Dev

README.md

@@ -275,7 +275,7 @@ RESOLVE_DOMAINS_THREADS=150
 PPFUZZ_THREADS=30
 DNSVALIDATOR_THREADS=200
 INTERLACE_THREADS=10
-CERO_THREADS=1000
+TLSX_THREADS=1000
 
 # Rate limits
 HTTPX_RATELIMIT=150
@@ -445,7 +445,7 @@ reset='\033[0m'
   - JS files & Source Code Scraping ([gospider](https://github.com/jaeles-project/gospider))
   - DNS Records ([dnsx](https://github.com/projectdiscovery/dnsx))
   - Google Analytics ID ([AnalyticsRelationships](https://github.com/Josue87/AnalyticsRelationships))
-  - TLS handshake ([cero](https://github.com/glebarez/cero))
+  - TLS handshake ([tlsx](https://github.com/projectdiscovery/tlsx))
   - Recursive search.
   - Subdomains takeover ([nuclei](https://github.com/projectdiscovery/nuclei))
   - DNS takeover ([dnstake](https://github.com/pwnesia/dnstake))
@@ -471,7 +471,7 @@ reset='\033[0m'
 - SSRF (headers [interactsh](https://github.com/projectdiscovery/interactsh) and param values with [ffuf](https://github.com/ffuf/ffuf))
 - CRLF ([crlfuzz](https://github.com/dwisiswant0/crlfuzz))
 - Favicon Real IP ([fav-up](https://github.com/pielco11/fav-up))
-- Javascript analysis ([subjs](https://github.com/lc/subjs), [JSA](https://github.com/w9w/JSA), [LinkFinder](https://github.com/GerbenJavado/LinkFinder), [getjswords](https://github.com/m4ll0k/BBTz))
+- Javascript analysis ([subjs](https://github.com/lc/subjs), [JSA](https://github.com/w9w/JSA), [xnLinkFinder](https://github.com/xnl-h4ck3r/xnLinkFinder), [getjswords](https://github.com/m4ll0k/BBTz))
 - Fuzzing ([ffuf](https://github.com/ffuf/ffuf))
 - Cors ([Corsy](https://github.com/s0md3v/Corsy))
 - LFI Checks ([ffuf](https://github.com/ffuf/ffuf))

Terraform/files/reconftw.cfg

@@ -146,7 +146,7 @@ RESOLVE_DOMAINS_THREADS=150
 PPFUZZ_THREADS=30
 DNSVALIDATOR_THREADS=200
 INTERLACE_THREADS=10
-CERO_THREADS=1000
+TLSX_THREADS=1000
 
 # Timeouts
 CMSSCAN_TIMEOUT=3600

install.sh

@@ -32,6 +32,8 @@ else
 fi
 
 # Check Bash version
+#(bash --version | awk 'NR==1{print $4}' | cut -d'.' -f1) 2&>/dev/null || echo "Unable to get bash version, for MacOS run 'brew install bash' and rerun installer in a new terminal" && exit 1
+
 BASH_VERSION=$(bash --version | awk 'NR==1{print $4}' | cut -d'.' -f1)
 if [ ${BASH_VERSION} -lt 4 ]; then
      printf "${bred} Your Bash version is lower than 4, please update${reset}\n"
@@ -70,7 +72,7 @@ gotools["mapcidr"]="go install -v github.com/projectdiscovery/mapcidr/cmd/mapcid
 gotools["ipcdn"]="go install -v github.com/six2dez/ipcdn@latest"
 gotools["dnstake"]="go install -v github.com/pwnesia/dnstake/cmd/dnstake@latest"
 gotools["gowitness"]="go install -v github.com/sensepost/gowitness@latest"
-gotools["cero"]="go install -v github.com/glebarez/cero@latest"
+gotools["tlsx"]="go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest"
 gotools["gitdorks_go"]="go install -v github.com/damit5/gitdorks_go@latest"
 gotools["smap"]="go install -v github.com/s0md3v/smap/cmd/smap@latest"
 gotools["dsieve"]="go install -v github.com/trickest/dsieve@latest"
@@ -85,7 +87,7 @@ repos["wafw00f"]="EnableSecurity/wafw00f"
 repos["gf"]="tomnomnom/gf"
 repos["Gf-Patterns"]="1ndianl33t/Gf-Patterns"
 repos["ctfr"]="UnaPibaGeek/ctfr"
-repos["LinkFinder"]="dark-warlord14/LinkFinder"
+repos["xnLinkFinder"]="xnl-h4ck3r/xnLinkFinder"
 repos["Corsy"]="s0md3v/Corsy"
 repos["CMSeeK"]="Tuhinshubhra/CMSeeK"
 repos["fav-up"]="pielco11/fav-up"
@@ -220,7 +222,7 @@ if [[ $(eval type go $DEBUG_ERROR | grep -o 'go is') == "go is" ]] && [ "$versio
             eval $SUDO tar -C /usr/local -xzf ${version}.linux-amd64.tar.gz $DEBUG_STD
         fi
         eval $SUDO ln -sf /usr/local/go/bin/go /usr/local/bin/
-        rm -rf $version*
+        #rm -rf $version*
         export GOROOT=/usr/local/go
         export GOPATH=$HOME/go
         export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH
@@ -369,7 +371,7 @@ wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers
 wget -q -O - https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt > ${resolvers} 
 wget -q -O - https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw > ${subs_wordlist}
 wget -q -O - https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw > ${tools}/permutations_list.txt
-wget -q -O - https://media.githubusercontent.com/media/six2dez/OneListForAll/main/onelistforallmicro.txt > ${fuzz_wordlist}
+wget -q -O - https://raw.githubusercontent.com/six2dez/OneListForAll/main/onelistforallmicro.txt > ${fuzz_wordlist}
 wget -q -O - https://gist.githubusercontent.com/six2dez/a89a0c7861d49bb61a09822d272d5395/raw > ${lfi_wordlist}
 wget -q -O - https://gist.githubusercontent.com/six2dez/ab5277b11da7369bf4e9db72b49ad3c1/raw > ${ssti_wordlist}
 wget -q -O - https://gist.github.com/six2dez/d62ab8f8ffd28e1c206d401081d977ae/raw > ${tools}/headers_inject.txt

