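# recon_profile — .bash_profile
# (README.md) This project is to help create easy aliases to run via an SSH/terminal.
# If you see anything missing, feel free to add them.
#
# Review notes on this copy:
#   * Positional parameters are now double-quoted ("$1", "$2"). In the original they were
#     unquoted, so a bucket/domain/host argument was subject to word splitting and globbing,
#     and URLs containing "?" were themselves glob patterns (crtsh, crtshdirsearch).
#   * dirsearch(): the descriptive text after "{" lacked a leading "#", so bash ran it as a
#     command ("runs ...") before invoking dirsearch.py. It is a comment now.
#   * mscan() and certnmap() are truncated in the source copy; their tails are kept verbatim
#     and flagged inline rather than reconstructed.

#----- AWS -------

s3ls(){ #lists the contents of bucket $1
    aws s3 ls "s3://$1"
}

s3cp(){ #copies local path $2 into bucket $1
    aws s3 cp "$2" "s3://$1"
}

#---- Content discovery ----
thewadl(){ #this grabs endpoints from a application.wadl and puts them in yahooapi.txt
    # $1 is the URL of the WADL document; matched resource paths are appended (tee -a).
    curl -s "$1" | grep path | sed -n "s/.*resource path=\"\(.*\)\".*/\1/p" | tee -a ~/tools/dirsearch/db/yahooapi.txt
}

#----- recon -----
crtndstry(){
    # Relative path: only resolves when the shell's working directory contains ./tools.
    ./tools/crtndstry/crtndstry "$1"
}

am(){ #runs amass passively and saves to json
    # Output files ($1.json, $1-domains.txt) are written to the current directory; tee -a appends.
    amass enum --passive -d "$1" -json "$1.json"
    jq .name "$1.json" | sed "s/\"//g"| httprobe -c 60 | tee -a "$1-domains.txt"
}

certprobe(){ #runs httprobe on all the hosts from certspotter
    # Query string is quoted instead of backslash-escaped; same URL, no glob/word-split exposure.
    curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe | tee -a ./all.txt
}

mscan(){ #runs masscan
    # NOTE(review): this line is truncated in the source copy (it ends in "744$}"); the remaining
    # options are not recoverable here and are left exactly as found. Restore the line from the
    # original file before relying on this alias. It runs under sudo.
    sudo masscan -p4443,2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,744$}
}

certspotter(){
    # Lists DNS names from certspotter for $1, strips wildcards, keeps entries containing $1.
    curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep "$1"
} #h/t Michiel Prins

crtsh(){
    # Quoting the URL matters here: unquoted, "?" made it a glob pattern for the shell.
    curl -s "https://crt.sh/?Identity=%.$1" | grep ">*.$1" | sed 's/<[/]*[TB][DR]>/\n/g' | grep -vE "<|^[\*]*[\.]*$1" | sort -u | awk 'NF'
}

certnmap(){
    # NOTE(review): the nmap argument list is truncated in the source copy (it ends in "-$") and
    # is left exactly as found; confirm the full line against the original file before use.
    curl "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep "$1" | nmap -T5 -Pn -sS -i - -$
} #h/t Jobert Abma

ipinfo(){
    # Original used plain http://, exposing the looked-up address to anyone on the path;
    # ipinfo.io serves the same endpoint over https.
    curl "https://ipinfo.io/$1"
}


#------ Tools ------
dirsearch(){ #runs dirsearch and takes host and extension as arguments
    python3 ~/tools/dirsearch/dirsearch.py -u "$1" -e "$2" -t 50 -b
}

sqlmap(){
    # The sqlmap* glob is intentional (matches a versioned checkout directory); $1 is the target URL.
    python ~/tools/sqlmap*/sqlmap.py -u "$1"
}

ncx(){ #listens on local port $1 with netcat
    # -k keeps the listener open after a client disconnects (flag support varies between nc variants).
    nc -l -n -vv -p "$1" -k
}

crtshdirsearch(){ #gets all domains from crtsh, runs httprobe and then dir bruteforcers
    # $1 = domain, $2 = extension list passed to dirsearch; only https hosts are kept.
    curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe -c 50 | grep https | xargs -n1 -I{} python3 ~/tools/dirsearch/dirsearch.py -u {} -e "$2" -t 50 -b
}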