├── LICENSE
├── README.md
└── SubScanner

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 muneebwanee

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SubScanner
An automation tool that enumerates sub-domains, checks them for sub-domain takeover and then filters out candidate xss, ssti, ssrf and other injection-point parameters.

+ **Requirements:** Go and Python 3 (the script runs Sublist3r with `python3`); Rust's `cargo` is also needed because the installer builds findomain.
+ **System requirements:** Recommended to run on a VPS with 1 vCPU and 2 GB RAM.
+ **Tools used - you must install these tools before using this script** (menu option 0 attempts to install them; the Go tools land in `$(go env GOPATH)/bin`, which must be on your `PATH`):

+ [SubFinder](https://github.com/projectdiscovery/subfinder)
+ [Sublist3r](https://github.com/aboul3la/Sublist3r)
+ [GF Patterns](https://github.com/1ndianl33t/Gf-Patterns)
+ [Get Title](https://github.com/tomnomnom/hacks/tree/master/get-title)
+ [Gau](https://github.com/lc/gau)
+ [Subzy](https://github.com/LukaSikic/subzy)
+ [Subjack](https://github.com/haccer/subjack): save the [fingerprints.json](https://github.com/haccer/subjack/blob/master/fingerprints.json) file into the `~/tools/` directory.
+ [Assetfinder](https://github.com/tomnomnom/assetfinder)
+ [HTTPX](https://github.com/projectdiscovery/httpx)
+ [Waybackurls](https://github.com/tomnomnom/waybackurls)
+ Amass (installed with `apt-get` by option 0 and used by the subdomain enumeration step)

+ **Installation**
```sh
git clone https://github.com/muneebwanee/SubScanner.git && cd SubScanner/ && chmod +x SubScanner && sudo mv SubScanner /usr/local/bin/
```

+ **Usage**
```sh
SubScanner -d target.com -f filename
```
`filename` is created as a directory under the current working directory and is also the prefix of every output file written into it (for example `filename/filename-alive.txt`).

### About SubScanner
I made this tool to automate my recon and save time. It was a headache to type each command by hand, wait for it to finish and then type the next one, so I collected some of the tools widely used in bug bounty work into one script: assetfinder, Sublist3r, subfinder, amass, httpx, get-title, subjack, subzy, waybackurls, gau and gf patterns.

The script first enumerates the subdomains of the given target domain with assetfinder, Sublist3r, subfinder and amass, merges the results and drops wildcard entries, then uses httpx to keep only the hosts that respond. It extracts the page titles of the live hosts with get-title and checks the full subdomain list for subdomain takeover with subjack and subzy. It then collects historical URLs for the subdomains from waybackurls and gau and runs gf patterns over them to filter out candidate xss, ssrf, ssti, redirect, sqli, lfi and rce parameters. Each stage writes a text file named after the `-f` argument, for example `filename-xss.txt`. The takeover and gf results are fingerprint and parameter-name matches, so treat them as leads to verify by hand rather than confirmed vulnerabilities. Run the Subdomain Enumeration option before any other option, and Waybackurls or Gau before Gf Patterns, because each stage reads the previous stage's output file.
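As an added example that is not part of SubScanner: a shell function for the merge-and-filter step described above, with stricter hygiene than the script's own `grep -v`/`sed` chain. Besides removing `*`, `@` and `_` entries it lower-cases, strips a leading `*.` and a trailing `.`, and keeps only hosts that actually sit under the target domain, which matters because assetfinder and Sublist3r can return hosts that merely mention the target. The input list below is constructed for the demonstration and `merge_subdomains` is a name chosen here, not a SubScanner function.

```shell
#!/bin/bash
# Added example, not part of SubScanner: merge raw subdomain-tool output into a
# clean, in-scope host list before it goes to httpx, subjack and subzy.

# merge_subdomains DOMAIN  < raw-hosts  > clean-hosts
merge_subdomains() {
    local domain esc
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots for the ERE below
    tr 'A-Z' 'a-z' \
        | sed -e 's/[[:space:]]//g' -e 's/^\*\.//' -e 's/\.$//' \
        | grep -v -e '@' -e '_' -e '\*' \
        | grep -E "^([a-z0-9-]+\.)*${esc}$" \
        | sort -u
}

# Constructed sample in the shape the enumeration tools emit (not real output):
# mixed case, a wildcard, a trailing dot, a DNS record name, an e-mail address,
# look-alike domains and an out-of-scope host that embeds the target.
SAMPLE_HOSTS='www.Target.com
*.dev.target.com
api.target.com.
_dmarc.target.com
admin@target.com
nottarget.com
evil-target.com
cdn.target.com.evil.net
api.target.com
mail.TARGET.com'

printf '%s\n' "$SAMPLE_HOSTS" | merge_subdomains target.com
```

Used in place of the `grep -v ... | sort -u` stage of `run_subenum`, the four tool outputs are simply piped through `merge_subdomains "$domain"`; the sample above yields only `api`, `dev`, `mail` and `www` under `target.com`.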

![forthebadge](https://forthebadge.com/images/badges/open-source.svg)
![forthebadge](https://forthebadge.com/images/badges/built-with-love.svg)

#### Thanks to the authors of the tools used in this script.
[@muneebwanee](https://github.com/muneebwanee) [@thedeepnet](https://github.com/thedeepnet)

**Warning:** This code was originally created for personal use; it generates a substantial amount of traffic, so use it with caution.

--------------------------------------------------------------------------------
/SubScanner:
--------------------------------------------------------------------------------
#!/bin/bash
#coded by muneebwanee

# Fail early when there is no network: every stage of the script talks to the internet.
if ! wget -q --spider http://google.com; then
    echo "Connect to internet before running this tool!"
    exit 1
fi

domain=
file=

while getopts ":d:f:" o; do
    case "${o}" in
        d) domain=${OPTARG} ;;
        f) file=${OPTARG} ;;
        *) echo "Usage : SubScanner -d target.com -f filename"; exit 1 ;;
    esac
done

if [ -z "$domain" ]; then
    echo "Target domain not supplied"
    echo "Usage : SubScanner -d target.com -f filename"
    exit 1
fi

if [ -z "$file" ]; then
    echo "Output filename not supplied"
    echo "Usage : SubScanner -d target.com -f filename"
    exit 1
fi

# "$file" is both the output directory (created under the current directory)
# and the prefix of every output file written into it.
if [ ! -d "$file" ]; then
    mkdir -p "$file"
fi
cd "$file"/ || exit 1

show_menus() {
    clear
    # Banner. In the extracted original these lines were not quoted, so bash would
    # have tried to run them as commands; a quoted here-document just prints them.
    cat <<'EOF'
__¶_____________________________________________¶
__¶¶___________________________________________¶¶
__¶¶¶¶________________________________________¶¶¶
__¶¶_¶¶_____________________________________¶¶_¶¶
__¶¶__¶¶___________________________________¶¶__¶¶
__¶¶_¶_¶¶_________________________________¶¶_¶_¶¶
__¶¶__¶__¶_______________________________¶¶_¶__¶¶
__¶¶___¶__¶¶____________________________¶__¶___¶¶
___¶¶___¶¶_¶¶_________________________¶¶__¶___¶¶
____¶¶___¶¶_¶¶_______________________¶¶_¶¶___¶¶¶
_____¶¶___¶¶__¶_____________________¶¶_¶¶____¶¶
______¶¶___¶¶__¶¶__________________¶__¶¶___¶¶¶
_______¶¶____¶¶_¶¶_______________¶¶_¶¶¶____¶¶
________¶¶____¶¶_¶¶_____________¶¶_¶¶____¶¶¶
_________¶¶____¶¶__¶¶__________¶__¶¶____¶¶¶
__________¶¶_____¶¶_¶¶_______¶¶__¶¶____¶¶
___________¶¶_____¶¶_¶¶_____¶¶_¶¶_____¶¶
_____________¶¶____¶¶__¶¶__¶__¶¶____¶¶¶
______________¶¶¶____¶¶_¶¶¶_¶¶¶___¶¶¶
________________¶¶¶___¶¶__¶¶¶___¶¶¶¶
__________________¶¶¶___¶¶_¶¶__¶¶¶
____________________¶¶¶__¶¶_¶¶¶¶
____________________¶_¶¶¶__¶¶_¶¶___¶¶¶¶¶¶
_________¶¶¶¶¶¶¶¶_¶¶_¶¶_¶¶__¶¶_¶¶¶¶¶¶¶¶_¶¶
________¶¶_¶¶¶¶¶¶¶¶_¶¶_¶¶¶¶¶__¶¶¶¶¶¶__¶¶_¶¶
________¶¶¶¶___¶¶¶¶¶__¶¶___¶¶¶¶¶¶¶¶¶¶__¶¶¶¶
_____________¶¶¶¶¶¶¶¶¶_______¶¶¶¶¶_¶¶¶
___________¶¶¶_¶_¶¶¶¶¶______¶¶¶_¶¶¶_¶¶¶¶
__________¶¶¶_¶_¶¶__¶¶¶_____¶¶¶__¶¶¶__¶¶¶
_________¶¶_¶¶_¶¶__¶¶_¶_____¶_¶¶__¶¶_¶_¶¶¶
_______¶¶¶_¶_¶¶¶__¶¶_¶¶_____¶¶_¶___¶¶_¶¶_¶¶¶
______¶¶_¶¶_¶¶¶____¶¶¶_______¶¶¶_____¶¶_¶_¶¶¶¶
_¶¶¶¶¶¶_¶_¶¶¶_________________________¶¶_¶¶_¶¶¶¶¶¶
¶¶____¶¶_¶¶¶____________________________¶¶_¶¶____¶
¶¶_____¶¶¶¶______________________________¶¶_____¶¶
_¶¶¶____¶¶_______________________________¶____¶¶¶
__¶¶¶¶__¶¶_______________________________¶¶¶¶¶¶¶
____¶¶¶¶¶_________________________________¶¶¶


█▀ █░█ █▄▄ █▀ █▀▀ ▄▀█ █▄░█ █▄░█ █▀▀ █▀█
▄█ █▄█ █▄█ ▄█ █▄▄ █▀█ █░▀█ █░▀█ ██▄ █▀▄
EOF
    echo -e "${NORMAL}${BOLD}\n coded by ${GREEN} muneebwanee${NORMAL}${BOLD} with ${RED}<3"

    sleep 1
    echo -e "${NORMAL}${BOLD}\n Target:${NORMAL}${GREEN} $domain ${NORMAL}"
    echo -e "${BOLD} Output:${NORMAL}${GREEN} $file ${NORMAL} \n "
    echo -e "${BOLD}${RED} Warning:${NORMAL} You must run Subdomain Enumeration before using any other option. ${NORMAL} \n "
    echo " 0. Install all the tools"
    echo " 1. Subdomain Enumeration"
    echo " 2. Get Titles"
    echo " 3. Subdomain Takeover"
    echo " 4. Waybackurls"
    echo " 5. Gau"
    echo " 6. Gf Patterns (run Waybackurls or Gau before using GF)"
    echo " 7. Full scan"
    echo -e " 8. Exit \n"
}

read_option(){
    local choice
    read -p " Enter choice [ 0 - 8 ] " choice
    case $choice in
        0) install_tools ;;
        1) run_subenum ;;
        2) run_gettitle ;;
        3) run_subtake ;;
        4) run_wayback ;;
        5) run_gau ;;
        6) run_gf ;;
        7) run_all ;;
        8) exit 0 ;;
        *) echo -e "${RED} Error...${NORMAL}"; sleep 2; return ;;
    esac
    # One pause after whichever action ran, so run_all can chain the steps without
    # stopping after each one.
    pause
}

pause(){
    read -p " Press [Enter] key to continue..." fackEnterKey
}

load_colors() {
    RED="\e[31m"
    BOLD="\e[1m"
    NORMAL="\e[0m"
    GREEN="\e[92m"
    YELLOW="\e[93m"
}

install_tools() {
    # Everything is checked out under $HOME/tools; the Go binaries land in
    # $(go env GOPATH)/bin, which must be on PATH. The original used "go get -u"
    # to install binaries, which Go 1.18+ rejects, so "go install ...@latest" is used.
    mkdir -p "$HOME/tools" ~/.gf
    git clone https://github.com/aboul3la/Sublist3r.git "$HOME/tools/Sublist3r" &> /dev/null
    sudo pip3 install -r "$HOME/tools/Sublist3r/requirements.txt" &> /dev/null
    echo "alias sublister='python3 $HOME/tools/Sublist3r/sublist3r.py'" >> ~/.bashrc
    # subjack's fingerprint file; the original passed the directory to wget as a
    # second URL instead of an output path.
    wget -q https://raw.githubusercontent.com/haccer/subjack/master/fingerprints.json -O "$HOME/tools/fingerprints.json"
    # findomain is built (needs cargo) but no menu option calls it. The build runs
    # in a subshell so the script's working directory (the output directory) is kept.
    git clone https://github.com/Edu4rdSHL/findomain.git "$HOME/tools/findomain" &> /dev/null
    (cd "$HOME/tools/findomain" && cargo build --release && sudo cp target/release/findomain /usr/bin/)
    sudo rm -r "$HOME/tools/findomain"
    sudo apt-get install -y amass &> /dev/null
    go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest &> /dev/null
    go install github.com/tomnomnom/waybackurls@latest &> /dev/null
    go install github.com/tomnomnom/gf@latest &> /dev/null
    # gf's example patterns and shell completion come from its source tree; the
    # patterns must sit directly in ~/.gf as *.json, not in a subdirectory.
    git clone https://github.com/tomnomnom/gf.git "$HOME/tools/gf" &> /dev/null
    cp -r "$HOME/tools/gf/examples/." ~/.gf
    echo "source $HOME/tools/gf/gf-completion.bash" >> ~/.bashrc
    git clone https://github.com/1ndianl33t/Gf-Patterns "$HOME/tools/Gf-Patterns" &> /dev/null
    mv "$HOME/tools/Gf-Patterns"/*.json ~/.gf
    go install github.com/lc/gau/v2/cmd/gau@latest &> /dev/null
    go install -v github.com/LukaSikic/subzy@latest &> /dev/null
    go install github.com/haccer/subjack@latest &> /dev/null
    go install github.com/tomnomnom/assetfinder@latest &> /dev/null
    go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest &> /dev/null
    echo -e "${YELLOW} Finished installing tools ${NORMAL}\n"
}

run_subenum() {
    assetfinder --subs-only "$domain" | sort -u > "$file-assetfinder.txt"
    python3 ~/tools/Sublist3r/sublist3r.py -d "$domain" -o "$file-sublister.txt" &> /dev/null
    subfinder -silent -d "$domain" -o "$file-subfinder.txt" > /dev/null
    amass enum -passive -norecursive -noalts -d "$domain" -o "$file-amass.txt" &> /dev/null
    # Merge the four lists and drop wildcard (*), e-mail-like (@) and underscore
    # entries. The extracted original had one more sed stage whose pattern was lost.
    cat "$file-sublister.txt" "$file-assetfinder.txt" "$file-subfinder.txt" "$file-amass.txt" \
        | grep -v -e '\*' -e '@' -e '_' | sort -u > "$file-finalsubdomains.txt"
    # httpx probes every host and prints only the URLs that answer
    httpx -silent < "$file-finalsubdomains.txt" > "$file-alive.txt"
    echo -e "${YELLOW} Done. ${NORMAL}\n"
}

run_gettitle() {
    get-title < "$file-alive.txt" > "$file-gettitle.txt"
    echo -e "${YELLOW} Done. ${NORMAL}\n"
}

run_subtake() {
    # Both tools report CNAME/fingerprint matches; every hit is a candidate that
    # still has to be verified by hand before it is called a takeover.
    subjack -w "$file-finalsubdomains.txt" -t 20 -ssl -c ~/tools/fingerprints.json -o "$file-subjack.txt"
    # These are the flags of the subzy release the script was written against;
    # newer releases moved to a "subzy run --targets ..." style.
    subzy -targets "$file-finalsubdomains.txt" -hide_fails --verify_ssl -concurrency 20 | sort -u > "$file-subzy.txt"
    echo -e "${YELLOW} Done. ${NORMAL}\n"
}

run_wayback() {
    waybackurls < "$file-finalsubdomains.txt" > "$file-params.txt"
    echo -e "${YELLOW} Done. ${NORMAL}\n"
}

run_gau() {
    gau < "$file-finalsubdomains.txt" >> "$file-params.txt"
    echo -e "${YELLOW} Done. ${NORMAL}\n"
}

run_gf() {
    # gf matches parameter names against ~/.gf/<pattern>.json; the output is a
    # list of candidate injection points, not confirmed findings.
    for pattern in xss ssrf ssti redirect sqli lfi rce; do
        gf "$pattern" < "$file-params.txt" > "$file-$pattern.txt"
    done
    echo -e "${YELLOW} Done. ${NORMAL}\n"
}

run_all () {
    # The original repeated the commands of the functions above inline (without
    # the amass step); chaining the functions keeps the two code paths identical.
    run_subenum
    run_gettitle
    run_subtake
    run_wayback
    run_gau
    run_gf
}

# Ctrl-C, Ctrl-\ and Ctrl-Z are ignored; leave through menu option 8.
trap '' SIGINT SIGQUIT SIGTSTP

while true
do
    load_colors
    show_menus
    read_option
done
--------------------------------------------------------------------------------
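As an added example, not part of the SubScanner script: the Waybackurls and Gau steps feed raw archive URLs straight into gf, and archives typically hold the same endpoint with thousands of different parameter values. The function below keeps one URL per signature of everything before `?` plus the sorted parameter names, which is the granularity gf matches on, so `filename-xss.txt` and the other gf outputs shrink without losing an injection point. The sample URLs are constructed and `dedupe_param_urls` is a name chosen here, not a SubScanner function.

```shell
#!/bin/bash
# Added example, not part of SubScanner: keep one URL per endpoint + parameter-name set.

# dedupe_param_urls: reads URLs on stdin, writes the first URL seen for each
# (everything before '?', sorted parameter names) signature.
dedupe_param_urls() {
    local url base query keys sig
    local seen="|"          # "|sig|sig|..." of signatures already emitted
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        base=${url%%\?*}                    # scheme://host/path
        if [ "$base" = "$url" ]; then       # no query string at all
            query=""
        else
            query=${url#*\?}
            query=${query%%#*}              # drop a fragment, if any
        fi
        # parameter names only, sorted, so ?b=1&a=2 and ?a=9&b=8 collapse together
        keys=$(printf '%s' "$query" | tr '&' '\n' | cut -d= -f1 | sed '/^$/d' | sort -u | tr '\n' ',')
        sig="$base?$keys"
        case "$seen" in
            *"|$sig|"*) continue ;;         # signature already emitted
        esac
        seen="$seen$sig|"
        printf '%s\n' "$url"
    done
}

# Constructed sample in the shape waybackurls/gau emit (not real archive data):
# the same search endpoint with varying values and parameter order, a static
# file listed twice, and two redirect-style URLs with different parameter names.
SAMPLE_URLS='https://app.target.com/search?q=1
https://app.target.com/search?q=2
https://app.target.com/search?q=3&page=2
https://app.target.com/search?page=9&q=x
https://app.target.com/static/app.js
https://app.target.com/static/app.js
https://app.target.com/redirect?url=http://a
https://app.target.com/redirect?next=/home#top'

printf '%s\n' "$SAMPLE_URLS" | dedupe_param_urls
```

Inserted between the URL collection and gf (`dedupe_param_urls < "$file-params.txt" > "$file-params.dedup.txt"`), the eight sample lines collapse to five: one `search?q`, one `search?page,q`, the static file once, and both redirect variants, since `url` and `next` are different parameter names.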