reconFTW config file: NO google/osint, wordlist creation, nuclei js analysis
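#################################################################
# reconFTW config file
#
# This file is plain shell that reconFTW sources; every line must stay a
# valid assignment (or an `export`).  Variable names are read by the main
# script, so keep the names and only change the values.
#
# Secrets (API keys, tokens, BBRF credentials) live in this file in clear
# text: keep it out of version control and restrict its permissions.
#################################################################

# General values
tools=~/Tools # Path installed tools
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get current script's path
# Name of the current shell's rc file (e.g. ".bashrc"); $SHELL is quoted so an
# unusual path cannot be word-split or glob-expanded before basename sees it.
profile_shell=".$(basename "$SHELL")rc" # Get current shell profile
reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version (expects to be run from the git checkout)
generate_resolvers=false # Generate custom resolvers with dnsvalidator
update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution
resolvers_url="https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers.txt"
resolvers_trusted_url="https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt"
proxy_url="http://127.0.0.1:8080/" # Proxy url (only used when PROXY=true below)
install_golang=true # Set it to false if you already have Golang configured and ready
#dir_output=/custom/output/path

# Golang Vars (Comment or change on your own)
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH

# Tools config files
#NOTIFY_CONFIG=~/.config/notify/provider-config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens
#CUSTOM_CONFIG=custom_config_path.txt # In case you use a custom config file, uncomment this line and set your files path

# APIs/TOKENS - Uncomment the lines you want removing the '#' at the beginning of the line
# The "XXXX" values are placeholders, not working keys.
#SHODAN_API_KEY="XXXXXXXXXXXXX"
#WHOISXML_API="XXXXXXXXXX"
#XSS_SERVER="XXXXXXXXXXXXXXXXX"
#COLLAB_SERVER="XXXXXXXXXXXXXXXXX"
#slack_channel="XXXXXXXX"
#slack_auth="xoXX-XXX-XXX-XXX"

# File descriptors
DEBUG_STD="&>/dev/null" # Skips STD output on installer
DEBUG_ERROR="2>/dev/null" # Skips ERR output on installer

# Osint
OSINT=false # Enable or disable the whole OSINT module
GOOGLE_DORKS=false
GITHUB_DORKS=false
GITHUB_REPOS=false
METADATA=false # Fetch metadata from indexed office documents
EMAILS=false # Fetch emails from different sites
DOMAIN_INFO=false # whois info
REVERSE_WHOIS=false # amass intel reverse whois info, takes some time
IP_INFO=false # Reverse IP search, geolocation and whois
METAFINDER_LIMIT=20 # Max 250

# Subdomains
RUNAMASS=true
RUNSUBFINDER=true
SUBDOMAINS_GENERAL=true # Enable or disable the whole Subdomains module
SUBPASSIVE=true # Passive subdomains search
SUBCRT=true # crtsh search
SUBNOERROR=true # Check DNS NOERROR response and BF on them
SUBANALYTICS=true # Google Analytics search
SUBBRUTE=true # DNS bruteforcing
SUBSCRAPING=true # Subdomains extraction from web crawling
SUBPERMUTE=true # DNS permutations
SUBREGEXPERMUTE=true # Permutations by regex analysis
PERMUTATIONS_OPTION=gotator # The alternative is "ripgen" (faster, not deeper)
GOTATOR_FLAGS=" -depth 1 -numbers 3 -mindup -adv -md" # Flags for gotator
SUBTAKEOVER=false # Check subdomain takeovers, false by default cuz nuclei already check this
SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries
DEEP_RECURSIVE_PASSIVE=10 # Number of top subdomains for recursion
SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve
ZONETRANSFER=true # Check zone transfer
S3BUCKETS=true # Check S3 buckets misconfigs
REVERSE_IP=false # Check reverse IP subdomain search (set True if your target is CIDR/IP)
TLS_PORTS="21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,684,695,832,853,854,990,993,989,992,994,995,1129,1131,1184,2083,2087,2089,2096,2221,2252,2376,2381,2478,2479,2482,2484,2679,2762,3077,3078,3183,3191,3220,3269,3306,3410,3424,3471,3496,3509,3529,3539,3535,3660,36611,3713,3747,3766,3864,3885,3995,3896,4031,4036,4062,4064,4081,4083,4116,4335,4336,4536,4590,4740,4843,4849,5443,5007,5061,5321,5349,5671,5783,5868,5986,5989,5990,6209,6251,6443,6513,6514,6619,6697,6771,7202,7443,7673,7674,7677,7775,8243,8443,8991,8989,9089,9295,9318,9443,9444,9614,9802,10161,10162,11751,12013,12109,14143,15002,16995,41230,16993,20003"
INSCOPE=false # Uses inscope tool to filter the scope, requires .scope file in reconftw folder

# Web detection
WEBPROBESIMPLE=true # Web probing on 80/443
WEBPROBEFULL=true # Web probing in a large port list
WEBSCREENSHOT=true # Webs screenshooting
VIRTUALHOSTS=false # Check virtualhosts by fuzzing HOST header
NMAP_WEBPROBE=true # If disabled it will run httpx directly over subdomains list, nmap before web probing is used to increase the speed and avoid repeated requests
UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3001,3002,3003,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672"
# You can change to aquatone if gowitness fails, comment the one you don't want
AXIOM_SCREENSHOT_MODULE=webscreenshot # Choose between aquatone,gowitness,webscreenshot

# Host
FAVICON=true # Check Favicon domain discovery
PORTSCANNER=true # Enable or disable the whole Port scanner module
PORTSCAN_PASSIVE=true # Port scanner with Shodan
PORTSCAN_ACTIVE=true # Port scanner with nmap
CDN_IP=true # Check which IPs belongs to CDN

# Web analysis
WAF_DETECTION=false # Detect WAFs
NUCLEICHECK=true # Enable or disable nuclei
NUCLEI_SEVERITY="info,low,medium,high,critical" # Set templates criticity
NUCLEI_FLAGS=" -silent -t $HOME/nuclei-templates/ -retries 2" # Additional nuclei extra flags, don't set the severity here but the exclusions like " -etags openssh"
#NUCLEI_FLAGS_JS=" -silent -tags exposure,token -severity info,low,medium,high,critical" # Additional nuclei extra flags for js secrets
URL_CHECK=true # Enable or disable URL collection
URL_CHECK_PASSIVE=true # Search for urls, passive methods from Archive, OTX, CommonCrawl, etc
URL_CHECK_ACTIVE=true # Search for urls by crawling the websites
URL_GF=true # Url patterns classification
URL_EXT=true # Returns a list of files divided by extension
JSCHECKS=true # JS analysis
FUZZ=true # Web fuzzing
CMS_SCANNER=true # CMS scanner
WORDLIST=false # Wordlist generation
ROBOTSWORDLIST=true # Check historic disallow entries on waybackMachine
PASSWORD_DICT=false # Generate password dictionary
PASSWORD_MIN_LENGTH=5 # Min password length
PASSWORD_MAX_LENGTH=14 # Max password length

# Vulns
VULNS_GENERAL=true # Enable or disable the vulnerability module (very intrusive and slow)
XSS=true # Check for xss with dalfox
CORS=true # CORS misconfigs
TEST_SSL=true # SSL misconfigs
OPEN_REDIRECT=true # Check open redirects
SSRF_CHECKS=true # SSRF checks
CRLF_CHECKS=true # CRLF checks
LFI=true # LFI by fuzzing
SSTI=true # SSTI by fuzzing
SQLI=true # Check SQLI with sqlmap
BROKENLINKS=true # Check for brokenlinks
SPRAY=true # Performs password spraying
COMM_INJ=true # Check for command injections with commix
PROTO_POLLUTION=true # Check for prototype pollution flaws
SMUGGLING=true # Check for HTTP request smuggling flaws
WEBCACHE=true # Check for web cache flaws (its comment used to duplicate the SMUGGLING line)

# Extra features
NOTIFICATION=false # Notification for every function
SOFT_NOTIFICATION=false # Only for start/end
DEEP=false # DEEP mode, really slow and don't care about the number of results
DEEP_LIMIT=500 # First limit to not run unless you run DEEP
DEEP_LIMIT2=1500 # Second limit to not run unless you run DEEP
DIFF=false # Diff function, run every module over an already scanned target, printing only new findings (but save everything)
REMOVETMP=false # Delete temporary files after execution (to free up space)
REMOVELOG=false # Delete logs after execution
PROXY=false # Send to proxy the websites found
SENDZIPNOTIFY=false # Send to zip the results (over notify)
PRESERVE=true # set to true to avoid deleting the .called_fn files on really large scans
FFUF_FLAGS=" -mc all -fc 404 -ac -sf" # Ffuf flags
HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location" # Httpx flags for simple web probing

# HTTP options
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" # Default header

# Threads
FFUF_THREADS=40
HTTPX_THREADS=50
HTTPX_UNCOMMONPORTS_THREADS=100
GOSPIDER_THREADS=20
BRUTESPRAY_THREADS=20
BRUTESPRAY_CONCURRENCE=10
GAU_THREADS=10
DNSTAKE_THREADS=100
DALFOX_THREADS=200
PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 means unlimited
PUREDNS_TRUSTED_LIMIT=400
PUREDNS_WILDCARDTEST_LIMIT=30
PUREDNS_WILDCARDBATCH_LIMIT=1500000
WEBSCREENSHOT_THREADS=200
GOWITNESS_THREADS=8
RESOLVE_DOMAINS_THREADS=150
PPFUZZ_THREADS=30
DNSVALIDATOR_THREADS=200
INTERLACE_THREADS=10
TLSX_THREADS=1000
XNLINKFINDER_DEPTH=3

# Rate limits
HTTPX_RATELIMIT=150
NUCLEI_RATELIMIT=150
FFUF_RATELIMIT=0

# Timeouts
AMASS_INTEL_TIMEOUT=15 # Minutes
AMASS_ENUM_TIMEOUT=180 # Minutes
CMSSCAN_TIMEOUT=3600 # Seconds
FFUF_MAXTIME=900 # Seconds
HTTPX_TIMEOUT=10 # Seconds
HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Seconds
PERMUTATIONS_LIMIT=21474836480 # Bytes, default is 20 GB

# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
ssti_wordlist=${tools}/ssti_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
subs_wordlist_big=${tools}/subdomains_big.txt
resolvers=${tools}/resolvers.txt
resolvers_trusted=${tools}/resolvers_trusted.txt

# Axiom Fleet
# Will not start a new fleet if one exist w/ same name and size (or larger)
# AXIOM=false Uncomment only to overwrite command line flags
AXIOM_FLEET_LAUNCH=true # Enable or disable spin up a new fleet, if false it will use the current fleet with the AXIOM_FLEET_NAME prefix
AXIOM_FLEET_NAME="reconFTW" # Fleet's prefix name
AXIOM_FLEET_COUNT=5 # Fleet's number
AXIOM_FLEET_REGIONS="eu-central" # Fleet's region
AXIOM_FLEET_SHUTDOWN=true # Enable or disable delete the fleet after the execution
# This is a script on your reconftw host that might prep things your way...
#AXIOM_POST_START="~/Tools/axiom_config.sh" # Useful to send your config files to the fleet
AXIOM_EXTRA_ARGS="" # Leave empty if you don't want to add extra arguments
#AXIOM_EXTRA_ARGS=" --rm-logs" # Example

# BBRF
BBRF_CONNECTION=false
BBRF_SERVER=https://demo.bbrf.me/bbrf
# Placeholder credentials for the public demo server; replace them with your
# own before setting BBRF_CONNECTION=true, and do not commit real values here.
BBRF_USERNAME="user"
BBRF_PASSWORD="password"

# TERM COLORS (ANSI escape sequences, expanded by the caller with printf/echo -e)
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
byellow='\033[1;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
yellow='\033[0;33m'
reset='\033[0m'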