dumpsterfirevip/st8out.sh

## st8out.sh
#!/bin/bash

#####
#
# St8out - Extra one-liner for reconnaissance
#
# Usage: ./st8out.sh target.com
#
# Resources:
# - https://github.com/j3ssie/metabigor
# - https://github.com/Edu4rdSHL/findomain
# - https://github.com/OWASP/Amass
# - https://github.com/tomnomnom/hacks/tree/master/filter-resolved
# - https://github.com/haccer/subjack
# - https://linux.die.net/man/1/dig
# - https://nmap.org/download.html
# - https://github.com/rverton/webanalyze
# - https://github.com/maurosoria/dirsearch
# - https://github.com/GerbenJavado/LinkFinder
# - https://github.com/EdOverflow/hacks-1/tree/master/cors-blimey
# - https://github.com/sensepost/gowitness
# - https://github.com/s0md3v/Arjun
# - https://github.com/tomnomnom/meg
# - https://github.com/tomnomnom/gf
#
# NOTE: Make sure $GOPATH is exported in $PATH
#		and aliasing every tool that's executed w/o binary
#		and/ binary directories that don't exist in $PATH.
#
#####

[[ -z $1 ]] && echo -e "No target.\nUsage: bash $0 target.com" && exit || mkdir $1 && cd $1 && echo "$1" | cut -d'.' -f1 | metabigor net --org -o metabigor.out && findomain -q -t $1 -u subdomain.out && amass enum -norecursive -noalts -d $1 >> subdomain.out && uniq subdomain.out | filter-resolved > subdomain-resolved.out && subjack -w subdomain-resolved.out -t 100 -timeout 30 -ssl -a -v -o subjack.out && cat subdomain-resolved.out | xargs dig +short > ips.txt && uniq ips.txt | xargs nmap -v --reason -sV -T4 -oG nmap.out --append-output --version-light -p- && egrep -v "^#|Status: Up" nmap.out | cut -d' ' -f2,4- | sed -n -e 's/Ignored.*//p' | awk '{print "Host: " $1 " Ports: " NF-1; $1=""; for(i=2; i<=NF; i++) { a=a" "$i; }; split(a,s,","); for(e in s) { split(s[e],v,"/"); printf "%-8s %s/%-7s %s\n" , v[2], v[3], v[1], v[5]}; a="" }' > nmap-open.txt && cat subdomain-resolved.out | httprobe | tee hosts.out && webanalyze -update && webanalyze -hosts hosts.out > webanalyze.out && dirsearch -L hosts.out -e php,json -x 400,403,429,502,503 -t 200 -F --simple-report dirsearch.out -r && cat hosts.out | xargs -I % linkfinder -d -o cli -i % > linkfinder.out && cat dirsearch.out | cors-blimey > cors.out && gowitness file dirsearch.out --threads 30 && arjun --urls dirsearch.out -t 100 --get > arjun.out && meg -d 1000 -v / hosts.out && gf -list | xargs -I % gf %
	#!/bin/bash

	#####
	#
	# St8out - Extra one-liner for reconnaissance
	#
	# Usage: ./st8out.sh target.com
	#
	# Resources:
	# - https://github.com/j3ssie/metabigor
	# - https://github.com/Edu4rdSHL/findomain
	# - https://github.com/OWASP/Amass
	# - https://github.com/tomnomnom/hacks/tree/master/filter-resolved
	# - https://github.com/haccer/subjack
	# - https://linux.die.net/man/1/dig
	# - https://nmap.org/download.html
	# - https://github.com/rverton/webanalyze
	# - https://github.com/maurosoria/dirsearch
	# - https://github.com/GerbenJavado/LinkFinder
	# - https://github.com/EdOverflow/hacks-1/tree/master/cors-blimey
	# - https://github.com/sensepost/gowitness
	# - https://github.com/s0md3v/Arjun
	# - https://github.com/tomnomnom/meg
	# - https://github.com/tomnomnom/gf
	#
	# NOTE: Make sure $GOPATH is exported in $PATH
	# and aliasing every tool that's executed w/o binary
	# and/ binary directories that don't exist in $PATH.
	#
	#####

	[[ -z $1 ]] && echo -e "No target.\nUsage: bash $0 target.com" && exit \|\| mkdir $1 && cd $1 && echo "$1" \| cut -d'.' -f1 \| metabigor net --org -o metabigor.out && findomain -q -t $1 -u subdomain.out && amass enum -norecursive -noalts -d $1 >> subdomain.out && uniq subdomain.out \| filter-resolved > subdomain-resolved.out && subjack -w subdomain-resolved.out -t 100 -timeout 30 -ssl -a -v -o subjack.out && cat subdomain-resolved.out \| xargs dig +short > ips.txt && uniq ips.txt \| xargs nmap -v --reason -sV -T4 -oG nmap.out --append-output --version-light -p- && egrep -v "^#\|Status: Up" nmap.out \| cut -d' ' -f2,4- \| sed -n -e 's/Ignored.*//p' \| awk '{print "Host: " $1 " Ports: " NF-1; $1=""; for(i=2; i<=NF; i++) { a=a" "$i; }; split(a,s,","); for(e in s) { split(s[e],v,"/"); printf "%-8s %s/%-7s %s\n" , v[2], v[3], v[1], v[5]}; a="" }' > nmap-open.txt && cat subdomain-resolved.out \| httprobe \| tee hosts.out && webanalyze -update && webanalyze -hosts hosts.out > webanalyze.out && dirsearch -L hosts.out -e php,json -x 400,403,429,502,503 -t 200 -F --simple-report dirsearch.out -r && cat hosts.out \| xargs -I % linkfinder -d -o cli -i % > linkfinder.out && cat dirsearch.out \| cors-blimey > cors.out && gowitness file dirsearch.out --threads 30 && arjun --urls dirsearch.out -t 100 --get > arjun.out && meg -d 1000 -v / hosts.out && gf -list \| xargs -I % gf %