for:** Stealth recon, initial scoping, when you can't touch the target ### [hashtag](https://docs.reconftw.com/usage/usage#a-all-full-scan-with-vulnerabilities) `-a, --all` (Full Scan with Vulnerabilities) **Complete reconnaissance plus full vulnerability scanning.** > 🔴 **WARNING:** This is the "YOLO mode". It sends attack payloads (SQLi, XSS, etc.) to the target. Only use with explicit written authorization for penetration testing. May trigger WAFs and security alerts. **What it does:** Everything in `-r` mode PLUS: * Full Nuclei scanning (all severities) * XSS testing * SQL injection testing * SSRF checks * LFI/SSTI testing * CORS misconfiguration * Open redirect testing * Command injection * Prototype pollution * HTTP smuggling * And more... **Duration:** 4-24+ hours **Best for:** Full security assessment, when you have explicit authorization and time > ⚠️ **Warning:** This mode performs intrusive testing. Ensure you have explicit authorization. ### [hashtag](https://docs.reconftw.com/usage/usage#w-web-web-analysis-only) `-w, --web` (Web Analysis Only) **Analyze a list of known URLs without subdomain enumeration.** **What it does:** * HTTP probing * Screenshot capture * URL extraction * JavaScript analysis * Directory fuzzing * CMS detection **Does NOT do:** * Subdomain enumeration * DNS analysis * Port scanning **Duration:** 30 minutes - 2 hours **Best for:** When you already have a list of targets, analyzing specific endpoints ### [hashtag](https://docs.reconftw.com/usage/usage#n-osint-osint-only) `-n, --osint` (OSINT Only) **Gather open-source intelligence without active scanning.** **What it does:** * Domain WHOIS information * Email harvesting * Google dorking * GitHub repository analysis * Metadata extraction * API leak detection * Third-party misconfiguration checks * SPF/DMARC analysis * Cloud storage enumeration **Does NOT do:** * Active subdomain enumeration * Web crawling * Port scanning * Vulnerability testing **Duration:** 15-45 minutes **Best for:** Intelligence gathering, pre-engagement research ### [hashtag](https://docs.reconftw.com/usage/usage#c-less-than-function-greater-than-custom-function) `-c ` (Custom Function) **Execute a specific function from the reconFTW modules.** **Note:** `-c` accepts a single function per run. To execute multiple functions, run separate commands (or create a custom mode). **Available Functions:** chevron-rightClick to expand function list[hashtag](https://docs.reconftw.com/usage/usage#click-to-expand-function-list) **OSINT Functions:** * `google_dorks` * `github_dorks` * `github_repos` * `metadata` * `apileaks` * `emails` * `domain_info` * `third_party_misconfigs` * `spoof` * `mail_hygiene` * `cloud_enum_scan` * `ip_info` **Subdomain Functions:** * `sub_passive` * `sub_crt` * `sub_brute` * `sub_permut` * `sub_ia_permut` * `sub_regex_permut` * `sub_recursive_passive` * `sub_recursive_brute` * `sub_scraping` * `sub_analytics` * `sub_noerror` * `sub_dns` * `sub_tls` * `subtakeover` * `zonetransfer` * `s3buckets` **Web Functions:** * `webprobe_simple` * `webprobe_full` * `screenshot` * `virtualhosts` * `urlchecks` * `url_gf` * `url_ext` * `jschecks` * `fuzz` * `cms_scanner` * `wordlist_gen` * `iishortname` * `graphql_scan` **Vulnerability Functions:** * `nuclei_check` * `xss` * `cors` * `open_redirect` * `ssrf_checks` * `crlf_checks` * `lfi` * `ssti` * `sqli` * `command_injection` * `prototype_pollution` * `smuggling` * `webcache` * `4xxbypass` * `fuzzparams` * `test_ssl` * `spraying` * `brokenLinks` **Host Functions:** * `portscan` * `cdnprovider` * `waf_checks` * `favicon` * `geo_info` **Requirement:** The target directory must already exist (from a previous scan). ### [hashtag](https://docs.reconftw.com/usage/usage#z-zen-zen-mode) `-z, --zen` (Zen Mode) **Minimal terminal output mode for cleaner logs.** **Behavior:** * Reduced terminal output * Progress indicators only * Full details in log files * Same functionality as `-r` **Best for:** Running in tmux/screen, CI/CD pipelines * * * [hashtag](https://docs.reconftw.com/usage/usage#scope-management) Scope Management --------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/usage/usage#x-less-than-file-greater-than-out-of-scope) `-x ` (Out-of-Scope) Exclude specific domains/patterns from results. **Pattern Syntax:** ### [hashtag](https://docs.reconftw.com/usage/usage#i-less-than-file-greater-than-in-scope) `-i ` (In-Scope) Only include targets matching the scope file. **How it works:** 1. Results are generated normally 2. inscope filter is applied 3. Only matching entries are kept **Enable in config:** * * * [hashtag](https://docs.reconftw.com/usage/usage#advanced-flags) Advanced Flags ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/usage/usage#deep-deep-thorough-mode) `--deep` (Deep/Thorough Mode) Enable extended scanning with larger wordlists and more techniques. **Changes from standard mode:** Aspect Standard Deep Subdomain wordlist ~10k entries ~100k+ entries Permutation depth 1 level Multiple levels GitHub dorks Small list Medium list Fuzzing wordlist Common paths Extended Recursive enumeration Limited Full ### [hashtag](https://docs.reconftw.com/usage/usage#v-vps-axiom-distributed-mode) `-v, --vps` (Axiom/Distributed Mode) Enable distributed scanning using [Axiomarrow-up-right](https://github.com/six2dez/reconftw-docs/blob/main/03-usage/08-integrations/axiom.md) . **Requirements:** * Axiom must be installed and configured * Cloud provider account (DigitalOcean, AWS, etc.) * Fleet configuration in reconftw.cfg See [Axiom Integration](https://docs.reconftw.com/integrations/axiom) for setup details. ### [hashtag](https://docs.reconftw.com/usage/usage#f-less-than-file-greater-than-custom-config) `-f ` (Custom Config) Use a custom configuration file instead of the default. **Use cases:** * Different configs for different clients * Testing configuration changes * CI/CD with environment-specific settings ### [hashtag](https://docs.reconftw.com/usage/usage#q-less-than-rate-greater-than-rate-limiting) `-q ` (Rate Limiting) Set a global rate limit for all tools. **Affects:** * `NUCLEI_RATELIMIT` * `FFUF_RATELIMIT` * `HTTPX_RATELIMIT` ### [hashtag](https://docs.reconftw.com/usage/usage#o-less-than-path-greater-than-custom-output-directory) `-o ` (Custom Output Directory) Save results to a custom location. **Output structure:** ### [hashtag](https://docs.reconftw.com/usage/usage#y-ai-ai-report-generation) `-y, --ai` (AI Report Generation) Generate AI-powered reports after scan completion. **Requirements:** * Local AI model (e.g., llama3:8b via Ollama) * reconftw\_ai tool installed * Configured in reconftw.cfg **Report types:** * `executive` - High-level summary * `brief` - Concise findings * `bughunter` - Detailed technical report ### [hashtag](https://docs.reconftw.com/usage/usage#quick-rescan) `--quick-rescan` Skip heavy operations if no new subdomains/assets found. **Behavior:** 1. Performs subdomain enumeration 2. Compares with previous results 3. If no new subdomains → skips heavy modules 4. Saves significant time on repeat scans ### [hashtag](https://docs.reconftw.com/usage/usage#incremental) `--incremental` Only scan new findings since last run. **How it works:** 1. Loads previous scan baseline 2. Performs new enumeration 3. Identifies delta (new findings only) 4. Scans only new assets 5. Generates incremental report ### [hashtag](https://docs.reconftw.com/usage/usage#adaptive-rate) `--adaptive-rate` Automatically adjust rate limits when encountering errors. **Behavior:** * Starts at configured rate limit * Detects 429/503 errors * Reduces rate by 50% on errors * Increases rate by 20% on success * Respects MIN/MAX limits ### [hashtag](https://docs.reconftw.com/usage/usage#dry-run) `--dry-run` Preview commands without executing them. **Output:** **Best for:** Testing configurations, understanding workflow ### [hashtag](https://docs.reconftw.com/usage/usage#parallel) `--parallel` Run independent functions in parallel for faster scans. **What it does:** * Runs passive enumeration sources concurrently * Runs active DNS checks in parallel after passive completes * Runs TLS and analytics checks after resolution * Uses native bash job control (no external dependencies) **Performance impact:** * ~2-3x faster subdomain enumeration * Higher memory usage (multiple processes) * Higher CPU usage **When NOT to use:** * Low memory systems (< 4GB RAM) * Rate-limited targets * With Axiom (already distributed) * When debugging issues ### [hashtag](https://docs.reconftw.com/usage/usage#check-tools) `--check-tools` Verify all required tools are installed. **Output:** ### [hashtag](https://docs.reconftw.com/usage/usage#health-check) `--health-check` Run system health diagnostics. **Checks:** * Critical dependencies installed * Configuration file valid * Required directories exist * Network connectivity * Disk space available * * * [hashtag](https://docs.reconftw.com/usage/usage#usage-examples) Usage Examples ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/usage/usage#bug-bounty-workflow) Bug Bounty Workflow ### [hashtag](https://docs.reconftw.com/usage/usage#stealth-assessment) Stealth Assessment ### [hashtag](https://docs.reconftw.com/usage/usage#large-scale-scanning) Large-Scale Scanning ### [hashtag](https://docs.reconftw.com/usage/usage#ci-cd-integration) CI/CD Integration ### [hashtag](https://docs.reconftw.com/usage/usage#scoped-assessment) Scoped Assessment ### [hashtag](https://docs.reconftw.com/usage/usage#custom-function-execution) Custom Function Execution * * * [hashtag](https://docs.reconftw.com/usage/usage#flag-reference-table) Flag Reference Table ----------------------------------------------------------------------------------------------- Flag Long Form Argument Description `-d` `--domain` domain Single target domain/IP `-l` `--list` file Target list file `-m` \- name Multi-target output name `-r` `--recon` \- Full reconnaissance mode `-s` `--subdomains` \- Subdomain enumeration only `-p` `--passive` \- Passive reconnaissance `-a` `--all` \- Full scan + vulnerabilities `-w` `--web` \- Web analysis only `-n` `--osint` \- OSINT gathering only `-c` \- function Custom function execution `-z` `--zen` \- Minimal output mode `-x` \- file Out-of-scope file `-i` \- file In-scope file `-o` \- path Custom output directory `-f` \- file Custom config file `-q` \- rate Rate limit (req/sec) `-v` `--vps` \- Axiom distributed mode `-y` `--ai` \- AI report generation \- `--deep` \- Deep/thorough scanning \- `--quick-rescan` \- Skip heavy ops if no new assets \- `--incremental` \- Scan only new findings \- `--adaptive-rate` \- Auto-adjust rate limits \- `--dry-run` \- Preview without executing \- `--parallel` \- Run functions in parallel (faster) \- `--check-tools` \- Verify tool installation \- `--health-check` \- System diagnostics `-h` `--help` \- Show help message * * * [hashtag](https://docs.reconftw.com/usage/usage#next-steps) Next Steps --------------------------------------------------------------------------- * [**Configuration Reference**](https://docs.reconftw.com/configuration/configuration) - Customize every setting * [**Module Documentation**](https://docs.reconftw.com/modules/05-modules) - Deep dive into each module * [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understand your results * * * > **Documentation Info** Branch: `dev` | Version: `v3.0.0+` | Last updated: February 2026 [PreviousReconnaissance Methodology Deep Divechevron-left](https://docs.reconftw.com/understanding-reconftw/recon-methodology) [NextConfiguration Referencechevron-right](https://docs.reconftw.com/configuration/configuration) Last updated 1 month ago * [Basic Syntax](https://docs.reconftw.com/usage/usage#basic-syntax) * [Quick Examples](https://docs.reconftw.com/usage/usage#quick-examples) * [Target Options](https://docs.reconftw.com/usage/usage#target-options) * [\-d, --domain ](https://docs.reconftw.com/usage/usage#d-domain-less-than-domain-greater-than) * [\-l, --list ](https://docs.reconftw.com/usage/usage#l-list-less-than-file-greater-than) * [\-m ](https://docs.reconftw.com/usage/usage#m-less-than-name-greater-than) * [Scan Modes](https://docs.reconftw.com/usage/usage#scan-modes) * [\-r, --recon (Full Reconnaissance)](https://docs.reconftw.com/usage/usage#r-recon-full-reconnaissance) * [\-s, --subdomains (Subdomain Enumeration Only)](https://docs.reconftw.com/usage/usage#s-subdomains-subdomain-enumeration-only) * [\-p, --passive (Passive Reconnaissance)](https://docs.reconftw.com/usage/usage#p-passive-passive-reconnaissance) * [\-a, --all (Full Scan with Vulnerabilities)](https://docs.reconftw.com/usage/usage#a-all-full-scan-with-vulnerabilities) * [\-w, --web (Web Analysis Only)](https://docs.reconftw.com/usage/usage#w-web-web-analysis-only) * [\-n, --osint (OSINT Only)](https://docs.reconftw.com/usage/usage#n-osint-osint-only) * [\-c (Custom Function)](https://docs.reconftw.com/usage/usage#c-less-than-function-greater-than-custom-function) * [\-z, --zen (Zen Mode)](https://docs.reconftw.com/usage/usage#z-zen-zen-mode) * [Scope Management](https://docs.reconftw.com/usage/usage#scope-management) * [\-x (Out-of-Scope)](https://docs.reconftw.com/usage/usage#x-less-than-file-greater-than-out-of-scope) * [\-i (In-Scope)](https://docs.reconftw.com/usage/usage#i-less-than-file-greater-than-in-scope) * [Advanced Flags](https://docs.reconftw.com/usage/usage#advanced-flags) * [\--deep (Deep/Thorough Mode)](https://docs.reconftw.com/usage/usage#deep-deep-thorough-mode) * [\-v, --vps (Axiom/Distributed Mode)](https://docs.reconftw.com/usage/usage#v-vps-axiom-distributed-mode) * [\-f (Custom Config)](https://docs.reconftw.com/usage/usage#f-less-than-file-greater-than-custom-config) * [\-q (Rate Limiting)](https://docs.reconftw.com/usage/usage#q-less-than-rate-greater-than-rate-limiting) * [\-o (Custom Output Directory)](https://docs.reconftw.com/usage/usage#o-less-than-path-greater-than-custom-output-directory) * [\-y, --ai (AI Report Generation)](https://docs.reconftw.com/usage/usage#y-ai-ai-report-generation) * [\--quick-rescan](https://docs.reconftw.com/usage/usage#quick-rescan) * [\--incremental](https://docs.reconftw.com/usage/usage#incremental) * [\--adaptive-rate](https://docs.reconftw.com/usage/usage#adaptive-rate) * [\--dry-run](https://docs.reconftw.com/usage/usage#dry-run) * [\--parallel](https://docs.reconftw.com/usage/usage#parallel) * [\--check-tools](https://docs.reconftw.com/usage/usage#check-tools) * [\--health-check](https://docs.reconftw.com/usage/usage#health-check) * [Usage Examples](https://docs.reconftw.com/usage/usage#usage-examples) * [Bug Bounty Workflow](https://docs.reconftw.com/usage/usage#bug-bounty-workflow) * [Stealth Assessment](https://docs.reconftw.com/usage/usage#stealth-assessment) * [Large-Scale Scanning](https://docs.reconftw.com/usage/usage#large-scale-scanning) * [CI/CD Integration](https://docs.reconftw.com/usage/usage#ci-cd-integration) * [Scoped Assessment](https://docs.reconftw.com/usage/usage#scoped-assessment) * [Custom Function Execution](https://docs.reconftw.com/usage/usage#custom-function-execution) * [Flag Reference Table](https://docs.reconftw.com/usage/usage#flag-reference-table) * [Next Steps](https://docs.reconftw.com/usage/usage#next-steps) sun-brightdesktopmoon Copy # Domain target ./reconftw.sh -d example.com -r # Subdomain target ./reconftw.sh -d api.example.com -r # IP address target ./reconftw.sh -d 192.168.1.1 -r # CIDR range ./reconftw.sh -d 192.168.1.0/24 -r Copy # Create targets file cat > targets.txt << EOF example.com test.com demo.org EOF # Run scan on all targets ./reconftw.sh -l targets.txt -r Copy # targets.txt example.com api.example.com 192.168.1.0/24 test.org Copy # Scan multiple targets, save under "client-project" ./reconftw.sh -m client-project -l targets.txt -r Copy Recon/client-project/ ├── targets/ │ ├── example.com/ │ ├── test.com/ │ └── demo.org/ └── .log/ Copy ./reconftw.sh -d example.com -r Copy ./reconftw.sh -d example.com -s Copy ./reconftw.sh -d example.com -p Copy SUBNOERROR=false SUBANALYTICS=false SUBBRUTE=false SUBSCRAPING=false SUBPERMUTE=false PORTSCAN_ACTIVE=false Copy ./reconftw.sh -d example.com -a Copy # Create a list of URLs cat > urls.txt << EOF https://www.example.com https://api.example.com https://admin.example.com EOF # Run web analysis ./reconftw.sh -l urls.txt -w Copy ./reconftw.sh -d example.com -n Copy # Run only subdomain bruteforce ./reconftw.sh -d example.com -c sub_brute # Run only nuclei scanning ./reconftw.sh -d example.com -c nuclei_check # Run only screenshot capture ./reconftw.sh -d example.com -c screenshot Copy ./reconftw.sh -d example.com -z Copy # Create out-of-scope file cat > outscope.txt << EOF *.cdn.example.com staging.example.com *.cloudfront.net EOF # Run scan with exclusions ./reconftw.sh -d example.com -r -x outscope.txt Copy # Exact match staging.example.com # Wildcard (ends with) *.cdn.example.com # Multiple patterns test.example.com *.dev.example.com Copy # Create in-scope file cat > inscope.txt << EOF *.example.com *.example.org api.partner.com EOF # Run scan with scope filter ./reconftw.sh -d example.com -r -i inscope.txt Copy INSCOPE=true # In reconftw.cfg Copy ./reconftw.sh -d example.com -r --deep Copy ./reconftw.sh -d example.com -r -v Copy # Create custom config cp reconftw.cfg custom_config.cfg # Edit custom_config.cfg... # Use custom config ./reconftw.sh -d example.com -r -f custom_config.cfg Copy # Limit to 50 requests/second ./reconftw.sh -d example.com -r -q 50 # Very slow/stealthy ./reconftw.sh -d example.com -r -q 10 Copy # Absolute path ./reconftw.sh -d example.com -r -o /home/user/results # Relative path ./reconftw.sh -d example.com -r -o ./client-results Copy /home/user/results/ └── example.com/ ├── subdomains/ ├── webs/ └── ... Copy ./reconftw.sh -d example.com -r -y Copy ./reconftw.sh -d example.com -r --quick-rescan Copy ./reconftw.sh -d example.com -r --incremental Copy ./reconftw.sh -d example.com -r --adaptive-rate Copy ./reconftw.sh -d example.com -r --dry-run Copy [DRY-RUN] Would execute: subfinder -d example.com -all -o .tmp/subfinder.txt [DRY-RUN] Would execute: amass enum -passive -d example.com -o .tmp/amass.txt ... Copy ./reconftw.sh -d example.com -r --parallel Copy ./reconftw.sh --check-tools Copy [✓] subfinder [✓] amass [✓] httpx [✗] nuclei (not found) ... Copy ./reconftw.sh --health-check Copy # Initial reconnaissance ./reconftw.sh -d target.com -r # Follow-up with vulnerabilities ./reconftw.sh -d target.com -a # Quick rescan after some time ./reconftw.sh -d target.com -r --quick-rescan --incremental Copy # Passive only - no direct contact with target ./reconftw.sh -d target.com -p -q 5 Copy # Multiple targets with Axiom ./reconftw.sh -l targets.txt -r -v --deep # With custom output ./reconftw.sh -m client-assessment -l targets.txt -a -o /data/assessments Copy # Non-interactive, minimal output ./reconftw.sh -d target.com -r -z --dry-run # With health check first ./reconftw.sh --health-check && ./reconftw.sh -d target.com -r -z Copy # With in-scope and out-of-scope files ./reconftw.sh -d target.com -a -i scope.txt -x exclusions.txt Copy # Re-run only specific parts ./reconftw.sh -d target.com -c nuclei_check ./reconftw.sh -d target.com -c xss ./reconftw.sh -d target.com -c sqli sun-brightdesktopmoon --- # Axiom Integration | reconftw-docs > **Note**: Axiom was rebranded to "Ax Framework" but the tool and commands still use `axiom-*` naming. This documentation uses "Axiom" for consistency with the actual commands. Axiom enables distributed scanning across cloud infrastructure, speeding up reconnaissance by parallelizing workloads across multiple instances. * * * [hashtag](https://docs.reconftw.com/integrations/axiom#what-is-axiom) What is Axiom? ----------------------------------------------------------------------------------------- Axiom is an infrastructure automation framework that allows you to: * **Spin up cloud instances on-demand** across multiple providers * **Distribute scanning tasks** across a fleet of machines * **Scale horizontally** for large-scale reconnaissance * **Reduce scan time** from hours to minutes * * * [hashtag](https://docs.reconftw.com/integrations/axiom#prerequisites) Prerequisites ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/axiom#id-1.-axiom-installation) 1\. Axiom Installation Copy # Install axiom bash <(curl -s https://raw.githubusercontent.com/pry0cc/axiom/master/interact/axiom-configure) # Or clone and install git clone https://github.com/pry0cc/axiom ~/.axiom cd ~/.axiom && ./interact/axiom-configure ### [hashtag](https://docs.reconftw.com/integrations/axiom#id-2.-cloud-provider-setup) 2\. Cloud Provider Setup Supported providers: * DigitalOcean (recommended) * AWS * Azure * Linode * Google Cloud * Hetzner * IBM Cloud ### [hashtag](https://docs.reconftw.com/integrations/axiom#id-3.-api-keys) 3\. API Keys Configure cloud provider credentials: * * * [hashtag](https://docs.reconftw.com/integrations/axiom#configuration-in-reconftw) Configuration in reconFTW ---------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/axiom#enable-axiom-mode) Enable Axiom Mode ### [hashtag](https://docs.reconftw.com/integrations/axiom#instance-configuration) Instance Configuration ### [hashtag](https://docs.reconftw.com/integrations/axiom#resolver-configuration) Resolver Configuration * * * [hashtag](https://docs.reconftw.com/integrations/axiom#running-with-axiom) Running with Axiom -------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/axiom#basic-usage) Basic Usage ### [hashtag](https://docs.reconftw.com/integrations/axiom#what-happens) What Happens 1. **Fleet Launch:** Axiom spins up configured number of instances 2. **Tool Distribution:** Tools run across fleet in parallel 3. **Result Collection:** Results merged from all instances 4. **Fleet Shutdown:** Instances terminated (if configured) * * * [hashtag](https://docs.reconftw.com/integrations/axiom#distributed-scanning-flow) Distributed Scanning Flow ---------------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/integrations/axiom#tools-with-axiom-support) Tools with Axiom Support -------------------------------------------------------------------------------------------------------------- reconFTW distributes these tools across the fleet: Tool Distribution Type Notes subfinder Target split Each instance handles subset httpx Target split URL probing distributed nuclei Target split Vulnerability scanning ffuf Target split Directory fuzzing dnsx Target split DNS resolution nmap Target split Port scanning katana Target split Web crawling dalfox Target split XSS testing * * * [hashtag](https://docs.reconftw.com/integrations/axiom#fleet-management) Fleet Management ---------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/axiom#manual-fleet-control) Manual Fleet Control ### [hashtag](https://docs.reconftw.com/integrations/axiom#fleet-lifecycle) Fleet Lifecycle * * * [hashtag](https://docs.reconftw.com/integrations/axiom#cost-optimization) Cost Optimization ------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/integrations/axiom#instance-sizing) Instance Sizing Provider Instance vCPU RAM Cost/hr DigitalOcean s-1vcpu-1gb 1 1GB $0.007 DigitalOcean s-2vcpu-2gb 2 2GB $0.018 AWS t3.micro 2 1GB $0.012 Linode g6-nanode-1 1 1GB $0.0075 ### [hashtag](https://docs.reconftw.com/integrations/axiom#cost-estimation) Cost Estimation ### [hashtag](https://docs.reconftw.com/integrations/axiom#best-practices) Best Practices 1. **Use smallest viable instance:** 1GB RAM sufficient for most tools 2. **Auto-shutdown:** Enable `AXIOM_FLEET_SHUTDOWN=true` 3. **Spot instances:** Use when available for 60-90% savings 4. **Regional pricing:** Some regions cheaper than others * * * [hashtag](https://docs.reconftw.com/integrations/axiom#resolver-management) Resolver Management ---------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/axiom#upload-custom-resolvers) Upload Custom Resolvers ### [hashtag](https://docs.reconftw.com/integrations/axiom#configuration) Configuration * * * [hashtag](https://docs.reconftw.com/integrations/axiom#troubleshooting) Troubleshooting -------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/axiom#fleet-wont-start) Fleet Won't Start ### [hashtag](https://docs.reconftw.com/integrations/axiom#ssh-connection-issues) SSH Connection Issues ### [hashtag](https://docs.reconftw.com/integrations/axiom#tools-not-running) Tools Not Running ### [hashtag](https://docs.reconftw.com/integrations/axiom#result-merge-failures) Result Merge Failures * * * [hashtag](https://docs.reconftw.com/integrations/axiom#advanced-configuration) Advanced Configuration ---------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/axiom#custom-axiom-image) Custom Axiom Image ### [hashtag](https://docs.reconftw.com/integrations/axiom#per-tool-distribution) Per-Tool Distribution ### [hashtag](https://docs.reconftw.com/integrations/axiom#scan-modules) Scan Modules * * * [hashtag](https://docs.reconftw.com/integrations/axiom#example-workflows) Example Workflows ------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/integrations/axiom#large-target-list) Large Target List ### [hashtag](https://docs.reconftw.com/integrations/axiom#bug-bounty-program) Bug Bounty Program ### [hashtag](https://docs.reconftw.com/integrations/axiom#red-team-assessment) Red Team Assessment * * * [hashtag](https://docs.reconftw.com/integrations/axiom#security-considerations) Security Considerations ------------------------------------------------------------------------------------------------------------ 1. **Instance isolation:** Each scan uses fresh instances 2. **Credential management:** Cloud keys never touch targets 3. **Data cleanup:** Results removed from instances 4. **Network isolation:** Use private networking when possible 5. **Audit logging:** Enable cloud provider audit logs * * * [hashtag](https://docs.reconftw.com/integrations/axiom#next-steps) Next Steps ---------------------------------------------------------------------------------- * [**Faraday Integration**](https://docs.reconftw.com/integrations/faraday) - Vulnerability management * [**Deployment Guide**](https://docs.reconftw.com/deployment/deployment) - VPS setup [PreviousOutput Interpretationchevron-left](https://docs.reconftw.com/output/output) [NextFaraday Integrationchevron-right](https://docs.reconftw.com/integrations/faraday) Last updated 1 month ago * [What is Axiom?](https://docs.reconftw.com/integrations/axiom#what-is-axiom) * [Prerequisites](https://docs.reconftw.com/integrations/axiom#prerequisites) * [1\. Axiom Installation](https://docs.reconftw.com/integrations/axiom#id-1.-axiom-installation) * [2\. Cloud Provider Setup](https://docs.reconftw.com/integrations/axiom#id-2.-cloud-provider-setup) * [3\. API Keys](https://docs.reconftw.com/integrations/axiom#id-3.-api-keys) * [Configuration in reconFTW](https://docs.reconftw.com/integrations/axiom#configuration-in-reconftw) * [Enable Axiom Mode](https://docs.reconftw.com/integrations/axiom#enable-axiom-mode) * [Instance Configuration](https://docs.reconftw.com/integrations/axiom#instance-configuration) * [Resolver Configuration](https://docs.reconftw.com/integrations/axiom#resolver-configuration) * [Running with Axiom](https://docs.reconftw.com/integrations/axiom#running-with-axiom) * [Basic Usage](https://docs.reconftw.com/integrations/axiom#basic-usage) * [What Happens](https://docs.reconftw.com/integrations/axiom#what-happens) * [Distributed Scanning Flow](https://docs.reconftw.com/integrations/axiom#distributed-scanning-flow) * [Tools with Axiom Support](https://docs.reconftw.com/integrations/axiom#tools-with-axiom-support) * [Fleet Management](https://docs.reconftw.com/integrations/axiom#fleet-management) * [Manual Fleet Control](https://docs.reconftw.com/integrations/axiom#manual-fleet-control) * [Fleet Lifecycle](https://docs.reconftw.com/integrations/axiom#fleet-lifecycle) * [Cost Optimization](https://docs.reconftw.com/integrations/axiom#cost-optimization) * [Instance Sizing](https://docs.reconftw.com/integrations/axiom#instance-sizing) * [Cost Estimation](https://docs.reconftw.com/integrations/axiom#cost-estimation) * [Best Practices](https://docs.reconftw.com/integrations/axiom#best-practices) * [Resolver Management](https://docs.reconftw.com/integrations/axiom#resolver-management) * [Upload Custom Resolvers](https://docs.reconftw.com/integrations/axiom#upload-custom-resolvers) * [Configuration](https://docs.reconftw.com/integrations/axiom#configuration) * [Troubleshooting](https://docs.reconftw.com/integrations/axiom#troubleshooting) * [Fleet Won't Start](https://docs.reconftw.com/integrations/axiom#fleet-wont-start) * [SSH Connection Issues](https://docs.reconftw.com/integrations/axiom#ssh-connection-issues) * [Tools Not Running](https://docs.reconftw.com/integrations/axiom#tools-not-running) * [Result Merge Failures](https://docs.reconftw.com/integrations/axiom#result-merge-failures) * [Advanced Configuration](https://docs.reconftw.com/integrations/axiom#advanced-configuration) * [Custom Axiom Image](https://docs.reconftw.com/integrations/axiom#custom-axiom-image) * [Per-Tool Distribution](https://docs.reconftw.com/integrations/axiom#per-tool-distribution) * [Scan Modules](https://docs.reconftw.com/integrations/axiom#scan-modules) * [Example Workflows](https://docs.reconftw.com/integrations/axiom#example-workflows) * [Large Target List](https://docs.reconftw.com/integrations/axiom#large-target-list) * [Bug Bounty Program](https://docs.reconftw.com/integrations/axiom#bug-bounty-program) * [Red Team Assessment](https://docs.reconftw.com/integrations/axiom#red-team-assessment) * [Security Considerations](https://docs.reconftw.com/integrations/axiom#security-considerations) * [Next Steps](https://docs.reconftw.com/integrations/axiom#next-steps) sun-brightdesktopmoon Copy # Run axiom configuration axiom-configure Copy # In reconftw.cfg # Enable Axiom/VPS mode AXIOM=true # Fleet configuration AXIOM_FLEET_NAME="reconftw" # Fleet identifier AXIOM_FLEET_COUNT=10 # Number of instances AXIOM_FLEET_LAUNCH=true # Auto-launch fleet AXIOM_FLEET_SHUTDOWN=true # Auto-shutdown after scan # Distributed tool settings AXIOM_THREADS=20 # Threads per instance Copy # Fleet instance settings AXIOM_INSTANCE_TYPE="s-1vcpu-1gb" # DigitalOcean size AXIOM_REGION="nyc1" # Deployment region AXIOM_IMAGE="axiom-default" # Base image name Copy # Resolvers for distributed scanning AXIOM_RESOLVERS_PATH="/home/op/lists/resolvers.txt" Copy # Run with Axiom flag ./reconftw.sh -d example.com -a --vps # Or use -v shorthand ./reconftw.sh -d example.com -a -v Copy ┌─────────────────────────────────────────────────────────────────────┐ │ Axiom Distributed Scanning │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ │ │ │ Local Machine│ │ │ │ (reconFTW) │ │ │ └──────┬───────┘ │ │ │ │ │ │ axiom-fleet launch │ │ ▼ │ │ ┌──────────────────────────────────────────────────────┐ │ │ │ Axiom Fleet (10 instances) │ │ │ ├──────────────────────────────────────────────────────┤ │ │ │ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ │ │ │ │ │ 01 │ │ 02 │ │ 03 │ │ 04 │ │ 05 │ │ │ │ │ └────┘ └────┘ └────┘ └────┘ └────┘ │ │ │ │ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ │ │ │ │ │ 06 │ │ 07 │ │ 08 │ │ 09 │ │ 10 │ │ │ │ │ └────┘ └────┘ └────┘ └────┘ └────┘ │ │ │ └──────────────────────────────────────────────────────┘ │ │ │ │ │ │ axiom-scan (distribute tasks) │ │ ▼ │ │ ┌──────────────────────────────────────────────────────┐ │ │ │ Each instance processes portion of targets: │ │ │ │ - Instance 01: subdomains 1-1000 │ │ │ │ - Instance 02: subdomains 1001-2000 │ │ │ │ - ... │ │ │ └──────────────────────────────────────────────────────┘ │ │ │ │ │ │ Results merged │ │ ▼ │ │ ┌──────────────┐ │ │ │ Local Machine│ │ │ │ (combined │ │ │ │ results) │ │ │ └──────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ Copy # Launch fleet axiom-fleet reconftw -i 10 # Check fleet status axiom-ls # SSH to specific instance axiom-ssh reconftw01 # Execute command on all instances axiom-exec "nuclei -update-templates" # Shutdown fleet axiom-rm "reconftw*" -f Copy # In reconftw.cfg # Auto-launch fleet if not running AXIOM_FLEET_LAUNCH=true # Shutdown after scan completion AXIOM_FLEET_SHUTDOWN=true # Keep fleet running for subsequent scans AXIOM_FLEET_SHUTDOWN=false Copy Fleet: 10 instances × $0.007/hr = $0.07/hr Scan duration: 2 hours Total cost: ~$0.14 per scan Copy # Upload resolvers to fleet axiom-scp resolvers.txt "reconftw*":/home/op/lists/ # Or use built-in resolver update axiom-exec "dnsvalidator -tL public-resolvers.txt -threads 100 -o resolvers.txt" Copy # In reconftw.cfg RESOLVERS_TRUSTED="/home/op/lists/resolvers_trusted.txt" RESOLVERS="/home/op/lists/resolvers.txt" # On fleet AXIOM_RESOLVERS_PATH="/home/op/lists/resolvers.txt" Copy # Check cloud provider credentials axiom-configure # Verify API key doctl auth init # DigitalOcean aws configure # AWS # Check available images axiom-images ls Copy # Regenerate SSH keys axiom-init --regenerate # Manual SSH test ssh -i ~/.axiom/.sshkey root@ Copy # Update tools on fleet axiom-exec "axiom-build tools" # Verify tool installation axiom-exec "which nuclei" Copy # Check disk space axiom-exec "df -h" # Manual result collection axiom-scp "reconftw*":/home/op/recon/results.txt ./results/ Copy # Build custom image with all tools axiom-build reconftw --install-tools # Use custom image AXIOM_IMAGE="reconftw-image" Copy # Override distribution for specific tools AXIOM_SUBFINDER_DISTRIBUTE=true AXIOM_NUCLEI_DISTRIBUTE=true AXIOM_HTTPX_DISTRIBUTE=true Copy # reconFTW Axiom modules in modules/axiom.sh # Functions prefixed with axiom_* axiom_launch # Launch fleet axiom_shutdown # Terminate fleet axiom_selected # Run tool on fleet axiom_exec # Execute command Copy # Scan 10,000 subdomains with 20-instance fleet AXIOM_FLEET_COUNT=20 ./reconftw.sh -l targets_10k.txt -a -v Copy # Weekly automated scan ./reconftw.sh -d target.com -a -v --incremental Copy # Quick initial recon AXIOM_FLEET_COUNT=5 ./reconftw.sh -d target.com -r -v sun-brightdesktopmoon --- # Vulnerability Module | reconftw-docs The vulnerability module performs active security testing to identify exploitable weaknesses. This module requires explicit authorization as it performs intrusive testing. * * * [hashtag](https://docs.reconftw.com/modules/vulnerabilities#important-warning) ⚠️ Important Warning -------------------------------------------------------------------------------------------------------- > **LEGAL NOTICE:** This module performs active security testing that may: > > * Send malicious payloads to targets > > * Attempt to exploit vulnerabilities > > * Trigger security alerts > > * Potentially cause service disruption > > > **Only use with explicit written authorization.** * * * [hashtag](https://docs.reconftw.com/modules/vulnerabilities#why-this-order-of-tests) Why This Order of Tests? ------------------------------------------------------------------------------------------------------------------ Vulnerability checks run last in reconFTW's pipeline for important reasons: 1. **Dependency Chain**: Tests require data from previous phases: * URLs from web analysis → XSS, SQLi, LFI testing * Parameters from param\_discovery → Injection point testing * JavaScript analysis → Prototype pollution candidates 2. **Detection Risk**: Vuln scanning generates suspicious traffic: * SQL injection payloads like `' OR 1=1--` * XSS payloads with ` Type: Reflected Parameter: q Payload: "> Copy XSS=true XSS_SERVER="https://your.xss.hunter" # For blind XSS DALFOX_THREADS=200 Copy URLs with parameters → sqlmap/ghauri → → Test injection points → Identify vulnerable params → Report Copy vulns/sqli.txt vulns/sqlmap_output/ # Detailed SQLMap results Copy [VULNERABLE] https://example.com/user?id=1 Parameter: id Type: Boolean-based blind Backend: MySQL Copy SQLI=true SQLMAP=true GHAURI=false # Alternative SQLi tool Copy URLs with parameters → ffuf (SSTI payloads) → → Check for template execution → Report Copy {{7*7}} ${7*7} <%= 7*7 %> {7*7} ${{7*7}} Copy vulns/ssti.txt Copy SSTI=true ssti_wordlist=${tools}/ssti_wordlist.txt Copy URLs with parameters → ffuf (LFI payloads) → → Check for file content → Report Copy ../../../etc/passwd ..%2f..%2f..%2fetc/passwd ....//....//....//etc/passwd /etc/passwd Copy vulns/lfi.txt Copy LFI=true lfi_wordlist=${tools}/lfi_wordlist.txt Copy URLs with parameters → commix → → Test command separators → Verify execution → Report Copy vulns/command_injection.txt Copy COMM_INJ=true Copy URLs with parameters → Replace values with callback URL → → Monitor for callbacks → Report SSRF Copy http://callback.server/ http://169.254.169.254/ # AWS metadata http://127.0.0.1/ Copy vulns/ssrf.txt Copy SSRF_CHECKS=true COLLAB_SERVER="https://your.interact.sh" Copy webs.txt → Corsy → Test CORS headers → → Check for misconfigs → Report Copy vulns/cors.txt Copy [VULNERABLE] https://api.example.com Issue: Origin Reflected Impact: Attacker can read responses from any origin Copy CORS=true Copy URLs → crlfuzz → Inject CRLF sequences → → Check for header injection → Report Copy vulns/crlf.txt Copy CRLF_CHECKS=true Copy webs.txt → ppmap → Analyze JS → → Test pollution payloads → Report Copy vulns/prototype_pollution.txt Copy PROTO_POLLUTION=true Copy vulns/smuggling.txt Copy SMUGGLING=true Copy vulns/webcache.txt Copy WEBCACHE=true Copy URLs with redirect parameters → Oralyzer → → Test redirect payloads → Verify redirect → Report Copy vulns/open_redirect.txt Copy [VULNERABLE] https://example.com/login?redirect= Payload: //evil.com Redirects to: https://evil.com Copy OPEN_REDIRECT=true Copy 403/401 URLs → nomore403 → Try bypass techniques → → Check for successful access → Report Copy vulns/4xxbypass.txt Copy [BYPASS] https://example.com/admin Original: 403 Forbidden Technique: X-Original-URL header Result: 200 OK Copy BYPASSER4XX=true Copy vulns/testssl.txt Copy TEST_SSL=true Copy hosts/portscan_active.xml → brutespray → → Test common creds → Report successful logins Copy vulns/brutespray.txt Copy SPRAY=true BRUTESPRAY_THREADS=20 BRUTESPRAY_CONCURRENCE=10 Copy URLs with parameters → nuclei (fuzzing templates) → → Test injection points → Report findings Copy vulns/fuzzparams.txt Copy FUZZPARAMS=true Copy webs.txt → katana (crawl) → Check external links → → Identify dead/available domains → Report Copy vulns/broken_links.txt Copy BROKENLINKS=true Copy # Full recon + all vulnerability checks ./reconftw.sh -d example.com -a Copy # In reconftw.cfg VULNS_GENERAL=true Copy # Enable only specific checks VULNS_GENERAL=true XSS=true SQLI=true CORS=false SSRF_CHECKS=false # ... etc sun-brightdesktopmoon --- # Web Analysis Module | reconftw-docs The web analysis module examines discovered web assets to identify technologies, extract content, and prepare targets for vulnerability testing. * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#why-web-analysis) Why Web Analysis? ------------------------------------------------------------------------------------------------- Before scanning for vulnerabilities, you need to understand what you're scanning: 1. **Target Validation**: Not all subdomains run web servers. HTTP probing identifies which hosts actually serve web content on which ports. 2. **Technology Fingerprinting**: Different technologies have different vulnerabilities. Knowing that a target runs WordPress vs Django changes your attack approach. 3. **Attack Surface Mapping**: URL collection reveals: * Hidden endpoints not linked in the UI * API routes * Admin panels * Legacy code paths 4. **Input Discovery**: Parameters and endpoints found here become test targets for vulnerability scanning. Without URL collection, scanners miss most of the attack surface. 5. **Efficiency**: Analyzing JavaScript and crawling once, then reusing results for multiple vulnerability tests, is more efficient than having each scanner crawl independently. * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#module-overview) Module Overview ---------------------------------------------------------------------------------------------- Function Purpose Tools `webprobe_simple` Probe ports 80/443 httpx `webprobe_full` Probe uncommon web ports httpx `screenshot` Capture web screenshots nuclei `virtualhosts` Virtual host discovery VhostFinder `urlchecks` URL collection (passive + active) urlfinder, katana, JSA `url_gf` URL pattern classification gf, urless `url_ext` File extension sorting custom `jschecks` JavaScript analysis subjs, xnLinkFinder, mantra, jsluice `fuzz` Directory fuzzing ffuf `cms_scanner` CMS detection CMSeeK `wordlist_gen` Custom wordlist generation custom `wordlist_gen_roboxtractor` Robots.txt wordlist roboxtractor `password_dict` Password dictionary generation pydictor `iishortname` IIS shortname scanning shortscan, sns `graphql_scan` GraphQL endpoint detection nuclei, GQLSpection `grpc_reflection` gRPC reflection probing grpcurl `param_discovery` Parameter discovery arjun `websocket_checks` WebSocket auditing custom * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#configuration-options) Configuration Options ---------------------------------------------------------------------------------------------------------- * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#http-probing) HTTP Probing ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/web-analysis#webprobe_simple-standard-port-probing) `webprobe_simple` - Standard Port Probing Identifies live web servers on standard ports (80, 443). **How It Works:** **Information Extracted:** * Status codes * Page titles * Web server type * Technologies detected * Content length * Redirect locations **Output:** **Sample Output (webs\_info.txt):** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#webprobe_full-uncommon-port-probing) `webprobe_full` - Uncommon Port Probing Probes an extended list of ports commonly used for web services. **Ports Checked:** **Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#screenshots) Screenshots -------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/web-analysis#screenshot-web-screenshot-capture) `screenshot` - Web Screenshot Capture Captures screenshots of all discovered web servers for visual analysis. **How It Works:** **Output:** **Change Detection:** reconFTW creates SHA256 hashes of screenshots to detect visual changes between scans: **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#virtual-hosts) Virtual Hosts ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/web-analysis#virtualhosts-virtual-host-discovery) `virtualhosts` - Virtual Host Discovery Discovers virtual hosts by fuzzing the HTTP Host header. **How It Works:** **Why It's Useful:** Many servers host multiple websites on the same IP. Virtual host fuzzing reveals: * Hidden admin panels * Development sites * Internal applications * Additional attack surface **Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#url-collection) URL Collection -------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/web-analysis#urlchecks-full-url-extraction) `urlchecks` - Full URL Extraction Collects URLs from multiple sources for full coverage. **Passive Sources:** * Wayback Machine * Common Crawl * AlienVault OTX * URLScan.io **Active Sources:** * Katana web crawler * JavaScript parsing * Sitemap analysis **How It Works:** **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#url_gf-url-pattern-classification) `url_gf` - URL Pattern Classification Classifies URLs by potential vulnerability patterns using gf patterns. **Patterns Detected:** Pattern Description `xss` Potential XSS parameters `sqli` SQL injection candidates `ssrf` SSRF-prone URLs `redirect` Open redirect parameters `rce` Command injection candidates `lfi` Local file inclusion `ssti` Template injection `idor` Insecure direct object reference `debug_logic` Debug/admin endpoints **Output:** **Sample XSS Pattern Match:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#url_ext-file-extension-sorting) `url_ext` - File Extension Sorting Organizes URLs by file extension for targeted analysis. **Categories:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#javascript-analysis) JavaScript Analysis ------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/web-analysis#jschecks-full-js-analysis) `jschecks` - Full JS Analysis Extracts secrets, endpoints, and sensitive information from JavaScript files. **What It Finds:** * API keys and tokens * AWS credentials * Internal endpoints * Hardcoded passwords * Debug information * Hidden functionality **Tools Used:** * **subjs**: JS file discovery * **xnLinkFinder**: Endpoint extraction * **mantra**: Secret patterns * **jsluice**: Advanced JS parsing * **nuclei**: JS secret templates * **sourcemapper**: Source map extraction **How It Works:** **Output:** **Sample Secrets Found:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#directory-fuzzing) Directory Fuzzing -------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/web-analysis#fuzz-web-directory-fuzzing) `fuzz` - Web Directory Fuzzing Discovers hidden directories, files, and endpoints. **How It Works:** **Wordlists:** * Primary: `$fuzz_wordlist` * Custom generated from target **Output:** **Sample Findings:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#cms-detection) CMS Detection ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/web-analysis#cms_scanner-cms-identification) `cms_scanner` - CMS Identification Identifies content management systems and their versions. **CMS Detected:** * WordPress * Joomla * Drupal * Magento * Shopify * And 170+ more... **Information Extracted:** * CMS type and version * Installed plugins/themes * Known vulnerabilities * Configuration issues **Output:** **Sample Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#advanced-analysis) Advanced Analysis -------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/web-analysis#iishortname-iis-shortname-scanner) `iishortname` - IIS Shortname Scanner Exploits IIS shortname vulnerability to discover hidden files/directories. **How It Works:** Windows IIS servers may expose 8.3 format filenames through timing attacks, revealing: * Hidden directories * Backup files * Configuration files **Output:** **Sample Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#graphql_scan-graphql-endpoint-detection) `graphql_scan` - GraphQL Endpoint Detection Discovers and analyzes GraphQL endpoints. **What It Checks:** * `/graphql` * `/graphiql` * `/api/graphql` * Custom endpoints **Analysis:** * Introspection enabled? * Schema extraction * Query suggestions **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#param_discovery-parameter-discovery) `param_discovery` - Parameter Discovery Discovers hidden parameters on web endpoints. **How It Works:** **Output:** **Sample Output:** **Configuration:** * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#wordlist-generation) Wordlist Generation ------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/modules/web-analysis#wordlist_gen-custom-wordlist-creation) `wordlist_gen` - Custom Wordlist Creation Generates target-specific wordlists from discovered content. **Sources:** * JavaScript content * HTML content * URL paths * Parameter names * Domain-specific terms **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#wordlist_gen_roboxtractor-robots.txt-analysis) `wordlist_gen_roboxtractor` - Robots.txt Analysis Extracts historical disallowed paths from Wayback Machine. **How It Works:** **Output:** **Configuration:** * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#password_dict-password-dictionary-generation) `password_dict` - Password Dictionary Generation Generates target-specific password lists based on the domain name. **How It Works:** The function takes the first part of the domain (e.g., "target" from "target.com") and generates password variations using: * Leetspeak transformations (a→4, e→3, etc.) * Common suffixes (123, !, 2024, etc.) * Length constraints **Output:** **Sample Output (for target.com):** **Configuration:** **Use Cases:** * Password spraying attacks (with authorization) * Testing default/weak credential policies * Generating custom wordlists for brute-force * * * ### [hashtag](https://docs.reconftw.com/modules/web-analysis#grpc_reflection-grpc-reflection-probing) `grpc_reflection` - gRPC Reflection Probing Discovers gRPC services with reflection enabled. **What is gRPC Reflection?** gRPC reflection allows clients to query a server for available services and methods without prior knowledge. When enabled (often for debugging), it exposes the entire API surface. **How It Works:** **Output:** **Sample Output:** **Configuration:** **Security Implications:** * Exposed reflection reveals internal API structure * Service names may reveal business logic * Combined with protobuf enumeration = full API mapping **Requirements:** * `grpcurl` installed * Network access to gRPC ports * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#output-summary) Output Summary -------------------------------------------------------------------------------------------- File Content `webs/webs.txt` Live web servers `webs/webs_info.txt` Detailed probe results `webs/url_extract.txt` All discovered URLs `screenshots/` Web screenshots `gf/*.txt` Pattern-classified URLs `js/js_secrets.txt` JavaScript secrets `fuzzing/` Directory fuzzing results `webs/cms_scanner.txt` CMS detection results * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#best-practices) Best Practices -------------------------------------------------------------------------------------------- 1. **Rate Limiting:** Respect target resources with appropriate rate limits 2. **Scope Filtering:** Use `-x` flag to exclude out-of-scope URLs 3. **Screenshot Review:** Visual inspection often reveals interesting assets 4. **JS Analysis Priority:** JavaScript often contains the most valuable secrets 5. **Custom Wordlists:** Generated wordlists improve fuzzing effectiveness * * * [hashtag](https://docs.reconftw.com/modules/web-analysis#next-steps) Next Steps ------------------------------------------------------------------------------------ * [**Vulnerability Module**](https://docs.reconftw.com/modules/vulnerabilities) - Test for security issues * [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understand results [PreviousSubdomain Deep Divechevron-left](https://docs.reconftw.com/modules/subdomains-deep-dive) [NextVulnerability Modulechevron-right](https://docs.reconftw.com/modules/vulnerabilities) Last updated 1 month ago * [Why Web Analysis?](https://docs.reconftw.com/modules/web-analysis#why-web-analysis) * [Module Overview](https://docs.reconftw.com/modules/web-analysis#module-overview) * [Configuration Options](https://docs.reconftw.com/modules/web-analysis#configuration-options) * [HTTP Probing](https://docs.reconftw.com/modules/web-analysis#http-probing) * [webprobe\_simple - Standard Port Probing](https://docs.reconftw.com/modules/web-analysis#webprobe_simple-standard-port-probing) * [webprobe\_full - Uncommon Port Probing](https://docs.reconftw.com/modules/web-analysis#webprobe_full-uncommon-port-probing) * [Screenshots](https://docs.reconftw.com/modules/web-analysis#screenshots) * [screenshot - Web Screenshot Capture](https://docs.reconftw.com/modules/web-analysis#screenshot-web-screenshot-capture) * [Virtual Hosts](https://docs.reconftw.com/modules/web-analysis#virtual-hosts) * [virtualhosts - Virtual Host Discovery](https://docs.reconftw.com/modules/web-analysis#virtualhosts-virtual-host-discovery) * [URL Collection](https://docs.reconftw.com/modules/web-analysis#url-collection) * [urlchecks - Full URL Extraction](https://docs.reconftw.com/modules/web-analysis#urlchecks-full-url-extraction) * [url\_gf - URL Pattern Classification](https://docs.reconftw.com/modules/web-analysis#url_gf-url-pattern-classification) * [url\_ext - File Extension Sorting](https://docs.reconftw.com/modules/web-analysis#url_ext-file-extension-sorting) * [JavaScript Analysis](https://docs.reconftw.com/modules/web-analysis#javascript-analysis) * [jschecks - Full JS Analysis](https://docs.reconftw.com/modules/web-analysis#jschecks-full-js-analysis) * [Directory Fuzzing](https://docs.reconftw.com/modules/web-analysis#directory-fuzzing) * [fuzz - Web Directory Fuzzing](https://docs.reconftw.com/modules/web-analysis#fuzz-web-directory-fuzzing) * [CMS Detection](https://docs.reconftw.com/modules/web-analysis#cms-detection) * [cms\_scanner - CMS Identification](https://docs.reconftw.com/modules/web-analysis#cms_scanner-cms-identification) * [Advanced Analysis](https://docs.reconftw.com/modules/web-analysis#advanced-analysis) * [iishortname - IIS Shortname Scanner](https://docs.reconftw.com/modules/web-analysis#iishortname-iis-shortname-scanner) * [graphql\_scan - GraphQL Endpoint Detection](https://docs.reconftw.com/modules/web-analysis#graphql_scan-graphql-endpoint-detection) * [param\_discovery - Parameter Discovery](https://docs.reconftw.com/modules/web-analysis#param_discovery-parameter-discovery) * [Wordlist Generation](https://docs.reconftw.com/modules/web-analysis#wordlist-generation) * [wordlist\_gen - Custom Wordlist Creation](https://docs.reconftw.com/modules/web-analysis#wordlist_gen-custom-wordlist-creation) * [wordlist\_gen\_roboxtractor - Robots.txt Analysis](https://docs.reconftw.com/modules/web-analysis#wordlist_gen_roboxtractor-robots.txt-analysis) * [password\_dict - Password Dictionary Generation](https://docs.reconftw.com/modules/web-analysis#password_dict-password-dictionary-generation) * [grpc\_reflection - gRPC Reflection Probing](https://docs.reconftw.com/modules/web-analysis#grpc_reflection-grpc-reflection-probing) * [Output Summary](https://docs.reconftw.com/modules/web-analysis#output-summary) * [Best Practices](https://docs.reconftw.com/modules/web-analysis#best-practices) * [Next Steps](https://docs.reconftw.com/modules/web-analysis#next-steps) sun-brightdesktopmoon Copy # In reconftw.cfg # Web probing WEBPROBESIMPLE=true # Probe 80/443 WEBPROBEFULL=true # Probe uncommon ports WEBSCREENSHOT=true # Screenshots VIRTUALHOSTS=false # Virtual host fuzzing # URL analysis URL_CHECK=true # URL collection URL_CHECK_PASSIVE=true # Passive URL sources URL_CHECK_ACTIVE=true # Active crawling URL_GF=true # Pattern matching URL_EXT=true # Extension sorting # JavaScript JSCHECKS=true # JS analysis XNLINKFINDER_DEPTH=3 # Link finder depth # Fuzzing FUZZ=true # Directory fuzzing FFUF_THREADS=40 FFUF_RATELIMIT=0 FFUF_MAXTIME=900 FFUF_FLAGS=" -mc all -fc 404 -sf -noninteractive -of json" # CMS CMS_SCANNER=true CMSSCAN_TIMEOUT=3600 # Other WORDLIST=true ROBOTSWORDLIST=true # Robots.txt wordlist generation PASSWORD_DICT=true # Password dictionary generation PASSWORD_MIN_LENGTH=5 # Min password length PASSWORD_MAX_LENGTH=14 # Max password length IIS_SHORTNAME=true GRAPHQL_CHECK=true GQLSPECTION=false PARAM_DISCOVERY=true GRPC_SCAN=false # gRPC reflection probing Copy Subdomains → httpx (80, 443) → Filter responses → → Extract metadata → webs.txt Copy webs/webs.txt # Live web servers webs/webs_info.txt # Detailed probe results Copy https://www.example.com [200] [Example Site] [nginx] [PHP,WordPress] https://api.example.com [401] [API Gateway] [cloudflare] https://admin.example.com [403] [Forbidden] [Apache] Copy WEBPROBESIMPLE=true HTTPX_THREADS=50 HTTPX_RATELIMIT=150 HTTPX_TIMEOUT=10 HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length" Copy 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000, 3001,3002,3003,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108, 5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014, 8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172, 8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983, 9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981, 10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000, 55440,55672 Copy webs/webs_uncommon_ports.txt Copy WEBPROBEFULL=true HTTPX_UNCOMMONPORTS_THREADS=100 HTTPX_UNCOMMONPORTS_TIMEOUT=10 UNCOMMON_PORTS_WEB="81,300,591,..." Copy webs.txt → nuclei (headless browser) → PNG screenshots Copy screenshots/ ├── screenshot_www.example.com_443.png ├── screenshot_api.example.com_443.png ├── screenshot_admin.example.com_8080.png └── hashes.txt # For change detection Copy screenshots/hashes.txt # Current scan hashes screenshots/hashes_prev.txt # Previous scan hashes screenshots/diff_changed.txt # Changed screenshots Copy WEBSCREENSHOT=true Copy IP addresses → Fuzz Host header with subdomain wordlist → → Compare responses → Identify unique virtual hosts Copy webs/virtualhosts.txt Copy VIRTUALHOSTS=false # Disabled by default (can be slow) Copy ┌─────────────────┐ │ webs.txt │ └────────┬────────┘ │ ┌─────────────────┼─────────────────┐ ▼ ▼ ▼ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ urlfinder│ │ katana │ │ JSA │ │ (passive)│ │ (active) │ │ (JS URLs)│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │ │ └────────────────┼────────────────┘ ▼ ┌──────────────────┐ │ Combine & Dedup │ └────────┬─────────┘ ▼ ┌──────────────────┐ │ url_extract.txt │ └──────────────────┘ Copy webs/url_extract.txt # All discovered URLs webs/url_extract_comb.txt # Combined and cleaned Copy URL_CHECK=true URL_CHECK_PASSIVE=true URL_CHECK_ACTIVE=true KATANA_THREADS=20 Copy gf/ ├── xss.txt ├── sqli.txt ├── ssrf.txt ├── redirect.txt ├── rce.txt ├── lfi.txt ├── ssti.txt ├── idor.txt └── debug_logic.txt Copy https://example.com/search?q=test https://example.com/page?msg=hello https://example.com/api?callback=func Copy URL_GF=true Copy webs/urls_by_extension/ ├── js.txt # JavaScript files ├── json.txt # JSON endpoints ├── php.txt # PHP files ├── asp.txt # ASP/ASPX files ├── jsp.txt # JSP files ├── xml.txt # XML files ├── pdf.txt # PDF documents ├── config.txt # Configuration files └── backup.txt # Backup files Copy URL_EXT=true Copy webs.txt → subjs (find JS files) → Download JS → → Multiple analyzers → Extract secrets/endpoints → Output Copy js/ ├── js_livelinks.txt # Extracted endpoints ├── js_secrets.txt # Discovered secrets ├── js_secrets_jsmap.txt # Sourcemap secrets ├── js_secrets_jsluice.txt # jsluice findings └── js_getjswords.txt # Wordlist from JS Copy [AWS_ACCESS_KEY] AKIA... in https://example.com/app.js [API_KEY] sk_live_... in https://example.com/config.js [PRIVATE_KEY] -----BEGIN RSA PRIVATE KEY----- in /bundle.js Copy JSCHECKS=true XNLINKFINDER_DEPTH=3 NUCLEI_FLAGS_JS="-silent -tags exposure,token -severity info,low,medium,high,critical" Copy webs.txt → ffuf (with wordlist) → Filter responses → → Identify interesting paths → Output Copy fuzzing/ ├── fuzzing_full.json # Complete results └── fuzzing_interesting.txt # Filtered findings Copy /admin [200] [Admin Panel] /backup [403] [Forbidden] /.git/config [200] [Git Config] /api/swagger [200] [Swagger UI] /phpinfo.php [200] [PHP Info] Copy FUZZ=true FFUF_THREADS=40 FFUF_RATELIMIT=0 FFUF_MAXTIME=900 FFUF_FLAGS=" -mc all -fc 404 -sf -noninteractive -of json" fuzz_wordlist=${tools}/fuzz_wordlist.txt Copy webs/cms_scanner.txt Copy [WordPress] https://blog.example.com Version: 6.2.1 Plugins: contact-form-7, yoast-seo Theme: flavor Users: admin, editor [Drupal] https://cms.example.com Version: 9.4.0 Modules: views, pathauto Copy CMS_SCANNER=true CMSSCAN_TIMEOUT=3600 Copy webs/iis_shortname.txt Copy [FOUND] /BACKUP~1 -> likely: /backups, /backup_old [FOUND] /CONFIG~1 -> likely: /config, /configuration [FOUND] /ASPNET~1 -> likely: /aspnet_client Copy IIS_SHORTNAME=true Copy webs/graphql_endpoints.txt webs/graphql_introspection.json # If GQLSPECTION enabled Copy GRAPHQL_CHECK=true GQLSPECTION=false # Deep introspection (heavier) Copy URLs with parameters → arjun → Fuzz parameter names → → Identify valid parameters → Output Copy webs/param_discovery.txt Copy https://api.example.com/search Found: q, page, limit, sort, debug, admin https://example.com/user Found: id, action, redirect, token Copy PARAM_DISCOVERY=true ARJUN_THREADS=10 Copy webs/wordlist_custom.txt Copy WORDLIST=true PASSWORD_DICT=true PASSWORD_MIN_LENGTH=5 PASSWORD_MAX_LENGTH=14 Copy Target domain → Wayback Machine → Historical robots.txt → → Extract disallow paths → Custom wordlist Copy webs/robots_wordlist.txt Copy ROBOTSWORDLIST=true Copy Domain name → Extract keywords → pydictor → → Apply leetspeak variations → Password wordlist Copy webs/password_dict.txt Copy target Target TARGET t4rget targ3t target123 Target2024! T4rg3t! Copy PASSWORD_DICT=true PASSWORD_MIN_LENGTH=5 # Minimum password length PASSWORD_MAX_LENGTH=14 # Maximum password length Copy IPs from hosts/ips.txt → Probe gRPC ports (50051, 50052) → → grpcurl reflection query → List available services Copy hosts/grpc_reflection.txt Copy [192.168.1.10:50051] grpc.reflection.v1alpha.ServerReflection [192.168.1.10:50051] helloworld.Greeter [192.168.1.10:50051] api.UserService [192.168.1.10:50051] api.AdminService Copy GRPC_SCAN=false # Disabled by default (requires grpcurl) sun-brightdesktopmoon --- # Output Interpretation | reconftw-docs Understanding reconFTW's output structure and how to interpret results is crucial for effective reconnaissance. * * * [hashtag](https://docs.reconftw.com/output/output#output-directory-structure) Output Directory Structure ------------------------------------------------------------------------------------------------------------- When you run a scan against `example.com`, reconFTW creates: Copy Recon/ └── example.com/ ├── subdomains/ # Subdomain enumeration results ├── webs/ # Web probing and analysis ├── hosts/ # IP and port scanning ├── osint/ # OSINT findings ├── vulns/ # Vulnerability scan results ├── nuclei_output/ # Nuclei JSON results ├── fuzzing/ # Directory/file fuzzing ├── js/ # JavaScript analysis ├── screenshots/ # Web screenshots ├── .tmp/ # Temporary files ├── .log/ # Execution logs ├── .called_fn/ # Checkpoint markers ├── assets.jsonl # Automation-friendly asset list └── hotlist.txt # Risk-scored findings * * * [hashtag](https://docs.reconftw.com/output/output#subdomain-files-subdomains) Subdomain Files (`subdomains/`) ------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/output/output#subdomains.txt) subdomains.txt **Content:** Final deduplicated list of discovered subdomains. **Format:** One subdomain per line. **Use Cases:** * Input for further enumeration * Scope verification * Asset inventory * * * ### [hashtag](https://docs.reconftw.com/output/output#subdomains_crt.txt) subdomains\_crt.txt **Content:** Subdomains from Certificate Transparency logs. **Source:** crt.sh queries * * * ### [hashtag](https://docs.reconftw.com/output/output#subdomains_dnsrecords.txt) subdomains\_dnsrecords.txt **Content:** DNS records for resolved subdomains. **Format:** Subdomain with record types. * * * ### [hashtag](https://docs.reconftw.com/output/output#subdomains_noerror.txt) subdomains\_noerror.txt **Content:** Subdomains discovered via DNS NOERROR response. **Technique:** DNS response code analysis. * * * ### [hashtag](https://docs.reconftw.com/output/output#subdomains_permut.txt) subdomains\_permut.txt **Content:** Subdomains found via permutation techniques. * * * ### [hashtag](https://docs.reconftw.com/output/output#subdomains_recursive.txt) subdomains\_recursive.txt **Content:** Subdomains from recursive enumeration. * * * ### [hashtag](https://docs.reconftw.com/output/output#subdomains_scraping.txt) subdomains\_scraping.txt **Content:** Subdomains extracted from web scraping. * * * [hashtag](https://docs.reconftw.com/output/output#web-files-webs) Web Files (`webs/`) ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/output/output#webs.txt) webs.txt **Content:** Live web servers (HTTP 200/30x responses). **Format:** Full URLs. **Use Cases:** * Target list for vulnerability scanning * Web application testing * Screenshot generation * * * ### [hashtag](https://docs.reconftw.com/output/output#webs_all.txt) webs\_all.txt **Content:** All probed URLs with HTTP response data. **Format:** URL with metadata. * * * ### [hashtag](https://docs.reconftw.com/output/output#url_extract.txt) url\_extract.txt **Content:** All discovered URLs from crawling and archives. **Sources:** gau, waybackurls, katana, hakrawler * * * ### [hashtag](https://docs.reconftw.com/output/output#takeover.txt) takeover.txt **Content:** Potential subdomain takeover vulnerabilities. **Format:** Subdomain with service info. **Action Required:** Verify and claim vulnerable subdomains. * * * ### [hashtag](https://docs.reconftw.com/output/output#url_gf) url\_gf/ **Content:** URLs categorized by vulnerability patterns. **Files:** * `xss.txt` - XSS candidates * `sqli.txt` - SQL injection candidates * `ssrf.txt` - SSRF candidates * `lfi.txt` - LFI candidates * `redirect.txt` - Open redirect candidates * `rce.txt` - RCE candidates * `idor.txt` - IDOR candidates **Example (xss.txt):** * * * ### [hashtag](https://docs.reconftw.com/output/output#url_extensions) url\_extensions/ **Content:** URLs grouped by file extension. **Files:** * `url_pdf.txt` * `url_doc.txt` * `url_js.txt` * `url_json.txt` * `url_xml.txt` * `url_config.txt` * * * [hashtag](https://docs.reconftw.com/output/output#host-files-hosts) Host Files (`hosts/`) ---------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#ips.txt) ips.txt **Content:** All resolved IP addresses (non-CDN). * * * ### [hashtag](https://docs.reconftw.com/output/output#cdn.txt) cdn.txt **Content:** IP addresses identified as CDN. * * * ### [hashtag](https://docs.reconftw.com/output/output#portscan_passive.txt) portscan\_passive.txt **Content:** Port scan results from Shodan. * * * ### [hashtag](https://docs.reconftw.com/output/output#portscan_active.txt) portscan\_active.txt **Content:** Active nmap scan results. **Format:** Standard nmap output. * * * ### [hashtag](https://docs.reconftw.com/output/output#portscan_active.xml) portscan\_active.xml **Content:** Nmap results in XML format. **Use Cases:** * Import to vulnerability scanners * Parse with scripts * Import to Faraday * * * ### [hashtag](https://docs.reconftw.com/output/output#portscan_active.gnmap) portscan\_active.gnmap **Content:** Nmap greppable format. * * * ### [hashtag](https://docs.reconftw.com/output/output#waf.txt) waf.txt **Content:** WAF detection results. * * * ### [hashtag](https://docs.reconftw.com/output/output#geo.txt) geo.txt **Content:** IP geolocation data. * * * [hashtag](https://docs.reconftw.com/output/output#osint-files-osint) OSINT Files (`osint/`) ------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/output/output#dorks.txt) dorks.txt **Content:** Google dork results. * * * ### [hashtag](https://docs.reconftw.com/output/output#emails.txt) emails.txt **Content:** Discovered email addresses. * * * ### [hashtag](https://docs.reconftw.com/output/output#passwords.txt) passwords.txt **Content:** Leaked credential data. **Format:** Email:password pairs (from breach databases). **⚠️ IMPORTANT:** Handle with care, sensitive data. * * * ### [hashtag](https://docs.reconftw.com/output/output#metadata_results.txt) metadata\_results.txt **Content:** Document metadata extraction. * * * ### [hashtag](https://docs.reconftw.com/output/output#github_company_secrets.json) github\_company\_secrets.json **Content:** Secrets found in GitHub repositories. **Format:** JSON with file locations and secret types. * * * ### [hashtag](https://docs.reconftw.com/output/output#apileaks.txt) apileaks.txt **Content:** API endpoints from Postman/Swagger leaks. * * * ### [hashtag](https://docs.reconftw.com/output/output#domain_info.txt) domain\_info.txt **Content:** WHOIS and domain intelligence. * * * ### [hashtag](https://docs.reconftw.com/output/output#spf_dmarc.txt) spf\_dmarc.txt **Content:** Email security analysis. * * * [hashtag](https://docs.reconftw.com/output/output#vulnerability-files-vulns) Vulnerability Files (`vulns/`) ---------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#nuclei_output) nuclei\_output/ **Content:** Nuclei scan results in JSON format. **Files:** * `nuclei_critical.json` * `nuclei_high.json` * `nuclei_medium.json` * `nuclei_low.json` * `nuclei_info.json` **Sample JSON:** * * * ### [hashtag](https://docs.reconftw.com/output/output#xss.txt) xss.txt **Content:** XSS vulnerability findings. * * * ### [hashtag](https://docs.reconftw.com/output/output#sqli.txt) sqli.txt **Content:** SQL injection findings. * * * ### [hashtag](https://docs.reconftw.com/output/output#ssrf.txt) ssrf.txt **Content:** SSRF vulnerability findings. * * * ### [hashtag](https://docs.reconftw.com/output/output#cors.txt) cors.txt **Content:** CORS misconfiguration findings. * * * ### [hashtag](https://docs.reconftw.com/output/output#redirect.txt) redirect.txt **Content:** Open redirect findings. * * * ### [hashtag](https://docs.reconftw.com/output/output#lfi.txt) lfi.txt **Content:** Local File Inclusion findings. * * * ### [hashtag](https://docs.reconftw.com/output/output#testssl.txt) testssl.txt **Content:** SSL/TLS analysis results. * * * [hashtag](https://docs.reconftw.com/output/output#javascript-files-js) JavaScript Files (`js/`) ---------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#js_files.txt) js\_files.txt **Content:** Discovered JavaScript file URLs. * * * ### [hashtag](https://docs.reconftw.com/output/output#js_secrets.txt) js\_secrets.txt **Content:** Secrets found in JavaScript files. * * * ### [hashtag](https://docs.reconftw.com/output/output#js_endpoints.txt) js\_endpoints.txt **Content:** API endpoints extracted from JavaScript. * * * [hashtag](https://docs.reconftw.com/output/output#fuzzing-files-fuzzing) Fuzzing Files (`fuzzing/`) -------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#fuzzing_full.txt) fuzzing\_full.txt **Content:** All fuzzing results combined. * * * ### [hashtag](https://docs.reconftw.com/output/output#fuzzing_-subdomain-.txt) fuzzing\_{subdomain}.txt **Content:** Per-subdomain fuzzing results. * * * [hashtag](https://docs.reconftw.com/output/output#screenshots-screenshots) Screenshots (`screenshots/`) ------------------------------------------------------------------------------------------------------------ **Content:** Web page screenshots. **Format:** PNG images named by URL hash. **Files:** * `https_www.example.com.png` * `https_api.example.com.png` * `http_dev.example.com_8080.png` **Gallery View:** Use gowitness report for HTML gallery. * * * [hashtag](https://docs.reconftw.com/output/output#log-files-.log) Log Files (`.log/`) ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/output/output#reconftw.log) reconftw.log **Content:** Main execution log. * * * ### [hashtag](https://docs.reconftw.com/output/output#errors.log) errors.log **Content:** Error messages during execution. * * * [hashtag](https://docs.reconftw.com/output/output#checkpoint-files-.called_fn) Checkpoint Files (`.called_fn/`) -------------------------------------------------------------------------------------------------------------------- **Content:** Function completion markers for checkpoint/resume. **Files:** **Purpose:** Resume interrupted scans from last checkpoint. * * * [hashtag](https://docs.reconftw.com/output/output#special-files) Special Files ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#assets.jsonl) assets.jsonl **Content:** Automation-friendly asset list in JSON Lines format. **Format:** **Use Cases:** * Pipeline integration * Custom tooling * Data analysis * * * ### [hashtag](https://docs.reconftw.com/output/output#hotlist.txt) hotlist.txt **Content:** Risk-scored priority targets. **Format:** Assets with risk indicators. * * * [hashtag](https://docs.reconftw.com/output/output#interpreting-nuclei-results) Interpreting Nuclei Results --------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#severity-levels) Severity Levels Severity Description Action **Critical** Immediate exploitation possible Report immediately **High** Significant security impact Prioritize remediation **Medium** Moderate risk Schedule fix **Low** Minor issues Best practice **Info** Informational Document ### [hashtag](https://docs.reconftw.com/output/output#reading-nuclei-json) Reading Nuclei JSON ### [hashtag](https://docs.reconftw.com/output/output#key-fields) Key Fields: * `template-id`: Template identifier * `severity`: Risk level * `host`: Target URL * `matched-at`: Exact vulnerable endpoint * `extracted-results`: Evidence of vulnerability * `curl-command`: Reproduction command * * * [hashtag](https://docs.reconftw.com/output/output#report-generation) Report Generation ------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#ai-generated-reports) AI-Generated Reports **Report Types:** * `detailed` - Technical deep-dive * `executive` - High-level summary * `compliance` - Compliance-focused ### [hashtag](https://docs.reconftw.com/output/output#manual-report-creation) Manual Report Creation 1. Collect key findings from: * `vulns/nuclei_output/` * `webs/takeover.txt` * `osint/github_company_secrets.json` 2. Prioritize by severity 3. Include reproduction steps from curl commands * * * [hashtag](https://docs.reconftw.com/output/output#data-export) Data Export ------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#export-to-csv) Export to CSV ### [hashtag](https://docs.reconftw.com/output/output#export-to-faraday) Export to Faraday Automatic when `FARADAY` is enabled. Results imported to workspace. ### [hashtag](https://docs.reconftw.com/output/output#export-to-json) Export to JSON Most output files have JSON equivalents in `.tmp/` directory. * * * [hashtag](https://docs.reconftw.com/output/output#cleanup) Cleanup ----------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/output/output#temporary-files) Temporary Files ### [hashtag](https://docs.reconftw.com/output/output#reset-checkpoints) Reset Checkpoints ### [hashtag](https://docs.reconftw.com/output/output#full-clean) Full Clean * * * [hashtag](https://docs.reconftw.com/output/output#next-steps) Next Steps ----------------------------------------------------------------------------- * [**Integrations**](https://docs.reconftw.com/integrations/axiom) - Axiom and Faraday * [**Advanced Usage**](https://docs.reconftw.com/advanced/advanced) - Custom functions [PreviousIntegrated Toolschevron-left](https://docs.reconftw.com/tools-reference/tools) [NextAxiom Integrationchevron-right](https://docs.reconftw.com/integrations/axiom) Last updated 1 month ago * [Output Directory Structure](https://docs.reconftw.com/output/output#output-directory-structure) * [Subdomain Files (subdomains/)](https://docs.reconftw.com/output/output#subdomain-files-subdomains) * [subdomains.txt](https://docs.reconftw.com/output/output#subdomains.txt) * [subdomains\_crt.txt](https://docs.reconftw.com/output/output#subdomains_crt.txt) * [subdomains\_dnsrecords.txt](https://docs.reconftw.com/output/output#subdomains_dnsrecords.txt) * [subdomains\_noerror.txt](https://docs.reconftw.com/output/output#subdomains_noerror.txt) * [subdomains\_permut.txt](https://docs.reconftw.com/output/output#subdomains_permut.txt) * [subdomains\_recursive.txt](https://docs.reconftw.com/output/output#subdomains_recursive.txt) * [subdomains\_scraping.txt](https://docs.reconftw.com/output/output#subdomains_scraping.txt) * [Web Files (webs/)](https://docs.reconftw.com/output/output#web-files-webs) * [webs.txt](https://docs.reconftw.com/output/output#webs.txt) * [webs\_all.txt](https://docs.reconftw.com/output/output#webs_all.txt) * [url\_extract.txt](https://docs.reconftw.com/output/output#url_extract.txt) * [takeover.txt](https://docs.reconftw.com/output/output#takeover.txt) * [url\_gf/](https://docs.reconftw.com/output/output#url_gf) * [url\_extensions/](https://docs.reconftw.com/output/output#url_extensions) * [Host Files (hosts/)](https://docs.reconftw.com/output/output#host-files-hosts) * [ips.txt](https://docs.reconftw.com/output/output#ips.txt) * [cdn.txt](https://docs.reconftw.com/output/output#cdn.txt) * [portscan\_passive.txt](https://docs.reconftw.com/output/output#portscan_passive.txt) * [portscan\_active.txt](https://docs.reconftw.com/output/output#portscan_active.txt) * [portscan\_active.xml](https://docs.reconftw.com/output/output#portscan_active.xml) * [portscan\_active.gnmap](https://docs.reconftw.com/output/output#portscan_active.gnmap) * [waf.txt](https://docs.reconftw.com/output/output#waf.txt) * [geo.txt](https://docs.reconftw.com/output/output#geo.txt) * [OSINT Files (osint/)](https://docs.reconftw.com/output/output#osint-files-osint) * [dorks.txt](https://docs.reconftw.com/output/output#dorks.txt) * [emails.txt](https://docs.reconftw.com/output/output#emails.txt) * [passwords.txt](https://docs.reconftw.com/output/output#passwords.txt) * [metadata\_results.txt](https://docs.reconftw.com/output/output#metadata_results.txt) * [github\_company\_secrets.json](https://docs.reconftw.com/output/output#github_company_secrets.json) * [apileaks.txt](https://docs.reconftw.com/output/output#apileaks.txt) * [domain\_info.txt](https://docs.reconftw.com/output/output#domain_info.txt) * [spf\_dmarc.txt](https://docs.reconftw.com/output/output#spf_dmarc.txt) * [Vulnerability Files (vulns/)](https://docs.reconftw.com/output/output#vulnerability-files-vulns) * [nuclei\_output/](https://docs.reconftw.com/output/output#nuclei_output) * [xss.txt](https://docs.reconftw.com/output/output#xss.txt) * [sqli.txt](https://docs.reconftw.com/output/output#sqli.txt) * [ssrf.txt](https://docs.reconftw.com/output/output#ssrf.txt) * [cors.txt](https://docs.reconftw.com/output/output#cors.txt) * [redirect.txt](https://docs.reconftw.com/output/output#redirect.txt) * [lfi.txt](https://docs.reconftw.com/output/output#lfi.txt) * [testssl.txt](https://docs.reconftw.com/output/output#testssl.txt) * [JavaScript Files (js/)](https://docs.reconftw.com/output/output#javascript-files-js) * [js\_files.txt](https://docs.reconftw.com/output/output#js_files.txt) * [js\_secrets.txt](https://docs.reconftw.com/output/output#js_secrets.txt) * [js\_endpoints.txt](https://docs.reconftw.com/output/output#js_endpoints.txt) * [Fuzzing Files (fuzzing/)](https://docs.reconftw.com/output/output#fuzzing-files-fuzzing) * [fuzzing\_full.txt](https://docs.reconftw.com/output/output#fuzzing_full.txt) * [fuzzing\_{subdomain}.txt](https://docs.reconftw.com/output/output#fuzzing_-subdomain-.txt) * [Screenshots (screenshots/)](https://docs.reconftw.com/output/output#screenshots-screenshots) * [Log Files (.log/)](https://docs.reconftw.com/output/output#log-files-.log) * [reconftw.log](https://docs.reconftw.com/output/output#reconftw.log) * [errors.log](https://docs.reconftw.com/output/output#errors.log) * [Checkpoint Files (.called\_fn/)](https://docs.reconftw.com/output/output#checkpoint-files-.called_fn) * [Special Files](https://docs.reconftw.com/output/output#special-files) * [assets.jsonl](https://docs.reconftw.com/output/output#assets.jsonl) * [hotlist.txt](https://docs.reconftw.com/output/output#hotlist.txt) * [Interpreting Nuclei Results](https://docs.reconftw.com/output/output#interpreting-nuclei-results) * [Severity Levels](https://docs.reconftw.com/output/output#severity-levels) * [Reading Nuclei JSON](https://docs.reconftw.com/output/output#reading-nuclei-json) * [Key Fields:](https://docs.reconftw.com/output/output#key-fields) * [Report Generation](https://docs.reconftw.com/output/output#report-generation) * [AI-Generated Reports](https://docs.reconftw.com/output/output#ai-generated-reports) * [Manual Report Creation](https://docs.reconftw.com/output/output#manual-report-creation) * [Data Export](https://docs.reconftw.com/output/output#data-export) * [Export to CSV](https://docs.reconftw.com/output/output#export-to-csv) * [Export to Faraday](https://docs.reconftw.com/output/output#export-to-faraday) * [Export to JSON](https://docs.reconftw.com/output/output#export-to-json) * [Cleanup](https://docs.reconftw.com/output/output#cleanup) * [Temporary Files](https://docs.reconftw.com/output/output#temporary-files) * [Reset Checkpoints](https://docs.reconftw.com/output/output#reset-checkpoints) * [Full Clean](https://docs.reconftw.com/output/output#full-clean) * [Next Steps](https://docs.reconftw.com/output/output#next-steps) sun-brightdesktopmoon Copy www.example.com api.example.com mail.example.com dev.example.com staging.example.com Copy www.example.com mail.example.com *.dev.example.com autodiscover.example.com Copy www.example.com [A] 93.184.216.34 mail.example.com [CNAME] mail.example.com.mail.protection.outlook.com api.example.com [A] 93.184.216.35 example.com [MX] 10 mail.example.com example.com [TXT] "v=spf1 include:_spf.google.com ~all" Copy https://www.example.com https://api.example.com http://dev.example.com:8080 https://staging.example.com Copy https://www.example.com [200] [Example Site] [nginx] https://api.example.com [200] [API v2] [Express] http://dev.example.com:8080 [403] [Forbidden] [Apache] Copy https://example.com/login https://example.com/api/v1/users https://example.com/admin/dashboard https://example.com/uploads/document.pdf https://example.com/search?q=test Copy VULNERABLE: docs.example.com [GitHub Pages] VULNERABLE: blog.example.com [Heroku] EDGE CASE: old.example.com [S3 bucket] Copy https://example.com/search?q=FUZZ https://example.com/user?name=FUZZ https://example.com/callback?url=FUZZ Copy 93.184.216.34 93.184.216.35 10.0.0.100 Copy 104.16.132.229 [cloudflare] 151.101.1.195 [fastly] 13.32.123.45 [cloudfront] Copy 93.184.216.34 22/tcp open ssh OpenSSH 8.2 80/tcp open http nginx 1.18 443/tcp open https nginx 1.18 3306/tcp open mysql MySQL 8.0 Copy Nmap scan report for 93.184.216.34 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu | vulners: | CVE-2020-15778 6.8 80/tcp open http nginx 1.18.0 443/tcp open ssl/https nginx 1.18.0 | ssl-cert: Subject: CN=example.com Copy Host: 93.184.216.34 () Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https// Copy https://www.example.com WAF: Cloudflare Detected by: Response headers https://api.example.com WAF: AWS WAF Detected by: Response behavior Copy 93.184.216.34 Country: United States Region: California City: Los Angeles Org: Edgecast Inc. ASN: AS15133 Copy [site:example.com filetype:pdf] https://example.com/documents/report.pdf https://example.com/downloads/manual.pdf [site:example.com inurl:admin] https://example.com/admin/login https://example.com/administrator/ Copy [email protected] [email protected] [email protected] [email protected] Copy [email protected]:password123 [email protected]:admin2020 Copy File: report.pdf Author: John Doe Creator: Microsoft Word Creation Date: 2023-01-15 Software: Adobe Acrobat File: presentation.pptx Author: Jane Smith Company: Example Corp Last Modified: 2023-03-20 Copy [\ {\ "file": "config.js",\ "repo": "example/webapp",\ "secret_type": "AWS_KEY",\ "match": "AKIA..."