import subprocess
import requests
import os
import sys
import argparse
import json
# Banner shown by bug_recon() when mode == 1 and by help_menu(). Kept as a raw
# string so the box-drawing art is stored verbatim; it is output only, never parsed.
LOGO = r"""
██████╗ ██╗ ██╗ ██████╗ ██████╗ ███████╗ ██████╗ ██████╗ ███╗ ██╗
██╔══██╗██║ ██║██╔════╝ ██╔══██╗██╔════╝██╔════╝██╔═══██╗████╗ ██║
██████╔╝██║ ██║██║ ███╗██████╔╝█████╗ ██║ ██║ ██║██╔██╗ ██║
██╔══██╗██║ ██║██║ ██║██╔══██╗██╔══╝ ██║ ██║ ██║██║╚██╗██║
██████╔╝╚██████╔╝╚██████╔╝██║ ██║███████╗╚██████╗╚██████╔╝██║ ╚████║
╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝
[ Created by Frey ]
[ Automate your bug hunting process ]
"""
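def subdomain_enum(domain):
    """Collect subdomains of *domain* from crt.sh's certificate-transparency search.

    Queries ``https://crt.sh/?q=%25.<domain>&output=json`` and returns the
    sorted, de-duplicated host names taken from the ``name_value`` field of
    each entry, with any ``*.`` wildcard prefix stripped.

    Args:
        domain: Registrable domain to search for (e.g. ``example.com``).

    Returns:
        Sorted list of host-name strings; an empty list on a network error,
        timeout, non-200 status, empty body or non-JSON body. Every failure
        is reported on stdout rather than raised.
    """
    print(f"[*] Enumerating subdomains for {domain}")
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    try:
        # Without a timeout an unresponsive crt.sh would hang the whole run.
        response = requests.get(url, timeout=30)
    except requests.RequestException as e:
        print(f"[!] Error in subdomain enumeration: {e}")
        return []
    if response.status_code != 200:
        print(f"[!] Failed to retrieve subdomains for {domain}")
        return []
    if not response.content.strip():
        print(f"[!] No valid JSON response from crt.sh for {domain}")
        return []
    try:
        entries = response.json()
    except ValueError as e:
        # json decode errors are ValueError subclasses
        print(f"[!] Error in subdomain enumeration: {e}")
        return []
    if not isinstance(entries, list):
        print(f"[!] No valid JSON response from crt.sh for {domain}")
        return []
    subdomains = set()
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        # crt.sh joins several SANs of one certificate with newlines in
        # name_value; each line is a separate host name.
        for name in str(entry.get("name_value", "")).splitlines():
            name = name.strip().replace("*.", "")
            if name:
                subdomains.add(name)
    return sorted(subdomains)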
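def save_subdomains(subdomains, output_file):
    """Write one host name per line to *output_file* (UTF-8), overwriting it.

    Args:
        subdomains: Iterable of host-name strings; an empty iterable
            produces an empty file.
        output_file: Path of the file to create or overwrite.

    Returns:
        None. Errors opening or writing the file (missing directory,
        permissions) are printed instead of raised, so a failed save does
        not abort the rest of the recon run.
    """
    try:
        # Explicit encoding so the result does not depend on the locale.
        with open(output_file, "w", encoding="utf-8") as f:
            f.writelines(f"{subdomain}\n" for subdomain in subdomains)
        print(f"[*] Subdomains saved to {output_file}")
    except OSError as e:
        print(f"[!] Error saving subdomains: {e}")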
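def port_scan(domain):
    """Run ``nmap -p- -T4 <domain> -oG -`` and return the open TCP ports.

    The grepable (``-oG``) output is parsed rather than matched on the word
    "open": each host line carries a tab-delimited ``Ports:`` field whose
    comma-separated entries look like ``22/open/tcp//ssh///``, and only the
    port number of entries whose state field is ``open`` is kept.

    Args:
        domain: Host name or address to scan.

    Returns:
        List of open port numbers as strings, in nmap's order, without
        duplicates; an empty list if nmap cannot be started (e.g. not on
        PATH). A non-zero nmap exit status is reported but its output is
        still parsed.
    """
    print(f"[*] Scanning ports for {domain}")
    try:
        result = subprocess.run(
            ["nmap", "-p-", "-T4", domain, "-oG", "-"],
            capture_output=True,
            text=True,
        )
    except (OSError, subprocess.SubprocessError) as e:
        # FileNotFoundError here means nmap is not installed / not on PATH.
        print(f"[!] Error during port scanning: {e}")
        return []
    if result.returncode != 0:
        print(f"[!] nmap exited with status {result.returncode} for {domain}")
    return _parse_grepable_open_ports(result.stdout)


def _parse_grepable_open_ports(output):
    """Extract open port numbers from nmap grepable (-oG) output text."""
    open_ports = []
    for line in output.splitlines():
        # Skip the "# Nmap ..." comment lines and hosts with no Ports: field.
        if line.startswith("#") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) > 1 and fields[1] == "open" and fields[0] not in open_ports:
                open_ports.append(fields[0])
    return open_ports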
def dir_bruteforce(domain, port, wordlist="wordlist.txt", threads="50"):
    """Run ffuf directory discovery against ``<scheme>://domain:port/FUZZ``.

    The scheme is https only when *port* is the string ``"443"``; any other
    port is probed over http. ffuf writes its own results to
    ``dir_<domain>_<port>.txt`` in the current directory; nothing is returned.

    Args:
        domain: Host to probe.
        port: Port as a string (compared textually against ``"443"``).
        wordlist: Path of the ffuf wordlist (``-w``).
        threads: ffuf thread count (``-t``), passed through unchanged.

    Any exception (ffuf missing, etc.) is printed, not raised.
    NOTE(review): ffuf's exit status is interpreted as "results / no
    results"; whether a non-zero status really means "nothing found" is
    not verified here.
    """
    print(f"[*] Brute-forcing directories for {domain}:{port}")
    try:
        scheme = "https" if port == "443" else "http"
        base = f"{scheme}://{domain}:{port}"
        out_file = f"dir_{domain}_{port}.txt"
        cmd = ["ffuf", "-w", wordlist, "-u", f"{base}/FUZZ", "-t", threads, "-o", out_file]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        if proc.returncode == 0:
            prefix = "[*] Directory brute-force results saved for"
        else:
            prefix = "[!] No directories found for"
        print(f"{prefix} {domain}:{port}")
    except Exception as e:
        print(f"[!] Error in directory brute-forcing: {e}")
def vuln_scan(domain, port):
    """Send two string-match probe requests to ``<scheme>://domain:port`` and print findings.

    The first request appends ``?id=1'`` and flags "Possible SQL Injection"
    if the lower-cased body contains "syntax" or "error"; the second sends a
    script tag in ``?search=`` and flags "Possible XSS" if that exact string
    comes back in the body. Findings are printed with ``[+]``; if there are
    none, ``[-] No vulnerabilities found`` is printed. Nothing is returned.

    These heuristics have a high false-positive rate (any page containing
    the word "error" trips the first check). The requests carry no timeout
    and there is no error handling, so a refused or hanging connection
    blocks or aborts the caller.
    """
    print(f"[*] Scanning for vulnerabilities on {domain}:{port}")
    scheme = "https" if port == "443" else "http"
    base_url = f"{scheme}://{domain}:{port}"

    def sqli_finding():
        body = requests.get(f"{base_url}?id=1'").text.lower()
        if "syntax" in body or "error" in body:
            return "Possible SQL Injection"
        return None

    def xss_finding():
        marker = "<script>alert('XSS')</script>"
        body = requests.get(f"{base_url}?search={marker}").text
        return "Possible XSS" if marker in body else None

    # Tuple order matters: the SQLi request is issued before the XSS one.
    findings = [hit for hit in (sqli_finding(), xss_finding()) if hit]
    if not findings:
        print(f"[-] No vulnerabilities found for {domain}:{port}")
        return
    for finding in findings:
        print(f"[+] Vulnerability found: {finding}")
def screenshot(domain_list):
    """Capture screenshots of every host in *domain_list* with EyeWitness.

    Writes one ``http://<host>`` line per entry to ``domains.txt`` in the
    current directory (overwriting it), then runs
    ``eyewitness --web --input domains.txt --directory eyewitness_output``.
    Only plain-http URLs are generated. Failures (tool missing, non-zero
    exit, file errors) are printed, not raised.
    """
    print(f"[*] Capturing screenshots for {len(domain_list)} subdomains")
    try:
        with open("domains.txt", "w") as targets:
            targets.writelines(f"http://{host}\n" for host in domain_list)
        cmd = [
            "eyewitness", "--web",
            "--input", "domains.txt",
            "--directory", "eyewitness_output",
        ]
        subprocess.run(cmd, check=True)
        print("[*] Screenshots saved in 'eyewitness_output' directory")
    except Exception as e:
        print(f"[!] Error capturing screenshots: {e}")
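def generate_report(domain, subdomains, open_ports, output_dir):
    """Write a plain-text recon summary to ``<output_dir>/<domain>_report.txt``.

    Args:
        domain: Root domain the report is about; also used in the file name,
            so it should be a plain host name (it is not sanitised here).
        subdomains: Iterable of discovered host names.
        open_ports: Iterable of open port numbers (strings or ints).
        output_dir: Existing directory to write into.

    Returns:
        None.

    Raises:
        OSError: If the file cannot be created (e.g. *output_dir* missing).
    """
    output_path = os.path.join(output_dir, f"{domain}_report.txt")
    print(f"[*] Generating report for {domain} at {output_path}")
    lines = [f"Bug Recon Report for {domain}\n", "Subdomains Found:\n"]
    lines.extend(f"- {subdomain}\n" for subdomain in subdomains)
    lines.append("\nOpen Ports:\n")
    lines.extend(f"- {port}\n" for port in open_ports)
    # Explicit encoding so non-ASCII host labels don't depend on the locale.
    with open(output_path, "w", encoding="utf-8") as report:
        report.writelines(lines)
    print(f"[*] Report saved as {output_path}")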
def verify_bounty_program(domain):
    """Return True if *domain* is on the hard-coded allow-list of in-scope targets.

    This is a placeholder scope check: the literal set below is the only
    source of truth, the comparison is exact (case-sensitive, no
    normalisation of trailing dots or whitespace), and host names found
    later by enumeration are not re-checked against it.
    """
    authorized = frozenset({"example.com", "government.gov"})
    return domain in authorized
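def bug_recon(domain, recon_depth, output_file, output_dir, threads, mode):
    """Run the recon pipeline for *domain* at the requested depth.

    Order of operations: optional banner, scope check via
    verify_bounty_program(), depth validation, subdomain enumeration (saved
    to *output_file*), then per depth:

    * ``shallow`` - report listing subdomains only; no port scan is run.
    * ``medium``  - port scan each subdomain, directory brute-force each
      subdomain on the ports found open on that host, then report.
    * ``deep``    - as medium, plus vuln_scan() per host/port before the
      brute-force and screenshot() of all subdomains before the report.

    Args:
        domain: Root domain; must pass verify_bounty_program() or nothing
            is contacted.
        recon_depth: One of "shallow", "medium", "deep"; any other value is
            rejected with a message before any network activity.
        output_file: Path save_subdomains() writes the host list to.
        output_dir: Directory generate_report() writes into.
        threads: Thread-count string forwarded to dir_bruteforce().
        mode: 1 prints LOGO first; any other value suppresses the banner.

    Returns:
        None. Progress and errors are printed.
    """
    if mode == 1:
        print(LOGO)
    print(f"BugRecon - Automated Bug Hunting Tool on {domain} with {recon_depth} depth")
    # Scope gate: nothing is contacted unless the root domain is allow-listed.
    if not verify_bounty_program(domain):
        print(f"[!] The domain {domain} is not authorized for testing.")
        return
    if recon_depth not in ("shallow", "medium", "deep"):
        print(f"[!] Unknown recon depth: {recon_depth}")
        return
    subdomains = subdomain_enum(domain)
    if not subdomains:
        print("[!] No subdomains found. Aborting recon.")
        return
    save_subdomains(subdomains, output_file)
    if recon_depth == "shallow":
        # Shallow reports never used port data, so skip the scan entirely.
        generate_report(domain, subdomains, [], output_dir)
        return
    # Keep ports per host: a port open on one subdomain says nothing about
    # another, so each host is only probed on the ports found open on it
    # (previously every host was probed on the union of all hosts' ports).
    ports_by_host = {subdomain: port_scan(subdomain) for subdomain in subdomains}
    for subdomain, ports in ports_by_host.items():
        for port in ports:
            if recon_depth == "deep":
                vuln_scan(subdomain, port)
            dir_bruteforce(subdomain, port, threads=threads)
    if recon_depth == "deep":
        screenshot(subdomains)
    # generate_report() takes the flat list the original report format used.
    all_ports = [port for ports in ports_by_host.values() for port in ports]
    generate_report(domain, subdomains, all_ports, output_dir)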
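def help_menu():
    """Print the banner and a usage summary for the command-line interface.

    The usage text is kept in step with the argparse definitions in the
    ``__main__`` block: ``-o`` names the subdomain output *file* (the
    report itself always goes to the current directory), and ``-m`` is
    listed because it is a real option.
    """
    print(LOGO)
    help_text = """
Usage: python bug_recon.py -d <domain> -r <recon_depth> [-o <output_file>] [-t <threads>] [-m <mode>]
Options:
  -h, --help         Show this help message and exit
  -d, --domain       Target domain for bug reconnaissance (required)
  -r, --recon-depth  Reconnaissance depth: shallow, medium, deep (required)
  -o, --output-file  Output file for saving subdomains (default: subdomains.txt)
  -t, --threads      Number of threads for brute-forcing directories (default: 50)
  -m, --mode         1 prints the banner (default), 0 runs without it
"""
    print(help_text)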
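if __name__ == "__main__":
    # add_help=False so the tool's own help_menu() is shown instead of
    # argparse's generated text; -h/--help is therefore declared explicitly
    # (previously it was an "unrecognized argument" error).
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument('-h', '--help', action='store_true', help="Show this help message and exit")
    parser.add_argument('-d', '--domain', type=str, help="Target domain for bug reconnaissance")
    parser.add_argument('-r', '--recon-depth', type=str, choices=['shallow', 'medium', 'deep'], help="Reconnaissance depth: shallow, medium, deep")
    parser.add_argument('-o', '--output-file', type=str, default="subdomains.txt", help="Output file for saving subdomains (default: subdomains.txt)")
    parser.add_argument('-t', '--threads', type=str, default="50", help="Number of threads for brute-forcing directories (default: 50)")
    parser.add_argument('-m', '--mode', type=int, default=1, choices=[0, 1], help="Mode for the tool: 1 for standard, 0 for silent")
    args = parser.parse_args()
    # Both required options must be present; otherwise fall back to the help text.
    if args.help or not (args.domain and args.recon_depth):
        help_menu()
    else:
        bug_recon(args.domain, args.recon_depth, args.output_file, os.getcwd(), args.threads, args.mode)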