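#!/usr/bin/env bash
#
# discover.sh — asset reconnaissance wrapper that chains knockknock, amass,
# assetfinder, subfinder, dnsx, httpx, goverview, curl/jq and whois.
#
# Usage:   discover.sh domain.com
# Env:     AMASS_CONFIG    amass config file            (default: /root/config.ini)
#          WHOIS_PARALLEL  parallel curl workers for the networktools.nl
#                          whois lookups                 (default: 1500)
# Outputs: ./output/<domain>.*  — intermediate .txt files are removed at the
#          end, the *.log files are the results that get summarised.
#
# Network touched besides the domain's own DNS/HTTP: dns.bufferover.run,
# networktools.nl, whois.cymru.com, whois.radb.net, hunter.io.
#
# The previous shebang was "#!/bin/bash -i" (interactive mode); the option was
# lost when run as "bash discover.sh" anyway and only enabled job control noise.
set -uo pipefail

readonly RED=$'\e[31m' GREEN=$'\e[32m' BRIGHT=$'\e[01;91m' RST=$'\e[0m'
readonly OUT=./output
AMASS_CONFIG=${AMASS_CONFIG:-/root/config.ini}
WHOIS_PARALLEL=${WHOIS_PARALLEL:-1500}

#######################################
# Print the author banner (a blank line followed by the handle).
#######################################
banner() {
  printf '\n@nullenc0de\n'
}

#######################################
# Print usage and exit 1.  Formerly named "kill", which shadowed the
# shell builtin of the same name.
#######################################
usage() {
  banner
  printf 'ASSET RECONNAISSANCE TOOL\n' >&2
  printf 'USAGE: %s domain.com\n' "${0##*/}" >&2
  exit 1
}

#######################################
# Stage header: "RUNNING [NAME]" with the name in red.
# Arguments: $1 - stage name
#######################################
stage() {
  printf '\nRUNNING %s[%s]%s\n' "$RED" "$1" "$RST"
}

#######################################
# Stage footer: "<TEXT> FINISH" with FINISH in green.
# Arguments: $1 - leading text
#######################################
finish() {
  printf '%s %sFINISH%s\n' "$1" "$GREEN" "$RST"
}

#######################################
# Number of lines in a file, "0" when the file is missing (a tool that
# failed to run leaves no file behind).  Whitespace is stripped because
# some wc implementations pad the count.
# Arguments: $1 - file path
# Outputs:   the count on stdout, no newline
#######################################
count_lines() {
  local n=0
  if [[ -f "$1" ]]; then
    n=$(wc -l < "$1")
  fi
  printf '%s' "${n// /}"
}

#######################################
# TRUE/FALSE depending on whether PATTERN (basic regex, as before) occurs
# in FILE.  A missing file counts as FALSE.
# Arguments: $1 - grep pattern; $2 - file path
#######################################
has_match() {
  if grep -q -- "$1" "$2" 2> /dev/null; then
    printf 'TRUE'
  else
    printf 'FALSE'
  fi
}

#######################################
# Search key used to pick the organisation's own records out of whois
# output: the last four characters of the domain's first label, e.g.
# "example.com" -> "mple".  Labels shorter than four characters are
# returned whole, matching the old "rev | cut -c1-4 | rev" pipeline.
# Arguments: $1 - domain
# Outputs:   the key on stdout, no newline
#######################################
domain_key() {
  local label=${1%%.*}
  if (( ${#label} > 4 )); then
    printf '%s' "${label: -4}"
  else
    printf '%s' "$label"
  fi
}

#######################################
# Accept only hostname-shaped input: alphanumeric/hyphen labels joined by
# dots.  The argument is spliced into file names under ./output and into
# URLs and whois queries, so anything else (spaces, "../", shell
# metacharacters) is rejected up front.
# Arguments: $1 - candidate domain
# Returns:   0 when valid, 1 otherwise
#######################################
valid_domain() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9-]*(\.[A-Za-z0-9][A-Za-z0-9-]*)+$ ]]
}

#######################################
# Run the whole pipeline for one domain.
# Globals:   OUT, AMASS_CONFIG, WHOIS_PARALLEL, colour constants
# Arguments: $1 - domain (already validated by main)
# Outputs:   progress on stdout; result files under $OUT
#######################################
recon() {
  local d=$1
  local key
  key=$(domain_key "$d")

  banner
  printf '%s[STARTING]%s\n' "$RED" "$RST"

  ## SUB DOMAIN DISCOVERY
  mkdir -p -- "$OUT"

  ## LAUNCH REVERSEWHOIS
  stage "KNOCKKNOCK"
  knockknock -n "$d" -p | grep -v "\[" | tee "$OUT/$d.reversewhois.log"
  printf 'FOUND HORIZONTAL DOMAINS [%s]\n' "$(count_lines "$OUT/$d.reversewhois.log")"
  finish "RUNNING REVERSEWHOIS"

  ## LAUNCH AMASS
  # The stage label says ACTIVE but the enumeration has always been -passive;
  # the label is kept for continuity with earlier runs/logs.
  stage "AMASS ACTIVE"
  amass enum -config "$AMASS_CONFIG" -passive -d "$d" -o "$OUT/$d.amassactive.txt"
  printf 'FOUND SUBDOMAINS [%s]\n' "$(count_lines "$OUT/$d.amassactive.txt")"
  finish "RUNNING AMASS"

  ## LAUNCH ASSETFINDER
  stage "ASSETFINDER"
  assetfinder -subs-only "$d" > "$OUT/$d.assetfinder.txt"
  printf 'FOUND SUBDOMAINS [%s]\n' "$(count_lines "$OUT/$d.assetfinder.txt")"
  finish "RUNNING ASSETFINDER"

  ## LAUNCH DNSBUFFER
  stage "DNSBUFFEROVER"
  curl -s "https://dns.bufferover.run/dns?q=.$d" \
    | jq -r '.FDNS_A[]' | cut -d',' -f2 > "$OUT/$d.dnsbuffer.txt"
  printf 'FOUND SUBDOMAINS [%s]\n' "$(count_lines "$OUT/$d.dnsbuffer.txt")"
  finish "RUNNING DNSBUFFER"

  ## LAUNCH SUBFINDER
  stage "SUBFINDER"
  subfinder -d "$d" -o "$OUT/$d.subfinder.txt"
  printf 'FOUND SUBDOMAINS [%s]\n' "$(count_lines "$OUT/$d.subfinder.txt")"
  finish "RUNNING SUBFINDER"

  ## REMOVING DUPLICATES
  # The four discovery outputs are listed explicitly instead of globbing
  # "$d.*.txt": the glob also picked up leftovers of an aborted previous run
  # (alldomains/domain_ips/subnets/asn .txt files) and the output file itself.
  stage "REMOVING DUPLICATES"
  local -a inputs=()
  local src
  for src in "$OUT/$d.amassactive.txt" "$OUT/$d.assetfinder.txt" \
             "$OUT/$d.dnsbuffer.txt" "$OUT/$d.subfinder.txt"; do
    [[ -f "$src" ]] && inputs+=("$src")
  done
  if (( ${#inputs[@]} > 0 )); then
    sort -u -- "${inputs[@]}" > "$OUT/$d.alldomains.txt"
  else
    : > "$OUT/$d.alldomains.txt"
  fi
  finish "REMOVING DUPLICATES"

  ## LAUNCH LIVEHOSTS
  stage "FILTERING THE BAD ONES"
  dnsx < "$OUT/$d.alldomains.txt" > "$OUT/$d.live_subdomains_wild.log"
  httpx < "$OUT/$d.live_subdomains_wild.log" \
    | goverview probe -N -c 500 \
    | sort -u -t';' -k2,14 | cut -d ';' -f1 > "$OUT/$d.httpx.log"
  httpx -silent -tech-detect -title < "$OUT/$d.httpx.log" > "$OUT/$d.httpx_tech.log"
  # -wd filters wildcard answers for the domain
  dnsx -wd "$d" < "$OUT/$d.live_subdomains_wild.log" > "$OUT/$d.live_subdomains.log"
  rm -f -- "$OUT/$d.live_subdomains_wild.log" "$OUT/$d.alldomains.txt" \
           "$OUT/$d.subfinder.txt" "$OUT/$d.dnsbuffer.txt" \
           "$OUT/$d.assetfinder.txt" "$OUT/$d.amassactive.txt"

  printf 'TOTAL GOOD SUBDOMAINS [%s]\n' "$(count_lines "$OUT/$d.live_subdomains.log")"
  finish "FILTERING THE BAD ONES"

  ## RESOLVE TO IPS
  stage "RESOLVING SUBS TO IP ADDRESSES"
  dnsx -silent -a -resp-only < "$OUT/$d.live_subdomains.log" \
    | sort -u > "$OUT/$d.domain_ips.txt"
  finish "RESOLVING SUBS TO IP ADDRESSES"

  printf ' \n'
  printf 'NEED TO LOOK UP [%s] ADDRESSES FOR ASSIGNED SUBNETS\n' \
    "$(count_lines "$OUT/$d.domain_ips.txt")"

  stage "FINDING REGISTERED SUBNETS"
  # One HTTP whois lookup per IP; -I% substitutes the IP into the URL (the old
  # command had an undefined "$url" in front of the "%", which expanded to
  # nothing).  -B 6 keeps the CIDR line that precedes a matching org line.
  xargs -P "$WHOIS_PARALLEL" -I% curl -s "http://networktools.nl/whois/%" \
      < "$OUT/$d.domain_ips.txt" \
    | grep -i -B 6 -F -- "$key" | grep CIDR | cut -d : -f2 | tr , '\n' \
    | awk '{$1=$1};1' | sort -u > "$OUT/$d.subnets.txt"
  finish "FINDING REGISTERED SUBNETS"
  rm -f -- "$OUT/$d.domain_ips.txt"

  stage "FINDING OWNED ASN SUBNETS"
  dnsx -silent -cname -resp < "$OUT/$d.live_subdomains.log" \
    | sort -u > "$OUT/$d.cloudhost.log"
  # Team Cymru expects the leading space in " -v <prefix>".
  local ip
  while IFS= read -r ip; do
    whois -h whois.cymru.com " -v $ip" \
      | grep -i -F -- "$key" | cut -d '|' -f2 | awk '{$1=$1};1'
  done < "$OUT/$d.subnets.txt" > "$OUT/$d.asn.txt"
  local asn origin
  while IFS= read -r asn; do
    origin=$(whois -h whois.radb.net "$asn" | grep origin: | cut -d ' ' -f 6 | head -1)
    # Skip entries with no origin instead of running "-T route" with no argument.
    [[ -n "$origin" ]] || continue
    whois -h whois.radb.net -i origin -T route "$origin" \
      | grep -w "route:" | awk '{print $NF}'
  done < "$OUT/$d.asn.txt" | sort -n >> "$OUT/$d.subnets.txt"
  sort -u -- "$OUT/$d.subnets.txt" > "$OUT/$d.live_subnets.log"
  rm -f -- "$OUT/$d.subnets.txt" "$OUT/$d.asn.txt"
  finish "FINDING OWNED ASN SUBNETS"
  printf ' \n'

  ## SUMMARY
  # Single-quoted '$1' used to reach hunter.io literally; the domain is now
  # expanded.  The result still only reflects httpx's exit status — presumably
  # 0 whether or not the string matched; TODO confirm against httpx.
  local phish=FALSE
  if printf '%s\n' "https://hunter.io/try/search/$d" \
      | httpx -silent -match-string 'All the email addresses found for the domain name' > /dev/null; then
    phish=TRUE
  fi
  printf '%s \n' "$BRIGHT"
  printf 'FOUND [%s] HORIZONTAL DOMAINS in %s. \n' \
    "$(count_lines "$OUT/$d.reversewhois.log")" "$OUT/$d.reversewhois.log"
  printf 'FOUND [%s] SUBNETS IN %s. \n' \
    "$(count_lines "$OUT/$d.live_subnets.log")" "$OUT/$d.live_subnets.log"
  printf 'FOUND [%s] CLOUD HOSTED DOMAINS in %s. \n' \
    "$(count_lines "$OUT/$d.cloudhost.log")" "$OUT/$d.cloudhost.log"
  printf 'FOUND [%s] SUBDOMAINS in %s. \n' \
    "$(count_lines "$OUT/$d.live_subdomains.log")" "$OUT/$d.live_subdomains.log"
  printf 'FOUND [%s] WEB APPS in %s. \n' \
    "$(count_lines "$OUT/$d.httpx.log")" "$OUT/$d.httpx.log"
  printf 'FOUND MSFT AD, [%s]. \n' "$(has_match "outlook.com" "$OUT/$d.cloudhost.log")"
  printf 'FOUND Amazon Cloud, [%s]. \n' "$(has_match "amazonaws.com" "$OUT/$d.cloudhost.log")"
  # The Azure check redirected to the relative path "dev/null", which failed
  # and made this always print FALSE.
  printf 'FOUND MSFT Azure Cloud, [%s]. \n' "$(has_match "azure" "$OUT/$d.cloudhost.log")"
  printf 'FOUND Phishing addresses, [%s]. %s\n' "$phish" "$RST"
  find "$OUT" -size 0 -delete 2> /dev/null
  printf ' \n'
  printf '%s[FINISHED. HACK SAFELY]%s\n' "$RED" "$RST"
}

#######################################
# Entry point: require and validate the domain argument, then run recon.
# Arguments: $1 - domain
#######################################
main() {
  local domain=${1-}
  if [[ -z "$domain" ]]; then
    usage
  fi
  if ! valid_domain "$domain"; then
    printf 'invalid domain: %s\n' "$domain" >&2
    usage
  fi
  recon "$domain"
}

main "$@"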