From 1cb2008fbb2a2f530158f84d67ce17829fc39066 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Fri, 30 Apr 2021 11:58:07 +0200
Subject: [PATCH 1/2] Fixes in scope control %% subs_brute double check axiom
---
 reconftw.sh | 10 +++++-----
 reconftw_axiom.sh | 16 ++++++++++------
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index b47a48da..0b8f05ea 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -378,7 +378,7 @@ function sub_active(){
 deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
 eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 echo $domain | eval dnsx -retry 3 -silent -r $resolvers_trusted $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt
- NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]}
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
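Review bot: The new pattern `"\.$domain$\|^$domain$"` still interpolates `$domain` unescaped into a BRE, so every dot in the target is a wildcard and, with `$domain` set to `example.com`, a name such as `sub.examplexcom` (constructed) still passes the scope filter; the same pattern is introduced in the sub_dns, sub_scraping and sub_recursive hunks of this file and in the four matching reconftw_axiom.sh hunks below. Escaping once at the top of the function and matching with an ERE keeps the check tight: `domain_re=${domain//./\\.}` followed by `grep -E "(^|\.)${domain_re}$"`. That form also drops `\|`, a GNU extension that BSD grep rejects. The rest of sub_active lies outside the hunk.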
@@ -392,7 +392,7 @@ function sub_dns(){
 eval dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt -r $resolvers_trusted $DEBUG_STD
 cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
 eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
- NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]}
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
@@ -435,7 +435,7 @@ function sub_scraping(){
 sed -i '/^.\{2048\}./d' .tmp/gospider.txt
 cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
 eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
- NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
 cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
 end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
 else
@@ -530,7 +530,7 @@ function sub_recursive(){
 eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt
- NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]}
 else
@@ -639,7 +639,7 @@ function webprobe_full(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ]
 then
 start_func "Http probing non standard ports"
- eval nmap -p $UNCOMMON_PORTS_WEB --max-retries 2 -Pn -iL subdomains/subdomains.txt -oG .tmp/nmap_uncommonweb.txt $DEBUG_STD && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | egrep -v "^#|Status: Up" | cut -d' ' -f4- | sed -n -e 's/Ignored.*//p' | tr ',' '\n' | sed -e 's/^[ \t]*//' | sort -u | cut -d '/' -f1 | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d')
+ eval nmap -p $UNCOMMON_PORTS_WEB --max-retries 2 -Pn -iL subdomains/subdomains.txt -oG .tmp/nmap_uncommonweb.txt $DEBUG_STD && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | egrep -v "^#|Status: Up" | cut -d' ' -f4- | sed -n -e 's/Ignored.*//p' | tr ',' '\n' | sed -e 's/^[ \t]*//' | sort -u | grep "open" | cut -d '/' -f1 | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d')
 if [ -n "$uncommon_ports_checked" ]
 then
 cat subdomains/subdomains.txt | httpx -ports $uncommon_ports_checked -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt
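Review bot: `grep "open"` in the rewritten uncommon_ports_checked pipeline matches any state string containing that word, and in nmap's grepable `port/state/proto/...` tuples that includes `open|filtered`, so ports that merely timed out are still handed to the httpx call two lines later. Anchoring on the field separators, `grep "/open/"`, limits the list to confirmed-open ports. The same pipeline is added in the reconftw_axiom.sh webprobe_full hunk further down. webprobe_full begins and ends outside this hunk.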
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 30345508..67b1e4a0 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -378,7 +378,7 @@ function sub_active(){
 deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
 eval axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -o .tmp/subdomains_tmp.txt $DEBUG_STD
 echo $domain | eval dnsx -retry 3 -silent -r /home/op/recon/puredns/trusted.txt $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt
- NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]}
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
@@ -392,7 +392,7 @@ function sub_dns(){
 eval axiom-scan subdomains/subdomains.txt -m dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -o subdomains/subdomains_cname.txt $DEBUG_STD
 cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
 eval axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -o .tmp/subdomains_dns_resolved.txt $DEBUG_STD
- NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]}
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
@@ -408,7 +408,11 @@ function sub_brute(){
 else
 eval axiom-scan $subs_wordlist -m puredns-single $domain -o .tmp/subs_brute.txt $DEBUG_STD
 fi
- NUMOFLINES=$(eval cat .tmp/subs_brute.txt $DEBUG_ERROR | sed "s/*.//" | grep ".$domain$" | anew subdomains/subdomains.txt | wc -l)
+ if [[ -s ".tmp/subs_brute.txt" ]]
+ then
+ eval axiom-scan .tmp/subs_brute.txt -m puredns-resolve -o .tmp/subs_brute_valid.txt $DEBUG_STD
+ fi
+ NUMOFLINES=$(eval cat .tmp/subs_brute_valid.txt $DEBUG_ERROR | sed "s/*.//" | grep ".$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]}
 else
 if [ "$SUBBRUTE" = false ]; then
@@ -435,7 +439,7 @@ function sub_scraping(){
 cat .tmp/gospider/* | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt
 cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
 eval axiom-scan .tmp/scrap_subs.txt -m puredns-resolve -o .tmp/scrap_subs_resolved.txt $DEBUG_STD
- NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
 eval axiom-scan .tmp/diff_scrap.txt -m httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/probed_tmp_scrap4.txt $DEBUG_STD && eval cat .tmp/probed_tmp_scrap4.txt $DEBUG_ERROR | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
 end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
 else
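Review bot: The new `-s` guard runs puredns-resolve only when `.tmp/subs_brute.txt` is non-empty, but the NUMOFLINES line that follows reads `.tmp/subs_brute_valid.txt` unconditionally, so when the brute-force yields nothing a `subs_brute_valid.txt` left over from an earlier run in the same working directory would be counted instead, and the missing-file case is silent because the error goes to `$DEBUG_ERROR`. Truncating on the other path, `else : > .tmp/subs_brute_valid.txt`, ties the count to this run; whether .tmp is cleared between runs is not visible here. Separately, in `sed "s/*.//"` the `.` is a wildcard, so the expression strips `*` plus whatever character follows it; `sed "s/^\*\.//"` says what is meant. sub_brute's opening `if` lies outside the hunk.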
@@ -530,7 +534,7 @@ function sub_recursive(){
 eval axiom-scan .tmp/DNScewl2_recursive.txt -m puredns-resolve -o .tmp/permute2_recursive_tmp.txt $DEBUG_STD
 eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt
- NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]}
 else
@@ -640,7 +644,7 @@ function webprobe_full(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ]
 then
 start_func "Http probing non standard ports"
- eval axiom-scan subdomains/subdomains.txt -m nmapx -p $UNCOMMON_PORTS_WEB --max-retries 2 -Pn -o .tmp/nmap_uncommonweb.txt $DEBUG_STD && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | egrep -v "^#|Status: Up" | cut -d' ' -f4- | sed -n -e 's/Ignored.*//p' | tr ',' '\n' | sed -e 's/^[ \t]*//' | sort -u | cut -d '/' -f1 | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d')
+ eval axiom-scan subdomains/subdomains.txt -m nmapx -p $UNCOMMON_PORTS_WEB --max-retries 2 -Pn -o .tmp/nmap_uncommonweb.txt $DEBUG_STD && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | egrep -v "^#|Status: Up" | cut -d' ' -f4- | sed -n -e 's/Ignored.*//p' | tr ',' '\n' | sed -e 's/^[ \t]*//' | sort -u | grep "open" | cut -d '/' -f1 | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d')
 if [ -n "$uncommon_ports_checked" ]
 then
 eval axiom-scan subdomains/subdomains.txt -m httpx -ports $uncommon_ports_checked -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color -o .tmp/probed_uncommon_ports_tmp_.txt $DEBUG_STD && cat .tmp/probed_uncommon_ports_tmp_.txt | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_uncommon_ports_tmp.txt
From 028edf45cecc2ca0af54627cded56337b6a53ec9 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sat, 1 May 2021 00:02:46 +0200
Subject: [PATCH 2/2] Puredns rate limit, resolvers reference and findomain install update
---
 install.sh | 4 ++--
 reconftw.cfg | 1 +
 reconftw.sh | 32 ++++++++++++++++----------------
 reconftw_axiom.sh | 34 +++++++++++++++++-----------------
 4 files changed, 36 insertions(+), 35 deletions(-)
diff --git a/install.sh b/install.sh
index 5e472760..9a760c6a 100755
--- a/install.sh
+++ b/install.sh
@@ -219,10 +219,10 @@
 done
 if [ "True" = "$IS_ARM" ]
 then
- eval wget -N -c https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-rpi $DEBUG_STD
+ eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-rpi $DEBUG_STD
 eval $SUDO mv findomain-rpi /usr/local/bin/findomain
 else
- eval wget -N -c https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux $DEBUG_STD
+ eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-linux $DEBUG_STD
 eval wget -N -c https://github.com/sensepost/gowitness/releases/download/2.3.4/gowitness-2.3.4-linux-amd64 $DEBUG_STD
 eval wget -N -c https://github.com/codingo/DNSCewl/raw/master/DNScewl $DEBUG_STD
 eval $SUDO mv DNScewl /usr/local/bin/DNScewl
diff --git a/reconftw.cfg b/reconftw.cfg
index 55a9273b..28d60d88 100644
--- a/reconftw.cfg
+++ b/reconftw.cfg
@@ -123,6 +123,7 @@ BRUTESPRAY_CONCURRENCE=10
 ARJUN_THREADS=20
 GAUPLUS_THREADS=10
 DALFOX_THREADS=200
+PUREDNS_PUBLIC_LIMIT=0 # Set between 2000 - 10000 if your router blows up, 0 is unlimited
 PUREDNS_TRUSTED_LIMIT=400

 # lists
diff --git a/reconftw.sh b/reconftw.sh
index 0b8f05ea..e1917b26 100755
--- a/reconftw.sh
+++ b/reconftw.sh
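Review bot: The updated wget lines still fetch `findomain-rpi`/`findomain-linux` from a moving `releases/latest` URL, and the `eval $SUDO mv ... /usr/local/bin/findomain` that follows installs the file system-wide with no integrity check, so whatever that URL serves at install time is what every later run executes. Pinning a release tag in the URL and verifying the download against a value recorded in install.sh before the `mv`, e.g. `echo "<expected-sha256>  findomain-linux" | sha256sum -c --`, makes the install reproducible; the hash itself has to come from the upstream release. The reconftw.cfg hunk on this line only documents `PUREDNS_PUBLIC_LIMIT`; the scripts that consume it also need a fallback for configs that predate the key.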
@@ -376,7 +376,7 @@ function sub_active(){
 fi
 cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt
 deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
- eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 echo $domain | eval dnsx -retry 3 -silent -r $resolvers_trusted $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt
 NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]}
@@ -391,7 +391,7 @@ function sub_dns(){
 start_subfunc "Running : DNS Subdomain Enumeration"
 eval dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt -r $resolvers_trusted $DEBUG_STD
 cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
- eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]}
 else
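Review bot: `-l $PUREDNS_PUBLIC_LIMIT` is expanded unquoted inside `eval`, so if the loaded reconftw.cfg predates this commit and the variable is unset the command line collapses to `-l -lt 400` and puredns is likely to reject its arguments instead of running unlimited; the same shape is introduced in every puredns call changed in this file (the sub_brute, sub_scraping, sub_permut and sub_recursive hunks below). A default at the expansion site, `-l ${PUREDNS_PUBLIC_LIMIT:-0}`, or a single `PUREDNS_PUBLIC_LIMIT=${PUREDNS_PUBLIC_LIMIT:-0}` after the config is sourced, keeps older configs working. Both sub_active and sub_dns begin outside their hunks.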
@@ -404,9 +404,9 @@ function sub_brute(){
 then
 start_subfunc "Running : Bruteforce Subdomain Enumeration"
 if [ "$DEEP" = true ] ; then
- eval $tools/puredns/puredns bruteforce $subs_wordlist_big $domain -w .tmp/subs_brute.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns bruteforce $subs_wordlist_big $domain -w .tmp/subs_brute.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 else
- eval $tools/puredns/puredns bruteforce $subs_wordlist $domain -w .tmp/subs_brute.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns bruteforce $subs_wordlist $domain -w .tmp/subs_brute.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 fi
 NUMOFLINES=$(eval cat .tmp/subs_brute.txt $DEBUG_ERROR | sed "s/*.//" | grep ".$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]}
@@ -434,7 +434,7 @@ function sub_scraping(){
 fi
 sed -i '/^.\{2048\}./d' .tmp/gospider.txt
 cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
- eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
 cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
 end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
@@ -453,41 +453,41 @@ function sub_permut(){
 start_subfunc "Running : Permutations Subdomain Enumeration"
 if [ "$DEEP" = true ] ; then
 eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
 eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
 eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 else
 if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]]
 then
 eval DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
 eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
 eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ]]
 then
 eval DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 else
 if [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]]
 then
 eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
 eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
 eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 elif [[ $(cat subdomains/subdomains.txt | wc -l) -le 200 ]]
 then
 eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 else
 printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n"
@@ -521,13 +521,13 @@ function sub_recursive(){
 for sub in $(cat subdomains/subdomains.txt); do
 sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt
 done
- eval $tools/puredns/puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT -w .tmp/brute_recursive_result.txt $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT -w .tmp/brute_recursive_result.txt $DEBUG_STD
 cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt
 eval DNScewl --tL .tmp/brute_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1_recursive.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl1_recursive.txt -w .tmp/permute1_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl1_recursive.txt -w .tmp/permute1_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute1_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1_recursive.txt
 eval DNScewl --tL .tmp/permute1_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2_recursive.txt
- eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt
 NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 67b1e4a0..166b9d52 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -376,7 +376,7 @@ function sub_active(){
 fi
 cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt
 deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
- eval axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -o .tmp/subdomains_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/subdomains_tmp.txt $DEBUG_STD
 echo $domain | eval dnsx -retry 3 -silent -r /home/op/recon/puredns/trusted.txt $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt
 NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]}
@@ -391,7 +391,7 @@ function sub_dns(){
 start_subfunc "Running : DNS Subdomain Enumeration"
 eval axiom-scan subdomains/subdomains.txt -m dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -o subdomains/subdomains_cname.txt $DEBUG_STD
 cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
- eval axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -o .tmp/subdomains_dns_resolved.txt $DEBUG_STD
+ eval axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/subdomains_dns_resolved.txt $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]}
 else
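Review bot: `-r /home/op/lists/resolvers.txt` hard-codes an absolute path on the axiom instances into every puredns-resolve/puredns-single call (the sub_active hunk here and the sub_dns, sub_brute, sub_scraping, sub_permut and sub_recursive hunks below), while the non-axiom script takes the same setting from `$resolvers` and the trusted list on the adjacent dnsx line lives under a different directory, `/home/op/recon/puredns/trusted.txt`. Moving the path into reconftw.cfg as one variable (constructed name: `axiom_resolvers=/home/op/lists/resolvers.txt`) and writing `-r $axiom_resolvers` gives a single place to change when the image layout moves. The axiom path gets no `-l`/`-lt` rate limit in this commit, so the new `PUREDNS_PUBLIC_LIMIT` knob only affects reconftw.sh; if that is intentional a comment next to the cfg key would save the next reader the comparison.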
@@ -404,13 +404,13 @@ function sub_brute(){
 then
 start_subfunc "Running : Bruteforce Subdomain Enumeration"
 if [ "$DEEP" = true ] ; then
- eval axiom-scan $subs_wordlist_big -m puredns-single $domain -o .tmp/subs_brute.txt $DEBUG_STD
+ eval axiom-scan $subs_wordlist_big -m puredns-single $domain -r /home/op/lists/resolvers.txt -o .tmp/subs_brute.txt $DEBUG_STD
 else
- eval axiom-scan $subs_wordlist -m puredns-single $domain -o .tmp/subs_brute.txt $DEBUG_STD
+ eval axiom-scan $subs_wordlist -m puredns-single $domain -r /home/op/lists/resolvers.txt -o .tmp/subs_brute.txt $DEBUG_STD
 fi
 if [[ -s ".tmp/subs_brute.txt" ]]
 then
- eval axiom-scan .tmp/subs_brute.txt -m puredns-resolve -o .tmp/subs_brute_valid.txt $DEBUG_STD
+ eval axiom-scan .tmp/subs_brute.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/subs_brute_valid.txt $DEBUG_STD
 fi
 NUMOFLINES=$(eval cat .tmp/subs_brute_valid.txt $DEBUG_ERROR | sed "s/*.//" | grep ".$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]}
@@ -438,7 +438,7 @@ function sub_scraping(){
 fi
 cat .tmp/gospider/* | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt
 cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
- eval axiom-scan .tmp/scrap_subs.txt -m puredns-resolve -o .tmp/scrap_subs_resolved.txt $DEBUG_STD
+ eval axiom-scan .tmp/scrap_subs.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/scrap_subs_resolved.txt $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
 eval axiom-scan .tmp/diff_scrap.txt -m httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/probed_tmp_scrap4.txt $DEBUG_STD && eval cat .tmp/probed_tmp_scrap4.txt $DEBUG_ERROR | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
 end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
@@ -457,41 +457,41 @@ function sub_permut(){
 start_subfunc "Running : Permutations Subdomain Enumeration"
 if [ "$DEEP" = true ] ; then
 eval axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
- eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute1_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1_tmp.txt $DEBUG_STD
 eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
 eval axiom-scan .tmp/permute1.txt -m dnscewl -o .tmp/DNScewl2_.txt $DEBUG_STD && eval cat .tmp/DNScewl2_.txt $DEBUG_ERROR | grep ".$domain$" > .tmp/DNScewl2.txt
- eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -o .tmp/permute2_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute2_tmp.txt $DEBUG_STD
 eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
 eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 else
 if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]]
 then
 eval axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
- eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute1_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1_tmp.txt $DEBUG_STD
 eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
 eval axiom-scan .tmp/permute1.txt -m dnscewl -o .tmp/DNScewl2_.txt $DEBUG_STD && eval cat .tmp/DNScewl2_.txt $DEBUG_ERROR | grep ".$domain$" > .tmp/DNScewl2.txt
- eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -o .tmp/permute2_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute2_tmp.txt $DEBUG_STD
 eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
 eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ]]
 then
 eval axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
- eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute_tmp.txt $DEBUG_STD
 eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 else
 if [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]]
 then
 eval axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
- eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute1_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1_tmp.txt $DEBUG_STD
 eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
 eval axiom-scan .tmp/permute1.txt -m dnscewl -o .tmp/DNScewl2_.txt $DEBUG_STD && eval cat .tmp/DNScewl2_.txt $DEBUG_ERROR | grep ".$domain$" > .tmp/DNScewl2.txt
- eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -o .tmp/permute2_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute2_tmp.txt $DEBUG_STD
 eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
 eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 elif [[ $(cat subdomains/subdomains.txt | wc -l) -le 200 ]]
 then
 eval axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
- eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute_tmp.txt $DEBUG_STD
 eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
 else
 printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n"
@@ -525,13 +525,13 @@ function sub_recursive(){
 for sub in $(cat subdomains/subdomains.txt); do
 sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt
 done
- eval axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -o .tmp/brute_recursive_result.txt $DEBUG_STD
+ eval axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/brute_recursive_result.txt $DEBUG_STD
 cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt
 eval axiom-scan .tmp/brute_recursive.txt -m dnscewl -o .tmp/DNScewl1_recursive_.txt $DEBUG_STD && eval cat .tmp/DNScewl1_recursive_.txt $DEBUG_ERROR | grep ".$domain$" > .tmp/DNScewl1_recursive.txt
- eval axiom-scan .tmp/DNScewl1_recursive.txt -m puredns-resolve -o .tmp/permute1_recursive_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl1_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1_recursive_tmp.txt $DEBUG_STD
 eval cat .tmp/permute1_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1_recursive.txt
 eval axiom-scan .tmp/permute1_recursive.txt -m dnscewl -o .tmp/DNScewl2_recursive_.txt $DEBUG_STD && eval cat .tmp/DNScewl2_recursive_.txt $DEBUG_ERROR | grep ".$domain$" > .tmp/DNScewl2_recursive.txt
- eval axiom-scan .tmp/DNScewl2_recursive.txt -m puredns-resolve -o .tmp/permute2_recursive_tmp.txt $DEBUG_STD
+ eval axiom-scan .tmp/DNScewl2_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute2_recursive_tmp.txt $DEBUG_STD
 eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt
 NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | wc -l)