Reconftw

reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and find vulnerabilities.

Install / Use

/learn @six2dez/Reconftw

README

<h1 align="center">reconFTW</h1>
<p align="center"> <a href="https://github.com/six2dez/reconftw/releases/tag/v4.1">Release v4.1</a> | <a href="https://opensource.org/licenses/MIT">License: MIT</a> | <a href="https://docs.reconftw.com">Docs</a> | <a href="https://github.com/six2dez/reconftw">GitHub</a> | <a href="https://hub.docker.com/r/six2dez/reconftw">Docker</a> | <a href="https://github.com/six2dez/reconftw/tree/main/Terraform">Terraform / Ansible</a> | <a href="https://discord.gg/R5DdXVEdTy">Discord</a> | <a href="https://t.me/joinchat/H5bAaw3YbzzmI5co">Telegram</a> | <a href="https://twitter.com/Six2dez1">Twitter</a> </p>

reconFTW is a powerful automated reconnaissance tool designed for security researchers and penetration testers. It streamlines the process of gathering intelligence on a target by performing subdomain enumeration, vulnerability scanning, OSINT and more. With a modular design, extensive configuration options, and support for distributed scanning via AX Framework, reconFTW is built to deliver comprehensive results efficiently.

reconFTW leverages a wide range of techniques, including passive and active subdomain discovery, web vulnerability checks (e.g., XSS, SSRF, SQLi), OSINT, directory fuzzing, port scanning and screenshotting. It integrates with cutting-edge tools and APIs to maximize coverage and accuracy, ensuring you stay ahead in your reconnaissance efforts.

Key Features:

  • Comprehensive subdomain enumeration (passive, bruteforce, permutations, certificate transparency, etc.)
  • Vulnerability scanning for XSS, SSRF, SQLi, LFI, SSTI, and more
  • OSINT for emails, metadata, API leaks, and third-party misconfigurations
  • Distributed scanning with AX Framework for faster execution
  • Customizable workflows with a detailed configuration file
  • Integration with Faraday for reporting and visualization
  • Support for Docker, Terraform and Ansible deployments

Disclaimer: Usage of reconFTW for attacking targets without prior consent is illegal. It is the user's responsibility to obey all applicable laws. The developers assume no liability for misuse or damage caused by this tool. Use responsibly.


✨ Features

reconFTW is packed with features to make reconnaissance thorough and efficient. Below is a detailed breakdown of its capabilities, updated to reflect the latest functionality in the script and configuration.

OSINT

  • Domain Information: WHOIS lookup for domain registration details (whois).
  • Email and Password Leaks: Searches for leaked emails and credentials (emailfinder and LeakSearch).
  • Microsoft 365/Azure Mapping: Identifies Microsoft 365 and Azure tenants (msftrecon).
  • Metadata Extraction: Extracts metadata from indexed office documents (metagoofil).
  • API Leaks: Detects exposed APIs in public sources (porch-pirate, SwaggerSpy and postleaksNg).
  • Google Dorking: Automated Google dork queries for sensitive information (dorks_hunter and xnldorker).
  • GitHub Analysis: Scans GitHub organizations for repositories and secrets with selectable engines (enumerepo, trufflehog, gitleaks, titus, noseyparker).
  • GitHub Actions Audit (Optional): Audits workflow artifacts and CI/CD exposure with gato.
  • Third-Party Misconfigurations: Identifies misconfigured third-party services (misconfig-mapper).
  • Mail Hygiene: Reviews SPF/DMARC configuration to flag spoofing or deliverability issues.
  • Cloud Storage Enumeration: Surveys buckets across major providers for exposure (cloud_enum).
  • Spoofable Domains: Checks for domains vulnerable to spoofing (spoofcheck).

Subdomains

  • Passive Enumeration: Uses APIs and public sources for subdomain discovery (subfinder and github-subdomains).
  • Certificate Transparency: Queries certificate transparency logs (crt).
  • NOERROR Discovery: Identifies subdomains with DNS NOERROR responses (dnsx, more info here).
  • Bruteforce: Performs DNS bruteforcing with customizable wordlists (puredns and custom wordlists).
  • Permutations: Generates subdomain permutations using AI, regex and tools (Gotator as the single permutation engine, plus regulator and [subw

GitHub Stars: 7.4k
Category: Development
Updated: 7h ago
Forks: 1.1k
Languages: Shell
Security Score: 100/100 (audited on Mar 24, 2026; no findings)