gregorynicholas/noobrecon.sh

## noobrecon.sh
#!/bin/bash

####################################
# Config
##################

HTTPROBE_CONCURRENCY=100
HTTPROBE_TIMEOUT=3000

DIRSEARCH_THREADS=50
DIRSEARCH_EXTENSIONS=\*

ATTENTION_PATTERN='(api|dev|stag|stg|test|tst|corp|int|inter|infra|priv|demo|promo|config|docker|s3|vip|jira|jenkins|splunk|archive|backup|secure|dash|vip|vpn|auth)'

##################
# End Config
####################################

cd `pwd`
TARGET=$1
OUTPATH=recon-$(date +%F)

mkdir -p $OUTPATH
cd $OUTPATH

echo
echo "/==========================================="
echo "|"
echo "| Recon started on $TARGET"
echo "| Saving results in ./$OUTPATH"
echo "|"
echo "\==========================================="
echo

echo "Starting asset discovery"

echo "  Running assetfinder"
assetfinder --subs-only $TARGET >> assetfinder.tmp
echo "  - Found: $(cat assetfinder.tmp | wc -l)"

echo "  Running knockpy"
knockpy $TARGET --json 1>/dev/null 2>knockpy.tmp
KNOCKPY_REPORT=$(cat knockpy.tmp | grep : | awk -F': ' '{print $2}')
cat $KNOCKPY_REPORT | jq '.found.subdomain[]' | sed 's/"//g' >> knockpy.tmp
echo "  - Found: $(cat knockpy.tmp | wc -l)"
mkdir -p reports/knockpy
mv $KNOCKPY_REPORT reports/knockpy

echo "  Checking certspotter"
certspotter $TARGET >> certspotter.tmp
echo "  - Found: $(cat certspotter.tmp | wc -l)"

echo "  Sorting and removing duplicate assets"
cat assetfinder.tmp knockpy.tmp certspotter.tmp | sort -u | grep "$TARGET$" > all.txt
echo "  - Discovered $(cat all.txt | wc -l) unique assets"

echo "  Running massdns"
massdns -q -r ~/tools/massdns/lists/resolvers.txt -t A -o S -w reports/massdns.out all.txt

echo "  Running httprobe"
cat all.txt | httprobe -c $HTTPROBE_CONCURRENCY -t $HTTPROBE_TIMEOUT >> alive.txt
echo "  - $(cat alive.txt | wc -l) assets are responding"

echo "  Looking for interesting assets"
cat all.txt | sed "s/.$TARGET$//" | grep -E $ATTENTION_PATTERN | sed "s/$/.$TARGET/" > attention-all.txt
cat alive.txt | sed "s/.$TARGET$//" | grep -E $ATTENTION_PATTERN | sed "s/$/.$TARGET/" > attention-alive.txt
echo "  - Found $(cat attention-all.txt | wc -l) interesting assets, of which $(cat attention-alive.txt | wc -l) are responding"

echo "  Asset discovery complete"

echo
echo "Starting content gathering"
echo "  Running dirsearch"
mkdir -p reports/dirsearch
for host in `cat alive.txt`; do
    DIRSEARCH_FILE=$(echo $host | sed -E 's/[\.|\/|:]+/_/g').txt
    dirsearch -e $DIRSEARCH_EXTENSIONS -r -b -u -t $DIRSEARCH_THREADS --plain-text reports/dirsearch/$DIRSEARCH_FILE -u $host
done

echo "  Running webscreenshot"
webscreenshot -i alive.txt -r chromium -o reports/screenshots
echo "  - Total $(ls -l reports/screenshots/*.txt | wc -l) screenshots stored in $OUTPATH/reports/screenshots"

echo "Cleaning up temporary files"
rm -f *.tmp

echo
echo "All done. Happy hunting!"
	#!/bin/bash

	####################################
	# Config
	##################

	HTTPROBE_CONCURRENCY=100
	HTTPROBE_TIMEOUT=3000

	DIRSEARCH_THREADS=50
	DIRSEARCH_EXTENSIONS=\*

	ATTENTION_PATTERN='(api\|dev\|stag\|stg\|test\|tst\|corp\|int\|inter\|infra\|priv\|demo\|promo\|config\|docker\|s3\|vip\|jira\|jenkins\|splunk\|archive\|backup\|secure\|dash\|vip\|vpn\|auth)'

