search

Concepts & Architecture

This guide explains the fundamental concepts behind reconFTW, its architecture, and how it orchestrates reconnaissance workflows.

hashtag
What is reconFTW?

reconFTW is a modular reconnaissance automation framework that integrates 80+ security tools into a unified workflow. Rather than running tools individually and correlating results manually, reconFTW:

  1. Orchestrates tools in the optimal order

  2. Manages input/output between tools automatically

  3. Deduplicates and normalizes results

  4. Resumes interrupted scans from checkpoints

  5. Scales across distributed infrastructure (via Axiom)

hashtag
Philosophy

reconFTW follows these design principles:

  • Thorough over fast: Cover all attack surface, don't miss findings

  • Modular: Enable/disable any component without breaking others

  • Resumable: Never lose progress on long-running scans

  • Configurable: Every behavior can be customized

  • Fail-soft: Continue scanning even if individual tools fail

hashtag
Reconnaissance Methodology

reconFTW implements a structured reconnaissance methodology following industry best practices:

hashtag
Phase 1: OSINT (Open Source Intelligence)

Gather publicly available information about the target:

Technique
Purpose
Tools

Google Dorks

Find exposed files/pages

dorks_hunter

GitHub Dorks

Find leaked credentials

gitdorks_go

Metadata

Extract document metadata

metagoofil, exiftool

Email Harvesting

Discover email addresses

emailfinder

API Leaks

Find exposed APIs

porch-pirate, SwaggerSpy

Domain Info

WHOIS, registrant data

whois, msftrecon

hashtag
Phase 2: Subdomain Enumeration

Discover all subdomains associated with the target:

Technique
Type
Description

Passive

Non-intrusive

Query APIs, CT logs, archives

Active/Bruteforce

Intrusive

DNS queries with wordlists

Permutations

Intrusive

Generate variations

Recursive

Both

Enumerate subdomains of subdomains

Scraping

Semi-passive

Extract from web pages

hashtag
Phase 3: Web Analysis

Analyze discovered web assets:

  • HTTP probing (find live servers)

  • Screenshot capture

  • URL extraction (passive + crawling)

  • JavaScript analysis (secrets, endpoints)

  • Directory fuzzing

  • CMS detection

  • Parameter discovery

hashtag
Phase 4: Vulnerability Scanning

Test for security issues:

  • CVE scanning with Nuclei

  • Injection testing (XSS, SQLi, SSTI, LFI)

  • Server-side vulnerabilities (SSRF, command injection)

  • Misconfigurations (CORS, open redirect)

  • SSL/TLS issues

  • Subdomain takeovers

hashtag
Architecture Overview

reconFTW uses a modular architecture where components are separated by responsibility:

hashtag
Module Loading Order

Modules are loaded in a specific order to ensure dependencies are satisfied:

hashtag
Key Functions

hashtag
Lifecycle Functions (core.sh)

Every scan function follows this pattern:

hashtag
Utility Functions (utils.sh)

Function
Purpose

sanitize_domain()

Clean and validate domain input

sanitize_ip()

Clean and validate IP/CIDR input

deleteOutScoped()

Remove out-of-scope entries

run_command()

Execute with logging (respects DRY_RUN)

should_run_deep()

Check if DEEP mode should activate

retry_with_backoff()

Retry failed operations

check_disk_space()

Verify available storage

hashtag
Data Flow

Understanding how data flows through reconFTW helps interpret results:

hashtag
Data Dependencies

Module
Depends On
Produces

OSINT

Target domain

osint/*.txt

Subdomains

Target domain

subdomains/subdomains.txt

Hosts

subdomains.txt

hosts/ips.txt, hosts/portscan*

Web Probing

subdomains.txt

webs/webs.txt

URL Collection

webs.txt

webs/url_extract.txt

JS Analysis

webs.txt

js/js_secrets.txt

Vulns

webs.txt, urls

vulns/, nuclei_output/

hashtag
Scan Phases

When you run ./reconftw.sh -d target.com -r, the following phases execute:

hashtag
1. Initialization (start())

hashtag
2. OSINT Phase

hashtag
3. Subdomain Phase

hashtag
4. Host Analysis

hashtag
5. Web Analysis

hashtag
6. Vulnerability Phase (if -a flag)

hashtag
7. Finalization (end())

hashtag
Checkpoint System

reconFTW uses a checkpoint system to track completed functions and enable scan resumption.

