Reconftw

reconftw is an attack surface management framework and reconnaissance workflow orchestrator designed to automate the discovery, mapping, and monitoring of external digital assets. It operates as a modular tool-chain pipeline that coordinates a sequence of security tools to perform intelligence gathering and vulnerability scanning.

The project distinguishes itself through a cloud-native deployment model that parallelizes scanning workloads across a fleet of remote VPS instances to bypass local resource constraints. It utilizes container-based environment isolation to ensure consistent execution across different cloud providers and features a checkpoint system to resume interrupted workflows from the last point of failure.

The toolkit covers a broad range of capabilities, including passive and active subdomain enumeration, open-source intelligence gathering, and network infrastructure analysis. It also incorporates automated vulnerability scanning for common web flaws and CVEs, differential asset tracking to identify new targets, and the generation of security reports using artificial intelligence.

The environment can be deployed via container orchestration and integrated into CI/CD pipelines for recurring security checks.

Features

Cloud Infrastructure Orchestration - Orchestrates a fleet of remote cloud VPS instances to parallelize scanning workloads and bypass local resource constraints.

Attack Surface Management - Provides a comprehensive platform for discovering, inventorying, and monitoring internet-facing assets.

Reconnaissance Workflow Automation - Orchestrates automated pipelines for subdomain enumeration and vulnerability scanning to gather target intelligence.

Cloud Storage Auditing - Discovers and tests for publicly accessible cloud storage buckets using name variations.

Continuous Security Monitoring - Schedules recurring scans and compares results against baselines to detect new assets or vulnerabilities.

Network Scanning - Scans network ports to identify open services and potential entry points on discovered hosts.

Active Vulnerability Scanning - Launches intrusive attacks to identify high-severity security flaws in authorized targets.

Origin IP Discovery - Locates real server IP addresses hidden behind CDNs using techniques like favicon hash matching.

Security and OSINT - Collects WHOIS data, email addresses, and cloud storage misconfigurations using open-source intelligence.

Active Enumeration - Identifies subdomains using active DNS bruteforcing and TLS certificate extraction.

Web - Identifies common web-based security flaws including cross-site scripting, SQL injection, and server-side request forgery.

Vulnerability Scanning Orchestration - Orchestrates a pipeline of security tools to automatically detect common web flaws and CVEs.

State Checkpointing - Implements mechanisms for persisting application state to ensure reliable recovery and resumption of long-running reconnaissance workflows.

OSINT Automation Frameworks - Automates the collection of intelligence from public data sources using search engine dorks and metadata extraction.

Incremental Scan Scoping - Tracks and manages scan state to resume interrupted processes and perform incremental analysis of new findings.

Automation Workflow Orchestrations - Coordinates multiple security tools into automated pipelines to perform full reconnaissance via a single command.

Distributed Scanning Agents - Deploys independent scanning nodes across cloud VPS instances to parallelize target analysis.

Parallel Security Scanners - Implements a system for high-speed security assessments using distributed cloud infrastructure.

Security Scanning Workload Distribution - Parallelizes reconnaissance tasks across multiple cloud instances to significantly reduce total execution time.

DNS Record Resolvers - Resolves multiple DNS record types to map subdomains to IP addresses and verify infrastructure.

Network Discovery Tools - Performs large-scale scanning to identify active hosts and open ports using active and passive data.

Asset Inventory Aggregators - Collects and deduplicates subdomains from various sources into a master inventory of target assets.

Attack Surface Inventories - Maintains a persistent record of discovered assets to identify and highlight high-risk targets.

Attack Surface Mapping - Maps the external attack surface by discovering subdomains via passive enumeration and certificate logs.

Differential Asset Tracking - Compares current enumeration results against stored baselines to isolate and scan only newly discovered assets.

Host Infrastructure Analysis - Identifies open ports and CDN providers for target IP addresses to map the external hosting environment.

Infrastructure Reconnaissance - Identifies content delivery network infrastructure to avoid scanning proxy layers during network discovery.

JavaScript Secret Extraction - Parses JavaScript files to extract sensitive API keys and internal service endpoints.

Open Source Intelligence Tools - Automates the collection of leaked credentials and exposed APIs from public sources.

OSINT Data Aggregators - Collects and unifies public metadata, email addresses, and reputation reports from multiple external OSINT sources.

OSINT Frameworks - Collects registration details, leaked credentials, and cloud exposures from public sources without direct target interaction.

Passive Intelligence Gathering - Collects organizational data using non-intrusive OSINT techniques to build target profiles without direct interaction.

Subdomain Enumeration Tools - Discovers associated subdomains using API queries, DNS bruteforcing, and permutation generation to expand the attack surface.

Passive Reconnaissance - Gathers subdomain information from public APIs and transparency logs without interacting with target servers.

