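├── http
│   ├── header-brute.yaml
│   ├── crlf-scan.yaml
│   ├── xss-wayback.yaml
│   ├── open-redirect.yaml
│   └── gau-check-html-reflection.yaml
├── recon
│   ├── extract-urls-from-apk.yaml
│   ├── check-alive-ips.yaml
│   ├── generate-dns-wordlist.yaml
│   └── mutate-subdomains-radamsa.yaml
└── README.md

/http/header-brute.yaml:
--------------------------------------------------------------------------------
# Brute-force HTTP headers (one per line in HEADERS_FILE) against every URL in
# URLS_FILE with headerpwn, ten URLs at a time.
# rayder substitutes {{PLACEHOLDERS}} as plain text before the shell runs the
# command, so placeholder values are operator-trusted: keep them free of shell
# metacharacters.
vars:
  URLS_FILE: "urls.txt"
  HEADERS_FILE: "headers.txt"
  OUTPUT_DIR: "headerpwn-results"
  USAGE: "rayder -w workflow.yaml URLS_FILE=urls.txt HEADERS_FILE=headers.txt"

parallel: false
modules:
  - name: headerpwn
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      # -d '\n' feeds exactly one URL per line; xargs' default tokenizer splits
      # on whitespace and aborts on an unmatched quote inside a URL.
      # -r skips the run entirely when URLS_FILE is empty.
      - xargs -a "{{URLS_FILE}}" -d '\n' -r -n 1 -P 10 headerpwn -headers "{{HEADERS_FILE}}" -q -url | tee "{{OUTPUT_DIR}}/headerpwn_results.txt"
    silent: false

--------------------------------------------------------------------------------
/recon/extract-urls-from-apk.yaml:
--------------------------------------------------------------------------------
# Decompile an APK with apktool and collect the http(s) URLs embedded in it.
# The APK is untrusted input: strings pulled out of it must never be spliced
# into shell or Python source text.
vars:
  APK: "app.apk"
  OUTPUT_DIR: "apk-urls"
  USAGE: "rayder -w workflow.yaml APK=app.apk"

parallel: false

modules:

  - name: decompile-apk
    silent: false
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      # Re-running against the same OUTPUT_DIR fails unless the previous
      # apk-decompiled tree is removed first (or -f is added to apktool).
      - apktool d "{{APK}}" -o "{{OUTPUT_DIR}}/apk-decompiled"

  - name: extract-urls
    silent: false
    cmds:
      # Candidate URLs go to Python on stdin and are kept only when
      # urllib.parse finds both a scheme and a host. They are deliberately
      # not interpolated into the python3 -c string: a decompiled string
      # containing a quote would otherwise be executed as Python on the scan
      # host. The grep class also stops at quotes and angle brackets so
      # surrounding markup is not swallowed into the URL.
      - grep -roIhE "https?://[^[:space:]\"'<>]+" "{{OUTPUT_DIR}}/apk-decompiled" | sort -u | python3 -c "import sys; from urllib.parse import urlparse; sys.stdout.write(''.join(u + '\n' for u in sys.stdin.read().split() if urlparse(u).scheme and urlparse(u).netloc))" | tee "{{OUTPUT_DIR}}/extracted-urls.txt"

--------------------------------------------------------------------------------
/recon/check-alive-ips.yaml:
--------------------------------------------------------------------------------
# Find hosts in TARGETS_FILE answering on 80/443 with masscan and turn them
# into http:// and https:// URLs. masscan sends raw packets, so it normally
# needs root or CAP_NET_RAW. RATE is packets per second; 20000 is aggressive
# for anything but ranges you own or are explicitly authorised to scan.
vars:
  TARGETS_FILE: "targets.txt"
  OUTPUT_DIR: "masscan-results"
  RATE: "20000"
  USAGE: "rayder -w workflow.yaml TARGETS_FILE=targets.txt"

parallel: false
modules:
  - name: masscan-scan
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      - masscan -p80,443 -iL "{{TARGETS_FILE}}" -oG "{{OUTPUT_DIR}}/masscan_results.txt" --rate={{RATE}}
    silent: true
  - name: generate-output
    cmds:
      # Grepable output is tab-separated; this assumes the second field is
      # "Host: <ip> ()" and emits one URL per open-port line. Only 80 and 443
      # are scanned, so "80/open" cannot match some other port here.
      - awk -F'\t' '/Ports:.*443\/open/ { split($2, host, " "); print "https://" host[2] } /Ports:.*80\/open/ { split($2, host, " "); print "http://" host[2] }' "{{OUTPUT_DIR}}/masscan_results.txt" > "{{OUTPUT_DIR}}/alive-ips.txt"
    silent: true
  - name: saving-results
    cmds:
      - echo 'Results saved in {{OUTPUT_DIR}}/alive-ips.txt'
      # The raw masscan output is discarded; drop this rm if you need to keep
      # scanner evidence for a report.
      - rm "{{OUTPUT_DIR}}/masscan_results.txt"
    silent: false

--------------------------------------------------------------------------------
/http/crlf-scan.yaml:
--------------------------------------------------------------------------------
# Enumerate subdomains of DOMAIN, probe which ones serve HTTP, and run crlfuzz
# against the live ones.
vars:
  DOMAIN: "example.tld"
  OUTPUT_DIR: "crlf-vuln-results"
  USAGE: "rayder -w workflow.yaml DOMAIN=example.tld"

parallel: false

modules:
  - name: subdomain-discovery
    silent: true
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      - subfinder -d "{{DOMAIN}}" -silent | tee "{{OUTPUT_DIR}}/subdomains.txt"

  - name: http-probing
    silent: true
    cmds:
      - httpx -silent -threads 100 < "{{OUTPUT_DIR}}/subdomains.txt" | tee "{{OUTPUT_DIR}}/http-probe-results.txt"

  - name: crlf-vulnerability-check
    silent: true
    cmds:
      # crlfuzz takes its targets on stdin; -c is the request concurrency.
      - crlfuzz -c 50 -o "{{OUTPUT_DIR}}/crlf-vuln-results.txt" < "{{OUTPUT_DIR}}/http-probe-results.txt"

  - name: cleaning-temp-files
    silent: false
    cmds:
      # Only the crlfuzz findings are kept; the subdomain and probe lists are
      # intermediate artefacts.
      - rm "{{OUTPUT_DIR}}/subdomains.txt"
      - rm "{{OUTPUT_DIR}}/http-probe-results.txt"

--------------------------------------------------------------------------------
/http/xss-wayback.yaml:
--------------------------------------------------------------------------------
# Pull archived URLs for DOMAIN from the Wayback Machine, put a marker into
# every query parameter, and keep the URLs whose response body echoes the
# marker byte-for-byte. A hit means the parameter is reflected without the
# quote and angle bracket being encoded; it is a lead for manual XSS
# verification, not a confirmed XSS.
vars:
  DOMAIN: ""
  OUTPUT_DIR: "results"
  # Reflection marker. It must be non-empty (httpx -ms "" matches every
  # response, so nothing would be tested) and must not contain a single
  # quote, because the commands below wrap it in single quotes.
  PAYLOAD: '">checkreflection'
  USAGE: "rayder -w workflow.yaml DOMAIN=example.tld"
parallel: false
modules:
  - name: fetch-urls-from-wayback
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      # Only URLs that carry a query string are worth injecting into.
      - echo "{{DOMAIN}}" | waybackurls | grep '=' > "{{OUTPUT_DIR}}/filtered-urls.txt"
    silent: false

  - name: replace-querystring
    cmds:
      - qsreplace '{{PAYLOAD}}' < "{{OUTPUT_DIR}}/filtered-urls.txt" > "{{OUTPUT_DIR}}/replaced-urls.txt"
    silent: true

  - name: checking-reflection
    cmds:
      - httpx -silent -threads 300 -ms '{{PAYLOAD}}' < "{{OUTPUT_DIR}}/replaced-urls.txt" > "{{OUTPUT_DIR}}/final-results.txt"
    silent: true

  - name: cleaning-temp-files
    cmds:
      - rm "{{OUTPUT_DIR}}/filtered-urls.txt" "{{OUTPUT_DIR}}/replaced-urls.txt"
    silent: true

--------------------------------------------------------------------------------
/http/open-redirect.yaml:
--------------------------------------------------------------------------------
# Collect parameterised URLs for DOMAIN with paramspider and feed them to
# openredirex; only the lines openredirex marks FOUND are kept.
vars:
  DOMAIN: ""
  OUTPUT_DIR: "open-redirect-results"
  USAGE: "rayder -w workflow.yaml DOMAIN=example.tld"
parallel: false
modules:
  - name: fetching-urls
    silent: true
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      # paramspider writes results/<DOMAIN>.txt relative to the working
      # directory; move it under OUTPUT_DIR with everything else.
      - paramspider -d "{{DOMAIN}}"
      - mv "results/{{DOMAIN}}.txt" "{{OUTPUT_DIR}}/{{DOMAIN}}.txt"

  - name: processing-urls
    cmds:
      - grep '=' "{{OUTPUT_DIR}}/{{DOMAIN}}.txt" > "{{OUTPUT_DIR}}/{{DOMAIN}}-parameters.txt"
    silent: true

  - name: executing-openredirex
    cmds:
      - openredirex < "{{OUTPUT_DIR}}/{{DOMAIN}}-parameters.txt" | grep 'FOUND' | tee "{{OUTPUT_DIR}}/{{DOMAIN}}-open.txt"
    silent: true

  - name: cleaning-temp-files
    cmds:
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}-parameters.txt"
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}.txt"
    silent: true

--------------------------------------------------------------------------------
/recon/generate-dns-wordlist.yaml:
--------------------------------------------------------------------------------
# Build a DNS brute-force wordlist for DOMAIN: the labels of its known
# subdomains are the seed words, and dnsgen permutes them.
vars:
  DOMAIN: ""
  OUTPUT_DIR: "wordlist-results"
  USAGE: "rayder -w workflow.yaml DOMAIN=example.tld"
parallel: false
modules:
  - name: getting-subdomains
    silent: true
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      - subfinder -d "{{DOMAIN}}" -silent > "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt"

  - name: extracting-words
    cmds:
      # Keep only names that end in ".DOMAIN", strip that suffix, and split
      # the rest on "." and "-" so every label of a deeper name
      # (a.b.example.tld -> a, b) and every hyphenated part becomes a word.
      # Picking one field by position misses labels on deeper names and
      # breaks for an apex with a multi-label TLD.
      - awk -v d=".{{DOMAIN}}" 'substr($0, length($0) - length(d) + 1) == d { n = split(substr($0, 1, length($0) - length(d)), p, /[.-]/); for (i = 1; i <= n; i++) if (p[i] != "") print p[i] }' "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt" | sort -u > "{{OUTPUT_DIR}}/{{DOMAIN}}-words.txt"
    silent: true

  - name: generating-wordlist-using-dnsgen
    cmds:
      - dnsgen "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt" -w "{{OUTPUT_DIR}}/{{DOMAIN}}-words.txt" > "{{OUTPUT_DIR}}/{{DOMAIN}}-wordlist.txt"
    silent: true

  - name: cleaning-temp-files
    cmds:
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt"
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}-words.txt"
    silent: true

--------------------------------------------------------------------------------
/http/gau-check-html-reflection.yaml:
--------------------------------------------------------------------------------
#OFJAAAH
# Same idea as xss-wayback.yaml but sourced from gau: inject a marker into
# every query parameter and keep the URLs whose body reflects it unchanged.
# Reflection of the marker is a lead, not a confirmed vulnerability.
vars:
  DOMAIN: ""
  OUTPUT_DIR: "gau-check-html-reflection"
  # Reflection marker; must be non-empty and free of single quotes (the
  # commands below wrap it in single quotes). The same string is injected
  # by qsreplace and matched by httpx -ms.
  PAYLOAD: '">checkreflection'
  USAGE: "rayder -w workflow.yaml DOMAIN=example.tld"
parallel: false
modules:
  - name: fetch-urls-from-gau
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      - echo "{{DOMAIN}}" | gau | grep '=' > "{{OUTPUT_DIR}}/filtered-urls.txt"
    silent: false

  - name: replace-querystring-gau
    cmds:
      - qsreplace '{{PAYLOAD}}' < "{{OUTPUT_DIR}}/filtered-urls.txt" > "{{OUTPUT_DIR}}/replaced-urls.txt"
    silent: true

  - name: checking-reflection-gau
    cmds:
      - httpx -silent -threads 300 -ms '{{PAYLOAD}}' < "{{OUTPUT_DIR}}/replaced-urls.txt" > "{{OUTPUT_DIR}}/final-results1.txt"
    silent: true

  - name: clearing-duplicate-urls
    cmds:
      - sort -u "{{OUTPUT_DIR}}/final-results1.txt" | tee "{{OUTPUT_DIR}}/{{DOMAIN}}-results.txt"
    silent: true

  - name: cleaning-temp-files-gau
    cmds:
      - rm "{{OUTPUT_DIR}}/filtered-urls.txt" "{{OUTPUT_DIR}}/replaced-urls.txt" "{{OUTPUT_DIR}}/final-results1.txt"
    silent: false

--------------------------------------------------------------------------------
/recon/mutate-subdomains-radamsa.yaml:
--------------------------------------------------------------------------------
# Mutate the known subdomains of DOMAIN with radamsa and resolve both the
# original and the mutated names with massdns.
vars:
  DOMAIN: "example.tld"
  OUTPUT_DIR: "dns-bruteforce-results"
  USAGE: "rayder -w workflow.yaml DOMAIN=example.tld"

parallel: false

modules:
  - name: finding-subdomains
    silent: true
    cmds:
      - mkdir -p "{{OUTPUT_DIR}}"
      - subfinder -d "{{DOMAIN}}" -silent > "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt"

  - name: fetching-fresh-resolvers
    silent: true
    cmds:
      # getresolvers writes resolvers.txt into the working directory; the
      # massdns steps below read it from there.
      - getresolvers

  - name: resolving-subdomains-with-massdns
    silent: true
    cmds:
      - massdns -r resolvers.txt -t A -o S -w "{{OUTPUT_DIR}}/{{DOMAIN}}-unmutated-resolved.txt" "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt"

  - name: cleaning-massdns-output
    silent: true
    cmds:
      # Assumes massdns -o S lines are "<name> <type> <answer>"; keeps the
      # name and the answer.
      - awk '{print $1, "[" $3 "]"}' "{{OUTPUT_DIR}}/{{DOMAIN}}-unmutated-resolved.txt" > "{{OUTPUT_DIR}}/{{DOMAIN}}-unmutated-formatted.txt"

  - name: mutating-subdomains-with-radamsa
    silent: true
    cmds:
      # radamsa emits arbitrary bytes, including names that no longer end in
      # DOMAIN. Keep only hostname-shaped names under DOMAIN so massdns is not
      # pointed at out-of-scope zones and does not choke on binary lines
      # (-a makes grep treat binary-looking input as text). Dots in DOMAIN
      # are regex metacharacters here, which only loosens the match slightly.
      - radamsa -n 200 < "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt" | grep -aE '^[A-Za-z0-9._-]+\.{{DOMAIN}}$' | sort -u | tee "{{OUTPUT_DIR}}/{{DOMAIN}}-mutated.txt"

  - name: resolving-mutated-subdomains-with-massdns
    silent: true
    cmds:
      - massdns -r resolvers.txt -t A -o S -w "{{OUTPUT_DIR}}/{{DOMAIN}}-mutated-resolved.txt" "{{OUTPUT_DIR}}/{{DOMAIN}}-mutated.txt"

  - name: cleaning-massdns-mutated-output
    silent: true
    cmds:
      - awk '{print $1, "[" $3 "]"}' "{{OUTPUT_DIR}}/{{DOMAIN}}-mutated-resolved.txt" > "{{OUTPUT_DIR}}/{{DOMAIN}}-mutated-formatted.txt"

  - name: cleaning-temp-files
    silent: false
    cmds:
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}-unmutated-resolved.txt"
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}-mutated-resolved.txt"
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}-mutated.txt"
      - rm "{{OUTPUT_DIR}}/{{DOMAIN}}-subdomains.txt"

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Rayder Workflows

Repo for hosting rayder workflows. Install [Rayder](https://github.com/devanshbatham/rayder/) from [here](https://github.com/devanshbatham/rayder/)

Placeholders are substituted as plain text before the shell runs each command, so only pass values you control. The scanning workflows send requests to every host they discover; run them only against assets you are authorised to test.

## Workflows

| Category | Workflow | Description | Placeholder(s) | Dependencies |
|----------|-------------------------------------|------------------------------------------------------------|----------------------------|-------------------------------------------------------------------|
| Recon | [generate-dns-wordlist.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/recon/generate-dns-wordlist.yaml) | Generate custom DNS Bruteforce wordlist for a domain | {{DOMAIN}}, {{OUTPUT_DIR}} | [subfinder](https://github.com/projectdiscovery/subfinder), [dnsgen](https://github.com/ProjectAnte/dnsgen) |
| Scanning | [open-redirect.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/http/open-redirect.yaml) | Scan for Open Redirect vulnerabilities in params found in web archive for a domain | {{DOMAIN}}, {{OUTPUT_DIR}} | [Paramspider](https://github.com/devanshbatham/Paramspider), [Openredirex](https://github.com/devanshbatham/Openredirex) |
| Scanning | [xss-wayback.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/http/xss-wayback.yaml) | Discover potential XSS vulnerabilities (reflected marker) on the URLs stored in Wayback archive for a domain | {{DOMAIN}}, {{OUTPUT_DIR}}, {{PAYLOAD}} | [waybackurls](https://github.com/tomnomnom/waybackurls), [qsreplace](https://github.com/tomnomnom/qsreplace), [httpx](https://github.com/projectdiscovery/httpx) |
| Recon | [check-alive-ips.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/recon/check-alive-ips.yaml) | Check alive IPs (port 80, 443) for a file containing target IP addresses or ranges | {{TARGETS_FILE}}, {{OUTPUT_DIR}}, {{RATE}} | [masscan](https://github.com/robertdavidgraham/masscan) |
| Scanning | [header-brute.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/http/header-brute.yaml) | Brute force HTTP headers on a list of URLs | {{URLS_FILE}}, {{HEADERS_FILE}}, {{OUTPUT_DIR}} | [headerpwn](https://github.com/DevanshBatham/HeaderPwn) |
| Recon | [mutate-subdomains-radamsa.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/recon/mutate-subdomains-radamsa.yaml) | Mutate subdomains of a domain using radamsa and resolve using massdns | {{DOMAIN}}, {{OUTPUT_DIR}} | [massdns](https://github.com/blechschmidt/massdns), [radamsa](https://gitlab.com/akihe/radamsa), [getresolvers](https://github.com/devanshbatham/getresolvers), [subfinder](https://github.com/projectdiscovery/subfinder) |
| Scanning | [crlf-scan.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/http/crlf-scan.yaml) | Scan for CRLF vulnerabilities in subdomains of a domain | {{DOMAIN}}, {{OUTPUT_DIR}} | [subfinder](https://github.com/projectdiscovery/subfinder), [httpx](https://github.com/projectdiscovery/httpx), [crlfuzz](https://github.com/dwisiswant0/crlfuzz) |
| Recon | [extract-urls-from-apk.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/recon/extract-urls-from-apk.yaml) | Extract URLs from an APK file for further analysis | {{APK}}, {{OUTPUT_DIR}} | [apktool](https://github.com/iBotPeaches/Apktool) |
| Scanning | [gau-check-html-reflection.yaml](https://github.com/devanshbatham/rayder-workflows/blob/main/http/gau-check-html-reflection.yaml) | Checks for HTML reflection on URL parameters of a domain fetched via gau | {{DOMAIN}}, {{OUTPUT_DIR}}, {{PAYLOAD}} | [httpx](https://github.com/projectdiscovery/httpx), [gau](https://github.com/lc/gau), [qsreplace](https://github.com/tomnomnom/qsreplace) |

--------------------------------------------------------------------------------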