2. Usage Guide

Usage Guide

This guide explains how to use reconFTW to perform automated reconnaissance and vulnerability scanning. reconFTW supports various modes for different use cases, from passive OSINT to full active exploitation, and offers flexible options for targeting, performance tuning, and output customization. Use the -h flag to view the help menu:

./reconftw.sh -h

📔 Table of Contents

• Target Options
• Mode Options
• General Options
• Output Options
• Example Usage
• Performance Tips
• Troubleshooting

---

Target Options

reconFTW requires a target to initiate a scan. Targets can be a single domain, a list of domains, or a multi-domain entity (e.g., a company with multiple domains). You can also specify in-scope or out-of-scope subdomains for precise filtering.

Subcommand	Description	Example
-d	Single target domain (root or subdomain)	./reconftw.sh -d target.com -r
-l	File with a list of target domains (one per line)	./reconftw.sh -l targets.txt -r
-m	Multi-domain target (e.g., company name with related domains)	./reconftw.sh -m company -l domains.txt -r
-i	Include subdomains (in-scope list, e.g., in.txt)	./reconftw.sh -d target.com -i in.txt -r
-x	Exclude subdomains (out-of-scope list, e.g., oos.txt)	./reconftw.sh -d target.com -x oos.txt -r

Notes:

• For -l, ensure targets.txt contains one domain per line (e.g., target.com\nsub.target.com).
• Use -m for organizations with multiple domains (e.g., tesla.com, teslamotors.com).
• In-scope (-i) and out-of-scope (-x) lists are text files with one subdomain per line.

---

Mode Options

reconFTW supports multiple modes to cater to different reconnaissance needs. Each mode varies in scope, intrusiveness, and execution time. The -r (Recon) mode is recommended for most use cases, while -a (All) includes active attacks and is highly intrusive.

Subcommand	Description	Example
-r	Recon: Full reconnaissance without active attacks (OSINT, subdomains, web detection, etc.)	./reconftw.sh -d target.com -r
-s	Subdomains: Subdomain enumeration, web probing, and takeover checks	./reconftw.sh -d target.com -s
-p	Passive: Passive-only reconnaissance (no active DNS or web requests)	./reconftw.sh -d target.com -p
-w	Web: Vulnerability checks on provided web targets (requires -l)	./reconftw.sh -l webs.txt -w
-a	All: Full reconnaissance plus active vulnerability checks (highly intrusive)	./reconftw.sh -d target.com -a
-n	OSINT: OSINT-only scan (emails, metadata, dorks, etc.)	./reconftw.sh -d target.com -n
-z	Zen: Lightweight recon with basic checks and select vulnerabilities	./reconftw.sh -d target.com -z
-c	Custom: Run a specific function (requires additional arguments)	./reconftw.sh -d target.com -c subfinder
-h	Show help menu	./reconftw.sh -h

Mode Workflows

Below are the steps performed by each mode, updated to reflect the latest reconftw.sh functionality.

-r (Recon): Full reconnaissance without active attacks

# OSINT
domain_info (WHOIS lookup)
emails (email harvesting)
google_dorks (Google dork queries)
github_dorks (GitHub repo/secret scanning)
metadata (document metadata extraction)
api_leaks (exposed API detection)
third_parties (misconfigured third-party services)
spoof (spoofable domain checks)

# Subdomain Enumeration
subpassive (passive sources via Subfinder, GitHub)
subcrt (certificate transparency logs)
subnoerror (DNS NOERROR discovery)
subbrute (DNS bruteforcing)
subscraping (web crawling/JS scraping)
subpermute (permutations via Gotator/ripgen)
subiapermute (AI-driven permutations)
subregexpermute (regex-based permutations)
subanalytics (Google Analytics ID relationships)
tls_ports (TLS handshake discovery)
subtakeover (subdomain takeover checks)
zonetransfer (DNS zone transfer)
s3buckets (misconfigured S3 buckets)
reverse_ip (reverse IP lookup, if enabled)

# Web Detection
webprobesimple (probe ports 80/443)
webprobefull (probe uncommon ports)
webscreenshot (capture web screenshots)

# Host
favicon (favicon-based IP discovery)
portscan_passive (passive port scanning via Shodan)
portscan_active (active port scanning via nmap)
cdn_ip (CDN detection)
geo_info (IP geolocation)

