#! /bin/bash
# Subdomain recon pipeline: findomain, subfinder, crt.sh, massdns,
# dns.bufferover.run, httprobe, wordlist brute-force, meg.
# TODO: add amass, further domain brute-forcing and port scanning.
# massdns and findomain binaries must be in /usr/local/bin (on PATH);
# subfinder, jq, httprobe and meg must be on PATH as well.
# my .bash_profile must be present (presumably for PATH/tool setup).
# Only run this against domains you are authorized to test: it probes every
# discovered host with hundreds of concurrent connections (httprobe -c 1000/500).
# Author oyenom
# takeover script balu subdomain takeover
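# Usage: recon.sh <domain>
# Validate the target before anything runs: every later command builds file
# names (findomain-<domain>.txt, ...) and query URLs out of $1, so reject an
# empty argument or anything that is not a plain host name (no slashes,
# spaces or shell metacharacters).
if [[ -z "${1:-}" || ! "$1" =~ ^[A-Za-z0-9.-]+$ ]]; then
  echo "usage: $0 <domain>" >&2
  exit 1
fi
# Passive subdomain enumeration, one output file per source.
findomain -t "$1" -q | tee "findomain-$1.txt"
subfinder -d "$1" -silent | tee "subfinder-$1.txt"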
#crtsh
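# crt.sh certificate-transparency lookup for %.<domain>.
# Arguments: $1 - apex domain
# Outputs:   unique host names from the matching certificates, one per line,
#            with leading "*." wildcard labels stripped
# --fail makes an HTTP error produce no output instead of an HTML error page
# that jq would then choke on; the URL is quoted so $1 is never word-split
# or globbed.
crtsh(){
  curl --silent --fail "https://crt.sh/?q=%.$1&output=json" \
    | jq -r '.[].name_value' \
    | sed 's/\*\.//g' \
    | sort -u
}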
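# The union of the three passive sources is the massdns input.
crtsh "$1" | tee "crtsh-$1.txt"
sort -u "findomain-$1.txt" "subfinder-$1.txt" "crtsh-$1.txt" | tee "mass-$1-input.txt"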
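# Resolve every candidate name with massdns.
# Arguments: $1 - file of candidate host names, one per line
# Outputs:   writes massdns "simple" (-o S) records, i.e. "name. TYPE rdata"
#            lines, to livehosts-<$1>.txt for the un() parser below
# NOTE(review): the resolver list path is hard-coded; massdns itself is
# expected on PATH (see header).
mass(){
  # earlier invocation kept for reference:
  #./bin/massdns -r lists/resolvers.txt -t A -o S seek-domains.txt -w livehosts.txt
  massdns -r "$HOME/tools/massdns/lists/resolvers.txt" -t A -o S "$1" -w "livehosts-$1.txt"
}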
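# Resolves mass-<domain>-input.txt; mass() writes
# livehosts-mass-<domain>-input.txt.txt (it wraps its argument in
# livehosts-...txt).
mass "mass-$1-input.txt"
# massdns output is parsed by un() below.
# NOTE(review): the reason for the pause is not recorded — presumably to let
# massdns flush its output file; confirm it is still needed.
sleep 2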
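# Extract the queried names from massdns "simple" (-o S) output.
# Arguments: $1 - massdns -w output file ("name. TYPE rdata" per line)
# Outputs:   unique names, trailing root dot removed, one per line
# The name is the first whitespace-separated field; taking it with awk
# replaces the old sed chain (s/A.*//, s/CN.*//), which truncated any name
# containing an uppercase "A" or the letters "CN" instead of just the
# record type.
un(){
  awk '{ print $1 }' "$1" | sed 's/\.$//' | sort -u
}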
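# The doubled ".txt" is produced by mass(): it wraps its argument
# (mass-<domain>-input.txt) in livehosts-...txt.
un "livehosts-mass-$1-input.txt.txt" | tee "massdns-$1.txt"
# Candidates plus everything that resolved.
sort -u "mass-$1-input.txt" "massdns-$1.txt" | tee "all-$1.txt"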
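# dns.bufferover.run forward-DNS lookup for names ending in .<domain>.
# Arguments: $1 - apex domain
# Outputs:   unique host names from the FDNS_A list, one per line
# FDNS_A entries are "ip,name" pairs, hence the cut on field 2.
# '.FDNS_A[]?' makes a missing/null FDNS_A produce no output instead of a jq
# error; --fail does the same for HTTP errors.
# NOTE(review): the public endpoint may now require an API key — confirm it
# still answers unauthenticated queries before relying on this source.
dns(){
  curl --silent --fail "https://dns.bufferover.run/dns?q=.$1" \
    | jq -r '.FDNS_A[]?' \
    | cut -d',' -f2 \
    | sort -u
}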
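dns "$1" | tee "dns-$1.txt"
# httprobe turns every host that answers on http/https into a URL.
# NOTE(review): 1000 concurrent probes is aggressive against a single target;
# lower it if the scope or rate limits call for it.
sort -u "all-$1.txt" "dns-$1.txt" | httprobe -c 1000 | tee "live-$1.txt"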
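# Print "<http status> <url>" for every URL in a file (HEAD requests).
# Arguments: $1 - file of URLs, one per line (httprobe output)
# The URL is printed by printf rather than interpolated into --write-out, so
# a line containing %{...} cannot be interpreted as a curl format directive;
# read -r keeps backslashes in the input intact.
rs(){
  local line code
  while IFS= read -r line; do
    code=$(curl -o /dev/null --silent --head --write-out '%{http_code}' "$line")
    printf '%s %s\n' "$code" "$line"
  done < "$1"
}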
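# Optional status check of the live hosts via rs() above; disabled.
#rs live-$1.txt | tee status-$1.txt
#cp live-$1.txt hosts
#meg -d 1 -v /
# Wordlist brute-force: prepend every word to the domain and let httprobe keep
# the ones that answer. read -r/printf keep words with backslashes or leading
# dashes intact, and blank wordlist lines are skipped instead of probing
# ".<domain>".
while IFS= read -r word; do
  [[ -n "$word" ]] || continue
  printf '%s.%s\n' "$word" "$1"
done < "$HOME/files/wordlist.txt" | httprobe -c 500 | tee "brute-$1.txt"
# "hosts" in the current directory is presumably meg's default host list —
# confirm; it is overwritten on every run.
sort -u "brute-$1.txt" "live-$1.txt" | tee hosts
# Fetch / on every live host. NOTE(review): -d 1 is meg's per-host delay
# (milliseconds, if memory serves) — very aggressive; confirm the target
# tolerates it.
meg -d 1 -v /
# Final list: every live host with the scheme stripped (sed first, then
# dedupe, so http:// and https:// variants collapse into one entry).
sed 's/https\?:\/\///' "live-$1.txt" "brute-$1.txt" | sort -u | tee "all-live-$1.txt"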