insi2304/my_recon.sh

## my_recon.sh
#!/usr/bin/env bash

# This was created during a red team activity

#set -x
if [ ! -x "$(command -v jq)" ]; then
	echo "[-] This script requires jq. Exiting."
	exit 1
fi

certdata(){
	#give it patterns to look for within crt.sh for example %api%.site.com
	declare -a arr=("api" "corp" "dev" "uat" "test" "stag" "sandbox" "prod" "internal" "aes" "aesws" "an" "community" "dms" "s4" "suppliermanagement" "supplierrisk" "snow" "scc" "guidedbuying" "spotbuy" "sellerdirect" "buyer" "cxml" "doc" "ebs" "help" "mon" "perf" "ws" "ssws" "ows" "pws" "cws" "mws" "mobile" "anl" "acm" "s2" "pe" "logi" "sdb" "piwik" "estore" "aod" "arches" "hadoop" "testdb" "dms"  "dev" "dev10" "dev100" "dev101" "dev11" "dev12" "dev13" "dev14" "dev16" "dev17" "dev18" "dev19" "dev2" "dev20" "dev21" "dev22" "dev23" "dev24" "dev25" "dev26" "dev27" "dev28" "dev29" "dev3" "dev4" "dev5" "dev6" "dev7" "dev8" "dev9" "eng" "hf" "hf2" "itg" "itg2" "itg3" "load" "load100" "load101" "load102" "load103" "load104" "load106" "load2" "load200" "load3" "load4" "load5" "load6" "load7" "load8" "load9" "lq" "lq10" "lq11" "lq12" "lq13" "lq14" "lq15" "lq16" "lq17" "lq18" "lq19" "lq2" "lq20" "lq21" "lq22" "lq23" "lq24" "lq25" "lq26" "lq3" "lq4" "lq5" "lq6" "lq7" "lq9" "mach" "mig" "mig2" "mig3" "mig4" "qa" "rel" "scdev1" "scdev2" "scdev3" "scdev4" "scdev5" "scinfra1" "scinfra2" "scperf" "scperfh102" "scperfh106" "scperfh2" "scperfh6" "sctest1" "sp" "stage" "test")
	for i in "${arr[@]}"
	do
		#get a list of domains based on our patterns in the array
		crtsh=$(curl -s https://crt.sh/\?q\=%25$i%25.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee rawdata/$1-crtsh.txt )
	done
		#get a list of domains from certspotter
		certspotter=$(curl -s https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep -w $1\$ | tee rawdata/$1-certspotter.txt)
		#get a list of domains from digicert
		digicert=$(curl -s https://ssltools.digicert.com/chainTester/webservice/ctsearch/search?keyword=$1 -o rawdata/$1-digicert.json)
		#echo "$crtsh"
		#echo "$certspotter"
		#echo "$digicert"
}


assetfind(){
	#run assetfinder on domains
	assetfinder -subs-only $1 | tee $1-temp2.txt
}


amassfind(){
amass enum --passive -d $1  | tee $1-temp3.txt
}

sublisterfind(){
python ~/tools/Sublist3r/sublist3r.py -d $1 -t 10 -v -o ./$1-temp4.txt > /dev/null
}

rootdomains() { #this creates a list of all unique root sub domains
	cat rawdata/$1-crtsh.txt | rev | cut -d "."  -f 1,2,3 | sort -u | rev > ./$1-temp.txt
	cat rawdata/$1-certspotter.txt | rev | cut -d "."  -f 1,2,3 | sort -u | rev >> ./$1-temp.txt
	domain=$1
	jq -r '.data.certificateDetail[].commonName,.data.certificateDetail[].subjectAlternativeNames[]' rawdata/$1-digicert.json | sed 's/"//g' | grep -w "$domain$" | grep -v '^*.' | rev | cut -d "."  -f 1,2,3 | sort -u | rev >> ./$1-temp.txt
	cat $1-temp.txt $1-temp2.txt $1-temp3.txt $1-temp4.txt | sort -u | tee ./data/$1-$(date "+%Y.%m.%d-%H.%M").txt; rm $1-temp.txt $1-temp2.txt $1-temp3.txt $1-temp4.txt
#	echo "[+] Number of domains found: $(cat ./data/$1-$(date "+%Y.%m.%d-%H.%M").txt | wc -l)"
}


certdata $1
assetfind $1
amassfind $1
sublisterfind $1
rootdomains $1
	#!/usr/bin/env bash

