ReconFTW features

BugBounty Recon made easy with this tool

Automate things to the maximum

Siddhesh Parab
11 min read · Feb 14, 2021
Logo of ReconFTW
https://github.com/six2dez/reconftw

You have probably heard it: more attack surface == more bugs.

ReconFTW helps you map a target's attack surface by chaining the best-in-class tools used during web-app pentesting and giving you their combined results. Let's look at how the tool performs reconnaissance when given a target.

“This is an old writeup. There are tons of new techniques & features added to ReconFTW.”

Mind map:-

Mindmap of ReconFTW

Information Gathering:-

1) Subdomain Enumeration

The most important step when approaching a target is gathering as many subdomains as you can. ReconFTW uses 5 techniques to build a list of valid subdomains.

a) Passive Gathering:

Done using 5 of the most popular tools (subfinder, assetfinder, amass, findomain, crobat). Subfinder and amass return the most subdomains because they use your API keys to query many datasets and databases. Crobat queries the Rapid7 Project Sonar forward-DNS dataset, one of the largest available. gau is then used to pull hostnames out of archived URLs (Internet Archive and similar), which catches subdomains that once existed.

Tip: Replace the amass command in reconftw.sh with the one below to get more subdomains. The -active flag adds active enumeration (zone transfer attempts and certificate name grabs), which sends traffic to the target's own infrastructure instead of only querying third-party sources, so keep it within scope. $DEBUG_STD is the script's own output-redirection variable and must stay on the line.

eval amass enum -active -d $domain -config ~/.config/amass/config.ini -o amass.txt $DEBUG_STD

b) Bruteforcing subdomains:

Some subdomains are never seen by internet-wide crawlers and therefore never show up in search results or passive sources. Subdomain bruteforcing finds such hidden subdomains by resolving candidate names built from a pre-defined wordlist. ReconFTW uses shuffledns for this together with the Jhaddix all.txt wordlist. This is the noisiest step of the whole process: every candidate is a DNS query, so a healthy resolver list matters (see the tip at the end).

c) Scraping JS files & source code for subdomains:

Developers often reference other subdomains in their JavaScript files, sometimes internal ones. Scanning the JS files for hostnames surfaces those. ReconFTW uses JSFinder for this; galer is another great tool for pulling subdomains out of website source code.

d) Permutation scanning

Here new subdomains are found by taking the already-discovered list and generating permutations, alterations and mutations of those names (prefixes, suffixes, incremented numbers, swapped environment words). ReconFTW uses dnsgen for this. The catch: if more than 100 subdomains have been found, ReconFTW skips the permutation step, because for that many seeds the generated list exceeds 8 million candidates, which is impractical to resolve.
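To make the "alterations" concrete, here is an added example (my own code, not ReconFTW's or dnsgen's) of a dnsgen-style permutation generator. The seed subdomains, the word list and the root domain are constructed for illustration; the 100-seed cap mirrors the threshold described above, and the upper-bound function shows why the step is skipped for large seed lists.

```python
import re

# Constructed seed data (not from the article or ReconFTW): a few already
# discovered subdomains and a tiny alteration wordlist. dnsgen ships a far
# larger word list, which is where the candidate count explodes.
ROOT = "example.com"
KNOWN = ["api.example.com", "dev.example.com", "mail01.example.com"]
WORDS = ["dev", "staging", "api", "admin", "test"]

# Threshold the article describes: above this many seed subdomains the
# permutation step is skipped because the candidate list gets too large
# to resolve in reasonable time.
PERMUTATION_CAP = 100


def permute(known, words, root=ROOT):
    """dnsgen-style alterations. Returns the set of NEW candidate hostnames
    under `root`, built from the first label of each known subdomain."""
    candidates = set()
    for host in known:
        if not host.endswith("." + root):
            continue                       # out of scope, ignore
        labels = host[: -(len(root) + 1)].split(".")
        first, tail = labels[0], ".".join(labels[1:] + [root])
        for w in words:
            candidates.add(f"{w}-{first}.{tail}")   # dev-api.example.com
            candidates.add(f"{first}-{w}.{tail}")   # api-dev.example.com
            candidates.add(f"{w}.{first}.{tail}")   # dev.api.example.com
            candidates.add(f"{first}.{w}.{tail}")   # api.dev.example.com
        # numeric increment: mail01 -> mail02, mail03 (zero padding kept)
        m = re.search(r"(\d+)$", first)
        if m:
            n, width, base = int(m.group(1)), len(m.group(1)), first[: m.start()]
            for k in (1, 2):
                candidates.add(f"{base}{n + k:0{width}d}.{tail}")
    return candidates - set(known)


def upper_bound(num_known, num_words):
    """Cheap pre-check before generating anything: 4 word patterns plus 2
    numeric variants per seed is the most this generator can emit."""
    return num_known * (4 * num_words + 2)


def permutation_plan(known, words, cap=PERMUTATION_CAP):
    """Mirror ReconFTW's decision: only permute when the seed list is small.
    Returns (candidates, count); candidates is None when the step is skipped."""
    if len(known) > cap:
        return None, upper_bound(len(known), len(words))
    cands = permute(known, words)
    return cands, len(cands)


if __name__ == "__main__":
    cands, n = permutation_plan(KNOWN, WORDS)
    print(f"{n} candidates to resolve, e.g. {sorted(cands)[:5]}")
    # With 5,000 seeds and dnsgen's word list the same generator would emit:
    print(upper_bound(5000, 1000), "candidates (skipped above the cap)")
```

Every candidate still has to be resolved (shuffledns/massdns) before it counts as a subdomain; the generator only produces guesses.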

e) Certificate Transparency

Certificate Transparency (CT) is a system of public, append-only logs that record the certificates issued by participating Certificate Authorities (CAs). crt.sh is a web interface for searching certificates that have been logged to CT. ReconFTW uses a tool called crtfinder to extract domains and subdomains from CT logs. Because a certificate's Subject Alternative Names are logged too, one entry can reveal many hostnames, including wildcard entries and hosts that no longer resolve.
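The two scraping sources above (JS files and CT logs) need the same thing once the raw data is in hand: pull out hostnames, normalise them, and keep only the ones in scope. The following is an added example (my own code, not crtfinder's, JSFinder's or ReconFTW's) that does this for a constructed stand-in of crt.sh's JSON output and for a constructed JavaScript snippet; the domain names and certificate records are invented, and the crt.sh field layout shown is the one its JSON export uses, trimmed to the fields needed here.

```python
import json
import re

ROOT = "example.com"

# Constructed stand-in for the JSON that crt.sh returns for a query like
# https://crt.sh/?q=%25.example.com&output=json (fields trimmed, values
# invented). "name_value" lists every SAN in the certificate, newline separated.
CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nvpn.example.com"},
    {"common_name": "Old-Portal.Example.com",
     "name_value": "Old-Portal.Example.com"},
    # look-alikes that a naive substring match would wrongly accept
    {"common_name": "example.com.evil.net",
     "name_value": "example.com.evil.net\nnotexample.com"},
])

# Constructed JavaScript of the kind JSFinder/galer scrape for hostnames.
JS_SAMPLE = """
const API = "https://api-internal.example.com/v2";
fetch('//staging.example.com/health');
var cdn = 'https://cdn.examplecdn.com/lib.js';   // different organisation
"""


def normalize(name, root=ROOT):
    """Lowercase, drop a trailing dot and a leading wildcard label, and return
    the host only if it is `root` itself or sits under it; else None."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if name == root or name.endswith("." + root):
        return name
    return None


def subdomains_from_crtsh(raw_json, root=ROOT):
    """Parse crt.sh JSON output into a de-duplicated, in-scope host set."""
    found = set()
    for entry in json.loads(raw_json):
        for san in entry.get("name_value", "").split("\n"):
            host = normalize(san, root)
            if host:
                found.add(host)
    return found


def subdomains_from_js(js_text, root=ROOT):
    """Pull hostnames under `root` out of arbitrary text (JS, HTML, configs)."""
    pattern = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+" + re.escape(root) + r"\b")
    hits = (normalize(m.group(0), root) for m in pattern.finditer(js_text))
    return {h for h in hits if h}


if __name__ == "__main__":
    hosts = subdomains_from_crtsh(CRTSH_JSON) | subdomains_from_js(JS_SAMPLE)
    print("\n".join(sorted(hosts)))
```

The suffix check in normalize is what keeps example.com.evil.net and notexample.com out; a plain "contains example.com" test would let both through and pollute every later stage.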

2) Collecting valid subdomains

The subdomains collected from the sources above include names that no longer exist and some false positives, so httpx is used to probe ports 80 and 443 and keep only the subdomains that actually respond. This leaves a large list of live subdomains on which to perform further recon.

Subdomain Takeover

Subdomain takeover is a vulnerability that appears when an organization has a DNS CNAME record for one of its subdomains pointing at an external service (Heroku, GitHub, Bitbucket, Desk, Squarespace, Shopify, etc.) but no longer uses that service. The organization forgets to remove the DNS record, so whoever claims the now-unclaimed resource at the provider serves content on the organization's subdomain. ReconFTW uses subzy for this purpose; subzy carries 21 fingerprints of services prone to takeover. Nuclei also scans for subdomain takeovers, with around 75 service fingerprints. A CNAME into a provider is not a finding on its own: the provider's "unclaimed" response is what confirms it, and fingerprints go stale as providers change their error pages, so verify each hit manually before reporting.
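To show what the fingerprinting actually decides on, here is an added example (my own code, not subzy's or nuclei's) that applies a small, illustrative subset of provider fingerprints to constructed DNS answers and HTTP bodies. The hosts, CNAME targets and bodies are invented; the fingerprint strings are the well-known "unclaimed" messages for those providers, not the tools' complete lists.

```python
# Constructed DNS answers and HTTP bodies for a handful of hosts (invented,
# not real scan data). None means the host has only A records, no CNAME.
CNAMES = {
    "blog.example.com": "example-blog.github.io.",
    "shop.example.com": "shops.myshopify.com",
    "app.example.com": "old-app.herokuapp.com",
    "cdn.example.com": "assets.retired-vendor-example.net",
    "www.example.com": None,
}
BODIES = {
    "blog.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "shop.example.com": "<html>Welcome to our store</html>",
    "app.example.com": "<html><body>No such app</body></html>",
    "cdn.example.com": "",
    "www.example.com": "<html>Example</html>",
}
# Constructed: CNAME targets whose own domain no longer resolves (NXDOMAIN).
NXDOMAIN = {"assets.retired-vendor-example.net"}

# Small illustrative subset of provider fingerprints, in the style of the
# lists subzy and nuclei carry: (service, CNAME suffix, body text shown for an
# unclaimed resource). Real lists are longer and go stale as providers
# change their error pages.
FINGERPRINTS = [
    ("GitHub Pages", "github.io", "There isn't a GitHub Pages site here."),
    ("Heroku", "herokuapp.com", "No such app"),
    ("Shopify", "myshopify.com", "Sorry, this shop is currently unavailable."),
]


def check_takeover(host, cname, body, nxdomain=NXDOMAIN):
    """Return (verdict, detail) for a takeover candidate, else None.

    Two independent conditions count:
      * the CNAME target's domain does not resolve at all, so whoever
        registers that domain controls `host`;
      * the CNAME points into a known provider AND the provider answers with
        its 'unclaimed' page. A matching CNAME alone is ordinary hosting."""
    if not cname:
        return None
    cname = cname.rstrip(".").lower()
    if cname in nxdomain:
        return ("dangling CNAME (NXDOMAIN)", f"{host} -> {cname}")
    for service, suffix, marker in FINGERPRINTS:
        if cname == suffix or cname.endswith("." + suffix):
            if marker in body:
                return (service, f"{host} -> {cname} shows {marker!r}")
            return None          # provider matched, but the resource is claimed
    return None


def scan(cnames=CNAMES, bodies=BODIES):
    """Map host -> verdict for every host that looks takeover-prone."""
    results = {}
    for host, cname in cnames.items():
        hit = check_takeover(host, cname, bodies.get(host, ""))
        if hit:
            results[host] = hit[0]
    return results


if __name__ == "__main__":
    for host, verdict in scan().items():
        print(f"[takeover?] {host}: {verdict}")
```

shop.example.com is deliberately a negative case: it CNAMEs into Shopify but serves a real store, so it is hosting, not a takeover.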

Web Probing on a list of known ports

Now ReconFTW runs httpx again to check whether a web service is hosted on the gathered subdomains on ports other than the defaults. For this it probes a list of 87 common web ports on which web services are likely to be exposed. The result is a good number of additional URLs with a web interface.

Web Screenshots 📸

Web screenshots come in handy when the target has a lot of subdomains: by glancing at the screenshots you can quickly spot which sites look interesting and start hunting on them first. The webscreenshot tool is used for this, with Chromium or PhantomJS for rendering, which also works on headless systems such as a VPS.

Port scan

Enumerating open ports on a host tells you which services are running where, which is the starting point for exploitation. Naabu is a fast and reliable port scanner: it takes a list of hosts, resolves them to IP addresses and port-scans those addresses efficiently. The resulting list of IPs and open ports is then handed to nmap for banner grabbing and service/version detection on exactly those ports. With a version in hand you can search for public CVEs affecting that specific service version.

Tip: ReconFTW scans only the top 1000 ports by default. I recommend a full 65,535-port scan; it is time consuming but returns the best results.
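The naabu-to-nmap hand-off above has two details worth getting right: scanning each IP once even when many subdomains share it, and limiting nmap's service detection to the ports naabu already found. The following added example (my own glue code, not ReconFTW's) does both on constructed inputs; the hostnames, addresses, naabu lines and the scope range are invented, and the nmap flags used (-sV, -Pn, -p) are real nmap options.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs, not real scan output: hostnames already resolved to
# IPs (what a resolver step before naabu yields) and naabu's "ip:port" lines.
RESOLVED = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.10",    # same box as www
    "vpn.example.com": "203.0.113.20",
    "cdn.example.com": "198.51.100.5",    # lives outside our scope ranges
}
NAABU_OUTPUT = """\
203.0.113.10:443
203.0.113.10:80
203.0.113.10:8443
203.0.113.20:443
203.0.113.20:1194
198.51.100.5:443
"""
# Assumed in-scope ranges (a program's CIDR scope is normally known up front).
SCOPE = [ipaddress.ip_network("203.0.113.0/24")]


def unique_targets(resolved=RESOLVED, scope=SCOPE):
    """Collapse many hostnames onto unique, in-scope IPs so each address is
    port-scanned once instead of once per virtual host."""
    ips = set()
    for ip in resolved.values():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in scope):
            ips.add(ip)
    return sorted(ips, key=ipaddress.ip_address)


def parse_naabu(text=NAABU_OUTPUT):
    """'ip:port' lines -> {ip: sorted list of open ports}."""
    ports = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        host, port = line.rsplit(":", 1)
        ports[host].add(int(port))
    return {h: sorted(p) for h, p in ports.items()}


def nmap_commands(open_ports, targets):
    """One nmap service-detection run per in-scope host, restricted to the
    ports naabu found open, so -sV is not wasted on thousands of closed ports."""
    cmds = []
    for ip in targets:
        if ip in open_ports:
            plist = ",".join(str(p) for p in open_ports[ip])
            cmds.append(f"nmap -sV -Pn -p {plist} {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(parse_naabu(), unique_targets()):
        print(cmd)
```

The out-of-scope CDN address is dropped before nmap ever sees it, which is the check you want in place before a full 65,535-port scan.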


Nuclei Integration

A one-stop solution for easy findings is Nuclei (though you will end up with plenty of duplicates 😢). Nuclei is a template-based vulnerability scanner from the great ProjectDiscovery team that automatically detects CVEs, misconfigurations, exposed panels and a lot more. At the time of writing it has 529 templates. ReconFTW saves all of Nuclei's output in a folder called nuclei_output.

GitHub Dorking

Oftentimes organizations or their employees host source code on GitHub. That code may contain sensitive information such as hard-coded credentials, API keys or database files. GitDorker searches GitHub for an organization's secrets using dorks. Because of GitHub's rate limiting, it is recommended to create 5-10 personal access tokens spread across 2 accounts and add them to the ~/Tools/.github_tokens file. Treat that file as a secret: the tokens grant access to your own accounts.

Tip: ReconFTW uses medium_dorks.txt (240 dorks) by default, but you can switch to alldorksv3, which contains over 500 GitHub dorks.

Favicon Hashes + Shodan

Web browsers show a small image to the left of the page title; that icon is the favicon (favicon.ico).

Favicon Examples

fav-up fetches a target's favicon, computes its hash the same way Shodan does and searches Shodan for IPs serving an icon with the same hash. Hosts that share a custom favicon usually belong to the same organization, including ones that no subdomain pointed at. It runs the query http.favicon.hash:[hash-id] against Shodan and produces a list of IPs. Be aware that stock icons shipped with frameworks and products are shared by thousands of unrelated hosts, so only a custom favicon gives a reliable pivot.
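The hash Shodan indexes is MurmurHash3 (32-bit) over the base64 text of the icon, and the encoding detail matters: Shodan's value is computed over MIME-style base64 with a line break every 76 characters, which is what Python's codecs base64 codec emits, so a single-line base64 string hashes to something else and the query returns nothing. The following is an added example (my own code, not fav-up's) with a pure-Python MurmurHash3 x86_32 so it runs without the mmh3 package; the icon bytes are a constructed placeholder, not a real favicon.

```python
import base64
import codecs

MASK = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the hash behind Python's mmh3.hash), returned as a
    signed 32-bit integer, which is how Shodan presents favicon hashes."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    n = len(data)
    blocks = n & ~3
    for i in range(0, blocks, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = _rotl32((k * c1) & MASK, 15)
        k = (k * c2) & MASK
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK
    # tail: up to 3 remaining bytes
    k = 0
    tail = data[blocks:]
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = _rotl32((k * c1) & MASK, 15)
        k = (k * c2) & MASK
        h ^= k
    # finalisation mix
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def shodan_favicon_hash(icon: bytes) -> int:
    """Shodan hashes the MIME-style base64 text of the icon (76-column lines
    with a trailing newline, exactly what codecs.encode(..., "base64") emits),
    not the raw bytes and not a single-line base64 string."""
    return murmurhash3_32(codecs.encode(icon, "base64"))


def naive_favicon_hash(icon: bytes) -> int:
    """The common mistake: single-line base64 gives a different hash, so the
    resulting Shodan query matches nothing."""
    return murmurhash3_32(base64.b64encode(icon))


def shodan_query(icon: bytes) -> str:
    return f"http.favicon.hash:{shodan_favicon_hash(icon)}"


# Constructed placeholder icon (not a real favicon): an ICO-like header
# followed by filler, long enough that base64 wraps past one 76-char line.
FAKE_ICON = b"\x00\x00\x01\x00\x01\x00" + bytes(range(120))

if __name__ == "__main__":
    print(shodan_query(FAKE_ICON))
    print("single-line base64 would give", naive_favicon_hash(FAKE_ICON))
```

If you have the mmh3 package installed, mmh3.hash(codecs.encode(icon, "base64")) gives the same number as shodan_favicon_hash; the known reference value mmh3.hash("foo") == -156908512 is a handy sanity check for any reimplementation.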

CMS-Scanner

A Content Management System (CMS) is a platform for creating, editing and managing a website's content (WordPress, Jira, Drupal, Joomla). CMSeeK identifies which CMS a website is built on or managed with, so you can look for exploits affecting that CMS version. CMSeeK can detect over 170 CMSs, and when it finds a particular CMS such as WordPress or Joomla it runs further, more advanced scans against the site.

Fuzzing

One of the most important steps is fuzzing for directories and files to find hidden but publicly accessible resources that contain sensitive information. ffuf is the best tool for this because of the options it provides and the load it can handle. ReconFTW uses a manually curated wordlist to avoid fuzzing unnecessary paths and generating a lot of noise. Fuzzing can turn up endpoints meant only for privileged users and may reveal hidden login panels.

URL Extraction

Extracting URLs/endpoints that once existed from internet archives is helpful during recon. Tools such as waybackurls, gau and gospider are used for this. gau and waybackurls query archives and third-party indexes (Wayback Machine, Common Crawl, VirusTotal, AlienVault OTX), while gospider crawls the live website and returns the URLs it finds. The URLs are collected into one file and cleaned of garbage. uddup is another great tool: it applies URL-shape logic to drop URLs that are probably repetitive, which helps a lot on a large scope.

Vulnerable Pattern Search (via gf)

The great tomnomnom created a tool called gf. It is run over the extracted URLs and sorts them into buckets of potential vulnerability classes; Gf-Patterns provides a good list of parameter-name patterns indicating which vulnerability a URL is likely to be exploitable for. This produces separate text files (sqli, xss, ssrf, redirect, idor, ssti, lfi, rce, potential) of endpoints that may be vulnerable. The classification is purely by parameter name, so expect false positives and misses; it is a prioritisation aid, not a scanner result.
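The two steps above, de-duplicating archived URLs by shape (as uddup does) and bucketing them by parameter name (as gf with Gf-Patterns does), are simple enough to show end to end. The following is an added example (my own code, not uddup's, gf's or ReconFTW's) on a constructed URL list; the parameter names per class are a small illustrative selection in the spirit of Gf-Patterns, not the project's actual pattern files.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed URLs of the kind gau/waybackurls/gospider return (not real).
URLS = [
    "https://example.com/item?id=1",
    "https://example.com/item?id=2",               # same endpoint, other value
    "https://example.com/item?id=3&ref=home",      # extra parameter -> new shape
    "https://example.com/login?next=/account",
    "https://example.com/assets/app.3f1a.js",
    "https://example.com/assets/app.77b2.js",      # hashed asset, same shape
    "https://example.com/fetch?url=http://internal/",
    "https://example.com/page?name=guest",
    "HTTPS://EXAMPLE.COM/item/?id=9",              # case/slash variant of item
    "https://example.com/track?utm_source=mail",   # params, but no pattern hit
]

# Parameter-name patterns in the spirit of gf-patterns: a few illustrative
# names per class, not the project's full lists.
PATTERNS = {
    "redirect": {"next", "url", "redirect", "return", "goto", "dest"},
    "ssrf": {"url", "uri", "dest", "callback", "feed", "host"},
    "sqli": {"id", "item", "user", "cat", "order", "page"},
    "xss": {"q", "search", "name", "query", "keyword", "message"},
    "lfi": {"file", "path", "page", "include", "template", "doc"},
}


def shape(url):
    """Canonical form for de-duplication: scheme and host lowercased, trailing
    slash dropped, content hashes in asset names collapsed, and the query
    reduced to its sorted parameter NAMES (values are irrelevant for recon)."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    path = re.sub(r"\.[0-9a-f]{4,}(?=\.\w+$)", ".HASH", path)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "&".join(names), ""))


def dedupe(urls):
    """Keep the first URL seen for each shape (uddup-style)."""
    seen, kept = set(), []
    for u in urls:
        s = shape(u)
        if s not in seen:
            seen.add(s)
            kept.append(u)
    return kept


def classify(urls):
    """gf-style bucketing by parameter name. A URL may land in several
    buckets; 'potential' collects anything with parameters but no match."""
    buckets = {k: [] for k in PATTERNS}
    buckets["potential"] = []
    for u in urls:
        names = {k.lower() for k, _ in parse_qsl(urlsplit(u).query, keep_blank_values=True)}
        if not names:
            continue
        hit = False
        for cls, keys in PATTERNS.items():
            if names & keys:
                buckets[cls].append(u)
                hit = True
        if not hit:
            buckets["potential"].append(u)
    return buckets


if __name__ == "__main__":
    for cls, urls in classify(dedupe(URLS)).items():
        print(cls, urls)
```

Note that fetch?url= lands in both redirect and ssrf, which is the intended behaviour: the same parameter is worth testing for both.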

Open Redirects

gf_redirect.txt is fed to a tool called OpenRedireX, an asynchronous open-redirect fuzzer with a list of 44 payloads that it fuzzes against the URLs in the file. It outputs every URL and payload that returned a 3XX status code. A 3XX alone is not proof: check that the Location header actually points at the host from your payload, since many endpoints redirect to a fixed page regardless of input.

SSRF Testing

A Server-Side Request Forgery (SSRF) vulnerability exists when an attacker can make the server issue an outbound request to a destination of the attacker's choosing, such as an internal host or a server the attacker owns. For SSRF testing we use an out-of-band listener such as Webhook.site, Canarytokens, RequestCatcher or Burp Collaborator, which gives us a personal callback server. Create an account on one of these, generate your own listener and store it in an environment variable, e.g. COLLAB_SERVER=XXXXXXXXXX. asyncio_ssrf.py then fuzzes each endpoint with your unique listener, including via 29 injectable headers, to make the target server issue an outbound request.

CRLF Check

CRLF injection is a web application vulnerability that arises when user-supplied data is passed unsanitised into response header fields (Location, Set-Cookie, etc.): an encoded carriage return/line feed (%0d%0a) lets the attacker terminate the header and append headers or a body of their own. The consequences range from XSS and cache poisoning to cache-based defacement and page injection. crlfuzz is a fast Go tool that scans for such vulnerabilities.
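To make the mechanism concrete, here is an added example (my own code, not crlfuzz's) with a constructed redirect handler that writes user input straight into the Location header, its hardened counterpart, and the detection check a scanner performs: inject a canary header through %0d%0a and see whether it comes back as a header line of its own. The handler, payload and canary name are all invented for illustration.

```python
import re
from urllib.parse import unquote

CANARY = "X-Crlf-Test"
# Constructed payload: an encoded CRLF followed by our canary header.
PAYLOAD = "https://example.com/%0d%0aX-Crlf-Test:%20injected"


def vulnerable_redirect_headers(target: str) -> bytes:
    """Constructed vulnerable handler: the decoded user value goes straight
    into Location, so a CRLF inside it ends the header and starts a new one."""
    return f"HTTP/1.1 302 Found\r\nLocation: {unquote(target)}\r\n\r\n".encode()


def hardened_redirect_headers(target: str) -> bytes:
    """Same handler with the fix: refuse CR or LF (raw or URL-decoded) before
    the value is ever written into a header."""
    value = unquote(target)
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {value}\r\n\r\n".encode()


def injected_header_present(raw: bytes, name: str = CANARY) -> bool:
    """Detection, crlfuzz-style: split the response into header lines and
    check whether the canary appears as a header of its own rather than as
    part of the Location value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]          # skip the status line
    return any(re.match(rf"(?i){re.escape(name)}\s*:", line) for line in lines)


def is_vulnerable(handler) -> bool:
    """Run the probe against a handler; a ValueError from the hardened
    handler counts as 'not vulnerable'."""
    try:
        return injected_header_present(handler(PAYLOAD))
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable handler:", is_vulnerable(vulnerable_redirect_headers))
    print("hardened handler:  ", is_vulnerable(hardened_redirect_headers))
```

Modern frameworks already reject CR/LF in header values, which is why real findings tend to come from custom servers, proxies and older stacks rather than from the application framework itself.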

Local File Inclusion(LFI)

LFI is a web vulnerability that lets a user read arbitrary files from the server. ReconFTW uses ffuf with a list of 254 payloads for this. Currently it only tries to read /etc/passwd, a Linux system file, so Windows targets produce no hits; reading Windows files may be added in future.

JavaScript Scanning

This is a 5-step process: collect every endpoint referenced from JavaScript, search the scripts for API keys or tokens, and build a wordlist of all words in the JS. First subjs extracts the JS files referenced by the websites. Then httpx checks which of those JS files actually exist. LinkFinder extracts URLs/endpoints from the live JS files. In the 4th step nuclei's exposed-token templates are run to find hidden API keys (AWS, Google, Slack, Mailchimp). In the last step a small Python script, getjswords.py, builds a wordlist from the words found in the JS files, which is useful input for later fuzzing.

XSS Analysis

ReconFTW checks for both blind and reflected XSS. First Gxss identifies parameters whose values are reflected in the response. That list is then passed to XSStrike for blind XSS; this needs your own blind-XSS server (XSS Hunter) set in the environment variable XSS_SERVER=detonxx.xss.ht so that fired payloads call back to you with the victim's cookies. Reflected XSS scanning is also done by XSStrike: any URL where a payload reflects is saved, together with the payload, in a file called _xss_reflective.txt.

Broken Link Hijacking (BLH) check

Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page; it comes in two types, reflected and stored. When a company deletes its social media account it may forget to remove the link from its website, and an attacker can register the same username on that platform and impersonate the company. ReconFTW uses blc for this, which outputs the broken links. You then need to check manually whether the linked account or domain can actually be claimed.

SQL Injection check

The potential SQL injection URLs in gf_sqli.txt are sent to sqlmap, which detects and exploits SQL injection flaws and can go as far as taking over the database server. sqlmap sends a large number of requests and some of its options modify data, so run it within the program's scope and rules.

Server Side Template Injection (SSTI)

Template injection lets an attacker inject template syntax into an existing (or newly rendered) template, which in many engines leads to arbitrary code execution. Every potential SSTI parameter is fuzzed with ffuf using two common payloads: ssti{{7*7}}, which a vulnerable engine evaluates so that ssti49 appears in the response, and {{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}, which reads /etc/passwd on a vulnerable Jinja2 target where subclass index 40 is the Python 2 file class. Each response is then matched for "ssti49" or "root:" to confirm the vulnerability. The subclass index depends on the target's Python version, so the second payload will often miss on a vulnerable host; the arithmetic probe is the reliable one.

SSL/TLS tests

testssl.sh is a command-line tool that checks a server's service on any port for supported TLS/SSL protocols and ciphers as well as cryptographic flaws. It tests for vulnerabilities such as Heartbleed (CVE-2014-0160), CCS injection (CVE-2014-0224), LUCKY13 and SWEET32, and checks the certificate and cipher configuration.

ReconFTW is mainly intended to run on a VPS, as it generates a huge amount of traffic (DNS in particular) and you don't want your ISP or its resolver to block you at the network level.

Tip: It is good to build your own resolver list. ReconFTW's bundled resolvers list is updated frequently, but a list validated from your own location is always better, especially for DNS bruteforcing, where dead or lying resolvers produce both missed and bogus results.

$ git clone https://github.com/vortexau/dnsvalidator.git
$ cd dnsvalidator
$ python3 setup.py install
$ dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200 -o resolvers.txt
$ cp resolvers.txt ~/Tools/resolvers.txt   # replaces the list ReconFTW ships with

Features:-

Along with these, ReconFTW provides notification support (notify), resuming a scan from the last unfinished check, Docker support, Raspberry Pi support, out-of-scope handling, an update-tools script, an installation script compatible with most distros, and many more features.

Upcoming Features:-

  • Progress bar for subdomain Enumeration
  • HTML Report
  • 403 Bypasses
  • SQL Injection
  • ASN/CIDR/name targets and many more…

This all was possible because of one and only Six2dez.

If you have any queries you can contact me on twitter(https://twitter.com/sidxaparab).

Also remember that at the end of the day it is up to you how you exploit what you find and write a good report. Recon is just the beginning, and this tool helps you get started on a target.

Bye guyz ! Hunt well !! Wish y’all more P1’s 😉😊