\ },\ {\ "file": ".env.example",\ "repo": "example/api",\ "secret_type": "API_KEY",\ "match": "sk_live_..."\ }\ ] Copy [Postman Collection: example-api] POST /api/v1/users GET /api/v1/orders DELETE /api/v1/sessions [Swagger: api.example.com] /api/auth/login /api/users/{id} /api/admin/settings Copy Domain: example.com Registrar: GoDaddy Created: 1995-08-14 Expires: 2025-08-13 Registrant: Example Corporation Email: [email protected] Nameservers: ns1.example.com ns2.example.com Copy Domain: example.com SPF Record: v=spf1 include:_spf.google.com ~all Status: CONFIGURED Policy: Soft fail DMARC Record: v=DMARC1; p=quarantine; rua=mailto:[email protected] Status: CONFIGURED Policy: Quarantine Email Spoofing: PROTECTED (moderate) Copy { "template-id": "cve-2021-44228-log4j-rce", "info": { "name": "Apache Log4j RCE", "severity": "critical", "tags": ["cve", "rce", "log4j"] }, "matcher-name": "dns", "host": "https://api.example.com", "matched-at": "https://api.example.com/api/v1/log", "timestamp": "2023-06-15T10:30:45Z" } Copy [VULNERABLE] https://example.com/search?q= Payload: Type: Reflected XSS [VULNERABLE] https://example.com/user?name="> Payload: "> Type: Reflected XSS Copy [VULNERABLE] https://example.com/product?id=1 Parameter: id Type: Boolean-based blind Payload: 1 AND 1=1 DBMS: MySQL [VULNERABLE] https://example.com/user?name=admin Parameter: name Type: Error-based Payload: admin' DBMS: PostgreSQL Copy [VULNERABLE] https://example.com/fetch?url=http://169.254.169.254 Parameter: url Type: Blind SSRF Evidence: Delayed response / OOB callback Copy [MISCONFIGURED] https://api.example.com Issue: Arbitrary Origin Reflection ACAO: * ACAC: true Impact: Credential theft possible Copy [VULNERABLE] https://example.com/redirect?url=https://evil.com Parameter: url Redirects to: https://evil.com Copy [VULNERABLE] https://example.com/view?file=../../../etc/passwd Parameter: file Payload: ../../../etc/passwd Evidence: root:x:0:0:root:/root:/bin/bash Copy Testing: https://example.com Protocol Support: TLS 1.3: YES TLS 1.2: YES TLS 1.1: NO (good) TLS 1.0: NO (good) SSL 3.0: NO (good) Vulnerabilities: Heartbleed: NOT vulnerable ROBOT: NOT vulnerable BEAST: NOT vulnerable Certificate: Subject: CN=example.com Issuer: Let's Encrypt Valid Until: 2024-01-15 Key Size: 2048 bits Copy https://example.com/static/app.js https://example.com/assets/bundle.min.js https://example.com/js/vendor.js https://cdn.example.com/lib/jquery-3.6.0.min.js Copy [API_KEY] https://example.com/app.js Line 145: apiKey: "sk_live_abc123..." [AWS_KEY] https://example.com/config.js Line 23: accessKeyId: "AKIA..." [PRIVATE_KEY] https://example.com/auth.js Line 89: privateKey: "-----BEGIN RSA PRIVATE KEY-----" Copy /api/v1/users /api/v1/orders /api/v2/products /internal/admin/settings /graphql /api/auth/token Copy [200] https://example.com/admin [200] https://example.com/api [301] https://example.com/docs → /documentation [403] https://example.com/.git [200] https://example.com/backup.zip Copy # Generate HTML report gowitness report serve Copy [2023-06-15 10:00:00] Starting reconnaissance for example.com [2023-06-15 10:00:01] Running sub_passive... [2023-06-15 10:05:30] sub_passive completed: 150 subdomains [2023-06-15 10:05:31] Running sub_crt... Copy [ERROR] subfinder: API rate limit exceeded for VirusTotal [ERROR] httpx: Connection timeout for staging.example.com [WARN] nuclei: Template cve-2021-1234 deprecated Copy .called_fn/ ├── sub_passive ├── sub_crt ├── sub_brute ├── webprobe_simple └── nuclei_check Copy {"subdomain":"www.example.com","ip":"93.184.216.34","url":"https://www.example.com","status":200,"title":"Example Site"} {"subdomain":"api.example.com","ip":"93.184.216.35","url":"https://api.example.com","status":200,"title":"API v2"} Copy [HIGH] https://admin.example.com - Admin panel exposed [HIGH] https://api.example.com/graphql - GraphQL endpoint [MEDIUM] https://staging.example.com - Staging environment [MEDIUM] https://dev.example.com - Development server Copy { "template-id": "cve-2021-44228-log4j-rce", "info": { "name": "Apache Log4j2 RCE (CVE-2021-44228)", "severity": "critical", "description": "Apache Log4j2 allows remote code execution...", "reference": ["https://nvd.nist.gov/vuln/detail/CVE-2021-44228"], "tags": ["cve", "cve2021", "rce", "log4j", "apache"] }, "type": "http", "host": "https://api.example.com", "matched-at": "https://api.example.com/api/v1/log", "extracted-results": ["dns-callback-received"], "curl-command": "curl -X POST ...", "timestamp": "2023-06-15T10:30:45.123456789Z" } Copy # Generate AI report ./reconftw.sh -d example.com -y # Custom report type ./reconftw.sh -d example.com -y --report-type executive Copy # Convert JSON to CSV cat nuclei_output/*.json | jq -r '[.host, .["template-id"], .info.severity] | @csv' Copy # Clear temp files rm -rf Recon/example.com/.tmp/* Copy # Remove checkpoints to re-run functions rm -rf Recon/example.com/.called_fn/* Copy # Remove all data for target rm -rf Recon/example.com/ sun-brightdesktopmoon --- # Integrated Tools | reconftw-docs reconFTW integrates 80+ security tools. This reference documents each tool, its purpose, and how reconFTW uses it. * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#tool-categories) Tool Categories ----------------------------------------------------------------------------------------------- Category Tools Purpose Subdomain Enumeration 15+ Discover subdomains DNS Analysis 8+ DNS resolution and records Web Probing 10+ HTTP analysis Content Discovery 6+ Directory/file fuzzing Vulnerability Scanning 20+ Detect vulnerabilities OSINT 12+ Intelligence gathering Utilities 10+ Support functions * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#installation-verification) Installation Verification ------------------------------------------------------------------------------------------------------------------- Copy # Check all tool installations ./reconftw.sh --check-tools # System health check ./reconftw.sh --health-check * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#subdomain-enumeration-tools) Subdomain Enumeration Tools ----------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#subfinder) subfinder **Purpose:** Passive subdomain enumeration using APIs and data sources. **Data Sources:** VirusTotal, Shodan, Censys, SecurityTrails, and 40+ more. **Usage in reconFTW:** Copy # Called in sub_passive() subfinder -d example.com -all -o output.txt **Configuration:** Copy # Control how long passive enumeration runs (minutes) SUBFINDER_ENUM_TIMEOUT=180 # API keys in ~/.config/subfinder/provider-config.yaml **Website:** https://github.com/projectdiscovery/subfinder * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#amass) amass **Purpose:** Multi-source subdomain enumeration using multiple techniques. **Techniques:** DNS brute-force, web scraping, APIs, certificate logs. **Usage in reconFTW:** Copy # Passive mode amass enum -passive -d example.com -o output.txt **Configuration:** Copy # API keys in ~/.config/amass/config.ini **Website:** https://github.com/owasp-amass/amass * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#assetfinder) assetfinder **Purpose:** Fast passive subdomain enumeration. **Usage in reconFTW:** Copy # Called for quick enumeration echo example.com | assetfinder --subs-only **Website:** https://github.com/tomnomnom/assetfinder * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#findomain) findomain **Purpose:** Fast subdomain enumeration using multiple APIs. **Usage in reconFTW:** Copy findomain -t example.com -u output.txt **Configuration:** Copy # API keys as environment variables FINDOMAIN_FB_TOKEN=... FINDOMAIN_VIRUSTOTAL_TOKEN=... **Website:** https://github.com/Findomain/Findomain * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#github-subdomains) github-subdomains **Purpose:** Find subdomains mentioned in GitHub code. **Usage in reconFTW:** Copy github-subdomains -d example.com -t $GITHUB_TOKEN **Configuration:** Copy GITHUB_TOKEN="your_token" # In secrets.cfg **Website:** https://github.com/gwen001/github-subdomains * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#crt.sh-ctfr) crt.sh / ctfr **Purpose:** Query Certificate Transparency logs. **Usage in reconFTW:** Copy # Certificate transparency lookup curl "https://crt.sh/?q=%25.example.com&output=json" * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#dnsx) dnsx **Purpose:** Fast DNS resolution and record querying. **Usage in reconFTW:** Copy # DNS resolution cat subdomains.txt | dnsx -silent -a -resp **Configuration:** Copy DNSX_THREADS=100 **Website:** https://github.com/projectdiscovery/dnsx * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#puredns) puredns **Purpose:** High-performance DNS brute-forcing with wildcard filtering. **Usage in reconFTW:** Copy # DNS brute-force puredns bruteforce wordlist.txt example.com -r resolvers.txt **Configuration:** Copy PUREDNS_PUBLIC_LIMIT=10 **Website:** https://github.com/d3mondev/puredns * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#shuffledns) shuffledns **Purpose:** Wrapper for massdns with wildcard handling. **Usage in reconFTW:** Copy shuffledns -d example.com -w wordlist.txt -r resolvers.txt **Website:** https://github.com/projectdiscovery/shuffledns * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#dnsgen) dnsgen **Purpose:** Generate subdomain permutations. **Usage in reconFTW:** Copy # Generate permutations cat subdomains.txt | dnsgen - | puredns resolve **Website:** https://github.com/ProjectAnte/dnsgen * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#alterx) alterx **Purpose:** AI-powered subdomain permutation generation. **Usage in reconFTW:** Copy # Called in sub_ia_permut() echo example.com | alterx **Website:** https://github.com/projectdiscovery/alterx * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gotator) gotator **Purpose:** Fast subdomain permutation generator. **Usage in reconFTW:** Copy gotator -sub subdomains.txt -perm permutations.txt -depth 1 **Website:** https://github.com/Josue87/gotator * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#regulator) regulator **Purpose:** Generate subdomains based on regex patterns. **Usage in reconFTW:** Copy # Called in sub_regex_permut() regulator -d example.com * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#analyticsrelationships) analyticsrelationships **Purpose:** Find related domains via Google Analytics IDs. **Usage in reconFTW:** Copy # Find related domains analyticsrelationships -ch $BUILTWITH_API_KEY **Website:** https://github.com/Josue87/AnalyticsRelationships * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#tlsx) tlsx **Purpose:** TLS/SSL certificate analysis and subdomain discovery. **Usage in reconFTW:** Copy # Extract subdomains from certificates echo example.com | tlsx -san -cn -silent **Website:** https://github.com/projectdiscovery/tlsx * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#web-probing-tools) Web Probing Tools --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#httpx) httpx **Purpose:** Fast HTTP probing with metadata extraction. **Features:** Status codes, titles, technologies, content length. **Usage in reconFTW:** Copy # Probe for live hosts cat subdomains.txt | httpx -ports 80,443,8080 -title -tech-detect **Configuration:** Copy HTTPX_THREADS=50 HTTPX_RATELIMIT=150 HTTPX_TIMEOUT=10 **Website:** https://github.com/projectdiscovery/httpx * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gowitness) gowitness **Purpose:** Web screenshot tool. **Usage in reconFTW:** Copy # Screenshot web pages gowitness file -f webs.txt --delay 2 **Configuration:** Copy GOWITNESS_THREADS=8 **Website:** https://github.com/sensepost/gowitness * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#webanalyze) webanalyze **Purpose:** Technology detection (Wappalyzer-based). **Usage in reconFTW:** Copy # Detect technologies webanalyze -host https://example.com **Website:** https://github.com/rverton/webanalyze * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#wafw00f) wafw00f **Purpose:** Web Application Firewall detection. **Usage in reconFTW:** Copy # Detect WAF wafw00f https://example.com **Website:** https://github.com/EnableSecurity/wafw00f * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#content-discovery-tools) Content Discovery Tools --------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#ffuf) ffuf **Purpose:** Fast web fuzzer for directory/file discovery. **Usage in reconFTW:** Copy # Directory fuzzing ffuf -u https://example.com/FUZZ -w wordlist.txt -mc 200,301,302 **Configuration:** Copy FFUF_THREADS=40 FFUF_RATELIMIT= **Website:** https://github.com/ffuf/ffuf * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#feroxbuster) feroxbuster **Purpose:** Recursive content discovery. **Usage in reconFTW:** Copy # Recursive fuzzing feroxbuster -u https://example.com -w wordlist.txt **Website:** https://github.com/epi052/feroxbuster * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#dirsearch) dirsearch **Purpose:** Web path discovery. **Usage in reconFTW:** Copy # Directory enumeration dirsearch -u https://example.com -e php,html,js **Website:** https://github.com/maurosoria/dirsearch * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#hakrawler) hakrawler **Purpose:** Web crawler for URL discovery. **Usage in reconFTW:** Copy # Crawl website echo https://example.com | hakrawler -d 3 **Website:** https://github.com/hakluke/hakrawler * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#katana) katana **Purpose:** Modern web crawler. **Usage in reconFTW:** Copy # Crawl and extract URLs katana -u https://example.com -d 3 -jc **Website:** https://github.com/projectdiscovery/katana * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gospider) gospider **Purpose:** Fast web spidering. **Usage in reconFTW:** Copy # Spider website gospider -s https://example.com -d 2 **Website:** https://github.com/jaeles-project/gospider * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gau) gau **Purpose:** Fetch known URLs from web archives. **Sources:** Wayback Machine, Common Crawl, URLScan. **Usage in reconFTW:** Copy # Get archived URLs echo example.com | gau --threads 5 **Website:** https://github.com/lc/gau * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#waybackurls) waybackurls **Purpose:** Fetch URLs from Wayback Machine. **Usage in reconFTW:** Copy echo example.com | waybackurls **Website:** https://github.com/tomnomnom/waybackurls * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#vulnerability-scanning-tools) Vulnerability Scanning Tools ------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#nuclei) nuclei **Purpose:** Template-based vulnerability scanner. **Usage in reconFTW:** Copy # Scan with templates nuclei -l urls.txt -t ~/nuclei-templates -severity critical,high **Configuration:** Copy NUCLEI_RATELIMIT=150 NUCLEI_SEVERITY="critical,high,medium" NUCLEI_TEMPLATES_PATH="$HOME/nuclei-templates" NUCLEI_EXTRA_ARGS="" **Website:** https://github.com/projectdiscovery/nuclei * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#dalfox) dalfox **Purpose:** XSS vulnerability scanner. **Usage in reconFTW:** Copy # Test for XSS dalfox url https://example.com/search?q=test **Configuration:** Copy DALFOX_THREADS=30 **Website:** https://github.com/hahwul/dalfox * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#sqlmap) sqlmap **Purpose:** Automatic SQL injection detection. **Usage in reconFTW:** Copy # Test for SQLi sqlmap -u "https://example.com/page?id=1" --batch **Configuration:** Copy SQLMAP_THREADS=5 **Website:** https://github.com/sqlmapproject/sqlmap * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#ghauri) ghauri **Purpose:** Advanced SQL injection scanner. **Usage in reconFTW:** Copy # Alternative SQLi testing ghauri -u "https://example.com/page?id=1" **Website:** https://github.com/r0oth3x49/ghauri * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#commix) commix **Purpose:** Command injection exploitation. **Usage in reconFTW:** Copy # Test for command injection commix -u "https://example.com/ping?host=test" **Website:** https://github.com/commixproject/commix * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#crlfuzz) crlfuzz **Purpose:** CRLF injection scanner. **Usage in reconFTW:** Copy # Test for CRLF crlfuzz -l urls.txt **Website:** https://github.com/dwisiswant0/crlfuzz * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#interactsh-client) interactsh-client **Purpose:** Out-of-band interaction detection. **Usage in reconFTW:** Copy # OOB testing server interactsh-client **Website:** https://github.com/projectdiscovery/interactsh * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#ssrf-sheriff) ssrf-sheriff **Purpose:** SSRF vulnerability detection. **Usage in reconFTW:** Copy # Test for SSRF ssrf-sheriff -u "https://example.com/fetch?url=" * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#tplmap) tplmap **Purpose:** Server-side template injection detection. **Usage in reconFTW:** Copy # Test for SSTI tplmap -u "https://example.com/page?name=test" **Website:** https://github.com/epinna/tplmap * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#ppfuzz) ppfuzz **Purpose:** Prototype pollution scanner. **Usage in reconFTW:** Copy # Test for prototype pollution ppfuzz -l urls.txt * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#smuggler) smuggler **Purpose:** HTTP request smuggling detection. **Usage in reconFTW:** Copy # Test for smuggling python3 smuggler.py -u https://example.com **Website:** https://github.com/defparam/smuggler * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#web-cache-vulnerability-scanner) Web-Cache-Vulnerability-Scanner **Purpose:** Web cache poisoning detection. **Usage in reconFTW:** Copy # Test for cache poisoning wcvs -u https://example.com * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#testssl.sh) testssl.sh **Purpose:** SSL/TLS vulnerability testing. **Usage in reconFTW:** Copy # Test SSL configuration testssl.sh https://example.com **Website:** https://github.com/drwetter/testssl.sh * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#byp4xx) byp4xx **Purpose:** 403/401 bypass techniques. **Usage in reconFTW:** Copy # Bypass 4xx byp4xx https://example.com/admin **Website:** https://github.com/lobuhi/byp4xx * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gf) gf **Purpose:** Pattern extraction from URLs. **Patterns:** XSS, SQLi, SSRF, LFI, etc. **Usage in reconFTW:** Copy # Extract SQLi candidates cat urls.txt | gf sqli **Website:** https://github.com/tomnomnom/gf * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gxss) Gxss **Purpose:** Check for reflected parameters. **Usage in reconFTW:** Copy # Check reflection cat urls.txt | Gxss **Website:** https://github.com/KathanP19/Gxss * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#kxss) kxss **Purpose:** Find reflected XSS endpoints. **Usage in reconFTW:** Copy # Find reflected params cat urls.txt | kxss **Website:** https://github.com/Emoe/kxss * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#osint-tools) OSINT Tools --------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#theharvester) theHarvester **Purpose:** Email and subdomain harvesting. **Usage in reconFTW:** Copy # Harvest emails theHarvester -d example.com -b all **Website:** https://github.com/laramies/theHarvester * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#emailfinder) emailfinder **Purpose:** Find email addresses. **Usage in reconFTW:** Copy # Find emails emailfinder -d example.com **Website:** https://github.com/Josue87/EmailFinder * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#pwndb) pwndb **Purpose:** Check for leaked credentials. **Usage in reconFTW:** Copy # Check leaks pwndb -t example.com * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gitdorker) gitdorker **Purpose:** GitHub dorking for secrets. **Usage in reconFTW:** Copy # Search GitHub python3 GitDorker.py -tf GITHUB_TOKEN -q example.com **Website:** https://github.com/obheda12/GitDorker * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#trufflehog) trufflehog **Purpose:** Secret scanning in repositories. **Usage in reconFTW:** Copy # Scan for secrets trufflehog github --org example **Website:** https://github.com/trufflesecurity/trufflehog * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#gitrob) gitrob **Purpose:** GitHub organization reconnaissance. **Usage in reconFTW:** Copy # Scan GitHub org gitrob -o example-org * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#cloud_enum) cloud\_enum **Purpose:** Cloud storage enumeration. **Usage in reconFTW:** Copy # Enumerate cloud storage python3 cloud_enum.py -k example **Website:** https://github.com/initstring/cloud\_enum * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#dnsrecon) dnsrecon **Purpose:** DNS enumeration and zone transfer. **Usage in reconFTW:** Copy # Zone transfer check dnsrecon -d example.com -t axfr **Website:** https://github.com/darkoperator/dnsrecon * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#spoof.py) spoof.py **Purpose:** Email spoofing check. **Usage in reconFTW:** Copy # Check SPF/DMARC spoofcheck.py example.com * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#metagoofil) metagoofil **Purpose:** Metadata extraction from documents. **Usage in reconFTW:** Copy # Extract metadata metagoofil -d example.com -t pdf,doc **Website:** https://github.com/laramies/metagoofil * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#port-scanning-tools) Port Scanning Tools ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#nmap) nmap **Purpose:** Network discovery and security auditing. **Usage in reconFTW:** Copy # Port scan nmap -sV -sC --top-ports 200 -Pn target.txt **Configuration:** Copy PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open" **Website:** https://nmap.org/ * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#smap) smap **Purpose:** Shodan-based passive port scanning. **Usage in reconFTW:** Copy # Passive port scan smap target.txt **Website:** https://github.com/s0md3v/Smap * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#masscan) masscan **Purpose:** Fast port scanning. **Usage in reconFTW:** Copy # Quick port scan masscan -p1-65535 target -rate=1000 **Website:** https://github.com/robertdavidgraham/masscan * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#javascript-analysis-tools) JavaScript Analysis Tools ------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#getjs) getJS **Purpose:** Extract JavaScript files from pages. **Usage in reconFTW:** Copy # Get JS files getJS -url https://example.com **Website:** https://github.com/003random/getJS * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#subjs) subjs **Purpose:** Find JavaScript files in pages. **Usage in reconFTW:** Copy # Find JS cat urls.txt | subjs **Website:** https://github.com/lc/subjs * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#linkfinder) linkfinder **Purpose:** Find endpoints in JavaScript files. **Usage in reconFTW:** Copy # Extract endpoints python3 linkfinder.py -i https://example.com/app.js **Website:** https://github.com/GerbenJav);do/LinkFinder * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#secretfinder) secretfinder **Purpose:** Find secrets in JavaScript. **Usage in reconFTW:** Copy # Find secrets in JS python3 SecretFinder.py -i https://example.com/app.js **Website:** https://github.com/m4ll0k/SecretFinder * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#mantra) mantra **Purpose:** Hunt for API keys and secrets. **Usage in reconFTW:** Copy # Find API keys mantra -u https://example.com * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#jsluice) jsluice **Purpose:** JavaScript analysis and URL extraction. **Usage in reconFTW:** Copy # Analyze JS cat app.js | jsluice urls **Website:** https://github.com/BishopFox/jsluice * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#utility-tools) Utility Tools ------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#anew) anew **Purpose:** Append lines to file if they don't exist. **Usage in reconFTW:** Copy # Deduplicate append cat new.txt | anew existing.txt **Website:** https://github.com/tomnomnom/anew * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#qsreplace) qsreplace **Purpose:** Replace query string parameters. **Usage in reconFTW:** Copy # Replace params cat urls.txt | qsreplace FUZZ **Website:** https://github.com/tomnomnom/qsreplace * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#unfurl) unfurl **Purpose:** Parse and extract URL components. **Usage in reconFTW:** Copy # Extract domains cat urls.txt | unfurl domains **Website:** https://github.com/tomnomnom/unfurl * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#urldedupe) urldedupe **Purpose:** Remove duplicate URLs. **Usage in reconFTW:** Copy # Deduplicate URLs cat urls.txt | urldedupe **Website:** https://github.com/ameenmaali/urldedupe * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#inscope) inscope **Purpose:** Filter URLs by scope. **Usage in reconFTW:** Copy # Filter in-scope cat urls.txt | inscope **Website:** https://github.com/tomnomnom/inscope * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#interlace) interlace **Purpose:** Run commands across multiple targets. **Usage in reconFTW:** Copy # Parallel execution interlace -tL targets.txt -threads 10 -c "cmd _target_" **Website:** https://github.com/codingo/Interlace * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#notify) notify **Purpose:** Send notifications (Slack, Discord, etc.). **Usage in reconFTW:** Copy # Send notification echo "message" | notify **Configuration:** Copy NOTIFICATION=true **Website:** https://github.com/projectdiscovery/notify * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#cdncheck) cdncheck **Purpose:** Identify CDN providers. **Usage in reconFTW:** Copy # Check for CDN cat ips.txt | cdncheck **Website:** https://github.com/projectdiscovery/cdncheck * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#mapcidr) mapcidr **Purpose:** CIDR manipulation and expansion. **Usage in reconFTW:** Copy # Expand CIDR echo "192.168.1.0/24" | mapcidr **Website:** https://github.com/projectdiscovery/mapcidr * * * ### [hashtag](https://docs.reconftw.com/tools-reference/tools#dnsvalidator) dnsvalidator **Purpose:** Validate DNS resolvers. **Usage in reconFTW:** Copy # Validate resolvers dnsvalidator -tL resolvers.txt -threads 100 **Website:** https://github.com/vortexau/dnsvalidator * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#api-dependent-tools) API-Dependent Tools ------------------------------------------------------------------------------------------------------- These tools require API keys configured in `secrets.cfg`: Tool API Required subfinder Multiple (optional) shodan SHODAN\_API\_KEY censys CENSYS\_API\_ID, CENSYS\_API\_SECRET github-subdomains GITHUB\_TOKEN gitdorker GITHUB\_TOKEN whoisxml WHOISXML\_API securitytrails SECURITYTRAILS\_KEY intelx INTELX\_KEY hunter HUNTER\_API\_KEY * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#tool-update-commands) Tool Update Commands --------------------------------------------------------------------------------------------------------- Copy # Update reconFTW and reinstall all tools cd reconftw git pull ./install.sh # Update specific tool go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest # Update nuclei templates nuclei -update-templates * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#tool-troubleshooting) Tool Troubleshooting --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/tools-reference/tools#common-issues) Common Issues 1. **Tool not found:** Ensure `~/go/bin` is in PATH 2. **Permission denied:** Check executable permissions 3. **API errors:** Verify API keys in secrets.cfg 4. **Rate limiting:** Reduce thread counts ### [hashtag](https://docs.reconftw.com/tools-reference/tools#verification) Verification Copy # Check tool path which httpx # Check version httpx -version # Test functionality echo example.com | httpx -silent * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#adding-custom-tools) Adding Custom Tools ------------------------------------------------------------------------------------------------------- To integrate a new tool: 1. Install the tool 2. Create wrapper function in custom module 3. Add configuration options to reconftw.cfg 4. Test integration * * * [hashtag](https://docs.reconftw.com/tools-reference/tools#next-steps) Next Steps ------------------------------------------------------------------------------------- * [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understanding results * [**Configuration**](https://docs.reconftw.com/configuration/configuration) - Tool settings [PreviousHost Modulechevron-left](https://docs.reconftw.com/modules/hosts) [NextOutput Interpretationchevron-right](https://docs.reconftw.com/output/output) Last updated 1 month ago --- # Host Module | reconftw-docs The host analysis module examines the infrastructure behind discovered assets, including port scanning, CDN detection, WAF identification, cloud enumeration, and geolocation. * * * [hashtag](https://docs.reconftw.com/modules/hosts#module-overview) Module Overview --------------------------------------------------------------------------------------- Function Purpose Tools `portscan` Port discovery (passive + active) nmap, smap `cdnprovider` CDN detection and filtering cdncheck `waf_checks` WAF detection wafw00f `favicon` Real IP discovery via favicon fav-up `cloud_extra_providers` Extra cloud storage enumeration curl `geo_info` IP geolocation ipinfo `banner_grabber` Service banner extraction nmap * * * [hashtag](https://docs.reconftw.com/modules/hosts#configuration-options) Configuration Options --------------------------------------------------------------------------------------------------- Copy # In reconftw.cfg # Master toggle PORTSCANNER=true # Port scanning PORTSCAN_PASSIVE=true # Shodan-based (requires API key) PORTSCAN_ACTIVE=true # Nmap-based # Nmap options PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners" # Other host checks FAVICON=true # Favicon IP discovery CDN_IP=true # CDN detection GEO_INFO=true # Geolocation WAF_DETECTION=true # WAF detection # IPv6 IPV6_SCAN=true # IPv6 discovery * * * [hashtag](https://docs.reconftw.com/modules/hosts#port-scanning) Port Scanning ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#passive-port-scanning-shodan) Passive Port Scanning (Shodan) Uses Shodan API to retrieve port/service information without touching the target. **How It Works:** Copy IP addresses → smap (Shodan query) → → Return known open ports → hosts/portscan_passive.txt **Advantages:** * No direct target interaction * Historical data available * Fast results **Limitations:** * Requires Shodan API key * Data may be outdated * Only indexed hosts **Output:** Copy hosts/portscan_passive.txt **Sample Output:** Copy 192.168.1.10 22/tcp ssh OpenSSH 8.2 80/tcp http nginx 1.18 443/tcp https nginx 1.18 3306/tcp mysql MySQL 8.0 **Configuration:** Copy PORTSCAN_PASSIVE=true SHODAN_API_KEY="your_key" # In secrets.cfg * * * ### [hashtag](https://docs.reconftw.com/modules/hosts#active-port-scanning-nmap) Active Port Scanning (Nmap) Performs direct port scanning against target IPs. **How It Works:** Copy IP addresses (non-CDN) → nmap → → Scan ports → Service detection → Vuln scripts → Output **Default Scan Options:** Copy PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners" **Option Breakdown:** Option Description `--top-ports 200` Scan top 200 ports `-sV` Version detection `-n` No DNS resolution `-Pn` Skip host discovery `--open` Show only open ports `--max-retries 2` Retry limit `--script vulners` Check for CVEs **Output:** Copy hosts/portscan_active.txt # Human readable hosts/portscan_active.xml # Nmap XML format hosts/portscan_active.gnmap # Greppable format **Sample Output:** Copy Nmap scan report for 192.168.1.10 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 | vulners: | CVE-2020-15778 6.8 80/tcp open http nginx 1.18.0 443/tcp open ssl/https nginx 1.18.0 3306/tcp open mysql MySQL 8.0.26 **Configuration:** Copy PORTSCAN_ACTIVE=true PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open" **Custom Scan Profiles:** Copy # Quick scan (top 100 ports) PORTSCAN_ACTIVE_OPTIONS="--top-ports 100 -Pn --open" # Full port scan (all ports) PORTSCAN_ACTIVE_OPTIONS="-p- -sV -sC -Pn --open" # Stealth scan (slower, less detectable) PORTSCAN_ACTIVE_OPTIONS="-sS -T2 --top-ports 1000 -Pn" * * * [hashtag](https://docs.reconftw.com/modules/hosts#cdn-detection) CDN Detection ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#cdnprovider-cdn-identification) `cdnprovider` - CDN Identification Identifies IPs behind CDN providers to avoid scanning CDN infrastructure. **Why It Matters:** * CDN IPs don't represent the actual target * Scanning CDNs wastes resources * May violate CDN terms of service * Focus on real infrastructure **CDN Providers Detected:** * Cloudflare * Akamai * Fastly * CloudFront * Incapsula * And many more... **How It Works:** Copy All IPs → cdncheck → → Identify CDN IPs → Separate into cdn.txt and non-cdn IPs **Output:** Copy hosts/cdn.txt # CDN IPs (excluded from active scans) hosts/ips.txt # Non-CDN IPs (scanned) **Sample Output:** Copy # cdn.txt 104.16.132.229 [cloudflare] 151.101.1.195 [fastly] 13.32.123.45 [cloudfront] # ips.txt (non-CDN, will be scanned) 192.168.1.10 10.0.0.5 **Configuration:** Copy CDN_IP=true * * * [hashtag](https://docs.reconftw.com/modules/hosts#waf-detection) WAF Detection ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#waf_checks-web-application-firewall-detection) `waf_checks` - Web Application Firewall Detection Identifies WAF/security products protecting web applications. **WAFs Detected:** * Cloudflare * AWS WAF * Akamai * Imperva/Incapsula * ModSecurity * Sucuri * F5 BIG-IP * And 100+ more... **How It Works:** Copy webs.txt → wafw00f → → Send probe requests → Analyze responses → Identify WAF **Output:** Copy hosts/waf.txt **Sample Output:** Copy https://www.example.com WAF: Cloudflare Detected by: Response headers, Server header https://api.example.com WAF: AWS WAF Detected by: Response behavior https://admin.example.com WAF: None detected **Why It Matters:** * Adjust attack strategies * Understand defensive posture * Identify bypass opportunities * Report in findings **Configuration:** Copy WAF_DETECTION=true * * * [hashtag](https://docs.reconftw.com/modules/hosts#favicon-analysis) Favicon Analysis ----------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#favicon-real-ip-discovery) `favicon` - Real IP Discovery Discovers real IP addresses behind CDN/proxy by analyzing favicon hashes. **How It Works:** Copy Known favicon hash → Shodan search → → Find servers with same favicon → Potential real IPs **Technique:** 1. Download favicon from target 2. Calculate hash (MurmurHash3) 3. Search Shodan for matching hashes 4. Servers with same favicon may be the real origin **Output:** Copy hosts/favicontest.txt **Sample Output:** Copy # Favicon hash: -1234567890 Real IP candidates: 192.168.1.100 (Direct match) 10.0.0.50 (Partial match) **Configuration:** Copy FAVICON=true SHODAN_API_KEY="your_key" # Required * * * [hashtag](https://docs.reconftw.com/modules/hosts#geolocation) Geolocation ------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#geo_info-ip-geolocation) `geo_info` - IP Geolocation Retrieves geographic information for discovered IP addresses. **Information Gathered:** * Country * Region/State * City * Organization/ISP * ASN **How It Works:** Copy IP addresses → ipinfo.io API → → Geolocation data → hosts/geo.txt **Output:** Copy hosts/geo.txt **Sample Output:** Copy 192.168.1.10 Country: United States Region: California City: San Francisco Org: Example Hosting Inc. ASN: AS12345 10.0.0.5 Country: Germany Region: Hesse City: Frankfurt Org: AWS ASN: AS16509 **Use Cases:** * Understand infrastructure distribution * Identify hosting providers * Compliance/jurisdiction issues * Attack surface mapping **Configuration:** Copy GEO_INFO=true * * * [hashtag](https://docs.reconftw.com/modules/hosts#cloud-storage-enumeration) Cloud Storage Enumeration ----------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#cloud_extra_providers-extra-cloud-provider-checks) `cloud_extra_providers` - Extra Cloud Provider Checks Discovers misconfigured cloud storage buckets beyond standard S3 enumeration. **Cloud Providers Checked:** * **Google Cloud Storage (GCS)** * `https://storage.googleapis.com/{name}/` * `https://{name}.storage.googleapis.com/` * **Azure Blob Storage** * `https://{name}.blob.core.windows.net/{container}` * Tests common containers: public, static, media, images, assets, backup, files, cdn **How It Works:** Copy Domain → Extract company/brand names → → Generate candidate bucket names → Test cloud URLs → → Check for public access (200/403) → Report findings **Name Generation:** 1. Domain root (e.g., "example" from "example.com") 2. Company name variations 3. Subdomain prefixes (e.g., "api", "dev", "staging") 4. Combined with common container names **Output:** Copy subdomains/cloud_extra.txt **Sample Output:** Copy GCS examplecorp https://storage.googleapis.com/examplecorp/ GCS example-backup https://example-backup.storage.googleapis.com/ AZURE examplecorp/public https://examplecorp.blob.core.windows.net/public AZURE example-dev/static https://example-dev.blob.core.windows.net/static **What It Finds:** * Publicly accessible storage buckets * Buckets returning 403 (exist but restricted - worth manual testing) * Misconfigured backup/static file storage **Security Implications:** * Public buckets may contain sensitive data * 403 responses confirm bucket existence (enumeration value) * Backup buckets often contain valuable data **Note:** This complements the OSINT module's `cloud_enum` function by testing additional providers and name variations. * * * [hashtag](https://docs.reconftw.com/modules/hosts#ipv6-scanning) IPv6 Scanning ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#ipv6-discovery-and-scanning) IPv6 Discovery and Scanning Discovers and scans IPv6 addresses when available. **How It Works:** Copy Subdomains → DNS AAAA records → → IPv6 addresses → Include in scanning **Configuration:** Copy IPV6_SCAN=true **Note:** IPv6 scanning may reveal additional attack surface not visible via IPv4. * * * [hashtag](https://docs.reconftw.com/modules/hosts#data-flow) Data Flow --------------------------------------------------------------------------- Copy ┌─────────────────────────────────────────────────────────────────────┐ │ Host Analysis Flow │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌────────────────┐ │ │ │ subdomains.txt │ │ │ └───────┬────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────┐ │ │ │ DNS Resolution│ (sub_dns) │ │ └───────┬────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────┐ │ │ │ All IPs │ │ │ └───────┬────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────┐ ┌────────────────┐ │ │ │ cdnprovider │────▶│ cdn.txt │ (excluded) │ │ └───────┬────────┘ └────────────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────┐ │ │ │ Non-CDN IPs │ │ │ └───────┬────────┘ │ │ │ │ │ ┌─────┴─────┬─────────────┬─────────────┐ │ │ ▼ ▼ ▼ ▼ │ │ ┌──────┐ ┌────────┐ ┌─────────┐ ┌─────────┐ │ │ │ nmap │ │ shodan │ │ wafw00f │ │ geo_info│ │ │ │active│ │passive │ │ (WAF) │ │ (geo) │ │ │ └──┬───┘ └───┬────┘ └────┬────┘ └────┬────┘ │ │ │ │ │ │ │ │ ▼ ▼ ▼ ▼ │ │ portscan_ portscan_ waf.txt geo.txt │ │ active.txt passive.txt │ │ │ └─────────────────────────────────────────────────────────────────────┘ * * * [hashtag](https://docs.reconftw.com/modules/hosts#output-files-summary) Output