├── .github
│   └── ISSUE_TEMPLATE
│       └── --------------------feature-request-.md
├── .gitignore
├── .token
├── KARMA_V2.pdf
├── README.md
├── img
│   ├── README.md
│   ├── karma_v2_help.png
│   ├── karma_v2_logo.png
│   ├── shodan osint recon.png
│   └── shodan_osint_manual_recon.txt
├── install.sh
└── karma_v2

/.github/ISSUE_TEMPLATE/--------------------feature-request-.md:
--------------------------------------------------------------------------------
---
name: "⡷⠂\U0001D694\U0001D68A\U0001D69B\U0001D696\U0001D68A \U0001D69F\U0001D7F8⠐⢾
  Feature request "
about: Suggest an (idea, dorks, workflow, platform like shodan, unique technique,
  ...) for this project
title: ''
labels: ''
assignees: ''

---

**Request to add more DORKS, please write it down :**
* [ Your dork must be unique, validate from the list "https://github.com/Dheerajmadhukar/karma_v2/blob/main/README.md". Please make sure the DORK must be very specific to vendor/leak/vuln/cve etc. ]

**Any other OSINT platform like `shodan` you want to suggest:**
* [ Please describe why and share some example dorks or article or reference for the same. ]

**Is your feature request related to a problem? Please describe.**
* [ A clear and concise description of what the problem is. Ex. I'm always frustrated when ... ]

**Describe the solution you'd like**
* [ A clear and concise description of what you want to happen. ]

**Describe alternatives you've considered**
* [ A clear and concise description of any alternative solutions or features you've considered. ]

**Additional context**
* [ Add any other context or screenshots about the feature request here. ]

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.token

--------------------------------------------------------------------------------
/.token:
--------------------------------------------------------------------------------
SHODAN_PREMIUM_API_KEY

--------------------------------------------------------------------------------
/KARMA_V2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dheerajmadhukar/karma_v2/2e893cb2981f80a40dc474fd4e0306e851f38000/KARMA_V2.pdf

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ⡷⠂𝚔𝚊𝚛𝚖𝚊 𝚟𝟸⠐⢾

𝚔𝚊𝚛𝚖𝚊 𝚟𝟸 is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework)

![Follow on Twitter](https://img.shields.io/twitter/follow/Dheerajmadhukar?style=social) [![Version](https://img.shields.io/badge/Release-%E2%A1%B7%E2%A0%82%F0%9D%9A%94%F0%9D%9A%8A%F0%9D%9A%9B%F0%9D%9A%96%F0%9D%9A%8A%20%F0%9D%9A%9F%F0%9D%9F%B8%E2%A0%90%E2%A2%BE-white.svg)]() [![Build](https://img.shields.io/badge/Supported_OS-Linux-white.svg)]() [![Build](https://img.shields.io/badge/Supported_WSL-Windows-white.svg)]() [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.me/dheerajkmadhukar)

𝚔𝚊𝚛𝚖𝚊 𝚟𝟸 can be used by infosec researchers, penetration testers and bug hunters to find deep information, more assets, WAF/CDN bypassed IPs, internal/external infra, publicly exposed leaks and much more about their target. A Shodan Premium API key is required to use this automation. Output from 𝚔𝚊𝚛𝚖𝚊 𝚟𝟸 is displayed on screen and saved to files/directories.

ℹ Regarding the Premium Shodan API, please see the Shodan site for more information.

Shodan website: [Shodan Website](https://shodan.io)
API : [Developer API](https://developer.shodan.io/api)

## Features
- Powerful and flexible results via Shodan Dorks
- SSL SHA1 checksum/fingerprint Search
- Only hit In-Scope IPs
- Verify each IP with SSL/TLS certificate issuer match RegEx
- Provide Out-Of-Scope IPs
- Find out all ports including well known/uncommon/dynamic
- Grab all targets vulnerabilities related to CVEs
- Banner grab for each IP, Product, OS, Services & Org etc.
- Grab favicon Icons
- Generate Favicon Hash using python3 mmh3 Module
- Favicon Technology Detection using nuclei custom template
- ASN Scan
- BGP Neighbour
- IPv4 & IPv6 Prefixes for ASN
- **Interesting Leaks like Indexing, NDMP, SMB, Login, SignUp, OAuth, SSO, Status 401/403/500, VPN, Citrix, Jfrog, Dashboards, OpenFire, Control Panels, Wordpress, Laravel, Jetty, S3 Buckets, Cloudfront, Jenkins, Kubernetes, Node Exports, Grafana, RabbitMQ, Containers, GitLab, MongoDB, Elastic, FTP anonymous, Memcached, DNS Recursion, Kibana, Prometheus, Default Passwords, Protected Objects, Moodle, Spring Boot, Django, Jira, Ruby, Secret Key and many more...**

## Installation
### 1. Clone the repo
```bash
# git clone https://github.com/Dheerajmadhukar/karma_v2.git
```
### 2. Install shodan & mmh3 python module
```bash
# python3 -m pip install shodan mmh3
```
### 3. Install JSON Parser [JQ]
```bash
# apt install jq -y
```
### 4. Install httprobe [@tomnomnom](https://github.com/tomnomnom/httprobe) to probe the requests
```bash
# go install -v github.com/tomnomnom/httprobe@master
```
### 5. Install Interlace [@codingo](https://github.com/codingo/Interlace.git) to multithread [Follow the codingo interlace repo instructions]
```bash
# git clone https://github.com/codingo/Interlace.git
```
### 6. Install nuclei [@projectdiscovery](https://github.com/projectdiscovery/nuclei)
```bash
# go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
```
### 7. Install lolcat
```bash
# apt install lolcat -y
```
### 8. Install anew
```bash
# go install -v github.com/tomnomnom/anew@master
```

## Ok, how do I use it?
```bash
# cat > .token
SHODAN_PREMIUM_API_HERE
```

## Usage
You can use this command to check help:
```bash
$ bash karma_v2 -h
```

## MODEs
| **MODE** | **Examples** |
|:-------------|:----------------|
|**-ip**|``` bash karma_v2 -d -l -ip```|
|**-asn**|``` bash karma_v2 -d -l -asn```|
|**-cve**|``` bash karma_v2 -d -l -cve```|
|**-cveid**|``` bash karma_v2 -d -l -cveid CVE-2021-34473```|
|**-favicon**|``` bash karma_v2 -d -l -favicon```|
|**-leaks**|``` bash karma_v2 -d -l -leaks```|
|**-deep**|``` bash karma_v2 -d -l -deep```|
|**-count**|``` bash karma_v2 -d -l -count```|


## Demo

- karma_v2 [mode -ip]
[![asciicast](https://asciinema.org/a/1aKFM3oyQZ14t9H8V0qjp2lUV.svg)](https://asciinema.org/a/1aKFM3oyQZ14t9H8V0qjp2lUV?t=25&speed=5&theme=tango)

---

- karma_v2 [mode -asn]
[![asciicast](https://asciinema.org/a/0RcsIp6f6xxX81JmEHvvlepBT.svg)](https://asciinema.org/a/0RcsIp6f6xxX81JmEHvvlepBT?t=25&speed=5&theme=tango)

---

- karma_v2 [mode -cve]
[![asciicast](https://asciinema.org/a/4Ri9FW97qnVV37v3Mb2mNTKz8.svg)](https://asciinema.org/a/4Ri9FW97qnVV37v3Mb2mNTKz8?t=25&speed=5&theme=tango)

---

- karma_v2 [mode -favicon]
[![asciicast](https://asciinema.org/a/6bnPXhwacmCOanRRsdNIA1rs4.svg)](https://asciinema.org/a/6bnPXhwacmCOanRRsdNIA1rs4?t=25&speed=5&theme=tango)

---

- karma_v2 [mode -leaks]

[![asciicast](https://asciinema.org/a/433322.svg)](https://asciinema.org/a/433322?t=25&speed=10&theme=tango)

---

- karma_v2 [mode -deep]

**`-deep` supports all the above modes e.g. -count,-ip,-asn,-favicon,-cve,-leaks !**

---

# Output
```bash
output/bugcrowd.com-YYYY-MM-DD/

.
├── ASNs_Detailed_bugcrowd.com.txt
├── Collect
│   ├── host_domain_domain.tld.json.gz
│   ├── ssl_SHA1_12289a814...83029f8944b6088d60204a92e_domain.tld.json.gz
│   ├── ssl_SHA1_17537bf84...73cb1d684a495db7ea5aa611b_domain.tld.json.gz
│   ├── ssl_SHA1_198d6d4ec...681b77585190078b07b37c5e1_domain.tld.json.gz
│   ├── ssl_SHA1_26a9c5618...d60eae2947b42263e154d203f_domain.tld.json.gz
│   ├── ssl_SHA1_3da3825a2...3b852a42470410183adc3b9ee_domain.tld.json.gz
│   ├── ssl_SHA1_4d0eab730...68cf11d2db94cc2454c906532_domain.tld.json.gz
│   ├── ssl_SHA1_8907dab4c...12fdbdd6c445a4a8152f6b7b7_domain.tld.json.gz
│   ├── ssl_SHA1_9a9b99eba...5dc5106cea745a591bf96b044_domain.tld.json.gz
│   ├── ssl_SHA1_a7c14d201...b6fd4bc4e95ab2897e6a0bsfd_domain.tld.json.gz
│   ├── ssl_SHA1_a90f4ddb0...85780bdb06de83fefdc8a612d_domain.tld.json.gz
│   ├── ssl_domain_domain.tld.json.gz
│   ├── ssl_subjectCN_domain.tld.json.gz
│   └── ssl_subject_domain.tld.json.gz
|   └── . . .
├── IP_VULNS
│   ├── 104.x.x.x.json.gz
│   ├── 107.x.x.x.json.gz
│   ├── 107.x.x.x.json.gz
│   └── 99.x.x.x.json.gz
|   └── . . .
├── favicons_domain.tld.txt
├── host_enum_domain.tld.txt
├── ips_inscope_domain.tld.txt
├── main_domain.tld.data
├── . . .
```



## karma_v2 Newly Added Shodan Dorks

- SonarQube
- Apache hadoop node
- Directory Listing
- Oracle Business intelligence
- Oracle Web Login
- Docker Exec
- Apache Status
- Apache-Coyote/1.1 Tomcat-5.5
- Swagger UI
- H-SPHERE
- Splunk
- JBoss
- phpinfo
- ID_VC
- Confluence
- TIBCO_Jaspersoft
- Shipyard_Docker_management
- Symfony PHP info AWS creds
- Ignored-by_CDNs
- Django_Exposed
- Cluster_Node_etcd
- SAP_NetWeaver_Application

# 𝚔𝚊𝚛𝚖𝚊 𝚟𝟸 Supported Shodan Dorks
| **DORKs** | **DORKs** | **DORKs** |
|:-------------|:----------------|:----------------|
| **`ssl.cert.fingerprint`** | **`http.status:"302" oauth`** | **`"Server: Jetty"`** |
| **`ssl`** | **`http.status:"302" sso`** | **`X-Amz-Bucket-Region`** |
| **`org`** | **`title:"401 Authorization Required"`** | **`"development" org:"Amazon.com"`** |
| **`hostname`** | **`http.html:"403 Forbidden"`** | **`"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Jenkins [Jenkins]"`** |
| **`ssl.cert.issuer.cn`** | **`http.html:"500 Internal Server Error"`** | **`http.favicon.hash:81586312 200`** |
| **`ssl.cert.subject.cn`** | **`ssl.cert.subject.cn:*vpn*`** | **`product:"Kubernetes" port:"10250, 2379"`** |
| **`ssl.cert.expired:true`** | **`title:"citrix gateway"`** | **`port:"9100" http.title:"Node Exporter"`** |
| **`ssl.cert.subject.commonName`** | **`http.html:"JFrog"`** | **`http.title:"Grafana"`** |
| **`http.title:"Index of /"`** | **`"X-Jfrog"`** | **`http.title:"RabbitMQ"`** |
| **`ftp port:"10000"`** | **`http.title:"dashboard"`** | **`HTTP/1.1 307 Temporary Redirect "Location: /containers"`** |
| **`"Authentication: disabled" port:445 product:"Samba"`** | **`http.title:"Openfire Admin Console"`** | **`http.favicon.hash:1278323681`** |
| **`title:"Login - Adminer"`** | **`http.title:"control panel"`** | **`"MongoDB Server Information" port:27017 -authentication`** |
| **`http.title:"sign up"`** | **`http.html:"* The wp-config.php creation script uses this file"`** | **`port:"9200" all:"elastic indices"`** |
| **`http.title:"LogIn"`** | **`clockwork`** | **`"220" "230 Login successful." port:21`** |
| **`port:"11211" product:"Memcached"`** | **`"port: 53" Recursion: Enabled`** | **`title:"kibana"`** |
| **`port:9090 http.title:"Prometheus Time Series Collection and Processing Server"`** | **`"default password"`** | **`title:protected`** |
| **`http.component:Moodle`** | **`http.favicon.hash:116323821`** | **`html:"/login/?next=" title:"Django"`** |
| **`html:"/admin/login/?next=" title:"Django"`** | **`title:"system dashboard" html:jira`** | **`http.component:ruby port:3000`** |
| **`html:"secret_key_base"`** | **`I will add more soon`** | **`. . .`** |


# 𝚔𝚊𝚛𝚖𝚊 𝚟𝟸 Newly Added Shodan Dorks
| **DORKs** | **DORKs** | **DORKs** |
|:-------------|:----------------|:----------------|
| **`"netweaver"`** | **`port:"2379" product:"etcd"`** | **`http.title:"DisallowedHost"`** |
| **`ssl:"${target}" "-AkamaiGHost" "-GHost"`** | **`ssl:"${target}" "-Cloudflare"`** | **`ssl:"${target}" "-Cloudfront"`** |
| **`"X-Debug-Token-Link" port:443`** | **`http.title:"shipyard" HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 5664`** | **`http.title:"TIBCO Jaspersoft:" port:"443" "1970"`** |
| **`"Confluence"`** | **`http.title:"SonarQube"`** | **`html:"jmx?qry=Hadoop:*"`** |
| **`http.title:"Directory Listing"`** | **`http.title:"H-SPHERE"`** | **`http.title:"Swagger UI - "`** |
| **`Server: Apache-Coyote/1.1 Tomcat-5.5`** | **`port:2375 product:"Docker"`** | **`http.title:"phpinfo()"`** |
| **`http.title:"ID_VC_Welcome"`** | **`"x-powered-by" "jboss"`** | **`jboss http.favicon.hash:-656811182`** |
| **`http.title:"Welcome to JBoss"`** | **`port:"8089, 8000" "splunkd"`** | **`http.favicon.hash:-316785925`** |
| **`title:"splunkd" org:"Amazon.com"`** | **`http.title:"oracle business intelligence sign in"`** | **`http.title:"Oracle WebLogic Server Administration Console"`** |
| **`http.title:"Apache Status"`** | **`I will add more soon`** | **`. . .`** |


## Support
If you like `⡷⠂𝚔𝚊𝚛𝚖𝚊 𝚟𝟸⠐⢾` and it helps you in work, money/bounty, pentesting, recon or just brings you happy feelings, please show your support !
:stop_sign: **Please avoid opening GitHub issues for support requests or questions!**
buy me a beer to keep me powered :)

--------------------------------------------------------------------------------
/img/README.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/img/karma_v2_help.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dheerajmadhukar/karma_v2/2e893cb2981f80a40dc474fd4e0306e851f38000/img/karma_v2_help.png

--------------------------------------------------------------------------------
/img/karma_v2_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dheerajmadhukar/karma_v2/2e893cb2981f80a40dc474fd4e0306e851f38000/img/karma_v2_logo.png

--------------------------------------------------------------------------------
/img/shodan osint recon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dheerajmadhukar/karma_v2/2e893cb2981f80a40dc474fd4e0306e851f38000/img/shodan osint recon.png

--------------------------------------------------------------------------------
/img/shodan_osint_manual_recon.txt:
--------------------------------------------------------------------------------
#SHODAN OSINT RECON #BUGBOUNTY
ssl.cert.fingerprint:"${target}"
ssl:"${target}"
org:"${target}"
hostname:"${target}"
ssl.cert.issuer.cn:"${target}"
ssl.cert.subject.cn:"${target}"
ssl.cert.expired:true hostname:"*.${target}"
ssl.cert.subject.commonName:"*.${target}"
http.title:"Index of /" hostname:"*.${target}"
http.title:"Index of /" ssl.cert.subject.cn:"${target}"
ftp port:"10000" hostname:"*.${target}"
ftp port:"10000" ssl.cert.subject.cn:"${target}"
"Authentication: disabled" port:445 product:"Samba" hostname:"*.${target}"
title:"Login - Adminer" hostname:"*.${target}"
title:"Login - Adminer" ssl.cert.subject.cn:"${target}"
http.title:"sign up" ssl.cert.subject.cn:"${target}"
http.title:"sign up" ssl:"${target}"
http.title:"sign up" hostname:"*.${target}"
"sign up" ssl.cert.subject.cn:"${target}"
"sign up" ssl:"${target}"
"sign up" hostname:"*.${target}"
http.title:"LogIn" ssl.cert.subject.cn:"${target}"
http.title:"LogIn" ssl:"${target}"
http.title:"LogIn" hostname:"*.${target}"
"LogIn" ssl.cert.subject.cn:"${target}"
"LogIn" ssl:"${target}"
"LogIn" hostname:"*.${target}"
http.status:"302" oauth ssl.cert.subject.cn:"${target}"
http.status:"302" oauth ssl:"${target}"
http.status:"302" oauth hostname:"*.${target}"
http.title:"log in with" ssl.cert.subject.cn:"${target}"
http.title:"log in with" ssl:"${target}"
http.title:"log in with" hostname:"*.${target}"
"log in with" ssl.cert.subject.cn:"${target}"
"log in with" ssl:"${target}"
"log in with" hostname:"*.${target}"
http.status:"302" sso ssl.cert.subject.cn:"${target}"
http.status:"302" sso ssl:"${target}"
http.status:"302" sso hostname:"*.${target}"
http.title:"login sso" ssl.cert.subject.cn:"${target}"
http.title:"login sso" ssl:"${target}"
http.title:"login sso" hostname:"*.${target}"
"login sso" ssl.cert.subject.cn:"${target}"
"login sso" ssl:"${target}"
"login sso" hostname:"*.${target}"
title:"401 Authorization Required" hostname:"*.${target}"
http.html:"403 Forbidden" ssl.cert.subject.cn:"${target}"
http.html:"403 Forbidden" ssl:"${target}"
http.html:"403 Forbidden" hostname:"*.${target}"
http.html:"500 Internal Server Error" ssl.cert.subject.cn:"${target}"
http.html:"500 Internal Server Error" ssl:"${target}"
http.html:"500 Internal Server Error" hostname:"*.${target}"
"500 Internal Server Error" ssl.cert.subject.cn:"${target}"
"500 Internal Server Error" ssl:"${target}"
"500 Internal Server Error" hostname:"*.${target}"
ssl.cert.subject.cn:*vpn* ssl.cert.subject.cn:"${target}"
ssl.cert.subject.cn:*vpn* ssl:"${target}"
ssl.cert.subject.cn:*vpn* hostname:"*.${target}"
title:"citrix gateway" ssl.cert.subject.cn:"${target}"
title:"citrix gateway" ssl:"${target}"
title:"citrix gateway" hostname:"*.${target}"
http.html:"JFrog" ssl.cert.subject.cn:"${target}"
http.html:"JFrog" ssl:"${target}"
http.html:"JFrog" hostname:"*.${target}"
"X-Jfrog" ssl.cert.subject.cn:"${target}"
"X-Jfrog" ssl:"${target}"
"X-Jfrog" hostname:"*.${target}"
http.title:"dashboard" hostname:"*.${target}"
http.title:"dashboard" ssl.cert.subject.cn:"${target}"
dashboard ssl.cert.subject.cn:"${target}"
http.title:"Openfire Admin Console" hostname:"*.${target}"
http.title:"control panel" hostname:"*.${target}"
http.title:"control panel" ssl.cert.subject.cn:"${target}"
control panel ssl.cert.subject.cn:"${target}"
http.html:"* The wp-config.php creation script uses this file" hostname:"*.${target}"
http.html:"* The wp-config.php creation script uses this file" ssl.cert.subject.cn:"${target}"
clockwork hostname:"*.${target}"
clockwork ssl.cert.subject.cn:"${target}"
"Server: Jetty" ssl.cert.subject.cn:"${target}"
"Server: Jetty" ssl:"${target}"
"Server: Jetty" hostname:"*.${target}"
X-Amz-Bucket-Region hostname:"*.${target}"
X-Amz-Bucket-Region ssl.cert.subject.cn:"${target}"
Cloudfront_AWS_ssl:"development" org:"Amazon.com" ssl.cert.subject.cn:"${target}"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Jenkins [Jenkins]" hostname:"*.${target}"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Jenkins [Jenkins]" ssl.cert.subject.cn:"${target}"
http.favicon.hash:81586312 200 hostname:"*.${target}"
http.favicon.hash:81586312 200 ssl.cert.subject.cn:"${target}"
product:"Kubernetes" port:"10250, 2379" ssl.cert.subject.cn:"${target}"
product:"Kubernetes" port:"10250, 2379" ssl:"${target}"
product:"Kubernetes" port:"10250, 2379" hostname:"*.${target}"
port:"9100" http.title:"Node Exporter" ssl.cert.subject.cn:"${target}"
port:"9100" http.title:"Node Exporter" ssl:"${target}"
port:"9100" http.title:"Node Exporter" hostname:"*.${target}"
http.title:"Grafana" ssl.cert.subject.cn:"${target}"
http.title:"Grafana" ssl:"${target}"
http.title:"Grafana" hostname:"*.${target}"
http.title:"RabbitMQ" ssl.cert.subject.cn:"${target}"
http.title:"RabbitMQ" ssl:"${target}"
http.title:"RabbitMQ" hostname:"*.${target}"
HTTP/1.1 307 Temporary Redirect "Location: /containers" ssl.cert.subject.cn:"${target}"
HTTP/1.1 307 Temporary Redirect "Location: /containers" ssl:"${target}"
HTTP/1.1 307 Temporary Redirect "Location: /containers" hostname:"*.${target}"
http.favicon.hash:1278323681 ssl.cert.subject.cn:"${target}"
http.favicon.hash:1278323681 ssl:"${target}"
http.favicon.hash:1278323681 hostname:"*.${target}"
"MongoDB Server Information" port:27017 "-authentication" hostname:"*.${target}"
"MongoDB Server Information" port:27017 "-authentication" ssl.cert.subject.cn:"${target}"
"Set-Cookie: mongo-express=" "200 OK" hostname:"*.${target}"
"Set-Cookie: mongo-express=" "200 OK" ssl.cert.subject.cn:"${target}"
all:"mongodb server information" all:"metrics" hostname:"*.${target}"
all:"mongodb server information" all:"metrics" ssl.cert.subject.cn:"${target}"
port:"9200" all:"elastic indices" hostname:"*.${target}"
port:"9200" all:"elastic indices" ssl.cert.subject.cn:"${target}"
"220" "230 Login successful." port:21 hostname:"*.${target}"
"220" "230 Login successful." port:21 ssl.cert.subject.cn:"${target}"
port:"11211" product:"Memcached" hostname:"*.${target}"
port:"11211" product:"Memcached" ssl.cert.subject.cn:"${target}"
"port: 53" Recursion: Enabled hostname:"*.${target}"
"port: 53" Recursion: Enabled ssl.cert.subject.cn:"${target}"
title:"kibana" hostname:"*.${target}"
title:"kibana" ssl.cert.subject.cn:"${target}"
port:9090 http.title:"Prometheus Time Series Collection and Processing Server" ssl.cert.subject.cn:"${target}"
port:9090 http.title:"Prometheus Time Series Collection and Processing Server" ssl:"${target}"
port:9090 http.title:"Prometheus Time Series Collection and Processing Server" hostname:"*.${target}"
"default password" hostname:"*.${target}"
"default password" ssl.cert.subject.cn:"${target}"
title:protected hostname:"*.${target}"
title:protected ssl.cert.subject.cn:"${target}"
http.component:Moodle hostname:"*.${target}"
http.component:Moodle ssl.cert.subject.cn:"${target}"
http.favicon.hash:116323821 hostname:"*.${target}"
http.favicon.hash:116323821 ssl.cert.subject.cn:"${target}"
html:"/login/?next=" title:"Django" hostname:"*.${target}"
html:"/login/?next=" title:"Django" ssl.cert.subject.cn:"${target}"
html:"/admin/login/?next=" title:"Django" hostname:"*.${target}"
html:"/admin/login/?next=" title:"Django" ssl.cert.subject.cn:"${target}"
title:"system dashboard" html:jira hostname:"*.${target}"
title:"system dashboard" html:jira ssl.cert.subject.cn:"${target}"
"system dashboard" html:jira ssl.cert.subject.cn:"${target}"
http.component:ruby port:3000 hostname:"*.${target}"
http.component:ruby port:3000 ssl.cert.subject.cn:"${target}"
html:"secret_key_base" hostname:"*.${target}"
html:"secret_key_base" ssl.cert.subject.cn:"${target}"

[+] #karma_v2 Newly Added #Shodan #Dorks FOR MANUAL STUFF ;)

"netweaver" hostname:"*.${target}"
"netweaver" ssl.cert.subject.cn:"${target}"
port:"2379" product:"etcd" hostname:"*.${target}"
port:"2379" product:"etcd" ssl.cert.subject.cn:"${target}"
http.title:"DisallowedHost" hostname:"*.${target}"
http.title:"DisallowedHost" ssl.cert.subject.cn:"${target}"
ssl:"${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
hostname:"*.${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
ssl.cert.issuer.cn:"${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
ssl.cert.subject.cn:"${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
hostname:"*.${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
"X-Debug-Token-Link" port:443 hostname:"*.${target}"
"X-Debug-Token-Link" port:443 ssl.cert.subject.cn:"${target}"
http.title:"shipyard" HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 5664 hostname:"*.${target}"
http.title:"shipyard" HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 5664 ssl.cert.subject.cn:"${target}"
http.title:"TIBCO Jaspersoft:" port:"443" "1970" hostname:"*.${target}"
http.title:"TIBCO Jaspersoft:" port:"443" "1970" ssl.cert.subject.cn:"${target}"
"Confluence" hostname:"*.${target}"
"Confluence" ssl.cert.subject.cn:"${target}"
http.title:"SonarQube" hostname:"*.${target}"
http.title:"SonarQube" ssl.cert.subject.cn:"${target}"
html:"jmx?qry=Hadoop:*" hostname:"*.${target}"
html:"jmx?qry=Hadoop:*" ssl.cert.subject.cn:"${target}"
http.title:"Directory Listing" hostname:"*.${target}"
http.title:"Directory Listing" ssl.cert.subject.cn:"${target}"
http.title:"H-SPHERE" hostname:"*.${target}"
http.title:"H-SPHERE" ssl.cert.subject.cn:"${target}"
http.title:"Swagger UI - " hostname:"*.${target}"
http.title:"Swagger UI - " ssl.cert.subject.cn:"${target}"
Server: Apache-Coyote/1.1 Tomcat-5.5 hostname:"*.${target}"
Server: Apache-Coyote/1.1 Tomcat-5.5 ssl.cert.subject.cn:"${target}"
port:2375 product:"Docker" hostname:"*.${target}"
port:2375 product:"Docker" ssl.cert.subject.cn:"${target}"
http.title:"phpinfo()" hostname:"*.${target}"
http.title:"phpinfo()" ssl.cert.subject.cn:"${target}"
http.title:"ID_VC_Welcome" hostname:"*.${target}"
http.title:"ID_VC_Welcome" ssl.cert.subject.cn:"${target}"
"x-powered-by" "jboss" hostname:"*.${target}"
"x-powered-by" "jboss" ssl.cert.subject.cn:"${target}"
jboss http.favicon.hash:-656811182 hostname:"*.${target}"
jboss http.favicon.hash:-656811182 ssl.cert.subject.cn:"${target}"
http.title:"Welcome to JBoss" hostname:"*.${target}"
http.title:"Welcome to JBoss" ssl.cert.subject.cn:"${target}"
port:"8089, 8000" "splunkd" hostname:"*.${target}"
port:"8089, 8000" "splunkd" ssl.cert.subject.cn:"${target}"
http.favicon.hash:-316785925 hostname:"*.${target}"
http.favicon.hash:-316785925 ssl.cert.subject.cn:"${target}"
title:"splunkd" org:"Amazon.com" hostname:"*.${target}"
title:"splunkd" org:"Amazon.com" ssl.cert.subject.cn:"${target}"
http.title:"oracle business intelligence sign in" hostname:"*.${target}"
http.title:"oracle business intelligence sign in" ssl.cert.subject.cn:"${target}"
http.title:"Oracle WebLogic Server Administration Console" hostname:"*.${target}"
http.title:"Oracle WebLogic Server Administration Console" ssl.cert.subject.cn:"${target}"
http.title:"Apache Status" hostname:"*.${target}"
http.title:"Apache Status" ssl.cert.subject.cn:"${target}"
Ivanti_hostname::http.title:"Ivanti Connect" hostname:"*.${target}"
Ivanti_ssl::http.title:"Ivanti Connect" ssl:"${target}"
Ivanti_subject::http.title:"Ivanti Connect" ssl.cert.subject.cn:"${target}"
- twitter.com/Dheerajmadhukar
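
The `http.favicon.hash:` filters in the list above (and the README's "Generate Favicon Hash using python3 mmh3 Module" feature) rely on a signed 32-bit MurmurHash3 of the base64-encoded icon. The following is an added example, not code from karma_v2: it swaps the `mmh3` module for a pure-Python MurmurHash3 so it runs with the standard library only, and uses it to list hosts that serve your own organisation's icon but are missing from your asset inventory. The icon bytes, IP addresses (documentation ranges) and the `unmanaged_hosts` helper are constructed for illustration.

```python
import base64

_MASK = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & _MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int like mmh3.hash()."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & _MASK
    full = len(data) & ~3                      # bytes covered by whole 4-byte blocks
    for i in range(0, full, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & _MASK
        k = _rotl32(k, 15)
        k = (k * c2) & _MASK
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & _MASK
    tail = data[full:]                         # 0 to 3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & _MASK
        k = _rotl32(k, 15)
        k = (k * c2) & _MASK
        h ^= k
    h ^= len(data)                             # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & _MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & _MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(icon: bytes) -> int:
    """Hash as indexed by Shodan: base64 with a newline every 76 characters."""
    return murmur3_32(base64.encodebytes(icon))


def naive_hash(icon: bytes) -> int:
    """Common mistake: b64encode() emits no newlines, so the value never matches."""
    return murmur3_32(base64.b64encode(icon))


def favicon_filter(icon: bytes) -> str:
    return f"http.favicon.hash:{favicon_hash(icon)}"


def unmanaged_hosts(observed: dict, reference_icon: bytes, inventory: set) -> list:
    """Hosts serving the reference icon that the asset inventory does not know."""
    ref = favicon_hash(reference_icon)
    return sorted(host for host, icon in observed.items()
                  if favicon_hash(icon) == ref and host not in inventory)


# Constructed sample data: placeholder bytes standing in for favicon.ico files.
SAMPLE_ICON = bytes(range(256)) * 2
OTHER_ICON = SAMPLE_ICON[::-1]
OBSERVED = {
    "192.0.2.10": SAMPLE_ICON,      # known production host
    "198.51.100.7": SAMPLE_ICON,    # same icon, not in the inventory
    "203.0.113.5": OTHER_ICON,      # unrelated icon
}
INVENTORY = {"192.0.2.10"}

if __name__ == "__main__":
    print(favicon_filter(SAMPLE_ICON))
    print("not in inventory:", unmanaged_hosts(OBSERVED, SAMPLE_ICON, INVENTORY))
```
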
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
black='\e[38;5;016m'
bluebg='\e[48;5;038m'${black}
red='\e[31m'
redbg='\e[30;41m'${black}
lightred='\e[91m'
blink='\e[5m'
lightblue='\e[38;5;109m'
green='\e[32m'
greenbg='\e[48;5;038m'${black}
yellow='\e[33m'
logo='\033[0;36m'
# 'end' must be defined before 'upper'/'lower' expand it
end='\e[0m'
upper="${lightblue}╔$(printf '%.0s═' $(seq "80"))╗${end}"
lower="${lightblue}╚$(printf '%.0s═' $(seq "80"))╝${end}"
right=$(printf '\u2714')
cross=$(printf '\u2718')
program="⡷⠂𝚔𝚊𝚛𝚖𝚊 𝚟𝟸⠐⢾"
version="v2"
description="Premium Shodan Recon"
BASE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

# tool name -> command used to install it
declare -A tools='(
	["python3"]="sudo apt install python3 -y -qq"
	["cvemap"]="go install github.com/projectdiscovery/cvemap/cmd/cvemap@latest"
	["pip3"]="sudo apt install python3-pip -y -qq"
	["shodan"]="sudo python3 -m pip install -U shodan"
	["mmh3"]="sudo python3 -m pip install -U mmh3"
	["jq"]="sudo apt install jq -y -qq"
	["httprobe"]="go install github.com/tomnomnom/httprobe@master"
	["interlace"]="sudo git clone https://github.com/codingo/Interlace.git"
	["nuclei"]="go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest"
	["lolcat"]="sudo apt install lolcat -y -qq"
	["anew"]="go install github.com/tomnomnom/anew@master"
)'
##########
function banner(){
	printf "\n${upper}\n\t${logo}${program} helper script to prepare the environment\n${lower}${end}\n\n">&2
}

function help(){
	printf "Usage:\n">&2
	printf "\t--check :\t\tTo check installed prerequisite packages/tools/libs\n">&2
	printf "\t--install :\t\tTo install prerequisite packages/tools/libs\n">&2
	printf "\t-h/--help :\t\tHelp\n">&2
	printf '\n\n' >&2
	printf "╔════════[ ${lightred}me_dheeraj [Author]${end} ]═════════════════════════════════════════════════════════════╗\n\n" >&2
	printf "${logo}\t - https://buymeacoffee.com/medheeraj${end}\n" >&2
	printf "${logo}\t - https://github.com/Dheerajmadhukar${end}\n" >&2
	printf "${logo}\t - https://twitter.com/Dheerajmadhukar${end}\n" >&2
	printf "${logo}\t - https://www.youtube.com/c/DheerajMadhukar${end}\n" >&2
	printf "${logo}\t - https://linkedin.com/in/dheerajtechnolegends${end}\n" >&2
	printf "╚════════════════════════════════════════════════════════════════════════════════════════════╝\n\n" >&2
}
# Report which prerequisites are present and print their versions
function check_install(){
	for i in "${!tools[@]}";do
		if [[ $i == "go" ]];then
			if ${i} version &> /dev/null;then
				printf "${green} [+] ${i} ${end}\t:\t${logo}`go version | awk '{print $3}'`${end}\n"
			else
				printf " ${redbg}[-] ${i} ${end}\t:\t${red}Manually install: \`${tools[$i]}\` OR \`bash install.sh --install\`${end}\n"
			fi
		elif [[ $i == "mmh3" ]];then
			if python3 -c "import mmh3" &> /dev/null;then
				printf "${green} [+] ${i} ${end}\t:\t${logo}`pip3 list | grep 'mmh3'|awk '{print $NF}'`${end}\n"
			else
				printf "${redbg} [-] ${i} ${end}\t:\t${red}Manually install: \`pip3 install -U mmh3\` OR \`bash install.sh --install\`${end}\n"
			fi
		elif [[ $i == "python3" ]];then
			if ${i} <<<"exit()"&>/dev/null;then
				printf "${green} [+] ${i} ${end}\t:\t${logo}`python3 -V | awk '{print $NF}'`${end}\n"
			else
				printf " ${redbg}[-] ${i} ${end}\t:\t${red}Manually install: \`${tools[$i]}\` OR \`bash install.sh --install\`${end}\n"
			fi
		elif [[ $i == "lolcat" ]];then
			if ${i} --version&>/dev/null;then
				printf "${green} [+] ${i} ${end}\t:\t${logo}`lolcat --version | awk '{print $2}'`${end}\n"
			else
				printf " ${redbg}[-] ${i} ${end}\t:\t${red}Manually install: \`${tools[$i]}\` OR \`bash install.sh --install\`${end}\n"
			fi

		else
			${i} --help &> /dev/null
			if [[ ! $? -eq 0 ]];then
				printf "${redbg} [-] ${i} ${end}\t:\t${red}Manually install: \`${tools[$i]}\` OR \`bash install.sh --install\`${end}\n"
			else
				if [[ ${i} == "cvemap" ]];then
					printf " ${green}[+] ${i} ${end}\t:\t${logo}`cvemap -version 2>&1| awk '{print $NF}'`\n${end}"
				elif [[ ${i} == "pip3" ]];then
					printf " ${green}[+] ${i} ${end}\t:\t${logo}`pip3 -V | awk '{print $2}'`${end}\n"
				elif [[ ${i} == "shodan" ]];then
					printf " ${green}[+] ${i} ${end}\t:\t${logo}`shodan version`${end}\n"
				elif [[ ${i} == "jq" ]];then
					printf " ${green}[+] ${i} ${end}\t:\t${logo}`jq --version`${end}\n"
				elif [[ ${i} == "nuclei" ]];then
					printf " ${green}[+] ${i} ${end}\t:\t${logo}`nuclei -version 2>&1|head -1|awk '{print $NF}'`${end}\n"
				elif [[ ${i} == "anew" ]];then
					printf " ${green}[+] ${i} ${end}\n"
				elif [[ ${i} == "httprobe" ]];then
					printf " ${green}[+] ${i} ${end}\n"
				elif [[ ${i} == "interlace" ]];then
					printf " ${green}[+] ${i} ${end}\n"
				fi
			fi
		fi
	done
}
# Install every prerequisite that is not already available
function install_tools(){
	for i in "${!tools[@]}";do
		if [[ $i == "mmh3" ]];then
			if ! python3 -c "import mmh3" &> /dev/null;then
				echo "Installing tool...: ${tools[$i]}"
				${tools[$i]} pip setuptools #&> /dev/null
				printf "${green} [+] ${i} Installed${end}\n"
			fi
		elif [[ $i == "lolcat" ]];then
			if ! ${i} --version &> /dev/null;then
				${tools[${i}]} #&> /dev/null
			fi
		elif [[ $i == "interlace" ]];then
			if ! ${i} --help &> /dev/null;then
				${tools[${i}]} #&> /dev/null
				cd ${BASE_DIR}/Interlace #&> /dev/null
				pip3 install -r requirements.txt #&> /dev/null
				python3 setup.py install #&>/dev/null
			fi
		else
			${i} --help &> /dev/null
			if [[ ! $? -eq 0 ]];then
				${tools[$i]} #&> /dev/null
				if [[ $? -eq 0 ]];then
					echo "Installing tool...: ${tools[$i]}"
					printf "${green} [+] ${i} Installed${end}\n"
				fi
			fi
		fi
	done
}
prarg(){
	set +u
	case $1 in
		'--check')
			banner
			check_install
			shift
			;;
		'--install')
			banner
			if ! go version &> /dev/null;then
				#${tools[${i}]}
				# Map uname output to the platform suffix used by Go release archives
				OS="$(uname -s)"
				ARCH="$(uname -m)"
				case $OS in
					"Linux")
						case $ARCH in
							"x86_64")
								ARCH=amd64
								;;
							"aarch64")
								ARCH=arm64
								;;
							"armv6" | "armv7l")
								ARCH=armv6l
								;;
							"armv8")
								ARCH=arm64
								;;
							"i686")
								ARCH=386
								;;
							*386*)
								# shell glob, not a regex
								ARCH=386
								;;
						esac
						PLATFORM="linux-$ARCH"
						;;
					"Darwin")
						case $ARCH in
							"x86_64")
								ARCH=amd64
								;;
							"arm64")
								ARCH=arm64
								;;
						esac
						PLATFORM="darwin-$ARCH"
						;;
				esac


				LATEST_GO_VERSION="$(curl --silent 'https://go.dev/VERSION?m=text' | head -n 1)";
				LATEST_GO_DOWNLOAD_URL="https://go.dev/dl/${LATEST_GO_VERSION}.${PLATFORM}.tar.gz"
				printf "cd to home ($USER) directory \n"
				cd $HOME
				printf "Downloading ${LATEST_GO_DOWNLOAD_URL}\n\n";
				# no -k: keep TLS certificate verification on for the toolchain download
				curl -OJ -L --progress-bar "$LATEST_GO_DOWNLOAD_URL"
				printf "Extracting file...\n"
				# extract the archive that was downloaded for this platform
				tar -xf "${HOME}/${LATEST_GO_VERSION}.${PLATFORM}.tar.gz" -C "${HOME}"

				export GOROOT="$HOME/go" 2>&1 > /dev/null
				export GOPATH="$HOME/go/packages" 2>&1 > /dev/null
				export PATH=$PATH:$GOROOT/bin:$GOPATH/bin 2>&1 > /dev/null
				printf "APPENDING THIS LINE BELOW TO YOUR ~/.bashrc OR ~/.zshrc: \n
				export GOROOT=\"$HOME/go\"\n
				export GOPATH=\"$HOME/go/packages\"\n
				export PATH=$PATH:$GOROOT/bin:$GOPATH/bin\n
				\n"
				install_tools
				go version
			else
				install_tools
				printf "${bluebg}Ready to rock the digital realm !!!${end}\n"
				printf " ${green}[+] GO ${end}\t:\t${logo}`go version 2>&1| grep -v 'warning:'| awk '{print $3}'`${end}\n"
				check_install
			fi
			shift
			;;
		'-h'|'--help')
			banner
			help
			exit 0
			;;
		"")
			# must come before the catch-all, otherwise it is never reached
			printf "${red}Error: option/argument required, check '-h/--help'${end}\n"
			help
			exit 2
			;;
		*)
			printf "${red}Error: unknown/invalid: $1, check '-h/--help'${end}\n"
			help
			exit 1
			;;

	esac
}
prarg "$@"
tput sgr0

#####################

--------------------------------------------------------------------------------
/karma_v2:
--------------------------------------------------------------------------------
#!/bin/bash

#KARMA IS MY BITCH.....🧠
#- twitter.com/Dheerajmadhukar : @me_dheeraj

#########################################################################################################################################
###
### >>> Description:
###	Query credits are used to download data via the website, command-line interface or the API.
###     If you're using the CLI or API then query credits are deducted if one of the following 2 conditions is met:
###         - A search filter is used
###         - Page 2 or beyond is requested
###
### >>> 1 query credit lets you download 100 results
###
#########################################################################################################################################


black='\e[38;5;016m'
bluebg='\e[48;5;038m'${black}
red='\e[31m'
lightred='\e[91m'
blink='\e[5m'
lightblue='\e[38;5;109m'
green='\e[32m'
greenbg='\e[48;5;038m'${black}
yellow='\e[33m'
logo='\033[0;36m'
# end is assigned before upper/lower because both expand ${end} at assignment time
end='\e[0m'
upper="${lightblue}╔$(printf '%.0s═' $(seq "80"))╗${end}"
lower="${lightblue}╚$(printf '%.0s═' $(seq "80"))╝${end}"
right=$(printf '\u2714')
cross=$(printf '\u2718')
program="⡷⠂𝚔𝚊𝚛𝚖𝚊 𝚟𝟸⠐⢾"
version="v2"
description="Premium Shodan Recon"

# ╭──────────────────────────────╮
# │            BANNER            │
# ╰──────────────────────────────╯

banner(){
    [ "$silent" == "False" ] && printf "${logo}" >&2
    [ "$silent" == "False" ] && echo ' ..,,,,,,,,,.. ' >&2
    [ "$silent" == "False" ] && echo ' .,;%%%%%%%%%%%%%%%%%%%%;,. ' >&2
    [ "$silent" == "False" ] && echo ' %%%%%%%%%%%%%%%%%%%%////%%%%%%, .,;%%;, ' >&2
    [ "$silent" == "False" ] && echo ' .;%/,%%%%%/////%%%%%%%%%%%%%%////%%%%,%%//%%%, ' >&2
    [ "$silent" == "False" ] && echo ' .,;%%%%/,%%%///%%%%%%%%%%%%%%%%%%%%%%%%%%%%,////%%%%;, ' >&2
    [ "$silent" == "False" ] && echo ' .,%%%%%%//,%%%%%%%%%%%%%%%%@@%a%%%%%%%%%%%%%%%%,%%/%%%%%%%;, ' >&2
    [ "$silent" == "False" ] && echo ' .,%//%%%%//,%%%%///////%%%%%%%@@@%%%%%%///////%%%%,%%//%%%%%%%%, ' >&2
    [ "$silent" == "False" ] && echo ' ,%%%%%///%%//,%%//%%%%%///%%%%%@@@%%%%%////%%%%%%%%%,/%%%%%%%%%%%%% ' >&2
    [ "$silent" == "False" ] && echo '.%%%%%%%%%////,%%%%%%%//%///%%%%@@@@%%%////%%/////%%%,/;%%%%%%%%/%%% ' >&2
    [ "$silent" == "False" ] && echo '%/%%%%%%%/////,%%%%///%%////%%%@@@@@%%%///%%/%%%%%//%,////%%%%//%%% ' >&2
    [ "$silent" == "False" ] && echo '%//%%%%%//////,%/%a\` a%///%%%@@@@@@%%////a a%%%%,//%///%/%%%%% ' >&2
    [ "$silent" == "False" ] && echo '%///%%%%%%///,%%%%@@aa@@%//%%%@@@@S@@@%%///@@aa@@%%%%%,/%////%%%%% ' >&2
    [ "$silent" == "False" ] && echo '%%//%%%%%%%//,%%%%%///////%%%@S@@@@SS@@@%%/////%%%%%%%,%////%%%%% ' >&2
    [ "$silent" == "False" ] && echo '%%//%%%%%%%//,%%%%/////%%@%@SS@@@@@@@S@@@@%%%%/////%%%,////%%%%% ' >&2
    [ "$silent" == "False" ] && echo ' `%%%//%%%%/,%%%%@%@@@@@@@@@@@@@@@@@@@@@@@@@S@@%%%%%,/////%% ' >&2
    [ "$silent" == "False" ] && echo ' `%%%//%%%/,%%%@@@SS@@SSs@@@@@@@@@@@@@sSS@@@@@@%%%,//%%//% ' >&2
    [ "$silent" == "False" ] && echo ' `%%%%%%/ %%S@@SS@@@@@Ss` .,,. .sS@@@S@@@@%. ///%/% ' >&2
    [ "$silent" == "False" ] && echo ' `%%%/ %SS@@@@SSS@@S. .S@@SSS@@@@. //%% ' >&2
    [ "$silent" == "False" ] && echo ' /`S@@@@@@SSSSSs, ,sSSSSS@@@@@. ' >&2
    [ "$silent" == "False" ] && echo ' \@@@@@@@@@@@@@Ss,sS@@@@@@@@@@@./ ' >&2
    [ "$silent" == "False" ] && echo ' \@@@@@@@@@@@@@.@@@@@@@@@@@.// ' >&2
    [ "$silent" == "False" ] && echo ' \00aaaaaaaaa00a00aaaaaaa00/ ' >&2
    [ "$silent" == "False" ] && echo ' \@@000000000000000000@@@/ ' >&2
    [ "$silent" == "False" ] && echo ' 00000000000000@@@@@@@@@ ' >&2
    [ "$silent" == "False" ] && printf "${logo}╭───────────────────────────────────────────────────────────────────────────────╮${end}\n" >&2
    [ "$silent" == "False" ] && printf " ${greenbg} ${program} ${end}\t\t\t\t\t${green}KARMA IS MY BITCH.....🧠${end}\n\n" >&2
    [ "$silent" == "False" ] && printf "${logo}\t\t - https://github.com/Dheerajmadhukar${end}\n" >&2
    [ "$silent" == "False" ] && printf "${logo}\t\t - https://twitter.com/Dheerajmadhukar${end}\n" >&2
    [ "$silent" == "False" ] && printf "${logo}╰───────────────────────────────────────────────────────────────────────────────╯${end}\n" >&2
    [ "$silent" == "False" ] && printf '\n\n' >&2
}

secret(){
    echo -e " xxkXWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWXdollllllooolooooxd
xxOXNWWWWWWXKX00XNXNWNXNNWNNXNNXXWWWXxollcllloododdddkx
xxxkOKWWWX0kxxxkkkkkkkkxokd:cccccoxO0OOOOOO0000000000KK
kxxdxOXWWXkddxdddddddd;,,;,,,,;;;:;;cox00000K0000000000
kkkkOxk0Okxddoooooldd:'''''''''',,,,,::lO00000000000000
xddkOOxdooddolooodo:.......'''''''''',;:cxkxxxoooolllld
ooodoxxxxxkkxxxdol;,'.......;occ:;,'',;;;:dkkxollllllod
oddooxkkkd';loollollolc:;,...',ccld:',,,,oOOOOOOOkkxxdo
kk0OOkkxxx,  .,;:ccc:,',,'..      ...',,;kOOOOOkkkddolo
ddkxOkkxxk0xc:::c;,....,;;:;..  .;:c:.''cOOOkkocclccllo
0dddxxkOdkOxk00odl;,.,,,;:cc...c:.,::...,xOOkolcccccccc
doollokkOkkxxdxxxo;,;clc:::,...oc;:;,...'OOOOox0Odllloo
00OxoclxkxdllllO0o;;.,cc;...  .c:llc'.''ckdxOxxOdlcc:c:
K0KK0Okk0ddxkOO00kc... ..     .';c:,.';cldokOkkdlllcc:,
K0OxOOxxoclkOOOOOoxx;'..       ..'.',;;:cllodloool:::;,
K0xooc:locoxxdkkOdcd, .         .',,',,;clodxxool:::;;c
0kxdlooodooddodOkdxo'         ..',,,:codxxxk000000Oxolc
xkOklcloolldookkoccl:'.......',:ldk0OOkOkkkkO000O0O00KK
olkOxolloxxdl:lc;;,;;;;;::;.:dOKK0KXXKX0kdodddxxxOk0O00
xdoO0Oxlol;:;:looddldc::,cdOKKKXK0OKNKKNKOoooooxxxxxkxk
OOkOkk0kkollodkOOO0Oxddk0KKK0KXKKKOKNXKXXKkodoodxxookkO
OOkOOkOkOOkOOxxO0kxkkdox000000OXK0OKKK00KXKxoxdxxdcckxO
OkkdxOO000000kk0OkdoclxlOdddkkok0OO0Kk0XKNNOllddxo::kxx
xOOOxxkOk0OO00OOkoolloc:c:c;ldxcdOOkXOOXKKN0llokdo:;dOo
xO00kokkxdddxkkxdollc:::c'.';c:;dO0OKkx0X0N0ocokoo;;dko
dkOOkxxkxolxxoodoolc::;;;'...,:c:kkkOxk0KOX0ocdxol;;ddo
okk0kkOkxddoooodolc:::;;,,.....;loxx:okkkkK0dlxdl:,;dcl
coooxkxdxodkOkkdllc::;,,,:c;,'..:dc,;kO:xOKOoodl:,';l:c
oklcoddxxdxxkkxdoc::;,'',;,,,,'':,..:kc;cxOxoll:'.'c::c
odolllddlcoddoooc:;,,'',',''''':....oc,:cxdl:c:,..;c:::
ddooloddccoddooc:,,''''',,'''',,. .lc',ccoc;;:;..'c;;::
l:cclxxd:lkxcdc:;,,''''',,,,'';  'lc,,cl;:,,::...;:;::c
;;:llolc::llll::;,'''''';cloo:. .:c,;c;',,';;...;c;;:::
ol:clol:;:clddl:;,,',,'''c::c' .'',;,''.',,;'..,c:;:::;
Okxcoxkdoc::cll:;;,;,,,''o:,'...';;'','',;,...,c:;:;;,,
llocllllll:;:lcccc:::c:,,:c.  .';,''...';,...'c:;;;;,',
:;;;,:;',;:;,lcclc:;:kOo:lc .','.....',,'...,::;;;,'',:
:;,,.','';c:ccccccccckkdo:,.''.....','.....,::;;,,'',:l
;';:,;::;,;llllccllcxK0Okx,......','......,:c:,,,,,,;cl
',,,,;;,',;clllllcccokkxx,.....',,......',::;,',,',;clc
c:;;;'''',;clollc:cllccc:.....,,'..'''.',::;,,',,,;:cc:
:;'',cc;,,;:coooocokOOO;.....,,''',''.';:;,,'',,;;:cc::
cc,,.,:,',,:cclolllldo' ....',,,,'...'::;,''',,;;:cc:::
;;,'..'..,,:ccc:cccc:,.....',,,'...',,;,,'.',;;;:cc::::
;;;...'.',;;ccc:c:c:;' ...,,''...',;;,;''.';;;;::c:::;;
;'...';;,'..;cc::::,'...',,'...',,,,'',,'';;;;::::c::::
;,,,;;,,''.'::c:::;,. .'','..'',,,,;;;:;;;;;,,c;::::;,,
" >&2
    printf "╔════════[ ${lightred}me_dheeraj [Author]${end} ]═════════════════════════════════════════════════════════════╗\n\n" >&2
    printf "${logo}\t - https://buymeacoffee.com/medheeraj${end}\n" >&2
    printf "${logo}\t - https://github.com/Dheerajmadhukar${end}\n" >&2
    printf "${logo}\t - https://twitter.com/Dheerajmadhukar${end}\n" >&2
    printf "${logo}\t - https://instagram.com/me_dheeraj${end}\n" >&2
    printf "${logo}\t - https://linkedin.com/in/dheerajtechnolegends${end}\n" >&2
    printf "╚════════════════════════════════════════════════════════════════════════════════════════════╝\n\n" >&2
    printf '\n\n' >&2
}

# ╭──────────────────────────────╮
# │          DORK LIST           │
# ╰──────────────────────────────╯
dorks(){
#SHA1 Fingerprints
shodan stats --facets ssl.cert.fingerprint ssl:"${target}"|grep -Eo "[[:xdigit:]]{40}" | grep -v "^[[:blank:]]*$" | anew -q /tmp/fingerprints.txt;sleep 2
shodan stats --facets ssl.cert.fingerprint org:"${target}"|grep -Eo "[[:xdigit:]]{40}" | grep -v "^[[:blank:]]*$" | anew -q /tmp/fingerprints.txt;sleep 2
shodan stats --facets ssl.cert.fingerprint ssl.cert.issuer.cn:"${target}"|grep -Eo "[[:xdigit:]]{40}" | grep -v "^[[:blank:]]*$" | anew -q /tmp/fingerprints.txt;sleep 2
shodan stats --facets ssl.cert.fingerprint ssl.cert.subject.cn:"${target}"|grep -Eo "[[:xdigit:]]{40}" | grep -v "^[[:blank:]]*$" | anew -q /tmp/fingerprints.txt;sleep 2
shodan stats --facets ssl.cert.fingerprint ssl.cert.expired:true hostname:"*.${target}"|grep -Eo "[[:xdigit:]]{40}"|grep -v "^[[:blank:]]*$" | anew -q /tmp/fingerprints.txt;sleep 2
shodan stats --facets ssl.cert.fingerprint ssl.cert.subject.commonName:"*.${target}"|grep -Eo "[[:xdigit:]]{40}"|grep -v "^[[:blank:]]*$" | anew -q /tmp/fingerprints.txt;sleep 2
#Dork List Start

cat << !
`cat /tmp/fingerprints.txt|while read -r line;do echo "ssl_SHA1_${line}::ssl.cert.fingerprint:\"$line\"";done;rm /tmp/fingerprints.txt > /dev/null`
SSL_Domain::ssl:"${target}"
Org_Domain::org:"${target}"
Hostname_Domain::hostname:"${target}"
SSL_Issuer::ssl.cert.issuer.cn:"${target}"
SSL_Subject::ssl.cert.subject.cn:"${target}"
SSL_Expired::ssl.cert.expired:true hostname:"*.${target}"
SSL_SubjectCN::ssl.cert.subject.commonName:"*.${target}"
Ignored-by_CDNs_SSL::ssl:"${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
Ignored-by_CDNs_hostname::hostname:"*.${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
Ignored-by_CDNs_issuer_cn::ssl.cert.issuer.cn:"${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
Ignored-by_CDNs_subject_cn::ssl.cert.subject.cn:"${target}" "-AkamaiGHost" "-GHost" "-Cloudflare" "-Cloudfront"
Directory_Listing_hostname::http.title:"Directory Listing" hostname:"*.${target}"
Directory_Listing_subject::http.title:"Directory Listing" ssl.cert.subject.cn:"${target}"
Indexing_Hostname::http.title:"Index of /" hostname:"*.${target}"
Indexing_SSL::http.title:"Index of /" ssl.cert.subject.cn:"${target}"
phpinfo_hostname::http.title:"phpinfo()" hostname:"*.${target}"
phpinfo_subject::http.title:"phpinfo()" ssl.cert.subject.cn:"${target}"
Apache_Status_hostname::http.title:"Apache Status" hostname:"*.${target}"
Apache_Status_subject::http.title:"Apache Status" ssl.cert.subject.cn:"${target}"
Apache_Coyote_hostname::Server: Apache-Coyote/1.1 Tomcat-5.5 hostname:"*.${target}"
Apache_Coyote_subject::Server: Apache-Coyote/1.1 Tomcat-5.5 ssl.cert.subject.cn:"${target}"
Apache_hadoop_node_hostname::html:"jmx?qry=Hadoop:*" hostname:"*.${target}"
Apache_hadoop_node_subject::html:"jmx?qry=Hadoop:*" ssl.cert.subject.cn:"${target}"
NDMP_Hostname::ftp port:"10000" hostname:"*.${target}"
NDMP_SSL::ftp port:"10000" ssl.cert.subject.cn:"${target}"
SMB_file_sharing_Hostname::"Authentication: disabled" port:445 product:"Samba" hostname:"*.${target}"
Login_Adminer_Hostname::title:"Login - Adminer" hostname:"*.${target}"
Login_Adminer_SSL::title:"Login - Adminer" ssl.cert.subject.cn:"${target}"
SignUp_title_SSL_subject::http.title:"sign up" ssl.cert.subject.cn:"${target}"
SignUp_title_SSL::http.title:"sign up" ssl:"${target}"
SignUp_title_Hostname::http.title:"sign up" hostname:"*.${target}"
SignUp_body_SSL_subject::"sign up" ssl.cert.subject.cn:"${target}"
SignUp_body_SSL::"sign up" ssl:"${target}"
SignUp_body_Hostname::"sign up" hostname:"*.${target}"
LogIn_title_SSL_subject::http.title:"LogIn" ssl.cert.subject.cn:"${target}"
LogIn_title_SSL::http.title:"LogIn" ssl:"${target}"
LogIn_title_Hostname::http.title:"LogIn" hostname:"*.${target}"
LogIn_body_SSL_subject::"LogIn" ssl.cert.subject.cn:"${target}"
LogIn_body_SSL::"LogIn" ssl:"${target}"
LogIn_body_Hostname::"LogIn" hostname:"*.${target}"
OAuth_status_SSL_subject::http.status:"302" oauth ssl.cert.subject.cn:"${target}"
OAuth_status_SSL::http.status:"302" oauth ssl:"${target}"
OAuth_status_Hostname::http.status:"302" oauth hostname:"*.${target}"
OAuth_title_SSL_subject::http.title:"log in with" ssl.cert.subject.cn:"${target}"
OAuth_title_SSL::http.title:"log in with" ssl:"${target}"
OAuth_title_Hostname::http.title:"log in with" hostname:"*.${target}"
OAuth_body_SSL_subject::"log in with" ssl.cert.subject.cn:"${target}"
OAuth_body_SSL::"log in with" ssl:"${target}"
OAuth_body_Hostname::"log in with" hostname:"*.${target}"
SSO_status_SSL_subject::http.status:"302" sso ssl.cert.subject.cn:"${target}"
SSO_status_SSL::http.status:"302" sso ssl:"${target}"
SSO_status_Hostname::http.status:"302" sso hostname:"*.${target}"
SSO_title_SSL_subject::http.title:"login sso" ssl.cert.subject.cn:"${target}"
SSO_title_SSL::http.title:"login sso" ssl:"${target}"
SSO_title_Hostname::http.title:"login sso" hostname:"*.${target}"
SSO_body_SSL_subject::"login sso" ssl.cert.subject.cn:"${target}"
SSO_body_SSL::"login sso" ssl:"${target}"
SSO_body_Hostname::"login sso" hostname:"*.${target}"
401_Authorization_Required_Hostname::title:"401 Authorization Required" hostname:"*.${target}"
403_Forbidden_SSL_subject::http.html:"403 Forbidden" ssl.cert.subject.cn:"${target}"
403_Forbidden_SSL::http.html:"403 Forbidden" ssl:"${target}"
403_Forbidden_Hostname::http.html:"403 Forbidden" hostname:"*.${target}"
500_Status_html_SSL_subject::http.html:"500 Internal Server Error" ssl.cert.subject.cn:"${target}"
500_Status_html_SSL::http.html:"500 Internal Server Error" ssl:"${target}"
500_Status_html_Hostname::http.html:"500 Internal Server Error" hostname:"*.${target}"
500_Status_SSL_subject::"500 Internal Server Error" ssl.cert.subject.cn:"${target}"
500_Status_SSL::"500 Internal Server Error" ssl:"${target}"
500_Status_Hostname::"500 Internal Server Error" hostname:"*.${target}"
VPN_SSL_subject::ssl.cert.subject.cn:*vpn* ssl.cert.subject.cn:"${target}"
VPN_SSL::ssl.cert.subject.cn:*vpn* ssl:"${target}"
VPN_Hostname::ssl.cert.subject.cn:*vpn* hostname:"*.${target}"
Citrix_gateway_SSL_subject::title:"citrix gateway" ssl.cert.subject.cn:"${target}"
Citrix_gateway_SSL::title:"citrix gateway" ssl:"${target}"
Citrix_gateway_Hostname::title:"citrix gateway" hostname:"*.${target}"
JFrog_html_SSL_subject::http.html:"JFrog" ssl.cert.subject.cn:"${target}"
JFrog_html_SSL::http.html:"JFrog" ssl:"${target}"
JFrog_html_Hostname::http.html:"JFrog" hostname:"*.${target}"
X_Jfrog_SSL_subject::"X-Jfrog" ssl.cert.subject.cn:"${target}"
X_Jfrog_SSL::"X-Jfrog" ssl:"${target}"
X_Jfrog_Hostname::"X-Jfrog" hostname:"*.${target}"
Dashboard_title_Hostname::http.title:"dashboard" hostname:"*.${target}"
Dashboard_title_SSL::http.title:"dashboard" ssl.cert.subject.cn:"${target}"
Dashboard_title_body::dashboard ssl.cert.subject.cn:"${target}"
Openfire_Admin_Console_Hostname::http.title:"Openfire Admin Console" hostname:"*.${target}"
Openfire_Admin_Console_subject::http.title:"Openfire Admin Console" ssl.cert.subject.cn:"${target}"
Control_panels_Hostname::http.title:"control panel" hostname:"*.${target}"
Control_panels_SSL::http.title:"control panel" ssl.cert.subject.cn:"${target}"
Control_panels_body::control panel ssl.cert.subject.cn:"${target}"
WordPress_misconfigured_Hostname::http.html:"* The wp-config.php creation script uses this file" hostname:"*.${target}"
WordPress_misconfigured_SSL::http.html:"* The wp-config.php creation script uses this file" ssl.cert.subject.cn:"${target}"
Laravel_clockwork_Hostname::clockwork hostname:"*.${target}"
Laravel_clockwork_SSL::clockwork ssl.cert.subject.cn:"${target}"
Jetty_Detect_SSL_subject::"Server: Jetty" ssl.cert.subject.cn:"${target}"
Jetty_Detect_SSL::"Server: Jetty" ssl:"${target}"
Jetty_Detect_Hostname::"Server: Jetty" hostname:"*.${target}"
S3_bucket_AWS_Hostname::X-Amz-Bucket-Region hostname:"*.${target}"
S3_bucket_AWS_SSL::X-Amz-Bucket-Region ssl.cert.subject.cn:"${target}"
Cloudfront_AWS_ssl:"development" org:"Amazon.com" ssl.cert.subject.cn:"${target}"
Jenkins_detect_Hostname::"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Jenkins [Jenkins]" hostname:"*.${target}"
Jenkins_detect_SSL::"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Jenkins [Jenkins]" ssl.cert.subject.cn:"${target}"
Jenkins_detect_favicon_Hostname::http.favicon.hash:81586312 200 hostname:"*.${target}"
Jenkins_detect_favicon_SSL::http.favicon.hash:81586312 200 ssl.cert.subject.cn:"${target}"
Kubernetes_Detect_SSL_subject::product:"Kubernetes" port:"10250, 2379" ssl.cert.subject.cn:"${target}"
Kubernetes_Detect_SSL::product:"Kubernetes" port:"10250, 2379" ssl:"${target}"
Kubernetes_Detect_Hostname::product:"Kubernetes" port:"10250, 2379" hostname:"*.${target}"
Node_Exporter_metrics_SSL_subject::port:"9100" http.title:"Node Exporter" ssl.cert.subject.cn:"${target}"
Node_Exporter_metrics_SSL::port:"9100" http.title:"Node Exporter" ssl:"${target}"
Node_Exporter_metrics_Hostname::port:"9100" http.title:"Node Exporter" hostname:"*.${target}"
Grafana_Detect_SSL_subject::http.title:"Grafana" ssl.cert.subject.cn:"${target}"
Grafana_Detect_SSL::http.title:"Grafana" ssl:"${target}"
Grafana_Detect_Hostname::http.title:"Grafana" hostname:"*.${target}"
RabbitMQ_Detect_SSL_subject::http.title:"RabbitMQ" ssl.cert.subject.cn:"${target}"
RabbitMQ_Detect_SSL::http.title:"RabbitMQ" ssl:"${target}"
RabbitMQ_Detect_Hostname::http.title:"RabbitMQ" hostname:"*.${target}"
Containers_SSL_subject::HTTP/1.1 307 Temporary Redirect "Location: /containers" ssl.cert.subject.cn:"${target}"
Containers_SSL::HTTP/1.1 307 Temporary Redirect "Location: /containers" ssl:"${target}"
Containers_Hostname::HTTP/1.1 307 Temporary Redirect "Location: /containers" hostname:"*.${target}"
Docker_exec_hostname::port:2375 product:"Docker" hostname:"*.${target}"
Docker_exec_subject::port:2375 product:"Docker" ssl.cert.subject.cn:"${target}"
Cluster_Node_etcd_hostname::port:"2379" product:"etcd" hostname:"*.${target}"
Cluster_Node_etcd_subject::port:"2379" product:"etcd" ssl.cert.subject.cn:"${target}"
GitLab_repo_SSL_subject::http.favicon.hash:1278323681 ssl.cert.subject.cn:"${target}"
GitLab_repo_SSL::http.favicon.hash:1278323681 ssl:"${target}"
GitLab_repo_Hostname::http.favicon.hash:1278323681 hostname:"*.${target}"
MongoDB_Server_Info_Hostname::"MongoDB Server Information" port:27017 "-authentication" hostname:"*.${target}"
MongoDB_Server_Info_SSL::"MongoDB Server Information" port:27017 "-authentication" ssl.cert.subject.cn:"${target}"
MongoDB_Express_Web_GUI_Hostname::"Set-Cookie: mongo-express=" "200 OK" hostname:"*.${target}"
MongoDB_Express_Web_GUI_SSL::"Set-Cookie: mongo-express=" "200 OK" ssl.cert.subject.cn:"${target}"
MongoDB_Server_Metrics_Hostname::all:"mongodb server information" all:"metrics" hostname:"*.${target}"
MongoDB_Server_Metrics_SSL::all:"mongodb server information" all:"metrics" ssl.cert.subject.cn:"${target}"
ElasticSearch-powered_instances_Hostname::port:"9200" all:"elastic indices" hostname:"*.${target}"
ElasticSearch-powered_instances_SSL::port:"9200" all:"elastic indices" ssl.cert.subject.cn:"${target}"
FTP_anonymous_Hostname::"220" "230 Login successful." port:21 hostname:"*.${target}"
FTP_anonymous_SSL::"220" "230 Login successful." port:21 ssl.cert.subject.cn:"${target}"
Memcached_Hostname::port:"11211" product:"Memcached" hostname:"*.${target}"
Memcached_SSL::port:"11211" product:"Memcached" ssl.cert.subject.cn:"${target}"
DNS_Recursion_Hostname::"port: 53" Recursion: Enabled hostname:"*.${target}"
DNS_Recursion_SSL::"port: 53" Recursion: Enabled ssl.cert.subject.cn:"${target}"
Kibana_detect_Hostname::title:"kibana" hostname:"*.${target}"
Kibana_detect_SSL::title:"kibana" ssl.cert.subject.cn:"${target}"
Prometheus_Detect_SSL_subject::port:9090 http.title:"Prometheus Time Series Collection and Processing Server" ssl.cert.subject.cn:"${target}"
Prometheus_Detect_SSL::port:9090 http.title:"Prometheus Time Series Collection and Processing Server" ssl:"${target}"
Prometheus_Detect_Hostname::port:9090 http.title:"Prometheus Time Series Collection and Processing Server" hostname:"*.${target}"
Default_password_Hostname::"default password" hostname:"*.${target}"
Default_password_SSL::"default password" ssl.cert.subject.cn:"${target}"
Protected_Objects_Hostname::title:protected hostname:"*.${target}"
Protected_Objects_SSL::title:protected ssl.cert.subject.cn:"${target}"
Moodle_RXSS_Hostname::http.component:Moodle hostname:"*.${target}"
Moodle_RXSS_SSL::http.component:Moodle ssl.cert.subject.cn:"${target}"
Spring_Boot_Hostname::http.favicon.hash:116323821 hostname:"*.${target}"
Spring_Boot_SSL::http.favicon.hash:116323821 ssl.cert.subject.cn:"${target}"
Django_login_Hostname::html:"/login/?next=" title:"Django" hostname:"*.${target}"
Django_login_SSL::html:"/login/?next=" title:"Django" ssl.cert.subject.cn:"${target}"
Django_admin_Hostname::html:"/admin/login/?next=" title:"Django" hostname:"*.${target}"
Django_admin_SSL::html:"/admin/login/?next=" title:"Django" ssl.cert.subject.cn:"${target}"
Django_Exposed_hostname::http.title:"DisallowedHost" hostname:"*.${target}"
Django_Exposed_subject::http.title:"DisallowedHost" hostname:"*.${target}" ssl.cert.subject.cn:"${target}"
Jira_Dashboard_Hostname::title:"system dashboard" html:jira hostname:"*.${target}"
Jira_Dashboard_SSL::title:"system dashboard" html:jira ssl.cert.subject.cn:"${target}"
Jira_Dashboard_SSL::"system dashboard" html:jira ssl.cert.subject.cn:"${target}"
Ruby_Login_Hostname::http.component:ruby port:3000 hostname:"*.${target}"
Ruby_Login_SSL::http.component:ruby port:3000 ssl.cert.subject.cn:"${target}"
Secret_key_base_Hostname::html:"secret_key_base" hostname:"*.${target}"
Secret_key_base_SSL::html:"secret_key_base" ssl.cert.subject.cn:"${target}"
H-SPHERE_hostname::http.title:"H-SPHERE" hostname:"*.${target}"
H-SPHERE_subject::http.title:"H-SPHERE" ssl.cert.subject.cn:"${target}"
ID_VC_hostname::http.title:"ID_VC_Welcome" hostname:"*.${target}"
ID_VC_subject::http.title:"ID_VC_Welcome" ssl.cert.subject.cn:"${target}"
JBoss_header_hostname::"x-powered-by" "jboss" hostname:"*.${target}"
JBoss_header_subject::"x-powered-by" "jboss" ssl.cert.subject.cn:"${target}"
JBoss_favicon_hostname::jboss http.favicon.hash:-656811182 hostname:"*.${target}"
JBoss_favicon_subject::jboss http.favicon.hash:-656811182 ssl.cert.subject.cn:"${target}"
JBoss_Application_hostname::http.title:"Welcome to JBoss" hostname:"*.${target}"
JBoss_Application_subject::http.title:"Welcome to JBoss" ssl.cert.subject.cn:"${target}"
Splunkd_hostname::port:"8089, 8000" "splunkd" hostname:"*.${target}"
Splunkd_subject::port:"8089, 8000" "splunkd" ssl.cert.subject.cn:"${target}"
Splunkd_Atom_hostname::title:"splunkd" org:"Amazon.com" hostname:"*.${target}"
Splunkd_Atom_hostname::title:"splunkd" org:"Amazon.com" ssl.cert.subject.cn:"${target}"
Splunk_favicon_hostname::http.favicon.hash:-316785925 hostname:"*.${target}"
Splunk_favicon_subject::http.favicon.hash:-316785925 ssl.cert.subject.cn:"${target}"
Oracle_Business_hostname::http.title:"oracle business intelligence sign in" hostname:"*.${target}"
Oracle_Business_subject::http.title:"oracle business intelligence sign in" ssl.cert.subject.cn:"${target}"
Oracle_WebLogic_hostname::http.title:"Oracle WebLogic Server Administration Console" hostname:"*.${target}"
Oracle_WebLogic_subject::http.title:"Oracle WebLogic Server Administration Console" ssl.cert.subject.cn:"${target}"
Swagger_UI_hostname::http.title:"Swagger UI - " hostname:"*.${target}"
Swagger_UI_subject::http.title:"Swagger UI - " ssl.cert.subject.cn:"${target}"
SonarQube_hostname::http.title:"SonarQube" hostname:"*.${target}"
SonarQube_subject::http.title:"SonarQube" ssl.cert.subject.cn:"${target}"
Confluence_hostname::"Confluence" hostname:"*.${target}"
Confluence_subject::"Confluence" ssl.cert.subject.cn:"${target}"
TIBCO_Jaspersoft_hostname::http.title:"TIBCO Jaspersoft:" port:"443" "1970" hostname:"*.${target}"
TIBCO_Jaspersoft_subject::http.title:"TIBCO Jaspersoft:" port:"443" "1970" ssl.cert.subject.cn:"${target}"
Shipyard_Docker_mngmnt_hostname::http.title:"shipyard" HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 5664 hostname:"*.${target}"
Shipyard_Docker_mngmnt_subject::http.title:"shipyard" HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 5664 ssl.cert.subject.cn:"${target}"
Symfony_phpinfo_AWS_creds_hostname::"X-Debug-Token-Link" port:443 hostname:"*.${target}"
Symfony_phpinfo_AWS_creds_subject::"X-Debug-Token-Link" port:443 ssl.cert.subject.cn:"${target}"
SAP_NetWeaver_Application_hostname::"netweaver" hostname:"*.${target}"
SAP_NetWeaver_Application_subject::"netweaver" ssl.cert.subject.cn:"${target}"
Ivanti_hostname::http.title:"Ivanti Connect" hostname:"*.${target}"
Ivanti_ssl::http.title:"Ivanti Connect" ssl:"${target}"
Ivanti_subject::http.title:"Ivanti Connect" ssl.cert.subject.cn:"${target}"
CheckPointSVN_ssl::"Server: Check Point SVN" "X-UA-Compatible: IE=EmulateIE7" ssl:"${target}"
CheckPointSVN_subject::"Server: Check Point SVN" "X-UA-Compatible: IE=EmulateIE7" ssl.cert.subject.cn:"${target}"
!
#Dork List End
}
# ╭──────────────────────╮
# │        Usage         │
# ╰──────────────────────╯

usage(){
    printf "Usage:\n"
    printf "\tkarma_v2 [flags]\n">&2
    printf '\n' >&2
    printf "Flags:\nTARGET:\n">&2
    printf "\t-d, --domain string\ttarget DOMAIN.TLD to scan [${lightred}*${end} Required]\n">&2
    printf "\t-b, --banner\t\tKarma Is My Bitch\n">&2
    printf "\t-h, --help\t\tshow this help message and exit\n">&2
    printf "\t-s, --silent\t\tIf set only findings will be displayed and banners will be redacted.\n">&2
    printf "\t-v, --version\t\tshow Karma version\n">&2
    printf '\n' >&2
    printf "DOWNLOAD-LIMIT:\n"
    printf "\t-l, --limit integer\tDownload , Use -1 to unlimited download [${lightred}*${end} Required]\n">&2
    printf '\n' >&2
    printf "MODEs: [${lightred}*${end} Required]\n">&2
    printf "\t-ip\t\t\tScan for In-Scope-IPs Validated by CN=*.{target} and Out-Of-Scope-IPs\n" >&2
    printf "\t-asn\t\t\tDetailed Autonomous system number lookup with BGP stats, neighbours, IPv4 & IPv6 Prefixes\n" >&2
    printf "\t-cve\t\t\tScan hosts for such as OS, Host, Servers, Products, CVEs, Ports are open and which organization owns the IP\n" >&2
    printf "\t-cveid\t\t\tScan a host/domain for specific CVE ID for vulnerabilities & exploits \n" >&2
    printf "\t-favicon\t\tSearch for Favicon Icons, Calculate Favicon Hashes and Technology Detection with ${nuclei_bin} custom template\n" >&2
    printf "\t-cdn\t\t\tSSL/TLS, Hostnames, IPs Ignored any CDN Nodes [ Supported: Akamighost, Cloud(flare||front) ]\n" >&2
    printf "\t-leaks\t\t\tLook for interesting findings\n">&2
    printf "\t-deep\t\t\tDeep Scan support all modules/modes [ count, ip, asn, cve, favicon, leaks ]\n" >&2
    printf "\t-count\t\t\tReturns the number of results count for DORKs search [ No API Credit will use ]\n">&2
    printf '\n' >&2
    printf "UPDATE:\n"
    printf "\t-u, --update\t\tUpdate karma to the latest released version\n">&2
    printf '\n' >&2
    printf "SECRET:\n"
    printf "\t--secret\t\tReveal me !!!\n">&2
    printf '\n' >&2
}
# ╭──────────────────────╮
# │         HELP         │
# ╰──────────────────────╯
help(){
    printf "\n${upper}\n\t${logo}${program} is a ${description} based OSINT scanner.\n${lower}${end}\n\n"
    usage
}
# ╭──────────────────────╮
# │         ARGS         │
# ╰──────────────────────╯
args(){
    BASE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
    shodan_bin="shodan"
    httprobe_bin="httprobe"
    interlace_bin="interlace"
    lolcat_bin="lolcat"
    jq_bin="jq"
    anew_bin="anew"
    python3_bin="python3"
    nuclei_bin="nuclei"
    sleep_time="5"
    silent=False
    token="${BASE_DIR}/.token"
    nuclei_template="${BASE_DIR}/favicon-detect.yaml"
}
# ╭──────────────────────────────╮
# │        Prerequisites         │
# ╰──────────────────────────────╯
check_requirements(){

    # shodan && httprobe && interlace && jq && lolcat && anew && nuclei && python3 && mmh3
    type -P "${shodan_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${shodan_bin}. Make sure it installed OR \n\t - pip3 install shodan${end}\n";exit 1
    fi
    type -P "${httprobe_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${httprobe_bin}. Make sure it installed OR \n\t - GO111MODULE=on go get -v github.com/tomnomnom/httprobe${end}\n";exit 1
    fi
    type -P "${interlace_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${interlace_bin}. Make sure it installed OR \n\t - Clone https://github.com/codingo/Interlace.git${end}\n";exit 1
    fi
    type -P "${jq_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${jq_bin}. Make sure it installed OR \n\t - apt install jq -y${end}\n";exit 1
    fi
    type -P "${lolcat_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${lolcat_bin}. Make sure it installed OR \n\t - apt install lolcat -y${end}\n";exit 1
    fi
    type -P "${anew_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${anew_bin}. Make sure it installed OR \n\t - GO111MODULE=on go get -u github.com/tomnomnom/anew${end}\n";exit 1
    fi
    type -P "${nuclei_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${nuclei_bin}. Make sure it installed OR \n\t - GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei${end}\n";exit 1
    fi
    type -P "${python3_bin}" &>/dev/null
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${python3_bin}. Make sure it installed OR \n\t - apt install python3 python3-pip -y${end}\n";exit 1
    fi
    $(which "${python3_bin}") -c 'import mmh3' > /dev/null 2>&1
    if [[ ! $? -eq 0 ]]; then
        printf "\n[${red}!${end}] ${yellow}Error: Unable to find ${python3_bin} mmh3 module. Make sure it installed OR \n\t - ${python3_bin} -m pip install mmh3${end}\n";exit 1
    fi
}
# ╭──────────────────────────────╮
# │         Check Update         │
# ╰──────────────────────────────╯
check_update(){
    timeout 20 git fetch &>/dev/null
    exit_code=$?
    if [ $exit_code -eq 0 ]; then
        BRANCH=$(git rev-parse --abbrev-ref HEAD)
        HEADHASH=$(git rev-parse HEAD)
        UPSTREAMHASH=$(git rev-parse "${BRANCH}@{upstream}")
        if [ "$HEADHASH" != "$UPSTREAMHASH" ]; then
            printf "${upper}\n [${right}] ${yellow}There is a new version, ${end} run 'git pull' to get latest version \n${lower}\n"
            #git pull
        fi
    else
        printf "${upper}\n [${cross}] ${yellow}Unable to check updates OR not a git repository OR any of the parent dir ${end}\n${lower}\n"
    fi
}
# ╭──────────────────────────────╮
# │         Domain_RegEx         │
# ╰──────────────────────────────╯
domain_check(){
    # Accept only a syntactically valid DOMAIN.TLD before it is placed into any Shodan query
    echo "${target}" | grep -E '^([a-zA-Z0-9](([a-zA-Z0-9-]){0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$' &> /dev/null
    if [[ "$?" -gt "0" ]];then
        # The rejected value is passed as a %s argument so it is never interpreted as a printf format string
        printf "\n[${red}!${end}] ${yellow}Domain${end} ${red}%s${end} ${yellow}seems down or invalid. Make sure its a valid one.${end}\n\n" "${target}"
        exit 1
    fi
}
# ╭──────────────────────────────────────╮
# │           SHODAN API CHECK           │
# ╰──────────────────────────────────────╯
api_check(){

    cat "${BASE_DIR}/.token" &> /dev/null
    SUCCESS=$?
491 | if [[ $SUCCESS -eq 1 ]]; then 492 | printf "\n${yellow} No Premium Shodan API key found, Make sure you store API key in ${BASE_DIR}/.token ${end}\n\n" 493 | exit 0 494 | else 495 | if [[ $SUCCESS -eq 0 ]] ; then 496 | "${shodan_bin}" init $(cat ${BASE_DIR}/.token) &> /dev/null 497 | fi 498 | fi 499 | } 500 | # ╭─────────────────────────────────────────────────────╮ 501 | # │ SHODAN COUNT [ WithOUT API Credits ] │ 502 | # ╰─────────────────────────────────────────────────────╯ 503 | counts(){ 504 | printf "${upper}\n ${greenbg}Shodan Result Count ${end} [ No API Credits Use ] \n${lower}${end}\n" 505 | result_count=$(cat "${BASE_DIR}/dorks.txt" | while IFS='::' read a b c;do z=$("${shodan_bin}" count "${c}" 2> /dev/null;sleep 2); printf "${a} ${z}\n";done| awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t );echo -e "\n${result_count}" | ${lolcat_bin} -a 506 | } 507 | # ╭─────────────────────────────────────────────────────────────────────────────╮ 508 | # │ SHODAN COLLECT TARGET INFO [ With API Credits ] │ 509 | # ╰─────────────────────────────────────────────────────────────────────────────╯ 510 | collect(){ 511 | folder=${target}-$(date '-I') 512 | rm -rf ${BASE_DIR}/output/$folder > /dev/null;mkdir -p ${BASE_DIR}/output/${folder}/Collect #;cd ${BASE_DIR}/output/$folder; 513 | printf "\n" 514 | "${shodan_bin}" info 515 | 516 | echo "${result_count}" | sed 's/ /,/g' | awk -F"," '{print $1}' > /tmp/results 517 | cat ${BASE_DIR}/dorks.txt | grep -f /tmp/results | while IFS='::' read a b c;do z=$(${shodan_bin} download ${BASE_DIR}/output/$folder/Collect/"${a}"_"${target}" --limit "${count}" "${c}" |grep "Saved";sleep 5);zero=$(echo ${z} | awk '{print $2}');if [[ ${zero} -gt 0 ]];then printf ">> ${green}${z}${end}\n";fi;done 518 | 519 | #SHODAN PARSE 520 | ${shodan_bin} parse --fields ip_str,asn,hostnames,port,product,org,os --separator "::" ${BASE_DIR}/output/$folder/Collect/*.json.gz | anew -q 
${BASE_DIR}/output/$folder/main_${target}.data 521 | } 522 | # ╭──────────────────────────────────────╮ 523 | # │ Get In-Scope IPs │ 524 | # ╰──────────────────────────────────────╯ 525 | inscope_ip(){ 526 | #printf "\n${green}────> In-Scope IPs\n${end}" 527 | printf "${upper}\n ${greenbg}In-Scope-IPs${end} [ Validated by CN=*.${target} ] \n${lower}\n" 528 | cat ${BASE_DIR}/output/$folder/main_${target}.data | awk -F"::" '{print $1":"$4}'|sort -u|grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"|${httprobe_bin} -prefer-https -c 200 | interlace -threads 500 -c "echo _target_; curl --insecure -v _target_ 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'" --silent | egrep '(http|https)://[^/"]+|CN\=|issuer: |cn: |expired:|org:' | grep -v "^[[:blank:]]*$" | grep -B 1 "${target}" | grep -Eo '(http|https)://[^/"]+'|tee ${BASE_DIR}/output/$folder/ips_inscope_${target}.txt|while read -r line;do printf "${yellow}├──►${end} ${line}\n";done 529 | 530 | #cat ${BASE_DIR}/output/$folder/main_${target}.data | awk -F"::" '{print $1}' | sort -u | httpx -threads 500 -silent | interlace -threads 100 -c "echo _target_; curl --insecure -v _target_ 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'" --silent | egrep "https:\/\/|CN\=|issuer: |cn: |expired:|org:" | grep -v "^[[:blank:]]*$" | tee ${BASE_DIR}/output/$folder/curl_issuer_$target.data | grep -B 1 "${target}$" | grep -Eo '(http|https)://[^/"]+' | tee ${BASE_DIR}/output/$folder/ips_inscope_${target}.txt;printf "\n" 531 | } 532 | # ╭──────────────────────────────────────╮ 533 | # │ Get Out-Of-Scope IPs │ 534 | # ╰──────────────────────────────────────╯ 535 | out_of_scope_ip(){ 536 | printf "${upper}\n ${bluebg}Out-Of-Scope-IPs${end} [ Verified by SSL/TLS certificate subject CN ] \n${lower}\n" 537 | awk -F"::" '{print $1":"$4}' ${BASE_DIR}/output/$folder/main_${target}.data|sort -u|grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"|grep -Ev 
`cat ${BASE_DIR}/output/$folder/ips_inscope_${target}.txt|cut -d"/" -f3|cut -d":" -f1 | paste -sd "|"`|sort -u| grep -v "^[[:blank:]]*$"|while read -r line;do printf "${red}├──►${end} ${line}\n";done;printf "\n" 538 | } 539 | 540 | # ╭──────────────────────────────╮ 541 | # │ Favicon Icons │ 542 | # ╰──────────────────────────────╯ 543 | favicons(){ 544 | printf "${upper}\n ${greenbg}Favicons${end} [ Validated URLs via Shodan Collects ] \n${lower}${end}\n" 545 | o=$(zcat ${BASE_DIR}/output/$folder/Collect/*.json.gz | jq -r '.http.favicon.location|select (.!= null)' | sort -u | grep -v "^data:" | tee ${BASE_DIR}/output/$folder/favicons_${target}.txt);if [ -z "$o" ];then printf "[${red}!${end}] ${yellow}No results found [ By increasing shodan download limit=-1 may help !]\n"${end};else printf "$o \n";fi;printf "\n" 546 | } 547 | # ╭──────────────────────────────────────╮ 548 | # │ Favicon HASH │ 549 | # ╰──────────────────────────────────────╯ 550 | favicons_hash(){ 551 | printf "${upper}\n ${greenbg}Favicon Hash${end} [ Generated Favicon Hash using ${python3_bin} mmh3 Module ] \n${lower}${end}\n" 552 | o=$(cat ${BASE_DIR}/output/$folder/favicons_${target}.txt | interlace -threads 500 -c "echo _target_; curl --insecure -v _target_ 2>&1 | ${python3_bin} -c 'import mmh3,sys,codecs; print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),\"base64\")))'" --silent 2> /dev/null|grep -Ev "^Generated|^Repeat set to|^[[:blank:]]*$"|awk 'ORS=(FNR%2)?FS:RS'|sed 's/ /,|,/g' | column -s ',' -t);if [ -z "$o" ];then printf "[${red}!${end}] ${yellow}No results found [ By increasing shodan download limit=-1 may help !]\n"${end};else printf "$o \n";fi;printf "\n" 553 | } 554 | # ╭──────────────────────────────────────╮ 555 | # │ Favicon Detection │ 556 | # ╰──────────────────────────────────────╯ 557 | favicons_detection(){ 558 | rm -f ${BASE_DIR}/favicon-detect.yaml 2> /dev/null 559 | wget -q 
https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/technologies/favicon-detect.yaml -O ${BASE_DIR}/favicon-detect.yaml > /dev/null 560 | sed -i 's/\- \"{{BaseURL}}\/favicon.ico"/- "{{BaseURL}}\"/g' ${BASE_DIR}/favicon-detect.yaml 561 | printf "${upper}\n ${greenbg}Favicons Hash Detection${end} [ Technology Detection via Nuclei custom template ] \n${lower}${end}\n" 562 | o=$(cat "${BASE_DIR}/output/$folder/favicons_${target}.txt" | ${nuclei_bin} -t ${nuclei_template} -bs 100 -c 100 -silent|awk '{print $NF " : " $3}'|sed 's/ /,|,/g' | column -s ',' -t);if [ -z "$o" ];then printf "\n[${red}!${end}] ${yellow}No results found [ By increasing shodan download limit=-1 may help !]\n"${end};else printf "$o \n";fi;printf "\n" 563 | } 564 | # ╭──────────────────────╮ 565 | # │ ASNs │ 566 | # ╰──────────────────────╯ 567 | asn(){ 568 | printf "${upper}\n ${greenbg}ASN${end} [ Detailed Scan ASN || BGP neighbours || IPv4 & IPv6 Prefixes ] \n${lower}\n" 569 | asn=$(zcat ${BASE_DIR}/output/$folder/Collect/*.json.gz | jq -r 'select(.asn != null)|.asn' 2> /dev/null | sort -u) 570 | 571 | if [ -z "$asn" ];then 572 | printf "[${cross}] ${red}IPs:${end} ${yellow}No ASN found ${end}\n" 573 | else 574 | 575 | printf "${asn}\n" | grep -Eo "[0-9]*$" | while read -r line; do 576 | name=$(host -t TXT "AS${line}.asn.cymru.com" | grep -v "NXDOMAIN" | awk -F'|' 'NR==1{print substr($NF,2,length($NF)-2)}') 577 | if [ -n "$name" ]; then 578 | info=$(whois -h whois.pwhois.org "registry source-as=${line}" | grep -E "^Org-Name:|^Create-Date:") 579 | org=$(printf "${info}" | grep -E "^Org-Name:" | cut -d ':' -f 2 | sed 's/^[ \t]*//') 580 | [[ -z "$org" ]] && org="N/A" 581 | createdate=$(printf "${info}" | grep -E "^Create-Date:" | cut -d ':' -f 2- | sed 's/^[ \t]*//') 582 | [[ -z "$createdate" ]] && createdate="N/A" || createdate=$(date -d "${createdate}" "+%Y-%m-%d %H:%M:%S") 583 | fi 584 | 585 | data=$(curl -sk 
"https://stat.ripe.net/data/routing-status/data.json?resource=AS${line}&sourceapp=nitefood-asn") 586 | 587 | if [ -n "$data" ]; then ipv4=$(printf "${data}" | jq -r '.data.announced_space.v4.prefixes');ipv6=$(printf "${data}" | jq -r '.data.announced_space.v6.prefixes');bgp=$(printf "${data}" | jq -r '.data.observed_neighbours'); fi 588 | ipv4_inetnums="" 589 | ipv6_inetnums="" 590 | for prefix in $(curl -ks "https://stat.ripe.net/data/announced-prefixes/data.json?resource=${line}&sourceapp=nitefood-asn" | jq -r '.data.prefixes | .[] | .prefix'); do 591 | 592 | if [[ "$prefix" == *':'* ]]; then inet6nums=$(xargs -P500 whois -h whois.ripe.net -- "-T inet6num -K -L --resource $prefix" 2> /dev/null | grep -m2 inet6num | cut -d ':' -f 2- | sed 's/^[ \t]*//') 593 | for inet6num in $inet6nums; do 594 | prefix_size=$(echo "$inet6num" | cut -d '/' -f2);[[ "$prefix_size" -lt 29 ]] && continue || ipv6_inetnums+="${inet6num}\n"; 595 | done 596 | 597 | else 598 | ipv4_inetnums+=$(xargs -P500 whois -h whois.ripe.net -- "-T inetnum -K -L --resource $prefix" 2> /dev/null | grep -m1 inetnum | cut -d ':' -f 2 | sed 's/^[ \t]*//' | xargs -P500 ipcalc -r 2> /dev/null | grep -v "deaggregate\|INVALID ADDRESS") 599 | ipv4_inetnums+="\n" 600 | fi 601 | done 602 | 603 | if [ -n "$ipv4_inetnums" ]; then ipv4_inetnums=$(echo -e "$ipv4_inetnums" | sort -u);out="";for inetnum in $ipv4_inetnums; do out+="$inetnum\n";done ; ipv4_inetnums="$out";fi 604 | if [ -n "$ipv6_inetnums" ]; then ipv6_inetnums=$(echo -e "$ipv6_inetnums" | sort -u);out="";for inet6num in $ipv6_inetnums; do out+="$inet6num\n";done ; ipv6_inetnums="$out";fi 605 | ipv4_inet=$(printf "${ipv4_inetnums}" | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 606 | ipv6_inet=$(printf "${ipv6_inetnums}" | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 607 | 608 | printf "${asn}\n" | while read -r asn_num;do 609 | printf "[${right}] ${red}${asn_num}${end}\n\t┌${bluebg}ASN 
Name${end}\t\t────>\t $( [[ ! -z $name ]] && printf "${green}${name}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}Org Name${end}\t\t────>\t $( [[ ! -z $org ]] && printf "${green}${org}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}AS Reg Date${end}\t\t────>\t $( [[ ! -z $createdate ]] && printf "${green}${createdate}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}IPv4 Prefixes${end}\t\t────>\t $( [[ ! -z $ipv4 ]] && printf "${green}${ipv4}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}IPv6 Prefixes${end}\t\t────>\t $( [[ ! -z $ipv6 ]] && printf "${green}${ipv6}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}BGP Neighbours${end}\t\t────>\t $( [[ ! -z $bgp ]] && printf "${green}${bgp}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}IPv4 INET${end}\t\t────>\t $( [[ ! -z $ipv4_inet ]] && printf "${green}${ipv4_inet}${end}" || printf "${yellow}No results found"${end} )\n\t└${bluebg}IPv6 INET${end}\t\t────>\t $( [[ ! -z $ipv4_inet ]] && printf "${green}${ipv6_inet}${end}" || printf "${yellow}No results found"${end} )\n\n" 610 | done | tee ${BASE_DIR}/output/$folder/ASNs_Detailed_${target}.txt 611 | done 612 | fi 613 | 614 | } 615 | # ╭──────────────────────────────╮ 616 | # │ Other Findings │ 617 | # ╰──────────────────────────────╯ 618 | findings(){ 619 | cd ${BASE_DIR}/output/$folder/Collect/ 620 | printf "╔════════[ ${red}Ineresting Findings${end} ]═══════════════════════════════════════════════════════════════════════╗\n\n" 621 | ls -1 | grep -f "/tmp/results" | grep -Ev "ssl_SHA1|Org_Domain|SSL_Domain|SSL_Expired|SSL_Issuer|SSL_SubjectCN|SSL_Subject|Host_Domain" | 622 | while read -r line;do printf "├─${bluebg}${line}${end}\n";zcat ${line} | jq -r 'select(.ip_str != null)|.ip_str + ":" + "\(select(.port != null)|.port)"'|awk 'NR%2{printf "%s ",$0;next;}1'|sed 's/ /,|,/g'|column -s"," -t|while read -r leaks;do printf "$( [[ ! 
-z ${leaks} ]] && printf "\t\t${green}╰─${end} ${leaks}\n" || printf "${yellow}No results found"${end})\n";done;done 623 | } 624 | # ╭──────────────────────────────────────────────╮ 625 | # │ Collect Data for each IP │ 626 | # ╰──────────────────────────────────────────────╯ 627 | host_scan(){ 628 | printf "${upper}\n ${greenbg}Scanning In-Scope Hosts${end} [ Validated IPs via Shodan Collects ] \n${lower}${end}\n" 629 | mkdir -p ${BASE_DIR}/output/$folder/IP_VULNS 630 | cd ${BASE_DIR}/output/$folder/IP_VULNS;cat ${BASE_DIR}/output/$folder/ips_inscope_${target}.txt |grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"| while read -r line;do shodan host -S --format pretty $line > /dev/null;sleep 5;[ "$silent" == "False" ] && echo -en "💀${bold}${green}🍺💀${end}${normal}";done;printf "\n" 631 | } 632 | # ╭──────────────────────────────────────────────────────────────╮ 633 | # │ IPs, Ports, CVEs, Org, Server, Product, OS │ 634 | # ╰──────────────────────────────────────────────────────────────╯ 635 | host_enum(){ 636 | printf "${upper}\n ${greenbg}Host Enumuration${end} [ OS, Host, Servers, Products, CVEs, Ports, Org owns the IP ] \n${lower}${end}\n" 637 | cd ${BASE_DIR}/output/$folder/IP_VULNS/ > /dev/null 638 | ls -1 | while read -r x; do 639 | IP=$(zcat $x | jq -r 'select(.ip_str != null)|.ip_str' | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 640 | OS=$(zcat $x | jq -r 'select(.os != null)|.os' | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 641 | CVE=$(zcat $x | jq -r '.vulns | to_entries[] | select(.key != null) |.key' 2> /dev/null|sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 642 | ORG=$(zcat $x | jq -r 'select(.org != null)|.org' | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 643 | PORT=$(zcat $x | jq -r 'select(.port != null)|.port' | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 644 | 
SERVER=$(zcat $x | jq -r '.http|select(.server != null)|.server' | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 645 | PRODUCT=$(zcat $x | jq -r 'select(.product != null)|.product' | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 646 | HOSTNAME=$(zcat $x | jq -r 'select(.hostnames != null)|.hostnames[]' | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;s/<----- key \(start\|stop\) ----->//g;p}') 647 | 648 | if [ -z "$IP" ];then 649 | printf "[${cross}] ${red}IPs:${end} ${yellow}No results found ${end}\n"; 650 | else 651 | echo ${IP} | while read -r line;do 652 | printf "[${right}] ${red}${IP}${end}\n\t┌${bluebg}OS${end}\t\t────>\t $( [[ ! -z $OS ]] && printf "${green}${OS}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}HOST${end}\t\t────>\t $( [[ ! -z $HOSTNAME ]] && printf "${green}${HOSTNAME}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}ORGS${end}\t\t────>\t $( [[ ! -z $ORG ]] && printf "${green}${ORG}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}PORTS${end}\t\t────>\t $( [[ ! -z $PORT ]] && printf "${green}${PORT}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}SERVERS${end}\t────>\t $( [[ ! -z $SERVER ]] && printf "${green}${SERVER}${end}" || printf "${yellow}No results found"${end} )\n\t├${bluebg}PRODUCTS${end}\t────>\t $( [[ ! -z $PRODUCT ]] && printf "${green}${PRODUCT}${end}" || printf "${yellow}No results found"${end} )\n\t└${bluebg}CVE VULNs${end}\t────>\t $( [[ ! 
-z $CVE ]] && printf "${green}${CVE}${end}" || printf "${yellow}No results found"${end} )\n\n" 653 | 654 | done 655 | fi 656 | done | tee ${BASE_DIR}/output/$folder/host_enum_${target}.txt 657 | 658 | } 659 | # ╭──────────────────────────────────────╮ 660 | # │ KARMA IS MY BITCH │ 661 | # ╰──────────────────────────────────────╯ 662 | karma(){ 663 | banner 664 | args 665 | check_requirements 666 | domain_check 667 | api_check 668 | dorks > ${BASE_DIR}/dorks.txt 669 | counts 670 | collect 671 | inscope_ip 672 | out_of_scope_ip 673 | favicons 674 | favicons_hash 675 | favicons_detection 676 | asn 677 | findings 678 | host_scan 679 | host_enum 680 | } 681 | # ╭──────────────────────────────╮ 682 | # │ LIST │ 683 | # ╰──────────────────────────────╯ 684 | ip(){ 685 | banner 686 | api_check 687 | dorks > ${BASE_DIR}/dorks.txt 688 | printf "${upper}\n ${greenbg}Shodan Result Count ${end} [ No API Credits Use ] \n${lower}\n" 689 | result_count=$(cat "${BASE_DIR}/dorks.txt"|grep -E "ssl_SHA1|SSL_Domain|Org_Domain|Hostname_Domain|SSL_Issuer|SSL_Subject|SSL_Expired|SSL_SubjectCN" | while IFS='::' read a b c;do z=$(shodan count "$c";sleep 2); printf "$a $z\n";done| awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t);echo -e "\n$result_count" | ${lolcat_bin} -a 690 | collect 691 | inscope_ip 692 | out_of_scope_ip 693 | } 694 | asn_scan(){ 695 | banner 696 | api_check 697 | dorks > ${BASE_DIR}/dorks.txt 698 | printf "${upper}\n ${greenbg}Shodan Result Count ${end} [ No API Credits Use ] \n${lower}\n" 699 | result_count=$(cat "${BASE_DIR}/dorks.txt"|grep -E "SSL_Domain|Hostname_Domain" | while IFS='::' read a b c;do z=$(shodan count "$c";sleep 2); printf "$a $z\n";done| awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t);echo -e "\n$result_count" | ${lolcat_bin} -a 700 | collect 701 | asn 702 | } 703 | favicon_scan(){ 704 | banner 705 | api_check 706 | dorks > ${BASE_DIR}/dorks.txt 707 | printf "${upper}\n ${greenbg}Shodan Result 
Count ${end} [ No API Credits Used ] \n${lower}\n" 708 | result_count=$(cat "${BASE_DIR}/dorks.txt"|grep -E "SSL_Domain|Org_Domain|Hostname_Domain|SSL_Issuer|SSL_Subject|SSL_Expired|SSL_SubjectCN" | while IFS='::' read a b c;do z=$(shodan count "$c";sleep 2); printf "$a $z\n";done| awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t);echo -e "\n$result_count" | ${lolcat_bin} -a 709 | collect 710 | favicons 711 | favicons_hash 712 | favicons_detection 713 | } 714 | cve(){ 715 | banner 716 | api_check 717 | dorks > ${BASE_DIR}/dorks.txt 718 | printf "${upper}\n ${greenbg}Shodan Result Count ${end} [ No API Credits Use ] \n${lower}\n" 719 | result_count=$(cat "${BASE_DIR}/dorks.txt"|grep -E "ssl_SHA1|SSL_Domain|Org_Domain|Hostname_Domain|SSL_Issuer|SSL_Subject|SSL_Expired|SSL_SubjectCN" | while IFS='::' read a b c;do z=$(shodan count "$c";sleep 2); printf "$a $z\n";done| awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t);echo -e "\n$result_count" | ${lolcat_bin} -a 720 | collect 721 | inscope_ip >/dev/null 2>/dev/null 722 | host_scan 723 | host_enum 724 | } 725 | cveid(){ 726 | banner 727 | api_check 728 | printf "${upper}\n ${greenbg}Shodan Result CVE ID ${end} [ ${cveid} ] \n${lower}\n" 729 | printf "CVE_ID::vuln:${cveid} ssl:${target}\n" > ${BASE_DIR}/dorks.txt 730 | result_count=$(cat "${BASE_DIR}/dorks.txt" | while IFS='::' read a b c; do z=$(${shodan_bin} count "$c");printf "$a $z\n";done | awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t);echo -e "\n$result_count" | ${lolcat_bin} -a 731 | o=$(echo ${result_count}|awk '{print $NF}');if [ -z ${o} ]; then printf "[${red}!${end}] ${yellow}Not vulnerable to ${red}${cveid}${end}\n\n";exit 0;fi 732 | collect 733 | inscope_ip >/dev/null 2>/dev/null 734 | host_scan >/dev/null 2>/dev/null 735 | host_enum 736 | } 737 | run_counts(){ 738 | banner 739 | api_check 740 | dorks > ${BASE_DIR}/dorks.txt 741 | counts 742 | } 743 | leaks(){ 744 | banner 745 
| api_check 746 | dorks > ${BASE_DIR}/dorks.txt 747 | printf "${upper}\n ${greenbg}Shodan Result Count ${end} [ No API Credits Use ] \n${lower}\n" 748 | result_count=$(cat "${BASE_DIR}/dorks.txt"|grep -Ev "ssl_SHA1|SSL_Domain|Org_Domain|Hostname_Domain|SSL_Issuer|SSL_Subject|SSL_Expired|SSL_SubjectCN" | while IFS='::' read a b c;do z=$(shodan count "$c";sleep 2); printf "$a $z\n";done| awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t);echo -e "\n$result_count" | ${lolcat_bin} -a 749 | collect 750 | findings 751 | } 752 | cnd_ignore_ips(){ 753 | banner 754 | api_check 755 | dorks > ${BASE_DIR}/dorks.txt 756 | printf "${upper}\n ${greenbg}SSL/TLS, Hosts, IPs Ignored any CDN Nodes.${end} [ Akamighost, Cloud(flare||front) ] \n${lower}\n" 757 | result_count=$(cat "${BASE_DIR}/dorks.txt"|grep "Ignored-by_CDNs" | while IFS='::' read a b c;do z=$(shodan count "$c";sleep 2); printf "$a $z\n";done| awk '{if ($NF > 0)print $1 " " $NF }' | sed 's/ /,|,/g' | column -s ',' -t);echo -e "\n$result_count" | ${lolcat_bin} -a 758 | collect 759 | inscope_ip 760 | out_of_scope_ip 761 | } 762 | 763 | prarg(){ 764 | set +u 765 | while :;do 766 | case $1 in 767 | '-d'|'--domain') 768 | target=$2 769 | shift 770 | ;; 771 | '-l'|'--limit') 772 | count=$2 773 | shift 774 | ;; 775 | '-s'|'--silent') 776 | silent='true' 777 | ;; 778 | '-u'|'--update') 779 | check_update 780 | exit 0 781 | ;; 782 | '-b'|'--banner') 783 | banner 784 | exit 0 785 | ;; 786 | '--secret') 787 | secret 788 | exit 0 789 | ;; 790 | '-v'|'--version') 791 | banner 792 | printf "Corrent Version: ${version}\n\n" 793 | exit 0 794 | ;; 795 | '-h'|'--help') 796 | help 797 | exit 0 798 | ;; 799 | ################# MODES 800 | '-ip') 801 | mode='ip' 802 | ;; 803 | '-asn') 804 | mode='asn' 805 | ;; 806 | '-cve') 807 | mode='cve' 808 | ;; 809 | '-cveid') 810 | mode='cveid' 811 | cveid=$2 812 | shift 813 | ;; 814 | '-favicon') 815 | mode='favicon' 816 | ;; 817 | '-cdn') 818 | mode='cdn' 819 | ;; 820 | 
'-leaks') 821 | mode='leaks' 822 | ;; 823 | '-count') 824 | mode='count' 825 | ;; 826 | '-deep') 827 | mode='deep' 828 | ;; 829 | "") 830 | shift 831 | break 832 | ;; 833 | '*') 834 | echo "Error: unknown: $1" 835 | usage 836 | exit 1 837 | ;; 838 | esac 839 | shift 840 | done 841 | if [[ ! -z "${target}" ]];then 842 | domain_check 843 | else 844 | printf "\n[${red}${cross}${end}] ${yellow}No target/domain given. Make sure you go through the usage/help${end}\n\n" 845 | usage 846 | exit 1 847 | fi 848 | if [[ -z "${count}" ]];then 849 | printf "\n[${red}${cross}${end}] ${yellow}No limit given. Make sure you go through the usage/help${end}\n\n" 850 | usage 851 | exit 1 852 | fi 853 | if [[ -z "${mode}" ]];then 854 | printf "\n[${red}${cross}${end}] ${yellow}No mode given. Make sure you go through the usage/help${end}\n\n" 855 | usage 856 | exit 1 857 | fi 858 | if [ "${mode}" == 'ip' ];then 859 | ip 860 | exit 0 861 | elif [ "${mode}" == 'asn' ];then 862 | #echo "Your target is : ${target}" 863 | echo "ASN" 864 | asn_scan 865 | exit 0 866 | elif [ "${mode}" == 'cve' ];then 867 | cve 868 | exit 0 869 | elif [ "${mode}" == 'cveid' ];then 870 | cveid 871 | exit 0 872 | elif [ "${mode}" == 'cdn' ];then 873 | cnd_ignore_ips 874 | exit 0 875 | elif [ "${mode}" == 'favicon' ];then 876 | favicon_scan 877 | exit 0 878 | elif [ "${mode}" == 'leaks' ];then 879 | leaks 880 | exit 0 881 | elif [ "${mode}" == 'count' ];then 882 | run_counts 883 | exit 0 884 | elif [ "${mode}" == 'deep' ];then 885 | karma 886 | exit 0 887 | fi 888 | } 889 | # check_update 890 | args 891 | check_requirements 892 | prarg $@ 893 | tput sgr0 894 | --------------------------------------------------------------------------------
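The favicon hash that `favicons_hash()` in the script above computes with `mmh3.hash(codecs.encode(..., "base64"))`, written out as an added example that is not part of the karma_v2 repository: a pure-Python MurmurHash3 (x86, 32-bit) so it runs without the `mmh3` module, showing that the value only matches an inventory entry when exactly the response body is hashed in line-wrapped base64. The sample bytes and the names `favicon_hash` and `compare_inputs` are constructed for illustration.

```python
"""Favicon hash as used by the script: MurmurHash3 over line-wrapped base64."""
import base64
import codecs

_MASK = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & _MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int like mmh3.hash()."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & _MASK
    n = len(data)
    full = n - (n % 4)
    for i in range(0, full, 4):            # body: 4-byte little-endian blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & _MASK
        k = _rotl32(k, 15)
        k = (k * c2) & _MASK
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & _MASK
    tail = data[full:]                      # 0 to 3 leftover bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & _MASK
        k = _rotl32(k, 15)
        k = (k * c2) & _MASK
        h ^= k
    h ^= n                                  # finalization mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & _MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & _MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(body: bytes) -> int:
    """Same input as the script: base64 with a newline every 76 characters."""
    return murmur3_32(codecs.encode(body, "base64"))


def compare_inputs(body: bytes, noise: bytes) -> dict:
    """Hash the same icon three ways to show which inputs change the result."""
    return {
        "body_only": favicon_hash(body),
        # curl -v ... 2>&1 style input: connection trace prepended to the body
        "with_verbose_output": favicon_hash(noise + body),
        # base64 without line wrapping: a different byte string, different hash
        "unwrapped_base64": murmur3_32(base64.b64encode(body)),
    }


# Constructed sample data: an ICO-like header plus filler, not a real favicon.
SAMPLE_ICON = b"\x00\x00\x01\x00" + bytes(range(256))
# Constructed stand-in for client trace output (documentation IP and host).
VERBOSE_NOISE = (b"* Connected to host.example (192.0.2.10) port 443\n"
                 b"> GET /favicon.ico HTTP/1.1\n")

if __name__ == "__main__":
    for label, value in compare_inputs(SAMPLE_ICON, VERBOSE_NOISE).items():
        print(f"{label:22s} {value}")
```

Only the `body_only` value is comparable with hashes recorded elsewhere for the same icon; the other two inputs produce unrelated numbers.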