3. Configuration file
The `reconftw.cfg` file controls the execution of reconFTW, allowing you to customize scanning modes, performance settings, API keys, tool paths, wordlists, and integrations (e.g., Ax Framework, Faraday, AI reporting). This guide explains each option in detail, grouped by category, to help you tailor reconFTW to your needs.
Location: `reconftw.cfg` is in the root of the reconFTW directory after cloning the repository.
Default Configuration: The default `reconftw.cfg` is preconfigured with sensible settings but requires customization for API keys, notifications, and specific use cases. See the Post-Installation Guide for setup instructions.
- 1. General Values
- 2. Golang and Rust Variables
- 3. Tools Config Files
- 4. APIs and Tokens
- 5. File Descriptors
- 6. OSINT
- 7. Subdomains
- 8. Web Detection
- 9. Hosts
- 10. Web Analysis
- 11. Vulnerabilities
- 12. Extra Features
- 13. HTTP Options
- 14. Threads
- 15. Rate Limits
- 16. Timeouts
- 17. Lists
- 18. Ax Framework
- 19. Faraday Integration
- 20. AI Reporting
- 21. Output Colors
- Example Configurations
- Troubleshooting
These options affect the overall workflow of reconFTW, regardless of the scanning mode.
Option | Default | Description |
---|---|---|
`tools` | `$HOME/Tools` | Directory where reconFTW installs and stores tools. |
`SCRIPTPATH` | `$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )` | Path to the reconFTW directory (auto-detected). |
`profile_shell` | `.$(basename $(echo $SHELL))rc` | Shell configuration file (e.g., `.bashrc`, `.zshrc`). |
`reconftw_version` | `$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags)` | Current reconFTW version (auto-detected from Git). |
`generate_resolvers` | `false` | Generate custom DNS resolvers using `dnsvalidator`. |
`update_resolvers` | `true` | Update resolvers from `resolvers_url` if older than 24 hours. |
`resolvers_url` | `https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt` | Source for DNS resolvers. |
`resolvers_trusted_url` | `https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt` | Source for trusted DNS resolvers. |
`fuzzing_remote_list` | `https://raw.githubusercontent.com/six2dez/OneListForAll/main/onelistforallmicro.txt` | Remote wordlist for fuzzing (used with Ax). |
`proxy_url` | `http://127.0.0.1:8080/` | Proxy URL for routing traffic (e.g., via Burp Suite). |
`install_golang` | `true` | Install Golang during setup (set to `false` if already installed). |
`upgrade_tools` | `true` | Update tools during installation. |
`upgrade_before_running` | `false` | Update tools before each scan. |
`dir_output` | Commented (#) | Custom output directory (uncomment and set an absolute path). |

Warning: Incorrect changes to `SCRIPTPATH`, `tools`, or `profile_shell` may break reconFTW’s functionality.
These settings configure the environment for Golang and Rust, required by many reconFTW tools.
Option | Default | Description |
---|---|---|
`GOROOT` | `/usr/local/go` | Golang root directory. |
`GOPATH` | `$HOME/go` | Golang workspace directory. |
`PATH` | `$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH` | Adds Golang binaries to the system PATH. |
`PATH` (Rust) | `$HOME/.cargo/bin:$PATH` | Adds Rust binaries to the system PATH. |
Warning: Modify only if you have a non-standard Golang or Rust setup to avoid breaking tool execution.
Paths to configuration files for tools used by reconFTW.
Option | Default | Description |
---|---|---|
`NOTIFY_CONFIG` | `~/.config/notify/provider-config.yaml` | Notify configuration for Slack, Discord, or Telegram (auto-detected). |
`GITHUB_TOKENS` | `${tools}/.github_tokens` | File containing GitHub Personal Access Tokens (one per line). |
`GITLAB_TOKENS` | `${tools}/.gitlab_tokens` | File containing GitLab Personal Access Tokens (one per line). |
`CUSTOM_CONFIG` | Commented (#) | Path to a custom configuration file (uncomment to use). |

Note: See the Post-Installation Guide for setting up `GITHUB_TOKENS` and `NOTIFY_CONFIG`.
API keys and tokens for tools and services. Uncomment and set values in `reconftw.cfg` or define them in your shell configuration (e.g., `.bashrc`).

Option | Default | Description |
---|---|---|
`SHODAN_API_KEY` | Commented (#) | Shodan API key for IP resolution and port scanning. |
`WHOISXML_API` | Commented (#) | WHOISXML API key for WHOIS lookups. |
`XSS_SERVER` | Commented (#) | Blind XSS server for `dalfox` (e.g., `six2dez.xss.ht`). |
`COLLAB_SERVER` | Commented (#) | SSRF server for `interactsh` or `ffuf` (e.g., `i0m1y4j3fu.canarytokens.com`). |
`slack_channel` | Commented (#) | Slack channel ID for notifications. |
`slack_auth` | Commented (#) | Slack webhook token for notifications. |
Note: Obtain keys from providers (e.g., Shodan, XSS Hunter) and configure them as shown in the Post-Installation Guide.
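
Keys set in `reconftw.cfg` and the token files listed under Tools Config Files are stored in plaintext, so their file permissions decide who else on the host can read them. The check below is an added example, not part of reconFTW: the function names are hypothetical, and the list of secret options is limited to `SHODAN_API_KEY`, `WHOISXML_API` and `slack_auth` from the table above.

```bash
#!/usr/bin/env bash
# Added example, not part of reconFTW: report secret-bearing files that are
# readable by group or others. Key values are never printed, only names.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when group or others have any permission on the file.
is_exposed() {
    case $(file_mode "$1") in
        0 | *00) return 1 ;;
        *) return 0 ;;
    esac
}

# Names of secret options that are set (uncommented) in the cfg.
inline_secrets() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?(SHODAN_API_KEY|WHOISXML_API|slack_auth)=.*/\2/p' "$1"
}

# audit_secret_files CFG [TOKEN_FILE...]
# Prints one line per exposed file; returns 1 if anything is exposed.
audit_secret_files() {
    local cfg keys f rc
    cfg=$1
    shift
    rc=0
    keys=$(inline_secrets "$cfg" | paste -s -d ' ' -)
    if [ -n "$keys" ] && is_exposed "$cfg"; then
        echo "EXPOSED $cfg (mode $(file_mode "$cfg")) sets: $keys"
        rc=1
    fi
    for f in "$@"; do
        [ -e "$f" ] || continue   # optional files may not exist yet
        if is_exposed "$f"; then
            echo "EXPOSED $f (mode $(file_mode "$f")); restrict it with chmod 600"
            rc=1
        fi
    done
    return "$rc"
}

# Typical call, using the default locations from the tables above:
#   audit_secret_files reconftw.cfg "$HOME/Tools/.github_tokens" \
#       "$HOME/Tools/.gitlab_tokens" "$HOME/.config/notify/provider-config.yaml"
```
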
Control the output of tool logs for cleaner console display.
Option | Default | Description |
---|---|---|
`DEBUG_STD` | `&>/dev/null` | Redirects standard output to suppress tool logs. |
`DEBUG_ERROR` | `2>/dev/null` | Redirects error output to suppress tool errors. |

Note: Comment out `DEBUG_STD` for verbose output or `DEBUG_ERROR` to show only errors, similar to the `-v` flag behavior.
Enable or disable OSINT (Open-Source Intelligence) modules.
Option | Default | Description |
---|---|---|
`OSINT` | `true` | Enable the entire OSINT module. |
`GOOGLE_DORKS` | `true` | Perform automated Google dork queries. |
`GITHUB_DORKS` | `true` | Scan GitHub for repositories and secrets. |
`GITHUB_REPOS` | `true` | Enumerate GitHub repositories. |
`METADATA` | `true` | Extract metadata from indexed documents. |
`EMAILS` | `true` | Harvest emails and credentials. |
`DOMAIN_INFO` | `true` | Perform WHOIS lookups. |
`IP_INFO` | `true` | Conduct reverse IP and geolocation searches. |
`API_LEAKS` | `true` | Detect exposed APIs in public sources. |
`THIRD_PARTIES` | `true` | Identify misconfigured third-party services. |
`SPOOF` | `true` | Check for spoofable domains. |
`METAFINDER_LIMIT` | `20` | Maximum results for `metagoofil` (max 250). |

Note: Disable specific modules (e.g., `GITHUB_DORKS=false`) to reduce API usage or scan time.
Control subdomain enumeration techniques.
Option | Default | Description |
---|---|---|
`SUBDOMAINS_GENERAL` | `true` | Enable the entire subdomain module. |
`SUBPASSIVE` | `true` | Use passive sources (e.g., Subfinder, GitHub). |
`SUBCRT` | `true` | Query certificate transparency logs. |
`CTR_LIMIT` | `999999` | Maximum results for certificate transparency. |
`SUBNOERROR` | `false` | Check DNS NOERROR responses. |
`SUBANALYTICS` | `true` | Identify subdomains via Google Analytics IDs. |
`SUBBRUTE` | `true` | Perform DNS bruteforcing. |
`SUBSCRAPING` | `true` | Extract subdomains from web crawling/JS. |
`SUBPERMUTE` | `true` | Generate subdomain permutations. |
`SUBIAPERMUTE` | `true` | Use AI-driven permutation analysis. |
`SUBREGEXPERMUTE` | `true` | Use regex-based permutation analysis. |
`PERMUTATIONS_OPTION` | `gotator` | Permutation tool (`gotator` or `ripgen`). |
`GOTATOR_FLAGS` | `-depth 1 -numbers 3 -mindup -adv -md` | Flags for `gotator` permutations. |
`SUBTAKEOVER` | `true` | Check for subdomain takeovers. |
`SUB_RECURSIVE_PASSIVE` | `false` | Enable recursive passive enumeration (API-heavy). |
`DEEP_RECURSIVE_PASSIVE` | `10` | Number of top subdomains for recursive passive scans. |
`SUB_RECURSIVE_BRUTE` | `false` | Enable recursive bruteforce (disk-intensive). |
`ZONETRANSFER` | `true` | Check for DNS zone transfers. |
`S3BUCKETS` | `true` | Identify misconfigured S3 buckets. |
`REVERSE_IP` | `false` | Perform reverse IP subdomain discovery (for CIDR/IP targets). |
`TLS_PORTS` | `21,22,25,80,...` | Ports for TLS handshake discovery. |
`INSCOPE` | `false` | Filter subdomains using an in-scope list (requires `.scope` file). |

Note: Enable `SUB_RECURSIVE_PASSIVE` or `SUB_RECURSIVE_BRUTE` only with sufficient API quotas or disk space.
Tasks to detect live web servers.
Option | Default | Description |
---|---|---|
`WEBPROBESIMPLE` | `true` | Probe standard ports (80, 443). |
`WEBPROBEFULL` | `true` | Probe uncommon ports. |
`WEBSCREENSHOT` | `true` | Capture screenshots of web pages. |
`VIRTUALHOSTS` | `false` | Fuzz HTTP headers for virtual hosts. |
`UNCOMMON_PORTS_WEB` | `81,300,591,...` | List of uncommon ports for web probing. |

Note: Adjust `UNCOMMON_PORTS_WEB` to include or exclude specific ports based on your target.
Tasks performed on identified hosts.
Option | Default | Description |
---|---|---|
`FAVICON` | `true` | Discover IPs via favicon analysis. |
`PORTSCANNER` | `true` | Enable the entire port scanning module. |
`PORTSCAN_PASSIVE` | `true` | Passive port scanning with Shodan. |
`PORTSCAN_ACTIVE` | `true` | Active port scanning with `nmap`. |
`PORTSCAN_ACTIVE_OPTIONS` | `--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners` | Nmap flags for active scanning. |
`CDN_IP` | `true` | Detect IPs behind CDNs. |
`GEO_INFO` | `true` | Map IPs to geolocations. |

Note: Set `PORTSCAN_ACTIVE_OPTIONS` to customize `nmap` behavior (e.g., add `--script ssl-cert`).
Tasks to analyze web servers and extract information.
Option | Default | Description |
---|---|---|
`WAF_DETECTION` | `true` | Detect Web Application Firewalls. |
`NUCLEICHECK` | `true` | Run Nuclei vulnerability scans. |
`NUCLEI_TEMPLATES_PATH` | `$HOME/nuclei-templates` | Path to Nuclei templates. |
`NUCLEI_SEVERITY` | `info,low,medium,high,critical` | Severity levels for Nuclei scans. |
`NUCLEI_EXTRA_ARGS` | Empty | Additional Nuclei flags (e.g., `-etags openssh`). |
`NUCLEI_FLAGS` | `-silent -retries 2` | General Nuclei flags. |
`NUCLEI_FLAGS_JS` | `-silent -tags exposure,token -severity info,low,medium,high,critical` | Nuclei flags for JS analysis. |
`URL_CHECK` | `true` | Collect URLs passively and actively. |
`URL_CHECK_PASSIVE` | `true` | Passive URL collection (e.g., Archive, OTX). |
`URL_CHECK_ACTIVE` | `true` | Active URL collection via crawling. |
`URL_GF` | `true` | Classify URLs using `gf` patterns. |
`URL_EXT` | `true` | Sort URLs by file extension. |
`JSCHECKS` | `true` | Analyze JavaScript files for secrets/endpoints. |
`FUZZ` | `true` | Perform directory and parameter fuzzing. |
`IIS_SHORTNAME` | `true` | Detect IIS shortname vulnerabilities. |
`CMS_SCANNER` | `true` | Identify Content Management Systems. |
`WORDLIST` | `true` | Generate custom wordlists for fuzzing. |
`ROBOTSWORDLIST` | `true` | Extract historical `robots.txt` entries. |
`PASSWORD_DICT` | `true` | Generate password dictionaries. |
`PASSWORD_MIN_LENGTH` | `5` | Minimum password length for dictionaries. |
`PASSWORD_MAX_LENGTH` | `14` | Maximum password length for dictionaries. |
`CLOUDHUNTER_PERMUTATION` | `NORMAL` | S3 bucket permutation mode (`DEEP`, `NORMAL`, `NONE`). |
`NUCLEI_FUZZING_TEMPLATES_PATH` | `${tools}/fuzzing-templates` | Path to Nuclei fuzzing templates. |

Note: Customize `NUCLEI_SEVERITY` to focus on specific vulnerability levels (e.g., `high,critical`).
Control vulnerability scanning modules (intrusive, use with caution).
Option | Default | Description |
---|---|---|
`VULNS_GENERAL` | `false` | Enable the entire vulnerability module (slow and intrusive). |
`XSS` | `true` | Test for cross-site scripting with `dalfox`. |
`CORS` | `true` | Check for CORS misconfigurations. |
`TEST_SSL` | `true` | Identify SSL/TLS misconfigurations. |
`OPEN_REDIRECT` | `true` | Detect open redirect vulnerabilities. |
`SSRF_CHECKS` | `true` | Test for server-side request forgery. |
`CRLF_CHECKS` | `true` | Check for CRLF injection. |
`LFI` | `true` | Test for local file inclusion via fuzzing. |
`SSTI` | `true` | Detect server-side template injection. |
`SQLI` | `true` | Test for SQL injection. |
`SQLMAP` | `true` | Use `sqlmap` for SQL injection testing. |
`GHAURI` | `false` | Use `ghauri` for SQL injection testing. |
`BROKENLINKS` | `true` | Identify broken links on web pages. |
`SPRAY` | `true` | Perform password spraying on services. |
`COMM_INJ` | `true` | Test for command injection. |
`PROTO_POLLUTION` | `true` | Detect JavaScript prototype pollution. |
`SMUGGLING` | `true` | Check for HTTP request smuggling. |
`WEBCACHE` | `true` | Identify web cache vulnerabilities. |
`BYPASSER4XX` | `true` | Attempt to bypass 4XX responses. |
`FUZZPARAMS` | `true` | Fuzz URL parameters for vulnerabilities. |

Note: Enable `VULNS_GENERAL` only with explicit target permission, as it is highly intrusive.
Advanced options for enhanced functionality.
Option | Default | Description |
---|---|---|
`NOTIFICATION` | `false` | Send notifications for every function (requires `NOTIFY_CONFIG`). |
`SOFT_NOTIFICATION` | `false` | Send notifications only for scan start/end. |
`DEEP` | `false` | Enable deep scanning (same as `--deep` flag, slow). |
`DEEP_LIMIT` | `500` | First limit for deep scanning. |
`DEEP_LIMIT2` | `1500` | Second limit for deep scanning. |
`DIFF` | `false` | Highlight new findings in subsequent scans (for monitoring). |
`REMOVETMP` | `false` | Delete temporary files after scan completion. |
`REMOVELOG` | `false` | Delete log files after scan completion. |
`PROXY` | `false` | Route web traffic through a proxy (e.g., Burp Suite). |
`SENDZIPNOTIFY` | `false` | Zip and send results via notifications. |
`PRESERVE` | `true` | Avoid deleting `.called_fn` files on large scans. |
`FFUF_FLAGS` | `-mc all -fc 404 -sf -noninteractive -of json` | Flags for `ffuf` fuzzing. |
`HTTPX_FLAGS` | `-follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length` | Flags for `httpx` web probing. |

Note: Enable `NOTIFICATION` or `SOFT_NOTIFICATION` after configuring `NOTIFY_CONFIG` (see Post-Installation Guide).
Customize HTTP request headers.
Option | Default | Description |
---|---|---|
`HEADER` | `User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0` | Default HTTP header for requests. |

Note: Modify `HEADER` to mimic specific browsers or add custom headers (e.g., `Authorization`).
Control the number of concurrent threads for performance optimization.
Option | Default | Description |
---|---|---|
`FFUF_THREADS` | `40` | Threads for `ffuf` fuzzing. |
`HTTPX_THREADS` | `50` | Threads for `httpx` standard port probing. |
`HTTPX_UNCOMMONPORTS_THREADS` | `100` | Threads for `httpx` uncommon port probing. |
`KATANA_THREADS` | `20` | Threads for `katana` web crawling. |
`BRUTESPRAY_THREADS` | `20` | Threads for `brutespray` password spraying. |
`BRUTESPRAY_CONCURRENCE` | `10` | Concurrent hosts for `brutespray`. |
`DNSTAKE_THREADS` | `100` | Threads for `dnstake` takeover checks. |
`DALFOX_THREADS` | `200` | Threads for `dalfox` XSS testing. |
`PUREDNS_PUBLIC_LIMIT` | `0` | Thread limit for `puredns` public resolvers (0 = unlimited). |
`PUREDNS_TRUSTED_LIMIT` | `400` | Thread limit for `puredns` trusted resolvers. |
`PUREDNS_WILDCARDTEST_LIMIT` | `30` | Thread limit for `puredns` wildcard tests. |
`PUREDNS_WILDCARDBATCH_LIMIT` | `1500000` | Batch size for `puredns` wildcard checks. |
`RESOLVE_DOMAINS_THREADS` | `150` | Threads for resolving domain IPs. |
`DNSVALIDATOR_THREADS` | `200` | Threads for `dnsvalidator` resolver generation. |
`INTERLACE_THREADS` | `10` | Threads for Interlace multithreading. |
`TLSX_THREADS` | `1000` | Threads for `tlsx` TLS scanning. |
`XNLINKFINDER_DEPTH` | `3` | Depth for `xnLinkFinder` JS analysis. |
Note: Increase threads on high-performance systems or decrease to avoid overwhelming targets or routers.
Control the rate of requests to prevent blocking or rate-limiting.
Option | Default | Description |
---|---|---|
`HTTPX_RATELIMIT` | `150` | Requests per second for `httpx`. |
`NUCLEI_RATELIMIT` | `150` | Requests per second for `nuclei`. |
`FFUF_RATELIMIT` | `0` | Requests per second for `ffuf` (0 = unlimited). |

Note: Lower rate limits (e.g., `100`) for sensitive targets to avoid detection.
Set maximum execution times for tools or tasks.
Option | Default | Description |
---|---|---|
`SUBFINDER_ENUM_TIMEOUT` | `180` | Timeout for `subfinder` enumeration (minutes). |
`CMSSCAN_TIMEOUT` | `3600` | Timeout for CMS scanning (seconds). |
`FFUF_MAXTIME` | `900` | Timeout for `ffuf` per URL (seconds). |
`HTTPX_TIMEOUT` | `10` | Timeout for `httpx` standard port probes (seconds). |
`HTTPX_UNCOMMONPORTS_TIMEOUT` | `10` | Timeout for `httpx` uncommon port probes (seconds). |
`PERMUTATIONS_LIMIT` | `21474836480` | Maximum permutation file size (bytes, ~20 GB). |

Note: Increase timeouts for slow networks or large targets (e.g., `HTTPX_TIMEOUT=20`).
Specify wordlists and resolvers for various tasks.
Option | Default | Description |
---|---|---|
`fuzz_wordlist` | `${tools}/fuzz_wordlist.txt` | Wordlist for fuzzing. |
`lfi_wordlist` | `${tools}/lfi_wordlist.txt` | Wordlist for LFI testing. |
`ssti_wordlist` | `${tools}/ssti_wordlist.txt` | Wordlist for SSTI testing. |
`subs_wordlist` | `${tools}/subdomains.txt` | Wordlist for subdomain bruteforcing. |
`subs_wordlist_big` | `${tools}/subdomains_n0kovo_big.txt` | Large wordlist for deep subdomain bruteforcing. |
`resolvers` | `${tools}/resolvers.txt` | List of DNS resolvers. |
`resolvers_trusted` | `${tools}/resolvers_trusted.txt` | List of trusted DNS resolvers. |

Note: Replace with custom wordlists for targeted scans (e.g., `fuzz_wordlist=/path/to/custom.txt`).
Configure distributed scanning with the Ax Framework.
Option | Default | Description |
---|---|---|
`AXIOM_FLEET_LAUNCH` | `true` | Launch a new Ax fleet automatically. |
`AXIOM_FLEET_NAME` | `reconFTW` | Prefix for the Ax fleet name. |
`AXIOM_FLEET_COUNT` | `10` | Number of instances in the fleet. |
`AXIOM_FLEET_REGIONS` | `eu-central` | Cloud region for the fleet. |
`AXIOM_FLEET_SHUTDOWN` | `true` | Delete the fleet after scan completion. |
`AXIOM_POST_START` | Commented (#) | Script to run after fleet startup (e.g., `~/Tools/axiom_config.sh`). |
`AXIOM_EXTRA_ARGS` | Empty | Additional Ax arguments (e.g., `--rm-logs`). |
Note: See the Ax Framework Version Guide for setup instructions.
Configure integration with Faraday for reporting.
Option | Default | Description |
---|---|---|
`FARADAY` | `false` | Enable Faraday integration. |
`FARADAY_SERVER` | `http://localhost:5985` | Faraday server address. |
`FARADAY_USER` | `faraday` | Faraday username. |
`FARADAY_PASS` | `FARADAY_PASSWORD` | Faraday password. |
`FARADAY_WORKSPACE` | `reconftw` | Faraday workspace name. |
Note: See the Post-Installation Guide for Faraday setup.
Configure AI-powered report generation with reconftw_ai.
Option | Default | Description |
---|---|---|
`AI_MODEL` | `llama3:8b` | AI model for report generation (e.g., `llama3:8b`). |
`AI_REPORT_TYPE` | `md` | Report format (`md` for Markdown, `txt` for plain text). |
`AI_REPORT_PROFILE` | `bughunter` | Report style (`executive`, `brief`, `bughunter`). |
Note: See the AI Integration Guide for setup instructions.
Customize console output colors (see this guide for color codes).
Option | Default | Description |
---|---|---|
`bred` | `\033[1;31m` | Bold red (errors). |
`bblue` | `\033[1;34m` | Bold blue (info). |
`bgreen` | `\033[1;32m` | Bold green (success). |
`byellow` | `\033[1;33m` | Bold yellow (warnings). |
`red` | `\033[0;31m` | Red (normal errors). |
`blue` | `\033[0;34m` | Blue (normal info). |
`green` | `\033[0;32m` | Green (normal success). |
`yellow` | `\033[0;33m` | Yellow (normal warnings). |
`reset` | `\033[0m` | Reset color. |
Note: Modify colors to match your terminal preferences.
Below are sample `reconftw.cfg` snippets for common use cases.

- Passive-Only Scan (minimize active requests):

  ```bash
  OSINT=true
  SUBDOMAINS_GENERAL=true
  SUBPASSIVE=true
  SUBBRUTE=false
  SUBSCRAPING=false
  VULNS_GENERAL=false
  NOTIFICATION=true
  ```

- Deep Recon with Ax Framework (VPS recommended):

  ```bash
  DEEP=true
  SUB_RECURSIVE_PASSIVE=true
  SUB_RECURSIVE_BRUTE=true
  AXIOM_FLEET_LAUNCH=true
  AXIOM_FLEET_COUNT=20
  FFUF_THREADS=80
  HTTPX_RATELIMIT=200
  ```

- AI-Enhanced Bug Hunting (with vulnerability checks):

  ```bash
  VULNS_GENERAL=true
  XSS=true
  SQLI=true
  AI_MODEL="llama3:8b"
  AI_REPORT_TYPE="md"
  AI_REPORT_PROFILE="bughunter"
  SENDZIPNOTIFY=true
  ```

- Minimal Resource Usage (for low-end systems):

  ```bash
  FFUF_THREADS=20
  HTTPX_THREADS=30
  HTTPX_RATELIMIT=50
  NUCLEI_RATELIMIT=50
  SUB_RECURSIVE_PASSIVE=false
  DEEP=false
  REMOVETMP=true
  ```

Note: Save changes to `reconftw.cfg` before running scans to apply the configuration.
- Invalid Configuration:
  - Check for syntax errors in `reconftw.cfg` (e.g., missing quotes, incorrect paths).
  - Ensure paths (e.g., `tools`, `fuzz_wordlist`) exist and are accessible.
- API-Related Issues:
  - Verify API keys are uncommented and correctly formatted.
  - Check provider documentation for rate limits or scope requirements.
- Performance Problems:
  - Reduce threads (e.g., `FFUF_THREADS=20`) or rate limits (e.g., `HTTPX_RATELIMIT=50`) on low-end systems.
  - Disable resource-intensive modules (e.g., `SUB_RECURSIVE_BRUTE=false`).
- Tool Failures:
  - Run `./install.sh` with `DEBUG_STD=""` to debug installation issues.
  - Verify tool paths in the `tools` directory and `reconftw.cfg`.
- Ax Framework Errors:
  - Check Ax configuration (`~/.axiom/axiom.json`) and fleet status (`axiom-fleet ls`).
  - Ensure `AXIOM_FLEET_COUNT` matches your cloud provider’s capacity.
For further help, join the Discord server or Telegram group.
- Run your first scan with the Usage Guide.
- Set up API keys and notifications with the Post-Installation Guide.
- Explore output files with the Output Files Guide.