2. Usage Guide
six2dez edited this page Sep 6, 2021
- Your target can be a root domain or a subdomain.
- Specifying a target is mandatory for a scan.
- reconFTW can also import a list of targets from a text file (one target per line).
| Subcommand | Description | Example |
|---|---|---|
| -d | Single target domain | ./reconftw.sh -d target.com -r |
| -l | Specify a list of target domains (targets.txt); reconFTW runs once for each target | ./reconftw.sh -l targets.txt -r |
| -m | For one target with multiple domains (tesla.com, teslamotors.com, ...) | ./reconftw.sh -m target -l domains.txt -r |
| -i | Force include subdomain list (in.txt) | ./reconftw.sh -d target.com -i in.txt -r |
| -x | Out of scope subdomain list (oos.txt) | ./reconftw.sh -d target.com -x oos.txt -r |
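As an added example (not code from the reconFTW project), the following POSIX shell script prepares the files the flags above consume: it normalizes a raw target list to one hostname per line for `-l` or `-x`, and filters a candidate subdomain list against an out-of-scope list to produce an `-i` list. The hostname rule it enforces and the assumption that an out-of-scope entry also excludes everything beneath it are this script's own choices, not documented reconFTW behaviour; the file names in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not part of reconFTW: prepare the files fed to
# reconftw.sh -l / -i / -x. The hostname rule below (lowercase labels of
# [a-z0-9-], at least one dot, no scheme/port/path) and the "an out-of-scope
# entry also excludes its subdomains" rule are this script's assumptions.

# normalize_targets FILE
#   Print one lowercase hostname per line, sorted and de-duplicated, skipping
#   blank lines and # comments and stripping any URL scheme, port or path.
#   Returns 1 (and names the offending line on stderr) if an entry is not a
#   hostname, so a typo never silently widens or narrows the scan scope.
normalize_targets() {
    _hosts=$(awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            h = tolower($1)
            sub(/^https?:\/\//, "", h)   # strip URL scheme
            sub(/[\/:].*$/, "", h)       # strip path or port
            if (h !~ /^([a-z0-9-]+\.)+[a-z0-9-]+$/) {
                printf("bad target on line %d: %s\n", NR, $0) > "/dev/stderr"
                bad = 1
                next
            }
            print h
        }
        END { exit bad }' "$1") || return 1
    [ -n "$_hosts" ] || return 0
    printf '%s\n' "$_hosts" | sort -u
}

# in_scope CANDIDATES OOS
#   Print every hostname from CANDIDATES that is neither listed in OOS nor a
#   subdomain of an OOS entry (both files: one hostname per line, as produced
#   by normalize_targets). The result is what you would pass as the -i list.
in_scope() {
    awk '
        FILENAME == ARGV[1] { oos[$1] = 1; next }   # first file: load OOS set
        {
            keep = 1
            for (o in oos) {
                if ($1 == o || substr($1, length($1) - length(o)) == "." o) {
                    keep = 0
                    break
                }
            }
            if (keep) print $1
        }' "$2" "$1"
}

# Usage (constructed file names):
#   normalize_targets raw_targets.txt > targets.txt  # then: ./reconftw.sh -l targets.txt -r
#   normalize_targets raw_oos.txt     > oos.txt      # then: ./reconftw.sh -d target.com -x oos.txt -r
#   in_scope candidates.txt oos.txt   > in.txt       # then: ./reconftw.sh -d target.com -i in.txt -r
```

Run the normalizer on every list before handing it to reconFTW: a rejected line is cheaper than a scan that quietly skipped a host or touched one outside the agreed scope.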
- reconFTW supports several mode options. The recommended mode is -r, but depending on your needs you can select another mode.
- Changing the mode changes the execution time of the script.
| Subcommand | Description | Example |
|---|---|---|
| -r | Recon - Full recon process (only recon, without attacks) | ./reconftw.sh -d target.com -r |
| -s | Subdomains - Search subdomains, check takeover and web probe | ./reconftw.sh -d target.com -s |
| -p | Passive - Performs only passive steps | ./reconftw.sh -d target.com -p |
| -w | Web - Just web checks from the list provided | ./reconftw.sh -l targetlist.txt -w |
| -a | All - Perform all checks and exploitations (a.k.a. YOLO) | ./reconftw.sh -d target.com -a |
| -n | Osint - Just checks for public intel info | ./reconftw.sh -d target.com -n |
| -h | Help - Show this help | ./reconftw.sh -h |
Steps/attacks performed by the "-r" Recon flag:
- OSINT: domain_info, emails, google_dorks, github_dorks, metadata, zonetransfer, favicon
- Subdomain Enumeration: Passive sources, Scraping through CT logs, Subdomain Bruteforcing, Subdomain Scraping from JS files & Source code, Permutations/Alterations, Google Analytics ID relationships, Active DNS resolutions, S3 Bucket, Zone Transfer, Subdomain Takeover
- Web Detection: Simple web probe, Web probing on uncommon ports, Screenshots
- Host: Active portscan, Passive portscan, cloudprovider
- Web Scan: waf_checks, nuclei_check, cms_scanner, fuzz, params, urlchecks, url_gf, jschecks, wordlist generation
Steps/attacks performed by the "-s" Subdomains flag:
- Subdomain Enumeration: Passive sources, Scraping through CT logs, Subdomain Bruteforcing, Subdomain Scraping from JS files & Source code, Permutations/Alterations, Google Analytics ID relationships, Active DNS resolutions, S3 Bucket, Zone Transfer, Subdomain Takeover
- Web Detection: Simple web probe, Web probing on uncommon ports, Screenshots
Steps/attacks performed by the "-p" Passive flag:
- OSINT: domain_info, emails, google_dorks, github_dorks, metadata, zonetransfer, favicon
- Subdomain Enumeration: Passive sources, Scraping through CT logs, Subdomain Bruteforcing, Permutations/Alterations, Google Analytics ID relationships, Active DNS resolutions
- Host: favicon, passive portscan, cloudprovider
Steps/attacks performed by the "-w" Web flag:
- Subdomain Enumeration: S3 Bucket, Subdomain Takeover
- Web Scan: waf_checks, nuclei_check, cms_scanner, fuzz, params, urlchecks, url_gf, jschecks, wordlist generation
- Vulnerabilities: 4xxbypass, cors, open_redirect, ssrf_checks, crlf_checks, lfi, ssti, sqli, xss, spraying, brokenLinks, test_ssl
Steps/attacks performed by the "-a" All flag:
- OSINT: domain_info, emails, google_dorks, github_dorks, metadata, zonetransfer, favicon
- Subdomain Enumeration: Passive sources, Scraping through CT logs, Subdomain Bruteforcing, Subdomain Scraping from JS files & Source code, Permutations/Alterations, Google Analytics ID relationships, Active DNS resolutions, S3 Bucket, Zone Transfer, Subdomain Takeover
- Web Detection: Simple web probe, Web probing on uncommon ports, Screenshots
- Host: favicon, portscan, cloudprovider
- Web Scan: waf_checks, nuclei_check, cms_scanner, fuzz, params, urlchecks, url_gf, jschecks, wordlist generation
- Vulnerabilities: cors, open_redirect, ssrf_checks, crlf_checks, lfi, ssti, sqli, xss, command_injection, prototype_pollution, spraying, brokenLinks, test_ssl
- Some reconFTW checks take a long time and generate a lot of web traffic. You can enable them with the following options.
- The --deep flag is intended for use on a VPS.
| Subcommand | Description | Example |
|---|---|---|
| --deep | Deep scan (enables some slow options for a deeper scan) | ./reconftw.sh -d target.com [mode] --deep |
| -v | VPS - Run reconftw with an Axiom distributed VPS fleet | ./reconftw.sh -d target.com [mode] -v |
| -f config_file | Alternate reconftw.cfg file | ./reconftw.sh -d target.com [mode] -f config_file |
- The output directory for the results can be set by the user.

| Subcommand | Description | Example |
|---|---|---|
| -o | Define the output folder | ./reconftw.sh -d target.com -r -o /output/directory/ |