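# /.bash_aliases
# Short names for the helper tools checked out on this box (paths are host-specific).
alias domained='python3 /home/ubuntu/domained/domained.py'
alias ctfr='python3 /home/ubuntu/ctfr/ctfr.py'
alias vhost='ruby /home/ubuntu/virtual-host-discovery/scan.rb'
alias tld='python3 /home/ubuntu/tld_scanner/tld_scanner.py'
alias gitgraber='python3 /home/ubuntu/tool/gitGraber/gitGraber.py'

# /.bashrc
#add all this in your .bashrc file
export GOPATH="$HOME/go"
# GOROOT is expected to be set elsewhere; if it is unset this appends a bare "/bin" entry, as before.
export PATH="$PATH:$GOROOT/bin:$GOPATH/bin"

#######################################
# Collect subdomains for one apex domain from several public sources, then
# brute-force / permute and resolve them.
# Arguments: $1 - apex domain (e.g. example.com); must be a plain hostname
# Outputs (all in the current directory):
#   domains.$1.txt  raw names from every passive source (appended)
#   $1.amass        amass output
#   resolved.txt    puredns brute-force results
#   $1_uniq         de-duplicated union of the three files above
#   massdns.txt     dnsgen permutations resolved by massdns
#   $1_perm.txt     gotator permutations
#   permuteddomains.txt  gotator permutations resolved by massdns
# Returns: 2 on a missing/malformed argument, otherwise the status of the last pipeline
#######################################
subenum() {
  local domain=$1
  # Every line from the sources below is untrusted text that ends up in URLs and
  # file names, so only accept a plain hostname here (no spaces, slashes, "..").
  if [[ ! "$domain" =~ ^[A-Za-z0-9.-]+$ ]]; then
    printf 'subenum: expected a hostname, got %q\n' "$domain" >&2
    return 2
  fi
  local out="domains.${domain}.txt"
  local resolvers=/root/wordlists/resolvers.txt

  subfinder -d "$domain" -all | tee "$out"
  #dnsgen - < "$out" | massdns -r "$resolvers" -t A -o S -w massdns.txt
  assetfinder --subs-only "$domain" | tee -a "$out"
  amass enum -d "$domain" | tee -a "${domain}.amass"
  #ctfr -d "$domain" | tee -a "$out"
  # The original passed -k (skip TLS verification) to the next two calls; it is
  # dropped so responses from these public APIs cannot be silently tampered with in transit.
  curl -s "http://web.archive.org/cdx/search/cdx?url=*.${domain}&output=txt&fl=original&collapse=urlkey&page=" \
    | awk -F/ '{gsub(/:.*/, "", $3); print $3}' | sort -u | tee -a "$out"
  curl -s "https://crt.sh/?q=%.${domain}&output=json" | tr ',' '\n' \
    | awk -F'"' '/name_value/ {gsub(/\*\./, "", $4); gsub(/\\n/,"\n",$4);print $4}' | tee -a "$out"
  curl -s "https://riddler.io/search/exportcsv?q=pld:${domain}" \
    | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u | tee -a "$out"
  curl -s "https://www.virustotal.com/ui/domains/${domain}/subdomains?limit=40" \
    | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u | tee -a "$out"
  curl -s "https://subbuster.cyberxplore.com/api/find?domain=${domain}" \
    | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | tee -a "$out"
  #curl -s "https://certspotter.com/api/v1/issuances?domain=${domain}&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u | tee -a "$out"
  curl -s "https://jldc.me/anubis/subdomains/${domain}" \
    | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u | tee -a "$out"
  curl -s "https://securitytrails.com/list/apex_domain/${domain}" \
    | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep -- ".${domain}" | sort -u | tee -a "$out"
  curl --silent "https://sonar.omnisint.io/subdomains/${domain}" \
    | grep -oE "[a-zA-Z0-9._-]+\.${domain}" | sort -u | tee -a "$out"
  curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2F${domain}" \
    | grep -oE "[a-zA-Z0-9._-]+\.${domain}" | sort -u | tee -a "$out"
  # The original hard-coded the literal placeholder "apikey"; take the real key from the
  # environment instead of the file (default keeps the old behaviour when it is unset).
  curl -s "https://recon.dev/api/search?key=${RECON_DEV_API_KEY:-apikey}&domain=${domain}" \
    | jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | tee -a "$out"

  puredns bruteforce /root/wordlists/subs/altdns.txt "$domain" -r "$resolvers" | tee resolved.txt
  # Merge only the files this function wrote. The original ran `cat *`, which swallowed
  # every file in the working directory (other targets, wordlists, binaries).
  cat "$out" "${domain}.amass" resolved.txt | sort -u | tee "${domain}_uniq"
  dnsgen - < "${domain}_uniq" | massdns -r "$resolvers" -t A -o S -w massdns.txt
  gotator -sub "${domain}_uniq" -perm /root/wordlists/subs/perm.txt -depth 3 -mindup | uniq | tee "${domain}_perm.txt"
  massdns -r "$resolvers" -t A -o S -w permuteddomains.txt < "${domain}_perm.txt"
}

#######################################
# Virtual-host discovery against one IP for one hostname.
# Arguments: $1 - IP address; $2 - hostname to look for in the results
# Outputs: $2.txt (tool output); matching hostnames on stdout
#######################################
virtualhost() {
  local ip=$1 host=$2
  # NOTE(review): the wordlist path says "virtual-host-discover" while the vhost alias
  # is checked out under "virtual-host-discovery" — confirm which one exists on the box.
  # -F: the hostname is matched literally (a regex "." would match any character).
  vhost --ip="$ip" --host="$host" --wordlist=/home/ubuntu/virtual-host-discover/wordlist --output="${host}.txt" \
    | grep -F -- "$host" | cut -d ' ' -f2 | cut -d '/' -f3 | grep -v __cf_bm | grep -v = | grep -F -- "$host"
}

#######################################
# Run subenum for every line of a target list.
# Arguments: $1 - file with one apex domain per line
#######################################
sublist() {
  local target
  # Read on fd 3 so the tools subenum spawns cannot consume the rest of the list from stdin.
  while IFS= read -r -u 3 target || [[ -n "$target" ]]; do
    [[ -n "$target" ]] || continue
    subenum "$target"
  done 3< "$1"
}

#######################################
# Probe a host list for live HTTP services and collect their CSP headers.
# Arguments: $1 - file with one host per line
# Outputs: $1.alive (httpx), $1.csp (csp)
#######################################
alive() {
  local list=$1
  # Same port set as before with the duplicated 8888 removed.
  local ports='80,443,3000,3001,3306,21,444,8080,8443,8888,8082,9000,9001,9002'
  httpx --ports "$ports" < "$list" | tee "${list}.alive"
  csp -c 20 < "${list}.alive" | tee "${list}.csp"
}

#######################################
# Run nuclei over a host list and forward findings through notify.
# Arguments: $1 - file with one live URL/host per line
# Outputs: $1.nuclei
#######################################
slacknotify() {
  local list=$1
  nuclei -t /home/ubuntu/nuclei-templates -l "$list" --severity low,medium,high,critical -c 100 -o "${list}.nuclei" | notify -silent
}
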
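#######################################
# Directory fuzzing over a URL list with ffuf.
# Arguments: $1 - file with one base URL per line
# Outputs: $1.dirs (ffuf output)
#######################################
getdirs() {
  local list=$1
  # NOTE(review): a fixed "Host: localhost" header is sent to every URL in the list;
  # confirm that is intended rather than a leftover from a single-target run.
  ffuf -w "${list}:URL" -w /home/ubuntu/words.txt:WORD -u URL/WORD -t 100 -o "${list}.dirs" -H 'Host: localhost' -s -mc 200,301,302,401,403
}

#######################################
# Find other TLDs registered for a name, then run subenum on each hit.
# Arguments: $1 - target name (second-level label, e.g. "example")
# Outputs: $1.tld (filtered list of hostnames, one per line)
# Returns: 2 on a missing argument
#######################################
tldenum() {
  local target=$1
  if [[ -z "$target" ]]; then
    printf 'usage: tldenum <name>\n' >&2
    return 2
  fi
  local raw="${target}.tld" tmp="${target}.tld2"
  tld -n -d "$target" -i /home/ubuntu/tld_scanner/topTLDs.txt -o "$raw"
  # -F: match the name literally; the original unquoted `grep $1` treated it as a regex.
  tr ':' '\n' < "$raw" | grep -F -- "$target" | cut -d '/' -f3 | cut -d '"' -f1 | tee "$tmp"
  # mv -f replaces the raw output in one step (the original did rm + mv).
  mv -f -- "$tmp" "$raw"
  local hit
  # Read on fd 3 so subenum's child processes cannot drain the list from stdin.
  while IFS= read -r -u 3 hit || [[ -n "$hit" ]]; do
    [[ -n "$hit" ]] || continue
    subenum "$hit"
  done 3< "$raw"
}

#######################################
# Search GitHub for the target name with gitGraber's keyword list.
# Arguments: $1 - search term
#######################################
gitauto() {
  gitgraber -k /home/ubuntu/tool/gitGraber/wordlists/keywords.txt -q "$1" -s
}

--------------------------------------------------------------------------------
/God-Fuzz.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Virdoexhunter/Bash-scripting-recon/d50a43486d2f1c72f5b5c49c0e207fe1d720d448/God-Fuzz.txt
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Bash-scripting-recon
Power of .bashrc and .bash_aliases
In the last stream I explained how to use .bashrc and .bash_aliases for easy and powerful recon.

# Tools:

1. [Subfinder](https://github.com/projectdiscovery/subfinder)
2. [Assetfinder](https://github.com/tomnomnom/assetfinder)
3. [Domained](https://github.com/TypeError/domained)
4. [AltDns](https://github.com/infosec-au/altdns)
5. [CTFR](https://github.com/UnaPibaGeek/ctfr)
6. [CSP](https://github.com/EdOverflow/csp/)
7. [Wayback](http://web.archive.org/)
8. [Ffuf](https://github.com/ffuf/ffuf)
9. [Notify](https://github.com/projectdiscovery/notify)
10. [Nuclei](https://github.com/projectdiscovery/nuclei)
11. [Virtual-host-discovery](https://github.com/jobertabma/virtual-host-discovery)
12. [Httpx](https://github.com/projectdiscovery/httpx)
13. 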
[Tld-Scanner](https://github.com/ozzi-/tld_scanner)
14. [GitGrabber](https://github.com/hisxo/gitGraber)

# USE:

Save both files, .bashrc and .bash_aliases, on your VPS (Linux based)

**when you have only a single target**

```
subenum target.com
alive target.com_unique
slacknotify target.com_unique.alive
getdirs target.com_unique.alive
```

**when you have a list of targets**

```
sublist targetlist.txt
cat targetname* | sort -u | uniq | tee domains.txt
alive domains.txt
slacknotify domains.txt.alive
getdirs domains.txt.alive
```

**virtual host discovery**

```
vhost server-ip target.com
```

**GitHub recon**

```
gitauto target
```

**TLD enumeration and subdomain enumeration**

```
tldenum target
```

# SUPPORT-ME:

[![Buy Me A Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/Virdoexhunter)



--------------------------------------------------------------------------------