reNgine-ng is a fork of reNgine.
reNgine-ng is your go-to web application reconnaissance suite that's designed to simplify and streamline the reconnaissance process for security professionals, penetration testers, and bug bounty hunters. With its highly configurable engines, data correlation capabilities, continuous monitoring, database-backed reconnaissance data, and an intuitive user interface, reNgine-ng redefines how you gather critical information about your target web applications.
Traditional reconnaissance tools often fall short in terms of configurability and efficiency. reNgine-ng addresses these shortcomings and emerges as a excellent alternative to existing commercial tools.
reNgine-ng was created to address the limitations of traditional reconnaissance tools and provide a better alternative, even surpassing some commercial offerings. Whether you're a bug bounty hunter, a penetration tester, or a corporate security team, reNgine-ng is your go-to solution for automating and enhancing your information-gathering efforts.
reNgine-ng 2.0 is out now, you can watch reNgine-ng 2.0 release trailer here!
reNgine-ng 2.0 would not have been possible without @ocervell valuable contributions. @ocervell did majority of the refactoring if not all and also added a ton of features. Together, we wish to shape the future of web application reconnaissance, and it's developers like @ocervell and a ton of other developers and hackers from our community who inspire and drive us forward.
Thank you, @ocervell, for your outstanding work and unwavering commitment to reNgine-ng.
Checkout our contributers here: Contributers
You can find detailed documentation in the repository Wiki
- About reNgine-ng
- Workflow
- Features
- Scan Engine
- Quick Installation
- What's new in reNgine-ng 2.0
- Screenshots
- Contributing
- reNgine-ng Support
- Support and Sponsoring
- reNgine-ng Bug Bounty Program
- License
reNgine-ng is not an ordinary reconnaissance suite; it's a game-changer! We've turbocharged the traditional workflow with groundbreaking features that is sure to ease your reconnaissance game. reNgine-ng redefines the art of reconnaissance with highly configurable scan engines, recon data correlation, continuous monitoring, GPT powered Vulnerability Report, Project Management and role based access control etc.
🦾 reNgine-ng has advanced reconnaissance capabilities, harnessing a range of open-source tools to deliver a comprehensive web application reconnaissance experience. With it's intuitive User Interface, it excels in subdomain discovery, pinpointing IP addresses and open ports, collecting endpoints, conducting directory and file fuzzing, capturing screenshots, and performing vulnerability scans. To summarize, it does end-to-end reconnaissance. With WHOIS identification and WAF detection, it offers deep insights into target domains. Additionally, reNgine-ng also identifies misconfigured S3 buckets and find interesting subdomains and URLS, based on specific keywords to helps you identify your next target, making it an go to tool for efficient reconnaissance.
🗃️ Say goodbye to recon data chaos! reNgine-ng seamlessly integrates with a database, providing you with unmatched data correlation and organization. Forgot the hassle of grepping through json, txt or csv files. Plus, our custom query language lets you filter reconnaissance data effortlessly using natural language like operators such as filtering all alive subdomains with http_status>0
and also filter all subdomains that are alive and has admin in name http_status>0&name=admin
🔧 reNgine-ng offers unparalleled flexibility through its highly configurable scan engines, based on a YAML-based configuration. It offers the freedom to create and customize recon scan engines based on any kind of requirement, users can tailor them to their specific objectives and preferences, from thread management to timeout settings and rate-limit configurations, everything is customizable. Additionally, reNgine-ng offers a range of pre-configured scan engines right out of the box, including Full Scan, Passive Scan, Screenshot Gathering, and the OSINT Scan Engine. These ready-to-use engines eliminate the need for extensive manual setup, aligning perfectly with reNgine-ng's core mission of simplifying the reconnaissance process and enabling users to effortlessly access the right reconnaissance data with minimal effort.
💎 Subscans: Subscan is a game-changing feature in reNgine-ng, setting it apart as the only open-source tool of its kind to offer this capability. With Subscan, waiting for the entire pipeline to complete is a thing of the past. Now, users can swiftly respond to newfound discoveries during reconnaissance. Whether you've stumbled upon an intriguing subdomain and wish to conduct a focused port scan or want to delve deeper with a vulnerability assessment, reNgine-ng has you covered.
