Command Line Guide

Documentation for reconFTW dev branch | View all flags

This guide covers every command-line option available in reconFTW, with detailed explanations and practical examples.

Basic Syntax

./reconftw.sh [TARGET_OPTIONS] [MODE_OPTIONS] [ADDITIONAL_OPTIONS]

Quick Examples

# Single domain reconnaissance
./reconftw.sh -d example.com -r

# Multiple targets from file
./reconftw.sh -l targets.txt -r

# Full scan with vulnerabilities
./reconftw.sh -d example.com -a

# Passive only (stealth)
./reconftw.sh -d example.com -p

Target Options

-d, --domain <domain>

Specify a single target domain or IP address.

Input Validation:

• Domains are sanitized (lowercase, safe characters only)

• IPs/CIDRs are validated for proper format

• Invalid inputs are rejected with error messages

-l, --list <file>

Specify a file containing multiple targets (one per line).

File Format:

Behavior:

• Each target is scanned sequentially

• Results are saved in separate directories

• Progress continues if one target fails

-m <name>

Multi-target mode with custom name for the output directory.

Output Structure:

Scan Modes

reconFTW offers several scan modes optimized for different use cases.

-r, --recon (Full Reconnaissance)

The standard bug bounty reconnaissance mode. Performs full subdomain enumeration, web analysis, and light vulnerability scanning (nuclei on discovered webs).

⚠️ Note: This is an active scanning mode. It sends requests to the target. Ensure you have authorization.

What it does:

Duration: 1-4 hours depending on target size

Best for: Initial reconnaissance, bug bounty hunting

-s, --subdomains (Subdomain Enumeration Only)

Fast subdomain discovery without web analysis.

What it does:

• Passive subdomain enumeration (APIs, CT logs)

• Active DNS bruteforce

• Permutation generation

• DNS resolution

• Subdomain takeover checks

Does NOT do:

• Web probing

• Screenshot capture

• URL extraction

• Vulnerability scanning

Duration: 15-60 minutes

Best for: Quick attack surface mapping, asset discovery

-p, --passive (Passive Reconnaissance)

Non-intrusive reconnaissance using only passive techniques.

What it does:

• Passive subdomain enumeration only

• No DNS bruteforce

• No active web crawling

• No vulnerability scanning

• OSINT gathering

Techniques disabled:

Duration: 10-30 minutes

Best for: Stealth recon, initial scoping, when you can't touch the target

-a, --all (Full Scan with Vulnerabilities)

Complete reconnaissance plus full vulnerability scanning.

🔴 WARNING: This is the "YOLO mode". It sends attack payloads (SQLi, XSS, etc.) to the target. Only use with explicit written authorization for penetration testing. May trigger WAFs and security alerts.

What it does: Everything in -r mode PLUS:

• Full Nuclei scanning (all severities)

• XSS testing

• SQL injection testing

• SSRF checks

• LFI/SSTI testing

• CORS misconfiguration

• Open redirect testing

• Command injection

• Prototype pollution

• HTTP smuggling

• And more...

Duration: 4-24+ hours

Best for: Full security assessment, when you have explicit authorization and time

⚠️ Warning: This mode performs intrusive testing. Ensure you have explicit authorization.

-w, --web (Web Analysis Only)

Analyze a list of known URLs without subdomain enumeration.

What it does:

• HTTP probing

• Screenshot capture

• URL extraction

• JavaScript analysis

• Directory fuzzing

• CMS detection

Does NOT do:

• Subdomain enumeration

• DNS analysis

• Port scanning

Duration: 30 minutes - 2 hours

Best for: When you already have a list of targets, analyzing specific endpoints

-n, --osint (OSINT Only)

Gather open-source intelligence without active scanning.

What it does:

• Domain WHOIS information

• Email harvesting

• Google dorking

• GitHub repository analysis

• Metadata extraction

• API leak detection

• Third-party misconfiguration checks

• SPF/DMARC analysis

• Cloud storage enumeration

Does NOT do:

• Active subdomain enumeration

• Web crawling

• Port scanning

• Vulnerability testing

Duration: 15-45 minutes

Best for: Intelligence gathering, pre-engagement research

-c <function> (Custom Function)

Execute a specific function from the reconFTW modules.

