six2dez / reconftw

reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
MIT License
5.43k stars 885 forks

When start scanning Internet is Disconnect #856

Closed burper00 closed 3 months ago

burper00 commented 3 months ago

When I start a scan, 3-5 min after, my connection is lost, and it happens to my whole Wi-Fi network, not only my virtual machine. I think maybe CDN servers or Cloudflare ban my IP, maybe? I tried it on 3 websites too. It always happens.

My machine is on VirtualBox.

reconFTW fully updated.

Kali Linux 2024.01 fully updated.

six2dez commented 3 months ago

Nope, I think this is because of amass getting all the bandwidth. Set the option "REVERSE_WHOIS" to false in the cfg file and try again. https://github.com/six2dez/reconftw/blob/584352487e934b3a8aabe644f007873365d88bcb/reconftw.cfg#L53C1-L53C14

burper00 commented 3 months ago

Thanks for the answer <3 I tried it but it again blocks my internet. I'm pretty sure it's about amass. I tried on the command console "amass enum -d example.com" and it won't block my internet. Maybe it's about the amass command. What do you think?

Edit: It happens in subdomain enumeration or bruteforce.

six2dez commented 3 months ago

Ok, for this case it's because of mass DNS resolution with puredns; check this line and change it accordingly:

https://github.com/six2dez/reconftw/blob/584352487e934b3a8aabe644f007873365d88bcb/reconftw.cfg#L171

burper00 commented 3 months ago

Here is my cfg file:

```bash
#############################################
# reconFTW config file
#############################################

# General values
tools=~/Tools # Path installed tools
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get current script's path
profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile
reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version
generate_resolvers=false # Generate custom resolvers with dnsvalidator
update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution
resolvers_url="https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt"
resolvers_trusted_url="https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt"
fuzzing_remote_list="https://raw.githubusercontent.com/six2dez/OneListForAll/main/onelistforallmicro.txt" # Used to send to axiom(if used) on fuzzing
proxy_url="http://127.0.0.1:8080/" # Proxy url
install_golang=true # Set it to false if you already have Golang configured and ready
upgrade_tools=true
upgrade_before_running=false # Upgrade tools before running
#dir_output=/custom/output/path

# Golang Vars (Comment or change on your own)
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH

# Tools config files
#NOTIFY_CONFIG=~/.config/notify/provider-config.yaml # No need to define
AMASS_CONFIG=~/.config/amass/config.ini
GITHUB_TOKENS=${tools}/.github_tokens
GITLAB_TOKENS=${tools}/.gitlab_tokens
#CUSTOM_CONFIG=custom_config_path.txt # In case you use a custom config file, uncomment this line and set your files path

# APIs/TOKENS - Uncomment the lines you want removing the '#' at the beginning of the line
#SHODAN_API_KEY="XXXXXXXXXXXXX"
#WHOISXML_API="XXXXXXXXXX"
#XSS_SERVER="XXXXXXXXXXXXXXXXX"
#COLLAB_SERVER="XXXXXXXXXXXXXXXXX"
#slack_channel="XXXXXXXX"
#slack_auth="xoXX-XXX-XXX-XXX"

# File descriptors
DEBUG_STD="&>/dev/null" # Skips STD output on installer
DEBUG_ERROR="2>/dev/null" # Skips ERR output on installer

# Osint
OSINT=true # Enable or disable the whole OSINT module
GOOGLE_DORKS=false
GITHUB_DORKS=false
GITHUB_REPOS=false
METADATA=true # Fetch metadata from indexed office documents
EMAILS=true # Fetch emails from differents sites
DOMAIN_INFO=true # whois info
REVERSE_WHOIS=true # amass intel reverse whois info, takes some time
IP_INFO=true # Reverse IP search, geolocation and whois
API_LEAKS=true # Check for API leaks
METAFINDER_LIMIT=20 # Max 250

# Subdomains
RUNAMASS=true
RUNSUBFINDER=true
SUBDOMAINS_GENERAL=true # Enable or disable the whole Subdomains module
SUBPASSIVE=true # Passive subdomains search
SUBCRT=true # crtsh search
CTR_LIMIT=999999 # Limit the number of results
SUBNOERROR=false # Check DNS NOERROR response and BF on them
SUBANALYTICS=true # Google Analytics search
SUBBRUTE=true # DNS bruteforcing
SUBSCRAPING=true # Subdomains extraction from web crawling
SUBPERMUTE=true # DNS permutations
SUBREGEXPERMUTE=true # Permutations by regex analysis
PERMUTATIONS_OPTION=gotator # The alternative is "ripgen" (faster, not deeper)
GOTATOR_FLAGS=" -depth 1 -numbers 3 -mindup -adv -md" # Flags for gotator
SUBTAKEOVER=true # Check subdomain takeovers, false by default cuz nuclei already check this
SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries
DEEP_RECURSIVE_PASSIVE=10 # Number of top subdomains for recursion
SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve
ZONETRANSFER=true # Check zone transfer
S3BUCKETS=true # Check S3 buckets misconfigs
REVERSE_IP=false # Check reverse IP subdomain search (set True if your target is CIDR/IP)
TLS_PORTS="21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,684,695,832,853,854,990,993,989,992,994,995,1129,1131,1184,2083,2087,2089,2096,2221,2252,2376,2381,2478,2479,2482,2484,2679,2762,3077,3078,3183,3191,3220,3269,3306,3410,3424,3471,3496,3509,3529,3539,3535,3660,36611,3713,3747,3766,3864,3885,3995,3896,4031,4036,4062,4064,4081,4083,4116,4335,4336,4536,4590,4740,4843,4849,5443,5007,5061,5321,5349,5671,5783,5868,5986,5989,5990,6209,6251,6443,6513,6514,6619,6697,6771,7202,7443,7673,7674,7677,7775,8243,8443,8991,8989,9089,9295,9318,9443,9444,9614,9802,10161,10162,11751,12013,12109,14143,15002,16995,41230,16993,20003"
INSCOPE=false # Uses inscope tool to filter the scope, requires .scope file in reconftw folder

# Web detection
WEBPROBESIMPLE=true # Web probing on 80/443
WEBPROBEFULL=true # Web probing in a large port list
WEBSCREENSHOT=true # Webs screenshooting
VIRTUALHOSTS=false # Check virtualhosts by fuzzing HOST header
UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3001,3002,3003,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672"

# Host
FAVICON=true # Check Favicon domain discovery
PORTSCANNER=true # Enable or disable the whole Port scanner module
GEO_INFO=true # Fetch Geolocalization info
PORTSCAN_PASSIVE=true # Port scanner with Shodan
PORTSCAN_ACTIVE=true # Port scanner with nmap
PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners"
CDN_IP=true # Check which IPs belongs to CDN

# Web analysis
WAF_DETECTION=true # Detect WAFs
NUCLEICHECK=true # Enable or disable nuclei
NUCLEI_TEMPLATES_PATH="$HOME/nuclei-templates" # Set nuclei templates path
NUCLEI_SEVERITY="info,low,medium,high,critical" # Set templates criticity
NUCLEI_FLAGS=" -silent -t ${NUCLEI_TEMPLATES_PATH}/ -retries 2" # Additional nuclei extra flags, don't set the severity here but the exclusions like " -etags openssh"
NUCLEI_FLAGS_JS=" -silent -tags exposure,token -severity info,low,medium,high,critical" # Additional nuclei extra flags for js secrets
URL_CHECK=true # Enable or disable URL collection
URL_CHECK_PASSIVE=true # Search for urls, passive methods from Archive, OTX, CommonCrawl, etc
URL_CHECK_ACTIVE=true # Search for urls by crawling the websites
URL_GF=true # Url patterns classification
URL_EXT=true # Returns a list of files divided by extension
JSCHECKS=true # JS analysis
FUZZ=true # Web fuzzing
IIS_SHORTNAME=true
CMS_SCANNER=true # CMS scanner
WORDLIST=true # Wordlist generation
ROBOTSWORDLIST=true # Check historic disallow entries on waybackMachine
PASSWORD_DICT=true # Generate password dictionary
PASSWORD_MIN_LENGTH=5 # Min password length
PASSWORD_MAX_LENGTH=14 # Max password length

# Vulns
VULNS_GENERAL=false # Enable or disable the vulnerability module (very intrusive and slow)
XSS=true # Check for xss with dalfox
CORS=true # CORS misconfigs
TEST_SSL=true # SSL misconfigs
OPEN_REDIRECT=true # Check open redirects
SSRF_CHECKS=true # SSRF checks
CRLF_CHECKS=true # CRLF checks
LFI=true # LFI by fuzzing
SSTI=true # SSTI by fuzzing
SQLI=true # Check SQLI
SQLMAP=true # Check SQLI with sqlmap
GHAURI=false # Check SQLI with ghauri
BROKENLINKS=true # Check for brokenlinks
SPRAY=true # Performs password spraying
COMM_INJ=true # Check for command injections with commix
PROTO_POLLUTION=true # Check for prototype pollution flaws
SMUGGLING=true # Check for HTTP request smuggling flaws
WEBCACHE=true # Check for Web Cache issues
BYPASSER4XX=true # Check for 4XX bypasses
FUZZPARAMS=true # Fuzz parameters values

# Extra features
NOTIFICATION=false # Notification for every function
SOFT_NOTIFICATION=false # Only for start/end
DEEP=false # DEEP mode, really slow and don't care about the number of results
DEEP_LIMIT=500 # First limit to not run unless you run DEEP
DEEP_LIMIT2=1500 # Second limit to not run unless you run DEEP
DIFF=false # Diff function, run every module over an already scanned target, printing only new findings (but save everything)
REMOVETMP=false # Delete temporary files after execution (to free up space)
REMOVELOG=false # Delete logs after execution
PROXY=false # Send to proxy the websites found
SENDZIPNOTIFY=false # Send to zip the results (over notify)
PRESERVE=true # set to true to avoid deleting the .called_fn files on really large scans
FFUF_FLAGS=" -mc all -fc 404 -ach -sf -noninteractive -of json" # Ffuf flags
HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length" # Httpx flags for simple web probing

# HTTP options
HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" # Default header

# Threads
FFUF_THREADS=40
HTTPX_THREADS=50
HTTPX_UNCOMMONPORTS_THREADS=100
KATANA_THREADS=20
BRUTESPRAY_THREADS=20
BRUTESPRAY_CONCURRENCE=10
GAU_THREADS=10
DNSTAKE_THREADS=100
DALFOX_THREADS=200
PUREDNS_PUBLIC_LIMIT=2000 # Set between 2000 - 10000 if your router blows up, 0 means unlimited
PUREDNS_TRUSTED_LIMIT=400
PUREDNS_WILDCARDTEST_LIMIT=30
PUREDNS_WILDCARDBATCH_LIMIT=1500000
RESOLVE_DOMAINS_THREADS=150
DNSVALIDATOR_THREADS=200
INTERLACE_THREADS=10
TLSX_THREADS=1000
XNLINKFINDER_DEPTH=3

# Rate limits
HTTPX_RATELIMIT=150
NUCLEI_RATELIMIT=150
FFUF_RATELIMIT=0

# Timeouts
AMASS_INTEL_TIMEOUT=15 # Minutes
AMASS_ENUM_TIMEOUT=180 # Minutes
CMSSCAN_TIMEOUT=3600 # Seconds
FFUF_MAXTIME=900 # Seconds
HTTPX_TIMEOUT=10 # Seconds
HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Seconds
PERMUTATIONS_LIMIT=21474836480 # Bytes, default is 20 GB

# lists
fuzz_wordlist=${tools}/fuzz_wordlist.txt
lfi_wordlist=${tools}/lfi_wordlist.txt
ssti_wordlist=${tools}/ssti_wordlist.txt
subs_wordlist=${tools}/subdomains.txt
subs_wordlist_big=${tools}/subdomains_n0kovo_big.txt
resolvers=${tools}/resolvers.txt
resolvers_trusted=${tools}/resolvers_trusted.txt

# Axiom Fleet
# Will not start a new fleet if one exist w/ same name and size (or larger)
#AXIOM=false # Uncomment only to overwrite command line flags
AXIOM_FLEET_LAUNCH=true # Enable or disable spin up a new fleet, if false it will use the current fleet with the AXIOM_FLEET_NAME prefix
AXIOM_FLEET_NAME="reconFTW" # Fleet's prefix name
AXIOM_FLEET_COUNT=10 # Fleet's number
AXIOM_FLEET_REGIONS="eu-central" # Fleet's region
AXIOM_FLEET_SHUTDOWN=true # Enable or disable delete the fleet after the execution
# This is a script on your reconftw host that might prep things your way...
#AXIOM_POST_START="~/Tools/axiom_config.sh" # Useful to send your config files to the fleet
AXIOM_EXTRA_ARGS="" # Leave empty if you don't want to add extra arguments
#AXIOM_EXTRA_ARGS=" --rm-logs" # Example

# TERM COLORS
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
byellow='\033[1;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
yellow='\033[0;33m'
reset='\033[0m'
```

I tried it too but it doesn't work. My internet disconnects when the bruteforce enum starts. The reason is port scan or puredns, maybe.

six2dez commented 3 months ago

Then reduce the rate limit even more. This is not a reconftw issue but your network/router limitation.
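A worked example added by the editor, not part of the thread and not reconftw's own code: a small POSIX shell helper that applies both pieces of advice given in the replies above (REVERSE_WHOIS=false from the first reply, lower puredns and resolver limits from the later ones) to a copy of reconftw.cfg and reads the values back, so you can confirm the edit actually took effect before the next run. The key names and their starting values are the ones from the config pasted in this thread; the target numbers (500, 100, 50), the function names and the sample file are the editor's assumptions, not reconftw defaults or recommendations.

```shell
#!/bin/sh
# Added example (editor's code, not reconftw's): tune the DNS-related
# knobs in a reconftw.cfg copy and verify them. Key names come from the
# config pasted in this thread; the new values are an assumption for a
# home router, not a reconftw default.
set -eu

# Print the value of KEY from CFG, with any trailing "# comment" stripped.
cfg_get() {
    cfg="$1"; key="$2"
    sed -n -E "s/^${key}=([^ #]*).*/\1/p" "$cfg" | head -n 1
}

# Rewrite KEY's value in CFG, keeping the line's trailing comment.
# Refuses to touch the file if KEY is not present, so a typo in the key
# name does not silently leave the old value in place.
cfg_set() {
    cfg="$1"; key="$2"; value="$3"
    grep -q -E "^${key}=" "$cfg" || { echo "no such key: ${key}" >&2; return 1; }
    sed -E "s/^(${key}=)[^ #]*/\1${value}/" "$cfg" > "${cfg}.tmp"
    mv "${cfg}.tmp" "$cfg"
}

# Low-bandwidth profile: disable the amass reverse-whois step (first reply)
# and cut puredns/resolver concurrency (later replies). The numbers are
# assumptions; lower them further if the router still drops.
apply_low_bandwidth_profile() {
    cfg="$1"
    cfg_set "$cfg" REVERSE_WHOIS false
    cfg_set "$cfg" PUREDNS_PUBLIC_LIMIT 500
    cfg_set "$cfg" PUREDNS_TRUSTED_LIMIT 100
    cfg_set "$cfg" RESOLVE_DOMAINS_THREADS 50
    cfg_set "$cfg" DNSVALIDATOR_THREADS 50
}

# Constructed sample: the relevant lines from the pasted config, at the
# values the reporter was running, so this script works offline.
make_sample_cfg() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
# Osint
REVERSE_WHOIS=true # amass intel reverse whois info, takes some time
# Threads
PUREDNS_PUBLIC_LIMIT=2000 # Set between 2000 - 10000 if your router blows up, 0 means unlimited
PUREDNS_TRUSTED_LIMIT=400
PUREDNS_WILDCARDTEST_LIMIT=30
RESOLVE_DOMAINS_THREADS=150
DNSVALIDATOR_THREADS=200
EOF
    echo "$tmp"
}

# Demo run on the sample. Point apply_low_bandwidth_profile at your real
# reconftw.cfg (after backing it up) to do the same there.
demo="$(make_sample_cfg)"
apply_low_bandwidth_profile "$demo"
for k in REVERSE_WHOIS PUREDNS_PUBLIC_LIMIT PUREDNS_TRUSTED_LIMIT RESOLVE_DOMAINS_THREADS DNSVALIDATOR_THREADS; do
    printf '%s=%s\n' "$k" "$(cfg_get "$demo" "$k")"
done
rm -f "$demo"
```

The values written by cfg_set are plain numbers and booleans, so no sed escaping is needed; do not reuse it for keys whose values contain `/` or `&` (such as the URL or flag strings in the same file) without escaping them first. A consumer router that goes offline a few minutes into DNS bruteforcing is commonly hitting its NAT/connection-tracking limits under thousands of concurrent UDP flows, which is why the fix is lowering concurrency at the source rather than anything upstream; after editing the real file, `grep -E '^(REVERSE_WHOIS|PUREDNS_|RESOLVE_DOMAINS|DNSVALIDATOR)' reconftw.cfg` is a quick way to see every relevant knob at once.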