V4.0 : Merge AutoRecon & AutoScan

README.md

@@ -1,59 +1,71 @@
 
+
+
 # AutoRecon
-![Banner](https://zupimages.net/up/19/01/uikg.png)![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg) ![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg)  ![MIT license](https://img.shields.io/badge/License-MIT-blue.svg)
+
+![Banner](https://zupimages.net/up/19/01/uikg.png)![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg) ![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg) ![MIT license](https://img.shields.io/badge/License-MIT-blue.svg)
 
 ## Features
+
 - Enum subdomains, create permutation & wildcard removing with [Amass](https://github.com/OWASP/Amass/)
+- Search subdomains on github with [Github-Subdomains](https://github.com/gwen001/github-search/blob/master/github-subdomains.py)
 - Find web services and screenshots with[Aquatone](https://github.com/michenriksen/aquatone)
+-  [Nuclei](https://github.com/projectdiscovery/nuclei) : Configurable targeted scanning based on templates
+-  [Gau](https://github.com/lc/gau) : Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
+-  [Hakrawler](https://github.com/hakluke/hakrawler) : Simple, fast web crawler
+-  [ParamSpider](https://github.com/devanshbatham/ParamSpider) : Mining parameters from dark corners of Web Archives
+-  [Gf](https://github.com/tomnomnom/gf) : A wrapper around grep, to help you grep for things
+	- With somes GF profiles from [Gf-Patterns](https://github.com/1ndianl33t/Gf-Patterns) and [ParamSpider](https://github.com/devanshbatham/ParamSpider/tree/master/gf_profiles)
+-  [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) : Designed to find hidden subdomains and secrets present is either webpage, Github, and external javascripts present in the given URL.
 
-How I use this tool for BugBounty : [My subdomains enumeration process](https://www.jomar.fr/posts/2020/03/en-my-subdomains-enumeration-process/)
-
-![Workflow](https://zupimages.net/up/20/19/cj3p.png)
+![Workflow](https://zupimages.net/up/20/28/mclg.png)
 
 ## Installation
-- Installation & Recon tested on Debian 10
+- Installation & Recon tested on Ubuntu 20.04
 
 Run installer :
 ```bash
 ./install.sh
 ```
+
 If wanted (recommended), configure [Amass](https://github.com/OWASP/Amass/) with the desired API keys by creating a [config.ini](https://github.com/OWASP/Amass/blob/master/examples/config.ini) file.
 
-## Usage
+Create the file `.tokens` in `/root/Tools/Github-Subdomains/` with one or more github token.
 
+## Usage
 ```bash
-./recon.sh -d domain.tld -c ~/Tools/Amass/config.ini
+./recon.sh -d domain.tld -r -s -c /root/Tools/Amass/config.ini
 ```
 
 Options :
 ```bash
--d  | --domain      (required) : Launch passive scan (Amass & DnsGen)
--c  | --amassconfig (optional) : Provide Amass configuration files for better results
+-d | --domain (required) : Domain in domain.tld format
+-r | --recon (optional) : Search subdomains for the specified domain
+-s | --scan (optional) : Scan the specified domain
+-c | --amassconfig (optional) : Provide Amass configuration files for better results
 -rp | --resultspath (optional) : Defines the output folder
 ```
 
-![RunningScript](https://zupimages.net/up/20/19/exzj.png)
+![RunningScript](https://zupimages.net/up/20/28/j650.png)
+
 ## Domain monitoring
 The advantage of using amass with the "-dir" option is that it also allows monitoring with a bash script.
-
 For example, you can create a cron task that executes the following content at regular intervals:
 
 ```bash
 #!/bin/bash
-
 DOMAIN=your-domain.tld
 
 /root/AutoRecon.sh -d $DOMAIN -c /root/Tools/Amass/config.ini
 
 MSG=$(amass track -d $DOMAIN -dir /root/Recon/$DOMAIN/Amass/ | grep 'Found:')
-
 PAYLOAD="payload={\"text\": \"$MSG\"}"
 HOOK=https://hooks.slack.com/services/XXXX/XXXX/XXXX
 
 if [ ! -z "$var" ]
 then
-  curl -X POST --data-urlencode "$PAYLOAD" "$HOOK"
+  curl -X POST --data-urlencode "$PAYLOAD"  "$HOOK"
 fi
 ```
 
