Scribd Logo
Upload

Welcome to Scribd!

  • 17 views

    Rec 2

    Uploaded by

    dipanjan
    This document outlines the steps of a bash script for performing reconnaissance on a target domain. It runs various tools like sublist3r, massdns and dirsearch to discover subdomains and directories. It also checks for DNS records like CNAME and identifies potential domain takeovers.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd

    Rec 2

    Uploaded by

    dipanjan
    17 views5 pages
    This document outlines the steps of a bash script for performing reconnaissance on a target domain. It runs various tools like sublist3r, massdns and dirsearch to discover subdomains and directories. It also checks for DNS records like CNAME and identifies potential domain takeovers.

    Original Title

    rec2

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document outlines the steps of a bash script for performing reconnaissance on a target domain. It runs various tools like sublist3r, massdns and dirsearch to discover subdomains and directories. It also checks for DNS records like CNAME and identifies potential domain takeovers.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    17 views5 pages

    Rec 2

    Uploaded by

    dipanjan
    This document outlines the steps of a bash script for performing reconnaissance on a target domain. It runs various tools like sublist3r, massdns and dirsearch to discover subdomains and directories. It also checks for DNS records like CNAME and identifies potential domain takeovers.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    You are on page 1of 5

    #!

    /bin/bash

    echo "Usage: ./lazyrecon.sh -d domain.com [-e]


    [excluded.domain.com,other.domain.com]\nOptions:\n -e\t-\tspecify excluded
    subdomains\n "
    while getopts ":d:e:r:" o; do
    case "${o}" in
    d)
    domain=${OPTARG}
    ;;

    #### working on subdomain exclusion


    e)
    set -f
    IFS=","
    excluded+=($OPTARG)
    unset IFS
    ;;

    r)
    subreport+=("$OPTARG")
    ;;
    *)
    usage
    ;;
    esac
    done
    shift $((OPTIND - 1))

    if [ -z "${domain}" ] && [[ -z ${subreport[@]} ]]; then


    usage; exit 1;
    fi

    todate=$(date +"%Y-%m-%d")
    path=$(pwd)
    foldername=recon-$todate
    main $domain

    red=`tput setaf 1`
    green=`tput setaf 2`
    yellow=`tput setaf 3`
    reset=`tput sgr0`

    if [ -d "./$domain" ]
    then
    echo "This is a known target."
    else
    mkdir ./$domain
    fi

    mkdir ./$domain/$foldername
    mkdir ./$domain/$foldername/aqua_out
    mkdir ./$domain/$foldername/aqua_out/parsedjson
    mkdir ./$domain/$foldername/reports/
    mkdir ./$domain/$foldername/wayback-data/
    mkdir ./$domain/$foldername/screenshots/
    touch ./$domain/$foldername/crtsh.txt
    touch ./$domain/$foldername/mass.txt
    touch ./$domain/$foldername/cnames.txt
    touch ./$domain/$foldername/pos.txt
    touch ./$domain/$foldername/alldomains.txt
    touch ./$domain/$foldername/temp.txt
    touch ./$domain/$foldername/tmp.txt
    touch ./$domain/$foldername/domaintemp.txt
    touch ./$domain/$foldername/ipaddress.txt
    touch ./$domain/$foldername/cleantemp.txt
    # touch ./$domain/$foldername/master_report.html

    mkdir ./$domain/$foldername/thirdlevel/
    mkdir ./$domain/$foldername/scan/
    mkdir ./$domain/$foldername/eyewitness/

    auquatoneThreads=5
    subdomainThreads=10
    dirsearchThreads=50
    dirsearchWordlist=~/tools/dirsearch/db/dicc.txt
    massdnsWordlist=~/tools/SecLists/Discovery/DNS/clean-jhaddix-dns.txt
    chromiumPath=/snap/bin/chromium

    echo "${red}

    ██████╗░░█████╗░░█████╗░████████╗░░░░░░██████╗░███████╗░█████╗░  
    ██╔══██╗██╔══██╗██╔══██╗╚══██╔══╝░░░░░░██╔══██╗██╔════╝██╔══██╗  
    ██████╔╝██║░░██║██║░░██║░░░██║░░░█████╗██████╔╝█████╗░░██║░░╚═╝  
    ██╔══██╗██║░░██║██║░░██║░░░██║░░░╚════╝██╔══██╗██╔══╝░░██║░░██╗  
    ██║░░██║╚█████╔╝╚█████╔╝░░░██║░░░░░░░░░██║░░██║███████╗╚█████╔╝  
    ╚═╝░░╚═╝░╚════╝░░╚════╝░░░░╚═╝░░░░░░░░░╚═╝░░╚═╝╚══════╝░╚════╝░  