	##################
	# End Config
	####################################

	cd `pwd`
	TARGET=$1
	OUTPATH=recon-$(date +%F)

	mkdir -p $OUTPATH
	cd $OUTPATH

	echo
	echo "/==========================================="
	echo "\|"
	echo "\| Recon started on $TARGET"
	echo "\| Saving results in ./$OUTPATH"
	echo "\|"
	echo "\==========================================="
	echo

	echo "Starting asset discovery"

	echo " Running assetfinder"
	assetfinder --subs-only $TARGET >> assetfinder.tmp
	echo " - Found: $(cat assetfinder.tmp \| wc -l)"

	echo " Running knockpy"
	knockpy $TARGET --json 1>/dev/null 2>knockpy.tmp
	KNOCKPY_REPORT=$(cat knockpy.tmp \| grep : \| awk -F': ' '{print $2}')
	cat $KNOCKPY_REPORT \| jq '.found.subdomain[]' \| sed 's/"//g' >> knockpy.tmp
	echo " - Found: $(cat knockpy.tmp \| wc -l)"
	mkdir -p reports/knockpy
	mv $KNOCKPY_REPORT reports/knockpy

	echo " Checking certspotter"
	certspotter $TARGET >> certspotter.tmp
	echo " - Found: $(cat certspotter.tmp \| wc -l)"

	echo " Sorting and removing duplicate assets"
	cat assetfinder.tmp knockpy.tmp certspotter.tmp \| sort -u \| grep "$TARGET$" > all.txt
	echo " - Discovered $(cat all.txt \| wc -l) unique assets"

	echo " Running massdns"
	massdns -q -r ~/tools/massdns/lists/resolvers.txt -t A -o S -w reports/massdns.out all.txt

	echo " Running httprobe"
	cat all.txt \| httprobe -c $HTTPROBE_CONCURRENCY -t $HTTPROBE_TIMEOUT >> alive.txt
	echo " - $(cat alive.txt \| wc -l) assets are responding"

	echo " Looking for interesting assets"
	cat all.txt \| sed "s/.$TARGET$//" \| grep -E $ATTENTION_PATTERN \| sed "s/$/.$TARGET/" > attention-all.txt
	cat alive.txt \| sed "s/.$TARGET$//" \| grep -E $ATTENTION_PATTERN \| sed "s/$/.$TARGET/" > attention-alive.txt
	echo " - Found $(cat attention-all.txt \| wc -l) interesting assets, of which $(cat attention-alive.txt \| wc -l) are responding"

	echo " Asset discovery complete"

	echo
	echo "Starting content gathering"
	echo " Running dirsearch"
	mkdir -p reports/dirsearch
	for host in `cat alive.txt`; do
	DIRSEARCH_FILE=$(echo $host \| sed -E 's/[\.\|\/\|:]+/_/g').txt
	dirsearch -e $DIRSEARCH_EXTENSIONS -r -b -u -t $DIRSEARCH_THREADS --plain-text reports/dirsearch/$DIRSEARCH_FILE -u $host
	done

	echo " Running webscreenshot"
	webscreenshot -i alive.txt -r chromium -o reports/screenshots
	echo " - Total $(ls -l reports/screenshots/*.txt \| wc -l) screenshots stored in $OUTPATH/reports/screenshots"

	echo "Cleaning up temporary files"
	rm -f *.tmp

	echo
	echo "All done. Happy hunting!"