-![SlackAlert](https://zupimages.net/up/20/19/yozr.png)
+![SlackAlert](https://zupimages.net/up/20/19/yozr.png)

install.sh

@@ -1,15 +1,25 @@
 #!/bin/bash
 
+Tools="/root/Tools"
+mkdir $Tools
+
 #Update & Upgrade
 apt-get update && apt-get upgrade -y
-rm README.md
 
-#Install requierements
-apt-get install unzip libldns-dev git snapd dnsutils -y
+#Install requirements
+apt-get install unzip libldns-dev git snapd dnsutils python3 python3-pip jq -y
+pip3 install colored
 
 #Ensures that the snapd service is running.
 systemctl start snapd
 
+## Install Golang
+wget https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz
+tar -C /usr/local -xzf go1.14.2.linux-amd64.tar.gz
+rm go1.14.2.linux-amd64.tar.gz
+echo -e "export PATH=$PATH:/usr/local/go/bin" >> ~/.profile
+source ~/.profile
+
 #Install Aquatone
 wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip
 unzip aquatone_linux_amd64_1.7.0.zip
@@ -22,9 +32,71 @@ snap install chromium
 #Install Amass for recon
 snap install amass
 
+## Install Nuclei
+wget https://github.com/projectdiscovery/nuclei/releases/download/v1.1.3/nuclei-linux-amd64.gz
+gunzip nuclei-linux-amd64.gz
+mv nuclei-linux-amd64 /usr/bin/nuclei
+chmod +x /usr/bin/nuclei
+
+cd $Tools
+git clone https://github.com/projectdiscovery/nuclei-templates
+cd nuclei-templates
+mkdir all
+cp $(find . -type f -name '*.yaml') all/
+
+## Install Httprobe
+go get -u github.com/tomnomnom/httprobe
+mv ~/go/bin/httprobe /usr/bin/
+
+## Install Hakrawler
+go get github.com/hakluke/hakrawler
+mv ~/go/bin/hakrawler /usr/bin/
+
+## Install Kxss
+git clone https://github.com/tomnomnom/hacks
+cd hacks/kxss
+go build main.go
+mv main /usr/bin/kxss
+cd ../.. && rm -r hacks/
+
+## Install ParamSpider
+cd $Tools
+git clone https://github.com/devanshbatham/ParamSpider
+cd ParamSpider 
+pip3 install -r requirements.txt
+
+## Install GF
+go get -u github.com/tomnomnom/gf
+echo 'source /root/go/src/github.com/tomnomnom/gf/gf-completion.bash' >> ~/.bashrc
+source ~/.bashrc
+cp -r /root/go/src/github.com/tomnomnom/gf/examples ~/.gf
+mv ~/go/bin/gf /usr/bin/
+cd ~/.gf
+cp $Tools/ParamSpider/gf_profiles/* .
+
+## Add more GF patterns
+git clone https://github.com/1ndianl33t/Gf-Patterns
+mv Gf-Patterns/*.json .
+rm -r Gf-Patterns/
+
+## Install GAU
+GO111MODULE=on go get -u -v github.com/lc/gau
+mv ~/go/bin/gau /usr/bin/
+
+## Install SubDomainizer
+cd $Tools
+git clone https://github.com/nsonaniya2010/SubDomainizer.git
+cd SubDomainizer
+pip3 install -r requirements.txt
+
+## Install Github-Subdomains.py
+mkdir $Tools/Github-Subdomains/ && cd $Tools/Github-Subdomains
+wget https://raw.githubusercontent.com/gwen001/github-search/master/github-subdomains.py
+
 #Add /snap/bin to $PATH
 echo -e "export PATH=\"$PATH:/snap/bin\"" >> ~/.profile
 source ~/.profile
 
