Apr 18, 2021, 06:30 AM
* The ```reconftw.cfg``` config file gives you complete control over the whole execution of reconFTW.
* Here you can control which modules run and which do not.
* Specify which **wordlists** to use, **config files**, **threads** for each tool, etc.
* The file is plain shell that reconFTW sources, so every option is a shell variable assignment and values follow shell quoting rules.
* The following explains what each of the options is for:

## Output colors
* These variables hold the ANSI escape sequences used to color reconFTW's terminal output.
* [Here](https://misc.flogisoft.com/bash/tip_colors_and_formatting) you can find a good guide if you want to change those colors.

__** Warning: a wrong change here can break the output, so be careful **__

| OPTION | Default | Description |
|------------|-------------|--|
| bred | '\033[1;31m' | Bold red |
| bblue | '\033[1;34m' | Bold blue |
| bgreen | '\033[1;32m' | Bold green |
| yellow | '\033[0;33m' | Yellow |
| red | '\033[0;31m' | Red |
| blue | '\033[0;34m' | Blue |
| green | '\033[0;32m' | Green |
| reset | '\033[0m' | Reset color |

## General values
* Values affecting the general workflow of the tool, regardless of which mode is used.

| OPTION | Default | Description |
|------------|-------------|--|
| tools | ~/Tools/ | Path where all the tools will be installed |
| SCRIPTPATH | "$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" | Path where reconFTW is placed, resolved from the script's own location |
| profile_shell | ".$(basename $(echo $SHELL))rc" | Name of your shell's config file (i.e. ```.zshrc``` or ```.bashrc```), derived from ```$SHELL``` |
| reconftw_version | $(git branch --show-current)-$(git describe --tags) | Version string built from the current git branch and tag |
| dir_output | false | User-defined output folder; leave as **false** for the default location, or set a custom path such as /custom/output/path |

## Golang env vars
* These are the default values for the Golang installation; if your setup differs, change them here.

__** Warning: any mistake here can break the script execution **__

| OPTION | Default | Description |
|------------|-------------|--|
| export GOROOT | /usr/local/go | Directory where Go itself is installed |
| export GOPATH | $HOME/go | Go workspace; Go-based tools are installed under $GOPATH/bin |
| export PATH | $GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH | Prepend the Go binary directories (and ~/.local/bin) to your $PATH |

## Tools config files
* Paths to the config files of the tools used by reconFTW.

| OPTION | Default | Description |
|------------|-------------|--|
| AMASS_CONFIG | ~/.config/amass/config.ini | Amass config file location |
| GITHUB_TOKENS | ${tools}/.github_tokens | File with GitHub tokens, one per line |
| NOTIFY_CONFIG | ~/.config/notify/notify.conf | Notify config file location |
| SUBFINDER_CONFIG | ~/.config/subfinder/config.yaml | Subfinder config file location |

## API/Tokens
* Here you can define the API keys, values or tokens used by the tools; they can be defined either in your ```.bashrc/.zshrc``` or here.
* If you want to define them here, first uncomment the line and then add the value.
* Once filled in, this file holds credentials: restrict its permissions and keep it out of version control.

| OPTION | Default | Description |
|------------|-------------|--|
| SHODAN_API_KEY | | Shodan API key |
| XSS_SERVER | | Server for blind XSS payloads; one can be created at [XSS Hunter](https://xsshunter.com/) (i.e. six2dez.xss.ht) |
| COLLAB_SERVER | | Collaborator server for SSRF tests |
| findomain_virustotal_token | | VirusTotal API key, used by Findomain |
| findomain_spyse_token | | Spyse API key, used by Findomain |
| findomain_securitytrails_token | | SecurityTrails API key, used by Findomain |
| findomain_fb_token | | Facebook token, used by Findomain |

## File descriptors
* As you can see, reconFTW doesn't output the original stdout of the tools; their output is redirected to keep the execution clean.
* You can comment out both variables to output everything (same behavior as the -v flag), or comment out only ```DEBUG_ERROR``` to show just the tools' errors.

| OPTION | Default | Description |
|------------|-------------|--|
| DEBUG_STD | "&>/dev/null" | Standard and error output redirection (everything from the tool is discarded) |
| DEBUG_ERROR | "2>/dev/null" | Error output redirection (only stderr is discarded) |

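How those two strings take effect is easier to see than to describe. The block below is an added example, not reconFTW's own code; it assumes the script appends one of the variables to each tool invocation and evaluates the line with `eval`, which is what storing a redirection as a string implies. The shipped default uses bash's `&>/dev/null`; the POSIX-equivalent `>/dev/null 2>&1` is used here so the example also runs under plain `sh`. The stand-in tool and its output lines are constructed.

```shell
#!/bin/sh
# Added example, not reconFTW's own code: how the DEBUG_STD / DEBUG_ERROR strings
# take effect. Assumption: reconFTW appends one of them to each tool invocation and
# evaluates the line with eval. ">/dev/null 2>&1" stands in for bash's "&>/dev/null".

# Constructed stand-in for a tool: one result line on stdout, one warning on stderr.
fake_tool() {
    echo "found: api.example.com"
    echo "warning: rate limited" >&2
}

# Two call styles: a tool whose whole output is noise gets $DEBUG_STD appended,
# while a tool whose stdout feeds a file or pipeline only gets $DEBUG_ERROR.
run_noisy_tool() { eval "$* $DEBUG_STD"; }
run_piped_tool() { eval "$* $DEBUG_ERROR"; }

# Capture stdout and stderr of a command as one string, for comparison.
capture() { "$@" 2>&1; }

# Defaults as shipped (POSIX form): everything silenced.
DEBUG_STD=">/dev/null 2>&1"
DEBUG_ERROR="2>/dev/null"
capture run_noisy_tool fake_tool   # prints nothing at all
capture run_piped_tool fake_tool   # prints "found: api.example.com", the warning is dropped

# DEBUG_ERROR commented out (empty): tool errors become visible, noisy tools stay silent.
DEBUG_ERROR=""
capture run_piped_tool fake_tool   # prints both lines

# Both commented out: equivalent to running with -v.
DEBUG_STD=""
capture run_noisy_tool fake_tool   # prints both lines
```

Because the string is evaluated as part of every command line, keep it to a plain redirection: anything else placed in it would run once per tool invocation.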
## OSINT
* The sub-modules of the OSINT module can be disabled by setting the value to ```false```.

| OPTION | Default | Description |
|------------|-------------|--|
| GOOGLE_DORKS | true | Google dorking |
| GITHUB_DORKS | false | GitHub dorking, off by default because it is slow |
| METADATA | true | Extract metadata from public files |
| EMAILS | true | Extract emails/users/passwords related to the target |
| DOMAIN_INFO | true | Whois info and other domains registered to the same registrant |

## Subdomains
* Each subdomain enumeration technique used by reconFTW can be disabled as needed.

| OPTION | Default | Description |
|------------|-------------|--|
| SUBCRT | true | Subdomains from certificate transparency (CT logs) |
| SUBBRUTE | true | Subdomain bruteforcing |
| SUBSCRAPING | true | Subdomain scraping (JS files and source code) |
| SUBPERMUTE | true | Subdomain permutation/alteration |
| SUBTAKEOVER | true | Subdomain takeover check |
| SUBRECURSIVE | true | Recursive subdomain bruteforcing |
| ZONETRANSFER | true | DNS zone transfer check |
| S3BUCKETS | true | Check for S3 buckets |

## Web detection
* Web probing tasks to detect whether the discovered hosts have websites on them.

| OPTION | Default | Description |
|------------|-------------|--|
| WEBPROBESIMPLE | true | Web probing on ports 80 and 443 (http and https) |
| WEBPROBEFULL | true | Web probing on 85 additional common ports where a website may be hosted (both http and https) |
| WEBSCREENSHOT | true | Take a screenshot of every website found |

## Hosts
* Tasks performed on the hosts found.

| OPTION | Default | Description |
|------------|-------------|--|
| FAVICON | true | Hash the favicon and look for other hosts with the same hash, to find more domains or an origin behind a WAF |
| PORTSCANNER | true | Master switch for port scanning; set to false to disable every type of port scan |
| PORTSCAN_PASSIVE | true | Passive port scan with Shodan |
| PORTSCAN_ACTIVE | true | Active port scan with nmap (top 1000 ports) |

## Website analysis
* Tasks performed on websites to retrieve and detect as much information as possible.

| OPTION | Default | Description |
|------------|-------------|--|
| WAF_DETECTION | true | Detect if the website is behind a WAF |
| NUCLEICHECK | true | Run nuclei templates |
| URL_CHECK | true | Retrieve URLs from passive sources and crawling |
| URL_GF | true | Analyze the extracted URLs with gf patterns |
| URL_EXT | true | Sort the extracted URLs into files by file extension |
| JSCHECKS | true | Analyze JS files |
| PARAMS | true | Retrieve URLs with GET parameters and bruteforce hidden parameters |
| FUZZ | true | Web fuzzing |
| CMS_SCANNER | true | Scan to detect the CMS |
| WORDLIST | true | Generate a custom wordlist from the URLs found, for use in fuzzing |

## Vulns
* Every vulnerability check runs on URLs that were first deduplicated and filtered with uddup, qsreplace and gf patterns.

| OPTION | Default | Description |
|------------|-------------|--|
| XSS | true | Reflected XSS: candidates found with Gxss, confirmed with dalfox |
| CORS | true | CORS misconfigurations |
| TEST_SSL | true | SSL/TLS checks |
| OPEN_REDIRECT | true | Check for open redirect flaws |
| SSRF_CHECKS | true | Scan for SSRF |
| CRLF_CHECKS | true | Scan for CRLF injection |
| LFI | true | LFI with the fuzzing wordlist |
| SSTI | true | SSTI with fuzzing |
| SQLI | true | SQLi with SQLMap |
| BROKENLINKS | true | Check for broken links |
| SPRAY | true | Password spraying with brutespray over the ports and services found |
| BYPASSER4XX | true | Try common 4xx bypasses on the 4xx responses found during fuzzing |

## Extra option
* Advanced options that you may find interesting

| OPTION | Default | Description |
|------------|-------------|--|
| NOTIFICATION | false | Set to true to receive notifications (Telegram, Slack or Discord); needs configuration |
| DEEP | false | Enable deep (and slower) scan, same as the --deep flag |
| DIFF | false | Allow re-running over the same targets and report only the new findings (for cron mode and monitoring) |
| REMOVETMP | false | Remove temporary files when the scan finishes |

## Http options
* Headers for HTTP requests

| OPTION | Default | Description |
|------------|-------------|--|
| COOKIE | "" | Define a custom Cookie |
| HEADER | "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" | Define a custom header or User-Agent |

## Threads
* Thread counts for the tools; lower them for rate-limited targets.

| OPTION | Default | Description |
|------------|-------------|--|
| FFUF_THREADS | 40 | Fuzzing threads |
| HTTPX_THREADS | 50 | HTTP probe threads |
| HTTPX_UNCOMMONPORTS_THREADS | 100 | HTTP probe threads for uncommon ports |
| GOSPIDER_THREADS | 50 | Crawler threads |
| GITDORKER_THREADS | 5 | GitHub dorking threads |
| BRUTESPRAY_THREADS | 20 | Password spraying threads |
| BRUTESPRAY_CONCURRENCE | 10 | Password spraying concurrent hosts |
| ARJUN_THREADS | 20 | Parameter discovery threads |

## Lists
* Wordlists used by default.

| OPTION | Default | Description |
|------------|-------------|--|
| fuzz_wordlist | ${tools}/fuzz_wordlist.txt | Fuzzing wordlist |
| lfi_wordlist | ${tools}/lfi_wordlist.txt | LFI wordlist |
| subs_wordlist | ${tools}/subdomains.txt | Subdomain wordlist |
| subs_wordlist_big | ${tools}/subdomains_big.txt | Big subdomain wordlist used with the deep flag |
| resolvers | ${tools}/resolvers.txt | List of DNS resolvers |

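The toggles from the OSINT, Subdomains, Web detection, Hosts, Website analysis, Vulns and Extra option sections, the thread counts above and these wordlist paths are all plain shell assignments, and nothing validates them before a scan starts: a value such as `SUBBRUTE=ture` is never equal to `true` and silently disables the module, and a missing wordlist only surfaces once the run reaches it. The pre-flight lint below is an added example, not part of reconFTW. It sources a constructed sample cfg containing three deliberate mistakes and reports any toggle that is not exactly `true`/`false`, any thread count that is not a positive integer, any wordlist that is not a non-empty file, and a `dir_output` that is not writable. The variable names are those documented on this page; the checks, their grouping and the sample values are this example's own.

```shell
#!/bin/sh
# Added example, not part of reconFTW: a pre-flight lint for reconftw.cfg. The
# variable names are the ones documented on the page; the grouping, the checks and
# the constructed sample cfg are this example's own.

BOOL_VARS="GOOGLE_DORKS GITHUB_DORKS METADATA EMAILS DOMAIN_INFO
SUBCRT SUBBRUTE SUBSCRAPING SUBPERMUTE SUBTAKEOVER SUBRECURSIVE ZONETRANSFER S3BUCKETS
WEBPROBESIMPLE WEBPROBEFULL WEBSCREENSHOT FAVICON PORTSCANNER PORTSCAN_PASSIVE PORTSCAN_ACTIVE
WAF_DETECTION NUCLEICHECK URL_CHECK URL_GF URL_EXT JSCHECKS PARAMS FUZZ CMS_SCANNER WORDLIST
XSS CORS TEST_SSL OPEN_REDIRECT SSRF_CHECKS CRLF_CHECKS LFI SSTI SQLI BROKENLINKS SPRAY BYPASSER4XX
NOTIFICATION DEEP DIFF REMOVETMP"
INT_VARS="FFUF_THREADS HTTPX_THREADS HTTPX_UNCOMMONPORTS_THREADS GOSPIDER_THREADS
GITDORKER_THREADS BRUTESPRAY_THREADS BRUTESPRAY_CONCURRENCE ARJUN_THREADS"
FILE_VARS="fuzz_wordlist lfi_wordlist subs_wordlist subs_wordlist_big resolvers"

# lint_cfg FILE: source FILE in a subshell (so nothing leaks into the caller) and
# print one "KIND name=value" line per problem. Returns 0 when the cfg is clean.
# Variables the cfg leaves unset are skipped: they keep the shipped default.
lint_cfg() (
    . "$1" || exit 2
    problems=0
    for name in $BOOL_VARS; do            # module toggles must be exactly true/false
        eval "v=\${$name-}"
        case $v in
            ''|true|false) ;;
            *) echo "BOOL $name=$v"; problems=$((problems + 1)) ;;
        esac
    done
    for name in $INT_VARS; do             # thread counts must be positive integers
        eval "v=\${$name-}"
        case $v in
            '') ;;
            *[!0-9]*|0) echo "INT $name=$v"; problems=$((problems + 1)) ;;
        esac
    done
    for name in $FILE_VARS; do            # wordlists and resolvers must exist and be non-empty
        eval "v=\${$name-}"
        [ -z "$v" ] || [ -s "$v" ] || { echo "FILE $name=$v"; problems=$((problems + 1)); }
    done
    # dir_output is either false or a writable directory
    if [ "${dir_output-false}" != false ] && [ ! -w "$dir_output" ]; then
        echo "DIR dir_output=$dir_output"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
)

# Constructed sample cfg with three deliberate mistakes, written to a temp dir:
# a misspelled toggle, a non-numeric thread count and a wordlist that does not exist.
CFG_DIR=$(mktemp -d)
mkdir -p "$CFG_DIR/Tools"
echo www >"$CFG_DIR/Tools/subdomains.txt"   # present and non-empty
cat >"$CFG_DIR/reconftw.cfg" <<EOF
tools=$CFG_DIR/Tools
dir_output=false
SUBBRUTE=ture
SUBTAKEOVER=true
FFUF_THREADS=40
HTTPX_THREADS=many
subs_wordlist=\${tools}/subdomains.txt
fuzz_wordlist=\${tools}/fuzz_wordlist.txt
EOF

if lint_cfg "$CFG_DIR/reconftw.cfg"; then
    echo "reconftw.cfg looks sane"
else
    echo "fix the entries above before starting a scan" >&2
fi
```

On the sample cfg the lint prints `BOOL SUBBRUTE=ture`, `INT HTTPX_THREADS=many` and a `FILE fuzz_wordlist=...` line and exits non-zero; point it at your real `reconftw.cfg` before a long run. The file checks are what catch a `tools` path that was moved after the wordlists were referenced relative to it.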
***