Files Summary ------------------------------------------------------------------------------------------------- File Content `hosts/ips.txt` All resolved IP addresses `hosts/cdn.txt` IPs identified as CDN `hosts/portscan_passive.txt` Shodan port results `hosts/portscan_active.txt` Nmap scan results `hosts/portscan_active.xml` Nmap XML output `hosts/portscan_active.gnmap` Nmap greppable output `hosts/waf.txt` WAF detection results `hosts/geo.txt` Geolocation data `hosts/favicontest.txt` Favicon real IP discovery `hosts/grpc_reflection.txt` gRPC services with reflection `subdomains/cloud_extra.txt` Extra cloud storage findings * * * [hashtag](https://docs.reconftw.com/modules/hosts#integration-with-vulnerability-scanning) Integration with Vulnerability Scanning --------------------------------------------------------------------------------------------------------------------------------------- Host analysis results feed into vulnerability scanning: 1. **Port scan results** → Password spraying targets 2. **Service versions** → CVE matching (vulners script) 3. **Non-CDN IPs** → Focus active testing 4. **WAF detection** → Adjust attack strategies * * * [hashtag](https://docs.reconftw.com/modules/hosts#best-practices) Best Practices ------------------------------------------------------------------------------------- 1. **CDN Awareness:** Don't waste resources scanning CDN IPs 2. **Rate Limiting:** Aggressive port scans can trigger alerts 3. **Authorization:** Ensure port scanning is in scope 4. **Service Detection:** Version info helps identify vulnerabilities 5. **Passive First:** Start with Shodan to minimize noise 6. **IPv6 Coverage:** Don't forget IPv6 attack surface * * * [hashtag](https://docs.reconftw.com/modules/hosts#nmap-scan-customization) Nmap Scan Customization ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules/hosts#quick-discovery) Quick Discovery Copy PORTSCAN_ACTIVE_OPTIONS="--top-ports 100 -Pn -T4" ### [hashtag](https://docs.reconftw.com/modules/hosts#full-scan) Full Scan Copy PORTSCAN_ACTIVE_OPTIONS="-p- -sV -sC -Pn" ### [hashtag](https://docs.reconftw.com/modules/hosts#stealth-scan) Stealth Scan Copy PORTSCAN_ACTIVE_OPTIONS="-sS -T2 --top-ports 1000 -Pn" ### [hashtag](https://docs.reconftw.com/modules/hosts#service-focus) Service Focus Copy PORTSCAN_ACTIVE_OPTIONS="-p 21,22,23,25,80,443,3306,5432,6379,27017 -sV -Pn" * * * [hashtag](https://docs.reconftw.com/modules/hosts#next-steps) Next Steps ----------------------------------------------------------------------------- * [**Tools Reference**](https://docs.reconftw.com/tools-reference/tools) - All integrated tools * [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understand results [PreviousVulnerability Modulechevron-left](https://docs.reconftw.com/modules/vulnerabilities) [NextIntegrated Toolschevron-right](https://docs.reconftw.com/tools-reference/tools) Last updated 1 month ago --- # Faraday Integration | reconftw-docs Faraday is a collaborative vulnerability management platform. reconFTW integrates with Faraday to automatically import scan results. * * * [hashtag](https://docs.reconftw.com/integrations/faraday#what-is-faraday) What is Faraday? ----------------------------------------------------------------------------------------------- Faraday provides: * **Centralized vulnerability database** * **Team collaboration features** * **Report generation** * **Integration with 80+ security tools** * **Workspace management** * * * [hashtag](https://docs.reconftw.com/integrations/faraday#prerequisites) Prerequisites ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/integrations/faraday#faraday-installation) Faraday Installation Copy # Docker installation (recommended) docker pull faradaysec/faraday:latest docker run -d --name faraday -p 5985:5985 faradaysec/faraday # Or native installation pip install faradaysec ### [hashtag](https://docs.reconftw.com/integrations/faraday#faraday-setup) Faraday Setup 1. Access Faraday web interface: `http://localhost:5985` 2. Create admin account 3. Create workspace for your project 4. Generate API token * * * [hashtag](https://docs.reconftw.com/integrations/faraday#configuration-in-reconftw) Configuration in reconFTW ------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/integrations/faraday#enable-faraday-integration) Enable Faraday Integration Copy # In reconftw.cfg # Enable Faraday FARADAY=true # Faraday server URL FARADAY_URL="http://localhost:5985" # Workspace name FARADAY_WORKSPACE="reconftw" # API credentials (in secrets.cfg) # FARADAY_API_TOKEN="your_token" ### [hashtag](https://docs.reconftw.com/integrations/faraday#secrets.cfg-setup) secrets.cfg Setup Copy # In secrets.cfg FARADAY_API_TOKEN="your_api_token_here" * * * [hashtag](https://docs.reconftw.com/integrations/faraday#data-imported-to-faraday) Data Imported to Faraday ---------------------------------------------------------------------------------------------------------------- reconFTW automatically sends: Data Type Source Faraday Entity Hosts Subdomain resolution Host Services Port scan (nmap) Service Vulnerabilities Nuclei results Vulnerability CVEs Nmap vulners script Vulnerability * * * [hashtag](https://docs.reconftw.com/integrations/faraday#integration-flow) Integration Flow ------------------------------------------------------------------------------------------------ Copy ┌─────────────────────────────────────────────────────────────────────┐ │ Faraday Integration Flow │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ │ │ │ reconFTW │ │ │ │ Scan │ │ │ └──────┬───────┘ │ │ │ │ │ ┌────┴────┬────────────┬─────────────┐ │ │ ▼ ▼ ▼ ▼ │ │ ┌──────┐ ┌───────┐ ┌──────────┐ ┌──────────┐ │ │ │Nuclei│ │ Nmap │ │ Hosts │ │ Services │ │ │ │ JSON │ │ XML │ │ IPs │ │ Ports │ │ │ └──┬───┘ └───┬───┘ └────┬─────┘ └────┬─────┘ │ │ │ │ │ │ │ │ └────┬────┴───────────┴─────────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ │ │ │ faraday-cli │ (or API calls) │ │ └──────┬───────┘ │ │ │ │ │ │ POST /api/v3/ws/{workspace}/... │ │ ▼ │ │ ┌──────────────────────────────────────────────────────┐ │ │ │ Faraday Server │ │ │ ├──────────────────────────────────────────────────────┤ │ │ │ ┌─────────┐ ┌─────────────┐ ┌────────────────┐ │ │ │ │ │ Hosts │ │ Services │ │ Vulnerabilities│ │ │ │ │ │ Table │ │ Table │ │ Table │ │ │ │ │ └─────────┘ └─────────────┘ └────────────────┘ │ │ │ └──────────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ * * * [hashtag](https://docs.reconftw.com/integrations/faraday#workspace-management) Workspace Management -------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/faraday#create-workspace) Create Workspace Copy # Via Faraday CLI faraday-cli create_ws reconftw # Via API curl -X POST "http://localhost:5985/api/v3/ws" \ -H "Authorization: Token $FARADAY_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{"name": "reconftw"}' ### [hashtag](https://docs.reconftw.com/integrations/faraday#workspace-strategy) Workspace Strategy Strategy Description Use Case Per-target One workspace per domain Isolated scans Per-program One workspace per bug bounty Program tracking Unified Single workspace Overview of all targets * * * [hashtag](https://docs.reconftw.com/integrations/faraday#viewing-results) Viewing Results ---------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/faraday#faraday-web-interface) Faraday Web Interface 1. Open `http://localhost:5985` 2. Select workspace (`reconftw`) 3. Navigate to: * **Hosts:** All discovered hosts with IPs * **Services:** Ports and services per host * **Vulns:** All vulnerabilities by severity ### [hashtag](https://docs.reconftw.com/integrations/faraday#faraday-cli) Faraday CLI Copy # List hosts faraday-cli host -w reconftw # List vulnerabilities faraday-cli vuln -w reconftw # Export report faraday-cli report -w reconftw -o report.pdf * * * [hashtag](https://docs.reconftw.com/integrations/faraday#report-generation) Report Generation -------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/faraday#built-in-reports) Built-in Reports Faraday generates reports in multiple formats: * PDF * HTML * Markdown * CSV ### [hashtag](https://docs.reconftw.com/integrations/faraday#custom-templates) Custom Templates Copy # Create custom report template faraday-cli report -w reconftw --template custom.html * * * [hashtag](https://docs.reconftw.com/integrations/faraday#advanced-configuration) Advanced Configuration ------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/integrations/faraday#severity-mapping) Severity Mapping reconFTW maps nuclei severities to Faraday: Nuclei Severity Faraday Severity critical Critical high High medium Medium low Low info Informational ### [hashtag](https://docs.reconftw.com/integrations/faraday#custom-fields) Custom Fields Copy # Add custom data to vulnerabilities # In reconftw.cfg FARADAY_CUSTOM_FIELDS=true ### [hashtag](https://docs.reconftw.com/integrations/faraday#bulk-import) Bulk Import For large scans, results are batched: Copy # Batch size configuration FARADAY_BATCH_SIZE=100 * * * [hashtag](https://docs.reconftw.com/integrations/faraday#troubleshooting) Troubleshooting ---------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations/faraday#connection-issues) Connection Issues Copy # Test Faraday connectivity curl -X GET "http://localhost:5985/api/v3/info" \ -H "Authorization: Token $FARADAY_API_TOKEN" ### [hashtag](https://docs.reconftw.com/integrations/faraday#authentication-errors) Authentication Errors Copy # Verify token # Check secrets.cfg has correct token # Regenerate token in Faraday web UI if needed ### [hashtag](https://docs.reconftw.com/integrations/faraday#missing-data) Missing Data 1. Check workspace exists 2. Verify scan completed successfully 3. Review Faraday logs: `docker logs faraday` ### [hashtag](https://docs.reconftw.com/integrations/faraday#duplicate-entries) Duplicate Entries Faraday deduplicates by: * Host: IP address * Service: IP + port + protocol * Vulnerability: Name + host + service * * * [hashtag](https://docs.reconftw.com/integrations/faraday#best-practices) Best Practices -------------------------------------------------------------------------------------------- 1. **Workspace naming:** Use consistent naming convention 2. **Token security:** Keep API token in secrets.cfg 3. **Regular cleanup:** Archive old workspaces 4. **Backup:** Export workspaces regularly 5. **Access control:** Use Faraday roles for team access * * * [hashtag](https://docs.reconftw.com/integrations/faraday#alternative-manual-import) Alternative: Manual Import ------------------------------------------------------------------------------------------------------------------- If automatic integration fails, import manually: Copy # Import nmap results faraday-cli tool nmap -w reconftw hosts/portscan_active.xml # Import nuclei results faraday-cli tool nuclei -w reconftw vulns/nuclei_output/*.json * * * [hashtag](https://docs.reconftw.com/integrations/faraday#next-steps) Next Steps ------------------------------------------------------------------------------------ * [**Deployment Guide**](https://docs.reconftw.com/deployment/deployment) - Full setup * [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understanding results [PreviousAxiom Integrationchevron-left](https://docs.reconftw.com/integrations/axiom) [NextDeployment Guidechevron-right](https://docs.reconftw.com/deployment/deployment) Last updated 1 month ago --- # Deployment Guide | reconftw-docs This guide covers all deployment options for reconFTW: local installation, Docker, cloud platforms, and infrastructure as code. * * * [hashtag](https://docs.reconftw.com/deployment/deployment#deployment-options-overview) Deployment Options Overview ----------------------------------------------------------------------------------------------------------------------- Method Best For Complexity Local Install Development, single machine Low Docker Portability, isolation Low VPS Long-running scans Medium Terraform/Ansible Reproducible infrastructure High Proxmox Home lab, dedicated hardware Medium * * * [hashtag](https://docs.reconftw.com/deployment/deployment#local-installation) Local Installation ----------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#system-requirements) System Requirements Resource Minimum Recommended CPU 2 cores 4+ cores RAM 4 GB 8+ GB Disk 20 GB 50+ GB OS Ubuntu 20.04+ Ubuntu 22.04 ### [hashtag](https://docs.reconftw.com/deployment/deployment#quick-install) Quick Install Copy # Clone repository git clone https://github.com/six2dez/reconftw.git cd reconftw # Run installer ./install.sh # Verify installation ./reconftw.sh --check-tools ### [hashtag](https://docs.reconftw.com/deployment/deployment#manual-installation) Manual Installation Copy # Install system dependencies sudo apt update sudo apt install -y git curl wget python3 python3-pip ruby golang jq # Set up Go environment export GOPATH=$HOME/go export PATH=$PATH:$GOPATH/bin echo 'export GOPATH=$HOME/go' >> ~/.bashrc echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.bashrc # Clone and install git clone https://github.com/six2dez/reconftw.git cd reconftw ./install.sh ### [hashtag](https://docs.reconftw.com/deployment/deployment#macos-installation) macOS Installation Copy # Install Homebrew dependencies brew install git curl wget python3 go ruby jq coreutils gnu-sed # Use GNU versions export PATH="/opt/homebrew/opt/coreutils/libexec/gnubin:$PATH" export PATH="/opt/homebrew/opt/gnu-sed/libexec/gnubin:$PATH" # Clone and install git clone https://github.com/six2dez/reconftw.git cd reconftw ./install.sh * * * [hashtag](https://docs.reconftw.com/deployment/deployment#docker-deployment) Docker Deployment --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#using-official-image) Using Official Image Copy # Pull latest image docker pull six2dez/reconftw:latest # Run scan docker run -it --rm \ -v $(pwd)/Recon:/reconftw/Recon \ -v $(pwd)/reconftw.cfg:/reconftw/reconftw.cfg \ -v $(pwd)/secrets.cfg:/reconftw/secrets.cfg \ six2dez/reconftw:latest \ -d example.com -r ### [hashtag](https://docs.reconftw.com/deployment/deployment#docker-compose) Docker Compose Create `docker-compose.yml`: Copy version: '3.8' services: reconftw: image: six2dez/reconftw:latest container_name: reconftw volumes: - ./Recon:/reconftw/Recon - ./reconftw.cfg:/reconftw/reconftw.cfg - ./secrets.cfg:/reconftw/secrets.cfg - ./wordlists:/reconftw/wordlists environment: - TERM=xterm-256color stdin_open: true tty: true command: ["-d", "example.com", "-r"] Run with: Copy docker-compose up ### [hashtag](https://docs.reconftw.com/deployment/deployment#building-custom-image) Building Custom Image Copy # Dockerfile.custom FROM six2dez/reconftw:latest # Add custom tools RUN go install -v github.com/custom/tool@latest # Add custom wordlists COPY ./wordlists /reconftw/wordlists # Add custom config COPY ./reconftw.cfg /reconftw/reconftw.cfg Build and run: Copy docker build -t reconftw-custom -f Dockerfile.custom . docker run -it --rm -v $(pwd)/Recon:/reconftw/Recon reconftw-custom -d example.com -r ### [hashtag](https://docs.reconftw.com/deployment/deployment#volume-mounts) Volume Mounts Mount Purpose `/reconftw/Recon` Output directory `/reconftw/reconftw.cfg` Configuration `/reconftw/secrets.cfg` API keys `/reconftw/wordlists` Custom wordlists ### [hashtag](https://docs.reconftw.com/deployment/deployment#resource-limits) Resource Limits Copy # docker-compose.yml with limits services: reconftw: image: six2dez/reconftw:latest deploy: resources: limits: cpus: '4' memory: 8G reservations: cpus: '2' memory: 4G * * * [hashtag](https://docs.reconftw.com/deployment/deployment#vps-deployment) VPS Deployment --------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#recommended-providers) Recommended Providers Provider Instance Specs Cost/mo DigitalOcean Basic Droplet 2vCPU/4GB $24 Linode Linode 4GB 2vCPU/4GB $24 Vultr Cloud Compute 2vCPU/4GB $24 Hetzner CX21 2vCPU/4GB €5.83 AWS t3.medium 2vCPU/4GB ~$30 ### [hashtag](https://docs.reconftw.com/deployment/deployment#initial-vps-setup) Initial VPS Setup Copy # Connect to VPS ssh root@your-vps-ip # Update system apt update && apt upgrade -y # Create non-root user adduser recon usermod -aG sudo recon # Switch to user su - recon # Install reconFTW git clone https://github.com/six2dez/reconftw.git cd reconftw ./install.sh ### [hashtag](https://docs.reconftw.com/deployment/deployment#security-hardening) Security Hardening Copy # Disable root login sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config # Setup firewall sudo ufw allow ssh sudo ufw enable # Install fail2ban sudo apt install fail2ban sudo systemctl enable fail2ban ### [hashtag](https://docs.reconftw.com/deployment/deployment#running-long-scans) Running Long Scans Copy # Use tmux for persistent sessions sudo apt install tmux tmux new -s recon # Start scan inside tmux ./reconftw.sh -d example.com -a # Detach: Ctrl+B, then D # Reattach: tmux attach -t recon ### [hashtag](https://docs.reconftw.com/deployment/deployment#screen-alternative) Screen Alternative Copy # Use screen screen -S recon ./reconftw.sh -d example.com -a # Detach: Ctrl+A, then D # Reattach: screen -r recon * * * [hashtag](https://docs.reconftw.com/deployment/deployment#terraform-deployment) Terraform Deployment --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#aws-terraform) AWS Terraform Copy # main.tf terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 4.0" } } } provider "aws" { region = "us-east-1" } resource "aws_instance" "reconftw" { ami = "ami-0c55b159cbfafe1f0" # Ubuntu 22.04 instance_type = "t3.medium" key_name = "your-key-pair" vpc_security_group_ids = [aws_security_group.reconftw.id] user_data = <<-EOF #!/bin/bash apt update apt install -y git git clone https://github.com/six2dez/reconftw.git /opt/reconftw cd /opt/reconftw && ./install.sh EOF tags = { Name = "reconftw" } root_block_device { volume_size = 50 } } resource "aws_security_group" "reconftw" { name = "reconftw-sg" description = "Security group for reconFTW" ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["YOUR_IP/32"] # Restrict to your IP } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } output "instance_ip" { value = aws_instance.reconftw.public_ip } Deploy: Copy terraform init terraform plan terraform apply ### [hashtag](https://docs.reconftw.com/deployment/deployment#digitalocean-terraform) DigitalOcean Terraform Copy # main.tf terraform { required_providers { digitalocean = { source = "digitalocean/digitalocean" version = "~> 2.0" } } } variable "do_token" {} provider "digitalocean" { token = var.do_token } resource "digitalocean_droplet" "reconftw" { image = "ubuntu-22-04-x64" name = "reconftw" region = "nyc1" size = "s-2vcpu-4gb" ssh_keys = [digitalocean_ssh_key.default.fingerprint] user_data = <<-EOF #!/bin/bash apt update apt install -y git git clone https://github.com/six2dez/reconftw.git /opt/reconftw cd /opt/reconftw && ./install.sh EOF } resource "digitalocean_ssh_key" "default" { name = "reconftw-key" public_key = file("~/.ssh/id_rsa.pub") } output "ip_address" { value = digitalocean_droplet.reconftw.ipv4_address } * * * [hashtag](https://docs.reconftw.com/deployment/deployment#ansible-deployment) Ansible Deployment ----------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#playbook) Playbook Copy # reconftw-playbook.yml --- - name: Deploy reconFTW hosts: reconftw_servers become: yes vars: reconftw_user: recon reconftw_path: /opt/reconftw tasks: - name: Update apt cache apt: update_cache: yes - name: Install dependencies apt: name: - git - curl - wget - python3 - python3-pip - golang - ruby - jq state: present - name: Create reconftw user user: name: "{{ reconftw_user }}" shell: /bin/bash groups: sudo append: yes - name: Clone reconFTW git: repo: https://github.com/six2dez/reconftw.git dest: "{{ reconftw_path }}" version: main become_user: "{{ reconftw_user }}" - name: Run installer shell: ./install.sh args: chdir: "{{ reconftw_path }}" become_user: "{{ reconftw_user }}" - name: Copy configuration copy: src: ./reconftw.cfg dest: "{{ reconftw_path }}/reconftw.cfg" owner: "{{ reconftw_user }}" mode: '0644' - name: Copy secrets copy: src: ./secrets.cfg dest: "{{ reconftw_path }}/secrets.cfg" owner: "{{ reconftw_user }}" mode: '0600' ### [hashtag](https://docs.reconftw.com/deployment/deployment#inventory) Inventory Copy # inventory.ini [reconftw_servers] reconftw-1 ansible_host=192.168.1.100 ansible_user=root reconftw-2 ansible_host=192.168.1.101 ansible_user=root Run: Copy ansible-playbook -i inventory.ini reconftw-playbook.yml * * * [hashtag](https://docs.reconftw.com/deployment/deployment#proxmox-deployment) Proxmox Deployment ----------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#create-vm) Create VM 1. Upload Ubuntu ISO to Proxmox 2. Create VM: * CPU: 2+ cores * RAM: 4+ GB * Disk: 50+ GB 3. Install Ubuntu 4. Install reconFTW ### [hashtag](https://docs.reconftw.com/deployment/deployment#lxc-container) LXC Container Copy # Create container pct create 100 local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst \ --hostname reconftw \ --memory 4096 \ --cores 2 \ --rootfs local-lvm:50 \ --net0 name=eth0,bridge=vmbr0,ip=dhcp # Start container pct start 100 # Enter container pct enter 100 # Install reconFTW apt update && apt install -y git git clone https://github.com/six2dez/reconftw.git cd reconftw && ./install.sh * * * [hashtag](https://docs.reconftw.com/deployment/deployment#ci-cd-integration) CI/CD Integration --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#github-actions) GitHub Actions #### [hashtag](https://docs.reconftw.com/deployment/deployment#basic-weekly-scan) Basic Weekly Scan Copy # .github/workflows/reconftw.yml name: reconFTW Scan on: schedule: - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: inputs: target: description: 'Target domain' required: true jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Setup reconFTW run: | git clone https://github.com/six2dez/reconftw.git cd reconftw && ./install.sh - name: Configure secrets run: | echo "SHODAN_API_KEY=${{ secrets.SHODAN_API_KEY }}" >> reconftw/secrets.cfg - name: Run scan run: | cd reconftw ./reconftw.sh -d ${{ github.event.inputs.target }} -r - name: Upload results uses: actions/upload-artifact@v3 with: name: reconftw-results path: reconftw/Recon/ #### [hashtag](https://docs.reconftw.com/deployment/deployment#advanced-multi-target-with-diff-and-notifications) Advanced: Multi-Target with Diff and Notifications Copy # .github/workflows/reconftw-advanced.yml name: reconFTW Multi-Target Scan on: schedule: - cron: '0 2 * * 0' # Weekly Sunday 2AM workflow_dispatch: env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} jobs: scan: runs-on: ubuntu-latest strategy: matrix: target: [target1.com, target2.com, target3.com] max-parallel: 1 # Sequential to avoid rate limits steps: - name: Setup reconFTW run: | git clone https://github.com/six2dez/reconftw.git cd reconftw && ./install.sh - name: Configure run: | cd reconftw cat << 'EOF' > secrets.cfg SHODAN_API_KEY="${{ secrets.SHODAN_API_KEY }}" GITHUB_TOKEN="${{ secrets.GH_TOKEN }}" EOF - name: Restore previous results uses: actions/cache@v3 with: path: reconftw/Recon/${{ matrix.target }} key: reconftw-${{ matrix.target }}-${{ github.run_number }} restore-keys: reconftw-${{ matrix.target }}- - name: Run scan run: | cd reconftw ./reconftw.sh -d ${{ matrix.target }} -r --incremental - name: Generate diff id: diff run: | cd reconftw/Recon/${{ matrix.target }} # Count new findings NEW_SUBS=$(wc -l < subdomains/subdomains.txt 2>/dev/null || echo 0) VULNS=$(cat vulns/nuclei_output.json 2>/dev/null | jq -s 'length' || echo 0) echo "new_subs=$NEW_SUBS" >> $GITHUB_OUTPUT echo "vulns=$VULNS" >> $GITHUB_OUTPUT - name: Notify Slack if: steps.diff.outputs.vulns > 0 run: | curl -X POST -H 'Content-type: application/json' \ --data '{"text":"🔔 reconFTW: ${{ matrix.target }} - ${{ steps.diff.outputs.new_subs }} subs, ${{ steps.diff.outputs.vulns }} vulns"}' \ $SLACK_WEBHOOK - name: Upload results uses: actions/upload-artifact@v3 with: name: results-${{ matrix.target }} path: reconftw/Recon/${{ matrix.target }} retention-days: 30 #### [hashtag](https://docs.reconftw.com/deployment/deployment#scheduled-with-faraday-integration) Scheduled with Faraday Integration Copy # .github/workflows/reconftw-faraday.yml name: reconFTW to Faraday on: schedule: - cron: '0 3 * * 1' # Weekly Monday 3AM jobs: scan: runs-on: ubuntu-latest steps: - name: Setup run: | git clone https://github.com/six2dez/reconftw.git cd reconftw && ./install.sh - name: Configure Faraday run: | cd reconftw cat << EOF >> reconftw.cfg FARADAY=true FARADAY_URL="${{ secrets.FARADAY_URL }}" FARADAY_USER="${{ secrets.FARADAY_USER }}" FARADAY_PASSWORD="${{ secrets.FARADAY_PASSWORD }}" FARADAY_WORKSPACE="${{ github.event.inputs.workspace || 'default' }}" EOF - name: Run scan run: | cd reconftw ./reconftw.sh -l targets.txt -r ### [hashtag](https://docs.reconftw.com/deployment/deployment#gitlab-ci) GitLab CI #### [hashtag](https://docs.reconftw.com/deployment/deployment#basic-pipeline) Basic Pipeline Copy # .gitlab-ci.yml stages: - scan reconftw_scan: stage: scan image: six2dez/reconftw:latest script: - ./reconftw.sh -d $TARGET_DOMAIN -r artifacts: paths: - Recon/ expire_in: 1 week only: - schedules #### [hashtag](https://docs.reconftw.com/deployment/deployment#advanced-parallel-targets-with-reports) Advanced: Parallel Targets with Reports Copy # .gitlab-ci.yml stages: - scan - report variables: TARGETS: "target1.com target2.com target3.com" .scan_template: &scan_template image: six2dez/reconftw:latest before_script: - echo "$SECRETS_CFG" > secrets.cfg artifacts: paths: - Recon/ expire_in: 2 weeks scan_target1: <<: *scan_template stage: scan script: - ./reconftw.sh -d target1.com -r only: - schedules scan_target2: <<: *scan_template stage: scan script: - ./reconftw.sh -d target2.com -r only: - schedules generate_report: stage: report image: python:3.9 dependencies: - scan_target1 - scan_target2 script: - pip install jinja2 - python scripts/generate_report.py artifacts: paths: - report.html expire_in: 4 weeks ### [hashtag](https://docs.reconftw.com/deployment/deployment#jenkins-pipeline) Jenkins Pipeline Copy // Jenkinsfile pipeline { agent any parameters { string(name: 'TARGET', defaultValue: 'example.com', description: 'Target domain') choice(name: 'MODE', choices: ['passive', 'recon', 'all'], description: 'Scan mode') } environment { SHODAN_API_KEY = credentials('shodan-api-key') GITHUB_TOKEN = credentials('github-token') } stages { stage('Setup') { steps { sh ''' git clone https://github.com/six2dez/reconftw.git || true cd reconftw && git pull && ./install.sh ''' } } stage('Configure') { steps { sh ''' cd reconftw echo "SHODAN_API_KEY=${SHODAN_API_KEY}" > secrets.cfg echo "GITHUB_TOKEN=${GITHUB_TOKEN}" >> secrets.cfg ''' } } stage('Scan') { steps { sh ''' cd reconftw MODE_FLAG="" case "${MODE}" in passive) MODE_FLAG="-p" ;; recon) MODE_FLAG="-r" ;; all) MODE_FLAG="-a" ;; esac ./reconftw.sh -d ${TARGET} ${MODE_FLAG} ''' } } stage('Archive') { steps { archiveArtifacts artifacts: 'reconftw/Recon/**/*', fingerprint: true } } stage('Notify') { when { expression { return fileExists('reconftw/Recon/${TARGET}/vulns/nuclei_output.json') } } steps { script { def vulnCount = sh( script: 'cat reconftw/Recon/${TARGET}/vulns/nuclei_output.json | jq -s length', returnStdout: true ).trim() if (vulnCount.toInteger() > 0) { slackSend( color: 'danger', message: "reconFTW found ${vulnCount} vulnerabilities on ${TARGET}" ) } } } } } post { always { cleanWs() } } } ### [hashtag](https://docs.reconftw.com/deployment/deployment#cron-based-linux-server) Cron-based (Linux Server) Copy #!/bin/bash # /opt/reconftw/scripts/weekly_scan.sh RECONFTW_PATH="/opt/reconftw" TARGETS_FILE="/opt/reconftw/targets.txt" RESULTS_PATH="/var/reconftw-results" DATE=$(date +%Y-%m-%d) # Ensure directories exist mkdir -p "$RESULTS_PATH/$DATE" # Run scans while IFS= read -r target; do echo "[$(date)] Starting scan for $target" cd "$RECONFTW_PATH" ./reconftw.sh -d "$target" -r -o "$RESULTS_PATH/$DATE/$target" # Generate diff if previous results exist PREV=$(ls -1 "$RESULTS_PATH" | grep -v "$DATE" | sort -r | head -1) if [[ -n "$PREV" && -d "$RESULTS_PATH/$PREV/$target" ]]; then echo "[$(date)] Generating diff against $PREV" diff -rq "$RESULTS_PATH/$PREV/$target/subdomains" \ "$RESULTS_PATH/$DATE/$target/subdomains" \ > "$RESULTS_PATH/$DATE/$target/diff_subs.txt" 2>/dev/null fi echo "[$(date)] Completed scan for $target" done < "$TARGETS_FILE" # Cleanup old results (keep 4 weeks) find "$RESULTS_PATH" -maxdepth 1 -type d -mtime +28 -exec rm -rf {} \; # Send summary TOTAL_VULNS=$(cat "$RESULTS_PATH/$DATE"/*/vulns/nuclei_output.json 2>/dev/null | jq -s 'length') echo "Weekly scan complete. Total vulnerabilities: $TOTAL_VULNS" | \ mail -s "reconFTW Weekly Report" security@company.com **Cron entry:** Copy # /etc/cron.d/reconftw 0 2 * * 0 root /opt/reconftw/scripts/weekly_scan.sh >> /var/log/reconftw.log 2>&1 * * * [hashtag](https://docs.reconftw.com/deployment/deployment#post-deployment) Post-Deployment ----------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#verify-installation) Verify Installation Copy # Check tools ./reconftw.sh --check-tools # System health ./reconftw.sh --health-check # Test scan ./reconftw.sh -d example.com -p ### [hashtag](https://docs.reconftw.com/deployment/deployment#configure-api-keys) Configure API Keys Copy # Edit secrets.cfg nano secrets.cfg # Add keys SHODAN_API_KEY="your_key" GITHUB_TOKEN="your_token" # ... more keys ### [hashtag](https://docs.reconftw.com/deployment/deployment#update-tools) Update Tools Copy # Update reconFTW and reinstall tools git pull ./install.sh * * * [hashtag](https://docs.reconftw.com/deployment/deployment#resource-management) Resource Management ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/deployment/deployment#monitor-usage) Monitor Usage Copy # CPU and memory htop # Disk usage df -h # Network iftop ### [hashtag](https://docs.reconftw.com/deployment/deployment#cleanup) Cleanup Copy # Clear old results rm -rf Recon/old-target/ # Clear temp files rm -rf Recon/*/tmp/* # Docker cleanup docker system prune -a * * * [hashtag](https://docs.reconftw.com/deployment/deployment#next-steps) Next Steps ------------------------------------------------------------------------------------- * [**Configuration**](https://docs.reconftw.com/configuration/configuration) - Customize settings * [**Usage Guide**](https://docs.reconftw.com/usage/usage) - Run scans * [**Axiom Integration**](https://docs.reconftw.com/integrations/axiom) - Distributed scanning [PreviousFaraday Integrationchevron-left](https://docs.reconftw.com/integrations/faraday) [NextAdvanced Usagechevron-right](https://docs.reconftw.com/advanced/advanced) Last updated 1 month ago --- # Advanced Usage | reconftw-docs This guide covers advanced features, customization, and optimization techniques for power users. * * * [hashtag](https://docs.reconftw.com/advanced/advanced#custom-function-execution) Custom Function Execution --------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#running-specific-functions) Running Specific Functions Use the `-c` flag to run specific functions: Copy # Run single function ./reconftw.sh -d example.com -c nuclei_check # Run multiple functions ./reconftw.sh -d example.com -c sub_passive ./reconftw.sh -d example.com -c webprobe_simple ./reconftw.sh -d example.com -c nuclei_check ### [hashtag](https://docs.reconftw.com/advanced/advanced#available-functions) Available Functions Module Functions OSINT `google_dorks`, `github_dorks`, `metadata`, `emails`, `domain_info` Subdomains `sub_passive`, `sub_crt`, `sub_brute`, `sub_permut`, `sub_dns` Web `webprobe_simple`, `screenshot`, `fuzz`, `urlchecks`, `jschecks` Vulns `nuclei_check`, `xss`, `sqli`, `ssrf_checks`, `cors` Hosts `portscan`, `cdnprovider`, `waf_checks`, `geo_info` ### [hashtag](https://docs.reconftw.com/advanced/advanced#function-dependencies) Function Dependencies Some functions depend on others: Copy webprobe_simple → screenshot → urlchecks → jschecks sub_passive → sub_dns → webprobe_simple * * * [hashtag](https://docs.reconftw.com/advanced/advanced#creating-custom-modules) Creating Custom Modules ----------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#module-structure) Module Structure Copy # Create custom module: modules/custom.sh #!/bin/bash custom_function() { start_func "${FUNCNAME[0]}" "Running custom check" # Your code here echo "Custom scan for $domain" # Use existing outputs if [[ -f "$dir/webs/webs.txt" ]]; then cat "$dir/webs/webs.txt" | custom-tool > "$dir/custom/results.txt" fi end_func "Results: $dir/custom/results.txt" } ### [hashtag](https://docs.reconftw.com/advanced/advanced#loading-custom-modules) Loading Custom Modules Add to reconftw.sh: Copy # Load custom module source "$SCRIPTPATH/modules/custom.sh" ### [hashtag](https://docs.reconftw.com/advanced/advanced#function-templates) Function Templates Copy # Template with all features my_function() { # Function lifecycle start_func "${FUNCNAME[0]}" "Description" # Check if should run in DEEP mode if should_run_deep "$input_file" "$DEEP_LIMIT"; then # DEEP mode behavior fi # Use axiom if enabled if [[ "$AXIOM" == true ]]; then axiom_scan "$input_file" "my-tool" "$output_file" else my-tool < "$input_file" > "$output_file" fi # Notifications notification "Found $(wc -l < $output_file) results" # End function end_func "Completed: $(wc -l < $output_file) results" } * * * [hashtag](https://docs.reconftw.com/advanced/advanced#plugin-system) Plugin System --------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#plugin-architecture) Plugin Architecture reconFTW supports plugins via hooks: Copy # In reconftw.cfg PLUGINS=true PLUGINS_PATH="$SCRIPTPATH/plugins" ### [hashtag](https://docs.reconftw.com/advanced/advanced#creating-plugins) Creating Plugins Copy # plugins/my-plugin.sh #!/bin/bash # Hook: after_subdomains plugin_after_subdomains() { echo "[PLUGIN] Processing subdomains..." # Custom post-processing } # Hook: after_scan plugin_after_scan() { echo "[PLUGIN] Scan completed, generating custom report..." # Custom reporting } # Register plugin plugins_register "my-plugin" "after_subdomains,after_scan" ### [hashtag](https://docs.reconftw.com/advanced/advanced#available-hooks) Available Hooks Hook Timing `before_scan` Before scan starts `after_subdomains` After subdomain enumeration `after_webprobe` After web probing `after_vulns` After vulnerability scanning `after_scan` After scan completes * * * [hashtag](https://docs.reconftw.com/advanced/advanced#wordlist-customization) Wordlist Customization --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#custom-wordlist-configuration) Custom Wordlist Configuration Copy # In reconftw.cfg # Custom subdomain wordlists subs_wordlist="$SCRIPTPATH/wordlists/custom_subdomains.txt" subs_wordlist_big="$SCRIPTPATH/wordlists/custom_subdomains_big.txt" # Custom directory wordlists fuzz_wordlist="$SCRIPTPATH/wordlists/custom_dirs.txt" # Optional vuln-specific wordlists lfi_wordlist="$SCRIPTPATH/wordlists/custom_lfi.txt" ssti_wordlist="$SCRIPTPATH/wordlists/custom_ssti.txt" ### [hashtag](https://docs.reconftw.com/advanced/advanced#generating-custom-wordlists) Generating Custom Wordlists Copy # Generate target-specific wordlist ./reconftw.sh -d example.com -c wordlist_gen # Merge wordlists cat wordlist1.txt wordlist2.txt | sort -u > merged.txt # Filter by length awk 'length($0) >= 3 && length($0) <= 20' wordlist.txt > filtered.txt ### [hashtag](https://docs.reconftw.com/advanced/advanced#per-target-wordlists) Per-Target Wordlists Copy # Create target-specific wordlist directory mkdir -p wordlists/example.com/ # Place custom wordlists cp custom_subs.txt wordlists/example.com/subdomains.txt cp custom_dirs.txt wordlists/example.com/fuzzing.txt # reconFTW will use if present * * * [hashtag](https://docs.reconftw.com/advanced/advanced#resolver-optimization) Resolver Optimization ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#resolver-setup) Resolver Setup Copy # Validate resolvers dnsvalidator -tL public_resolvers.txt -threads 100 -o resolvers.txt # Use validated resolvers RESOLVERS="$SCRIPTPATH/resolvers.txt" ### [hashtag](https://docs.reconftw.com/advanced/advanced#trusted-resolvers) Trusted Resolvers Copy # Trusted resolvers (for sensitive queries) RESOLVERS_TRUSTED="$SCRIPTPATH/resolvers_trusted.txt" # Contents: reliable, trusted DNS servers 8.8.8.8 8.8.4.4 1.1.1.1 9.9.9.9 ### [hashtag](https://docs.reconftw.com/advanced/advanced#resolver-rotation) Resolver Rotation Copy # Enable resolver rotation RESOLVER_ROTATE=true RESOLVER_ROTATE_INTERVAL=100 # Rotate every 100 queries * * * [hashtag](https://docs.reconftw.com/advanced/advanced#incremental-mode-deep-dive) Incremental Mode Deep Dive ----------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#how-incremental-works) How Incremental Works 1. First scan: Full enumeration, results saved 2. Subsequent scans: Compare new vs existing 3. Process only NEW findings 4. Merge results Copy # Enable incremental ./reconftw.sh -d example.com -r --incremental ### [hashtag](https://docs.reconftw.com/advanced/advanced#incremental-data-flow) Incremental Data Flow Copy ┌─────────────────────────────────────────────────────────────────────┐ │ Incremental Scan Flow │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ ┌──────────────┐ │ │ │ New Scan │ │ Previous │ │ │ │ Results │ │ Results │ │ │ └──────┬───────┘ └──────┬───────┘ │ │ │ │ │ │ └────────┬───────────┘ │ │ │ │ │ ▼ │ │ ┌───────────────┐ │ │ │ Compare │ │ │ │ (comm/diff) │ │ │ └───────┬───────┘ │ │ │ │ │ ┌───────────┼───────────┐ │ │ ▼ ▼ ▼ │ │ ┌───────┐ ┌────────┐ ┌────────┐ │ │ │ New │ │ Common │ │Removed │ │ │ │ Items │ │ Items │ │ Items │ │ │ └───┬───┘ └────────┘ └────────┘ │ │ │ │ │ ▼ │ │ ┌─────────────────┐ │ │ │ Process ONLY │ │ │ │ New Items │ │ │ └─────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ ### [hashtag](https://docs.reconftw.com/advanced/advanced#incremental-configuration) Incremental Configuration Copy # In reconftw.cfg INCREMENTAL=true DIFF_ONLY=true # Process only differences DIFF_NOTIFY=true # Notify on new findings * * * [hashtag](https://docs.reconftw.com/advanced/advanced#checkpoint-recovery-system) Checkpoint/Recovery System ----------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#how-checkpoints-work) How Checkpoints Work Copy # Checkpoint directory Recon/example.com/.called_fn/ # Each completed function creates a marker .called_fn/ ├── sub_passive ├── sub_crt ├── webprobe_simple └── nuclei_check ### [hashtag](https://docs.reconftw.com/advanced/advanced#resuming-interrupted-scans) Resuming Interrupted Scans Copy # Scan interrupted at nuclei_check ./reconftw.sh -d example.com -a # Resume - skips completed functions ./reconftw.sh -d example.com -a # Output: [sub_passive] Already run, skipping... ### [hashtag](https://docs.reconftw.com/advanced/advanced#reset-checkpoints) Reset Checkpoints Copy # Reset all checkpoints (full rescan) rm -rf Recon/example.com/.called_fn/ # Reset specific function rm Recon/example.com/.called_fn/nuclei_check ### [hashtag](https://docs.reconftw.com/advanced/advanced#checkpoint-configuration) Checkpoint Configuration Copy # In reconftw.cfg USE_CHECKPOINT=true # Enable checkpoint system CHECKPOINT_DIR=".called_fn" * * * [hashtag](https://docs.reconftw.com/advanced/advanced#rate-limiting-strategies) Rate Limiting Strategies ------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#per-tool-rate-limits) Per-Tool Rate Limits Copy # In reconftw.cfg # httpx rate limit (requests per second) HTTPX_RATELIMIT=150 # Nuclei rate limit NUCLEI_RATELIMIT=150 # FFUF rate limit FFUF_RATELIMIT=0 # 0 = no limit ### [hashtag](https://docs.reconftw.com/advanced/advanced#adaptive-rate-limiting) Adaptive Rate Limiting Copy # Enable adaptive rate limiting ./reconftw.sh -d example.com -a --adaptive-rate # Automatically adjusts based on: # - Response times # - Error rates # - 429 responses ### [hashtag](https://docs.reconftw.com/advanced/advanced#global-rate-limit) Global Rate Limit Copy # Limit all requests ./reconftw.sh -d example.com -r -q 100 # 100 req/sec global ### [hashtag](https://docs.reconftw.com/advanced/advanced#target-specific-limits) Target-Specific Limits Copy # Create scope file with rate limits echo "example.com:50" > scope.txt # 50 req/sec for this target ./reconftw.sh -d example.com -r -i scope.txt * * * [hashtag](https://docs.reconftw.com/advanced/advanced#multi-target-scanning) Multi-Target Scanning ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#target-list) Target List Copy # targets.txt example.com test.com target.org Copy # Scan multiple targets ./reconftw.sh -l targets.txt -r ### [hashtag](https://docs.reconftw.com/advanced/advanced#parallel-execution) Parallel Execution Copy # Run multiple scans in parallel cat targets.txt | parallel -j 3 "./reconftw.sh -d {} -r" ### [hashtag](https://docs.reconftw.com/advanced/advanced#multi-target-with-different-configs) Multi-Target with Different Configs Copy # Create per-target configs cp reconftw.cfg configs/example.com.cfg cp reconftw.cfg configs/target.org.cfg # Run with specific config ./reconftw.sh -d example.com -r -f configs/example.com.cfg * * * [hashtag](https://docs.reconftw.com/advanced/advanced#scope-file-management) Scope File Management ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#scope-file-format) Scope File Format Copy # inscope.txt - domains to include example.com *.example.com api.example.org # outofscope.txt - domains to exclude blog.example.com legacy.example.com ### [hashtag](https://docs.reconftw.com/advanced/advanced#using-scope-files) Using Scope Files Copy # Include scope ./reconftw.sh -d example.com -r -i inscope.txt # Exclude scope ./reconftw.sh -d example.com -r -x outofscope.txt # Both ./reconftw.sh -d example.com -r -i inscope.txt -x outofscope.txt ### [hashtag](https://docs.reconftw.com/advanced/advanced#wildcard-scopes) Wildcard Scopes Copy # inscope.txt with wildcards *.example.com # All subdomains *.*.example.com # Second-level subdomains api.*.example.com # api.X.example.com pattern * * * [hashtag](https://docs.reconftw.com/advanced/advanced#notification-customization) Notification Customization ----------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#notification-providers) Notification Providers Copy # In reconftw.cfg NOTIFICATION=true # Configure in ~/.config/notify/provider-config.yaml ### [hashtag](https://docs.reconftw.com/advanced/advanced#provider-configuration) Provider Configuration Copy # ~/.config/notify/provider-config.yaml slack: - id: "slack-webhook" slack_webhook_url: "https://hooks.slack.com/services/XXX" discord: - id: "discord-webhook" discord_webhook_url: "https://discord.com/api/webhooks/XXX" telegram: - id: "telegram" telegram_api_key: "XXX" telegram_chat_id: "XXX" ### [hashtag](https://docs.reconftw.com/advanced/advanced#custom-notification-templates) Custom Notification Templates Copy # Custom notification format notification() { local message="$1" echo "[$(date)] $domain: $message" | notify -silent } * * * [hashtag](https://docs.reconftw.com/advanced/advanced#ai-report-customization) AI Report Customization ----------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#ai-configuration) AI Configuration Copy # In reconftw.cfg AI_REPORT=true AI_MODEL="gpt-4" AI_REPORT_TYPE="detailed" # detailed, executive, compliance ### [hashtag](https://docs.reconftw.com/advanced/advanced#custom-report-prompts) Custom Report Prompts Copy # Custom system prompt AI_SYSTEM_PROMPT="You are a senior penetration tester..." # Custom report sections AI_REPORT_SECTIONS="executive_summary,findings,recommendations,methodology" ### [hashtag](https://docs.reconftw.com/advanced/advanced#report-types) Report Types Type Focus Audience `detailed` Technical deep-dive Security team `executive` High-level summary Management `compliance` Compliance mapping Auditors * * * [hashtag](https://docs.reconftw.com/advanced/advanced#performance-tuning) Performance Tuning ------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#thread-optimization) Thread Optimization Copy # In reconftw.cfg # Based on CPU cores (nproc) THREADS=$(($(nproc) * 2)) # Per-tool threads HTTPX_THREADS=50 FFUF_THREADS=40 KATANA_THREADS=20 DALFOX_THREADS=200 RESOLVE_DOMAINS_THREADS=150 TLSX_THREADS=1000 ### [hashtag](https://docs.reconftw.com/advanced/advanced#memory-management) Memory Management Copy # Limit memory-intensive tools FFUF_THREADS=20 # Reduce if OOM HTTPX_THREADS=20 KATANA_THREADS=10 # Use streaming where possible # Avoid loading large files into memory ### [hashtag](https://docs.reconftw.com/advanced/advanced#disk-i-o-optimization) Disk I/O Optimization Copy # Use SSD for output directory OUTPUT="/mnt/ssd/Recon" # Compress old results tar -czf old_results.tar.gz Recon/old_target/ ### [hashtag](https://docs.reconftw.com/advanced/advanced#network-optimization) Network Optimization Copy # Reduce HTTP timeouts HTTPX_TIMEOUT=5 HTTPX_UNCOMMONPORTS_TIMEOUT=5 # Reduce passive enum time window SUBFINDER_ENUM_TIMEOUT=120 * * * [hashtag](https://docs.reconftw.com/advanced/advanced#circuit-breaker-pattern) Circuit Breaker Pattern ----------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#configuration) Configuration Copy # In reconftw.cfg CIRCUIT_BREAKER=true CIRCUIT_BREAKER_THRESHOLD=50 # Error threshold CIRCUIT_BREAKER_TIMEOUT=300 # Cooldown in seconds ### [hashtag](https://docs.reconftw.com/advanced/advanced#behavior) Behavior 1. **Closed:** Normal operation 2. **Open:** Too many errors, stop requests 3. **Half-Open:** Test with few requests 4. **Recovery:** Resume normal operation * * * [hashtag](https://docs.reconftw.com/advanced/advanced#environment-variables) Environment Variables ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#override-configuration) Override Configuration Copy # Set via environment export RECONFTW_THREADS=100 export RECONFTW_OUTPUT="/custom/output" ./reconftw.sh -d example.com -r ### [hashtag](https://docs.reconftw.com/advanced/advanced#precedence) Precedence 1. Command-line flags (highest) 2. Environment variables 3. Custom config file (-f) 4. Default reconftw.cfg (lowest) * * * [hashtag](https://docs.reconftw.com/advanced/advanced#debugging) Debugging ------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/advanced/advanced#dry-run-mode) Dry Run Mode Copy # Preview commands without executing ./reconftw.sh -d example.com -r --dry-run ### [hashtag](https://docs.reconftw.com/advanced/advanced#verbose-output) Verbose Output Copy # Enable debug logging DEBUG=true ./reconftw.sh -d example.com -r # Or in config DEBUG=true ### [hashtag](https://docs.reconftw.com/advanced/advanced#log-analysis) Log Analysis Copy # Check execution log tail -f Recon/example.com/.log/reconftw.log # Check errors grep -i error Recon/example.com/.log/*.log * * * [hashtag](https://docs.reconftw.com/advanced/advanced#next-steps) Next Steps --------------------------------------------------------------------------------- * [**Troubleshooting**](https://docs.reconftw.com/help/troubleshooting) - Common issues * [**Configuration**](https://docs.reconftw.com/configuration/configuration) - All options [PreviousDeployment Guidechevron-left](https://docs.reconftw.com/deployment/deployment) [NextPerformance Tuningchevron-right](https://docs.reconftw.com/guides/tuning) Last updated 1 month ago --- # Performance Tuning | reconftw-docs Optimize reconFTW for your target size, hardware, and time constraints. * * * [hashtag](https://docs.reconftw.com/guides/tuning#quick-tuning-profiles) Quick Tuning Profiles --------------------------------------------------------------------------------------------------- Copy-paste these configurations based on your scenario: ### [hashtag](https://docs.reconftw.com/guides/tuning#small-target-less-than-100-subdomains) Small Target (< 100 subdomains) Copy # In reconftw.cfg - Small target, thorough scan # Enable DEEP mode (more thorough) DEEP=true DEEP_LIMIT=500 DEEP_LIMIT2=2000 # Moderate threads (don't overwhelm small infra) HTTPX_THREADS=50 FFUF_THREADS=40 NUCLEI_RATELIMIT=100 # Enable all checks NUCLEICHECK=true FUZZ=true CORS=true XSS=true SQLI=true # Time estimate: 1-2 hours ### [hashtag](https://docs.reconftw.com/guides/tuning#medium-target-100-1-000-subdomains) Medium Target (100-1,000 subdomains) Copy # In reconftw.cfg - Medium target, balanced # Standard DEEP limits DEEP_LIMIT=500 DEEP_LIMIT2=1500 # Higher threads HTTPX_THREADS=100 FFUF_THREADS=60 NUCLEI_RATELIMIT=150 # Core checks enabled NUCLEICHECK=true FUZZ=true XSS=true SQLI=true # Skip some heavy checks SMUGGLING=false WEBCACHE=false PROTOTYPE_POLLUTION=false # Time estimate: 2-4 hours ### [hashtag](https://docs.reconftw.com/guides/tuning#large-target-1-000-10-000-subdomains) Large Target (1,000-10,000 subdomains) Copy # In reconftw.cfg - Large target, efficient # Lower DEEP limits (skip intensive checks for large lists) DEEP_LIMIT=200 DEEP_LIMIT2=500 # High threads HTTPX_THREADS=150 FFUF_THREADS=80 NUCLEI_RATELIMIT=200 # Essential checks only NUCLEICHECK=true FUZZ=false # Too slow for large targets XSS=true SQLI=false # Use nuclei SQLi templates instead # Skip slow modules SMUGGLING=false WEBCACHE=false PROTOTYPE_POLLUTION=false GRAPHQL_SCAN=false WEBSOCKET_CHECKS=false # Time estimate: 4-8 hours ### [hashtag](https://docs.reconftw.com/guides/tuning#massive-target-10-000-subdomains) Massive Target (10,000+ subdomains) Copy # In reconftw.cfg - Massive target, speed priority # Minimal DEEP mode DEEP_LIMIT=100 DEEP_LIMIT2=200 # Maximum threads HTTPX_THREADS=200 FFUF_THREADS=100 NUCLEI_RATELIMIT=300 # Only nuclei scanning NUCLEICHECK=true FUZZ=false XSS=false SQLI=false SSRF_CHECKS=false CORS=false # Use Axiom for distribution AXIOM=true AXIOM_FLEET_COUNT=20 # Time estimate: 8-24 hours (or 2-4 with Axiom) * * * [hashtag](https://docs.reconftw.com/guides/tuning#understanding-deep-mode) Understanding DEEP Mode ------------------------------------------------------------------------------------------------------- DEEP mode runs additional checks when target size is below threshold. ### [hashtag](https://docs.reconftw.com/guides/tuning#how-it-works) How It Works Copy Target subdomains count: ├── Below DEEP_LIMIT (500) → Run intensive checks (DEEP mode) ├── Below DEEP_LIMIT2 (1500) → Run moderate checks └── Above DEEP_LIMIT2 → Skip intensive checks ### [hashtag](https://docs.reconftw.com/guides/tuning#what-deep-mode-enables) What DEEP Mode Enables Check Without DEEP With DEEP Permutations Basic AI + Regex permutations Fuzzing Top dirs only Full wordlist JS Analysis Extract endpoints Full secret scanning Nuclei Critical/High only All severities Parameter discovery Skip Full discovery ### [hashtag](https://docs.reconftw.com/guides/tuning#configuring-deep-limits) Configuring DEEP Limits Copy # For thorough scanning (small targets) DEEP_LIMIT=1000 DEEP_LIMIT2=3000 # For fast scanning (large targets) DEEP_LIMIT=100 DEEP_LIMIT2=300 # Disable DEEP mode entirely DEEP=false * * * [hashtag](https://docs.reconftw.com/guides/tuning#thread-optimization) Thread Optimization ----------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#by-tool) By Tool Tool Default Min (Stealth) Max (Speed) Notes `HTTPX_THREADS` 50 10 200 HTTP probing `FFUF_THREADS` 40 10 100 Directory fuzzing `NUCLEI_RATELIMIT` 150 30 500 Vuln scanning (req/sec) `DALFOX_THREADS` 200 50 500 XSS testing `TLSX_THREADS` 1000 200 2000 TLS analysis `RESOLVE_DOMAINS_THREADS` 150 50 300 DNS resolution ### [hashtag](https://docs.reconftw.com/guides/tuning#by-hardware) By Hardware System Threads Multiplier Example 1 CPU / 1GB RAM 0.5x HTTPX\_THREADS=25 2 CPU / 4GB RAM 1x (default) HTTPX\_THREADS=50 4 CPU / 8GB RAM 2x HTTPX\_THREADS=100 8+ CPU / 16GB+ RAM 3-4x HTTPX\_THREADS=200 ### [hashtag](https://docs.reconftw.com/guides/tuning#memory-considerations) Memory Considerations High-memory tools: * `nuclei` - Keep under 200 ratelimit on low-memory systems * `ffuf` - Reduce threads on large wordlists * `katana` - Can be memory-intensive on large sites Copy # Low memory system (2GB) HTTPX_THREADS=30 FFUF_THREADS=20 NUCLEI_RATELIMIT=50 # High memory system (16GB+) HTTPX_THREADS=150 FFUF_THREADS=80 NUCLEI_RATELIMIT=300 * * * [hashtag](https://docs.reconftw.com/guides/tuning#rate-limiting-strategies) Rate Limiting Strategies --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#adaptive-rate-limiting) Adaptive Rate Limiting Copy # Enable automatic adjustment ./reconftw.sh -d target.com -r --adaptive-rate # Or in config ADAPTIVE_RATE_LIMIT=true MIN_RATE_LIMIT=10 # Never go below this MAX_RATE_LIMIT=500 # Never exceed this RATE_LIMIT_BACKOFF_FACTOR=0.5 # Reduce by 50% on errors RATE_LIMIT_INCREASE_FACTOR=1.2 # Increase by 20% on success ### [hashtag](https://docs.reconftw.com/guides/tuning#manual-rate-limiting) Manual Rate Limiting Copy # Global rate limit ./reconftw.sh -d target.com -r -q 50 # 50 req/sec # Per-tool limits in config HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=50 FFUF_RATELIMIT=50 ### [hashtag](https://docs.reconftw.com/guides/tuning#when-to-reduce-rates) When to Reduce Rates Symptom Action 429 errors Reduce ratelimit by 50% Connection timeouts Reduce threads WAF blocks Use `--adaptive-rate`, reduce to 30 req/sec Server errors (5xx) Reduce threads AND ratelimit * * * [hashtag](https://docs.reconftw.com/guides/tuning#timeout-configuration) Timeout Configuration --------------------------------------------------------------------------------------------------- Copy # In reconftw.cfg # HTTP timeouts HTTPX_TIMEOUT=10 # Seconds per request FFUF_TIMEOUT=10 NUCLEI_TIMEOUT=15 # DNS timeouts DNS_TIMEOUT=5 # For slow targets HTTPX_TIMEOUT=30 NUCLEI_TIMEOUT=30 * * * [hashtag](https://docs.reconftw.com/guides/tuning#wordlist-optimization) Wordlist Optimization --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#subdomain-wordlists) Subdomain Wordlists Wordlist Size Use When `subdomains.txt` (default) ~100K Standard scans `subdomains_n0kovo_big.txt` ~1M DEEP mode / thorough Custom small list ~10K Fast scans / CI/CD Copy # Fast scan - small wordlist subs_wordlist="${tools}/subdomains_small.txt" # Thorough scan - large wordlist subs_wordlist="${tools}/subdomains_n0kovo_big.txt" ### [hashtag](https://docs.reconftw.com/guides/tuning#fuzzing-wordlists) Fuzzing Wordlists Wordlist Size Time Impact Small (~5K) Fast 5-10 min/target Medium (~20K) Moderate 20-40 min/target Large (~100K+) Slow 1-2 hours/target Copy # Fast fuzzing fuzz_wordlist="${tools}/fuzz_small.txt" # Thorough fuzzing fuzz_wordlist="${tools}/fuzz_wordlist.txt" ### [hashtag](https://docs.reconftw.com/guides/tuning#recommended-wordlists) Recommended Wordlists Copy # Download optimized wordlists # SecLists git clone https://github.com/danielmiessler/SecLists.git ~/wordlists # Assetnote wget https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt * * * [hashtag](https://docs.reconftw.com/guides/tuning#module-specific-tuning) Module-Specific Tuning ----------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#nuclei-optimization) Nuclei Optimization Copy # Severity filtering (faster) NUCLEI_SEVERITY="critical,high" # Skip medium/low/info # Template exclusion NUCLEI_EXTRA_ARGS="-etags dos,fuzz" # Skip DoS and heavy fuzz templates # Timeout NUCLEI_TIMEOUT=10 # For large scans NUCLEI_RATELIMIT=200 NUCLEI_FLAGS="-silent -retries 1" # Reduce retries ### [hashtag](https://docs.reconftw.com/guides/tuning#subdomain-enumeration) Subdomain Enumeration Copy # Fast passive only SUBBRUTE=false # Skip brute-force SUBPERMUTE=false # Skip permutations SUBIAPERMUTE=false # Skip AI permutations # Thorough SUBBRUTE=true SUBPERMUTE=true SUBIAPERMUTE=true SUBREGEXPERMUTE=true SUB_RECURSIVE_PASSIVE=true ### [hashtag](https://docs.reconftw.com/guides/tuning#fuzzing) Fuzzing Copy # Fast FUZZ=false # Skip entirely, rely on nuclei # Or minimal fuzzing FFUF_THREADS=20 fuzz_wordlist="${tools}/fuzz_small.txt" # Thorough FUZZ=true FFUF_THREADS=80 fuzz_wordlist="${tools}/fuzz_wordlist.txt" * * * [hashtag](https://docs.reconftw.com/guides/tuning#axiom-scaling) Axiom Scaling ----------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#fleet-sizing) Fleet Sizing Target Size Fleet Size Est. Time < 100 subs 3-5 30 min 100-1000 5-10 1-2 hours 1000-10000 10-20 2-4 hours 10000+ 20-50 4-8 hours ### [hashtag](https://docs.reconftw.com/guides/tuning#cost-optimization) Cost Optimization Copy # Cheapest instances AXIOM_INSTANCE_TYPE="s-1vcpu-1gb" # $0.007/hr on DO # Cost example: # 10 instances × 2 hours × $0.007 = $0.14 per scan ### [hashtag](https://docs.reconftw.com/guides/tuning#fleet-configuration) Fleet Configuration Copy # In reconftw.cfg AXIOM=true AXIOM_FLEET_NAME="reconftw" AXIOM_FLEET_COUNT=10 AXIOM_FLEET_LAUNCH=true AXIOM_FLEET_SHUTDOWN=true # Destroy after scan * * * [hashtag](https://docs.reconftw.com/guides/tuning#time-estimates) Time Estimates ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#by-mode) By Mode Mode Small (<100) Medium (100-1K) Large (1K-10K) `-p` (passive) 5-10 min 10-20 min 20-40 min `-s` (subs) 15-30 min 30-60 min 1-2 hours `-r` (recon) 30-60 min 1-3 hours 3-6 hours `-a` (all) 1-2 hours 2-5 hours 5-12 hours ### [hashtag](https://docs.reconftw.com/guides/tuning#speed-vs-thoroughness) Speed vs Thoroughness Copy Fast ←————————————————————————→ Thorough -p -s -r -a Passive Subs only Full recon All + vulns ~15 min ~30 min ~2 hours ~4 hours * * * [hashtag](https://docs.reconftw.com/guides/tuning#parallelization) Parallelization --------------------------------------------------------------------------------------- reconFTW includes built-in parallelization to speed up reconnaissance by running independent operations concurrently. ### [hashtag](https://docs.reconftw.com/guides/tuning#enabling-parallelization) Enabling Parallelization Copy # Run subdomains with parallelization ./reconftw.sh -d target.com -s --parallel # Or use the parallel functions directly parallel_subdomains_full ### [hashtag](https://docs.reconftw.com/guides/tuning#parallelization-phases) Parallelization Phases Subdomain enumeration is organized into phases with dependencies: Copy Phase 1: Passive (parallel) ├── sub_passive └── sub_crt Phase 2: Active DNS (parallel) ├── sub_active ├── sub_noerror └── sub_dns Phase 3: Post-Active (parallel) - requires resolved subs from Phase 2 ├── sub_tls └── sub_analytics Phase 4: Brute Force (limited parallel) - resource intensive ├── sub_brute ├── sub_permut ├── sub_regex_permut └── sub_ia_permut Phase 5: Recursive (sequential) - depends on all previous ├── sub_recursive_passive ├── sub_recursive_brute └── sub_scraping ### [hashtag](https://docs.reconftw.com/guides/tuning#configuration-variables) Configuration Variables Copy # Maximum parallel jobs (default: 4) PARALLEL_MAX_JOBS=4 # Parallel batch size for large operations PARALLEL_BATCH_SIZE=10 # Enable/disable parallelization globally PARALLEL_ENABLED=true ### [hashtag](https://docs.reconftw.com/guides/tuning#performance-impact) Performance Impact Target Size Without Parallel With Parallel Speedup Small (<100) 15 min 8 min ~2x Medium (100-1K) 45 min 20 min ~2.2x Large (1K-10K) 3 hours 1.5 hours ~2x ### [hashtag](https://docs.reconftw.com/guides/tuning#parallel-functions-reference) Parallel Functions Reference Function Purpose Max Jobs `parallel_passive_enum()` Run passive sources in parallel 4 `parallel_active_enum()` Run active DNS checks in parallel 3 `parallel_postactive_enum()` TLS and analytics after resolution 2 `parallel_brute_enum()` Brute force (resource limited) 2 `parallel_web_vulns()` Web vulnerability checks 4 `parallel_injection_vulns()` Injection testing 4 `parallel_osint()` OSINT gathering 4 ### [hashtag](https://docs.reconftw.com/guides/tuning#when-not-to-use-parallelization) When NOT to Use Parallelization * **Low-memory systems** (< 4GB RAM): Use sequential mode * **Rate-limited targets**: Parallel can trigger blocks faster * **Axiom mode**: Already distributed, parallelization adds complexity * **Debugging**: Sequential is easier to troubleshoot * * * [hashtag](https://docs.reconftw.com/guides/tuning#common-tuning-scenarios) Common Tuning Scenarios ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#i-need-results-in-30-minutes) "I need results in 30 minutes" Copy # Passive only ./reconftw.sh -d target.com -p ### [hashtag](https://docs.reconftw.com/guides/tuning#overnight-scan-make-it-thorough) "Overnight scan, make it thorough" Copy # Config: Enable everything, DEEP mode DEEP=true DEEP_LIMIT=2000 ./reconftw.sh -d target.com -a ### [hashtag](https://docs.reconftw.com/guides/tuning#bug-bounty-new-program-rush) "Bug bounty, new program rush" Copy # Fast but complete DEEP_LIMIT=300 FUZZ=false ./reconftw.sh -d target.com -r --adaptive-rate ### [hashtag](https://docs.reconftw.com/guides/tuning#red-team-need-to-stay-quiet) "Red team, need to stay quiet" Copy # Low and slow HTTPX_RATELIMIT=10 NUCLEI_RATELIMIT=10 HTTPX_THREADS=10 ./reconftw.sh -d target.com -p # Start passive * * * [hashtag](https://docs.reconftw.com/guides/tuning#monitoring-performance) Monitoring Performance ----------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/tuning#check-progress) Check Progress Copy # Watch log tail -f Recon/target.com/.log/reconftw.log # Check completed functions ls Recon/target.com/.called_fn/ # Count results wc -l Recon/target.com/subdomains/subdomains.txt ### [hashtag](https://docs.reconftw.com/guides/tuning#resource-monitoring) Resource Monitoring Copy # CPU/Memory htop # Disk df -h # Network iftop # or nload * * * [hashtag](https://docs.reconftw.com/guides/tuning#tl-dr-quick-config) TL;DR Quick Config --------------------------------------------------------------------------------------------- Copy # SMALL target - be thorough DEEP=true && HTTPX_THREADS=50 && NUCLEI_RATELIMIT=100 # LARGE target - be efficient DEEP_LIMIT=200 && HTTPX_THREADS=150 && FUZZ=false # QUIET scan - low profile HTTPX_RATELIMIT=10 && NUCLEI_RATELIMIT=10 # FAST scan - speed priority ./reconftw.sh -d target.com -p # Just passive * * * > **Documentation Info** Branch: `dev` | Version: `v3.0.0+` | Last updated: February 2026 [PreviousAdvanced Usagechevron-left](https://docs.reconftw.com/advanced/advanced) [NextData Model & I/Ochevron-right](https://docs.reconftw.com/guides/data-model) Last updated 1 month ago --- # OPSEC & Legal | reconftw-docs Operational security and legal considerations for using reconFTW responsibly. * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#the-golden-rule) ⚠️ The Golden Rule ----------------------------------------------------------------------------------------------- > **NEVER scan a target without explicit written authorization.** This isn't just advice—it's the law in most jurisdictions. Unauthorized scanning can result in: * Criminal charges * Civil lawsuits * Career damage * Account bans from bug bounty platforms * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#authorization-checklist) Authorization Checklist ------------------------------------------------------------------------------------------------------------ Before ANY scan, verify you have: Copy ## Pre-Scan Authorization Checklist ### Legal Authorization - [ ] Written permission from asset owner (email, contract, or bug bounty policy) - [ ] Scope document clearly defines in-scope assets - [ ] Out-of-scope assets are documented and excluded - [ ] Testing window defined (if applicable) - [ ] Rate limits agreed upon (if any) ### Technical Preparation - [ ] Scope file created (`-i inscope.txt`) - [ ] Exclusions configured (`-x outofscope.txt`) - [ ] Rate limits set appropriately - [ ] VPS/cloud instance ready (recommended) ### Communication - [ ] Emergency contact identified - [ ] Reporting channel established - [ ] NDA signed (if required) * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#scan-intrusiveness-matrix) Scan Intrusiveness Matrix ---------------------------------------------------------------------------------------------------------------- Understanding how "noisy" each mode is: ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#by-mode) By Mode Mode Intrusiveness Detection Risk Direct Contact `-p` (passive) 🟢 None None No `-n` (OSINT) 🟢 Minimal Very Low Minimal `-s` (subdomains) 🟡 Low Low DNS only `-r` (recon) 🟡 Medium Medium Yes `-a` (all) 🔴 High High Yes + Vuln tests ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#by-function) By Function Function Intrusiveness Notes `sub_passive` 🟢 None Third-party APIs only `sub_crt` 🟢 None Certificate Transparency `sub_brute` 🟡 Low DNS queries `webprobe_simple` 🟡 Medium HTTP requests `screenshot` 🟡 Medium HTTP requests `fuzz` 🟠 High Many HTTP requests `nuclei_check` 🔴 Very High Active vulnerability testing `sqli` 🔴 Very High SQL injection attempts `xss` 🔴 Very High XSS payload injection ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#noise-levels-explained) Noise Levels Explained * 🟢 **None/Minimal**: No direct target contact, uses public data * 🟡 **Low/Medium**: Standard HTTP/DNS traffic, looks like normal browsing * 🟠 **High**: Elevated traffic, may trigger WAF/IDS alerts * 🔴 **Very High**: Attack-like traffic, will likely trigger security alerts * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#reducing-detection-risk) Reducing Detection Risk ------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#start-passive) Start Passive Copy # Always start with passive reconnaissance ./reconftw.sh -d target.com -p # Review results before going active cat Recon/target.com/subdomains/subdomains.txt ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#use-rate-limiting) Use Rate Limiting Copy # In reconftw.cfg HTTPX_RATELIMIT=50 # Requests per second NUCLEI_RATELIMIT=50 FFUF_RATELIMIT=50 # Or use adaptive rate limiting ./reconftw.sh -d target.com -r --adaptive-rate ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#use-scope-files) Use Scope Files Copy # inscope.txt - Only scan these *.example.com api.example.org # outofscope.txt - Never scan these admin.example.com legacy.example.com *.internal.example.com Copy ./reconftw.sh -d example.com -r -i inscope.txt -x outofscope.txt ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#use-a-vps) Use a VPS Scanning from your personal IP: * Links activity directly to you * May get your home IP blocked * Exposes your location Instead: Copy # Use a cloud VPS (DigitalOcean, Linode, etc.) # Or use Axiom for distributed scanning ./reconftw.sh -d target.com -r -v * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#legal-framework-by-region) Legal Framework by Region ---------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#united-states) United States Law What It Covers **CFAA** (Computer Fraud and Abuse Act) Unauthorized access to computer systems **ECPA** Wiretapping and electronic surveillance State laws Vary by state **Key Points:** * "Exceeding authorized access" is a federal crime * Bug bounty policies = authorization * Always document permission ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#european-union) European Union Framework What It Covers **GDPR** Personal data handling **NIS Directive** Network security National laws Vary by country **Key Points:** * Stricter consent requirements * Data handling must comply with GDPR * Some countries require explicit contracts ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#united-kingdom) United Kingdom Law What It Covers **Computer Misuse Act 1990** Unauthorized access **GDPR UK** Data protection **Key Points:** * Even attempting unauthorized access is illegal * "With intent to commit further offences" increases penalties ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#general-international) General International * Always research local laws before testing * Consider both your location AND target's location * When in doubt, get explicit written permission * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#bug-bounty-specific-guidelines) Bug Bounty Specific Guidelines -------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#before-testing) Before Testing 1. **Read the policy completely** * Safe harbor language * Scope (domains, IPs, applications) * Out-of-scope items * Prohibited actions 2. **Note exclusions** (common ones): * DoS/DDoS testing * Social engineering * Physical attacks * Third-party services * Rate limit abuse 3. **Check asset types**: * Some exclude certain subdomains * API vs web app rules may differ * Mobile apps often have different rules ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#during-testing) During Testing Copy # Respect rate limits ./reconftw.sh -d target.com -r -q 30 # 30 req/sec max # Stay in scope ./reconftw.sh -d target.com -r -x outofscope.txt # Use passive first ./reconftw.sh -d target.com -p # Then review before -r ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#what-not-to-do) What NOT to Do ❌ Don't Why Test without reading policy Different programs, different rules Ignore scope Instant ban risk Chain to access other data May cross legal lines Store sensitive data GDPR/privacy issues Share findings publicly Violates responsible disclosure Test production during peak hours May cause outages * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#data-handling) Data Handling ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#what-reconftw-collects) What reconFTW Collects Data Type Location Sensitivity Subdomains `subdomains/` Low URLs `webs/` Low-Medium Emails `osint/emails.txt` Medium Leaked passwords `osint/passwords.txt` **High** Vulnerabilities `vulns/` **High** Screenshots `screenshots/` Medium ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#security-practices) Security Practices Copy # 1. Protect secrets.cfg chmod 600 secrets.cfg # 2. Don't commit sensitive files # .gitignore already includes: # - secrets.cfg # - Recon/ # 3. Encrypt sensitive results tar czf results.tar.gz Recon/target.com/ gpg -c results.tar.gz # 4. Secure deletion when done srm -r Recon/target.com/ # Or use shred ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#reporting-guidelines) Reporting Guidelines When you find vulnerabilities: 1. **Don't access more than necessary** to prove the bug 2. **Don't exfiltrate data** beyond proof 3. **Document everything** (timestamps, commands, evidence) 4. **Report promptly** through official channels 5. **Wait for authorization** before public disclosure * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#incident-response) Incident Response ------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#if-you-find-critical-data) If You Find Critical Data Copy 1. STOP further testing immediately 2. Document what you accessed (screenshot, timestamp) 3. Report through fastest channel available 4. Do NOT share with anyone else 5. Securely delete any copies ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#if-something-breaks) If Something Breaks Copy 1. STOP scanning immediately 2. Document what happened (command run, time, error) 3. Contact emergency point immediately 4. Preserve evidence of authorization 5. Do NOT try to "fix" anything on target ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#if-you-receive-a-cease-and-desist) If You Receive a Cease & Desist Copy 1. STOP all testing immediately 2. Preserve all documentation of authorization 3. Do NOT delete anything 4. Contact legal counsel 5. Respond professionally * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#vps-and-infrastructure-opsec) VPS and Infrastructure OPSEC ---------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#recommended-setup) Recommended Setup Copy # Use cloud VPS, not home IP # Provider: DigitalOcean, Linode, Vultr, Hetzner # Change hostname to something neutral hostnamectl set-hostname scanner-01 # Use separate VPS per engagement (if possible) ### [hashtag](https://docs.reconftw.com/guides/opsec-legal#what-not-to-do-1) What NOT to Do ❌ Don't ✅ Do Instead Scan from home IP Use cloud VPS Reuse VPS across clients Fresh instance per engagement Store results on VPS long-term Download and destroy Use personal accounts Create engagement-specific accounts * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#quick-reference-safe-scanning-checklist) Quick Reference: Safe Scanning Checklist --------------------------------------------------------------------------------------------------------------------------------------------- Copy ## Before Scan - [ ] Authorization documented - [ ] Scope file ready - [ ] VPS configured - [ ] Rate limits set - [ ] Start with passive mode ## During Scan - [ ] Monitor for errors - [ ] Stay in scope - [ ] Respect rate limits - [ ] Watch for critical findings ## After Scan - [ ] Review all findings - [ ] Report vulnerabilities - [ ] Secure/delete sensitive data - [ ] Document for records * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#additional-resources) Additional Resources ------------------------------------------------------------------------------------------------------ * [**EFF Know Your Rights**arrow-up-right](https://www.eff.org/issues/cfaa) - CFAA information * [**HackerOne Policy Guidelines**arrow-up-right](https://www.hackerone.com/disclosure-guidelines) - Disclosure best practices * [**Bugcrowd VRT**arrow-up-right](https://bugcrowd.com/vulnerability-rating-taxonomy) - Vulnerability classification * [**OWASP Testing Guide**arrow-up-right](https://owasp.org/www-project-web-security-testing-guide/) - Ethical testing methodology * * * [hashtag](https://docs.reconftw.com/guides/opsec-legal#tl-dr) TL;DR ------------------------------------------------------------------------ 1. **Get written permission** before any scan 2. **Start passive** (`-p`), then go active 3. **Use rate limiting** and scope files 4. **Scan from VPS**, not personal IP 5. **Report responsibly**, don't overstep 6. **When in doubt, ask** - it's better to ask than apologize * * * > **Documentation Info** Branch: `dev` | Version: `v3.0.0+` | Last updated: February 2026 [PreviousData Model & I/Ochevron-left](https://docs.reconftw.com/guides/data-model) [NextCase Studieschevron-right](https://docs.reconftw.com/guides/case-studies) Last updated 1 month ago --- # Data Model & I/O | reconftw-docs Complete reference for reconFTW's input formats and output structure. * * * [hashtag](https://docs.reconftw.com/guides/data-model#input-formats) Input Formats --------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/data-model#single-domain-d) Single Domain (-d) Copy # Standard domain ./reconftw.sh -d example.com -r # Subdomain (scans parent automatically) ./reconftw.sh -d api.example.com -r # With protocol (protocol is stripped) ./reconftw.sh -d https://example.com -r ### [hashtag](https://docs.reconftw.com/guides/data-model#domain-list-l) Domain List (-l) Copy ./reconftw.sh -l targets.txt -r **targets.txt format:** Copy example.com target.org subdomain.another.com * One domain per line * No protocols, paths, or ports * Blank lines ignored * Comments NOT supported ### [hashtag](https://docs.reconftw.com/guides/data-model#cidr-ip-range-m) CIDR/IP Range (-m) Copy ./reconftw.sh -m 192.168.1.0/24 -r Supported formats: * CIDR: `192.168.1.0/24` * Range: `192.168.1.1-255` * Single IP: `192.168.1.1` ### [hashtag](https://docs.reconftw.com/guides/data-model#scope-files) Scope Files **In-scope (-i):** Copy *.example.com api.example.com 192.168.1.0/24 **Out-of-scope (-x):** Copy admin.example.com *.internal.example.com 10.0.0.0/8 Wildcards supported: `*.example.com` matches `anything.example.com` * * * [hashtag](https://docs.reconftw.com/guides/data-model#output-directory-structure) Output Directory Structure ----------------------------------------------------------------------------------------------------------------- All results stored in `Recon//`: Copy Recon/example.com/ ├── .called_fn/ # Checkpoint markers (hidden) ├── .log/ # Execution logs (hidden) │ └── reconftw.log ├── .tmp/ # Temporary files (hidden) │ ├── subdomains/ # Subdomain enumeration results │ ├── subdomains.txt # [KEY] Final merged subdomains │ ├── subdomains_crt.txt # CT log subdomains │ ├── subdomains_passive.txt │ ├── subdomains_brute.txt │ ├── subdomains_permut.txt │ ├── subdomains_dnsrecords.txt # DNS record details │ └── takeover.txt # Subdomain takeover findings │ ├── webs/ # Web probing results │ ├── webs.txt # [KEY] Live HTTP/HTTPS servers │ ├── webs_all.txt # All probed URLs with metadata │ ├── webs_info.txt # Detailed web info (title, status, tech) │ └── url_extract.txt # Extracted URLs from crawling │ ├── hosts/ # Host/IP information │ ├── ips.txt # [KEY] Resolved IP addresses │ ├── cdn.txt # CDN IPs (filtered) │ ├── portscan_active.txt # Open ports │ └── portscan_active.xml # Nmap XML output │ ├── osint/ # OSINT results │ ├── dorks.txt # Google dork results │ ├── github_company_secrets.json # GitHub leaks │ ├── github_dorks.txt │ ├── emails.txt # [KEY] Discovered emails │ ├── passwords.txt # Leaked credentials │ └── metadata_results.txt # Document metadata │ ├── vulns/ # Vulnerability findings │ ├── nuclei_output.txt # Nuclei text output │ ├── nuclei_output.json # [KEY] Nuclei JSON (parseable) │ ├── xss.txt # XSS vulnerabilities │ ├── sqli.txt # SQL injection │ ├── cors.txt # CORS misconfigs │ ├── ssrf.txt # SSRF findings │ └── ... # Other vuln types │ ├── js/ # JavaScript analysis │ ├── js_livelinks.txt # Found JS files │ ├── js_secrets.txt # [KEY] Secrets in JS │ └── js_endpoints.txt # API endpoints │ ├── screenshots/ # Web screenshots │ └── *.png │ ├── fuzzing/ # Directory fuzzing │ └── fuzzing_full.txt # Discovered paths │ └── hotlist.txt # [KEY] Priority findings (risk-scored) * * * [hashtag](https://docs.reconftw.com/guides/data-model#key-output-files) Key Output Files --------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/data-model#subdomains-subdomains.txt) subdomains/subdomains.txt The master list of all discovered subdomains. Copy api.example.com www.example.com staging.example.com dev.example.com **How it's built:** 1. Passive sources (subfinder, APIs) 2. Certificate transparency (crt.sh) 3. Brute-force (if enabled) 4. Permutations (if enabled) 5. All sources merged and deduplicated ### [hashtag](https://docs.reconftw.com/guides/data-model#webs-webs.txt) webs/webs.txt Live web servers (responding HTTP/HTTPS). Copy https://www.example.com https://api.example.com http://staging.example.com:8080 **Filtering applied:** * DNS resolves ✓ * TCP connection succeeds ✓ * HTTP response received ✓ ### [hashtag](https://docs.reconftw.com/guides/data-model#webs-webs_all.txt) webs/webs\_all.txt Detailed web server information. Copy https://www.example.com [200] [Example Corp] [nginx/1.18] [text/html] https://api.example.com [401] [API Gateway] [kong/2.5] [application/json] Format: `URL [status] [title] [server] [content-type]` ### [hashtag](https://docs.reconftw.com/guides/data-model#hosts-ips.txt) hosts/ips.txt All resolved IP addresses (CDN filtered). Copy 93.184.216.34 93.184.216.35 ### [hashtag](https://docs.reconftw.com/guides/data-model#vulns-nuclei_output.json) vulns/nuclei\_output.json Machine-readable vulnerability data. Copy { "template-id": "cve-2021-44228", "name": "Log4j RCE", "severity": "critical", "host": "https://api.example.com", "matched-at": "https://api.example.com/search", "extracted-results": ["${jndi:ldap://...}"], "timestamp": "2024-01-15T10:30:00Z" } **Useful jq queries:** Copy # Get critical vulns cat nuclei_output.json | jq -r 'select(.severity=="critical")' # List unique templates triggered cat nuclei_output.json | jq -r '."template-id"' | sort -u # Count by severity cat nuclei_output.json | jq -r '.severity' | sort | uniq -c ### [hashtag](https://docs.reconftw.com/guides/data-model#hotlist.txt) hotlist.txt Risk-scored priority findings. Copy [CRITICAL] https://api.example.com/admin - nuclei:cve-2021-44228 [HIGH] staging.example.com - subdomain takeover [MEDIUM] https://www.example.com - cors misconfiguration * * * [hashtag](https://docs.reconftw.com/guides/data-model#module-input-output-matrix) Module Input/Output Matrix ----------------------------------------------------------------------------------------------------------------- Module Primary Input Key Outputs **OSINT** Domain `osint/emails.txt`, `osint/github_*.json`, `osint/dorks.txt` **Subdomains** Domain `subdomains/subdomains.txt`, `subdomains/takeover.txt` **Web Probing** Subdomains `webs/webs.txt`, `webs/webs_all.txt` **URL Collection** Live webs `webs/url_extract.txt`, `js/js_endpoints.txt` **Fuzzing** Live webs `fuzzing/fuzzing_full.txt` **Ports** IPs `hosts/portscan_active.txt`, `hosts/portscan_active.xml` **Vulns** URLs `vulns/nuclei_output.json`, `vulns/*.txt` * * * [hashtag](https://docs.reconftw.com/guides/data-model#data-flow) Data Flow ------------------------------------------------------------------------------- Copy ┌─────────────┐ │ INPUT │ │ -d / -l │ └──────┬──────┘ │ ▼ ┌─────────────────────────────────────────────────┐ │ OSINT MODULE │ │ Domain → emails, dorks, GitHub leaks │ └──────┬──────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────┐ │ SUBDOMAIN MODULE │ │ Domain → subdomains.txt (merged, deduped) │ └──────┬──────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────┐ │ WEB MODULE │ │ Subdomains → webs.txt (live servers) │ │ Live webs → URLs, JS files, screenshots │ └──────┬──────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────┐ │ HOST MODULE │ │ IPs → port scans, CDN detection │ └──────┬──────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────┐ │ VULN MODULE │ │ URLs → nuclei, XSS, SQLi, etc. │ └──────┬──────────────────────────────────────────┘ │ ▼ ┌─────────────┐ │ OUTPUT │ │ Recon/domain│ └─────────────┘ * * * [hashtag](https://docs.reconftw.com/guides/data-model#file-formats) File Formats ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/data-model#text-lists-.txt) Text Lists (.txt) One item per line, no headers: Copy item1 item2 item3 ### [hashtag](https://docs.reconftw.com/guides/data-model#json-output-.json) JSON Output (.json) NDJSON format (one JSON object per line): Copy {"host":"example.com","finding":"vuln1"} {"host":"example.org","finding":"vuln2"} ### [hashtag](https://docs.reconftw.com/guides/data-model#xml-output-.xml) XML Output (.xml) Standard Nmap XML for port scans: Copy
