Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/bin/bash
####################################
# Config
##################
HTTPROBE_CONCURRENCY=100
HTTPROBE_TIMEOUT=3000
DIRSEARCH_THREADS=50
DIRSEARCH_EXTENSIONS=\*
ATTENTION_PATTERN='(api|dev|stag|stg|test|tst|corp|int|inter|infra|priv|demo|promo|config|docker|s3|vip|jira|jenkins|splunk|archive|backup|secure|dash|vip|vpn|auth)'
##################
# End Config
####################################
cd `pwd`
TARGET=$1
OUTPATH=recon-$(date +%F)
mkdir -p $OUTPATH
cd $OUTPATH
echo
echo "/==========================================="
echo "|"
echo "| Recon started on $TARGET"
echo "| Saving results in ./$OUTPATH"
echo "|"
echo "\==========================================="
echo
echo "Starting asset discovery"
echo " Running assetfinder"
assetfinder --subs-only $TARGET >> assetfinder.tmp
echo " - Found: $(cat assetfinder.tmp | wc -l)"
echo " Running knockpy"
knockpy $TARGET --json 1>/dev/null 2>knockpy.tmp
KNOCKPY_REPORT=$(cat knockpy.tmp | grep : | awk -F': ' '{print $2}')
cat $KNOCKPY_REPORT | jq '.found.subdomain[]' | sed 's/"//g' >> knockpy.tmp
echo " - Found: $(cat knockpy.tmp | wc -l)"
mkdir -p reports/knockpy
mv $KNOCKPY_REPORT reports/knockpy
echo " Checking certspotter"
certspotter $TARGET >> certspotter.tmp
echo " - Found: $(cat certspotter.tmp | wc -l)"
echo " Sorting and removing duplicate assets"
cat assetfinder.tmp knockpy.tmp certspotter.tmp | sort -u | grep "$TARGET$" > all.txt
echo " - Discovered $(cat all.txt | wc -l) unique assets"
echo " Running massdns"
massdns -q -r ~/tools/massdns/lists/resolvers.txt -t A -o S -w reports/massdns.out all.txt
echo " Running httprobe"
cat all.txt | httprobe -c $HTTPROBE_CONCURRENCY -t $HTTPROBE_TIMEOUT >> alive.txt
echo " - $(cat alive.txt | wc -l) assets are responding"
echo " Looking for interesting assets"
cat all.txt | sed "s/.$TARGET$//" | grep -E $ATTENTION_PATTERN | sed "s/$/.$TARGET/" > attention-all.txt
cat alive.txt | sed "s/.$TARGET$//" | grep -E $ATTENTION_PATTERN | sed "s/$/.$TARGET/" > attention-alive.txt
echo " - Found $(cat attention-all.txt | wc -l) interesting assets, of which $(cat attention-alive.txt | wc -l) are responding"
echo " Asset discovery complete"
echo
echo "Starting content gathering"
echo " Running dirsearch"
mkdir -p reports/dirsearch
for host in `cat alive.txt`; do
DIRSEARCH_FILE=$(echo $host | sed -E 's/[\.|\/|:]+/_/g').txt
dirsearch -e $DIRSEARCH_EXTENSIONS -r -b -u -t $DIRSEARCH_THREADS --plain-text reports/dirsearch/$DIRSEARCH_FILE -u $host
done
echo " Running webscreenshot"
webscreenshot -i alive.txt -r chromium -o reports/screenshots
echo " - Total $(ls -l reports/screenshots/*.txt | wc -l) screenshots stored in $OUTPATH/reports/screenshots"
echo "Cleaning up temporary files"
rm -f *.tmp
echo
echo "All done. Happy hunting!"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment