Recon.md

#!/usr/bin/env zsh

# Download JSON file containing a list of bug bounty programs and their domains
curl -O "https://raw.githubusercontent.com/projectdiscovery/public-bugbounty-programs/master/chaos-bugbounty-list.json"

# Create folders for each bug bounty program
cat chaos-bugbounty-list.json | jq -r '.programs[] | select(.bounty==true) | .name' | while read folder; do mkdir -p "$folder" -v; done

# For each bug bounty program, get the domains and save them to a file
for (( i=0; i < $(cat chaos-bugbounty-list.json | jq -r '.programs | length'); i++ ))
do
   PROGRAM=$(cat chaos-bugbounty-list.json | jq --arg i "$i" -r '.programs | .[$i | tonumber]')
   PROGRAM_NAME=$(echo "$PROGRAM" | jq -r '.name')
   PROGRAM_BOUNTY=$(echo "$PROGRAM" | jq -r '.bounty')

   if [ "$PROGRAM_BOUNTY" = "true" ]; then
        echo "Processing $PROGRAM_NAME ..."
        echo "$PROGRAM" | jq -r '.domains[]' > "$PROGRAM_NAME/assets.txt"
   fi
done

# For each bug bounty program, run subdomain enumeration and technology identification
for BBP in ~/Recon/*; do
    if [ -d "$BBP" ]
    then
        cd "$BBP"
        subfinder -dL assets.txt -o subdomains.txt

        while read TARGET; do
            echo "Finding technology for $TARGET"
            HTTP_TARGET=$(echo "$TARGET" | httpx -silent | xargs)

            if [ -z "$HTTP_TARGET" ]
            then
                echo "Target not active"
            else
                wappalyzer "$HTTP_TARGET" | jq '.' > "$(echo $HTTP_TARGET | sed -e 's/[^[:alnum:]]/_/g').tech.json"
            fi
        done < subdomains.txt
    fi
done