From 7e20370d26b0deece1e7177c7d547db45a7b5c8f Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 14 Oct 2022 09:17:30 +0200 Subject: [PATCH 1/6] update mac installation --- install.sh | 4 +++- reconftw.cfg | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/install.sh b/install.sh index cee18e34..76113b3d 100755 --- a/install.sh +++ b/install.sh @@ -145,7 +145,9 @@ install_brew(){ fi eval brew update -$DEBUG_STD eval brew install --cask chromium $DEBUG_STD - eval brew install bash coreutils python massdns jq gcc cmake ruby git curl libpcap-dev wget zip python3-dev pv dnsutils whois libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb libxml2-utils libdata-hexdump-perl $DEBUG_STD + eval brew install bash coreutils python massdns jq gcc cmake ruby git curl libpcap-dev wget zip python3-dev pv dnsutils whois libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb libxml2-utils libdata-hexdump-perl gnu-getopt $DEBUG_STD + export PATH="/opt/homebrew/opt/gnu-getopt/bin:$PATH" + echo 'export PATH="/opt/homebrew/opt/gnu-getopt/bin:$PATH"' >> ~/.zshrc eval brew services start tor $DEBUG_STD eval brew install rustup $DEBUG_STD eval rustup-init $DEBUG_STD diff --git a/reconftw.cfg b/reconftw.cfg index dd149fcf..9f5d0cc7 100644 --- a/reconftw.cfg +++ b/reconftw.cfg 
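Review bot: The new `echo 'export PATH=…' >> ~/.zshrc` line in install_brew runs unconditionally, so every re-run of the installer appends another copy of the same PATH entry, and the hardcoded `/opt/homebrew` prefix only matches Homebrew on Apple-silicon Macs (Intel installs use a different prefix). Derive the directory from `brew --prefix gnu-getopt` and only append when the line is not already present; the hardcoded `~/.zshrc` also assumes zsh, whereas the project's cfg computes `profile_shell` from `$SHELL`, so it may be worth reusing that if install.sh has it in scope. install_brew starts and ends outside the hunk.
```shell
	# … unchanged: brew install line …
	gnu_getopt_bin="$(brew --prefix gnu-getopt)/bin"
	export PATH="${gnu_getopt_bin}:$PATH"
	grep -qF -- "${gnu_getopt_bin}" ~/.zshrc 2>/dev/null \
		|| printf 'export PATH="%s:$PATH"\n' "${gnu_getopt_bin}" >> ~/.zshrc
	# … unchanged: brew services start tor …
```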
@@ -75,7 +75,7 @@ WEBPROBEFULL=true # Web probing in a large port list WEBSCREENSHOT=true # Webs screenshooting VIRTUALHOSTS=false # Check virtualhosts by fuzzing HOST header NMAP_WEBPROBE=true # If disabled it will run httpx directly over subdomains list, nmap before web probing is used to increase the speed and avoid repeated requests -UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672" +UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3001,3002,3003,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672" # You can change to aquatone if gowitness fails, comment the one you don't want AXIOM_SCREENSHOT_MODULE=webscreenshot # Choose between aquatone,gowitness,webscreenshot From 483bc99c12e4cef759c5dd5a536f7b127742e201 Mon Sep 17 00:00:00 2001 From: Nico Kokonas Date: Tue, 18 Oct 2022 08:01:54 -0600 Subject: [PATCH 2/6] feat: support custom output path in notify flow --- reconftw.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index c4034b15..7114c9be 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -1918,9 +1918,10 @@ function zipSnedOutputFolder { zip_name="$zip_name"_"$domain.zip" (cd $dir && zip -r "../$zip_name" .) - if [ -s "$SCRIPTPATH/$zip_name" ]; then - sendToNotify "$SCRIPTPATH/$zip_name" - rm -f "$SCRIPTPATH/$zip_name" + echo "Sending zip file "${dir_output}/${zip_name}"" + if [ -s "$dir_output/$zip_name" ]; then + sendToNotify "$dir_output/$zip_name" + rm -f "$dir_output/$zip_name" else notification "No Zip file to send" warn fi From f3b9c123495114cf27d2baa974d1ffcbb2fb8167 Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 21 Oct 2022 11:09:59 +0200 Subject: [PATCH 3/6] Added subfinder --- install.sh | 4 +++- reconftw.cfg | 2 ++ reconftw.sh | 46 +++++++++++++++------------------------------- 3 files changed, 20 insertions(+), 32 deletions(-) diff --git a/install.sh b/install.sh index 76113b3d..2fcad44b 100755 --- a/install.sh +++ b/install.sh @@ -81,6 +81,7 @@ gotools["inscope"]="go install github.com/tomnomnom/hacks/inscope@latest" gotools["rush"]="go install github.com/shenwei356/rush@latest" gotools["enumerepo"]="go install github.com/trickest/enumerepo@latest" gotools["Web-Cache-Vulnerability-Scanner"]="go install -v github.com/Hackmanit/Web-Cache-Vulnerability-Scanner@latest" +gotools["subfinder"]="go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest" declare -A repos repos["dorks_hunter"]="six2dez/dorks_hunter" @@ -373,6 +374,7 @@ eval $SUDO strip -s /usr/local/bin/unimap $DEBUG_STD eval $SUDO chmod 755 /usr/local/bin/ppfuzz eval $SUDO strip -s /usr/local/bin/ppfuzz $DEBUG_STD eval notify $DEBUG_STD +eval subfinder -h $DEBUG_STD printf "${bblue}\n Running: Downloading required files ${reset}\n\n" ## Downloads 
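Review bot: The added `echo "Sending zip file "${dir_output}/${zip_name}""` in zipSnedOutputFolder has its quotes inverted: the outer string closes right before `${dir_output}`, so the path is expanded unquoted (subject to word splitting and globbing) and the trailing `""` is just an empty argument. Write it as `printf '%s\n' "Sending zip file ${dir_output}/${zip_name}"`, or route it through the `notification` helper the else branch already uses so it lands in the same log/notify channel. The archive is still created at `../$zip_name` relative to `$dir` while the new checks look in `$dir_output/$zip_name`; that only lines up if `$dir` is a direct child of `$dir_output`, which cannot be confirmed from the hunk. The function starts and ends outside the hunk.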
@@ -471,6 +473,6 @@ eval strip -s "$HOME"/go/bin/* $DEBUG_STD eval $SUDO cp "$HOME"/go/bin/* /usr/local/bin/ $DEBUG_STD -printf "${yellow} Remember set your api keys:\n - amass (~/.config/amass/config.ini)\n - GitHub (~/Tools/.github_tokens)\n - SSRF Server (COLLAB_SERVER in reconftw.cfg or env var) \n - Blind XSS Server (XSS_SERVER in reconftw.cfg or env var) \n - notify (~/.config/notify/provider-config.yaml) \n - theHarvester (~/Tools/theHarvester/api-keys.yaml or /etc/theHarvester/api-keys.yaml)\n - H8mail (~/Tools/h8mail_config.ini)\n - WHOISXML API (WHOISXML_API in reconftw.cfg or env var)\n\n\n${reset}" +printf "${yellow} Remember set your api keys:\n - amass (~/.config/amass/config.ini)\n - subfinder (~/.config/subfinder/provider-config.yaml)\n - GitHub (~/Tools/.github_tokens)\n - SSRF Server (COLLAB_SERVER in reconftw.cfg or env var) \n - Blind XSS Server (XSS_SERVER in reconftw.cfg or env var) \n - notify (~/.config/notify/provider-config.yaml) \n - theHarvester (~/Tools/theHarvester/api-keys.yaml or /etc/theHarvester/api-keys.yaml)\n - H8mail (~/Tools/h8mail_config.ini)\n - WHOISXML API (WHOISXML_API in reconftw.cfg or env var)\n\n\n${reset}" printf "${bgreen} Finished!${reset}\n\n" printf "\n\n${bgreen}#######################################################################${reset}\n" diff --git a/reconftw.cfg b/reconftw.cfg index 9f5d0cc7..07ef11e8 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -49,6 +49,8 @@ IP_INFO=true # Reverse IP search, geolocation and whois METAFINDER_LIMIT=20 # Max 250 # Subdomains +RUNAMASS=true +RUNSUBFINDER=true SUBDOMAINS_GENERAL=true # Enable or disable the whole Subdomains module SUBPASSIVE=true # Passive subdomains search SUBCRT=true # crtsh search diff --git a/reconftw.sh b/reconftw.sh index c4034b15..49a162de 100755 --- a/reconftw.sh +++ b/reconftw.sh 
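Review bot: The two new options `RUNAMASS=true` and `RUNSUBFINDER=true` in reconftw.cfg are the only entries in the Subdomains section without the trailing description comment every neighbouring option carries, which is what users read when tuning the file. Since the reconftw.sh change gates the amass and subfinder invocations in sub_passive on them, document that: `RUNAMASS=true # Run amass in the passive subdomain enumeration step` and `RUNSUBFINDER=true # Run subfinder in the passive subdomain enumeration step`.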
@@ -108,6 +108,7 @@ function tools_installed(){ which enumerepo &>/dev/null || { printf "${bred} [*] enumerepo [NO]${reset}\n${reset}"; allinstalled=false;} which trufflehog &>/dev/null || { printf "${bred} [*] trufflehog [NO]${reset}\n${reset}"; allinstalled=false;} which Web-Cache-Vulnerability-Scanner &>/dev/null || { printf "${bred} [*] Web-Cache-Vulnerability-Scanner [NO]${reset}\n"; allinstalled=false;} + which subfinder &>/dev/null || { printf "${bred} [*] subfinder [NO]${reset}\n${reset}"; allinstalled=false;} if [ "${allinstalled}" = true ]; then printf "${bgreen} Good! All installed! ${reset}\n\n" 
@@ -362,12 +363,14 @@ function sub_passive(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUBPASSIVE" = true ]; then start_subfunc ${FUNCNAME[0]} "Running : Passive Subdomain Enumeration" if [ ! "$AXIOM" = true ]; then - amass enum -passive -d $domain -config $AMASS_CONFIG -timeout $AMASS_ENUM_TIMEOUT -json .tmp/amass_json.json 2>>"$LOGFILE" &>/dev/null + [[ $RUNAMASS == true ]] && amass enum -passive -d $domain -config $AMASS_CONFIG -timeout $AMASS_ENUM_TIMEOUT -json .tmp/amass_json.json 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/amass_json.json" ] && cat .tmp/amass_json.json | jq -r '.name' | anew -q .tmp/amass_psub.txt + [[ $RUNSUBFINDER == true ]] && subfinder -all -d $domain -silent | anew -q .tmp/amass_psub.txt else echo $domain > .tmp/amass_temp_axiom.txt - [ -s ".tmp/amass_temp_axiom.txt" ] && axiom-scan .tmp/amass_temp_axiom.txt -m amass -passive -o .tmp/amass_axiom.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null - [ -s ".tmp/amass_axiom.txt" ] && cat .tmp/amass_axiom.txt | anew -q .tmp/amass_psub.txt + [[ $RUNAMASS == true ]] && axiom-scan .tmp/amass_temp_axiom.txt -m amass -passive -o .tmp/amass_axiom.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + [[ $RUNSUBFINDER == true ]] && axiom-scan .tmp/amass_temp_axiom.txt -m subfinder -all -silent -o .tmp/subfinder_axiom.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + cat .tmp/amass_axiom.txt .tmp/subfinder_axiom.txt 2>>"$LOGFILE" | anew -q .tmp/amass_psub.txt fi if [ -s "${GITHUB_TOKENS}" ]; then if [ "$DEEP" = true ]; then 
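Review bot: In the axiom branch of sub_passive, replacing the `[ -s … ] && cat` guard with `cat .tmp/amass_axiom.txt .tmp/subfinder_axiom.txt 2>>"$LOGFILE" | anew …` means that whenever RUNAMASS or RUNSUBFINDER is false (or a scan wrote no output) cat records a "No such file" error in the log on every run. Keep per-file guards, or if a missing file is the expected case rather than an error write `cat .tmp/amass_axiom.txt .tmp/subfinder_axiom.txt 2>/dev/null | anew -q .tmp/amass_psub.txt`. The non-axiom subfinder line is also the only tool invocation in the hunk without `2>>"$LOGFILE"`, so its diagnostics go to the terminal instead of the log. The new `[[ $RUNAMASS == true ]]` checks are unquoted and use `==`, while the surrounding file writes `[ "$X" = true ]`; harmless inside `[[ ]]`, but worth matching. sub_passive's body continues past the hunk.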
@@ -395,9 +398,7 @@ function sub_crt(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUBCRT" = true ]; then start_subfunc ${FUNCNAME[0]} "Running : Crtsh Subdomain Enumeration" python3 $tools/ctfr/ctfr.py -d $domain -o .tmp/crtsh_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/crtsh_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/crtsh_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/crtsh_subs_tmp.txt 2>>"$LOGFILE" | sed 's/\*.//g' | anew .tmp/crtsh_subs.txt | sed '/^$/d' | wc -l) end_subfunc "${NUMOFLINES} new subs (cert transparency)" ${FUNCNAME[0]} else @@ -427,9 +428,7 @@ function sub_active(){ else cat .tmp/subdomains_tmp.txt | tlsx -san -cn -silent -ro -c $TLSX_THREADS | anew -q .tmp/subdomains_tmp.txt fi - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/subdomains_tmp.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/subdomains_tmp.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/subdomains_tmp.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) end_subfunc "${NUMOFLINES} subs DNS resolved from passive" ${FUNCNAME[0]} else @@ -447,9 +446,7 @@ function sub_noerror(){ else dnsx -d $domain -r $resolvers -silent -rcode noerror -w $subs_wordlist | cut -d' ' -f1 | anew -q .tmp/subs_noerror.txt 2>>"$LOGFILE" &>/dev/null fi - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/subs_noerror.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/subs_noerror.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/subs_noerror.txt 2>>"$LOGFILE" | sed "s/*.//" | grep ".$domain$" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) end_subfunc "${NUMOFLINES} new subs (DNS noerror)" ${FUNCNAME[0]} else 
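Review bot: The rewritten guard `[[ "$INSCOPE" = true ]] && check_inscope …` in sub_crt spells the boolean check with a quoted variable and `=`, whereas the guards this same commit adds in sub_passive use unquoted `$RUNAMASS == true`; settling on one spelling for flag checks keeps the file consistent and greppable. The identical one-liner is repeated in sub_active and sub_noerror here and in sub_dns, sub_brute, sub_scraping, sub_analytics, sub_permut and sub_recursive_passive in the following hunks, so whichever form is chosen should be applied to all of them. Each of these functions starts and ends outside its hunk.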
@@ -484,9 +481,7 @@ function sub_dns(){ resolvers_update_quick_axiom [ -s ".tmp/subdomains_dns.txt" ] && axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subdomains_dns_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/subdomains_dns_resolved.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/subdomains_dns_resolved.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/subdomains_dns_resolved.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]} else @@ -514,9 +509,7 @@ function sub_brute(){ fi [ -s ".tmp/subs_brute.txt" ] && axiom-scan .tmp/subs_brute.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subs_brute_valid.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/subs_brute_valid.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/subs_brute_valid.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/subs_brute_valid.txt 2>>"$LOGFILE" | sed "s/*.//" | grep ".$domain$" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} else 
@@ -571,9 +564,7 @@ function sub_scraping(){ [[ $NUMFILES -gt 0 ]] && find .tmp/gospider/ -type f -exec cat {} + | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt [ -s ".tmp/gospider.txt" ] && cat .tmp/gospider.txt | grep -aEo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains 2>>"$LOGFILE" | grep ".$domain$" | anew -q .tmp/scrap_subs.txt [ -s ".tmp/scrap_subs.txt" ] && axiom-scan .tmp/scrap_subs.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/scrap_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/scrap_subs_resolved.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/scrap_subs_resolved.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/scrap_subs_resolved.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | sed '/^$/d' | wc -l) [ -s ".tmp/diff_scrap.txt" ] && axiom-scan .tmp/diff_scrap.txt -m httpx -follow-host-redirects -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info3.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi 
@@ -610,9 +601,7 @@ function sub_analytics(){ [ -s ".tmp/analytics_subs_clean.txt" ] && axiom-scan .tmp/analytics_subs_clean.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/analytics_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi fi - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/analytics_subs_resolved.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/analytics_subs_resolved.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/analytics_subs_resolved.txt 2>>"$LOGFILE" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) end_subfunc "${NUMOFLINES} new subs (analytics relationship)" ${FUNCNAME[0]} else @@ -666,9 +655,7 @@ function sub_permut(){ if [ -s ".tmp/permute_subs.txt" ]; then deleteOutScoped $outOfScope_file .tmp/permute_subs.txt - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/permute_subs.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/permute_subs.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/permute_subs.txt 2>>"$LOGFILE" | grep ".$domain$" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) else NUMOFLINES=0 
@@ -698,9 +685,7 @@ function sub_recursive_passive(){ [ -s ".tmp/amass_prec.txt" ] && cat .tmp/amass_prec.txt | anew -q .tmp/passive_recursive.txt [ -s ".tmp/passive_recursive.txt" ] && axiom-scan .tmp/passive_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/passive_recurs_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - if [ "$INSCOPE" = true ]; then - check_inscope .tmp/passive_recurs_tmp.txt 2>>"$LOGFILE" &>/dev/null - fi + [[ "$INSCOPE" = true ]] && check_inscope .tmp/passive_recurs_tmp.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/passive_recurs_tmp.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed '/^$/d' | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]} else @@ -981,7 +966,6 @@ function screenshot(){ start_func ${FUNCNAME[0]} "Web Screenshots" [ ! -s ".tmp/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | anew -q .tmp/webs_all.txt if [ ! "$AXIOM" = true ]; then - #[ -s ".tmp/webs_screenshots.txt" ] && webscreenshot -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/webs_all.txt" ] && gowitness file -f .tmp/webs_all.txt -t $GOWITNESS_THREADS --disable-logging 2>>"$LOGFILE" else [ "$AXIOM_SCREENSHOT_MODULE" = "webscreenshot" ] && axiom-scan .tmp/webs_all.txt -m $AXIOM_SCREENSHOT_MODULE -w $WEBSCREENSHOT_THREADS -o screenshots $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null From 5013945f0cc13de937ec85a017ad745d791e4eac Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 21 Oct 2022 11:28:39 +0200 Subject: [PATCH 4/6] update --- README.md | 240 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 134 insertions(+), 106 deletions(-) diff --git a/README.md b/README.md index e717f85f..3df08258 100644 --- a/README.md 
+++ b/README.md @@ -35,13 +35,13 @@

Summary

-**ReconFTW** automates the entire process of reconnaisance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target. +**ReconFTW** automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target. -ReconFTW uses lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records...) for subdomain enumeration which helps you getting the maximum and the most interesting subdomains so that you be ahead of the competition. +ReconFTW uses a lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records...) for subdomain enumeration which helps you to get the maximum and the most interesting subdomains so that you be ahead of the competition. It also performs various vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and much more. Along with these, it performs OSINT techniques, directory fuzzing, dorking, ports scanning, screenshots, nuclei scan on your target. -So, what are you waiting for Go! Go! Go! :boom: +So, what are you waiting for? Go! Go! Go! :boom: 📔 Table of Contents @@ -61,6 +61,7 @@ So, what are you waiting for Go! Go! Go! :boom: - [Subdomains](#subdomains) - [Hosts](#hosts) - [Webs](#webs) + - [Vulnerability checks](#vulnerability-checks) - [Extras](#extras) - [Mindmap/Workflow](#mindmapworkflow) - [Data Keep](#data-keep) 
@@ -117,7 +118,7 @@ Please refer to the [Docker](https://github.com/six2dez/reconftw/wiki/4.-Docker) Yes! reconFTW can also be easily deployed with Terraform and Ansible to AWS, if you want to know how to do it, you can check the guide [here](Terraform/README.md) # ⚙️ Config file: -> A detailed explaintion of config file can be found here [Configuration file](https://github.com/six2dez/reconftw/wiki/3.-Configuration-file) :book: +> You can find a detailed explanation of the configuration file [here](https://github.com/six2dez/reconftw/wiki/3.-Configuration-file) :book: - Through ```reconftw.cfg``` file the whole execution of the tool can be controlled. - Hunters can set various scanning modes, execution preferences, tools, config files, APIs/TOKENS, personalized wordlists and much more. @@ -132,12 +133,14 @@ Yes! reconFTW can also be easily deployed with Terraform and Ansible to AWS, if ################################################################# # General values -tools=~/Tools -SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" -profile_shell=".$(basename $(echo $SHELL))rc" -reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) -generate_resolvers=false -proxy_url="http://127.0.0.1:8080/" +tools=~/Tools # Path installed tools +SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get current script's path +profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile +reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version +generate_resolvers=false # Generate custom resolvers with dnsvalidator +update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution +proxy_url="http://127.0.0.1:8080/" # Proxy url +install_golang=true # Set it to false if you already have Golang configured and ready #dir_output=/custom/output/path # Golang Vars (Comment or change on your own) 
@@ -160,100 +163,116 @@ GITHUB_TOKENS=${tools}/.github_tokens #slack_auth="xoXX-XXX-XXX-XXX" # File descriptors -DEBUG_STD="&>/dev/null" -DEBUG_ERROR="2>/dev/null" +DEBUG_STD="&>/dev/null" # Skips STD output on installer +DEBUG_ERROR="2>/dev/null" # Skips ERR output on installer # Osint -OSINT=true +OSINT=true # Enable or disable the whole OSINT module GOOGLE_DORKS=true GITHUB_DORKS=true -METADATA=true -EMAILS=true -DOMAIN_INFO=true -IP_INFO=true +GITHUB_REPOS=true +METADATA=true # Fetch metadata from indexed office documents +EMAILS=true # Fetch emails from differents sites +DOMAIN_INFO=true # whois info +REVERSE_WHOIS=true # amass intel reverse whois info, takes some time +IP_INFO=true # Reverse IP search, geolocation and whois METAFINDER_LIMIT=20 # Max 250 # Subdomains -SUBDOMAINS_GENERAL=true -SUBPASSIVE=true -SUBCRT=true -SUBANALYTICS=true -SUBBRUTE=true -SUBSCRAPING=true -SUBPERMUTE=true -SUBTAKEOVER=true -SUBRECURSIVE=true +RUNAMASS=true +RUNSUBFINDER=true +SUBDOMAINS_GENERAL=true # Enable or disable the whole Subdomains module +SUBPASSIVE=true # Passive subdomains search +SUBCRT=true # crtsh search +SUBNOERROR=true # Check DNS NOERROR response and BF on them +SUBANALYTICS=true # Google Analytics search +SUBBRUTE=true # DNS bruteforcing +SUBSCRAPING=true # Subdomains extraction from web crawling +SUBPERMUTE=true # DNS permutations +PERMUTATIONS_OPTION=gotator # The alternative is "ripgen" (faster, not deeper) +GOTATOR_FLAGS="-depth 1 -numbers 3 -mindup -adv -md" # Flags for gotator +SUBTAKEOVER=false # Check subdomain takeovers, false by default cuz nuclei already check this SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries +DEEP_RECURSIVE_PASSIVE=10 # Number of top subdomains for recursion SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve -ZONETRANSFER=true -S3BUCKETS=true -REVERSE_IP=false 
-TLS_PORTS="21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,684,695,832,853,854,990,993,989,990,992,993,994,995,1129,1131,1184,2083,2087,2089,2096,2221,2252,2376,2381,2478,2479,2482,2484,2679,2762,3077,3078,3183,3191,3220,3269,3306,3410,3424,3471,3496,3509,3529,3539,3535,3660,36611,3713,3747,3766,3864,3885,3995,3896,4031,4036,4062,4064,4081,4083,4116,4335,4336,4536,4590,4740,4843,4843,4849,5443,5007,5061,5321,5349,5671,5783,5868,5986,5989,5990,6209,6251,6443,6513,6514,6619,6697,6771,6697,7202,7443,7673,7674,7677,7775,8243,8443,8991,8989,9089,9295,9318,9443,9444,9614,9802,10161,10162,11751,12013,12109,14143,15002,16995,41230,16993,20003" +ZONETRANSFER=true # Check zone transfer +S3BUCKETS=true # Check S3 buckets misconfigs +REVERSE_IP=false # Check reverse IP subdomain search (set True if your target is CIDR/IP) +TLS_PORTS="21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,684,695,832,853,854,990,993,989,992,994,995,1129,1131,1184,2083,2087,2089,2096,2221,2252,2376,2381,2478,2479,2482,2484,2679,2762,3077,3078,3183,3191,3220,3269,3306,3410,3424,3471,3496,3509,3529,3539,3535,3660,36611,3713,3747,3766,3864,3885,3995,3896,4031,4036,4062,4064,4081,4083,4116,4335,4336,4536,4590,4740,4843,4849,5443,5007,5061,5321,5349,5671,5783,5868,5986,5989,5990,6209,6251,6443,6513,6514,6619,6697,6771,7202,7443,7673,7674,7677,7775,8243,8443,8991,8989,9089,9295,9318,9443,9444,9614,9802,10161,10162,11751,12013,12109,14143,15002,16995,41230,16993,20003" +INSCOPE=false # Uses inscope tool to filter the scope, requires .scope file in reconftw folder # Web detection -WEBPROBESIMPLE=true -WEBPROBEFULL=true -WEBSCREENSHOT=true -VIRTUALHOSTS=true 
-UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672" +WEBPROBESIMPLE=true # Web probing on 80/443 +WEBPROBEFULL=true # Web probing in a large port list +WEBSCREENSHOT=true # Webs screenshooting +VIRTUALHOSTS=false # Check virtualhosts by fuzzing HOST header +NMAP_WEBPROBE=true # If disabled it will run httpx directly over subdomains list, nmap before web probing is used to increase the speed and avoid repeated requests +UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3001,3002,3003,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672" # You can change to aquatone if gowitness fails, comment the one you don't want AXIOM_SCREENSHOT_MODULE=webscreenshot # Choose between aquatone,gowitness,webscreenshot # Host -FAVICON=true -PORTSCANNER=true -PORTSCAN_PASSIVE=true -PORTSCAN_ACTIVE=true -CDN_IP=true +FAVICON=true # Check Favicon domain discovery +PORTSCANNER=true # Enable or disable the whole Port scanner module +PORTSCAN_PASSIVE=true # Port scanner with Shodan +PORTSCAN_ACTIVE=true # Port scanner with nmap +CDN_IP=true # Check which IPs belongs to CDN # Web analysis -WAF_DETECTION=true -NUCLEICHECK=true -NUCLEI_SEVERITY="info,low,medium,high,critical" -URL_CHECK=true -URL_GF=true -URL_EXT=true 
-JSCHECKS=true -FUZZ=true -CMS_SCANNER=true -WORDLIST=true -ROBOTSWORDLIST=true -PASSWORD_DICT=true -PASSWORD_MIN_LENGTH=5 -PASSWORD_MAX_LENGTH=14 +WAF_DETECTION=true # Detect WAFs +NUCLEICHECK=true # Enable or disable nuclei +NUCLEI_SEVERITY="info,low,medium,high,critical" # Set templates criticity +NUCLEI_FLAGS="-silent -t ~/nuclei-templates/ -retries 2" # Additional nuclei extra flags, don't set the severity here but the exclusions like "-etags openssh" +NUCLEI_FLAGS_JS="-silent -tags exposure,token -severity info,low,medium,high,critical" # Additional nuclei extra flags for js secrets +URL_CHECK=true # Enable or disable URL collection +URL_CHECK_PASSIVE=true # Search for urls, passive methods from Archive, OTX, CommonCrawl, etc +URL_CHECK_ACTIVE=true # Search for urls by crawling the websites +URL_GF=true # Url patterns classification +URL_EXT=true # Returns a list of files divided by extension +JSCHECKS=true # JS analysis +FUZZ=true # Web fuzzing +CMS_SCANNER=true # CMS scanner +WORDLIST=true # Wordlist generation +ROBOTSWORDLIST=true # Check historic disallow entries on waybackMachine +PASSWORD_DICT=true # Generate password dictionary +PASSWORD_MIN_LENGTH=5 # Min password lenght +PASSWORD_MAX_LENGTH=14 # Max password lenght # Vulns -VULNS_GENERAL=false -XSS=true -CORS=true -TEST_SSL=true -OPEN_REDIRECT=true -SSRF_CHECKS=true -CRLF_CHECKS=true -LFI=true -SSTI=true -SQLI=true -BROKENLINKS=true -SPRAY=true -COMM_INJ=true -PROTO_POLLUTION=true +VULNS_GENERAL=false # Enable or disable the vulnerability module (very intrusive and slow) +XSS=true # Check for xss with dalfox +CORS=true # CORS misconfigs +TEST_SSL=true # SSL misconfigs +OPEN_REDIRECT=true # Check open redirects +SSRF_CHECKS=true # SSRF checks +CRLF_CHECKS=true # CRLF checks +LFI=true # LFI by fuzzing +SSTI=true # SSTI by fuzzing +SQLI=true # Check SQLI with sqlmap +BROKENLINKS=true # Check for brokenlinks +SPRAY=true # Performs password spraying +COMM_INJ=true # Check for command injections with 
commix +PROTO_POLLUTION=true # Check for prototype pollution flaws +SMUGGLING=true # Check for HTTP request smuggling flaws +WEBCACHE=true # Check for HTTP request smuggling flaws # Extra features NOTIFICATION=false # Notification for every function SOFT_NOTIFICATION=false # Only for start/end -DEEP=false -DEEP_LIMIT=500 -DEEP_LIMIT2=1500 -DIFF=false -REMOVETMP=false -REMOVELOG=false -PROXY=false -SENDZIPNOTIFY=false +DEEP=false # DEEP mode, really slow and don't care about the number of results +DEEP_LIMIT=500 # First limit to not run unless you run DEEP +DEEP_LIMIT2=1500 # Second limit to not run unless you run DEEP +DIFF=false # Diff function, run every module over an already scanned target, printing only new findings (but save everything) +REMOVETMP=false # Delete temporary files after execution (to free up space) +REMOVELOG=false # Delete logs after execution +PROXY=false # Send to proxy the websites found +SENDZIPNOTIFY=false # Send to zip the results (over notify) PRESERVE=true # set to true to avoid deleting the .called_fn files on really large scans -FFUF_FLAGS="-mc all -fc 404 -ac -sf -s" +FFUF_FLAGS="-mc all -fc 404 -ac -sf" # Ffuf flags +HTTPX_FLAGS="-follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location" # Httpx flags for simple web probing # HTTP options -HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" +HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" # Default header # Threads FFUF_THREADS=40 @@ -265,7 +284,7 @@ BRUTESPRAY_CONCURRENCE=10 GAU_THREADS=10 DNSTAKE_THREADS=100 DALFOX_THREADS=200 -PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 is unlimited +PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 means unlimited PUREDNS_TRUSTED_LIMIT=400 PUREDNS_WILDCARDTEST_LIMIT=30 PUREDNS_WILDCARDBATCH_LIMIT=1500000 
@@ -276,6 +295,7 @@ PPFUZZ_THREADS=30 DNSVALIDATOR_THREADS=200 INTERLACE_THREADS=10 TLSX_THREADS=1000 +XNLINKFINDER_DEPTH=3 # Rate limits HTTPX_RATELIMIT=150 @@ -283,10 +303,13 @@ NUCLEI_RATELIMIT=150 FFUF_RATELIMIT=0 # Timeouts -CMSSCAN_TIMEOUT=3600 +AMASS_INTEL_TIMEOUT=15 # Minutes +AMASS_ENUM_TIMEOUT=180 # Minutes +CMSSCAN_TIMEOUT=3600 # Seconds FFUF_MAXTIME=900 # Seconds HTTPX_TIMEOUT=10 # Seconds HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Seconds +PERMUTATIONS_LIMIT=21474836480 # Bytes, default is 20 GB # lists fuzz_wordlist=${tools}/fuzz_wordlist.txt @@ -300,13 +323,13 @@ resolvers_trusted=${tools}/resolvers_trusted.txt # Axiom Fleet # Will not start a new fleet if one exist w/ same name and size (or larger) # AXIOM=false Uncomment only to overwrite command line flags -AXIOM_FLEET_LAUNCH=false -AXIOM_FLEET_NAME="reconFTW" -AXIOM_FLEET_COUNT=5 -AXIOM_FLEET_REGIONS="eu-central" -AXIOM_FLEET_SHUTDOWN=true +AXIOM_FLEET_LAUNCH=true # Enable or disable spin up a new fleet, if false it will use the current fleet with the AXIOM_FLEET_NAME prefix +AXIOM_FLEET_NAME="reconFTW" # Fleet's prefix name +AXIOM_FLEET_COUNT=5 # Fleet's number +AXIOM_FLEET_REGIONS="eu-central" # Fleet's region +AXIOM_FLEET_SHUTDOWN=true # # Enable or disable delete the fleet after the execution # This is a script on your reconftw host that might prep things your way... -#AXIOM_POST_START="~/Tools/axiom_config.sh" +#AXIOM_POST_START="~/Tools/axiom_config.sh" # Useful to send your config files to the fleet AXIOM_EXTRA_ARGS="" # Leave empty if you don't want to add extra arguments #AXIOM_EXTRA_ARGS="--rm-logs" # Example 
@@ -419,8 +442,8 @@ reset='\033[0m' * You can create your own axiom's fleet before running reconFTW or let reconFTW to create and destroy it automatically just modifying reconftw.cfg file. # BBRF Support: :computer: -* To add reconFTW results to your [BBRF instance](https://github.com/honoki/bbrf-server) just add IP and credentials on reconftw.cfg file section dedicated to bbrf. -* During the execution of the scans the results will be added dinamically when each step ends. +* To add reconFTW results to your [BBRF instance](https://github.com/honoki/bbrf-server) just add IP and credentials to reconftw.cfg file section dedicated to bbrf. +* During the execution of the scans the results will be added dynamically when each step ends. * Even you can set up locally your BBRF instance to be able to visualize your results in a fancy web UI. # Sample video: 
@@ -436,18 +459,19 @@ reset='\033[0m' - Metadata finder ([MetaFinder](https://github.com/Josue87/MetaFinder)) - Google Dorks ([dorks_hunter](https://github.com/six2dez/dorks_hunter)) - Github Dorks ([gitdorks_go](https://github.com/damit5/gitdorks_go)) +- GitHub org analysis ([enumerepo](https://github.com/trickest/enumerepo) and [trufflehog](https://github.com/trufflesecurity/trufflehog)) ## Subdomains - - Passive ([amass](https://github.com/OWASP/Amass) and [github-subdomains](https://github.com/gwen001/github-subdomains)) + - Passive ([amass](https://github.com/OWASP/Amass), [subfinder](https://github.com/projectdiscovery/subfinder) and [github-subdomains](https://github.com/gwen001/github-subdomains)) - Certificate transparency ([ctfr](https://github.com/UnaPibaGeek/ctfr)) - NOERROR subdomain discovery ([dnsx](https://github.com/projectdiscovery/dnsx), more info [here](https://www.securesystems.de/blog/enhancing-subdomain-enumeration-ents-and-noerror/)) - Bruteforce ([puredns](https://github.com/d3mondev/puredns)) - - Permutations ([Gotator](https://github.com/Josue87/gotator)) + - Permutations ([Gotator](https://github.com/Josue87/gotator) and [ripgen](https://github.com/resyncgg/ripgen)) - JS files & Source Code Scraping ([gospider](https://github.com/jaeles-project/gospider)) - DNS Records ([dnsx](https://github.com/projectdiscovery/dnsx)) - Google Analytics ID ([AnalyticsRelationships](https://github.com/Josue87/AnalyticsRelationships)) - TLS handshake ([tlsx](https://github.com/projectdiscovery/tlsx)) - - Recursive search. + - Recursive search ([dsieve](https://github.com/trickest/dsieve)). - Subdomains takeover ([nuclei](https://github.com/projectdiscovery/nuclei)) - DNS takeover ([dnstake](https://github.com/pwnesia/dnstake)) - DNS Zone Transfer ([dig](https://linux.die.net/man/1/dig)) 
@@ -463,31 +487,34 @@ reset='\033[0m' ## Webs - Web Prober ([httpx](https://github.com/projectdiscovery/httpx) and [unimap](https://github.com/Edu4rdSHL/unimap)) -- Web screenshot ([webscreenshot](https://github.com/maaaaz/webscreenshot) or [gowitness](https://github.com/sensepost/gowitness)) +- Web screenshoting ([webscreenshot](https://github.com/maaaaz/webscreenshot) or [gowitness](https://github.com/sensepost/gowitness)) - Web templates scanner ([nuclei](https://github.com/projectdiscovery/nuclei) and [nuclei geeknik](https://github.com/geeknik/the-nuclei-templates.git)) +- CMS Scanner ([CMSeeK](https://github.com/Tuhinshubhra/CMSeeK)) - Url extraction ([waybackurls](https://github.com/tomnomnom/waybackurls), [gau](https://github.com/lc/gau), [gospider](https://github.com/jaeles-project/gospider), [github-endpoints](https://gist.github.com/six2dez/d1d516b606557526e9a78d7dd49cacd3) and [JSA](https://github.com/w9w/JSA)) -- URLPatterns Search and filtering ([urless](https://github.com/xnl-h4ck3r/urless), [gf](https://github.com/tomnomnom/gf) and [gf-patterns](https://github.com/1ndianl33t/Gf-Patterns)) +- URL patterns Search and filtering ([urless](https://github.com/xnl-h4ck3r/urless), [gf](https://github.com/tomnomnom/gf) and [gf-patterns](https://github.com/1ndianl33t/Gf-Patterns)) +- Favicon Real IP ([fav-up](https://github.com/pielco11/fav-up)) +- Javascript analysis ([subjs](https://github.com/lc/subjs), [JSA](https://github.com/w9w/JSA), [xnLinkFinder](https://github.com/xnl-h4ck3r/xnLinkFinder), [getjswords](https://github.com/m4ll0k/BBTz)) +- Fuzzing ([ffuf](https://github.com/ffuf/ffuf)) +- URL sorting by extension +- Wordlist generation +- Passwords dictionary creation ([pydictor](https://github.com/LandGrey/pydictor)) + +## Vulnerability checks - XSS ([dalfox](https://github.com/hahwul/dalfox)) - Open redirect ([Oralyzer](https://github.com/r0075h3ll/Oralyzer)) - SSRF (headers [interactsh](https://github.com/projectdiscovery/interactsh) and param 
values with [ffuf](https://github.com/ffuf/ffuf)) - CRLF ([crlfuzz](https://github.com/dwisiswant0/crlfuzz)) -- Favicon Real IP ([fav-up](https://github.com/pielco11/fav-up)) -- Javascript analysis ([subjs](https://github.com/lc/subjs), [JSA](https://github.com/w9w/JSA), [xnLinkFinder](https://github.com/xnl-h4ck3r/xnLinkFinder), [getjswords](https://github.com/m4ll0k/BBTz)) -- Fuzzing ([ffuf](https://github.com/ffuf/ffuf)) - Cors ([Corsy](https://github.com/s0md3v/Corsy)) - LFI Checks ([ffuf](https://github.com/ffuf/ffuf)) - SQLi Check ([SQLMap](https://github.com/sqlmapproject/sqlmap)) - SSTI ([ffuf](https://github.com/ffuf/ffuf)) -- CMS Scanner ([CMSeeK](https://github.com/Tuhinshubhra/CMSeeK)) - SSL tests ([testssl](https://github.com/drwetter/testssl.sh)) - Broken Links Checker ([gospider](https://github.com/jaeles-project/gospider)) - Prototype Pollution ([ppfuzz](https://github.com/dwisiswant0/ppfuzz)) -- URL sorting by extension -- Wordlist generation -- Passwords dictionary creation ([pydictor](https://github.com/LandGrey/pydictor)) +- Web Cache Vulnerabilities ([Web-Cache-Vulnerability-Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner)) ## Extras -- Multithread ([Rush](https://github.com/shenwei356/rush)) +- Multithreading ([Rush](https://github.com/shenwei356/rush)) - Custom resolvers generated list ([dnsvalidator](https://github.com/vortexau/dnsvalidator)) - Docker container included and [DockerHub](https://hub.docker.com/r/six2dez/reconftw) integration - Ansible + Terraform deployment over AWS 
@@ -508,13 +535,13 @@ reset='\033[0m' ## Data Keep -Follow these simple steps to end up having a private repository with your `API Keys` and `/Recon` data. +Follow these simple steps to end up with a private repository with your `API Keys` and `/Recon` data. * Create a private __blank__ repository on `Git(Hub|Lab)` (Take into account size limits regarding Recon data upload) * Clone your project: `git clone https://gitlab.com/example/reconftw-data` * Get inside the cloned repository: `cd reconftw-data` -* Create branch with an empty commit: `git commit --allow-empty -m "Empty commit"` -* Add official repo as a new remote: `git remote add upstream https://github.com/six2dez/reconftw` (`upstream` is an example) +* Create a new branch with an empty commit: `git commit --allow-empty -m "Empty commit"` +* Add the official repo as a new remote: `git remote add upstream https://github.com/six2dez/reconftw` (`upstream` is an example) * Update upstream's repo: `git fetch upstream` * Rebase current branch with the official one: `git rebase upstream/main master` @@ -525,7 +552,7 @@ Follow these simple steps to end up having a private repository with your `API K ## How to contribute: -If you want to contribute to this project you can do it in multiple ways: +If you want to contribute to this project, you can do it in multiple ways: - Submitting an [issue](https://github.com/six2dez/reconftw/issues/new/choose) because you have found a bug or you have any suggestion or request. - Making a Pull Request from [dev](https://github.com/six2dez/reconftw/tree/dev) branch because you want to improve the code or add something to the script. 
@@ -562,8 +589,9 @@ If you want to contribute to this project you can do it in multiple ways: - [Censys](https://censys.io/) - [Fofa](https://fofa.info/) - [intelx](https://intelx.io/) +- [Whoxy](https://www.whoxy.com/) # Disclaimer Usage of this program for attacking targets without consent is illegal. It is the user's responsibility to obey all applicable laws. The developer assumes no liability and is not responsible for any misuse or damage caused by this program. Please use responsibly. -The material contained in this repository is licensed under GNU GPLv3. +The material contained in this repository is licensed under GNU GPLv3. \ No newline at end of file From 36be40a902dddb88ecc4e4a1d9950aacf320cdb5 Mon Sep 17 00:00:00 2001 From: six2dez Date: Sun, 23 Oct 2022 01:40:14 +0200 Subject: [PATCH 5/6] Resolvers fix --- install.sh | 12 ++++++------ reconftw.cfg | 2 ++ reconftw.sh | 16 ++++++++-------- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/install.sh b/install.sh index 2fcad44b..f674dc8d 100755 --- a/install.sh +++ b/install.sh 
@@ -383,8 +383,8 @@ printf "${bblue}\n Running: Downloading required files ${reset}\n\n"
 wget -q -O - https://raw.githubusercontent.com/devanshbatham/ParamSpider/master/gf_profiles/potential.json > ~/.gf/potential.json
 wget -q -O - https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py > ${tools}/getjswords.py
 wget -q -O - https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt > ${subs_wordlist_big}
-wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt > ${resolvers_trusted}
-wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > ${resolvers}
+wget -q -O - https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw > ${resolvers_trusted}
+wget -q -O - https://raw.githubusercontent.com/proabiral/Fresh-Resolvers/master/resolvers.txt > ${resolvers}
 wget -q -O - https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw > ${subs_wordlist}
 wget -q -O - https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw > ${tools}/permutations_list.txt
 wget -q -O - https://raw.githubusercontent.com/six2dez/OneListForAll/main/onelistforallmicro.txt > ${fuzz_wordlist}
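Review bot: The two new `wget -q -O - … > ${resolvers_trusted}` / `> ${resolvers}` lines redirect stdout into the destination unconditionally, so a failed or empty download (`-q` hides the error and the exit status is never checked) truncates a previously good resolver list to zero bytes; the same pattern recurs in the install.sh hunk at 452 below. Downloading to a temporary file and only moving it into place when non-empty avoids that, e.g. `tmp=$(mktemp) && wget -q -O "$tmp" https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw && [ -s "$tmp" ] && mv -- "$tmp" "${resolvers_trusted}"`. The trusted list now comes from an unpinned personal gist, a mutable source for a file that later drives DNS resolution; pinning the URL to a specific gist revision would make the download reproducible. If install.sh sources reconftw.cfg, the `resolvers_url`/`resolvers_trusted_url` variables introduced in this series would also remove the three hard-coded copies of these URLs.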
@@ -452,16 +452,16 @@ if [ "$generate_resolvers" = true ]; then
 dnsvalidator -tL https://raw.githubusercontent.com/blechschmidt/massdns/master/lists/resolvers.txt -threads $DNSVALIDATOR_THREADS -o tmp_resolvers &>/dev/null
 [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers
 [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null
- [ ! -s "$resolvers" ] && wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > $resolvers
- [ ! -s "$resolvers_trusted" ] && wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted
+ [ ! -s "$resolvers" ] && wget -q -O - https://raw.githubusercontent.com/proabiral/Fresh-Resolvers/master/resolvers.txt > ${resolvers}
+ [ ! -s "$resolvers_trusted" ] && wget -q -O - https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw > ${resolvers_trusted}
 printf "${yellow} Resolvers updated\n ${reset}\n\n"
 fi
 generate_resolvers=false
 else
 [ ! -s "$resolvers" ] || if [[ $(find "$resolvers" -mtime +1 -print) ]] ; then
 ${reset}"\n\nChecking resolvers lists...\n Accurate resolvers are the key to great results\n Downloading new resolvers ${reset}\n\n"
- wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > $resolvers
- wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted
+ wget -q -O - https://raw.githubusercontent.com/proabiral/Fresh-Resolvers/master/resolvers.txt > ${resolvers}
+ wget -q -O - https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw > ${resolvers_trusted}
 printf "${yellow} Resolvers updated\n ${reset}\n\n"
 fi
 fi
diff --git a/reconftw.cfg b/reconftw.cfg
index 07ef11e8..556a66ab 100644
--- a/reconftw.cfg
+++ b/reconftw.cfg
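Review bot: The context line `${reset}"\n\nChecking resolvers lists...` directly above the second pair of new `wget` lines is, as printed here, a bare parameter expansion followed by a string rather than a command, so on that branch the shell tries to execute the expanded escape sequence as a command name and the intended message never prints; it looks like a `printf "${yellow}` prefix was lost at some point. Since the commit already rewrites the two lines below it, restoring it here would be cheap, e.g. `printf "${yellow}\n\nChecking resolvers lists...\n Accurate resolvers are the key to great results\n Downloading new resolvers ${reset}\n\n"`. The `if [ "$generate_resolvers" = true ]` block containing this hunk starts outside it.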
@@ -9,6 +9,8 @@ profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile
 reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version
 generate_resolvers=false # Generate custom resolvers with dnsvalidator
 update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution
+resolvers_url="https://raw.githubusercontent.com/proabiral/Fresh-Resolvers/master/resolvers.txt"
+resolvers_trusted_url="https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw"
 proxy_url="http://127.0.0.1:8080/" # Proxy url
 install_golang=true # Set it to false if you already have Golang configured and ready
 #dir_output=/custom/output/path
diff --git a/reconftw.sh b/reconftw.sh
index 249c81bc..8009b768 100755
--- a/reconftw.sh
+++ b/reconftw.sh
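Review bot: The new `resolvers_url` and `resolvers_trusted_url` lines are the only settings in this hunk without an inline comment, and the `update_resolvers` comment directly above them still says the lists come from trickest/resolvers, which these two variables make untrue (the later README-only commit rewords the README copy, not this file, as far as the series shows). Suggest `update_resolvers=true # Fetch and rewrite resolvers from resolvers_url and resolvers_trusted_url before DNS resolution`, plus a short comment on each new line naming the list it feeds. Because `resolvers_trusted_url` points at an unpinned gist, its content can change without a reconftw release; noting that in the comment, or pinning the URL to a specific gist revision, would help users who audit what their DNS resolution depends on.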
@@ -2034,16 +2034,16 @@ function resolvers_update(){
 dnsvalidator -tL https://raw.githubusercontent.com/blechschmidt/massdns/master/lists/resolvers.txt -threads $DNSVALIDATOR_THREADS -o tmp_resolvers &>/dev/null
 [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers
 [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null
- [ ! -s "$resolvers" ] && wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > $resolvers
- [ ! -s "$resolvers_trusted" ] && wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted
+ [ ! -s "$resolvers" ] && wget -q -O - $resolvers_url > $resolvers
+ [ ! -s "$resolvers_trusted" ] && wget -q -O - $resolvers_trusted_url > $resolvers_trusted
 notification "Updated\n" good
 fi
 else
 notification "Checking resolvers lists...\n Accurate resolvers are the key to great results\n This may take around 10 minutes if it's not updated" warn
 # shellcheck disable=SC2016
 axiom-exec 'if [ $(find "/home/op/lists/resolvers.txt" -mtime +1 -print) ] || [ $(cat /home/op/lists/resolvers.txt | wc -l) -le 40 ] ; then dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200 -o /home/op/lists/resolvers.txt ; fi' &>/dev/null
- axiom-exec 'wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > /home/op/lists/resolvers.txt' &>/dev/null
- axiom-exec 'wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt > /home/op/lists/resolvers_trusted.txt' &>/dev/null
+ axiom-exec "wget -q -O - ${resolvers_url} > /home/op/lists/resolvers.txt" &>/dev/null
+ axiom-exec "wget -q -O - ${resolvers_trusted_url} > /home/op/lists/resolvers_trusted.txt" &>/dev/null
 notification "Updated\n" good
 fi
 generate_resolvers=false
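Review bot: The two new `axiom-exec` lines switch from single-quoted literals to double-quoted strings that interpolate `${resolvers_url}` and `${resolvers_trusted_url}`, so the config value is now spliced verbatim into a command string that is parsed by the shell on the remote axiom hosts; a value containing a space, `;` or `$(` would be interpreted there instead of being passed to wget as one argument. reconftw.cfg is trusted shell, but quoting the value for the remote side keeps it a single word: `axiom-exec "wget -q -O - $(printf '%q' "$resolvers_url") > /home/op/lists/resolvers.txt" &>/dev/null`. The local `wget -q -O - $resolvers_url > $resolvers` lines here, and in the two hunks at 2051 and 2060 (`resolvers_update_quick_local`), leave both expansions unquoted and overwrite the existing list even when the download fails, since `-q` hides the error and the exit status is unchecked; `"$resolvers_url"` / `"$resolvers"` plus a non-empty check before replacing the file would avoid ending up with an empty resolver list. `resolvers_update` begins before this hunk.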
@@ -2051,8 +2051,8 @@ function resolvers_update(){ if [ ! -s "$resolvers" ] || [[ $(find "$resolvers" -mtime +1 -print) ]] ; then notification "Resolvers seem older than 1 day\n Downloading new resolvers..." warn - wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > $resolvers - wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted + wget -q -O - $resolvers_url > $resolvers + wget -q -O - $resolvers_trusted_url > $resolvers_trusted notification "Resolvers updated\n" good fi fi @@ -2060,8 +2060,8 @@ function resolvers_update(){ function resolvers_update_quick_local(){ if [ "$update_resolvers" = true ]; then - wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > $resolvers - wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted + wget -q -O - $resolvers_url > $resolvers + wget -q -O - $resolvers_trusted_url > $resolvers_trusted fi } From 7885685988d7969396a8edb44159465c4955c42f Mon Sep 17 00:00:00 2001 From: six2dez Date: Sun, 23 Oct 2022 02:45:12 +0200 Subject: [PATCH 6/6] v2.5 --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3df08258..a66ad5b3 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,8 @@

- - + + @@ -138,7 +138,7 @@ SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get current sc profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version generate_resolvers=false # Generate custom resolvers with dnsvalidator -update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution +update_resolvers=true # Fetch and rewrite resolvers before DNS resolution proxy_url="http://127.0.0.1:8080/" # Proxy url install_golang=true # Set it to false if you already have Golang configured and ready #dir_output=/custom/output/path