Vulnerability Scanning - Scans targets for known security flaws and exports the results in a structured JSON format.

Web Application Pipelines - Implements an automated pipeline to test discovered web endpoints for common vulnerabilities and server misconfigurations.

Web Application Analysis - Discovers endpoints and secrets by probing HTTP status and fuzzing directories.

Web Asset Probing - Probes servers to capture screenshots and identify installed content management systems.

Security Tool Orchestration Pipelines - Coordinates a sequence of independent security tools through a configurable execution flow with dependency management.

Container-Based Isolation - Encapsulates the security toolset in container images to ensure consistent execution across various cloud providers.

Asset Delta Monitoring - Continuously monitors the attack surface by comparing new scan results against established asset baselines.

Live Server Discovery - Identifies responding HTTP servers by verifying DNS resolution and TCP connectivity.

Workflow Stream Resumers - Implements mechanisms to restart interrupted reconnaissance workflows and continue execution.

AI-Generated Security Reports - Produces intelligence reports by processing scan results through AI models with selectable formats for different audiences.

Security Scan Depth Controllers - Provides settings to automatically adjust the intensity and resource usage of security scans based on target surface size.

Web Content Scraping - Crawls websites and parses JavaScript files to extract hardcoded URLs and identify hidden subdomains.

OSINT and Search Tools - Uses search engine dorks to find exposed secrets and sensitive information in public repositories.

Command Injection - Identifies OS command injection vulnerabilities by testing separators and verifying execution.

Identity Data Harvesting - Collects email addresses and usernames from public sources and identifies leaked credentials.

Open Redirect - Verifies if redirect parameters can be manipulated to send users to unauthorized external domains.

Request Smuggling - Identifies HTTP request smuggling vulnerabilities using CL.TE and TE.CL techniques.

SQL Injection - Identifies error-based and blind SQL injection points within URL parameters.

Certificate Transparency Analysis - Queries public Certificate Transparency logs to identify subdomains linked to security certificates.

DNSSEC Enumeration - Analyzes DNSSEC-signed zones to identify hidden subdomains.

Subdomain Permutation - Generates targeted subdomain wordlists through mutations and patterns to discover hidden endpoints.

Subdomain Takeover Tools - Identifies dangling CNAME records and unclaimed cloud resources that can be hijacked.

Web Cache Poisoning - Identifies web cache poisoning vulnerabilities by analyzing cache key manipulation.

Automated Audit Schedulers - Integrates with CI/CD platforms to execute recurring security audits on a fixed timetable.

Document Metadata Extraction - Extracts author names and internal system paths from indexed documents to gather intelligence.

Exporters - Exports the mapped inventory of discovered subdomains and vulnerabilities into machine-readable formats.

Infrastructure Correlation - Maps related domains owned by the same organization by matching shared analytics identifiers.

Analysis Result Exporters - Serializes reconnaissance scan data into organized formats for external analysis and integration.

IP Geolocation - Maps discovered IP addresses to physical locations and ISP metadata to analyze target distribution.

Public Bucket Discovery - Searches for related Amazon S3 buckets and checks public read permissions.

Scan Scope Restrictions - Defines specific hosts and directories to exclude from the scanning process to ensure legal compliance.

Toolsets - Allows users to enable or disable specific security modules to customize the scanning toolset.

Parallel Execution - Runs multiple security tools concurrently to accelerate the reconnaissance process.

Parallel Task Orchestrators - Orchestrates the parallel execution of discovery tasks across remote infrastructure to accelerate reconnaissance.

Asset Delta Scanning - Implements differential tracking to isolate and scan only assets discovered since the last execution.

Cloud Infrastructure Automation - Automates the deployment of security toolchains across cloud infrastructure to scale intelligence gathering.

Security Scanner Capacity Scaling - Scales reconnaissance capacity via cloud provider APIs to handle large target lists efficiently.

Discovery - Searches for publicly accessible storage buckets across major cloud providers.

Config-Driven Image Building - Enables the addition of custom security tools and configs through custom container image builds.

Container Deployment - Uses containerization to ensure consistent tool execution and dependency isolation across different cloud providers.

Containerized Security Toolsets - Delivers a set of security tools via container images to ensure consistent execution across different cloud providers.

Infrastructure Target Filtering - Implements logic for selecting specific targets to be scanned while respecting authorization boundaries via scope files.

Infrastructure Provisioning - Automates the deployment of the scanning environment onto cloud providers using infrastructure-as-code.

Email Authentication Records - Evaluates SPF, DKIM, and DMARC records to identify potential email spoofing vulnerabilities.

Scan State Persistence - Uses a checkpoint system to restart interrupted scans from the last completed function.

