bountyRecon.sh
#!/bin/bash
##Script to Automate Bug Bounty Recon
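# Usage: ./bountyRecon.sh TARGET_NAME DOMAIN_LIST_FILE
# Both arguments are mandatory. Diagnostics go to stderr and the script exits
# non-zero so a caller (cron, CI, a wrapper) can tell a usage error from a run.
if [[ -z "${1}" || -z "${2}" ]]; then
  printf '\n[!] Please pass the required arguments :\n' >&2
  printf '\tusage : ./bountyRecon.sh TARGET_NAME [list of domains]\n\n' >&2
  exit 2
fi
# The second argument is the path to the file holding the in-scope domains.
if [[ ! -f "${2}" ]]; then
  printf '\n[-] File does not exist : %s\n\n' "${2}" >&2
  exit 2
fi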
######Reading Config File
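#######################################
# Look up a key in ./config.conf (KEY=VALUE, one entry per line) and print
# its value.
# Arguments: $1 - key name (used as an anchored regex; plain identifiers only)
# Outputs:   the value to stdout, first matching line only, surrounding
#            whitespace trimmed
# Returns:   0 if the key was found, 1 otherwise
#######################################
getValueFromConfig() {
  local key=$1
  local line value
  # Anchor at the line start and require the '=' so a commented-out entry
  # ("#Recon_Home=...") or a key that merely contains this one is not matched;
  # the first hit wins instead of several values being glued together.
  line=$(grep -- "^[[:space:]]*${key}[[:space:]]*=" config.conf | head -n 1)
  [[ -n "${line}" ]] || return 1
  # Keep everything after the first '=' so a value containing '=' survives.
  value=${line#*=}
  # Trim leading/trailing whitespace with parameter expansion; the original
  # unquoted echo did this implicitly but also glob-expanded the value.
  value=${value#"${value%%[![:space:]]*}"}
  value=${value%"${value##*[![:space:]]}"}
  printf '%s\n' "${value}"
}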
#######Initializing variables
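TARGET_NAME=${1}
domains=${2}   # path to the domain list file (existence checked above)
# Refuse to run with an empty Recon_Home: "${Recon_Home}/..." would otherwise
# resolve to "/TARGET_NAME" and scatter results under the filesystem root.
recon_root=$(getValueFromConfig "Recon_Home")
if [[ -z "${recon_root}" ]]; then
  printf '\n[-] Recon_Home is not set in config.conf\n\n' >&2
  exit 1
fi
# TARGET_NAME is used verbatim as a directory component under Recon_Home.
Recon_Home="${recon_root}/${TARGET_NAME}"
# NOTE(review): assigned but never exported, so ./subdomains.sh only sees it
# if that script reads config.conf itself — confirm before relying on it here.
amass_config_path=$(getValueFromConfig "amass_config_path")
mkdir -p "${Recon_Home}/logs" || exit 1
start_time=$(date "+%d%m%y_%H%M%S")
# One log file per run, named by the start timestamp.
logfile="${Recon_Home}/logs/${start_time}.log"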
######Subdomain Enumeration########
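mkdir -p "${Recon_Home}/subdomains"
printf '\n[+] Started Subdomain Enumeration at %s\n' "${start_time}" | tee -a "${logfile}"
# parallel reads one line (the domain list path) from stdin, so ./subdomains.sh
# runs once with (DOMAIN_LIST_FILE, OUTPUT_DIR). printf avoids echo's
# glob/word-splitting of an unquoted path.
printf '%s\n' "${domains}" | parallel ./subdomains.sh {} "${Recon_Home}/subdomains"
printf '[+] Subdomain Enumeration Finished at %s\n' "$(date '+%d%m%y_%H%M%S')" | tee -a "${logfile}"
# Merge the subfinder and amass results, drop entries that start with '.' or
# '*' (wildcard records), and de-duplicate into the combined list.
cat "${Recon_Home}/subdomains/subfinder.txt" "${Recon_Home}/subdomains/amass.txt" \
  | sed "/^[\.*]/d" | sort -u > "${Recon_Home}/subdomains/subdomains.txt"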
##########Screenshot the target with aquatone######
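mkdir -p "${Recon_Home}/aquatone"
printf '[+] Attempting Screenshot for the target subdomains...\n' | tee -a "${logfile}"
aquatone_home=$(getValueFromConfig "aquatone_home")
# Check the binary before piping into it: an empty/wrong aquatone_home used to
# surface only as a "No such file" from the shell while the run carried on.
if [[ -x "${aquatone_home}/aquatone" ]]; then
  # Timeout flags are in milliseconds per aquatone's flag help (TODO confirm
  # for the installed version).
  "${aquatone_home}/aquatone" -out "${Recon_Home}/aquatone" \
    -http-timeout 30000 -scan-timeout 30000 -screenshot-timeout 60000 \
    < "${Recon_Home}/subdomains/subdomains.txt"
  printf '[+] Screenshot Finished for subdomains\n' | tee -a "${logfile}"
else
  # Later steps do not depend on screenshots, so warn and continue.
  printf '[-] aquatone not found or not executable at %s/aquatone, skipping screenshots\n' \
    "${aquatone_home}" | tee -a "${logfile}" >&2
fi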
#######Extract javascript files and urls
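printf '[+] Extracting javascript from html source\n' | tee -a "${logfile}"
# jsextractor.sh is a sibling script that receives the per-target recon
# directory. Only report success when it actually exits 0; the old code
# printed "extracted successfully" unconditionally.
if ./jsextractor.sh "${Recon_Home}"; then
  printf '[+] javascript extracted successfully\n' | tee -a "${logfile}"
else
  printf '[-] javascript extraction failed (exit %s)\n' "$?" | tee -a "${logfile}" >&2
fi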
########Subdomain takeover
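mkdir -p "${Recon_Home}/takeover"
printf '[+] Checking subdomains for takeover\n' | tee -a "${logfile}"
# Feed the recon directory to takeover.sh as one argument; printf instead of
# an unquoted echo so a path containing glob characters is passed verbatim.
printf '%s\n' "${Recon_Home}" | parallel ./takeover.sh {}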
#Test put method on all subdomains
########Testing for Alive and Resolvable domains####
#echo "[+] Checking for alive domains..\n" | tee -a ${logfile}
#cat "${Recon_Home}/subdomains/subdomains.txt" | httprobe -p http:8080 https:8080 https:8443 http:8000 https:8000 -c 50| tee -a "${Recon_Home}/subdomains/alive.txt"
#echo "[+] Finished Checking Alive domains\n" | tee -a ${logfile}
#massdns_home=$(getValueFromConfig "massdns_home")
#echo -e "[+] Checking for Resolvable domains.." | tee -a ${logfile}
#${massdns_home}/bin/massdns -r ${massdns_home}/lists/resolvers.txt -o S -w "${Recon_Home}/subdomains/massdns.txt" "${Recon_Home}/subdomains/subdomains.txt"
#echo -e "[+] Finished Checking Resolvable domains" | tee -a ${logfile}
#cat "${Recon_Home}/subdomains/massdns.txt" |cut -d " " -f 1|sed "s/\.$//"|sort -u > "${Recon_Home}/subdomains/resolvable.txt"
###TO do list
#Check hidden files and other important files like .git, .DS_Store and swagger-ui.html on all subdomains
#Masscan the target
#Check for cve 2019 19781 exploit - grep "citrix login" in title or "citrix" occurences >3
#pdf ssrf - html rendering to pdf
#ffuf
#cloud_enum - https://github.com/initstring/cloud_enum