-
-
Notifications
You must be signed in to change notification settings - Fork 893
2. Usage Guide
six2dez edited this page Sep 6, 2021
·
4 revisions
- Your Target could be a root domain or a subdomain.
- It's mandatory to specify a target for a scan.
- Also reconFTW has ability to import a list of targets from a text file. (The targets must be specified one on each line)
| Subcommand | Description | Example |
|---|---|---|
| -d | Single target domain | ./reconftw.sh -d target.com -r |
| -l | Specify a list of target domains (targets.txt), reconFTW runs one time for each target | ./reconftw.sh -l targets.txt -r |
| -m | For one target with multiple domains (tesla.com, teslamotors.com...) | ./reconftw.sh -m target -l domains.txt -r |
| -i | Force include subdomain list (in.txt) | ./reconftw.sh -d target.com -i in.txt -r |
| -x | Out of scope subdomain list (oos.txt) | ./reconftw.sh -d target.com -x oos.txt -r |
- reconFTW supports several mode options. It's best preferred to use
-r. But depending on your needs you can select the required mode. - Changes in the mode options results in varying execution time of the script.
| Subcommand | Description | Example |
|---|---|---|
| -r | Recon - Full recon process (only recon without attacks) | ./reconftw.sh -d target.com -r |
| -s | Subdomains - Search subdomains, check tko and web probe | ./reconftw.sh -d target.com -s |
| -p | Passive - Performs only passive steps | ./reconftw.sh -d target.com -p |
| -w | Web - Just web checks from list provided | ./reconftw.sh -l targetlist.txt -w |
| -a | All - Perform all checks and exploitations (a.k.a. YOLO) | ./reconftw.sh -d target.com -a |
| -n | Osint - Just checks for public intel info | ./reconftw.sh -d target.com -n |
| -h | Help - Show this help | ./reconftw.sh -h |
👉 Click here to view the steps/attacks performed by "-r" Recon flag 👈
#OSINT
domain_info
emails
google_dorks
github_dorks
metadata
zonetransfer
favicon
#Subdomain Enumeration
Passive sources
Scarping through CT logs
Subdomain Bruteforcing
Subdomain Scraping form JS files & Source code
Permutations/Alterations
Google Analytics ID relationships
Active DNS resolutions
S3 Bucket
Zone Transfer
Subdomain Takeover
#Web Detection
Simple web probe
Web probing on uncommon ports
Screenshots
#Host
Active portscan
Passive portscan
cloudprovider
#Web Scan
waf_checks
nuclei_check
cms_scanner
fuzz
params
urlchecks
url_gf
jschecks
wordlist generation👉 Click here to view the steps/attacks performed by "-s" Subdomains flag 👈
#Subdomain Enumeration
Passive sources
Scarping through CT logs
Subdomain Bruteforcing
Subdomain Scraping form JS files & Source code
Permutations/Alterations
Google Analytics ID relationships
Active DNS resolutions
S3 Bucket
Zone Transfer
Subdomain Takeover
#Web Detection
Simple web probe
Web probing on uncommon ports
Screenshots
👉 Click here to view the steps/attacks performed by "-p" Passive flag 👈
#OSINT
domain_info
emails
google_dorks
github_dorks
metadata
zonetransfer
favicon
#Subdomain Enumeration
Passive sources
Scraping through CT logs
Subdomain Bruteforcing
Permutations/Alterations
Google Analytics ID relationships
Active DNS resolutions
#Host
favicon
passive portscan
cloudprovider👉 Click here to view the steps/attacks performed by "-w" Web flag 👈
#Subdomain Enumeration
S3 Bucket
Subdomain Takeover
#Web Scan
waf_checks
nuclei_check
cms_scanner
fuzz
params
urlchecks
url_gf
jschecks
wordlist generation
#Vulnerabilities
4xxbypass
cors
open_redirect
ssrf_checks
crlf_checks
lfi
ssti
sqli
xss
spraying
brokenLinks
test_ssl👉 Click here to view the steps/attacks performed by "-a" All flag 👈
#OSINT
domain_info
emails
google_dorks
github_dorks
metadata
zonetransfer
favicon
#Subdomain Enumeration
Passive sources
Scarping through CT logs
Subdomain Bruteforcing
Subdomain Scraping form JS files & Source code
Permutations/Alterations
Google Analytics ID relationships
Active DNS resolutions
S3 Bucket
Zone Transfer
Subdomain Takeover
#Web Detection
Simple web probe
Web probing on uncommon ports
Screenshots
#Host
favicon
portscan
cloudprovider
#Web Scan
waf_checks
nuclei_check
cms_scanner
fuzz
params
urlchecks
url_gf
jschecks
wordlist generation
#Vulnerabilities
cors
open_redirect
ssrf_checks
crlf_checks
lfi
ssti
sqli
xss
command_injection
prototype_pollution
spraying
brokenLinks
test_ssl- Some checks/tasks of reconFTW take a longer time and generate a lot of web traffic.
- You can enable these tasks by using the following options.
- The
--deepflag is a VPS intended option.
| Subcommand | Description | Example |
|---|---|---|
| --deep | Deep scan (Enable some slow options for deeper scan) | ./reconftw.sh -d target.com [mode] --deep |
| -v | VPS - Run reconftw with Axiom distributed VPS fleet | ./reconftw.sh -d target.com [mode] -v |
| -f confile_file | Alternate reconftw.cfg file | ./reconftw.sh -d target.com [mode] -f config_file |
- Supports option for user-defined output directory of the results.
| Subcommand | Description | Example |
|---|---|---|
| -o | Define the output folder | ./reconftw.sh -d target.com -r -o /output/directory/ |