Introduction

Automated Reconnaissance Framework

Welcome to reconFTW

reconFTW is a modular reconnaissance automation framework designed for security researchers, penetration testers, and bug bounty hunters. It orchestrates 80+ security tools to perform full reconnaissance on your targets, from subdomain enumeration to vulnerability scanning.

Why reconFTW?

Feature

Description

🔄 Automated Workflow

Complete reconnaissance pipeline with a single command

🧩 Modular Design

Enable/disable any module or function as needed

Distributed Scanning

Scale with Axiom across cloud infrastructure

Structured Output

Organized results with multiple export formats

🔧 Highly Configurable

300+ configuration options for fine-tuning

🔄 Incremental Scans

Only scan new findings since last run

🤖 AI Integration

Generate executive reports with local AI models

What Can reconFTW Do?

┌─────────────────────────────────────────────────────────────────┐
│                        reconFTW Capabilities                     │
├─────────────────────────────────────────────────────────────────┤
│  OSINT           │ Google dorks, GitHub secrets, metadata,      │
│                  │ email harvesting, API leaks, cloud enum,     │
│                  │ leaked credentials, S3 buckets               │
├──────────────────┼──────────────────────────────────────────────┤
│  Subdomains      │ 10+ passive sources, DNS bruteforce,         │
│                  │ permutations (AI-powered), recursive enum,   │
│                  │ CT logs, scraping, zone transfer, takeover   │
├──────────────────┼──────────────────────────────────────────────┤
│  Web Analysis    │ HTTP probing, screenshots, JS secrets,       │
│                  │ URL extraction, directory fuzzing, CMS,      │
│                  │ virtual hosts, parameters, GraphQL, gRPC     │
├──────────────────┼──────────────────────────────────────────────┤
│  Vulnerabilities │ Nuclei templates, XSS, SQLi, SSRF, LFI,     │
│                  │ SSTI, CORS, CRLF, command injection,         │
│                  │ prototype pollution, 403 bypass, smuggling   │
├──────────────────┼──────────────────────────────────────────────┤
│  Host Analysis   │ Port scanning (nmap/naabu), CDN detection,   │
│                  │ WAF fingerprinting, geolocation, banners     │
├──────────────────┼──────────────────────────────────────────────┤
│  Automation      │ Checkpoint/resume system, incremental scans, │
│                  │ notifications (Slack/Discord/Telegram),      │
│                  │ Axiom distributed scanning, AI reports       │
└─────────────────────────────────────────────────────────────────┘

Quick Start

# Install reconFTW
git clone https://github.com/six2dez/reconftw.git
cd reconftw
./install.sh

# Run your first scan
./reconftw.sh -d example.com -r

# Full scan with vulnerabilities
./reconftw.sh -d example.com -a

Documentation Overview

This documentation is organized to help you get the most out of reconFTW:

📚 For Beginners

First 30 Minutes - Quick start guide to get scanning
Getting Started - Installation and setup
Concepts - Understanding how reconFTW works
Usage Guide - All command-line options explained

🔧 For Configuration

Configuration - Deep dive into reconftw.cfg
Modules - Detailed documentation for each module
Tools Reference - All 80+ integrated tools

📊 For Results

Output Interpretation - Understanding your results
Data Model & I/O - Complete input/output reference
Integrations - Axiom and Faraday setup

For Advanced Users

Deployment - Docker, Terraform, VPS, CI/CD
Performance Tuning - Optimize for speed and target size
Case Studies - Real-world usage examples
Advanced Usage - Custom functions and optimization
Troubleshooting - Common issues and solutions

⚖️ Legal & Security

OPSEC & Legal - Stay safe and authorized

Scan Modes at a Glance

Mode

Flag

Description

Use Case

Recon

-r

Full reconnaissance

Standard bug bounty recon

Subdomains

-s

Subdomain enumeration only

Quick subdomain discovery

Passive

-p

Passive reconnaissance

Stealth/non-intrusive

All

-a

Full recon + vulnerabilities

Full assessment

Web

-w

Web analysis only

Analyze known URLs

OSINT

-n

OSINT gathering only

Intelligence gathering

Custom

-c

Run custom function

Advanced workflows

Zen

-z

Minimal output mode

Clean terminal output

⚠️ Legal & OPSEC

IMPORTANT: reconFTW is designed for authorized security testing only.

Authorization Checklist

Before running any scan, verify:

Written permission from target owner
Defined scope (in-scope and out-of-scope assets)
Rate limits agreed upon
Testing window defined (if applicable)
Emergency contact available
NDA signed (if required)

OPSEC Considerations

Risk

Mitigation

IP Blocking

Use VPS, rotate IPs with Axiom

WAF Detection

Start with passive mode (-p)

Rate Limiting

Use --adaptive-rate flag

Legal Issues

Always have written authorization

Data Exposure

Keep secrets.cfg secure, never commit

Legal Disclaimer

By using this tool, you confirm that:

You have explicit written permission to test the target
You will comply with all applicable laws and regulations
You understand that unauthorized testing is illegal

The developers assume no liability for misuse of this tool. Use responsibly.

➡️ Full OPSEC Guide

Community & Support

GitHub Issues: Report bugs or request features
Discord: Join our community
Telegram: Discussion group
Twitter: @Six2dez1

Contributing

reconFTW is open source and welcomes contributions! See our Contributing Guide for details.

Made with ❤️ by six2dez and the security community

NextFirst 30 Minutes

Last updated 4 months ago