diff --git a/README.md b/README.md index bc16da20..e8249bb8 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,8 @@
- - + + @@ -215,6 +215,7 @@ CLOUD_IP=true # Web analysis WAF_DETECTION=true NUCLEICHECK=true +NUCLEI_SEVERITY="info,low,medium,high,critical" URL_CHECK=true URL_GF=true URL_EXT=true @@ -342,6 +343,7 @@ reset='\033[0m' | -a | All - Perform whole recon and all active attacks | | -w | Web - Perform only vulnerability checks/attacks on particular target | | -n | OSINT - Performs an OSINT scan (no subdomain enumeration and attacks) | +| -c | Custom - Launches specific function against target | | -h | Help - Show this help menu | **GENERAL OPTIONS** @@ -424,7 +426,7 @@ reset='\033[0m' - Google Dorks ([uDork](https://github.com/m3n0sd0n4ld/uDork)) - Github Dorks ([GitDorker](https://github.com/obheda12/GitDorker)) ## Subdomains - - Passive ([subfinder](https://github.com/projectdiscovery/subfinder), [assetfinder](https://github.com/tomnomnom/assetfinder), [amass](https://github.com/OWASP/Amass), [findomain](https://github.com/Findomain/Findomain), [crobat](https://github.com/cgboal/sonarsearch), [waybackurls](https://github.com/tomnomnom/waybackurls), [github-subdomains](https://github.com/gwen001/github-subdomains), [Anubis](https://jldc.me), [gauplus](https://github.com/bp0lr/gauplus) and [mildew](https://github.com/daehee/mildew)) + - Passive ([subfinder](https://github.com/projectdiscovery/subfinder), [assetfinder](https://github.com/tomnomnom/assetfinder), [amass](https://github.com/OWASP/Amass), [findomain](https://github.com/Findomain/Findomain), [crobat](https://github.com/cgboal/sonarsearch), [waybackurls](https://github.com/tomnomnom/waybackurls), [github-subdomains](https://github.com/gwen001/github-subdomains), [Anubis](https://jldc.me), [gauplus](https://github.com/bp0lr/gauplus)) - Certificate transparency ([ctfr](https://github.com/UnaPibaGeek/ctfr), [tls.bufferover](tls.bufferover.run) and [dns.bufferover](dns.bufferover.run))) - Bruteforce ([puredns](https://github.com/d3mondev/puredns)) - Permutations ([Gotator](https://github.com/Josue87/gotator)) 
@@ -467,6 +469,7 @@ reset='\033[0m'
- Prototype Pollution ([ppfuzz](https://github.com/dwisiswant0/ppfuzz))
- URL sorting by extension
- Wordlist generation
+- Passwords dictionary creation ([pydictor](https://github.com/LandGrey/pydictor))
## Extras
- Multithread ([Interlace](https://github.com/codingo/Interlace))
diff --git a/install.sh b/install.sh
index 1ad5fc15..8087ce72 100755
--- a/install.sh
+++ b/install.sh
@@ -14,7 +14,6 @@ gotools["waybackurls"]="go get -u -v github.com/tomnomnom/hacks/waybackurls"
gotools["nuclei"]="GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei"
gotools["anew"]="go get -u -v github.com/tomnomnom/anew"
gotools["notify"]="GO111MODULE=on go get -v github.com/projectdiscovery/notify/cmd/notify"
-gotools["mildew"]="go get -u github.com/daehee/mildew/cmd/mildew"
gotools["unfurl"]="go get -u -v github.com/tomnomnom/unfurl"
gotools["httpx"]="GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpx"
gotools["github-endpoints"]="go get -u github.com/gwen001/github-endpoints"
@@ -62,6 +61,7 @@ repos["JSA"]="w9w/JSA"
repos["urldedupe"]="ameenmaali/urldedupe"
repos["cloud_enum"]="initstring/cloud_enum"
repos["nmap-parse-output"]="ernw/nmap-parse-output"
+repos["pydictor"]="LandGrey/pydictor"
dir=${tools}
double_check=false
@@ -154,7 +154,7 @@ if [[ $(eval type go $DEBUG_ERROR | grep -o 'go is') == "go is" ]] && [ "$versio
eval wget https://dl.google.com/go/${version}.linux-amd64.tar.gz $DEBUG_STD
eval $SUDO tar -C /usr/local -xzf ${version}.linux-amd64.tar.gz $DEBUG_STD
fi
- eval $SUDO cp /usr/local/go/bin/go /usr/bin
+ eval $SUDO cp /usr/local/go/bin/go /usr/local/bin
rm -rf go$LATEST_GO*
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
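Review bot: `repos["pydictor"]="LandGrey/pydictor"` adds one more repository whose code is later run as `python3 $tools/pydictor/pydictor.py` on the operator's machine, and, as far as this hunk shows, nothing records which commit is expected (the clone step in the repos loop is outside the hunk, so I assume it fetches the default branch like the other entries). For a tool that is executed on every recon run it is worth pinning the checkout to a reviewed commit, e.g. a parallel `repos_rev["pydictor"]="<commit>"` consumed by a `git checkout` after the clone, or at least noting the reviewed version in a comment next to this line: `# pydictor: reviewed at <commit>, pin before bumping`.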
@@ -183,7 +183,7 @@ touch $dir/.github_tokens
eval wget -N -c https://bootstrap.pypa.io/get-pip.py $DEBUG_STD && eval python3 get-pip.py $DEBUG_STD
eval rm -f get-pip.py $DEBUG_STD
-eval ln -s /usr/local/bin/pip3 /usr/bin/pip3 $DEBUG_STD
+eval ln -s /usr/local/bin/pip3 /usr/local/bin/pip3 $DEBUG_STD
eval pip3 install -I -r requirements.txt $DEBUG_STD
printf "${bblue} Running: Installing Golang tools (${#gotools[@]})${reset}\n\n"
@@ -235,15 +235,11 @@ for repo in "${!repos[@]}"; do
eval $SUDO python3 setup.py install $DEBUG_STD
fi
if [ "massdns" = "$repo" ]; then
- eval make $DEBUG_STD && strip -s bin/massdns && eval $SUDO cp bin/massdns /usr/bin/ $DEBUG_ERROR
+ eval make $DEBUG_STD && strip -s bin/massdns && eval $SUDO cp bin/massdns /usr/local/bin/ $DEBUG_ERROR
elif [ "gf" = "$repo" ]; then
eval cp -r examples ~/.gf $DEBUG_ERROR
elif [ "Gf-Patterns" = "$repo" ]; then
eval mv *.json ~/.gf $DEBUG_ERROR
- elif [ "urldedupe" = "$repo" ]; then
- eval cmake CMakeLists.txt $DEBUG_STD
- eval make $DEBUG_STD
- eval $SUDO cp ./urldedupe /usr/bin/ $DEBUG_STD
fi
cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
done
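Review bot: The new `ln -s /usr/local/bin/pip3 /usr/local/bin/pip3` links a path to itself: when pip3 already exists there (get-pip.py has just run), `ln` fails with "File exists" and the failure is hidden by `$DEBUG_STD`; when it does not, the result is a self-referential symlink and every later `pip3` invocation fails with ELOOP. The original line existed to expose pip3 on hosts whose PATH lacks /usr/local/bin, so either drop the line entirely or keep the old direction behind a guard: `[ -x /usr/local/bin/pip3 ] && [ ! -e /usr/bin/pip3 ] && eval $SUDO ln -s /usr/local/bin/pip3 /usr/bin/pip3 $DEBUG_STD`.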
@@ -251,22 +247,22 @@ done
if [ "True" = "$IS_ARM" ]
then
eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-armv7 $DEBUG_STD
- eval $SUDO mv findomain-armv7 /usr/bin/findomain
+ eval $SUDO mv findomain-armv7 /usr/local/bin/findomain
else
eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-linux $DEBUG_STD
eval wget -N -c https://github.com/sensepost/gowitness/releases/download/2.3.4/gowitness-2.3.4-linux-amd64 $DEBUG_STD
eval wget -N -c https://github.com/Edu4rdSHL/unimap/releases/download/0.4.0/unimap-linux $DEBUG_STD
eval wget -N -c https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz $DEBUG_STD
- eval $SUDO tar -C /usr/bin/ -xzf ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz $DEBUG_STD
+ eval $SUDO tar -C /usr/local/bin/ -xzf ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz $DEBUG_STD
eval $SUDO rm -rf ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz $DEBUG_STD
- eval $SUDO mv gowitness-2.3.4-linux-amd64 /usr/bin/gowitness
- eval $SUDO mv findomain-linux /usr/bin/findomain
- eval $SUDO mv unimap-linux /usr/bin/unimap
+ eval $SUDO mv gowitness-2.3.4-linux-amd64 /usr/local/bin/gowitness
+ eval $SUDO mv findomain-linux /usr/local/bin/findomain
+ eval $SUDO mv unimap-linux /usr/local/bin/unimap
fi
-eval $SUDO chmod 755 /usr/bin/findomain
-eval $SUDO chmod 755 /usr/bin/gowitness
-eval $SUDO chmod 755 /usr/bin/unimap
-eval $SUDO chmod 755 /usr/bin/ppfuzz
+eval $SUDO chmod 755 /usr/local/bin/findomain
+eval $SUDO chmod 755 /usr/local/bin/gowitness
+eval $SUDO chmod 755 /usr/local/bin/unimap
+eval $SUDO chmod 755 /usr/local/bin/ppfuzz
eval $SUDO chmod +x $tools/uDork/uDork.sh
eval subfinder $DEBUG_STD
eval subfinder $DEBUG_STD
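Review bot: The binaries relocated to /usr/local/bin here are still fetched with plain `wget` and moved into place with `$SUDO mv` / `chmod 755` without any integrity check, and `findomain` comes from the mutable `releases/latest` path rather than a pinned tag like gowitness, unimap and ppfuzz, so whoever can replace a release asset gets a root-installed binary on every install. Pin findomain to a release tag and verify each asset against a digest recorded in the script before it is moved, e.g. `echo "<sha256>  gowitness-2.3.4-linux-amd64" | sha256sum -c - || exit 1` (one line per asset), and run the `$SUDO tar -C /usr/local/bin/ -xzf …` only after the ppfuzz tarball passes the same check. The `wget -N -c` resume flags also mean a partially downloaded file from an earlier run is completed rather than refetched, which is another reason to check the digest rather than trust the filename.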
@@ -287,6 +283,8 @@ eval wget -O ssti_wordlist.txt https://gist.githubusercontent.com/six2dez/ab5277
eval wget -O headers_inject.txt https://gist.github.com/six2dez/d62ab8f8ffd28e1c206d401081d977ae/raw $DEBUG_STD
eval wget -O custom_udork.txt https://gist.githubusercontent.com/six2dez/7245cad74f2da5824080e0cb6bdaac22/raw $DEBUG_STD
eval wget -O axiom_config.sh https://gist.githubusercontent.com/six2dez/6e2d9f4932fd38d84610eb851014b26e/raw $DEBUG_STD
+eval wget -O ~/nuclei-templates/extra_templates/ssrf.yaml https://raw.githubusercontent.com/NagliNagli/BountyTricks/main/ssrf.yaml $DEBUG_STD
+eval wget -O ~/nuclei-templates/extra_templates/sap-redirect.yaml https://raw.githubusercontent.com/NagliNagli/BountyTricks/main/sap-redirect.yaml $DEBUG_STD
## Last check
if [ "$double_check" = "true" ]; then
@@ -307,7 +305,7 @@ if [ "$double_check" = "true" ]; then
eval $SUDO python3 setup.py install $DEBUG_STD
fi
if [ "massdns" = "$repo" ]; then
- eval make $DEBUG_STD && strip -s bin/massdns && eval $SUDO cp bin/massdns /usr/bin/ $DEBUG_ERROR
+ eval make $DEBUG_STD && strip -s bin/massdns && eval $SUDO cp bin/massdns /usr/local/bin/ $DEBUG_ERROR
elif [ "gf" = "$repo" ]; then
eval cp -r examples ~/.gf $DEBUG_ERROR
elif [ "Gf-Patterns" = "$repo" ]; then
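Review bot: The two added templates are pulled from a third party's `main` branch straight into `~/nuclei-templates/extra_templates/`, so their content can change or be replaced at any time and whatever is there is sent to every target on the next `nuclei -t ~/nuclei-templates/` run; pin the URLs to a commit, e.g. `https://raw.githubusercontent.com/NagliNagli/BountyTricks/<commit>/ssrf.yaml`, and re-review before bumping the hash. `wget -O` also does not create parent directories, so if `~/nuclei-templates/extra_templates` does not exist yet at this point of the install (no template update is visible before these lines) both downloads fail silently under `$DEBUG_STD`; add `mkdir -p ~/nuclei-templates/extra_templates` before the two `wget` lines.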
@@ -340,13 +338,16 @@ if [ ! -s "resolvers.txt" ] || [ $(find "resolvers.txt" -mtime +1 -print) ]; the
printf "${yellow} Resolvers seem older than 1 day\n Generating custom resolvers... ${reset}\n\n"
eval rm -f resolvers.txt &>/dev/null
eval dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt $DEBUG_STD
+ eval dnsvalidator -tL https://raw.githubusercontent.com/blechschmidt/massdns/master/lists/resolvers.txt -threads 100 -o tmp_resolvers $DEBUG_STD
+ eval cat tmp_resolvers $DEBUG_ERROR | anew -q resolvers.txt
+ eval rm -f tmp_resolvers $DEBUG_STD
fi
eval h8mail -g $DEBUG_STD
## Stripping all Go binaries
eval strip -s $HOME/go/bin/* $DEBUG_STD
-eval $SUDO cp $HOME/go/bin/* /usr/bin/ $DEBUG_STD
+eval $SUDO cp $HOME/go/bin/* /usr/local/bin/ $DEBUG_STD
printf "${yellow} Remember set your api keys:\n - amass (~/.config/amass/config.ini)\n - subfinder (~/.config/subfinder/config.yaml)\n - GitHub (~/Tools/.github_tokens)\n - SHODAN (SHODAN_API_KEY in reconftw.cfg)\n - SSRF Server (COLLAB_SERVER in reconftw.cfg) \n - Blind XSS Server (XSS_SERVER in reconftw.cfg) \n - notify (~/.config/notify/provider-config.yaml) \n - theHarvester (~/Tools/theHarvester/api-keys.yml)\n - H8mail (~/Tools/h8mail_config.ini)\n - uDork FB cookie (UDORK_COOKIE in reconftw.cfg)\n\n${reset}"
printf "${bgreen} Finished!${reset}\n\n"
diff --git a/reconftw.cfg b/reconftw.cfg
index 610d9177..4aed2b9d 100644
--- a/reconftw.cfg
+++ b/reconftw.cfg
@@ -80,6 +80,7 @@ CLOUD_IP=true
# Web analysis
WAF_DETECTION=true
NUCLEICHECK=true
+NUCLEI_SEVERITY="info,low,medium,high,critical"
URL_CHECK=true
URL_GF=true
URL_EXT=true
@@ -88,6 +89,9 @@ FUZZ=true
CMS_SCANNER=true
WORDLIST=true
ROBOTSWORDLIST=true
+PASSWORD_DICT=true
+PASSWORD_MIN_LENGTH=5
+PASSWORD_MAX_LENGTH=14
# Vulns
VULNS_GENERAL=false
@@ -173,8 +177,9 @@ BBRF_PASSWORD=password
bred='\033[1;31m'
bblue='\033[1;34m'
bgreen='\033[1;32m'
-yellow='\033[0;33m'
+byellow='\033[1;33m'
red='\033[0;31m'
blue='\033[0;34m'
green='\033[0;32m'
+yellow='\033[0;33m'
reset='\033[0m'
diff --git a/reconftw.sh b/reconftw.sh
index 0d96ceeb..12097c52 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -60,6 +60,7 @@ function tools_installed(){
[ -f "$tools/JSA/jsa.py" ] || { printf "${bred} [*] JSA [NO]${reset}\n"; allinstalled=false;}
[ -f "$tools/cloud_enum/cloud_enum.py" ] || { printf "${bred} [*] cloud_enum [NO]${reset}\n"; allinstalled=false;}
[ -f "$tools/nmap-parse-output/nmap-parse-output" ] || { printf "${bred} [*] nmap-parse-output [NO]${reset}\n"; allinstalled=false;}
+ [ -f "$tools/pydictor/pydictor.py" ] || { printf "${bred} [*] pydictor [NO]${reset}\n"; allinstalled=false;}
type -P github-endpoints &>/dev/null || { printf "${bred} [*] github-endpoints [NO]${reset}\n"; allinstalled=false;}
type -P github-subdomains &>/dev/null || { printf "${bred} [*] github-subdomains [NO]${reset}\n"; allinstalled=false;}
type -P gospider &>/dev/null || { printf "${bred} [*] gospider [NO]${reset}\n"; allinstalled=false;}
@@ -71,7 +72,6 @@ function tools_installed(){
type -P findomain &>/dev/null || { printf "${bred} [*] Findomain [NO]${reset}\n"; allinstalled=false;}
type -P amass &>/dev/null || { printf "${bred} [*] Amass [NO]${reset}\n"; allinstalled=false;}
type -P crobat &>/dev/null || { printf "${bred} [*] Crobat [NO]${reset}\n"; allinstalled=false;}
- type -P mildew &>/dev/null || { printf "${bred} [*] mildew [NO]${reset}\n"; allinstalled=false;}
type -P waybackurls &>/dev/null || { printf "${bred} [*] Waybackurls [NO]${reset}\n"; allinstalled=false;}
type -P gauplus &>/dev/null || { printf "${bred} [*] gauplus [NO]${reset}\n"; allinstalled=false;}
type -P dnsx &>/dev/null || { printf "${bred} [*] dnsx [NO]${reset}\n"; allinstalled=false;}
@@ -97,7 +97,6 @@ function tools_installed(){
type -P unimap &>/dev/null || { printf "${bred} [*] unimap [NO]${reset}\n${reset}"; allinstalled=false;}
type -P resolveDomains &>/dev/null || { printf "${bred} [*] resolveDomains [NO]${reset}\n"; allinstalled=false;}
type -P emailfinder &>/dev/null || { printf "${bred} [*] emailfinder [NO]${reset}\n"; allinstalled=false;}
- type -P urldedupe &>/dev/null || { printf "${bred} [*] urldedupe [NO]${reset}\n"; allinstalled=false;}
type -P analyticsrelationships &>/dev/null || { printf "${bred} [*] analyticsrelationships [NO]${reset}\n"; allinstalled=false;}
type -P mapcidr &>/dev/null || { printf "${bred} [*] mapcidr [NO]${reset}\n"; allinstalled=false;}
type -P ppfuzz &>/dev/null || { printf "${bred} [*] ppfuzz [NO]${reset}\n"; allinstalled=false;}
@@ -106,8 +105,7 @@ function tools_installed(){
type -P interactsh-client &>/dev/null || { printf "${bred} [*] interactsh-client [NO]${reset}\n"; allinstalled=false;}
type -P uro &>/dev/null || { printf "${bred} [*] uro [NO]${reset}\n"; allinstalled=false;}
type -P bbrf &>/dev/null || { printf "${bred} [*] bbrf [NO]${reset}\n"; allinstalled=false;}
- type -P axiom-ls &>/dev/null || { printf "${bred} [*] axiom [NO]${reset}\n${reset}"; allinstalled=false;}
-
+
if [ "${allinstalled}" = true ]; then
printf "${bgreen} Good! All installed! ${reset}\n\n"
else
@@ -188,7 +186,7 @@ function emails(){
emailfinder -d $domain 2>>"$LOGFILE" | anew -q .tmp/emailfinder.txt
[ -s ".tmp/emailfinder.txt" ] && cat .tmp/emailfinder.txt | awk 'matched; /^-----------------$/ { matched = 1 }' | anew -q osint/emails.txt
cd "$tools/theHarvester" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
- python3 theHarvester.py -d $domain -b all 2>>"$LOGFILE" > $dir/.tmp/harvester.txt
+ python3 theHarvester.py -d $domain -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, netcraft, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye" 2>>"$LOGFILE" > $dir/.tmp/harvester.txt
cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
if [ -s ".tmp/harvester.txt" ]; then
cat .tmp/harvester.txt | awk '/Emails/,/Hosts/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/emails.txt
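Review bot: The new `-b` value has a space after every comma (`"anubis, baidu, bing, …"`); if the installed theHarvester splits that string on `,` without stripping whitespace, every engine after `anubis` is an unknown source name and is skipped, and the change would quietly reduce coverage compared with `-b all` — please verify against the version the installer pulls, or write the list without spaces: `-b "anubis,baidu,bing,binaryedge,…"`. `$domain` stays unquoted on this line as it was before; `-d "$domain"` keeps a malformed value from being split into extra arguments. The emails() body continues outside the hunk.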
@@ -345,11 +343,6 @@ function sub_passive(){
curl -s -k "https://jldc.me/anubis/subdomains/${domain}" 2>>"$LOGFILE" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d' | anew -q .tmp/curl_psub.txt
curl -s -k "https://dns.bufferover.run/dns?q=.${domain}" 2>>"$LOGFILE" | jq -r '.FDNS_A'[],'.RDNS'[] 2>>"$LOGFILE" | cut -d ',' -f2 | grep -F ".$domain" | anew -q .tmp/curl_psub.txt
curl -s -k "https://tls.bufferover.run/dns?q=.${domain}" 2>>"$LOGFILE" | jq -r .Results[] 2>>"$LOGFILE" | cut -d ',' -f3 | grep -F ".$domain" | anew -q .tmp/curl_psub.txt
- if echo $domain | grep -q ".mil$"; then
- mildew
- mv mildew.out .tmp/mildew.out
- [ -s ".tmp/mildew.out" ] && cat .tmp/mildew.out | grep ".$domain$" | anew -q .tmp/mil_psub.txt
- fi
NUMOFLINES=$(cat .tmp/*_psub.txt 2>>"$LOGFILE" | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l)
end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]}
else
@@ -840,7 +833,7 @@ function screenshot(){
start_func "Web Screenshots"
cat webs/webs.txt webs/webs_uncommon_ports.txt 2>>"$LOGFILE" | anew -q .tmp/webs_screenshots.txt
if [ ! "$AXIOM" = true ]; then
- [ -s ".tmp/webs_screenshots.txt" ] && webscreenshot -r chromium -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null
+ [ -s ".tmp/webs_screenshots.txt" ] && webscreenshot -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null
#gowitness file -f .tmp/webs_screenshots.txt --disable-logging 2>>"$LOGFILE"
else
[ "$AXIOM_SCREENSHOT_MODULE" = "webscreenshot" ] && axiom-scan .tmp/webs_screenshots.txt -m $AXIOM_SCREENSHOT_MODULE -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null
@@ -990,47 +983,34 @@ function nuclei_check(){ nuclei -update-templates 2>>"$LOGFILE" &>/dev/null mkdir -p nuclei_output if [ ! "$AXIOM" = true ]; then - printf "${yellow}\n Running : Nuclei Info${reset}\n\n" - cat subdomains/subdomains.txt webs/webs.txt 2>/dev/null | nuclei -silent -t ~/nuclei-templates/ -severity info -r $resolvers_trusted -o nuclei_output/info.txt - printf "${yellow}\n\n Running : Nuclei Low${reset}\n\n" - cat subdomains/subdomains.txt webs/webs.txt 2>/dev/null | nuclei -silent -t ~/nuclei-templates/ -severity low -r $resolvers_trusted -o nuclei_output/low.txt - printf "${yellow}\n\n Running : Nuclei Medium${reset}\n\n" - cat subdomains/subdomains.txt webs/webs.txt 2>/dev/null | nuclei -silent -t ~/nuclei-templates/ -severity medium -r $resolvers_trusted -o nuclei_output/medium.txt - printf "${yellow}\n\n Running : Nuclei High${reset}\n\n" - cat subdomains/subdomains.txt webs/webs.txt 2>/dev/null | nuclei -silent -t ~/nuclei-templates/ -severity high -r $resolvers_trusted -o nuclei_output/high.txt - printf "${yellow}\n\n Running : Nuclei Critical${reset}\n\n" - cat subdomains/subdomains.txt webs/webs.txt 2>/dev/null | nuclei -silent -t ~/nuclei-templates/ -severity critical -r $resolvers_trusted -o nuclei_output/critical.txt - if [ "$BBRF_CONNECTION" = true ]; then - [ -s "nuclei_output/info.txt" ] && cat nuclei_output/info.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:info 2>>"$LOGFILE" &>/dev/null - [ -s "nuclei_output/low.txt" ] && cat nuclei_output/low.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:low 2>>"$LOGFILE" &>/dev/null - [ -s "nuclei_output/medium.txt" ] && cat nuclei_output/medium.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:medium 2>>"$LOGFILE" &>/dev/null - [ -s "nuclei_output/high.txt" ] && cat nuclei_output/high.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:high 2>>"$LOGFILE" &>/dev/null - [ -s "nuclei_output/critical.txt" ] && cat nuclei_output/critical.txt | cut -d' ' -f6 | sort -u 
| bbrf url add - -t nuclei:critical 2>>"$LOGFILE" &>/dev/null - fi + set -f # avoid globbing (expansion of *). + array=(${NUCLEI_SEVERITY//,/ }) + for i in "${!array[@]}" + do + crit=${array[i]} + printf "${yellow}\n Running : Nuclei $crit ${reset}\n\n" + cat subdomains/subdomains.txt webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | nuclei -silent -t ~/nuclei-templates/ -severity $crit -r $resolvers_trusted -o nuclei_output/${crit}.txt + done printf "\n\n" else [ ! -s ".tmp/webs_subs.txt" ] && cat webs/webs.txt subdomains/subdomains.txt 2>>"$LOGFILE" | anew -q .tmp/webs_subs.txt if [ -s ".tmp/webs_subs.txt" ]; then - printf "${yellow}\n Running : Nuclei Info${reset}\n\n" - axiom-scan .tmp/webs_subs.txt -m nuclei -severity info -o nuclei_output/info.txt 2>>"$LOGFILE" &>/dev/null - printf "${yellow}\n\n Running : Nuclei Low${reset}\n\n" - axiom-scan .tmp/webs_subs.txt -m nuclei -severity low -o nuclei_output/low.txt 2>>"$LOGFILE" &>/dev/null - printf "${yellow}\n\n Running : Nuclei Medium${reset}\n\n" - axiom-scan .tmp/webs_subs.txt -m nuclei -severity medium -o nuclei_output/medium.txt 2>>"$LOGFILE" &>/dev/null - printf "${yellow}\n\n Running : Nuclei High${reset}\n\n" - axiom-scan .tmp/webs_subs.txt -m nuclei -severity high -o nuclei_output/high.txt 2>>"$LOGFILE" &>/dev/null - printf "${yellow}\n\n Running : Nuclei Critical${reset}\n\n" - axiom-scan .tmp/webs_subs.txt -m nuclei -severity critical -o nuclei_output/critical.txt 2>>"$LOGFILE" &>/dev/null - if [ "$BBRF_CONNECTION" = true ]; then - [ -s "nuclei_output/info.txt" ] && cat nuclei_output/info.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:info 2>>"$LOGFILE" &>/dev/null - [ -s "nuclei_output/low.txt" ] && cat nuclei_output/low.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:low 2>>"$LOGFILE" &>/dev/null - [ -s "nuclei_output/medium.txt" ] && cat nuclei_output/medium.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:medium 2>>"$LOGFILE" &>/dev/null - [ -s 
"nuclei_output/high.txt" ] && cat nuclei_output/high.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:high 2>>"$LOGFILE" &>/dev/null - [ -s "nuclei_output/critical.txt" ] && cat nuclei_output/critical.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:critical 2>>"$LOGFILE" &>/dev/null - fi + for i in "${!array[@]}" + do + crit=${array[i]} + printf "${yellow}\n Running : Nuclei $crit ${reset}\n\n" + axiom-scan .tmp/webs_subs.txt -m nuclei -severity ${crit} -o nuclei_output/${crit}.txt 2>>"$LOGFILE" &>/dev/null + done printf "\n\n" fi fi + if [ "$BBRF_CONNECTION" = true ]; then + [ -s "nuclei_output/info.txt" ] && cat nuclei_output/info.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:${crit} 2>>"$LOGFILE" &>/dev/null + [ -s "nuclei_output/low.txt" ] && cat nuclei_output/low.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:${crit} 2>>"$LOGFILE" &>/dev/null + [ -s "nuclei_output/medium.txt" ] && cat nuclei_output/medium.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:${crit} 2>>"$LOGFILE" &>/dev/null + [ -s "nuclei_output/high.txt" ] && cat nuclei_output/high.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:${crit} 2>>"$LOGFILE" &>/dev/null + [ -s "nuclei_output/critical.txt" ] && cat nuclei_output/critical.txt | cut -d' ' -f6 | sort -u | bbrf url add - -t nuclei:${crit} 2>>"$LOGFILE" &>/dev/null + fi end_func "Results are saved in $domain/nuclei_output folder" ${FUNCNAME[0]} else if [ "$NUCLEICHECK" = false ]; then 
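Review bot: `array=(${NUCLEI_SEVERITY//,/ })` is assigned only inside the `if [ ! "$AXIOM" = true ]` branch, so the axiom `else` loop iterates over an unset array and never launches a scan; the `set -f` that protects the split is never reverted, so globbing stays off for the rest of the run and any later glob (the file already relies on `cat .tmp/*_psub.txt` in sub_passive) silently matches nothing; and the relocated BBRF block tags every severity file with `nuclei:${crit}`, which after the loop is simply the last entry of NUCLEI_SEVERITY, so info findings get pushed as `nuclei:critical`. Split the list once before the branch, restore globbing with `set +f` immediately after, and let the BBRF loop derive the tag from the file it reads. Quoting `-severity "$crit"` and the output path also keeps a stray value in NUCLEI_SEVERITY from being word-split into extra nuclei arguments. The function header and its final `else` branch lie outside the hunk.
```shell
  mkdir -p nuclei_output
  set -f # no globbing while splitting the comma-separated severity list
  array=(${NUCLEI_SEVERITY//,/ })
  set +f # restore globbing: later functions depend on *.txt expansions
  if [ ! "$AXIOM" = true ]; then
    for crit in "${array[@]}"; do
      printf "${yellow}\n Running : Nuclei $crit ${reset}\n\n"
      cat subdomains/subdomains.txt webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | nuclei -silent -t ~/nuclei-templates/ -severity "$crit" -r $resolvers_trusted -o "nuclei_output/${crit}.txt"
    done
    printf "\n\n"
  else
    # … unchanged: build .tmp/webs_subs.txt …
    for crit in "${array[@]}"; do
      printf "${yellow}\n Running : Nuclei $crit ${reset}\n\n"
      axiom-scan .tmp/webs_subs.txt -m nuclei -severity "$crit" -o "nuclei_output/${crit}.txt" 2>>"$LOGFILE" &>/dev/null
    done
    printf "\n\n"
  fi
  if [ "$BBRF_CONNECTION" = true ]; then
    # tag each result file with the severity it was produced for
    for crit in "${array[@]}"; do
      [ -s "nuclei_output/${crit}.txt" ] && cat "nuclei_output/${crit}.txt" | cut -d' ' -f6 | sort -u | bbrf url add - -t "nuclei:${crit}" 2>>"$LOGFILE" &>/dev/null
    done
  fi
```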
@@ -1171,7 +1151,7 @@ function urlchecks(){
[ -s "js/url_extract_js.txt" ] && cat js/url_extract_js.txt | python3 $tools/JSA/jsa.py | anew -q .tmp/url_extract_tmp.txt
fi
[ -s ".tmp/url_extract_tmp.txt" ] && cat .tmp/url_extract_tmp.txt | grep "${domain}" | grep "=" | qsreplace -a 2>>"$LOGFILE" | grep -Eiv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)$" | anew -q .tmp/url_extract_tmp2.txt
- [ -s ".tmp/url_extract_tmp2.txt" ] && cat .tmp/url_extract_tmp2.txt | urldedupe -s -qs | uro | anew -q .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null
+ [ -s ".tmp/url_extract_tmp2.txt" ] && cat .tmp/url_extract_tmp2.txt | uro | anew -q .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null
NUMOFLINES=$(cat .tmp/url_extract_uddup.txt 2>>"$LOGFILE" | anew webs/url_extract.txt | wc -l)
notification "${NUMOFLINES} new urls with params" info
end_func "Results are saved in $domain/webs/url_extract.txt" ${FUNCNAME[0]}
@@ -1323,6 +1303,21 @@ function wordlist_gen_roboxtractor(){
fi
}
+function password_dict(){
+ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$PASSWORD_DICT" = true ]; then
+ start_func "Password dictionary generation"
+ word=${domain%%.*}
+ python3 $tools/pydictor/pydictor.py -extend $word --leet 0 1 2 11 21 --len ${PASSWORD_MIN_LENGTH} ${PASSWORD_MAX_LENGTH} -o webs/password_dict.txt 2>>"$LOGFILE" &>/dev/null
+ end_func "Results are saved in $domain/webs/password_dict.txt" ${FUNCNAME[0]}
+ else
+ if [ "$PASSWORD_DICT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete\n $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
###############################################################################################################
######################################### VULNERABILITIES #####################################################
###############################################################################################################
@@ -1483,7 +1478,7 @@ function ssrf_checks(){
else
end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
fi
- pkill -f interactsh-client
+ pkill -f interactsh-client &
else
if [ "$SSRF_CHECKS" = false ]; then
printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
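Review bot: In password_dict the pydictor call ends with `2>>"$LOGFILE" &>/dev/null`, and bash applies redirections left to right, so the later `&>/dev/null` re-points stderr to /dev/null and nothing pydictor prints ever reaches the log; a missing tool or a rejected `--len` range is then indistinguishable from success, and `end_func` still reports a result file. Use `2>>"$LOGFILE" >/dev/null` instead (the same pattern recurs elsewhere in the file, but a new function need not inherit it). `$word`, `${PASSWORD_MIN_LENGTH}` and `${PASSWORD_MAX_LENGTH}` are passed unquoted and unvalidated from the config; a check such as `[[ "$PASSWORD_MIN_LENGTH" =~ ^[0-9]+$ && "$PASSWORD_MAX_LENGTH" =~ ^[0-9]+$ ]] || { printf "${bred} invalid PASSWORD_MIN_LENGTH/PASSWORD_MAX_LENGTH${reset}\n"; return; }` before the call keeps a mistyped value from becoming extra pydictor arguments. I could not confirm from this page whether pydictor's `-o` expects a file or a directory, so please verify that `webs/password_dict.txt` is actually written.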
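Review bot: Backgrounding the kill with `pkill -f interactsh-client &` lets ssrf_checks return while the client may still be running, so if any later function (or a concurrent reconFTW run on the same host) starts its own interactsh-client, this detached `pkill` can race with it and terminate the wrong instance; `pkill -f` also matches the string anywhere in any process command line, which when the script runs as root reaches other users' processes. Prefer remembering the PID of the client this function launched and killing only that one, e.g. `kill "$interactsh_pid" 2>/dev/null` (the `interactsh-client … &` start that would set it is outside the hunk), or at least keep the kill in the foreground with `pkill -f interactsh-client &>/dev/null` so the function's caller sees a clean state.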
@@ -1636,7 +1631,7 @@ function prototype_pollution(){
if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$PROTO_POLLUTION" = true ] ; then
start_func "Prototype Pollution checks"
if [ "$DEEP" = true ] || [[ $(cat webs/url_extract.txt | wc -l) -le $DEEP_LIMIT ]]; then
- [ -s "webs/url_extract.txt" ] && ppfuzz -l webs/url_extract.txt -c $PPFUZZ_THREADS > anew -q .tmp/prototype_pollution.txt
+ [ -s "webs/url_extract.txt" ] && ppfuzz -l webs/url_extract.txt -c $PPFUZZ_THREADS 2>/dev/null | anew -q .tmp/prototype_pollution.txt
[ -s ".tmp/prototype_pollution.txt" ] && cat .tmp/prototype_pollution.txt | sed -e '1,8d' | sed '/^\[ERR/d' | anew -q vulns/prototype_pollution.txt
end_func "Results are saved in vulns/prototype_pollution.txt" ${FUNCNAME[0]}
else
@@ -1972,6 +1967,10 @@ function start(){
}
function end(){
+
+ find $dir -type f -empty -print | grep -v '.called_fn' | grep -v '.log' | grep -v '.tmp' | xargs rm -f &>/dev/null
+ find $dir -type d -empty -print -delete &>/dev/null
+
if [ ! "$PRESERVE" = true ]; then
find $dir -type f -empty | grep -v "called_fn" | xargs rm -f &>/dev/null
find $dir -type d -empty | grep -v "called_fn" | xargs rm -rf &>/dev/null
@@ -1981,9 +1980,9 @@ function end(){
rm -rf $dir/.tmp
fi
- if [ "$REMOVELOG" = true ]; then
- rm -rf $dir/.log
- fi
+ if [ "$REMOVELOG" = true ]; then
+ rm -rf $dir/.log
+ fi
if [ -n "$dir_output" ]; then
output
@@ -2159,6 +2158,7 @@ function recon(){
url_gf
wordlist_gen
wordlist_gen_roboxtractor
+ password_dict
url_ext
}
@@ -2325,6 +2325,7 @@ function multi_recon(){
url_gf
wordlist_gen
wordlist_gen_roboxtractor
+ password_dict
url_ext
currently=$(date +"%H:%M:%S")
loopend=$(date +%s)
@@ -2377,6 +2378,7 @@ function webs_menu(){
url_gf
wordlist_gen
wordlist_gen_roboxtractor
+ password_dict
url_ext
vulns
end
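Review bot: The two `find` lines added at the top of end() run before the `PRESERVE` check, so `PRESERVE=true` no longer keeps empty files, and the directory pass uses `-delete` with no exclusion at all, so an empty `.called_fn` marker folder is removed even though the existing guarded lines below deliberately spare it. The exclusions are also regexes where `.` matches any character (`'.log'` spares `catalog.txt`, `'.tmp'` spares anything containing `xtmp`), `$dir` is unquoted and, if empty, makes `find` sweep the current directory, and `xargs rm -f` without `-0` mishandles names with spaces. The least invasive fix is to move both lines inside the `if [ ! "$PRESERVE" = true ]` block, guard with `[ -n "$dir" ]`, and anchor the filters on path components: `find "$dir" -type f -empty -print0 | grep -zv -e '/\.called_fn/' -e '/\.log/' -e '/\.tmp/' | xargs -0 rm -f`. end() continues outside the hunk.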
@@ -2429,7 +2431,7 @@ function help(){
########################################### START SCRIPT #####################################################
###############################################################################################################
-PROGARGS=$(getopt -o 'd:m:l:x:i:o:f:rspanwvh::' --long 'domain:,list:,recon,subdomains,passive,all,web,osint,deep,help,vps' -n 'reconFTW' -- "$@")
+PROGARGS=$(getopt -o 'd:m:l:x:i:o:f:c:rspanwvh::' --long 'domain:,list:,recon,subdomains,passive,all,web,osint,deep,help,vps' -n 'reconFTW' -- "$@")
# Note the quotes around "$PROGARGS": they are essential!
@@ -2499,7 +2501,12 @@ while true; do
shift
continue
;;
-
+ '-c')
+ custom_function=$2
+ opt_mode='c'
+ shift 2
+ continue
+ ;;
# extra stuff
'-o')
if [[ "$2" != /* ]]; then
@@ -2511,6 +2518,7 @@ while true; do
continue
;;
'-v'|'--vps')
+ type -P axiom-ls &>/dev/null || { printf "\n Axiom is needed for this mode and is not installed \n You have to install it manually \n" && exit; allinstalled=false;}
AXIOM=true
shift
continue
@@ -2694,6 +2702,14 @@ case $opt_mode in
end
fi
;;
+ 'c')
+ export DIFF=true
+ dir="$SCRIPTPATH/Recon/$domain"
+ cd $dir || { echo "Failed to cd directory '$dir'"; exit 1; }
+ $custom_function
+ cd $SCRIPTPATH || { echo "Failed to cd directory '$dir'"; exit 1; }
+ exit
+ ;;
# No mode selected. EXIT!
*) help
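Review bot: In the new `-v` guard, `printf … && exit` exits with printf's status, i.e. 0, so a wrapper or CI job sees success although the mode was refused, and the `allinstalled=false` after `exit` is unreachable. Write the message to stderr and exit non-zero: `type -P axiom-ls &>/dev/null || { printf "\n Axiom is needed for this mode and is not installed \n You have to install it manually \n" >&2; exit 1; }`. The option loop continues outside the hunk.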
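Review bot: In the new `'c')` arm `$custom_function` is executed verbatim, so `-c` runs any command line the caller hands over rather than one of reconFTW's functions, and it does so inside `Recon/$domain` where `$domain` is neither required nor checked (`-c` without `-d` leaves `dir` as `$SCRIPTPATH/Recon/`, and a value containing `../` escapes the Recon tree). Validate before calling: `declare -F -- "$custom_function" >/dev/null || { echo "Unknown function '$custom_function'"; exit 1; }` together with `[ -n "$domain" ] || { echo "-c needs -d"; exit 1; }`, and quote `cd "$dir"`. The second `cd` also reports `'$dir'` in its error although it changes to `$SCRIPTPATH`, and the bare `exit` returns whatever status the function left, which may be worth stating explicitly. The case statement continues outside the hunk.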