reconftw.cfg

@@ -3,13 +3,13 @@
 #################################################################
 
 # General values
-tools=~/Tools
-SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
-profile_shell=".$(basename $(echo $SHELL))rc"
-reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags)
-generate_resolvers=false
-update_resolvers=true
-proxy_url="http://127.0.0.1:8080/"
+tools=~/Tools   # Path installed tools
+SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get current script's path
+profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile
+reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version
+generate_resolvers=false # Generate custom resolvers with dnsvalidator
+update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution
+proxy_url="http://127.0.0.1:8080/" # Proxy url
 #dir_output=/custom/output/path
 
 # Golang Vars (Comment or change on your own)
@@ -32,102 +32,105 @@ GITHUB_TOKENS=${tools}/.github_tokens
 #slack_auth="xoXX-XXX-XXX-XXX"
 
 # File descriptors
-DEBUG_STD="&>/dev/null"
-DEBUG_ERROR="2>/dev/null"
+DEBUG_STD="&>/dev/null" # Skips STD output on installer
+DEBUG_ERROR="2>/dev/null" # Skips ERR output on installer
 
 # Osint
-OSINT=true
+OSINT=true # Enable or disable the whole OSINT module
 GOOGLE_DORKS=true
 GITHUB_DORKS=true
-METADATA=true
-EMAILS=true
-DOMAIN_INFO=true
-IP_INFO=true
+METADATA=true # Fetch metadata from indexed office documents
+EMAILS=true # Fetch emails from differents sites 
+DOMAIN_INFO=true # whois info
+REVERSE_WHOIS=true # amass intel reverse whois info, takes some time
+IP_INFO=true    # Reverse IP search, geolocation and whois
 METAFINDER_LIMIT=20 # Max 250
 