📃 PDF Reports: In addition to its robust reconnaissance capabilities, reNgine-ng goes the extra mile by simplifying the report generation process, recognizing the crucial role that PDF reports play in the realm of end-to-end reconnaissance. Users can effortlessly generate and customize PDF reports to suit their exact needs. Whether it's a Full Scan Report, Vulnerability Report, or a concise reconnaissance report, reNgine-ng provides the flexibility to choose the report type that best communicates your findings. Moreover, the level of customization is unparalleled, allowing users to select report colors, fine-tune executive summaries, and even add personalized touches like company names and footers. With GPT integration, your reports aren't just a report, with remediation steps, and impacts, you get 360-degree view of the vulnerabilities you've uncovered.
🔖 Say Hello to Projects! reNgine-ng 2.0 introduces a powerful addition that enables you to efficiently organize your web application reconnaissance efforts. With this feature, you can create distinct project spaces, each tailored to a specific purpose, such as personal bug bounty hunting, client engagements, or any other specialized recon task. Each projects will have separate dashboard and all the scan results will be separated from each projects, while scan engines and configuration will be shared across all the projects.
⚙️ Roles and Permissions! Begining reNgine-ng 2.0, we've taken your web application reconnaissance to a whole new level of control and security. Now, you can assign distinct roles to your team members—Sys Admin, Penetration Tester, and Auditor—each with precisely defined permissions to tailor their access and actions within the reNgine-ng ecosystem.
- 🔐 Sys Admin: Sys Admin is a super user that has permission to modify system and scan related configurations, scan engines, create new users, add new tools etc. Super user can initiate scans and subscans effortlessly.
- 🔍 Penetration Tester: Penetration Tester will be allowed to modify and initiate scans and subscans, add or update targets, etc. A penetration tester will not be allowed to modify system configurations.
- 📊 Auditor: Auditor can only view and download the report. An auditor can not change any system or scan related configurations nor can initiate any scans or subscans.
🚀 GPT Vulnerability Report Generation: Get ready for the future of penetration testing reports with reNgine-ng's groundbreaking feature: "GPT-Powered Report Generation"! With the power of OpenAI's GPT, reNgine-ng now provides you with detailed vulnerability descriptions, remediation strategies, and impact assessments that read like they were written by a human security expert! But that's not all! Our GPT-driven reports go the extra mile by scouring the web for related news articles, blogs, and references, so you have a 360-degree view of the vulnerabilities you've uncovered. With reNgine-ng 2.0 revolutionize your penetration testing game and impress your clients with reports that are not just informative but engaging and comprehensive with detailed analysis on impact assessment and remediation strategies.
🥷 GPT-Powered Attack Surface Generation: With reNgine-ng 2.0, reNgine-ng seamlessly integrates with GPT to identify the attacks that you can likely perform on a subdomain. By making use of reconnaissance data such as page title, open ports, subdomain name etc, reNgine-ng can advice you the attacks you could perform on a target. reNgine-ng will also provide you the rationale on why the specific attack is likely to be successful.
🧭 Continuous monitoring: Continuous monitoring is at the core of reNgine-ng's mission, and it's robust continuous monitoring feature ensures that their targets are under constant scrutiny. With the flexibility to schedule scans at regular intervals, penetration testers can effortlessly stay informed about their targets. What sets reNgine-ng apart is its seamless integration with popular notification channels such as Discord, Slack, and Telegram, delivering real-time alerts for newly discovered subdomains, vulnerabilities, or any changes in reconnaissance data.
- Reconnaissance:
- Subdomain Discovery
- IP and Open Ports Identification
- Endpoints Discovery
- Directory/Files fuzzing
- Screenshot Gathering
- Vulnerability Scan
- Nuclei
- Dalfox XSS Scanner
- CRLFuzzer
- Misconfigured S3 Scanner
- WHOIS Identification
- WAF Detection
- OSINT Capabilities
- Meta info Gathering
- Employees Gathering
- Email Address gathering
- Google Dorking for sensitive info and urls
- Projects, create distinct project spaces, each tailored to a specific purpose, such as personal bug bounty hunting, client engagements, or any other specialized recon task.
- Perform Advanced Query lookup using natural language alike and, or, not operations
- Highly configurable YAML-based Scan Engines
- Support for Parallel Scans
- Support for Subscans
- Recon Data visualization
- GPT Vulnerability Description, Impact and Remediation generation
- GPT Attack Surface Generator
- Multiple Roles and Permissions to cater a team's need
- Customizable Alerts/Notifications on Slack, Discord, and Telegram
- Automatically report Vulnerabilities to HackerOne
- Recon Notes and Todos
- Clocked Scans (Run reconnaissance exactly at X Hours and Y minutes) and Periodic Scans (Runs reconnaissance every X minutes/- hours/days/week)
- Proxy Support
- Screenshot Gallery with Filters
- Powerful recon data filtering with autosuggestions
- Recon Data changes, find new/removed subdomains/endpoints
- Tag targets into the Organization
- Smart Duplicate endpoint removal based on page title and content length to cleanup the reconnaissance data
- Identify Interesting Subdomains
- Custom GF patterns and custom Nuclei Templates
- Edit tool-related configuration files (Nuclei, Subfinder, Naabu, amass)
- Add external tools from Github/Go
- Interoperable with other tools, Import/Export Subdomains/Endpoints
- Import Targets via IP and/or CIDRs
- Report Generation
- Toolbox: Comes bundled with most commonly used tools during penetration testing such as whois lookup, CMS detector, CVE lookup, etc.
- Identification of related domains and related TLDs for targets
- Find actionable insights such as Most Common Vulnerability, Most Common CVE ID, Most Vulnerable Target/Subdomain, etc.
# Global vars for all tools
#
# custom_header: 'Cookie: Test' # FFUF, Nuclei, Dalfox, CRL Fuzz, HTTP Crawl, Fetch URL
# user_agent: '' # Dalfox only
# enable_http_crawl: true # All tools
# timeout: 10 # Subdomain discovery, Screenshot, Port scan, FFUF, Nuclei
# threads: 30 # All tools
# rate_limit: 150 # Port scan, FFUF, Nuclei
# intensity: 'normal' # Screenshot (grab only the root endpoints of each subdomain), Nuclei (reduce number of endpoints to scan), OSINT (not implemented yet)
# retries: 1 # Nuclei
subdomain_discovery: {
'uses_tools': ['subfinder', 'ctfr', 'sublist3r', 'tlsx', 'oneforall', 'netlas'], # amass-passive, amass-active, All
'enable_http_crawl': true,
'threads': 30,
'timeout': 5,
# 'use_subfinder_config': false,
# 'use_amass_config': false,
# 'amass_wordlist': 'deepmagic.com-prefixes-top50000'
}
http_crawl: {
# 'custom_header': 'Cookie: Test',
# 'threads': 30,
# 'follow_redirect': false
}
port_scan: {
'enable_http_crawl': true,
'timeout': 5,
# 'exclude_ports': [],
# 'exclude_subdomains': [],
'ports': ['top-100'],
'rate_limit': 150,
'threads': 30,
'passive': false,
# 'use_naabu_config': false,
# 'enable_nmap': true,
# 'nmap_cmd': '',
# 'nmap_script': '',
# 'nmap_script_args': ''
}
osint: {
'discover': [
'emails',
'metainfo',
'employees'
],
'dorks': [
'login_pages',
'admin_panels',
'dashboard_pages',
'stackoverflow',
'social_media',
'project_management',
'code_sharing',
'config_files',
'jenkins',
'wordpress_files',
'php_error',
'exposed_documents',
'db_files',
'git_exposed'
],
# 'custom_dorks': [],
'intensity': 'normal',
'documents_limit': 50
}
dir_file_fuzz: {
'auto_calibration': true,
'enable_http_crawl': true,
'rate_limit': 150,
'extensions': ['html', 'php','git','yaml','conf','cnf','config','gz','env','log','db','mysql','bak','asp','aspx','txt','conf','sql','json','yml','pdf'],
'follow_redirect': false,
'max_time': 0,
'match_http_status': [200, 204],
'recursive_level': 2,
'stop_on_error': false,
'timeout': 5,
'threads': 30,
'wordlist_name': 'dicc'
}
fetch_url: {
'uses_tools': [
'gospider',
'hakrawler',
'waybackurls',
'katana'
],
'remove_duplicate_endpoints': true,
'duplicate_fields': ['content_length', 'page_title'],
'enable_http_crawl': true,
'gf_patterns': ['debug_logic', 'idor', 'interestingEXT', 'interestingparams', 'interestingsubs', 'lfi', 'rce', 'redirect', 'sqli', 'ssrf', 'ssti', 'xss'],
'ignore_file_extensions': ['png', 'jpg', 'jpeg', 'gif', 'mp4', 'mpeg', 'mp3'],
'threads': 30,
# 'exclude_subdomains': false
}
vulnerability_scan: {
'run_nuclei': true,
'run_dalfox': false,
'run_crlfuzz': false,
'run_s3scanner': false,
'enable_http_crawl': true,
'concurrency': 50,
'intensity': 'normal',
'rate_limit': 150,
'retries': 1,
'timeout': 5,
'fetch_gpt_report': true,
'nuclei': {
'use_nuclei_config': false,
'severities': ['unknown', 'info', 'low', 'medium', 'high', 'critical'],
# 'tags': [], # Nuclei tags (https://github.com/projectdiscovery/nuclei-templates)
# 'templates': [], # Nuclei templates (https://github.com/projectdiscovery/nuclei-templates)
# 'custom_templates': [] # Nuclei custom templates uploaded in reNgine-ng
}
}
waf_detection: {
'enable_http_crawl': true
}
screenshot: {
'enable_http_crawl': true,
'intensity': 'normal',
'timeout': 10,
'threads': 40
}
Note: Only Ubuntu/VPS
-
Clone this repo
git clone https://github.com/Security-Tools-Alliance/rengine-ng && cd rengine
-
Edit the dotenv file, please make sure to change the password for postgresql
POSTGRES_PASSWORD
!nano .env
-
In the dotenv file, you may also modify the Scaling Configurations
MAX_CONCURRENCY=80 MIN_CONCURRENCY=10
MAX_CONCURRENCY: This parameter specifies the maximum number of reNgine-ng's concurrent Celery worker processes that can be spawned. In this case, it's set to 80, meaning that the application can utilize up to 80 concurrent worker processes to execute tasks concurrently. This is useful for handling a high volume of scans or when you want to scale up processing power during periods of high demand. If you have more CPU cores, you will need to increase this for maximised performance.
MIN_CONCURRENCY: On the other hand, MIN_CONCURRENCY specifies the minimum number of concurrent worker processes that should be maintained, even during periods of lower demand. In this example, it's set to 10, which means that even when there are fewer tasks to process, at least 10 worker processes will be kept running. This helps ensure that the application can respond promptly to incoming tasks without the overhead of repeatedly starting and stopping worker processes.
These settings allow for dynamic scaling of Celery workers, ensuring that the application efficiently manages its workload by adjusting the number of concurrent workers based on the workload's size and complexity
-
Run the installation script, Please keep an eye for any prompt, you will also be asked for username and password for reNgine-ng.
sudo ./install.sh
If
install.sh
does not have install permission, please change it,chmod +x install.sh
reNgine-ng can now be accessed from https://127.0.0.1 or if you're on the VPS https://your_vps_ip_address
Unless you are on development branch, please do not access reNgine-ng via any ports
Installation instructions can be found at https://github.com/Security-Tools-Alliance/rengine-ng/wiki/install/detailed/
-
Updating is as simple as running the following command:
cd rengine && sudo ./update.sh
If
update.sh
does not have execution permissions, please change it,sudo chmod +x update.sh
NOTE: if you're updating from 1.3.6 and you're getting a 'password authentication failed' error, consider uninstalling 1.3.6 first, then install 2.x.x as you'd normally do.
Please find the latest release notes and changelog here.
Contributions are what make the open-source community such an amazing place to learn, inspire and create. Every contributions you make is greatly appreciated. Your contributions can be as simple as fixing the indentation or UI, or as complex as adding new modules and features.
See the Contributing Guide to get started.
You can also join our Discord channel #development for any development related questions.
Please note that reNgine-ng is beginner friendly. If you have never done open-source before, we encourage you to do so. We will be happy and proud of your first PR ever.
You can start by resolving any open issues.
Please do not use GitHub for support requests. Instead, join our Discord channel #support.
We are volunteers, working hard on reNgine-ng to add new features with the sole aim of making it the de facto standard for reconnaissance. Help is welcome, you can help us out by opening a PR. Come to the Discord to discuss with the reNgine-ng team.
- Add a GitHub Star to the project.
- Tweet about this project, or maybe blogs?
- Maybe nominate us for GitHub Stars?
Any support is greatly appreciated! Thank you!
Distributed under the GNU GPL v3 License. See LICENSE for more information.
(ChatGPT was used to write some or most part of this README section.)