Note: -c accepts a single function per run. To execute multiple functions, run separate commands (or create a custom mode).

Available Functions:

Requirement: The target directory must already exist (from a previous scan).

-z, --zen (Zen Mode)

Minimal terminal output mode for cleaner logs.

Behavior:

• Reduced terminal output

• Progress indicators only

• Full details in log files

• Same functionality as -r

Best for: Running in tmux/screen, CI/CD pipelines

Scope Management

-x <file> (Out-of-Scope)

Exclude specific domains/patterns from results.

Pattern Syntax:

-i <file> (In-Scope)

Only include targets matching the scope file.

How it works:

1. Results are generated normally

2. inscope filter is applied

3. Only matching entries are kept

Enable in config:

Advanced Flags

--deep (Deep/Thorough Mode)

Enable extended scanning with larger wordlists and more techniques.

Changes from standard mode:

-v, --vps (Axiom/Distributed Mode)

Enable distributed scanning using Axiom.

Requirements:

• Axiom must be installed and configured

• Cloud provider account (DigitalOcean, AWS, etc.)

• Fleet configuration in reconftw.cfg

See Axiom Integration for setup details.

-f <file> (Custom Config)

Use a custom configuration file instead of the default.

Use cases:

• Different configs for different clients

• Testing configuration changes

• CI/CD with environment-specific settings

-q <rate> (Rate Limiting)

Set a global rate limit for all tools.

Affects:

• NUCLEI_RATELIMIT

• FFUF_RATELIMIT

• HTTPX_RATELIMIT

-o <path> (Custom Output Directory)

Save results to a custom location.

Output structure:

-y, --ai (AI Report Generation)

Generate AI-powered reports after scan completion.

Requirements:

• Local AI model (e.g., llama3:8b via Ollama)

• reconftw_ai tool installed

• Configured in reconftw.cfg

Report types:

• executive - High-level summary

• brief - Concise findings

• bughunter - Detailed technical report

--quick-rescan

Skip heavy operations if no new subdomains/assets found.

Behavior:

1. Performs subdomain enumeration

2. Compares with previous results

3. If no new subdomains → skips heavy modules

4. Saves significant time on repeat scans

--incremental

Only scan new findings since last run.

How it works:

1. Loads previous scan baseline

2. Performs new enumeration

3. Identifies delta (new findings only)

4. Scans only new assets

5. Generates incremental report

--adaptive-rate

Automatically adjust rate limits when encountering errors.

Behavior:

• Starts at configured rate limit

• Detects 429/503 errors

• Reduces rate by 50% on errors

• Increases rate by 20% on success

• Respects MIN/MAX limits

--dry-run

Preview commands without executing them.

Output:

Best for: Testing configurations, understanding workflow

--parallel

Run independent functions in parallel for faster scans.

What it does:

• Runs passive enumeration sources concurrently

• Runs active DNS checks in parallel after passive completes

• Runs TLS and analytics checks after resolution

• Uses native bash job control (no external dependencies)

Performance impact:

• ~2-3x faster subdomain enumeration

• Higher memory usage (multiple processes)

• Higher CPU usage

When NOT to use:

• Low memory systems (< 4GB RAM)

• Rate-limited targets

• With Axiom (already distributed)

• When debugging issues

--check-tools

Verify all required tools are installed.

Output:

--health-check

Run system health diagnostics.

Checks:

• Critical dependencies installed

• Configuration file valid

• Required directories exist

• Network connectivity

• Disk space available

Usage Examples

Bug Bounty Workflow

Stealth Assessment

Large-Scale Scanning

CI/CD Integration

Scoped Assessment

Custom Function Execution

Flag Reference Table

Next Steps

• Configuration Reference - Customize every setting

• Module Documentation - Deep dive into each module

• Output Interpretation - Understand your results

Documentation Info Branch: dev | Version: v3.0.0+ | Last updated: February 2026