hashtag
How It Works

Each function creates a marker file when completed:

hashtag
Resume Behavior

When you re-run a scan:

  1. reconFTW checks for existing .called_fn markers

  2. Functions with markers are skipped

  3. Functions without markers are executed

hashtag
Force Re-execution

To re-run a specific function:

hashtag
DIFF Mode

The -r flag with DIFF=true in config enables differential scanning:

In DIFF mode:

  • All functions execute regardless of markers

  • Only new findings are highlighted

  • Previous results are preserved

hashtag
Understanding DEEP Mode

DEEP mode enables thorough scanning for high-value targets:

hashtag
Standard vs DEEP

Aspect
Standard
DEEP

Wordlists

Small (~10k)

Large (~100k+)

Permutations

Basic

Extensive

Recursive depth

Limited

Full

Fuzzing

Common paths

Extended

Time

1-4 hours

4-24+ hours

hashtag
Activation

hashtag
Auto-DEEP

reconFTW can auto-enable DEEP based on result counts:

If subdomains < DEEP_LIMIT, additional enumeration runs automatically.

hashtag
Error Handling

reconFTW uses a "fail-soft" approach:

hashtag
Error Codes

Code
Meaning

0

Success

1

General error

2

Missing dependency

3

Invalid input

4

Network error

5

Disk space error

6

Permission error

7

Timeout

8

Configuration error

hashtag
Error Trapping

Errors are logged but don't stop the scan:

hashtag
Circuit Breaker

For unreliable tools, reconFTW implements a circuit breaker:

hashtag
Global Variables

Key variables used throughout reconFTW:

hashtag
Required Variables

Variable
Description

$SCRIPTPATH

Path to reconFTW installation

$domain

Current target domain

$dir

Output directory for current scan

$called_fn_dir

Directory for checkpoint markers

$LOGFILE

Current log file path

hashtag
Configuration Flags

Variable
Default
Description

$DEEP

false

Enable thorough scanning

$DIFF

false

Differential mode

$AXIOM

false

Distributed scanning

$DRY_RUN

false

Preview without executing

hashtag
Visual: Architecture Diagram

hashtag
OPSEC and Legal

hashtag
Authorization Requirements

NEVER scan without explicit written authorization. This includes:

  1. Bug Bounty Programs: Read rules carefully, some exclude certain asset types

  2. Penetration Tests: Written statement of work (SOW) with defined scope

  3. Internal Testing: Formal approval from asset owners

  4. Personal Projects: Only test assets you own

hashtag
Pre-Scan Checklist

hashtag
OPSEC Best Practices

Consideration
Recommendation

IP Attribution

Use VPS or cloud instances, not personal IP

Rate Limiting

Start conservative, increase gradually

Noise Reduction

Begin with passive mode (-p)

Data Security

Encrypt sensitive findings, secure secrets.cfg

Logging

Keep records of authorization and scan times

Communication

Notify target of critical findings immediately

hashtag
Reducing Detection Risk

hashtag
Legal Risks by Region

Region
Key Laws
Notes

USA

CFAA

Unauthorized access is federal crime

EU

Computer Misuse Acts (varies)

Strict consent requirements

UK

Computer Misuse Act 1990

Even attempting unauthorized access is illegal

Global

Various

Always research local laws

hashtag
What to Do If Something Goes Wrong

  1. Stop scanning immediately

  2. Document what happened (timestamps, commands run)

  3. Contact the target via emergency channels

  4. Preserve evidence of authorization

  5. Consult legal counsel if needed

hashtag
Recommended Workflows

hashtag
Bug Bounty - Standard Recon

Best for: Regular bug bounty hunting on established programs.

hashtag
Bug Bounty - New Program

Best for: New programs where you want full coverage quickly.

hashtag
Large Scope / Multiple Targets

Best for: Programs with many root domains or large scope.

hashtag
Red Team / Pentest

Best for: Authorized penetration tests with defined scope.

hashtag
Automated Weekly Monitoring

Best for: Continuous monitoring of assets.

hashtag
Quick Assessment

Best for: Rapid initial assessment before deeper testing.

hashtag
CI/CD Integration

Best for: Automated security checks in pipelines.

hashtag
Next Steps

Now that you understand how reconFTW works:

  1. Learn the command line options - Master all flags

  2. Configure your setup - Customize behavior

  3. Explore modules in depth - Understand each capability

PreviousInstallation & SetupNextCommand Line Guide

Last updated