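# ├── README.md
# ├── linkfinder.sh
# ├── relative-url-extract.sh
# ├── secretsfinder.sh
# └── subdomain-enum.sh
#
# /README.md:
# --------------------------------------------------------------------------------
# # My Bug Bounty shell-scripts
# This repo contains scripts I used while doing bug bounty.
#
# 1. relative-url-extract.sh is used with Jobert Abma's [relative url extractor](https://github.com/jobertabma/relative-url-extractor) to recursively look for URLs in JS files. The script just uses a loop.
# 2. linkfinder.sh is used with the [linkfinder](https://github.com/GerbenJavado/LinkFinder) script; it also uses a loop to extract links from the JS files.
# 3. secretsfinder.sh is used with the [secretfinder](https://github.com/m4ll0k/SecretFinder) script; it also uses a loop to extract links from the JS files.
# 4. subdomain-enum.sh was my go-to subdomain enum script when I was a beginner. A good improvement would be scanning more levels of domains, and much more!
# ### Make sure to check and add the tools' paths correctly in your shell scripts, and move them to /usr/bin
#
# --------------------------------------------------------------------------------
# /linkfinder.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Run LinkFinder against every URL listed in a file and print the results.
#
# Usage:     linkfinder.sh <url-list>
# Arguments: $1 - text file with one JavaScript URL per line
# Outputs:   a banner per URL followed by LinkFinder's CLI output, on stdout
# Returns:   2 when the list is missing or unreadable
set -u

if [[ ! -r "${1:-}" ]]; then
  printf 'Usage: %s <url-list>\n' "${0##*/}" >&2
  exit 2
fi

# IFS= and -r keep each line byte-for-byte; the "|| [[ -n ... ]]" part also
# processes a final line that has no trailing newline.
while IFS= read -r url || [[ -n "$url" ]]; do
  [[ -n "$url" ]] || continue
  # The original wrote `echo e`, which printed a literal "e" and an
  # unexpanded "\n\n" instead of two blank lines.
  printf '\n\n --------- URL:  %s -----------\n' "$url"
  # Quoted so that a list entry containing spaces or glob characters reaches
  # LinkFinder as one -i value rather than as extra arguments.
  python3 ~/LinkFinder/linkfinder.py -i "$url" -o cli
done < "$1"

# --------------------------------------------------------------------------------
# /relative-url-extract.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Download every URL listed in a file and pipe each body through
# relative-url-extractor.
#
# Usage:     relative-url-extract.sh <url-list>
# Arguments: $1 - text file with one URL per line
# Outputs:   a banner per URL followed by the extractor's output, on stdout
# Returns:   2 when the list is missing or unreadable
set -u

if [[ ! -r "${1:-}" ]]; then
  printf 'Usage: %s <url-list>\n' "${0##*/}" >&2
  exit 2
fi

while IFS= read -r url || [[ -n "$url" ]]; do
  [[ -n "$url" ]] || continue
  printf '\n\n -----URL:  %s ------\n' "$url"
  # URL lists are often assembled from scraped content, so each entry is
  # handled as data: "--" ends curl's option parsing (an entry that starts
  # with "-" cannot become a curl option) and --proto refuses every scheme
  # except http and https (for example file://).
  # NOTE(review): --url is passed to extract.rb without a value while the
  # body arrives on stdin; kept as in the original - confirm against the
  # extractor's usage.
  curl -s --proto '=http,https' -- "$url" \
    | ruby ~/relative-url-extractor/extract.rb --url
done < "$1"

# --------------------------------------------------------------------------------
# /secretsfinder.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Run SecretFinder against every URL listed in a file.
#
# Usage:     secretsfinder.sh <url-list>
# Arguments: $1 - text file with one JavaScript URL per line
# Outputs:   SecretFinder's CLI output for each URL, on stdout
# Returns:   2 when the list is missing or unreadable
set -u

if [[ ! -r "${1:-}" ]]; then
  printf 'Usage: %s <url-list>\n' "${0##*/}" >&2
  exit 2
fi

while IFS= read -r url || [[ -n "$url" ]]; do
  [[ -n "$url" ]] || continue
  # Quoted so that one list entry is always exactly one -i value.
  python3 ~/SecretFinder/SecretFinder.py -i "$url" -o cli
done < "$1"

# --------------------------------------------------------------------------------
# /subdomain-enum.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Enumerate subdomains of one domain with several tools, merge the results,
# then resolve A and CNAME records for the merged list.
#
# Usage:     subdomain-enum.sh <domain>
# Arguments: $1 - domain to enumerate
# Outputs:   per-tool result files, subdomains.txt, domains.txt and the
#            dnsprobe output, all under targets/<domain>-<timestamp>/
# Returns:   1 when the domain is missing or malformed, or when the output
#            directory cannot be created
#
# The helper scripts are called by relative path and ./ex.sh is taken from the
# current directory, so run this from the directory that holds them: started
# anywhere else it would execute whatever ./ex.sh happens to exist there.
set -u

readonly GREEN='\e[1;32m'
readonly RED='\e[1;31m'
# The original ended every message with "\e[0", which is an incomplete escape
# sequence (the final "m" was missing), so the colour was never reset.
readonly RESET='\e[0m'

# Print message $2 in colour $1, then reset the terminal colour.
say() {
  printf '%b %s %b\n' "$1" "$2" "$RESET"
}

d=$(date +"%b-%d-%y %H:%M")
t=${1:-}

# The original test was `[ $t >& /dev/null -z ]`, which only behaved as
# intended because the malformed test failed silently for a non-empty $t.
if [[ -z "$t" ]]; then
  say "$RED" "Please Specify a domain" >&2
  exit 1
fi

# The domain ends up in a directory name, a URL query string, a regular
# expression and many command lines. Accepting only hostname characters keeps
# "/", whitespace, a leading "-" and regex metacharacters other than "." out
# of all of them.
domain_re='^[A-Za-z0-9_]([A-Za-z0-9._-]*[A-Za-z0-9])?$'
if [[ ! "$t" =~ $domain_re ]]; then
  printf 'Not a valid domain name: %s\n' "$t" >&2
  exit 1
fi

dir="targets/${t}-${d}"
# Escape the dots so that "example.com" does not also match "exampleXcom".
t_re=${t//./\\.}
match_re="(.+)\\.${t_re}"

say "$GREEN" "Recon started on: ${d}"
say "$GREEN" "Buiding Target Directory"
sleep 1
# -p also creates targets/ on a first run. Stop if the directory cannot be
# created, because every later step writes into it.
mkdir -p -- "$dir" || exit 1

say "$GREEN" "Hunting Subdomains!"
sleep 2
# python massdns/scripts/subbrute.py massdns/lists/names.txt $t | massdns/bin/massdns -r massdns/lists/resolvers.txt -t A -o S -w "${dir}"/subbrute-domains.txt
# python3 massdns/scripts/ct.py $t | massdns/bin/massdns -r massdns/lists/resolvers.txt -t A -o S -w "${dir}"/cert-domains.txt
python3 virustotal_subdomain_enum.py "$t" 40 > "${dir}/virustotal-domains.txt"
python3 san_subdomain_enum.py "$t" > "${dir}/sans-domains.txt"
python3 Turbolist3r/turbolist3r.py -d "$t" -t 15 -o "${dir}/turbolister-domains.txt"
python3 github-subdomains.py -d "$t" > "${dir}/github-subdomains.txt"
subfinder -d "$t" > "${dir}/subfinder-domains.txt"
#sublist3r -d $t -t 5 -o "${dir}"/sublister-domains.txt
findomain-linux -t "$t" -u "${dir}/findomain-domains.txt"
anubis -t "$t" -o "${dir}/anubis-domains.txt"
# The URL is quoted so the shell never treats "?" as a glob character. tr
# replaces the original pair of sed calls that turned "," and '"' into
# newlines.
curl -s "https://dns.bufferover.run/dns?q=.${t}" \
  | tr ',"' '\n\n' \
  | grep -E -- "$match_re" \
  | tee "${dir}/bufferoverun-domains.txt"

say "$RED" "Subdomains enumeration complete!"
say "$RED" "Extracting subdomains and ip address!"
sleep 2
#Extract Ips
# egrep -h -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' "${dir}"/subbrute-domains.txt "${dir}"/cert-domains.txt | sort -u > "${dir}"/ips.txt
#Extract domains
#egrep -h -i -o '(.+)\.%s' "${dir}"/subbrute-domains.txt "${dir}"/cert-domains.txt "${dir}"/findomain-domains.txt "${dir}/anubis-domains.txt" | grep -v 'CNAME' > "${dir}"/subdomains.txt

merged="${dir}/subdomains.txt"
# Make sure the merged file exists even when every source came back empty.
: >> "$merged"

# These three files are merged whole; a tool that produced no file is skipped.
for f in bufferoverun-domains.txt turbolister-domains.txt github-subdomains.txt; do
  if [[ -r "${dir}/${f}" ]]; then
    cat -- "${dir}/${f}" >> "$merged"
  fi
done

# Only lines that contain a subdomain of the target are taken from these
# files. The original pattern was the single-quoted '(.+)\.${t}', in which
# ${t} was never expanded, so these results never reached subdomains.txt.
for f in virustotal-domains.txt sans-domains.txt subfinder-domains.txt; do
  if [[ -r "${dir}/${f}" ]]; then
    grep -E -- "$match_re" "${dir}/${f}" >> "$merged"
  fi
done
# NOTE(review): findomain-domains.txt and anubis-domains.txt are written above
# but are not merged here; only the commented-out egrep line referenced them.

# NOTE(review): the character between the first two slashes was a literal
# control character in the original and did not survive extraction; a
# carriage return is assumed - confirm.
sed -i 's/\r/\n/g' "$merged"
sort -u "$merged" >> "${dir}/domains.txt"

echo 'Extracting More assest if there'
# ex.sh is not among the files listed for this repo and is resolved against
# the current directory, so it runs only when it is actually present there.
if [[ -x ./ex.sh ]]; then
  ./ex.sh "$t" "${dir}/domains.txt"
else
  printf 'ex.sh not found in the current directory, skipping\n' >&2
fi
sleep 3

say "$RED" "Probing A and CNAMEs for the domains"
sleep 3
dnsprobe -r A -o "${dir}/dnsprobe-A.txt" < "${dir}/domains.txt"
dnsprobe -r CNAME -o "${dir}/dnsprobe-CNAME.txt" < "${dir}/domains.txt"

say "$RED" "Recon Done Boss!"
# --------------------------------------------------------------------------------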