    ░██████╗░█████╗░██████╗░██╗██████╗░████████╗
    ██╔════╝██╔══██╗██╔══██╗██║██╔══██╗╚══██╔══╝
    ╚█████╗░██║░░╚═╝██████╔╝██║██████╔╝░░░██║░░░
    ░╚═══██╗██║░░██╗██╔══██╗██║██╔═══╝░░░░██║░░░
    ██████╔╝╚█████╔╝██║░░██║██║██║░░░░░░░░██║░░░
    ╚═════╝░░╚════╝░╚═╝░░╚═╝╚═╝╚═╝░░░░░░░░╚═╝░░░
    ${reset} "

    echo "${green}Recon started on $domain ${reset}"


    echo "${red}SUBFINDER$domain ${reset}"
    echo "Listing subdomains using sublister..."
    subfinder -d $domain -t 10 -v -o ./$domain/$foldername/$domain.txt
    echo "Checking certspotter..."
    curl -s https://certspotter.com/api/v0/certs\?domain\=$domain | jq '.
    [].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep $domain >>
    ./$domain/$foldername/$domain.txt

    echo "{yellow}3rd level subdomain enumuration start"

    cat ./$domain/$foldername/$domain.txt | grep -Po "(\w+\.\w+\.\w+)$" | sort -u >> ./


    $domain/$foldername/$domain.txt

    for dom in $(cat ./$domain/$foldername/$domain.txt)


    do
    subfinder -d $dom | tee -a
    ./$domain/$foldername/thirdlevel/$dom.txt
    chmod 777 ./$domain/$foldername/thirdlevel/$dom.txt
    cat ./$domain/$foldername/thirdlevel/$dom.txt | sort -u
    >> ./$domain/$foldername/subdomains.txt
    done
    echo "{yellow}3rd level subdomain enumuration end"

    #massdns
    echo "{green}DIRECTORY SEARCH START...(MASSDNS) ..."

    echo "Starting dirsearch..."


    cat ./$domain/$foldername/subdomains.txt | xargs -P$subdomainThreads -I % sh -c
    "python3 ~/tools/dirsearch/dirsearch.py -e php,asp,aspx,jsp,html,zip,jar -w
    $dirsearchWordlist -t $dirsearchThreads -u % | grep Target && tput sgr0 &&
    ./lazyrecon.sh -r $domain -r $foldername -r %"

    echo "Starting aquatone scan..."


    cat ./$domain/$foldername/subdomains.txt | aquatone -chrome-path $chromiumPath
    -out ./$domain/$foldername/aqua_out -threads $auquatoneThreads -silent

    echo "Checking http://crt.sh"


    python3 ~/tools/massdns/scripts/ct.py $domain 2>/dev/null >
    ./$domain/$foldername/tmp.txt
    [ -s ./$domain/$foldername/tmp.txt ] && cat ./$domain/$foldername/tmp.txt |
    ~/tools/massdns/bin/massdns -r ~/tools/massdns/lists/resolvers.txt -t A -q -o S -w
    ./$domain/$foldername/crtsh.txt
    cat ./$domain/$foldername/$domain.txt | ~/tools/massdns/bin/massdns -r
    ~/tools/massdns/lists/resolvers.txt -t A -q -o S -w
    ./$domain/$foldername/domaintemp.txt

    echo "Starting Massdns Subdomain discovery this may take a while"


    python3 ~/tools/massdns/scripts/subbrute.py $massdnsWordlist $domain |
    ~/tools/massdns/bin/massdns -r ~/tools/massdns/lists/resolvers.txt -t A -q -o S |
    grep -v 142.54.173.92 > ./$domain/$foldername/mass.txt >/dev/null

    echo "Massdns finished..."

    echo "{green}DIRECTORY SEARCH END...(MASSDNS) ..."

    echo "${green}Started dns records check...${reset}"


    echo "Looking into CNAME Records..."

    cat ./$domain/$foldername/mass.txt >>


    ./$domain/$foldername/temp.txt
    cat ./$domain/$foldername/domaintemp.txt >>
    ./$domain/$foldername/temp.txt
    cat ./$domain/$foldername/crtsh.txt >>
    ./$domain/$foldername/temp.txt

    cat ./$domain/$foldername/temp.txt | awk '{print $3}' | sort -u |


    while read line; do
    wildcard=$(cat ./$domain/$foldername/temp.txt | grep -m 1 $line)
    echo "$wildcard" >> ./$domain/$foldername/cleantemp.txt
    done

    cat ./$domain/$foldername/cleantemp.txt | grep CNAME >>


    ./$domain/$foldername/cnames.txt
    cat ./$domain/$foldername/cnames.txt | sort -u | while read line;
    do
    hostrec=$(echo "$line" | awk '{print $1}')
    if [[ $(host $hostrec | grep NXDOMAIN) != "" ]]
    then
    echo "${red}Check the following domain for NS takeover: $line $
    {reset}"
    echo "$line" >> ./$domain/$foldername/pos.txt
    else
    echo -ne "working on it...\r"
    fi
    done
    sleep 1
    cat ./$domain/$foldername/$domain.txt >
    ./$domain/$foldername/alldomains.txt
    cat ./$domain/$foldername/cleantemp.txt | awk '{print $1}' | while
    read line; do
    x="$line"
    echo "${x%?}" >> ./$domain/$foldername/alldomains.txt
    cat ./$domain/$foldername/alldomains.txt
    >>./$domain/$foldername/subdomains.txt
    done
    sleep 1

    #-------------------------------------
    # xml-rpc checking
    #-------------------------------------

    bash ~/tools/scriptlists/xml_finder.sh

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy