├── README.md
├── install.sh
└── script.sh


/README.md:
--------------------------------------------------------------------------------
 1 | # recon_automation
 2 | ![recon](https://user-images.githubusercontent.com/82051128/121772811-50217b00-cb91-11eb-8df7-42b362f2afc4.png)
 3 | 
 4 | 
 5 | # Note:
 6 |      If u are using .bashrc/bash shell then just replace .zshrc to .bashrc in the line 58 of install.sh script.
 7 | # Requirements:
 8 |     1)Make Sure go language is installed and set to $PATH.
 9 |     2)or Download the go language from its official website.
10 |     3)Open terminal and move to directory where you downloaded go.
11 |     4)Now run tar -c /usr/local -xzf {go .gz folder}.
12 |     5)then open sudo nano $HOME/.zshrc or sudo nano $HOME/.bashrc add the following commands.
13 |     6)export PATH=$PATH:/usr/local/go/bin 
14 |     export GOPATH=$HOME/go   
15 |     export PATH=$PATH:$HOME/go/bin 
16 |     export PATH=$PATH:$HOME/go/  
17 |     7) sudo source ~/.zshrc or source ~/.bashrc
18 | 
19 | # Installation:
20 |     1)  Simply Clone the repository
21 |     2)  chmod +x install.sh
22 |     3)  ./install.sh
23 |     4)  chmod +x script.sh
24 |    
25 | 
26 | 
27 | # Usage:
28 |     ./script.sh 
29 | 
30 | # Current Features:
31 |     1) This script will collect all the subdomains using amass, assetfinder, subfinder and crt.sh
32 |     2) For subdomain bruteforcing, shuffledns is used in the script.
33 |     3) This script will gather all the subdomains and put them in a single .txt file.
34 |     4) This script will resolves all the subdomains using shuffledns.
35 |     5) And Finally will check http/https services on the given domains using httpx tool.
36 |     6) Gf tool and its patterns installation and also will set their path automatically.
37 |     7) It will check for the Following Vulnerablities:
38 |     a) Subdomain takeover
39 |     b) CORS misconfiguration
40 |     c) nuclei scan
41 |     d) Open Redirect Scanner
42 |     e) LFI Scanner
43 |     f) Advance XSS Scanner and method used.
44 |     g) Sqli Scan
45 |     7) This script will collect all the urls using waybackurls and will filter them and store them in single file.
46 |     8) ffuf is used in this script to find valid urls.
47 |     9) This script will generate target based paths/parameters using unfurl for further attack.
48 | 
49 | # Future Features:
50 |     1. SSRF Automation
51 |     2. Host Header Injection Automation
52 |     3. Hidden and Sensitive Directories bruteforce
53 |     4. CRLF Injection
54 |     5. HTTP Request Smuggling Automation
55 | 
56 | 
57 | # Special Thanks To:
58 | 1) @tomnomnom
59 | 2) @projectdiscovery
60 | 3) and other infosec community.
61 | 
62 | # TOOLS Used:
63 |     Subfinder
64 |     Amass
65 |     Assetfinder
66 |     waybackurls
67 |     unfurl
68 |     subjack
69 |     subzy
70 |     ffuf
71 |     shuffledns
72 |     httpx
73 |     nuclei
74 |     crt.sh
75 |     massdns
76 |     
77 | 
78 | # Author
79 |   1. https://www.facebook.com/pakhack01 
80 |   2. https://instagram.com/invisibleclay100 
81 |   3. https://www.youtube.com/channel/UCC_aPnmV_zGfdwktCFE9cPQ 
82 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | NC='\033[0m'
  3 | RED='\033[1;38;5;196m'
  4 | GREEN='\033[1;38;5;040m'
  5 | ORANGE='\033[1;38;5;202m'
  6 | BLUE='\033[1;38;5;012m'
  7 | BLUE2='\033[1;38;5;032m'
  8 | PINK='\033[1;38;5;013m'
  9 | GRAY='\033[1;38;5;004m'
 10 | NEW='\033[1;38;5;154m'
 11 | YELLOW='\033[1;38;5;214m'
 12 | CG='\033[1;38;5;087m'
 13 | CP='\033[1;38;5;221m'
 14 | CPO='\033[1;38;5;205m'
 15 | CN='\033[1;38;5;247m'
 16 | CNC='\033[1;38;5;051m'
 17 | echo -e ${RED}"##################################################################"
 18 | echo -e ${CP}"        ____  _            _      ____  _____           _   _    #"                                                  
 19 | echo -e ${CP}"       | __ )| | __ _  ___| | __ |  _ \|___ /  ___ ___ | \ | |   #"                                                  
 20 | echo -e ${CP}"       |  _ \| |/ _  |/ __| |/ / | |_) | |_ \ / __/ _ \|  \| |   #"                                                 
 21 | echo -e ${CP}"       | |_) | | (_| | (__|   <  |  _ < ___) | (_| (_) | |\  |   #"                                               
 22 | echo -e ${CP}"       |____/|_|\__ _|\___|_|\_\ |_| \_\____/ \___\___/|_| |_|   #"       
 23 | echo -e ${CP}"              Automate Your Bug Bounty R3cOn                     #"                                           
 24 | echo -e ${BLUE}"              https://facebook.com/unknownclay                   #"  
 25 | echo -e ${YELLOW}"              Coded By: Machine404                               #"
 26 | echo -e ${CG}"              https://github.com/machine1337                     #"
 27 | echo -e ${RED}"################################################################## \n "
 28 | sleep 2
 29 | d=$(date +"%b-%d-%y %H:%M")
 30 | echo -e ${CP}"[+]Installtion Started On: $d \n"
 31 | sleep 1
 32 | echo -e ${BLUE}"[+]Checking Go Installation\n"
 33 | if [[ -z "$GOPATH" ]]; then
 34 |   echo -e ${RED}"[+]Go is not Installed....Plz Install it and run the script again"
 35 |   echo -e ${CP}"[+]For Installation Plz Check my recon-automation repo pre-requisite part!"
