#!/usr/bin/env bash
# recon.sh — subdomain enumeration pipeline, driven by start() at the bottom
# of this file. Each run writes into a fresh mktemp directory under $HOME
# (OUTPUT_DIR, set by start()). Relies on subfinder, mksub, dnsx, httpx,
# inscope, curl and jq being on PATH, and on wordlists/resolvers under
# $HOME/bugbounty-wordlist.
#
# Go-installed tools live in /usr/local/go/bin and $HOME/go/bin; add both.
export PATH="$PATH:/usr/local/go/bin:$HOME/go/bin"
# Nothing in this file reads CC or EDITOR; they are exported for whatever
# the invoked tools expect (purpose not visible here).
export CC=/usr/bin/clang
export EDITOR=vim
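#######################################
# Generate permutations of the subdomains collected so far (mksub).
# Globals:   OUTPUT_DIR (read), HOME (read)
# Arguments: none
# Outputs:   writes $OUTPUT_DIR/subs_permutated.txt
# Returns:   mksub's exit status
#######################################
gendns() {
  # Every path is quoted so a directory containing spaces stays one argument.
  mksub -silent -t 500 \
    -df "$OUTPUT_DIR/subs.txt" \
    -w "$HOME/bugbounty-wordlist/dns.txt" \
    -o "$OUTPUT_DIR/subs_permutated.txt"
}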
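#######################################
# Collect names seen in certificates for the domain (certspotter CT API)
# and add them to the subdomain list.
# Globals:   OUTPUT_DIR (read)
# Arguments: $1 - apex domain
# Outputs:   appends matching names to $OUTPUT_DIR/certs.txt and
#            $OUTPUT_DIR/subs.txt
# Returns:   1 if the API request fails, otherwise the status of the final cat
#######################################
getcerts() {
  local domain=$1 body
  # -G/--data-urlencode build the query string instead of splicing the
  # domain into the URL; -f makes an HTTP error a non-zero status, which a
  # bare pipeline (no pipefail) would otherwise swallow.
  body=$(curl -sSf -G \
    --data-urlencode "domain=$domain" \
    --data-urlencode "include_subdomains=true" \
    --data-urlencode "expand=dns_names" \
    "https://api.certspotter.com/v1/issuances") || {
    printf 'getcerts: certspotter request for %s failed\n' "$domain" >&2
    return 1
  }
  # jq -r emits the names unquoted. The domain is matched as a fixed string:
  # the unquoted "$1" was a regex in which '.' matched any character.
  # Wildcard entries ('*.domain') are dropped as before.
  jq -r '.[] | .dns_names | .[]' <<<"$body" \
    | grep -F -- "$domain" \
    | grep -vF -- '*' >> "$OUTPUT_DIR/certs.txt"
  cat "$OUTPUT_DIR/certs.txt" >> "$OUTPUT_DIR/subs.txt"
}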
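#######################################
# Passive subdomain discovery with subfinder.
# Globals:   OUTPUT_DIR (read), HOME (read)
# Arguments: $1 - apex domain
# Outputs:   writes $OUTPUT_DIR/subs.txt
# Returns:   subfinder's exit status
#######################################
getdns() {
  # Quoted so the domain and paths are each passed as a single argument.
  subfinder -d "$1" -silent \
    -rL "$HOME/bugbounty-wordlist/resolvers.txt" \
    -o "$OUTPUT_DIR/subs.txt"
}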
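#######################################
# Resolve the permutation list and keep only in-scope names.
# Globals:   OUTPUT_DIR (read), HOME (read)
# Arguments: none
# Outputs:   deduplicates $OUTPUT_DIR/subs.txt in place; writes
#            $OUTPUT_DIR/resolved.txt and $OUTPUT_DIR/resolved_inscope.txt
# Returns:   status of the final sort
#######################################
querydns() {
  # Deduplicate the passive + CT findings in place.
  sort -u "$OUTPUT_DIR/subs.txt" -o "$OUTPUT_DIR/subs.txt"
  # Only the permutation file is handed to dnsx; subs.txt itself is not
  # resolved here (presumably mksub's output includes the seed names — confirm).
  dnsx -silent -a -aaaa -cname -retry 1 \
    -r "$HOME/bugbounty-wordlist/resolvers.txt" \
    -l "$OUTPUT_DIR/subs_permutated.txt" \
    -o "$OUTPUT_DIR/resolved.txt"
  # inscope filters stdin against the regex in ./.scope (written by start()).
  inscope < "$OUTPUT_DIR/resolved.txt" > "$OUTPUT_DIR/resolved_inscope.txt"
  # CNAMEs can end up pointing to something an A record was pointing to in the first place.
  sort -u "$OUTPUT_DIR/resolved_inscope.txt" -o "$OUTPUT_DIR/resolved_inscope.txt"
}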
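#######################################
# Probe the in-scope resolved hosts with httpx. Note the function is named
# `http`, so it shadows any external command of that name for the rest of
# the script.
# Globals:   OUTPUT_DIR (read), HOME (read)
# Arguments: none
# Outputs:   writes $OUTPUT_DIR/http.txt
# Returns:   httpx's exit status
#######################################
http() {
  # Paths quoted so each is a single argument.
  httpx -silent -nc -retries 0 -timeout 1 -sd -sc -title \
    -mc 404,403,401,301,302,200 \
    -r "$HOME/bugbounty-wordlist/resolvers.txt" \
    -l "$OUTPUT_DIR/resolved_inscope.txt" \
    -o "$OUTPUT_DIR/http.txt"
}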
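#######################################
# Split httpx output into one file per status code of interest.
# Globals:   OUTPUT_DIR (read)
# Arguments: none
# Outputs:   appends to $OUTPUT_DIR/<code>.txt for 200, 301, 302, 401, 403, 404
# Returns:   status of the last sort
#######################################
split_http_results_by_status_code() {
  local code
  for code in 200 301 302 401 403 404; do
    # httpx -sc prints the status bracketed, e.g. "[200]". Matching that
    # fixed token (no regex) avoids picking up lines whose URL or title
    # merely contains the digits, which a bare /200/ pattern did.
    awk -v tok="[$code]" 'index($0, tok)' "$OUTPUT_DIR/http.txt" \
      | sort -i -k3 >> "$OUTPUT_DIR/$code.txt"
  done
}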
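#######################################
# Entry point: validate the scope, create the per-run output directory and
# run the stages in order (getdns, getcerts, gendns, querydns, http,
# split_http_results_by_status_code).
# Globals:   OUTPUT_DIR (written; read by every stage), HOME (read)
# Arguments: $1 - apex domain
#            $2 - optional literal "wildcard": writes $1 to ./.scope so that
#                 inscope treats the whole domain as in scope
# Outputs:   ./.scope in wildcard mode; usage text on stderr on error
# Returns:   1 when no domain is given, no scope is defined, or mktemp
#            fails; otherwise the status of the last stage
#######################################
start() {
  local domain=$1 mode=$2
  # A missing domain previously slipped through whenever ./.scope existed.
  if [[ -z "$domain" ]]; then
    printf 'Usage: recon somedomain.tld [wildcard]\n' >&2
    return 1
  fi
  if [[ "$mode" == "wildcard" ]]; then
    printf '%s\n' "$domain" > .scope
  elif [[ ! -f ".scope" ]]; then
    # Diagnostics go to stderr; `return -1` was replaced by a plain 1.
    cat >&2 <<'EOF'
Define a regular expression of the scope in a .scope file.
Documentation https://github.com/tomnomnom/hacks/tree/master/inscope

If you want to assume wildcard scope pass 'wildcard' without quotes as the second argument.

Usage: recon somedomain.tld wildcard
EOF
    return 1
  fi
  # NOTE(review): presumably sourced for extra PATH entries; many .bashrc
  # files return early in non-interactive shells — confirm it has an effect.
  # shellcheck disable=SC1090
  source "$HOME/.bashrc"
  # Fresh per-run directory under $HOME named after the domain; every stage
  # writes into it. Abort rather than let the stages write to "".
  OUTPUT_DIR="$(mktemp -d -p "$HOME/" "$domain.XXXXXX")" || return 1
  getdns "$domain"
  getcerts "$domain"
  gendns
  querydns
  http
  split_http_results_by_status_code
}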
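# Run the pipeline with the script's arguments (domain, optional "wildcard").
# "$@" keeps each argument intact instead of word-splitting $1 and $2.
start "$@"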