Automated framework to do bug bounty recon
- Generates a subdomain wordlist with `commonspeak2-wordlists`
- Runs `amass` in passive mode on the domain provided
- Merges `commonspeak` and `amass` domains
- Resolves domains with `massdns`
- Outputs the resolved hosts to `domains.tmp`
- Runs `httprobe` on the resolved subdomains
- Runs `masscan` on the resolved IPs
- Runs `aquatone` on the subdomains that `httprobe` found to be alive
- Runs `ffuf` on the found domains... `domain.com/FUZZ`
You'll get a few files. I decided it's best to let you figure out what you want to keep:
- `domains.out`: The unique list of domains from `commonspeak`, `assetfinder`, and `amass`
- `massdns.out`: The results of `massdns` (subdomains & resolved IPs)
- `httprobe.out`: The results of `httprobe` (subdomains that responded on ports 3000, 4567, 5000, 5104, 8000, 8008, 8080, 8088, 8443, 8280, 8333, 11371, 16080)
- `masscan.out`: The results of `masscan` (provided in greppable format)
- `ips.out`: Results of `massdns` with only the IP addresses
- `subs.out`: Results of `massdns` with only the subdomains
- `ffuf.out`: Results of `ffuf` with only `status code` and `url`
- `aquatone/`: Directory of the `aquatone` results
- `ffuf/`: Directory containing the ffuf fuzzed directories
There are some variables you need to pass:
- `<domain>`: the TLD or subdomain you want to run against (Ex: domain.com).
- `<resolver_check>`: either `true` or `false`. If you notice that you're not getting any final output, set this value to `false` to disable the offending resolver check from massdns.
- `<wordlist_size>`: either `large` or `small`.
```bash
git clone [email protected]:godzilla74/pentest-tools.git
cd pentest-tools
docker build -t recon .
docker run -it -v $(pwd):/opt/results recon <domain> <resolver_check> <wordlist_size>
```
- dockerize
- masscan the resulting IPs
- add user mount for wordlists
- ffuf the domains - directory brute force
- add assetfinder to the mix
- add meg
- add aquatone
- add httprobe
- massdns CNAME results into their own file (for subdomain takeover?)
- add `parallel` support to run some jobs in tandem (masscan, httprobe, aquatone)
- get ASNs and IP ranges for better masscan results
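The `ips.out` / `subs.out` split described in the output list, and the CNAME-only file from the TODO item above, both come down to post-processing `massdns.out`. The following is an added example of that step, not code from the pentest-tools repo. It assumes massdns was run with its `-o S` ("simple") output format, one `<name>. <TYPE> <value>` record per line; the sample input is constructed, and the `cnames.out` file name is a hypothetical choice since the README names no file for it. Passing the target domain keeps out-of-scope names that massdns prints while following CNAME chains from leaking into `subs.out`.

```python
"""Split massdns simple output (-o S) into subs.out, ips.out and cnames.out.

Added example for the recon pipeline's post-processing step; not part of the
pentest-tools repo. Assumes the massdns '-o S' line format:
    <name>. <TYPE> <value>
"""
import ipaddress
import os
import re
from typing import Dict, Optional, Set

# Constructed sample of massdns '-o S' output (documentation addresses, not real scan data).
SAMPLE_MASSDNS_OUT = """\
www.example.com. A 192.0.2.10
api.example.com. A 192.0.2.11
api.example.com. A 192.0.2.12
cdn.example.com. CNAME cdn-edge.example.net.
cdn-edge.example.net. A 198.51.100.5
old-app.example.com. CNAME old-app.herokuapp.example.
ipv6.example.com. AAAA 2001:db8::1
mail.example.com. MX 10 mail.example.com.
this is not a massdns line
"""

# name ends with a trailing dot, then the record type, then the rest of the line
_LINE_RE = re.compile(r"^(?P<name>\S+)\.\s+(?P<type>[A-Z]+)\s+(?P<value>.+?)\s*$")


def _in_scope(name: str, domain: Optional[str]) -> bool:
    """True when no scope is given, or name is the domain or one of its subdomains."""
    if domain is None:
        return True
    return name == domain or name.endswith("." + domain)


def parse_massdns(text: str, domain: Optional[str] = None) -> Dict[str, Set[str]]:
    """Return {'subs', 'ips', 'cnames'} sets extracted from massdns simple output.

    - subs:   every resolved name (any record type) that is in scope
    - ips:    A/AAAA answers, normalised through the ipaddress module
    - cnames: "name -> target" pairs, the input for a dangling-CNAME review
    Malformed lines are skipped so one odd line cannot abort the whole run.
    """
    out: Dict[str, Set[str]] = {"subs": set(), "ips": set(), "cnames": set()}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        rtype, value = m.group("type"), m.group("value")
        if not _in_scope(name, domain):
            continue  # massdns prints CNAME chain members outside the target domain
        out["subs"].add(name)
        if rtype in ("A", "AAAA"):
            try:
                out["ips"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                continue  # not a usable address; keep the name, drop the value
        elif rtype == "CNAME":
            out["cnames"].add(f"{name} -> {value.rstrip('.').lower()}")
    return out


def write_outputs(results: Dict[str, Set[str]], directory: str = ".") -> Dict[str, int]:
    """Write subs.out, ips.out and cnames.out (hypothetical name) and return line counts."""
    names = {"subs": "subs.out", "ips": "ips.out", "cnames": "cnames.out"}
    counts = {}
    for key, fname in names.items():
        rows = sorted(results[key])
        with open(os.path.join(directory, fname), "w") as fh:
            fh.write("\n".join(rows) + ("\n" if rows else ""))
        counts[fname] = len(rows)
    return counts


if __name__ == "__main__":
    parsed = parse_massdns(SAMPLE_MASSDNS_OUT, domain="example.com")
    for key, values in parsed.items():
        print(f"{key}: {len(values)}")
    print(write_outputs(parsed))
```

Run it against a real `massdns.out` by replacing `SAMPLE_MASSDNS_OUT` with the file's contents; on the constructed sample with `domain="example.com"` it yields 6 subdomains, 4 addresses and 2 CNAME pairs, with the out-of-scope `cdn-edge.example.net` record dropped.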
Have a problem or suggestion? Make an issue. I might get to it.