Resolution Validation - Resolves subdomain candidates against trusted servers to filter out non-existent hosts.

DNS Analysis - Extracts and analyzes DNS records to identify infrastructure details and identify dangling CNAMEs.

Adaptive Scan Intensity - Executes high-intensity checks automatically when the target size supports deeper analysis.

IP Address Inventorying - Lists all resolved IP addresses associated with target assets while filtering out CDN addresses.

IP Intelligence Tools - Provides analytical lookups for IP addresses, including ASN, WHOIS, and geolocation data.

Network Host Discoverers - Identifies active hosts on a network and performs port scanning and WAF detection.

Intelligence Enrichment - Integrates third-party intelligence APIs to enrich discovery results and avoid rate limiting during reconnaissance.

API Endpoint Discovery - Scans JavaScript files and public leaks to identify all active API endpoints for further security analysis.

Certificate Data Extraction - Extracts Subject Alternative Names from TLS certificates across multiple ports to discover associated hosts.

SSL/TLS Analyzers - Performs deep security analysis on server SSL and TLS configurations to identify vulnerabilities.

GraphQL Endpoint Discovery - Locates GraphQL endpoints and performs schema extraction to map the available API surface.

Email Harvesting - Collects email addresses associated with a domain using search engines and public databases.

Firewall Detection Tools - Includes utilities designed to identify the presence and type of web application firewalls protecting a target.

Parameter Fuzzing - Uses templates to fuzz parameter values and identify potential injection points.

Prototype Pollution Detection - Analyzes client-side JavaScript to identify prototype pollution vulnerabilities.

Target Exclusions - Provides rules to omit specific network assets or infrastructure from security scan operations to maintain authorized boundaries.

Secret Scanning - Analyzes organization repositories to identify leaked API keys and hardcoded credentials.

Secrets Scanning - Searches git repositories and JavaScript files for exposed API keys and private credentials.

Findings Notifications - Sends alerts and differential reports to communication channels when new security issues are discovered.

Security Report Generation - Utilizes artificial intelligence to process scan results into summarized security reports.

Information Gathering Tools - Retrieves WHOIS records and tenant information to map organizational infrastructure.

Out-of-Band Interaction Monitoring - Integrates with external listener servers to monitor for asynchronous network interactions to detect blind vulnerabilities.

Server-Side Template Injection Detection - Checks for server-side template injection by monitoring for payload execution.

Recursive Discovery - Repeats discovery processes on newly discovered subdomains to map deep-level infrastructure.

Active Wordlist Bruteforcing - Uses extensive wordlists to guess potential subdomains not indexed by passive sources.

Configuration Auditing - Audits external services like Jira and Slack for common security misconfigurations.

Cross-Site Scripting Vulnerabilities - Detects reflected, DOM-based, and blind cross-site scripting vulnerabilities in web applications.

Scanning Template Libraries - Matches target URLs against a library of predefined patterns to detect known CVEs and misconfigurations.

Automated Security Scan Triggers - Triggers aggressive reconnaissance techniques automatically based on subdomain count thresholds.

Service Probing - Interacts with web services to identify live servers and extract status codes and technology stacks.

Web Directory Enumeration Tools - Discovers hidden files and directories on web servers through wordlist-based brute-force testing.

Web Path Scanners - Discovers hidden directories and files on web servers using HTTP probing and fuzzing.

Wildcard DNS Filters - Filters out false-positive subdomains caused by wildcard DNS configurations through random string probing.

Pre-defined Executions - Applies pre-defined scanning profiles tailored for specific scopes such as bug bounties or penetration tests.

Plugin Extenders - Supports the integration of custom scripts and hooks to expand the core reconnaissance pipeline.

Request Rate Limiting - Caps the number of outgoing requests per second to avoid triggering security alerts or server overload.

Adaptive Rate Control - Adjusts scanning speed automatically when encountering rate-limit errors.

Execution Progress Tracking - Monitors the real-time status of long-running reconnaissance tasks via a checkpoint system.

AI-Driven Security Summaries - Creates HTML-based summaries of reconnaissance findings using AI to interpret and condense complex data.

API Documentation Discovery - Searches public workspaces and specifications to uncover exposed API collections.

Visual Snapshot Capture - Captures rendered snapshots of web pages to detect visual changes between scans.

Web Crawling - Systematically discovers and maps web content across domains using recursive fuzzing and crawling.

Reconnaissance Frameworks - Automated reconnaissance framework for bug bounty and pentesting.

Open Source Intelligence - Automated recon framework chaining multiple OSINT tools.

Reconnaissance - Automates subdomain enumeration and vulnerability discovery.

Reconnaissance and Dorking - Perform automated reconnaissance and vulnerability scanning on domains.

six2dezreconftw

Features

Star history