ReconFTW为你自动化整个侦察过程。它优于子域枚举以及各种漏洞检查和获取有关目标的最大信息的工作。
ReconFTW 使用许多技术(被动、暴力、排列、证书透明度、源代码抓取、分析、DNS 记录...)进行子域枚举,这可以帮助你获得最大和最有趣的子域,从而在竞争中处于领先地位。
它还执行各种漏洞检查,如 XSS、开放重定向、SSRF、CRLF、LFI、SQLi、SSL 测试、SSTI、DNS 区域传输等等。除此之外,它还会对你的目标执行 OSINT 技术、目录模糊测试、dorking、端口扫描、屏幕截图、核扫描。
那么,你还在等什么Go!走!走!
你可以查看我们的 wiki 以获取安装指南安装指南
📖
git clone https://github.com/six2dez/reconftw
cd reconftw/
./install.sh
./reconftw.sh -d target.com -r
-d -> Detached
-v $PWD/reconftw.cfg:/root/Tools/reconftw/reconftw.cfg -> Share CFG with the Docker
-v $PWD/Recon/:/root/Tools/reconftw/Recon/ -> Share output folder with the Host
--name reconftwSCAN -> Docker name
--rm -> Automatically remove the container when it exits
'-d target.com -r' -> reconftw parameters
docker pull six2dez/reconftw:main
# Download and configure CFG file
wget https://raw.githubusercontent.com/six2dez/reconftw/main/reconftw.cfg
mkdir Recon
docker run -d -v $PWD/reconftw.cfg:/root/Tools/reconftw/reconftw.cfg -v $PWD/Recon/:/root/Tools/reconftw/Recon/ --name reconftwSCAN --rm six2dez/reconftw:main -d target.com -r
git clone https://github.com/six2dez/reconftw
cd reconftw
docker build -t reconftw Docker/.
# Running from reconftw root folder, configure values properly for your needs
docker run -v $PWD/reconftw.cfg:/root/Tools/reconftw/reconftw.cfg -v $PWD/Recon/:/root/Tools/reconftw/Recon/ --name reconftwSCAN --rm reconftw -d target.com -r
配置文件的详细说明可以在这里找到配置文件
📖
reconftw.cfg文件可以控制工具的整个执行。
#################################################################
# reconFTW config file #
#################################################################
# General values
tools=~/Tools
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
profile_shell=".$(basename $(echo $SHELL))rc"
reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags)
update_resolvers=true
proxy_url="http://127.0.0.1:8080/"
#dir_output=/custom/output/path
# Golang Vars (Comment or change on your own)
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH
# Tools config files
#NOTIFY_CONFIG=~/.config/notify/notify.conf # No need to define
#SUBFINDER_CONFIG=~/.config/subfinder/config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens
# APIs/TOKENS - Uncomment the lines you want removing the '#' at the beginning of the line
#UDORK_COOKIE="c_user=XXXXXXXXXX; xs=XXXXXXXXXXXXXX"
#SHODAN_API_KEY="XXXXXXXXXXXXX"
#XSS_SERVER="XXXXXXXXXXXXXXXXX"
#COLLAB_SERVER="XXXXXXXXXXXXXXXXX"
#findomain_virustotal_token="XXXXXXXXXXXXXXXXX"
#findomain_spyse_token="XXXXXXXXXXXXXXXXX"
#findomain_securitytrails_token="XXXXXXXXXXXXXXXXX"
#findomain_fb_token="XXXXXXXXXXXXXXXXX"
#slack_channel="XXXXXXXX"
#slack_auth="xoXX-XXX-XXX-XXX"
# File descriptors
DEBUG_STD="&>/dev/null"
DEBUG_ERROR="2>/dev/null"
# Osint
OSINT=true
GOOGLE_DORKS=true
GITHUB_DORKS=true
METADATA=true
EMAILS=true
DOMAIN_INFO=true
METAFINDER_LIMIT=20 # Max 250
# Subdomains
SUBDOMAINS_GENERAL=true
SUBPASSIVE=true
SUBCRT=true
SUBANALYTICS=true
SUBBRUTE=true
SUBSCRAPING=true
SUBPERMUTE=true
SUBTAKEOVER=true
SUBRECURSIVE=true
SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries
ZONETRANSFER=true
S3BUCKETS=true
REVERSE_IP=false
# Web detection
WEBPROBESIMPLE=true
WEBPROBEFULL=true
WEBSCREENSHOT=true
UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672"
# You can change to aquatone if gowitness fails, comment the one you don't want
AXIOM_SCREENSHOT_MODULE=webscreenshot # Choose between aquatone,gowitness,webscreenshot
# Host
FAVICON=true
PORTSCANNER=true
PORTSCAN_PASSIVE=true
PORTSCAN_ACTIVE=true
CLOUD_IP=true
# Web analysis
WAF_DETECTION=true
NUCLEICHECK=true
NUCLEI_SEVERITY="info,low,medium,high,critical"
URL_CHECK=true
URL_GF=true
URL_EXT=true
JSCHECKS=true
FUZZ=true
CMS_SCANNER=true
WORDLIST=true
ROBOTSWORDLIST=true
# Vulns
VULNS_GENERAL=false
XSS=true
CORS=true
TEST_SSL=true
OPEN_REDIRECT=true
SSRF_CHECKS=true
CRLF_CHECKS=true
LFI=true
SSTI=true
SQLI=true
BROKENLINKS=true
SPRAY=true
COMM_INJ=true
PROTO_POLLUTION=true
# Extra features
NOTIFICATION=false # Notification for every function
SOFT_NOTIFICATION=false # Only for start/end
DEEP=false
DEEP_LIMIT=500
DIFF=false
REMOVETMP=false
REMOVELOG=false
PROXY=false
SENDZIPNOTIFY=false
PRESERVE=true # set to true to avoid deleting the .called_fn files on really large scans
# HTTP options
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"
# Threads
FFUF_THREADS=40
HTTPX_THREADS=50
HTTPX_UNCOMMONPORTS_THREADS=100
GOSPIDER_THREADS=50
GITDORKER_THREADS=5
BRUTESPRAY_THREADS=20
BRUTESPRAY_CONCURRENCE=10
ARJUN_THREADS=20
GAUPLUS_THREADS=10
DALFOX_THREADS=200
PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 is unlimited
PUREDNS_TRUSTED_LIMIT=400
WEBSCREENSHOT_THREADS=200
RESOLVE_DOMAINS_THREADS=150
PPFUZZ_THREADS=30
# Timeouts
CMSSCAN_TIMEOUT=3600
FFUF_MAXTIME=900 # Seconds
HTTPX_TIMEOUT=10 # Seconds
HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Seconds
# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
ssti_wordlist=${tools}/ssti_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
subs_wordlist_big=${tools}/subdomains_big.txt
resolvers=${tools}/resolvers.txt
resolvers_trusted=${tools}/resolvers_trusted.txt
# Axiom Fleet
# Will not start a new fleet if one exist w/ same name and size (or larger)
AXIOM=false
AXIOM_FLEET_LAUNCH=false
AXIOM_FLEET_NAME="reconFTW"
AXIOM_FLEET_COUNT=10
AXIOM_FLEET_REGIONS="eu-central"
AXIOM_FLEET_SHUTDOWN=true
# This is a script on your reconftw host that might prep things your way...
#AXIOM_POST_START="~/Tools/axiom_config.sh"
# BBRF
BBRF_CONNECTION=false
BBRF_SERVER=https://demo.bbrf.me/bbrf
BBRF_USERNAME=user
BBRF_PASSWORD=password
# TERM COLORS
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
yellow='\033[0;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
reset='\033[0m'
查看 wiki 部分以了解哪个标志执行所有步骤/攻击使用指南
📖
目标选项
旗帜 | 描述 |
---|---|
-d | 单一目标域(example.com) |
-l | 目标列表(每行一个) |
-m | 多域目标(公司名称) |
-X | 排除子域列表(超出范围) |
-一世 | 包括子域列表(范围内) |
模式选项
旗帜 | 描述 |
---|---|
-r | 侦察 - 完整的侦察过程(没有像 sqli、ssrf、xss、ssti、lfi 等攻击) |
-s | 子域 - 仅执行子域枚举、网络探测、子域接管 |
-p | 被动 - 仅执行被动步骤 |
-一种 | 全部 - 执行全面侦察和所有主动攻击 |
-w | Web - 仅对特定目标执行漏洞检查/攻击 |
-n | OSINT - 执行 OSINT 扫描(无子域枚举和攻击) |
-C | 自定义 - 针对目标启动特定功能 |
-H | 帮助 - 显示此帮助菜单 |
常规选项
旗帜 | 描述 |
---|---|
- 深的 | 深度扫描(为深度扫描启用一些慢速选项,vps 预期模式) |
-F | 自定义配置文件路径 |
-o | 输出目录 |
-v | Axiom 分布式 VPS |
对单个目标执行全面侦察
./reconftw.sh -d target.com -r
对目标列表执行全面侦察
./reconftw.sh -l sites.txt -r -o /output/directory/
执行更多时间密集型任务的全面侦察 (仅适用于 VPS)
./reconftw.sh -d target.com -r --deep -o /output/directory/
在多域目标中执行侦察
./reconftw.sh -m company -l domains_list.txt -r
使用公理集成执行侦察
./reconftw.sh -d target.com -r -v
执行所有步骤(整个侦察 + 所有攻击)又名 YOLO 模式
./reconftw.sh -d target.com -a
显示帮助部分
./reconftw.sh -h
Check out the wiki section for more info Axiom Support
reconftwas provisoner.
按照这些简单的步骤,最终拥有一个包含你的
API Keys和
/Recon数据的私有存储库。
Git(Hub|Lab)(考虑到有关 Recon 数据上传的大小限制)
git clone https://gitlab.com/example/reconftw-data
cd reconftw-data
git commit --allow-empty -m "Empty commit"
git remote add upstream https://github.com/six2dez/reconftw(
upstream就是一个例子)
git fetch upstream
git rebase upstream/main master
git add . && git commit -m "Data upload" && git push origin master
git fetch upstream && git rebase upstream/main master
如果你想为这个项目做出贡献,你可以通过多种方式做到:
此部分显示该项目的当前财务赞助商
未经同意使用此程序攻击目标是非法的。用户有责任遵守所有适用法律。开发者不承担任何责任,也不对本程序造成的任何误用或损坏负责。请负责任地使用。
此存储库中包含的材料在 GNU GPLv3 下获得许可。