v4.1: Merge pull request #1018 from six2dez/dev

[v4.1] - 2026-03-06

Added

Advanced Subdomain & Asset Discovery

• sub_srv function: SRV record enumeration (_ldap._tcp, _sip._tcp, _xmpp-server._tcp, etc.) via dnsx. Discovers service infrastructure hosts. Config: SRV_ENUM=true. Output: subdomains/srv_records.txt. Data file: data/wordlists/srv_prefixes.txt (~27 SRV prefixes).
• sub_ptr_cidrs function: PTR sweep over ASN CIDR ranges discovered by sub_asn. Expands CIDRs via mapcidr, runs reverse PTR lookups via dnsx, filters in-scope results. Config: PTR_SWEEP=false (off by default), PTR_SWEEP_MAX_IPS=50000 (safety limit). Output: subdomains/ptr_pivots.txt.
• sub_ns_delegation function: discovers delegated DNS zones (subdomains with their own NS records) and attempts AXFR zone transfers on each delegated nameserver. Complements existing zonetransfer() which only checks the main domain's NS. Config: NS_DELEGATION=true. Output: subdomains/ns_delegated_zones.txt.
• tls_ip_pivots function: TLS certificate harvesting from raw IPs (not just known subdomains like sub_tls). Three phases: (A) passive cert harvest extracting SAN/CN via tlsx -json, (B) SNI brute-force using discovered labels as candidates (DEEP mode only), (C) reverse PTR + SNI probing via tlsx -rev-ptr-sni. Includes delta-only httpx probe for newly discovered subdomains. Config: TLS_IP_PIVOTS=false, TLS_IP_SNI_BATCH_SIZE=1000, TLS_IP_DELTA_PROBE=true. Output: hosts/tls_ip_certs.jsonl, subdomains/tls_ip_pivots.txt.
• sub_js_extract function: extracts hostnames from JS/crawl output files (js/nojs_links.txt, js/js_livelinks.txt, webs/url_extract.txt, js/js_secrets.txt, etc.), resolves new candidates, and delta-probes them. Creates a feedback loop from web analysis back into subdomain discovery. Config: JS_SUB_EXTRACT=true.
• well_known_pivots function: checks well-known metadata endpoints (/.well-known/security.txt, /.well-known/openid-configuration, /.well-known/oauth-authorization-server) for hostname references matching the target domain. Config: WELLKNOWN_PIVOTS=false, WELLKNOWN_MAX_TARGETS=200.
• Reactivated virtualhosts() in all scan modes (recon, subs_menu, webs_menu, zen_menu, multi-domain recon). Was previously commented out. Gated by existing VIRTUALHOSTS=false config flag.

Pipeline Integration

• Subdomain Phase 4 (parallel): added sub_srv and sub_ptr_cidrs alongside sub_noerror and sub_dns.
• Subdomain Phase 5 (parallel): added sub_ns_delegation alongside sub_tls and sub_analytics.
• Web Detection: added tls_ip_pivots and virtualhosts after portscan/geo_info in both parallel and sequential paths.
• Web Analysis: added sub_js_extract and well_known_pivots after jschecks.
• passive() mode: PTR_SWEEP, NS_DELEGATION, and TLS_IP_PIVOTS are saved/restored as false to prevent active techniques in passive-only mode.

Config Profiles

• Full profile (reconftw_full.cfg): enables PTR_SWEEP, SRV_ENUM, NS_DELEGATION, TLS_IP_PIVOTS, JS_SUB_EXTRACT, WELLKNOWN_PIVOTS.
• Quick profile (reconftw_quick.cfg): enables only SRV_ENUM (lightweight); disables all others.
• Stealth profile (reconftw_stealth.cfg): enables only SRV_ENUM; disables all active techniques.

v4.0

What's Changed

This release involves a full code refactoring of the tool. Please take a look at the changelog

Enjoy the release and check the new documentation page at https://docs.reconftw.com/

Full Changelog: v3.2.1...v4.0

If you like this tool or any of my other tools, consider sponsoring them :)

v3.2.1

QoL improvements., small fixes and ip.thc.org added as a source for passive subs and RevDNS entries.

What's Changed

• small fix httpx by @six2dez in #987
• Dev by @six2dez in #991
• Fix macos tests by @six2dez in #992
• Dev by @six2dez in #993

Full Changelog: v3.2.0...v3.2.1

v3.2.0

What's Changed

• Fix sub_dns() extract ips from subdomains_ips.txt by @hongson97 in #964
• Dev by @six2dez in #965
• reconftw output hotfix by @six2dez in #968
• Few small fixes by @kleozzy in #970
• Dev by @six2dez in #971
• Dev by @six2dez in #986

New Contributors

• @hongson97 made their first contribution in #964

Full Changelog: v3.1.0...v3.2.0

v3.1.0

What's Changed

• Update install.sh by @ab2pentest in #937
• Fix Nuclei Severity Filters by @kleozzy in #939
• Dev by @six2dez in #941
• Update README.md by @six2dez in #944
• Dev by @six2dez in #945
• Six2dez patch 1 by @six2dez in #943
• Dev by @six2dez in #947
• nuclei fix, replaced metafinder and emailfinder as no longer works by @six2dez in #948
• Dev by @six2dez in #951
• fix cdncheck by @six2dez in #954
• fix fuzzparams by @kleozzy in #953
• fix(install): update misconfig-mapper install step due to upstream changes by @x9xhack in #952
• Dev by @six2dez in #956
• Dev by @six2dez in #958
• Dev by @six2dez in #960
• misconfig-mapper and timeout favup by @six2dez in #961
• Readme updated finally :) by @six2dez in #963