 # Subdomains
-SUBDOMAINS_GENERAL=true
-SUBPASSIVE=true
-SUBCRT=true
-SUBANALYTICS=true
-SUBBRUTE=true
-SUBSCRAPING=true
-SUBPERMUTE=true
+SUBDOMAINS_GENERAL=true # Enable or disable the whole Subdomains module
+SUBPASSIVE=true # Passive subdomains search
+SUBCRT=true # crtsh search
+SUBANALYTICS=true # Google Analytics search
+SUBBRUTE=true # DNS bruteforcing
+SUBSCRAPING=true # Subdomains extraction from web crawling
+SUBPERMUTE=true # DNS permutations
 PERMUTATIONS_OPTION=gotator # The alternative is "ripgen" (faster, not deeper)
-SUBTAKEOVER=true
+SUBTAKEOVER=true # Check subdomain takeovers
 SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries
 DEEP_RECURSIVE_PASSIVE=4 # This means it will iterate over sub.sub.domain.tld and below (3, 2 and 1 deep level subdomains)
 SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve
-ZONETRANSFER=true
-S3BUCKETS=true
-REVERSE_IP=false
+ZONETRANSFER=true # Check zone transfer
+S3BUCKETS=true # Check S3 buckets misconfigs
+REVERSE_IP=false # Check reverse IP subdomain search (set True if your target is CIDR/IP)
 TLS_PORTS="21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,684,695,832,853,854,990,993,989,990,992,993,994,995,1129,1131,1184,2083,2087,2089,2096,2221,2252,2376,2381,2478,2479,2482,2484,2679,2762,3077,3078,3183,3191,3220,3269,3306,3410,3424,3471,3496,3509,3529,3539,3535,3660,36611,3713,3747,3766,3864,3885,3995,3896,4031,4036,4062,4064,4081,4083,4116,4335,4336,4536,4590,4740,4843,4843,4849,5443,5007,5061,5321,5349,5671,5783,5868,5986,5989,5990,6209,6251,6443,6513,6514,6619,6697,6771,6697,7202,7443,7673,7674,7677,7775,8243,8443,8991,8989,9089,9295,9318,9443,9444,9614,9802,10161,10162,11751,12013,12109,14143,15002,16995,41230,16993,20003"
 
 # Web detection
-WEBPROBESIMPLE=true
-WEBPROBEFULL=true
-WEBSCREENSHOT=true
-VIRTUALHOSTS=false
+WEBPROBESIMPLE=true # Web probing on 80/443
+WEBPROBEFULL=true # Web probing in a large port list
+WEBSCREENSHOT=true # Webs screenshooting
+VIRTUALHOSTS=false # Check virtualhosts by fuzzing HOST header
 UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672"
 # You can change to aquatone if gowitness fails, comment the one you don't want
 AXIOM_SCREENSHOT_MODULE=webscreenshot # Choose between aquatone,gowitness,webscreenshot
 
 # Host
-FAVICON=true
-PORTSCANNER=true
-PORTSCAN_PASSIVE=true
-PORTSCAN_ACTIVE=true
-CDN_IP=true
+FAVICON=true # Check Favicon domain discovery
+PORTSCANNER=true # Enable or disable the whole Port scanner module 
+PORTSCAN_PASSIVE=true # Port scanner with Shodan
+PORTSCAN_ACTIVE=true # Port scanner with nmap
+CDN_IP=true # Check which IPs belongs to CDN
 
 # Web analysis
-WAF_DETECTION=true
-NUCLEICHECK=true
-NUCLEI_SEVERITY="info,low,medium,high,critical"
-URL_CHECK=true
-URL_GF=true
-URL_EXT=true
-JSCHECKS=true
-FUZZ=true
-CMS_SCANNER=true
-WORDLIST=true
-ROBOTSWORDLIST=true
-PASSWORD_DICT=true
-PASSWORD_MIN_LENGTH=5
-PASSWORD_MAX_LENGTH=14
+WAF_DETECTION=true # Detect WAFs
+NUCLEICHECK=true # Enable or disable nuclei
+NUCLEI_SEVERITY="info,low,medium,high,critical" # Set templates criticity
+URL_CHECK=true # Enable or disable URL collection
+URL_CHECK_PASSIVE=true # Search for urls, passive methods from Archive, OTX, CommonCrawl, etc
+URL_CHECK_ACTIVE=true # Search for urls by crawling the websites
+URL_GF=true # Url patterns classification
+URL_EXT=true # Returns a list of files divided by extension
+JSCHECKS=true # JS analysis
+FUZZ=true # Web fuzzing
+CMS_SCANNER=true # CMS scanner
+WORDLIST=true # Wordlist generation
+ROBOTSWORDLIST=true # Check historic disallow entries on waybackMachine
+PASSWORD_DICT=true # Generate password dictionary
+PASSWORD_MIN_LENGTH=5 # Min password lenght
+PASSWORD_MAX_LENGTH=14 # Max password lenght
 
 # Vulns
-VULNS_GENERAL=false
-XSS=true
-CORS=true
-TEST_SSL=true
-OPEN_REDIRECT=true
-SSRF_CHECKS=true
-CRLF_CHECKS=true
-LFI=true
-SSTI=true
-SQLI=true
-BROKENLINKS=true
-SPRAY=true
-COMM_INJ=true
-PROTO_POLLUTION=true
+VULNS_GENERAL=false # Enable or disable the vulnerability module (very intrusive and slow)
+XSS=true # Check for xss with dalfox
+CORS=true # CORS misconfigs
+TEST_SSL=true # SSL misconfigs
+OPEN_REDIRECT=true # Check open redirects
+SSRF_CHECKS=true # SSRF checks
+CRLF_CHECKS=true # CRLF checks
+LFI=true # LFI by fuzzing
+SSTI=true # SSTI by fuzzing
+SQLI=true # Check SQLI with sqlmap
+BROKENLINKS=true # Check for brokenlinks
+SPRAY=true # Performs password spraying
+COMM_INJ=true # Check for command injections with commix
+PROTO_POLLUTION=true # Check for prototype pollution flaws
 