### [hashtag](https://docs.reconftw.com/guides/data-model#csv-output) CSV Output Some tools output CSV (httpx with custom flags): Copy url,status_code,title,tech https://example.com,200,Example,nginx * * * [hashtag](https://docs.reconftw.com/guides/data-model#checkpoint-system) Checkpoint System ----------------------------------------------------------------------------------------------- The `.called_fn/` directory tracks completed functions. ### [hashtag](https://docs.reconftw.com/guides/data-model#how-it-works) How It Works Copy # After sub_passive() completes: ls Recon/example.com/.called_fn/ # sub_passive # After more functions: # sub_passive sub_brute webprobe_simple ### [hashtag](https://docs.reconftw.com/guides/data-model#resuming-scans) Resuming Scans If interrupted, reconFTW skips completed functions: Copy # Scan interrupted at 50% ./reconftw.sh -d example.com -r # Resumes from where it stopped ### [hashtag](https://docs.reconftw.com/guides/data-model#force-re-run) Force Re-run Copy # Delete specific checkpoint rm Recon/example.com/.called_fn/nuclei_check # Delete all checkpoints (full re-scan) rm -rf Recon/example.com/.called_fn/ * * * [hashtag](https://docs.reconftw.com/guides/data-model#log-files) Log Files ------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/data-model#main-log) Main Log `Recon//.log/reconftw.log` Copy [2024-01-15 10:30:00] [INFO] Starting reconnaissance for example.com [2024-01-15 10:30:05] [INFO] Running sub_passive [2024-01-15 10:35:00] [INFO] sub_passive found 150 subdomains [2024-01-15 10:35:01] [INFO] Running sub_brute [2024-01-15 10:45:00] [ERROR] nuclei timeout on https://slow.example.com ### [hashtag](https://docs.reconftw.com/guides/data-model#debug-mode) Debug Mode Copy DEBUG=true ./reconftw.sh -d example.com -r Outputs verbose tool commands and intermediate results. * * * [hashtag](https://docs.reconftw.com/guides/data-model#aggregated-outputs) Aggregated Outputs ------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/data-model#assets.jsonl) assets.jsonl Machine-readable asset inventory: Copy {"type":"subdomain","value":"api.example.com","source":"subfinder"} {"type":"url","value":"https://api.example.com/v1","source":"katana"} {"type":"vulnerability","value":"cve-2021-44228","host":"api.example.com"} ### [hashtag](https://docs.reconftw.com/guides/data-model#html-report-with-ai) HTML Report (with AI) When using `-y/--ai`: Copy Recon/example.com/ └── report.html # AI-generated summary report * * * [hashtag](https://docs.reconftw.com/guides/data-model#integration-exports) Integration Exports --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/data-model#faraday) Faraday Automatic import when configured: * Nuclei JSON → Faraday vulnerabilities * Host info → Faraday hosts * Services → Faraday services ### [hashtag](https://docs.reconftw.com/guides/data-model#custom-export) Custom Export Copy # Export to CSV cat vulns/nuclei_output.json | jq -r '[.host, .severity, ."template-id"] | @csv' # Export subdomains for other tools cat subdomains/subdomains.txt | httpx -silent > live.txt * * * [hashtag](https://docs.reconftw.com/guides/data-model#common-data-operations) Common Data Operations --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/guides/data-model#find-all-critical-vulns) Find All Critical Vulns Copy cat Recon/*/vulns/nuclei_output.json | jq -r 'select(.severity=="critical")' ### [hashtag](https://docs.reconftw.com/guides/data-model#merge-results-from-multiple-scans) Merge Results from Multiple Scans Copy # Merge subdomains cat Recon/*/subdomains/subdomains.txt | sort -u > all_subs.txt # Merge vulnerabilities cat Recon/*/vulns/nuclei_output.json > all_vulns.json ### [hashtag](https://docs.reconftw.com/guides/data-model#generate-statistics) Generate Statistics Copy # Count subdomains per domain for d in Recon/*/; do echo "$(basename $d): $(wc -l < $d/subdomains/subdomains.txt)" done # Vulnerability summary cat Recon/*/vulns/nuclei_output.json | jq -r '.severity' | sort | uniq -c * * * [hashtag](https://docs.reconftw.com/guides/data-model#storage-requirements) Storage Requirements ----------------------------------------------------------------------------------------------------- Approximate disk usage per scan: Target Size Storage Small (<100 subs) 50-200 MB Medium (100-1K subs) 200-500 MB Large (1K-10K subs) 500 MB - 2 GB Massive (10K+ subs) 2-10 GB **Space-heavy components:** * Screenshots (~500KB each) * Fuzzing results (large wordlists) * Full port scan XML **Cleanup command:** Copy # Remove temporary files rm -rf Recon/example.com/.tmp/ * * * > **Documentation Info** Branch: `dev` | Version: `v3.0.0+` | Last updated: February 2026 [PreviousPerformance Tuningchevron-left](https://docs.reconftw.com/guides/tuning) [NextOPSEC & Legalchevron-right](https://docs.reconftw.com/guides/opsec-legal) Last updated 1 month ago --- # Case Studies | reconftw-docs Real-world examples of reconFTW in action. * * * [hashtag](https://docs.reconftw.com/guides/case-studies#case-study-1-bug-bounty-new-program-launch) Case Study 1: Bug Bounty - New Program Launch ------------------------------------------------------------------------------------------------------------------------------------------------------ **Scenario:** A new bug bounty program launched with `*.target.com` in scope. Goal is to find vulnerabilities quickly before other hunters. ### [hashtag](https://docs.reconftw.com/guides/case-studies#target-profile) Target Profile * **Scope:** `*.target.com` (wildcard) * **Size:** Unknown (new program) * **Time:** 4 hours before others catch up * **Goal:** Quick wins - subdomain takeovers, exposed panels, known CVEs ### [hashtag](https://docs.reconftw.com/guides/case-studies#configuration) Configuration Copy # Custom config: bounty-rush.cfg # Fast subdomain enumeration SUBBRUTE=false # Skip brute-force (time-consuming) SUBPERMUTE=false # Skip permutations SUBIAPERMUTE=false # Essential web checks only WEBPROBESIMPLE=true WEBPROBEFULL=false # Skip detailed probing # Priority vulnerability checks NUCLEICHECK=true NUCLEI_SEVERITY="critical,high" # Only high-impact SUBTAKEOVER=true # Quick wins # Skip slow modules FUZZ=false XSS=false SQLI=false SSRF_CHECKS=false ### [hashtag](https://docs.reconftw.com/guides/case-studies#execution) Execution Copy # Phase 1: Quick passive recon (15 minutes) ./reconftw.sh -d target.com -p # Review subdomains found wc -l Recon/target.com/subdomains/subdomains.txt # 847 subdomains # Phase 2: Fast vulnerability scan (2 hours) ./reconftw.sh -d target.com -r -f bounty-rush.cfg --adaptive-rate # Phase 3: Check results immediately cat Recon/target.com/subdomains/takeover.txt cat Recon/target.com/vulns/nuclei_output.json | jq -r 'select(.severity=="critical")' ### [hashtag](https://docs.reconftw.com/guides/case-studies#results) Results Finding Severity File Location Subdomain takeover on `old.target.com` High `subdomains/takeover.txt` Exposed Jenkins on `ci.target.com` Critical `vulns/nuclei_output.json` S3 bucket listing Medium `osint/cloud_enum.txt` 3 exposed admin panels High `vulns/nuclei_output.json` **Time to first finding:** 23 minutes (subdomain takeover) ### [hashtag](https://docs.reconftw.com/guides/case-studies#key-takeaways) Key Takeaways 1. **Passive first** - Always run `-p` before full recon 2. **Skip slow modules** - Brute-force can wait 3. **Focus on quick wins** - Takeovers, panels, known CVEs 4. **Review as you go** - Don't wait for full scan to complete * * * [hashtag](https://docs.reconftw.com/guides/case-studies#case-study-2-security-assessment-enterprise-client) Case Study 2: Security Assessment - Enterprise Client ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Scenario:** Contracted for a security assessment of a Fortune 500 company. Need full coverage with minimal disruption. ### [hashtag](https://docs.reconftw.com/guides/case-studies#target-profile-1) Target Profile * **Scope:** `corp.example.com` + IP range `10.0.0.0/8` (internal) * **Size:** Large enterprise (~5,000 subdomains expected) * **Time:** 1 week engagement * **Goal:** Complete asset inventory, all vulnerabilities documented ### [hashtag](https://docs.reconftw.com/guides/case-studies#pre-engagement-setup) Pre-Engagement Setup Copy # Create scope files echo "*.corp.example.com" > scope-in.txt echo "*.internal.example.com" >> scope-in.txt echo "vpn.corp.example.com" > scope-out.txt echo "mail.corp.example.com" >> scope-out.txt ### [hashtag](https://docs.reconftw.com/guides/case-studies#configuration-1) Configuration Copy # Custom config: enterprise-assessment.cfg # Thorough enumeration SUBBRUTE=true subs_wordlist="${tools}/subdomains_n0kovo_big.txt" SUBPERMUTE=true SUBIAPERMUTE=true # All web checks WEBPROBESIMPLE=true WEBPROBEFULL=true SCREENSHOT=true # Full vulnerability assessment NUCLEICHECK=true NUCLEI_SEVERITY="critical,high,medium" FUZZ=true XSS=true SQLI=true SSRF_CHECKS=true CORS=true # Rate limiting (be respectful) HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=100 ADAPTIVE_RATE_LIMIT=true # Save everything PORTSCANNER=true PORTSCAN_ACTIVE=true ### [hashtag](https://docs.reconftw.com/guides/case-studies#execution-plan) Execution Plan **Day 1-2: Reconnaissance** Copy # External reconnaissance ./reconftw.sh -d corp.example.com -r \ -i scope-in.txt -x scope-out.txt \ -f enterprise-assessment.cfg # OSINT deep dive ./reconftw.sh -d corp.example.com -n # OSINT only **Day 3-4: Vulnerability Assessment** Copy # Full vulnerability scan ./reconftw.sh -d corp.example.com -a \ -i scope-in.txt -x scope-out.txt \ -f enterprise-assessment.cfg # Review and prioritize cat Recon/corp.example.com/vulns/nuclei_output.json | \ jq -r 'select(.severity=="critical")' > critical_findings.json **Day 5: Deep Dive on Findings** Copy # Re-scan specific high-value targets ./reconftw.sh -d api.corp.example.com -a --deep # Manual verification of critical findings ### [hashtag](https://docs.reconftw.com/guides/case-studies#results-summary) Results Summary Category Count Files Subdomains 4,892 `subdomains/subdomains.txt` Live web servers 1,247 `webs/webs.txt` Open ports 8,432 `hosts/portscan_active.txt` Critical vulns 12 `vulns/nuclei_output.json` High vulns 47 `vulns/nuclei_output.json` Medium vulns 183 `vulns/nuclei_output.json` Email addresses 234 `osint/emails.txt` GitHub secrets 8 `osint/github_company_secrets.json` **Notable Findings:** * Exposed Kubernetes dashboard (critical) * Default credentials on 3 admin panels * SQL injection in legacy application * 2 subdomain takeover possibilities * 8 hardcoded API keys in public GitHub repos ### [hashtag](https://docs.reconftw.com/guides/case-studies#deliverable-generation) Deliverable Generation Copy # Export all critical/high findings cat Recon/corp.example.com/vulns/nuclei_output.json | \ jq -r 'select(.severity=="critical" or .severity=="high") | [.host, .severity, ."template-id", .name] | @csv' > findings.csv # Generate AI report ./reconftw.sh -d corp.example.com -y --ai-report full ### [hashtag](https://docs.reconftw.com/guides/case-studies#key-takeaways-1) Key Takeaways 1. **Scope files are essential** - Prevent accidental out-of-scope testing 2. **Rate limiting** - Enterprise WAFs will block aggressive scans 3. **OSINT is gold** - GitHub secrets often provide initial access vectors 4. **Document everything** - Use `--deep` on interesting assets * * * [hashtag](https://docs.reconftw.com/guides/case-studies#case-study-3-red-team-distributed-scanning-with-axiom) Case Study 3: Red Team - Distributed Scanning with Axiom ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Scenario:** Red team engagement against a large organization. Need to enumerate quickly across multiple regions without attribution. ### [hashtag](https://docs.reconftw.com/guides/case-studies#target-profile-2) Target Profile * **Scope:** `bigcorp.com` and all subsidiaries * **Size:** Very large (10,000+ subdomains estimated) * **Time:** 48 hours for initial recon * **Goal:** Complete external footprint, identify entry points ### [hashtag](https://docs.reconftw.com/guides/case-studies#infrastructure-setup) Infrastructure Setup Copy # Launch Axiom fleet (20 instances across regions) axiom-fleet reconftw -i 20 --regions nyc1,lon1,sgp1,ams3 # Verify fleet axiom-ls ### [hashtag](https://docs.reconftw.com/guides/case-studies#configuration-2) Configuration Copy # Custom config: redteam-distributed.cfg # Aggressive enumeration (fleet handles load) SUBBRUTE=true SUBPERMUTE=true SUBRECURSIVE=true SUB_RECURSIVE_BRUTE=true # Full web checks WEBPROBESIMPLE=true WEBPROBEFULL=true # All vulnerability checks NUCLEICHECK=true NUCLEI_SEVERITY="critical,high,medium,low" FUZZ=true XSS=true SQLI=true # Axiom configuration AXIOM=true AXIOM_FLEET_NAME="reconftw" AXIOM_FLEET_COUNT=20 AXIOM_FLEET_SHUTDOWN=false # Keep for multiple scans ### [hashtag](https://docs.reconftw.com/guides/case-studies#execution-1) Execution Copy # Create target list cat << EOF > targets.txt bigcorp.com subsidiary1.com subsidiary2.com acquired-company.com EOF # Launch distributed scan ./reconftw.sh -l targets.txt -a -v -f redteam-distributed.cfg ### [hashtag](https://docs.reconftw.com/guides/case-studies#monitoring-progress) Monitoring Progress Copy # Watch fleet activity axiom-exec 'ps aux | grep -E "(nuclei|httpx|subfinder)"' -f reconftw # Check intermediate results axiom-exec 'wc -l /tmp/subdomains.txt' -f reconftw # Pull partial results axiom-scp 'reconftw*:/home/op/Recon' ./partial_results/ -f reconftw ### [hashtag](https://docs.reconftw.com/guides/case-studies#results-1) Results **Scan completed in:** 14 hours (vs estimated 72 hours single-machine) Target Subdomains Web Servers Critical High bigcorp.com 8,234 2,847 8 34 subsidiary1.com 1,892 623 3 12 subsidiary2.com 945 312 1 8 acquired-company.com 2,134 892 6 23 **Total** **13,205** **4,674** **18** **77** **Entry Points Identified:** 1. Exposed Citrix gateway (CVE-2023-XXXX) 2. Password spraying vector (O365 enumeration) 3. VPN with default credentials 4. Subdomain takeover → potential phishing vector 5. API key leaked in JS files → internal API access ### [hashtag](https://docs.reconftw.com/guides/case-studies#cost-analysis) Cost Analysis Copy Fleet: 20 × $0.03/hr × 14 hours = $8.40 Total scan cost: Under $10 for massive reconnaissance ### [hashtag](https://docs.reconftw.com/guides/case-studies#post-scan-cleanup) Post-Scan Cleanup Copy # Merge all results axiom-scp 'reconftw*:/home/op/Recon' ./final_results/ -f reconftw # Shutdown fleet axiom-rm 'reconftw*' -f ### [hashtag](https://docs.reconftw.com/guides/case-studies#key-takeaways-2) Key Takeaways 1. **Axiom is cost-effective** - Massive scans for dollars, not hours 2. **Regional distribution** - Avoids geo-blocking 3. **Keep fleet alive** - Reuse for multiple targets 4. **Merge results carefully** - Use provided merge scripts * * * [hashtag](https://docs.reconftw.com/guides/case-studies#case-study-4-continuous-monitoring-ci-cd-integration) Case Study 4: Continuous Monitoring - CI/CD Integration -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Scenario:** Security team wants automated weekly scans of all company assets with alerts for new findings. ### [hashtag](https://docs.reconftw.com/guides/case-studies#setup) Setup **Weekly cron job:** Copy # /etc/cron.d/reconftw-weekly 0 2 * * 0 /opt/reconftw/scripts/weekly_scan.sh **Scan script:** Copy #!/bin/bash # weekly_scan.sh TARGETS="/opt/targets/company_domains.txt" CONFIG="/opt/reconftw/configs/weekly.cfg" OUTPUT="/opt/recon_results/$(date +%Y-%m-%d)" # Run scan cd /opt/reconftw ./reconftw.sh -l "$TARGETS" -r -f "$CONFIG" -o "$OUTPUT" # Generate diff from last week ./scripts/diff_results.sh "$OUTPUT" "$LAST_WEEK" # Send notification ./scripts/notify.sh "$OUTPUT/diff_report.txt" ### [hashtag](https://docs.reconftw.com/guides/case-studies#configuration-3) Configuration Copy # weekly.cfg - Balanced for regular monitoring # Standard enumeration SUBBRUTE=false # Passive only for regular scans SUBPERMUTE=false # Web checks WEBPROBESIMPLE=true SCREENSHOT=true # Vulnerability focus NUCLEICHECK=true NUCLEI_SEVERITY="critical,high" SUBTAKEOVER=true # Notifications SLACK_WEBHOOK="https://hooks.slack.com/services/XXX" NOTIFY=true NOTIFY_CONFIG="${tools}/notify-config.yaml" ### [hashtag](https://docs.reconftw.com/guides/case-studies#diff-script) Diff Script Copy #!/bin/bash # diff_results.sh NEW=$1 OLD=$2 echo "=== New Subdomains ===" > "$NEW/diff_report.txt" comm -23 <(sort "$NEW/subdomains/subdomains.txt") \ <(sort "$OLD/subdomains/subdomains.txt") >> "$NEW/diff_report.txt" echo -e "\n=== New Vulnerabilities ===" >> "$NEW/diff_report.txt" diff "$OLD/vulns/nuclei_output.json" "$NEW/vulns/nuclei_output.json" \ | grep "^>" >> "$NEW/diff_report.txt" ### [hashtag](https://docs.reconftw.com/guides/case-studies#alert-output) Alert Output Copy 🔔 Weekly Recon Report - 2024-01-15 === New Subdomains (12) === new-api.company.com staging2.company.com ... === New Vulnerabilities (3) === [CRITICAL] api.company.com - CVE-2024-XXXX [HIGH] staging.company.com - exposed-admin [HIGH] new-api.company.com - default-credentials Full report: /opt/recon_results/2024-01-15/ ### [hashtag](https://docs.reconftw.com/guides/case-studies#key-takeaways-3) Key Takeaways 1. **Passive for monitoring** - Brute-force only for initial scans 2. **Diff is everything** - Focus on changes, not full results 3. **Alert on severity** - Critical/High only for notifications 4. **Archive results** - Keep history for trend analysis * * * [hashtag](https://docs.reconftw.com/guides/case-studies#quick-reference-scenario-configuration) Quick Reference: Scenario → Configuration ---------------------------------------------------------------------------------------------------------------------------------------------- Scenario Mode Key Flags Config Changes Bug bounty rush `-p` then `-r` `--adaptive-rate` Disable slow modules Enterprise assessment `-a` `-i`, `-x`, `-f` Rate limiting, thorough Red team (distributed) `-a -v` `--vps` Axiom fleet config CI/CD monitoring `-r` `-o`, `-f` Passive only, notifications Quick triage `-p` None Default passive Deep dive (single target) `-a --deep` None Enable everything * * * > **Documentation Info** Branch: `dev` | Version: `v3.0.0+` | Last updated: February 2026 [PreviousOPSEC & Legalchevron-left](https://docs.reconftw.com/guides/opsec-legal) [NextTroubleshootingchevron-right](https://docs.reconftw.com/help/troubleshooting) Last updated 1 month ago --- # Troubleshooting | reconftw-docs This guide covers common issues, their causes, and solutions when running reconFTW. * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#installation-issues) Installation Issues ------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/help/troubleshooting#go-not-found) Go Not Found **Symptom:** Copy go: command not found **Solution:** Copy # Install Go wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz # Add to PATH echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc source ~/.bashrc # Verify go version * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#permission-denied) Permission Denied **Symptom:** Copy bash: ./reconftw.sh: Permission denied **Solution:** Copy chmod +x reconftw.sh chmod +x install.sh * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#macos-homebrew-issues) macOS Homebrew Issues **Symptom:** Copy sed: illegal option -- r **Cause:** macOS uses BSD sed, not GNU sed. **Solution:** Copy # Install GNU tools brew install coreutils gnu-sed findutils grep # Add to PATH (add to ~/.zshrc or ~/.bashrc) export PATH="/opt/homebrew/opt/coreutils/libexec/gnubin:$PATH" export PATH="/opt/homebrew/opt/gnu-sed/libexec/gnubin:$PATH" export PATH="/opt/homebrew/opt/findutils/libexec/gnubin:$PATH" export PATH="/opt/homebrew/opt/grep/libexec/gnubin:$PATH" * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#python-dependency-conflicts) Python Dependency Conflicts **Symptom:** Copy ERROR: pip's dependency resolver does not support... **Solution:** Copy # Create virtual environment python3 -m venv ~/reconftw-venv source ~/reconftw-venv/bin/activate # Install dependencies pip install -r requirements.txt * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#tool-installation-failures) Tool Installation Failures **Symptom:** Copy go install: module not found **Solution:** Copy # Check Go proxy settings go env GOPROXY # Reset to default go env -w GOPROXY=https://proxy.golang.org,direct # Retry installation go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#runtime-errors) Runtime Errors -------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/help/troubleshooting#no-domain-provided) No Domain Provided **Symptom:** Copy Error: No domain provided **Solution:** Copy # Provide domain with -d flag ./reconftw.sh -d example.com -r # Or use target list with -l flag ./reconftw.sh -l targets.txt -r * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#tool-not-found) Tool Not Found **Symptom:** Copy subfinder: command not found **Solution:** Copy # Check if tool exists which subfinder # If missing, install manually go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest # Verify Go bin in PATH echo $PATH | grep -q "$HOME/go/bin" || export PATH=$PATH:$HOME/go/bin # Run tool check ./reconftw.sh --check-tools * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#memory-issues-oom) Memory Issues (OOM) **Symptom:** Copy Killed or Copy Out of memory **Solution:** Copy # Reduce thread counts in reconftw.cfg HTTPX_THREADS=20 KATANA_THREADS=10 FFUF_THREADS=10 DALFOX_THREADS=50 # Add swap space sudo fallocate -l 4G /swapfile sudo chmod 600 /swapfile sudo mkswap /swapfile sudo swapon /swapfile * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#disk-space-issues) Disk Space Issues **Symptom:** Copy No space left on device **Solution:** Copy # Check disk usage df -h # Find large files du -sh Recon/* # Clean old scans rm -rf Recon/old-target/ # Clean temp files rm -rf Recon/*/.tmp/* * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#config-file-not-found) Config File Not Found **Symptom:** Copy Config file not found **Solution:** Copy # Check config exists ls -la reconftw.cfg # Create from example cp reconftw.cfg.example reconftw.cfg # Or specify path ./reconftw.sh -d example.com -r -f /path/to/reconftw.cfg * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#performance-issues) Performance Issues ---------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/help/troubleshooting#slow-scans) Slow Scans **Causes and Solutions:** 1. **Too many subdomains:** Copy # Use DEEP mode limits DEEP_LIMIT=500 DEEP_LIMIT2=1500 2. **DNS resolution slow:** Copy # Use validated resolvers dnsvalidator -tL resolvers.txt -threads 100 -o valid_resolvers.txt 3. **Rate limiting by target:** Copy # Reduce rate limits HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=50 4. **Network latency:** Copy # Use VPS closer to target # Enable connection reuse * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#high-cpu-usage) High CPU Usage **Solution:** Copy # Reduce parallel threads HTTPX_THREADS=20 KATANA_THREADS=10 RESOLVE_DOMAINS_THREADS=80 # Use nice to lower priority nice -n 10 ./reconftw.sh -d example.com -r * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#rate-limiting-429-errors) Rate Limiting (429 Errors) **Symptom:** Copy Too Many Requests 429 **Solution:** Copy # Reduce rate limits HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=50 # Enable adaptive rate limiting ./reconftw.sh -d example.com -r --adaptive-rate # Use global rate limit ./reconftw.sh -d example.com -r -q 50 * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#axiom-issues) Axiom Issues ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/help/troubleshooting#fleet-wont-start) Fleet Won't Start **Symptom:** Copy Error: Failed to launch fleet **Solutions:** 1. **Check cloud credentials:** Copy axiom-configure 2. **Check API limits:** Copy # DigitalOcean doctl account get # Check droplet limits doctl account ratelimit 3. **Check available images:** Copy axiom-images ls 4. **Rebuild image:** Copy axiom-build default * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#ssh-connection-issues) SSH Connection Issues **Symptom:** Copy ssh: connect to host ... port 22: Connection refused **Solutions:** 1. **Regenerate SSH keys:** Copy axiom-init --regenerate 2. **Check security groups:** Copy # Ensure port 22 is open # Check cloud provider firewall 3. **Wait for instance:** Copy # Instances may take 1-2 minutes to be ready sleep 120 axiom-ls * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#resolver-problems-on-fleet) Resolver Problems on Fleet **Symptom:** Copy DNS resolution failing on fleet **Solution:** Copy # Upload resolvers to fleet axiom-scp resolvers.txt "reconftw*":/home/op/lists/ # Update resolver config axiom-exec "cat /home/op/lists/resolvers.txt | head -5" * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#output-issues) Output Issues ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/help/troubleshooting#empty-results) Empty Results **Possible Causes:** 1. **Scope too restrictive:** Copy # Check scope files cat inscope.txt cat outofscope.txt 2. **Target doesn't exist:** Copy # Verify domain dig example.com 3. **All tools failed:** Copy # Check logs cat Recon/example.com/.log/*.log | grep -i error 4. **API keys missing:** Copy # Verify secrets.cfg cat secrets.cfg * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#missing-files) Missing Files **Symptom:** Files expected but not present in output. **Solutions:** 1. **Check if function ran:** Copy ls Recon/example.com/.called_fn/ 2. **Check logs for errors:** Copy grep -i "error\|fail" Recon/example.com/.log/*.log 3. **Rerun specific function:** Copy rm Recon/example.com/.called_fn/nuclei_check ./reconftw.sh -d example.com -c nuclei_check * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#corrupted-output) Corrupted Output **Symptom:** Copy unexpected EOF parse error **Solution:** Copy # Clear temp files rm -rf Recon/example.com/.tmp/* # Clear checkpoints rm -rf Recon/example.com/.called_fn/* # Rescan ./reconftw.sh -d example.com -r * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#api-key-issues) API Key Issues -------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/help/troubleshooting#invalid-api-key) Invalid API Key **Symptom:** Copy 401 Unauthorized API key invalid **Solution:** Copy # Verify key in secrets.cfg grep SHODAN secrets.cfg # Test key directly curl "https://api.shodan.io/api-info?key=YOUR_KEY" * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#rate-limited-by-api) Rate Limited by API **Symptom:** Copy Rate limit exceeded Too many requests **Solution:** Copy # Wait and retry sleep 3600 # Wait 1 hour # Use multiple API keys (if allowed) # Reduce parallel requests * * * ### [hashtag](https://docs.reconftw.com/help/troubleshooting#missing-api-keys) Missing API Keys **Symptom:** Copy Warning: SHODAN_API_KEY not set **Solution:** Copy # Edit secrets.cfg nano secrets.cfg # Add keys SHODAN_API_KEY="your_key_here" GITHUB_TOKEN="your_token_here" * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#common-fixes) Common Fixes ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/help/troubleshooting#clear-cache) Clear Cache Copy # Clear all cache rm -rf Recon/example.com/.tmp/* rm -rf Recon/example.com/.cache/* ### [hashtag](https://docs.reconftw.com/help/troubleshooting#update-resolvers) Update Resolvers Copy # Download fresh resolvers wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt # Validate dnsvalidator -tL resolvers.txt -threads 100 -o valid_resolvers.txt # Update config cp valid_resolvers.txt ~/.config/reconftw/resolvers.txt ### [hashtag](https://docs.reconftw.com/help/troubleshooting#reinstall-tools) Reinstall Tools Copy # Reinstall all tools ./install.sh # Or update specific tool go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest ### [hashtag](https://docs.reconftw.com/help/troubleshooting#reset-checkpoints) Reset Checkpoints Copy # Reset all (full rescan) rm -rf Recon/example.com/.called_fn/ # Reset specific function rm Recon/example.com/.called_fn/function_name ### [hashtag](https://docs.reconftw.com/help/troubleshooting#check-logs) Check Logs Copy # Main log cat Recon/example.com/.log/reconftw.log # Error log cat Recon/example.com/.log/errors.log # Live monitoring tail -f Recon/example.com/.log/reconftw.log * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#diagnostic-commands) Diagnostic Commands ------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/help/troubleshooting#system-check) System Check Copy # Check all tools ./reconftw.sh --check-tools # System health ./reconftw.sh --health-check # Show version git rev-parse --abbrev-ref HEAD git describe --tags 2>/dev/null || git rev-parse --short HEAD ### [hashtag](https://docs.reconftw.com/help/troubleshooting#resource-check) Resource Check Copy # Memory free -h # Disk df -h # CPU nproc cat /proc/cpuinfo | grep "model name" | head -1 ### [hashtag](https://docs.reconftw.com/help/troubleshooting#network-check) Network Check Copy # DNS resolution dig example.com # HTTP connectivity curl -I https://example.com # Check resolvers cat resolvers.txt | head -5 | xargs -I {} dig @{} example.com * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#getting-help) Getting Help ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/help/troubleshooting#community-resources) Community Resources * **GitHub Issues:** https://github.com/six2dez/reconftw/issues * **Discord:** \[Link to Discord\] * **Twitter:** @six2dez ### [hashtag](https://docs.reconftw.com/help/troubleshooting#reporting-bugs) Reporting Bugs Include: 1. reconFTW version: `git rev-parse --abbrev-ref HEAD` and `git describe --tags 2>/dev/null || git rev-parse --short HEAD` 2. OS version: `cat /etc/os-release` 3. Error message (full) 4. Steps to reproduce 5. Relevant log sections ### [hashtag](https://docs.reconftw.com/help/troubleshooting#feature-requests) Feature Requests Use GitHub Issues with `[FEATURE]` prefix. * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#error-code-reference) Error Code Reference -------------------------------------------------------------------------------------------------------- Code Meaning 0 Success 1 General error 2 Invalid argument 3 Tool not found 4 Configuration error 5 Network error 6 Permission denied 7 Disk full 8 Memory exhausted * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#quick-reference) Quick Reference ---------------------------------------------------------------------------------------------- Issue Quick Fix Tool not found `./install.sh` Empty results Check API keys in secrets.cfg Slow scan Reduce THREADS in config 429 errors Reduce RATELIMIT values OOM Add swap, reduce threads Resume scan Just run same command again Full rescan Delete `.called_fn/` directory * * * [hashtag](https://docs.reconftw.com/help/troubleshooting#next-steps) Next Steps ------------------------------------------------------------------------------------ * [**Getting Started**](https://docs.reconftw.com/getting-started/getting-started) - Fresh installation * [**Configuration**](https://docs.reconftw.com/configuration/configuration) - Optimize settings * [**Advanced Usage**](https://docs.reconftw.com/advanced/advanced) - Power user features [PreviousCase Studieschevron-left](https://docs.reconftw.com/guides/case-studies) Last updated 1 month ago --- # Modules Overview | reconftw-docs reconFTW is organized into specialized modules, each handling a specific phase of reconnaissance. This page provides an overview and quick navigation to each module's detailed documentation. * * * [hashtag](https://docs.reconftw.com/modules#module-architecture) Module Architecture ----------------------------------------------------------------------------------------- Copy ┌─────────────────────────────────────────────────────────────────────┐ │ reconFTW Module System │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ │ │ │ Target │ │ │ │ Input │ │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Intelligence gathering │ │ │ OSINT │────▶ Dorks, emails, metadata, leaks │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Asset discovery │ │ │ Subdomains │────▶ Passive, brute, permutations, takeover │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Infrastructure analysis │ │ │ Hosts │────▶ Ports, CDN, WAF, geolocation │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Web application analysis │ │ │ Web Analysis │────▶ Probing, screenshots, JS, fuzzing │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Security testing │ │ │Vulnerabilities│───▶ Nuclei, XSS, SQLi, SSRF, etc. │ │ └──────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ * * * [hashtag](https://docs.reconftw.com/modules#module-summary) Module Summary ------------------------------------------------------------------------------- Module Functions Primary Tools Output Directory [OSINT](https://docs.reconftw.com/modules/osint) 12 theHarvester, gitdorker, trufflehog `osint/` [Subdomains](https://docs.reconftw.com/modules/subdomains) 17 subfinder, amass, puredns, dnsx `subdomains/` [Hosts](https://docs.reconftw.com/modules/hosts) 6 nmap, smap, cdncheck, wafw00f `hosts/` [Web Analysis](https://docs.reconftw.com/modules/web-analysis) 17 httpx, katana, ffuf, gowitness `webs/`, `fuzzing/`, `js/` [Vulnerabilities](https://docs.reconftw.com/modules/vulnerabilities) 18 nuclei, dalfox, sqlmap, ssrf-sheriff `vulns/` * * * [hashtag](https://docs.reconftw.com/modules#osint-module) OSINT Module --------------------------------------------------------------------------- **Purpose:** Gather intelligence about the target organization without direct interaction. **Key Capabilities:** * Google dorking for sensitive files * GitHub secret scanning * Email harvesting * Document metadata extraction * Cloud storage enumeration * API leak detection **When to use:** At the beginning of an engagement for initial intelligence gathering. ➡️ [**Full OSINT Documentation**](https://docs.reconftw.com/modules/osint) * * * [hashtag](https://docs.reconftw.com/modules#subdomains-module) Subdomains Module ------------------------------------------------------------------------------------- **Purpose:** Discover all subdomains associated with the target domain. **Key Capabilities:** * Passive enumeration (40+ sources) * Certificate Transparency logs * DNS brute-forcing * Permutation generation * Recursive enumeration * Subdomain takeover detection **When to use:** After OSINT, to map the attack surface. ➡️ [**Full Subdomains Documentation**](https://docs.reconftw.com/modules/subdomains) * * * [hashtag](https://docs.reconftw.com/modules#hosts-module) Hosts Module --------------------------------------------------------------------------- **Purpose:** Analyze infrastructure behind discovered assets. **Key Capabilities:** * Port scanning (passive + active) * CDN detection and filtering * WAF identification * IP geolocation * Favicon-based IP discovery **When to use:** After subdomain enumeration, to understand infrastructure. ➡️ [**Full Hosts Documentation**](https://docs.reconftw.com/modules/hosts) * * * [hashtag](https://docs.reconftw.com/modules#web-analysis-module) Web Analysis Module ----------------------------------------------------------------------------------------- **Purpose:** Analyze web applications and discover endpoints. **Key Capabilities:** * HTTP probing and status detection * Screenshot capture * URL extraction from archives * JavaScript analysis for secrets * Directory/file fuzzing * Technology detection **When to use:** After identifying live web servers. ➡️ [**Full Web Analysis Documentation**](https://docs.reconftw.com/modules/web-analysis) * * * [hashtag](https://docs.reconftw.com/modules#vulnerabilities-module) Vulnerabilities Module ----------------------------------------------------------------------------------------------- **Purpose:** Identify security vulnerabilities in discovered assets. **Key Capabilities:** * Template-based scanning (Nuclei) * XSS testing * SQL injection detection * SSRF testing * CORS misconfiguration * SSL/TLS analysis * And many more... **When to use:** Final phase, after mapping all assets. ➡️ [**Full Vulnerabilities Documentation**](https://docs.reconftw.com/modules/vulnerabilities) * * * [hashtag](https://docs.reconftw.com/modules#module-execution-order) Module Execution Order ----------------------------------------------------------------------------------------------- In a full scan (`-a` flag), modules execute in this order: Copy 1. OSINT → Intelligence gathering 2. Subdomains → Asset discovery 3. Hosts → Infrastructure analysis 4. Web Analysis → Application mapping 5. Vulnerabilities → Security testing Each module builds on the previous one's output, creating a full reconnaissance pipeline. * * * [hashtag](https://docs.reconftw.com/modules#enabling-disabling-modules) Enabling/Disabling Modules ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/modules#via-configuration) Via Configuration Copy # In reconftw.cfg OSINT=true SUBDOMAINS_GENERAL=true PORTSCANNER=true WEBPROBESIMPLE=true WEBPROBEFULL=true NUCLEICHECK=true # Use VULNS_GENERAL=true if you want to enable the full vulnerability module by config ### [hashtag](https://docs.reconftw.com/modules#via-command-line) Via Command Line Copy # Run only specific modules ./reconftw.sh -d example.com -s # Subdomains only ./reconftw.sh -d example.com -n # OSINT only ./reconftw.sh -d example.com -w # Web analysis only # Custom function selection ./reconftw.sh -d example.com -c sub_passive ./reconftw.sh -d example.com -c webprobe_simple * * * [hashtag](https://docs.reconftw.com/modules#module-dependencies) Module Dependencies ----------------------------------------------------------------------------------------- Some modules depend on outputs from others: Copy OSINT ─────────────────────────────────────┐ │ Subdomains ───────┬────────────────────────┤ │ │ ▼ │ Hosts ───────────────────────┤ │ │ ▼ │ Web Analysis ───────────────────┤ │ │ ▼ │ Vulnerabilities ◄────────────────┘ * * * [hashtag](https://docs.reconftw.com/modules#next-steps) Next Steps ----------------------------------------------------------------------- Choose a module to explore in detail: * [**OSINT Module**](https://docs.reconftw.com/modules/osint) - Start with intelligence gathering * [**Subdomains Module**](https://docs.reconftw.com/modules/subdomains) - Discover your attack surface * [**Hosts Module**](https://docs.reconftw.com/modules/hosts) - Understand the infrastructure * [**Web Analysis Module**](https://docs.reconftw.com/modules/web-analysis) - Map web applications * [**Vulnerabilities Module**](https://docs.reconftw.com/modules/vulnerabilities) - Find security issues [PreviousConfiguration Referencechevron-left](https://docs.reconftw.com/configuration/configuration) [NextOSINT Modulechevron-right](https://docs.reconftw.com/modules/osint) Last updated 1 month ago --- # Introduction | reconftw-docs ![](https://docs.reconftw.com/~gitbook/image?url=https%3A%2F%2F4002482909-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FaI11LZxKJyqTqfArwVL8%252Fuploads%252FZhQq6d6DzeYrt4QjaqTi%252Fimage.png%3Falt%3Dmedia%26token%3Db688113d-d113-4775-82d9-9757619fc02c&width=768&dpr=3&quality=100&sign=15985712&sv=2) **Automated Reconnaissance Framework** [GitHubarrow-up-right](https://github.com/six2dez/reconftw) • [Twitterarrow-up-right](https://twitter.com/Six2dez1) • [Discordarrow-up-right](https://discord.gg/R5DdXVEdTy) • [Telegramarrow-up-right](https://t.me/joinchat/H5bAaw3YbzzmI5co) * * * [hashtag](https://docs.reconftw.com/welcome#welcome-to-reconftw) Welcome to reconFTW ----------------------------------------------------------------------------------------- **reconFTW** is a modular reconnaissance automation framework designed for security researchers, penetration testers, and bug bounty hunters. It orchestrates 80+ security tools to perform full reconnaissance on your targets, from subdomain enumeration to vulnerability scanning. ### [hashtag](https://docs.reconftw.com/welcome#why-reconftw) Why