Configuration Reference

Documentation for reconFTW dev branch | Variables match reconftw.cfg

This guide provides a complete reference for reconFTW's configuration file (reconftw.cfg), covering every option with detailed explanations.

Configuration Files Overview

reconFTW uses several configuration files:

File

Purpose

Git Tracked

reconftw.cfg

Main configuration

✅ Yes

secrets.cfg

API keys and tokens

❌ No (gitignored)

custom_config.cfg

User overrides (optional)

❌ No

Load Order

reconftw.cfg is loaded first (defaults)
secrets.cfg is sourced if it exists (API keys)
Custom config via -f flag overrides all

General Settings

Tool Paths

# Path where tools are installed
tools=$HOME/Tools

# Auto-detected script path (don't change)
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"

Shell Configuration

# Detected shell profile (.bashrc, .zshrc, etc.)
profile_shell=".$(basename "${SHELL:-/bin/bash}")rc"

Version Information

# Auto-detected from git
reconftw_version="$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags)"

Resolver Settings

# Generate custom resolvers with dnsvalidator
generate_resolvers=false

# Fetch resolvers from trickest before scanning
update_resolvers=true

# Resolver URLs
resolvers_url="https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt"
resolvers_trusted_url="https://gist.githubusercontent.com/six2dez/.../trusted_resolvers.txt"

When to change:

Set generate_resolvers=true for custom resolver validation (slower but more accurate)
Set update_resolvers=false if you maintain your own resolver list

Proxy Settings

# HTTP proxy for tools that support it
proxy_url="http://127.0.0.1:8080/"

# Enable proxy usage
PROXY=false

Usage: Set PROXY=true to route web requests through Burp Suite or similar proxy.

Golang Configuration

install_golang=true              # Install Go if not found
export GOROOT="/usr/local/go"    # Go installation path
export GOPATH="$HOME/go"         # Go workspace

Update Settings

upgrade_tools=true               # Allow tool updates
upgrade_before_running=false     # Update tools before each scan

Output Settings

# Custom output directory (uncomment to enable)
#dir_output=/custom/output/path

# Log executed commands (verbose, may contain sensitive data)
SHOW_COMMANDS=false

Disk Space Check

# Minimum required disk space in GB (0 to disable)
MIN_DISK_SPACE_GB=0

API Keys and Tokens

Environment Variables (Preferred)

Set these in your shell or secrets.cfg:

# Shodan API for passive port scanning
SHODAN_API_KEY="your_shodan_api_key"

# WhoisXML API for domain lookups
WHOISXML_API="your_whoisxml_api_key"

# Blind XSS callback server
XSS_SERVER="https://your.xss.hunter"

# SSRF/OOB callback server
COLLAB_SERVER="https://your.interact.sh"

# Slack notifications
slack_channel="C0XXXXXXXXX"
slack_auth="xoxb-xxxxx-xxxxx-xxxxx"

secrets.cfg File

Create from the example:

cp secrets.cfg.example secrets.cfg
chmod 600 secrets.cfg  # Restrict permissions

Edit secrets.cfg:

# API Keys
SHODAN_API_KEY="abc123..."
WHOISXML_API="xyz789..."

# Callback servers
XSS_SERVER="https://xss.example.com"
COLLAB_SERVER="https://interact.example.com"

# Notifications
slack_channel="C0XXXXXXXXX"
slack_auth="xoxb-..."

Token Files

# GitHub tokens (one per line for rate limit distribution)
GITHUB_TOKENS=${tools}/.github_tokens

# GitLab tokens
GITLAB_TOKENS=${tools}/.gitlab_tokens

Create GitHub tokens file:

cat > $HOME/Tools/.github_tokens << EOF
ghp_token1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ghp_token2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ghp_token3xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOF
chmod 600 $HOME/Tools/.github_tokens

Module Toggles

OSINT Module

OSINT=true                   # Master toggle for OSINT module
GOOGLE_DORKS=true            # Google dorking
GITHUB_DORKS=true            # GitHub secret searching
GITHUB_REPOS=true            # GitHub repository analysis
METADATA=true                # Document metadata extraction
EMAILS=true                  # Email harvesting
DOMAIN_INFO=true             # WHOIS lookups
IP_INFO=true                 # IP reverse lookup and geolocation
API_LEAKS=true               # Postman/Swagger leak detection
THIRD_PARTIES=true           # Third-party misconfiguration checks
SPOOF=true                   # Domain spoofing checks
MAIL_HYGIENE=true            # SPF/DMARC analysis
CLOUD_ENUM=true              # Cloud storage enumeration
METAFINDER_LIMIT=20          # Max documents to analyze (max 250)

Subdomain Module

SUBDOMAINS_GENERAL=true      # Master toggle for subdomain module
SUBPASSIVE=true              # Passive enumeration (APIs, CT logs)
SUBCRT=true                  # Certificate transparency search
CTR_LIMIT=999999             # Max CT results
DNS_TIME_FENCE_DAYS=0        # Filter CT results to last N days (0=disabled)
DEEP_WILDCARD_FILTER=false   # Multi-level wildcard detection
EXCLUDE_SENSITIVE=false      # Skip gov/mil/edu domains
SUBNOERROR=false             # DNS NOERROR response checking
SUBANALYTICS=true            # Google Analytics correlation
SUBBRUTE=true                # DNS bruteforcing
SUBSCRAPING=true             # Web scraping for subdomains
SUBPERMUTE=true              # DNS permutations
SUBIAPERMUTE=true            # AI-powered permutations
SUBREGEXPERMUTE=true         # Regex-based permutations
SUBTAKEOVER=true             # Subdomain takeover checks
SUB_RECURSIVE_PASSIVE=false  # Recursive passive (uses many API queries)
DEEP_RECURSIVE_PASSIVE=10    # Top N subdomains for recursion
SUB_RECURSIVE_BRUTE=false    # Recursive bruteforce (disk/time intensive)
ZONETRANSFER=true            # DNS zone transfer checks
S3BUCKETS=true               # S3 bucket misconfiguration checks
REVERSE_IP=false             # Reverse IP lookups (enable for IP/CIDR targets)
INSCOPE=false                # Apply inscope filtering

DNS_TIME_FENCE_DAYS

Filters Certificate Transparency (crt.sh) results to certificates issued within the last N days.

DNS_TIME_FENCE_DAYS=90  # Only certificates from last 90 days
DNS_TIME_FENCE_DAYS=0   # Disabled (default) - return all results

Why use this:

CT logs contain historical certificates, including expired and decommissioned domains
Old certificates often point to infrastructure that no longer exists
Setting to 90 days typically reduces noise by 20-40% while keeping relevant results

DEEP_WILDCARD_FILTER

Enables iterative wildcard detection at all subdomain levels, not just the root.

DEEP_WILDCARD_FILTER=true   # Enable multi-level wildcard detection
DEEP_WILDCARD_FILTER=false  # Standard wildcard detection only (default)

How it works:

Extracts unique parent domains from resolved subdomains
Generates random probe hostname for each parent (e.g., a1b2c3d4.api.example.com)
If random probe resolves, parent is a wildcard
Filters all subdomains under detected wildcard parents
Repeats up to 5 iterations to catch nested wildcards

Why use this:

Enterprise targets often have deep wildcards (e.g., *.na45.salesforce.com)
Standard detection only checks *.example.com
Removes 50-80% false positives on enterprise infrastructure
Detected wildcards saved to subdomains/wildcards_detected.txt

EXCLUDE_SENSITIVE

Prevents scanning domains that match patterns in config/sensitive_domains.txt.

EXCLUDE_SENSITIVE=true   # Skip sensitive domains
EXCLUDE_SENSITIVE=false  # Scan all domains (default)

Excluded patterns include:

Government: *.gov, *.gob.*, *.gouv.*
Military: *.mil, *.defense.*
Educational: *.edu, *.ac.*
Financial: *.bank, *.banking.*
Critical infrastructure: *.nhs.*, *.hospital.*, *.police.*

Why use this:

Legal protection when scanning wildcard scopes
Prevents accidental contact with sensitive infrastructure
Patterns can be customized in config/sensitive_domains.txt

Permutation Settings

# Permutation tool: "gotator" (deeper) or "ripgen" (faster)
PERMUTATIONS_OPTION=gotator

# Gotator flags
GOTATOR_FLAGS=" -depth 1 -numbers 3 -mindup -adv -md"

TLS Port Discovery

# Ports to check for TLS certificates
TLS_PORTS="21,22,25,80,110,135,143,261,443,465,563,587,636,853,990,993,995,..."

Web Detection Module

WEBPROBESIMPLE=true          # Probe ports 80/443
WEBPROBEFULL=true            # Probe uncommon web ports
WEBSCREENSHOT=true           # Capture screenshots
VIRTUALHOSTS=false           # Virtual host fuzzing (slower)

# Uncommon web ports to probe
UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,..."

Host Module

FAVICON=true                 # Favicon-based IP discovery
PORTSCANNER=true             # Port scanning module
GEO_INFO=true                # IP geolocation
PORTSCAN_PASSIVE=true        # Shodan passive port scan
PORTSCAN_ACTIVE=true         # Nmap active port scan
CDN_IP=true                  # CDN detection

# Nmap options
PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners"

Web Analysis Module

WAF_DETECTION=true           # WAF detection
NUCLEICHECK=true             # Nuclei vulnerability scanning
URL_CHECK=true               # URL collection
URL_CHECK_PASSIVE=true       # Passive URL collection (archives)
URL_CHECK_ACTIVE=true        # Active URL crawling
URL_GF=true                  # URL pattern matching
URL_EXT=true                 # File extension sorting
JSCHECKS=true                # JavaScript analysis
FUZZ=true                    # Directory fuzzing
IIS_SHORTNAME=true           # IIS shortname scanning
CMS_SCANNER=true             # CMS detection
WORDLIST=true                # Custom wordlist generation
ROBOTSWORDLIST=true          # Robots.txt historical analysis
PASSWORD_DICT=true           # Password dictionary generation
PASSWORD_MIN_LENGTH=5        # Min password length
PASSWORD_MAX_LENGTH=14       # Max password length
GRAPHQL_CHECK=true           # GraphQL endpoint detection
GQLSPECTION=false            # Deep GraphQL introspection
PARAM_DISCOVERY=true         # Parameter discovery with Arjun
GRPC_SCAN=false              # gRPC reflection probing

Vulnerability Module

VULNS_GENERAL=false          # Master toggle for vuln scanning
XSS=true                     # XSS testing
CORS=true                    # CORS misconfiguration
TEST_SSL=true                # SSL/TLS analysis
OPEN_REDIRECT=true           # Open redirect detection
SSRF_CHECKS=true             # SSRF testing
CRLF_CHECKS=true             # CRLF injection
LFI=true                     # Local file inclusion
SSTI=true                    # Server-side template injection
SQLI=true                    # SQL injection
SQLMAP=true                  # SQLMap testing
GHAURI=false                 # Ghauri SQLi testing
BROKENLINKS=true             # Broken link detection
SPRAY=true                   # Password spraying
COMM_INJ=true                # Command injection
PROTO_POLLUTION=true         # Prototype pollution
SMUGGLING=true               # HTTP request smuggling
WEBCACHE=true                # Web cache issues
BYPASSER4XX=true             # 4XX bypass attempts
FUZZPARAMS=true              # Parameter fuzzing

Nuclei Configuration

# Nuclei templates path
NUCLEI_TEMPLATES_PATH="$HOME/nuclei-templates"

# Severity levels to run
NUCLEI_SEVERITY="info,low,medium,high,critical"

# Extra arguments (exclusions, etc.)
NUCLEI_EXTRA_ARGS=""
# Example with exclusions:
# NUCLEI_EXTRA_ARGS="-etags openssh,ssl -eid node-express-dev-env"

# Standard flags
NUCLEI_FLAGS="-silent -retries 2"

# JS secret scanning flags
NUCLEI_FLAGS_JS="-silent -tags exposure,token -severity info,low,medium,high,critical"

Threading and Rate Limits

Thread Configuration

FFUF_THREADS=40                      # Directory fuzzing
HTTPX_THREADS=50                     # HTTP probing
HTTPX_UNCOMMONPORTS_THREADS=100      # Uncommon port probing
KATANA_THREADS=20                    # Web crawling
BRUTESPRAY_THREADS=20                # Password spraying
BRUTESPRAY_CONCURRENCE=10            # Concurrent targets
DNSTAKE_THREADS=100                  # DNS takeover checks
DALFOX_THREADS=200                   # XSS testing
TLSX_THREADS=1000                    # TLS certificate scanning
INTERLACE_THREADS=10                 # Parallel tool execution
RESOLVE_DOMAINS_THREADS=150          # DNS resolution
DNSVALIDATOR_THREADS=200             # Resolver validation
XNLINKFINDER_DEPTH=3                 # Link finder depth
ARJUN_THREADS=10                     # Parameter discovery

Rate Limits

HTTPX_RATELIMIT=150                  # HTTP requests/second
NUCLEI_RATELIMIT=150                 # Nuclei requests/second
FFUF_RATELIMIT=0                     # Fuzzing requests/second (0=unlimited)

PureDNS Limits

PUREDNS_PUBLIC_LIMIT=0               # Public resolver limit (0=unlimited)
PUREDNS_TRUSTED_LIMIT=400            # Trusted resolver limit
PUREDNS_WILDCARDTEST_LIMIT=30        # Wildcard detection limit
PUREDNS_WILDCARDBATCH_LIMIT=1500000  # Wildcard batch size

Adaptive Rate Limiting

ADAPTIVE_RATE_LIMIT=false            # Auto-adjust on errors
MIN_RATE_LIMIT=10                    # Minimum rate limit
MAX_RATE_LIMIT=500                   # Maximum rate limit
RATE_LIMIT_BACKOFF_FACTOR=0.5        # Reduce by 50% on error
RATE_LIMIT_INCREASE_FACTOR=1.2       # Increase by 20% on success

Timeouts

SUBFINDER_ENUM_TIMEOUT=180           # Subfinder timeout (minutes)
CMSSCAN_TIMEOUT=3600                 # CMS scan timeout (seconds)
FFUF_MAXTIME=900                     # Fuzzing timeout (seconds)
HTTPX_TIMEOUT=10                     # HTTP request timeout (seconds)
HTTPX_UNCOMMONPORTS_TIMEOUT=10       # Uncommon port timeout (seconds)
PERMUTATIONS_LIMIT=21474836480       # Max permutation file size (bytes, 20GB)

Wordlists

# Fuzzing wordlist
fuzz_wordlist=${tools}/fuzz_wordlist.txt

# LFI payloads
lfi_wordlist=${tools}/lfi_wordlist.txt

# SSTI payloads
ssti_wordlist=${tools}/ssti_wordlist.txt

# Subdomain wordlists
subs_wordlist=${tools}/subdomains.txt
subs_wordlist_big=${tools}/subdomains_n0kovo_big.txt

# Resolver lists
resolvers=${tools}/resolvers.txt
resolvers_trusted=${tools}/resolvers_trusted.txt

Cloud Hunter Settings

# Cloud permutation depth: DEEP, NORMAL, or NONE
CLOUDHUNTER_PERMUTATION=NORMAL

DEEP Mode Settings

DEEP=false                           # Deep scanning mode
DEEP_LIMIT=500                       # First auto-deep threshold
DEEP_LIMIT2=1500                     # Second auto-deep threshold

Behavior:

If subdomain count < DEEP_LIMIT, additional techniques run
If < DEEP_LIMIT2, even more intensive techniques run

Axiom Settings

# Axiom fleet configuration
AXIOM_FLEET_LAUNCH=true              # Auto-launch fleet
AXIOM_FLEET_NAME="reconFTW"          # Fleet name prefix
AXIOM_FLEET_COUNT=10                 # Number of instances
AXIOM_FLEET_REGIONS="eu-central"     # Cloud regions
AXIOM_FLEET_SHUTDOWN=true            # Auto-shutdown after scan