 ## END
+cd ~
 rm install.sh

recon.sh

@@ -2,6 +2,7 @@
 
 ## VARIABLES
 ResultsPath="/root/Recon"
+ToolsPath="/root/Tools"
 
 ## FUNCTION
 die() {
@@ -11,8 +12,10 @@ die() {
 
 help() {
   banner
-  echo -e "Usage : ./recon.sh -d domain.tld -m
+  echo -e "Usage : ./recon.sh -d domain.tld -r -s
       -d  | --domain      (required) : Domain in domain.tld format
+      -r  | --recon       (optional) : Search subdomains for the specified domain
+      -s  | --scan        (optional) : Scan the specified domain
       -c  | --amassconfig (optional) : Provide Amass configuration files for better results
       -rp | --resultspath (optional) : Defines the output folder
   "
@@ -30,33 +33,109 @@ banner() {
 }
 
 scan() {
+  echo -e "Scan of \e[31m$1\e[0m is in progress"
+  mkdir -p $ResultsPath/$domain/$(date +%F)/$1
+
+  ## Nuclei
+	echo -e ">> \e[36mNuclei\e[0m is in progress"
+	echo -e $1 | httprobe -p http:81 -p https:81 -p https:8443 -p http:8080 -p https:8080 > $ResultsPath/$domain/$(date +%F)/$1/httprobe.txt
+  nuclei -l $ResultsPath/$domain/$(date +%F)/$1/httprobe.txt -t "$ToolsPath/nuclei-templates/all/*.yaml" -o $ResultsPath/$domain/$(date +%F)/$1/nuclei.txt > /dev/null 2>&1
+
+  ## GAU
+  echo -e ">> \e[36mGAU\e[0m is in progress"
+  gau $1 >> $ResultsPath/$domain/$(date +%F)/$1/gau.txt
+
+  ## Hawkraler
+	echo -e ">> \e[36mHakrawler\e[0m is in progress"
+	echo -e $1 | hakrawler -forms -js -linkfinder -plain -robots -sitemap -usewayback -outdir $ResultsPath/$domain/$(date +%F)/$1/hakrawler | kxss >> $ResultsPath/$domain/$(date +%F)/$1/kxss.txt
+
+  ## ParamSpider
+	echo -e ">> \e[36mParamSpider\e[0m is in progress"
+	cd $ToolsPath/ParamSpider/
+	python3 paramspider.py --domain $1 --exclude woff,css,js,png,svg,jpg -o paramspider.txt > /dev/null 2>&1
+
+  if [ -s $ToolsPath/ParamSpider/output/paramspider.txt ]
+  then
+    	mv ./output/paramspider.txt $ResultsPath/$domain/$(date +%F)/$1/
+
+      ## GF
+      echo -e ">> \e[36mGF\e[0m is in progress"
+      mkdir $ResultsPath/$domain/$(date +%F)/$1/GF
+
+      gf xss $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/xss.txt
+      gf potential $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/potential.txt
+      gf debug_logic $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/debug_logic.txt
+      gf idor $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/idor.txt
+      gf lfi $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/lfi.txt
+      gf rce $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/rce.txt
+      gf redirect $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/redirect.txt
+      gf sqli $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/sqli.txt
+      gf ssrf $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/ssrf.txt
+      gf ssti $ResultsPath/$domain/$(date +%F)/$1/paramspider.txt >> $ResultsPath/$domain/$(date +%F)/$1/GF/ssti.txt
+  fi
+
+  ## SubDomainizer
+  echo -e ">> \e[36mSubDomainizer\e[0m is in progress"
+  python3 $ToolsPath/SubDomainizer/SubDomainizer.py -u $1 -o $ResultsPath/$domain/$(date +%F)/$1/SubDomainizer.txt > /dev/null 2>&1
+
+  ## RM ParamSpider output
+  if [ -s $ToolsPath/ParamSpider/output/paramspider.txt ]
+  then
+    rm $ToolsPath/ParamSpider/output/paramspider.txt
+  fi
+}
+
+main() {
   banner
-  echo -e "Recon is in \e[31mprogress\e[0m, take a coffee"
 
-  ## ENUM SUB-DOMAINS
-  echo -e ">> \e[36mAmass\e[0m is in progress"
+  if [ -v recon ] ## IF SCAN OPTION WAS PROVIDE
+  then
+    echo -e "Recon is in \e[31mprogress\e[0m, take a coffee"
+
+    ## ENUM SUB-DOMAINS
+    echo -e ">> \e[36mAmass\e[0m is in progress"
 
