-
Notifications
You must be signed in to change notification settings - Fork 1.8k
/
recon.sh
95 lines (95 loc) · 8.04 KB
/
recon.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
if [ "$RECON" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whois $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$SUBLIST3R" = "1" ]; then
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
if [ "$AMASS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA AMASS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
amass -whois -ip -brute -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -min-for-recursive 3 -d $TARGET 2>/dev/null
cut -d, -f1 $LOOT_DIR/domains/domains-$TARGET-amass.txt | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt
cut -d, -f2 $LOOT_DIR/domains/domains-$TARGET-amass.txt > $LOOT_DIR/domains/domains-$TARGET-amass-ips-sorted.txt
fi
if [ "$SUBFINDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBFINDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -b -d $TARGET 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS VIA DNSCAN (THIS COULD TAKE A WHILE...) $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$DNSCAN" = "1" ]; then
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_DEFAULT -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
echo ""
if [ "$CRTSH" = "1" ]; then
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
fi
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-subfinder.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/targets.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/spoofcheck/spoofcheck.py $TARGET | tee $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING DOMAIN FLYOVER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
aquatone-discover -d $TARGET -t 100 --wordlist $PLUGINS_DIR/Sublist3r/subdomains.lst | tee $LOOT_DIR/nmap/aquatone-$TARGET-discover 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-discover > $LOOT_DIR/nmap/aquatone-$TARGET-discover.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-discover 2> /dev/null
aquatone-takeover -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-takeovers > $LOOT_DIR/nmap/aquatone-$TARGET-takeovers.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2> /dev/null
aquatone-scan -d $TARGET -t 100 -p80,443 | tee $LOOT_DIR/nmap/aquatone-$TARGET-ports 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-ports > $LOOT_DIR/nmap/aquatone-$TARGET-ports.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-ports 2> /dev/null
aquatone-gather -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-gather > $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-gather 2> /dev/null
mkdir -p $LOOT_DIR/aquatone/ 2> /dev/null
cp -Rf ~/aquatone/$TARGET $LOOT_DIR/aquatone/
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
dig $TARGET CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
if [ "$SUBOVER" = "1" ]; then
cd $PLUGINS_DIR/SubOver/
python subover.py -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/subover-$TARGET > $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/takeovers-$TARGET-subover 2> /dev/null
cd $INSTALL_DIR
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd $PLUGINS_DIR/slurp/
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
fi