# Resolver paths on Axiom instances
AXIOM_RESOLVERS_PATH="/home/op/lists/resolvers.txt"
AXIOM_RESOLVERS_TRUSTED_PATH="/home/op/lists/resolvers_trusted.txt"

# Post-start script (optional)
#AXIOM_POST_START="~/Tools/axiom_config.sh"

# Extra arguments
AXIOM_EXTRA_ARGS=""

Faraday Settings

FARADAY=false                        # Enable Faraday integration
FARADAY_SERVER="http://localhost:5985"
FARADAY_USER="faraday"
FARADAY_PASS="FARADAY_PASSWORD"
FARADAY_WORKSPACE="reconftw"

AI Settings

AI_MODEL="llama3:8b"                 # AI model to use
AI_REPORT_TYPE="md"                  # Report format (md, txt)
AI_REPORT_PROFILE="bughunter"        # Profile: executive, brief, bughunter

Extra Features

Notification Settings

NOTIFICATION=false                   # Notifications for every function
SOFT_NOTIFICATION=false              # Only start/end notifications
SENDZIPNOTIFY=false                  # Send zipped results via notify

Diff/Incremental Mode

DIFF=false                           # Differential scanning
INCREMENTAL_MODE=false               # Incremental scanning

Cleanup Settings

REMOVETMP=false                      # Delete .tmp after scan
REMOVELOG=false                      # Delete logs after scan
PRESERVE=true                        # Keep .called_fn markers

Cache Settings

CACHE_MAX_AGE_DAYS=30                # Cache validity (days)

Log Rotation

MAX_LOG_FILES=10                     # Max log files per target
MAX_LOG_AGE_DAYS=30                  # Delete logs older than this

Structured Logging

STRUCTURED_LOGGING=false             # JSON format logging

Asset Tracking

ASSET_STORE=true                     # Append to assets.jsonl
QUICK_RESCAN=false                   # Skip heavy steps if no new assets
CHUNK_LIMIT=2000                     # Split large lists
HOTLIST_TOP=50                       # Top risky assets to highlight

IPv6

IPV6_SCAN=true                       # Enable IPv6 discovery

Intrusive Mode

INTRUSIVE=false                      # Dangerous cloud/CORS tests

HTTP Options

# Default User-Agent header
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"

Tool Flags

# FFUF default flags
FFUF_FLAGS=" -mc all -fc 404 -sf -noninteractive -of json"

# HTTPX probing flags
HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length"

Color Configuration

# Terminal colors (ANSI codes)
bred='\033[1;31m'      # Bold red
bblue='\033[1;34m'     # Bold blue
bgreen='\033[1;32m'    # Bold green
byellow='\033[1;33m'   # Bold yellow
red='\033[0;31m'       # Red
blue='\033[0;34m'      # Blue
green='\033[0;32m'     # Green
yellow='\033[0;33m'    # Yellow
reset='\033[0m'        # Reset

Debug Settings

DEBUG_STD="&>/dev/null"              # Skip stdout in installer
DEBUG_ERROR="2>/dev/null"            # Skip stderr in installer

Configuration Examples

Stealth Configuration

# Minimal noise configuration
SUBBRUTE=false
SUBPERMUTE=false
PORTSCAN_ACTIVE=false
FUZZ=false
VULNS_GENERAL=false
HTTPX_RATELIMIT=10
NUCLEI_RATELIMIT=10

Aggressive Configuration

# Maximum coverage
DEEP=true
SUBBRUTE=true
SUBPERMUTE=true
SUB_RECURSIVE_BRUTE=true
VULNS_GENERAL=true
FUZZ=true
HTTPX_THREADS=100
NUCLEI_RATELIMIT=500

Bug Bounty Configuration

# Balanced for bug bounty
OSINT=true
SUBDOMAINS_GENERAL=true
VULNS_GENERAL=false  # Enable with -a flag
NOTIFICATION=true
DIFF=true

Using Custom Config Files

# Create custom config
cp reconftw.cfg client_config.cfg

# Edit for specific client
vim client_config.cfg

# Use custom config
./reconftw.sh -d target.com -r -f client_config.cfg

Environment Variable Priority

Environment variables override config file settings:

# Override via environment
export SHODAN_API_KEY="my_key"
export NUCLEI_RATELIMIT=50

# Run scan (uses environment values)
./reconftw.sh -d target.com -r

Next Steps

Module Documentation - Understand each module in detail
Tools Reference - Learn about integrated tools
Advanced Usage - Custom functions and optimization

Documentation Info Branch: dev | Version: v3.0.0+ | Last updated: February 2026 Variables documented match reconftw.cfg in the repository root.

PreviousCommand Line Guide NextModules Overview

Last updated 1 month ago

Good morning

hashtagConfiguration Files Overview

hashtagLoad Order

hashtagGeneral Settings

hashtagTool Paths

hashtagShell Configuration

hashtagVersion Information

hashtagResolver Settings

hashtagProxy Settings

hashtagGolang Configuration

hashtagUpdate Settings

hashtagOutput Settings

hashtagDisk Space Check

hashtagAPI Keys and Tokens

hashtagEnvironment Variables (Preferred)

hashtagsecrets.cfg File

hashtagToken Files

hashtagModule Toggles

hashtagOSINT Module

hashtagSubdomain Module

hashtagDNS_TIME_FENCE_DAYS

hashtagDEEP_WILDCARD_FILTER

hashtagEXCLUDE_SENSITIVE

hashtagPermutation Settings

hashtagTLS Port Discovery

hashtagWeb Detection Module

hashtagHost Module

hashtagWeb Analysis Module

hashtagVulnerability Module

hashtagNuclei Configuration

hashtagThreading and Rate Limits

hashtagThread Configuration

hashtagRate Limits

hashtagPureDNS Limits

hashtagAdaptive Rate Limiting

hashtagTimeouts

hashtagWordlists

hashtagCloud Hunter Settings

hashtagDEEP Mode Settings

hashtagAxiom Settings

hashtagFaraday Settings

hashtagAI Settings

hashtagExtra Features

hashtagNotification Settings

hashtagDiff/Incremental Mode

hashtagCleanup Settings

hashtagCache Settings

hashtagLog Rotation

hashtagStructured Logging

hashtagAsset Tracking

hashtagIPv6

hashtagIntrusive Mode

hashtagHTTP Options

hashtagTool Flags

hashtagColor Configuration

hashtagDebug Settings

hashtagConfiguration Examples

hashtagStealth Configuration

hashtagAggressive Configuration

hashtagBug Bounty Configuration

hashtagUsing Custom Config Files

hashtagEnvironment Variable Priority

hashtagNext Steps

Configuration Files Overview

Load Order

General Settings

Tool Paths

Shell Configuration

Version Information

Resolver Settings

Proxy Settings

Golang Configuration

Update Settings

Output Settings

Disk Space Check

API Keys and Tokens

Environment Variables (Preferred)

secrets.cfg File

Token Files

Module Toggles

OSINT Module

Subdomain Module

DNS_TIME_FENCE_DAYS

DEEP_WILDCARD_FILTER

EXCLUDE_SENSITIVE

Permutation Settings

TLS Port Discovery

Web Detection Module

Host Module

Web Analysis Module

Vulnerability Module

Nuclei Configuration

Threading and Rate Limits

Thread Configuration

Rate Limits

PureDNS Limits

Adaptive Rate Limiting

Timeouts

Wordlists

Cloud Hunter Settings

DEEP Mode Settings

Axiom Settings

Faraday Settings

AI Settings

Extra Features

Notification Settings

Diff/Incremental Mode

Cleanup Settings

Cache Settings

Log Rotation

Structured Logging

Asset Tracking

IPv6

Intrusive Mode

HTTP Options

Tool Flags

Color Configuration

Debug Settings

Configuration Examples

Stealth Configuration

Aggressive Configuration

Bug Bounty Configuration

Using Custom Config Files

Environment Variable Priority

Next Steps