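├── .gitattributes
├── arsenal
├── config_file.py
├── portscan_single.sh
├── takeover.sh
├── portscan.sh
├── autoxss.sh
├── gitter.sh
├── nuclear.sh
├── parameter.sh
├── corser.sh
├── extractor.sh
├── bleed.sh
├── prober.sh
├── probe_single.sh
├── faver.sh
├── requirements.txt
├── dirfuzz.sh
├── params_loop.sh
├── subbruter.sh
├── secrets.sh
├── pattern.sh
├── jscan.sh
├── subdomain.sh
├── discord_bot.py
├── Bheem.sh
├── small.sh
├── medium.sh
├── providers.json
├── large.sh
└── resolvers.txt
├── install.sh
└── README.md
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------
/arsenal/config_file.py:
--------------------------------------------------------------------------------
# Discord webhook used by discord_bot.py for the end-of-run notification.
# Leave it empty to disable notifications.
# A webhook URL is a bearer credential: anyone who reads it can post to the
# channel, so never commit a live value to a shared or public repository.
discord_url = ""
--------------------------------------------------------------------------------
/arsenal/portscan_single.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Port-scan one host with naabu.
# Usage: portscan_single.sh <host>   -> ~/Recon/<host>/<host>_portscan
# naabu takes its target via -host; the original passed it positionally,
# which naabu does not accept (README notes port scanning "might not be working").
: "${1:?usage: $0 <host>}"
dir=~/Recon/$1
mkdir -p "$dir"
naabu -host "$1" > "$dir/$1_portscan"
--------------------------------------------------------------------------------
/arsenal/takeover.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Check the enumerated subdomains for dangling-CNAME takeover candidates (SubOver).
# Usage: takeover.sh <domain>   reads <domain>_subdomains, writes <domain>_takeover
# SubOver expects providers.json next to its binary; install.sh downloads it there.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
SubOver -l "$dir/$1_subdomains" -o "$dir/$1_takeover"
--------------------------------------------------------------------------------
/arsenal/portscan.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Port-scan every enumerated subdomain with naabu.
# Usage: portscan.sh <domain>   reads <domain>_subdomains, writes <domain>_portscan
# NOTE: -iL is the naabu v2.0 flag; newer releases renamed it to -list.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
naabu -iL "$dir/$1_subdomains" > "$dir/$1_portscan"
--------------------------------------------------------------------------------
/arsenal/autoxss.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Run dalfox over the parameterised URLs found by parameter.sh.
# Usage: autoxss.sh <domain>   reads <domain>_params, writes <domain>_dalfox
#
# Blind-XSS callback host: the original hard-coded "hahwul.xss.ht", the dalfox
# author's XSS Hunter instance. With that value every blind-XSS hit on YOUR
# target (cookies, DOM, origin) is reported to a third party, not to you.
# Export BLIND_XSS_HOST=<your XSS Hunter / interactsh host>; if it is unset we
# scan without a blind payload rather than leak findings to someone else.
#
# Output file is <domain>_dalfox: pattern.sh already writes gf's XSS candidate
# URLs to <domain>_xss, and the original "> $dir/$1_xss" clobbered them.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
if [ -n "${BLIND_XSS_HOST:-}" ]; then
  dalfox file "$dir/$1_params" -b "$BLIND_XSS_HOST" > "$dir/$1_dalfox"
else
  echo "[!] BLIND_XSS_HOST not set; running dalfox without blind-XSS callbacks" >&2
  dalfox file "$dir/$1_params" > "$dir/$1_dalfox"
fi
--------------------------------------------------------------------------------
/arsenal/gitter.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Search GitHub for leaks mentioning the probed hosts with git-hound.
# Usage: gitter.sh <domain>   reads <domain>_probed, writes <domain>_gitrecon
# git-hound needs a GitHub token in its own configuration (see its README);
# without one this step errors out and the callers simply move on.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
git-hound --dig-files --dig-commits < "$dir/$1_probed" > "$dir/$1_gitrecon"
--------------------------------------------------------------------------------
/arsenal/nuclear.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Template scan of every live host with nuclei.
# Usage: nuclear.sh <domain>   reads <domain>_probed, writes <domain>_nuclei
# install.sh clones the templates into ~/Tools/nuclei-templates, but this script
# looked only in ~/nuclei-templates (nuclei's own default); use whichever exists.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
templates=~/Tools/nuclei-templates
[ -d "$templates" ] || templates=~/nuclei-templates
# -c 500 concurrent templates is aggressive; lower it for rate-limited targets.
nuclei -c 500 -silent -t "$templates/" -o "$dir/$1_nuclei" < "$dir/$1_probed"
--------------------------------------------------------------------------------
/arsenal/parameter.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Harvest parameterised URLs for the domain with ParamSpider (static assets excluded).
# Usage: parameter.sh <domain>   writes <domain>_params
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
python3 ~/Tools/ParamSpider/paramspider.py -d "$1" -l high -o "$dir/$1_params" \
  --exclude woff,css,js,png,svg,php,jpg
--------------------------------------------------------------------------------
/arsenal/corser.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# CORS misconfiguration scan of the probed hosts (corscanner, 200 threads).
# Usage: corser.sh <domain>   reads <domain>_probed, writes <domain>_cors
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
# Older variant that ran the cloned repository directly:
# python ~/Tools/CORScanner/cors_scan.py -i "$dir/$1_probed" -t 200 > "$dir/$1_cors"
corscanner -i "$dir/$1_probed" -t 200 > "$dir/$1_cors"
--------------------------------------------------------------------------------
/arsenal/extractor.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Pull historical URLs for the domain from the Wayback Machine and gau.
# Usage: extractor.sh <domain>
#   <domain>_extraction       raw, possibly duplicated output of both tools
#   <domain>_archive_extracts de-duplicated list consumed by pattern.sh
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
waybackurls "$1" > "$dir/$1_extraction"
gau "$1" >> "$dir/$1_extraction"
sort -u "$dir/$1_extraction" > "$dir/$1_archive_extracts"
--------------------------------------------------------------------------------
/arsenal/bleed.sh:
--------------------------------------------------------------------------------
#!/bin/sh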
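# Heartbleed triage for every probed host.
# Usage: bleed.sh <domain>   reads <domain>_probed, writes <domain>_heartbleed
#
# CAVEAT: this only tests whether the server ADVERTISES the TLS heartbeat
# extension. That is necessary but not sufficient for CVE-2014-0160 — patched
# OpenSSL still answers "heartbeat" — so a hit means "verify with a real
# heartbleed check", never "confirmed vulnerable". No extension => not affected.
#
# Fixes vs. the original one-liner: <domain>_probed holds URLs (httpx output),
# so "https://host:443" was handed to openssl and every host showed as "safe";
# results were only printed, never saved; SNI was not sent.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
while IFS= read -r host || [ -n "$host" ]; do
  # strip scheme and any path so we are left with a bare hostname
  host=${host#https://}; host=${host#http://}; host=${host%%/*}
  [ -n "$host" ] || continue
  if echo "QUIT" | openssl s_client -connect "$host:443" -servername "$host" 2>&1 \
      | grep -q 'server extension "heartbeat" (id=15)'; then
    echo "$host: heartbeat extension advertised - verify manually"
  else
    echo "$host: safe (no heartbeat extension)"
  fi
done < "$dir/$1_probed" | tee "$dir/$1_heartbleed"
--------------------------------------------------------------------------------
/arsenal/prober.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Probe the enumerated subdomains with httpx and keep the ones answering 200.
# Usage: prober.sh <domain>   reads <domain>_subdomains, appends to <domain>_probed
#
# BUG FIX: grep "[200]" is a bracket expression matching any single '2' or '0',
# so lines such as "[301]" or "[403]" passed the filter and non-200 hosts ended
# up in <domain>_probed. -F makes "[200]" a literal string.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
httpx -follow-redirects -status-code -vhost -threads 300 -silent < "$dir/$1_subdomains" \
  | grep -F '[200]' \
  | cut -d '[' -f1 \
  | sed 's/[[:blank:]]*$//' \
  | sort -u >> "$dir/$1_probed"
--------------------------------------------------------------------------------
/arsenal/probe_single.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Probe a single host with httpx; creates the results folder for small scope.
# Usage: probe_single.sh <host>   appends to ~/Recon/<host>/<host>_probed
# Same literal "[200]" fix as prober.sh (unquoted it matched almost everything).
: "${1:?usage: $0 <host>}"
dir=~/Recon/$1
mkdir -p "$dir"
echo "$1" \
  | httpx -follow-redirects -status-code -vhost -threads 300 -silent \
  | grep -F '[200]' \
  | cut -d '[' -f1 \
  | sed 's/[[:blank:]]*$//' \
  | sort -u >> "$dir/$1_probed"
--------------------------------------------------------------------------------
/arsenal/faver.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Favicon hash of https://<domain> via FavFreak (for fingerprinting / Shodan pivots).
# Usage: faver.sh <domain>   writes <domain>_faver (raw) and <domain>_faviconhash
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
echo "https://$1" | python3 ~/Tools/FavFreak/favfreak.py > "$dir/$1_faver"
# Pull the hash column out of the lines containing "h]". This depends on
# FavFreak's current output layout and will silently yield nothing if it changes.
grep 'h]' "$dir/$1_faver" | cut -d ']' -f2 | cut -d ' ' -f2 | tee "$dir/$1_faviconhash"
--------------------------------------------------------------------------------
/arsenal/requirements.txt:
--------------------------------------------------------------------------------
# Pins for the bundled Python helpers. Several are old (requests 2.23.0,
# urllib3 <=1.24.3, idna 2.9, PySocks <=1.6.8); later releases of those
# packages contain security fixes. They mirror the upstream tools' own pins,
# so review and bump them before running this on a long-lived host.
mmh3==2.5.1
jsbeautifier
idna==2.9
requests==2.23.0
requests_file
argparse
jsbeautifier
lxml
certifi>=2020.11.8
chardet<3.1.0
urllib3<=1.24.3
cryptography>1.3.4
PySocks<=1.6.8
--------------------------------------------------------------------------------
/arsenal/dirfuzz.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Directory brute-force of every probed host with dirsearch.
# Usage: dirfuzz.sh <domain>   reports moved to ~/Recon/<domain>/directoryEnum
# 300 threads against every host is noisy and easy to rate-limit; tune -t.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
res=$dir/directoryEnum
mkdir -p "$res"
python3 ~/Tools/dirsearch/dirsearch.py -l "$dir/$1_probed" -t 300 \
  -i 200,201,202,203,204,301,302,303,304 -b
# dirsearch writes under its own reports/ tree; relocate it into the target folder.
[ -d ~/Tools/dirsearch/reports ] && mv ~/Tools/dirsearch/reports/ "$res"
--------------------------------------------------------------------------------
/arsenal/params_loop.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Run ParamSpider for each enumerated subdomain, one output file per host.
# Usage: params_loop.sh <domain>   writes ~/Recon/<domain>/param/<sub>_param.txt
#
# Fixes vs. the original: `mkdir params` created a folder in the CWD instead of
# $params; paramspider.py was invoked from the CWD instead of ~/Tools; and
# "$sub_param.txt" was parsed as the (empty) variable $sub_param, so every
# iteration overwrote a single file called ".txt".
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
params=$dir/param
mkdir -p "$params"
while IFS= read -r sub || [ -n "$sub" ]; do
  [ -n "$sub" ] || continue
  python3 ~/Tools/ParamSpider/paramspider.py -d "$sub" -l high \
    -o "$params/${sub}_param.txt" --exclude woff,css,js,png,svg,php,jpg
done < "$dir/$1_subdomains"
--------------------------------------------------------------------------------
/arsenal/subbruter.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# DNS brute-force with shuffledns and merge the hits into <domain>_subdomains.
# Usage: subbruter.sh <domain>
# Needs a wordlist at ~/arsenal/subdomains.txt (NOT shipped in this repo — only
# resolvers.txt is) and massdns on PATH (install.sh copies it to /usr/bin).
#
# subdomain.sh may already have applied the -e exclusion list when it built
# <domain>_subdomains; the original rebuilt that file straight from the
# unfiltered list and silently re-introduced every excluded host. Re-apply it.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
shuffledns -d "$1" -w ~/arsenal/subdomains.txt -r ~/arsenal/resolvers.txt -v -o "$dir/$1_brute"
cat "$dir/$1_brute" >> "$dir/$1_unfilter_subdomains"
if [ -s "$dir/$1_excluded.txt" ]; then
  sort -u "$dir/$1_unfilter_subdomains" | grep -vFf "$dir/$1_excluded.txt" > "$dir/$1_subdomains"
else
  sort -u "$dir/$1_unfilter_subdomains" > "$dir/$1_subdomains"
fi
--------------------------------------------------------------------------------
/arsenal/secrets.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Run SecretFinder over every probed URL, then extract Google Maps API hits.
# Usage: secrets.sh <domain>   writes <domain>_secretfinder and <domain>_gmapapi
#
# SECURITY FIX: the original used `xargs -I %% bash -c '... -i %% ...'`, which
# splices each URL into a shell command string. A probed host name containing
# a quote, ';' or '$(' would have been executed as shell on the recon box.
# Pass the URL as a plain argument instead.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
while IFS= read -r url || [ -n "$url" ]; do
  [ -n "$url" ] || continue
  python3 ~/Tools/SecretFinder/SecretFinder.py -i "$url" -e -o cli
done < "$dir/$1_probed" > "$dir/$1_secretfinder"
# Parallel alternative (same caveat: _target_ must not be expanded by a shell):
#interlace -tL "$dir/$1_probed" -threads 5 -c "python3 ~/Tools/SecretFinder/SecretFinder.py -i _target_ -o cli >> $dir/$1_secretfinder" -v
grep 'google_api' -B 1 "$dir/$1_secretfinder" | sort -u > "$dir/$1_gmapapi"
--------------------------------------------------------------------------------
/arsenal/pattern.sh: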
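--------------------------------------------------------------------------------
#!/bin/sh
# Split the archived URL list into per-vulnerability-class candidate files with gf.
# Usage: pattern.sh <domain>   reads <domain>_archive_extracts
# Output is only a grep over URL shapes (candidate parameters), not a finding.
# For the xss/redirect/potential patterns gf prefixes matches with "file:line:";
# `cut -d : -f3-` strips that prefix. The other patterns are used as-is.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
src=$dir/$1_archive_extracts
gf xss "$src"       | cut -d : -f3- | sort -u > "$dir/$1_xss"
gf ssti "$src"                      | sort -u > "$dir/$1_ssti"
gf ssrf "$src"                      | sort -u > "$dir/$1_ssrf"
gf sqli "$src"                      | sort -u > "$dir/$1_sqli"
gf redirect "$src"  | cut -d : -f3- | sort -u > "$dir/$1_redirect"
gf rce "$src"                       | sort -u > "$dir/$1_rce"
gf potential "$src" | cut -d : -f3- | sort -u > "$dir/$1_potential"
gf lfi "$src"                       | sort -u > "$dir/$1_lfi"
--------------------------------------------------------------------------------
/arsenal/jscan.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Collect JavaScript URLs (gau, subjs, hakrawler), keep the live ones, then mine
# them for endpoints (LinkFinder), words (getjswords) and DOM-sink candidates (jsvar).
# Usage: jscan.sh <domain>
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
links=$dir/$1_jsfile_links
echo "$1" | gau | grep -iE '\.js$' | sort -u >> "$links"
echo "$1" | subjs >> "$links"
echo "$1" | hakrawler -js -depth 2 -scope subs -plain >> "$links"
# grep -F: a bare "[200]" is a bracket expression and matched nearly every line.
httpx -follow-redirects -silent -status-code < "$links" \
  | grep -F '[200]' | cut -d ' ' -f1 | sort -u > "$dir/$1_live_jsfile_links"
python3 ~/Tools/LinkFinder/linkfinder.py -d -i "$1" -o cli >> "$dir/$1_JSEndpoints"
# ~/Tools/getjswords.py is not installed by install.sh; this step fails harmlessly without it.
python3 ~/Tools/getjswords.py < "$dir/$1_live_jsfile_links" | sort -u > "$dir/$1_JSWords"
# BUG FIX: `tee` without -a inside the loop truncated <domain>_JSXSS on every
# URL, so only the last file's output survived. Tee the whole loop once.
while IFS= read -r url || [ -n "$url" ]; do
  [ -n "$url" ] || continue
  bash ~/Tools/jsvar.sh "$url" | sort -u
done < "$dir/$1_live_jsfile_links" | tee "$dir/$1_JSXSS"
--------------------------------------------------------------------------------
/arsenal/subdomain.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Passive subdomain enumeration (subfinder + assetfinder) into <domain>_subdomains.
# Usage: subdomain.sh <domain>
# If $exclude (comma-separated hosts, exported by Bheem.sh -e) is set, matching
# hosts are dropped and the list is recorded in <domain>_excluded.txt so later
# steps can re-apply it.
#
# The file runs under #!/bin/sh, but the original used bash-only constructs
# (echo -e, $'\n', ${exclude[*]}); they are replaced with POSIX equivalents.
: "${1:?usage: $0 <domain>}"
dir=~/Recon/$1
mkdir -p "$dir"
subfinder -d "$1" > "$dir/$1_unfilter_subdomains"
assetfinder --subs-only "$1" >> "$dir/$1_unfilter_subdomains"
#amass enum -d "$1" >> "$dir/$1_unfilter_subdomains"

if [ -z "${exclude:-}" ]; then
  sort -u "$dir/$1_unfilter_subdomains" > "$dir/$1_subdomains"
else
  printf '\033[92m[~] Excluding domains..\033[00m\n'
  printf '%s\n' "$exclude" | tr ',' '\n' | tee -a "$dir/$1_excluded.txt"
  # Keep only hosts under the target, then drop anything matching an excluded
  # entry. -F is a substring match: excluding sub.ex.com also removes
  # a.sub.ex.com (intended) and foosub.ex.com (collateral) — list precisely.
  sort -u "$dir/$1_unfilter_subdomains" \
    | grep -F ".$1" \
    | grep -vFf "$dir/$1_excluded.txt" > "$dir/$1_subdomains"
fi
--------------------------------------------------------------------------------
/arsenal/discord_bot.py:
--------------------------------------------------------------------------------
"""Post an end-of-run notification to a Discord webhook.

Usage: discord_bot.py <script_name> <target_file> <results_dir>

The webhook URL comes from the DISCORD_WEBHOOK_URL environment variable, or
failing that from config_file.discord_url. Treat it as a credential: anyone
holding the URL can post to the channel, so prefer the environment over
committing it.
"""
import os
import sys

import requests

import config_file


def DiscordWebHook(discordUrl):
    """POST the completion message to ``discordUrl`` and print the outcome.

    Expects sys.argv[1:4] = script name, target file, results folder.
    """
    # rename your bot here
    botName = "Bheem Bot"
    script, target, folder = sys.argv[1:4]

    message = (
        f"```yaml\n [{script}]: Finished Bheem Script for {target}``` "
        f"Results stored in **folder**: {folder}"
    )
    data = {
        "content": message,
        "username": botName,
    }

    try:
        # A timeout keeps a dead webhook from hanging the whole recon run.
        response = requests.post(discordUrl, json=data, timeout=10)
    except requests.RequestException as exc:
        print(f"Some error occurred: {exc}")
        return

    # Discord answers 204 No Content on success (200 when ?wait=true is used).
    if response.status_code in (200, 204):
        print("Notified ")
    else:
        print(f"Some error occurred. (HTTP {response.status_code})")


def getHooks():
    """Resolve the webhook URL and notify, or explain what is missing."""
    if len(sys.argv) < 4:
        print("usage: discord_bot.py <script_name> <target_file> <results_dir>")
        return

    discordUrl = os.environ.get("DISCORD_WEBHOOK_URL") or config_file.discord_url
    # space to grab more URLS

    if discordUrl:
        DiscordWebHook(discordUrl)
    else:
        print("Please add a discord web Hook!")


if __name__ == "__main__":
    getHooks()
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# One-shot installer for every tool the arsenal scripts call.
#
# Supply-chain note: this pulls ~25 tools from GitHub at HEAD / @latest with no
# version pinning or checksum verification, runs each cloned repo's
# requirements.txt through pip, and uses sudo. Run it on a dedicated recon VM,
# not a workstation, and re-read it before re-running on an existing box.
set -u

sudo apt-get install -y python3 python3-pip ruby screen git
mkdir -p ~/.gf ~/Tools ~/Recon
dir=~/Tools
gobin=$(go env GOPATH 2>/dev/null || echo ~/go)/bin

# Go 1.18+ no longer installs binaries with `go get`; try `go install pkg@latest`
# and fall back to the legacy form for repositories that are not Go modules.
goinst() {
  go install -v "$1@latest" 2>/dev/null || GO111MODULE=on go get -u -v "$1"
}

goinst github.com/Ice3man543/SubOver
goinst github.com/tomnomnom/gf
goinst github.com/tomnomnom/assetfinder
goinst github.com/projectdiscovery/naabu/v2/cmd/naabu
goinst github.com/tomnomnom/hacks/waybackurls
goinst github.com/lukasikic/subzy
goinst github.com/projectdiscovery/nuclei/v2/cmd/nuclei
git clone https://github.com/projectdiscovery/nuclei-templates "$dir/nuclei-templates"
goinst github.com/haccer/subjack
goinst github.com/projectdiscovery/subfinder/v2/cmd/subfinder
goinst github.com/projectdiscovery/chaos-client/cmd/chaos
goinst github.com/hahwul/dalfox
goinst github.com/lc/gau
goinst github.com/lc/subjs
goinst github.com/hakluke/hakcheckurl
goinst github.com/hakluke/hakrawler
goinst github.com/hakluke/hakrevdns
goinst github.com/projectdiscovery/httpx/cmd/httpx
git clone https://github.com/blechschmidt/massdns "$dir/massdns"
git clone https://github.com/devanshbatham/FavFreak "$dir/FavFreak"
git clone https://github.com/GerbenJavado/LinkFinder "$dir/LinkFinder"
git clone https://github.com/m4ll0k/SecretFinder "$dir/SecretFinder"
git clone https://github.com/devanshbatham/ParamSpider "$dir/ParamSpider"
goinst github.com/projectdiscovery/dnsprobe
git clone https://github.com/maurosoria/dirsearch "$dir/dirsearch"
git clone https://github.com/ozguralp/gmapsapiscanner "$dir/gmapsapiscanner"
goinst github.com/projectdiscovery/shuffledns/cmd/shuffledns
git clone https://github.com/1ndianl33t/Gf-Patterns "$dir/Gf-Patterns"
pip3 install corscanner
# `pip3 install -r ~/Tools/*/requirements.txt` expands to several paths, but -r
# takes one file; the rest were treated as package names. Install each in turn.
for req in "$dir"/*/requirements.txt; do
  [ -f "$req" ] && pip3 install -r "$req"
done
# The original moved the patterns into /root/.gf, which is wrong for any non-root user.
mv "$dir"/Gf-Patterns/*.json ~/.gf/
rm -r "$dir/Gf-Patterns"
git clone https://github.com/KathanP19/JSFScan.sh "$dir/JSFScan.sh"
mv arsenal ~/arsenal
chmod +x ~/arsenal/*.sh
(cd "$dir/massdns" && make)
# /usr/bin is root-owned; the original cp failed silently unless run as root.
sudo cp "$dir/massdns/bin/massdns" /usr/bin/
# ParamSpider's gf profile; SubOver's providers.json must sit next to its binary;
# jsvar.sh (used by jscan.sh) is fetched from a gist pinned to a specific commit.
(cd ~/.gf && wget https://raw.githubusercontent.com/devanshbatham/ParamSpider/master/gf_profiles/potential.json)
(cd "$gobin" && wget https://raw.githubusercontent.com/Ice3man543/SubOver/master/providers.json)
(cd "$dir" && wget https://gist.githubusercontent.com/KathanP19/d2cda2f99c0b60d64b76ee6039b37e47/raw/eb105a4de06502b2732df9d682c61189c3703685/jsvar.sh)
--------------------------------------------------------------------------------
/arsenal/Bheem.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Bheem: scope-based recon driver.
# Parses the flags, then runs the selected scope script from ~/arsenal over
# every domain listed in the target file.
#
# Usage: Bheem.sh -t <targetfile> [-e sub1.ex.com,sub2.ex.com] (-S | -M | -L)

logo(){
echo ' ';
echo -e '\e[38;5;88m______ _______ _______ _______ ';
echo -e '\e[38;5;88m( ___ \ |\ /|( ____ \( ____ \( )';
echo -e '\e[38;5;215m| ( ) )| ) ( || ( \/| ( \/| () () |';
echo -e '\e[38;5;215m| (__/ / | (___) || (__ | (__ | || || |';
echo -e '\e[38;5;215m| __ ( | ___ || __) | __) | |(_)| |';
echo -e '\e[38;5;208m| ( \ \ | ( ) || ( | ( | | | |';
echo -e '\e[38;5;208m| )___) )| ) ( || (____/\| (____/\| ) ( |';
echo -e '\e[38;5;208m|/ \___/ |/ \|(_______/(_______/|/ \|';
echo -e '\e[38;5;208m ';

echo -e '\e[38;5;208mAutomated with <3 by Harsh Bothra (@harshbothra_) & Kathan Patel (@KathanP19)\e[0m';
}

logo

red=$(tput setaf 1)
green=$(tput setaf 2)
reset=$(tput sgr0)

# banner <text>: one line of text boxed in dashes.
banner(){
  echo '-----------------------------------------------------'
  echo "$1"
  echo '-----------------------------------------------------'
}

# run_scope <Label> <script>: run ~/arsenal/<script> on $target with banners.
# (The original printed "Starting ..." both before and after the run.)
run_scope(){
  banner "${red} Starting $1 Scope Recon on : ${green} [$target] ${reset}"
  bash ~/arsenal/"$2" "$target"
  banner "${red} Finished $1 Scope Recon on : ${green} [$target] ${reset}"
}

small_recon(){ run_scope Small small.sh; }
medium_recon(){ run_scope Medium medium.sh; }
large_recon(){ run_scope Large large.sh; }

usage(){
  echo "Usage :"
  echo " -t List of target"
  echo " -e Exclude target.(eg: sub1.ex.com,sub2.ex.com)"
  echo " -S Perform Small Recon"
  echo " -M Perform Medium Recon"
  echo " -L Perform Large Recon"
  echo " -h Displays the usage details"
}

# Bugs fixed in the option handling:
#  * "e" in the getopts string had no ':' so -e never accepted an argument
#    ("-e sub.ex.com" ended option parsing instead);
#  * -S/-M/-L ran the scan immediately, so `-t file -S -e x` started before
#    the exclusion was read, and `-S -t file` ran with no target at all;
#  * $exclude was never exported, so subdomain.sh (a child process) never saw it.
# Now: parse everything, validate, export, then dispatch once.
target=
exclude=
scope=
while getopts ":t:e:SMLh" opt; do
  case ${opt} in
    t ) target=$OPTARG ;;
    e ) exclude=$OPTARG ;;
    S ) scope=small ;;
    M ) scope=medium ;;
    L ) scope=large ;;
    h ) usage; exit 0 ;;
    \? ) echo "Invalid option: -$OPTARG"; usage; exit 2 ;;
    : ) echo "Invalid Argument"; usage; exit 2 ;;
  esac
done
shift $((OPTIND -1))

if [ -z "$target" ] || [ ! -f "$target" ]; then
  echo "${red}-t <targetfile> is required and must be a readable file${reset}"
  usage
  exit 2
fi
export exclude

case $scope in
  small ) small_recon ;;
  medium ) medium_recon ;;
  large ) large_recon ;;
  * ) echo "${red}Choose a scope: -S, -M or -L${reset}"; usage; exit 2 ;;
esac
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Project Bheem

Project Bheem is a simple collection of small bash scripts which run iteratively to drive various tools and recon processes and store their output in an organized way.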
This project was created initially to automate recon for personal use and was never meant to be public, as there is nothing fancy about it; due to requests from the community, Project Bheem is now public.
Please feel free to improve it in any way you can. There is no secret sauce involved: it is just a set of commands and existing tools wrapped in bash scripts for simple recon automation.

Project Bheem supports the approach from @harshbothra_'s Scope Based Recon Methodology. Currently the tool supports performing recon for:

1. Small Scope (single URLs in scope): performs a limited recon; useful when only a few URLs are provided in scope.
2. Medium Scope (\*.target.com in scope): performs recon to enumerate more assets and give you more options to attack.
3. Large Scope (everything in scope): performs almost every possible recon vector, from subdomain enumeration to fuzzing.

All three scopes actively scan the targets (port scans, directory brute-forcing, template scans, XSS payloads), not just passive lookups — only run Bheem against assets you are explicitly authorized to test.

A few features like port scanning might not be working in the current build, and some newly released tools might be missing. We are working on upgrading the tool, but feel free to fork, upgrade and make a pull request (ensure the tool is not broken).


### A big thanks to "Kathan Patel" for restructuring Project Bheem to support Scope Based Recon.

# Pre-Requisite

1. Make sure the latest Go release is installed and that `$GOPATH/bin` (usually `~/go/bin`) is on your `PATH`; the scripts call the Go tools by bare name.

# Installation

1. Clone the repository.
2. Run the following script to install the necessary tools: ``sh install.sh``. Read it first: it installs roughly 25 tools straight from GitHub without version pinning, runs `pip3 install` on each tool's requirements and uses `sudo`, so run it on a dedicated recon machine or VM rather than your workstation.
3. The ``arsenal`` directory contains the set of small scripts used to automate Bheem. Give executable permissions to the scripts in this directory.
4. Navigate to the ``~/arsenal`` directory and simply run the following command to see all the supported options provided by Bheem:

``./Bheem.sh -h``


5.
To use it on a VPS for recon over a larger set of targets, start it inside a `screen` session:

``screen -S bheem``
``~/arsenal/Bheem.sh -h``

6. This keeps ``Bheem`` running even if the SSH connection is terminated or you turn off your local machine.

# Docker Installation

- If you are lazy like me and hate wasting time on setup, don't worry: we have created a Docker environment to use Bheem without any setup.
- We have integrated Bheem with [Hacktools](https://github.com/xavier9909/IIEC-RISE-DOCKER-1.0-HackTools). As with any prebuilt image, review the Dockerfile in that repository before pointing the container at real targets.

- ``docker pull xavier9909/hacktools_bheem``
- ``docker run -it xavier9909/hacktools_bheem``
- ``cd arsenal && ./Bheem.sh``
- ``or just simply type bheem from any directory``
- Simply interact with the terminal and hit the target.
- One-liner image publishing soon.


# Sample Usage

1. Small Scope Recon : ``Bheem -t targetfile -S``
2. Medium Scope Recon : ``Bheem -t targetfile -M``
3. Large Scope Recon : ``Bheem -t targetfile -L``

``targetfile`` contains the list of domains to perform recon on, one per line. For example: `targettest.com`

### Exclude out-of-scope subdomains

Bheem has a flag to remove out-of-scope subdomains from the scan. To do so, use the "-e" flag with comma-separated subdomains. The filter is applied during subdomain enumeration (`arsenal/subdomain.sh`), so it only has an effect in Medium and Large scope; Small scope never enumerates subdomains.

``Bheem -t targetfile -S -e sub.ex.com,sub1.ex.com``

# Side Notes

1. If you don't want to use a specific module, just comment it out and it won't be used anymore.
2. Replace the blind XSS callback host in `/Bheem/arsenal/autoxss.sh` with your own. The value shipped there (`hahwul.xss.ht`, passed to dalfox via `-b`) is the dalfox author's listener, so until you change it any blind-XSS hit on your target is reported to a third party rather than to you. Visit [XSS Hunter](https://xsshunter.com/) to get your own blind XSS payload host.

# Tools Used

1. Nuclei
2. HTTPX
3. GF & GF-Patterns
4. Secret Finder
5. Heartbleed Oneliner
6. AMASS
7. Subfinder
8. Assetfinder
9. JSScan
10. FavFreak
11. Waybackurls
12. Gau
13. Parallel
14. asnip
15.
dirsearch
16. gowitness
17. subjack
18. CORS Scanner
19. git-hound
20. Shuffledns
21. Massdns

~ Other one-liners and tools to be added.

# PR Notes

1. If there is any Go version/path related issue, please do not create a PR for it.
2. Please create a PR for feature requests.
3. If there is any missing part in ``install.sh``, please create a PR for it.
4. For tool-specific issues, such as the installation of tool `X` used by Bheem failing, please do not create a PR here; raise the issue with the owner of that tool.

# Future Plans/Under Development

1. Adding Directory Enumeration
2. Adding Subdomain Bruteforcing
3. Adding HTTP Desync Scanner
4. Adding Vulnerable Software & Exploit Suggester
5. Adding One-line Scanner for CORS, CRLF & Other Vectors
6. Adding Visual Recon
7. Adding Web Based Handling Of Results

# Special Thanks

Every single application security community member and tool developer. Special thanks to:

1. Project Discovery (Httpx, Subfinder, chaos, nuclei)
2. OWASP (Amass)
3. Tomnomnom (Assetfinder, Waybackurls, GF)
4. Devansh (FavFreak)
5. Imran (Heartbleed oneliner)
6. M4ll0k (Secret Finder)
7. lc (gau)
8. tillson (git-hound)
9. ffuf (ffuf)
10. sensepost (gowitness)
11. defparam (smuggler)
12. haccer (subjack)
13. crt.sh (YashGoti)

### Please feel free to contribute.
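--------------------------------------------------------------------------------
/arsenal/small.sh:
--------------------------------------------------------------------------------
# small.sh — "Small scope" recon for every domain listed in the file given as $1:
# probe, nuclei, port scan, URL extraction, gf patterns, parameter discovery,
# dalfox, JS scan, secrets, directory fuzzing, heartbleed triage.
# Invoked by Bheem.sh as `bash ~/arsenal/small.sh <targetfile>` (no shebang,
# so bash is required). Results land in ~/Recon/<domain>/.
dir=~/arsenal
red=$(tput setaf 1)
green=$(tput setaf 2)
reset=$(tput sgr0)
script_name="Small_Recon"

# banner <text>: one line of text boxed in dashes.
banner(){
  echo '-----------------------------------------------------'
  echo "$1"
  echo '-----------------------------------------------------'
}

# step <label> <script> <domain>: announce, run ~/arsenal/<script> <domain>,
# then say where the results went. A failing step does not stop the run,
# which matches the original behaviour.
step(){
  banner "${red} Performing : ${green} $1 ${reset}"
  "$dir/$2" "$3"
  banner "${red} Finished : ${green} Results are saved in ${results} folder ${reset}"
}

# BUG FIX: the original set results=~/Recon/$domain before the loop, when
# $domain was still empty, so every "Results are saved in" message and the
# Discord notification pointed at ~/Recon/ instead of the target's folder.
while IFS= read -r domain || [ -n "$domain" ]; do
  [ -n "$domain" ] || continue
  results=~/Recon/$domain

  banner "${red} Testing : ${green} ${domain} ${reset}"

  step "Probing" probe_single.sh "$domain"
  step "Template Scanning with Nuclei" nuclear.sh "$domain"
  step "Port Scanning with Naabu" portscan_single.sh "$domain"
  step "URL Extraction" extractor.sh "$domain"
  step "Vulnerable Pattern Search" pattern.sh "$domain"
  step "Parameter Discovery" parameter.sh "$domain"
  step "XSS Automation" autoxss.sh "$domain"
  step "Javascript Scan" jscan.sh "$domain"
  step "Performing Secret Finder" secrets.sh "$domain"
  step "Performing Directory Fuzzing" dirfuzz.sh "$domain"
  step "Performing HeartBleed Scan" bleed.sh "$domain"

  banner "${red} Finished Recon on: ${green} ${domain} ${reset}"
done < "$1"

# Notify discord: <script_name> <targetfile> <results folder of the last domain>
python3 "$dir/discord_bot.py" "${script_name}" "$1" "${results:-$HOME/Recon}"
--------------------------------------------------------------------------------
/arsenal/medium.sh:
--------------------------------------------------------------------------------
gpath=~/go/bin/
dir=~/arsenal
results=~/Recon/$domain
red=`tput setaf 1`
green=`tput setaf 2`
reset=`tput sgr0`
script_name="Medium_Recon"

for domain in $(cat $1); do

echo '-----------------------------------------------------'
echo "${red} Testing : ${green} ${domain} ${reset}"
echo '-----------------------------------------------------'
# Performing Subdomain Enumeration
echo '-----------------------------------------------------'
echo "${red} Performing : ${green} Subdomain Enumeration ${reset}"
echo '-----------------------------------------------------'
$dir/subdomain.sh $domain;
echo '-----------------------------------------------------'
echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}"
echo '-----------------------------------------------------'
# Finished Subdomain Enumeration

# Performing Subdomain Bruteforcing
echo 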
'-----------------------------------------------------' 26 | echo "${red} Performing : ${green} Subdomain Bruteforcing ${reset}" 27 | echo '-----------------------------------------------------' 28 | $dir/subbruter.sh $domain; 29 | echo '-----------------------------------------------------' 30 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 31 | echo '-----------------------------------------------------' 32 | # Finished Subdomain Bruteforcing 33 | 34 | # Performing Subdomain Takeover 35 | echo '-----------------------------------------------------' 36 | echo "${red} Performing : ${green} Subdomain Takeover ${reset}" 37 | echo '-----------------------------------------------------' 38 | $dir/takeover.sh $domain; 39 | echo '-----------------------------------------------------' 40 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 41 | echo '-----------------------------------------------------' 42 | # Finished Subdomain Takeover 43 | 44 | # Performing Probing 45 | echo '-----------------------------------------------------' 46 | echo "${red} Performing : ${green} Probing ${reset}" 47 | echo '-----------------------------------------------------' 48 | $dir/prober.sh $domain; 49 | echo '-----------------------------------------------------' 50 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 51 | echo '-----------------------------------------------------' 52 | # Finished Probing 53 | 54 | # Performing Template Scanning with Nuclei 55 | echo '-----------------------------------------------------' 56 | echo "${red} Performing : ${green} Template Scanning with Nuclei ${reset}" 57 | echo '-----------------------------------------------------' 58 | $dir/nuclear.sh $domain; 59 | echo '-----------------------------------------------------' 60 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 61 | echo 
'-----------------------------------------------------' 62 | # Finished Template Scanning with Nuclei 63 | 64 | # Performing Port Scanning with Naabu 65 | echo '-----------------------------------------------------' 66 | echo "${red} Performing : ${green} Port Scanning with Naabu ${reset}" 67 | echo '-----------------------------------------------------' 68 | $dir/portscan.sh $domain; 69 | echo '-----------------------------------------------------' 70 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 71 | echo '-----------------------------------------------------' 72 | # Finished Port Scanning with Naabu 73 | 74 | # Performing URL Extraction 75 | echo '-----------------------------------------------------' 76 | echo "${red} Performing : ${green} URL Extraction ${reset}" 77 | echo '-----------------------------------------------------' 78 | $dir/extractor.sh $domain; 79 | echo '-----------------------------------------------------' 80 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 81 | echo '-----------------------------------------------------' 82 | # Finished URL Extraction 83 | 84 | # Performing Vulnerable Pattern Search 85 | echo '-----------------------------------------------------' 86 | echo "${red} Performing : ${green} Vulnerable Pattern Search ${reset}" 87 | echo '-----------------------------------------------------' 88 | $dir/pattern.sh $domain; 89 | echo '-----------------------------------------------------' 90 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 91 | echo '-----------------------------------------------------' 92 | # Finished Vulnerable Pattern Search 93 | 94 | # Performing Javascript Scan 95 | echo '-----------------------------------------------------' 96 | echo "${red} Performing : ${green} Javascript Scan ${reset}" 97 | echo '-----------------------------------------------------' 98 | $dir/jscan.sh $domain; 99 | echo 
'-----------------------------------------------------' 100 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 101 | echo '-----------------------------------------------------' 102 | # Finished Javascript Scan 103 | 104 | # Performing Secret Finder 105 | echo '-----------------------------------------------------' 106 | echo "${red} Performing : ${green} Performing Secret Finder ${reset}" 107 | echo '-----------------------------------------------------' 108 | $dir/secrets.sh $domain; 109 | echo '-----------------------------------------------------' 110 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 111 | echo '-----------------------------------------------------' 112 | # Finished Secret Finder 113 | 114 | # Performing Directory Fuzzing 115 | echo '-----------------------------------------------------' 116 | echo "${red} Performing : ${green} Performing Directory Fuzzing ${reset}" 117 | echo '-----------------------------------------------------' 118 | $dir/dirfuzz.sh $domain; 119 | echo '-----------------------------------------------------' 120 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 121 | echo '-----------------------------------------------------' 122 | # Finished Directory Fuzzing 123 | 124 | # Performing CORS Scan 125 | echo '-----------------------------------------------------' 126 | echo "${red} Performing : ${green} Performing CORS Scan ${reset}" 127 | echo '-----------------------------------------------------' 128 | $dir/corser.sh $domain; 129 | echo '-----------------------------------------------------' 130 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 131 | echo '-----------------------------------------------------' 132 | # Finished CORS Scan 133 | 134 | # Performing HeartBleed Scan 135 | echo '-----------------------------------------------------' 136 | echo "${red} Performing : ${green} 
Performing HeartBleed Scan ${reset}" 137 | echo '-----------------------------------------------------' 138 | $dir/bleed.sh $domain; 139 | echo '-----------------------------------------------------' 140 | echo "${red} Finished : ${green} Results are saved in ${results} folder ${reset}" 141 | echo '-----------------------------------------------------' 142 | # Finished HeartBleed Scan 143 | 144 | # Finished Recon 145 | echo '-----------------------------------------------------' 146 | echo "${red} Finished Recon on: ${green} ${domain} ${reset}" 147 | echo '-----------------------------------------------------' 148 | 149 | done 150 | 151 | # Notify discord 152 | python3 $dir/discord_bot.py ${script_name} $1 ${results} 153 | -------------------------------------------------------------------------------- /arsenal/providers.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "name":"github", 4 | "cname":["github.io", "github.map.fastly.net"], 5 | "response":["There isn't a GitHub Pages site here.", "For root URLs (like http://example.com/) you must provide an index.html file"] 6 | }, 7 | { 8 | "name":"heroku", 9 | "cname":["herokudns.com", "herokussl.com", "herokuapp.com"], 10 | "response":["There's nothing here, yet.", "herokucdn.com/error-pages/no-such-app.html", "No such app"] 11 | }, 12 | { 13 | "name":"unbounce", 14 | "cname":["unbouncepages.com"], 15 | "response":["The requested URL / was not found on this server.", "The requested URL was not found on this server"] 16 | }, 17 | { 18 | "name":"tumblr", 19 | "cname":["tumblr.com"], 20 | "response":["There's nothing here.", "Whatever you were looking for doesn't currently exist at this address."] 21 | }, 22 | { 23 | "name":"shopify", 24 | "cname":["myshopify.com"], 25 | "response":["Sorry, this shop is currently unavailable.", "Only one step left!"] 26 | }, 27 | { 28 | "name":"instapage", 29 | "cname":["pageserve.co", "secure.pageserve.co", 
"https://instapage.com/"], 30 | "response":["You've Discovered A Missing Link. Our Apologies!"] 31 | }, 32 | { 33 | "name":"desk", 34 | "cname":["desk.com"], 35 | "response":["Please try again or try Desk.com free for 14 days.", "Sorry, We Couldn't Find That Page"] 36 | }, 37 | { 38 | "name":"tictail", 39 | "cname":["tictail.com", "domains.tictail.com"], 40 | "response":["Building a brand of your own?", "to target URL: Trying to access your account?"] 46 | }, 47 | { 48 | "name":"cargocollective", 49 | "cname":["cargocollective.com"], 50 | "response":["404 Not Found"] 51 | }, 52 | { 53 | "name":"statuspage", 54 | "cname":["statuspage.io"], 55 | "response":["Better Status Communication", "You are being redirected"] 56 | }, 57 | { 58 | "name":"amazonaws", 59 | "cname":["amazonaws.com"], 60 | "response":["NoSuchBucket", "The specified bucket does not exist"] 61 | }, 62 | { 63 | "name":"cloudfront", 64 | "cname":["cloudfront.net"], 65 | "response":["The request could not be satisfied", "ERROR: The request could not be satisfied"] 66 | }, 67 | { 68 | "name":"bitbucket", 69 | "cname":["bitbucket.org"], 70 | "response":["The page you have requested does not exist"] 71 | }, 72 | { 73 | "name":"smartling", 74 | "cname":["smartling.com"], 75 | "response":["Domain is not configured"] 76 | }, 77 | { 78 | "name":"acquia", 79 | "cname":["acquia.com"], 80 | "response":["If you are an Acquia Cloud customer and expect to see your site at this address"] 81 | }, 82 | { 83 | "name":"fastly", 84 | "cname":["fastly.net"], 85 | "response":["Please check that this domain has been added to a service", "Fastly error: unknown domain"] 86 | }, 87 | { 88 | "name":"pantheon", 89 | "cname":["pantheonsite.io"], 90 | "response":["The gods are wise", "The gods are wise, but do not know of the site which you seek."] 91 | }, 92 | { 93 | "name":"zendesk", 94 | "cname":["zendesk.com"], 95 | "response":["Help Center Closed | Zendesk", "Help Center Closed"] 96 | }, 97 | { 98 | "name":"uservoice", 99 | 
"cname":["uservoice.com"], 100 | "response":["This UserVoice subdomain is currently available!"] 101 | }, 102 | { 103 | "name":"ghost", 104 | "cname":["ghost.io"], 105 | "response":["The thing you were looking for is no longer here", "The thing you were looking for is no longer here, or never was"] 106 | }, 107 | { 108 | "name":"pingdom", 109 | "cname":["stats.pingdom.com"], 110 | "response":["pingdom"] 111 | }, 112 | { 113 | "name":"tilda", 114 | "cname":["tilda.ws"], 115 | "response":["Domain has been assigned"] 116 | }, 117 | { 118 | "name":"wordpress", 119 | "cname":["wordpress.com"], 120 | "response":["Do you want to register"] 121 | }, 122 | { 123 | "name":"teamwork", 124 | "cname":["teamwork.com"], 125 | "response":["Oops - We didn't find your site."] 126 | }, 127 | { 128 | "name":"helpjuice", 129 | "cname":["helpjuice.com"], 130 | "response":["We could not find what you're looking for."] 131 | }, 132 | { 133 | "name":"helpscout", 134 | "cname":["helpscoutdocs.com"], 135 | "response":["No settings were found for this company:"] 136 | }, 137 | { 138 | "name":"cargo", 139 | "cname":["cargocollective.com"], 140 | "response":["If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel."] 141 | }, 142 | { 143 | "name":"feedpress", 144 | "cname":["redirect.feedpress.me"], 145 | "response":["The feed has not been found."] 146 | }, 147 | { 148 | "name":"surge", 149 | "cname":["surge.sh"], 150 | "response":["project not found"] 151 | }, 152 | { 153 | "name":"surveygizmo", 154 | "cname":["privatedomain.sgizmo.com", "privatedomain.surveygizmo.eu", "privatedomain.sgizmoca.com"], 155 | "response":["data-html-name"] 156 | }, 157 | { 158 | "name":"mashery", 159 | "cname":["mashery.com"], 160 | "response":["Unrecognized domain "] 161 | }, 162 | { 163 | "name":"intercom", 164 | "cname":["custom.intercom.help"], 165 | "response":["This page is reserved for artistic dogs.","

Uh oh. That page doesn’t exist.

"] 166 | }, 167 | { 168 | "name":"webflow", 169 | "cname":["proxy.webflow.io"], 170 | "response":["

The page you are looking for doesn't exist or has been moved.

"] 171 | }, 172 | { 173 | "name":"kajabi", 174 | "cname":["endpoint.mykajabi.com"], 175 | "response":["

The page you were looking for doesn't exist.

"] 176 | }, 177 | { 178 | "name":"thinkific", 179 | "cname":["thinkific.com"], 180 | "response":["You may have mistyped the address or the page may have moved."] 181 | }, 182 | { 183 | "name":"tave", 184 | "cname":["clientaccess.tave.com"], 185 | "response":["

Error 404: Page Not Found

"] 186 | }, 187 | { 188 | "name":"wishpond", 189 | "cname":["wishpond.com"], 190 | "response":["https://www.wishpond.com/404?campaign=true"] 191 | }, 192 | { 193 | "name":"aftership", 194 | "cname":["aftership.com"], 195 | "response":["Oops.

The page you're looking for doesn't exist."] 196 | }, 197 | { 198 | "name":"aha", 199 | "cname":["ideas.aha.io"], 200 | "response":["There is no portal here ... sending you back to Aha!"] 201 | }, 202 | { 203 | "name":"brightcove", 204 | "cname":["brightcovegallery.com", "gallery.video", "bcvp0rtal.com"], 205 | "response":["

"] 206 | }, 207 | { 208 | "name":"bigcartel", 209 | "cname":["bigcartel.com"], 210 | "response":["

Oops! We couldn’t find that page.

"] 211 | }, 212 | { 213 | "name":"activecompaign", 214 | "cname":["activehosted.com"], 215 | "response":["alt=\"LIGHTTPD - fly light.\""] 216 | }, 217 | { 218 | "name":"compaignmonitor", 219 | "cname":["createsend.com"], 220 | "response":["Double check the URL or