├── README.md
├── install.sh
└── recon.sh

/README.md:
--------------------------------------------------------------------------------
# AutoRecon

![Banner](https://zupimages.net/up/19/01/uikg.png)![Maintenance](https://img.shields.io/badge/Maintained%3F-no-red.svg) ![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg) ![MIT license](https://img.shields.io/badge/License-MIT-blue.svg)

## CHECK [RENGINE](https://github.com/yogeshojha/rengine/) FOR A MORE INTERESTING AND ACTIVELY MAINTAINED PROJECT

## Features

- Enumerate subdomains, generate permutations and remove wildcards with [Amass](https://github.com/OWASP/Amass/)
- Search subdomains on GitHub with [Github-Subdomains](https://github.com/gwen001/github-search/blob/master/github-subdomains.py)
- Find web services and take screenshots with [Aquatone](https://github.com/michenriksen/aquatone)
- [Nuclei](https://github.com/projectdiscovery/nuclei) : Configurable targeted scanning based on templates
- [Gau](https://github.com/lc/gau) : Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain
- [Hakrawler](https://github.com/hakluke/hakrawler) : Simple, fast web crawler
- [ParamSpider](https://github.com/devanshbatham/ParamSpider) : Mining parameters from dark corners of Web Archives
- [Gf](https://github.com/tomnomnom/gf) : A wrapper around grep, to help you grep for things
- With some GF profiles from [Gf-Patterns](https://github.com/1ndianl33t/Gf-Patterns) and [ParamSpider](https://github.com/devanshbatham/ParamSpider/tree/master/gf_profiles)
- [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) : Designed to find hidden subdomains and secrets present in the web page itself, on GitHub, or in the external JavaScript files referenced by the given URL

![Workflow](https://zupimages.net/up/20/28/mclg.png)

## Installation
- Installation & recon tested on Ubuntu 20.04

Run the installer:
```bash
./install.sh
```

If wanted (recommended), configure [Amass](https://github.com/OWASP/Amass/) with the desired API keys by creating a [config.ini](https://github.com/OWASP/Amass/blob/master/examples/config.ini) file.

Create the file `.tokens` in `/root/Tools/Github-Subdomains/` with one or more GitHub tokens.

## Usage
```bash
./recon.sh -d domain.tld -r -s -c /root/Tools/Amass/config.ini
```

Options :
```bash
-d  | --domain       (required) : Domain in domain.tld format
-r  | --recon        (optional) : Search subdomains for the specified domain
-s  | --scan         (optional) : Scan the specified domain
-c  | --amassconfig  (optional) : Provide Amass configuration files for better results
-rp | --resultspath  (optional) : Defines the output folder
```

![RunningScript](https://zupimages.net/up/20/28/j650.png)

## Domain monitoring
Because recon.sh runs Amass with the `-dir` option, Amass keeps a database of every enumeration, and `amass track` can report what changed between two runs. This makes monitoring possible with a short bash script.
For example, you can create a cron task that executes the following content at regular intervals:

```bash
#!/bin/bash
DOMAIN=your-domain.tld

# Run the subdomain enumeration (-r) so that the Amass database under -dir
# receives a new enumeration to compare against
/root/AutoRecon.sh -d "$DOMAIN" -r -c /root/Tools/Amass/config.ini

# amass track compares the stored enumerations and prints the differences
MSG=$(amass track -d "$DOMAIN" -dir "/root/Recon/$DOMAIN/Amass/" | grep 'Found:')
PAYLOAD="payload={\"text\": \"$MSG\"}"
HOOK=https://hooks.slack.com/services/XXXX/XXXX/XXXX

# Only post to Slack when amass track reported something new
if [ -n "$MSG" ]
then
    curl -X POST --data-urlencode "$PAYLOAD" "$HOOK"
fi
```

![SlackAlert](https://zupimages.net/up/20/19/yozr.png)
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Installs the AutoRecon tool chain under /root/Tools, /usr/local and /usr/bin,
# so it has to run as root.

Tools="/root/Tools"

if [ "$(id -u)" -ne 0 ]; then
    echo "install.sh must be run as root" >&2
    exit 1
fi

# Resolve the directory this script lives in before changing directory
# (used at the end to remove the installer itself)
SCRIPT_PATH="$(cd "$(dirname "$0")" && pwd)"
if [ -z "$SCRIPT_PATH" ]; then
    # the path is not accessible to the script (e.g. permissions re-evaluated after suid)
    exit 1
fi

mkdir -p "$Tools"

# Update & upgrade
apt-get update && apt-get upgrade -y

# Install requirements
apt-get install unzip libldns-dev git snapd dnsutils python3 python3-pip jq -y
pip3 install colored

# Ensure that the snapd service is running
systemctl start snapd

# Unpack release archives in a scratch directory: they ship their own
# README.md / LICENSE files, which must not collide with (or delete) files
# in the directory install.sh was started from
WORK="$(mktemp -d)"
cd "$WORK" || exit 1

## Install Golang
wget https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.14.2.linux-amd64.tar.gz
rm go1.14.2.linux-amd64.tar.gz
# Single quotes keep $PATH unexpanded so it is resolved when .profile is sourced
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.profile
source ~/.profile

## Install Aquatone
wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip
unzip aquatone_linux_amd64_1.7.0.zip
rm aquatone_linux_amd64_1.7.0.zip README.md LICENSE.txt
mv aquatone /usr/local/bin/

## Install Chromium for Aquatone
snap install chromium

## Install Amass for recon
snap install amass

## Install Nuclei
wget https://github.com/projectdiscovery/nuclei/releases/download/v2.1.0/nuclei_2.1.0_linux_amd64.tar.gz
tar -xzvf nuclei_2.1.0_linux_amd64.tar.gz
rm nuclei_2.1.0_linux_amd64.tar.gz LICENSE.md README.md
mv nuclei /usr/bin/nuclei

nuclei -update-templates -update-directory "$Tools"

## Install Httprobe
go get -u github.com/tomnomnom/httprobe
mv ~/go/bin/httprobe /usr/bin/

## Install Hakrawler
go get github.com/hakluke/hakrawler
mv ~/go/bin/hakrawler /usr/bin/

## Install Kxss
git clone https://github.com/tomnomnom/hacks
(cd hacks/kxss && go build main.go && mv main /usr/bin/kxss)
rm -r hacks/

## Install ParamSpider
cd "$Tools" || exit 1
git clone https://github.com/devanshbatham/ParamSpider
pip3 install -r ParamSpider/requirements.txt

## Install GF
go get -u github.com/tomnomnom/gf
echo 'source /root/go/src/github.com/tomnomnom/gf/gf-completion.bash' >> ~/.bashrc
source ~/.bashrc
cp -r /root/go/src/github.com/tomnomnom/gf/examples ~/.gf
mv ~/go/bin/gf /usr/bin/
cd ~/.gf || exit 1
cp "$Tools"/ParamSpider/gf_profiles/* .

## Add more GF patterns
git clone https://github.com/1ndianl33t/Gf-Patterns
mv Gf-Patterns/*.json .
rm -r Gf-Patterns/

## Install GAU
GO111MODULE=on go get -u -v github.com/lc/gau
mv ~/go/bin/gau /usr/bin/

## Install SubDomainizer
cd "$Tools" || exit 1
git clone https://github.com/nsonaniya2010/SubDomainizer.git
pip3 install -r SubDomainizer/requirements.txt

## Install Github-Subdomains.py
mkdir -p "$Tools/Github-Subdomains/" && cd "$Tools/Github-Subdomains" || exit 1
wget https://raw.githubusercontent.com/gwen001/github-search/master/github-subdomains.py

# Add /snap/bin to $PATH (again kept unexpanded until login)
echo 'export PATH="$PATH:/snap/bin"' >> ~/.profile
source ~/.profile

## END
rm -rf "$WORK"
# Remove the installer itself once everything is in place
rm "$SCRIPT_PATH/install.sh"
--------------------------------------------------------------------------------
/recon.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## VARIABLES
ResultsPath="/root/Recon"
ToolsPath="/root/Tools"

## FUNCTIONS
die() {
    printf '%s\n' "$1" >&2
    exit 1
}

help() {
    banner
    echo -e "Usage : ./recon.sh -d domain.tld -r -s
    -d  | --domain       (required) : Domain in domain.tld format
    -r  | --recon        (optional) : Search subdomains for the specified domain
    -s  | --scan         (optional) : Scan the specified domain
    -c  | --amassconfig  (optional) : Provide Amass configuration files for better results
    -rp | --resultspath  (optional) : Defines the output folder
    "
}

banner() {
    echo -e "
 █████╗ ██╗   ██╗████████╗ ██████╗ ██████╗ ███████╗ ██████╗ ██████╗ ███╗   ██╗
██╔══██╗██║   ██║╚══██╔══╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██╔═══██╗████╗  ██║
███████║██║   ██║   ██║   ██║   ██║██████╔╝█████╗  ██║     ██║   ██║██╔██╗ ██║
██╔══██║██║   ██║   ██║   ██║   ██║██╔══██╗██╔══╝  ██║     ██║   ██║██║╚██╗██║
██║  ██║╚██████╔╝   ██║   ╚██████╔╝██║  ██║███████╗╚██████╗╚██████╔╝██║ ╚████║
╚═╝  ╚═╝ ╚═════╝    ╚═╝    ╚═════╝ ╚═╝  ╚═╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝  ╚═══╝
"
}

# Scan one host ($1); every tool writes into today's dated result folder
scan() {
    local target=$1
    local out="$ResultsPath/$domain/$(date +%F)/$target"
    echo -e "Scan of \e[31m$target\e[0m is in progress"
    mkdir -p "$out"

    ## Nuclei (httprobe first, to find the live web services on the usual ports)
    echo -e ">> \e[36mNuclei\e[0m is in progress"
    echo "$target" | httprobe -p http:81 -p https:81 -p https:8443 -p http:8080 -p https:8080 > "$out/httprobe.txt"
    nuclei -l "$out/httprobe.txt" -t "$ToolsPath/nuclei-templates/" -o "$out/nuclei.txt" > /dev/null 2>&1

    ## GAU
    echo -e ">> \e[36mGAU\e[0m is in progress"
    gau "$target" >> "$out/gau.txt"

    ## Hakrawler
    echo -e ">> \e[36mHakrawler\e[0m is in progress"
    echo "$target" | hakrawler -forms -js -linkfinder -plain -robots -sitemap -usewayback -outdir "$out/hakrawler" | kxss >> "$out/kxss.txt"

    ## ParamSpider
    echo -e ">> \e[36mParamSpider\e[0m is in progress"
    cd "$ToolsPath/ParamSpider/" || return 1
    python3 paramspider.py --domain "$target" --exclude woff,css,js,png,svg,jpg -o paramspider.txt > /dev/null 2>&1

    if [ -s "$ToolsPath/ParamSpider/output/paramspider.txt" ]
    then
        mv ./output/paramspider.txt "$out/"

        ## GF: run each pattern over the ParamSpider URLs, one result file per pattern
        echo -e ">> \e[36mGF\e[0m is in progress"
        mkdir -p "$out/GF"
        for pattern in xss potential debug_logic idor lfi rce redirect sqli ssrf ssti
        do
            gf "$pattern" "$out/paramspider.txt" >> "$out/GF/$pattern.txt"
        done
    fi

    ## SubDomainizer
    echo -e ">> \e[36mSubDomainizer\e[0m is in progress"
    python3 "$ToolsPath/SubDomainizer/SubDomainizer.py" -u "$target" -o "$out/SubDomainizer.txt" > /dev/null 2>&1

    ## Remove any (empty) ParamSpider output left behind so it cannot leak into the next host
    rm -f "$ToolsPath/ParamSpider/output/paramspider.txt"
}

main() {
    banner

    # Always create today's folder: on a repeat run the domain folder already
    # exists but the dated subfolder does not
    local today="$ResultsPath/$domain/$(date +%F)"
    mkdir -p "$today"

    if [ -v recon ] ## IF RECON OPTION WAS PROVIDED
    then
        echo -e "Recon is in \e[31mprogress\e[0m, take a coffee"

        ## ENUM SUB-DOMAINS
        echo -e ">> \e[36mAmass\e[0m is in progress"

        ## LAUNCH AMASS (the -dir database persists across runs; "amass track" relies on it)
        mkdir -p "$ResultsPath/$domain/Amass"
        wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/deepmagic.com-prefixes-top50000.txt -P "$ResultsPath/$domain/" > /dev/null 2>&1

        if [ -z "$ac" ]
        then
            amass enum -active -o "$today/domains_tmp.txt" -d "$domain" -brute -w "$ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt" -dir "$ResultsPath/$domain/Amass" > /dev/null 2>&1
        else
            amass enum -active -o "$today/domains_tmp.txt" -d "$domain" -brute -w "$ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt" -config "$ac" -dir "$ResultsPath/$domain/Amass" > /dev/null 2>&1
        fi

        ## LAUNCH GITHUB-SUBDOMAINS.PY
        echo -e ">> \e[36mGithub-Subdomains.py\e[0m is in progress"
        python3 "$ToolsPath/Github-Subdomains/github-subdomains.py" -d "$domain" >> "$today/domains_tmp.txt"

        ## SORT & REMOVE DUPLICATES INTO DOMAINS.TXT
        sort -u "$today/domains_tmp.txt" > "$today/domains.txt"
        rm "$today/domains_tmp.txt"

        ## LAUNCH AQUATONE
        echo -e ">> \e[36mAquatone\e[0m is in progress"
        mkdir -p "$today/Aquatone"
        cd "$today/Aquatone" || die "ERROR: cannot enter $today/Aquatone"
        aquatone -chrome-path /snap/bin/chromium -ports xlarge < ../domains.txt > /dev/null 2>&1

        ## REMOVE USELESS FILES
        rm "$ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt"
    fi

    if [ -v scan ] ## IF SCAN OPTION WAS PROVIDED
    then
        if [ -v recon ] ## IF RECON OPTION WAS PROVIDED: scan every host found, otherwise only the given domain
        then
            # stdin of each scan is detached so that no tool can consume the rest of the host list
            while read -r line; do
                scan "$line" < /dev/null
            done < "$today/domains.txt"
        else
            scan "$domain"
        fi
    fi

    echo -e "=========== Recon is \e[32mfinished\e[0m ==========="
}

while :; do
    case $1 in
        -h|-\?|--help)
            help
            exit
            ;;
        -d|--domain)
            if [ "$2" ]; then
                domain=$2
                shift
            else
                die 'ERROR: "--domain" requires a non-empty option argument.'
            fi
            ;;
        --domain=)
            die 'ERROR: "--domain" requires a non-empty option argument.'
            ;;
        -c|--amassconfig)
            if [ "$2" ]; then
                ac=$2
                shift
            fi
            ;;
        -rp|--resultspath)
            if [ "$2" ]; then
                ResultsPath=$2
                shift
            fi
            ;;
        -s|--scan)
            scan=true
            ;;
        -r|--recon)
            recon=true
            ;;
        --)
            shift
            break
            ;;
        -?*)
            printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
            ;;
        *)
            break
            ;;
    esac

    shift
done

if [ -z "$domain" ]
then
    help
    die 'ERROR: "--domain" requires a non-empty option argument.'
fi

main
--------------------------------------------------------------------------------
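The README's monitoring script depends on `amass track` and interpolates its output straight into the JSON payload. The following added example (not part of the AutoRecon repository) does the same "what is new" comparison directly on the dated `domains.txt` files that recon.sh writes, so hosts found by Github-Subdomains are covered too, and builds the Slack `payload=` field with proper JSON escaping; the folder names and hostnames in `demo()` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of AutoRecon: diff two dated recon runs laid out as
# $ResultsPath/<domain>/<YYYY-MM-DD>/domains.txt and build a valid Slack
# payload for the hosts that only appear in the newer run.
# Paths and hostnames in demo() are constructed for illustration.

# Print hostnames present in $2 (newer run) but absent from $1 (older run).
# Both lists are lower-cased, sorted and de-duplicated first, so a name that
# only changed case or position is not reported as new.
new_subdomains() {
    old=$(mktemp) && new=$(mktemp) || return 1
    tr '[:upper:]' '[:lower:]' < "$1" | sort -u > "$old"
    tr '[:upper:]' '[:lower:]' < "$2" | sort -u > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Escape a string for a JSON string literal: backslash and double quote are
# escaped and every newline becomes the two characters \n. The README
# interpolates the raw amass output, which breaks on the first quote or
# second line of output.
json_escape() {
    printf '%s' "$1" \
      | sed 's/\\/\\\\/g; s/"/\\"/g' \
      | awk 'BEGIN { bs = "\\" } NR > 1 { printf "%s", bs "n" } { printf "%s", $0 }'
}

# The payload= form field that the README posts with curl --data-urlencode.
slack_payload() {
    printf 'payload={"text": "%s"}' "$(json_escape "$1")"
}

# Stand-alone demonstration on two constructed daily result folders.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/2020-07-01" "$dir/2020-07-02"
    printf 'www.example.com\napi.example.com\n' > "$dir/2020-07-01/domains.txt"
    printf 'API.example.com\nwww.example.com\nstaging.example.com\n' \
        > "$dir/2020-07-02/domains.txt"
    found=$(new_subdomains "$dir/2020-07-01/domains.txt" "$dir/2020-07-02/domains.txt")
    rm -rf "$dir"
    [ -n "$found" ] && slack_payload "New subdomains for example.com:
$found"
}

demo
```

`demo` prints `payload={"text": "New subdomains for example.com:\nstaging.example.com"}`; in a cron job the same string goes to `curl --data-urlencode` exactly as in the README.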
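install.sh pins tool versions (Go 1.14.2, Aquatone 1.7.0, Nuclei 2.1.0) but unpacks whatever wget returned without checking it. The helper below is an added example (not part of the project) that downloads a release archive, compares its SHA-256 with a digest pinned in the script, and sets an unverified file aside instead of extracting it; `sha256sum` from coreutils is assumed, and the digest values are placeholders to fill in from the upstream release page.

```shell
#!/bin/sh
# Added example, not part of AutoRecon's install.sh: only unpack a release
# archive whose SHA-256 matches a digest pinned in the installer.
# Digests below are placeholders; sha256sum (coreutils) is assumed.

# Return 0 if the file's SHA-256 equals the expected digest (any case), else 1.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Download $1 into $3 (an already present file is reused), verify it against
# digest $2 and print the verified path. On mismatch the file is renamed
# .UNVERIFIED so it can be inspected, and nothing is extracted from it.
fetch_verified() {
    url=$1
    expected=$2
    dir=$3
    name=$(basename "$url")
    mkdir -p "$dir" || return 1
    [ -f "$dir/$name" ] || wget -q -O "$dir/$name" "$url" || return 1
    if ! verify_sha256 "$dir/$name" "$expected"; then
        mv "$dir/$name" "$dir/$name.UNVERIFIED"
        printf 'digest mismatch for %s, not unpacking\n' "$name" >&2
        return 1
    fi
    printf '%s\n' "$dir/$name"
}

# How the Go step of install.sh looks with the check (placeholder digest;
# take the real value from the Go downloads page before use):
#   GO_SHA256="<sha256 of go1.14.2.linux-amd64.tar.gz>"
#   tgz=$(fetch_verified https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz \
#            "$GO_SHA256" /root/Tools/downloads) && tar -C /usr/local -xzf "$tgz"
```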