# Web Analysis
waf_detection (WAF checks)
nucleicheck (Nuclei scans)
cms_scanner (CMS detection)
url_check (passive/active URL collection)
url_gf (URL pattern analysis)
url_ext (file extension sorting)
jschecks (JavaScript analysis)
fuzz (directory/parameter fuzzing)
wordlist (custom wordlist generation)
robotswordlist (robots.txt historical entries)
password_dict (password dictionary generation)
iis_shortname (IIS shortname scanning)

-s (Subdomains): Subdomain enumeration and web probing

# Subdomain Enumeration
subpassive (passive sources)
subcrt (certificate transparency)
subnoerror (DNS NOERROR discovery)
subbrute (DNS bruteforcing)
subscraping (web/JS scraping)
subpermute (permutations)
subiapermute (AI permutations)
subregexpermute (regex permutations)
subanalytics (Google Analytics)
tls_ports (TLS discovery)
subtakeover (subdomain takeover)
zonetransfer (DNS zone transfer)
s3buckets (S3 buckets)

# Web Detection
webprobesimple (ports 80/443)
webprobefull (uncommon ports)
webscreenshot (screenshots)

-p (Passive): Passive-only reconnaissance

# OSINT
domain_info
emails
google_dorks
github_dorks
metadata
api_leaks
third_parties
spoof

# Subdomain Enumeration
subpassive
subcrt
subanalytics
subtakeover (passive checks only)

# Host
favicon
portscan_passive
cdn_ip
geo_info

-w (Web): Web vulnerability checks

# Subdomain Enumeration
subtakeover
s3buckets

# Web Analysis
waf_detection
nucleicheck
cms_scanner
url_check
url_gf
url_ext
jschecks
fuzz
wordlist
robotswordlist
password_dict
iis_shortname

# Vulnerabilities
bypasser4xx (4XX bypass)
cors (CORS misconfigurations)
open_redirect
ssrf_checks
crlf_checks
lfi (local file inclusion)
ssti (server-side template injection)
sqli (SQL injection)
xss (cross-site scripting)
spraying (password spraying)
brokenlinks
test_ssl (SSL/TLS misconfigurations)
comm_inj (command injection)
proto_pollution (prototype pollution)
smuggling (HTTP request smuggling)
webcache (web cache vulnerabilities)

-a (All): Full reconnaissance plus active attacks

# Includes all steps from -r (Recon), plus:
# Vulnerabilities
bypasser4xx
cors
open_redirect
ssrf_checks
crlf_checks
lfi
ssti
sqli
xss
spraying
brokenlinks
test_ssl
comm_inj
proto_pollution
smuggling
webcache

-z (Zen): Lightweight recon with select vulnerabilities

# OSINT
domain_info
emails
google_dorks
github_dorks

# Subdomain Enumeration
subpassive
subcrt
subanalytics
subtakeover

# Web Detection
webprobesimple
webscreenshot

# Host
favicon
portscan_passive

# Web Analysis
waf_detection
nucleicheck (info/low severity only)
cms_scanner
url_check
url_gf

# Vulnerabilities
cors
open_redirect
test_ssl

-c (Custom): Run a specific function

# Example Functions
subfinder (passive subdomain enumeration)
nuclei (vulnerability scanning)
ffuf (fuzzing)
katana (web crawling)
# Usage: Specify the function name as an argument
./reconftw.sh -d target.com -c subfinder

---

General Options

General options modify reconFTW’s behavior, enabling deeper scans, distributed execution, or custom configurations.

Subcommand	Description	Example
--deep	Enable deep scanning (slower, enables resource-intensive options, VPS recommended)	./reconftw.sh -d target.com -r --deep
-v	Enable Ax Framework distributed scanning (requires Ax setup)	./reconftw.sh -d target.com -r -v
-f	Use an alternate reconftw.cfg file	./reconftw.sh -d target.com -r -f custom.cfg
-q	Set rate limit (requests per second)	./reconftw.sh -d target.com -r -q 100
-y	Enable AI results analysis (requires reconftw_ai setup)	./reconftw.sh -d target.com -r -y
--check-tools	Exit if required tools are missing	./reconftw.sh --check-tools

Notes:

• --deep enables options like SUB_RECURSIVE_BRUTE and increases limits (e.g., DEEP_LIMIT=500).
• -v requires Ax Framework configuration (see Ax Framework Version Guide).
• -y generates AI-powered reports (see AI Integration Guide).

---

Output Options

reconFTW saves results to a user-defined or default output directory.