	# This was created during a red team activity

	#set -x
	if [ ! -x "$(command -v jq)" ]; then
	echo "[-] This script requires jq. Exiting."
	exit 1
	fi

	certdata(){
	#give it patterns to look for within crt.sh for example %api%.site.com
	declare -a arr=("api" "corp" "dev" "uat" "test" "stag" "sandbox" "prod" "internal" "aes" "aesws" "an" "community" "dms" "s4" "suppliermanagement" "supplierrisk" "snow" "scc" "guidedbuying" "spotbuy" "sellerdirect" "buyer" "cxml" "doc" "ebs" "help" "mon" "perf" "ws" "ssws" "ows" "pws" "cws" "mws" "mobile" "anl" "acm" "s2" "pe" "logi" "sdb" "piwik" "estore" "aod" "arches" "hadoop" "testdb" "dms" "dev" "dev10" "dev100" "dev101" "dev11" "dev12" "dev13" "dev14" "dev16" "dev17" "dev18" "dev19" "dev2" "dev20" "dev21" "dev22" "dev23" "dev24" "dev25" "dev26" "dev27" "dev28" "dev29" "dev3" "dev4" "dev5" "dev6" "dev7" "dev8" "dev9" "eng" "hf" "hf2" "itg" "itg2" "itg3" "load" "load100" "load101" "load102" "load103" "load104" "load106" "load2" "load200" "load3" "load4" "load5" "load6" "load7" "load8" "load9" "lq" "lq10" "lq11" "lq12" "lq13" "lq14" "lq15" "lq16" "lq17" "lq18" "lq19" "lq2" "lq20" "lq21" "lq22" "lq23" "lq24" "lq25" "lq26" "lq3" "lq4" "lq5" "lq6" "lq7" "lq9" "mach" "mig" "mig2" "mig3" "mig4" "qa" "rel" "scdev1" "scdev2" "scdev3" "scdev4" "scdev5" "scinfra1" "scinfra2" "scperf" "scperfh102" "scperfh106" "scperfh2" "scperfh6" "sctest1" "sp" "stage" "test")
	for i in "${arr[@]}"
	do
	#get a list of domains based on our patterns in the array
	crtsh=$(curl -s https://crt.sh/\?q\=%25$i%25.$1\&output\=json \| jq -r '.[].name_value' \| sed 's/\*\.//g' \| sort -u \| tee rawdata/$1-crtsh.txt )
	done
	#get a list of domains from certspotter
	certspotter=$(curl -s https://certspotter.com/api/v0/certs\?domain\=$1 \| jq '.[].dns_names[]' \| sed 's/\"//g' \| sed 's/\*\.//g' \| sort -u \| grep -w $1\$ \| tee rawdata/$1-certspotter.txt)
	#get a list of domains from digicert
	digicert=$(curl -s https://ssltools.digicert.com/chainTester/webservice/ctsearch/search?keyword=$1 -o rawdata/$1-digicert.json)
	#echo "$crtsh"
	#echo "$certspotter"
	#echo "$digicert"
	}


	assetfind(){
	#run assetfinder on domains
	assetfinder -subs-only $1 \| tee $1-temp2.txt
	}


	amassfind(){
	amass enum --passive -d $1 \| tee $1-temp3.txt
	}

	sublisterfind(){
	python ~/tools/Sublist3r/sublist3r.py -d $1 -t 10 -v -o ./$1-temp4.txt > /dev/null
	}

	rootdomains() { #this creates a list of all unique root sub domains
	cat rawdata/$1-crtsh.txt \| rev \| cut -d "." -f 1,2,3 \| sort -u \| rev > ./$1-temp.txt
	cat rawdata/$1-certspotter.txt \| rev \| cut -d "." -f 1,2,3 \| sort -u \| rev >> ./$1-temp.txt
	domain=$1
	jq -r '.data.certificateDetail[].commonName,.data.certificateDetail[].subjectAlternativeNames[]' rawdata/$1-digicert.json \| sed 's/"//g' \| grep -w "$domain$" \| grep -v '^*.' \| rev \| cut -d "." -f 1,2,3 \| sort -u \| rev >> ./$1-temp.txt
	cat $1-temp.txt $1-temp2.txt $1-temp3.txt $1-temp4.txt \| sort -u \| tee ./data/$1-$(date "+%Y.%m.%d-%H.%M").txt; rm $1-temp.txt $1-temp2.txt $1-temp3.txt $1-temp4.txt
	# echo "[+] Number of domains found: $(cat ./data/$1-$(date "+%Y.%m.%d-%H.%M").txt \| wc -l)"
	}



	certdata $1
	assetfind $1
	amassfind $1
	sublisterfind $1
	rootdomains $1