Skip to content

5. Ax Framework

Jump to bottom
six2dez edited this page May 16, 2025 · 1 revision

Ax Framework Version Guide

This guide explains how to use reconFTW with the Ax Framework, a platform for orchestrating distributed cloud instances to perform high-speed, scalable reconnaissance scans. By integrating reconFTW with Ax, you can distribute tasks across multiple virtual private servers (VPSs), reducing scan time and minimizing the risk of IP bans.

Note: The Ax Framework is the successor to Axiom, which is now in maintenance mode. This guide focuses on Ax Framework compatibility, as recommended by the reconFTW and Ax communities.

📔 Table of Contents

Why Use Ax Framework?

The Ax Framework (https://ax.attacksurge.com/) is a cloud orchestration tool that enables you to spin up and manage multiple VPS instances for distributed task processing. Unlike traditional single-system scans, Ax distributes workloads across cloud instances, offering:

  • Speed: Parallel execution of reconFTW modules (e.g., subdomain enumeration, fuzzing) across multiple instances reduces scan time significantly.
  • Scalability: Easily scale from 1 to 100+ instances based on target size or scan complexity.
  • IP Rotation: Distributing requests across multiple VPSs minimizes the risk of IP bans or rate-limiting by targets.
  • Cost Efficiency: Spin up instances only when needed and terminate them after scans to save cloud costs.

reconFTW is a resource-intensive tool that actively probes targets with time-consuming modules (e.g., bruteforcing, vulnerability scanning). The Ax Framework enhances reconFTW by:

  • Distributing tasks like subfinder, nuclei, and ffuf across instances for faster execution.
  • Leveraging pre-installed tools in Ax images, optimized for reconFTW compatibility.
  • Supporting large-scale scans (e.g., --deep or -a) without overwhelming a single system.

reconFTW’s Ax integration was developed in collaboration with the Ax team, ensuring all required tools (e.g., katana, dnsx, nuclei) are included in Ax images, delivering high-quality results with minimal setup.

Installation

To use reconFTW with Ax Framework, you need to install reconFTW on your controller system and configure Ax to manage cloud instances. A VPS (e.g., AWS, Linode, DigitalOcean) is recommended as the controller for stability, but a local system can also be used.

Prerequisites

  • System: Linux (Ubuntu 22.04+ recommended) or macOS with at least 4 GB RAM and 20 GB free disk space.
  • Cloud Provider: Account with AWS, Linode, DigitalOcean, or Hetzner (Hetzner offers strong specs at low cost).
  • API Key: Cloud provider API key with permissions to create and delete instances.
  • Docker: Required for Ax Framework (version 20.10 or higher).
  • Git: For cloning repositories.

Step 1: Install reconFTW

Install reconFTW on your controller system to prepare the environment and tools.

  1. Clone the Repository:

    git clone https://github.com/six2dez/reconftw.git
cd reconftw

    Clones the reconFTW repository and navigates to its directory.

  2. Run the Installer:

    ./install.sh

    Installs dependencies, tools, and wordlists (takes ~15–30 minutes).

  3. Verify Installation:

    ./reconftw.sh --version

    Confirms reconFTW is installed and displays the current version.

Note: If errors occur, set DEBUG_STD="" in reconftw.cfg and rerun ./install.sh to debug. See the Post-Installation Guide for API key setup.

Step 2: Install and Configure Ax Framework

Install the Ax Framework to manage distributed instances. For detailed instructions, refer to the Ax Framework Documentation.

  1. Clone the Ax Repository:

    git clone https://github.com/attacksurge/ax ~/.ax/

    Clones the Ax Framework repository to ~/.ax/.

  2. Run the Configuration Script:

    ~/.ax/interact/ax-configure

    Launches an interactive setup for cloud provider credentials and settings.

  3. Configure Ax: During setup, provide:

    • Cloud Provider: Select your provider (e.g., linode, aws, digitalocean, hetzner).
    • API Key: Enter your provider’s API key (e.g., Linode Personal Access Token).
    • Region: Choose a region (e.g., us-east for Linode, us-east-1 for AWS).
    • Instance Type: Select a size (e.g., g6-standard-1 for Linode, t3.micro for AWS).
    • Provisioner: Enter reconftw when prompted to use the reconFTW-optimized image.

    Example Configuration (Linode):

    {
  "provider": "linode",
  "do_key": "YOUR_LINODE_API_KEY",
  "region": "us-east",
  "default_size": "g6-standard-1"
}

    Saved to ~/.ax/accounts/personal.json.

  4. Verify Installation:

    ax-fleet ls

    Checks if Ax is configured and can communicate with your cloud provider (takes ~25–30 minutes for initial setup).

  5. Initialize a Fleet:

    ax-fleet testy -i=10

    Creates a fleet named testy with 10 instances (e.g., testy01, testy02, ..., testy10). Adjust -i based on your needs and budget.

Note: Ensure your cloud provider supports the number of instances requested (check quotas). Hetzner is recommended for cost-effective, high-performance instances.

Running Scans with Ax

Once reconFTW and Ax Framework are installed, you can run distributed scans by adding the -v flag to reconFTW commands. The -v flag enables Ax mode, distributing tasks across the initialized fleet.

Example Commands

  1. Full Recon Scan:

    ./reconftw.sh -d target.com -r -v

    Performs a full reconnaissance scan (-r) on target.com using Ax instances.

  2. Subdomain Enumeration:

    ./reconftw.sh -d target.com -s -v

    Runs subdomain enumeration (-s) with Ax distribution.

  3. Deep Scan with AI Reporting:

    ./reconftw.sh -d target.com -a -y -v

    Executes an all-encompassing scan (-a) with AI-generated reports (-y) using Ax.

Notes

  • Fleet Management:
    • Check fleet status: ax-fleet ls.
    • Terminate fleet: ax-fleet rm testy.
    • Adjust instance count in reconftw.cfg (AXIOM_FLEET_COUNT) or via -i.
  • Output: Results are saved to the Recon/ directory on the controller, synced from Ax instances.
  • Cost Control: Set AXIOM_FLEET_SHUTDOWN=true in reconftw.cfg to automatically delete instances after scans.
  • Verbose Mode: Add --verbose to reconFTW commands for detailed Ax task logs.

Best Practices

  • Use a VPS Controller: Run Ax on a cloud VPS (e.g., AWS t3.micro, Linode Nanode) for reliability, especially for long scans. Local systems may face network interruptions.
  • Optimize Instance Count: Start with 5–10 instances (-i=5) for small targets and scale up (e.g., 20–50) for large scopes. Check cloud provider quotas.
  • Monitor Costs: Use low-cost providers like Hetzner and enable AXIOM_FLEET_SHUTDOWN=true to avoid idle instance charges.
  • Secure API Keys: Store cloud API keys in ~/.ax/accounts/personal.json with restricted permissions (chmod 600).
  • Customize reconFTW: Edit reconftw.cfg to adjust Ax settings (e.g., AXIOM_FLEET_COUNT, AXIOM_FLEET_REGIONS) and scan modules (see Configuration File Guide).
  • Test Small Scans: Run a subdomain scan (-s -v) on a test domain to verify Ax setup before full scans.
  • Backup Results: Regularly back up the Recon/ directory, as Ax instances are ephemeral.
  • AI Integration: For -y scans, ensure Ollama is running on the controller or a reachable host (--network host in Docker).

Troubleshooting

  • Ax Configuration Errors:
    • Verify ~/.ax/accounts/personal.json has valid credentials and region/instance settings.
    • Check cloud provider quotas: ax-fleet ls --debug.
    • Re-run ax-configure if setup fails.
  • Fleet Initialization Fails:
    • Ensure sufficient disk space on the controller (>20 GB).
    • Check provider limits (e.g., Linode’s default instance cap is 10).
    • Use a different region: Edit AXIOM_FLEET_REGIONS in reconftw.cfg.
  • Scan Tasks Hang:
    • Increase timeouts in reconftw.cfg (e.g., HTTPX_TIMEOUT=20).
    • Reduce instance count (-i=5) to avoid overwhelming the target.
    • Check Ax logs: ax-logs testy.
  • Tools Missing in Ax Image:
    • Verify the reconftw provisioner was selected during ax-configure.
    • Manually update the Ax image: ax-build reconftw.
  • Permission Issues:
    • Ensure ~/.ax/ and reconftw/Recon/ have correct permissions (chmod -R 755).
    • Run Docker as a non-root user or use --user $(id -u):$(id -g).
  • AI Reporting Fails:
    • Confirm Ollama is running and AI_MODEL is set in reconftw.cfg.
    • Use --network host if running in Docker.

For further help, join the reconFTW Discord, Ax Framework Discord, or reconFTW Telegram.

Next Steps

Clone this wiki locally