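├── .github
│   ├── dependabot.yml
│   └── workflows
│       └── semgrep.yml
├── .gitignore
├── Dockerfile
├── README.md
├── docker-compose.yml
├── lazyrecon.sh
├── lazyrecon_results
│   └── .gitignore
├── recon.gif
├── report.gif
├── run.bat
└── run.sh

/.github/dependabot.yml:
--------------------------------------------------------------------------------
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
#
# NOTE(review): only the Dockerfile base images are tracked here; the actions
# referenced in .github/workflows/semgrep.yml are not covered by this config.

version: 2
updates:
  - package-ecosystem: "docker" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
--------------------------------------------------------------------------------
/.github/workflows/semgrep.yml:
--------------------------------------------------------------------------------
on:
  pull_request: {}
  push:
    branches:
      - main
      - master
    # The paths filter means a push to main/master only triggers a scan when this
    # workflow file itself changes; pushes touching lazyrecon.sh or the
    # Dockerfile are covered by the pull_request trigger and the daily cron.
    paths:
      - .github/workflows/semgrep.yml
  schedule:
    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
    - cron: 26 8 * * *
name: Semgrep
jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-20.04
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    container:
      # Floating tag: the scanner image (which receives the token above) is not
      # pinned, so the code that runs here can change between builds.
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v3
      - run: semgrep ci
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.vscode/*
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM golang:1.13.1-buster AS build
# Every fetch ends in "; exit 0", so a failing "go get" does not stop the build.
# A missing binary is therefore only noticed at the COPY --from=build steps in
# the final stage below.
RUN go get github.com/michenriksen/aquatone; exit 0
RUN go get -u github.com/tomnomnom/httprobe; exit 0
RUN go get github.com/tomnomnom/waybackurls; exit 0
RUN go get github.com/OWASP/Amass; exit 0
RUN go get -u github.com/tomnomnom/unfurl; exit 0
ENV GO111MODULE on
WORKDIR /go/src/github.com/OWASP/Amass
RUN go install ./...

# NOTE(review): ubuntu:18.04 and golang:1.13 are past their support windows; the
# python2 pip/dnspython packages installed below are what tie the image to 18.04.
FROM ubuntu:18.04
LABEL maintainer soaringswine
ENV HOME="/home/lazyrecon_user"
ENV TOOLS="$HOME/tools"
ENV TERM="xterm-256color"
ENV LC_ALL="en_US.UTF-8"
ENV LANG="en_US.UTF-8"
ENV LANGUAGE="en_US.UTF-8"
# Build and runtime dependencies for the tools cloned further down
# (duplicate libcurl4-openssl-dev / libssl-dev entries removed).
# The apt list cache is removed explicitly: the previous
# "rm -rf /var/lib/{apt,dpkg,cache,log}/" relied on brace expansion, which
# /bin/sh (dash, the RUN shell) does not perform, so it removed nothing.
# "ulimit -n" only applies to this build shell and does not carry into the image.
RUN set -x \
    && apt-get -y update \
    && apt-get install -y --no-install-recommends --no-install-suggests \
    libcurl4-openssl-dev \
    libssl-dev \
    jq \
    ruby-full \
    libxml2 \
    libxml2-dev \
    libxslt1-dev \
    ruby-dev \
    build-essential \
    libgmp-dev \
    zlib1g-dev \
    libffi-dev \
    python-dev \
    python-setuptools \
    libldns-dev \
    python3-pip \
    python-pip \
    python-dnspython \
    git \
    rename \
    nmap \
    wget \
    curl \
    chromium-browser \
    locales \
    dnsutils \
    && apt-get clean autoclean \
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/* \
    && ulimit -n 2048 \
    && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
RUN set -x \
    && addgroup --gid 1000 lazyrecon_user \
    && adduser --uid 1000 --ingroup lazyrecon_user --home /home/lazyrecon_user --shell /bin/bash --disabled-password --gecos "" lazyrecon_user
WORKDIR $TOOLS
# Tool sources are cloned from their default branches (no tag or commit pin),
# so two builds are not guaranteed to contain the same tool code.
RUN set -x \
    && git clone https://github.com/aboul3la/Sublist3r.git \
    && git clone https://github.com/maurosoria/dirsearch.git \
    && git clone https://github.com/blechschmidt/massdns.git \
    && git clone https://github.com/gnebbia/pdlist \
    && pip3 install dnsgen
WORKDIR $TOOLS/lazyrecon
# Take lazyrecon.sh from the build context (the README builds from the cloned
# repository root) instead of re-downloading whatever is on the master branch at
# build time, so the image runs the script revision that was actually checked out.
COPY lazyrecon.sh ./lazyrecon.sh
WORKDIR $TOOLS/Sublist3r
RUN set -x \
    && pip install -r requirements.txt
WORKDIR $TOOLS/massdns
RUN set -x \
    && make
WORKDIR $TOOLS/pdlist
RUN set -x \
    && pip3 install -r requirements.txt \
    && python3 setup.py install
WORKDIR $TOOLS/SecLists/Discovery/DNS/
# The last 14 lines of the upstream wordlist are dropped to produce clean-jhaddix-dns.txt.
RUN set -x \
    && wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/dns-Jhaddix.txt \
    && head -n -14 dns-Jhaddix.txt > clean-jhaddix-dns.txt
COPY --from=build /go/bin/amass /bin/amass
COPY --from=build /go/bin/aquatone /bin/aquatone
COPY --from=build /go/bin/httprobe /bin/httprobe
COPY --from=build /go/bin/waybackurls /bin/waybackurls
COPY --from=build /go/bin/unfurl /bin/unfurl
# Change home directory ownership and fix TLDextract caching permission error.
# The python3.6 path is specific to the 18.04 base image.
RUN set -x \
    && chown -R lazyrecon_user:lazyrecon_user $HOME \
    && chown -R lazyrecon_user:lazyrecon_user /usr/local/lib/python3.6/dist-packages/tldextract/
# Using fixuid to fix bind mount permission issues.
# NOTE(review): the fixuid binary is taken from a release tarball and installed
# setuid-root (chmod 4755) without verifying a checksum or signature. Verify the
# archive digest (e.g. `sha256sum -c` against <FIXUID_SHA256>) before granting
# setuid, since anything substituted in that download would run as root.
RUN set -x \
    && USER=lazyrecon_user \
    && GROUP=lazyrecon_user \
    && curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.4/fixuid-0.4-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - \
    && chown root:root /usr/local/bin/fixuid \
    && chmod 4755 /usr/local/bin/fixuid \
    && mkdir -p /etc/fixuid \
    && printf "user: $USER\ngroup: $GROUP\npaths: \n - /\n - $TOOLS/lazyrecon/lazyrecon_results\n" > /etc/fixuid/config.yml
USER lazyrecon_user:lazyrecon_user
# Fix Chromium working with Aquatone in Docker. Chromium now runs without a sandbox, but since we're in a container, it's an ok trade-off.
RUN set -x \
    && printf 'CHROMIUM_FLAGS="--no-sandbox --headless"\n' > $HOME/.chromium-browser.init
#ENTRYPOINT ["fixuid", "/bin/bash"]
WORKDIR $TOOLS/lazyrecon
ENTRYPOINT ["fixuid", "bash", "./lazyrecon.sh"]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# lazyrecon_docker
Containerized version of my fork of Nahamsec's Lazyrecon.

I'm sure I can optimize the build process and I'm willing to bet I'm not following best practices.

# How to run
```
Build locally:
1) git clone https://github.com/soaringswine/lazyrecon_docker.git
2) cd lazyrecon_docker
3) docker build --rm -f "Dockerfile" -t lazyrecon_docker:latest .
4) docker run --user $(id -u):$(id -g) -v $(pwd)/lazyrecon_results:/home/lazyrecon_user/tools/lazyrecon/lazyrecon_results/ lazyrecon_docker -d DOMAIN.TLD
5) Results will be stored in ./lazyrecon_results on Docker host
6) ???
7) Hopefully profit?!

From Dockerhub:
1) docker run --user $(id -u):$(id -g) -v $(pwd)/lazyrecon_results:/home/lazyrecon_user/tools/lazyrecon/lazyrecon_results/ soaringswine/lazyrecon_docker -d DOMAIN.TLD
2) Results will be stored in ./lazyrecon_results on Docker host
3) ???
4) Hopefully profit (but faster)?!
```

# soaringswine's Lazyrecon fork
soaringswine: I've added amass, Project Sonar (old data but someone graciously is hosting a script to let you query it nicely!), pdlist, and dnsgen into the mix and expanded the nmap and Aquatone port scanning. There were some issues with how cat and sort were being used that would leave the $domain.txt file blank, so I fixed those. Also removed one of the $domain.txt cats that was undoing the wildcard dupe pruning and added some echos to help understand what's going on in different stages. Fixed some other misc.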
things and tidied up the code a tad.

```
_ ____ ____ ___ _ ____ _____ ____ ____ _
/ \ / _ \/_ \\ \/// __\/ __// _Y _ \/ \ /|
| | | / \| / / \ / | \/|| \ | / | / \|| |\ ||
| |_/\| |-||/ /_ / / | /| /_ | \_| \_/|| | \||
\____/\_/ \|\____//_/ \_/\_\\____\\____|____/\_/ \|

```

# Usage

`./lazyrecon.sh -d target.com`

# About

LazyRecon is a script written in Bash; it is intended to automate some tedious tasks of reconnaissance and information gathering.
This tool allows you to gather some information that should help you identify what to do next and where to look.


# Main Features
- Create a dated folder with recon notes
- Grab subdomains using:

  * Sublist3r, certspotter and crt.sh
  * DNS bruteforcing using massdns

- Find any CNAME records pointing to unused cloud services like AWS
- Probe for live hosts over ports 80/443
- Grab screenshots of responsive hosts
- Scrape the Wayback Machine for data:

  * Extract JavaScript files
  * Build a custom parameter wordlist, ready to be loaded later into Burp Intruder or any other tool
  * Extract any URLs with .jsp, .php or .aspx and store them for further inspection

- Run nmap on specific ports
- Get DNS information about every subdomain
- Run dirsearch against all subdomains
- Generate an HTML report with output from the tools above
- Improved reporting and less output while doing the work
- Dark mode for HTML reports


# New features
- Directory search module is now MULTITHREADED (up to 10 subdomains scanned at a time)
- Enhanced HTML reports with the ability to search for strings, endpoints, response sizes or status codes

# DEMO
![cli output](https://github.com/plenumlab/lazyrecon/raw/dev/upgrade/recon.gif)
=================================================================================

![report demo](https://github.com/plenumlab/lazyrecon/raw/dev/upgrade/report.gif)


# Installation & Requirements
- Download the install script from https://github.com/nahamsec/bbht.
- Go version 1.10 or later.

### System Requirements
- Recommended to run on a VPS with 1 vCPU and 2GB RAM.



# Authors and Thanks
This script makes use of tools developed by the following people
- [Tom Hudson - Tomnomnom](https://github.com/tomnomnom)
- [Ahmed Aboul-Ela - Aboul3la](https://github.com/aboul3la)
- [B. Blechschmidt - Blechschmidt](https://github.com/blechschmidt)
- [Thomas D. - Maaaaz](https://github.com/maaaaz)
- [Daniel Miessler - Danielmiessler](https://github.com/danielmiessler)


# TO DO
- Report-only mode to generate reports for old dirsearch data
- Subdomain exclusion





**Warning:** This code was originally created for personal use, it generates a substantial amount of traffic, please use with caution.



--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'
services:
  lazyrecon:
    build: .
5 | container_name: lazyrecon_docker 6 | image: lazyrecon_docker:latest 7 | user: ${UID}:${GID} 8 | volumes: 9 | - ./lazyrecon_results/:/home/lazyrecon_user/tools/lazyrecon/lazyrecon_results/ -------------------------------------------------------------------------------- /lazyrecon.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | ######################################## 5 | # /// \\\ 6 | # You can edit your configuration here 7 | # 8 | # 9 | ######################################## 10 | aquatoneThreads=5 11 | # see https://github.com/michenriksen/aquatone/blob/93c79694068733186878f50a545fa69f3dcec9ce/core/ports.go for Aquatone port aliases. 12 | aquatonePorts=xlarge 13 | subdomainThreads=10 14 | dirsearchThreads=50 15 | dirsearchWordlist=$HOME/tools/dirsearch/db/dicc.txt 16 | dirsearchExtensions=php,asp,aspx,jsp,html,zip,jar,json,js,inc,inc.php,config,old,sql,db,cfg 17 | massdnsWordlist=$HOME/tools/SecLists/Discovery/DNS/clean-jhaddix-dns.txt 18 | 
nmapPorts="1,100,1000,10000,10001,10002,10003,10004,10009,1001,10010,10012,1002,10024,10025,1007,10082,1009,1010,1011,10180,1021,10215,1022,1023,1024,10243,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,10566,1057,1058,1059,106,1060,1061,10616,10617,1062,10621,10626,10628,10629,1063,1064,1065,1066,1067,1068,1069,1070,1071,1072,1073,1074,1075,1076,1077,10778,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,109,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,110,1100,1102,1104,1105,1106,1107,1108,111,1110,1111,11110,11111,1112,1113,1114,1117,1119,1121,1122,1123,1124,1126,113,1130,1131,1132,1137,1138,1141,1145,1147,1148,1149,1151,1152,1154,1163,1164,1165,1166,1169,1174,1175,1183,1185,1186,1187,119,1192,11967,1198,1199,12000,1201,1213,1216,1217,12174,1218,12265,1233,1234,12345,1236,1244,1247,1248,125,1259,1271,1272,1277,1287,1296,13,1300,1301,1309,1310,1311,1322,1328,1334,13456,135,1352,13722,13782,13783,139,14000,1417,14238,143,1433,1434,144,1443,14441,14442,1455,146,1461,1494,1500,15000,15002,15003,15004,1501,1503,1521,1524,1533,1556,15660,15672,15742,1580,1583,1594,1600,16000,16001,16012,16016,16018,16080,161,16113,163,1641,1658,1666,1687,1688,16992,16993,17,1700,1717,1718,1719,1720,1721,1723,1755,1761,1782,1783,17877,179,17988,1801,18040,1805,18101,1812,1839,1840,1862,1863,1864,1875,18988,19,1900,19000,19080,19101,1914,19283,19315,1935,19350,1947,1971,1972,1974,19780,19801,1984,19842,199,1998,1999,20,2000,20000,20005,2001,2002,2003,20031,2004,2005,2006,2007,2008,2009,2010,2013,2020,2021,2022,20221,20222,2030,2033,2034,2035,2038,2040,2041,2042,2043,2045,2046,2047,2048,2049,2065,2068,2075,2076,20828,2099,21,2100,2103,2105,2106,2107,211,2111,2119,212,2121,2126,2135,2144,21571,2160,2161,2170,2179,2190,2191,2196,22,2200,222,2222,2251,2260,2288,22939,23,2301,2323,23502,2366,2381,2382,2383,2393,2394,2399,24,2401,24444,24800,2492,25,2500,2522,2525,25
4,255,2557,256,25734,25735,259,26,2601,2602,2604,2605,2607,2608,26214,2638,264,27000,2701,2702,2710,2717,2718,2725,27352,27353,27355,27356,27715,280,2800,2809,2811,28201,2869,2875,2909,2910,2920,2967,2968,2998,3,30,3000,30000,3001,3003,3005,3006,3007,301,3011,3013,3017,3030,3031,3052,306,3071,30718,3077,30951,31038,311,3128,31337,3168,32,3211,3221,3260,3261,3268,3269,32768,32769,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779,32780,32781,32782,32783,32784,32785,3283,33,3300,3301,3306,3322,3323,3324,3325,3333,33354,3351,3366,3367,3369,3370,3371,3372,3389,33899,3390,340,3404,34571,34572,34573,3476,3493,3517,3527,3546,35500,3551,3580,3659,366,3689,3690,37,3703,3737,3766,3784,3800,3801,3809,3814,3826,3827,3828,38292,3851,3868,3869,3871,3878,3880,3889,389,3905,3914,3918,3920,3945,3971,3986,3995,3998,4,4000,4001,4002,4003,4004,4005,4006,40193,4040,4044,4045,406,407,40911,4111,4125,4126,4129,41511,416,417,42,4224,4242,425,42510,427,4279,43,4321,4343,44176,443,444,4443,4444,44442,44443,4445,4446,4449,445,44501,45100,4550,4567,458,464,465,4662,48080,481,4848,4899,49,4900,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49163,49165,49167,49175,49176,49400,497,4998,49999,500,5000,50000,50001,50002,50003,50006,5001,5002,5003,5004,5009,5030,50300,5033,50389,5050,50500,5051,5054,5060,5061,50636,5080,50800,5087,5100,5101,5102,51103,512,5120,513,514,51493,515,5190,5200,5214,5221,5222,5225,5226,524,52673,5269,5280,52822,52848,52869,5298,53,5357,54045,5405,541,5414,543,5431,5432,54328,544,5440,545,548,5500,55055,55056,5510,554,5544,555,5550,5555,55555,5560,55600,5566,563,5631,5633,5666,5673,56737,56738,5678,5679,5718,57294,5730,57797,5800,5801,5802,58080,5810,5811,5815,5822,5825,5850,5859,5862,587,5877,5900,5901,5902,5903,5904,5906,5907,5910,5911,5915,5922,5925,593,5950,5952,5959,5960,5961,5962,5963,5987,5988,5989,5998,5999,6,6000,6001,6002,60020,6003,6004,6005,6006,6007,6009,6025,60443,6059,6100,6101,6106,6112,6123,6129,61532,6156,616,617,61900,62078,625,631,6
3331,6346,636,6389,6443,646,64623,64680,648,65000,6502,6510,65129,65389,6543,6547,6565,6566,6567,6580,6646,666,6666,6667,6668,6669,667,668,6689,6692,6699,6779,6788,6789,6792,683,6839,687,6881,6901,691,6969,7,70,700,7000,7001,7002,7004,7007,7019,7025,705,7070,7077,7080,7100,7103,7106,711,714,720,7200,7201,722,726,7402,7435,7443,7447,749,7496,7512,7625,7627,765,7676,7741,777,7777,7778,7800,783,787,79,7911,7920,7921,7937,7938,7999,80,800,8000,8001,8002,8007,8008,8009,801,8010,8011,8021,8022,8031,8042,8045,808,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8093,8099,81,8100,8180,8181,8192,8193,8194,82,8200,8222,8254,8290,8291,8292,83,8300,8333,8383,84,8400,8402,843,8443,85,8500,8600,8649,8651,8652,8654,8701,873,88,880,8800,8873,888,8880,8888,8899,89,898,8983,8994,9,90,900,9000,9001,9002,9003,9009,901,9010,9011,902,903,9040,9050,9071,9080,9081,9090,9091,9099,9100,9101,9102,9103,911,9110,9111,912,9200,9207,9220,9290,9415,9418,9443,9485,9500,9502,9503,9535,9575,9593,9594,9595,9618,9666,981,987,9876,9877,9878,9898,99,990,9900,9917,992,9929,993,9943,9944,995,9968,999,9998,9999" 19 | outputDirectory="./lazyrecon_results" 20 | ######################################## 21 | # Happy Hunting 22 | ######################################## 23 | 24 | 25 | 26 | 27 | 28 | 29 | red=`tput setaf 1` 30 | green=`tput setaf 2` 31 | yellow=`tput setaf 3` 32 | reset=`tput sgr0` 33 | 34 | SECONDS=0 35 | 36 | domain= 37 | subreport= 38 | usage() { echo -e 'Usage: $0 -d domain [-e] [-o "outputDirectory"]\n' 1>&2; exit 1; } 39 | 40 | while getopts ":d:e:r:o:" options; do 41 | case "${options}" in 42 | d) 43 | domain=${OPTARG} 44 | ;; 45 | #### working on subdomain exclusion 46 | e) 47 | excluded=${OPTARG} 48 | ;; 49 | r) 50 | subreport+=("$OPTARG") 51 | ;; 52 | o) 53 | outputDirectory=${OPTARG} 54 | ;; 55 | *) 56 | usage 57 | ;; 58 | esac 59 | done 60 | shift $((OPTIND - 1)) 61 | 62 | if [ -z "${domain}" ] && [[ -z ${subreport[@]} ]]; then 63 | usage; exit 1; 64 | fi 65 | 66 | discovery(){ 
67 | hostalive $domain 68 | cleandirsearch $domain 69 | aqua $domain 70 | cleanup $domain 71 | waybackrecon $domain 72 | dirsearcher 73 | 74 | 75 | } 76 | waybackrecon () { 77 | echo "Scraping Wayback Machine for data..." 78 | cat $outputDirectory/$domain/$foldername/urllist.txt | waybackurls > $outputDirectory/$domain/$foldername/wayback-data/waybackurls.txt 79 | cat $outputDirectory/$domain/$foldername/wayback-data/waybackurls.txt | sort -u | unfurl --unique keys > $outputDirectory/$domain/$foldername/wayback-data/paramlist.txt 80 | [ -s $outputDirectory/$domain/$foldername/wayback-data/paramlist.txt ] && echo "Wordlist saved to /$domain/$foldername/wayback-data/paramlist.txt" 81 | 82 | cat $outputDirectory/$domain/$foldername/wayback-data/waybackurls.txt | sort -u | grep -P "\w+\.js(\?|$)" | sort -u > $outputDirectory/$domain/$foldername/wayback-data/jsurls.txt 83 | [ -s $outputDirectory/$domain/$foldername/wayback-data/jsurls.txt ] && echo "JS URLs saved to /$domain/$foldername/wayback-data/jsurls.txt" 84 | 85 | cat $outputDirectory/$domain/$foldername/wayback-data/waybackurls.txt | sort -u | grep -P "\w+\.php(\?|$)" | sort -u > $outputDirectory/$domain/$foldername/wayback-data/phpurls.txt 86 | [ -s $outputDirectory/$domain/$foldername/wayback-data/phpurls.txt ] && echo "PHP URLs saved to /$domain/$foldername/wayback-data/phpurls.txt" 87 | 88 | cat $outputDirectory/$domain/$foldername/wayback-data/waybackurls.txt | sort -u | grep -P "\w+\.aspx(\?|$)" | sort -u > $outputDirectory/$domain/$foldername/wayback-data/aspxurls.txt 89 | [ -s $outputDirectory/$domain/$foldername/wayback-data/aspxurls.txt ] && echo "ASP URLs saved to /$domain/$foldername/wayback-data/aspxurls.txt" 90 | 91 | cat $outputDirectory/$domain/$foldername/wayback-data/waybackurls.txt | sort -u | grep -P "\w+\.jsp(\?|$)" | sort -u > $outputDirectory/$domain/$foldername/wayback-data/jspurls.txt 92 | [ -s $outputDirectory/$domain/$foldername/wayback-data/jspurls.txt ] && echo "JSP URLs saved to 
/$domain/$foldername/wayback-data/jspurls.txt" 93 | } 94 | 95 | cleanup(){ 96 | cd $outputDirectory/$domain/$foldername/screenshots/ 97 | rename 's/_/-/g' -- * 98 | 99 | cd $path 100 | } 101 | 102 | hostalive(){ 103 | echo "Probing for live hosts..." 104 | cat $outputDirectory/$domain/$foldername/alldomains.txt | sort -u | httprobe -c 50 -t 3000 >> $outputDirectory/$domain/$foldername/responsive.txt 105 | cat $outputDirectory/$domain/$foldername/responsive.txt | sed 's/\http\:\/\///g' | sed 's/\https\:\/\///g' | sort -u | while read line; do 106 | probeurl=$(cat $outputDirectory/$domain/$foldername/responsive.txt | sort -u | grep -m 1 $line) 107 | echo "$probeurl" >> $outputDirectory/$domain/$foldername/urllist.txt 108 | done 109 | echo "$(cat $outputDirectory/$domain/$foldername/urllist.txt | sort -u)" > $outputDirectory/$domain/$foldername/urllist.txt 110 | echo "${yellow}Total of $(wc -l $outputDirectory/$domain/$foldername/urllist.txt | awk '{print $1}') live subdomains were found${reset}" 111 | } 112 | 113 | 114 | 115 | recon(){ 116 | 117 | echo "${green}Recon started on $domain ${reset}" 118 | echo "Finding subdomains using Sublist3r..." 119 | python $HOME/tools/Sublist3r/sublist3r.py -b -d $domain -t 10 -v -o $outputDirectory/$domain/$foldername/$domain.txt > /dev/null 120 | echo "Finding subdomains using Amass..." 121 | amass enum -active -brute -d $domain >> $outputDirectory/$domain/$foldername/$domain.txt 122 | echo "$(cat $outputDirectory/$domain/$foldername/$domain.txt | sort -u | grep $domain)" > $outputDirectory/$domain/$foldername/$domain.txt 123 | echo "Finding domains using Certspotter..." 124 | curl -s "https://api.certspotter.com/v1/issuances?domain=$domain&include_subdomains=true&expand=dns_names" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep $domain >> $outputDirectory/$domain/$foldername/$domain.txt 125 | echo "Finding domains using (old) Project Sonar data script hosted by erbbysam.com (thx m8).." 
126 | curl -s "https://dns.bufferover.run/dns?q=$domain" 2> /dev/null | jq -r '.FDNS_A,.RDNS | .[]' | sed 's/\*\.//g' | cut -d ',' -f2 | grep -F ".$domain" | sort -u >> $outputDirectory/$domain/$foldername/$domain.txt 127 | echo "Finding domains passively with pdlist.." 128 | pdlist $domain --strict -o $outputDirectory/$domain/$foldername/pdlist.txt 129 | echo "$(cat $outputDirectory/$domain/$foldername/$domain.txt $outputDirectory/$domain/$foldername/pdlist.txt | sort -u | grep $domain)" > $outputDirectory/$domain/$foldername/$domain.txt 130 | echo "Running DNSgen for new possible domain name combinations.." 131 | dnsgen $outputDirectory/$domain/$foldername/$domain.txt > $outputDirectory/$domain/$foldername/dnsgen.txt 132 | echo "$(cat $outputDirectory/$domain/$foldername/$domain.txt $outputDirectory/$domain/$foldername/dnsgen.txt | sort -u | grep $domain)" > $outputDirectory/$domain/$foldername/$domain.txt 133 | nsrecords $domain 134 | 135 | echo "Starting discovery of found subdomains..." 136 | discovery $domain 137 | echo "$(cat $outputDirectory/$domain/$foldername/$domain.txt | sort -u)" > $outputDirectory/$domain/$foldername/$domain.txt 138 | 139 | 140 | } 141 | 142 | 143 | dirsearcher(){ 144 | 145 | echo "Starting Dirsearch..." 146 | cat $outputDirectory/$domain/$foldername/urllist.txt | xargs -P$subdomainThreads -I % sh -c "python3 $HOME/tools/dirsearch/dirsearch.py -e $dirsearchExtensions -w $dirsearchWordlist -t $dirsearchThreads -u % | grep Target && tput sgr0 && bash ./lazyrecon.sh -r $outputDirectory -r $domain -r $foldername -r %" 147 | } 148 | 149 | aqua(){ 150 | 151 | echo "Starting Aquatone scan..." 
152 | cat $outputDirectory/$domain/$foldername/urllist.txt | aquatone -out $outputDirectory/$domain/$foldername/aqua_out -threads $aquatoneThreads -silent -scan-timeout 900 -ports $aquatonePorts 153 | 154 | 155 | } 156 | 157 | searchcrtsh(){ 158 | 159 | $HOME/tools/massdns/scripts/ct.py $domain 2>/dev/null > $outputDirectory/$domain/$foldername/tmp.txt 160 | [ -s $outputDirectory/$domain/$foldername/tmp.txt ] && cat $outputDirectory/$domain/$foldername/tmp.txt | $HOME/tools/massdns/bin/massdns -r $HOME/tools/massdns/lists/resolvers.txt -t A -q -o S -w $outputDirectory/$domain/$foldername/crtsh.txt 161 | cat $outputDirectory/$domain/$foldername/$domain.txt | $HOME/tools/massdns/bin/massdns -r $HOME/tools/massdns/lists/resolvers.txt -t A -q -o S -w $outputDirectory/$domain/$foldername/domaintemp.txt 162 | } 163 | 164 | mass(){ 165 | $HOME/tools/massdns/scripts/subbrute.py $massdnsWordlist $domain | $HOME/tools/massdns/bin/massdns -r $HOME/tools/massdns/lists/resolvers.txt -t A -q -o S | grep -v 142.54.173.92 > $outputDirectory/$domain/$foldername/mass.txt 166 | } 167 | nsrecords(){ 168 | 169 | 170 | echo "Checking http://crt.sh..." 171 | searchcrtsh $domain 172 | echo "Starting MassDNS subdomain discovery, this may take a while..." 173 | mass $domain > /dev/null 174 | echo "MassDNS finished..." 175 | echo "${green}Started DNS records check...${reset}" 176 | 177 | 178 | echo "Merging MassDNS results from Subbrute..." 179 | cat $outputDirectory/$domain/$foldername/mass.txt >> $outputDirectory/$domain/$foldername/temp.txt 180 | echo "Merging MassDNS results from $domain.txt..." 181 | cat $outputDirectory/$domain/$foldername/domaintemp.txt >> $outputDirectory/$domain/$foldername/temp.txt 182 | echo "Merging MassDNS results from crt.sh..." 183 | cat $outputDirectory/$domain/$foldername/crtsh.txt >> $outputDirectory/$domain/$foldername/temp.txt 184 | 185 | echo "Checking for and removing wildcard DNS entry dupes..." 
186 | cat $outputDirectory/$domain/$foldername/temp.txt | awk '{print $3}' | sort -u | while read line; do 187 | wildcard=$(cat $outputDirectory/$domain/$foldername/temp.txt | grep -m 1 $line) 188 | echo "$wildcard" >> $outputDirectory/$domain/$foldername/cleantemp.txt 189 | done 190 | 191 | 192 | echo "Looking into CNAME records..." 193 | cat $outputDirectory/$domain/$foldername/cleantemp.txt | grep CNAME >> $outputDirectory/$domain/$foldername/cnames.txt 194 | cat $outputDirectory/$domain/$foldername/cnames.txt | sort -u | while read line; do 195 | hostrec=$(echo "$line" | awk '{print $1}') 196 | if [[ $(host $hostrec | grep NXDOMAIN) != "" ]] 197 | then 198 | echo "${red}Check the following domain for NS takeover: $line ${reset}" 199 | echo "$line" >> $outputDirectory/$domain/$foldername/pos.txt 200 | else 201 | echo -ne "Working on it...\r" 202 | fi 203 | done 204 | sleep 1 205 | # Commenting this out because it seems to get rid of all the wildcard dupe checking from earlier..? 206 | #cat $outputDirectory/$domain/$foldername/$domain.txt > $outputDirectory/$domain/$foldername/alldomains.txt 207 | cat $outputDirectory/$domain/$foldername/cleantemp.txt | awk '{print $1}' | while read line; do 208 | x="$line" 209 | echo "${x%?}" >> $outputDirectory/$domain/$foldername/alldomains.txt 210 | done 211 | sleep 1 212 | 213 | } 214 | 215 | report(){ 216 | subdomain=$(echo $subd | sed 's/\http\:\/\///g' | sed 's/\https\:\/\///g') 217 | echo "${yellow} [+] Generating report for $subdomain" 218 | 219 | cat $outputDirectory/$domain/$foldername/aqua_out/aquatone_session.json | jq --arg v "$subd" -r '.pages[$v].headers[] | keys[] as $k | "\($k), \(.[$k])"' | grep -v "decreasesSecurity\|increasesSecurity" >> $outputDirectory/$domain/$foldername/aqua_out/parsedjson/$subdomain.headers 220 | dirsearchfile=$(ls $HOME/tools/dirsearch/reports/$subdomain/ | grep -v old) 221 | 222 | touch $outputDirectory/$domain/$foldername/reports/$subdomain.html 223 | echo ' 224 | ' >> 
$outputDirectory/$domain/$foldername/reports/$subdomain.html 225 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 226 | echo "Recon Report for $subdomain 227 | 229 | " >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 234 | echo ' 235 | 236 | 237 | '>> $outputDirectory/$domain/$foldername/reports/$subdomain.html 238 | echo ''>> $outputDirectory/$domain/$foldername/reports/$subdomain.html 249 | 250 | echo '" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 256 | echo '
' >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 257 | echo "

Recon Report for $subdomain

" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 258 | echo "

Generated by LazyRecon on $(date)

" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 259 | echo '
260 |
261 |
262 |
263 |
264 |

Content Discovery

' >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 265 | 266 | 267 | 268 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 269 | echo " 270 | 271 | 272 | 273 | " >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 274 | 275 | cat $HOME/tools/dirsearch/reports/$subdomain/$dirsearchfile | while read nline; do 276 | status_code=$(echo "$nline" | awk '{print $1}') 277 | size=$(echo "$nline" | awk '{print $2}') 278 | url=$(echo "$nline" | awk '{print $3}') 279 | path=${url#*[0-9]/} 280 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 281 | if [[ "$status_code" == *20[012345678]* ]]; then 282 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 283 | elif [[ "$status_code" == *30[012345678]* ]]; then 284 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 285 | elif [[ "$status_code" == *40[012345678]* ]]; then 286 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 287 | elif [[ "$status_code" == *50[012345678]* ]]; then 288 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 289 | else 290 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 291 | fi 292 | echo "">> $outputDirectory/$domain/$foldername/reports/$subdomain.html 293 | done 294 | 295 | echo "
Status CodeContent-LengthUrl
$status_code$size/$path$status_code$size/$path$status_code$size/$path$status_code$size/$path$status_code$size/$path
" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 296 | 297 | echo '
298 |
299 |
300 |
301 |

Screenshots

302 |
' >> $outputDirectory/$domain/$foldername/reports/$subdomain.html
303 | echo '
304 |
305 | Port 80' >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 306 | scpath=$(echo "$subdomain" | sed 's/\./_/g') 307 | httpsc=$(ls $outputDirectory/$domain/$foldername/aqua_out/screenshots/http__$scpath* 2>/dev/null) 308 | echo " " >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 309 | echo '
310 |
311 | Port 443' >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 312 | httpssc=$(ls $outputDirectory/$domain/$foldername/aqua_out/screenshots/https__$scpath* 2>/dev/null) 313 | echo "" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 314 | echo "
" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 315 | #echo "

Dig Info

$(dig $subdomain)
" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 316 | echo "

Host Info

$(host $subdomain)
" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 317 | echo "

Response Headers

" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html
318 | 
319 | 
320 | 
321 | 
322 | cat $outputDirectory/$domain/$foldername/aqua_out/parsedjson/$subdomain.headers | while read ln;do
323 | check=$(echo "$ln" | awk '{print $1}')
324 | 
325 | [ "$check" = "name," ] && echo -n "$ln : " | sed 's/name, //g' >> $outputDirectory/$domain/$foldername/reports/$subdomain.html
326 | [ "$check" = "value," ] && echo " $ln" | sed 's/value, //g' >> $outputDirectory/$domain/$foldername/reports/$subdomain.html
327 | 	
328 | done
329 | 
330 | 
331 |  
332 | echo "
" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 333 | echo "

Nmap Results

334 |
335 | $(nmap -A -T3 -Pn -p$nmapPorts $subdomain -oA $outputDirectory/$domain/$foldername/nmap_results/$subdomain)
336 | 
337 |
338 |
" >> $outputDirectory/$domain/$foldername/reports/$subdomain.html 339 | 340 | 341 | } 342 | master_report() 343 | { 344 | 345 | #this code will generate the html report for target it will have an overview of the scan 346 | echo ' 347 | 348 | ' >> $outputDirectory/$domain/$foldername/master_report.html 349 | echo "Recon Report for $domain 350 | 351 | " >> $outputDirectory/$domain/$foldername/master_report.html 356 | echo ' 357 | 358 | 359 | '>> $outputDirectory/$domain/$foldername/master_report.html 360 | echo ''>> $outputDirectory/$domain/$foldername/master_report.html 368 | 369 | 370 | 371 | echo '" >> $outputDirectory/$domain/$foldername/master_report.html 377 | 378 | 379 | echo '
' >> $outputDirectory/$domain/$foldername/master_report.html 380 | echo "

Recon Report for $domain

" >> $outputDirectory/$domain/$foldername/master_report.html 381 | echo "

Generated by LazyRecon on $(date)

" >> $outputDirectory/$domain/$foldername/master_report.html 382 | echo '
383 |
384 |
385 |
386 |
387 |

Total scanned subdomains

388 | 389 | 390 | 391 | 392 | 393 | 394 | 395 | ' >> $outputDirectory/$domain/$foldername/master_report.html 396 | 397 | 398 | cat $outputDirectory/$domain/$foldername/urllist.txt | sed 's/\http\:\/\///g' | sed 's/\https\:\/\///g' | while read nline; do 399 | diresults=$(ls $HOME/tools/dirsearch/reports/$nline/ | grep -v old) 400 | echo " 401 | 402 | 403 | " >> $outputDirectory/$domain/$foldername/master_report.html 404 | done 405 | echo "
SubdomainsScanned Urls
$nline$(wc -l $HOME/tools/dirsearch/reports/$nline/$diresults | awk '{print $1}')
406 |

Possible NS Takeovers

407 |
" >> $outputDirectory/$domain/$foldername/master_report.html
408 | cat $outputDirectory/$domain/$foldername/pos.txt >> $outputDirectory/$domain/$foldername/master_report.html
409 | 
410 | echo "

Wayback data

" >> $outputDirectory/$domain/$foldername/master_report.html 411 | echo "" >> $outputDirectory/$domain/$foldername/master_report.html 412 | [ -s $outputDirectory/$domain/$foldername/wayback-data/paramlist.txt ] && echo "" >> $outputDirectory/$domain/$foldername/master_report.html 413 | [ -s $outputDirectory/$domain/$foldername/wayback-data/jsurls.txt ] && echo "" >> $outputDirectory/$domain/$foldername/master_report.html 414 | [ -s $outputDirectory/$domain/$foldername/wayback-data/phpurls.txt ] && echo "" >> $outputDirectory/$domain/$foldername/master_report.html 415 | [ -s $outputDirectory/$domain/$foldername/wayback-data/aspxurls.txt ] && echo "" >> $outputDirectory/$domain/$foldername/master_report.html 416 | echo "
Params wordlist
Javscript files
PHP Urls
ASP Urls
" >> $outputDirectory/$domain/$foldername/master_report.html 417 | 418 | echo '
419 |
420 |
421 |
' >> $outputDirectory/$domain/$foldername/master_report.html 422 | echo "

View Aquatone Report

" >> $outputDirectory/$domain/$foldername/master_report.html 423 | #cat $outputDirectory/$domain/$foldername/ipaddress.txt >> $outputDirectory/$domain/$foldername/master_report.html 424 | echo "

Dig Info

425 |
426 | $(dig $domain)
427 | 
" >> $outputDirectory/$domain/$foldername/master_report.html 428 | echo "

Host Info

429 |
430 | $(host $domain)
431 | 
" >> $outputDirectory/$domain/$foldername/master_report.html 432 | 433 | echo "

Nmap Results

434 |
435 | $(nmap -A -T3 -Pn -p$nmapPorts $domain -oA $outputDirectory/$domain/$foldername/nmap_results/$domain)
436 | 
437 |
438 |
" >> $outputDirectory/$domain/$foldername/master_report.html 439 | 440 | 441 | } 442 | 443 | logo(){ 444 | #can't have a bash script without a cool logo :D 445 | echo "${red} 446 | _ ____ ____ ___ _ ____ _____ ____ ____ _ 447 | / \ / _ \/_ \\\ \/// __\/ __// _\/ _ \/ \ /| 448 | | | | / \| / / \ / | \/|| \ | / | / \|| |\ || 449 | | |_/\| |-||/ /_ / / | /| /_ | \__| \_/|| | \|| 450 | \____/\_/ \|\____//_/ \_/\_\\\____\\\____/\____/\_/ \\| 451 | ${reset} " 452 | } 453 | cleandirsearch(){ 454 | cat $outputDirectory/$domain/$foldername/urllist.txt | sed 's/\http\:\/\///g' | sed 's/\https\:\/\///g' | sort -u | while read line; do 455 | [ -d $HOME/tools/dirsearch/reports/$line/ ] && ls $HOME/tools/dirsearch/reports/$line/ | grep -v old | while read i; do 456 | mv $HOME/tools/dirsearch/reports/$line/$i $HOME/tools/dirsearch/reports/$line/$i.old 457 | done 458 | done 459 | } 460 | cleantemp(){ 461 | 462 | rm $outputDirectory/$domain/$foldername/temp.txt 463 | rm $outputDirectory/$domain/$foldername/tmp.txt 464 | rm $outputDirectory/$domain/$foldername/domaintemp.txt 465 | rm $outputDirectory/$domain/$foldername/cleantemp.txt 466 | 467 | } 468 | main(){ 469 | if [ -z "${domain}" ]; then 470 | outputDirectory=${subreport[1]} 471 | domain=${subreport[2]} 472 | foldername=${subreport[3]} 473 | subd=${subreport[4]} 474 | report $outputDirectory $domain $subdomain $foldername $subd; exit 1; 475 | fi 476 | clear 477 | logo 478 | if [ -d "$outputDirectory/$domain" ] 479 | then 480 | echo "This is a known target." 
481 | else 482 | mkdir $outputDirectory/$domain 483 | fi 484 | 485 | mkdir $outputDirectory/$domain/$foldername 486 | mkdir $outputDirectory/$domain/$foldername/aqua_out/ 487 | mkdir $outputDirectory/$domain/$foldername/aqua_out/parsedjson/ 488 | mkdir $outputDirectory/$domain/$foldername/reports/ 489 | mkdir $outputDirectory/$domain/$foldername/wayback-data/ 490 | mkdir $outputDirectory/$domain/$foldername/screenshots/ 491 | mkdir $outputDirectory/$domain/$foldername/nmap_results/ 492 | touch $outputDirectory/$domain/$foldername/crtsh.txt 493 | touch $outputDirectory/$domain/$foldername/mass.txt 494 | touch $outputDirectory/$domain/$foldername/cnames.txt 495 | touch $outputDirectory/$domain/$foldername/pos.txt 496 | touch $outputDirectory/$domain/$foldername/alldomains.txt 497 | touch $outputDirectory/$domain/$foldername/temp.txt 498 | touch $outputDirectory/$domain/$foldername/tmp.txt 499 | touch $outputDirectory/$domain/$foldername/domaintemp.txt 500 | touch $outputDirectory/$domain/$foldername/ipaddress.txt 501 | touch $outputDirectory/$domain/$foldername/cleantemp.txt 502 | touch $outputDirectory/$domain/$foldername/master_report.html 503 | 504 | cleantemp 505 | recon $domain 506 | master_report $domain 507 | echo "${green}Scan for $domain finished successfully${reset}" 508 | duration=$SECONDS 509 | echo "Scan completed in : $(($duration / 60)) minutes and $(($duration % 60)) seconds." 
510 | cleantemp 511 | stty sane 512 | tput sgr0 513 | } 514 | todate=$(date +"%Y-%m-%d") 515 | path=$(pwd) 516 | foldername=recon-$todate 517 | #source $HOME/.zshrc 518 | main $domain 519 | 520 | -------------------------------------------------------------------------------- /lazyrecon_results/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | */ 3 | !.gitignore -------------------------------------------------------------------------------- /recon.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/soaringswine/lazyrecon_docker/b61a719d26332edea4ccf028a16e0afa5b6a5dbf/recon.gif -------------------------------------------------------------------------------- /report.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/soaringswine/lazyrecon_docker/b61a719d26332edea4ccf028a16e0afa5b6a5dbf/report.gif -------------------------------------------------------------------------------- /run.bat: -------------------------------------------------------------------------------- 1 | docker build --rm -f "Dockerfile" -t lazyrecon_docker:latest . && docker run -v %cd%\lazyrecon_results:/home/lazyrecon_user/tools/lazyrecon/lazyrecon_results/ lazyrecon_docker -d %1 -------------------------------------------------------------------------------- /run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | docker build --rm -f "Dockerfile" -t lazyrecon_docker:latest . \ 3 | && docker run --user $(id -u):$(id -g) -v $(pwd)/lazyrecon_results:/home/lazyrecon_user/tools/lazyrecon/lazyrecon_results/ lazyrecon_docker -d $1 --------------------------------------------------------------------------------