 36 |   exit 1
 37 |   else
 38 |   echo -e ${BLUE}"..........Go is installed..............\n"
 39 |  fi
 40 | echo -e ${GREEN}"[+]Installing Assetfinder\n"
 41 | sleep 1
 42 | assetfinder_checking(){
 43 | command -v "assetfinder" >/dev/null 2>&1
 44 | command -v "assetfinder" >/dev/null 2>&1
 45 | if [[ $? -ne 0 ]]; then 
 46 |         go get -u github.com/tomnomnom/assetfinder >/dev/null 2>&1
 47 |         echo -e ".............assetfinder successfully installed..............\n"
 48 |         else
 49 |         echo -e ".......assetfinder already installed..........\n"
 50 |     fi
 51 | sleep 1
 52 | echo -e ${CP}"[+]Installing gau\n"
 53 | command -v "gau" >/dev/null 2>&1
 54 | if [[ $? -ne 0 ]]; then
 55 |             
 56 |             go get -u -v github.com/lc/gau >/dev/null 2>&1
 57 |             echo -e ".........gau successfully installed................\n"
 58 |             else
 59 |             echo -e "...........gau already exists..................... \n"
 60 |        fi
 61 | sleep 1
 62 | echo -e ${CPO}"[+]Installing qsreplace\n"
 63 | command -v "qsreplace" >/dev/null 2>&1
 64 | if [[ $? -ne 0 ]]; then
 65 |             
 66 |             go get -u github.com/tomnomnom/qsreplace >/dev/null 2>&1
 67 |             echo -e ".........qsreplace successfully installed............\n"
 68 |             else
 69 |             echo -e "...........qsreplace already exists.................. \n"
 70 |        fi
 71 | }
 72 | assetfinder_checking
 73 | sleep 1
 74 | echo -e ${PINK}"[+]Installing gf tool\n"
 75 | checking_gf(){
 76 | command -v "gf" >/dev/null 2>&1
 77 | if [[ $? -ne 0 ]]; then
 78 |          go get -u github.com/tomnomnom/gf >/dev/null 2>&1
 79 |          echo 'source $GOPATH/pkg/mod/github.com/tomnomnom/gf*/gf-completion.zsh' >> ~/.zshrc
 80 |          cp -r $GOPATH/pkg/mod/github.com/tomnomnom/gf*/examples ~/.gf
 81 |          source ~/.zshrc
 82 |          echo -e "..............Gf tool Successfully installed..............\n"
 83 |          else
 84 |          echo -e "................Gf tool already exsist....................\n"
 85 |     fi
 86 | sleep 1
 87 | echo -e ${BLUE}"[+]Installing Gf Patterns\n"
 88 | if [[ ! -d ~/Gf-Patterns  ]]; then       
 89 |         cd ~
 90 |         git clone https://github.com/1ndianl33t/Gf-Patterns.git
 91 |         sudo mv ~/Gf-Patterns/*.json ~/.gf
 92 |         echo -e "...........Gf Patterns Successfully Installed............\n"
 93 |         else
 94 |         echo -e "...........Gf Patterns Already exsist.....................\n"
 95 |     fi    
 96 | }
 97 | checking_gf
 98 | sleep 1
 99 | echo -e ${CP}"[+]Installing Amass\n"
100 | amass_checking(){
101 | command -v "amass" >/dev/null 2>&1
102 | if [[ $? -ne 0 ]]; then
103 |          
104 |          
105 |          sudo apt-get install amass -y
106 |          echo -e "................Amass successfully installed..............\n"
107 |          else
108 |          echo -e "...............Amass is already installed.................\n"
109 |    fi
110 | }
111 | amass_checking
112 | sleep 1
113 | echo -e ${CP}"[+]Installing Jq\n"
114 | jq_checking(){
115 | command -v "jq" >/dev/null 2>&1
116 | if [[ $? -ne 0 ]]; then
117 |          
118 |          
119 |          sudo apt-get install jq -y
120 |          echo -e ".................jq successfully installed..............\n"
121 |          else
122 |          echo -e ".............jq is already installed.....................\n"
123 |    fi
124 | 
125 | }
126 | jq_checking
127 | sleep 1
128 | echo -e ${CG}"[+]Installing subfinder\n"
129 | subfinder_checking(){
130 | command -v "subfinder" >/dev/null 2>&1
131 | if [[ $? -ne 0 ]]; then
132 |          
133 |          GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder 
134 |          echo -e "................subfinder successfully installed.............\n"
135 |          else
136 |          echo -e "............subfinder is already installed...................\n"
137 |    fi
138 | }
139 | subfinder_checking
140 | sleep 1
141 | echo -e ${CN}"[+]Installing Massdns\n"
142 | massdns_checking(){
143 | mkdir -p ~/tools
144 | command -v "massdns" >/dev/null 2>&1
145 | if [[ $? -ne 0 ]]; then
146 |         mkdir -p ~/tools
147 |          cd ~/tools
148 |          git clone https://github.com/blechschmidt/massdns.git
149 |          cd massdns
150 |           make
151 |           cd bin
152 |           sudo mv massdns /usr/local/bin
153 |           echo -e "............massdns installed successfully..............\n"
154 |          else
155 |          echo -e "..............massdns is already installed................\n"
156 |     fi
157 | }
158 | massdns_checking
159 | sleep 1
160 | echo -e ${CP}"[+]Installing Nuclei\n"
161 | command -v "nuclei" >/dev/null 2>&1
162 | if [[ $? -ne 0 ]]; then
163 |          GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei   
164 |          echo -e "...........Nuclei tool successfully installed...................\n"   
165 |           else
166 |           echo -e "...........Nuclei tool already exists...................\n"
167 |        fi
168 | sleep 1
169 | echo -e ${NEW}"[+]Installing Nuclei Templates\n"
170 | if [[ ! -d ~/tools/nuclei-templates ]]; then
171 |          mkdir -p ~/tools
172 |          cd ~/tools
173 |          git clone https://github.com/projectdiscovery/nuclei-templates.git
174 |          echo -e "...............Nuclei templates installation done..............\n"
175 |          else
176 |          echo -e "................nuclei templates already exists................\n"
177 |   fi
178 | sleep 1
179 | echo -e ${CP}"[+]Installing dnsvalidator\n"
180 | dnsvalidator_installing(){
181 | mkdir -p ~/tools
182 | mkdir -p ~/tools/resolvers
183 | command -v "dnsvalidator" >/dev/null 2>&1
184 | if [[ $? -ne 0 ]]; then
185 |         cd ~/tools
186 |        git clone  https://github.com/vortexau/dnsvalidator.git
187 |        cd dnsvalidator
188 |        sudo apt-get install python3-pip -y
189 |        sudo python3 setup.py install 
190 |        dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 25 -o resolvers.txt
191 |        cat resolvers.txt | tail -n 60 > ~/tools/resolvers/resolver.txt
192 |        else
193 |         echo -e ".......dnsvalidator already exist.........\n"
194 | fi
195 | 
196 | }
197 | 
198 | dnsvalidator_installing
199 | sleep 1
200 | other_tools(){
201 | echo -e ${CPO}"[+]Installing httpx\n"
202 | command -v "httpx" >/dev/null 2>&1
203 | if [[ $? -ne 0 ]]; then       
204 |         go get -v github.com/projectdiscovery/httpx/cmd/httpx
205 |         echo -e ".................httpx successfully installed..............\n"
206 |          else
207 |          echo -e "...............httpx is already installed.............\n"
208 |    fi
209 | sleep 1
210 | echo -e ${CP}"[+]Installing httprobe\n"
211 | command -v "httprobe" >/dev/null 2>&1
212 | if [[ $? -ne 0 ]]; then        
213 |          go get -u github.com/tomnomnom/httprobe 
214 |          echo -e ".............httprobe successfully installed..............\n"
215 |          else
216 |          echo -e "...........httprobe is already installed...............\n"
217 |    fi  
218 | sleep 1
219 | echo -e ${CP}"[+]Installing shuffledns\n"
220 | command -v "shuffledns" >/dev/null 2>&1
221 | if [[ $? -ne 0 ]]; then       
222 |         mkdir -p ~/tools
223 |         cd ~/tools
224 |   wget https://github.com/projectdiscovery/shuffledns/releases/download/v1.0.4/shuffledns_1.0.4_linux_amd64.tar.gz >/dev/null 2>&1
225 |         tar -xvzf shuffledns*.gz     
226 |         sudo mv shuffledns /usr/local/bin
227 |          rm -R shuffledns*.gz
228 |         echo -e "................shuffledns successfully installed..............\n"        
229 |          else
230 |         echo -e "..............shuffledns is already installed..................\n"
231 |    fi
232 | sleep 1
233 | echo -e ${GREEN}"[+]Installing Seclists\n"
234 | command -v "seclists" >/dev/null 2>&1
235 | if [[ ! -d /usr/share/seclists ]]; then 
236 |         
237 |         sudo apt install seclists -y
238 |         echo -e "....................Seclists Successfully Installed.................\n"    
239 |         else
240 |         echo -e ".................Seclists Already Exists.................\n"
241 | fi
242 | sleep 1      
243 | echo -e ${CNC}"[+]Downloading LFI payloads\n"   
244 | if [[ ! -f ~/tools/dotdotpwn.txt ]]; then
245 |          cd ~/tools
246 | wget https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Directory%20Traversal/Intruder/dotdotpwn.txt 
247 |         cat dotdotpwn.txt | head -n 120 > ~/tools/lfipayloads.txt
248 |         echo -e "..............LFI Payloads Successfully Downloaded..........\n"
249 |         else
250 |         echo -e ".................LFI Payloads Already Exists.................\n"
251 | fi  
252 | sleep 1
253 | echo -e ${CP}"[+]Installing Corsy\n"
254 | command -v "Corsy" >/dev/null 2>&1
255 | if [[ ! -d ~/tools/Corsy ]]; then
256 |         cd ~/tools
257 |         git clone  https://github.com/s0md3v/Corsy.git
258 |         cd Corsy
259 |         sudo apt install python3-pip -y
260 |         pip install -r requirements.txt
261 |         echo -e "....................Cors installation done...................\n"
262 |         else
263 |         echo -e ".............Corsy already installed.................\n"
264 |     fi
265 | sleep 1
266 | echo -e ${CNC}"[+]Installing waybackurls\n"
267 | command -v "waybackurls" >/dev/null 2>&1
268 | if [[ $? -ne 0 ]]; then
269 |         go get github.com/tomnomnom/waybackurls >/dev/null 2>&1
270 |         echo -e "......waybackurls installed successfully......\n"
271 |         else
272 |         echo -e "........waybackurls already exists...........\n"
273 |     fi
274 | sleep 1
275 | echo -e ${PINK}"[+]Installing Unfurl\n"
276 | command -v "unfurl" >/dev/null 2>&1
277 | if [[ $? -ne 0 ]]; then
278 |          go get -u github.com/tomnomnom/unfurl >/dev/null 2>&1
279 |         echo -e "......Unfurl installed successfully..........\n"
280 |         else
281 |         echo -e "........Unfurl already exists................\n"   
282 |     fi
283 | sleep 1
284 | echo -e ${CNC}"[+]Installing ffuf\n"
285 | command -v "ffuf" >/dev/null 2>&1
286 | if [[ $? -ne 0 ]]; then
287 |     go get -u github.com/ffuf/ffuf  >/dev/null 2>&1
288 |     echo -e ".......ffuf successfully installed........\n"
289 |     else
290 |     echo -e ".......ffuf already exists................\n"
291 |     fi
292 | sleep 1
293 | echo -e ${CNC}"[+]Installing OpenRedireX\n"
294 | if [ -d ~/tools/OpenRedireX ]; then
295 |      echo -e "..................OpenRedireX already exists...............\n"
296 |      else    
297 |     cd ~/tools
298 |     git clone https://github.com/devanshbatham/OpenRedireX
299 |     echo "...............OpenRedireX Installed successfully..............\n"
300 | fi
301 | sleep 1
302 | echo -e ${BLUE}"[+]Installing kxss\n"
303 | command -v "kxss" >/dev/null 2>&1
304 | if [[ $? -ne 0 ]]; then
305 |     echo "........installing kxss............"
306 |     go get -u github.com/tomnomnom/hacks/kxss 
307 |     echo -e "........kxss installed successfully...........\n"
308 |     else
309 |     echo -e ".........kxss already exists.................\n"
310 |     fi
311 | sleep 1
312 | echo -e ${GREEN}"[+]Installing dalfox\n"
313 | command -v "dalfox" >/dev/null 2>&1
314 | if [[ $? -ne 0 ]]; then
315 |     GO111MODULE=on go get -v github.com/hahwul/dalfox/v2 >/dev/null 2>&1
316 |     echo -e ".........dalfox installed successfully...........\n"
317 |     else
318 |     echo -e "...........dalfox already exists...............\n"
319 |     fi
320 | }
321 | other_tools
322 | sleep 1
323 | subdomain_takeover(){
324 | echo -e ${GREEN}"[+]Installing subzy\n"
325 | command -v "subzy" >/dev/null 2>&1
326 | if [[ $? -ne 0 ]]; then
327 |          go get -u -v github.com/lukasikic/subzy >/dev/null 2>&1
328 |          echo -e "..........Subzy takeover tool Installation done........\n"
329 |          else
330 |          echo -e "............subzy is already installed.............\n"
331 |     fi
332 | echo -e ${CP}"[+]Installing subjack\n"
333 | sleep 1
334 | command -v "subjack" >/dev/null 2>&1
335 | if [[ $? -ne 0 ]]; then         
336 |           go get github.com/haccer/subjack >/dev/null 2>&1
337 |           cd ~/go/pkg/mod/github.com/haccer/
338 |           sudo mv subjack@* subjack
339 |           cd ~/go/
340 |           mkdir -p src
341 |           mkdir -p src/github.com
342 |           sudo mv ~/go/pkg/mod/github.com/haccer ~/go/src/github.com/
343 |           
344 |          echo -e ".........Subjack takeover tool installation done.........\n"
345 |           else
346 |           echo -e "...........subjack is already installed.............\n"
347 |     fi
348 | }
349 | subdomain_takeover
350 | sleep 1
351 | echo -e ${CN}"[+]Installing Gxss\n"
352 | xss_tools(){
353 | command -v "Gxss" >/dev/null 2>&1
354 | if [[ $? -ne 0 ]]; then
355 |         go get -u github.com/KathanP19/Gxss >/dev/null 2>&1
356 |         echo -e "...............Gxss successfully installed..................\n"
357 |         else
358 |         echo -e "..................Gxss already installed..................\n"
359 |      fi
360 | sleep 1
361 | echo -e ${CPO}"[+]Installing ParamSpider\n"
362 | if [[ ! -d ~/tools/ParamSpider ]]; then
363 |        cd ~/tools
364 |         git clone https://github.com/devanshbatham/ParamSpider
365 |        cd ParamSpider
366 |        pip3 install -r requirements.txt
367 |        echo -e "............ParamSpider Successfully Installed................\n"
368 |        else
369 |        echo -e "............ParamSpider already installed.....................\n"
370 |     fi
371 | sleep 1
372 | echo -e ${BLUE}"[+]Installing Arjun\n"
373 | if [[ ! -d ~/tools/Arjun ]]; then
374 |        cd ~/tools
375 |       git clone https://github.com/s0md3v/Arjun.git
376 |        cd Arjun
377 |        sudo python3 setup.py install 
378 |        echo -e "............Arjun Successfully Installed................\n"
379 |        else
380 |        echo -e "............Arjun already installed.....................\n"
381 |     fi
382 | }
383 | xss_tools
384 | echo -e ${RED}"[+]***************All Done************************[+]\n"
385 | 


--------------------------------------------------------------------------------
/script.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | NC='\033[0m'
  3 | RED='\033[1;38;5;196m'
  4 | GREEN='\033[1;38;5;040m'
  5 | ORANGE='\033[1;38;5;202m'
  6 | BLUE='\033[1;38;5;012m'
  7 | BLUE2='\033[1;38;5;032m'
  8 | PINK='\033[1;38;5;013m'
  9 | GRAY='\033[1;38;5;004m'
 10 | NEW='\033[1;38;5;154m'
 11 | YELLOW='\033[1;38;5;214m'
 12 | CG='\033[1;38;5;087m'
 13 | CP='\033[1;38;5;221m'
 14 | CPO='\033[1;38;5;205m'
 15 | CN='\033[1;38;5;247m'
 16 | CNC='\033[1;38;5;051m'
 17 | 
 18 | function bounty_recon(){
 19 | echo -e ${RED}"##################################################################"
 20 | echo -e ${CP}"        ____  _            _      ____  _____           _   _    #"                                                  
 21 | echo -e ${CP}"       | __ )| | __ _  ___| | __ |  _ \|___ /  ___ ___ | \ | |   #"                                                  
 22 | echo -e ${CP}"       |  _ \| |/ _  |/ __| |/ / | |_) | |_ \ / __/ _ \|  \| |   #"                                                 
 23 | echo -e ${CP}"       | |_) | | (_| | (__|   <  |  _ < ___) | (_| (_) | |\  |   #"                                               
 24 | echo -e ${CP}"       |____/|_|\__ _|\___|_|\_\ |_| \_\____/ \___\___/|_| |_|   #"       
 25 | echo -e ${CP}"              Automate Your Bug Bounty R3cOn                     #"                                           
 26 | echo -e ${BLUE}"              https://facebook.com/unknownclay                   #"  
 27 | echo -e ${YELLOW}"              Coded By: Machine404                               #"
 28 | echo -e ${CG}"              https://github.com/machine1337                     #"
 29 | echo -e ${RED}"################################################################## \n "
 30 | }
 31 | d=$(date +"%b-%d-%y %H:%M")
 32 | 
 33 | function single_recon(){
 34 | clear
 35 | bounty_recon
 36 | echo -n -e ${ORANGE}"\n[+] Enter Single domain (e.g evil.com) : " 
 37 |            read domain
 38 | mkdir -p $domain $domain/vulnerabilities $domain/vulnerabilities/cors $domain/waybackurls $domain/target_wordlist $domain/gf $domain/vulnerabilities/openredirect/ $domain/vulnerabilities/xss_scan $domain/nuclei_scan $domain/vulnerabilities/LFI $domain/vulnerabilities/sqli
 39 | echo -e ${BLUE}"\n[+] Recon Started On $d: \n"
 40 | sleep 1
 41 | echo -e ${CP}"[+] Checking Services On Target:- \n"
 42 | echo "$domain" | httpx -threads 30 -o $domain/httpx.txt
 43 | sleep 1
 44 | echo -e ${GREEN}"\n[+] Searching For Cors Misconfiguration:- "
 45 | python3 ~/tools/Corsy/corsy.py -i $domain/httpx.txt -t 15 | tee $domain/vulnerabilities/cors/cors_misconfig.txt
 46 | sleep 1
 47 | echo -e ${CPO}"\n[+] Collecting URLS:- \n"
 48 | cat $domain/httpx.txt | gau | tee $domain/waybackurls/tmp.txt
 49 | cat $domain/waybackurls/tmp.txt | egrep -v "\.woff|\.ttf|\.svg|\.eot|\.png|\.jpep|\.jpeg|\.css|\.ico|\jpg" | sed 's/:80//g;s/:443//g' | sort -u >> $domain/waybackurls/wayback.txt
 50 | 
 51 | rm $domain/waybackurls/tmp.txt
 52 | sleep 1
 53 | echo -e ${CNC}"\n[+] FFUF Started On URLS:- "
 54 | ffuf -c -u "FUZZ" -w $domain/waybackurls/wayback.txt -of csv -o $domain/waybackurls/valid-tmp.txt
 55 | 
 56 | cat $domain/waybackurls/valid-tmp.txt | grep http | awk -F "," '{print $1}'  >>  $domain/waybackurls/valid.txt
 57 | 
 58 | rm $domain/waybackurls/valid-tmp.txt
 59 | echo -e ${PINK}"\n[+] Generating Target Based Wordlist:- "
 60 | cat $domain/waybackurls/wayback.txt | unfurl -unique paths > $domain/target_wordlist/paths.txt
 61 | cat $domain/waybackurls/wayback.txt | unfurl -unique keys > $domain/target_wordlist/param.txt
 62 | echo -e ${BLUE}"\n[+] Gf Patterns Started on Valid URLS:- "
 63 | gf xss $domain/waybackurls/valid.txt | tee $domain/gf/xss.txt
 64 | gf ssrf $domain/waybackurls/valid.txt | tee $domain/gf/ssrf.txt
 65 | gf sqli $domain/waybackurls/valid.txt | tee $domain/gf/sql.txt
 66 | gf lfi $domain/waybackurls/valid.txt | tee $domain/gf/lfi.txt
 67 | gf ssti $domain/waybackurls/valid.txt | tee $domain/gf/ssti.txt
 68 | gf aws-keys $domain/waybackurls/valid.txt | tee $domain/gf/awskeys.txt
 69 | gf redirect $domain/waybackurls/valid.txt | tee $domain/gf/redirect.txt
 70 | cat $domain/gf/redirect.txt | sed 's/\=.*/=/' | tee $domain/gf/purered.txt
 71 | gf idor $domain/waybackurls/valid.txt | tee $domain/gf/idor.txt
 72 | echo -e ${CP}"\n [+]Nuclei Scanner Started "
 73 | cat $domain/httpx.txt | nuclei -t ~/tools/nuclei-templates/cves/ -c 50 -o $domain/nuclei_scan/cves.txt
 74 | cat $domain/httpx.txt | nuclei -t ~/tools/nuclei-templates/vulnerabilities/ -c 50 -o $domain/nuclei_scan/vulnerabilities.txt
 75 | cat $domain/httpx.txt | nuclei -t ~/tools/nuclei-templates/misconfiguration/ -c 50 -o $domain/nuclei_scan/misconfiguration.txt
 76 | cat $domain/httpx.txt | nuclei -t ~/tools/nuclei-templates/technologies/ -c 50 -o $domain/nuclei_scan/tech.txt
 77 | echo -e ${ORANGE}"\n[+] Searching For Open Redirection "
 78 | cat $domain/gf/redirect.txt | qsreplace FUZZ | tee $domain/vulnerabilities/openredirect/fuzzredirect.txt
 79 | python3 ~/tools/OpenRedireX/openredirex.py -l $domain/vulnerabilities/openredirect/fuzzredirect.txt -p ~/tools/OpenRedireX/payloads.txt --keyword FUZZ | tee $domain/vulnerabilities/openredirect/confrimopenred.txt
 80 | echo -e ${GREEN}"\n[+] Searching For XSS"
 81 | cat $domain/gf/xss.txt | kxss  | tee $domain/vulnerabilities/xss_scan/kxss.txt
 82 | cat $domain/vulnerabilities/xss_scan/kxss.txt | awk '{print $9}' | sed 's/=.*/=/' | tee $domain/vulnerabilities/xss_scan/kxss1.txt
 83 | cat $domain/vulnerabilities/xss_scan/kxss1.txt | dalfox pipe | tee $domain/vulnerabilities/xss_scan/dalfoxss.txt
 84 | cat $domain/gf/xss.txt | grep "=" | qsreplace "'><sCriPt class=khan>prompt(1)</script>" | while read host do ; do curl --silent --path-as-is --insecure "$host" | grep -qs "'><sCriPt class=khan>prompt(1)" && echo "$host \033[0;31mVulnerable\n";done | tee $domain/vulnerabilities/xss_scan/vulnxss.txt
 85 | echo -e ${CG}"\n[+] Searching For SQL Injection"
 86 | sqlmap -m $domain/gf/sql.txt --batch --random-agent --level 1 | tee $domain/vulnerabilities/sqli/sqlmap.txt
 87 | sleep 1
 88 | echo -e ${BLUE}"\n[+] Searching For LFI VULN"
 89 | cat $domain/gf/lfi.txt | qsreplace FUZZ | while read url ; do ffuf -u $url -mr "root:x" -w ~/tools/lfipayloads.txt -of csv -o $domain/vulnerabilities/LFI/lfi.txt -t 50 -c  ; done
 90 | }
 91 | 
 92 | function massive_recon(){
 93 | clear
 94 | bounty_recon
 95 | echo -n -e ${BLUE2}"\n[+] Full Recon with subdomains (e.g *.example.com): "
 96 | read domain
 97 | mkdir -p $domain $domain/domain_enum $domain/final_domains $domain/takeovers $domain/vulnerabilities $domain/vulnerabilities/xss_scan $domain/vulnerabilities/sqli $domain/vulnerabilities/cors  $domain/nuclei_scan $domain/waybackurls $domain/target_wordlist $domain/gf  $domain/vulnerabilities/LFI $domain/vulnerabilities/openredirect
 98 | echo -e ${RED}"\n[+] Massive Recon Started On $d:  "
 99 | sleep 1
100 | echo -e ${CPO}"\n[+] Crt.sh Enumeration Started:- "
101 | curl -s https://crt.sh/\?q\=%25.$domain\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee $domain/domain_enum/crt.txt
102 | echo -e ${CP}"\n[+] subfinder Enumeration Started:- "
103 | subfinder -d $domain -o $domain/domain_enum/subfinder.txt
104 | echo -e ${PINK}"\n[+] Assetfinder Enumeration Started:- "
105 | assetfinder -subs-only $domain | tee $domain/domain_enum/assetfinder.txt
106 | echo -e ${ORANGE}"\n[+] Amass Enumeration Started:- "
107 | amass enum -passive -d $domain -o $domain/domain_enum/amass.txt
108 | echo -e ${CN}"\n[+] Shuffledns Enumeration Started:- "
109 | shuffledns -d $domain -w /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top50000.txt -r ~/tools/resolvers/resolver.txt -o $domain/domain_enum/shuffledns.txt
110 | echo -e ${CP}"\n[+] Collecting All Subdomains Into Single File:- "
111 | cat $domain/domain_enum/*.txt > $domain/domain_enum/all.txt
112 | echo -e ${BLUE}"\n[+] Resolving All Subdomains:- "
113 | shuffledns -d $domain -list $domain/domain_enum/all.txt -o $domain/final_domains/domains.txt -r ~/tools/resolvers/resolver.txt
114 | echo -e ${PINK}"\n[+] Checking Services On Subdomains:- "
115 | cat $domain/final_domains/domains.txt | httpx -threads 30 -o $domain/final_domains/httpx.txt
116 | echo -e ${CP}"\n[+] Searching For Subdomain TakeOver:- "
117 | subzy -hide_fails -targets $domain/domain_enum/all.txt | tee $domain/takeovers/subzy.txt
118 | subjack -w $domain/domain_enum/all.txt -t 100 -timeout 30 -o $domain/takeovers/take.txt -ssl
119 | echo -e ${GREEN}"\n[+] Searching For Cors Misconfiguration:- "
120 | python3 ~/tools/Corsy/corsy.py -i $domain/final_domains/httpx.txt -t 15 | tee $domain/vulnerabilities/cors/cors_misconfig.txt
121 | echo -e ${CP}"\n[+] Nuclei Scanner Started:- "
122 | cat $domain/final_domains/httpx.txt | nuclei -t ~/tools/nuclei-templates/cves/ -c 50 -o $domain/nuclei_scan/cves.txt
123 | cat $domain/final_domains/httpx.txt | nuclei -t ~/tools/nuclei-templates/vulnerabilities/ -c 50 -o $domain/nuclei_scan/vulnerabilities.txt
124 | cat $domain/final_domains/httpx.txt | nuclei -t ~/tools/nuclei-templates/misconfiguration/ -c 50 -o $domain/nuclei_scan/misconfiguration.txt
125 | cat $domain/final_domains/httpx.txt | nuclei -t ~/tools/nuclei-templates/technologies/ -c 50 -o $domain/nuclei_scan/tech.txt
126 | echo -e ${CPO}"\n[+] Collecting URLS:- "