Subcommand	Description	Example
-o	Define the output directory	./reconftw.sh -d target.com -r -o /output/directory/

Notes:

• Default output: Recon/<target> in the reconFTW directory.
• Results are organized by module (e.g., subdomains, webs, vulns).
• Enable SENDZIPNOTIFY in reconftw.cfg to zip and send results via notifications.
• See the Output Files Guide for details on output structure.

---

Example Usage

Below are practical examples demonstrating different use cases.

1. Full Recon on a Single Domain:

   ./reconftw.sh -d target.com -r

   Performs comprehensive reconnaissance without active attacks.

2. Recon on Multiple Domains:

   ./reconftw.sh -l targets.txt -r -o /path/to/output/

   Scans each domain in targets.txt and saves results to /path/to/output/.

3. Deep Recon (VPS Recommended):

   ./reconftw.sh -d target.com -r --deep

   Enables resource-intensive options for deeper scanning.

4. Multi-Domain Recon for a Company:

   ./reconftw.sh -m company -l domains.txt -r

   Scans related domains listed in domains.txt for the company.

5. Ax Framework Distributed Scanning:

   ./reconftw.sh -d target.com -r -v

   Distributes tasks across Ax fleet for faster execution.

6. Passive-Only Recon:

   ./reconftw.sh -d target.com -p

   Performs passive OSINT and subdomain enumeration.

7. Web Vulnerability Checks:

   ./reconftw.sh -l webs.txt -w

   Runs vulnerability checks on URLs in webs.txt.

8. Full Recon with Attacks (YOLO Mode):

   ./reconftw.sh -d target.com -a

   Performs all checks, including intrusive vulnerability tests (use with caution).

9. AI-Powered Report Generation:

   ./reconftw.sh -d target.com -r -y

   Generates an AI-analyzed report in Markdown format.

10. Custom Function (e.g., Subfinder):

    ./reconftw.sh -d target.com -c subfinder

    Runs only the Subfinder module for passive subdomain enumeration.

Expected Outputs:

• Subdomains: Text files in Recon/target/subdomains/ (e.g., subdomains.txt, takeovers.txt).
• Web: Screenshots in Recon/target/webs/screenshots/ and URLs in Recon/target/webs/urls.txt.
• Vulnerabilities: Reports in Recon/target/vulns/ (e.g., xss.txt, sqli.txt).
• AI Reports: Markdown or text files in Recon/target/report/ (if -y is used).

---

Performance Tips

• Adjust Threads and Rate Limits:
  • Increase FFUF_THREADS, HTTPX_THREADS in reconftw.cfg for faster scans on powerful systems.
  • Set HTTPX_RATELIMIT, NUCLEI_RATELIMIT to avoid overwhelming targets (e.g., 100 for sensitive domains).
• Use Ax Framework:
  • Enable -v for distributed scanning on cloud instances to reduce execution time.
• Enable Deep Mode Sparingly:
  • Use --deep only on VPS or high-performance systems, as it increases resource usage.
• Optimize API Usage:
  • Configure multiple API keys (e.g., GitHub, Shodan) to avoid rate limits.
• Filter Scope:
  • Use -i and -x to focus on relevant subdomains and reduce scan scope.
• Clean Up:
  • Enable REMOVETMP=true and REMOVELOG=true in reconftw.cfg to free disk space after scans.

---

Troubleshooting

• Scan Hangs or Fails:
  • Check logs in Recon/target/logs/.
  • Reduce threads (e.g., FFUF_THREADS=20) or increase timeouts (e.g., HTTPX_TIMEOUT=20).
• API Rate Limits:
  • Add more GitHub tokens or rotate API keys in reconftw.cfg.
  • Enable SUB_RECURSIVE_PASSIVE=false to reduce API queries.
• Missing Results:
  • Verify API keys are configured (see Post-Installation Guide).
  • Check if modules are enabled in reconftw.cfg (e.g., SUBDOMAINS_GENERAL=true).
• Ax Framework Issues:
  • Ensure Ax is configured and fleets are running (axiom-fleet ls).
  • Check AXIOM_FLEET_COUNT and AXIOM_FLEET_REGIONS in reconftw.cfg.
• AI Report Errors:
  • Confirm Ollama is running and the model is installed (ollama list).
  • Check AI_MODEL and AI_REPORT_TYPE in reconftw.cfg.

For further assistance, join the Discord server or Telegram group.

---

Next Steps

• Configure reconFTW settings in reconftw.cfg (see Configuration File Guide).
• Explore output files (see Output Files Guide).
• Set up AI reporting (see AI Integration Guide).