meucadastroo / pentest-scripts

Informational

I made these scripts for my needs and tried to understand a little bit of how some bug hunters work, putting some of those steps in a logical order for me.

Until I consider this work finished, I'll continue to study and see how some people work and put it as features within the recon.sh script. :D

System Requirements

Recommended to run on a VPS with 1 vCPU and 2 GB of RAM.

Why do I need to run get-tools.sh as root or with sudo?

Because you need to keep your system updated and install some packages from your distribution's repository to prepare your environment to run recon.sh.

get-tools.sh

This script detects some systems like Arch Linux, Ubuntu and Kali.
The idea of this script is to prepare your new VPS or VM with some tools to use in the reconnaissance and attack phases.
I also put in some wordlists and tools used during the reconnaissance phase.

Profiles:

  • recon: tries to ensure the installation of the binaries recon.sh needs; note that the only binary checks are for what recon.sh needs;
  • attack: gets some tools to help in the attack phase;
  • all: installs all tools from the recon and attack profiles.

How does get-tools.sh work?

# ./get-tools.sh -u your_user -p profile
or
$ sudo -H ./get-tools.sh -u your_user -p profile

After execution you will have the following directory structure in the user's home:

~/pentest
  ├── exploits
  ├── local_recon
  ├── pentest-scripts
  ├── tools
  └── wordlists

Attention: I'm using the attack function of get-tools.sh to get a collection of scripts or tools to help me with my tasks and, more importantly, to keep a backup of those tools or scripts for me. Feel free to use it or just move on.
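The two things get-tools.sh has to get right before installing anything are knowing which distribution it is on (so it uses the right package manager) and creating the ~/pentest layout for the unprivileged user named with -u. The following is an added example of both, written for this page and not the repository's own get-tools.sh: it reads /etc/os-release instead of guessing from which package-manager binary exists, never sources that file (sourcing a root-run script from a world-readable config is a classic way to turn a writable file into root code execution), and hands the created tree back to the user that invoked sudo. The function names, the detect_distro file argument and the sample os-release contents in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's get-tools.sh. POSIX sh on purpose so it
# runs the same under dash (Ubuntu/Kali) and bash (Arch).
set -eu

# detect_distro [FILE] -> prints one of: arch, ubuntu, kali, unknown
# Parses ID= and ID_LIKE= from an os-release style file (default
# /etc/os-release). Only the two keys we need are read; the file is never
# sourced, so a tampered os-release cannot run commands as root.
detect_distro() {
  file="${1:-/etc/os-release}"
  [ -r "$file" ] || { echo unknown; return 0; }
  id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
  id_like=$(sed -n 's/^ID_LIKE=//p' "$file" | tr -d '"')
  case "$id" in
    arch)   echo arch ;;
    kali)   echo kali ;;       # Kali is Debian-derived but has ID=kali
    ubuntu) echo ubuntu ;;
    *)
      # Arch derivatives (e.g. ID=manjaro) announce themselves via ID_LIKE
      case "$id_like" in
        *arch*) echo arch ;;
        *)      echo unknown ;;
      esac ;;
  esac
}

# package_manager DISTRO -> the update-and-install command prefix to use,
# non-zero for a distro the bootstrap does not know how to handle
package_manager() {
  case "$1" in
    arch)        echo "pacman -Syu --noconfirm" ;;
    ubuntu|kali) echo "apt-get update && apt-get install -y" ;;
    *)           return 1 ;;
  esac
}

# make_layout HOME_DIR -> creates the ~/pentest tree from the README and
# prints how many top-level directories it contains (5)
make_layout() {
  home="$1"
  for d in exploits local_recon pentest-scripts tools wordlists; do
    mkdir -p "$home/pentest/$d"
  done
  # The bootstrap runs under sudo, but the tree must belong to the real user
  # (SUDO_USER is set by sudo; it is empty when run directly as root).
  if [ -n "${SUDO_USER:-}" ]; then
    chown -R "$SUDO_USER" "$home/pentest" || true
  fi
  find "$home/pentest" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Usage (constructed sample, run from a shell):
#   printf 'ID=kali\nID_LIKE=debian\n' > /tmp/os-release.sample
#   detect_distro /tmp/os-release.sample        # kali
#   package_manager "$(detect_distro)"          # real host's package manager
#   make_layout "$HOME"                         # 5
```

The refusal to source os-release matters because get-tools.sh is one of the few scripts in this workflow that runs as root: every file it reads is an input it must treat as untrusted.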

recon.sh

About

recon.sh is a script written in Bash; it is intended to automate some tedious reconnaissance and information gathering tasks.
This tool lets you gather information that should help you identify what to do next and where to look.

For now recon.sh uses amass, Sublist3r, certspotter, crt.sh, dnssearch, gobuster, dirsearch, wayback and aquatone.
In the future I intend to use subfinder, massdns, dnsrecon and other tools to get more subdomains and other information.

How does recon.sh work?

Default reconnaissance:

./recon.sh -d domain.com

Reconnaissance through Tor using privoxy:

./recon.sh -d domain.com -p yes

Reconnaissance with excluded domains:

./recon.sh -d domain.com -e excluded.domain.com,other.domain.com

Reconnaissance with a different DNS resolver (8.8.8.8 is used by default):

./recon.sh -d domain.com -r 1.1.1.1

Reconnaissance with brute force using Sublist3r:

./recon.sh -d domain.com -b yes

Attention: if the -b option is omitted, Sublist3r runs without brute force.

Reconnaissance with brute force using gobuster and dnssearch:

./recon.sh -d domain.com -s /path/to/wordlist1,/path/to/wordlist2

Reconnaissance with directories and files brute force with gobuster and dirsearch:

./recon.sh -d domain.com -w /path/to/wordlist1,/path/to/wordlist2

Attention: if no wordlist is provided, the dicc.txt wordlist from dirsearch is used by default and only dirsearch is executed.

You can put more than one option, example:

./recon.sh -d domain.com -b yes -e excluded.domain.com,other.domain.com -s /path/to/wordlist1,/path/to/wordlist2
or
./recon.sh -d domain.com -w /path/to/wordlist1,/path/to/wordlist2 -b yes

Use as you need.

Main features

  • Creates a dated folder with recon notes
  • Grabs subdomains using:
    • Amass, Sublist3r, certspotter and crt.sh
    • DNS brute forcing using gobuster and dnssearch
  • The diff_domains function improves the execution time by processing only what changed on the target infrastructure
  • Runs nmap against live hosts
  • Probes for live hosts on some ports like 80, 443, 8080, etc.
  • The web_data function from recon.sh works when you give it a list of URLs from a file:
    • Runs dirsearch and gobuster for all subdomains
    • Scrapes wayback
    • Uses docker to set up privoxy instances that provide a proxy to dirsearch and gobuster

Screenshots

demo_01.png
demo_02.png

Thanks

Icaro Torres for the idea of diffing the files from a day ago to improve the execution time of the script.
Enderson Maia for the help with the Dockerfile and the shellcheck tip.

Resources

https://0xsp.com/offensive/red-teaming-toolkit-collection
https://medium.com/@ricardoiramar/subdomain-enumeration-tools-evaluation-57d4ec02d69e
https://github.com/riramar/Web-Attack-Cheat-Sheet
https://inteltechniques.com/blog/2018/03/06/updated-osint-flowcharts/
https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md
https://github.com/renergr1nch/splitter
https://bitbucket.org/splazit/docker-privoxy-alpine/src/master/
https://github.com/essandess/adblock2privoxy
https://0xpatrik.com/subdomain-enumeration-2019/
https://blog.securitybreached.org/2017/11/25/guide-to-basic-recon-for-bugbounty/

Warning: this code was originally created for personal use and it generates a substantial amount of traffic; please use it with caution.

License

MIT License