-  ## LAUNCH AMASS
-  if [ ! -d "$ResultsPath/$domain/Amass" ];then
+    ## LAUNCH AMASS
     mkdir -p $ResultsPath/$domain/Amass
+    wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/deepmagic.com-prefixes-top50000.txt -P $ResultsPath/$domain/ > /dev/null 2>&1
+
+    if [ -z "$ac" ]
+    then
+      amass enum -active -o $ResultsPath/$domain/$(date +%F)/domains_tmp.txt -d $domain -brute -w $ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt -dir $ResultsPath/$domain/Amass > /dev/null 2>&1
+    else
+      amass enum -active -o $ResultsPath/$domain/$(date +%F)/domains_tmp.txt -d $domain -brute -w $ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt -config $ac -dir $ResultsPath/$domain/Amass > /dev/null 2>&1
+    fi
+
+    ## LAUNCH GITHUB-SUBDOMAINS.PY
+    echo -e ">> \e[36mGithub-Subdomains.py\e[0m is in progress"
+    python3 /root/Tools/Github-Subdomains/github-subdomains.py -d $domain >> $ResultsPath/$domain/$(date +%F)/domains_tmp.txt
+
+    ## SORT & REMOVE DUPLICATES ON DOMAINES.TXT
+    cat $ResultsPath/$domain/$(date +%F)/domains_tmp.txt | sort -u > $ResultsPath/$domain/$(date +%F)/domains.txt
+    rm $ResultsPath/$domain/$(date +%F)/domains_tmp.txt
+
+    ## LAUNCH AQUATONE
+    echo -e ">> \e[36mAquatone\e[0m is in progress"
+    mkdir $ResultsPath/$domain/$(date +%F)/Aquatone
+    cd $ResultsPath/$domain/$(date +%F)/Aquatone
+    cat ../domains.txt | aquatone -chrome-path /snap/bin/chromium -ports xlarge > /dev/null 2>&1
+
+    ## REMOVE USELESS FILES
+    rm $ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt
   fi
-  wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/deepmagic.com-prefixes-top50000.txt -P $ResultsPath/$domain/ > /dev/null 2>&1
-  if [ -z "$ac" ]
+
+  if [ -v scan ] ## IF SCAN OPTION WAS PROVIDE
   then
-    amass enum -active -d $domain -brute -w $ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt -dir $ResultsPath/$domain/Amass -o $ResultsPath/$domain/domains_$(date +%F).txt > /dev/null 2>&1
-  else
-    amass enum -active -d $domain -brute -w $ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt -config $ac -dir $ResultsPath/$domain/Amass -o $ResultsPath/$domain/domains_$(date +%F).txt > /dev/null 2>&1
+    if [ -v recon ] ## IF RECON OPTION WAS PROVIDE
+    then
+      while read line; do
+        scan $line
+      done < $ResultsPath/$domain/$(date +%F)/domains.txt
+    else
+      scan $domain
+    fi
   fi
-
-  ## LAUNCH AQUATONE
-  echo -e ">> \e[36mAquatone\e[0m is in progress"
-  mkdir $ResultsPath/$domain/Aquatone_$(date +%F)
-  cd $ResultsPath/$domain/Aquatone_$(date +%F)
-  cat ../domains_$(date +%F).txt | aquatone -chrome-path /snap/bin/chromium -ports xlarge > /dev/null 2>&1
-
-  ## REMOVE USELESS FILES
-  rm $ResultsPath/$domain/deepmagic.com-prefixes-top50000.txt
-
+
   echo -e "=========== Recon is \e[32mfinish\e[0m ==========="
 }
 
@@ -89,6 +168,12 @@ while :; do
                 shift
             fi
             ;;
+        -s|--scan)
+            scan=true
+            ;;
+        -r|--recon)
+            recon=true
+            ;;
         --)
             shift
             break
@@ -109,7 +194,7 @@ then
   die 'ERROR: "--domain" requires a non-empty option argument.'
 else
   if [ ! -d "$ResultsPath/$domain" ];then
-    mkdir -p $ResultsPath/$domain
+    mkdir -p $ResultsPath/$domain/$(date +%F)
   fi
-  scan
+  main
 fi