├── LICENSE ├── README.md └── lilly.sh /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 me_dheeraj 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Last updated on 2020/12/29 4 | 5 | ## Introduction 6 | 7 | **Lilly** 8 | Tool to find the real IP behind CDNs/WAFs such as Cloudflare using passive recon, by retrieving the favicon hash. For the same hash value, all matching IPs, ports and SSL/TLS certificates are searched so that each candidate can be validated against the in-scope target; a favicon hash match alone does not show that a host belongs to the target.
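9 | 10 | ## Usage 11 | ``` 12 | root@me_dheeraj:$ bash lilly.sh 13 | [-] Argument: -d/--domain target.com -a/--api Required 14 | 15 | Usage: ./lilly.sh -d/--domain target.com -a/--api premium_api 16 | 17 | Output will be saved in output/target.com-YYYY-MM-DD directory 18 | ``` 19 | ##### Prerequisites 20 | - python3 21 | - jq 22 | - pip3 install shodan 23 | - pip3 install mmh3 24 | - Shodan Member Account & API 25 | - httpx [@pdiscoveryio](https://github.com/projectdiscovery/httpx) 26 | - Multi-Threading interlace - [@codingo](https://github.com/codingo/Interlace) 27 | 28 | 29 | ## Tool of the week 30 | https://blog.intigriti.com/2021/01/06/bug-bytes-104-cache-poisoning-dos-burp-themes-a-couple-of-facebook-account-takeovers/ 31 | -------------------------------------------------------------------------------- /lilly.sh: --------------------------------------------------------------------------------
#!/bin/bash
# lilly.sh - look up hosts that serve the same favicon as a target domain.
#
# Usage:  ./lilly.sh -d/--domain target.com -a/--api premium_api
# Output: files under output/<domain>-<YYYY-MM-DD>/
#
# Requires on PATH: curl, jq, httpx, python3 (with the mmh3 module), shodan,
# interlace. The README lists ProjectDiscovery's httpx; another program with
# the same name on PATH would not accept the flags used below.
#
# NOTE(review): the Shodan key is taken from the command line, so it is
# visible in the process list and in shell history while the script runs.

red="\e[31m"
green="\e[32m"
yellow="\e[33m"
end="\e[0m"

# Print the usage banner and stop with status 1.
Usage() {
  echo -e "${green}
Usage: ./lilly.sh -d/--domain target.com -a/--api premium_api
${end}"
  exit 1
}

#######################################
# Enumerate subdomains of the target, hash each reachable favicon, query
# Shodan for every hash and record the certificates the returned hosts serve.
# Globals:   target (read), shodan_api (read)
# Outputs:   alive.txt, favicon_urls.txt, hash.txt, favicon_hash.txt,
#            favicon_ips.txt and all_certs.txt in output/<target>-<date>/
# Returns:   exits 1 on a missing prerequisite or setup failure, 0 when
#            there is nothing to look up
#######################################
shodan_ip() {
  local folder target_re tool base_url icon_url status icon_hash fav_hash

  # Fail early instead of producing empty result files further down.
  for tool in curl jq httpx python3 shodan interlace; do
    command -v "$tool" >/dev/null || {
      echo -e "${red}[-]${end} Missing prerequisite: ${tool}"
      exit 1
    }
  done
  python3 -c 'import mmh3' 2>/dev/null || {
    echo -e "${red}[-]${end} Missing prerequisite: python3 module mmh3"
    exit 1
  }

  shodan init "$shodan_api" || exit 1

  folder="${target}-$(date -I)"
  mkdir -p -- "output/${folder}" || exit 1
  cd -- "output/${folder}" || exit 1

  echo -e ">> \e[36mSubdomain Enum\e[0m is in progress"
  # CRT.SH
  # Certificate names come from a third party. Only whole lines that are the
  # target itself or one of its subdomains are kept, so out-of-scope names and
  # names carrying shell or URL metacharacters never reach the later steps.
  target_re=${target//./\\.}
  curl -s "https://crt.sh/?q=%25.${target}&output=json" \
    | jq -r '.[].name_value' 2>/dev/null \
    | sed 's/\*\.//g' \
    | sort -u \
    | grep -E -x -- "([A-Za-z0-9_-]+\.)*${target_re}" \
    | httpx -threads 100 -silent \
    | tee alive.txt
  echo -e ">> \e[36mDONE\e[0m"

  echo -e ">> \e[36mFavicon Hash\e[0m is in progress"
  # Each URL is handed to curl as one quoted argument. The earlier
  # `xargs ... bash -c "...%%..."` form pasted the URL into a shell command
  # line, which let a crafted name run as code.
  : > favicon_urls.txt
  while IFS= read -r base_url; do
    # httpx prints URLs; skip anything else so curl cannot read it as an option.
    [[ "$base_url" == http://* || "$base_url" == https://* ]] || continue
    icon_url="${base_url}/favicon.ico"
    # -k: certificate verification is off, so the response is unauthenticated.
    status=$(curl -k -s -o /dev/null -w '%{http_code}' -X GET "$icon_url")
    # Compare the status code itself; grepping the line for 200 also matched
    # URLs that merely contain "200".
    if [[ "$status" == "200" ]]; then
      printf '%s %s\n' "$icon_url" "$status" >> favicon_urls.txt
    fi
  done < alive.txt

  # hash.txt keeps the original layout: a URL line followed by its hash line.
  : > hash.txt
  while read -r icon_url _; do
    [[ -n "$icon_url" ]] || continue
    icon_hash=$(
      curl -s -L -k "$icon_url" \
        | python3 -c 'import mmh3,sys,codecs; print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),"base64")))'
    )
    # Only a plain integer may go into the Shodan query below.
    [[ "$icon_hash" =~ ^-?[0-9]+$ ]] || continue
    printf '%s\n%s\n' "$icon_url" "$icon_hash" >> hash.txt
  done < favicon_urls.txt

  # Hash 0 is what an empty response body produces; duplicates would only
  # spend extra API credits.
  awk 'NR % 2 == 0' hash.txt | grep -v '^0$' | sort -u | tee favicon_hash.txt

  if [[ ! -s favicon_hash.txt ]]; then
    echo -e ">> \e[36mNo hash found on /favicon.ico\e[0m"
    exit 0
  fi

  # Append per hash; writing with '>' inside the loop kept only the results
  # of the last hash.
  : > favicon_ips.txt
  while IFS= read -r fav_hash; do
    shodan search "http.favicon.hash:${fav_hash}" --fields ip_str,port --separator " " \
      | grep -v 'Error' \
      | awk '{print $1 ":" $2}' >> favicon_ips.txt
  done < favicon_hash.txt
  echo -e ">> \e[36mLilly ${yellow}[Alert]${end}: shodan API credits used: $(wc -l < favicon_hash.txt)"

  if [[ ! -s favicon_ips.txt ]]; then
    echo -e ">> \e[36mNo IPs found \e[0m"
    exit 0
  fi

  # interlace substitutes each input line into a shell command, so only lines
  # shaped like address:port are let through.
  # --insecure: the request goes to a bare IP, where the certificate name would
  # normally not match; the subject and issuer lines are what gets recorded.
  grep -E '^[0-9A-Fa-f.][0-9A-Fa-f.:]*:[0-9]+$' favicon_ips.txt \
    | httpx -threads 500 -silent \
    | interlace -threads 100 -c "echo _target_; curl --insecure -v _target_ 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'" --silent \
    | grep -E 'https://|CN=|issuer: ' \
    | tee all_certs.txt
}

target=False
shodan_api=False

while (( $# > 0 )); do
  case "$1" in
    -d | --domain)
      (( $# >= 2 )) || {
        echo -e "${red}[-]${end} Argument: -d/--domain target.com -a/--api Required"
        Usage
      }
      target=$2
      shift
      ;;
    -a | --api)
      (( $# >= 2 )) || {
        echo -e "${red}[-]${end} Argument: -d/--domain target.com -a/--api Required"
        Usage
      }
      shodan_api=$2
      shift
      ;;
    *)
      printf '%b[-]%b %s\n' "$red" "$end" "Unknown Option: $1"
      Usage
      ;;
  esac
  shift
done

# Both options are required; the earlier '&&' test only fired when both were
# missing, so a run with just one of them went ahead with the literal "False".
if [[ "$target" == "False" || "$shodan_api" == "False" || -z "$target" || -z "$shodan_api" ]]; then
  echo -e "${red}[-]${end} Argument: -d/--domain target.com -a/--api Required"
  Usage
fi

# The domain ends up in a directory name, a URL and a regular expression, so
# it is restricted to hostname characters (no '/', no leading '.' or '-').
domain_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$target" =~ $domain_re ]]; then
  printf '%b[-]%b %s\n' "$red" "$end" "Invalid domain: $target"
  Usage
fi

# Subshell: the cd into the output directory does not outlive the run.
(
  shodan_ip
)
--------------------------------------------------------------------------------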