diff --git a/install.sh b/install.sh
index ce15a584..bd43920d 100755
--- a/install.sh
+++ b/install.sh
@@ -46,14 +46,15 @@ if [[ $(eval type go $DEBUG_ERROR | grep -o 'go is') == "go is" ]]
 then
 printf "${bgreen} Golang is already installed ${reset}\n\n"
 else
- printf "${bgreen} Installing Golang ${reset}\n"
+ printf "${yellow} Running: Installing Golang ${reset}\n\n"
+ version=$(curl https://golang.org/VERSION?m=text)
 if [ "True" = "$IS_ARM" ]; then
- eval wget https://dl.google.com/go/$(curl https://golang.org/VERSION?m=text).linux-armv6l.tar.gz $DEBUG_STD
- eval $SUDO tar -C /usr/local -xzf go$LATEST_GO.linux-armv6l.tar.gz $DEBUG_STD
+ eval wget https://dl.google.com/go/${version}.linux-armv6l.tar.gz $DEBUG_STD
+ eval $SUDO tar -C /usr/local -xzf ${version}.linux-armv6l.tar.gz $DEBUG_STD
 $SUDO cp /usr/local/go/bin/go /usr/bin
 else
- eval wget wget https://dl.google.com/go/$(curl https://golang.org/VERSION?m=text).linux-amd64.tar.gz $DEBUG_STD
- eval $SUDO tar -C /usr/local -xzf go$LATEST_GO.linux-amd64.tar.gz $DEBUG_STD
+ eval wget https://dl.google.com/go/${version}.linux-amd64.tar.gz $DEBUG_STD
+ eval $SUDO tar -C /usr/local -xzf ${version}.linux-amd64.tar.gz $DEBUG_STD
 $SUDO cp /usr/local/go/bin/go /usr/bin
 fi
 rm -rf go$LATEST_GO*
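Review bot: `version=$(curl https://golang.org/VERSION?m=text)` is used unchecked by the `eval wget`/`eval tar` lines that follow, so if curl fails or returns something unexpected the download URL and the tarball name are built from an empty or malformed value, and the archive is extracted into /usr/local with no integrity check. Suggest `version=$(curl -fsSL 'https://golang.org/VERSION?m=text' | head -n1)` followed by `[[ "$version" == go[0-9]* ]] || { printf "${bred} Could not determine Go version${reset}\n"; exit 1; }`, and ideally fetching and checking the `.sha256` that dl.google.com publishes next to each tarball before `tar -C /usr/local`. The cleanup `rm -rf go$LATEST_GO*` still refers to `$LATEST_GO`, which this hunk no longer uses to name the archive; if that variable is unset elsewhere the command becomes `rm -rf go*`, so it should track the new name, e.g. `rm -f -- "${version}".linux-*.tar.gz`.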
@@ -81,14 +82,14 @@ export GOPATH=\$HOME/go export PATH=\$GOPATH/bin:\$GOROOT/bin:\$PATH EOF fi -# printf "${yellow} Golang installed! Open a new terminal and run again this script ${reset}\n" +printf "${bgreen} Golang installed${reset}\n" # exit fi [ -n "$GOPATH" ] || { printf "${bred} GOPATH env var not detected, add Golang env vars to your \$HOME/.bashrc or \$HOME/.zshrc:\n\n export GOROOT=/usr/local/go\n export GOPATH=\$HOME/go\n export PATH=\$GOPATH/bin:\$GOROOT/bin:\$PATH\n\n"; exit 1; } [ -n "$GOROOT" ] || { printf "${bred} GOROOT env var not detected, add Golang env vars to your \$HOME/.bashrc or \$HOME/.zshrc:\n\n export GOROOT=/usr/local/go\n export GOPATH=\$HOME/go\n export PATH=\$GOPATH/bin:\$GOROOT/bin:\$PATH\n\n"; exit 1; } - +printf "${yellow} Running: Installing system packages ${reset}\n\n" if [ -f /etc/debian_version ]; then install_apt; elif [ -f /etc/redhat-release ]; then install_yum; elif [ -f /etc/arch-release ]; then install_pacman; @@ -96,7 +97,7 @@ elif [ -f /etc/os-release ]; then install_yum; #/etc/os-release fall in yum for fi printf "${bgreen} System packages installed${reset}\n\n" - +printf "${yellow} Running: Installing requirements ${reset}\n\n" if ! command -v phantomjs &> /dev/null then cd /opt 
@@ -124,12 +125,14 @@ eval go get -v github.com/tomnomnom/qsreplace $DEBUG_STD
 eval GO111MODULE=on go get -v github.com/OWASP/Amass/v3/... $DEBUG_STD
 eval go get -v github.com/ffuf/ffuf $DEBUG_STD
 eval go get -v github.com/tomnomnom/assetfinder $DEBUG_STD
+eval go get -u github.com/gwen001/github-subdomains $DEBUG_STD
 printf "${bgreen} 10%% done${reset}\n\n"
 eval go get -v github.com/dwisiswant0/cf-check $DEBUG_STD
 eval go get -v github.com/tomnomnom/hacks/waybackurls $DEBUG_STD
 eval GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei $DEBUG_STD
 eval go get -v github.com/tomnomnom/anew $DEBUG_STD
 eval GO111MODULE=on go get -v github.com/projectdiscovery/notify/cmd/notify $DEBUG_STD
+eval go get -u github.com/daehee/mildew/cmd/mildew $DEBUG_STD
 printf "${bgreen} 20%% done${reset}\n\n"
 eval go get -v github.com/tomnomnom/unfurl $DEBUG_STD
 eval git clone https://github.com/projectdiscovery/nuclei-templates ~/nuclei-templates $DEBUG_STD
@@ -154,6 +157,7 @@ eval GO111MODULE=on go get -u -v github.com/lc/subjs $DEBUG_STD
 eval go get -v github.com/KathanP19/Gxss $DEBUG_STD
 eval git clone https://github.com/blechschmidt/massdns $dir/massdns $DEBUG_STD
 eval git clone https://github.com/s0md3v/Arjun $dir/Arjun $DEBUG_STD
+eval go get -u github.com/rjeczalik/bin/cmd/gobin $DEBUG_STD
 printf "${bgreen} 50%% done${reset}\n\n"
 eval git clone https://github.com/devanshbatham/ParamSpider $dir/ParamSpider $DEBUG_STD
 eval git clone https://github.com/dark-warlord14/LinkFinder $dir/LinkFinder $DEBUG_STD
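Review bot: The two `go get` lines added here, and the `gobin` line in the @@ -154 hunk below, use `-u` where every neighbouring line uses `-v`; `-u` also upgrades all dependencies of the tool to their latest revision, so each install pulls a different, unpinned dependency tree on every run. None of these fetches pin a module version or tag, and the `gobin` being installed here is what update.sh later uses to rebuild every Go binary from whatever is current, so the installed toolset depends entirely on upstream HEAD at install time. If reproducible installs are wanted, append `@<tag>` (placeholder) to the module paths; at minimum match the surrounding flags, e.g. `eval go get -v github.com/gwen001/github-subdomains $DEBUG_STD`.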
@@ -203,7 +207,7 @@ cd ~/.gf; eval wget -O potential.json https://raw.githubusercontent.com/devanshb
 touch $dir/.github_tokens
 eval wget -O getjswords.py https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py $DEBUG_STD
 eval wget -O subdomains_big.txt https://gist.githubusercontent.com/jhaddix/86a06c5dc309d08580a018c66354a056/raw/96f4e51d96b2203f19f6381c8c545b278eaa0837/all.txt $DEBUG_STD
-eval wget -O subdomains.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt $DEBUG_STD
+eval wget -O subdomains.txt https://gist.githubusercontent.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw/1bcdf2d61df08e66fd2d63b6a840f02c3a2ae24c/subdomains.txt $DEBUG_STD
 eval wget -O resolvers.txt https://raw.githubusercontent.com/BBerastegui/fresh-dns-servers/master/resolvers.txt $DEBUG_STD
 eval wget -O permutations_list.txt https://gist.githubusercontent.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw/137bb6b60c616552c705e93a345c06cec3a2cb1f/permutations_list.txt $DEBUG_STD
 eval wget -O ssrf.py https://gist.githubusercontent.com/h4ms1k/adcc340495d418fcd72ec727a116fea2/raw/ea0774de5e27f9bc855207b175249edae2e9ccef/asyncio_ssrf.py $DEBUG_STD
diff --git a/reconftw.sh b/reconftw.sh
index 3327e775..3b1fdfc4 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -45,23 +45,25 @@ function tools_installed(){ [ -f $tools/degoogle_hunter/degoogle_hunter.sh ] || { printf "${bred} [*] degoogle_hunter [NO]${reset}\n"; allinstalled=false;} [ -f $tools/getjswords.py ] || { printf "${bred} [*] getjswords [NO]${reset}\n"; allinstalled=false;} eval type -P arjun $DEBUG_STD || { printf "${bred} [*] Arjun [NO]${reset}\n"; allinstalled=false;} - eval type -P github-endpoints $DEBUG_STD || { printf "${bred} [*] github-endpoints [NO]${reset}\n"; allinstalled=false;} + eval type -P github-endpoints $DEBUG_STD || { printf "${bred} [*] github-endpoints [NO]${reset}\n"; allinstalled=false;} + eval type -P github-subdomains $DEBUG_STD || { printf "${bred} [*] github-subdomains [NO]${reset}\n"; allinstalled=false;} eval type -P gospider $DEBUG_STD || { printf "${bred} [*] gospider [NO]${reset}\n"; allinstalled=false;} eval type -P wafw00f $DEBUG_STD || { printf "${bred} [*] wafw00f [NO]${reset}\n"; allinstalled=false;} eval type -P subfinder $DEBUG_STD || { printf "${bred} [*] Subfinder [NO]${reset}\n"; allinstalled=false;} - eval type -P assetfinder $DEBUG_STD || { printf "${bred} [*] Assetfinder [NO]${reset}\n"; allinstalled=false;} + eval type -P assetfinder $DEBUG_STD || { printf "${bred} [*] Assetfinder [NO]${reset}\n"; allinstalled=false;} eval type -P gowitness $DEBUG_STD || { printf "${bred} [*] gowitness [NO]${reset}\n"; allinstalled=false;} eval type -P findomain $DEBUG_STD || { printf "${bred} [*] Findomain [NO]${reset}\n"; allinstalled=false;} eval type -P amass $DEBUG_STD || { printf "${bred} [*] Amass [NO]${reset}\n"; allinstalled=false;} eval type -P crobat $DEBUG_STD || { printf "${bred} [*] Crobat [NO]${reset}\n"; allinstalled=false;} - eval type -P waybackurls $DEBUG_STD || { printf "${bred} [*] Waybackurls [NO]${reset}\n"; allinstalled=false;} + eval type -P mildew $DEBUG_STD || { printf "${bred} [*] mildew [NO]${reset}\n"; allinstalled=false;} + eval type -P waybackurls $DEBUG_STD || { printf "${bred} [*] Waybackurls 
[NO]${reset}\n"; allinstalled=false;} eval type -P gau $DEBUG_STD || { printf "${bred} [*] Gau [NO]${reset}\n"; allinstalled=false;} eval type -P dnsx $DEBUG_STD || { printf "${bred} [*] dnsx [NO]${reset}\n"; allinstalled=false;} eval type -P shuffledns $DEBUG_STD || { printf "${bred} [*] ShuffleDns [NO]${reset}\n"; allinstalled=false;} eval type -P cf-check $DEBUG_STD || { printf "${bred} [*] Cf-check [NO]${reset}\n"; allinstalled=false;} eval type -P nuclei $DEBUG_STD || { printf "${bred} [*] Nuclei [NO]${reset}\n"; allinstalled=false;} [ -d ~/nuclei-templates ] || { printf "${bred} [*] Nuclei templates [NO]${reset}\n"; allinstalled=false;} - eval type -P gf $DEBUG_STD || { printf "${bred} [*] Gf [NO]${reset}\n"; allinstalled=false;} + eval type -P gf $DEBUG_STD || { printf "${bred} [*] Gf [NO]${reset}\n"; allinstalled=false;} eval type -P Gxss $DEBUG_STD || { printf "${bred} [*] Gxss [NO]${reset}\n"; allinstalled=false;} eval type -P subjs $DEBUG_STD || { printf "${bred} [*] subjs [NO]${reset}\n"; allinstalled=false;} eval type -P ffuf $DEBUG_STD || { printf "${bred} [*] ffuf [NO]${reset}\n"; allinstalled=false;} 
@@ -282,13 +284,27 @@ function sub_passive(){
 if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
 then
 start_subfunc "Running : Passive Subdomain Enumeration"
- eval subfinder -d $domain -o .tmp/subfinder.txt $DEBUG_STD
- eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder.txt
- eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass.txt $DEBUG_STD
- eval findomain --quiet -t $domain -u .tmp/findomain.txt $DEBUG_STD
- eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat.txt
- timeout 5m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls.txt
- NUMOFLINES=$(eval cat .tmp/subfinder.txt .tmp/assetfinder.txt .tmp/amass.txt .tmp/findomain.txt .tmp/crobat.txt .tmp/waybackurls.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l)
+ eval subfinder -d $domain -o .tmp/subfinder_psub.txt $DEBUG_STD
+ eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder_psub.txt
+ eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass_psub.txt $DEBUG_STD
+ eval findomain --quiet -t $domain -u .tmp/findomain_psub.txt $DEBUG_STD
+ eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat_psub.txt
+ if [ -s "${GITHUB_TOKENS}" ];then
+ if [ "$DEEP" = true ] ; then
+ eval github-subdomains -d $domain -k -raw -t $GITHUB_TOKENS | anew -q .tmp/github_subdomains_psub.txt
+ else
+ eval github-subdomains -d $domain -k -q -raw -t $GITHUB_TOKENS | anew -q .tmp/github_subdomains_psub.txt
+ fi
+ fi
+ eval curl -s "https://jldc.me/anubis/subdomains/${domain}" $DEBUG_ERROR | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d' | anew -q .tmp/jldc_psub.txt
+ timeout 10m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls_psub.txt
+ timeout 10m gau -subs $domain | unfurl --unique domains | anew -q .tmp/gau_psub.txt
+ if echo $domain | grep -q ".mil$"; then
+ mildew
+ mv mildew.out .tmp/mildew.out
+ cat .tmp/mildew.out | grep ".$domain$" | anew -q .tmp/mil_psub.txt
+ fi
+ NUMOFLINES=$(eval cat .tmp/*_psub.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]}
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
@@ -357,6 +373,10 @@ function sub_dns(){
 if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]
 then
 start_subfunc "Running : Active Subdomain Enumeration"
+ if [ -s "${inScope_file}" ]
+ then
+ cat ${inScope_file} .tmp/inscope_subs.txt
+ fi
 cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt
 deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt
 eval shuffledns -d $domain -list .tmp/subs_no_resolved.txt -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/subdomains_tmp.txt $DEBUG_STD
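Review bot: In the new `.mil` branch, `grep -q ".mil$"` uses an unescaped dot, so any domain whose name merely ends in the letters `mil` also triggers the mildew run; it should be `grep -q '\.mil$'`. The following `mv mildew.out .tmp/mildew.out` runs unconditionally, so if mildew fails or writes nothing the `mv` errors out and the `cat` reads a stale or missing file; `[ -s mildew.out ] && mv mildew.out .tmp/mildew.out` keeps that quiet. The jldc extraction regex uses `[A-z]`, which also matches `[`, `\`, `]`, `^`, `_` and backtick; `[A-Za-z]` is what was intended. This hunk also sends `$domain` to a third-party API (jldc.me) and, when tokens are present, to GitHub, which deserves a one-line comment for users working on sensitive scopes.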
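Review bot: `cat ${inScope_file} .tmp/inscope_subs.txt` does not add the include list to the enumeration set: `cat` with two operands only prints both to stdout (and complains if `.tmp/inscope_subs.txt` does not exist yet), so nothing is written and the next `cat .tmp/*_subs.txt` never sees those hosts. The intent looks like `cat "${inScope_file}" | anew -q .tmp/inscope_subs.txt`. Since `-i` entries go straight into resolution and later probing, filtering them to `$domain` (or running `deleteOutScoped` on them as the next lines do for the rest) would stop a stray line in the include file from widening the target scope. sub_dns continues past the end of this hunk.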
@@ -375,8 +395,13 @@ function sub_scraping(){
 then
 start_subfunc "Running : Source code scraping subdomain search"
 touch .tmp/scrap_subs.txt
- cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt
- gospider -S .tmp/probed_tmp.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
+ cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt
+ if [ "$DEEP" = true ] ; then
+ gospider -S .tmp/probed_tmp.txt --js -t $GOSPIDER_THREADS -d 3 -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ else
+ gospider -S .tmp/probed_tmp.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ fi
+ cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
 cat .tmp/scrap_subs.txt | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/scrap_subs_resolved.txt $DEBUG_STD
 NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l)
 end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]}
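Review bot: The `DEEP`/non-`DEEP` gospider branches added here differ only in `-d 3`, and the same if/else pair is repeated in the urlchecks and brokenLinks hunks further down; building the option once keeps all three call sites in step: `gospider_depth=(); [ "$DEEP" = true ] && gospider_depth=(-d 3)` followed by a single `gospider -S .tmp/probed_tmp.txt --js -t $GOSPIDER_THREADS "${gospider_depth[@]}" -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt`. `.tmp/gospider.txt` is produced here from `.tmp/probed_tmp.txt` but later reused by urlchecks and brokenLinks as if it came from `webs/webs.txt`, which is why urlchecks needs its `diff_webs` check; a comment on the redirect saying the file is a cache shared with those functions would help the next reader. sub_scraping continues past the end of this hunk.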
@@ -465,7 +490,7 @@ function webprobe_simple(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBESIMPLE" = true ]
 then
 start_subfunc "Running : Http probing"
- cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt
+ cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt
 deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt
 NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l)
 end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]}
@@ -482,7 +507,7 @@ function webprobe_full(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ] then start_func "Http probing non standard ports" - cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt + cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l) notification "Uncommon web ports: ${NUMOFLINES} new websites in ${runtime}" good eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR 
@@ -546,12 +571,13 @@ function portscan(){ then start_func "Port scan" for sub in $(cat subdomains/subdomains.txt); do - echo "$sub $(dig +short a $sub | tail -n1)" | anew -q hosts/subdomains_ips.txt + echo "$sub $(dig +short a $sub | tail -n1)" | anew -q .tmp/subs_ips.txt done + awk '{ print $2 " " $1}' .tmp/subs_ips.txt | sort -k2 -n | anew -q hosts/subs_ips_vhosts.txt - eval cat hosts/subdomains_ips.txt $dir/favicontest.txt $DEBUG_ERROR | cut -d ' ' -f2 | egrep -iv "^(127|10|169|172|192)\." | anew -q hosts/ips.txt + eval cat hosts/subs_ips_vhosts.txt $DEBUG_ERROR | cut -d ' ' -f1 | egrep -iv "^(127|10|169|172|192)\." | anew -q hosts/ips.txt - eval cat hosts/ips.txt | cf-check -c $NPROC | egrep -iv "^(127|10|169|172|192)\." | anew -q .tmp/ips_nowaf.txt + eval cat hosts/ips.txt $DEBUG_ERROR | cf-check -c $NPROC | egrep -iv "^(127|10|169|172|192)\." | anew -q .tmp/ips_nowaf.txt printf "${bblue}\n Resolved IP addresses (No WAF) ${reset}\n\n"; eval cat .tmp/ips_nowaf.txt $DEBUG_ERROR | sort 
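Review bot: When `dig +short a $sub` returns nothing, the `echo` writes a one-field line (the name alone) into `.tmp/subs_ips.txt`; the new `awk '{ print $2 " " $1}'` then emits a line starting with a space, `cut -d ' ' -f1` turns that into an empty line, and the private-range filter passes it into `hosts/ips.txt`. Capturing the answer first, `ip=$(dig +short a "$sub" | tail -n1); [ -n "$ip" ] && echo "$sub $ip" | anew -q .tmp/subs_ips.txt`, keeps unresolved names out of both files. `sort -k2 -n` compares the hostname column numerically, which does not order non-numeric names; if the aim is to group vhosts by IP, `sort -k1,1` on the first field is probably what was meant, so the intent should be confirmed. `$dir/favicontest.txt` was also dropped from the sources feeding `hosts/ips.txt`; if that was unintentional, favicon-discovered IPs are no longer scanned. portscan continues past the end of this hunk.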
@@ -724,12 +750,17 @@ function urlchecks(){
 start_func "URL Extraction"
 mkdir -p js
 cat webs/webs.txt | waybackurls | anew -q .tmp/url_extract_tmp.txt
- cat webs/webs.txt | gau | anew -q .tmp/url_extract_tmp.txt
- if [ "$DEEP" = true ] ; then
- gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 3 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt
- else
- gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt
+ cat webs/webs.txt | gau -subs | anew -q .tmp/url_extract_tmp.txt
+ diff_webs=$(diff <(sort -u .tmp/probed_tmp.txt) <(sort -u webs/webs.txt) | wc -l)
+ if [ $diff_webs != "0" ];
+ then
+ if [ "$DEEP" = true ] ; then
+ gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 3 -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ else
+ gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt
+ fi
 fi
+ cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt
 if [ -s "${GITHUB_TOKENS}" ]
 then
 eval github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt $DEBUG_STD
@@ -758,7 +789,7 @@ function url_gf(){
 gf redirect webs/url_extract.txt | anew -q gf/redirect.txt && cat gf/ssrf.txt | anew -q gf/redirect.txt
 gf rce webs/url_extract.txt | anew -q gf/rce.txt
 gf potential webs/url_extract.txt | cut -d ':' -f3-5 |anew -q gf/potential.txt
- cat webs/url_extract.txt | unfurl -u format %s://%d%p | anew -q gf/endpoints.txt
+ cat .tmp/url_extract_tmp.txt | egrep -iv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)" | unfurl -u format %s://%d%p | anew -q gf/endpoints.txt
 gf lfi webs/url_extract.txt | anew -q gf/lfi.txt
 end_func "Results are saved in gf folder" ${FUNCNAME[0]}
 else
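Review bot: The new cache check only re-runs gospider when `.tmp/probed_tmp.txt` and `webs/webs.txt` differ, yet the `cat .tmp/gospider.txt` after the `fi` runs unconditionally; when the two lists match but sub_scraping did not run in this mode (or `.tmp/probed_tmp.txt` is absent, in which case `diff` fails and `diff_webs` is `0`), the cache file does not exist and no gospider URLs are extracted at all. Make the condition `if [ "$diff_webs" != "0" ] || [ ! -s .tmp/gospider.txt ]; then`, quoting `$diff_webs` as well since an unquoted empty value breaks the `[` test. urlchecks continues past the end of this hunk.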
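Review bot: The extension filter on the new endpoints line is not anchored, so `\.js` also drops `.jsp` and `.json` URLs, `\.css` drops anything with `.css` in the middle of the path, and so on; endpoints the rest of the pipeline would want are silently excluded. Anchoring to the end of the path or query, e.g. `egrep -iv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)(\?.*)?$"`, limits it to the intended static assets. The line also switches its source from `webs/url_extract.txt` to `.tmp/url_extract_tmp.txt` while the neighbouring `gf` lines still read the former; if reading the unfiltered list is deliberate, a one-line comment saying so would stop someone "fixing" it back. url_gf continues past the end of this hunk.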
@@ -778,14 +809,18 @@ function jschecks(){ cat js/url_extract_js.txt | cut -d '?' -f 1 | grep -iE "\.js$" | anew -q js/jsfile_links.txt cat js/url_extract_js.txt | subjs | anew -q js/jsfile_links.txt printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n" - cat js/jsfile_links.txt | httpx -follow-redirects -H "${HEADER}" -silent -timeout 15 -threads $HTTPX_THREADS -status-code -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt + cat js/jsfile_links.txt | httpx -follow-redirects -H "${HEADER}" -silent -timeout 15 -threads $HTTPX_THREADS -status-code -retries 2 -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt printf "${yellow} Running : Gathering endpoints 3/5${reset}\n" - interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> js/js_endpoints.txt" &>/dev/null - sed -i '/^\//!d' js/js_endpoints.txt + interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null + eval sed -i '/^\//!d' .tmp/js_endpoints.txt $DEBUG_ERROR + cat .tmp/js_endpoints.txt | anew -q js/js_endpoints.txt.txt printf "${yellow} Running : Gathering secrets 4/5${reset}\n" cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -o js/js_secrets.txt $DEBUG_STD printf "${yellow} Running : Building wordlist 5/5${reset}\n" - cat js/js_livelinks.txt | eval python3 $tools/getjswords.py $DEBUG_ERROR | anew -q webs/dict_words.txt + if [ -s "js/js_livelinks.txt" ] + then + cat js/js_livelinks.txt | eval python3 $tools/getjswords.py $DEBUG_ERROR | anew -q webs/dict_words.txt + fi end_func "Results are saved in js folder" ${FUNCNAME[0]} else if [ "$JSCHECKS" = false ]; then 
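Review bot: `eval sed -i '/^\//!d' .tmp/js_endpoints.txt $DEBUG_ERROR` most likely no longer filters anything: the single quotes are consumed by the first parse, eval's second parse turns the now-unquoted `\/` into `/`, and sed receives `/^//!d`, a syntax error that `$DEBUG_ERROR` (presumably a stderr redirect) then hides. Dropping the `eval`, `sed -i '/^\//!d' .tmp/js_endpoints.txt`, restores the filter; if the redirect is needed, quote the expression so it survives both passes. The destination `js/js_endpoints.txt.txt` on the next line looks like a typo for `js/js_endpoints.txt`. Because `interlace` appends with `>>`, `.tmp/js_endpoints.txt` also accumulates across runs; truncating it before the loop keeps the later `anew` count meaningful. jschecks continues past the end of this hunk.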
@@ -801,6 +836,9 @@ function wordlist_gen(){
 then
 start_func "Wordlist generation"
 cat .tmp/url_extract_tmp.txt | unfurl -u keys | sed 's/[][]//g' | sed 's/[#]//g' | sed 's/[}{]//g' | anew -q webs/dict_words.txt
+ cat .tmp/url_extract_tmp.txt | unfurl -u values | sed 's/[][]//g' | sed 's/[#]//g' | sed 's/[}{]//g' | anew -q webs/dict_words.txt
+ cat .tmp/url_extract_tmp.txt | tr "[:punct:]" "\n" | anew -q webs/dict_words.txt
+ cat .tmp/js_endpoints.txt | unfurl -u path | anew -q webs/dict_paths.txt
 cat .tmp/url_extract_tmp.txt | unfurl -u path | anew -q webs/dict_paths.txt
 touch $called_fn_dir/.${FUNCNAME[0]}
 end=`date +%s`
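Review bot: `cat .tmp/js_endpoints.txt | unfurl -u path` assumes jschecks already ran and produced that file; when `JSCHECKS` is false the `cat` fails with a stderr message and the pipeline runs on empty input. `[ -s .tmp/js_endpoints.txt ] && unfurl -u path < .tmp/js_endpoints.txt | anew -q webs/dict_paths.txt` makes the dependency explicit. It is also worth confirming that `unfurl -u path` yields anything for the bare `/...` paths that file holds (it is filtered to lines starting with `/`), since the other unfurl calls in this file feed it full URLs. wordlist_gen continues past the end of this hunk.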
@@ -824,9 +862,15 @@ function wordlist_gen(){ function brokenLinks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$BROKENLINKS" = true ] ; then start_func "Broken links checks" - interlace -tL webs/webs.txt -threads 10 -c "wget --spider -r -nd -nv -H -l 1 -w 1 --no-check-certificate -U 'Mozilla' -o _output_/_cleantarget__brokenLinks.tmp _target_" -o .tmp &>/dev/null - cat .tmp/*_brokenLinks.tmp | grep "^http" | grep -v ':$' | anew -q .tmp/brokenLinks_total.txt - NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | cut -d ' ' -f2 | anew webs/brokenLinks.txt | wc -l) + if [ ! -s ".tmp/gospider.txt" ]; then + if [ "$DEEP" = true ] ; then + gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 3 -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt + else + gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r > .tmp/gospider.txt + fi + fi + cat .tmp/gospider.txt | egrep -o 'https?://[^ ]+' | sed 's/]$//' | sort -u | httpx -follow-redirects -status-code -timeout 15 -silent -retries 2 -no-color | grep "\[4" | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt + NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | anew webs/brokenLinks.txt | wc -l) notification "${NUMOFLINES} new broken links found in ${runtime}" good end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]} else @@ -839,7 +883,7 @@ function brokenLinks(){ } function xss(){ - if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$XSS" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$XSS" = true ] && [ -s "gf/xss.txt" ] then start_func "XSS Analysis" cat gf/xss.txt | qsreplace FUZZ | Gxss -c 100 -p Xss | anew -q .tmp/xss_reflected.txt 
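Review bot: The rewritten brokenLinks probes every URL gospider found, but unlike the urlchecks copy of this pipeline there is no `grep ".$domain$"` (nor a `deleteOutScoped` call) before httpx, so third-party hosts linked from the target are probed as well; a host-level filter on `$domain` before `sort -u` keeps the checks in scope. The httpx call also omits the `-H "${HEADER}"` that every other httpx invocation in this file passes, so these requests go out without the configured header. Counting every `[4xx` response as a broken link is broader than the previous wget-spider approach; if 401/403 are not meant to count, `grep "\[404"` is closer to the old behaviour. brokenLinks continues past the end of this hunk.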
@@ -869,6 +913,8 @@ function xss(){ else if [ "$XSS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + elif [ ! -s "gf/xss.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to XSS ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -892,7 +938,7 @@ function cors(){ } function open_redirect(){ - if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$OPEN_REDIRECT" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$OPEN_REDIRECT" = true ] && [ -s "gf/redirect.txt" ] then start_func "Open redirects checks" if [ "$DEEP" = true ] ; then @@ -915,6 +961,8 @@ function open_redirect(){ else if [ "$OPEN_REDIRECT" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + elif [ ! -s "gf/redirect.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to Open Redirect ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -922,7 +970,7 @@ function open_redirect(){ } function ssrf_checks(){ - if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSRF_CHECKS" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ] then if [ -n "$COLLAB_SERVER" ]; then start_func "SSRF checks" 
@@ -959,6 +1007,8 @@ function ssrf_checks(){ else if [ "$SSRF_CHECKS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + elif [ ! -s "gf/ssrf.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SSRF ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -981,7 +1031,7 @@ function crlf_checks(){ } function lfi(){ - if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$LFI" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$LFI" = true ] && [ -s "gf/lfi.txt" ] then start_func "LFI checks" cat gf/lfi.txt | qsreplace FUZZ | anew -q .tmp/tmp_lfi.txt @@ -992,6 +1042,8 @@ function lfi(){ else if [ "$LFI" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + elif [ ! -s "gf/lfi.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to LFI ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -999,7 +1051,7 @@ function lfi(){ } function ssti(){ - if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSTI" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSTI" = true ] && [ -s "gf/ssti.txt" ] then start_func "SSTI checks" cat gf/ssti.txt | qsreplace "ssti{{7*7}}" | anew -q .tmp/ssti_fuzz.txt 
@@ -1010,6 +1062,8 @@ function ssti(){ else if [ "$SSTI" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + elif [ ! -s "gf/ssti.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SSTI ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -1017,7 +1071,7 @@ function ssti(){ } function sqli(){ - if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SQLI" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SQLI" = true ] && [ -s "gf/sqli.txt" ] then start_func "SQLi checks" cat gf/sqli.txt | qsreplace FUZZ | anew -q .tmp/tmp_sqli.txt @@ -1026,6 +1080,8 @@ function sqli(){ else if [ "$SQLI" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + elif [ ! -s "gf/sqli.txt" ]; then + printf "\n${yellow} ${FUNCNAME[0]} No URLs potentially vulnerables to SQLi ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -1400,13 +1456,14 @@ function subs_menu(){ } function help(){ - printf "\n Usage: $0 [-d domain.tld] [-m name] [-l list.txt] [-x oos.txt] [-r] [-s] " - printf "\n [-p] [-a] [-w] [-i] [-v] [-h] [--deep] [--fs] [-o OUTPUT]\n\n" + printf "\n Usage: $0 [-d domain.tld] [-m name] [-l list.txt] [-x oos.txt] [-i in.txt] " + printf "\n [-r] [-s] [-p] [-a] [-w] [-i] [-v] [-h] [--deep] [--fs] [-o OUTPUT]\n\n" printf " ${bblue}TARGET OPTIONS${reset}\n" printf " -d domain.tld Target domain\n" printf " -m company Target company name\n" printf " -l list.txt Targets list, one per line\n" printf " -x oos.txt Exclude subdomains list (Out Of Scope)\n" + printf " -i in.txt Include subdomains list\n" printf " \n" printf " ${bblue}MODE OPTIONS${reset}\n" printf " -r Recon - Full recon process (only recon without attacks)\n" @@ -1452,7 +1509,7 @@ then exit fi -while getopts ":hd:-:l:m:x:varspxwo:" opt; do +while getopts ":hd:-:l:m:x:i:varspxwo:" opt; do general=$@ if [[ $general == *"-v"* ]]; then unset DEBUG_STD @@ -1482,6 +1539,14 @@ while getopts ":hd:-:l:m:x:varspxwo:" opt; do exit fi ;; + i ) inScope_file=$OPTARG + isAsciiText $inScope_file + if [ "False" = "$IS_ASCII" ] + then + printf "\n\n${bred} Out of Scope file is not a text file${reset}\n\n" + exit + fi + ;; ## MODES diff --git a/update.sh b/update.sh index 7d1c5fc1..8b44a77d 100755 --- a/update.sh +++ b/update.sh @@ -2,7 +2,6 @@ #@TODO: # - Update testssl.sh - # - Update Go packages bred='\033[1;31m' bblue='\033[1;34m' 
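Review bot: The new usage line still lists `[-i]` among the flag-only mode options on the second line (`[-r] [-s] [-p] [-a] [-w] [-i] [-v]`) even though `-i in.txt` is now documented as a target option taking an argument on the first line; dropping the second `[-i]` removes the contradiction. help continues past the end of this hunk.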
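Review bot: The new `i )` case reports `Out of Scope file is not a text file` when the `-i` include list fails the ASCII check, a message copied from the `-x` branch that points users at the wrong file; it should read `printf "\n\n${bred} In Scope file is not a text file${reset}\n\n"`. `isAsciiText $inScope_file` passes the path unquoted; `isAsciiText "$inScope_file"` survives a path containing spaces. Since the include file is later fed into sub_dns without any check that its entries belong to `$domain`, a short comment here noting that `-i` entries are trusted as in-scope would be useful.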
@@ -97,7 +96,7 @@ eval wget -N -c -O ~/.gf/potential.json https://raw.githubusercontent.com/devans
 eval wget -N -c -O ~/.config/amass/config.ini https://raw.githubusercontent.com/OWASP/Amass/master/examples/config.ini $DEBUG_STD
 eval wget -N -C -O ~/.config/notify/notify.conf https://gist.githubusercontent.com/six2dez/23a996bca189a11e88251367e6583053/raw/a66c4d8cf47a3bc95f5e9ba84773428662ea760c/notify_sample.conf $DEBUG_ERROR
 eval wget -N -c -O $dir/getjswords.py https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py $DEBUG_STD
-eval wget -N -c -O $dir/subdomains.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt $DEBUG_STD
+eval wget -N -c -O $dir/subdomains.txt subdomains.txt https://gist.githubusercontent.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw/1bcdf2d61df08e66fd2d63b6a840f02c3a2ae24c/subdomains.txt $DEBUG_STD $DEBUG_STD
 eval wget -N -c -O $dir/subdomains_big.txt https://gist.githubusercontent.com/jhaddix/86a06c5dc309d08580a018c66354a056/raw/96f4e51d96b2203f19f6381c8c545b278eaa0837/all.txt $DEBUG_STD
 eval wget -N -c -O $dir/resolvers.txt https://raw.githubusercontent.com/BBerastegui/fresh-dns-servers/master/resolvers.txt $DEBUG_STD
 eval wget -N -c -O $dir/permutations_list.txt https://gist.githubusercontent.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw/137bb6b60c616552c705e93a345c06cec3a2cb1f/permutations_list.txt $DEBUG_STD
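Review bot: The rewritten subdomains.txt line passes a stray `subdomains.txt` operand to wget in front of the gist URL and repeats `$DEBUG_STD`; wget treats the extra word as a second URL (it will try to resolve a host named `subdomains.txt`) and, because `-O` is given, concatenates whatever both fetches return into `$dir/subdomains.txt`. It should be `eval wget -N -c -O $dir/subdomains.txt https://gist.githubusercontent.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw/1bcdf2d61df08e66fd2d63b6a840f02c3a2ae24c/subdomains.txt $DEBUG_STD`, matching the install.sh version of the same download.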
@@ -137,6 +136,22 @@ fi printf "${bblue}\n Updating Golang is finished ${reset}\n" printf "${bgreen}#######################################################################\n" +#Updating Golang Tools +printf "${bgreen}#######################################################################\n" +printf "${bblue} Updating Golang Tools \n" +eval gobin -u $DEBUG_STD +eval GO111MODULE=on go get -v github.com/OWASP/Amass/v3/... $DEBUG_STD +eval GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei $DEBUG_STD +eval GO111MODULE=on go get -v github.com/projectdiscovery/notify/cmd/notify $DEBUG_STD +eval GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpx $DEBUG_STD +eval GO111MODULE=on go get -v github.com/projectdiscovery/dnsx/cmd/dnsx $DEBUG_STD +eval GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder $DEBUG_STD +eval GO111MODULE=on go get -u -v github.com/lc/subjs $DEBUG_STD +eval GO111MODULE=on go get -v github.com/projectdiscovery/shuffledns/cmd/shuffledns $DEBUG_STD +eval GO111MODULE=on go get -v github.com/dwisiswant0/crlfuzz/cmd/crlfuzz $DEBUG_STD +printf "${bblue}\n Updating Golang Tools finished ${reset}\n" +printf "${bgreen}#######################################################################\n" + #stripping all Go binaries eval strip -s $HOME/go/bin/* $DEBUG_STD