├── README.md
├── asub.png
└── subsurface.sh

/README.md:
--------------------------------------------------------------------------------
# subsurface

![we all live in a nuclear submarine...](asub.png)

A domain recon tool capable of finding subdomains and subnets and then harvesting HTTP screenshots and whois data about them.

## Usage

Subsurface has two modes. In the default mode it enumerates subdomains, pulls a whois record for each, probes them for live HTTP servers and screenshots those. To use this just type:
```{bash}
$ ./subsurface.sh fbi.gov
```
This will write results into a new `./fbi.gov` directory in the current directory: `subdomains/` holds the merged subdomain list and the live hosts, `info/` the whois records, `ips/` the subnet ranges and live IPs, and `captures/` the screenshots.

In the other mode subsurface also enumerates the subnets that the identified subdomains belong to (taken from the whois records of their IP addresses), scans those subnets for live hosts, and adds every live host to the list that is probed for HTTP servers and screenshotted. To do this just add the `-subnet` flag as the second argument:
```{bash}
$ ./subsurface.sh cia.gov -subnet
```
Scanning whole registry ranges takes a long time and will touch hosts that may not belong to the target, so check that the ranges are in scope before using this mode.

## Installation

Before you can run subsurface you will need to make sure that you have the following programs installed and available via your `PATH` environment variable.

* subfinder
* amass
* assetfinder
* sublist3r (currently commented out in the script)
* httprobe (the script calls it as `httprobe-bin`)
* gowitness
* fping
* whois
* dig (from the BIND utilities)

## Problems and Contributions

If you have noticed any bugs or wish to contribute to the project, by all means open an issue or pull request respectively and I'll be sure to take a look!
Any help with this project is quite welcome.
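The subdomain lists that subfinder, amass and assetfinder emit are merged and then cut down to the target domain. A plain substring match on the domain keeps out-of-scope names such as `notfbi.gov` or `fbi.gov.example`, so the filter has to be anchored. The function below is an added example of such a scope filter, written for this page and not part of subsurface; the sample input is constructed and the function and variable names are assumptions.

```bash
#!/bin/bash
# Added example, not part of subsurface: keep only names that are the target
# domain itself or one of its subdomains. A plain `grep fbi.gov` would also
# match "notfbi.gov" and "fbi.gov.example", so the match is anchored instead.

# Escape the dots of a literal domain so it can be used inside an ERE.
escape_re() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# in_scope DOMAIN  < candidates  > filtered
# Lowercases, strips trailing whitespace and a trailing dot, drops lines that
# are not hostnames at all (tool banners, "[*]" progress lines) and dedupes.
in_scope() {
  local re
  re="(^|\\.)$(escape_re "$(printf '%s' "$1" | tr 'A-Z' 'a-z')")\$"
  tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]*$//' -e 's/\.$//' \
    | grep -E '^[a-z0-9.-]+$' \
    | grep -E "$re" \
    | sort -u
}

# Constructed sample: the kind of mixed output the enumeration tools produce.
sample='www.fbi.gov
[*] amass banner line
tips.FBI.gov.
notfbi.gov
fbi.gov.evil.example
fbi.gov
www.fbi.gov
api.fbi.gov'

# Number of in-scope names left for DOMAIN after filtering the sample.
count_in_scope() {
  printf '%s\n' "$sample" | in_scope "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$sample" | in_scope fbi.gov
```

For the sample above `in_scope fbi.gov` keeps `api.fbi.gov`, `fbi.gov`, `tips.fbi.gov` and `www.fbi.gov` and rejects the banner line, `notfbi.gov` and `fbi.gov.evil.example`; the same pipeline can replace the `grep $domain | sort -u` step in the script.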
--------------------------------------------------------------------------------
/asub.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CellEight/subsurface/77f60bc8d9f8f9fbe11471d005d20352d7f5f4b6/asub.png
--------------------------------------------------------------------------------
/subsurface.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# subsurface.sh <domain> [-subnet]

test_make_dir(){
    if [ ! -d "$1" ]; then
        mkdir -p "$1"
    fi
}

# parse/validate arguments here
if [ -z "${1:-}" ]; then
    echo "[!] Please enter a domain."
    echo "[*] Usage: subsurface.sh <domain> [-subnet]"
    exit 1
fi

# Create output folder structure if not already extant
domain=$1
ips=$domain/ips
subdomains=$domain/subdomains
info=$domain/info
captures=$domain/captures
test_make_dir "$domain"
test_make_dir "$ips"
test_make_dir "$subdomains"
test_make_dir "$info"
test_make_dir "$captures"
subdomains_temp=$subdomains/temp.txt
subdomains_file=$subdomains/subdomains.txt
live_subdomains_file=$subdomains/live.txt

# Enumerate subdomains using subfinder, amass and assetfinder (sublist3r and more to follow)
echo "[*] Enumerating subdomains of $domain"
subfinder -d "$domain" > "$subdomains_temp"
amass enum -d "$domain" >> "$subdomains_temp"
assetfinder "$domain" >> "$subdomains_temp"
#sublist3r -d "$domain" >> "$subdomains_temp"

# filter out any out of scope domains, duplicates or stdio junk from the tools.
# The match is anchored so that names like "notfbi.gov" or "fbi.gov.example"
# are not kept as in scope.
domain_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
grep -E "(^|\.)${domain_re}$" "$subdomains_temp" | sort -u > "$subdomains_file"
rm "$subdomains_temp"

# List discovered domains
numdomains=$(wc -l < "$subdomains_file")
echo "[*] Found $numdomains subdomains."
cat "$subdomains_file"

# perform whois lookup
while read -r subdomain; do
    whois "$subdomain" > "$info/${subdomain}.txt"
done < "$subdomains_file"

# if the -subnet flag is set get the CIDR subnet ranges from whois pulls and add all live ips to the list of targets
if [ "${2:-}" = "-subnet" ]; then
    echo "[%] Be forewarned, THIS WILL TAKE AGES, I advise going for a walk/having a nap..."
    subnet_ranges_temp=$ips/subnet_ranges_temp.txt
    : > "$subnet_ranges_temp"
    while read -r subdomain; do
        # dig +short may return CNAMEs and several addresses; whois the first A record only
        ip=$(dig +short "$subdomain" A | grep -E '^[0-9.]+$' | head -n 1)
        [ -n "$ip" ] || continue
        # Keep only CIDR-shaped values: RIPE-style "inetnum: a - b" lines are ranges,
        # and their last field would be a bare address that fping -g cannot expand.
        whois "$ip" 2>/dev/null | grep -E -e '^CIDR:' -e '^inetnum:' \
            | awk '{print $NF}' | grep '/' | tee -a "$subnet_ranges_temp"
    done < "$subdomains_file"
    sort -u "$subnet_ranges_temp" > "$ips/subnet_ranges.txt"
    rm "$subnet_ranges_temp"
    while read -r subnet_range; do
        subnet_ip=$(echo "$subnet_range" | cut -d '/' -f 1)
        subnet_cidr=$(echo "$subnet_range" | cut -d '/' -f 2)
        whois "$subnet_ip" 2>/dev/null > "$info/${subnet_ip}-${subnet_cidr}.txt"
        fping -a -g "$subnet_range" 2>/dev/null >> "$ips/live_ips.txt"
    done < "$ips/subnet_ranges.txt"
    cat "$ips/live_ips.txt" >> "$subdomains_file"
fi

# Probe hosts for live http servers (httprobe's default 80/443 plus 8080/8443)
echo "[*] Checking to see which hosts are serving websites"
httprobe-bin -p http:8080,https:8443 < "$subdomains_file" > "$live_subdomains_file"
numalive=$(wc -l < "$live_subdomains_file")
echo "[*] Found $numalive live hosts."

# Grab screen shots from all live hosts
echo "[*] Gathering screen captures from live hosts."
gowitness file -f "$live_subdomains_file" -t 50 -P "$captures"
echo "[*] Done, captures can be found in $captures"

# probably should delete the database but can mess with other instances of the script
# maybe add a check that there are no open handles to it?
#rm gowitness.sqlite3

--------------------------------------------------------------------------------