-
-
Notifications
You must be signed in to change notification settings - Fork 927
2. Usage Guide
six2dez edited this page Apr 20, 2021
·
4 revisions
- Your Target could be a root domain or a subdomain.
- It's mandatory to specify a target for a scan.
- Also reconFTW has ability to import a list of targets from a text file. (The targets must be specified one on each line)
| Subcommand | Description | Example |
|---|---|---|
| -d | Single target domain | ./reconftw.sh -d target.com -r |
| -l | Specify a list of target domains (targets.txt), reconFTW runs one time for each target | ./reconftw.sh -l targets.txt -r |
| -m | For one target with multiple domains (tesla.com, teslamotors.com...) | ./reconftw.sh -m target -l domains.txt -r |
| -i | Force include subdomain list (in.txt) | ./reconftw.sh -d target.com -i in.txt -r |
| -x | Out of scope subdomain list (oos.txt) | ./reconftw.sh -d target.com -x oos.txt -r |
- reconFTW supports several mode options. It's best preferred to use
-r. But depending on your needs you can select the required mode. - Changes in the mode options results in varying execution time of the script.
| Subcommand | Description | Example |
|---|---|---|
| -r | Recon - Full recon process (only recon without attacks) | ./reconftw.sh -d target.com -r |
| -s | Subdomains - Search subdomains, check tko and web probe | ./reconftw.sh -d target.com -s |
| -p | Passive - Performs only passive steps | ./reconftw.sh -d target.com -p |
| -w | Web - Just web checks from list provided | ./reconftw.sh -l targetlist.txt -w |
| -a | All - Perform all checks and exploitations (a.k.a. YOLO) | ./reconftw.sh -d target.com -a |
| -v | Verbose - Prints everything including errors, for debug purposes | ./reconftw.sh -d target.com [mode] -v |
| -h | Help - Show this help | ./reconftw.sh -h |
π Click here to view the steps/attacks performed by "-r" Recon flag π
#OSINT
domain_info
emails
google_dorks
github_dorks
metadata
#Subdomain Enumeration
Passive sources
Scraping through CT logs
Subdomain Bruteforcing
Subdomain Scraping form JS files & Source code
Permutations/Alterations
Active DNS resolutions
S3 Bucket
Zone Transfer
Subdomain Takeover
#Web Detection
Simple web probe
Web probing on uncommon ports
Screenshots
#Host
favicon
Active portscan
Passive portscan
cloudprovider
#Web Scan
waf_checks
nuclei_check
cms_scanner
fuzz
params
urlchecks
url_gf
jschecks
wordlist generationπ Click here to view the steps/attacks performed by "-s" Subdomains flag π
#Subdomain Enumeration
Passive sources
Scarping through CT logs
Subdomain Bruteforcing
Subdomain Scraping form JS files & Source code
Permutations/Alterations
Active DNS resolutions
S3 Bucket
Zone Transfer
Subdomain Takeover
#Web Detection
Simple web probe
Web probing on uncommon ports
Screenshots
π Click here to view the steps/attacks performed by "-p" Passive flag π
#OSINT
domain_info
emails
google_dorks
github_dorks
metadata
#Subdomain Enumeration
Passive sources
Scraping through CT logs
Subdomain Bruteforcing
Permutations/Alterations
Active DNS resolutions
#Host
favicon
passive portscan
cloudproviderπ Click here to view the steps/attacks performed by "-w" Web flag π
#Subdomain Enumeration
S3 Bucket
Subdomain Takeover
#Web Scan
waf_checks
nuclei_check
cms_scanner
fuzz
params
urlchecks
url_gf
jschecks
wordlist generation
#Vulnerabilities
4xxbypass
cors
open_redirect
ssrf_checks
crlf_checks
lfi
ssti
sqli
xss
spraying
brokenLinks
test_sslπ Click here to view the steps/attacks performed by "-a" All flag π
#OSINT
domain_info
emails
google_dorks
github_dorks
metadata
#Subdomain Enumeration
Passive sources
Scarping through CT logs
Subdomain Bruteforcing
Subdomain Scraping form JS files & Source code
Permutations/Alterations
Active DNS resolutions
S3 Bucket
Zone Transfer
Subdomain Takeover
#Web Detection
Simple web probe
Web probing on uncommon ports
Screenshots
#Host
favicon
portscan
cloudprovider
#Web Scan
waf_checks
nuclei_check
cms_scanner
fuzz
params
urlchecks
url_gf
jschecks
wordlist generation
#Vulnerabilities
4xxbypass
cors
open_redirect
ssrf_checks
crlf_checks
lfi
ssti
sqli
xss
spraying
brokenLinks
test_ssl- Some checks/tasks of reconFTW take a longer time and generate a lot of web traffic.
- You can enable these tasks by using the following options.
- The
-deepflag is a VPS intended option.
| Subcommand | Description | Example |
|---|---|---|
| --deep | Deep scan (Enable some slow options for deeper scan) | ./reconftw.sh -d target.com -r --deep |
- Supports option for user-defined output directory of the results.
| Subcommand | Description | Example |
|---|---|---|
| -o | Define the output folder | ./reconftw.sh -d target.com -r -o /output/directory/ |