6. Output files

six2dez edited this page May 16, 2025 · 4 revisions

Output Files Guide

reconFTW generates a variety of output files and folders, organized by scan module, to provide detailed reconnaissance and vulnerability data. This guide explains each file and folder, including their contents, the tools used to generate them, and their purpose. Understanding these outputs is essential for analyzing results and prioritizing findings.

Output Location: Results are saved in the Recon/<target>/ directory, where <target> is the domain or scope (e.g., Recon/example.com/).

Note: Enable specific modules in reconftw.cfg (e.g., OSINT=true, VULNS_GENERAL=true) to generate corresponding outputs. See the Configuration File Guide for details.

1. OSINT

The OSINT/ folder contains results from open-source intelligence gathering, such as dorking, metadata extraction, and credential harvesting.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| dorks | URLs and data from Google dork queries targeting the domain. | degoogle_hunter |
| gitdorks | Sensitive data (e.g., secrets, configs) found in GitHub repositories. | GitDorker |
| github_repos | List of GitHub repositories associated with the target. | GitDorker |
| software | Potential software used by the target, extracted from public documents. | metagoofil |
| authors | Names of individuals associated with the target’s documents. | metagoofil |
| metadata_results | Metadata (e.g., creation dates, authors) from indexed files. | metagoofil |
| emails | Email addresses linked to the target domain. | theHarvester |
| users | Usernames associated with the target. | theHarvester |
| h8mail | Emails and passwords from data breaches. | h8mail |
| passwords | Passwords from breaches or leaks. | theHarvester, pwndb |
| domain_info_general | WHOIS data (e.g., registrant, creation date) for the target domain. | whoisxmlapi |
| domain_info_name | Domains registered under the same name as the target. | whoisxmlapi |
| domain_info_email | Domains registered with the same email as the target. | whoisxmlapi |
| domain_info_ip | Domains hosted on the same IP as the target. | whoisxmlapi |
| ip_info | Geolocation and reverse IP data for target IPs. | ip-api |
| third_parties | Misconfigured third-party services (e.g., S3 buckets, Firebase). | cloud_enum |
| api_leaks | Exposed API keys or endpoints in public sources. | nuclei |
| spoof | Domains vulnerable to spoofing (e.g., missing DMARC). | dnsx |

Example: OSINT/emails.txt might contain:

Note: Enable OSINT=true in reconftw.cfg to generate these files. Set API keys (e.g., WHOISXML_API) for enhanced results.


2. Subdomains

The Subdomains/ folder contains results from subdomain enumeration and related checks.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| subdomains | List of discovered subdomains (DNS-resolved). | Multiple (e.g., subfinder, dnsx, gotator) |
| subdomains_cname | CNAME records for each subdomain. | dnsx |
| zonetransfer | Results of DNS zone transfer attempts. | dnsrecon |
| s3buckets | Identified S3 buckets and their status. | cloudhunter |
| takeover | Potential subdomain takeover vulnerabilities. | dnstake |

Example: Subdomains/subdomains.txt might contain:

api.example.com
dev.example.com
staging.example.com

Note: Enable SUBDOMAINS_GENERAL=true in reconftw.cfg. Use SUBTAKEOVER=true for takeover checks and verify findings manually.


3. Hosts

The Hosts/ folder contains data about IP addresses and host-related scans.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| ips | IPs associated with subdomains. | dnsx |
| subs_ips_vhosts | Subdomains sharing the same IP (virtual hosts). | dnsx |
| portscan_passive | Ports identified via passive scanning. | shodan-cli |
| portscan_active | Open ports from active scanning (top 200 ports). | nmap |
| favicontest | IPs sharing the same favicon as the target. | favUp |
| testssl | SSL/TLS vulnerabilities and configurations. | testssl |
| cloud_providers | Cloud providers hosting target IPs. | ip2provider |
| brutespray | Results of password spraying on services. | brutespray |
| geo_info | Geolocation data for IPs. | ip-api |

Example: Hosts/ips.txt might contain:

192.168.1.1
10.0.0.1

Note: Enable PORTSCANNER=true in reconftw.cfg. Set SHODAN_API_KEY for passive port scanning.


4. Webs

The Webs/ folder contains data about web servers and their properties.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| webs | Subdomains with active HTTP/HTTPS services. | httpx |
| webs_uncommon_ports | Web services on uncommon ports (e.g., 8080, 8443). | httpx |
| webs_wafs | Detected Web Application Firewalls (WAFs). | wafw00f |
| param | URLs with query parameters. | katana, Arjun |
| url_extract | Endpoints from crawling and passive sources. | katana, waybackurls, gau |
| dict_words | Wordlist generated from target content. | getjswords.py |
| dict_paths | Paths extracted from URLs. | unfurl |
| brokenLinks | Broken links found during crawling. | katana |
| cors | Subdomains with CORS misconfigurations. | Corsy |
| urls_by_ext | URLs sorted by file extension (e.g., .php, .js). | Custom script |
| robots | Historical robots.txt entries. | waybackurls |
| virtualhosts | Virtual hosts identified via HTTP header fuzzing. | ffuf |

Example: Webs/webs.txt might contain:

http://api.example.com
https://www.example.com

Note: Enable WEBPROBESIMPLE=true and WEBPROBEFULL=true in reconftw.cfg. Use VIRTUALHOSTS=true for virtual host fuzzing.


5. Vulnerabilities

The Vulns/ folder contains results from vulnerability scans (intrusive, requires permission).

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| xss | Potential cross-site scripting vulnerabilities. | dalfox |
| openredirect | Open redirect vulnerabilities. | OpenRedireX |
| ssrf | Server-side request forgery attempts (manual callback verification needed). | interactsh-client |
| crlf | CRLF injection vulnerabilities. | crlfuzz |
| lfi | Local file inclusion vulnerabilities. | ffuf |
| ssti | Server-side template injection vulnerabilities. | ffuf |
| 4xxbypass | Bypassed 403/401 directories. | DirDar |
| sqli | SQL injection vulnerabilities. | sqlmap, ghauri |
| proto_pollution | JavaScript prototype pollution vulnerabilities. | nuclei |
| smuggling | HTTP request smuggling vulnerabilities. | smuggler |
| webcache | Web cache poisoning vulnerabilities. | nuclei |
| comm_inj | Command injection vulnerabilities. | commix |

Example: Vulns/xss.txt might contain:

https://example.com/search?q=<script>alert(1)</script>

Note: Enable VULNS_GENERAL=true in reconftw.cfg. Always obtain permission before running vulnerability scans, as they are intrusive.


6. JavaScript Analysis

The JS/ folder contains results from analyzing JavaScript files for endpoints and secrets.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| js_endpoints | Endpoints extracted from JavaScript files. | katana |
| jsfile_links | URLs of JavaScript files found on the target. | xnLinkFinder |
| js_livelinks | Reachable JavaScript files. | httpx |
| js_secrets | Sensitive data (e.g., API keys, tokens) in JavaScript. | nuclei |
| url_extract_js | URLs embedded in JavaScript files. | katana |

Example: JS/js_secrets.txt might contain:

AWS_KEY: AKIAxxxxxxxxxxxxxxxx

Note: Enable JSCHECKS=true in reconftw.cfg. Manually verify secrets to avoid false positives.


7. Nuclei Output

The Nuclei_output/ folder contains vulnerability scan results from Nuclei, categorized by severity or template type.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| info_*.txt | Informational findings (e.g., exposed panels). | nuclei |
| low_*.txt | Low-severity vulnerabilities. | nuclei |
| medium_*.txt | Medium-severity vulnerabilities. | nuclei |
| high_*.txt | High-severity vulnerabilities. | nuclei |
| critical_*.txt | Critical-severity vulnerabilities. | nuclei |

Example: Nuclei_output/high_cve.txt might contain:

[high] [cve-2021-44228] https://example.com/log4j

Note: Enable NUCLEICHECK=true in reconftw.cfg. Customize NUCLEI_SEVERITY to filter severity levels.


8. Fuzzing

The Fuzzing/ folder contains results from directory and parameter fuzzing, organized by subdomain.

| Folder/Filename | Description | Tool Used |
| --- | --- | --- |
| <subdomain>/*.txt | Fuzzed directories and parameters for each subdomain. | ffuf |

Example: Fuzzing/api.example.com/results.txt might contain:

/admin
/config
/api/v1

Note: Enable FUZZ=true in reconftw.cfg. Adjust fuzz_wordlist for custom wordlists.


9. Screenshots

The Screenshots/ folder contains PNG images of web pages hosted on subdomains.

| Filename (*.png) | Description | Tool Used |
| --- | --- | --- |
| <subdomain>.png | Screenshot of the web page for each live subdomain. | webscreenshot |

Example: Screenshots/www.example.com.png is a screenshot of https://www.example.com.

Note: Enable WEBSCREENSHOT=true in reconftw.cfg. Use these for visual verification of web services.


10. CMS

The CMS/ folder identifies Content Management Systems (CMS) used by web servers.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| cms_results | Detected CMS platforms (e.g., WordPress, Drupal). | CMSeeK |

Example: CMS/cms_results.txt might contain:

www.example.com: WordPress 6.2

Note: Enable CMS_SCANNER=true in reconftw.cfg. Check for CMS-specific vulnerabilities manually.


11. GF Patterns

The gf/ folder contains URLs and endpoints matched against gf patterns for vulnerability analysis.

| Filename (*.txt) | Description | Tool Used |
| --- | --- | --- |
| <pattern>.txt | URLs matching specific vulnerability patterns (e.g., xss, sql, aws-keys). | gf |

Example: gf/xss.txt might contain:

https://example.com/search?q=<script>alert(1)</script>

Note: Enable URL_GF=true in reconftw.cfg. Review patterns for potential vulnerabilities.


12. AI Reports

The Report/ folder contains AI-generated reports summarizing scan findings (Markdown or plain text).

| Filename (.md/.txt) | Description | Tool Used |
| --- | --- | --- |
| report_<target>.md | Markdown report with prioritized findings (e.g., bug hunter style). | reconftw_ai |
| report_<target>.txt | Plain text report for executive or brief summaries. | reconftw_ai |

Example: Report/example.com.md might contain:

# ReconFTW Report for example.com
## Critical Findings
- Subdomain takeover on dev.example.com
- XSS vulnerability on api.example.com

Note: Enable AI reporting with -y flag and set AI_MODEL in reconftw.cfg. Requires Ollama running locally.


Best Practices

  • Organize Outputs: Use Recon/<target>/ subdirectories to keep results organized for multiple targets.
  • Manual Verification: Always verify critical findings (e.g., takeover, xss, sqli) to avoid false positives.
  • Backup Results: Regularly back up the Recon/ directory, especially for Ax Framework scans, as instances are ephemeral.
  • Filter Noise: Adjust NUCLEI_SEVERITY or disable low-value modules (e.g., GOOGLE_DORKS=false) to reduce output volume.
  • Use AI Reports: Leverage -y for automated summaries to prioritize findings, especially for large scans.
  • Secure Outputs: Restrict access to Recon/ (e.g., chmod -R 700 Recon/) to protect sensitive data like passwords or secrets.
  • Cross-Reference: Combine gf/ patterns with Nuclei_output/ and Vulns/ for comprehensive vulnerability analysis.
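
A permission audit for the Secure Outputs recommendation above, as an added example that is not part of reconFTW. It assumes GNU find (for `-perm /077`); the function names are hypothetical, and the file list is taken from the OSINT and JavaScript Analysis tables in this guide.

```shell
#!/usr/bin/env bash
# Added example: audit a Recon/<target>/ tree for files other local users can read.

# Files this guide describes as holding credentials or secrets.
SENSITIVE_FILES="OSINT/passwords.txt OSINT/h8mail.txt OSINT/gitdorks.txt OSINT/api_leaks.txt JS/js_secrets.txt"

# List every path under $1 that grants any permission to group or other.
list_exposed() {
    find "$1" -perm /077 -print 2>/dev/null | sort
}

# Print the sensitive files under $1 that exist, are non-empty and are
# accessible to group or other. Empty files are skipped: nothing to leak.
exposed_sensitive() {
    target_dir="$1"
    for rel in $SENSITIVE_FILES; do
        if [ -s "$target_dir/$rel" ] &&
           [ -n "$(find "$target_dir/$rel" -perm /077 2>/dev/null)" ]; then
            echo "$rel"
        fi
    done
}

# Remove all group/other access, like the guide's "chmod -R 700 Recon/" but
# without marking data files executable (X only affects directories and
# files that were already executable). Returns 0 only if nothing is left exposed.
lock_down() {
    chmod -R u+rwX,go-rwx "$1" || return 1
    [ -z "$(list_exposed "$1")" ]
}

# Typical use (path is a placeholder):
#   exposed_sensitive Recon/example.com && lock_down Recon/example.com
```

Run `exposed_sensitive` before archiving or copying results off an ephemeral instance, since backups inherit whatever the files contain regardless of the original permissions.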

Troubleshooting

  • Missing Files:
    • Check reconftw.cfg to ensure relevant modules are enabled (e.g., OSINT=true, VULNS_GENERAL=true).
    • Verify API keys (e.g., SHODAN_API_KEY, WHOISXML_API) are set for tools like shodan-cli or whoisxmlapi.
  • Empty Files:
    • Increase timeouts (e.g., HTTPX_TIMEOUT=20) or rate limits (e.g., HTTPX_RATELIMIT=200) in reconftw.cfg.
    • Ensure the target is in scope and accessible (e.g., no WAF blocking).
  • Corrupted Screenshots:
    • Set WEBSCREENSHOT_THREADS=50 in reconftw.cfg to reduce load.
    • Check for sufficient disk space in Recon/.
  • AI Report Errors:
    • Confirm Ollama is running and AI_MODEL (e.g., llama3:8b) is set correctly.
    • Use --network host in Docker if Ollama is hosted locally.
  • Large Output Volumes:
    • Disable verbose modules (e.g., SUB_RECURSIVE_BRUTE=false) for smaller targets.
    • Use REMOVETMP=true in reconftw.cfg to clean temporary files.
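
The Missing Files and Empty Files checks above can be scripted; the following is an added example, not part of reconFTW. The folder-to-flag pairs are the ones given in this guide's notes (Webs is mapped to WEBPROBESIMPLE only), the function names are hypothetical, and it assumes reconftw.cfg uses plain `NAME=value` lines.

```shell
#!/usr/bin/env bash
# Added example: explain why a reconFTW output folder is missing or empty.

# "<folder>:<flag>" pairs as stated in the notes of this guide.
FOLDER_FLAGS="OSINT:OSINT Subdomains:SUBDOMAINS_GENERAL Hosts:PORTSCANNER Webs:WEBPROBESIMPLE Vulns:VULNS_GENERAL JS:JSCHECKS Nuclei_output:NUCLEICHECK Fuzzing:FUZZ Screenshots:WEBSCREENSHOT CMS:CMS_SCANNER gf:URL_GF"

# Print the value assigned to flag $2 in config file $1. The last assignment
# wins, as it would when the file is sourced; prints "unset" if none is found.
cfg_value() {
    val=$(sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" 2>/dev/null |
          tail -n 1 | tr -d "\"'")
    echo "${val:-unset}"
}

# For every folder under $1 that has no non-empty file, print one line:
#   <folder> <FLAG>=<value> - <hint>
diagnose() {
    results_dir="$1"
    cfg="$2"
    for pair in $FOLDER_FLAGS; do
        folder=${pair%%:*}
        flag=${pair#*:}
        # Skip folders that contain at least one non-empty file.
        if [ -n "$(find "$results_dir/$folder" -type f -size +0 2>/dev/null | head -n 1)" ]; then
            continue
        fi
        value=$(cfg_value "$cfg" "$flag")
        if [ "$value" = "true" ]; then
            hint="enabled: check API keys, timeouts and scope"
        else
            hint="module disabled: set $flag=true"
        fi
        echo "$folder $flag=$value - $hint"
    done
}

# Typical use (paths are placeholders):
#   diagnose Recon/example.com ./reconftw.cfg
```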

For further assistance, join the reconFTW Discord or Telegram group.