reconFTW? Feature Description 🔄 **Automated Workflow** Complete reconnaissance pipeline with a single command 🧩 **Modular Design** Enable/disable any module or function as needed **Distributed Scanning** Scale with [Axiom](https://docs.reconftw.com/integrations/axiom) across cloud infrastructure **Structured Output** Organized results with multiple export formats 🔧 **Highly Configurable** 300+ configuration options for fine-tuning 🔄 **Incremental Scans** Only scan new findings since last run 🤖 **AI Integration** Generate executive reports with local AI models ### [hashtag](https://docs.reconftw.com/welcome#what-can-reconftw-do) What Can reconFTW Do? Copy ┌─────────────────────────────────────────────────────────────────┐ │ reconFTW Capabilities │ ├─────────────────────────────────────────────────────────────────┤ │ OSINT │ Google dorks, GitHub secrets, metadata, │ │ │ email harvesting, API leaks, cloud enum, │ │ │ leaked credentials, S3 buckets │ ├──────────────────┼──────────────────────────────────────────────┤ │ Subdomains │ 10+ passive sources, DNS bruteforce, │ │ │ permutations (AI-powered), recursive enum, │ │ │ CT logs, scraping, zone transfer, takeover │ ├──────────────────┼──────────────────────────────────────────────┤ │ Web Analysis │ HTTP probing, screenshots, JS secrets, │ │ │ URL extraction, directory fuzzing, CMS, │ │ │ virtual hosts, parameters, GraphQL, gRPC │ ├──────────────────┼──────────────────────────────────────────────┤ │ Vulnerabilities │ Nuclei templates, XSS, SQLi, SSRF, LFI, │ │ │ SSTI, CORS, CRLF, command injection, │ │ │ prototype pollution, 403 bypass, smuggling │ ├──────────────────┼──────────────────────────────────────────────┤ │ Host Analysis │ Port scanning (nmap/naabu), CDN detection, │ │ │ WAF fingerprinting, geolocation, banners │ ├──────────────────┼──────────────────────────────────────────────┤ │ Automation │ Checkpoint/resume system, incremental scans, │ │ │ notifications (Slack/Discord/Telegram), │ │ │ Axiom distributed scanning, AI reports │ └─────────────────────────────────────────────────────────────────┘ * * * [hashtag](https://docs.reconftw.com/welcome#quick-start) Quick Start ------------------------------------------------------------------------- Copy # Install reconFTW git clone https://github.com/six2dez/reconftw.git cd reconftw ./install.sh # Run your first scan ./reconftw.sh -d example.com -r # Full scan with vulnerabilities ./reconftw.sh -d example.com -a * * * [hashtag](https://docs.reconftw.com/welcome#documentation-overview) Documentation Overview ----------------------------------------------------------------------------------------------- This documentation is organized to help you get the most out of reconFTW: ### [hashtag](https://docs.reconftw.com/welcome#for-beginners) 📚 For Beginners 1. [**First 30 Minutes**](https://docs.reconftw.com/welcome/first-30-minutes) - Quick start guide to get scanning 2. [**Getting Started**](https://docs.reconftw.com/getting-started/getting-started) - Installation and setup 3. [**Concepts**](https://docs.reconftw.com/understanding-reconftw/concepts) - Understanding how reconFTW works 4. [**Usage Guide**](https://docs.reconftw.com/usage/usage) - All command-line options explained ### [hashtag](https://docs.reconftw.com/welcome#for-configuration) 🔧 For Configuration 1. [**Configuration**](https://docs.reconftw.com/configuration/configuration) - Deep dive into reconftw.cfg 2. [**Modules**](https://docs.reconftw.com/modules/05-modules) - Detailed documentation for each module 3. [**Tools Reference**](https://docs.reconftw.com/tools-reference/tools) - All 80+ integrated tools ### [hashtag](https://docs.reconftw.com/welcome#for-results) 📊 For Results 1. [**Output Interpretation**](https://docs.reconftw.com/output/output) - Understanding your results 2. [**Data Model & I/O**](https://docs.reconftw.com/guides/data-model) - Complete input/output reference 3. [**Integrations**arrow-up-right](https://github.com/six2dez/reconftw-docs/blob/main/08-integrations/README.md) - Axiom and Faraday setup ### [hashtag](https://docs.reconftw.com/welcome#for-advanced-users) For Advanced Users 1. [**Deployment**](https://docs.reconftw.com/deployment/deployment) - Docker, Terraform, VPS, CI/CD 2. [**Performance Tuning**](https://docs.reconftw.com/guides/tuning) - Optimize for speed and target size 3. [**Case Studies**](https://docs.reconftw.com/guides/case-studies) - Real-world usage examples 4. [**Advanced Usage**](https://docs.reconftw.com/advanced/advanced) - Custom functions and optimization 5. [**Troubleshooting**](https://docs.reconftw.com/help/troubleshooting) - Common issues and solutions ### [hashtag](https://docs.reconftw.com/welcome#legal-and-security) ⚖️ Legal & Security 1. [**OPSEC & Legal**](https://docs.reconftw.com/guides/opsec-legal) - Stay safe and authorized * * * [hashtag](https://docs.reconftw.com/welcome#scan-modes-at-a-glance) Scan Modes at a Glance ----------------------------------------------------------------------------------------------- Mode Flag Description Use Case **Recon** `-r` Full reconnaissance Standard bug bounty recon **Subdomains** `-s` Subdomain enumeration only Quick subdomain discovery **Passive** `-p` Passive reconnaissance Stealth/non-intrusive **All** `-a` Full recon + vulnerabilities Full assessment **Web** `-w` Web analysis only Analyze known URLs **OSINT** `-n` OSINT gathering only Intelligence gathering **Custom** `-c` Run custom function Advanced workflows **Zen** `-z` Minimal output mode Clean terminal output * * * [hashtag](https://docs.reconftw.com/welcome#legal-and-opsec) ⚠️ Legal & OPSEC ---------------------------------------------------------------------------------- > **IMPORTANT**: reconFTW is designed for authorized security testing only. ### [hashtag](https://docs.reconftw.com/welcome#authorization-checklist) Authorization Checklist Before running any scan, verify: * Written permission from target owner * Defined scope (in-scope and out-of-scope assets) * Rate limits agreed upon * Testing window defined (if applicable) * Emergency contact available * NDA signed (if required) ### [hashtag](https://docs.reconftw.com/welcome#opsec-considerations) OPSEC Considerations Risk Mitigation **IP Blocking** Use VPS, rotate IPs with Axiom **WAF Detection** Start with passive mode (`-p`) **Rate Limiting** Use `--adaptive-rate` flag **Legal Issues** Always have written authorization **Data Exposure** Keep `secrets.cfg` secure, never commit ### [hashtag](https://docs.reconftw.com/welcome#legal-disclaimer) Legal Disclaimer By using this tool, you confirm that: * You have explicit written permission to test the target * You will comply with all applicable laws and regulations * You understand that unauthorized testing is illegal The developers assume no liability for misuse of this tool. **Use responsibly.** ➡️ [**Full OPSEC Guide**](https://docs.reconftw.com/understanding-reconftw/concepts#opsec-and-legal) * * * [hashtag](https://docs.reconftw.com/welcome#community-and-support) Community & Support ------------------------------------------------------------------------------------------- * **GitHub Issues**: [Report bugs or request featuresarrow-up-right](https://github.com/six2dez/reconftw/issues) * **Discord**: [Join our communityarrow-up-right](https://discord.gg/R5DdXVEdTy) * **Telegram**: [Discussion grouparrow-up-right](https://t.me/joinchat/H5bAaw3YbzzmI5co) * **Twitter**: [@Six2dez1arrow-up-right](https://twitter.com/Six2dez1) * * * [hashtag](https://docs.reconftw.com/welcome#contributing) Contributing --------------------------------------------------------------------------- reconFTW is open source and welcomes contributions! See our [Contributing Guidearrow-up-right](https://github.com/six2dez/reconftw/blob/main/CONTRIBUTING.md) for details. * * * Made with ❤️ by [six2dezarrow-up-right](https://github.com/six2dez) and the security community * * * [NextFirst 30 Minuteschevron-right](https://docs.reconftw.com/welcome/first-30-minutes) Last updated 1 month ago --- # Installation & Setup | reconftw-docs This guide will walk you through installing reconFTW, setting it up, and running your first reconnaissance scan. * * * [hashtag](https://docs.reconftw.com/getting-started#system-requirements) System Requirements ------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started#minimum-requirements) Minimum Requirements Resource Minimum Recommended **OS** Ubuntu 20.04+ / Debian 11+ / Kali Ubuntu 22.04 LTS **RAM** 4 GB 8-16 GB **Disk Space** 20 GB 50+ GB **CPU** 2 cores 4+ cores **Network** Stable internet High bandwidth ### [hashtag](https://docs.reconftw.com/getting-started#supported-operating-systems) Supported Operating Systems * ✅ **Ubuntu** 20.04, 22.04, 24.04 (Recommended) * ✅ **Debian** 11, 12 * ✅ **Kali Linux** (latest rolling) * ✅ **Parrot OS** * ✅ **macOS** 12+ (with Homebrew) * ✅ **Docker** (any platform) * ⚠️ **Windows WSL2** (experimental) ### [hashtag](https://docs.reconftw.com/getting-started#required-dependencies) Required Dependencies reconFTW will install most dependencies automatically, but these base packages are required: Copy # Ubuntu/Debian sudo apt update sudo apt install -y git curl wget python3 python3-pip ruby golang jq # macOS (via Homebrew) brew install git curl wget python@3 ruby go jq gnu-getopt coreutils gnu-sed bash * * * [hashtag](https://docs.reconftw.com/getting-started#installation-methods) Installation Methods --------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started#method-1-local-installation-recommended) Method 1: Local Installation (Recommended) This is the standard installation for Linux/macOS systems. Copy # Clone the repository git clone https://github.com/six2dez/reconftw.git cd reconftw # Run the installer (interactive) ./install.sh # Or run non-interactively (option 1 = install all) echo 1 | ./install.sh The installer will: 1. Check system requirements 2. Install Go, Rust, and Python dependencies 3. Install 80+ security tools 4. Configure PATH and environment variables 5. Download required wordlists and resolvers > **⏱️ Installation Time**: 15-45 minutes depending on internet speed and system resources. #### [hashtag](https://docs.reconftw.com/getting-started#installation-options) Installation Options When running `./install.sh`, you'll see these options: Copy Select an option: 1. Install all dependencies and tools 2. Install only tools (skip dependencies) 3. Update tools only 4. Check tool installation status ### [hashtag](https://docs.reconftw.com/getting-started#method-2-docker-installation) Method 2: Docker Installation Docker provides a consistent environment across all platforms. Copy # Pull the official image docker pull six2dez/reconftw:latest # Run a scan docker run --rm -v $(pwd)/Recon:/reconftw/Recon six2dez/reconftw:latest -d example.com -r # Interactive mode docker run -it --rm -v $(pwd)/Recon:/reconftw/Recon six2dez/reconftw:latest /bin/bash #### [hashtag](https://docs.reconftw.com/getting-started#docker-with-custom-configuration) Docker with Custom Configuration Copy # Mount your custom config docker run --rm \ -v $(pwd)/Recon:/reconftw/Recon \ -v $(pwd)/my_config.cfg:/reconftw/reconftw.cfg \ -e SHODAN_API_KEY="your_key" \ six2dez/reconftw:latest -d example.com -r #### [hashtag](https://docs.reconftw.com/getting-started#building-custom-docker-image) Building Custom Docker Image Copy cd reconftw/Docker docker build -t my-reconftw . ### [hashtag](https://docs.reconftw.com/getting-started#method-3-terraform--ansible-cloud-deployment) Method 3: Terraform + Ansible (Cloud Deployment) For deploying reconFTW on AWS or other cloud providers: Copy cd reconftw/Terraform # Configure your AWS credentials export AWS_ACCESS_KEY_ID="your_key" export AWS_SECRET_ACCESS_KEY="your_secret" # Deploy infrastructure terraform init terraform apply # Run Ansible playbook ansible-playbook -i inventory reconFTW.yml See [Deployment Guide](https://docs.reconftw.com/deployment/deployment) for detailed cloud setup. * * * [hashtag](https://docs.reconftw.com/getting-started#macos-specific-setup) macOS-Specific Setup --------------------------------------------------------------------------------------------------- macOS requires additional Homebrew packages due to BSD tool differences: Copy # Install Homebrew if not installed /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" # Install required formulae brew install bash coreutils gnu-sed gnu-getopt findutils grep # Use Homebrew's bash (required for reconFTW) # reconFTW will automatically use /opt/homebrew/bin/bash on Apple Silicon > **Note**: reconFTW automatically detects macOS and uses Homebrew GNU tools. Make sure they're installed before running. * * * [hashtag](https://docs.reconftw.com/getting-started#your-first-scan) Your First Scan ----------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started#basic-reconnaissance-scan) Basic Reconnaissance Scan Copy cd reconftw # Standard reconnaissance ./reconftw.sh -d example.com -r This will: 1. Enumerate subdomains (passive + active) 2. Probe for live web servers 3. Take screenshots 4. Extract URLs and JavaScript files 5. Run nuclei vulnerability scans 6. Generate organized output ### [hashtag](https://docs.reconftw.com/getting-started#understanding-the-output) Understanding the Output Results are saved in `Recon//`: Copy Recon/example.com/ ├── subdomains/ # Discovered subdomains │ ├── subdomains.txt # Final subdomain list │ └── ... ├── webs/ # Web server information │ ├── webs.txt # Live web servers │ └── ... ├── hosts/ # Host/IP information ├── vulns/ # Vulnerability findings ├── osint/ # OSINT results ├── screenshots/ # Web screenshots ├── nuclei_output/ # Nuclei scan results ├── .log/ # Scan logs └── .tmp/ # Temporary files ### [hashtag](https://docs.reconftw.com/getting-started#quick-scan-examples) Quick Scan Examples Copy # Subdomain enumeration only (fast) ./reconftw.sh -d example.com -s # Passive reconnaissance (non-intrusive) ./reconftw.sh -d example.com -p # Full scan with vulnerability checks ./reconftw.sh -d example.com -a # Scan from a list of domains ./reconftw.sh -l targets.txt -r # Custom output directory ./reconftw.sh -d example.com -r -o /path/to/output * * * [hashtag](https://docs.reconftw.com/getting-started#verifying-installation) Verifying Installation ------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started#check-tools-installation) Check Tools Installation Copy # Verify all tools are installed ./reconftw.sh --check-tools This displays a checklist of all required tools and their installation status. ### [hashtag](https://docs.reconftw.com/getting-started#health-check) Health Check Copy # Run system health check ./reconftw.sh --health-check The health check verifies: * All critical dependencies are installed * Required files and directories exist * Configuration is valid * Network connectivity works ### [hashtag](https://docs.reconftw.com/getting-started#dry-run-mode) Dry Run Mode Test your command without executing anything: Copy # Preview what commands would be executed ./reconftw.sh -d example.com -r --dry-run * * * [hashtag](https://docs.reconftw.com/getting-started#updating-reconftw) Updating reconFTW --------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started#update-everything) Update Everything Copy cd reconftw # Pull latest code git pull # Update all tools ./install.sh --tools ### [hashtag](https://docs.reconftw.com/getting-started#update-only-tools) Update Only Tools Copy ./install.sh --tools # Or use option 3 in interactive mode ### [hashtag](https://docs.reconftw.com/getting-started#automatic-updates-before-scans) Automatic Updates Before Scans Enable in `reconftw.cfg`: Copy upgrade_before_running=true * * * [hashtag](https://docs.reconftw.com/getting-started#post-installation-configuration) Post-Installation Configuration ------------------------------------------------------------------------------------------------------------------------- After installation, you should configure API keys for maximum effectiveness: ### [hashtag](https://docs.reconftw.com/getting-started#id-1.-create-secrets.cfg) 1\. Create secrets.cfg Copy cp secrets.cfg.example secrets.cfg chmod 600 secrets.cfg Edit `secrets.cfg`: Copy # API keys for enhanced functionality SHODAN_API_KEY="your_shodan_api_key" WHOISXML_API="your_whoisxml_api_key" XSS_SERVER="your_xss_hunter_server" COLLAB_SERVER="your_interactsh_server" ### [hashtag](https://docs.reconftw.com/getting-started#id-2.-configure-github-tokens) 2\. Configure GitHub Tokens Create `$HOME/Tools/.github_tokens` with one token per line: Copy ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ghp_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy Multiple tokens help avoid rate limiting during GitHub reconnaissance. ### [hashtag](https://docs.reconftw.com/getting-started#id-3.-verify-configuration) 3\. Verify Configuration Copy # Test with a simple scan ./reconftw.sh -d example.com -p --dry-run * * * [hashtag](https://docs.reconftw.com/getting-started#common-installation-issues) Common Installation Issues --------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/getting-started#go-not-found) "Go not found" Copy # Install Go manually wget https://go.dev/dl/go1.21.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.linux-amd64.tar.gz export PATH=$PATH:/usr/local/go/bin export GOPATH=$HOME/go export PATH=$PATH:$GOPATH/bin ### [hashtag](https://docs.reconftw.com/getting-started#permission-denied) "Permission denied" Copy # Fix permissions chmod +x reconftw.sh install.sh ### [hashtag](https://docs.reconftw.com/getting-started#tool-x-not-found) "Tool X not found" Copy # Reinstall specific tools ./install.sh --tools See [Troubleshooting](https://docs.reconftw.com/help/troubleshooting) for more solutions. * * * [hashtag](https://docs.reconftw.com/getting-started#next-steps) Next Steps ------------------------------------------------------------------------------- Now that reconFTW is installed: 1. [**Learn the concepts**](https://docs.reconftw.com/understanding-reconftw/concepts) - Understand how reconFTW works 2. [**Explore usage options**](https://docs.reconftw.com/usage/usage) - Master command-line flags 3. [**Configure settings**](https://docs.reconftw.com/configuration/configuration) - Customize for your needs 4. [**Understand output**](https://docs.reconftw.com/output/output) - Interpret your results * * * [hashtag](https://docs.reconftw.com/getting-started#quick-reference-card) Quick Reference Card --------------------------------------------------------------------------------------------------- Copy # Installation git clone https://github.com/six2dez/reconftw.git && cd reconftw && ./install.sh # Basic scans ./reconftw.sh -d target.com -r # Full recon ./reconftw.sh -d target.com -s # Subdomains only ./reconftw.sh -d target.com -p # Passive only ./reconftw.sh -d target.com -a # Full + vulns # Advanced options ./reconftw.sh -d target.com -r --deep # Deep/thorough scan ./reconftw.sh -d target.com -r -v # With Axiom (distributed) ./reconftw.sh -l targets.txt -r # Multiple targets # Maintenance ./reconftw.sh --check-tools # Verify installation ./reconftw.sh --health-check # System health ./install.sh --tools # Update tools [PreviousGlossarychevron-left](https://docs.reconftw.com/welcome/glossary) [NextConcepts & Architecturechevron-right](https://docs.reconftw.com/understanding-reconftw/concepts) Last updated 1 month ago --- # Axiom Integration | reconftw-docs > **Note**: Axiom was rebranded to "Ax Framework" but the tool and commands still use `axiom-*` naming. This documentation uses "Axiom" for consistency with the actual commands. Axiom enables distributed scanning across cloud infrastructure, speeding up reconnaissance by parallelizing workloads across multiple instances. * * * [hashtag](https://docs.reconftw.com/integrations#what-is-axiom) What is Axiom? ----------------------------------------------------------------------------------- Axiom is an infrastructure automation framework that allows you to: * **Spin up cloud instances on-demand** across multiple providers * **Distribute scanning tasks** across a fleet of machines * **Scale horizontally** for large-scale reconnaissance * **Reduce scan time** from hours to minutes * * * [hashtag](https://docs.reconftw.com/integrations#prerequisites) Prerequisites ---------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations#id-1.-axiom-installation) 1\. Axiom Installation Copy # Install axiom bash <(curl -s https://raw.githubusercontent.com/pry0cc/axiom/master/interact/axiom-configure) # Or clone and install git clone https://github.com/pry0cc/axiom ~/.axiom cd ~/.axiom && ./interact/axiom-configure ### [hashtag](https://docs.reconftw.com/integrations#id-2.-cloud-provider-setup) 2\. Cloud Provider Setup Supported providers: * DigitalOcean (recommended) * AWS * Azure * Linode * Google Cloud * Hetzner * IBM Cloud ### [hashtag](https://docs.reconftw.com/integrations#id-3.-api-keys) 3\. API Keys Configure cloud provider credentials: Copy # Run axiom configuration axiom-configure * * * [hashtag](https://docs.reconftw.com/integrations#configuration-in-reconftw) Configuration in reconFTW ---------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations#enable-axiom-mode) Enable Axiom Mode Copy # In reconftw.cfg # Enable Axiom/VPS mode AXIOM=true # Fleet configuration AXIOM_FLEET_NAME="reconftw" # Fleet identifier AXIOM_FLEET_COUNT=10 # Number of instances AXIOM_FLEET_LAUNCH=true # Auto-launch fleet AXIOM_FLEET_SHUTDOWN=true # Auto-shutdown after scan # Distributed tool settings AXIOM_THREADS=20 # Threads per instance ### [hashtag](https://docs.reconftw.com/integrations#instance-configuration) Instance Configuration Copy # Fleet instance settings AXIOM_INSTANCE_TYPE="s-1vcpu-1gb" # DigitalOcean size AXIOM_REGION="nyc1" # Deployment region AXIOM_IMAGE="axiom-default" # Base image name ### [hashtag](https://docs.reconftw.com/integrations#resolver-configuration) Resolver Configuration Copy # Resolvers for distributed scanning AXIOM_RESOLVERS_PATH="/home/op/lists/resolvers.txt" * * * [hashtag](https://docs.reconftw.com/integrations#running-with-axiom) Running with Axiom -------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations#basic-usage) Basic Usage Copy # Run with Axiom flag ./reconftw.sh -d example.com -a --vps # Or use -v shorthand ./reconftw.sh -d example.com -a -v ### [hashtag](https://docs.reconftw.com/integrations#what-happens) What Happens 1. **Fleet Launch:** Axiom spins up configured number of instances 2. **Tool Distribution:** Tools run across fleet in parallel 3. **Result Collection:** Results merged from all instances 4. **Fleet Shutdown:** Instances terminated (if configured) * * * [hashtag](https://docs.reconftw.com/integrations#distributed-scanning-flow) Distributed Scanning Flow ---------------------------------------------------------------------------------------------------------- Copy ┌─────────────────────────────────────────────────────────────────────┐ │ Axiom Distributed Scanning │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ │ │ │ Local Machine│ │ │ │ (reconFTW) │ │ │ └──────┬───────┘ │ │ │ │ │ │ axiom-fleet launch │ │ ▼ │ │ ┌──────────────────────────────────────────────────────┐ │ │ │ Axiom Fleet (10 instances) │ │ │ ├──────────────────────────────────────────────────────┤ │ │ │ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ │ │ │ │ │ 01 │ │ 02 │ │ 03 │ │ 04 │ │ 05 │ │ │ │ │ └────┘ └────┘ └────┘ └────┘ └────┘ │ │ │ │ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ │ │ │ │ │ 06 │ │ 07 │ │ 08 │ │ 09 │ │ 10 │ │ │ │ │ └────┘ └────┘ └────┘ └────┘ └────┘ │ │ │ └──────────────────────────────────────────────────────┘ │ │ │ │ │ │ axiom-scan (distribute tasks) │ │ ▼ │ │ ┌──────────────────────────────────────────────────────┐ │ │ │ Each instance processes portion of targets: │ │ │ │ - Instance 01: subdomains 1-1000 │ │ │ │ - Instance 02: subdomains 1001-2000 │ │ │ │ - ... │ │ │ └──────────────────────────────────────────────────────┘ │ │ │ │ │ │ Results merged │ │ ▼ │ │ ┌──────────────┐ │ │ │ Local Machine│ │ │ │ (combined │ │ │ │ results) │ │ │ └──────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ * * * [hashtag](https://docs.reconftw.com/integrations#tools-with-axiom-support) Tools with Axiom Support -------------------------------------------------------------------------------------------------------- reconFTW distributes these tools across the fleet: Tool Distribution Type Notes subfinder Target split Each instance handles subset httpx Target split URL probing distributed nuclei Target split Vulnerability scanning ffuf Target split Directory fuzzing dnsx Target split DNS resolution nmap Target split Port scanning katana Target split Web crawling dalfox Target split XSS testing * * * [hashtag](https://docs.reconftw.com/integrations#fleet-management) Fleet Management ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations#manual-fleet-control) Manual Fleet Control Copy # Launch fleet axiom-fleet reconftw -i 10 # Check fleet status axiom-ls # SSH to specific instance axiom-ssh reconftw01 # Execute command on all instances axiom-exec "nuclei -update-templates" # Shutdown fleet axiom-rm "reconftw*" -f ### [hashtag](https://docs.reconftw.com/integrations#fleet-lifecycle) Fleet Lifecycle Copy # In reconftw.cfg # Auto-launch fleet if not running AXIOM_FLEET_LAUNCH=true # Shutdown after scan completion AXIOM_FLEET_SHUTDOWN=true # Keep fleet running for subsequent scans AXIOM_FLEET_SHUTDOWN=false * * * [hashtag](https://docs.reconftw.com/integrations#cost-optimization) Cost Optimization ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/integrations#instance-sizing) Instance Sizing Provider Instance vCPU RAM Cost/hr DigitalOcean s-1vcpu-1gb 1 1GB $0.007 DigitalOcean s-2vcpu-2gb 2 2GB $0.018 AWS t3.micro 2 1GB $0.012 Linode g6-nanode-1 1 1GB $0.0075 ### [hashtag](https://docs.reconftw.com/integrations#cost-estimation) Cost Estimation Copy Fleet: 10 instances × $0.007/hr = $0.07/hr Scan duration: 2 hours Total cost: ~$0.14 per scan ### [hashtag](https://docs.reconftw.com/integrations#best-practices) Best Practices 1. **Use smallest viable instance:** 1GB RAM sufficient for most tools 2. **Auto-shutdown:** Enable `AXIOM_FLEET_SHUTDOWN=true` 3. **Spot instances:** Use when available for 60-90% savings 4. **Regional pricing:** Some regions cheaper than others * * * [hashtag](https://docs.reconftw.com/integrations#resolver-management) Resolver Management ---------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations#upload-custom-resolvers) Upload Custom Resolvers Copy # Upload resolvers to fleet axiom-scp resolvers.txt "reconftw*":/home/op/lists/ # Or use built-in resolver update axiom-exec "dnsvalidator -tL public-resolvers.txt -threads 100 -o resolvers.txt" ### [hashtag](https://docs.reconftw.com/integrations#configuration) Configuration Copy # In reconftw.cfg RESOLVERS_TRUSTED="/home/op/lists/resolvers_trusted.txt" RESOLVERS="/home/op/lists/resolvers.txt" # On fleet AXIOM_RESOLVERS_PATH="/home/op/lists/resolvers.txt" * * * [hashtag](https://docs.reconftw.com/integrations#troubleshooting) Troubleshooting -------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations#fleet-wont-start) Fleet Won't Start Copy # Check cloud provider credentials axiom-configure # Verify API key doctl auth init # DigitalOcean aws configure # AWS # Check available images axiom-images ls ### [hashtag](https://docs.reconftw.com/integrations#ssh-connection-issues) SSH Connection Issues Copy # Regenerate SSH keys axiom-init --regenerate # Manual SSH test ssh -i ~/.axiom/.sshkey root@ ### [hashtag](https://docs.reconftw.com/integrations#tools-not-running) Tools Not Running Copy # Update tools on fleet axiom-exec "axiom-build tools" # Verify tool installation axiom-exec "which nuclei" ### [hashtag](https://docs.reconftw.com/integrations#result-merge-failures) Result Merge Failures Copy # Check disk space axiom-exec "df -h" # Manual result collection axiom-scp "reconftw*":/home/op/recon/results.txt ./results/ * * * [hashtag](https://docs.reconftw.com/integrations#advanced-configuration) Advanced Configuration ---------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/integrations#custom-axiom-image) Custom Axiom Image Copy # Build custom image with all tools axiom-build reconftw --install-tools # Use custom image AXIOM_IMAGE="reconftw-image" ### [hashtag](https://docs.reconftw.com/integrations#per-tool-distribution) Per-Tool Distribution Copy # Override distribution for specific tools AXIOM_SUBFINDER_DISTRIBUTE=true AXIOM_NUCLEI_DISTRIBUTE=true AXIOM_HTTPX_DISTRIBUTE=true ### [hashtag](https://docs.reconftw.com/integrations#scan-modules) Scan Modules Copy # reconFTW Axiom modules in modules/axiom.sh # Functions prefixed with axiom_* axiom_launch # Launch fleet axiom_shutdown # Terminate fleet axiom_selected # Run tool on fleet axiom_exec # Execute command * * * [hashtag](https://docs.reconftw.com/integrations#example-workflows) Example Workflows ------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/integrations#large-target-list) Large Target List Copy # Scan 10,000 subdomains with 20-instance fleet AXIOM_FLEET_COUNT=20 ./reconftw.sh -l targets_10k.txt -a -v ### [hashtag](https://docs.reconftw.com/integrations#bug-bounty-program) Bug Bounty Program Copy # Weekly automated scan ./reconftw.sh -d target.com -a -v --incremental ### [hashtag](https://docs.reconftw.com/integrations#red-team-assessment) Red Team Assessment Copy # Quick initial recon AXIOM_FLEET_COUNT=5 ./reconftw.sh -d target.com -r -v * * * [hashtag](https://docs.reconftw.com/integrations#security-considerations) Security Considerations ------------------------------------------------------------------------------------------------------ 1. **Instance isolation:** Each scan uses fresh instances 2. **Credential management:** Cloud keys never touch targets 3. **Data cleanup:** Results removed from instances 4. **Network isolation:** Use private networking when possible 5. **Audit logging:** Enable cloud provider audit logs * * * [hashtag](https://docs.reconftw.com/integrations#next-steps) Next Steps ---------------------------------------------------------------------------- * [**Faraday Integration**](https://docs.reconftw.com/integrations/faraday) - Vulnerability management * [**Deployment Guide**](https://docs.reconftw.com/deployment/deployment) - VPS setup [PreviousOutput Interpretationchevron-left](https://docs.reconftw.com/output/output) [NextFaraday Integrationchevron-right](https://docs.reconftw.com/integrations/faraday) Last updated 1 month ago --- # Configuration Reference | reconftw-docs > **Documentation for reconFTW** `**dev**` **branch** | Variables match `reconftw.cfg` This guide provides a complete reference for reconFTW's configuration file (`reconftw.cfg`), covering every option with detailed explanations. * * * [hashtag](https://docs.reconftw.com/configuration#configuration-files-overview) Configuration Files Overview ----------------------------------------------------------------------------------------------------------------- reconFTW uses several configuration files: File Purpose Git Tracked `reconftw.cfg` Main configuration ✅ Yes `secrets.cfg` API keys and tokens ❌ No (gitignored) `custom_config.cfg` User overrides (optional) ❌ No ### [hashtag](https://docs.reconftw.com/configuration#load-order) Load Order 1. `reconftw.cfg` is loaded first (defaults) 2. `secrets.cfg` is sourced if it exists (API keys) 3. Custom config via `-f` flag overrides all * * * [hashtag](https://docs.reconftw.com/configuration#general-settings) General Settings ----------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration#tool-paths) Tool Paths Copy # Path where tools are installed tools=$HOME/Tools # Auto-detected script path (don't change) SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" ### [hashtag](https://docs.reconftw.com/configuration#shell-configuration) Shell Configuration Copy # Detected shell profile (.bashrc, .zshrc, etc.) profile_shell=".$(basename "${SHELL:-/bin/bash}")rc" ### [hashtag](https://docs.reconftw.com/configuration#version-information) Version Information Copy # Auto-detected from git reconftw_version="$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags)" ### [hashtag](https://docs.reconftw.com/configuration#resolver-settings) Resolver Settings Copy # Generate custom resolvers with dnsvalidator generate_resolvers=false # Fetch resolvers from trickest before scanning update_resolvers=true # Resolver URLs resolvers_url="https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt" resolvers_trusted_url="https://gist.githubusercontent.com/six2dez/.../trusted_resolvers.txt" **When to change:** * Set `generate_resolvers=true` for custom resolver validation (slower but more accurate) * Set `update_resolvers=false` if you maintain your own resolver list ### [hashtag](https://docs.reconftw.com/configuration#proxy-settings) Proxy Settings Copy # HTTP proxy for tools that support it proxy_url="http://127.0.0.1:8080/" # Enable proxy usage PROXY=false **Usage:** Set `PROXY=true` to route web requests through Burp Suite or similar proxy. ### [hashtag](https://docs.reconftw.com/configuration#golang-configuration) Golang Configuration Copy install_golang=true # Install Go if not found export GOROOT="/usr/local/go" # Go installation path export GOPATH="$HOME/go" # Go workspace ### [hashtag](https://docs.reconftw.com/configuration#update-settings) Update Settings Copy upgrade_tools=true # Allow tool updates upgrade_before_running=false # Update tools before each scan ### [hashtag](https://docs.reconftw.com/configuration#output-settings) Output Settings Copy # Custom output directory (uncomment to enable) #dir_output=/custom/output/path # Log executed commands (verbose, may contain sensitive data) SHOW_COMMANDS=false ### [hashtag](https://docs.reconftw.com/configuration#disk-space-check) Disk Space Check Copy # Minimum required disk space in GB (0 to disable) MIN_DISK_SPACE_GB=0 * * * [hashtag](https://docs.reconftw.com/configuration#api-keys-and-tokens) API Keys and Tokens ----------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration#environment-variables-preferred) Environment Variables (Preferred) Set these in your shell or `secrets.cfg`: Copy # Shodan API for passive port scanning SHODAN_API_KEY="your_shodan_api_key" # WhoisXML API for domain lookups WHOISXML_API="your_whoisxml_api_key" # Blind XSS callback server XSS_SERVER="https://your.xss.hunter" # SSRF/OOB callback server COLLAB_SERVER="https://your.interact.sh" # Slack notifications slack_channel="C0XXXXXXXXX" slack_auth="xoxb-xxxxx-xxxxx-xxxxx" ### [hashtag](https://docs.reconftw.com/configuration#secrets.cfg-file) secrets.cfg File Create from the example: Copy cp secrets.cfg.example secrets.cfg chmod 600 secrets.cfg # Restrict permissions Edit `secrets.cfg`: Copy # API Keys SHODAN_API_KEY="abc123..." WHOISXML_API="xyz789..." # Callback servers XSS_SERVER="https://xss.example.com" COLLAB_SERVER="https://interact.example.com" # Notifications slack_channel="C0XXXXXXXXX" slack_auth="xoxb-..." ### [hashtag](https://docs.reconftw.com/configuration#token-files) Token Files Copy # GitHub tokens (one per line for rate limit distribution) GITHUB_TOKENS=${tools}/.github_tokens # GitLab tokens GITLAB_TOKENS=${tools}/.gitlab_tokens **Create GitHub tokens file:** Copy cat > $HOME/Tools/.github_tokens << EOF ghp_token1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx ghp_token2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx ghp_token3xxxxxxxxxxxxxxxxxxxxxxxxxxxxx EOF chmod 600 $HOME/Tools/.github_tokens * * * [hashtag](https://docs.reconftw.com/configuration#module-toggles) Module Toggles ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration#osint-module) OSINT Module Copy OSINT=true # Master toggle for OSINT module GOOGLE_DORKS=true # Google dorking GITHUB_DORKS=true # GitHub secret searching GITHUB_REPOS=true # GitHub repository analysis METADATA=true # Document metadata extraction EMAILS=true # Email harvesting DOMAIN_INFO=true # WHOIS lookups IP_INFO=true # IP reverse lookup and geolocation API_LEAKS=true # Postman/Swagger leak detection THIRD_PARTIES=true # Third-party misconfiguration checks SPOOF=true # Domain spoofing checks MAIL_HYGIENE=true # SPF/DMARC analysis CLOUD_ENUM=true # Cloud storage enumeration METAFINDER_LIMIT=20 # Max documents to analyze (max 250) ### [hashtag](https://docs.reconftw.com/configuration#subdomain-module) Subdomain Module Copy SUBDOMAINS_GENERAL=true # Master toggle for subdomain module SUBPASSIVE=true # Passive enumeration (APIs, CT logs) SUBCRT=true # Certificate transparency search CTR_LIMIT=999999 # Max CT results DNS_TIME_FENCE_DAYS=0 # Filter CT results to last N days (0=disabled) DEEP_WILDCARD_FILTER=false # Multi-level wildcard detection EXCLUDE_SENSITIVE=false # Skip gov/mil/edu domains SUBNOERROR=false # DNS NOERROR response checking SUBANALYTICS=true # Google Analytics correlation SUBBRUTE=true # DNS bruteforcing SUBSCRAPING=true # Web scraping for subdomains SUBPERMUTE=true # DNS permutations SUBIAPERMUTE=true # AI-powered permutations SUBREGEXPERMUTE=true # Regex-based permutations SUBTAKEOVER=true # Subdomain takeover checks SUB_RECURSIVE_PASSIVE=false # Recursive passive (uses many API queries) DEEP_RECURSIVE_PASSIVE=10 # Top N subdomains for recursion SUB_RECURSIVE_BRUTE=false # Recursive bruteforce (disk/time intensive) ZONETRANSFER=true # DNS zone transfer checks S3BUCKETS=true # S3 bucket misconfiguration checks REVERSE_IP=false # Reverse IP lookups (enable for IP/CIDR targets) INSCOPE=false # Apply inscope filtering #### [hashtag](https://docs.reconftw.com/configuration#dns_time_fence_days) DNS\_TIME\_FENCE\_DAYS Filters Certificate Transparency (crt.sh) results to certificates issued within the last N days. Copy DNS_TIME_FENCE_DAYS=90 # Only certificates from last 90 days DNS_TIME_FENCE_DAYS=0 # Disabled (default) - return all results **Why use this:** * CT logs contain historical certificates, including expired and decommissioned domains * Old certificates often point to infrastructure that no longer exists * Setting to 90 days typically reduces noise by 20-40% while keeping relevant results #### [hashtag](https://docs.reconftw.com/configuration#deep_wildcard_filter) DEEP\_WILDCARD\_FILTER Enables iterative wildcard detection at all subdomain levels, not just the root. Copy DEEP_WILDCARD_FILTER=true # Enable multi-level wildcard detection DEEP_WILDCARD_FILTER=false # Standard wildcard detection only (default) **How it works:** 1. Extracts unique parent domains from resolved subdomains 2. Generates random probe hostname for each parent (e.g., `a1b2c3d4.api.example.com`) 3. If random probe resolves, parent is a wildcard 4. Filters all subdomains under detected wildcard parents 5. Repeats up to 5 iterations to catch nested wildcards **Why use this:** * Enterprise targets often have deep wildcards (e.g., `*.na45.salesforce.com`) * Standard detection only checks `*.example.com` * Removes 50-80% false positives on enterprise infrastructure * Detected wildcards saved to `subdomains/wildcards_detected.txt` #### [hashtag](https://docs.reconftw.com/configuration#exclude_sensitive) EXCLUDE\_SENSITIVE Prevents scanning domains that match patterns in `config/sensitive_domains.txt`. Copy EXCLUDE_SENSITIVE=true # Skip sensitive domains EXCLUDE_SENSITIVE=false # Scan all domains (default) **Excluded patterns include:** * Government: `*.gov`, `*.gob.*`, `*.gouv.*` * Military: `*.mil`, `*.defense.*` * Educational: `*.edu`, `*.ac.*` * Financial: `*.bank`, `*.banking.*` * Critical infrastructure: `*.nhs.*`, `*.hospital.*`, `*.police.