3. Configuration file
Through the reconftw.cfg file the whole execution of the tool can be controlled. Hunters can set various scanning modes, execution preferences, tools, config files, API keys/tokens, personalized wordlists and much more. The following explains what each of the options is for:

Values affecting the general workflow of the tool no matter which mode is used.
| OPTION | Default | Description |
|---|---|---|
| tools | ~/Tools | Directory where all the tools are stored |
| SCRIPTPATH | "$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" | Path where reconFTW directory is placed |
| profile_shell | ".$(basename $(echo $SHELL))rc" | Name of your config shell file (i.e. .zshrc or .bashrc) |
| reconftw_version | | Get git version |
| update_resolvers | true | Whether to update the resolvers list if it is more than 24 hours old |
| proxy_url | http://127.0.0.1:8080/ | Sends the reconFTW traffic through a proxy (proxify) |
| dir_output | Default is ignored (#) = false | Output folder for results, uncomment and set an absolute path to use it |
These are the default values of any Golang installation; if your setup differs, change them here.
| OPTION | Default | Description |
|---|---|---|
| export GOROOT | /usr/local/go | Golang path for root |
| export GOPATH | $HOME/go | Default golang path for root |
| export PATH | $GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH | Add Golang to your $PATH |
Paths where the config files for tools used by reconFTW are stored.
| OPTION | Default | Description |
|---|---|---|
| AMASS_CONFIG | ~/.config/amass/config.ini | Amass config file |
| GITHUB_TOKENS | ${tools}/.github_tokens | File with Github tokens, one per line |
Here you can define the API keys, values or tokens used by some tools; they can also be defined in your .bashrc/.zshrc instead of here. If you want to define them here, first uncomment the line and then add the value. These are the ones used:
| OPTION | Default | Description |
|---|---|---|
| SHODAN_API_KEY | | Shodan API key |
| XSS_SERVER | | Domain for blind XSS attacks (i.e. six2dez.xss.ht) |
| COLLAB_SERVER | | Collaborator server for SSRF tests |
| findomain_virustotal_token | | Findomain VT token |
| findomain_spyse_token | | Findomain Spyse token |
| findomain_securitytrails_token | | Findomain ST token |
| findomain_fb_token | | Findomain FB token |
| slack_channel | | Needed to send zip output over Slack |
| slack_auth | | Needed to send zip output over Slack |
As you can see, reconFTW doesn't output the original stdout of the tools: it is redirected to keep the output clean. You can comment out these variables to output everything (same behavior as the -v flag), or comment out only DEBUG_ERROR to show just the tools' errors.
| OPTION | Default | Description |
|---|---|---|
| DEBUG_STD | "&>/dev/null" | Standard message redirection |
| DEBUG_ERROR | "2>/dev/null" | Error message redirection |
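The two variables above are only redirection strings; they take effect because the script expands them into the command line of each tool. The following added example (not reconFTW's own code) shows that mechanism with a constructed stand-in tool, `fake_tool`, which writes one line to stdout and one to stderr. `run_with_redirect` is a helper assumed for this example; it evaluates the command together with the redirection string and returns how many lines still reach the caller, so you can see the effect of each DEBUG value, including the empty string that commenting the variable out produces.

```bash
#!/usr/bin/env bash
# Added example, not part of reconFTW: demonstrates how a redirection string
# such as DEBUG_STD="&>/dev/null" silences a tool when expanded with eval,
# and how an empty value (the variable commented out) restores all output.

# Constructed stand-in for a recon tool: one stdout line, one stderr line.
fake_tool() {
    echo "result line"
    echo "warning line" >&2
}

# Run a command with a reconFTW-style redirection string.
#   $1      redirection string: "&>/dev/null", "2>/dev/null" or ""
#   $2...   the command to run
# Prints the number of lines that still reached the caller.
run_with_redirect() {
    local redir="$1"; shift
    local tmp; tmp="$(mktemp)"
    # The string must be evaluated as shell syntax. Passing it as a normal
    # argument would hand the tool the literal text "&>/dev/null" instead.
    eval "$* $redir" >"$tmp" 2>&1
    local n; n="$(wc -l <"$tmp" | tr -d ' ')"
    rm -f "$tmp"
    echo "$n"
}

# Walk through the three configurations described in the table above.
demo() {
    echo "DEBUG_STD=\"&>/dev/null\"  -> $(run_with_redirect '&>/dev/null' fake_tool) line(s) shown"
    echo "DEBUG_ERROR=\"2>/dev/null\" -> $(run_with_redirect '2>/dev/null' fake_tool) line(s) shown"
    echo "variable commented out     -> $(run_with_redirect '' fake_tool) line(s) shown"
}

demo
```

With `&>/dev/null` nothing is shown, with `2>/dev/null` only the stdout line survives, and with the variable commented out both lines appear, which is exactly the difference between the default quiet run and the -v behaviour.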
Functions executed for OSINT techniques; set any of them to false to skip it.
| OPTION | Default | Description |
|---|---|---|
| GOOGLE_DORKS | true | Google dorking |
| GITHUB_DORKS | false | GitHub dorking, defaults to false because it is slow |
| METADATA | true | Extract metadata from public files |
| EMAILS | true | Extract emails/users/passwords related to target |
| DOMAIN_INFO | true | Whois info and domains related to the same registrant |
Various subdomain enumeration techniques used; set to false those that you don't want to run.
| OPTION | Default | Description |
|---|---|---|
| SUBCRT | true | Subdomains from certificate transparency |
| SUBBRUTE | true | Subdomain bruteforce |
| SUBSCRAPING | true | Subdomains scraping from source code |
| SUBPERMUTE | true | Subdomains permutations |
| SUBTAKEOVER | true | Subdomain takeover check |
| SUBRECURSIVE | true | Subdomain recursive search |
| ZONETRANSFER | true | Zone transfer check |
| S3BUCKETS | true | Checks for S3 buckets |
Tasks to detect websites in subdomains.
| OPTION | Default | Description |
|---|---|---|
| WEBPROBESIMPLE | true | Web probe on http and https |
| WEBPROBEFULL | true | Web probe on more than 90 ports, where web interface can be hosted |
| WEBSCREENSHOT | true | Web screenshot every website found |
| UNCOMMON_PORTS_WEB | ... | List of ports where web interface can be hosted |
| AXIOM_SCREENSHOT_MODULE | gowitness | Web Screenshots in axiom |
Tasks performed on hosts found.
| OPTION | Default | Description |
|---|---|---|
| FAVICON | true | Check favicon to find more domains or waf bypass with same favicon hash |
| PORTSCANNER | true | To disable or enable any type of port scan |
| PORTSCAN_PASSIVE | true | Port scanner passive with Shodan |
| PORTSCAN_ACTIVE | true | Port scanner with nmap top 1000 |
| CLOUD_IP | true | Shows what IPs belong to cloud providers |
Tasks performed on every website found to retrieve as much info as possible.
| OPTION | Default | Description |
|---|---|---|
| WAF_DETECTION | true | Detect if website is behind waf |
| NUCLEICHECK | true | Run nuclei templates |
| URL_CHECK | true | Retrieve urls from passive and crawling |
| URL_GF | true | Analyze urls extracted with gf patterns |
| URL_EXT | true | Create a file sort by extension type |
| JSCHECKS | true | Analyze JS files |
| PARAMS | true | Retrieve urls with GET parameters and force hidden params |
| FUZZ | true | Web fuzzing |
| CMS_SCANNER | true | Scan to detect CMS |
| WORDLIST | true | Set wordlist used in Fuzzer |
Every vulnerability check performed; the URLs are first filtered with uddup, qsreplace and gf-patterns.
| OPTION | Default | Description |
|---|---|---|
| XSS | true | XSS reflected with Gxss confirmed with dalfox |
| CORS | true | CORS misconfigurations |
| TEST_SSL | true | Check SSL |
| OPEN_REDIRECT | true | Check Open Redirects flaws |
| SSRF_CHECKS | true | Scan for SSRF |
| CRLF_CHECKS | true | Scan for CRLF |
| LFI | true | LFI with fuzzing wordlist |
| SSTI | true | LFI with fuzzing |
| SQLI | true | SQLi with SQLmap |
| BROKENLINKS | true | Check broken links redirections |
| SPRAY | true | Password spraying with brutespray over ports and services found |
| BYPASSER4XX | true | Check common 4xx bypasses found in fuzz |
Advanced options that you may find interesting.
| OPTION | Default | Description |
|---|---|---|
| NOTIFICATION | false | Set to true to receive notifications (Telegram, Slack or Discord), need configuration |
| DEEP | false | Enable deep (and slower) scan, same as --deep flag |
| DIFF | false | Enable support to run over the same targets again and again, reporting only new findings (for cron mode and monitoring) |
| REMOVETMP | false | Remove temporary files after finish scan |
| PROXY | false | Proxy(burp, zap) to send websites and fuzzing |
| SENDZIPNOTIFY | false | Set to true to send zipped results over Tg, Discord or Slack |
| PRESERVE | false | Set to true to allow repeat every step (only Axiom) |
Headers for HTTP requests.
| OPTION | Default | Description |
|---|---|---|
| HEADER | "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" | Define custom Header or User-Agent |
Threads control for the tools.
| OPTION | Default | Description |
|---|---|---|
| FFUF_THREADS | 40 | Fuzzing threads |
| HTTPX_THREADS | 50 | Http probe threads |
| HTTPX_UNCOMMONPORTS_THREADS | 100 | Http uncommon ports probe threads |
| GOSPIDER_THREADS | 50 | Crawler threads |
| GITDORKER_THREADS | 5 | Github dorking threads |
| BRUTESPRAY_THREADS | 20 | Password spraying threads |
| BRUTESPRAY_CONCURRENCE | 10 | Password spraying concurrent hosts |
| ARJUN_THREADS | 20 | Param discovery threads |
| GAUPLUS_THREADS | 10 | Concurrent threads for gauplus |
| DALFOX_THREADS | 200 | Threads for dalfox |
| PUREDNS_PUBLIC_LIMIT | 0 | Threads for massdns querying public resolvers (0 = unlimited; if your network connection becomes unstable, set it between 2000 and 10000) |
| PUREDNS_TRUSTED_LIMIT | 400 | Puredns threads querying trusted dns resolvers |
| DIRDAR_THREADS | 200 | Dirdar threads |
Maximum execution time for a particular tool or job can be set here (values in seconds).
| OPTION | Default | Description |
|---|---|---|
| CMSSCAN_TIMEOUT | 36000 | Timeout for the whole CMScanner execution |
| FFUF_MAXTIME | 900 | Maximum execution time for a single url |
| HTTPX_TIMEOUT | 10 | Maximum time to wait for a response for web probes on port 80 & 443 |
| HTTPX_UNCOMMONPORTS_TIMEOUT | 10 | Maximum time to wait for a response |
Wordlists to use in reconFTW. Here you can specify your personalized wordlists.
| OPTION | Default | Description |
|---|---|---|
| fuzz_wordlist | ${tools}/fuzz_wordlist.txt | Fuzzing wordlist |
| lfi_wordlist | ${tools}/lfi_wordlist.txt | LFI wordlist |
| subs_wordlist | ${tools}/subdomains.txt | Subdomains wordlist (jhaddix's all.txt) |
| subs_wordlist_big | ${tools}/subdomains_big.txt | Big subdomain wordlist used with deep flag (assetnote) |
| resolvers | ${tools}/resolvers.txt | List of resolvers |
| resolvers_trusted | ${tools}/resolvers_trusted.txt | List of trusted DNS resolvers |
Axiom configurations
| OPTION | Default | Description |
|---|---|---|
| AXIOM_FLEET_LAUNCH | false | Set to true to automatically launch a new axiom instance |
| AXIOM_FLEET_NAME | reconFTW | Axiom's fleet name |
| AXIOM_FLEET_COUNT | 5 | Axiom's fleet size |
| AXIOM_FLEET_REGIONS | "" | Axiom's fleet region |
| AXIOM_FLEET_SHUTDOWN | true | Set to true to automatically delete axiom instance after the work is done |
Just the color printed for each message type; change them here if you want different ones.
| OPTION | Default | Description |
|---|---|---|
| bred | '\033[1;31m' | Bold red |
| bblue | '\033[1;34m' | Bold blue |
| bgreen | '\033[1;32m' | Bold green |
| yellow | '\033[0;33m' | Yellow |
| red | '\033[0;31m' | Red |
| blue | '\033[0;34m' | Blue |
| green | '\033[0;32m' | Green |
| reset | '\033[0m' | Reset color |
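Because reconftw.cfg is sourced as shell, a mistyped value (for example `yes` instead of `true`, or a non-numeric thread count) is silently accepted and only shows up as odd behaviour mid-scan. The following added example, which is not part of reconFTW, is a small pre-flight lint for a cfg file built from the option tables above. It deliberately parses `key=value` lines with plain string operations instead of sourcing the file, so a config from an untrusted source is never executed just to be checked. `write_sample_cfg`, `lint_cfg`, `in_list` and the option lists are assumptions made for this example; the sample config it writes is constructed and contains three deliberate mistakes.

```bash
#!/usr/bin/env bash
# Added example, not reconFTW's own code: sanity-check a reconftw.cfg-style
# file before a run, without sourcing (executing) it.

# Subsets of the options from the tables above, grouped by expected type.
BOOL_OPTS="update_resolvers GOOGLE_DORKS GITHUB_DORKS SUBCRT SUBBRUTE DEEP DIFF PROXY REMOVETMP"
NUM_OPTS="FFUF_THREADS HTTPX_THREADS DALFOX_THREADS CMSSCAN_TIMEOUT FFUF_MAXTIME"

# Constructed sample config with three deliberate mistakes:
# SUBBRUTE=yes, HTTPX_THREADS=fifty and a mistyped DEBUG_ERROR redirection.
write_sample_cfg() {
    cat >"$1" <<'EOF'
# general values
tools=~/Tools
update_resolvers=true
GITHUB_DORKS=false
SUBBRUTE=yes
FFUF_THREADS=40
HTTPX_THREADS=fifty
proxy_url="http://127.0.0.1:8080/"
DEBUG_STD="&>/dev/null"
DEBUG_ERROR="2>/dev/nul"
EOF
}

# in_list NAME "a b c" -> success if NAME is one of the space-separated words.
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# lint_cfg FILE: print one "option: problem" line per finding on stderr and
# the number of findings on stdout.
lint_cfg() {
    local cfg="$1" count=0 line opt val
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
        opt="${line%%=*}"
        val="${line#*=}"
        val="${val#\"}"; val="${val%\"}"               # strip surrounding quotes
        if in_list "$opt" "$BOOL_OPTS"; then
            case "$val" in
                true|false) ;;
                *) echo "$opt: expected true/false, got '$val'" >&2; count=$((count + 1)) ;;
            esac
        elif in_list "$opt" "$NUM_OPTS"; then
            case "$val" in
                ''|*[!0-9]*) echo "$opt: expected a number, got '$val'" >&2; count=$((count + 1)) ;;
            esac
        elif [ "$opt" = DEBUG_STD ] || [ "$opt" = DEBUG_ERROR ]; then
            case "$val" in
                ''|'&>/dev/null'|'2>/dev/null') ;;
                *) echo "$opt: unexpected redirection '$val'" >&2; count=$((count + 1)) ;;
            esac
        elif [ "$opt" = proxy_url ]; then
            case "$val" in
                http://*|https://*) ;;
                *) echo "$opt: expected http(s)://host:port/, got '$val'" >&2; count=$((count + 1)) ;;
            esac
        fi
    done <"$cfg"
    echo "$count"
}

# Stand-alone run: lint the constructed sample and report the finding count.
main() {
    local cfg; cfg="$(mktemp)"
    write_sample_cfg "$cfg"
    echo "findings: $(lint_cfg "$cfg")"
    rm -f "$cfg"
}

main
```

Running it on the sample reports the three bad lines and prints `findings: 3`; pointing `lint_cfg` at your real reconftw.cfg gives the same check before a long run. Only a handful of options are covered here, but extending the two option lists with the remaining names from the tables above is all that is needed.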