-
-
Notifications
You must be signed in to change notification settings - Fork 935
3. Configuration file
- Through
reconftw.cfg
file the whole execution of the tool can be controlled. - Hunters can set various scanning modes,** execution preferences**, tools, config files, APIs/TOKENS, personalized wordlists and much more. The following explains what each of the options is for:
Values affecting the general workflow of the tool no matter what mode is using
**
OPTION | Default | Description |
---|---|---|
tools | ~/Tools | Directory where all the tools are stored |
SCRIPTPATH | "$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" | Path where reconFTW directory is placed |
profile_shell | ".$(basename $(echo $SHELL))rc" | Name of your config shell file (i.e. .zshrc or .bashrc) |
reconftw_version |
|
Get git version |
update_resolvers | true | Whether you can to update resolvers if they are more than 24hrs. old |
proxy_url | http://127.0.0.1"8080/ | Sends the reconFTW traffic through proxy proxify |
dir_output | Default is ignored (#) = false | Output folder for results, uncomment and set an absolute path to use it |
These are the default values in any Golang installation, if you have any other configuration change it here.
**
OPTION | Default | Description |
---|---|---|
export GOROOT | /usr/local/go | Golang path for root |
export GOPATH | $HOME/go | Default golang path for root |
export PATH | $GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH | Add Golang to your $PATH |
Path where config files for tools used by reconFTW is stored.
OPTION | Default | Description |
---|---|---|
AMASS_CONFIG | ~/.config/amass/config.ini | Amass config file |
GITHUB_TOKENS | ${tools}/.github_tokens | File with Github tokens, one per line |
Here you can define some API keys, values or tokens used for some tools, it also can be defined in your .bashrc/.zshrc instead here. In case you want to define here first uncomment and then add the value. These are the used:
OPTION | Default | Description |
---|---|---|
SHODAN_API_KEY | Shodan API key | |
XSS_SERVER | Domain for blind XSS attacks (i.e. six2dez.xss.ht) | |
COLLAB_SERVER | Collaborator server for SSRF tests | |
findomain_virustotal_token | Findomain VT token | |
findomain_spyse_token | Findomain Spyse token | |
findomain_securitytrails_token | Findomain ST token | |
findomain_fb_token | Findomain FB token | |
slack_channel | Needed to send zip output over Slack | |
slack_auth | Needed to send zip output over Slack |
As you can see, reconFTW doesn't outputs the original stdout of the tools, this is because is redirected because of a clean output, you can comment this vars to output everything (same behavior of -v flag), or just comment DEGUB_ERROR to show only tools errors
OPTION | Default | Description |
---|---|---|
DEBUG_STD | "&>/dev/null" | Standard message redirection |
DEBUG_ERROR | "2>/dev/null" | Error message redirection |
Functions executed for OSINT techniques, you can avoid them if you set to false.
OPTION | Default | Description |
---|---|---|
GOOGLE_DORKS | true | Google dorking |
GITHUB_DORKS | false | GitHub dorking, default to false because is slow |
METADATA | true | Extract metadata from public files |
EMAILS | true | Extract emails/users/passwords related to target |
DOMAIN_INFO | true | Whois info and domains related to the same registrant |
METAFINDER_LIMIT | 20 | Number of results fetched with Metafinder tool |
Various Subdomain techniques used, set to false those that you don't want to run.
OPTION | Default | Description |
---|---|---|
SUBDOMAINS_GENERAL | true | Subdomains general feature |
SUBPASSIVE | true | Subdomains from passive sources |
SUBCRT | true | Subdomains from certificate transparency |
SUBANALYTICS | true | Subdomains from Google Analytics |
SUBBRUTE | true | Subdomain bruteforce |
SUBSCRAPING | true | Subdomains scraping from source code |
SUBPERMUTE | true | Subdomains permutations |
SUBTAKEOVER | true | Subdomain takeover check |
SUBRECURSIVE | true | Subdomain recursive search |
SUB_RECURSIVE_PASSIVE | true | Subdomain recursive search from passive sources |
ZONETRANSFER | true | Zone transfer check |
S3BUCKETS | true | Checks for S3 buckets |
REVERSEIP | true | Reverse IP search |
Tasks to detect websites in subdomains.
OPTION | Default | Description |
---|---|---|
WEBPROBESIMPLE | true | Web probe on http and https |
WEBPROBEFULL | true | Web probe on more than 90 ports, where web interface can be hosted |
WEBSCREENSHOT | true | Web screenshot every website found |
UNCOMMON_PORTS_WEB | ... | List of ports where web interface can be hosted |
AXIOM_SCREENSHOT_MODULE | webscreenshot | Web Screenshots in axiom |
Tasks performed on hosts found.
OPTION | Default | Description |
---|---|---|
FAVICON | true | Check favicon to find more domains or waf bypass with same favicon hash |
PORTSCANNER | true | To disable or enable any type of port scan |
PORTSCAN_PASSIVE | true | Port scanner passive with Shodan |
PORTSCAN_ACTIVE | true | Port scanner with nmap top 1000 |
CLOUD_IP | true | Shows what IPs belong to cloud providers |
Tasks performed on any web to retrieve as much as info as possible.
OPTION | Default | Description |
---|---|---|
WAF_DETECTION | true | Detect if website is behind waf |
NUCLEICHECK | true | Run nuclei templates |
URL_CHECK | true | Retrieve urls from passive and crawling |
URL_GF | true | Analyze urls extracted with gf patterns |
URL_EXT | true | Create a file sort by extension type |
JSCHECKS | true | Analyze JS files |
FUZZ | true | Web fuzzing |
CMS_SCANNER | true | Scan to detect CMS |
WORDLIST | true | Generate wordlists from urls collected |
ROBOTSWORDLIST | true | Set wordlist used in Fuzzer |
Every vulnerability check performed, first filtered with uddup, qsreplace and gf-patterns.
