Reconftw Simple Script for full Reconnaissance



Run script or set your tools path in the script in $tools var (line 10)

This is a simple script intended to perform a full recon on a target with multiple subdomains. It performs the steps listed below:

  1. Tools checker
  2. Google Dorks (based on degoogle_hunter)
  3. Subdomain enumeration (passive, resolution, bruteforce and permutations)
  4. Sub TKO (subjack and nuclei)
  5. Probing (httpx)
  6. Web screenshot (aquatone)
  7. Template scanner (nuclei)
  8. Port Scan (naabu)
  9. URL extraction (waybackurls and gau)
  10. Pattern Search (gf and gf-patterns)
  11. Param discovery (paramspider and arjun)
  12. XSS (Gxss and dalfox)
  13. Github Check (git-hound)
  14. Favicon Real IP (fav-up)
  15. Javascript Checks (
  16. Directory fuzzing/discovery (dirsearch and ffuf)
  17. CORS (CORScanner)
  18. SSL Check (testssl)

You can also run just the subdomain scan, the web scan or the Google dorks. Remember that the web scan needs a target list passed with the -l flag.

It generates its output in the Recon/ folder, under the name of the target domain, for example Recon/


  • Requires Go
  • Uses apt for installing packages; modify for your needs
git clone
cd reconftw
chmod +x *.sh
./ -d -a


Full scan:

./ -d -a

Subdomains scan:

./ -d -s

Web scan (target list required):

./ -d -l targets.txt -w


Google dorks:

./ -d -g


  • Some tools in this script need or can use multiple API keys, such as amass, subfinder, or git-hound. It is up to you to configure them correctly; consult the documentation of each tool to do so.
  • This script uses dalfox with the blind-xss option; you must change it to your own server, check

Short-term improvement plan:

  • Enhance this Readme
  • Customize output folder
  • Interlace usage
  • Notification support (Slack, Discord and Telegram)
  • CMS tools (wpscan, drupwn/droopescan, joomscan)
  • Any other interesting suggestion