ReconFTW is an all‑in‑one reconnaissance framework that automates subdomain enumeration, OSINT, web probing, directory fuzzing, port scanning and basic vulnerability checks. It bundles many of the popular recon and scanning tools into one configurable workflow so you can run thorough reconnaissance quickly and reproducibly. ReconFTW is widely used by bug‑bounty hunters, pentesters and security researchers to gather targets and produce sharable results. (GitHub)
Download (GitHub repositories)
- ReconFTW (official repo): six2dez/reconftw on GitHub, https://github.com/six2dez/reconftw. (GitHub)
- KaliGPT (example installer / CLI assistant): a community installer repo, not part of the ReconFTW project: SudoHopeX/KaliGPT on GitHub, https://github.com/SudoHopeX/KaliGPT. (GitHub)
- Optional LLM analysis helper for ReconFTW outputs: reconftw_ai (analyzes ReconFTW output folders and generates LLM-written reports), https://github.com/six2dez/reconftw_ai. (GitHub)
Quick install — ReconFTW (local machine / VPS / VM)
- Install system prerequisites (on a Debian/Kali-based system; adjust for your distro): update the package list and install git, curl, python3 and the common build tools. The ReconFTW README details the additional toolchain requirements. (GitHub)
- Clone the repo:
git clone https://github.com/six2dez/reconftw.git
cd reconftw
- Review the install script before running it. It installs system packages, Go-based tools and Python dependencies, so read it first and only run it with elevated privileges once you are satisfied with what it does:
# read the install script first
less install.sh
# then run (if you're happy)
sudo bash install.sh
ReconFTW also supports Docker and provisioning via Terraform/Ansible; consult the README for those deployment options. (GitHub)
Basic usage (safe reconnaissance examples)
After installation you will mainly run reconftw.sh. Use -h to print the help menu.
Example commands (non-destructive reconnaissance modes):
- Full recon on a single domain (passive plus active enumeration, no exploitation):
./reconftw.sh -d target.com -r
- Recon on multiple targets (one target per line in targets.txt), written to a chosen output folder:
./reconftw.sh -l targets.txt -r -o /path/to/output/
- Lightweight (passive) recon only:
./reconftw.sh -d target.com -p
- Deep recon (resource-heavy; a VPS is recommended):
./reconftw.sh -d target.com -r --deep
- Full recon that also runs active vulnerability checks (use only with explicit authorization):
./reconftw.sh -d target.com -a
Important flags and notes: -r = recon mode (recommended for enumeration), -p = passive only, -a = all checks including active vulnerability checks, -o = output folder, --deep enables the slower options for a deeper scan, -v enables distributed scanning through Axiom VPS instances, and -x / -i take a file of out-of-scope / in-scope subdomains so the run stays inside the agreed scope. See the repo README for the complete option list and the reconftw.cfg configuration file for per-tool settings. (GitHub)
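Before a list goes to `-l targets.txt`, a practitioner gates it against the signed scope so that a stray paste (a look-alike domain, a partner's host, a typo) never reaches the scanner. The script below is an added example written for this page; it is not ReconFTW or KaliGPT code. It assumes a constructed scope file with one authorized entry per line, either an exact host (`app.example.com`) or a wildcard (`*.example.com`), and it assumes, as most programs do, that a wildcard covers subdomains only, so the apex must be listed on its own if it is in scope.

```python
#!/usr/bin/env python3
"""Scope-gate a target list before it goes to `./reconftw.sh -l targets.txt`.

Added example, not part of ReconFTW. Scope entries are either exact hosts
or "*.base" wildcards; anything not covered is written to out_of_scope.txt
with a reason instead of targets.txt.
"""
import re

# Hostname shape only: dotted labels of [a-z0-9-], no leading/trailing hyphen.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize(target: str) -> str:
    """Reduce a raw entry to a bare lower-case hostname.

    'HTTPS://user:pw@App.Example.com:8443/login?x=1' -> 'app.example.com'
    """
    t = target.strip().lower()
    t = re.sub(r"^[a-z][a-z0-9+.-]*://", "", t)   # drop scheme
    t = t.split("/", 1)[0].split("?", 1)[0]       # drop path and query
    t = t.rsplit("@", 1)[-1]                      # drop userinfo
    t = t.split(":", 1)[0]                        # drop port
    return t.rstrip(".")


def parse_scope(lines):
    """Split scope entries into exact hosts and wildcard bases ('*.x' -> 'x')."""
    exact, wildcard = set(), set()
    for line in lines:
        entry = normalize(line.split("#", 1)[0])  # allow trailing comments
        if not entry:
            continue
        if entry.startswith("*."):
            wildcard.add(entry[2:])
        else:
            exact.add(entry)
    return exact, wildcard


def in_scope(host, exact, wildcard):
    """A wildcard covers subdomains only; list the apex separately if it is in scope."""
    if host in exact:
        return True
    return any(host.endswith("." + base) for base in wildcard)


def gate_targets(targets, scope_lines):
    """Return (allowed, rejected); rejected carries a reason per entry."""
    exact, wildcard = parse_scope(scope_lines)
    allowed, rejected, seen = [], [], set()
    for raw in targets:
        host = normalize(raw)
        if not host or host in seen:
            continue  # skip blanks and duplicates
        seen.add(host)
        if not HOST_RE.match(host):
            rejected.append((host, "not a valid hostname"))
        elif in_scope(host, exact, wildcard):
            allowed.append(host)
        else:
            rejected.append((host, "outside signed scope"))
    return allowed, rejected


# Constructed sample input standing in for a scope document and a raw target list.
SCOPE = [
    "example.com",
    "*.example.com  # all subdomains per the signed statement of work",
    "api.partner.org",
]
RAW_TARGETS = [
    "https://App.Example.com/login",
    "example.com",
    "a.b.example.com",
    "notexample.com",        # looks similar, not covered
    "examplecom.evil.net",   # sloppy paste from another engagement
    "app.example.com",       # duplicate of the first entry
    "bad_host!",
]

if __name__ == "__main__":
    allowed, rejected = gate_targets(RAW_TARGETS, SCOPE)
    with open("targets.txt", "w") as fh:
        fh.write("\n".join(allowed) + "\n")
    with open("out_of_scope.txt", "w") as fh:
        fh.writelines(f"{h}\t{why}\n" for h, why in rejected)
    print(f"{len(allowed)} in scope -> targets.txt, {len(rejected)} rejected -> out_of_scope.txt")
```

Run it, inspect out_of_scope.txt, and only then call `./reconftw.sh -l targets.txt -r`. The suffix match uses a leading dot on purpose: `notexample.com` does not end with `.example.com`, so a wildcard never leaks onto a look-alike domain.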
Ethics & legal requirement (must read)
Using recon and pentest tools on systems you do not own or do not have explicit authorization to test is illegal in most jurisdictions. This post does not provide instructions for exploiting or taking down systems. If your goal is vulnerability validation or exploitation, do that only in one of these safe scenarios:
- You have explicit written authorization (a signed scope from the system owner).
- You are testing your own systems or an isolated lab (VMs/containers).
- You are using intentionally vulnerable targets built for testing (e.g., OWASP Juice Shop, Damn Vulnerable Web Application (DVWA), VulnHub VMs).
- Follow coordinated disclosure / responsible disclosure if you discover real vulnerabilities.
This post does not walk through exploitation step by step; the workflow below describes what to do with recon data instead. The ReconFTW README also carries a direct disclaimer and a reminder to use the tool responsibly. (GitHub)
Responsible pentest workflow (what to do with recon data)
- Gather & organize: run ReconFTW with -r or -p and write results to a timestamped folder (-o). ReconFTW produces directories such as subdomains/, webs/, hosts/ and osint/ under the target's output folder. (GitHub)
- Triage: review findings to remove duplicates and false positives and identify interesting hosts (admin panels, API endpoints, exposed buckets, dev/staging hosts).
- Validate (non-destructive): confirm findings with passive techniques and non-destructive probes (HTTP header checks, directory listing checks, robots.txt, metadata inspection).
- Isolate for validation: if more intrusive testing is needed, replicate the target in a lab (or obtain permission) and run controlled tests there.
- Document & report: record reproduction steps, risk level and remediation suggestions, and coordinate disclosure with the owner. ReconFTW supports Faraday for centralized reporting and has AI integration helpers to format reports. (GitHub)
How to integrate ReconFTW with KaliGPT (or an LLM-assisted workflow)
Short version: use ReconFTW to produce structured output, then feed that output into an LLM assistant (KaliGPT or a local LLM) to accelerate triage, summarization and report drafting — but don't ask the LLM to generate exploit payloads for unauthorized targets.
- Install KaliGPT (example community installer). Clone the SudoHopeX repo and run its installer script:
git clone https://github.com/SudoHopeX/KaliGPT.git
cd KaliGPT
bash kaligpt_unified.sh --help
# to install a backend model (example)
sudo bash kaligpt_unified.sh --model 1
- KaliGPT supports different backends (OpenAI API, browser web mode, local models via Ollama); check its README for the current options, requirements and installer flags. (GitHub) If the backend is a hosted API, every recon detail you paste leaves your environment and lands with a third party; for client engagements under NDA, prefer a local model and sanitize the output before prompting.
- Use an LLM to summarize & triage
- Option A, manual: open the relevant ReconFTW output (for example output/target.com/webs/), copy examples of interesting endpoints or headers, and prompt KaliGPT to summarize likely impact and suggest non-destructive next steps (further probing, recommended tests or mitigation suggestions). Keep prompts focused on analysis, not exploit creation.
- Option B, automated: use reconftw_ai or similar tooling to parse ReconFTW outputs automatically and produce markdown reports with a configured LLM model. That repo is built specifically to analyze ReconFTW outputs and generate reports for different audiences (executive, bug hunter, etc.). (GitHub)
- Example safe prompt to KaliGPT (manual workflow), a policy-friendly prompt you might use:
- "I ran ReconFTW against target.com and found the following endpoints and headers: [paste sanitized output]. Please summarize likely exposures, prioritize findings by impact (high/medium/low), and suggest next non-destructive validation steps and remediation notes suitable for a security report."
- Avoid prompting KaliGPT for exploit payloads, steps to bypass authentication, or instructions that would enable unauthorized access.
- Automation tip: pipe outputs into a local script that extracts the most common endpoints with their HTTP status codes and response sizes, strips anything sensitive (query strings, embedded credentials, session or reset tokens), and sends only that sanitized summary to KaliGPT for triage. Keep the process logged and run it only within scope and with permission.
Example Minimal Integration Flow (conceptual)
./reconftw.sh -d target.com -r -o ./results/target.com
- Run a simple parser to produce a short summary (domains, top web endpoints, exposed buckets).
kaligpt -c "Summarize these findings for a bug bounty report:" < summary.txt
- Review the KaliGPT output manually, correct wording and technical details, and produce the final report.
(The exact commands depend on which KaliGPT installer/model and LLM backend you choose; check the KaliGPT README for the kaligpt CLI usage.) (GitHub)
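The "simple parser" step above, and the sanitized summary the automation tip and the triage step of the workflow ask for, is the part most people skip; this added example shows one way to write it. It is not code from ReconFTW, reconftw_ai or KaliGPT. It assumes the web-probe results are in httpx JSON-lines form (one object per line with at least `url` and `status_code`, optionally `content_length` and `title`); the sample is constructed to match that shape, and the keyword list is a starting heuristic to extend per engagement.

```python
#!/usr/bin/env python3
"""Parse web-probe results into a sanitized, prioritized summary for an LLM prompt.

Added example, not project code. Assumes httpx JSON-lines input; strips
userinfo, query strings and token-like path segments before anything is
pasted into a prompt, and tiers each URL for triage.
"""
import json
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Hex or base64/url-safe runs long enough to be a session id, reset token or API key.
TOKEN_SEGMENT_RE = re.compile(r"^(?:[0-9a-f]{16,}|[A-Za-z0-9_\-+/=]{24,})$")

# Keyword heuristics for what a triager looks at first; extend per engagement.
SENSITIVE_HINTS = (
    "admin", "login", "dashboard", "internal", "dev", "staging", "backup",
    ".git", ".env", ".zip", ".sql", ".bak", "phpmyadmin", "jenkins",
)

# Constructed sample in httpx JSON-lines shape, including one malformed line.
SAMPLE_JSONL = """\
{"url":"https://www.target.com","status_code":200,"content_length":5123,"title":"Target Inc"}
{"url":"https://admin.target.com/login?next=/dashboard","status_code":200,"content_length":2310,"title":"Admin Login"}
{"url":"https://api.target.com/v1/users?token=eyJhbGciOiJIUzI1NiJ9.e30.sig","status_code":401,"content_length":45,"title":""}
{"url":"https://static.target.com","status_code":403,"content_length":153,"title":"403 Forbidden"}
{"url":"https://old.target.com/backup.zip","status_code":200,"content_length":9830221,"title":""}
{"url":"https://user:Secr3t@dev.target.com:8443/","status_code":302,"content_length":0,"title":""}
this line is not JSON and must be skipped, not crash the run
"""


def sanitize_url(url: str) -> str:
    """Drop userinfo, query and fragment; mask path segments that look like tokens."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    path = "/".join(
        "<redacted>" if TOKEN_SEGMENT_RE.match(seg) else seg
        for seg in parts.path.split("/")
    )
    return urlunsplit((parts.scheme, netloc, path, "", ""))


def tier(url: str, status: int) -> str:
    """high: sensitive-looking and reachable (200); medium: sensitive-looking or auth-gated; low: rest."""
    parts = urlsplit(url)
    hit = any(k in (parts.netloc + parts.path).lower() for k in SENSITIVE_HINTS)
    if hit and status == 200:
        return "high"
    if hit or status in (401, 403):
        return "medium"
    return "low"


def parse_httpx_jsonl(text: str):
    """Return (records, skipped_line_count); each record is already sanitized and tiered."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
            url = sanitize_url(obj["url"])
            status = int(obj["status_code"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed line: count it, never abort the whole parse
            continue
        records.append({
            "url": url,
            "status": status,
            "length": int(obj.get("content_length") or 0),
            "title": str(obj.get("title") or "").strip(),
            "tier": tier(url, status),
        })
    return records, skipped


def summarize(records, max_per_tier: int = 20) -> str:
    """Markdown summary for the '[paste sanitized output]' slot of a triage prompt."""
    counts = Counter(r["status"] for r in records)
    lines = [
        "# Sanitized web surface summary",
        "Status codes: " + ", ".join(f"{s}: {n}" for s, n in sorted(counts.items())),
    ]
    for name in ("high", "medium", "low"):
        group = sorted((r for r in records if r["tier"] == name), key=lambda r: -r["length"])
        if not group:
            continue
        lines.append(f"## {name.upper()} ({len(group)})")
        for r in group[:max_per_tier]:  # largest responses first within a tier
            lines.append(f"- {r['url']} [{r['status']}] [{r['length']} bytes] {r['title']}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    recs, skipped = parse_httpx_jsonl(SAMPLE_JSONL)
    print(summarize(recs))
    print(f"\n({skipped} unparseable line(s) skipped)")
```

Write the output to summary.txt and feed that file, not the raw probe output, to the `kaligpt -c ...` step. The sanitizer is deliberately lossy: the embedded `user:Secr3t@` credential and the `token=` query parameter never reach the prompt, and the model still gets the host, path, status code and response size it needs to rank the findings.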
Additional resources & links
- ReconFTW (GitHub): https://github.com/six2dez/reconftw. (GitHub)
- ReconFTW AI analysis helper: https://github.com/six2dez/reconftw_ai. (GitHub)
- KaliGPT (community installer example): https://github.com/SudoHopeX/KaliGPT. (GitHub)