diff --git a/README.md b/README.md
index 61b3db9d..56ff6b41 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,6 @@
-
@@ -32,30 +31,30 @@
-
Summary
-**ReconFTW** automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.
+**reconFTW** automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.
-ReconFTW uses a lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records...) for subdomain enumeration which helps you to get the maximum and the most interesting subdomains so that you be ahead of the competition.
+reconFTW uses a lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records...) for subdomain enumeration which helps you to get the maximum and the most interesting subdomains so that you be ahead of the competition.
It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, ports scanning, screenshots, nuclei scan on your target.
So, what are you waiting for? Go! Go! Go! :boom:
+## 📔 Table of Contents
-📔 Table of Contents
-----------------
-- [💿 Installation:](#-installation)
- - [a) In your PC/VPS/VM](#a-in-your-pcvpsvm)
- - [b) Docker Image 🐳 (3 options)](#b-docker-image--3-options)
+
+- [💿 Installation](#💿-installation)
+ - [a) Using a PC/VPS/VM](#a-using-a-pcvpsvm)
+ - [b) Docker Image 🐳 (3 options)](#b-docker-image-🐳-3-options)
- [c) Terraform + Ansible](#c-terraform--ansible)
-- [⚙️ Config file:](#️-config-file)
-- [Usage:](#usage)
-- [Example Usage:](#example-usage)
-- [Axiom Support: :cloud:](#axiom-support-cloud)
-- [BBRF Support: :computer:](#bbrf-support-computer)
-- [Sample video:](#sample-video)
+- [⚙️ Config file](#⚙️-config-file)
+- [Usage](#usage)
+- [Example Usage](#example-usage)
+- [Axiom Support :cloud:](#axiom-support-cloud)
+- [BBRF Support :computer:](#bbrf-support-computer)
+- [Sample video](#sample-video)
- [:fire: Features :fire:](#fire-features-fire)
- [Osint](#osint)
- [Subdomains](#subdomains)
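Review bot: the new ToC anchors embed the emoji character (`#💿-installation`, `#⚙️-config-file`, `#b-docker-image-🐳-3-options`), while the anchors being removed (`#-installation`, `#️-config-file`, `#b-docker-image--3-options`) are the form GitHub produces, since it drops emoji when it derives heading ids; please click through the links on the rendered README before merging, and revert to the emoji-less anchors if they no longer resolve. The ToC also keeps `Example Usage` at top level even though a later hunk demotes that heading to `##` beneath `# Usage`, so the list and the heading hierarchy no longer agree.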
@@ -67,8 +66,8 @@ So, what are you waiting for? Go! Go! Go! :boom:
- [Data Keep](#data-keep)
- [Makefile](#makefile)
- [Manual](#manual)
- - [Main commands:](#main-commands)
- - [How to contribute:](#how-to-contribute)
+ - [Main commands](#main-commands)
+ - [How to contribute](#how-to-contribute)
- [Need help? :information\_source:](#need-help-information_source)
- [Support this project](#support-this-project)
- [Buymeacoffee](#buymeacoffee)
@@ -78,17 +77,17 @@ So, what are you waiting for? Go! Go! Go! :boom:
- [Thanks :pray:](#thanks-pray)
- [Disclaimer](#disclaimer)
----
+-----------------
-# 💿 Installation:
+## 💿 Installation
-## a) In your PC/VPS/VM
+## a) Using a PC/VPS/VM
> You can check out our wiki for the installation guide [Installation Guide](https://github.com/six2dez/reconftw/wiki/0.-Installation-Guide) :book:
- Requires [Golang](https://golang.org/dl/) > **1.15.0+** installed and paths correctly set (**$GOPATH**, **$GOROOT**)
-Important : If you are not running reconftw as root, run `sudo echo "${USERNAME} ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers.d/reconFTW` , to make sure no sudo prompts are required to run the tool and to avoid any permission issues.
+Important: if you are not running reconftw as root, run `sudo echo "${USERNAME} ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers.d/reconFTW`, to make sure no sudo prompts are required to run the tool and to avoid any permission issues.
```bash
git clone https://github.com/six2dez/reconftw
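Review bot: `# 💿 Installation:` is demoted to `##`, but its subsection `## a) Using a PC/VPS/VM` stays at `##`, so a), b) and c) become siblings of Installation instead of children, while `# ⚙️ Config file` and `# Usage` elsewhere in this patch remain at `#`; pick one level for the top-level sections and move a)/b)/c) down to `###`. Since the sudoers line is being touched anyway: `sudo echo` gains nothing (only the `tee` needs root), `${USERNAME}` is not a variable bash sets by default (`$USER` is), and `ALL=(ALL:ALL) NOPASSWD: ALL` grants that account unrestricted passwordless root, which the sentence should state plainly so readers can confine it to a dedicated recon user or VM rather than their everyday account.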
@@ -100,17 +99,21 @@ cd reconftw/
## b) Docker Image 🐳 (3 options)
- Pull the image
+
```bash
-$ docker pull six2dez/reconftw:main
+docker pull six2dez/reconftw:main
```
+
- Run the container
-```
+
+```bash
$ docker run -it --rm \
-v "${PWD}/OutputFolder/":'/reconftw/Recon/' \
six2dez/reconftw:main -d example.com -r
```
However, if you wish to:
+
1. Dynamically modify the behaviour & function of the image
2. Build your own container
3. Build an Axiom Controller on top of the official image
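Review bot: the `$ ` prompt is stripped from `docker pull six2dez/reconftw:main`, but the context line `$ docker run -it --rm \` two fences below keeps it; drop it there as well so both `bash` blocks can be copied and pasted as-is, or keep both for consistency.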
@@ -121,7 +124,8 @@ Please refer to the [Docker](https://github.com/six2dez/reconftw/wiki/4.-Docker)
Yes! reconFTW can also be easily deployed with Terraform and Ansible to AWS, if you want to know how to do it, you can check the guide [here](Terraform/README.md)
-# ⚙️ Config file:
+# ⚙️ Config file
+>
> You can find a detailed explanation of the configuration file [here](https://github.com/six2dez/reconftw/wiki/3.-Configuration-file) :book:
- Through ```reconftw.cfg``` file the whole execution of the tool can be controlled.
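Review bot: the added `+>` line is an empty blockquote, not a blank line; it renders as an empty quote box sitting on top of the wiki note below it. Replace it with a plain blank line.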
@@ -133,7 +137,7 @@ Yes! reconFTW can also be easily deployed with Terraform and Ansible to AWS, if
```yaml
#################################################################
-# reconFTW config file #
+# reconFTW config file #
#################################################################
# General values
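Review bot: the only change to the `reconFTW config file` banner is whitespace, and the surrounding `####` lines show it is part of an ASCII box whose closing `#` was aligned by that padding; if the padding is what is being removed, the box is misaligned in the rendered block, so please check the result. The fence is also tagged `yaml`, but the content (`reset='\033[0m'`, `yellow='\033[0;33m'` in the hunk headers) is sourced shell, so `bash` is the right tag for highlighting.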
@@ -355,13 +359,14 @@ yellow='\033[0;33m'
reset='\033[0m'
```
+
-# Usage:
+# Usage
> Check out the wiki section to know which flag performs what all steps/attacks [Usage Guide](https://github.com/six2dez/reconftw/wiki/2.-Usage-Guide) :book:
-**TARGET OPTIONS**
+## TARGET OPTIONS
| Flag | Description |
|------|-------------|
@@ -371,7 +376,7 @@ reset='\033[0m'
| -x | Exclude subdomains list *(Out Of Scope)* |
| -i | Include subdomains list *(In Scope)* |
-**MODE OPTIONS**
+## MODE OPTIONS
| Flag | Description |
|------|-------------|
@@ -384,79 +389,84 @@ reset='\033[0m'
| -c | Custom - Launches specific function against target |
| -h | Help - Show this help menu |
-**GENERAL OPTIONS**
+## GENERAL OPTIONS
| Flag | Description |
|------|-------------|
-| --deep | Deep scan (Enable some slow options for deeper scan, _vps intended mode_) |
+| --deep | Deep scan (Enable some slow options for deeper scan, *vps intended mode*) |
| -f | Custom config file path |
| -o | Output directory |
| -v | Axiom distributed VPS |
| -q | Rate limit in requests per second |
-# Example Usage:
+## Example Usage
-**To perform a full recon on single target**
+### To perform a full recon on single target
```bash
./reconftw.sh -d target.com -r
```
-**To perform a full recon on a list of targets**
+### To perform a full recon on a list of targets
```bash
./reconftw.sh -l sites.txt -r -o /output/directory/
```
-**Perform full recon with more time intense tasks** *(VPS intended only)*
+### Perform full recon with more time intense tasks *(VPS intended only)*
```bash
./reconftw.sh -d target.com -r --deep -o /output/directory/
```
-**Perform recon in a multi domain target**
+### Perform recon in a multi domain target
```bash
./reconftw.sh -m company -l domains_list.txt -r
```
-**Perform recon with axiom integration**
+### Perform recon with axiom integration
```bash
./reconftw.sh -d target.com -r -v
```
- **Perform all steps (whole recon + all attacks) a.k.a. YOLO mode**
+### Perform all steps (whole recon + all attacks) a.k.a. YOLO mode
```bash
./reconftw.sh -d target.com -a
```
-**Show help section**
+### Show help section
```bash
./reconftw.sh -h
```
-# Axiom Support: :cloud:
+# Axiom Support :cloud:
+
![](https://i.ibb.co/Jzrgkqt/axiom-readme.png)
> Check out the wiki section for more info [Axiom Support](https://github.com/six2dez/reconftw/wiki/5.-Axiom-version)
-* As reconFTW actively hits the target with a lot of web traffic, hence there was a need to move to Axiom distributing the work load among various instances leading to reduction of execution time.
-* During the configuration of axiom you need to select `reconftw` as provisoner.
-* You can create your own axiom's fleet before running reconFTW or let reconFTW to create and destroy it automatically just modifying reconftw.cfg file.
-# BBRF Support: :computer:
-* To add reconFTW results to your [BBRF instance](https://github.com/honoki/bbrf-server) just add IP and credentials to reconftw.cfg file section dedicated to bbrf.
-* During the execution of the scans the results will be added dynamically when each step ends.
-* Even you can set up locally your BBRF instance to be able to visualize your results in a fancy web UI.
+- As reconFTW actively hits the target with a lot of web traffic, hence there was a need to move to Axiom distributing the work load among various instances leading to reduction of execution time.
+- During the configuration of axiom you need to select `reconftw` as provisoner.
+- You can create your own axiom's fleet before running reconFTW or let reconFTW to create and destroy it automatically just modifying reconftw.cfg file.
+
+# BBRF Support :computer:
+
+- To add reconFTW results to your [BBRF instance](https://github.com/honoki/bbrf-server) just add IP and credentials to reconftw.cfg file section dedicated to bbrf.
-# Sample video:
+- During the execution of the scans the results will be added dynamically when each step ends.
+- Even you can set up locally your BBRF instance to be able to visualize your results in a fancy web UI.
+
+# Sample video
![Video](images/reconFTW.gif)
# :fire: Features :fire:
- ## Osint
+## Osint
+
- Domain information ([whois](https://github.com/rfc1036/whois) and [amass](https://github.com/OWASP/Amass))
- Emails addresses and users ([emailfinder](https://github.com/Josue87/EmailFinder))
- Metadata finder ([MetaFinder](https://github.com/Josue87/MetaFinder))
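Review bot: "provisoner" in the rewritten Axiom bullet is a typo for "provisioner"; since the line is being rewritten anyway, fix it here. Two nearby wording nits on lines this hunk touches: "more time intense tasks" should be "more time-intensive tasks", and the context line "Emails addresses and users" should read "Email addresses and users".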
@@ -465,22 +475,24 @@ reset='\033[0m'
- GitHub org analysis ([enumerepo](https://github.com/trickest/enumerepo) and [trufflehog](https://github.com/trufflesecurity/trufflehog))
## Subdomains
- - Passive ([amass](https://github.com/OWASP/Amass), [subfinder](https://github.com/projectdiscovery/subfinder) and [github-subdomains](https://github.com/gwen001/github-subdomains))
- - Certificate transparency ([ctfr](https://github.com/UnaPibaGeek/ctfr))
- - NOERROR subdomain discovery ([dnsx](https://github.com/projectdiscovery/dnsx), more info [here](https://www.securesystems.de/blog/enhancing-subdomain-enumeration-ents-and-noerror/))
- - Bruteforce ([puredns](https://github.com/d3mondev/puredns))
- - Permutations ([Gotator](https://github.com/Josue87/gotator), [ripgen](https://github.com/resyncgg/ripgen) and [regulator](https://github.com/cramppet/regulator))
- - JS files & Source Code Scraping ([katana](https://github.com/projectdiscovery/katana))
- - DNS Records ([dnsx](https://github.com/projectdiscovery/dnsx))
- - Google Analytics ID ([AnalyticsRelationships](https://github.com/Josue87/AnalyticsRelationships))
- - TLS handshake ([tlsx](https://github.com/projectdiscovery/tlsx))
- - Recursive search ([dsieve](https://github.com/trickest/dsieve)).
- - Subdomains takeover ([nuclei](https://github.com/projectdiscovery/nuclei))
- - DNS takeover ([dnstake](https://github.com/pwnesia/dnstake))
- - DNS Zone Transfer ([dig](https://linux.die.net/man/1/dig))
- - Cloud checkers ([S3Scanner](https://github.com/sa7mon/S3Scanner) and [cloud_enum](https://github.com/initstring/cloud_enum))
+
+- Passive ([amass](https://github.com/OWASP/Amass), [subfinder](https://github.com/projectdiscovery/subfinder) and [github-subdomains](https://github.com/gwen001/github-subdomains))
+- Certificate transparency ([ctfr](https://github.com/UnaPibaGeek/ctfr))
+- NOERROR subdomain discovery ([dnsx](https://github.com/projectdiscovery/dnsx), more info [here](https://www.securesystems.de/blog/enhancing-subdomain-enumeration-ents-and-noerror/))
+- Bruteforce ([puredns](https://github.com/d3mondev/puredns))
+- Permutations ([Gotator](https://github.com/Josue87/gotator), [ripgen](https://github.com/resyncgg/ripgen) and [regulator](https://github.com/cramppet/regulator))
+- JS files & Source Code Scraping ([katana](https://github.com/projectdiscovery/katana))
+- DNS Records ([dnsx](https://github.com/projectdiscovery/dnsx))
+- Google Analytics ID ([AnalyticsRelationships](https://github.com/Josue87/AnalyticsRelationships))
+- TLS handshake ([tlsx](https://github.com/projectdiscovery/tlsx))
+- Recursive search ([dsieve](https://github.com/trickest/dsieve)).
+- Subdomains takeover ([nuclei](https://github.com/projectdiscovery/nuclei))
+- DNS takeover ([dnstake](https://github.com/pwnesia/dnstake))
+- DNS Zone Transfer ([dig](https://linux.die.net/man/1/dig))
+- Cloud checkers ([S3Scanner](https://github.com/sa7mon/S3Scanner) and [cloud_enum](https://github.com/initstring/cloud_enum))
## Hosts
+
- IP info ([whoisxmlapi API](https://www.whoisxmlapi.com/))
- CDN checker ([ipcdn](https://github.com/six2dez/ipcdn))
- WAF checker ([wafw00f](https://github.com/EnableSecurity/wafw00f))
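Review bot: the re-indented Subdomains list keeps a trailing period on "Recursive search ([dsieve](...))." while no other item in the list has one; drop it while the lines are being rewritten.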
@@ -489,6 +501,7 @@ reset='\033[0m'
- Password spraying ([brutespray](https://github.com/x90skysn3k/brutespray))
## Webs
+
- Web Prober ([httpx](https://github.com/projectdiscovery/httpx) and [unimap](https://github.com/Edu4rdSHL/unimap))
- Web screenshoting ([webscreenshot](https://github.com/maaaaz/webscreenshot) or [gowitness](https://github.com/sensepost/gowitness))
- Web templates scanner ([nuclei](https://github.com/projectdiscovery/nuclei) and [nuclei geeknik](https://github.com/geeknik/the-nuclei-templates.git))
@@ -503,6 +516,7 @@ reset='\033[0m'
- Passwords dictionary creation ([pydictor](https://github.com/LandGrey/pydictor))
## Vulnerability checks
+
- XSS ([dalfox](https://github.com/hahwul/dalfox))
- Open redirect ([Oralyzer](https://github.com/r0075h3ll/Oralyzer))
- SSRF (headers [interactsh](https://github.com/projectdiscovery/interactsh) and param values with [ffuf](https://github.com/ffuf/ffuf))
@@ -518,6 +532,7 @@ reset='\033[0m'
- 4XX Bypasser ([byp4xx](https://github.com/lobuhi/byp4xx))
## Extras
+
- Multithreading ([Interlace](https://github.com/codingo/Interlace))
- Custom resolvers generated list ([dnsvalidator](https://github.com/vortexau/dnsvalidator))
- Docker container included and [DockerHub](https://hub.docker.com/r/six2dez/reconftw) integration
@@ -533,17 +548,20 @@ reset='\033[0m'
- Out of Scope Support + optional [inscope](https://github.com/tomnomnom/hacks/tree/master/inscope) support
- Notification system with Slack, Discord and Telegram ([notify](https://github.com/projectdiscovery/notify)) and sending zipped results support
-# Mindmap/Workflow
+## Mindmap/Workflow
![Mindmap](images/mindmapv2.png)
## Data Keep
Follow these simple steps to end up with a private repository with your `API Keys` and `/Recon` data.
+
### Makefile
+
A `Makefile` is provided to quickly bootstrap a private repo. To use it, you'll need the [Github CLI](https://cli.github.com/) installed.
Once done, just run:
+
```bash
# below line is optional, the default is ~/reconftw-data
export PRIV_REPO="$HOME/reconftw-data"
@@ -551,32 +569,37 @@ make bootstrap
```
To sync your private repo with upstream:
+
```bash
make sync
```
To upload juicy recon data:
+
```bash
make upload
```
### Manual
-* Create a private __blank__ repository on `Git(Hub|Lab)` (Take into account size limits regarding Recon data upload)
-* Clone your project: `git clone https://gitlab.com/example/reconftw-data`
-* Get inside the cloned repository: `cd reconftw-data`
-* Create a new branch with an empty commit: `git commit --allow-empty -m "Empty commit"`
-* Add the official repo as a new remote: `git remote add upstream https://github.com/six2dez/reconftw` (`upstream` is an example)
-* Update upstream's repo: `git fetch upstream`
-* Rebase current branch with the official one: `git rebase upstream/main master`
-### Main commands:
+- Create a private **blank** repository on `Git(Hub|Lab)` (Take into account size limits regarding Recon data upload)
+
+- Clone your project: `git clone https://gitlab.com/example/reconftw-data`
+- Get inside the cloned repository: `cd reconftw-data`
+- Create a new branch with an empty commit: `git commit --allow-empty -m "Empty commit"`
+- Add the official repo as a new remote: `git remote add upstream https://github.com/six2dez/reconftw` (`upstream` is an example)
+- Update upstream's repo: `git fetch upstream`
+- Rebase current branch with the official one: `git rebase upstream/main master`
-* Upload changes to your personal repo: `git add . && git commit -m "Data upload" && git push origin master`
-* Update tool anytime: `git fetch upstream && git rebase upstream/main master`
+### Main commands
-## How to contribute:
+- Upload changes to your personal repo: `git add . && git commit -m "Data upload" && git push origin master`
+- Update tool anytime: `git fetch upstream && git rebase upstream/main master`
+
+## How to contribute
If you want to contribute to this project, you can do it in multiple ways:
+
- Submitting an [issue](https://github.com/six2dez/reconftw/issues/new/choose) because you have found a bug or you have any suggestion or request.
- Making a Pull Request from [dev](https://github.com/six2dez/reconftw/tree/dev) branch because you want to improve the code or add something to the script.
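Review bot: the blank line inserted after the "Create a private **blank** repository" bullet makes the whole Manual list loose, so every item renders with paragraph spacing unlike the other lists in the file; remove it. The step "Create a new branch with an empty commit" only runs `git commit --allow-empty -m "Empty commit"`, which commits on the current branch and creates no branch; either reword it to "Create an initial empty commit" or add the branch-creation step that the later `git rebase upstream/main master` command assumes.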
@@ -590,21 +613,26 @@ If you want to contribute to this project, you can do it in multiple ways:
## Support this project
### Buymeacoffee
+
[](https://www.buymeacoffee.com/six2dez)
### DigitalOcean referral link
+
### GitHub sponsorship
+
[Sponsor](https://github.com/sponsors/six2dez)
-# Sponsors ❤️
-**This section shows the current financial sponsors of this project**
+## Sponsors ❤️
+
+This section shows the current financial sponsors of this project
-[](https://github.com/0xtavian)
+[](https://github.com/0xtavian)
-# Thanks :pray:
-* Thank you for lending a helping hand towards the development of the project!
+## Thanks :pray:
+
+- Thank you for lending a helping hand towards the development of the project!
- [C99](https://api.c99.nl/)
- [CIRCL](https://www.circl.lu/)
@@ -616,7 +644,8 @@ If you want to contribute to this project, you can do it in multiple ways:
- [intelx](https://intelx.io/)
- [Whoxy](https://www.whoxy.com/)
-# Disclaimer
+## Disclaimer
+
Usage of this program for attacking targets without consent is illegal. It is the user's responsibility to obey all applicable laws. The developer assumes no liability and is not responsible for any misuse or damage caused by this program. Please use responsibly.
The material contained in this repository is licensed under GNU GPLv3.
diff --git a/Terraform/README.md b/Terraform/README.md
index 4985bdc1..538cee3d 100644
--- a/Terraform/README.md
+++ b/Terraform/README.md
@@ -1,24 +1,28 @@
# reconFTW loves Ansible+Terraform <3
-This is an automatized script created to work under AWS by using Terraform and Ansible. It allows you to easily deploy it or to easily adapt it into your IaaC strategy.
+
+This is an automated script created to work under AWS by using Terraform and Ansible. It allows you to easily deploy it or to easily adapt it into your IaaC strategy.
## Requirements
+
You would need to have installed:
-- AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
-- Terraform (https://learn.hashicorp.com/tutorials/terraform/install-cli)
-- Ansible (https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)
-
-As well as both access_key and secret_key (https://aws.amazon.com/premiumsupport/knowledge-center/create-access-key/)
-
-## Deploying reconFTW on the AWS Cloud
-- Please note that this will have a cost (unless you are in the Free Tier)
-1. Move to the Terraform folder
-(Optional an recommended) 1.1 Put your own Amass config file and reconFTW config file on the files/ folder
-2. Create a key pair to be used: ssh-keygen -f terraform-keys -t ecdsa -b 521
-3. Use the terraform init command
-4. Use the terraform apply commmand
-5. Click on "yes" when Terraform asks you
-6. Wait, because it can take up to 15 min.
-4. Once the process has finished, you can now login with:
-ssh admin@ip -i terraform-keys
-5. ???
-6. If you have finished playing with ReconFTW and hacking the world remember to destroy the instance with the terraform destroy command
+
+- AWS CLI ()
+- Terraform ()
+- Ansible ()
+
+As well as both `access_key` and `secret_key` ()
+
+## Deploying reconFTW on the AWS Cloud using Terraform and Ansible
+
+Note: **this will charge costs (unless you are in the Free Tier)**
+
+1. Move to the Terraform folder (optional but recommended): `cd terraform`
+ - Put your own Amass config file and reconFTW config file on the files/ folder
+1. Create a key pair to be used, e.g: `ssh-keygen -f terraform-keys -t ecdsa -b 521`
+1. Run `terraform init`
+1. Run `terraform apply`
+1. Type "yes" and hit enter
+1. Wait, because it can take up to 15 min.
+1. Once the process has finished, you can now login, using `ssh admin@ip -i terraform-keys`
+1. ???
+1. If you have finished playing with reconFTW and hacking the world, remember to destroy the instance using `terraform destroy`
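Review bot: the rewritten Requirements list loses its links: `- AWS CLI ()`, `- Terraform ()`, `- Ansible ()` and the `access_key`/`secret_key` line all end in empty parentheses where the removed lines carried the installation and access-key URLs; restore them as Markdown links, e.g. `- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)`. In the numbered steps, "(optional but recommended)" has migrated from the old sub-step 1.1 (supplying your own Amass and reconFTW config files) onto "Move to the Terraform folder", which is not optional, and `cd terraform` does not match the directory name `Terraform/` shown in the file path on a case-sensitive filesystem. Finally, "this will charge costs" should read "this will incur costs".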