 # Extra features
 NOTIFICATION=false # Notification for every function
 SOFT_NOTIFICATION=false # Only for start/end
-DEEP=false
-DEEP_LIMIT=500
-DEEP_LIMIT2=1500
-DIFF=false
-REMOVETMP=false
-REMOVELOG=false
-PROXY=false
-SENDZIPNOTIFY=false
+DEEP=false # DEEP mode, really slow and don't care about the number of results
+DEEP_LIMIT=500 # First limit to not run unless you run DEEP
+DEEP_LIMIT2=1500 # Second limit to not run unless you run DEEP
+DIFF=false # Diff function, run every module over an already scanned target, printing only new findings (but save everything)
+REMOVETMP=false # Delete temporary files after execution (to free up space)
+REMOVELOG=false # Delete logs after execution
+PROXY=false # Send to proxy the websites found
+SENDZIPNOTIFY=false # Send to zip the results (over notify)
 PRESERVE=true      # set to true to avoid deleting the .called_fn files on really large scans
-FFUF_FLAGS="-mc all -fc 404 -ac -sf -s"
-HTTPX_FLAGS="-follow-host-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -no-color -json"
+FFUF_FLAGS="-mc all -fc 404 -ac -sf -s" # Ffuf flags
+HTTPX_FLAGS="-follow-host-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location" # Httpx flags for simple web probing
 
 # HTTP options
-HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"
+HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" # Default header
 
 # Threads
 FFUF_THREADS=40
@@ -139,7 +142,7 @@ BRUTESPRAY_CONCURRENCE=10
 GAU_THREADS=10
 DNSTAKE_THREADS=100
 DALFOX_THREADS=200
-PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 is unlimited
+PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 means unlimited
 PUREDNS_TRUSTED_LIMIT=400
 PUREDNS_WILDCARDTEST_LIMIT=30
 PUREDNS_WILDCARDBATCH_LIMIT=1500000
@@ -149,15 +152,15 @@ RESOLVE_DOMAINS_THREADS=150
 PPFUZZ_THREADS=30
 DNSVALIDATOR_THREADS=200
 INTERLACE_THREADS=10
-CERO_THREADS=1000
+TLSX_THREADS=1000
 
 # Rate limits
 HTTPX_RATELIMIT=150
 NUCLEI_RATELIMIT=150
 FFUF_RATELIMIT=0
 
 # Timeouts
-CMSSCAN_TIMEOUT=3600
+CMSSCAN_TIMEOUT=3600            # Seconds
 FFUF_MAXTIME=900                # Seconds
 HTTPX_TIMEOUT=10                # Seconds
 HTTPX_UNCOMMONPORTS_TIMEOUT=10  # Seconds
@@ -175,13 +178,13 @@ resolvers_trusted=${tools}/resolvers_trusted.txt
 # Axiom Fleet
 # Will not start a new fleet if one exist w/ same name and size (or larger)
 # AXIOM=false Uncomment only to overwrite command line flags
-AXIOM_FLEET_LAUNCH=false
-AXIOM_FLEET_NAME="reconFTW"
-AXIOM_FLEET_COUNT=5
-AXIOM_FLEET_REGIONS="eu-central"
-AXIOM_FLEET_SHUTDOWN=true
+AXIOM_FLEET_LAUNCH=true # Enable or disable spin up a new fleet, if false it will use the current fleet with the AXIOM_FLEET_NAME prefix
+AXIOM_FLEET_NAME="reconFTW" # Fleet's prefix name
+AXIOM_FLEET_COUNT=5 # Fleet's number
+AXIOM_FLEET_REGIONS="eu-central" # Fleet's region
+AXIOM_FLEET_SHUTDOWN=true # # Enable or disable delete the fleet after the execution
 # This is a script on your reconftw host that might prep things your way...
-#AXIOM_POST_START="~/Tools/axiom_config.sh"
+#AXIOM_POST_START="~/Tools/axiom_config.sh" # Useful  to send your config files to the fleet
 AXIOM_EXTRA_ARGS="" # Leave empty if you don't want to add extra arguments
 #AXIOM_EXTRA_ARGS="--rm-logs" # Example