├── LICENSE
├── README.md
├── images
│   └── scriptkiddi3Nobg.png
├── installer.sh
└── scriptkiddi3.sh
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 Neh Patel
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Streamline your recon and vulnerability detection process with SCRIPTKIDDI3,
6 | A recon and initial vulnerability detection tool built using shell script and open source tools.
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 | How it works •
21 | Installation •
22 | Install with Docker •
23 | Usage •
24 | MODES •
25 | Important Notes | Webhook configurations •
26 | For Developers •
27 | Credits
28 |
29 |
30 | ---
31 |
32 |
33 |
34 | Introducing SCRIPTKIDDI3, a powerful recon and initial vulnerability detection tool for Bug Bounty Hunters. Built using a variety of open-source tools and a shell script, SCRIPTKIDDI3 allows you to quickly and efficiently run a scan on the target domain and identify potential vulnerabilities.
35 |
36 | SCRIPTKIDDI3 begins by performing recon on the target system, collecting information such as subdomains, and running services with nuclei. It then uses this information to scan for known vulnerabilities and potential attack vectors, alerting you to any high-risk issues that may need to be addressed.
37 |
38 | In addition, SCRIPTKIDDI3 also includes features for identifying misconfigurations and insecure default settings with nuclei templates, helping you ensure that your systems are properly configured and secure.
39 |
40 | SCRIPTKIDDI3 is an essential tool for conducting thorough and effective recon and vulnerability assessments.
41 | Let's Find Bugs with SCRIPTKIDDI3
42 |
43 | [Thanks ChatGPT for the Description]
44 |
45 |
46 | ---
47 | ## How it Works ?
48 | This tool mainly performs 3 tasks
49 | 1. Effective Subdomain Enumeration from Various Tools
50 | 2. Get URLs with open HTTP and HTTPS service.
51 | 3. Run a Nuclei and other scans on previous output
52 | So basically, this is an automation script for your initial recon in bug bounty.
53 |
54 | ---
55 |
56 | ## Install SCRIPTKIDDI3
57 | SCRIPTKIDDI3 requires different tools to run successfully. Run the following commands to install the latest version with all requirements:
58 |
59 | ```sh
60 | git clone https://github.com/thecyberneh/scriptkiddi3.git
61 | cd scriptkiddi3
62 | bash installer.sh
63 | ```
64 | ### Install with Docker
65 |
66 | ScriptKiddi3 is now available as a Docker container, allowing users to access and utilize this powerful tool effortlessly on various platforms, including Windows, Linux, and more. This README provides a quick guide on how to get started with the ScriptKiddi3 Docker container.
67 |
68 | Get the Docker image of scriptkiddi3
69 | ```sh
70 | docker pull thecyberneh/scriptkiddi3:v1
71 | ```
72 |
73 | How to run the Docker image of Scriptkiddi3 ?
74 | ```sh
75 | docker run -it thecyberneh/scriptkiddi3:v1 /bin/bash
76 | ```
77 |
78 | **You can always check [SCRIPTKIDDI3's docker repository](https://hub.docker.com/r/thecyberneh/scriptkiddi3).**
79 |
80 | ---
81 |
82 | ## Usage
83 |
84 | ```sh
85 | scriptkiddi3 -h
86 | ```
87 | This will display help for the tool. Here are all the switches it supports.
88 |
89 | ```console
90 | [ABOUT:]
91 | Streamline your recon and vulnerability detection process with SCRIPTKIDDI3,
92 | A recon and initial vulnerability detection tool built using shell script and open source tools.
93 |
94 |
95 | [Usage:]
96 | scriptkiddi3 [MODE] [FLAGS]
97 | scriptkiddi3 -m EXP -d target.com -c /path/to/config.yaml
98 |
99 |
100 | [MODES:]
101 | ['-m'/'--mode']
102 | Available Options for MODE:
103 | SUB | sub | SUBDOMAIN | subdomain Run scriptkiddi3 in SUBDOMAIN ENUMERATION mode
104 | URL | url Run scriptkiddi3 in URL ENUMERATION mode
105 | EXP | exp | EXPLOIT | exploit Run scriptkiddi3 in Full Exploitation mode
106 |
107 |
108 | Feature of EXPLOIT mode : subdomain enumaration, URL Enumeration,
109 | Vulnerability Detection with Nuclei,
110 | and Scan for SUBDOMAINE TAKEOVER
111 |
112 | [FLAGS:]
113 | [TARGET:] -d, --domain target domain to scan
114 |
115 | [CONFIG:] -c, --config path of your configuration file for subfinder
116 |
117 | [HELP:] -h, --help to get help menu
118 |
119 | [UPDATE:] -u, --update to update tool
120 |
121 | [Examples:]
122 | Run scriptkiddi3 in full Exploitation mode
123 | scriptkiddi3 -m EXP -d target.com
124 |
125 |
126 | Use your own CONFIG file for subfinder
127 | scriptkiddi3 -m EXP -d target.com -c /path/to/config.yaml
128 |
129 |
130 | Run scriptkiddi3 in SUBDOMAIN ENUMERATION mode
131 | scriptkiddi3 -m SUB -d target.com
132 |
133 |
134 | Run scriptkiddi3 in URL ENUMERATION mode
135 | scriptkiddi3 -m URL -d target.com
136 |
137 | ```
138 |
139 | ---
140 |
141 |
142 | ## MODES
143 | #### 1. FULL EXPLOITATION MODE
144 | Run SCRIPTKIDDI3 in FULL EXPLOITATION MODE
145 | ```sh
146 | scriptkiddi3 -m EXP -d target.com
147 | ```
148 |
149 | FULL EXPLOITATION MODE contains following functions
150 | - Effective Subdomain Enumeration with different services and open source tools
151 | - Effective URL Enumeration ( HTTP and HTTPs service )
152 | - Run Vulnerability Detection with Nuclei
153 | - Subdomain Takeover Test on previous results
154 |
155 |
156 | #### 2. SUBDOMAIN ENUMERATION MODE
157 | Run scriptkiddi3 in SUBDOMAIN ENUMERATION MODE
158 | ```sh
159 | scriptkiddi3 -m SUB -d target.com
160 | ```
161 | SUBDOMAIN ENUMERATION MODE contains following functions
162 | - Effective Subdomain Enumeration with different services and open source tools
163 | - You can use this mode if you only want to get subdomains from this tool
164 | or we can say Automation of Subdomain Enumeration by different tools
165 |
166 |
167 | #### 3. URL ENUMERATION MODE
168 | Run scriptkiddi3 in URL ENUMERATION MODE
169 | ```sh
170 | scriptkiddi3 -m URL -d target.com
171 | ```
172 | URL ENUMERATION MODE contains following functions
173 | - Same Feature as SUBDOMAIN ENUMERATION MODE but also identifies HTTP or HTTPS service
174 |
175 | Using your own CONFIG File for subfinder
176 | ```sh
177 | scriptkiddi3 -m EXP -d target.com -c /path/to/config.yaml
178 | ```
179 | You can also provide your own CONFIG file with your API keys for subdomain enumeration with subfinder.
180 |
181 | Updating tool to latest version
182 | You can run following command to update tool
183 | ```sh
184 | scriptkiddi3 -u
185 | ```
186 |
187 | An Example of config.yaml
188 | ```yaml
189 | binaryedge:
190 | - 0bf8919b-aab9-42e4-9574-d3b639324597
191 | - ac244e2f-b635-4581-878a-33f4e79a2c13
192 | censys:
193 | - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
194 | certspotter: []
195 | passivetotal:
196 | - sample-email@user.com:sample_password
197 | securitytrails: []
198 | shodan:
199 | - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
200 | github:
201 | - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
202 | - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
203 | zoomeye:
204 | - zoomeye_username:zoomeye_password
205 | ```
206 |
207 | ---
208 |
209 | ## Important Notes | Webhook configurations
210 | - Scriptkiddi3 uses webhooks to send notifications to your Discord/MSTeam/Telegram and other services, so make sure to configure the webhooks by adding the URL of your webhook in
211 | `/$HOME/.config/notify/provider-config.yaml`
212 | - The default links will send the notification to my (thecyberneh's) Discord and MSTeam, so replace them with your own before running a scan.
213 | - You can paste the URL of your own webhook in the following `provider-config.yaml` file (do not forget to save it at `/$HOME/.config/notify/provider-config.yaml`):
214 | ```yaml
215 | slack:
216 |   - id: "slack"
217 |     slack_channel: "recon"
218 |     slack_username: "test"
219 |     slack_format: "{{data}}"
220 |     slack_webhook_url: "https://hooks.slack.com/services/XXXXXX"
221 |
222 |   - id: "vulns"
223 |     slack_channel: "vulns"
224 |     slack_username: "test"
225 |     slack_format: "{{data}}"
226 |     slack_webhook_url: "https://hooks.slack.com/services/XXXXXX"
227 |
228 | discord:
229 |   - id: "crawl"
230 |     discord_channel: "crawl"
231 |     discord_username: "test"
232 |     discord_format: "{{data}}"
233 |     discord_webhook_url: "https://discord.com/api/webhooks/XXXXXXXX"
234 |
235 |   - id: "subs"
236 |     discord_channel: "subs"
237 |     discord_username: "test"
238 |     discord_format: "{{data}}"
239 |     discord_webhook_url: "https://discord.com/api/webhooks/XXXXXXXX"
240 |
241 | telegram:
242 |   - id: "tel"
243 |     telegram_api_key: "XXXXXXXXXXXX"
244 |     telegram_chat_id: "XXXXXXXX"
245 |     telegram_format: "{{data}}"
246 |     telegram_parsemode: "Markdown" # None/Markdown/MarkdownV2/HTML (https://core.telegram.org/bots/api#formatting-options)
247 |
248 | pushover:
249 |   - id: "push"
250 |     pushover_user_key: "XXXX"
251 |     pushover_api_token: "YYYY"
252 |     pushover_format: "{{data}}"
253 |     pushover_devices:
254 |       - "iphone"
255 |
256 | smtp:
257 |   - id: email
258 |     smtp_server: mail.example.com
259 |     smtp_username: test@example.com
260 |     smtp_password: password
261 |     from_address: from@email.com
262 |     smtp_cc:
263 |       - to@email.com
264 |     smtp_format: "{{data}}"
265 |     subject: "Email subject"
266 |     smtp_html: false
267 |     smtp_disable_starttls: false
268 |
269 | googlechat:
270 |   - id: "gc"
271 |     key: "XXXXXXXX"
272 |     token: "XXXXXX"
273 |     space: "XXXXXX"
274 |     google_chat_format: "{{data}}"
275 |
276 | teams:
277 |   - id: "recon"
278 |     teams_webhook_url: "https://.webhook.office.com/webhookb2/xx@xx/IncomingWebhook/xx"
279 |     teams_format: "{{data}}"
280 |
281 | custom:
282 |   - id: webhook
283 |     custom_webhook_url: http://host/api/webhook
284 |     custom_method: GET
285 |     custom_format: '{{data}}'
286 |     custom_headers:
287 |       Content-Type: application/json
288 |       X-Api-Key: XXXXX
289 |
290 | custom:
291 |   - id: webhookJson
292 |     custom_webhook_url: http://host/api/webhook
293 |     custom_method: GET
294 |     custom_format: '{"text":{{dataJsonString}} }'
295 |     custom_headers:
296 |       Content-Type: application/json
297 |       X-Api-Key: XXXXX
298 |
299 | custom:
300 |   - id: webhook
301 |     custom_webhook_url: http://host/api/webhook
302 |     custom_method: GET
303 |     custom_sprig: '{"text":"{{ .url }}"}'
304 |     custom_headers:
305 |       Content-Type: application/json
306 |       X-Api-Key: XXXXX
307 | ```
308 |
309 | ---
310 |
311 | ## For Developers
312 | If you have ideas for new functionality or modes that you would like to see in this tool, you can always submit a pull request (PR) to contribute your changes.
313 |
314 | If you have any other queries, you can always contact me on Twitter(thecyberneh)
315 |
316 |
317 | ## Credits
318 | I would like to express my gratitude to all of the open source projects that have made this tool possible and have made recon tasks easier to accomplish.
319 |
--------------------------------------------------------------------------------
/images/scriptkiddi3Nobg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thecyberneh/scriptkiddi3/934ea1550d87a3aec2ac32df983a19a377c407ee/images/scriptkiddi3Nobg.png
--------------------------------------------------------------------------------
/installer.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | sudo apt-get install shc
3 | sudo apt-get install jq
4 | sudo apt-get install unzip
5 | #sudo apt install cargo
6 | go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
7 | go install -v github.com/owasp-amass/amass/v4/...@master
8 | go install github.com/ffuf/ffuf/v2@latest
9 | go install -v github.com/LukaSikic/subzy@latest
10 | go install -v github.com/projectdiscovery/notify/cmd/notify@latest
11 | wget https://github.com/findomain/findomain/releases/latest/download/findomain-linux.zip
12 | unzip findomain-linux.zip
13 | mv findomain /$HOME/go/bin
14 | chmod 755 /$HOME/go/bin/findomain
15 | go install github.com/tomnomnom/httprobe@latest
16 | go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
17 | go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
18 | #wget https://github.com/junnlikestea/vita/releases/download/0.1.16/vita-0.1.16-x86_64-unknown-linux-musl.tar.gz
19 | #tar xsvf vita-0.1.16-x86_64-unknown-linux-musl.tar.gz
20 | #cp vita-0.1.16-x86_64-unknown-linux-musl/vita /$HOME/go/bin/
21 | #chmod 777 /$HOME/go/bin/vita
22 |
23 | shc -f scriptkiddi3.sh
24 | mv scriptkiddi3.sh.x scriptkiddi3
25 | cp scriptkiddi3 /$HOME/go/bin
26 | chmod 755 /$HOME/go/bin/scriptkiddi3
27 | rm -rf scriptkiddi3.sh
28 |
29 | wget https://wordlists-cdn.assetnote.io/data/automated/httparchive_subdomains_2020_11_18.txt -O subdomains.txt
30 | sudo mkdir -p /usr/share/wordlists && sudo mv subdomains.txt /usr/share/wordlists/
31 | sudo chmod 644 /usr/share/wordlists/subdomains.txt
32 | mkdir -p /$HOME/.config/notify
33 | cd /$HOME/.config/ || exit 1
34 |
35 | wget "https://raw.githubusercontent.com/projectdiscovery/notify/main/cmd/integration-test/test-config.yaml"
36 | mv test-config.yaml provider-config.yaml
37 | mv provider-config.yaml /$HOME/.config/notify/
38 |
39 |
40 | echo -e "DO NOT FORGET TO ADD YOUR OWN WEBHOOK URL IN $HOME/.config/notify/provider-config.yaml"
41 |
--------------------------------------------------------------------------------
/scriptkiddi3.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | dblue="\e[0;94m"
4 | dred="\033[1;31m"
5 | lblue="\e[96m"
6 | lred="\033[31m"
7 | lyellow="\e[93m"
8 | yellow="\e[33m"
9 | reset="\e[0m"
10 |
11 |
12 |
13 |
14 | #--------------------------Functions------------------------------#
15 | #-----------------------------------------------------------------#
16 |
17 |
18 | #forBanner
19 | banner () {
20 | printf ""$lblue"
21 | ███████╗ ██████╗██████╗ ██╗██████╗ ████████╗██╗ ██╗██╗██████╗ ██████╗ ██╗██████╗
22 | ██╔════╝██╔════╝██╔══██╗██║██╔══██╗╚══██╔══╝██║ ██╔╝██║██╔══██╗██╔══██╗██║╚════██╗
23 | ███████╗██║ ██████╔╝██║██████╔╝ ██║ █████╔╝ ██║██║ ██║██║ ██║██║ █████╔╝
24 | ╚════██║██║ ██╔══██╗██║██╔═══╝ ██║ ██╔═██╗ ██║██║ ██║██║ ██║██║ ╚═══██╗
25 | ███████║╚██████╗██║ ██║██║██║ ██║ ██║ ██╗██║██████╔╝██████╔╝██║██████╔╝
26 | ╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝╚═╝╚═════╝ ╚═════╝ ╚═╝╚═════╝
27 |
28 |
29 | V0.2.0 (beta)
30 | Coded By Neh Patel with Love <3 ❤
31 | "$reset""
32 |
33 |
34 | printf ""$lred"
35 | Twitter :- https://twitter.com/thecyberneh
36 | Instagram :- https://www.instagram.com/thecyberneh/
37 | Linkedin :- https://linkedin.com/in/thecyberneh
38 | "$reset""
39 | echo -e "\n"
40 | }
41 |
42 |
43 |
44 | #-----------------------------------------------------------------#
45 |
46 |
47 | #for_print_INFO
48 | fun_info () {
49 | echo -e "[${dblue}INFO${reset}] "
50 | }
51 |
52 |
53 | #-----------------------------------------------------------------#
54 |
55 |
56 | #for_print_INIT
57 | fun_init () {
58 | echo -e "[${dblue}INIT${reset}] "
59 | }
60 |
61 |
62 | #-----------------------------------------------------------------#
63 |
64 |
65 | #for_print_INPUT
66 | fun_input () {
67 | echo -e "[${dblue}INPUT${reset}]"
68 | }
69 |
70 |
71 | #-----------------------------------------------------------------#
72 |
73 |
74 | #for_print_IMP
75 | fun_imp () {
76 | echo -e "[${dred}IMP${reset}] "
77 | }
78 |
79 |
80 | #-----------------------------------------------------------------#
81 |
82 |
83 | #for_print_ERR
84 | fun_err () {
85 | echo -e "[${dred}ERR${reset}] "
86 | }
87 |
88 |
89 | #-----------------------------------------------------------------#
90 |
91 |
92 | #for_create_directory
93 | fun_dir () {
94 | mkdir -p -- "${DOMAIN}" || exit 1
95 | cd -- "${DOMAIN}" || exit 1
96 | sleep .5
97 | echo -e "$(fun_info) Saving all output files in directory: ${DOMAIN}"
98 | sleep .5
99 | echo -e "\n"
100 | }
101 |
102 |
103 | #-----------------------------------------------------------------#
104 |
105 |
106 | #print_flags
107 | fun_flags () {
108 | sleep .5
109 | echo -e "$(fun_info) Target Domain:- $DOMAIN"
110 | echo -e "\n"
111 | sleep .5
112 | echo -e "$(fun_info) Config File:- $CONFIG"
113 | echo -e "\n"
114 | sleep .5
115 | echo -e "$(fun_info) Mode:- $MODE"
116 | echo -e "\n"
117 | }
118 |
119 |
120 | #-----------------------------------------------------------------#
121 |
122 |
123 | #for_help
124 | fun_help () {
125 | banner
126 | echo -e "${lyellow}[ABOUT]${reset}"
127 | echo -e " Streamline your recon and vulnerability detection process with SCRIPTKIDDI3,"
128 | echo -e " A recon and initial vulnerability detection tool built using shell script and open source tools."
129 | echo -e "\n"
130 | echo -e "${lyellow}[Usage:]${reset}"
131 | echo -e " scriptkiddi3 [MODE] [FLAGS]"
132 | echo -e " scriptkiddi3 -m EXP -d target.com -c /path/to/config.yaml"
133 | echo -e "\n"
134 |
135 | echo -e "${lyellow}[MODES:]${reset}"
136 | echo -e "${yellow} ['-m'/'--mode']${reset}"
137 | echo -e " Available Options for MODE: "
138 | echo -e " SUB | sub | SUBDOMAIN | subdomain Run scriptkiddi3 in SUBDOMAIN ENUMERATION mode"
139 | echo -e " URL | url Run scriptkiddi3 in URL ENUMERATION mode"
140 | echo -e " EXP | exp | EXPLOIT | exploit Run scriptkiddi3 in Full Exploitation mode"
141 | echo -e "\n"
142 | echo -e " Feature of EXPLOIT mode : subdomain enumaration, URL Enumeration,"
143 | echo -e " Vulnerability Detection with Nuclei,"
144 | echo -e " and Scan for SUBDOMAINE TAKEOVER"
145 | echo -e ""
146 |
147 |
148 | echo -e "${lyellow}[FLAGS:]${reset}"
149 | echo -e "${yellow} [TARGET:]${reset} -d, --domain target domain to scan"
150 | #echo -e " -d, --domain target domain to scan"
151 | echo -e "\n"
152 | echo -e "${yellow} [CONFIG:]${reset} -c, --config path of your configuration file for subfinder"
153 | #echo -e " -c, --config path of your configuration file for subfinder"
154 | echo -e "\n"
155 | echo -e "${yellow} [HELP:]${reset} -h, --help to get help menu"
156 | #echo -e " -h, --help to get help menu"
157 | echo -e "\n"
158 | echo -e "${yellow} [UPDATE:]${reset} -u, --update to update tool"
159 | echo -e "\n"
160 | echo -e "${lyellow}[Examples:]${reset}"
161 | echo -e " Run scriptkiddi3 in full Exploitation mode"
162 | echo -e "${lyellow} scriptkiddi3 -m EXP -d target.com${reset}"
163 |
164 | echo -e "\n"
165 | echo -e " Use your own CONFIG file for subfinder"
166 | echo -e "${lyellow} scriptkiddi3 -m EXP -d target.com -c /path/to/config.yaml${reset}"
167 | echo -e "\n"
168 |
169 | echo -e " Run scriptkiddi3 in SUBDOMAIN ENUMERATION mode"
170 | echo -e "${lyellow} scriptkiddi3 -m SUB -d target.com${reset}"
171 | echo -e "\n"
172 |
173 | echo -e " Run scriptkiddi3 in URL ENUMERATION mode"
174 | echo -e "${lyellow} scriptkiddi3 -m URL -d target.com${reset}"
175 | echo -e "\n"
176 | }
177 |
178 |
179 | #-----------------------------------------------------------------#
180 |
181 |
182 | #forRunSubzy
183 | run_subzy () {
184 | echo -e "$(fun_info) Checking for Subdomain Takeover " | notify -silent
185 | subzy run --targets allSubdomains.txt | tee subDomain_takeover_Results.txt
186 | echo -e "\n"
187 | }
188 |
189 |
190 | #-----------------------------------------------------------------#
191 |
192 |
193 | #for_run_Subfinder
194 | fun_subFinderEnum () {
195 | if [ "$CONFIG" = '' ]
196 | then
197 | echo -e "$(fun_init) Initializing SUBDOMAIN ENUMERATION from subfinder... " | notify -silent
198 | echo -e "\n"
199 | echo -e "$(fun_info) We are not using API Keys "
200 | echo -e "\n"
201 | echo -e "\n"
202 | subfinder -silent -d "$DOMAIN" -o subfinderWAPIResults.txt
203 | echo -e "\n"
204 | echo -e "\n"
205 | echo -e "$(fun_info) It will take some time depens on your target size "
206 | echo -e "\n"
207 | echo -e "\n"
208 | echo -e "$(fun_info) Subfider Enumeration Completed, Results saves in file: ${lyellow}subfinderWAPIResults.txt${reset}" | notify -silent
209 | touch subfinderNoAPIResults.txt
210 | echo -e "File touch done"
211 | else
212 | echo -e "$(fun_init) Initializing SUBDOMAIN ENUMERATION from subfinder... " | notify -silent
213 | echo -e "\n"
214 | echo -e "$(fun_info) We are using API Keys "
215 | echo -e "\n"
216 | echo -e "\n"
217 | subfinder -d "$DOMAIN" -pc "$CONFIG" -o subfinderNoAPIResults.txt
218 | echo -e "\n"
219 | echo -e "\n"
220 | echo -e "$(fun_info) Subfider Enumeration Completed, Results saves in file: ${lyellow}subfinderNoAPIResults.txt${reset}" | notify -silent
221 | touch subfinderWAPIResults.txt
222 | fi
223 | echo -e "\n"
224 | echo -e "$(fun_info) Removing Duplicates"
225 | echo -e "\n"
226 | sort subfinderWAPIResults.txt subfinderNoAPIResults.txt | uniq | tee subfinerMainResults.txt
227 |
228 | }
229 |
230 |
231 |
232 |
233 | #-----------------------------------------------------------------#
234 |
235 |
236 | #for_run_findomain
237 | fun_findomainEnum () {
238 | echo -e "\n"
239 | echo -e "$(fun_init) Initializing SUBDOMAIN ENUMERATION from findomain... " | notify -silent
240 | echo -e "\n"
241 | echo -e "\n"
242 | findomain --target "$DOMAIN" --output
243 | echo -e "\n"
244 | echo -e "\n"
245 | echo -e "$(fun_info) Findomain Enumeration Completed, Results saves in file: ${lyellow}${DOMAIN}.txt${reset}" | notify -silent
246 | }
247 |
248 |
249 | #-----------------------------------------------------------------#
250 |
251 |
252 | #for_ownedBy
253 | ownedby () {
254 | echo -e "\n"
255 | read -t 5 -p "$(fun_input) Want to scan on other Domain/Assets owned by company ? " OWNEDBY
256 | echo -e "\n"
257 | if [ "$OWNEDBY" = 'y' ] || [ "$OWNEDBY" = 'Y' ]
258 | then
259 | sleep .5
260 | echo -e "\n"
261 | echo -e "$(fun_init) Initializing SUBDOMAIN ENUMERATION from Amass intel... " | notify -silent
262 | echo -e "\n"
263 | echo -e "\n"
264 | amass intel -whois -d "$DOMAIN" -o amassIntelResults.txt
265 | echo -e "\n"
266 | echo -e "\n"
267 | echo -e "$(fun_info) Amass [Mode:Intel] Enumeration Completed, Results saves in file: ${lyellow}amassIntelResults.txt${reset}" | notify -silent
268 | else
269 | touch amassIntelResults.txt
270 | fi
271 | }
272 |
273 |
274 | #-----------------------------------------------------------------#
275 |
276 |
277 | #for_run_amassEnum
278 | fun_amassEnum () {
279 | echo -e "\n"
280 | echo -e "$(fun_init) Initializing SUBDOMAIN ENUMERATION from Amass enum... " | notify -silent
281 | echo -e "\n"
282 | echo -e "\n"
283 | amass enum -passive -norecursive -d "$DOMAIN" | tee amassEnumResults.txt
284 | echo -e "\n"
285 | echo -e "\n"
286 | echo -e "$(fun_info) Amass [Mode:Enum] Enumeration Completed, Results saves in file: ${lyellow}amassEnumResults.txt${reset}" | notify -silent
287 |
288 | ownedby
289 | sort amassEnumResults.txt amassIntelResults.txt | uniq | tee amassMainResults.txt
290 |
291 | }
292 |
293 |
294 | #-----------------------------------------------------------------#
295 |
296 |
297 | #for_run_ffufbrute
298 | fun_ffufBruteEnum () {
299 | echo -e "\n"
300 | read -t 5 -p "$(fun_input) Want to get subdomain with bruteforce ? " FFUFBF
301 | echo -e "\n"
302 | if [ "$FFUFBF" = 'y' ] || [ "$FFUFBF" = 'Y' ]
303 | then
304 | echo -e "\n"
305 | echo -e "$(fun_init) Initializing SUBDOMAIN ENUMERATION from FFUF Bruteforce... " | notify -silent
306 | echo -e "\n"
307 | echo -e "\n"
308 | ffuf -u "https://FUZZ.${DOMAIN}/" -w /usr/share/wordlists/subdomains.txt -v | grep '| URL |' | grep -Po '.*?//\K.*?(?=/)' | tee ffufBruteSubdResults.txt
309 | echo -e "\n"
310 | echo -e "\n"
311 | echo -e "$(fun_info) FFUF Bruteforce Completed, Results saves in file: ${lyellow}ffufBruteSubdResults.txt${reset}" | notify -silent
312 | else
313 | touch ffufBruteSubdResults.txt
314 | fi
315 | }
316 |
317 |
318 | #-----------------------------------------------------------------#
319 |
320 |
321 | #from_crtsh
322 | fun_crtshEnum () {
323 | echo -e "\n"
324 | echo -e "$(fun_init) Initializing SUBDOMAIN ENUMERATION from crt.sh ... " | notify -silent
325 | echo -e "\n"
326 | echo -e "\n"
327 | curl -s "https://crt.sh?q=${DOMAIN}&output=json" | jq ".[].common_name,.[].name_value" | cut -d'"' -f2 | sed 's/\\n/\n/g' | sed 's/\*\.//g'| sed -r 's/([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4})//g' | sort | uniq | tee crtshResults.txt
328 | echo -e "\n"
329 | echo -e "\n"
330 | echo -e "$(fun_info) CRT SH Bruteforce Completed, Results saves in file: ${lyellow}crtshResults.txt${reset}" | notify -silent
331 | }
332 |
333 | #-----------------------------------------------------------------#
334 |
335 |
336 | #for_gather_all_Subdomain
337 | fun_getAllSubd () {
338 | fun_subFinderEnum
339 | fun_findomainEnum
340 | #fun_amassEnum
341 | fun_ffufBruteEnum
342 | fun_crtshEnum
343 | echo -e "\n"
344 | echo -e "$(fun_info) Removing Duplicates"
345 | echo -e "\n"
346 | sort subfinerMainResults.txt "${DOMAIN}.txt" ffufBruteSubdResults.txt crtshResults.txt | uniq | tee allSubdomains.txt
347 | }
348 |
349 |
350 | #-----------------------------------------------------------------#
351 |
352 |
353 | #DomainToUrl
354 | fun_getUrl () {
355 | echo -e "\n"
356 | echo -e "$(fun_init) Getting URLs from httprobe... " | notify -silent
357 | echo -e "\n"
358 | echo -e "\n"
359 | cat allSubdomains.txt | httprobe | tee httprobeResults.txt
360 | echo -e "\n"
361 | echo -e "\n"
362 | echo -e "$(fun_init) Getting URLs from httpx... " | notify -silent
363 | echo -e "\n"
364 | echo -e "\n"
365 | echo -e "$(fun_info) It will take some time depens on your target size "
366 | echo -e "\n"
367 | echo -e "\n"
368 | cat allSubdomains.txt | httpx -silent | tee httpxResults.txt
369 | echo -e "\n"
370 | sort httprobeResults.txt httpxResults.txt | uniq | tee allUrls.txt
371 | echo -e "\n"
372 | echo -e "\n"
373 | echo -e "$(fun_info) URL Enumeration, Results saves in file: ${lyellow}allUrls.txt${reset}" | notify -silent
374 |
375 | }
376 |
377 |
378 | #-----------------------------------------------------------------#
379 |
380 |
381 | #run_nuclei
382 | fun_runNuclei () {
383 | echo -e "\n"
384 | echo -e "$(fun_init) Running Vulnerability detection " | notify -silent
385 | echo -e "\n"
386 | echo -e "\n"
387 | nuclei -silent -l allUrls.txt -t $HOME/nuclei-templates/ -o nucleiResults.txt --stats | notify -silent
388 | }
389 |
390 |
391 | #-----------------------------------------------------------------#
392 |
393 |
394 | #for_update
395 | fun_update () {
396 | git clone https://github.com/thecyberneh/scriptkiddi3.git
397 | cd scriptkiddi3 || exit 1
398 | bash installer.sh
399 | }
400 |
401 | #-----------------------------------------------------------------#
402 | #-----------------------------------------------------------------#
403 |
404 | while true; do
405 | case "$1" in
406 | '-d'|'--domain')
407 | if [ "$2" = '' ]
408 | then
409 | echo -e "$(fun_err) Value of '-d'/'--domain' must not be blank"
410 | exit
411 | fi
412 |
413 | DOMAIN=$2
414 | shift 2
415 | continue
416 | ;;
417 | '-m'|'--mode')
418 |
419 | if [ "$2" = '' ]
420 | then
421 | echo -e "$(fun_err) Value of '-m'/'--mode' must not be blank"
422 | echo -e "$(fun_info) Printing Help Menu"
423 | fun_help
424 | exit
425 | fi
426 |
427 | MODE=$2
428 | shift 2
429 | continue
430 | ;;
431 | '-c'|'--config')
432 |
433 | if [ "$2" = '' ]
434 | then
435 | echo -e "$(fun_err) Value of '-c'/'--config' must not be blank"
436 | echo -e "$(fun_info) Remove '-c'/'--config' flag if you want to run with default config"
437 | echo -e "$(fun_info) Printing Help Menu"; fun_help
438 | exit
439 | fi
440 |
441 | CONFIG=$2
442 | shift 2
443 | continue
444 | ;;
445 |
446 | '-h'| '--help')
447 | fun_help
448 | exit 1
449 | ;;
450 |
451 | '-u'|'--update')
452 | banner
453 | fun_update
454 | exit 1
455 | ;;
456 |
457 | '')
458 | break
459 | ;;
460 |
461 | *)
462 | echo "Unknown argument: $1"
463 | exit 1
464 | ;;
465 |
466 |
467 | esac
468 | done
469 |
470 |
471 | #-----------------------------------------------------------------#
472 |
473 |
474 | if [ "$MODE" = 'sub' ] || [ "$MODE" = 'SUB' ] || [ "$MODE" = 'subdomain' ] || [ "$MODE" = 'SUBDOMAIN' ]
475 | then
476 | banner
477 | fun_flags
478 | fun_dir
479 | fun_getAllSubd
480 |
481 | elif [ "$MODE" = 'url' ] || [ "$MODE" = 'URL' ]
482 | then
483 | banner
484 | fun_flags
485 | fun_dir
486 | fun_getAllSubd
487 | fun_getUrl
488 |
489 | elif [ "$MODE" = 'exploit' ] || [ "$MODE" = 'EXPLOIT' ] || [ "$MODE" = 'EXP' ] || [ "$MODE" = 'exp' ]
490 | then
491 | banner
492 | fun_flags
493 | fun_dir
494 | fun_getAllSubd
495 | fun_getUrl
496 | fun_runNuclei
497 | run_subzy
498 |
499 | else
500 | echo -e "$(fun_err) Unable to understand ${lyellow}MODE${reset}, Running help Menu"
501 | fun_help
502 | fi
503 |
--------------------------------------------------------------------------------
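`fun_getAllSubd` above merges every name returned by subfinder, findomain, ffuf and crt.sh into `allSubdomains.txt`, and `fun_getUrl`, `fun_runNuclei` and `run_subzy` then act on that list without checking the `-d` value or whether each name belongs to the target. The following is an added example, not part of scriptkiddi3: it validates the domain argument and keeps only in-scope hostnames before anything is probed. The function names `is_valid_domain` and `filter_in_scope` and the sample list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of scriptkiddi3. Function names and sample data
# are assumptions made for illustration.

# is_valid_domain NAME
# Succeeds only for a plain DNS name: at most 253 characters, two or more
# dot-separated labels of letters, digits and hyphens. An empty value, a
# leading "-" (would be read as an option by the tools) and any whitespace
# or shell metacharacter are rejected.
is_valid_domain() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]{0,61}[A-Za-z0-9]$'
}

# filter_in_scope TARGET
# Reads candidate hostnames on stdin and prints, sorted and unique, only
# those equal to TARGET or ending in ".TARGET". Names are lower-cased, a
# leading "*." (wildcard certificate entry) and a trailing dot are removed.
# Returns 2 without reading input if TARGET itself is not a valid domain.
filter_in_scope() {
    is_valid_domain "$1" || return 2
    tr -d '\r' |
    tr '[:upper:]' '[:lower:]' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v t="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        BEGIN { suffix = "." t; n = length(suffix) }
        # Skip anything that is not a bare hostname (e-mail addresses,
        # values starting with a hyphen, empty lines).
        $0 !~ /^[a-z0-9_][a-z0-9_.-]*$/ { next }
        # Literal suffix comparison: a pattern such as "target.com$" would
        # also accept nottarget.com.
        $0 == t { print; next }
        length($0) > n && substr($0, length($0) - n + 1) == suffix { print }
    ' |
    LC_ALL=C sort -u
}

# Constructed sample of merged tool output (not real scan data).
SAMPLE_CANDIDATES='www.target.com
*.dev.target.com
API.Target.com
target.com
nottarget.com
target.com.other.example
mail.target.com.
admin@target.com
-oProxy.target.com
www.target.com'

# Stand-alone run: print the in-scope names from the sample.
printf '%s\n' "$SAMPLE_CANDIDATES" | filter_in_scope target.com
```

In the script, `is_valid_domain` would run in the `-d` branch of the argument loop, and `filter_in_scope "$DOMAIN"` would sit between the final `sort | uniq` in `fun_getAllSubd` and the tools that read `allSubdomains.txt`.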