sumrecon.sh
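#!/usr/bin/env bash
# sumrecon.sh — runs a fixed chain of external recon tools against one apex
# domain and writes every result under ./<domain>/recon/.
#
# Usage:    ./sumrecon.sh example.com
# Input:    $1 is a bare domain name (no scheme, no path). The same string
#           names the output directory and is passed as an argument to every
#           tool, so it is validated before anything is created or executed.
# Requires: assetfinder, amass, certspotter, subjack, sublist3r, httprobe,
#           waybackurls, whatweb, nmap, python3 and an EyeWitness.py checkout
#           somewhere on the filesystem.
# Outputs:  progress lines on stdout; result files under <domain>/recon/.

set -u

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Exit unless the named tool resolves to an executable (same test the
# original performed once per tool).
require_tool() {
  local tool=$1
  if [ ! -x "$(command -v "$tool")" ]; then
    die "[-] $tool required to run script"
  fi
}

# Accept only a plain hostname. The value becomes a directory name and a tool
# argument, so a leading '-' would be parsed as an option, and '/' or '..'
# would move the output tree (and the later rm calls) outside ./<domain>.
validate_target() {
  local target=$1
  [[ -n "$target" ]] || die "Usage: ${0##*/} <domain>"
  [[ "$target" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] \
    || die "[-] '$target' is not a bare domain name (letters, digits, '.' and '-' only)"
}

# Create the output tree and the files later stages append to.
# mkdir -p replaces the original chain of "if [ ! -d ]; then mkdir" blocks.
setup_dirs() {
  local base=$1
  mkdir -p -- "$base/recon/3rd-lvls" "$base/recon/scans" \
    "$base/recon/httprobe" "$base/recon/potential_takeovers" \
    "$base/recon/wayback/params" "$base/recon/wayback/extensions" \
    "$base/recon/whatweb" || die "[-] cannot create $base/recon"
  touch -- "$base/recon/httprobe/alive.txt" "$base/recon/final.txt" \
    "$base/recon/3rd-lvl-domains.txt"
}

# Collect subdomains from assetfinder, amass and certspotter into final.txt.
harvest_subdomains() {
  local base=$1
  local tmp="$1/recon/final1.txt"
  echo "[+] Harvesting subdomains with assetfinder..."
  # Double quotes so the domain is actually interpolated (the original
  # single-quoted '.$url' matched the literal text "$url"); -F because '.'
  # in a domain is a literal character, not a regex wildcard.
  assetfinder "$base" | grep -F -- ".$base" | sort -u | tee -a "$tmp"
  echo "[+] Double checking for subdomains with amass and certspotter..."
  amass enum -d "$base" | tee -a "$tmp"
  certspotter | tee -a "$tmp"
  sort -u "$tmp" >> "$base/recon/final.txt"
  rm -f -- "$tmp"
}

# Derive third-level domains from final.txt, fold them back into final.txt,
# then expand each with sublist3r. Reads the list on fd 3 so sublist3r does
# not consume the loop's stdin.
compile_third_level() {
  local base=$1
  local final="$1/recon/final.txt"
  local third="$1/recon/3rd-lvl-domains.txt"
  local domain
  echo "[+] Compiling 3rd lvl domains..."
  grep -Po '(\w+\.\w+\.\w+)$' "$final" | sort -u >> "$third"
  sort -u "$third" | tee -a "$final"
  echo "[+] Harvesting full 3rd lvl domains with sublist3r..."
  while IFS= read -r -u 3 domain; do
    [[ -n "$domain" ]] || continue
    sublist3r -d "$domain" -o "$base/recon/3rd-lvls/$domain.txt"
  done 3< "$third"
}

# Probe final.txt with httprobe and record bare hostnames in alive.txt.
probe_alive() {
  local base=$1
  local alive="$1/recon/httprobe/alive.txt"
  echo "[+] Probing for alive domains..."
  # 's/:443$//' strips the port suffix. The original "tr -d ':443'" deleted
  # every ':', '4' and '3' character from each hostname, corrupting any name
  # that contains those digits.
  sort -u "$base/recon/final.txt" | httprobe -s -p https:443 \
    | sed -e 's/https\?:\/\///' -e 's/:443$//' | sort -u >> "$alive"
}

# Run subjack over the alive hosts; results land in potential_takeovers.txt.
check_takeovers() {
  local base=$1
  local dir="$1/recon/potential_takeovers"
  echo "[+] Checking for possible subdomain takeover..."
  sort -u "$base/recon/final.txt" >> "$dir/domains.txt"
  # The original wrote to potential_takeovers/potential_takeovers/…, a
  # directory that is never created, so subjack's output was lost.
  subjack -w "$base/recon/httprobe/alive.txt" -t 100 -timeout 30 -ssl \
    -c "$HOME/go/src/github.com/haccer/subjack/fingerprints.json" -v 3 \
    > "$dir/potential_takeovers1.txt"
  sort -u "$dir/potential_takeovers1.txt" >> "$dir/potential_takeovers.txt"
  rm -f -- "$dir/potential_takeovers1.txt"
}

# Fingerprint each alive host with whatweb; one directory per host.
# Reads the host list on fd 3 so whatweb does not consume the loop's stdin.
run_whatweb() {
  local base=$1
  local domain out
  echo "[+] Running whatweb on compiled domains..."
  while IFS= read -r -u 3 domain; do
    [[ -n "$domain" ]] || continue
    out="$base/recon/whatweb/$domain"
    mkdir -p -- "$out"
    echo "[*] Pulling plugins data on $domain $(date +'%Y-%m-%d %T') "
    whatweb --info-plugins -t 50 -v "$domain" >> "$out/plugins.txt"; sleep 3
    echo "[*] Running whatweb on $domain $(date +'%Y-%m-%d %T')"
    whatweb -t 50 -v "$domain" >> "$out/output.txt"; sleep 3
  done 3< "$base/recon/httprobe/alive.txt"
}

# Pull archived URLs with waybackurls, extract parameter names, and bucket
# URLs by file extension.
scrape_wayback() {
  local base=$1
  local wb="$1/recon/wayback"
  local line
  echo "[+] Scraping wayback data..."
  waybackurls < "$base/recon/final.txt" | tee -a "$wb/wayback_output1.txt"
  sort -u "$wb/wayback_output1.txt" >> "$wb/wayback_output.txt"
  rm -f -- "$wb/wayback_output1.txt"
  echo "[+] Pulling and compiling all possible params found in wayback data..."
  grep '?*=' "$wb/wayback_output.txt" | cut -d '=' -f 1 | sort -u \
    >> "$wb/params/wayback_params.txt"
  # Echo each parameter name with a trailing '=' (stdout only, as before).
  while IFS= read -r line; do
    printf '%s=\n' "$line"
  done < "$wb/params/wayback_params.txt"
  echo "[+] Pulling and compiling js/php/aspx/jsp/json files from wayback output..."
  # Bucket by the text after the last '.'. The original tested for "html"
  # but wrote to jsp.txt; the banner above lists jsp, so that is what is
  # matched here.
  while IFS= read -r line; do
    case "${line##*.}" in
      js)   printf '%s\n' "$line" | tee -a "$wb/extensions/js.txt" ;;
      jsp)  printf '%s\n' "$line" | tee -a "$wb/extensions/jsp.txt" ;;
      json) printf '%s\n' "$line" | tee -a "$wb/extensions/json.txt" ;;
      php)  printf '%s\n' "$line" | tee -a "$wb/extensions/php.txt" ;;
      aspx) printf '%s\n' "$line" | tee -a "$wb/extensions/aspx.txt" ;;
    esac
  done < "$wb/wayback_output.txt"
}

# Port-scan the alive hosts; nmap writes scanned.txt.{nmap,gnmap,xml}.
scan_ports() {
  local base=$1
  echo "[+] Scanning for open ports..."
  nmap -iL "$base/recon/httprobe/alive.txt" -T4 -oA "$base/recon/scans/scanned.txt"
}

# Print the first EyeWitness.py found on the filesystem, or nothing.
# The original searched the whole filesystem twice (once for 'EyeWitness',
# once for 'EyeWitness.py') and would have passed several paths to python3
# had more than one copy existed. stderr is dropped to hide permission noise.
find_eyewitness() {
  find / -type f -name 'EyeWitness.py' 2>/dev/null | head -n 1
}

# Screenshot the alive hosts with EyeWitness.
run_eyewitness() {
  local base=$1
  local script=$2
  echo "[+] Running eyewitness against all compiled domains..."
  python3 "$script" --web -f "$base/recon/httprobe/alive.txt" \
    -d "$base/recon/eyewitness" --resolve --no-prompt
}

main() {
  local url=${1:-}
  local tool eyewitness
  validate_target "$url"
  for tool in assetfinder amass certspotter subjack sublist3r httprobe \
      waybackurls whatweb nmap python3; do
    require_tool "$tool"
  done
  eyewitness=$(find_eyewitness)
  [[ -n "$eyewitness" ]] || die "[-] Eyewitness required to run script"
  setup_dirs "$url"
  harvest_subdomains "$url"
  compile_third_level "$url"
  probe_alive "$url"
  check_takeovers "$url"
  run_whatweb "$url"
  scrape_wayback "$url"
  scan_ports "$url"
  run_eyewitness "$url" "$eyewitness"
}

main "$@"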