ReconFTW features

BugBounty Recon made easy with this tool

Automate things to the maximum

Logo of ReconFTW
https://github.com/six2dez/reconftw

Mind map:-

Mindmap of ReconFTW

Information Gathering:-

1) Subdomain Enumeration

The most important step when approaching a target is gathering as many subdomains as you can. ReconFTW uses 5 techniques to generate a list of valid subdomains, for example this amass call:

eval amass enum -active -d $domain -config ~/.config/amass/config.ini -o amass.txt $DEBUG_STD

2) Collecting valid subdomains

The subdomains collected from the above sources include some that no longer exist and some false positives. httpx is therefore used to probe ports 80 and 443 and keep only the hosts that actually answer. After this we have a large list of live subdomains on which to perform further recon.

Subdomain Takeover

Subdomain takeover is a vulnerability that appears when an organization has a DNS CNAME record for one of its subdomains pointing to an external service (e.g. Heroku, GitHub, Bitbucket, Desk, Squarespace, Shopify) that the organization no longer uses. Because the DNS entry was never removed, an attacker can claim the abandoned resource on the provider and gain control over the subdomain's content. ReconFTW uses subzy for this purpose; subzy ships 21 fingerprints of services prone to takeover, and nuclei also scans for takeovers with its own set of around 75 service fingerprints.
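The check that subzy and the nuclei takeover templates perform, written out as an added Python example (my code, not subzy's, nuclei's or ReconFTW's): resolve the CNAME, match it against a fingerprint table, and only then confirm against the response body, because a CNAME pointing at a provider is not by itself a finding. The three fingerprints are real "unclaimed resource" strings for GitHub Pages, Heroku and Shopify; the DNS records and bodies are constructed, and the resolver and fetcher are injected so the logic runs offline.

```python
import re

# Fingerprint table in the style of subzy / can-i-take-over-xyz: a CNAME pattern
# plus the body string the provider returns for an unclaimed resource.
FINGERPRINTS = [
    {"service": "GitHub Pages", "cname": r"\.github\.io$",
     "body": "There isn't a GitHub Pages site here."},
    {"service": "Heroku", "cname": r"\.herokuapp\.com$",
     "body": "No such app"},
    {"service": "Shopify", "cname": r"\.myshopify\.com$",
     "body": "Sorry, this shop is currently unavailable."},
]


def check_takeover(host, resolve_cname, fetch_body):
    """Return a finding dict for `host`, or None.

    resolve_cname(host) -> CNAME target or None; fetch_body(host) -> HTTP body.
    Both are injected so the logic can be exercised offline (swap in dnspython
    and requests for a live scan).
    """
    target = resolve_cname(host)
    if not target:
        return None                       # no CNAME: not this class of takeover
    target = target.rstrip(".").lower()   # DNS answers carry a trailing dot
    for fp in FINGERPRINTS:
        if not re.search(fp["cname"], target):
            continue
        # Second signal: the provider must answer with its "unclaimed" page.
        # A CNAME to a provider whose resource is still live is a false positive.
        if fp["body"] in fetch_body(host):
            return {"host": host, "cname": target, "service": fp["service"]}
        return None
    return None


# Constructed sample data (no real targets): three subdomains, one dangling.
SAMPLE_CNAMES = {
    "blog.example.com": "example-blog.github.io.",
    "shop.example.com": "example.myshopify.com.",
    "www.example.com": "lb.example.net.",
}
SAMPLE_BODIES = {
    "blog.example.com": "<title>Site not found</title>"
                        "<p>There isn't a GitHub Pages site here.</p>",
    "shop.example.com": "<h1>Welcome to our store</h1>",   # shop still in use
    "www.example.com": "<h1>Example</h1>",
}


def scan(hosts):
    """Run check_takeover over a host list against the constructed sample data."""
    findings = []
    for h in hosts:
        hit = check_takeover(h, SAMPLE_CNAMES.get,
                             lambda x: SAMPLE_BODIES.get(x, ""))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CNAMES):
        print(f"[takeover?] {f['host']} -> {f['cname']} ({f['service']})")
```

For a live run, `resolve_cname` can wrap dnspython's `dns.resolver.resolve(host, "CNAME")` and `fetch_body` a `requests.get(...)`; the body check is what keeps shop.example.com out of the findings even though its CNAME matches a provider.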

Web Probing on a list of known ports

ReconFTW then runs httpx to check whether a web service is hosted on the gathered subdomains on ports other than the defaults. For this it probes a list of 87 common ports on which web services are likely to be found, and the result is a good number of URLs that expose a web interface.

Web Screenshots 📸

Web screenshots come in handy when the target has a lot of subdomains: by just looking at the screenshots, hunters can quickly spot which websites look interesting and start hunting on them first. The webscreenshot tool is used for this purpose, with Chromium and PhantomJS for rendering (useful on headless systems like a VPS).

Port scan

Enumerating open ports on a host is very important in order to know which services are running where, which may later help in exploitation. Naabu is a fast and reliable port scanner: it takes a list of hosts, resolves them to IP addresses and scans those addresses quickly and efficiently. The IP addresses and open ports are then passed to nmap for banner grabbing and service/version detection. With a service version in hand we can check whether any public CVEs exist for it.

ProjectDiscovery/Nuclei Meme

Nuclei Integration

Nuclei is the one-stop solution for easy findings (though you always end up with duplicates 😢). It is a vulnerability scanner from the great ProjectDiscovery team that runs template-driven checks for CVEs, misconfigurations, exposed panels and much more; currently it has 529 templates. ReconFTW saves all of nuclei's output in a folder called nuclei_output.

GitHub Dorking

Organizations and their employees often host source code on GitHub, and that code may contain sensitive information like hard-coded credentials, API keys or database files. GitDorker searches GitHub for an organization's secrets using dorks. Because of GitHub's rate limiting it is recommended to create 5–10 personal access tokens from each of 2 accounts and add them to the ~/Tools/.github_tokens file.

Favicon Hashes + Shodan

Web browsers show a small image to the left of the page title; that icon is the favicon (favicon.ico). Shodan indexes a MurmurHash3 (mmh3) hash of each host's favicon, so hashing the target's favicon and searching Shodan for http.favicon.hash:<value> reveals other hosts serving the same icon, which often belong to the same organization or product and would otherwise be missed.

Favicon Examples

CMS-Scanner

A Content Management System (CMS) is a platform that helps create, edit and effortlessly manage the content of a website (WordPress, Jira, Drupal, Joomla). CMSeeK identifies which CMS a website is built on or managed with; based on that we can look for exploits for that version of the CMS. CMSeeK can detect over 170 different CMSs, and if it finds a particular CMS like WordPress or Joomla it performs further advanced scans on that website.

Fuzzing

One of the most important steps is fuzzing directories and files to find hidden files that are publicly accessible and contain sensitive information. ffuf is the best tool for this purpose because of the options it provides and its capacity to handle heavy load. ReconFTW uses a manually curated wordlist to avoid fuzzing unnecessary files and generating a lot of noise. Fuzzing can reveal endpoints that are meant to be accessed by privileged users only, and may also reveal hidden login panels.

URL Extraction

Extracting URLs and endpoints that once existed, from internet archives, is helpful in the recon process. waybackurls, gau and gospider are used for this purpose: gau and waybackurls pull from archives like the Wayback Machine, Common Crawl, VirusTotal and AlienVault, while gospider crawls the live website and lists the URLs it finds. The URLs are collected in one file and cleaned by removing garbage data. uddup is another great tool that applies heuristics to remove URLs that are probably repetitive, which helps a lot when given a large scope.
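The kind of cleanup uddup does, as an added Python example (my code, not uddup's exact rules): drop static-asset noise, then collapse URLs that differ only in scheme, host case, fragment, trailing slash, parameter values or numeric path IDs, while keeping URLs whose parameter set differs, since a new parameter name is new attack surface. The URL list is constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Extensions that are almost never worth fuzzing or pattern-matching.
NOISE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".css",
             ".woff", ".woff2", ".ttf", ".eot", ".mp4", ".pdf")


def is_noise(url: str) -> bool:
    return urlsplit(url).path.lower().endswith(NOISE_EXT)


def url_signature(url: str):
    """Key under which 'probably the same' URLs collide.

    Assumption (mine, not uddup's): purely numeric path segments are IDs, and
    only parameter names matter, not their values.
    """
    p = urlsplit(url)                        # the fragment is split off and ignored
    host = p.netloc.lower()
    segs = ["{id}" if s.isdigit() else s
            for s in p.path.rstrip("/").split("/")]
    names = tuple(sorted(k.lower() for k, _ in
                         parse_qsl(p.query, keep_blank_values=True)))
    return host, "/".join(segs), names


def clean_and_dedup(urls):
    """Return the first URL seen for each signature, in input order."""
    kept = {}
    for u in urls:
        if is_noise(u):
            continue
        kept.setdefault(url_signature(u), u)
    return list(kept.values())


# Constructed input, as a merged gau/waybackurls/gospider file might look.
SAMPLE_URLS = [
    "https://app.example.com/item?id=1",
    "https://app.example.com/item?id=2",              # same params, new value
    "http://app.example.com/item?id=3&ref=home",      # extra param: keep it
    "https://app.example.com/users/42/profile",
    "https://app.example.com/users/43/profile/",      # numeric ID + slash
    "https://app.example.com/users/42/profile#top",   # fragment only
    "https://app.example.com/static/logo.png",        # asset noise
    "https://APP.example.com/item?id=9",              # host case
]

if __name__ == "__main__":
    for u in clean_and_dedup(SAMPLE_URLS):
        print(u)
```

Eight input lines reduce to three, and nothing with a distinct parameter set was lost; loosen or tighten `url_signature` (for example treating hex-looking segments as IDs too) depending on how the target builds its paths.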

Vulnerable Pattern Search (via gf)

The great tomnomnom created a tool called gf. It is run over the URLs we extracted to classify endpoints into vulnerability categories; Gf-Patterns provides a great set of patterns that tell which URL might be exploitable for which vulnerability. This creates new text files, one per category (sqli, xss, ssrf, redirect, idor, ssti, lfi, rce, potential), containing the endpoints that may be vulnerable to those bugs.
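What a gf pass over the URL list does, as an added Python example (my code, not gf's or Gf-Patterns' files): bucket URLs into categories by parameter name, and additionally by the shape of the parameter value, so that a URL parameter carrying a full URL or a `../` path is caught whatever it is called. The name sets are a short illustrative approximation of Gf-Patterns, which ships far longer regex lists; the URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names typically tied to each bug class (illustrative subset, not
# the Gf-Patterns files themselves).
PARAM_NAMES = {
    "sqli":     {"id", "select", "report", "query", "user", "sort", "search",
                 "where", "order", "filter", "column", "table", "row"},
    "xss":      {"q", "s", "search", "keyword", "lang", "page", "query",
                 "name", "comment", "message", "title", "callback"},
    "ssrf":     {"dest", "uri", "path", "continue", "url", "next", "data",
                 "reference", "site", "domain", "host", "port", "feed", "to"},
    "redirect": {"next", "url", "target", "rurl", "dest", "destination",
                 "redir", "redirect_uri", "redirect_url", "redirect",
                 "return", "returnto", "return_to", "go", "continue"},
    "lfi":      {"cat", "dir", "file", "download", "path", "folder",
                 "include", "page", "inc", "doc", "document", "layout",
                 "mod", "conf", "template"},
}

# Value-shape rules: a value that already looks like a URL or a file path is
# interesting regardless of the parameter's name.
VALUE_SHAPES = {
    "ssrf":     re.compile(r"^(https?:)?//"),
    "redirect": re.compile(r"^(https?:)?//|^/"),
    "lfi":      re.compile(r"\.\./|\.(?:php|ini|log|txt|conf|xml)$", re.I),
}


def classify(url: str):
    """Categories a URL falls into (sorted), by parameter name or value shape."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    names = {k.lower() for k, _ in params}
    values = [v for _, v in params]
    cats = {c for c, wanted in PARAM_NAMES.items() if names & wanted}
    cats |= {c for c, rx in VALUE_SHAPES.items()
             if any(rx.search(v) for v in values)}
    return sorted(cats)


def bucket(urls):
    """Mirror of the gf_<category>.txt files: category -> matching URLs."""
    out = {c: [] for c in PARAM_NAMES}
    for u in urls:
        for c in classify(u):
            out[c].append(u)
    return out


# Constructed URL sample (not from a real target).
SAMPLE_URLS = [
    "https://example.com/login?next=/home",
    "https://example.com/download?file=../../etc/passwd",
    "https://example.com/search?q=test",
    "https://example.com/img?src=http://169.254.169.254/",
    "https://example.com/about",
]

if __name__ == "__main__":
    for cat, hits in bucket(SAMPLE_URLS).items():
        print(f"gf_{cat}.txt: {len(hits)} url(s)")
```

The `src=` URL shows why the value rules matter: `src` appears in no name list, yet a parameter already holding an `http://` URL is exactly what the SSRF and redirect checks should be fed.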

Open Redirects

gf_redirect.txt is fed to a tool called OpenRedireX, which tests for potential open redirects. OpenRedireX is an asynchronous open-redirect fuzzer with a list of 44 payloads that are fuzzed against the URLs in the file we specified. It outputs every URL and payload that returned a 3XX status code. A 3XX alone is not proof: confirm that the Location header actually points off-site before reporting.
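What those payloads probe and what a correct fix looks like, as an added Python example (my code, not OpenRedireX's): a redirect handler that trusts its parameter beside a hardened one, both run against a constructed payload list in the spirit of the tool's, plus the "did it leave the site" check a scanner needs on top of the 3XX status. The host names are placeholders.

```python
from urllib.parse import urlsplit, urljoin

ALLOWED_HOST = "target.example"   # placeholder for the application's own host

# Constructed payloads in the spirit of OpenRedireX's list (not its file).
PAYLOADS = [
    "https://evil.example",
    "//evil.example",                       # scheme-relative
    "/\\evil.example",                      # browsers turn \ into /
    "https:evil.example",                   # missing slashes
    "https://target.example@evil.example",  # userinfo trick
    "https://target.example.evil.example",  # prefix/substring-match bypass
    "/%2f%2fevil.example",                  # encoded //
    "javascript:alert(1)",
]


def redirect_unsafe(target: str) -> str:
    """Vulnerable: whatever came in the parameter goes straight into Location."""
    return target


def redirect_safe(target: str, allowed_host: str = ALLOWED_HOST) -> str:
    """Hardened: normalise, resolve against our own origin, then require our
    exact host and https. The resolved URL is emitted, never the raw input, so
    the browser cannot interpret the parameter differently than we did."""
    target = target.replace("\\", "/")
    resolved = urljoin(f"https://{allowed_host}/", target)
    p = urlsplit(resolved)
    if p.scheme != "https" or p.hostname != allowed_host:
        return f"https://{allowed_host}/"     # fixed landing page instead
    return resolved


def off_site(location: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Would this Location send the browser away from allowed_host?
    Resolution uses urljoin, which is stricter than browsers for forms like
    'https:evil.example'; a real scan reads the 3XX Location the server sent
    and follows it once to be sure."""
    p = urlsplit(urljoin(f"https://{allowed_host}/",
                         location.replace("\\", "/")))
    return p.scheme not in ("http", "https") or p.hostname != allowed_host


def escaping_payloads(handler):
    """Payloads for which `handler` produces an off-site Location."""
    return [p for p in PAYLOADS if off_site(handler(p))]


if __name__ == "__main__":
    print("vulnerable handler leaks on:", escaping_payloads(redirect_unsafe))
    print("hardened handler leaks on:  ", escaping_payloads(redirect_safe))
```

The hardened version survives the userinfo and prefix-match payloads because it compares the parsed hostname for equality rather than checking that the string "contains" or "starts with" the allowed host, which is the usual bug behind open redirects.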

SSRF Testing

A Server-Side Request Forgery (SSRF) vulnerability exists when an attacker can make the target server send requests to a resource the attacker controls. For SSRF testing we can use third-party services like Webhook, Canarytokens, RequestCatcher or Burp Collaborator, which give us a personal callback server. Create an account on one of these, generate your own server and save it in an environment variable, e.g. COLLAB_SERVER=XXXXXXXXXX. asyncio_ssrf.py then fuzzes the endpoints with your unique server placed in 29 injectable headers in order to make the target server issue outbound requests.

CRLF Check

CRLF injection is a web application vulnerability that happens when user-entered data is passed directly into response header fields (Location, Set-Cookie, etc.) without proper sanitization. A carriage return plus line feed terminates the current header, so the attacker can append headers or even a body of their own, leading to exploits ranging from XSS and cache poisoning to cache-based defacement and page injection. crlfuzz is a fast Go tool that scans for such vulnerabilities.
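The bug and its fix side by side, as an added Python example (my code, not crlfuzz's or ReconFTW's): a 302 handler that copies a decoded parameter into Location, a hardened one that refuses control characters, and the header parser a client (or a scanner) applies to see the injected Set-Cookie appear as its own header. The payload is constructed in the shape crlfuzz sends.

```python
from urllib.parse import unquote

# Constructed payload of the kind crlfuzz sends in a parameter that ends up in a
# header; the app URL-decodes it, so %0d%0a becomes a real CR LF.
PAYLOAD = "/home%0d%0aSet-Cookie:%20session=attacker"


def response_head_unsafe(next_url: str) -> str:
    """Vulnerable: the decoded parameter is written straight into Location."""
    lines = ["HTTP/1.1 302 Found", "Location: " + unquote(next_url)]
    return "\r\n".join(lines) + "\r\n\r\n"


def response_head_safe(next_url: str) -> str:
    """Hardened: reject CR, LF or NUL in a header value before emitting it.
    (Rejecting is safer than stripping: stripping can leave a different,
    still-dangerous value behind.)"""
    value = unquote(next_url)
    if any(c in value for c in "\r\n\0"):
        raise ValueError("header value contains CR/LF: refusing to emit")
    lines = ["HTTP/1.1 302 Found", "Location: " + value]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(head: str) -> dict:
    """Parse a response head the way a client would: one header per CRLF line."""
    _status, _, rest = head.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def injected_headers(head: str):
    """Detector logic: header names present that the handler never set."""
    return sorted(set(parse_headers(head)) - {"Location"})


if __name__ == "__main__":
    print(injected_headers(response_head_unsafe(PAYLOAD)))   # ['Set-Cookie']
    try:
        response_head_safe(PAYLOAD)
    except ValueError as e:
        print("blocked:", e)
```

Most modern frameworks already raise on CR/LF in header values; the vulnerable pattern survives in hand-rolled servers, CGI scripts and proxies that assemble headers as strings.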

Local File Inclusion(LFI)

LFI is a web vulnerability that lets any user read arbitrary files from the server. ReconFTW fuzzes for it with ffuf and a list of 254 payloads. Currently it tries to read the contents of /etc/passwd, a Linux system file; in the near future it may also try Windows-based files.

JavaScript Scanning

This is a 5-step process to collect all endpoints from JavaScript, search for API keys or tokens, and build a wordlist from the words in the JS. First subjs extracts all JS files associated with the websites. Then httpx checks which of those JS files actually exist. LinkFinder extracts URLs/endpoints from those JS files. In the 4th step nuclei's exposed-token templates are run to find hidden API keys (AWS, Google, Slack, Mailchimp). In the last step a wordlist is made from the words in the JS files using a small Python script, getjswords.py.
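Steps 3 to 5 of that pipeline in one place, as an added Python example (my code, not LinkFinder's, nuclei's or getjswords.py): pull endpoint strings out of a script, match a few token formats, and build an identifier wordlist. The JavaScript is constructed; the AWS key in it is Amazon's documented example key, the Slack token is made up to fit the format.

```python
import re

# Constructed JavaScript sample (no real target).
SAMPLE_JS = r"""
const API = "/api/v2/users";
fetch(API + "/" + id + "/profile");
axios.get('https://api.example.com/internal/reports?format=json');
var key = "AKIAIOSFODNN7EXAMPLE";
const slack = "xoxb-123456789012-ABCDEFGHIJKLMNOPQRSTUVWX";
function loadAdmin(){ return $.ajax({url: '/admin/export.php'}); }
"""

# Quoted absolute URLs or root-relative paths (LinkFinder's regex is broader and
# also catches relative paths and template strings).
ENDPOINT_RE = re.compile(r"""["'`](https?://[^"'`\s]+|/[A-Za-z0-9_./?=&-]+)["'`]""")

# Token formats of the kind nuclei's exposed-token templates match.
SECRET_RES = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token":    re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Identifier-like tokens of three or more characters.
WORD_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]{2,}\b")


def extract_endpoints(js: str):
    """Unique endpoint strings, sorted; feed them to httpx / ffuf next."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(js)})


def find_secrets(js: str):
    """(kind, token) pairs; a hit is a lead to verify, not yet a valid credential."""
    return [(name, m.group(0)) for name, rx in SECRET_RES.items()
            for m in rx.finditer(js)]


def js_words(js: str):
    """Raw material for a target-specific fuzzing wordlist."""
    return sorted(set(WORD_RE.findall(js)))


def scan_js(js: str) -> dict:
    return {"endpoints": extract_endpoints(js),
            "secrets": find_secrets(js),
            "words": js_words(js)}


if __name__ == "__main__":
    for k, v in scan_js(SAMPLE_JS).items():
        print(k, v)
```

Note that `"/"` on its own is not reported (the path regex needs at least one character after the slash) while `"/profile"` is: endpoint extraction from concatenated strings is inherently partial, which is why the resulting list is probed with httpx rather than trusted.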

XSS Analysis

ReconFTW checks for both blind and reflected XSS. First a tool called Gxss finds the parameters that reflect. That list is then passed to XSStrike for blind XSS, which requires your personal blind-XSS server (XSS Hunter) to be set in the environment variable XSS_SERVER=detonxx.xss.ht so you receive the callbacks (cookies and so on). Reflected XSS scanning is done by the same tool, XSStrike; if any reflection is found, the URL and the payload are saved in a file called _xss_reflective.txt.

Broken Link Hijacking (BLH) check

Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page. There are 2 types, reflected and stored. When a company deletes a social media account it might forget to remove the link from its website; an attacker can then register that username on the platform and impersonate the company. ReconFTW uses blc for this purpose, which outputs the broken links. Afterwards we need to check manually whether the linked account can actually be taken over.

SQL Injection check

The potential SQLi endpoints in gf_sqli.txt are sent to sqlmap, which detects and exploits SQL injection flaws and can go as far as taking over the database server.

Server Side Template Injection (SSTI)

Template injection allows an attacker to inject template code into an existing (or new) template, which often leads to arbitrary code execution. Every potential SSTI parameter is fuzzed with ffuf using 2 common payloads, ssti{{7*7}} and {{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}, and each response is then matched for "ssti49" or "root:" to confirm the SSTI vulnerability.

SSL/TLS tests

testssl.sh is a command-line tool that checks a server's service on any port for the TLS/SSL protocols and ciphers it supports, as well as for some cryptographic flaws. It tests for vulnerabilities like Heartbleed (CVE-2014-0160), CCS Injection (CVE-2014-0224), LUCKY13 and SWEET32, and checks the certificate's cryptography.

Resolvers: ReconFTW keeps its list of validated public DNS resolvers in ~/Tools/resolvers.txt. The list can be regenerated with dnsvalidator:

$ git clone https://github.com/vortexau/dnsvalidator.git
$ cd dnsvalidator
$ python3 setup.py install
$ dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200 -o resolvers.txt
$ rm ~/Tools/resolvers.txt
$ cp resolvers.txt ~/Tools

Features:-

Along with these, ReconFTW provides notification support (notify), resuming a scan from the last remaining check, Docker support, Raspberry Pi support, out-of-scope handling, a tool-update script, an installation script compatible with most distros, and many more features.

  • HTML Report
  • 403 Bypasses
  • SQL Injection
  • ASN/CIDR/Name Target allowed and many moreeeeeeeeeeeeee…………

Cyber Security | n00b | Learner