First 30 Minutes

Get from zero to your first scan results in 30 minutes or less.


Minute 0-5: Install

# Clone and install
git clone https://github.com/six2dez/reconftw.git
cd reconftw
./install.sh

While it installs (~15-20 min): Read the next sections.


Minute 5-10: Understand What You're Running

reconFTW in One Sentence

reconFTW finds subdomains, probes them, and scans for vulnerabilities—automatically.

Available Scan Modes

reconFTW offers multiple modes for different use cases:

| Mode | Flag | Description | Activity Level |
| --- | --- | --- | --- |
| Passive | -p | No direct contact with target, uses only public sources | None |
| Subdomains | -s | Subdomain enumeration only | Low-Medium |
| OSINT | -n | OSINT gathering only | Low |
| Web | -w | Web analysis on known subdomains | Medium |
| Recon | -r | Default/recommended. Full recon + light vuln scan (nuclei on webs) | Medium-High |
| All | -a | Full recon + aggressive vulnerability scanning | Very High |

⚠️ Important: Even -r mode performs active scanning (DNS queries, HTTP requests, port scans). Always ensure you have authorization.

About the -a (All) Mode

🔴 WARNING: The -a flag runs aggressive vulnerability testing including SQLi payloads, fuzzing, and multiple scanner tools. This generates significant traffic and may trigger security alerts. Only use when you have explicit written authorization for penetration testing.

Quick Decision Tree


API keys improve results by adding more data sources. Set up at least these 3:

1. Shodan (Free tier available)

2. GitHub Token (Free)

3. SecurityTrails (Free tier)

No keys? reconFTW still works, just with fewer data sources.


Minute 15-20: Verify Installation

Common Issues

| Problem | Fix |
| --- | --- |
| go: command not found | source ~/.bashrc or restart terminal |
| Tool shows ✗ | Run ./install.sh again |
| Permission denied | chmod +x reconftw.sh |


Minute 20-25: Run Your First Scan

This:

  • ✅ No direct contact with target

  • ✅ Uses only public data sources

  • ✅ Fast (~15 minutes)

  • ✅ Safe for any authorized target

Option B: Quick Subdomain Discovery

This:

  • ⚠️ Makes DNS queries (minimal noise)

  • ✅ Finds subdomains only

  • ✅ ~30 minutes

What's Happening?


Minute 25-30: Check Your Results

Where Are Results?

Quick Results Check


What's Next?

If Passive Scan Looks Good → Run Full Recon

If You Need Vulnerabilities → Run All

If Scan Was Interrupted → Just Resume


Quick Reference Card

Essential Commands

Essential Locations

| What | Where |
| --- | --- |
| Results | Recon/<domain>/ |
| Config | reconftw.cfg |
| API Keys | secrets.cfg |
| Logs | Recon/<domain>/.log/ |

Getting Help


Common First-Timer Questions

"It's taking forever"

Normal! Full scans take 1-8 hours. Use -p for quick results.

"I got rate limited"

Add to reconftw.cfg:

"Results are empty"

  1. Check target exists: dig target.com

  2. Check API keys are set

  3. Look at logs: cat Recon/target.com/.log/*.log
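Checks 2 and 3 can be scripted so they run offline and never print a key value. The script below is an added example, not part of reconFTW: it assumes secrets.cfg uses shell-style NAME="value" lines, the key names in the fixture are constructed, and the permission check on secrets.cfg is an extra step beyond the list above.

```shell
#!/bin/sh
# Added example: offline triage for an empty result set (not reconFTW's own code).

# Print the names of keys whose value is empty; values are never printed.
# Assumption: secrets.cfg uses shell-style NAME="value" lines.
empty_keys() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/\2=\3/p' "$1" |
    while IFS='=' read -r name value; do
        # Drop trailing comments, whitespace and quotes before testing for emptiness.
        value=$(printf '%s' "$value" | sed -e 's/#.*//' -e "s/[[:space:]\"']//g")
        if [ -z "$value" ]; then printf '%s\n' "$name"; fi
    done
}

# Succeeds when group or others can read the file that holds the API keys.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# Number of non-empty log files under Recon/<domain>/.log/.
log_count() {
    find "$1/.log" -type f -name '*.log' -size +0 2>/dev/null | wc -l | tr -d ' '
}

# Constructed fixture: a hypothetical secrets.cfg and one log file.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Recon/target.com/.log"
    printf '%s\n' 'EXAMPLE_API_KEY="constructed-value"' 'EXAMPLE_TOKEN=""' \
        '# NOTE=ignored' 'export OTHER_KEY=  # unset' > "$dir/secrets.cfg"
    chmod 644 "$dir/secrets.cfg"
    echo "scan started" > "$dir/Recon/target.com/.log/run.log"
    printf '%s\n' "$dir"
}

triage() {   # usage: triage <reconftw dir> <domain>
    echo "keys with no value:"; empty_keys "$1/secrets.cfg" | sed 's/^/  /'
    if readable_by_others "$1/secrets.cfg"; then
        echo "secrets.cfg is readable by other users; consider chmod 600"
    fi
    echo "non-empty logs: $(log_count "$1/Recon/$2")"
}

# Runs only when called with both arguments, e.g.: sh triage.sh . target.com
if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```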

"Can I stop and resume?"

Yes! Just Ctrl+C to stop, run same command to resume.


🎉 You're Ready!

You now know enough to:

Next steps:
