The script recons a domain, like example.com, using various techniques to find related hosts / subdomain names, and outputs a CSV file using recon-ng.
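#!/bin/bash
# Recon one domain with recon-ng and export the discovered hosts as CSV.
#
# Usage: script domain fileoutput
#   domain      apex domain to enumerate, e.g. example.com (ASCII / punycode)
#   fileoutput  CSV base name; recon-ng writes "<cwd>/<fileoutput>.csv"
#
# It should be run in Kali with recon-ng installed and custom scripts from
# https://github.com/scumsec/Recon-ng-modules in /usr/share/recon-ng/modules/custom
# Blog post about the script available at https://goblinsecurity.blogspot.com/
#
# Side effects: writes the generated recon-ng resource file to
# "<cwd>/scan.reconng" (overwriting any existing one), then runs recon-ng
# non-interactively with it. The usage banner is now only printed when the
# arguments are wrong; a normal run prints the one-line summary only.
#
# INSTALL
#apt install recon-ng -y
#git clone https://github.com/scumsec/Recon-ng-modules
#mkdir /usr/share/recon-ng/modules/custom/
#cp Recon-ng-modules/*.py /usr/share/recon-ng/modules/custom/
set -euo pipefail

# Print a diagnostic to stderr and exit 1.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Print the usage banner to stderr and exit 2.
usage() {
  printf 'Usage %s domain fileoutput\n' "$0" >&2
  printf 'This script prepares and runs the domain reconng script.\n' >&2
  printf 'It should be run in Kali with recon-ng installed and custom scripts from https://github.com/scumsec/Recon-ng-modules in /usr/share/recon-ng/modules/custom\n' >&2
  printf 'Blog post about the script available at https://goblinsecurity.blogspot.com/\n' >&2
  exit 2
}

# Abort unless $1 looks like a plain DNS name: dot-separated labels of
# letters, digits and hyphens, optionally with a trailing dot. The value is
# interpolated verbatim into recon-ng commands and handed to dig, so spaces,
# newlines and other metacharacters are rejected here rather than ending up
# as extra commands in the resource file.
require_domain() {
  local candidate=$1
  local label='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
  local re="^${label}(\\.${label})*\\.?\$"
  [[ "$candidate" =~ $re ]] || die "'$candidate' is not a valid domain name"
}

# Abort unless $1 is a non-empty CSV base name without control characters
# (a newline would split the "set FILENAME" line of the resource file).
require_output_name() {
  local candidate=$1
  [[ -n "$candidate" ]] || die "output file name must not be empty"
  if [[ "$candidate" =~ [[:cntrl:]] ]]; then
    die "output file name must not contain control characters"
  fi
}

# Print the first resolver listed in /etc/resolv.conf (the "nameserver"
# keyword is matched case-insensitively), or nothing when none is listed.
detect_resolver() {
  awk 'tolower($1) == "nameserver" { print $2; exit }' /etc/resolv.conf
}

# Emit a "use <module>" / "run" pair for the recon-ng module named in $1.
run_module() {
  printf 'use %s\nrun\n' "$1"
}

# Write the recon-ng resource script for one domain to stdout.
#   $1 domain, $2 resolver for recon-ng's NAMESERVER option, $3 CSV path
emit_resource_script() {
  local domain=$1 nameserver=$2 csv_path=$3
  # prepare workspace
  # reset workspace
  printf '%s\n' \
    "workspaces delete $domain" \
    "workspaces add $domain" \
    "workspaces select $domain" \
    "add domains $domain"
  # set NS auth
  printf '%s\n' "set NAMESERVER $nameserver"
  # start recon
  # axfr
  run_module custom/axfr
  # brute
  run_module recon/domains-hosts/brute_hosts
  # third party dbs
  run_module recon/domains-hosts/hackertarget
  run_module recon/domains-hosts/netcraft
  run_module recon/domains-hosts/threatcrowd
  run_module recon/domains-hosts/builtwith
  # spf and mx
  run_module recon/domains-hosts/mx_spf_ip
  run_module custom/spf-ip
  run_module custom/mx-ip
  run_module custom/censys-mx
  # reverse whois
  run_module custom/threatcrowd_domain
  # search engines crawlers
  run_module recon/domains-hosts/google_site_web
  run_module recon/domains-hosts/bing_domain_web
  run_module custom/baidu_site
  # cert names
  run_module recon/domains-hosts/certificate_transparency
  # SSL san names
  run_module recon/domains-hosts/ssl_san
  # whois IP to netblock, companies; might break scope
  # run_module custom/arin
  # resolve IPs
  run_module recon/hosts-hosts/resolve
  # vhost
  # todo
  # reverse PTR , rPTR with SSL
  run_module recon/hosts-hosts/reverse_resolve
  run_module recon/netblocks-hosts/reverse_resolve
  run_module recon/hosts-hosts/ssltools
  # add linked domains , might break scope
  # run_module recon/hosts-domains/migrate_hosts
  # other TLDs # optional , slow , might break scope
  # run_module recon/domains-domains/brute_suffix
  # report
  printf '%s\n' \
    "use reporting/csv" \
    "set FILENAME $csv_path" \
    "set TABLE hosts" \
    "run" \
    "exit"
}

# Validate arguments and tools, build the resource file, then run recon-ng.
main() {
  (( $# == 2 )) || usage
  local domainattacked=$1 fileoutput=$2
  require_domain "$domainattacked"
  require_output_name "$fileoutput"
  command -v recon-ng >/dev/null || die "recon-ng not found in PATH"
  command -v dig >/dev/null || die "dig not found in PATH"

  local here=$PWD
  local resource_file="$here/scan.reconng"

  # recon-ng needs an explicit resolver; fail early instead of emitting an
  # empty "set NAMESERVER" line.
  local my_dns
  my_dns=$(detect_resolver) || my_dns=
  [[ -n "$my_dns" ]] || die "no nameserver entry found in /etc/resolv.conf"

  # Primary NS from the SOA record is informational only (it is not written
  # to the resource file), so a missing SOA is reported but does not stop
  # the run. "|| soa=" keeps a dig failure from aborting under set -e.
  local soa soa_ip='?'
  soa=$(dig +short "$domainattacked" SOA | cut -d ' ' -f1) || soa=
  if [[ -n "$soa" ]]; then
    soa_ip=$(dig +short "$soa") || soa_ip='?'
  else
    printf 'warning: no SOA record found for %s\n' "$domainattacked" >&2
    soa='?'
  fi
  printf '%s\n' "The domain reckoned is $domainattacked using auth NS server $soa at $soa_ip, current DNS is $my_dns"

  emit_resource_script "$domainattacked" "$my_dns" "$here/$fileoutput.csv" \
    > "$resource_file" || die "cannot write $resource_file"

  # run reconng
  recon-ng --no-check --no-analytics -r "$resource_file"
}

main "$@"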