3. Configuration file
The reconftw.cfg file gives you complete control over every function and option of the script. The following explains what each option is for:
These variables only set the colour printed for each type of message. If you want to change them, use the ANSI escape code of the colour you want.
**Warning:** a wrong change here can break the output, so be careful.
OPTION | Default | Description |
---|---|---|
bred | '\033[1;31m' | Bold red |
bblue | '\033[1;34m' | Bold blue |
bgreen | '\033[1;32m' | Bold green |
yellow | '\033[0;33m' | Yellow |
red | '\033[0;31m' | Red |
blue | '\033[0;34m' | Blue |
green | '\033[0;32m' | Green |
reset | '\033[0m' | Reset color |
Values affecting the general workflow of the tool, regardless of the mode in use.
OPTION | Default | Description |
---|---|---|
tools | ~/Tools | Path where tools are stored |
NPROC | $(nproc \| echo -n 1) | Number of CPU cores. Note that `nproc \| echo -n 1` always evaluates to 1, because echo ignores its stdin; `$(nproc \|\| echo -n 1)` is the form that returns the core count and falls back to 1 only when nproc is missing |
SCRIPTPATH | "$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" | Path where reconFTW is placed |
profile_shell | ".$(basename $(echo $SHELL))rc" | Name of your shell config file (i.e. .zshrc or .bashrc) |
reconftw_version | | Version string taken from git |
dir_output | Default is ignored (#) = false | Output folder for results; uncomment and set an absolute path to use it |
These are the defaults of a standard Go installation; if your setup differs, change them here.
**Warning:** a mistake here breaks the script execution.
OPTION | Default | Description |
---|---|---|
export GOROOT | /usr/local/go | Go installation directory |
export GOPATH | $HOME/go | Go workspace directory (where `go install` places binaries) |
export PATH | $GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH | Add the Go binaries to your $PATH |
Path where config files for tools used by reconFTW are stored
OPTION | Default | Description |
---|---|---|
AMASS_CONFIG | ~/.config/amass/config.ini | Amass config file |
GITHUB_TOKENS | ${tools}/.github_tokens | File with Github tokens, one per line |
Here you can define API keys, values or tokens used by some of the tools; they can also be defined in your .bashrc/.zshrc instead. To define one here, first uncomment the line and then add the value. Since the file then holds credentials, keep it readable only by your user. These are the ones used (all commented out by default):
OPTION | Default | Description |
---|---|---|
SHODAN_API_KEY | commented out | Shodan API key |
XSS_SERVER | commented out | Domain for blind XSS attacks (e.g. six2dez.xss.ht) |
COLLAB_SERVER | commented out | Collaborator server for SSRF tests |
findomain_virustotal_token | commented out | Findomain VirusTotal token |
findomain_spyse_token | commented out | Findomain Spyse token |
findomain_securitytrails_token | commented out | Findomain SecurityTrails token |
findomain_fb_token | commented out | Findomain Facebook token |
As you may have noticed, reconFTW does not show the original stdout of the tools: it is redirected to keep the output clean. You can comment out both variables to show everything (same behaviour as the -v flag), or comment out only DEBUG_ERROR to show just the tools' error messages.
OPTION | Default | Description |
---|---|---|
DEBUG_STD | "&>/dev/null" | Standard message redirection |
DEBUG_ERROR | "2>/dev/null" | Error message redirection |
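The following is an added example, not reconFTW's own code, showing what the two redirection variables actually do to a tool's output. It assumes (as the descriptions above imply) that the script builds each tool command as a string and runs it with `eval`, so the text held in the variable is parsed as shell redirection syntax; `fake_tool` is a constructed stand-in for a real tool. The bash shorthand `&>/dev/null` is written in its portable form `>/dev/null 2>&1` so the example also runs under plain sh.

```shell
#!/usr/bin/env bash
# Added example (not part of reconFTW): how DEBUG_STD / DEBUG_ERROR silence
# tool output. Assumption: commands are assembled as strings and run via eval.

# Constructed stand-in for a recon tool: one line on stdout, one on stderr.
fake_tool() {
    echo "found: www.example.com"       # normal result
    echo "warn: resolver timeout" >&2   # diagnostic message
}

# Run fake_tool with the redirection text in $1 appended, the way an
# `eval "$cmd $DEBUG_STD"` call would. Whatever survives is merged into one
# stream so the caller sees exactly what a user would see on the terminal.
run_with_redirect() {
    eval "fake_tool $1" 2>&1
}

# Number of lines the user would see for a given setting.
count_lines() {
    run_with_redirect "$1" | awk 'END { print NR }'
}

# The three settings described on this page.
DEBUG_STD_DEFAULT='>/dev/null 2>&1'   # portable form of "&>/dev/null": hides stdout and stderr
DEBUG_ERROR_DEFAULT='2>/dev/null'     # hides stderr only
VERBOSE=''                            # both variables commented out, or the -v flag

# Counterexample: without eval the redirection text is word-split into an
# ordinary argument ("2>/dev/null") and nothing is silenced at all.
count_args() { echo $#; }
without_eval() {
    count_args $DEBUG_ERROR_DEFAULT
}

demo() {
    printf 'DEBUG_STD   -> %s line(s) visible\n' "$(count_lines "$DEBUG_STD_DEFAULT")"
    printf 'DEBUG_ERROR -> %s line(s) visible\n' "$(count_lines "$DEBUG_ERROR_DEFAULT")"
    printf 'verbose     -> %s line(s) visible\n' "$(count_lines "$VERBOSE")"
    printf 'without eval the tool receives %s extra argument(s)\n' "$(without_eval)"
}
demo
```

With the default `DEBUG_STD` nothing is shown, with only `DEBUG_ERROR` the tool's findings still appear but its stderr is dropped, and with both commented out everything reaches the terminal. The last line of the demo is the reason the variables are useless outside `eval`: passed as a plain argument, `2>/dev/null` is just a string the tool receives.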
Functions used for OSINT techniques; set any of them to false to skip it.
OPTION | Default | Description |
---|---|---|
GOOGLE_DORKS | true | Google dorking |
GITHUB_DORKS | false | GitHub dorking, defaults to false because it is slow |
METADATA | true | Extract metadata from public files |
EMAILS | true | Extract emails/users/passwords related to target |
DOMAIN_INFO | true | Whois info and domains related to the same registrant |
Subdomain enumeration steps; set to false those you don't want to run.
OPTION | Default | Description |
---|---|---|
SUBCRT | true | Subdomains from certificate transparency |
SUBBRUTE | true | Subdomain bruteforce |
SUBSCRAPING | true | Subdomains scraping from source code |
SUBPERMUTE | true | Subdomains permutations |
SUBTAKEOVER | true | Subdomain takeover check |
SUBRECURSIVE | true | Subdomain recursive search |
ZONETRANSFER | true | Zone transfer check |
S3BUCKETS | true | Checks for S3 buckets |
Tasks to detect web servers on the subdomains found
OPTION | Default | Description |
---|---|---|
WEBPROBESIMPLE | true | Web probe on http and https |
WEBPROBEFULL | true | Web probe on more than 80 ports, both http and https |
WEBSCREENSHOT | true | Web screenshot every website found |
Tasks performed on hosts found
OPTION | Default | Description |
---|---|---|
FAVICON | true | Look up the favicon hash to find more domains (or origins behind a WAF) sharing the same favicon |
PORTSCANNER | true | Master switch for port scanning (both passive and active) |
PORTSCAN_PASSIVE | true | Port scanner passive with Shodan |
PORTSCAN_ACTIVE | true | Port scanner with nmap top 1000 |
Tasks performed on every website found to gather as much information as possible
OPTION | Default | Description |
---|---|---|
WAF_DETECTION | true | Detect if website is behind waf |
NUCLEICHECK | true | Run nuclei templates |
URL_CHECK | true | Retrieve urls from passive and crawling |
URL_GF | true | Analyze urls extracted with gf patterns |
URL_EXT | true | Create a file sort by extension type |
JSCHECKS | true | Analyze JS files |
PARAMS | true | Retrieve urls with GET parameters and force hidden params |
FUZZ | true | Web fuzzing |
CMS_SCANNER | true | Scan to detect CMS |
WORDLIST | true | Set wordlist used in Fuzzer |
Vulnerability checks; the URL list is first deduplicated and filtered with uddup, qsreplace and gf patterns. Note that several of these (SQLI, SPRAY, LFI, SSTI) are active and intrusive; make sure they are within scope before leaving them enabled.
OPTION | Default | Description |
---|---|---|
XSS | true | Reflected XSS: candidates found with Gxss, confirmed with dalfox |
CORS | true | CORS misconfigurations |
TEST_SSL | true | SSL/TLS configuration check |
OPEN_REDIRECT | true | Check Open Redirects flaws |
SSRF_CHECKS | true | Scan for SSRF |
CRLF_CHECKS | true | Scan for CRLF |
LFI | true | LFI with fuzzing wordlist |
SSTI | true | SSTI with fuzzing |
SQLI | true | SQLi with SQLmap |
BROKENLINKS | true | Check for broken links |
SPRAY | true | Password spraying with brutespray over ports and services found |
BYPASSER4XX | true | Try common 4xx bypasses on paths found during fuzzing |
Advanced options that you may find interesting
OPTION | Default | Description |
---|---|---|
NOTIFICATION | false | Set to true to receive notifications (Telegram, Slack or Discord); needs configuration |
DEEP | false | Enable deep (and slower) scan, same as the --deep flag |
DIFF | false | Enable running over the same targets again and again, reporting only new findings (for cron mode and monitoring) |
REMOVETMP | false | Remove temporary files after the scan finishes |
Headers for HTTP requests
OPTION | Default | Description |
---|---|---|
COOKIE | "" | Define custom Cookie |
HEADER | "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" | Define custom Header or User-Agent |
Threads control for the tools
OPTION | Default | Description |
---|---|---|
FFUF_THREADS | 40 | Fuzzing threads |
HTTPX_THREADS | 50 | HTTP probe threads |
HTTPX_UNCOMMONPORTS_THREADS | 100 | Http uncommon ports probe threads |
GOSPIDER_THREADS | 50 | Crawler threads |
GITDORKER_THREADS | 5 | Github dorking threads |
BRUTESPRAY_THREADS | 20 | Password spraying threads |
BRUTESPRAY_CONCURRENCE | 10 | Password spraying concurrent hosts |
ARJUN_THREADS | 20 | Param discovery threads |
Wordlists in use
OPTION | Default | Description |
---|---|---|
fuzz_wordlist | ${tools}/fuzz_wordlist.txt | Fuzzing wordlist |
lfi_wordlist | ${tools}/lfi_wordlist.txt | LFI wordlist |
subs_wordlist | ${tools}/subdomains.txt | Subdomains wordlist |
subs_wordlist_big | ${tools}/subdomains_big.txt | Big subdomain wordlist used with deep flag |
resolvers | ${tools}/resolvers.txt | List of resolvers |
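Because reconftw.cfg is plain shell that gets sourced, a typo in it is only noticed when a tool fails mid-scan. The following is an added example, not part of reconFTW, of a pre-flight check for the kinds of values the tables on this page describe: `dir_output` must be absolute, the wordlists and resolvers must exist and be non-empty, thread counts must be positive integers, feature flags must be literally `true`/`false`, and the `GITHUB_TOKENS` file must not be readable by other users. The variable names are the ones from the tables; the sample config and files are constructed for the demo and contain deliberate mistakes.

```shell
#!/usr/bin/env bash
# Added example (not part of reconFTW): validate a reconftw.cfg before a scan.
# The config format and variable names follow the tables on this page; the
# sample files built here are constructed and deliberately broken.

# Build a throwaway tools dir plus a config with known problems; print cfg path.
make_sample_cfg() {
    local dir
    dir="$(mktemp -d)"
    mkdir -p "$dir/Tools"
    printf 'admin\nwww\napi\n' > "$dir/Tools/subdomains.txt"
    printf '1.1.1.1\n8.8.8.8\n' > "$dir/Tools/resolvers.txt"
    : > "$dir/Tools/fuzz_wordlist.txt"                 # problem: empty wordlist
    printf 'ghp_constructed_token\n' > "$dir/Tools/.github_tokens"
    chmod 644 "$dir/Tools/.github_tokens"              # problem: readable by others
    cat > "$dir/reconftw.cfg" <<EOF
tools=$dir/Tools
dir_output=results      # problem: relative path
FFUF_THREADS=40
HTTPX_THREADS=abc       # problem: not a number
DEEP=false
XSS=yes                 # problem: not true/false
fuzz_wordlist=\${tools}/fuzz_wordlist.txt
subs_wordlist=\${tools}/subdomains.txt
resolvers=\${tools}/resolvers.txt
GITHUB_TOKENS=\${tools}/.github_tokens
EOF
    echo "$dir/reconftw.cfg"
}

# Source a config the way the script does and report problems;
# the return code is the number of problems found.
check_cfg() {
    local errors=0 name val perm
    # shellcheck disable=SC1090
    . "$1"
    problem() { echo "ERROR: $1"; errors=$((errors + 1)); }

    case "$dir_output" in
        "") ;;                                      # commented out: script default applies
        /*) ;;
        *)  problem "dir_output must be an absolute path: $dir_output" ;;
    esac

    for name in fuzz_wordlist subs_wordlist resolvers; do
        eval "val=\$$name"
        [ -s "$val" ] || problem "$name missing or empty: $val"
    done

    for name in FFUF_THREADS HTTPX_THREADS; do
        eval "val=\$$name"
        case "$val" in
            ''|0|*[!0-9]*) problem "$name must be a positive integer: $val" ;;
        esac
    done

    for name in DEEP XSS; do
        eval "val=\$$name"
        case "$val" in
            true|false) ;;
            *) problem "$name must be true or false: $val" ;;
        esac
    done

    if [ -f "$GITHUB_TOKENS" ]; then
        # GNU stat first, BSD/macOS stat as fallback; group/other bits must be 0
        perm="$(stat -c %a "$GITHUB_TOKENS" 2>/dev/null || stat -f %Lp "$GITHUB_TOKENS")"
        case "$perm" in
            *00) ;;
            *)  problem "$GITHUB_TOKENS is mode $perm; use chmod 600" ;;
        esac
    fi
    return "$errors"
}

cfg="$(make_sample_cfg)"
check_cfg "$cfg" || echo "$? problem(s) found in $cfg"
```

Run it against your real file with `check_cfg ~/reconftw/reconftw.cfg`; extending the loops to the other thread counts, wordlists and boolean flags listed on this page is a matter of adding names. The permissions check matters because the token file and any keys uncommented in the API section are credentials that the scan will carry into every request.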