OPTION | Default | Description |
---|---|---|
VULNS_GENERAL | false | Vulns check general feature |
XSS | true | XSS reflected with Gxss confirmed with dalfox |
CORS | true | CORS misconfigurations |
TEST_SSL | true | Check SSL |
OPEN_REDIRECT | true | Check Open Redirects flaws |
SSRF_CHECKS | true | Scan for SSRF |
CRLF_CHECKS | true | Scan for CRLF |
LFI | true | LFI with fuzzing wordlist |
SSTI | true | SSTI with fuzzing |
SQLI | true | SQLi with SQLmap |
BROKENLINKS | true | Check broken links redirections |
SPRAY | true | Password spraying with brutespray over ports and services found |
COMM_INJ | true | Check command injection flaws |
PROTO_POLLUTION | true | Check prototype pollution attack |
Advanced options that you may find interesting.
OPTION | Default | Description |
---|---|---|
NOTIFICATION | false | Set to true to receive notifications for every function, need configuration (Telegram, Slack or Discord) |
SOFT_NOTIFICATION | false | Set to true to receive notifications for each target start and end, need configuration (Telegram, Slack or Discord) |
DEEP | false | Enable deep (and slower) scan, same as --deep flag |
DEEP_LIMIT | 500 | Set DEEP number |
DIFF | false | Enable support to run over same targets again and again and it only advice for new findings (for cron mode and monitoring) |
REMOVETMP | false | Remove temporary files after finish scan |
REMOVELOG | false | Remove log files after finish scan |
PROXY | false | Proxy(burp, zap) to send websites and fuzzing |
SENDZIPNOTIFY | false | Set to true to send zipped results over Tg, Discord or Slack |
PRESERVE | false | Set to true to allow repeat every step (only Axiom) |
Headers for HTTP requests.
OPTION | Default | Description |
---|---|---|
HEADER | "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" | Define custom Header or User-Agent |
Threads control for the tools.
OPTION | Default | Description |
---|---|---|
FFUF_THREADS | 40 | Fuzzing threads |
HTTPX_THREADS | 50 | Http probe threads |
HTTPX_UNCOMMONPORTS_THREADS | 100 | Http uncommon ports probe threads |
GOSPIDER_THREADS | 50 | Crawler threads |
GITDORKER_THREADS | 5 | Github dorking threads |
BRUTESPRAY_THREADS | 20 | Password spraying threads |
BRUTESPRAY_CONCURRENCE | 10 | Password spraying concurrent hosts |
ARJUN_THREADS | 20 | Param discovery threads |
GAUPLUS_THREADS | 10 | Concurrent threads for gauplus |
DALFOX_THREADS | 200 | Threads for dalfox |
PUREDNS_PUBLIC_LIMIT | 0 | Threads for massdns querying public resolvers (when your wifi blows up set between 2000-10000) |
PUREDNS_TRUSTED_LIMIT | 400 | Puredns threads querying trusted dns resolvers |
WEBSCREENSHOT_THREADS | 200 | Webscreenshot threads |
RESOLVE_DOMAINS_THREADS | 150 | Resolve domains IP threads |
PPFUZZ_THREADS | 30 | Ppfuzz threads |
Maximum execution time for a particular tool or job can be set here.
OPTION | Default | Description |
---|---|---|
CMSSCAN_TIMEOUT | 36000 | Timeout for the whole CMScanner execution |
FFUF_MAXTIME | 900 | Maximum execution time for a single url |
HTTPX_TIMEOUT | 10 | Maximum time to wait for a response for web probes on port 80 & 443 |
HTTPX_UNCOMMONPORTS_TIMEOUT | 10 | Maximum time to wait for a response |
Wordlists to use in reconFTW. Here you can specify your personalized wordlists.
OPTION | Default | Description |
---|---|---|
fuzz_wordlist | ${tools}/fuzz_wordlist.txt | Fuzzing wordlist |
lfi_wordlist | ${tools}/lfi_wordlist.txt | LFI wordlist |
ssti_wordlist | ${tools}/ssti_wordlist.txt | SSTI wordlist |
subs_wordlist | ${tools}/subdomains.txt | Subdomains wordlist (jhaddix's all.txt) |
subs_wordlist_big | ${tools}/subdomains_big.txt | Big subdomain wordlist used with deep flag (assetnote) |
resolvers | ${tools}/resolvers.txt | List of resolvers |
resolvers_trusted | ${tools}/resolvers_trusted.txt | List of trusted DNS resolvers |
Axiom configurations
OPTION | Default | Description |
---|---|---|
AXIOM | false | Enable axiom, same as -v flag |
AXIOM_FLEET_LAUNCH | false | Set to true to automatically launch a new axiom instance |
AXIOM_FLEET_NAME | reconFTW | Axiom's fleet name |
AXIOM_FLEET_COUNT | 10 | Axiom's fleet size |
AXIOM_FLEET_REGIONS | "eu-central" | Axiom's fleet region |
AXIOM_FLEET_SHUTDOWN | true | Set to true to automatically delete axiom instance after the work is done |
Just the color to be printed depending on the message typed. Here you can find a good guide to change those colors if you want.
OPTION | Default | Description |
---|---|---|
bred | '\033[1;31m' | Bold red |
bblue | '\033[1;34m' | Bold blue |
bgreen | '\033[1;32m' | Bold green |
yellow | '\033[0;33m' | Yellow |
red | '\033[0;31m' | Red |
blue | '\033[0;34m' | Blue |
green | '\033[0;32m' | Green |
reset | '\033[0m' | Reset color |