*` **Why use this:** * Legal protection when scanning wildcard scopes * Prevents accidental contact with sensitive infrastructure * Patterns can be customized in `config/sensitive_domains.txt` ### [hashtag](https://docs.reconftw.com/configuration#permutation-settings) Permutation Settings Copy # Permutation tool: "gotator" (deeper) or "ripgen" (faster) PERMUTATIONS_OPTION=gotator # Gotator flags GOTATOR_FLAGS=" -depth 1 -numbers 3 -mindup -adv -md" ### [hashtag](https://docs.reconftw.com/configuration#tls-port-discovery) TLS Port Discovery Copy # Ports to check for TLS certificates TLS_PORTS="21,22,25,80,110,135,143,261,443,465,563,587,636,853,990,993,995,..." ### [hashtag](https://docs.reconftw.com/configuration#web-detection-module) Web Detection Module Copy WEBPROBESIMPLE=true # Probe ports 80/443 WEBPROBEFULL=true # Probe uncommon web ports WEBSCREENSHOT=true # Capture screenshots VIRTUALHOSTS=false # Virtual host fuzzing (slower) # Uncommon web ports to probe UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,..." ### [hashtag](https://docs.reconftw.com/configuration#host-module) Host Module Copy FAVICON=true # Favicon-based IP discovery PORTSCANNER=true # Port scanning module GEO_INFO=true # IP geolocation PORTSCAN_PASSIVE=true # Shodan passive port scan PORTSCAN_ACTIVE=true # Nmap active port scan CDN_IP=true # CDN detection # Nmap options PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners" ### [hashtag](https://docs.reconftw.com/configuration#web-analysis-module) Web Analysis Module Copy WAF_DETECTION=true # WAF detection NUCLEICHECK=true # Nuclei vulnerability scanning URL_CHECK=true # URL collection URL_CHECK_PASSIVE=true # Passive URL collection (archives) URL_CHECK_ACTIVE=true # Active URL crawling URL_GF=true # URL pattern matching URL_EXT=true # File extension sorting JSCHECKS=true # JavaScript analysis FUZZ=true # Directory fuzzing IIS_SHORTNAME=true # IIS shortname scanning CMS_SCANNER=true # CMS detection WORDLIST=true # Custom wordlist generation ROBOTSWORDLIST=true # Robots.txt historical analysis PASSWORD_DICT=true # Password dictionary generation PASSWORD_MIN_LENGTH=5 # Min password length PASSWORD_MAX_LENGTH=14 # Max password length GRAPHQL_CHECK=true # GraphQL endpoint detection GQLSPECTION=false # Deep GraphQL introspection PARAM_DISCOVERY=true # Parameter discovery with Arjun GRPC_SCAN=false # gRPC reflection probing ### [hashtag](https://docs.reconftw.com/configuration#vulnerability-module) Vulnerability Module Copy VULNS_GENERAL=false # Master toggle for vuln scanning XSS=true # XSS testing CORS=true # CORS misconfiguration TEST_SSL=true # SSL/TLS analysis OPEN_REDIRECT=true # Open redirect detection SSRF_CHECKS=true # SSRF testing CRLF_CHECKS=true # CRLF injection LFI=true # Local file inclusion SSTI=true # Server-side template injection SQLI=true # SQL injection SQLMAP=true # SQLMap testing GHAURI=false # Ghauri SQLi testing BROKENLINKS=true # Broken link detection SPRAY=true # Password spraying COMM_INJ=true # Command injection PROTO_POLLUTION=true # Prototype pollution SMUGGLING=true # HTTP request smuggling WEBCACHE=true # Web cache issues BYPASSER4XX=true # 4XX bypass attempts FUZZPARAMS=true # Parameter fuzzing ### [hashtag](https://docs.reconftw.com/configuration#nuclei-configuration) Nuclei Configuration Copy # Nuclei templates path NUCLEI_TEMPLATES_PATH="$HOME/nuclei-templates" # Severity levels to run NUCLEI_SEVERITY="info,low,medium,high,critical" # Extra arguments (exclusions, etc.) NUCLEI_EXTRA_ARGS="" # Example with exclusions: # NUCLEI_EXTRA_ARGS="-etags openssh,ssl -eid node-express-dev-env" # Standard flags NUCLEI_FLAGS="-silent -retries 2" # JS secret scanning flags NUCLEI_FLAGS_JS="-silent -tags exposure,token -severity info,low,medium,high,critical" * * * [hashtag](https://docs.reconftw.com/configuration#threading-and-rate-limits) Threading and Rate Limits ----------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration#thread-configuration) Thread Configuration Copy FFUF_THREADS=40 # Directory fuzzing HTTPX_THREADS=50 # HTTP probing HTTPX_UNCOMMONPORTS_THREADS=100 # Uncommon port probing KATANA_THREADS=20 # Web crawling BRUTESPRAY_THREADS=20 # Password spraying BRUTESPRAY_CONCURRENCE=10 # Concurrent targets DNSTAKE_THREADS=100 # DNS takeover checks DALFOX_THREADS=200 # XSS testing TLSX_THREADS=1000 # TLS certificate scanning INTERLACE_THREADS=10 # Parallel tool execution RESOLVE_DOMAINS_THREADS=150 # DNS resolution DNSVALIDATOR_THREADS=200 # Resolver validation XNLINKFINDER_DEPTH=3 # Link finder depth ARJUN_THREADS=10 # Parameter discovery ### [hashtag](https://docs.reconftw.com/configuration#rate-limits) Rate Limits Copy HTTPX_RATELIMIT=150 # HTTP requests/second NUCLEI_RATELIMIT=150 # Nuclei requests/second FFUF_RATELIMIT=0 # Fuzzing requests/second (0=unlimited) ### [hashtag](https://docs.reconftw.com/configuration#puredns-limits) PureDNS Limits Copy PUREDNS_PUBLIC_LIMIT=0 # Public resolver limit (0=unlimited) PUREDNS_TRUSTED_LIMIT=400 # Trusted resolver limit PUREDNS_WILDCARDTEST_LIMIT=30 # Wildcard detection limit PUREDNS_WILDCARDBATCH_LIMIT=1500000 # Wildcard batch size ### [hashtag](https://docs.reconftw.com/configuration#adaptive-rate-limiting) Adaptive Rate Limiting Copy ADAPTIVE_RATE_LIMIT=false # Auto-adjust on errors MIN_RATE_LIMIT=10 # Minimum rate limit MAX_RATE_LIMIT=500 # Maximum rate limit RATE_LIMIT_BACKOFF_FACTOR=0.5 # Reduce by 50% on error RATE_LIMIT_INCREASE_FACTOR=1.2 # Increase by 20% on success * * * [hashtag](https://docs.reconftw.com/configuration#timeouts) Timeouts ------------------------------------------------------------------------- Copy SUBFINDER_ENUM_TIMEOUT=180 # Subfinder timeout (minutes) CMSSCAN_TIMEOUT=3600 # CMS scan timeout (seconds) FFUF_MAXTIME=900 # Fuzzing timeout (seconds) HTTPX_TIMEOUT=10 # HTTP request timeout (seconds) HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Uncommon port timeout (seconds) PERMUTATIONS_LIMIT=21474836480 # Max permutation file size (bytes, 20GB) * * * [hashtag](https://docs.reconftw.com/configuration#wordlists) Wordlists --------------------------------------------------------------------------- Copy # Fuzzing wordlist fuzz_wordlist=${tools}/fuzz_wordlist.txt # LFI payloads lfi_wordlist=${tools}/lfi_wordlist.txt # SSTI payloads ssti_wordlist=${tools}/ssti_wordlist.txt # Subdomain wordlists subs_wordlist=${tools}/subdomains.txt subs_wordlist_big=${tools}/subdomains_n0kovo_big.txt # Resolver lists resolvers=${tools}/resolvers.txt resolvers_trusted=${tools}/resolvers_trusted.txt ### [hashtag](https://docs.reconftw.com/configuration#cloud-hunter-settings) Cloud Hunter Settings Copy # Cloud permutation depth: DEEP, NORMAL, or NONE CLOUDHUNTER_PERMUTATION=NORMAL * * * [hashtag](https://docs.reconftw.com/configuration#deep-mode-settings) DEEP Mode Settings --------------------------------------------------------------------------------------------- Copy DEEP=false # Deep scanning mode DEEP_LIMIT=500 # First auto-deep threshold DEEP_LIMIT2=1500 # Second auto-deep threshold **Behavior:** * If subdomain count < DEEP\_LIMIT, additional techniques run * If < DEEP\_LIMIT2, even more intensive techniques run * * * [hashtag](https://docs.reconftw.com/configuration#axiom-settings) Axiom Settings ------------------------------------------------------------------------------------- Copy # Axiom fleet configuration AXIOM_FLEET_LAUNCH=true # Auto-launch fleet AXIOM_FLEET_NAME="reconFTW" # Fleet name prefix AXIOM_FLEET_COUNT=10 # Number of instances AXIOM_FLEET_REGIONS="eu-central" # Cloud regions AXIOM_FLEET_SHUTDOWN=true # Auto-shutdown after scan # Resolver paths on Axiom instances AXIOM_RESOLVERS_PATH="/home/op/lists/resolvers.txt" AXIOM_RESOLVERS_TRUSTED_PATH="/home/op/lists/resolvers_trusted.txt" # Post-start script (optional) #AXIOM_POST_START="~/Tools/axiom_config.sh" # Extra arguments AXIOM_EXTRA_ARGS="" * * * [hashtag](https://docs.reconftw.com/configuration#faraday-settings) Faraday Settings ----------------------------------------------------------------------------------------- Copy FARADAY=false # Enable Faraday integration FARADAY_SERVER="http://localhost:5985" FARADAY_USER="faraday" FARADAY_PASS="FARADAY_PASSWORD" FARADAY_WORKSPACE="reconftw" * * * [hashtag](https://docs.reconftw.com/configuration#ai-settings) AI Settings ------------------------------------------------------------------------------- Copy AI_MODEL="llama3:8b" # AI model to use AI_REPORT_TYPE="md" # Report format (md, txt) AI_REPORT_PROFILE="bughunter" # Profile: executive, brief, bughunter * * * [hashtag](https://docs.reconftw.com/configuration#extra-features) Extra Features ------------------------------------------------------------------------------------- ### [hashtag](https://docs.reconftw.com/configuration#notification-settings) Notification Settings Copy NOTIFICATION=false # Notifications for every function SOFT_NOTIFICATION=false # Only start/end notifications SENDZIPNOTIFY=false # Send zipped results via notify ### [hashtag](https://docs.reconftw.com/configuration#diff-incremental-mode) Diff/Incremental Mode Copy DIFF=false # Differential scanning INCREMENTAL_MODE=false # Incremental scanning ### [hashtag](https://docs.reconftw.com/configuration#cleanup-settings) Cleanup Settings Copy REMOVETMP=false # Delete .tmp after scan REMOVELOG=false # Delete logs after scan PRESERVE=true # Keep .called_fn markers ### [hashtag](https://docs.reconftw.com/configuration#cache-settings) Cache Settings Copy CACHE_MAX_AGE_DAYS=30 # Cache validity (days) ### [hashtag](https://docs.reconftw.com/configuration#log-rotation) Log Rotation Copy MAX_LOG_FILES=10 # Max log files per target MAX_LOG_AGE_DAYS=30 # Delete logs older than this ### [hashtag](https://docs.reconftw.com/configuration#structured-logging) Structured Logging Copy STRUCTURED_LOGGING=false # JSON format logging ### [hashtag](https://docs.reconftw.com/configuration#asset-tracking) Asset Tracking Copy ASSET_STORE=true # Append to assets.jsonl QUICK_RESCAN=false # Skip heavy steps if no new assets CHUNK_LIMIT=2000 # Split large lists HOTLIST_TOP=50 # Top risky assets to highlight ### [hashtag](https://docs.reconftw.com/configuration#ipv6) IPv6 Copy IPV6_SCAN=true # Enable IPv6 discovery ### [hashtag](https://docs.reconftw.com/configuration#intrusive-mode) Intrusive Mode Copy INTRUSIVE=false # Dangerous cloud/CORS tests * * * [hashtag](https://docs.reconftw.com/configuration#http-options) HTTP Options --------------------------------------------------------------------------------- Copy # Default User-Agent header HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" ### [hashtag](https://docs.reconftw.com/configuration#tool-flags) Tool Flags Copy # FFUF default flags FFUF_FLAGS=" -mc all -fc 404 -sf -noninteractive -of json" # HTTPX probing flags HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length" * * * [hashtag](https://docs.reconftw.com/configuration#color-configuration) Color Configuration ----------------------------------------------------------------------------------------------- Copy # Terminal colors (ANSI codes) bred='\033[1;31m' # Bold red\ bblue='\033[1;34m' # Bold blue\ bgreen='\033[1;32m' # Bold green\ byellow='\033[1;33m' # Bold yellow\ red='\033[0;31m' # Red\ blue='\033[0;34m' # Blue\ green='\033[0;32m' # Green\ yellow='\033[0;33m' # Yellow\ reset='\033[0m' # Reset\ \ * * *\ \ [hashtag](https://docs.reconftw.com/configuration#debug-settings)\ \ Debug Settings\ \ \ -------------------------------------------------------------------------------------\ \ Copy\ \ DEBUG_STD="&>/dev/null" # Skip stdout in installer\ DEBUG_ERROR="2>/dev/null" # Skip stderr in installer\ \ * * *\ \ [hashtag](https://docs.reconftw.com/configuration#configuration-examples)\ \ Configuration Examples\ \ \ -----------------------------------------------------------------------------------------------------\ \ ### \ \ [hashtag](https://docs.reconftw.com/configuration#stealth-configuration)\ \ Stealth Configuration\ \ Copy\ \ # Minimal noise configuration\ SUBBRUTE=false\ SUBPERMUTE=false\ PORTSCAN_ACTIVE=false\ FUZZ=false\ VULNS_GENERAL=false\ HTTPX_RATELIMIT=10\ NUCLEI_RATELIMIT=10\ \ ### \ \ [hashtag](https://docs.reconftw.com/configuration#aggressive-configuration)\ \ Aggressive Configuration\ \ Copy\ \ # Maximum coverage\ DEEP=true\ SUBBRUTE=true\ SUBPERMUTE=true\ SUB_RECURSIVE_BRUTE=true\ VULNS_GENERAL=true\ FUZZ=true\ HTTPX_THREADS=100\ NUCLEI_RATELIMIT=500\ \ ### \ \ [hashtag](https://docs.reconftw.com/configuration#bug-bounty-configuration)\ \ Bug Bounty Configuration\ \ Copy\ \ # Balanced for bug bounty\ OSINT=true\ SUBDOMAINS_GENERAL=true\ VULNS_GENERAL=false # Enable with -a flag\ NOTIFICATION=true\ DIFF=true\ \ * * *\ \ [hashtag](https://docs.reconftw.com/configuration#using-custom-config-files)\ \ Using Custom Config Files\ \ \ -----------------------------------------------------------------------------------------------------------\ \ Copy\ \ # Create custom config\ cp reconftw.cfg client_config.cfg\ \ # Edit for specific client\ vim client_config.cfg\ \ # Use custom config\ ./reconftw.sh -d target.com -r -f client_config.cfg\ \ * * *\ \ [hashtag](https://docs.reconftw.com/configuration#environment-variable-priority)\ \ Environment Variable Priority\ \ \ -------------------------------------------------------------------------------------------------------------------\ \ Environment variables override config file settings:\ \ Copy\ \ # Override via environment\ export SHODAN_API_KEY="my_key"\ export NUCLEI_RATELIMIT=50\ \ # Run scan (uses environment values)\ ./reconftw.sh -d target.com -r\ \ * * *\ \ [hashtag](https://docs.reconftw.com/configuration#next-steps)\ \ Next Steps\ \ \ -----------------------------------------------------------------------------\ \ * [**Module Documentation**](https://docs.reconftw.com/modules/05-modules)\ - Understand each module in detail\ \ * [**Tools Reference**](https://docs.reconftw.com/tools-reference/tools)\ - Learn about integrated tools\ \ * [**Advanced Usage**](https://docs.reconftw.com/advanced/advanced)\ - Custom functions and optimization\ \ \ * * *\ \ > **Documentation Info** Branch: `dev` | Version: `v3.0.0+` | Last updated: February 2026 Variables documented match `reconftw.cfg` in the repository root.\ \ [PreviousCommand Line Guidechevron-left](https://docs.reconftw.com/usage/usage)\ [NextModules Overviewchevron-right](https://docs.reconftw.com/modules/05-modules)\ \ Last updated 1 month ago --- # Concepts & Architecture | reconftw-docs This guide explains the fundamental concepts behind reconFTW, its architecture, and how it orchestrates reconnaissance workflows. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#what-is-reconftw) What is reconFTW? --------------------------------------------------------------------------------------------------- reconFTW is a **modular reconnaissance automation framework** that integrates 80+ security tools into a unified workflow. Rather than running tools individually and correlating results manually, reconFTW: 1. **Orchestrates** tools in the optimal order 2. **Manages** input/output between tools automatically 3. **Deduplicates** and normalizes results 4. **Resumes** interrupted scans from checkpoints 5. **Scales** across distributed infrastructure (via Axiom) ### [hashtag](https://docs.reconftw.com/understanding-reconftw#philosophy) Philosophy reconFTW follows these design principles: * **Thorough over fast**: Cover all attack surface, don't miss findings * **Modular**: Enable/disable any component without breaking others * **Resumable**: Never lose progress on long-running scans * **Configurable**: Every behavior can be customized * **Fail-soft**: Continue scanning even if individual tools fail * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#reconnaissance-methodology) Reconnaissance Methodology ---------------------------------------------------------------------------------------------------------------------- reconFTW implements a structured reconnaissance methodology following industry best practices: Copy ┌─────────────────────────────────────────────────────────────────────┐ │ reconFTW Reconnaissance Phases │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ OSINT │───▶│ Subdomain│───▶│ Web │───▶│ Vulns │ │ │ │ Gathering│ │ Enum │ │ Analysis │ │ Scanning │ │ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │ │ │ │ │ │ │ ▼ ▼ ▼ ▼ │ │ • Dorks • Passive • Probing • Nuclei │ │ • Emails • Active • Screenshots • XSS/SQLi │ │ • Metadata • Bruteforce • Fuzzing • SSRF/LFI │ │ • API leaks • Permutations • JS Analysis • Misconfigs │ │ • GitHub • Takeovers • CMS detect • SSL/TLS │ │ │ └─────────────────────────────────────────────────────────────────────┘ ![](https://docs.reconftw.com/~gitbook/image?url=https%3A%2F%2F4002482909-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FaI11LZxKJyqTqfArwVL8%252Fuploads%252Fz7A7EQidt85jfVTFWSXF%252Freconfw_updated.png%3Falt%3Dmedia%26token%3D05618398-3bac-4e34-85ff-e2e3fd2d20e1&width=768&dpr=3&quality=100&sign=a47c480b&sv=2) ### [hashtag](https://docs.reconftw.com/understanding-reconftw#phase-1-osint-open-source-intelligence) Phase 1: OSINT (Open Source Intelligence) Gather publicly available information about the target: Technique Purpose Tools Google Dorks Find exposed files/pages dorks\_hunter GitHub Dorks Find leaked credentials gitdorks\_go Metadata Extract document metadata metagoofil, exiftool Email Harvesting Discover email addresses emailfinder API Leaks Find exposed APIs porch-pirate, SwaggerSpy Domain Info WHOIS, registrant data whois, msftrecon ### [hashtag](https://docs.reconftw.com/understanding-reconftw#phase-2-subdomain-enumeration) Phase 2: Subdomain Enumeration Discover all subdomains associated with the target: Technique Type Description Passive Non-intrusive Query APIs, CT logs, archives Active/Bruteforce Intrusive DNS queries with wordlists Permutations Intrusive Generate variations Recursive Both Enumerate subdomains of subdomains Scraping Semi-passive Extract from web pages ### [hashtag](https://docs.reconftw.com/understanding-reconftw#phase-3-web-analysis) Phase 3: Web Analysis Analyze discovered web assets: * HTTP probing (find live servers) * Screenshot capture * URL extraction (passive + crawling) * JavaScript analysis (secrets, endpoints) * Directory fuzzing * CMS detection * Parameter discovery ### [hashtag](https://docs.reconftw.com/understanding-reconftw#phase-4-vulnerability-scanning) Phase 4: Vulnerability Scanning Test for security issues: * CVE scanning with Nuclei * Injection testing (XSS, SQLi, SSTI, LFI) * Server-side vulnerabilities (SSRF, command injection) * Misconfigurations (CORS, open redirect) * SSL/TLS issues * Subdomain takeovers * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#architecture-overview) Architecture Overview ------------------------------------------------------------------------------------------------------------ reconFTW uses a modular architecture where components are separated by responsibility: Copy reconftw/ ├── reconftw.sh # Main entry point (orchestration) ├── reconftw.cfg # Configuration file ├── secrets.cfg # API keys (gitignored) │ ├── modules/ # Feature modules (what to do) │ ├── utils.sh # Utility functions │ ├── core.sh # Framework core (logging, lifecycle) │ ├── osint.sh # OSINT functions │ ├── subdomains.sh # Subdomain enumeration │ ├── web.sh # Web analysis │ ├── vulns.sh # Vulnerability scanning │ ├── axiom.sh # Distributed scanning │ └── modes.sh # Scan mode orchestration │ ├── lib/ # Pure libraries (how to do it) │ ├── common.sh # Shared utility functions (dedupe, ensure_dirs) │ ├── config.sh # Configuration helpers │ ├── parallel.sh # Parallelization framework │ └── validation.sh # Input validation │ └── Recon/ # Output directory └── / # Per-target results ### [hashtag](https://docs.reconftw.com/understanding-reconftw#module-loading-order) Module Loading Order Modules are loaded in a specific order to ensure dependencies are satisfied: Copy 1. lib/validation.sh # Input validation (first) 2. lib/common.sh # Shared utilities (ensure_dirs, dedupe, etc.) 3. lib/parallel.sh # Parallelization framework 4. modules/utils.sh # Base utilities 5. modules/core.sh # Framework infrastructure 6. modules/osint.sh # OSINT functions 7. modules/subdomains.sh # Subdomain functions 8. modules/web.sh # Web analysis functions 9. modules/vulns.sh # Vulnerability functions 10. modules/axiom.sh # Distributed scanning 11. modules/modes.sh # Mode orchestration (last) ### [hashtag](https://docs.reconftw.com/understanding-reconftw#key-functions) Key Functions #### [hashtag](https://docs.reconftw.com/understanding-reconftw#lifecycle-functions-core.sh) Lifecycle Functions (core.sh) Copy start_func(name, description) # Begin a function, check if already done end_func(message, name) # Complete a function, mark as done Every scan function follows this pattern: Copy function some_scan() { if [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; then start_func "${FUNCNAME[0]}" "Running some scan..." # ... actual scan logic ... end_func "Results saved in..." "${FUNCNAME[0]}" fi } #### [hashtag](https://docs.reconftw.com/understanding-reconftw#utility-functions-utils.sh) Utility Functions (utils.sh) Function Purpose `sanitize_domain()` Clean and validate domain input `sanitize_ip()` Clean and validate IP/CIDR input `deleteOutScoped()` Remove out-of-scope entries `run_command()` Execute with logging (respects DRY\_RUN) `should_run_deep()` Check if DEEP mode should activate `retry_with_backoff()` Retry failed operations `check_disk_space()` Verify available storage #### [hashtag](https://docs.reconftw.com/understanding-reconftw#common-library-functions-lib-common.sh) Common Library Functions (lib/common.sh) Function Purpose `ensure_dirs()` Create multiple directories safely `safe_backup()` Backup file with timestamp `skip_notification()` Log skipped function notification `count_lines()` Count lines in file safely `safe_count()` Count with fallback to 0 `dedupe_append()` Append and deduplicate file `run_tool()` Execute tool with timeout and error handling `process_results()` Process and dedupe results `should_run_function()` Check if function should run (checkpoint aware) #### [hashtag](https://docs.reconftw.com/understanding-reconftw#parallelization-functions-lib-parallel.sh) Parallelization Functions (lib/parallel.sh) Function Purpose `parallel_run()` Run commands in parallel with job limit `parallel_funcs()` Run bash functions in parallel `parallel_batch()` Run commands with rate limiting `parallel_passive_enum()` Parallel passive subdomain enumeration `parallel_active_enum()` Parallel active DNS enumeration `parallel_postactive_enum()` Parallel post-resolution (TLS, analytics) `parallel_brute_enum()` Parallel brute force (resource limited) `parallel_web_vulns()` Parallel web vulnerability scanning `parallel_subdomains_full()` Orchestrate full parallelized subdomain enum * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#data-flow) Data Flow ------------------------------------------------------------------------------------ Understanding how data flows through reconFTW helps interpret results: Copy ┌─────────────────────────────────────┐ │ USER INPUT │ │ -d domain.com / -l targets.txt │ └─────────────────┬───────────────────┘ │ ▼ ┌─────────────────────────────────────┐ │ INPUT SANITIZATION │ │ • Validate domain/IP format │ │ • Remove dangerous characters │ │ • Normalize case │ └─────────────────┬───────────────────┘ │ ▼ ┌─────────────────────────────────────┐ │ DIRECTORY SETUP │ │ Recon// │ │ ├── subdomains/ │ │ ├── webs/ │ │ ├── hosts/ │ │ ├── vulns/ │ │ ├── osint/ │ │ ├── .tmp/ │ │ └── .log/ │ └─────────────────┬───────────────────┘ │ ┌────────────────────────┼────────────────────────┐ │ │ │ ▼ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │ OSINT │ │ SUBDOMAINS │ │ WEB │ │ (osint.sh) │ │ (subdomains.sh) │ │ (web.sh) │ └────────┬─────────┘ └────────┬─────────┘ └────────┬─────────┘ │ │ │ ▼ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │ osint/*.txt │───▶│subdomains/*.txt │───▶│ webs/*.txt │ └──────────────────┘ └────────┬─────────┘ └────────┬─────────┘ │ │ │ │ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ │ HOSTS ANALYSIS │ │ VULN SCANNING │ │ (hosts/) │ │ (vulns.sh) │ └──────────────────┘ └────────┬─────────┘ │ ▼ ┌──────────────────┐ │ FINAL OUTPUT │ │ • vulns/ │ │ • nuclei_output/│ │ • hotlist.txt │ └──────────────────┘ ### [hashtag](https://docs.reconftw.com/understanding-reconftw#data-dependencies) Data Dependencies Module Depends On Produces OSINT Target domain osint/\*.txt Subdomains Target domain subdomains/subdomains.txt Hosts subdomains.txt hosts/ips.txt, hosts/portscan\* Web Probing subdomains.txt webs/webs.txt URL Collection webs.txt webs/url\_extract.txt JS Analysis webs.txt js/js\_secrets.txt Vulns webs.txt, urls vulns/_, nuclei\_output/_ * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#scan-phases) Scan Phases ---------------------------------------------------------------------------------------- When you run `./reconftw.sh -d target.com -r`, the following phases execute: ### [hashtag](https://docs.reconftw.com/understanding-reconftw#id-1.-initialization-start) 1\. Initialization (`start()`) Copy [start] → Validate config → Check disk space → Create directories → Initialize logging ### [hashtag](https://docs.reconftw.com/understanding-reconftw#id-2.-osint-phase) 2\. OSINT Phase Copy [osint] → domain_info → emails → google_dorks → github_repos → metadata → apileaks ### [hashtag](https://docs.reconftw.com/understanding-reconftw#id-3.-subdomain-phase) 3\. Subdomain Phase Copy [subdomains] → sub_passive → sub_crt → sub_brute → sub_permut → sub_scraping → sub_dns ### [hashtag](https://docs.reconftw.com/understanding-reconftw#id-4.-host-analysis) 4\. Host Analysis Copy [hosts] → portscan → cdnprovider → waf_checks → favicon → geo_info ### [hashtag](https://docs.reconftw.com/understanding-reconftw#id-5.-web-analysis) 5\. Web Analysis Copy [web] → webprobe → screenshot → urlchecks → jschecks → fuzz → cms_scanner ### [hashtag](https://docs.reconftw.com/understanding-reconftw#id-6.-vulnerability-phase-if-a-flag) 6\. Vulnerability Phase (if `-a` flag) Copy [vulns] → nuclei → xss → sqli → ssrf → cors → lfi → ssti → ... ### [hashtag](https://docs.reconftw.com/understanding-reconftw#id-7.-finalization-end) 7\. Finalization (`end()`) Copy [end] → Build hotlist → Generate reports → Send notifications → Cleanup * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#checkpoint-system) Checkpoint System ---------------------------------------------------------------------------------------------------- reconFTW uses a checkpoint system to track completed functions and enable scan resumption. ### [hashtag](https://docs.reconftw.com/understanding-reconftw#how-it-works) How It Works Each function creates a marker file when completed: Copy Recon//.called_fn/ ├── .sub_passive # sub_passive() completed ├── .sub_brute # sub_brute() completed ├── .webprobe_simple # webprobe_simple() completed └── ... ### [hashtag](https://docs.reconftw.com/understanding-reconftw#resume-behavior) Resume Behavior When you re-run a scan: 1. reconFTW checks for existing `.called_fn` markers 2. Functions with markers are **skipped** 3. Functions without markers are **executed** Copy # First run - executes all functions ./reconftw.sh -d target.com -r # Second run - skips completed functions ./reconftw.sh -d target.com -r # Output: "sub_passive has already been processed..." ### [hashtag](https://docs.reconftw.com/understanding-reconftw#force-re-execution) Force Re-execution To re-run a specific function: Copy # Delete the marker rm Recon/target.com/.called_fn/.sub_passive # Or delete all markers (full rescan) rm -rf Recon/target.com/.called_fn/ ### [hashtag](https://docs.reconftw.com/understanding-reconftw#diff-mode) DIFF Mode The `-r` flag with `DIFF=true` in config enables differential scanning: Copy # Config setting DIFF=true In DIFF mode: * All functions execute regardless of markers * Only **new** findings are highlighted * Previous results are preserved * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#understanding-deep-mode) Understanding DEEP Mode ---------------------------------------------------------------------------------------------------------------- DEEP mode enables thorough scanning for high-value targets: ### [hashtag](https://docs.reconftw.com/understanding-reconftw#standard-vs-deep) Standard vs DEEP Aspect Standard DEEP Wordlists Small (~10k) Large (~100k+) Permutations Basic Extensive Recursive depth Limited Full Fuzzing Common paths Extended Time 1-4 hours 4-24+ hours ### [hashtag](https://docs.reconftw.com/understanding-reconftw#activation) Activation Copy # Command line ./reconftw.sh -d target.com -r --deep # Or in config DEEP=true ### [hashtag](https://docs.reconftw.com/understanding-reconftw#auto-deep) Auto-DEEP reconFTW can auto-enable DEEP based on result counts: Copy # In reconftw.cfg DEEP_LIMIT=500 # First threshold DEEP_LIMIT2=1500 # Second threshold If subdomains < DEEP\_LIMIT, additional enumeration runs automatically. * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#error-handling) Error Handling ---------------------------------------------------------------------------------------------- reconFTW uses a "fail-soft" approach: ### [hashtag](https://docs.reconftw.com/understanding-reconftw#error-codes) Error Codes Code Meaning 0 Success 1 General error 2 Missing dependency 3 Invalid input 4 Network error 5 Disk space error 6 Permission error 7 Timeout 8 Configuration error ### [hashtag](https://docs.reconftw.com/understanding-reconftw#error-trapping) Error Trapping Errors are logged but don't stop the scan: Copy # From reconftw.sh trap 'rc=$?; ... echo "$msg" >>"$LOGFILE" ...' ERR ### [hashtag](https://docs.reconftw.com/understanding-reconftw#circuit-breaker) Circuit Breaker For unreliable tools, reconFTW implements a circuit breaker: Copy # After 3 consecutive failures, tool is skipped CIRCUIT_BREAKER_THRESHOLD=3 CIRCUIT_BREAKER_TIMEOUT=300 # Reset after 5 minutes * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#global-variables) Global Variables -------------------------------------------------------------------------------------------------- Key variables used throughout reconFTW: ### [hashtag](https://docs.reconftw.com/understanding-reconftw#required-variables) Required Variables Variable Description `$SCRIPTPATH` Path to reconFTW installation `$domain` Current target domain `$dir` Output directory for current scan `$called_fn_dir` Directory for checkpoint markers `$LOGFILE` Current log file path ### [hashtag](https://docs.reconftw.com/understanding-reconftw#configuration-flags) Configuration Flags Variable Default Description `$DEEP` false Enable thorough scanning `$DIFF` false Differential mode `$AXIOM` false Distributed scanning `$DRY_RUN` false Preview without executing * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#visual-architecture-diagram) Visual: Architecture Diagram ------------------------------------------------------------------------------------------------------------------------- Copy ┌─────────────────────────────────────┐ │ CONFIGURATION │ │ reconftw.cfg │ secrets.cfg │ │ ───────────────────────────────── │ │ • API keys • Module toggles │ │ • Wordlists • Rate limits │ └───────────────────┬─────────────────┘ │ ▼ ┌────────────────────┐ ┌─────────────────────────────────────────────────────┐ │ INPUT │ │ reconftw.sh │ │ ──────────────── │────────▶│ (Main Orchestrator) │ │ -d domain.com │ │ ─────────────────────────────────────────────── │ │ -l targets.txt │ │ • Argument parsing • Module loading │ │ -m multi.txt │ │ • Checkpoint system • Notification hooks │ └────────────────────┘ └────────────────────────┬────────────────────────────┘ │ ┌──────────────────────────────────┼──────────────────────────────────┐ │ │ │ ▼ ▼ ▼ ┌────────────────────┐ ┌────────────────────┐ ┌────────────────────┐ │ lib/ │ │ modules/ │ │ config/ │ │ ──────────────── │ │ ──────────────── │ │ ──────────────── │ │ common.sh │ │ osint.sh │ │ amass_config.ini │ │ parallel.sh │ │ subdomains.sh │ │ nuclei_config.yml │ │ validation.sh │ │ web.sh │ │ sensitive_domains │ │ │ │ vulns.sh │ │ ... │ │ Utilities for: │ │ core.sh │ │ │ │ • Parallelization │ │ modes.sh │ │ Tool configs │ │ • Error handling │ │ axiom.sh │ │ Wordlists paths │ │ • File operations │ │ utils.sh │ │ │ └────────────────────┘ └─────────┬──────────┘ └────────────────────┘ │ ┌──────────────────────────────┴──────────────────────────────┐ │ SCAN PHASES │ │ ────────────────────────────────────────────────────────── │ │ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │ 1.OSINT │──▶│ 2.SUBS │──▶│ 3.WEB │──▶│ 4.VULNS │ │ │ │(passive)│ │(active) │ │(probe) │ │(exploit)│ │ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ │ │ Data flows from each phase to the next │ └──────────────────────────────┬──────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────┐ │ OUTPUT STRUCTURE │ │ Recon// │ │ ───────────────────────────────────────────── │ │ ├── subdomains/ (discovered subs) │ │ ├── webs/ (live web URLs) │ │ ├── hosts/ (IP data, ports) │ │ ├── vulns/ (vulnerability results) │ │ ├── osint/ (passive intel) │ │ ├── screenshots/ (web captures) │ │ ├── .called_fn/ (checkpoint markers) │ │ └── .log/ (execution logs) │ └─────────────────────────────────────────────────┘ │ ┌──────────────────────────────┴──────────────────────────────┐ │ OPTIONAL: AXIOM │ ▼ │ ┌────────────────────────────────────────────────────────────────┐ │ │ Distributed Execution │ │ │ ──────────────────────────────────────────────────────────── │ │ │ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ │ │ │ │ node01 │ │ node02 │ │ node03 │ │ node04 │ │ node05 │ │◀───────┘ │ └────────┘ └────────┘ └────────┘ └────────┘ └────────┘ │ │ │ │ Splits workload across cloud instances for faster scanning │ └────────────────────────────────────────────────────────────────┘ ### [hashtag](https://docs.reconftw.com/understanding-reconftw#module-interaction-flow) Module Interaction Flow Copy ┌─────────────────────────────────────────────────────────────────────────────┐ │ DETAILED DATA FLOW │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ INPUT: domain.com │ │ │ │ │ ▼ │ │ ┌──────────────┐ │ │ │ OSINT │──▶ osint/emails.txt, osint/dorks.txt │ │ │ (passive) │ osint/github_secrets.json │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ Passive: subfinder, amass, crt.sh │ │ │ SUBDOMAINS │──▶ Active: puredns, massdns │ │ │ (enum) │ Output: subdomains/subdomains.txt │ │ └──────┬───────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ │ │ │ WEB PROBE │──▶ webs/webs.txt (live HTTP/HTTPS URLs) │ │ │ (httpx) │ webs/webs_info.txt (titles, status, tech) │ │ └──────┬───────┘ │ │ │ │ │ ├───────────────────────┬───────────────────────┐ │ │ ▼ ▼ ▼ │ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │ │ URL CHECK │ │ JS CHECKS │ │ SCREENSHOTS │ │ │ │ (katana) │ │ (xnlink) │ │ (nuclei) │ │ │ └──────┬───────┘ └──────┬───────┘ └──────────────┘ │ │ │ │ │ │ ▼ ▼ │ │ ┌──────────────┐ ┌──────────────┐ │ │ │ gf patterns │ │ JS secrets │ │ │ │ (params) │ │ (API keys) │ │ │ └──────┬───────┘ └──────────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────────────────────────────────────────────────────┐ │ │ │ VULNERABILITY SCANNING │ │ │ │ ───────────────────────────────────────────────────────────── │ │ │ │ nuclei (CVEs) │ dalfox (XSS) │ sqlmap (SQLi) │ ffuf (fuzz)│ │ │ │ cors │ ssrf │ lfi │ ssti │ │ │ └──────────────────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ vulns/nuclei_output/, vulns/xss.txt, vulns/sqli.txt, etc. │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#opsec-and-legal) OPSEC and Legal ------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/understanding-reconftw#authorization-requirements) Authorization Requirements **NEVER scan without explicit written authorization.** This includes: 1. **Bug Bounty Programs**: Read rules carefully, some exclude certain asset types 2. **Penetration Tests**: Written statement of work (SOW) with defined scope 3. **Internal Testing**: Formal approval from asset owners 4. **Personal Projects**: Only test assets you own ### [hashtag](https://docs.reconftw.com/understanding-reconftw#pre-scan-checklist) Pre-Scan Checklist Copy ## Authorization Checklist - [ ] Written permission obtained (email, contract, bug bounty policy) - [ ] Scope document reviewed - [ ] In-scope targets identified - [ ] Out-of-scope targets documented - [ ] Rate limits defined (if any) - [ ] Testing window confirmed - [ ] Emergency contact identified - [ ] Data handling requirements understood - [ ] NDA signed (if required) ### [hashtag](https://docs.reconftw.com/understanding-reconftw#opsec-best-practices) OPSEC Best Practices Consideration Recommendation **IP Attribution** Use VPS or cloud instances, not personal IP **Rate Limiting** Start conservative, increase gradually **Noise Reduction** Begin with passive mode (`-p`) **Data Security** Encrypt sensitive findings, secure `secrets.cfg` **Logging** Keep records of authorization and scan times **Communication** Notify target of critical findings immediately ### [hashtag](https://docs.reconftw.com/understanding-reconftw#reducing-detection-risk) Reducing Detection Risk Copy # Start with passive reconnaissance (no direct contact) ./reconftw.sh -d target.com -p # Use adaptive rate limiting ./reconftw.sh -d target.com -r --adaptive-rate # Lower rate limits in config # In reconftw.cfg HTTPX_RATELIMIT=50 NUCLEI_RATELIMIT=50 ### [hashtag](https://docs.reconftw.com/understanding-reconftw#legal-risks-by-region) Legal Risks by Region Region Key Laws Notes **USA** CFAA Unauthorized access is federal crime **EU** Computer Misuse Acts (varies) Strict consent requirements **UK** Computer Misuse Act 1990 Even attempting unauthorized access is illegal **Global** Various Always research local laws ### [hashtag](https://docs.reconftw.com/understanding-reconftw#what-to-do-if-something-goes-wrong) What to Do If Something Goes Wrong 1. **Stop scanning immediately** 2. **Document what happened** (timestamps, commands run) 3. **Contact the target** via emergency channels 4. **Preserve evidence** of authorization 5. **Consult legal counsel** if needed * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#recommended-workflows) Recommended Workflows ------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.reconftw.com/understanding-reconftw#bug-bounty-standard-recon) Bug Bounty - Standard Recon Best for: Regular bug bounty hunting on established programs. Copy # Week 1: Initial passive recon ./reconftw.sh -d target.com -p # Week 1: Full reconnaissance (if passive looks good) ./reconftw.sh -d target.com -r # Week 2+: Incremental updates ./reconftw.sh -d target.com -r --incremental ### [hashtag](https://docs.reconftw.com/understanding-reconftw#bug-bounty-new-program) Bug Bounty - New Program Best for: New programs where you want full coverage quickly. Copy # Full scan with vulnerabilities ./reconftw.sh -d target.com -a # Enable notifications # In reconftw.cfg: NOTIFICATION=true # Check results ls -la Recon/target.com/vulns/ ### [hashtag](https://docs.reconftw.com/understanding-reconftw#large-scope-multiple-targets) Large Scope / Multiple Targets Best for: Programs with many root domains or large scope. Copy # Create scope file cat > scope.txt << EOF target1.com target2.com *.target3.com EOF # Use Axiom for distributed scanning ./reconftw.sh -l scope.txt -r -v # Or run sequentially with multi-mode ./reconftw.sh -m client-project -l scope.txt -r ### [hashtag](https://docs.reconftw.com/understanding-reconftw#red-team-pentest) Red Team / Pentest Best for: Authorized penetration tests with defined scope. Copy # Start passive (intelligence gathering) ./reconftw.sh -d target.com -n # OSINT only # Then subdomains ./reconftw.sh -d target.com -s # Finally, careful active scanning ./reconftw.sh -d target.com -a -q 50 # Rate limited ### [hashtag](https://docs.reconftw.com/understanding-reconftw#automated-weekly-monitoring) Automated Weekly Monitoring Best for: Continuous monitoring of assets. Copy # Cron job (every Sunday at 2 AM) 0 2 * * 0 cd /path/to/reconftw && ./reconftw.sh -d target.com -r --incremental -z # Or use Docker 0 2 * * 0 docker run -v /data/recon:/reconftw/Recon six2dez/reconftw -d target.com -r --incremental ### [hashtag](https://docs.reconftw.com/understanding-reconftw#quick-assessment) Quick Assessment Best for: Rapid initial assessment before deeper testing. Copy # Passive only (fastest, safest) ./reconftw.sh -d target.com -p # Time: ~15-30 minutes # Output: subdomains, basic OSINT, no active scanning ### [hashtag](https://docs.reconftw.com/understanding-reconftw#ci-cd-integration) CI/CD Integration Best for: Automated security checks in pipelines. Copy # GitHub Actions example - name: Security Recon run: | ./reconftw.sh -d ${{ secrets.TARGET }} -p -z - name: Check Critical Vulns run: | if [ -s Recon/*/vulns/nuclei_critical.json ]; then echo "Critical vulnerabilities found!" exit 1 fi * * * [hashtag](https://docs.reconftw.com/understanding-reconftw#next-steps) Next Steps -------------------------------------------------------------------------------------- Now that you understand how reconFTW works: 1. [**Learn the command line options**](https://docs.reconftw.com/usage/usage) - Master all flags 2. [**Configure your setup**](https://docs.reconftw.com/configuration/configuration) - Customize behavior 3. [**Explore modules in depth**](https://docs.reconftw.com/modules/05-modules) - Understand each capability [PreviousInstallation & Setupchevron-left](https://docs.reconftw.com/getting-started/getting-started) [NextReconnaissance Methodology Deep Divechevron-right](https://docs.reconftw.com/understanding-reconftw/recon-methodology) Last updated 1 month ago ---