New Contributors

• @x9xhack made their first contribution in #952

Full Changelog: v3.0.0...v3.1.0

v3.0.0

What's Changed

• Faraday integration for WebUI and reporting
• Update install.sh - Mantra Install Fix by @tux3d0 in #918
• Add --check-tools option and GitHub workflow by @pgrenaud in #920
• Fix macos support by @pgrenaud in #921
• Fix Debian/Ubuntu support and others install fixes by @pgrenaud in #922
• Miscellaneous fixes by @pgrenaud in #924
• Add pipx and virtual env support by @pgrenaud in #923
• Restore changes lost in the last merge by @pgrenaud in #925
• Dev by @six2dez in #936

New Contributors

• @tux3d0 made their first contribution in #918
• @pgrenaud made their first contribution in #920

Full Changelog: v2.9.1...v3.0.0

v2.9.1

What's Changed

• Updated amass v3 config.ini by @six2dez in #884
• Adding Metafinder & Whois to installed tools check. by @0xAW in #889
• Fix touch errors in multi-recon by ensuring directories exist before file operations by @whiskeykilo in #894
• Add soft notfication to multi recon mode by @whiskeykilo in #895
• Added Cloudhunter, improved webs_nuclei.txt , passed webs_nuclei to gf instead. by @kleozzy in #896
• Dev by @six2dez in #898
• Add proxmox Deployment Script by @wanetty in #905
• Dev by @six2dez in #910

New Contributors

• @0xAW made their first contribution in #889
• @whiskeykilo made their first contribution in #894
• @wanetty made their first contribution in #905

Full Changelog: v2.9...v2.9.1

v2.9

Highlights

• API leak checks SwaggerSpy and porch-pirate
• 3rd parties misconfigs with misconfig-mapper
• JS sourcemaps check with sourcemapper and jsluice
• IP geolocation info
• oshi.at for sending huge results zip files
• Improved trufflehog detection
• Updated mind map
• IIS short names added
• Password leaks with LeakSearch
• PPfuzz replaced by ppmap
• Brutespray and nomore403 updated
• Nucleus fuzzing parameters
• Added p1radup

What's Changed

• fix apileaks by @six2dez in #813
• swaggerspy fix by @six2dez in #814
• swaggerspy output by @six2dez in #816
• Fix capitalization Mantra -> mantra by @kleozzy in #820
• Fix Apileak paths by @kleozzy in #822
• Dev by @six2dez in #823
• Dev by @six2dez in #825
• trufflehog arguments fix by @six2dez in #826
• Dev by @six2dez in #830
• fix geoinfo - git update - web mode by @six2dez in #832
• Dev by @six2dez in #834
• comment by @six2dez in #835
• Dev by @six2dez in #840
• Merge 20240227 by @rt-bast in #838
• Dev by @six2dez in #841
• Fix installer by @six2dez in #843
• push wapiti installer by @six2dez in #844
• Dev by @six2dez in #847
• Dev by @six2dez in #848
• final fix? maybe by @six2dez in #849
• Tool installation fixes mainly by @kleozzy in #853
• Fix brutespray Calling by @kleozzy in #860
• Dev by @six2dez in #861
• Fix nuclei fuzzing by @kleozzy in #862
• fix iis shortname scanner dir creations by @kleozzy in #864
• Optimize vuln scan speed and efficiency by @kleozzy in #866
• fix the fuzzparams function with the -fuzz flag by @j0hnZ3RA in #865
• Dev by @six2dez in #867
• Alot of fixes + ffufpostprocessing by @kleozzy in #868
• Add soft flag for p1radup to allow same host different path by @kleozzy in #869
• Detecting arm systems that are not RPIs by @Marmeus in #870
• Dev by @six2dez in #872
• fix 3rd parties var by @six2dez in #874
• transfer.sh replaced with oshi.at by @six2dez in #875
• Fix filename for oshi by @six2dez in #876
• Dev by @six2dez in #882

New Contributors

• @rt-bast made their first contribution in #838
• @j0hnZ3RA made their first contribution in #865
• @Marmeus made their first contribution in #870

Full Changelog: v2.8.1...v2.9

v2.8.1

• Gf potential removed
• New API leaks search included
• Fix for dontgo403
• Fix for smuggler

v2.8

Main changes

• Removed web interface
• Added postman search
• Replaced byp4xx with dontgo403

What's Changed

• Update requirements.txt by @six2dez in #791
• Update reconftw.sh by @six2dez in #794
• Ip geo_info (from dev) by @lorenzocamilli in #801
• Shodan vulns and ports by @lorenzocamilli in #802
• Patch 1 by @Kr1shna4garwal in #803
• Fix Mantra is not found by @abdilahrf in #804
• Update install.sh by @six2dez in #806
• Update reconftw.sh by @six2dez in #807
• Dev by @six2dez in #809

New Contributors

• @lorenzocamilli made their first contribution in #801
• @Kr1shna4garwal made their first contribution in #803
• @abdilahrf made their first contribution in #804

Full Changelog: v2.7.1.1...v2.8