reconFTW

reconFTW is a comprehensive, automated reconnaissance framework designed for bug bounty hunters, penetration testers, and security researchers. It is an open-source tool written primarily in Bash that acts as a wrapper, chaining together dozens of the most powerful reconnaissance tools available in the cybersecurity community into a single, cohesive execution pipeline.

In cybersecurity, reconFTW automates the tedious, time-consuming process of information gathering. Instead of manually running individual tools for subdomain discovery, port scanning, and vulnerability detection, a user provides a target domain to reconFTW, which then executes the entire workflow—from initial discovery to vulnerability identification—automatically, organizing the results into a structured file system.

Core Capabilities and Workflow

reconFTW operates by executing a sequential pipeline of tasks, using industry-standard tools such as Amass, Subfinder, Nuclei, and HTTPX under the hood.

  • Comprehensive Subdomain Enumeration: The tool performs deep discovery using passive sources (OSINT), active brute-forcing (guessing subdomains), and permutations (predicting names like dev-api based on api). This ensures the widest possible scope of the attack surface is identified.

  • Web Probing and Screenshotting: Once subdomains are identified, reconFTW filters for live web servers (using tools such as HTTPX) and captures screenshots of every active page. This allows analysts to visually scan thousands of assets for interesting targets, such as login portals or debug pages.

  • Vulnerability Scanning: The framework integrates automated vulnerability scanners to check for low-hanging fruit. It scans for common issues such as Cross-Site Scripting (XSS), Open Redirects, Subdomain Takeovers, and Server-Side Request Forgery (SSRF).

  • JavaScript and Content Analysis: reconFTW downloads and analyzes JavaScript files found on target websites. It searches these files for sensitive information, such as leaked API keys, credentials, or hidden endpoints that are not linked on the main site.

  • Cloud Asset Discovery: The tool specifically searches for misconfigured cloud resources, such as open AWS S3 buckets or Azure blobs, associated with the target organization.

Strategic Benefits for Security Professionals

Automation of Repetitive Tasks: Reconnaissance often accounts for 80% of the effort in a security assessment. reconFTW handles repetitive script execution, freeing the security professional to focus on manual analysis and complex exploitation of the anomalies the tool discovers.

Standardization of Methodology: By using a framework like reconFTW, security teams ensure a consistent baseline of coverage. Every target is scanned with the same rigorous set of checks, reducing the likelihood of human error or oversight, such as an analyst forgetting to run a specific scan type.

Continuous Reconnaissance: reconFTW is designed to be run repeatedly. It includes logic to compare new scan results against previous ones, allowing it to highlight "diffs" or changes. This is critical for monitoring an attack surface over time, as it alerts the user to new subdomains or vulnerabilities that have appeared since the last scan.
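The run-to-run comparison described above, as an added example rather than reconFTW's own code: two constructed subdomain lists stand in for the output of consecutive runs, and the script reports which hosts appeared, which disappeared, and whether any drift occurred at all. File names and host names are assumptions.

```shell
#!/bin/sh
# Added example, not reconFTW's own code: compare the subdomain list from a
# previous run with the current one and report what appeared or disappeared,
# the way a "diff" between periodic reconnaissance runs is meant to work.
set -eu
export LC_ALL=C   # consistent sort order regardless of the caller's locale

# Constructed sample data standing in for two runs' subdomain output files.
PREV_RUN='api.example.com
www.example.com
old-cms.example.com
mail.example.com'
CURR_RUN='API.example.com
www.example.com
dev-api.example.com
mail.example.com
staging.example.com
'

# diff_subdomains PREV CURR: one line per change, "+ host" for newly seen,
# "- host" for no longer seen. Hosts are lower-cased and de-duplicated first
# so a case change alone is not reported as drift.
diff_subdomains() {
  prev_file=$(mktemp); curr_file=$(mktemp)
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sort -u > "$prev_file"
  printf '%s\n' "$2" | tr 'A-Z' 'a-z' | sort -u > "$curr_file"
  awk '/^[[:space:]]*$/ { next }                   # ignore blank lines
       NR==FNR          { seen[$0]=1; next }       # first file: previous run
       ($0 in seen)     { delete seen[$0]; next }  # present in both runs
                        { print "+ " $0 }          # only in current run
       END { for (h in seen) print "- " h }        # only in previous run
      ' "$prev_file" "$curr_file" | sort
  rm -f "$prev_file" "$curr_file"
}

# Hosts that are new since the previous run: the list a targeted follow-up
# scan should be pointed at.
new_hosts()     { diff_subdomains "$1" "$2" | awk '$1=="+" { print $2 }'; }
# Hosts that disappeared: worth checking for decommissioned records that
# still resolve somewhere (dangling DNS).
removed_hosts() { diff_subdomains "$1" "$2" | awk '$1=="-" { print $2 }'; }

# drift_detected PREV CURR: exit status 0 when anything changed, 1 otherwise.
drift_detected() { [ -n "$(diff_subdomains "$1" "$2")" ]; }

diff_subdomains "$PREV_RUN" "$CURR_RUN"
```

Pointing the two arguments at the saved subdomain files of consecutive runs turns this into the signal that decides whether a follow-up scan is worth launching.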

Frequently Asked Questions

Is reconFTW a vulnerability scanner? It is primarily a reconnaissance framework, but it also includes vulnerability-scanning capabilities. Its primary goal is to map the attack surface, but it also runs tools (such as Nuclei) that actively scan for specific vulnerabilities (CVEs) across the assets it discovers.

What language is reconFTW written in? It is written in Bash script. This makes it highly portable and easy for Linux users to modify or debug, as it essentially strings together standard command-line tools.

Who is the target audience for reconFTW? It is built for Bug Bounty Hunters (who need to scan large scopes quickly to find bugs before others) and Red Teams (who need deep visibility into a target's external infrastructure).

Does it require installation of other tools? Yes. Since it is a wrapper, it relies on approximately 40-50 external tools (e.g., Go-based tools from ProjectDiscovery) to function. However, it includes an installer script that automates dependency setup.

ThreatNG and reconFTW: Unifying Strategic Intelligence and Tactical Execution

ThreatNG and reconFTW function as a comprehensive External Attack Surface Management (EASM) ecosystem. ThreatNG operates as the strategic Intelligence Layer, providing high-level discovery, business context, and risk governance. reconFTW operates as the tactical Execution Layer, performing deep technical enumeration and automated vulnerability scanning.

Together, they create a closed-loop security process: ThreatNG defines the scope and assesses the business risk, while reconFTW rigorously tests the technical defenses of the assets ThreatNG identifies.

External Discovery: The Target Acquisition Engine

reconFTW is a powerful enumeration tool, but it requires a starting point (a seed domain). ThreatNG’s External Discovery engine maximizes the effectiveness of reconFTW by feeding it a complete, verified target list that includes assets outside the reach of standard wordlists.

  • Seedless Discovery Injection: ThreatNG uses advanced Open-Source Intelligence (OSINT) to identify assets through business relationships, copyright filings, and historical records. It identifies subsidiaries, forgotten brands, and cloud infrastructure that are not clearly linked to the main domain. ThreatNG provides these "Unknown Unknowns" to the security team, who then feed them into reconFTW. This ensures that reconFTW scans the entire organizational footprint, not just the obvious main website.

  • Cloud Bucket Identification: While reconFTW searches for subdomains, ThreatNG actively discovers Exposed Open Cloud Buckets (S3, Azure Blob) via keyword permutations and passive analysis. When ThreatNG identifies a public bucket, it directs the reconnaissance effort to that storage asset, enabling reconFTW (or manual testing) to probe for misconfigurations and data leaks.

External Assessment: Contextualizing Technical Findings

reconFTW excels at finding technical flaws (e.g., "XSS found on page A"). ThreatNG’s External Assessment engine enriches these technical findings with business and legal context, transforming a list of bugs into a prioritized risk register.

  • Business Viability Assessment (Financial & Legal Resources):

    • The reconFTW Finding: reconFTW identifies a subdomain hosting a third-party login portal with several low-severity misconfigurations.

    • ThreatNG Contribution: ThreatNG assesses the vendor managing that portal using Financial and Legal Resources. It determines the vendor is legally compromised or financially unstable. This external intelligence raises the asset risk from "Low" (technical view) to "Critical" (business view), prompting the organization to migrate away from the vendor rather than patching the portal alone.

  • Technology Stack Validation (Technical Resources):

    • The reconFTW Finding: reconFTW reports that a server is running an older version of PHP.

    • ThreatNG Contribution: ThreatNG validates this finding against its global technology database. It confirms that the specific version is End of Life (EOL) and no longer receives security updates. This confirms that patching is not feasible and that the asset requires decommissioning or isolation, informing the remediation strategy.

Investigation Modules: From Alert to Attribution

When reconFTW flags a potential issue, analysts need to investigate the broader context. ThreatNG’s investigation modules provide the forensic capabilities to attribute the asset and understand the threat landscape surrounding it.

  • Sanitized Dark Web Investigation:

    • The Scenario: reconFTW discovers an exposed administrative interface on dev-admin.company.com.

    • ThreatNG Deep Dive: Analysts use the Sanitized Dark Web module to search for credentials associated with this domain. If they find "Admin" credentials for sale on a dark web marketplace, it confirms that the exposure identified by reconFTW is an active breach. This moves the response from "Vulnerability Management" to "Incident Response."

  • Domain Intelligence and Pivoting:

    • The Scenario: reconFTW identifies a suspicious subdomain pointing to an external IP address.

    • ThreatNG Deep Dive: Analysts use Recursive Attribute Pivoting to trace the ownership of that IP. If ThreatNG identifies the IP as belonging to a known "Bulletproof Hosting" provider often used by phishing gangs, it confirms that the subdomain has been hijacked or is pointing to malicious infrastructure, necessitating an immediate takedown.

  • Archived Web Page Investigation:

    • The Scenario: reconFTW reports a "403 Forbidden" error on a discovered asset, but flags it as interesting.

    • ThreatNG Deep Dive: Analysts use the Archived Web Page module to view historical snapshots of the site. They discover that the page was publicly accessible for 48 hours and contained sensitive internal documentation. This allows the team to assess the impact of the data exposure, even though the site is currently locked down.

Continuous Monitoring: Event-Driven Reconnaissance

reconFTW scans are typically resource-intensive and run periodically. ThreatNG’s Continuous Monitoring ensures that reconnaissance happens exactly when it is needed.

  • Drift-Triggered Scanning: ThreatNG monitors the attack surface for Infrastructure Drift. If it detects a change—such as a new subdomain appearing or a firewall port opening—it triggers an alert. This signal can be used to immediately launch a targeted reconFTW scan against that new asset. This "Event-Driven" approach ensures that new risks are enumerated instantly without waiting for the next full weekly scan.

Intelligence Repositories: Prioritizing the Attack Path

ThreatNG’s Intelligence Repositories help teams filter the massive volume of data produced by reconFTW.

  • Threat Actor Correlation: reconFTW might return thousands of open ports. ThreatNG identifies that a specific set of those ports (e.g., a specific VPN interface) is currently being targeted by a known Advanced Persistent Threat (APT) group. By correlating technical scan results with global threat intelligence, ThreatNG enables the team to prioritize securing assets in the crosshairs of active adversaries.

Reporting: Strategic Governance

ThreatNG’s Reporting capabilities translate tactical data into strategic value.

  • The Executive View: While reconFTW generates technical logs and CSVs for engineers, ThreatNG aggregates this data into executive governance reports. It highlights the "Total Risk Score" and "Attack Surface Reduction" metrics, providing the high-level visibility needed to justify security budgets and demonstrate compliance to the board.

Complementary Solutions

ThreatNG and reconFTW work in concert with other tools to create a robust defensive architecture.

Security Orchestration, Automation, and Response (SOAR): ThreatNG triggers the workflow.

  • Cooperation: ThreatNG acts as the Discovery Trigger. When it finds a new high-risk asset, it sends a webhook to the SOAR platform. The SOAR platform then automatically spins up a cloud instance to run reconFTW against that specific target. This automates the "Discovery-to-Scan" pipeline, ensuring no human intervention is needed to initiate deep reconnaissance on new threats.

Vulnerability Management (VM) Platforms: ThreatNG provides the context.

  • Cooperation: reconFTW feeds the VM platform with a list of technical vulnerabilities. ThreatNG enriches these findings with External Context. It tells the VM platform which of those vulnerabilities are on "Mission Critical" assets versus "Low Impact" staging servers. This allows the VM team to prioritize remediation based on actual business risk rather than CVSS scores alone.

Red Team Operations: ThreatNG is the strategist; reconFTW is the operator.

  • Cooperation: In a Red Team engagement, ThreatNG is used during the Passive Reconnaissance phase to map the organization without touching the infrastructure to avoid detection. Once the targets are selected, reconFTW is deployed during the Active Reconnaissance phase to perform noisy scanning and enumeration to plan the attack.

Frequently Asked Questions

Does ThreatNG run the same tools as reconFTW? No. reconFTW runs aggressive, active tools like Nuclei and Masscan. ThreatNG focuses on passive, non-intrusive discovery and business intelligence. They use different methods to achieve different goals (Discovery vs. Enumeration).

Can ThreatNG replace reconFTW? No. ThreatNG does not perform deep, noisy port scanning or directory brute-forcing as reconFTW does. Conversely, reconFTW cannot provide the business context, dark web intelligence, or legal assessment that ThreatNG offers. They are distinct and complementary.

How do they help with Shadow IT? ThreatNG finds the Shadow IT asset (e.g., a rogue marketing site). reconFTW scans it to see if it is vulnerable. Together, they ensure that Shadow IT is both identified and secured.
