├── .gitignore
├── README.md
├── VERSION
├── bin
│   ├── cloud_bucket_enum
│   ├── crawl_js
│   ├── crawl_urls
│   ├── dir_brute
│   ├── enumerate_subdomains
│   ├── git_scan
│   ├── handle_diff
│   ├── notify_changes
│   ├── notify_general
│   ├── notify_xss
│   ├── nuclei_scan
│   ├── probe_subdomains
│   ├── take_screenshots
│   ├── xss_advanced
│   └── xss_basic
├── configure
├── cron
│   └── daily.sh
├── includes
│   └── init.sh
├── scans
│   ├── bombard.sh
│   ├── comsat.sh
│   ├── dumpster_dive.sh
│   ├── nuke.sh
│   ├── snipe.sh
│   ├── sweep.sh
│   ├── template.sh.example
│   └── template_targeted.sh.example
└── vars.example

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
vars.sh

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
```
   ________  _________  ____     _______________(_)___  / /______
  / ___/ _ \/ ___/ __ \/ __ \   / ___/ ___/ ___/ / __ \/ __/ ___/
 / /  /  __/ /__/ /_/ / / / /  (__  ) /__/ /  / / /_/ / /_(__  )
/_/   \___/\___/\____/_/ /_/  /____/\___/_/  /_/ .___/\__/____/
                                              /_/
```

![v0.2.3](https://img.shields.io/badge/version-0.2.3-brightgreen?style=flat)

[![asciicast](https://asciinema.org/a/QJTDlVbRxLNhsSbe5MBqKhENg.svg)](https://asciinema.org/a/QJTDlVbRxLNhsSbe5MBqKhENg)

# A simple recon framework for bug bounty hunting

- Enumerate subdomains using [Sublist3r](https://github.com/aboul3la/Sublist3r) and [Subdominizer](https://github.com/nsonaniya2010/SubDomainizer)
- Probe subdomains using [httpx](https://github.com/projectdiscovery/httpx)
- Check cloud buckets using [cloud_enum](https://github.com/initstring/cloud_enum) and [S3Scanner](https://github.com/OWASP/Amass)
- Scan webpages using [nuclei](https://github.com/projectdiscovery/nuclei)
- Take screenshots using [Aquatone](https://github.com/michenriksen/aquatone)
- Asset discovery using [hakrawler](https://github.com/hakluke/hakrawler)
- Scan discovered assets for XSS using [XSStrike](https://github.com/s0md3v/XSStrike)
- Directory bruteforcing using [ffuf](https://github.com/ffuf/ffuf)
- Notify via Slack when new URLs or JS files are discovered

**The idea is to turn this:**
```
targets
├── tesla
│   └── domains.txt
└── shopify
    └── domains.txt
```

**into this:**
```
targets
├── tesla
│   ├── screenshots/
│   ├── urls.txt
│   ├── js.txt
│   ├── githound.txt
│   ├── cloud_enum.txt
│   ├── webservers.txt
│   ├── domains.txt
│   └── subdomains.txt
├── shopify
│   ├── screenshots/
│   ├── urls.txt
│   ├── js.txt
│   ├── cloud_enum.txt
│   ├── webservers.txt
│   ├── domains.txt
│   └── subdomains.txt
│
.
.
```

\* Inspired by [lazyrecon](https://github.com/nahamsec/lazyrecon) by [nahamsec](https://github.com/nahamsec)

\* This code is created for personal use, but feel free to try it out

\* I'm not very good at bash, please point out any weird quirks that could use some improvements ♥

## Setup

**Bash one-line setup. Installs recon-scripts to $HOME/.recon-scripts**
```sh
bash <(curl -s https://raw.githubusercontent.com/tedmdelacruz/recon-scripts/master/configure)
```

**Initialize a vars.sh from vars.example**
```sh
cd .recon-scripts
cp vars.example vars.sh
vim vars.sh
```

## Usage
**Run predefined scans**
```sh
$ cd .recon-scripts
$ scans/sweep.sh                  # Initial scan of all targets in the targets folder
$ scans/snipe.sh tesla shopify    # Probe and quick scan of the selected targets
$ scans/bombard.sh shopify        # Comprehensive scan of the selected target
```

**Set up crontab**
```sh
$ crontab -e
30 21 * * * /home/tedm/.recon-scripts/cron/daily.sh
```

**Or execute individual functions like so (each takes the target directory as its argument):**
```sh
$ enumerate_subdomains path/to/targets_dir/target
$ probe_subdomains path/to/target
$ cloud_bucket_enum path/to/target
$ nuclei_scan path/to/target
$ take_screenshots path/to/target
```

## TODO
- Configure API key inclusion to subdomain enumerations
- Monitor interesting files and web pages for changes
- Show GitHub dorking links
- Setup port scanning using `dnmasscan`, `masscan`, and `nmap`
- Support multithreading
- Add script for scaffolding directories
- Add reporting

--------------------------------------------------------------------------------
/VERSION:
--------------------------------------------------------------------------------
v0.2.3

--------------------------------------------------------------------------------
/bin/cloud_bucket_enum:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: cloud_bucket_enum <target_dir>
# Looks for cloud storage buckets named after the target's subdomains.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/subdomains.txt" ]; then
    echo -e "$Error subdomains.txt not found. Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Checking cloud buckets of $target_name using cloud_enum..."
python3 "$CLOUD_ENUM_PATH" -m "$CLOUD_ENUM_WORDLIST_PATH" -kf "$1/subdomains.txt" -l "$1/cloud_enum.txt" || true
echo -e "$Run Checking S3 buckets of $target_name using S3Scanner..."
python3 "$S3SCANNER_PATH" -o "$1/s3scanner.txt" "$1/subdomains.txt" || true

--------------------------------------------------------------------------------
/bin/crawl_js:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: crawl_js <target_dir>
# Crawls the live web servers for JS files and records what changed since the last run.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/webservers.txt" ]; then
    echo -e "$Error webservers.txt not found. Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Fetching JS files of $target_name using hakrawler..."
cat "$1/webservers.txt" | hakrawler -plain -js -insecure -depth 1 > "$1/new_js.txt"
handle_diff "$1" "js"

--------------------------------------------------------------------------------
/bin/crawl_urls:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: crawl_urls <target_dir>
# Crawls the live web servers for URLs and records what changed since the last run.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/webservers.txt" ]; then
    echo -e "$Error webservers.txt not found. Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Fetching urls of $target_name using hakrawler..."
cat "$1/webservers.txt" | hakrawler -plain -wayback -sitemap -robots -urls -insecure -depth 1 > "$1/new_urls.txt"
handle_diff "$1" "urls"

--------------------------------------------------------------------------------
/bin/dir_brute:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: dir_brute <target_dir>
# Directory bruteforcing of every web server; one HTML report per server under dir_brute/.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/webservers.txt" ]; then
    echo -e "$Error webservers.txt not found. Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Directory bruteforcing directories of $target_name webpages using ffuf..."

mkdir -p "$1/dir_brute"
while IFS= read -r webpage; do
    [[ -n $webpage ]] || continue
    # Turn the URL into a safe file name: "/", "," and ":" become "_"
    logfile="$1/dir_brute/${webpage//[\/,:]/_}.html"
    ffuf -w "$SECLISTS_PATH/Discovery/Web-Content/common.txt" \
        -mc 200 -c -v -sf -p 0.2-1.5 \
        -o "$logfile" -of html \
        -u "$webpage/FUZZ"
done < "$1/webservers.txt"

--------------------------------------------------------------------------------
/bin/enumerate_subdomains:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: enumerate_subdomains <target_dir>
# Reads <target_dir>/domains.txt and merges the results of both tools into subdomains.txt.

set -e

source "$HOME/.recon-scripts/vars.sh"

TARGET_DIR=$1
domains_file="$TARGET_DIR/domains.txt"
if [ ! -f "$domains_file" ]; then
    echo -e "$Error domains.txt not found in $TARGET_DIR"
    exit 0
fi

while IFS= read -r domain; do
    [[ -n $domain ]] || continue

    echo -e "$Run Enumerating subdomains of $domain using Sublist3r..."
    python3 "$SUBLIST3R_PATH" -o "$TARGET_DIR/sublist3r.txt" -d "$domain" || true
    if [ -f "$TARGET_DIR/sublist3r.txt" ]; then
        cat "$TARGET_DIR/sublist3r.txt" >> "$TARGET_DIR/subdomains.txt"
    fi
    echo -e "$Run Enumerating subdomains of $domain using SubDomainizer..."
    python3 "$SUBDOMAINIZER_PATH" -u "$domain" -o "$TARGET_DIR/subdomainizer.txt" || true
    if [ -f "$TARGET_DIR/subdomainizer.txt" ]; then
        cat "$TARGET_DIR/subdomainizer.txt" >> "$TARGET_DIR/subdomains.txt"
    fi
    if [ ! -f "$TARGET_DIR/subdomains.txt" ]; then
        echo -e "$Error No subdomains found for $domain"
        continue
    fi
    sort -u -o "$TARGET_DIR/subdomains.txt" "$TARGET_DIR/subdomains.txt"
    # Two separate paths: a single quoted string would be treated as one (non-existent) file
    rm -f "$TARGET_DIR/sublist3r.txt" "$TARGET_DIR/subdomainizer.txt"
done < "$domains_file"

--------------------------------------------------------------------------------
/bin/git_scan:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: git_scan <target_dir>
# Searches GitHub for secrets that mention the target's subdomains.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/subdomains.txt" ]; then
    echo -e "$Error subdomains.txt not found. Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Checking for possible leaked secrets of $target_name on GitHub using githound..."
git-hound --dig-files --dig-commits --many-results --threads 100 \
    --subdomain-file "$1/subdomains.txt" | tee "$1/githound.txt"

--------------------------------------------------------------------------------
/bin/handle_diff:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: handle_diff <target_dir> <name>
# Replaces <target_dir>/<name>.txt with <target_dir>/new_<name>.txt and writes
# the unified diff between the two to <target_dir>/<name>.diff (empty when
# nothing changed). notify_changes later uploads a non-empty diff to Slack.

sort -u -o "$1/new_$2.txt" "$1/new_$2.txt"
if [[ ! -f "$1/$2.txt" ]]; then
    # First run: the fresh list becomes the baseline
    mv "$1/new_$2.txt" "$1/$2.txt"
else
    diff -u "$1/$2.txt" "$1/new_$2.txt" | tee "$1/$2.diff"
    rm -f "$1/$2.txt"
    mv "$1/new_$2.txt" "$1/$2.txt"
    sort -u -o "$1/$2.txt" "$1/$2.txt"
fi

--------------------------------------------------------------------------------
/bin/notify_changes:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: notify_changes <target_dir> <name> <slack_channel_id>
# Uploads <target_dir>/<name>.diff to Slack if it is non-empty.

source "$HOME/.recon-scripts/vars.sh"

target_name=$(basename "$1")
if [ -s "$1/$2.diff" ]; then
    comment="Changes detected in $2.txt of $target_name"
    curl -F file="@$1/$2.diff" \
        -F "initial_comment=$comment" \
        -F "channels=$3" \
        -H "Authorization: Bearer $SLACKBOT_TOKEN" \
        https://slack.com/api/files.upload
    echo ""
else
    echo -e "$Info No changes detected in $1/$2.txt"
fi

--------------------------------------------------------------------------------
/bin/notify_general:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: notify_general <message>
# Posts <message> to the general alert channel.
# Note: $1 is spliced into the JSON body verbatim, so keep messages free of
# double quotes and backslashes or the request body becomes invalid JSON.

source "$HOME/.recon-scripts/vars.sh"

curl -X POST \
    -H "Content-type: application/json" \
    -H "Authorization: Bearer $SLACKBOT_TOKEN" \
    -d "{\"channel\": \"$SLACK_ALERT_GENERAL_CHANNEL_ID\", \"text\": \"$1\"}" \
    https://slack.com/api/chat.postMessage > /dev/null 2>&1

echo -e "$Info Slack notification sent to #general"

--------------------------------------------------------------------------------
/bin/notify_xss:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: notify_xss <target_dir> <name> <slack_channel_id>
# Uploads <target_dir>/<name>.txt to Slack when it contains findings.
# -s rather than -f: nuclei creates the output file even when it finds nothing,
# and empty files are only pruned at the end of the scan.

source "$HOME/.recon-scripts/vars.sh"

target_name=$(basename "$1")
if [ -s "$1/$2.txt" ]; then
    comment="XSS detected in $2.txt of $target_name"
    curl -F file="@$1/$2.txt" \
        -F "initial_comment=$comment" \
        -F "channels=$3" \
        -H "Authorization: Bearer $SLACKBOT_TOKEN" \
        https://slack.com/api/files.upload
    echo ""
else
    echo -e "$Info No XSS detected in $1/$2.txt"
fi

--------------------------------------------------------------------------------
/bin/nuclei_scan:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: nuclei_scan <target_dir>
# Runs one nuclei template category at a time; results land in <target_dir>/nuclei/.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/webservers.txt" ]; then
    echo -e "$Error webservers.txt not found. Skipping..."
    exit 0
fi

nuclei_dir="$1/nuclei"
mkdir -p "$nuclei_dir"

target_name=$(basename "$1")
echo -e "$Run Scanning for low-hanging fruits on $target_name assets using nuclei..."
nuclei -silent -pbar -l "$1/webservers.txt" -t "$NUCLEI_TEMPLATES_PATH/cves" -o "$nuclei_dir/cves.txt"
nuclei -silent -pbar -l "$1/webservers.txt" -t "$NUCLEI_TEMPLATES_PATH/subdomain-takeover" -o "$nuclei_dir/subdomain-takeover.txt"
nuclei -silent -pbar -l "$1/webservers.txt" -t "$NUCLEI_TEMPLATES_PATH/dns" -o "$nuclei_dir/dns.txt"
nuclei -silent -pbar -l "$1/webservers.txt" -t "$NUCLEI_TEMPLATES_PATH/vulnerabilities" -o "$nuclei_dir/vulnerabilities.txt"
nuclei -silent -pbar -l "$1/webservers.txt" -t "$NUCLEI_TEMPLATES_PATH/default-credentials" -o "$nuclei_dir/default-credentials.txt"
nuclei -silent -pbar -l "$1/webservers.txt" -t "$NUCLEI_TEMPLATES_PATH/workflows" -o "$nuclei_dir/workflows.txt"

# Custom templates run against the crawled URLs, which only exist after crawl_urls
if [ ! -f "$1/urls.txt" ]; then
    exit 0
fi
nuclei -silent -pbar -l "$1/urls.txt" -t "$CUSTOM_NUCLEI_TEMPLATES_PATH" -o "$nuclei_dir/custom.txt"

--------------------------------------------------------------------------------
/bin/probe_subdomains:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: probe_subdomains <target_dir>
# Finds which subdomains answer over HTTP(S) and merges them into webservers.txt.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/subdomains.txt" ]; then
    echo -e "$Error subdomains.txt not found. Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Probing subdomains of $target_name using httpx..."
httpx -verbose -l "$1/subdomains.txt" -o "$1/new_webservers.txt"
cat "$1/new_webservers.txt" >> "$1/webservers.txt"
sort -u -o "$1/webservers.txt" "$1/webservers.txt"
rm -f "$1/new_webservers.txt"

--------------------------------------------------------------------------------
/bin/take_screenshots:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: take_screenshots <target_dir>

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/webservers.txt" ]; then
    echo -e "$Error webservers.txt not found. Skipping..."
    exit 0
fi

screenshots_dir="$1/screenshots"
mkdir -p "$screenshots_dir"
target_name=$(basename "$1")
echo -e "$Run Taking screenshots of $target_name sites using aquatone..."
cat "$1/webservers.txt" | aquatone -debug -threads=5 -ports=80,443 -resolution=800,600 -chrome-path="$CHROME_PATH" -out "$screenshots_dir"

--------------------------------------------------------------------------------
/bin/xss_advanced:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: xss_advanced <target_dir>
# Runs XSStrike against every URL in urls.txt; one log per URL under xsstrike/.
# Note: configure blind XSS payload in xsstrike/core/config.py

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/urls.txt" ]; then
    echo -e "$Error urls.txt not found. Skipping..."
    exit 0
fi

# "return" is only valid inside a function; a standalone script must exit
if [[ ! -f "$XSSTRIKE_PATH" ]]; then
    echo -e "$Error XSStrike not found at '$XSSTRIKE_PATH' (check XSSTRIKE_PATH in vars.sh). Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Scanning for XSS on $target_name urls using xsstrike..."
mkdir -p "$1/xsstrike"
while IFS= read -r site; do
    [[ -n $site ]] || continue
    echo -e "$Run Testing: $site"
    logfile="$1/xsstrike/${site//[\/,:]/_}.log"
    python3 "$XSSTRIKE_PATH" \
        --crawl --blind --params --skip \
        --file-log-level VULN --log-file "$logfile" \
        -u "$site" || true
done < "$1/urls.txt"

--------------------------------------------------------------------------------
/bin/xss_basic:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: xss_basic <target_dir>
# Quick XSS check of the crawled URLs with two generic nuclei templates.

source "$HOME/.recon-scripts/vars.sh"

if [ ! -f "$1/urls.txt" ]; then
    echo -e "$Error urls.txt not found. Skipping..."
    exit 0
fi

target_name=$(basename "$1")
echo -e "$Run Scanning for XSS on $target_name assets using nuclei..."
nuclei -silent -pbar -l "$1/urls.txt" -t "$NUCLEI_TEMPLATES_PATH/generic-detections/basic-xss-prober.yaml" -o "$1/basic_xss.txt"
nuclei -silent -pbar -l "$1/urls.txt" -t "$NUCLEI_TEMPLATES_PATH/generic-detections/top-15-xss.yaml" -o "$1/top_15_xss.txt"

--------------------------------------------------------------------------------
/configure:
--------------------------------------------------------------------------------
#!/bin/bash
# One-line installer: clones recon-scripts to $HOME/.recon-scripts and adds bin/ to PATH.

if [ -d "$HOME/.recon-scripts" ]; then
    echo "Looks like recon-scripts is already installed in your system"
    exit 1
fi

git clone https://github.com/tedmdelacruz/recon-scripts.git "$HOME/.recon-scripts"

# RECON_SCRIPTS_PATH already set means a previous install configured the shell startup file
if [ -n "$RECON_SCRIPTS_PATH" ]; then
    exit 1
fi

# Both lines are needed: the PATH entry expands RECON_SCRIPTS_PATH, so it has to be defined first
path_lines='export RECON_SCRIPTS_PATH="$HOME/.recon-scripts"
export PATH="$PATH:$RECON_SCRIPTS_PATH/bin"'

case "$SHELL" in
    */zsh)
        echo "Shell detected: zsh"
        echo "Installing recon-scripts to \$PATH..."
        echo "$path_lines" >> ~/.zshrc ;;
    */bash)
        echo "Shell detected: bash"
        echo "Installing recon-scripts to \$PATH..."
        echo "$path_lines" >> ~/.bashrc ;;
    *)
        echo "Could not detect shell"
        echo "Please add the following to your shell startup file"
        echo "$path_lines" ;;
esac

echo ""
echo "Please configure vars.sh from $HOME/.recon-scripts/vars.example"
echo "then restart your shell with exec \$SHELL"

--------------------------------------------------------------------------------
/cron/daily.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Crawls all targets in the targets directory
# and scans each target for basic XSS.
# Also notifies for any changes in JS URLs

set -e

source "$HOME/.recon-scripts/includes/init.sh"

cd "$TARGETS_DIR"
for target in *; do
    [[ -d $target ]] || continue
    target_dir="$TARGETS_DIR/$target"

    crawl_urls "$target_dir"
    xss_basic "$target_dir"
    notify_xss "$target_dir" "basic_xss" "$SLACK_ALERT_XSS_CHANNEL_ID"
    notify_xss "$target_dir" "top_15_xss" "$SLACK_ALERT_XSS_CHANNEL_ID"
    crawl_js "$target_dir"
    notify_changes "$target_dir" "js" "$SLACK_ALERT_JS_FILES_CHANNEL_ID"
done
# Prune empty result files left behind by tools that found nothing
find . -size 0 -delete

--------------------------------------------------------------------------------
/includes/init.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Sourced by every scan: prints the banner, validates TARGETS_DIR and the
# targets given on the command line, and exports SELECTED_TARGETS.

source "$HOME/.recon-scripts/vars.sh"

echo -e "${BPurple}
   ________  _________  ____     _______________(_)___  / /______
  / ___/ _ \/ ___/ __ \/ __ \   / ___/ ___/ ___/ / __ \/ __/ ___/
 / /  /  __/ /__/ /_/ / / / /  (__  ) /__/ /  / / /_/ / /_(__  )
/_/   \___/\___/\____/_/ /_/  /____/\___/_/  /_/ .___/\__/____/
                                              /_/
"
echo -e "${BPurple}Version:${Reset} $(cat "$HOME/.recon-scripts/VERSION") "
echo -e "${BPurple}Author:${Reset} tedm.infosec"
# echo -e "${BPurple}Contributors:${Reset} Your name here!"
echo ""

sleep 1

if [ ! -d "$TARGETS_DIR" ]; then
    echo -e "${Red}Directory '$TARGETS_DIR' does not exist${Reset}"
    exit 0
fi

if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        if [ ! -d "$TARGETS_DIR/$target" ]; then
            echo -e "${Red}$target is not a valid target in $TARGETS_DIR${Reset}"
            exit 0
        fi
    done
    SELECTED_TARGETS="$*"
fi

echo -e "$Info Directory containing targets: $TARGETS_DIR"
if [ -n "$SELECTED_TARGETS" ]; then
    echo -e "$Info Selected targets in $TARGETS_DIR: $SELECTED_TARGETS"
fi

delete_empty_files() {
    find "$1" -size 0 -delete
}

--------------------------------------------------------------------------------
/scans/bombard.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Comprehensive scan against a target
# Includes a nuclei vulnerability scan
# and an XSStrike scan against assets
# Quite noisy, can risk getting IP-blocked by a WAF

set -e

source "$HOME/.recon-scripts/includes/init.sh"

if [ -z "$SELECTED_TARGETS" ]; then
    echo ""
    echo -e "${Red} Target(s) in $TARGETS_DIR must be provided${Reset}"
    exit 0
fi

for target in $SELECTED_TARGETS; do
    target_dir="$TARGETS_DIR/$target"

    dir_brute "$target_dir"
    xss_basic "$target_dir"
    xss_advanced "$target_dir"
    notify_general ":boom: Done running bombardment on target: $target"
    delete_empty_files "$target_dir"
done

--------------------------------------------------------------------------------
/scans/comsat.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Takes screenshots of webservers
# and runs the nuclei scan against selected targets

set -e

source "$HOME/.recon-scripts/includes/init.sh"

if [ -z "$SELECTED_TARGETS" ]; then
    echo ""
    echo -e "${Red} Target(s) in $TARGETS_DIR must be provided${Reset}"
    exit 0
fi

for target in $SELECTED_TARGETS; do
    target_dir="$TARGETS_DIR/$target"

    nuclei_scan "$target_dir"
    take_screenshots "$target_dir"
    notify_general ":satellite: Done running comsat on target: $target"
done

--------------------------------------------------------------------------------
/scans/dumpster_dive.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Checks for GitHub leaks and vulnerable cloud buckets of selected targets

set -e

source "$HOME/.recon-scripts/includes/init.sh"

if [ -z "$SELECTED_TARGETS" ]; then
    echo ""
    echo -e "${Red} Target(s) in $TARGETS_DIR must be provided${Reset}"
    exit 0
fi

for target in $SELECTED_TARGETS; do
    target_dir="$TARGETS_DIR/$target"

    cloud_bucket_enum "$target_dir"
    git_scan "$target_dir"
    notify_general ":recycle: Done dumpster diving on target: $target"
done

--------------------------------------------------------------------------------
/scans/nuke.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Comprehensive scan on all targets in the targets directory

set -e

source "$HOME/.recon-scripts/includes/init.sh"

cd "$TARGETS_DIR"
for target in *; do
    [[ -d $target ]] || continue
    target_dir="$TARGETS_DIR/$target"

    enumerate_subdomains "$target_dir"
    probe_subdomains "$target_dir"
    crawl_urls "$target_dir"
    cloud_bucket_enum "$target_dir"
    dir_brute "$target_dir"
    nuclei_scan "$target_dir"
    xss_basic "$target_dir"
    xss_advanced "$target_dir"
    notify_general ":boom: Done nuking target: $target"
    delete_empty_files "$target_dir"
done

--------------------------------------------------------------------------------
/scans/snipe.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Scans the selected targets in the targets directory

set -e

source "$HOME/.recon-scripts/includes/init.sh"

if [ -z "$SELECTED_TARGETS" ]; then
    echo ""
    echo -e "${Red} Target(s) in $TARGETS_DIR must be provided${Reset}"
    exit 0
fi

for target in $SELECTED_TARGETS; do
    echo -e "$Run Sniping $target..."
    target_dir="$TARGETS_DIR/$target"

    enumerate_subdomains "$target_dir"
    probe_subdomains "$target_dir"
    cloud_bucket_enum "$target_dir"
    crawl_urls "$target_dir"
    crawl_js "$target_dir"
    xss_basic "$target_dir"
    take_screenshots "$target_dir"
    notify_general ":dart: Done sniping target: $target"
    delete_empty_files "$target_dir"
done

--------------------------------------------------------------------------------
/scans/sweep.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Initial scan for all targets in the targets directory
# Populates the following:
# - subdomains.txt
# - webservers.txt
# - urls.txt

set -e

source "$HOME/.recon-scripts/includes/init.sh"

cd "$TARGETS_DIR"
for target in *; do
    [[ -d $target ]] || continue
    target_dir="$TARGETS_DIR/$target"

    enumerate_subdomains "$target_dir"
    probe_subdomains "$target_dir"
    crawl_urls "$target_dir"
    notify_general ":satellite_antenna: Done sweeping target: $target"
    delete_empty_files "$target_dir"
done

--------------------------------------------------------------------------------
/scans/template.sh.example:
--------------------------------------------------------------------------------
#!/bin/bash
# Scans all targets in the targets directory

set -e

# init.sh must be sourced, not executed, so that TARGETS_DIR and delete_empty_files are available here
source "$HOME/.recon-scripts/includes/init.sh"

cd "$TARGETS_DIR"
for target in *; do
    [[ -d $target ]] || continue

    target_dir="$TARGETS_DIR/$target"

    # Add your tooling on all of your targets here
    # enumerate_subdomains "$target_dir"
    # probe_subdomains "$target_dir"
    # cloud_bucket_enum "$target_dir"
    # crawl_urls "$target_dir"
    # crawl_js "$target_dir"
    # take_screenshots "$target_dir"
done

--------------------------------------------------------------------------------
/scans/template_targeted.sh.example:
--------------------------------------------------------------------------------
#!/bin/bash
# Scans a single target in the targets directory

set -e

TARGET_DIR=$1
if [ -z "$TARGET_DIR" ]; then
    echo "A valid directory must be provided"
    exit 0
fi

if [ ! -d "$TARGET_DIR" ]; then
    echo "$TARGET_DIR is not a valid directory"
    exit 0
fi

# enumerate_subdomains "$TARGET_DIR"
# probe_subdomains "$TARGET_DIR"
# xss_advanced "$TARGET_DIR"
# cloud_bucket_enum "$TARGET_DIR"
# crawl_urls "$TARGET_DIR"
# crawl_js "$TARGET_DIR"
# nuclei_scan "$TARGET_DIR"
# take_screenshots "$TARGET_DIR"

echo ""
echo "Done."

--------------------------------------------------------------------------------
/vars.example:
--------------------------------------------------------------------------------
# Path to targets/ directory containing your targets
# Each target should be a directory with at least a domains.txt to get things started
# The targets folder should look something like this:
# targets/
#   tesla/
#   └── domains.txt
#   shopify/
#   └── domains.txt
TARGETS_DIR="$HOME/paths/to/targets"

# Tooling paths
CHROME_PATH="path/to/chrome"
SECLISTS_PATH="path/to/SecLists-master"
CLOUD_ENUM_PATH="$HOME/path/to/cloud_enum/cloud_enum.py"
CLOUD_ENUM_WORDLIST_PATH="$HOME/path/to/wordlist.txt"
SUBLIST3R_PATH="$HOME/path/to/sublist3r/sublist3r.py"
SUBDOMAINIZER_PATH="$HOME/path/to/subdomainizer/SubDomainizer.py"
S3SCANNER_PATH="$HOME/path/to/s3scanner/s3scanner.py"
XSSTRIKE_PATH="$HOME/path/to/s0md3v/xsstrike/xsstrike.py"
NUCLEI_TEMPLATES_PATH="$HOME/path/to/nuclei-templates"
CUSTOM_NUCLEI_TEMPLATES_PATH="$HOME/path/to/custom-nuclei-templates"

# Slack bot token and channel IDs. vars.sh is git-ignored; keep it readable by you only (chmod 600)
SLACKBOT_TOKEN="xoxb-abcdef123456"
SLACK_ALERT_GENERAL_CHANNEL_ID="ABCDEF123456"
SLACK_ALERT_URLS_CHANNEL_ID="ABCDEF123456"
SLACK_ALERT_JS_FILES_CHANNEL_ID="ABCDEF123456"
SLACK_ALERT_XSS_CHANNEL_ID="ABCDEF123456"

# Reset
Color_Off='\033[0m'         # Text Reset
export Reset='\033[0m'      # Text Reset, the name the scripts use

# Regular Colors
export Black='\033[0;30m'   # Black
export Red='\033[0;31m'     # Red
export Green='\033[0;32m'   # Green
export Yellow='\033[0;33m'  # Yellow
export Blue='\033[0;34m'    # Blue
export Purple='\033[0;35m'  # Purple
export Cyan='\033[0;36m'    # Cyan
export White='\033[0;37m'   # White

# Bold
export BBlack='\033[1;30m'  # Black
export BRed='\033[1;31m'    # Red
export BGreen='\033[1;32m'  # Green
export BYellow='\033[1;33m' # Yellow
export BBlue='\033[1;34m'   # Blue
export BPurple='\033[1;35m' # Purple
export BCyan='\033[1;36m'   # Cyan
export BWhite='\033[1;37m'  # White

# Message prefixes used by the scripts in bin/, scans/ and cron/
# (the prefix strings are illustrative; any text works, but the names are required)
export Info="${BBlue}[i]${Reset}"
export Run="${BGreen}[+]${Reset}"
export Error="${BRed}[!]${Reset}"
--------------------------------------------------------------------------------
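The change-detection step that bin/handle_diff performs for urls.txt and js.txt (rotate the fresh crawl output into place and keep a diff) is the part of the framework that makes it an attack-surface monitor rather than a one-off scan. The example below is added here and is not part of recon-scripts: it uses the same new_<name>.txt / <name>.txt layout but also writes <name>.added and <name>.removed, so a notifier can alert only on assets seen for the first time instead of uploading the whole unified diff. Function names, the .added/.removed files and the demo data are this example's own.

```bash
#!/bin/bash
# Added example (not part of recon-scripts): snapshot rotation for a
# newline-delimited asset list, in the spirit of bin/handle_diff, extended
# to also write <name>.added and <name>.removed so a notifier can alert only
# on assets seen for the first time instead of sending the whole unified diff.
# Assumed layout (same as the framework): <target_dir>/new_<name>.txt is the
# fresh crawl output, <target_dir>/<name>.txt the previous snapshot (may be absent).

snapshot_rotate() {
    local dir="$1" name="$2"
    local cur="$dir/$name.txt" new="$dir/new_$name.txt"

    [ -f "$new" ] || { echo "snapshot_rotate: $new not found" >&2; return 1; }

    # Normalise the fresh list: drop blank lines, dedupe and sort (comm needs sorted input).
    sed '/^[[:space:]]*$/d' "$new" | sort -u > "$new.tmp" && mv "$new.tmp" "$new"

    if [ ! -f "$cur" ]; then
        # First run: no baseline to compare against, so nothing counts as new.
        mv "$new" "$cur"
        : > "$dir/$name.added"
        : > "$dir/$name.removed"
        return 0
    fi

    sort -u -o "$cur" "$cur"
    comm -13 "$cur" "$new" > "$dir/$name.added"        # lines only in the new snapshot
    comm -23 "$cur" "$new" > "$dir/$name.removed"      # lines only in the old snapshot
    diff -u "$cur" "$new" > "$dir/$name.diff" || true  # diff exits 1 whenever the files differ
    mv "$new" "$cur"
}

# Number of entries that appeared for the first time in the last rotation.
added_count() {
    local added="$1/$2.added"
    if [ -f "$added" ]; then wc -l < "$added" | tr -d ' '; else echo 0; fi
}

# Constructed demonstration data (not real crawl output): two crawls of one target.
# Prints the working directory so the caller can inspect the files.
snapshot_demo() {
    local dir
    dir=$(mktemp -d)
    # First crawl: a duplicate on purpose, which normalisation collapses.
    printf '%s\n' 'https://app.example.com/login' 'https://app.example.com/api/v1' \
        'https://app.example.com/login' > "$dir/new_urls.txt"
    snapshot_rotate "$dir" urls      # baseline of 2 urls, 0 added

    # Second crawl: /login is gone, /api/v2 and a staging host are new, plus a blank line.
    printf '%s\n' 'https://app.example.com/api/v1' 'https://app.example.com/api/v2' \
        'https://staging.example.com/debug' '' > "$dir/new_urls.txt"
    snapshot_rotate "$dir" urls      # 2 added, 1 removed
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo_dir=$(snapshot_demo)
    echo "new entries: $(added_count "$demo_dir" urls)"
    cat "$demo_dir/urls.added"
fi
```

Run with `bash snapshot_rotate.sh demo` to see the two new entries; in the framework a notifier would upload urls.added rather than urls.diff.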
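vars.sh is sourced by every script and carries the Slack bot token alongside the tool paths, so a value left at its vars.example placeholder fails quietly at run time and a group- or world-readable copy exposes the token to anyone else on the box. The preflight check below is added here and is not part of recon-scripts; it assumes the variable names and placeholder strings shipped in vars.example, and the demo files it builds are constructed, not real configuration.

```bash
#!/bin/bash
# Added example (not part of recon-scripts): a preflight check for vars.sh,
# meant to run before the scans or cron/daily.sh. Assumed: the variable
# names and placeholder values are the ones shipped in vars.example.

# Variables the bin/ scripts expect after sourcing vars.sh (a subset, for the demo).
REQUIRED_VARS="TARGETS_DIR NUCLEI_TEMPLATES_PATH SLACKBOT_TOKEN SLACK_ALERT_GENERAL_CHANNEL_ID"

# Prints one problem per line; returns 0 only when the file is usable.
check_vars_file() {
    local vars_file="$1" problems=0 name value

    if [ ! -f "$vars_file" ]; then
        echo "missing: $vars_file (copy vars.example to vars.sh and fill it in)"
        return 1
    fi

    # The token is a credential: refuse a file with a group (0040) or other (0004) read bit.
    if [ -n "$(find "$vars_file" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "permissions: $vars_file is readable by group/others (chmod 600)"
        problems=$((problems + 1))
    fi

    # Source the file in a subshell so its variables stay out of the caller's environment.
    for name in $REQUIRED_VARS; do
        value=$( . "$vars_file" 2>/dev/null; eval "printf '%s' \"\${$name}\"" )
        case "$value" in
            "")
                echo "unset: $name"
                problems=$((problems + 1)) ;;
            xoxb-abcdef123456|ABCDEF123456|*path*/to/*)
                # Heuristic: the example token/channel id and its "path/to/" style paths.
                echo "placeholder: $name still has the example value"
                problems=$((problems + 1)) ;;
        esac
    done

    [ "$problems" -eq 0 ]
}

# Constructed demonstration files (not real configuration). Each prints its path.
demo_bad_vars() {
    local dir
    dir=$(mktemp -d)
    # The shipped example values, left unedited and world-readable.
    cat > "$dir/vars.sh" <<'EOF'
TARGETS_DIR="$HOME/paths/to/targets"
NUCLEI_TEMPLATES_PATH="$HOME/path/to/nuclei-templates"
SLACKBOT_TOKEN="xoxb-abcdef123456"
SLACK_ALERT_GENERAL_CHANNEL_ID="ABCDEF123456"
EOF
    chmod 644 "$dir/vars.sh"
    echo "$dir/vars.sh"
}

demo_good_vars() {
    local dir
    dir=$(mktemp -d)
    # Filled-in values (constructed, not a real token or channel) with owner-only permissions.
    cat > "$dir/vars.sh" <<EOF
TARGETS_DIR="$dir/targets"
NUCLEI_TEMPLATES_PATH="$dir/nuclei-templates"
SLACKBOT_TOKEN="xoxb-constructed-demo-token"
SLACK_ALERT_GENERAL_CHANNEL_ID="C0DEMO00001"
EOF
    chmod 600 "$dir/vars.sh"
    echo "$dir/vars.sh"
}

if [ "${1:-}" = "check" ]; then
    check_vars_file "$HOME/.recon-scripts/vars.sh" && echo "vars.sh looks usable"
fi
```

Calling it as the first line of includes/init.sh (`check_vars_file "$HOME/.recon-scripts/vars.sh" || exit 1`) stops a scan before any tool runs with a half-configured file.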