127 | cat $domain/final_domains/domains.txt | gau | tee $domain/waybackurls/tmp.txt
128 | cat $domain/waybackurls/tmp.txt | egrep -v "\.woff|\.ttf|\.svg|\.eot|\.png|\.jpep|\.jpeg|\.css|\.ico|\jpg" | sed 's/:80//g;s/:443//g' | sort -u >> $domain/waybackurls/wayback.txt
129 | 
130 | rm $domain/waybackurls/tmp.txt
131 | echo -e ${CNC}"\n[+] FFUF Started On URLS:- "
132 | ffuf -c -u "FUZZ" -w $domain/waybackurls/wayback.txt -of csv -o $domain/waybackurls/valid-tmp.txt
133 | 
134 | cat $domain/waybackurls/valid-tmp.txt | grep http | awk -F "," '{print $1}'  >>  $domain/waybackurls/valid.txt
135 | 
136 | rm $domain/waybackurls/valid-tmp.txt
137 | echo -e ${PINK}"\n[+] Generating Target Based Wordlist:- "
138 | cat $domain/waybackurls/wayback.txt | unfurl -unique paths > $domain/target_wordlist/paths.txt
139 | cat $domain/waybackurls/wayback.txt | unfurl -unique keys > $domain/target_wordlist/param.txt
140 | echo -e ${BLUE}"\n[+] Gf Patterns Started on Valid URLS:- "
141 | gf xss $domain/waybackurls/valid.txt | tee $domain/gf/xss.txt
142 | gf ssrf $domain/waybackurls/valid.txt | tee $domain/gf/ssrf.txt
143 | gf sqli $domain/waybackurls/valid.txt | tee $domain/gf/sql.txt
144 | gf lfi $domain/waybackurls/valid.txt | tee $domain/gf/lfi.txt
145 | gf ssti $domain/waybackurls/valid.txt | tee $domain/gf/ssti.txt
146 | gf aws-keys $domain/waybackurls/valid.txt | tee $domain/gf/awskeys.txt
147 | gf redirect $domain/waybackurls/valid.txt | tee $domain/gf/redirect.txt
148 | cat $domain/gf/redirect.txt | sed 's/\=.*/=/' | tee $domain/gf/purered.txt
149 | gf idor $domain/waybackurls/valid.txt | tee $domain/gf/idor.txt
150 | echo -e ${ORANGE}"\n[+] Searching For Open Redirection:- "
151 | cat $domain/gf/redirect.txt | qsreplace FUZZ | tee $domain/vulnerabilities/openredirect/fuzzredirect.txt
152 | python3 ~/tools/OpenRedireX/openredirex.py -l $domain/vulnerabilities/openredirect/fuzzredirect.txt -p ~/tools/OpenRedireX/payloads.txt --keyword FUZZ | tee $domain/vulnerabilities/openredirect/confrimopenred.txt
153 | echo -e ${GREEN}"\n[+] Searching For XSS:- "
154 | cat $domain/gf/xss.txt | kxss  | tee $domain/vulnerabilities/xss_scan/kxss.txt
155 | cat $domain/vulnerabilities/xss_scan/kxss.txt | awk '{print $9}' | sed 's/=.*/=/' | tee $domain/vulnerabilities/xss_scan/kxss1.txt
156 | cat $domain/vulnerabilities/xss_scan/kxss1.txt | dalfox pipe | tee $domain/vulnerabilities/xss_scan/dalfoxss.txt
157 | cat $domain/gf/xss.txt | grep "=" | qsreplace "'><sCriPt class=khan>prompt(1)</script>" | while read host do ; do curl --silent --path-as-is --insecure "$host" | grep -qs "'><sCriPt class=khan>prompt(1)" && echo "$host \033[0;31mVulnerable\n";done | tee $domain/vulnerabilities/xss_scan/vulnxss.txt
158 | 
159 | echo -e ${CG}"\n[+] Searching For SQL Injection:- "
160 | sqlmap -m $domain/gf/sql.txt --batch --random-agent --level 1 | tee $domain/vulnerabilities/sqli/sqlmap.txt
161 | echo -e ${BLUE}"\n[+] Searching For LFI VULN:- "
162 | cat $domain/gf/lfi.txt | qsreplace FUZZ | while read url ; do ffuf -u $url -mr "root:x" -w ~/tools/lfipayloads.txt -of csv -o $domain/vulnerabilities/LFI/lfi.txt -t 50 -c  ; done
163 | }
164 | menu(){
165 | clear
166 | bounty_recon
167 | echo -e -n ${YELLOW}"\n[*] Which Type of recon u want to Perform\n "
168 | echo -e "  ${NC}[${CG}"1"${NC}]${CNC} Single Target Recon"
169 | echo -e "   ${NC}[${CG}"2"${NC}]${CNC} Full Target Recon With Subdomains "
170 | echo -e "   ${NC}[${CG}"3"${NC}]${CNC} Exit"
171 | echo -n -e ${RED}"\n[+] Select: "
172 |         read bounty_play
173 |                 if [ $bounty_play -eq 1 ]; then
174 |                         single_recon
175 |                 elif [ $bounty_play -eq 2 ]; then
176 |                         massive_recon
177 |                 elif [ $js_play -eq 3 ]; then
178 |                       exit
179 |                 fi
180 | 
181 | }
182 | menu
183 | 


--------------------------------------------------------------------------------