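#!/usr/bin/env bash
#
# Recon driver: collects subdomains of one target domain from several
# third-party tools, resolves and probes them, flags hostnames whose name
# part matches ATTENTION_PATTERN, then runs content discovery and screenshots
# against the responding hosts.
#
# Usage:   recon.sh <target-domain>
# Output:  ./recon-YYYY-MM-DD/ (all.txt, alive.txt, attention-*.txt, reports/)
# Needs:   assetfinder, knockpy, certspotter, massdns, httprobe, dirsearch,
#          webscreenshot and jq on PATH, plus the resolver list MASSDNS_RESOLVERS.
set -euo pipefail

####################################
# Config
##################
HTTPROBE_CONCURRENCY=100
HTTPROBE_TIMEOUT=3000
DIRSEARCH_THREADS=50
# A literal '*' handed to dirsearch -e. It must stay quoted at every use;
# unquoted, the shell globs it against the files in the output directory.
DIRSEARCH_EXTENSIONS='*'
ATTENTION_PATTERN='(api|dev|stag|stg|test|tst|corp|int|inter|infra|priv|demo|promo|config|docker|s3|vip|jira|jenkins|splunk|archive|backup|secure|dash|vip|vpn|auth)'
MASSDNS_RESOLVERS="$HOME/tools/massdns/lists/resolvers.txt"
##################
# End Config
####################################
readonly HTTPROBE_CONCURRENCY HTTPROBE_TIMEOUT DIRSEARCH_THREADS \
  DIRSEARCH_EXTENSIONS ATTENTION_PATTERN MASSDNS_RESOLVERS

# Print a message to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }
# Print a non-fatal diagnostic to stderr; the run continues.
warn() { printf 'warning: %s\n' "$*" >&2; }
# Print progress lines to stdout without echo's option/backslash pitfalls.
say() { printf '%s\n' "$*"; }

#######################################
# Print the number of lines in a file; 0 when the file is absent.
# Arguments: $1 - file path
# Outputs:   the count on stdout
#######################################
count_lines() {
  local file=$1
  if [[ -f "$file" ]]; then
    awk 'END { print NR }' "$file"
  else
    printf '0\n'
  fi
}

#######################################
# Keep only names that are TARGET itself or end in ".TARGET", de-duplicated.
# Uses a fixed-string suffix test so TARGET is never interpolated into a
# regex (the old grep "$TARGET$" also matched e.g. "notexample.com" and
# treated the dots in TARGET as wildcards).
# Globals:   TARGET (read)
# Inputs:    candidate hostnames on stdin, one per line
# Outputs:   sorted unique in-scope hostnames on stdout
#######################################
filter_in_scope() {
  local line
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ "$line" == "$TARGET" || "$line" == *".$TARGET" ]]; then
      printf '%s\n' "$line"
    fi
  done | sort -u
}

#######################################
# Copy the lines of $1 whose name part (line with a trailing ".TARGET"
# removed) matches ATTENTION_PATTERN into $2. Matching is done per line in
# bash so TARGET is not embedded in a sed expression.
# Globals:   TARGET, ATTENTION_PATTERN (read)
# Arguments: $1 - input file, $2 - output file (overwritten)
#######################################
filter_interesting() {
  local input=$1 output=$2 line prefix
  while IFS= read -r line || [[ -n "$line" ]]; do
    prefix=${line%".$TARGET"}
    if [[ "$prefix" =~ $ATTENTION_PATTERN ]]; then
      printf '%s\n' "$line"
    fi
  done < "$input" > "$output"
}

#######################################
# Run the whole pipeline for one target domain.
# Arguments: $1 - target domain (bare hostname, no scheme)
# Globals:   TARGET, OUTPATH (written)
# Returns:   0 on completion; exits via die on setup errors
#######################################
main() {
  local target=${1:-}
  [[ -n "$target" ]] || die "usage: ${0##*/} <target-domain>"
  # The target ends up in file contents, tool arguments and pattern tests;
  # restricting it to hostname characters keeps every later use trivially safe.
  [[ "$target" =~ ^[A-Za-z0-9.-]+$ ]] || die "target must be a bare domain name: $target"
  TARGET=$target
  readonly TARGET

  OUTPATH=recon-$(date +%F)
  readonly OUTPATH
  mkdir -p -- "$OUTPATH" || die "cannot create $OUTPATH"
  cd -- "$OUTPATH" || die "cannot cd to $OUTPATH"
  mkdir -p reports
  # Remove scratch files even when a later step aborts the run.
  trap 'rm -f -- ./*.tmp' EXIT

  # Unquoted heredoc: $vars expand, "\\" collapses to a single backslash.
  cat <<EOF

/===========================================
|
| Recon started on $TARGET
| Saving results in ./$OUTPATH
|
\\===========================================

EOF

  say "Starting asset discovery"
  say " Running assetfinder"
  assetfinder --subs-only "$TARGET" > assetfinder.tmp || warn "assetfinder exited with status $?"
  say " - Found: $(count_lines assetfinder.tmp)"

  say " Running knockpy"
  # knockpy writes its JSON report path to stderr as "<label>: <path>"; the
  # stderr capture is kept separate so the subdomain list is not mixed with it.
  knockpy "$TARGET" --json >/dev/null 2>knockpy-stderr.tmp || warn "knockpy exited with status $?"
  local knockpy_report
  knockpy_report=$(awk -F': ' '/:/ { print $2 }' knockpy-stderr.tmp)
  : > knockpy.tmp
  if [[ -n "$knockpy_report" && -f "$knockpy_report" ]]; then
    # -r prints the strings unquoted, replacing the former sed 's/"//g'.
    jq -r '.found.subdomain[]' "$knockpy_report" > knockpy.tmp || warn "could not parse $knockpy_report"
    mkdir -p reports/knockpy
    mv -- "$knockpy_report" reports/knockpy/
  else
    warn "knockpy report not found; skipping"
  fi
  say " - Found: $(count_lines knockpy.tmp)"

  say " Checking certspotter"
  certspotter "$TARGET" > certspotter.tmp || warn "certspotter exited with status $?"
  say " - Found: $(count_lines certspotter.tmp)"

  say " Sorting and removing duplicate assets"
  cat assetfinder.tmp knockpy.tmp certspotter.tmp | filter_in_scope > all.txt
  say " - Discovered $(count_lines all.txt) unique assets"

  say " Running massdns"
  [[ -f "$MASSDNS_RESOLVERS" ]] || die "resolver list not found: $MASSDNS_RESOLVERS"
  massdns -q -r "$MASSDNS_RESOLVERS" -t A -o S -w reports/massdns.out all.txt \
    || warn "massdns exited with status $?"

  say " Running httprobe"
  # Overwrite rather than append so a second run on the same day does not
  # duplicate every entry.
  httprobe -c "$HTTPROBE_CONCURRENCY" -t "$HTTPROBE_TIMEOUT" < all.txt > alive.txt \
    || warn "httprobe exited with status $?"
  say " - $(count_lines alive.txt) assets are responding"

  say " Looking for interesting assets"
  filter_interesting all.txt attention-all.txt
  filter_interesting alive.txt attention-alive.txt
  say " - Found $(count_lines attention-all.txt) interesting assets, of which $(count_lines attention-alive.txt) are responding"
  say " Asset discovery complete"
  say

  say "Starting content gathering"
  say " Running dirsearch"
  mkdir -p reports/dirsearch
  local host report
  # Read from fd 3 so a child that consumes stdin cannot drain the host list.
  while IFS= read -r -u 3 host || [[ -n "$host" ]]; do
    [[ -n "$host" ]] || continue
    # Flatten the URL into a file name: runs of . / : | become a single _.
    report=$(sed -E 's/[./:|]+/_/g' <<<"$host").txt
    # The original passed a bare "-u" before "-t"; -u takes an argument, so
    # that would have swallowed "-t" and left the thread count unparsed.
    dirsearch -e "$DIRSEARCH_EXTENSIONS" -r -b -t "$DIRSEARCH_THREADS" \
      --plain-text "reports/dirsearch/$report" -u "$host" \
      || warn "dirsearch failed for $host"
  done 3< alive.txt

  say " Running webscreenshot"
  webscreenshot -i alive.txt -r chromium -o reports/screenshots \
    || warn "webscreenshot exited with status $?"
  # Count matches with a glob instead of "ls -l | wc -l", which also counted
  # the "total" line.
  # NOTE(review): the original counted reports/screenshots/*.txt; confirm that
  # is the extension webscreenshot actually writes for its captures.
  local shots=(reports/screenshots/*.txt)
  [[ -e "${shots[0]}" ]] || shots=()
  say " - Total ${#shots[@]} screenshots stored in $OUTPATH/reports/screenshots"

  say "Cleaning up temporary files"
  rm -f -- ./*.tmp
  say
  say "All done. Happy hunting!"
}

main "$@"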