Reconnaissance is the foundation of any successful penetration test or bug bounty assessment. Automating this process can save hours of time and provide more accurate results. ReconFTW is one such powerful tool, developed to streamline and automate the entire reconnaissance process. Built primarily for bug bounty hunters and penetration testers, ReconFTW integrates multiple tools into one smooth workflow.
In this article, we’ll dive deep into ReconFTW’s features, included tools, and essential commands to help you understand how it works and how to use it effectively.
What is ReconFTW?
ReconFTW is an open-source reconnaissance automation framework built in Bash. It aims to cover end-to-end recon, from subdomain enumeration through active web exploitation techniques. It is designed for Linux and macOS and can be run on a VPS, WSL, or cloud instances.
ReconFTW is maintained on GitHub by @six2dez, and it’s popular for its speed, wide tool integration, and easy-to-read outputs.
Key Features of ReconFTW
1. Fully Automated Workflow
ReconFTW automates the entire recon process—from subdomain enumeration to vulnerability detection—with little or no user interaction.
2. Integration of Powerful Tools
It integrates more than 30 popular recon tools.
3. Organized Output
All results are stored in neatly organized folders with logs and categorized findings:
output/
└── domain.com/
    ├── subdomains/
    ├── screenshots/
    ├── web-analysis/
    ├── vulnerabilities/
    └── logs/
4. Passive and Active Scanning
ReconFTW supports both passive (no interaction with the target) and active (direct interaction with the target) reconnaissance.
5. Modular Configuration
You can customize ReconFTW to enable/disable tools or actions according to your preference through the config/ directory.
ReconFTW Tool Stack (Main Tools Used)

ReconFTW brings together more than 30 of the best tools from the bug bounty and hacking community to perform end-to-end reconnaissance. Here’s the categorized breakdown:
1. Subdomain Enumeration Tools
Tool | Working / Purpose |
---|---|
subfinder | Finds subdomains using passive sources like search engines and APIs. |
amass | Discovers subdomains using both passive and active techniques (DNS brute force, scraping, etc.). |
assetfinder | Quickly finds subdomains related to a domain from known sources. |
findomain | Fast subdomain finder that supports multiple APIs. |
sublist3r | Uses multiple search engines to gather subdomains. |
chaos client | Pulls subdomains from Project Discovery’s Chaos DB (requires API key). |
github-subdomains | Extracts subdomains from public GitHub repositories. |
2. DNS Resolution and Probing
Tool | Working / Purpose |
---|---|
dnsx | Resolves subdomains to IPs; supports wildcard filtering. |
shuffledns | DNS brute-forcer that supports multiple resolvers for speed and accuracy. |
massdns | High-performance DNS resolver used by shuffledns. |
puredns | Another DNS resolution tool with support for massive bruteforce. |
mapcidr | Converts IP ranges to CIDR and vice versa; useful for network scoping. |
3. HTTP Probing and Web Enumeration
Tool | Working / Purpose |
---|---|
httpx | Probes subdomains for live web services (detects status code, title, technologies, etc.). |
httprobe | Similar to httpx, checks which hosts have active HTTP/HTTPS services. |
gau (GetAllURLs) | Fetches archived URLs from public sources like Wayback Machine. |
waybackurls | Another tool to fetch historical URLs from web archives. |
hakrawler | Web crawler that finds hidden links and endpoints. |
katana | Fast web crawler by ProjectDiscovery that supports JS parsing and single-page apps. |
4. Port Scanning and Network Mapping
Tool | Working / Purpose |
---|---|
naabu | Fast port scanner (alternative to nmap); discovers open ports. |
nmap | Industry-standard tool for scanning ports and running detailed service scans. |
rustscan | Lightning-fast port scanner written in Rust. |
mapcidr | Helps in visualizing IP spaces and converting formats. |
5. Vulnerability Scanners
Tool | Working / Purpose |
---|---|
nuclei | Template-based vulnerability scanner for fast and accurate scanning (XSS, SQLi, SSRF, etc.). |
dalfox | Specialized XSS scanner that detects reflected/stored XSS. |
kxss | Finds potential XSS reflection points in parameters. |
gf (grep patterns) | Filters interesting patterns like XSS, SSRF, RCE from URLs using custom regex. |
interactsh-client | Out-of-band interaction tool to detect SSRF, RCE, etc. |
jaeles | Flexible vulnerability scanner using YAML-based templates (like nuclei). |
nikto | Scans for common web vulnerabilities and server misconfigurations. |
6. Content Discovery (Fuzzing)
Tool | Working / Purpose |
---|---|
ffuf | Fast web fuzzer for discovering hidden files, directories, parameters, and endpoints. |
dirsearch | Brute-forces directories and files on web servers using wordlists. |
7. Screenshot and Visual Recon
Tool | Working / Purpose |
---|---|
gowitness | Captures screenshots of live web services. |
aquatone | Takes screenshots and collects headers for websites. |
8. Parameter and JS Analysis
Tool | Working / Purpose |
---|---|
arjun | Finds hidden GET/POST parameters from web applications. |
linkfinder | Extracts endpoints and links from JavaScript files. |
xnLinkFinder | Extended version of linkfinder for modern JS parsing. |
9. Miscellaneous Tools
Tool | Working / Purpose |
---|---|
unfurl | Breaks down URLs into structured components for analysis. |
qsreplace | Replaces query string values, useful in fuzzing and payload injection. |
notify | Sends notifications (Slack, Discord, Telegram) when tasks complete. |
uro | Cleans and deduplicates URL lists. |
dnsgen | Generates permutations of subdomains for bruteforce. |
tlsx | Fetches TLS information from servers. |
github-endpoints | Extracts endpoints from JavaScript files on GitHub. |
How ReconFTW Uses These Tools
ReconFTW runs these tools in logical order:
- Subdomain discovery → (subfinder, amass, findomain, etc.)
- DNS resolution → (dnsx, massdns, shuffledns)
- Port scanning → (naabu, nmap, rustscan)
- HTTP probing & URL extraction → (httpx, gau, waybackurls, hakrawler)
- Vulnerability detection → (nuclei, dalfox, gf, interactsh-client)
- Directory/parameter fuzzing → (ffuf, arjun, dirsearch)
- Visual recon → (gowitness, aquatone)
- Reporting & cleanup → Organized results in the /output folder, optionally sends alerts via notify.
Common ReconFTW Commands
Installation
git clone https://github.com/six2dez/reconftw.git
cd reconftw
./install.sh
These commands clone the repository and install all necessary tools and dependencies.
Basic Recon Command
./reconftw.sh -d example.com
This command runs the default recon mode against example.com.
Passive Recon Only
./reconftw.sh -d example.com -p
This restricts ReconFTW to passive methods only. No direct interaction is made with the target.
Enable All Modules
./reconftw.sh -d example.com -a
This enables all modules, including active scanning, screenshotting, vulnerability detection, etc.
Scope In / Out
./reconftw.sh -l domains.txt --in-scope scope.txt --out-scope exclude.txt
You can provide:
- A list of domains in domains.txt
- An --in-scope file to define allowed targets
- An --out-scope file to exclude forbidden domains
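The same in-scope/out-of-scope idea can be applied to any host list before further testing. The filter below is an added example, not ReconFTW's own code; the file format (one domain per line, each entry covering its subdomains) and the names scope_filter and scope_demo are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not ReconFTW code). Assumed file format: one domain per line,
# "#" comments allowed; an entry covers itself and all of its subdomains.

# scope_filter HOSTS IN_SCOPE OUT_SCOPE -> prints hosts that are allowed and not excluded
scope_filter() {
  # Fail closed: without both lists readable, nothing is emitted.
  [ -r "$2" ] && [ -r "$3" ] || return 2
  awk -v ALLOW_FILE="$2" -v DENY_FILE="$3" '
    function norm(s) {                 # lowercase, trim, drop trailing root dot
      s = tolower(s); gsub(/^[ \t]+|[ \t\r]+$/, "", s); sub(/\.$/, "", s)
      return s
    }
    function load(file, arr,    line) {
      while ((getline line < file) > 0) {
        line = norm(line)
        if (line != "" && line !~ /^#/) arr[line] = 1
      }
      close(file)
    }
    # Walk up the name one label at a time, so "evilexample.com" never
    # matches "example.com" the way a plain substring or suffix test would.
    function covered(host, arr,    i) {
      while (1) {
        if (host in arr) return 1
        i = index(host, ".")
        if (i == 0) return 0
        host = substr(host, i + 1)
      }
    }
    BEGIN { split("", allow); split("", deny); load(ALLOW_FILE, allow); load(DENY_FILE, deny) }
    {
      h = norm($0)
      if (h == "" || h ~ /^#/ || seen[h]++) next
      if (covered(h, allow) && !covered(h, deny)) print h
    }
  ' "$1"
}

# Constructed sample data: a discovered-host list checked against both scope files.
scope_demo() (
  d=$(mktemp -d)
  printf '%s\n' 'example.com' > "$d/scope.txt"
  printf '%s\n' '# payments is excluded' 'pay.example.com' > "$d/exclude.txt"
  printf '%s\n' api.example.com API.Example.com. pay.example.com \
    v2.pay.example.com evilexample.com example.com.cdn.test example.com > "$d/hosts.txt"
  scope_filter "$d/hosts.txt" "$d/scope.txt" "$d/exclude.txt"
  rm -rf "$d"
)

scope_demo
```

Running it on the sample keeps only api.example.com and example.com: the excluded pay.example.com subtree, the look-alike evilexample.com, and the duplicate are all dropped.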
Use Custom Wordlist for Fuzzing
./reconftw.sh -d example.com --wordlist custom.txt
This allows you to use your own wordlist for directory and parameter fuzzing.
Use Proxy or VPN
./reconftw.sh -d example.com --proxy socks5://127.0.0.1:9050
Useful for anonymizing your scans via Tor or a VPN proxy.
Resume a Previous Scan
./reconftw.sh -d example.com -r
If the scan was interrupted, this lets you resume from the last step.
Get Help
./reconftw.sh -h
Displays the full help menu with all available options.
Tips for Using ReconFTW Effectively
Run on VPS: ReconFTW is resource-intensive. Running it on a cloud VPS ensures better performance.
Customize Configuration: You can edit the tools and settings inside the config/ folder to match your style.
Use with APIs: Tools like subfinder and amass require API keys for full functionality.
Combine with Burp Suite: Export interesting URLs and feed them into Burp for manual testing.
Regular Updates: Tools used by ReconFTW often receive updates. Run ./install.sh occasionally to keep them up-to-date.
ReconFTW is one of the most powerful reconnaissance tools available today. Its strength lies in automation, modularity, and tool integration. Whether you are a beginner in ethical hacking or a seasoned bug bounty hunter, ReconFTW can significantly enhance your recon workflow and help you uncover more vulnerabilities in less time.
If you’re serious about web application security, understanding and using ReconFTW is a game changer. For more help, you can email contact@widelamp.com without any delay; you are always welcome.