3. Configuration file

six2dez edited this page May 16, 2025 · 4 revisions

Configuration File Guide

The reconftw.cfg file controls the execution of reconFTW, allowing you to customize scanning modes, performance settings, API keys, tool paths, wordlists, and integrations (e.g., Ax Framework, Faraday, AI reporting). This guide explains each option in detail, grouped by category, to help you tailor reconFTW to your needs.

Location: reconftw.cfg is in the root of the reconFTW directory after cloning the repository.

Default Configuration: The default reconftw.cfg is preconfigured with sensible settings but requires customization for API keys, notifications, and specific use cases. See the Post-Installation Guide for setup instructions.

1. General Values

These options affect the overall workflow of reconFTW, regardless of the scanning mode.

| Option | Default | Description |
|---|---|---|
| tools | $HOME/Tools | Directory where reconFTW installs and stores tools. |
| SCRIPTPATH | $( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P ) | Path to the reconFTW directory (auto-detected). |
| profile_shell | .$(basename $(echo $SHELL))rc | Shell configuration file (e.g., .bashrc, .zshrc). |
| reconftw_version | $(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) | Current reconFTW version (auto-detected from Git). |
| generate_resolvers | false | Generate custom DNS resolvers using dnsvalidator. |
| update_resolvers | true | Update resolvers from resolvers_url if older than 24 hours. |
| resolvers_url | https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt | Source for DNS resolvers. |
| resolvers_trusted_url | https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt | Source for trusted DNS resolvers. |
| fuzzing_remote_list | https://raw.githubusercontent.com/six2dez/OneListForAll/main/onelistforallmicro.txt | Remote wordlist for fuzzing (used with Ax). |
| proxy_url | http://127.0.0.1:8080/ | Proxy URL for routing traffic (e.g., via Burp Suite). |
| install_golang | true | Install Golang during setup (set to false if already installed). |
| upgrade_tools | true | Update tools during installation. |
| upgrade_before_running | false | Update tools before each scan. |
| dir_output | Commented (#) | Custom output directory (uncomment and set an absolute path). |

Warning: Incorrect changes to SCRIPTPATH, tools, or profile_shell may break reconFTW’s functionality.


2. Golang and Rust Variables

These settings configure the environment for Golang and Rust, required by many reconFTW tools.

| Option | Default | Description |
|---|---|---|
| GOROOT | /usr/local/go | Golang root directory. |
| GOPATH | $HOME/go | Golang workspace directory. |
| PATH | $GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH | Adds Golang binaries to the system PATH. |
| PATH (Rust) | $HOME/.cargo/bin:$PATH | Adds Rust binaries to the system PATH. |

Warning: Modify only if you have a non-standard Golang or Rust setup to avoid breaking tool execution.


3. Tools Config Files

Paths to configuration files for tools used by reconFTW.

| Option | Default | Description |
|---|---|---|
| NOTIFY_CONFIG | ~/.config/notify/provider-config.yaml | Notify configuration for Slack, Discord, or Telegram (auto-detected). |
| GITHUB_TOKENS | ${tools}/.github_tokens | File containing GitHub Personal Access Tokens (one per line). |
| GITLAB_TOKENS | ${tools}/.gitlab_tokens | File containing GitLab Personal Access Tokens (one per line). |
| CUSTOM_CONFIG | Commented (#) | Path to a custom configuration file (uncomment to use). |

Note: See the Post-Installation Guide for setting up GITHUB_TOKENS and NOTIFY_CONFIG.


4. APIs and Tokens

API keys and tokens for tools and services. Uncomment and set values in reconftw.cfg or define them in your shell configuration (e.g., .bashrc).

| Option | Default | Description |
|---|---|---|
| SHODAN_API_KEY | Commented (#) | Shodan API key for IP resolution and port scanning. |
| WHOISXML_API | Commented (#) | WHOISXML API key for WHOIS lookups. |
| XSS_SERVER | Commented (#) | Blind XSS server for dalfox (e.g., six2dez.xss.ht). |
| COLLAB_SERVER | Commented (#) | SSRF server for interactsh or ffuf (e.g., i0m1y4j3fu.canarytokens.com). |
| slack_channel | Commented (#) | Slack channel ID for notifications. |
| slack_auth | Commented (#) | Slack webhook token for notifications. |

Note: Obtain keys from providers (e.g., Shodan, XSS Hunter) and configure them as shown in the Post-Installation Guide.


5. File Descriptors

Control the output of tool logs for cleaner console display.

| Option | Default | Description |
|---|---|---|
| DEBUG_STD | &>/dev/null | Redirects standard output to suppress tool logs. |
| DEBUG_ERROR | 2>/dev/null | Redirects error output to suppress tool errors. |

Note: Comment out DEBUG_STD for verbose output or DEBUG_ERROR to show only errors, similar to the -v flag behavior.


6. OSINT

Enable or disable OSINT (Open-Source Intelligence) modules.

| Option | Default | Description |
|---|---|---|
| OSINT | true | Enable the entire OSINT module. |
| GOOGLE_DORKS | true | Perform automated Google dork queries. |
| GITHUB_DORKS | true | Scan GitHub for repositories and secrets. |
| GITHUB_REPOS | true | Enumerate GitHub repositories. |
| METADATA | true | Extract metadata from indexed documents. |
| EMAILS | true | Harvest emails and credentials. |
| DOMAIN_INFO | true | Perform WHOIS lookups. |
| IP_INFO | true | Conduct reverse IP and geolocation searches. |
| API_LEAKS | true | Detect exposed APIs in public sources. |
| THIRD_PARTIES | true | Identify misconfigured third-party services. |
| SPOOF | true | Check for spoofable domains. |
| METAFINDER_LIMIT | 20 | Maximum results for metagoofil (max 250). |

Note: Disable specific modules (e.g., GITHUB_DORKS=false) to reduce API usage or scan time.


7. Subdomains

Control subdomain enumeration techniques.

| Option | Default | Description |
|---|---|---|
| SUBDOMAINS_GENERAL | true | Enable the entire subdomain module. |
| SUBPASSIVE | true | Use passive sources (e.g., Subfinder, GitHub). |
| SUBCRT | true | Query certificate transparency logs. |
| CTR_LIMIT | 999999 | Maximum results for certificate transparency. |
| SUBNOERROR | false | Check DNS NOERROR responses. |
| SUBANALYTICS | true | Identify subdomains via Google Analytics IDs. |
| SUBBRUTE | true | Perform DNS bruteforcing. |
| SUBSCRAPING | true | Extract subdomains from web crawling/JS. |
| SUBPERMUTE | true | Generate subdomain permutations. |
| SUBIAPERMUTE | true | Use AI-driven permutation analysis. |
| SUBREGEXPERMUTE | true | Use regex-based permutation analysis. |
| PERMUTATIONS_OPTION | gotator | Permutation tool (gotator or ripgen). |
| GOTATOR_FLAGS | -depth 1 -numbers 3 -mindup -adv -md | Flags for gotator permutations. |
| SUBTAKEOVER | true | Check for subdomain takeovers. |
| SUB_RECURSIVE_PASSIVE | false | Enable recursive passive enumeration (API-heavy). |
| DEEP_RECURSIVE_PASSIVE | 10 | Number of top subdomains for recursive passive scans. |
| SUB_RECURSIVE_BRUTE | false | Enable recursive bruteforce (disk-intensive). |
| ZONETRANSFER | true | Check for DNS zone transfers. |
| S3BUCKETS | true | Identify misconfigured S3 buckets. |
| REVERSE_IP | false | Perform reverse IP subdomain discovery (for CIDR/IP targets). |
| TLS_PORTS | 21,22,25,80,... | Ports for TLS handshake discovery. |
| INSCOPE | false | Filter subdomains using an in-scope list (requires .scope file). |

Note: Enable SUB_RECURSIVE_PASSIVE or SUB_RECURSIVE_BRUTE only with sufficient API quotas or disk space.


8. Web Detection

Tasks to detect live web servers.

| Option | Default | Description |
|---|---|---|
| WEBPROBESIMPLE | true | Probe standard ports (80, 443). |
| WEBPROBEFULL | true | Probe uncommon ports. |
| WEBSCREENSHOT | true | Capture screenshots of web pages. |
| VIRTUALHOSTS | false | Fuzz HTTP headers for virtual hosts. |
| UNCOMMON_PORTS_WEB | 81,300,591,... | List of uncommon ports for web probing. |

Note: Adjust UNCOMMON_PORTS_WEB to include or exclude specific ports based on your target.


9. Hosts

Tasks performed on identified hosts.

| Option | Default | Description |
|---|---|---|
| FAVICON | true | Discover IPs via favicon analysis. |
| PORTSCANNER | true | Enable the entire port scanning module. |
| PORTSCAN_PASSIVE | true | Passive port scanning with Shodan. |
| PORTSCAN_ACTIVE | true | Active port scanning with nmap. |
| PORTSCAN_ACTIVE_OPTIONS | --top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners | Nmap flags for active scanning. |
| CDN_IP | true | Detect IPs behind CDNs. |
| GEO_INFO | true | Map IPs to geolocations. |

Note: Set PORTSCAN_ACTIVE_OPTIONS to customize nmap behavior (e.g., add --script ssl-cert).


10. Web Analysis

Tasks to analyze web servers and extract information.

| Option | Default | Description |
|---|---|---|
| WAF_DETECTION | true | Detect Web Application Firewalls. |
| NUCLEICHECK | true | Run Nuclei vulnerability scans. |
| NUCLEI_TEMPLATES_PATH | $HOME/nuclei-templates | Path to Nuclei templates. |
| NUCLEI_SEVERITY | info,low,medium,high,critical | Severity levels for Nuclei scans. |
| NUCLEI_EXTRA_ARGS | Empty | Additional Nuclei flags (e.g., -etags openssh). |
| NUCLEI_FLAGS | -silent -retries 2 | General Nuclei flags. |
| NUCLEI_FLAGS_JS | -silent -tags exposure,token -severity info,low,medium,high,critical | Nuclei flags for JS analysis. |
| URL_CHECK | true | Collect URLs passively and actively. |
| URL_CHECK_PASSIVE | true | Passive URL collection (e.g., Archive, OTX). |
| URL_CHECK_ACTIVE | true | Active URL collection via crawling. |
| URL_GF | true | Classify URLs using gf patterns. |
| URL_EXT | true | Sort URLs by file extension. |
| JSCHECKS | true | Analyze JavaScript files for secrets/endpoints. |
| FUZZ | true | Perform directory and parameter fuzzing. |
| IIS_SHORTNAME | true | Detect IIS shortname vulnerabilities. |
| CMS_SCANNER | true | Identify Content Management Systems. |
| WORDLIST | true | Generate custom wordlists for fuzzing. |
| ROBOTSWORDLIST | true | Extract historical robots.txt entries. |
| PASSWORD_DICT | true | Generate password dictionaries. |
| PASSWORD_MIN_LENGTH | 5 | Minimum password length for dictionaries. |
| PASSWORD_MAX_LENGTH | 14 | Maximum password length for dictionaries. |
| CLOUDHUNTER_PERMUTATION | NORMAL | S3 bucket permutation mode (DEEP, NORMAL, NONE). |
| NUCLEI_FUZZING_TEMPLATES_PATH | ${tools}/fuzzing-templates | Path to Nuclei fuzzing templates. |

Note: Customize NUCLEI_SEVERITY to focus on specific vulnerability levels (e.g., high,critical).


11. Vulnerabilities

Control vulnerability scanning modules (intrusive, use with caution).

| Option | Default | Description |
|---|---|---|
| VULNS_GENERAL | false | Enable the entire vulnerability module (slow and intrusive). |
| XSS | true | Test for cross-site scripting with dalfox. |
| CORS | true | Check for CORS misconfigurations. |
| TEST_SSL | true | Identify SSL/TLS misconfigurations. |
| OPEN_REDIRECT | true | Detect open redirect vulnerabilities. |
| SSRF_CHECKS | true | Test for server-side request forgery. |
| CRLF_CHECKS | true | Check for CRLF injection. |
| LFI | true | Test for local file inclusion via fuzzing. |
| SSTI | true | Detect server-side template injection. |
| SQLI | true | Test for SQL injection. |
| SQLMAP | true | Use sqlmap for SQL injection testing. |
| GHAURI | false | Use ghauri for SQL injection testing. |
| BROKENLINKS | true | Identify broken links on web pages. |
| SPRAY | true | Perform password spraying on services. |
| COMM_INJ | true | Test for command injection. |
| PROTO_POLLUTION | true | Detect JavaScript prototype pollution. |
| SMUGGLING | true | Check for HTTP request smuggling. |
| WEBCACHE | true | Identify web cache vulnerabilities. |
| BYPASSER4XX | true | Attempt to bypass 4XX responses. |
| FUZZPARAMS | true | Fuzz URL parameters for vulnerabilities. |

Note: Enable VULNS_GENERAL only with explicit target permission, as it is highly intrusive.


12. Extra Features

Advanced options for enhanced functionality.

| Option | Default | Description |
|---|---|---|
| NOTIFICATION | false | Send notifications for every function (requires NOTIFY_CONFIG). |
| SOFT_NOTIFICATION | false | Send notifications only for scan start/end. |
| DEEP | false | Enable deep scanning (same as --deep flag, slow). |
| DEEP_LIMIT | 500 | First limit for deep scanning. |
| DEEP_LIMIT2 | 1500 | Second limit for deep scanning. |
| DIFF | false | Highlight new findings in subsequent scans (for monitoring). |
| REMOVETMP | false | Delete temporary files after scan completion. |
| REMOVELOG | false | Delete log files after scan completion. |
| PROXY | false | Route web traffic through a proxy (e.g., Burp Suite). |
| SENDZIPNOTIFY | false | Zip and send results via notifications. |
| PRESERVE | true | Avoid deleting .called_fn files on large scans. |
| FFUF_FLAGS | -mc all -fc 404 -sf -noninteractive -of json | Flags for ffuf fuzzing. |
| HTTPX_FLAGS | -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length | Flags for httpx web probing. |

Note: Enable NOTIFICATION or SOFT_NOTIFICATION after configuring NOTIFY_CONFIG (see Post-Installation Guide).


13. HTTP Options

Customize HTTP request headers.

| Option | Default | Description |
|---|---|---|
| HEADER | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0 | Default HTTP header for requests. |

Note: Modify HEADER to mimic specific browsers or add custom headers (e.g., Authorization).


14. Threads

Control the number of concurrent threads for performance optimization.

| Option | Default | Description |
|---|---|---|
| FFUF_THREADS | 40 | Threads for ffuf fuzzing. |
| HTTPX_THREADS | 50 | Threads for httpx standard port probing. |
| HTTPX_UNCOMMONPORTS_THREADS | 100 | Threads for httpx uncommon port probing. |
| KATANA_THREADS | 20 | Threads for katana web crawling. |
| BRUTESPRAY_THREADS | 20 | Threads for brutespray password spraying. |
| BRUTESPRAY_CONCURRENCE | 10 | Concurrent hosts for brutespray. |
| DNSTAKE_THREADS | 100 | Threads for dnstake takeover checks. |
| DALFOX_THREADS | 200 | Threads for dalfox XSS testing. |
| PUREDNS_PUBLIC_LIMIT | 0 | Thread limit for puredns public resolvers (0 = unlimited). |
| PUREDNS_TRUSTED_LIMIT | 400 | Thread limit for puredns trusted resolvers. |
| PUREDNS_WILDCARDTEST_LIMIT | 30 | Thread limit for puredns wildcard tests. |
| PUREDNS_WILDCARDBATCH_LIMIT | 1500000 | Batch size for puredns wildcard checks. |
| RESOLVE_DOMAINS_THREADS | 150 | Threads for resolving domain IPs. |
| DNSVALIDATOR_THREADS | 200 | Threads for dnsvalidator resolver generation. |
| INTERLACE_THREADS | 10 | Threads for Interlace multithreading. |
| TLSX_THREADS | 1000 | Threads for tlsx TLS scanning. |
| XNLINKFINDER_DEPTH | 3 | Depth for xnLinkFinder JS analysis. |

Note: Increase threads on high-performance systems or decrease to avoid overwhelming targets or routers.


15. Rate Limits

Control the rate of requests to prevent blocking or rate-limiting.

| Option | Default | Description |
|---|---|---|
| HTTPX_RATELIMIT | 150 | Requests per second for httpx. |
| NUCLEI_RATELIMIT | 150 | Requests per second for nuclei. |
| FFUF_RATELIMIT | 0 | Requests per second for ffuf (0 = unlimited). |

Note: Lower rate limits (e.g., 100) for sensitive targets to avoid detection.


16. Timeouts

Set maximum execution times for tools or tasks.

| Option | Default | Description |
|---|---|---|
| SUBFINDER_ENUM_TIMEOUT | 180 | Timeout for subfinder enumeration (minutes). |
| CMSSCAN_TIMEOUT | 3600 | Timeout for CMS scanning (seconds). |
| FFUF_MAXTIME | 900 | Timeout for ffuf per URL (seconds). |
| HTTPX_TIMEOUT | 10 | Timeout for httpx standard port probes (seconds). |
| HTTPX_UNCOMMONPORTS_TIMEOUT | 10 | Timeout for httpx uncommon port probes (seconds). |
| PERMUTATIONS_LIMIT | 21474836480 | Maximum permutation file size (bytes, ~20 GB). |

Note: Increase timeouts for slow networks or large targets (e.g., HTTPX_TIMEOUT=20).


17. Lists

Specify wordlists and resolvers for various tasks.

| Option | Default | Description |
|---|---|---|
| fuzz_wordlist | ${tools}/fuzz_wordlist.txt | Wordlist for fuzzing. |
| lfi_wordlist | ${tools}/lfi_wordlist.txt | Wordlist for LFI testing. |
| ssti_wordlist | ${tools}/ssti_wordlist.txt | Wordlist for SSTI testing. |
| subs_wordlist | ${tools}/subdomains.txt | Wordlist for subdomain bruteforcing. |
| subs_wordlist_big | ${tools}/subdomains_n0kovo_big.txt | Large wordlist for deep subdomain bruteforcing. |
| resolvers | ${tools}/resolvers.txt | List of DNS resolvers. |
| resolvers_trusted | ${tools}/resolvers_trusted.txt | List of trusted DNS resolvers. |

Note: Replace with custom wordlists for targeted scans (e.g., fuzz_wordlist=/path/to/custom.txt).


18. Ax Framework

Configure distributed scanning with the Ax Framework.

| Option | Default | Description |
|---|---|---|
| AXIOM_FLEET_LAUNCH | true | Launch a new Ax fleet automatically. |
| AXIOM_FLEET_NAME | reconFTW | Prefix for the Ax fleet name. |
| AXIOM_FLEET_COUNT | 10 | Number of instances in the fleet. |
| AXIOM_FLEET_REGIONS | eu-central | Cloud region for the fleet. |
| AXIOM_FLEET_SHUTDOWN | true | Delete the fleet after scan completion. |
| AXIOM_POST_START | Commented (#) | Script to run after fleet startup (e.g., ~/Tools/axiom_config.sh). |
| AXIOM_EXTRA_ARGS | Empty | Additional Ax arguments (e.g., --rm-logs). |

Note: See the Ax Framework Version Guide for setup instructions.


19. Faraday Integration

Configure integration with Faraday for reporting.

| Option | Default | Description |
|---|---|---|
| FARADAY | false | Enable Faraday integration. |
| FARADAY_SERVER | http://localhost:5985 | Faraday server address. |
| FARADAY_USER | faraday | Faraday username. |
| FARADAY_PASS | FARADAY_PASSWORD | Faraday password. |
| FARADAY_WORKSPACE | reconftw | Faraday workspace name. |

Note: See the Post-Installation Guide for Faraday setup.


20. AI Reporting

Configure AI-powered report generation with reconftw_ai.

| Option | Default | Description |
|---|---|---|
| AI_MODEL | llama3:8b | AI model for report generation (e.g., llama3:8b). |
| AI_REPORT_TYPE | md | Report format (md for Markdown, txt for plain text). |
| AI_REPORT_PROFILE | bughunter | Report style (executive, brief, bughunter). |

Note: See the AI Integration Guide for setup instructions.


21. Output Colors

Customize console output colors (see this guide for color codes).

| Option | Default | Description |
|---|---|---|
| bred | \033[1;31m | Bold red (errors). |
| bblue | \033[1;34m | Bold blue (info). |
| bgreen | \033[1;32m | Bold green (success). |
| byellow | \033[1;33m | Bold yellow (warnings). |
| red | \033[0;31m | Red (normal errors). |
| blue | \033[0;34m | Blue (normal info). |
| green | \033[0;32m | Green (normal success). |
| yellow | \033[0;33m | Yellow (normal warnings). |
| reset | \033[0m | Reset color. |

Note: Modify colors to match your terminal preferences.


Example Configurations

Below are sample reconftw.cfg snippets for common use cases.

  1. Passive-Only Scan (minimize active requests):

    OSINT=true
    SUBDOMAINS_GENERAL=true
    SUBPASSIVE=true
    SUBBRUTE=false
    SUBSCRAPING=false
    VULNS_GENERAL=false
    NOTIFICATION=true

  2. Deep Recon with Ax Framework (VPS recommended):

    DEEP=true
    SUB_RECURSIVE_PASSIVE=true
    SUB_RECURSIVE_BRUTE=true
    AXIOM_FLEET_LAUNCH=true
    AXIOM_FLEET_COUNT=20
    FFUF_THREADS=80
    HTTPX_RATELIMIT=200

  3. AI-Enhanced Bug Hunting (with vulnerability checks):

    VULNS_GENERAL=true
    XSS=true
    SQLI=true
    AI_MODEL="llama3:8b"
    AI_REPORT_TYPE="md"
    AI_REPORT_PROFILE="bughunter"
    SENDZIPNOTIFY=true

  4. Minimal Resource Usage (for low-end systems):

    FFUF_THREADS=20
    HTTPX_THREADS=30
    HTTPX_RATELIMIT=50
    NUCLEI_RATELIMIT=50
    SUB_RECURSIVE_PASSIVE=false
    DEEP=false
    REMOVETMP=true

Note: Save changes to reconftw.cfg before running scans to apply the configuration.
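
A scope check for snippets like the Passive-Only one, as an added example that is not part of reconFTW or of the original page: it reads a reconftw.cfg-style file as text and lists which options the tables above describe as active or intrusive are still set to true. The option list (ACTIVE_OPTS), the function names and the sample file are assumptions made for this illustration, and it assumes the last assignment of an option wins.

```shell
#!/bin/sh
# Added example, not reconFTW code. The file is read as text, never sourced.

# Editor's selection of options the tables describe as active or intrusive.
ACTIVE_OPTS="SUBBRUTE SUB_RECURSIVE_BRUTE PORTSCAN_ACTIVE URL_CHECK_ACTIVE FUZZ VULNS_GENERAL"

# active_enabled FILE: print, in ACTIVE_OPTS order, each listed option whose
# last uncommented assignment in FILE is true (assumes later lines override).
active_enabled() {
    awk -v opts="$ACTIVE_OPTS" '
        BEGIN { n = split(opts, order, " "); for (i = 1; i <= n; i++) want[order[i]] = 1 }
        /^[ \t]*#/ { next }                        # commented-out option
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)            # drop a trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)     # strip spaces and double quotes
            if (key in want) last[key] = val
        }
        END { for (i = 1; i <= n; i++) if (last[order[i]] == "true") print order[i] }
    ' "$1"
}

# Constructed sample: defaults taken from the tables above, followed by the
# Passive-Only Scan overrides from example 1.
sample_cfg() {
    cat <<'EOF'
SUBBRUTE=true
SUB_RECURSIVE_BRUTE=false
#SUB_RECURSIVE_BRUTE=true
PORTSCAN_ACTIVE=true
URL_CHECK_ACTIVE=true
FUZZ=true
VULNS_GENERAL=false # slow and intrusive
OSINT=true
SUBDOMAINS_GENERAL=true
SUBPASSIVE=true
SUBBRUTE=false
SUBSCRAPING=false
VULNS_GENERAL=false
NOTIFICATION=true
EOF
}

cfg=$(mktemp) && sample_cfg > "$cfg"
echo "Still true after the passive-only overrides:"
active_enabled "$cfg"
rm -f "$cfg"
```

Extend ACTIVE_OPTS with any other option you treat as out of scope for a given engagement.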


Troubleshooting

  • Invalid Configuration:
    • Check for syntax errors in reconftw.cfg (e.g., missing quotes, incorrect paths).
    • Ensure paths (e.g., tools, fuzz_wordlist) exist and are accessible.
  • API-Related Issues:
    • Verify API keys are uncommented and correctly formatted.
    • Check provider documentation for rate limits or scope requirements.
  • Performance Problems:
    • Reduce threads (e.g., FFUF_THREADS=20) or rate limits (e.g., HTTPX_RATELIMIT=50) on low-end systems.
    • Disable resource-intensive modules (e.g., SUB_RECURSIVE_BRUTE=false).
  • Tool Failures:
    • Run ./install.sh with DEBUG_STD="" to debug installation issues.
    • Verify tool paths in tools directory and reconftw.cfg.
  • Ax Framework Errors:
    • Check Ax configuration (~/.axiom/axiom.json) and fleet status (axiom-fleet ls).
    • Ensure AXIOM_FLEET_COUNT matches your cloud provider’s capacity.
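
The path and API-key checks from the list above can be scripted before a scan. This is an added example, not reconFTW code: it parses the cfg as text, reports wordlist and resolver options whose files are missing, and reports API keys that are set while the cfg is readable by group or others. The function names, the choice of keys to treat as secrets and the demo file are assumptions; only a leading ${tools}, $tools, $HOME or ~ is expanded.

```shell
#!/bin/sh
# Added example, not reconFTW code. The cfg is parsed as text and never sourced,
# so nothing inside it is executed by these checks.

# cfg_value FILE KEY: last uncommented value of KEY, trailing comment and quotes removed.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# expand_path VALUE TOOLS_DIR: expand only a leading ${tools}, $tools, $HOME or ~.
expand_path() {
    case $1 in
        '${tools}'/* | '$tools'/*) printf '%s/%s\n' "$2" "${1#*/}" ;;
        '$HOME'/* | '~'/*)         printf '%s/%s\n' "$HOME" "${1#*/}" ;;
        *)                         printf '%s\n' "$1" ;;
    esac
}

# missing_lists FILE: print each wordlist/resolver option whose path is not a readable file.
missing_lists() {
    tools_dir=$(expand_path "$(cfg_value "$1" tools)" "")
    for key in fuzz_wordlist lfi_wordlist ssti_wordlist subs_wordlist resolvers resolvers_trusted; do
        path=$(expand_path "$(cfg_value "$1" "$key")" "$tools_dir")
        [ -n "$path" ] && [ ! -r "$path" ] && echo "$key"
    done
    return 0
}

# exposed_secrets FILE: print each secret that is set while FILE is readable by
# group or others (characters 5 and 8 of the `ls -ld` mode string).
exposed_secrets() {
    [ "$(ls -ld "$1" | cut -c5,8)" = "--" ] && return 0
    for key in SHODAN_API_KEY WHOISXML_API slack_auth; do
        [ -n "$(cfg_value "$1" "$key")" ] && echo "$key"
    done
    return 0
}

# make_demo: build a constructed cfg in a temp dir (values are placeholders) and print the dir.
make_demo() {
    d=$(mktemp -d) && : > "$d/fuzz_wordlist.txt"
    cat > "$d/reconftw.cfg" <<EOF
tools=$d # constructed path
fuzz_wordlist=\${tools}/fuzz_wordlist.txt
lfi_wordlist=\${tools}/lfi_wordlist.txt
resolvers="\${tools}/resolvers.txt"
#WHOISXML_API="XXXX"
SHODAN_API_KEY="constructed-placeholder"
EOF
    chmod 644 "$d/reconftw.cfg" && echo "$d"
}

demo=$(make_demo)
echo "missing lists:";   missing_lists   "$demo/reconftw.cfg"
echo "exposed secrets:"; exposed_secrets "$demo/reconftw.cfg"
rm -rf "$demo"
```

Running chmod 600 on reconftw.cfg clears the second report; the same permission applies to the files named by GITHUB_TOKENS and GITLAB_TOKENS.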

For further help, join the Discord server or Telegram group.

