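#!/bin/bash
#
# Subdomain enumeration and content-discovery pipeline for one domain.
#
# Usage: ./<this-script> <target-domain>
#
# Everything is written under ./recon-<YYYY-MM-DD>/:
#   all.txt              unique discovered hostnames ending in the target
#   alive.txt            hostnames httprobe received an HTTP(S) answer from
#   attention-all.txt    entries of all.txt whose subdomain label matches ATTENTION_PATTERN
#   attention-alive.txt  the same filter applied to alive.txt
#   reports/             knockpy JSON + log, massdns output, dirsearch reports, screenshots
#
# Requires on PATH: assetfinder, knockpy, jq, certspotter, massdns, httprobe,
# dirsearch, webscreenshot.
####################################
# Config
##################
HTTPROBE_CONCURRENCY=100
HTTPROBE_TIMEOUT=3000
DIRSEARCH_THREADS=50
# Passed verbatim to `dirsearch -e`. It is quoted at the point of use: the
# previous unquoted expansion of '*' was globbed against the output directory.
DIRSEARCH_EXTENSIONS='*'
ATTENTION_PATTERN='(api|dev|stag|stg|test|tst|corp|int|inter|infra|priv|demo|promo|config|docker|s3|vip|jira|jenkins|splunk|archive|backup|secure|dash|vip|vpn|auth)'
# Resolver list for massdns; can be overridden from the environment.
MASSDNS_RESOLVERS=${MASSDNS_RESOLVERS:-$HOME/tools/massdns/lists/resolvers.txt}
##################
# End Config
####################################

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the number of lines in a file (BSD wc pads its output, hence tr).
# Arguments: $1 - file to count
#######################################
count_lines() { wc -l < "$1" | tr -d '[:space:]'; }

#######################################
# Fail early if any of the named external tools is not on PATH, instead of
# producing empty intermediate files and misleading counts later on.
# Arguments: tool names
#######################################
require_tools() {
  local tool
  for tool in "$@"; do
    command -v -- "$tool" >/dev/null 2>&1 || die "required tool not found on PATH: $tool"
  done
}

#######################################
# Copy the hostnames whose subdomain label matches ATTENTION_PATTERN.
# The ".$TARGET" suffix is removed with a literal match (the original sed
# regex let every "." in the target match any character), the label is
# tested with an ERE, and the suffix is re-appended on output.
# Globals:   TARGET, ATTENTION_PATTERN (read)
# Arguments: $1 - input hostname list, $2 - output file (overwritten)
#######################################
find_interesting() {
  local src=$1 dst=$2 host label
  : > "$dst"
  while IFS= read -r host || [[ -n "$host" ]]; do
    label=${host%."$TARGET"}
    # =~ is an ERE like grep -E; the variable stays unquoted so it is a regex.
    if [[ "$label" =~ $ATTENTION_PATTERN ]]; then
      printf '%s.%s\n' "$label" "$TARGET" >> "$dst"
    fi
  done < "$src"
}

main() {
  local knockpy_report target_re host report_file
  local -a shots

  [[ -n "${1:-}" ]] || die "Usage: ${0##*/} <target-domain>"
  TARGET=$1
  OUTPATH=recon-$(date +%F)
  readonly TARGET OUTPATH

  require_tools assetfinder knockpy jq certspotter massdns httprobe dirsearch webscreenshot

  mkdir -p -- "$OUTPATH" || die "cannot create $OUTPATH"
  cd -- "$OUTPATH" || die "cannot cd to $OUTPATH"
  mkdir -p reports/knockpy reports/dirsearch
  # Scratch files are removed on every exit path, not only after a full run.
  trap 'rm -f -- ./*.tmp' EXIT

  echo
  echo "/==========================================="
  echo "|"
  echo "| Recon started on $TARGET"
  echo "| Saving results in ./$OUTPATH"
  echo "|"
  printf '%s\n' '\==========================================='
  echo

  echo "Starting asset discovery"
  echo " Running assetfinder"
  assetfinder --subs-only "$TARGET" > assetfinder.tmp
  echo " - Found: $(count_lines assetfinder.tmp)"

  echo " Running knockpy"
  # knockpy's stderr (which names its JSON report as "<label>: <path>") goes
  # to a log file of its own; the old script appended it to the subdomain
  # list, so the "Found" count and all.txt included log lines.
  knockpy "$TARGET" --json >/dev/null 2>reports/knockpy/knockpy.log
  knockpy_report=$(awk -F': ' '/:/ {print $2; exit}' reports/knockpy/knockpy.log)
  : > knockpy.tmp
  if [[ -n "$knockpy_report" && -f "$knockpy_report" ]]; then
    # -r emits the raw strings, replacing the former sed 's/"//g'.
    jq -r '.found.subdomain[]' "$knockpy_report" > knockpy.tmp
    mv -- "$knockpy_report" reports/knockpy/
  else
    printf ' - knockpy report not found; see %s/reports/knockpy/knockpy.log\n' "$OUTPATH" >&2
  fi
  echo " - Found: $(count_lines knockpy.tmp)"

  echo " Checking certspotter"
  certspotter "$TARGET" > certspotter.tmp
  echo " - Found: $(count_lines certspotter.tmp)"

  echo " Sorting and removing duplicate assets"
  # Escape the dots so the target matches literally in grep (a domain name
  # contains no other regex metacharacters).
  target_re=$(printf '%s' "$TARGET" | sed 's/\./\\./g')
  sort -u assetfinder.tmp knockpy.tmp certspotter.tmp | grep -- "${target_re}\$" > all.txt
  echo " - Discovered $(count_lines all.txt) unique assets"

  echo " Running massdns"
  massdns -q -r "$MASSDNS_RESOLVERS" -t A -o S -w reports/massdns.out all.txt

  echo " Running httprobe"
  # '>' instead of '>>': a second run on the same day no longer duplicates
  # alive hosts (and the dirsearch work below).
  httprobe -c "$HTTPROBE_CONCURRENCY" -t "$HTTPROBE_TIMEOUT" < all.txt > alive.txt
  echo " - $(count_lines alive.txt) assets are responding"

  echo " Looking for interesting assets"
  find_interesting all.txt attention-all.txt
  find_interesting alive.txt attention-alive.txt
  echo " - Found $(count_lines attention-all.txt) interesting assets, of which $(count_lines attention-alive.txt) are responding"
  echo " Asset discovery complete"
  echo

  echo "Starting content gathering"
  echo " Running dirsearch"
  # alive.txt is read on fd 3 so dirsearch keeps its own stdin.
  while IFS= read -r -u 3 host || [[ -n "$host" ]]; do
    # Report name derived from the URL: runs of '.', '/', ':' and '|' collapse to '_'.
    report_file=$(printf '%s' "$host" | tr -s './:|' '_').txt
    # NOTE(review): the bare -u before -t is kept from the original invocation;
    # confirm dirsearch's option parser accepts it, otherwise drop it.
    dirsearch -e "$DIRSEARCH_EXTENSIONS" -r -b -u -t "$DIRSEARCH_THREADS" --plain-text "reports/dirsearch/$report_file" -u "$host"
  done 3< alive.txt

  echo " Running webscreenshot"
  webscreenshot -i alive.txt -r chromium -o reports/screenshots
  # Counted with a glob: `ls -l | wc -l` also counted ls's "total" line.
  # NOTE(review): *.txt is the pattern the original counted; confirm it matches
  # the files webscreenshot actually writes.
  shopt -s nullglob
  shots=(reports/screenshots/*.txt)
  shopt -u nullglob
  echo " - Total ${#shots[@]} screenshots stored in $OUTPATH/reports/screenshots"

  echo "Cleaning up temporary files"
  rm -f -- ./*.tmp
  echo
  echo "All done. Happy hunting!"
}

main "$@"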