diff --git a/reconftw.cfg b/reconftw.cfg index b091d01c..c6655068 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -27,10 +27,10 @@ GITHUB_TOKENS=${tools}/.github_tokens #SHODAN_API_KEY=XXXXXXXXXXXXX #XSS_SERVER=XXXXXXXXXXXXXXXXX #COLLAB_SERVER=XXXXXXXXXXXXXXXXX -findomain_virustotal_token=XXXXXXXXXXXXXXXXX -findomain_spyse_token=XXXXXXXXXXXXXXXXX -findomain_securitytrails_token=XXXXXXXXXXXXXXXXX -findomain_fb_token=XXXXXXXXXXXXXXXXX +#findomain_virustotal_token=XXXXXXXXXXXXXXXXX +#findomain_spyse_token=XXXXXXXXXXXXXXXXX +#findomain_securitytrails_token=XXXXXXXXXXXXXXXXX +#findomain_fb_token=XXXXXXXXXXXXXXXXX # File descriptors DEBUG_STD="&>/dev/null" @@ -64,6 +64,7 @@ PORTSCAN_ACTIVE=true # Web analysis WAF_DETECTION=true NUCLEICHECK=true +URL_CHECK=true URL_GF=true JSCHECKS=true PARAMS=true @@ -90,12 +91,21 @@ FULLSCOPE=false DIFF=false REMOVETMP=false -## HTTP options +# HTTP options COOKIE="" HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" +# Threads +FFUF_THREADS=40 +HTTPX_THREADS=50 +HTTPX_UNCOMMONPORTS_THREADS=150 +SHUFFLEDNS_THREADS=5000 +GOSPIDER_THREADS=50 +GITDORKER_THREADS=5 +XSSTRIKE_THREADS=30 + # lists fuzz_wordlist=${tools}/fuzz_wordlist.txt lfi_wordlist=${tools}/lfi_wordlist.txt subs_wordlist=${tools}/subdomains.txt -resolvers=${tools}/resolvers.txt +resolvers=${tools}/resolvers.txt \ No newline at end of file diff --git a/reconftw.sh b/reconftw.sh index 229cc61d..e82e9f35 100755 --- a/reconftw.sh +++ b/reconftw.sh 
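Review bot: The last cfg line `resolvers=${tools}/resolvers.txt` is rewritten only to drop its trailing newline (`\ No newline at end of file`), which turns it into whitespace churn that will reappear as a `-`/`+` pair on the next edit; restoring the newline removes the change entirely. The seven new `*_THREADS` keys are expanded unquoted straight into tool flags in reconftw.sh (`-t $SHUFFLEDNS_THREADS`, `-threads $HTTPX_THREADS`), so a one-line comment above them such as `# Threads: plain integers only, passed unquoted to each tool's -t/-threads flag` would tell the next editor what values are safe.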
@@ -96,48 +96,38 @@ function tools_installed(){ function google_dorks(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] && [ "$GOOGLE_DORKS" = true ] then - start=`date +%s` - printf "${bgreen}#######################################################################\n" - printf "${bblue} Performing Google Dorks ${reset}\n\n" + start_func "Google Dorks in process" $tools/degoogle_hunter/degoogle_hunter.sh $domain | tee osint/dorks.txt sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" osint/dorks.txt && touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="$\n${bblue} Google Dorks finished in ${runtime} Happy hunting! ${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in osint/dorks.txt" ${FUNCNAME[0]} else - printf "${yellow} ${FUNCNAME[0]} are already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + if [ "$GOOGLE_DORKS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + else + printf "${yellow} ${FUNCNAME[0]} are already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi fi } function github_dorks(){ if ([ ! 
-f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$GITHUB_DORKS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} GitHub Dorks Scanning ${reset}\n\n" - start=`date +%s` + start_func "Github Dorks in process" if [ -s "${GITHUB_TOKENS}" ] then if [ "$DEEP" = true ] ; then - eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e 5 -q $domain -p -d $tools/GitDorker/Dorks/alldorksv3 | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD + eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e $GITDORKER_THREADS -q $domain -p -d $tools/GitDorker/Dorks/alldorksv3 | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD else - eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e 5 -q $domain -p -d $tools/GitDorker/Dorks/medium_dorks.txt | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD + eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e $GITDORKER_THREADS -q $domain -p -d $tools/GitDorker/Dorks/medium_dorks.txt | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD fi sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" osint/gitdorks.txt else printf "\n${bred} Required file ${GITHUB_TOKENS} not exists or empty${reset}\n" fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n GitHub Dorks Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint/gitdorks.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in osint/gitdorks.txt" ${FUNCNAME[0]} else - if [ "$DORKS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + if [ "$GITHUB_DORKS" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode 
or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -147,22 +137,15 @@ function github_dorks(){ function metadata(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$METADATA" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Metadata scan ${reset}\n" - start=`date +%s` + start_func "Scanning metadata in public files" eval metafinder -d $domain -l 20 -o osint -go -bi -ba $DEBUG_STD eval mv osint/${domain}/* osint/ $DEBUG_ERROR eval rmdir osint/${domain} $DEBUG_ERROR touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Metadata scan finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint folder ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in osint/[software/authors/metadata_results].txt" ${FUNCNAME[0]} else if [ "$METADATA" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
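Review bot: `-e $GITDORKER_THREADS` on the two rewritten GitDorker lines replaces the literal `5` with a variable that only exists in the updated reconftw.cfg; a user who keeps a previously customised cfg (it is where the API-key settings live, so it is rarely overwritten) will expand it to nothing and GitDorker sees `-e -q`. A default at the point of use, `-e ${GITDORKER_THREADS:-5}`, or a top-of-script `: "${GITDORKER_THREADS:=5}"`, preserves the old behaviour; the same applies to SHUFFLEDNS_THREADS, HTTPX_THREADS, HTTPX_UNCOMMONPORTS_THREADS and GOSPIDER_THREADS on the new lines in the sub_brute, sub_dns, sub_scraping, sub_permut, webprobe_simple and webprobe_full hunks. Separately, google_dorks keeps `&& touch $called_fn_dir/.${FUNCNAME[0]}` on its sed line while `end_func` is now also handed `${FUNCNAME[0]}`; if end_func writes the marker itself, as the `touch` lines removed from github_dorks and the other functions suggest, the inline touch is redundant, and the same leftover context `touch` sits in the metadata and sub_crt hunks.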
@@ -172,15 +155,13 @@ function metadata(){ function emails(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$EMAILS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Emails search ${reset}\n" - start=`date +%s` + start_func "Searching emails/users/passwords leaks" cd $tools/theHarvester eval python3 theHarvester.py -d $domain -b all $DEBUG_ERROR > $dir/.tmp/harvester.txt cd $dir - cat .tmp/harvester.txt | awk '/Emails/,/Hosts/' | sed -e '1,2d' | head -n -2 | anew -q osint/emails.txt - cat .tmp/harvester.txt | awk '/Users/,/IPs/' | sed -e '1,2d' | head -n -2 | anew -q osint/users.txt - cat .tmp/harvester.txt | awk '/Links/,/Users/' | sed -e '1,2d' | head -n -2 | anew -q osint/linkedin.txt + cat .tmp/harvester.txt | awk '/Emails/,/Hosts/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/emails.txt + cat .tmp/harvester.txt | awk '/Users/,/IPs/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/users.txt + cat .tmp/harvester.txt | awk '/Links/,/Users/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/linkedin.txt eval h8mail -t $domain -q domain --loose -c $tools/h8mail_config.ini -j .tmp/h8_results.json $DEBUG_STD if [ -s ".tmp/h8_results.json" ] 
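Review bot: The three rewritten pipelines after `cd $dir` differ only in the awk section markers and the output file, and each now carries the same six-expression sed chain, so any further tweak to the filter has to be made three times; a small helper taking the two markers removes the duplication. `/found:/Q` is a GNU sed extension, consistent with the `sed -r -i` already used in the file but worth a comment for anyone on BSD sed. The emails function continues past this hunk.
```shell
      cd $dir
      # One section of .tmp/harvester.txt: $1/$2 are the start/end marker regexes
      harvester_section() {
        awk -v s="$1" -v e="$2" '$0 ~ s, $0 ~ e' .tmp/harvester.txt | sed -e '1,2d' | head -n -2 \
          | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q'   # Q is GNU sed
      }
      harvester_section Emails Hosts | anew -q osint/emails.txt
      harvester_section Users IPs | anew -q osint/users.txt
      harvester_section Links Users | anew -q osint/linkedin.txt
      # … unchanged: h8mail run …
```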
@@ -193,22 +174,16 @@ function emails(){ if [ "$PWNDB_STATUS" = 200 ] then cd $tools/pwndb - python3 pwndb.py --target "@${domain}" | anew -q $dir/osint/pwndb.txt + python3 pwndb.py --target "@${domain}" | anew -q $dir/osint/passwords.txt cd $dir else text="${yellow}\n pwndb is currently down :(\n\n Check xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion${reset}\n" printf "${text}" && printf "${text}" | $NOTIFY fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Emails Search Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint folder ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in osint/[emails/users/h8mail/passwords].txt" ${FUNCNAME[0]} else if [ "$EMAILS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -219,10 +194,7 @@ function emails(){ function domain_info(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$DOMAIN_INFO" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Domain info search ${reset}\n" - start=`date +%s` - + start_func "Searching domain info (whois, registrant name/email domains)" lynx -dump https://domainbigdata.com/${domain} | tail -n +19 > osint/domain_info_general.txt cat osint/domain_info_general.txt | grep '/nj/' | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_name.txt 
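Review bot: `anew -q $dir/osint/passwords.txt` now names a file that, judging by the pwndb query `--target "@${domain}"`, collects leaked credentials, yet it is created under the process's default umask like every other result file; a restrictive mode is the safer default for output of this kind. Creating it first with `( umask 077; touch $dir/osint/passwords.txt )` or running `chmod 600 $dir/osint/passwords.txt` right after the pipeline keeps it readable only by the running user. The same consideration applies to .tmp/h8_results.json and the h8mail output named in the `end_func` message, if those also hold credential data — not visible in this hunk.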
@@ -240,27 +212,21 @@ function domain_info(){ if [ -s ".tmp/domain_registrant_email.txt" ] then - for sub in $(cat .tmp/domain_registrant_email.txt); do + for line in $(cat .tmp/domain_registrant_email.txt); do lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_email.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_email.txt done fi if [ -s ".tmp/domain_registrant_ip.txt" ] then - for sub in $(cat .tmp/domain_registrant_ip.txt); do + for line in $(cat .tmp/domain_registrant_ip.txt); do lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_ip.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_ip.txt done fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Domain Info Search Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint folder ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in osint/domain_info_[general/name/email/ip].txt" ${FUNCNAME[0]} else if [ "$DOMAIN_INFO" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
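Review bot: `lynx -dump $line` in both rewritten loops expands a URL read from a .tmp file unquoted, and the `for line in $(cat …)` form word-splits and globs the file's contents; the rename from `sub` to `line` fixes the variable that was never read, but the read itself stays fragile. `while IFS= read -r line; do … done < .tmp/domain_registrant_email.txt` with `lynx -dump "$line"` consumes the same input one line at a time without splitting, and the _ip loop can use the same shape. domain_info's closing brace lies outside this hunk.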
@@ -303,14 +269,11 @@ function subdomains_full(){ NUMOFLINES_probed=$(eval cat webs/webs.txt $DEBUG_ERROR | anew .tmp/probed_old.txt | wc -l) fi printf "${bblue}\n Total subdomains: ${reset}\n\n" - text="${bred}\n - ${NUMOFLINES_subs} new alive subdomains${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY + notification "- ${NUMOFLINES_subs} new alive subdomains" good eval cat subdomains/subdomains.txt $DEBUG_ERROR | sort - text="${bred}\n - ${NUMOFLINES_probed} new web probed${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY + notification "- ${NUMOFLINES_probed} new web probed" good eval cat webs/webs.txt $DEBUG_ERROR | sort - text="${bblue}\n Subdomain Enumeration Finished\n" - printf "${text}" && printf "${text}" | $NOTIFY + notification "Subdomain Enumeration Finished" good printf "${bblue} Results are saved in subdomains/subdomains.txt and webs/webs.txt${reset}\n" printf "${bgreen}#######################################################################\n\n" } @@ -318,8 +281,7 @@ function subdomains_full(){ function sub_passive(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then - start=`date +%s` - printf "${yellow} Running : Passive Subdomain Enumeration${reset}\n" + start_subfunc "Running : Passive Subdomain Enumeration" eval subfinder -d $domain -o .tmp/subfinder.txt $DEBUG_STD eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder.txt eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass.txt $DEBUG_STD 
@@ -327,13 +289,7 @@ function sub_passive(){ eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat.txt timeout 5m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls.txt NUMOFLINES=$(eval cat .tmp/subfinder.txt .tmp/assetfinder.txt .tmp/amass.txt .tmp/findomain.txt .tmp/crobat.txt .tmp/waybackurls.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by passive found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]} else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -342,8 +298,7 @@ function sub_passive(){ function sub_crt(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBCRT" = true ] then - start=`date +%s` - printf "${yellow} Running : Crtsh Subdomain Enumeration${reset}\n" + start_subfunc "Running : Crtsh Subdomain Enumeration" cd $tools/crtfinder eval python3 crtfinder.py -u $domain $DEBUG_STD outputfile=${domain%%.*} 
@@ -372,15 +327,10 @@ function sub_crt(){ fi touch $called_fn_dir/.${FUNCNAME[0]} NUMOFLINES=$(eval cat .tmp/crtsh_subs_tmp.txt $DEBUG_ERROR | anew .tmp/crtsh_subs.txt | wc -l) - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by certificate transparency found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (cert transparency)" ${FUNCNAME[0]} else if [ "$SUBCRT" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -390,20 +340,13 @@ function sub_crt(){ function sub_brute(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBBRUTE" = true ] then - start=`date +%s` - printf "${yellow} Running : Bruteforce Subdomain Enumeration${reset}\n" - eval shuffledns -d $domain -w $subs_wordlist -r $resolvers -t 5000 -o .tmp/active_tmp.txt $DEBUG_STD + start_subfunc "Running : Bruteforce Subdomain Enumeration" + eval shuffledns -d $domain -w $subs_wordlist -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/active_tmp.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/active_tmp.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/brute_subs.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by bruteforce found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} else if [ "$SUBBRUTE" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -413,22 +356,15 @@ function sub_brute(){ function sub_dns(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then - start=`date +%s` - printf "${yellow} Running : Active Subdomain Enumeration${reset}\n" + start_subfunc "Running : Active Subdomain Enumeration" cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt - eval shuffledns -d $domain -list .tmp/subs_no_resolved.txt -r $resolvers -t 5000 -o .tmp/subdomains_tmp.txt $DEBUG_STD + eval shuffledns -d $domain -list .tmp/subs_no_resolved.txt -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/subdomains_tmp.txt $DEBUG_STD echo $domain | dnsx -silent | anew -q .tmp/subdomains_tmp.txt dnsx -retry 3 -silent -cname -resp-only -l .tmp/subdomains_tmp.txt | grep ".$domain$" | anew -q .tmp/subdomains_tmp.txt eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt $DEBUG_STD - NUMOFLINES=$(cat .tmp/subdomains_tmp.txt | anew subdomains/subdomains.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by dns resolution found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) + end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]} else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
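Review bot: The rewritten `NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l)` is the step that merges this run's resolved names into subdomains/subdomains.txt, but the context line just above it, `eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt …`, reads that file before the merge, so subdomains_cname.txt lags one run behind; the ordering predates the commit, but the commit rewrites the neighbouring line. Moving the `-cname -resp` dnsx line below the NUMOFLINES assignment fixes it, and the assignment still precedes `end_subfunc`, which is what consumes NUMOFLINES.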
@@ -437,23 +373,16 @@ function sub_dns(){ function sub_scraping(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBSCRAPING" = true ] then - start=`date +%s` - printf "${yellow} Running : Source code scraping subdomain search${reset}\n\n" + start_subfunc "Running : Source code scraping subdomain search" touch .tmp/scrap_subs.txt - cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt - gospider -S .tmp/probed_tmp.txt --js -t 50 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt - cat .tmp/scrap_subs.txt | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/scrap_subs_resolved.txt $DEBUG_STD + cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt + gospider -S .tmp/probed_tmp.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt + cat .tmp/scrap_subs.txt | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/scrap_subs_resolved.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by scraping found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]} else if [ "$SUBSCRAPING" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in 
reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
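Review bot: The rewritten httpx line keeps probed hosts with `grep ".$domain$"`, where the unescaped `.` matches any character, so a host such as `notexample.com` passes the in-scope check for `example.com` and is then handed to gospider; the same pattern is on the new httpx lines in webprobe_simple and webprobe_full (the latter without the `$` anchor as well). Escaping the separator, `grep "\.$domain$"`, limits the match to real subdomains; the dots inside `$domain` are still regex metacharacters, a smaller gap that `grep "\.${domain//./\\.}$"` closes. The gospider output line applies the same `grep ".$domain$"` to discovered hostnames and would benefit from the same fix.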
@@ -463,30 +392,29 @@ function sub_scraping(){ function sub_permut(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBPERMUTE" = true ] then - start=`date +%s` - printf "${yellow} Running : Permutations Subdomain Enumeration${reset}\n" + start_subfunc "Running : Permutations Subdomain Enumeration" if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 50 ]] then - eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute1_tmp.txt $DEBUG_STD + eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute1_tmp.txt $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt - eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute2_tmp.txt $DEBUG_STD + eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute2_tmp.txt $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]] then - eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute_tmp.txt $DEBUG_STD + eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute_tmp.txt $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else if [[ $(cat subdomains/subdomains.txt | wc -l) -le 50 ]] then - eval dnsgen subdomains/subdomains.txt --wordlist 
$tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute1_tmp.txt $DEBUG_STD + eval dnsgen subdomains/subdomains.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute1_tmp.txt $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt - eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute2_tmp.txt $DEBUG_STD + eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute2_tmp.txt $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]] then - eval dnsgen subdomains/subdomains.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute_tmp.txt $DEBUG_STD + eval dnsgen subdomains/subdomains.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute_tmp.txt $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n" 
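Review bot: The six rewritten dnsgen-into-shuffledns pipelines are the same two code paths (a two-pass run through permute1/permute2 and a single-pass run through permute_tmp) repeated for `.tmp/subs_no_resolved.txt` and `subdomains/subdomains.txt`, which is why the thread-count change had to be applied in six places; two helpers taking the input file reduce it to one definition each. The `-le 50` / `-le 100` / else branching and the temp-file names are unchanged below. sub_permut's closing part is in the following hunk.
```shell
      # Two dnsgen/shuffledns passes over $1; results accumulate in .tmp/permute_subs.txt
      permute_two_pass() {
        eval dnsgen "$1" --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute1_tmp.txt $DEBUG_STD
        eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt
        eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute2_tmp.txt $DEBUG_STD
        eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt
        eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
      }
      # Single dnsgen/shuffledns pass over $1
      permute_one_pass() {
        eval dnsgen "$1" --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute_tmp.txt $DEBUG_STD
        eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt
      }
      if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 50 ]]; then
        permute_two_pass .tmp/subs_no_resolved.txt
      elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]]; then
        permute_one_pass .tmp/subs_no_resolved.txt
      else
        if [[ $(cat subdomains/subdomains.txt | wc -l) -le 50 ]]; then
          permute_two_pass subdomains/subdomains.txt
        elif [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]]; then
          permute_one_pass subdomains/subdomains.txt
        else
          printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n"
          # … unchanged: remainder of the else branch and NUMOFLINES handling …
```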
@@ -499,16 +427,10 @@ function sub_permut(){ else NUMOFLINES=0 fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by permutations found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (permutations)" ${FUNCNAME[0]} else if [ "$SUBPERMUTE" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -518,26 +440,17 @@ function sub_permut(){ function subtakeover(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBTAKEOVER" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Subdomain Takeover ${reset}\n\n" - start=`date +%s` + start_func "Looking for possible subdomain takeover" touch .tmp/tko.txt cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/takeovers/ -o .tmp/tko.txt NUMOFLINES=$(eval cat .tmp/tko.txt $DEBUG_ERROR | anew webs/takeover.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end if [ "$NUMOFLINES" -gt 0 ]; then - text="${bred}\n ${NUMOFLINES} new possible takeovers found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY + notification "${NUMOFLINES} new possible takeovers found in ${runtime}" good fi - text="${bblue}\n Subdomain Takeover Finished\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in webs/takeover.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in webs/takeover.txt" ${FUNCNAME[0]} else if [ "$SUBTAKEOVER" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
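Review bot: `notification "${NUMOFLINES} new possible takeovers found in ${runtime}" good` interpolates `${runtime}`, but the `getElapsedTime $start $end` that used to set it is removed in this hunk and `end_func`, which presumably computes it now, only runs afterwards, so the message carries the previous function's elapsed time or an empty string. Either drop the time from this message, `notification "${NUMOFLINES} new possible takeovers found" good`, and let end_func report the duration, or call the timing helper before the notification. webprobe_full has the identical stale `${runtime}` in its `notification "Uncommon web ports: …"` line.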
@@ -551,21 +464,14 @@ function subtakeover(){ function webprobe_simple(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBESIMPLE" = true ] then - start=`date +%s` - printf "${yellow} Running : Http probing${reset}\n\n" - cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt + start_subfunc "Running : Http probing" + cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new websites resolved in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} else if [ "$WEBPROBESIMPLE" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -575,26 +481,15 @@ function webprobe_simple(){ function webprobe_full(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} ${bgreen} Web Probe ${reset}\n\n" - printf "${yellow} Running : Http probing non standard ports${reset}\n\n" - start=`date +%s` - cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads 150 -timeout 10 -silent -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt + start_func "Http probing non standard ports" + cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - 
getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${bred}\n Uncommon web ports: ${NUMOFLINES} new websites in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR - fi - printf "${bblue}\n Web Probe Finished\n" - printf "${bblue} Results are saved in webs/webs_uncommon_ports.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + notification "Uncommon web ports: ${NUMOFLINES} new websites in ${runtime}" good + eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR + end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]} else if [ "$WEBPROBEFULL" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
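Review bot: The `if [ "$NUMOFLINES" -gt 0 ]` guard that wrapped the notification and the `cat webs/webs_uncommon_ports.txt` is removed, so every run now pushes a "0 new websites" message through the notification channel and prints the whole existing file, where the old code did both only when something new turned up. Putting the guard back around the two new lines, `if [ "$NUMOFLINES" -gt 0 ]; then` … `fi`, keeps `end_func` unconditional while making the extra output conditional again. webprobe_full's closing brace lies outside this hunk.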
@@ -604,21 +499,13 @@ function webprobe_full(){ function screenshot(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBSCREENSHOT" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} ${bgreen} Web Screenshot ${reset}\n\n" - start=`date +%s` + start_func "Web Screenshots" eval gowitness file -f webs/webs.txt --disable-db --disable-logging $DEBUG_ERROR eval gowitness file -f webs/webs_uncommon_ports.txt --disable-db --disable-logging $DEBUG_ERROR - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Web Screenshot Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in screenshots folder${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in screenshots folder" ${FUNCNAME[0]} else if [ "$WEBSCREENSHOT" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -632,9 +519,7 @@ function screenshot(){ function favicon(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$FAVICON" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} FavIcon Hash Extraction ${reset}\n\n" - start=`date +%s` + start_func "Favicon Ip Lookup" cd $tools/fav-up eval python3 favUp.py -w $domain -sc -o favicontest.json $DEBUG_STD if [ -f "favicontest.json" ] 
@@ -645,16 +530,11 @@ function favicon(){
 eval mv favicontest.txt $dir/hosts/favicontest.txt $DEBUG_ERROR
 eval rm favicontest.json $DEBUG_ERROR
 fi
- cd $dir && touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n FavIcon Hash Extraction Finished in ${runtime}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in hosts/favicontest.txt${reset}\n"
- printf "${bgreen}#######################################################################\n\n"
+ cd $dir
+ end_func "Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]}
 else
 if [ "$FAVICON" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -664,10 +544,7 @@ function favicon(){
 function portscan(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$PORTSCANNER" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} Port Scan ${reset}\n\n"
- start=`date +%s`
-
+ start_func "Port scan"
 for sub in $(cat subdomains/subdomains.txt); do
 echo "$sub $(dig +short a $sub | tail -n1)" | anew -q hosts/subdomains_ips.txt
 done
@@ -679,9 +556,10 @@ function portscan(){ printf "${bblue}\n Resolved IP addresses (No WAF) ${reset}\n\n"; eval cat .tmp/ips_nowaf.txt $DEBUG_ERROR | sort - if [ "$PORTSCAN_PASSIVE" = true ] && [ ! -f "${domain}_portscan_passive.txt" ] + printf "${bblue}\n Scanning ports... ${reset}\n\n"; + if [ "$PORTSCAN_PASSIVE" = true ] && [ ! -f "hosts/portscan_passive.txt" ] then - for sub in $(cat .tmp/ips_nowaf.txt); do + for sub in $(cat hosts/ips.txt); do shodan host $sub 2>/dev/null >> hosts/portscan_passive.txt && echo -e "\n\n#######################################################################\n\n" >> hosts/portscan_passive.txt done fi @@ -691,17 +569,10 @@ function portscan(){ eval nmap --top-ports 1000 -sV -n --max-retries 2 -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt $DEBUG_STD fi - #eval cat portscan.txt $DEBUG_ERROR - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Port scan Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in portscan_[passive|active].txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} else if [ "$PORTSCANNER" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
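Review bot: The passive Shodan loop now reads `hosts/ips.txt` instead of `.tmp/ips_nowaf.txt`, so the addresses that were excluded from the "Resolved IP addresses (No WAF)" set are looked up as well; those are typically shared WAF/CDN edges rather than target-owned hosts, so the lookups spend API credits on, and write third-party infrastructure into, `hosts/portscan_passive.txt`. The active nmap run in the next hunk still uses `-iL .tmp/ips_nowaf.txt`, so the two scans now cover different host sets. If the widening is deliberate, add a comment saying so; otherwise keep `for sub in $(cat .tmp/ips_nowaf.txt); do`. The `[ ! -f "hosts/portscan_passive.txt" ]` guard also means a `DIFF=true` rerun keeps the stale file instead of refreshing it, which looks intended as a cache and is worth a one-line comment.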
@@ -716,23 +587,15 @@ function portscan(){
 function waf_checks(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WAF_DETECTION" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} ${bgreen} Detecting WAF in websites ${reset}\n\n"
- start=`date +%s`
+ start_func "Website's WAF detection"
 wafw00f -i webs/webs.txt -o .tmp/wafs.txt &>/dev/null
 cat .tmp/wafs.txt | sed -e 's/^[ \t]*//' -e 's/ \+ /\t/g' -e '/(None)/d' | tr -s "\t" ";" > webs/webs_wafs.txt
 NUMOFLINES=$(eval cat webs/webs_wafs.txt $DEBUG_ERROR | wc -l)
- text="${bblue}\n ${NUMOFLINES} websites protected by waf ${reset}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- printf "${bblue}\n WAF Detecion Finished in ${runtime}\n"
- printf "${bblue} Results are saved in screenshots folder${reset}\n"
- printf "${bgreen}#######################################################################\n\n"
+ notification "${NUMOFLINES} websites protected by waf" info
+ end_func "Results are saved in webs/webs_wafs.txt" ${FUNCNAME[0]}
 else
 if [ "$WAF" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
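Review bot: The skip branch tests `[ "$WAF" = false ]` while the function is gated on `[ "$WAF_DETECTION" = true ]` (the name the cfg diff uses), so a user who disables WAF detection gets the misleading "already processed ... delete $called_fn_dir/..." message rather than "skipped". Change it to `if [ "$WAF_DETECTION" = false ]; then`. The mismatch is pre-existing, but this hunk rewrites the line directly below it, so it is the natural place to fix it.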
@@ -742,39 +605,32 @@ function waf_checks(){ function nuclei_check(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$NUCLEICHECK" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Template Scanning with Nuclei ${reset}\n\n" - start=`date +%s` + start_func "Templates based web scanner" eval nuclei -update-templates $DEBUG_STD mkdir -p nuclei_output - printf "${yellow} Running : Nuclei Technologies${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -o nuclei_output/technologies.txt; + printf "${yellow}\n Running : Nuclei Technologies${reset}\n\n" + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -o nuclei_output/technologies.txt printf "${yellow}\n\n Running : Nuclei Tokens${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -o nuclei_output/tokens.txt; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -o nuclei_output/tokens.txt printf "${yellow}\n\n Running : Nuclei Exposures${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposures/ -o nuclei_output/exposures.txt; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposures/ -o nuclei_output/exposures.txt printf "${yellow}\n\n Running : Nuclei CVEs ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/cves/ -o nuclei_output/cves.txt; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/cves/ -o nuclei_output/cves.txt printf "${yellow}\n\n Running : Nuclei Default Creds ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/default-logins/ -o nuclei_output/default_creds.txt; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/default-logins/ -o 
nuclei_output/default_creds.txt printf "${yellow}\n\n Running : Nuclei DNS ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/dns/ -o nuclei_output/dns.txt; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/dns/ -o nuclei_output/dns.txt printf "${yellow}\n\n Running : Nuclei Panels ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-panels/ -o nuclei_output/panels.txt; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-panels/ -o nuclei_output/panels.txt printf "${yellow}\n\n Running : Nuclei Security Misconfiguration ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/misconfiguration/ -o nuclei_output/misconfigurations.txt; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/misconfiguration/ -o nuclei_output/misconfigurations.txt printf "${yellow}\n\n Running : Nuclei Vulnerabilites ${reset}\n\n" - cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/vulnerabilities/ -o nuclei_output/vulnerabilities.txt && touch $called_fn_dir/.${FUNCNAME[0]}; + cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/vulnerabilities/ -o nuclei_output/vulnerabilities.txt printf "\n\n" - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Nuclei Scan Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in nuclei_output folder ${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in nuclei_output folder" ${FUNCNAME[0]} else if [ "$NUCLEICHECK" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already 
processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
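Review bot: The `&& touch $called_fn_dir/.${FUNCNAME[0]}` suffix on the final nuclei run is dropped and completion is now signalled by `end_func`; if `end_func` creates the marker unconditionally (not visible here, but the other converted functions no longer touch it themselves), a failed nuclei invocation — missing `~/nuclei-templates`, bad `-H` value, process killed mid-run — is recorded as done and every later run skips the scan silently. If the marker is meant to mean "results complete", keep a failure signal, e.g. `cat webs/webs.txt | nuclei ... -o nuclei_output/vulnerabilities.txt || printf "${bred} nuclei vulnerabilities run failed${reset}\n"` and skip `end_func` in that case. Also worth a comment on `eval nuclei -update-templates $DEBUG_STD`: it fetches templates from the network on every run with all output discarded, so an update failure is invisible.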
@@ -784,28 +640,19 @@ function nuclei_check(){ function fuzz(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$FUZZ" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Directory Fuzzing ${reset}\n" - printf "${yellow}\n\n Fuzzing subdomains with ${fuzz_wordlist}${reset}\n\n" - start=`date +%s` + start_func "Web directory fuzzing" mkdir -p $dir/fuzzing for sub in $(cat webs/webs.txt); do printf "${yellow}\n\n Running: Fuzzing in ${sub}${reset}\n" sub_out=$(echo $sub | sed -e 's|^[^/]*//||' -e 's|/.*$||') - ffuf -mc all -fc 404 -ac -sf -s -H "${HEADER}" -w $fuzz_wordlist -maxtime 900 -u $sub/FUZZ -or -o $dir/fuzzing/${sub_out}.tmp &>/dev/null + ffuf -mc all -fc 404 -ac -t $FFUF_THREADS -sf -s -H "${HEADER}" -w $fuzz_wordlist -maxtime 900 -u $sub/FUZZ -or -o $dir/fuzzing/${sub_out}.tmp &>/dev/null eval cat $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR | jq '[.results[]|{status: .status, length: .length, url: .url}]' | grep -oP "status\":\s(\d{3})|length\":\s(\d{1,7})|url\":\s\"(http[s]?:\/\/.*?)\"" | paste -d' ' - - - | awk '{print $2" "$4" "$6}' | sed 's/\"//g' | sort |anew -q $dir/fuzzing/${sub_out}.txt eval rm $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR done - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Directory Fuzzing Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in fuzzing/*subdomain*.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in fuzzing/*subdomain*.txt" ${FUNCNAME[0]} else if [ "$FUZZ" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already 
processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -815,9 +662,7 @@ function fuzz(){ function cms_scanner(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CMS_SCANNER" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} CMS Scanner ${reset}\n" - start=`date +%s` + start_func "CMS Scanner" mkdir -p $dir/cms && rm -rf $dir/cms/* tr '\n' ',' < webs/webs.txt > .tmp/cms.txt eval python3 $tools/CMSeeK/cmseek.py -l .tmp/cms.txt --batch -r $DEBUG_STD @@ -831,16 +676,10 @@ function cms_scanner(){ mv -f $tools/CMSeeK/Result/${sub_out} $dir/cms/ fi done - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n CMS Scanner finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in cms/*subdomain* folder${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in cms/*subdomain* folder" ${FUNCNAME[0]} else if [ "$CMS_SCANNER" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
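Review bot: `-t $FFUF_THREADS` is unquoted and has no fallback, so a user running with a reconftw.cfg that predates the new `FFUF_THREADS` line makes ffuf see `-t -sf`, and the resulting usage error is swallowed by `&>/dev/null` — every target then yields an empty `fuzzing/<host>.txt` with no warning. Use `-t "${FFUF_THREADS:-40}"` (the value the cfg diff introduces), and the same `${VAR:-default}` form for `HTTPX_THREADS`, `GOSPIDER_THREADS` and `XSSTRIKE_THREADS` in the later hunks, or validate all thread settings once after the cfg is sourced. The enclosing fuzz loop starts in this hunk; the function's closing brace is outside it.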
@@ -850,9 +689,7 @@ function cms_scanner(){
 function params(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$PARAMS" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} Parameter Discovery ${reset}\n"
- start=`date +%s`
+ start_func "Parameter Discovery"
 printf "${yellow}\n\n Running : Searching params with paramspider${reset}\n"
 cat webs/webs.txt | sed -r "s/https?:\/\///" | anew -q .tmp/probed_nohttp.txt
 interlace -tL .tmp/probed_nohttp.txt -threads 10 -c "python3 $tools/ParamSpider/paramspider.py -d _target_ -l high -q --exclude eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt,js" &>/dev/null
@@ -861,25 +698,20 @@ function params(){ eval rm -rf output/ $DEBUG_ERROR if [ "$DEEP" = true ] ; then printf "${yellow}\n\n Running : Checking ${domain} with Arjun${reset}\n" - eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD else if [[ $(cat .tmp/param_tmp.txt | wc -l) -le 50 ]] then printf "${yellow}\n\n Running : Checking ${domain} with Arjun${reset}\n" - eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD else - cp .tmp/param_tmp.txt webs/param.txt && touch $called_fn_dir/.${FUNCNAME[0]} + cp .tmp/param_tmp.txt webs/param.txt fi fi - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Parameter Discovery Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in webs/param.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in webs/param.txt" ${FUNCNAME[0]} else if [ "$PARAMS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -887,38 +719,28 @@ function params(){ } function urlchecks(){ - if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$URL_CHECK" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} URL Extraction ${reset}\n\n" - start=`date +%s` + start_func "URL Extraction" mkdir -p js cat webs/webs.txt | waybackurls | anew -q .tmp/url_extract_tmp.txt cat webs/webs.txt | gau | anew -q .tmp/url_extract_tmp.txt if [ "$DEEP" = true ] ; then - gospider -S webs/webs.txt --js -t 50 -d 3 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt + gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 3 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt else - gospider -S webs/webs.txt --js -t 50 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt + gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt fi if [ -s "${GITHUB_TOKENS}" ] then - eval github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -raw $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt + eval github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt $DEBUG_STD + eval cat .tmp/github-endpoints.txt $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt fi eval cat .tmp/url_extract_tmp.txt webs/param.txt $DEBUG_ERROR | grep "${domain}" | grep "=" | eval qsreplace -a $DEBUG_ERROR | egrep -iv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)" | anew -q .tmp/url_extract_tmp2.txt cat .tmp/url_extract_tmp.txt | grep "${domain}" | egrep -i 
"\.(js)" | anew -q js/url_extract_js.txt eval uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/url_extract_uddup.txt $DEBUG_ERROR | anew webs/url_extract.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]}; - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n URL Extraction Finished\n" - printf "${text}" && printf "${text}" | $NOTIFY - if [ "$NUMOFLINES" -gt 0 ]; then - text="${bblue}\n ${NUMOFLINES} new urls in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi - printf "${bblue} Results are saved in webs/url_extract.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + notification "${NUMOFLINES} new urls with params" good + end_func "Results are saved in webs/url_extract.txt" ${FUNCNAME[0]} else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -927,9 +749,7 @@ function urlchecks(){ function url_gf(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$URL_GF" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Vulnerable Pattern Search ${reset}\n\n" - start=`date +%s` + start_func "Vulnerable Pattern Search" mkdir -p gf gf xss webs/url_extract.txt | anew -q gf/xss.txt gf ssti webs/url_extract.txt | anew -q gf/ssti.txt 
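Review bot: The new `[ "$URL_CHECK" = true ]` gate has no matching else branch: when `URL_CHECK=false` the function falls through to `printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ... delete $called_fn_dir/.${FUNCNAME[0]}"`, which is wrong and tells the user to delete a marker that was never created. Mirror the other converted functions: `if [ "$URL_CHECK" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"; else <existing printf>; fi`. The `-t $GOSPIDER_THREADS` substitutions carry the same unset-variable risk as the other new thread knobs (`"${GOSPIDER_THREADS:-50}"` is safer); the function's opening brace is in this hunk, its closing brace is not.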
@@ -940,16 +760,10 @@ function url_gf(){
 gf potential webs/url_extract.txt | cut -d ':' -f3-5 |anew -q gf/potential.txt
 cat webs/url_extract.txt | unfurl -u format %s://%d%p | anew -q gf/endpoints.txt
 gf lfi webs/url_extract.txt | anew -q gf/lfi.txt
- touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n Vulnerable Pattern Search Finished in ${runtime}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in gf folder${reset}\n"
- printf "${bgreen}#######################################################################\n\n"
+ end_func "Results are saved in gf folder" ${FUNCNAME[0]}
 else
 if [ "$URL_GF" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -959,30 +773,23 @@ function url_gf(){ function jschecks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$JSCHECKS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Javascript Scan ${reset}\n\n" - start=`date +%s` + start_func "Javascript Scan" printf "${yellow} Running : Fetching Urls 1/5${reset}\n" cat js/url_extract_js.txt | cut -d '?' -f 1 | grep -iE "\.js$" | anew -q js/jsfile_links.txt cat js/url_extract_js.txt | subjs | anew -q js/jsfile_links.txt printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n" - cat js/jsfile_links.txt | httpx -follow-redirects -H "${HEADER}" -silent -timeout 15 -status-code -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt + cat js/jsfile_links.txt | httpx -follow-redirects -H "${HEADER}" -silent -timeout 15 -threads $HTTPX_THREADS -status-code -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt printf "${yellow} Running : Gathering endpoints 3/5${reset}\n" interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> js/js_endpoints.txt" &>/dev/null + sed -i '/^\//!d' js/js_endpoints.txt printf "${yellow} Running : Gathering secrets 4/5${reset}\n" cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -o js/js_secrets.txt $DEBUG_STD printf "${yellow} Running : Building wordlist 5/5${reset}\n" cat js/js_livelinks.txt | eval python3 $tools/getjswords.py $DEBUG_ERROR | anew -q webs/dict_words.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Javascript Scan Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in js folder${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in js folder" ${FUNCNAME[0]} 
else if [ "$JSCHECKS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -992,19 +799,18 @@ function jschecks(){ function wordlist_gen(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WORDLIST" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Wordlist generation ${reset}\n\n" - start=`date +%s` + start_func "Wordlist generation" cat .tmp/url_extract_tmp.txt | unfurl -u keys | sed 's/[][]//g' | sed 's/[#]//g' | sed 's/[}{]//g' | anew -q webs/dict_words.txt cat .tmp/url_extract_tmp.txt | unfurl -u path | anew -q webs/dict_paths.txt touch $called_fn_dir/.${FUNCNAME[0]} - text="${bblue}\n Wordlists Generated\n" - printf "${text}" && printf "${text}" | $NOTIFY + end=`date +%s` + getElapsedTime $start $end + notification "Wordlists Generated in ${runtime}" info printf "${bblue} Results are saved in webs/dict_[words|paths].txt${reset}\n" printf "${bgreen}#######################################################################\n\n" else if [ "$WORDLIST" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
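Review bot: The new `sed -i '/^\//!d' js/js_endpoints.txt` deletes every LinkFinder line that does not begin with `/`, which would also discard any absolute `http(s)://` endpoints the tool emits for the target, not only the noise it is presumably meant to strip; if only relative paths are wanted, say so in a comment, otherwise keep in-scope absolute URLs too with `sed -i -E '/^(\/|https?:\/\/)/!d' js/js_endpoints.txt`. It also runs when interlace produced no output file, so guard it: `[ -s js/js_endpoints.txt ] && sed -i ...`. `-threads $HTTPX_THREADS` has the same unset-variable risk as the other new thread knobs; `"${HTTPX_THREADS:-50}"` is safer.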
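Review bot: wordlist_gen is the only function in this series that keeps a hand-rolled epilogue (`touch`, `end=\`date +%s\``, `getElapsedTime $start $end`, `notification`, two `printf`s) after switching to `start_func`, so it now depends on `start_func` having set the global `start` (not visible in this diff) and duplicates what `end_func` does everywhere else. Replace the six trailing lines with `end_func "Results are saved in webs/dict_[words|paths].txt" ${FUNCNAME[0]}`, or add a comment explaining why this one must differ.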
@@ -1017,24 +823,15 @@ function wordlist_gen(){ function brokenLinks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$BROKENLINKS" = true ] ; then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Broken links checks ${reset}\n\n" - start=`date +%s` - gospider -S webs/webs.txt --js -t 50 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep -v ".$domain" | httpx -status-code -follow-redirects -timeout 15 -silent -no-color | grep '\[404\]' | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt + start_func "Broken links checks" + interlace -tL webs/webs.txt -threads 10 -c "wget --spider -r -nd -nv -H -l 1 -w 1 --no-check-certificate -U 'Mozilla' -o _output_/_cleantarget__brokenLinks.tmp _target_" -o .tmp &>/dev/null + cat .tmp/*_brokenLinks.tmp | grep "^http" | grep -v ':$' | anew -q .tmp/brokenLinks_total.txt NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | cut -d ' ' -f2 | anew webs/brokenLinks.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${bred}\n ${NUMOFLINES} new broken links found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi - printf "${bblue}\n Broken links checks Finished in ${runtime}\n" - printf "${bblue} Results are saved in webs/brokenLinks.txt ${reset}\n" - printf "${bgreen}#######################################################################\n\n" + notification "${NUMOFLINES} new broken links found in ${runtime}" good + end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]} else if [ "$BROKENLINKS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to 
force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
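Review bot: The new wget spider combines `-r` with `-H`, so it follows links onto any foreign host a target page references (bounded only by `-l 1`) and sends recursive requests to third-party sites that are outside the assessment scope; if only the target's own links are meant to be checked, drop `-H`, otherwise document that off-host probing is intended and throttled by `-w 1`. It also replaces the configured `${HEADER}` with a hard-coded `-U 'Mozilla'`, so the User-Agent the operator set in reconftw.cfg no longer reaches these requests — wget accepts `--header="${HEADER}"`. `--no-check-certificate` is reasonable for a 404 check but deserves a one-line comment so it is not copied into a step that downloads content.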
@@ -1044,41 +841,34 @@ function brokenLinks(){ function xss(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$XSS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} XSS Analysis ${reset}\n\n" - start=`date +%s` + start_func "XSS Analysis" cat gf/xss.txt | qsreplace FUZZ | Gxss -c 100 -p Xss | anew -q .tmp/xss_reflected.txt if [ "$DEEP" = true ] ; then if [ -n "$XSS_SERVER" ]; then sed -i "s/^blindPayload = \x27\x27/blindPayload = \x27${XSS_SERVER}\x27/" $tools/XSStrike/core/config.py - eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} else printf "${yellow}\n No XSS_SERVER defined, blind xss skipped\n\n" - eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} fi else if [[ $(cat .tmp/xss_reflected.txt | wc -l) -le 200 ]] then if [ -n "$XSS_SERVER" ]; then sed -i "s/^blindPayload = \x27\x27/blindPayload = \x27${XSS_SERVER}\x27/" $tools/XSStrike/core/config.py - eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} else printf "${yellow}\n No XSS_SERVER defined, blind xss skipped\n\n" - eval 
python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} fi else printf "${bred} Skipping XSS: Too Much URLs to test, try with --deep flag${reset}\n" fi fi - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n XSS Analysis Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/xss.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in vulns/xss.txt" ${FUNCNAME[0]} else if [ "$XSS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
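Review bot: `end_func "Results are saved in vulns/xss.txt" ${FUNCNAME[0]}` now runs on every path through the function, including the `Skipping XSS: Too Much URLs to test` branch where XSStrike never ran; if `end_func` creates the marker (the hunk's retained `&& touch $called_fn_dir/.${FUNCNAME[0]}` suffixes suggest the two at least overlap), a skipped scan is recorded as processed and a later `--deep` rerun is refused until the marker is deleted by hand. Either move the `end_func` call into the branches that actually scan, or let the skip branch print its separator and fall through without it, as open_redirect's skip branch does in a later hunk. With `end_func` in place the four `&& touch ...` suffixes are redundant and can be removed.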
@@ -1088,20 +878,13 @@ function xss(){
 function cors(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CORS" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} CORS Scan ${reset}\n\n"
- start=`date +%s`
+ start_func "CORS Scan"
 eval python3 $tools/Corsy/corsy.py -i webs/webs.txt > webs/cors.txt $DEBUG_STD
 eval cat webs/cors.txt $DEBUG_ERROR && touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n CORS Scan Finished in ${runtime}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in webs/cors.txt ${reset}\n"
- printf "${bgreen}#######################################################################\n"
+ end_func "Results are saved in webs/cors.txt"
 else
 if [ "$CORS" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
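Review bot: `end_func "Results are saved in webs/cors.txt"` omits the `${FUNCNAME[0]}` argument that every other converted function passes, so whatever `end_func` does with its second argument (the other hunks suggest it is the function name used for the marker) receives an empty value here. Change it to `end_func "Results are saved in webs/cors.txt" ${FUNCNAME[0]}`. The marker is still created by the preceding `eval cat webs/cors.txt $DEBUG_ERROR && touch ...`, but only when that file exists, so the two mechanisms disagree whenever Corsy produced nothing.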
@@ -1111,43 +894,27 @@ function cors(){ function open_redirect(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$OPEN_REDIRECT" = true ] then + start_func "Open redirects checks" if [ "$DEEP" = true ] ; then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Open redirects checks ${reset}\n" - start=`date +%s` cat gf/redirect.txt | qsreplace FUZZ | anew -q .tmp/tmp_redirect.txt eval python3 $tools/OpenRedireX/openredirex.py -l .tmp/tmp_redirect.txt --keyword FUZZ -p $tools/OpenRedireX/payloads.txt $DEBUG_ERROR | grep "^http" > vulns/redirect.txt sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" vulns/redirect.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Open Redirects Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/openredirex.txt ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in vulns/openredirex.txt" ${FUNCNAME[0]} else if [[ $(cat gf/redirect.txt | wc -l) -le 1000 ]] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Open redirects checks ${reset}\n" - start=`date +%s` cat gf/redirect.txt | qsreplace FUZZ | anew -q .tmp/tmp_redirect.txt eval python3 $tools/OpenRedireX/openredirex.py -l .tmp/tmp_redirect.txt --keyword FUZZ -p $tools/OpenRedireX/payloads.txt $DEBUG_ERROR | grep "^http" > vulns/redirect.txt sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" vulns/redirect.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Open Redirects Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/redirect.txt ${reset}\n" + end_func "Results are saved in 
vulns/openredirex.txt" ${FUNCNAME[0]} else printf "${bred} Skipping Open redirects: Too Much URLs to test, try with --deep flag${reset}\n" + printf "${bgreen}#######################################################################\n" fi fi - printf "${bgreen}#######################################################################\n" else if [ "$OPEN_REDIRECT" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
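Review bot: Both `end_func` messages now name `vulns/openredirex.txt`, but the command above writes `> vulns/redirect.txt` and the `sed -i` cleans `vulns/redirect.txt`; the old non-deep branch had the correct name and this hunk changes it to the wrong one. Use `end_func "Results are saved in vulns/redirect.txt" ${FUNCNAME[0]}` in both branches. The "Skipping Open redirects" path printing a separator and not calling `end_func` is the right shape — the xss hunk above should match it. The function's closing brace is outside this hunk.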
@@ -1157,56 +924,41 @@ function open_redirect(){ function ssrf_checks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSRF_CHECKS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} SSRF checks ${reset}\n" if [ -n "$COLLAB_SERVER" ]; then + start_func "SSRF checks" if [ "$DEEP" = true ] ; then - start=`date +%s` cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done - eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt - - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SSRF Finished in ${runtime}, check your callback server\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in ssrf_confirmed.txt ${reset}\n" + end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} else if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]] then - start=`date +%s` cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep 
"URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SSRF Finished in ${runtime}, check your callback server\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/ssrf.txt ${reset}\n" + end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} else printf "${bred} Skipping SSRF: Too Much URLs to test, try with --deep flag${reset}\n" fi fi else printf "${bred}\n No COLLAB_SERVER defined\n" + printf "${bgreen}#######################################################################\n" fi - printf "${bgreen}#######################################################################\n" else if [ "$SSRF_CHECKS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -1216,19 +968,12 @@ function ssrf_checks(){ function crlf_checks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CRLF_CHECKS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} CRLF checks ${reset}\n" - start=`date +%s` - eval crlfuzz -l webs/webs.txt -o vulns/crlf.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n CRLF Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in crlf.txt ${reset}\n" - printf "${bgreen}#######################################################################\n" + start_func "CRLF checks" + eval crlfuzz -l webs/webs.txt -o vulns/crlf.txt $DEBUG_STD + end_func "Results are saved in vulns/crlf.txt" ${FUNCNAME[0]} else if [ "$CRLF_CHECKS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
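Review bot: The completion marker is now written by `end_func` regardless of crlfuzz's exit status, whereas the removed line only touched it on success via `&& touch`; with `$DEBUG_STD` silencing the tool, a missing binary or a crashed run is recorded as done and silently skipped on the next invocation. Keep the status visible, e.g. `eval crlfuzz -l webs/webs.txt -o vulns/crlf.txt $DEBUG_STD || notification "crlfuzz failed, vulns/crlf.txt may be incomplete" error` before the `end_func` line, or make the marker depend on the result. crlf_checks' closing lines fall outside the hunk.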
@@ -1238,23 +983,15 @@ function crlf_checks(){ function lfi(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$LFI" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} LFI checks ${reset}\n" - start=`date +%s` + start_func "LFI checks" cat gf/lfi.txt | qsreplace FUZZ | anew -q .tmp/tmp_lfi.txt for url in $(cat .tmp/tmp_lfi.txt); do - ffuf -v -mc 200 -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt + ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt done - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n LFI Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in lfi.txt ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in vulns/lfi.txt" ${FUNCNAME[0]} else if [ "$LFI" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
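Review bot: The modified ffuf line's `&>/dev/null` discards ffuf's stdout before the pipe, so `grep "URL"` never sees a hit and vulns/lfi.txt stays empty even when `-mr "root:"` matches; redirect stderr only: `ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" 2>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt`. The unchanged `for url in $(cat .tmp/tmp_lfi.txt)` loop word-splits and glob-expands every URL, which can mangle query strings containing `*` or `?`; `while IFS= read -r url; do …; done < .tmp/tmp_lfi.txt` avoids that. lfi's closing lines fall outside the hunk.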
@@ -1264,26 +1001,15 @@ function lfi(){ function ssti(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSTI" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} SSTI checks ${reset}\n" - start=`date +%s` - + start_func "SSTI checks" cat gf/ssti.txt | qsreplace "ssti{{7*7}}" | anew -q .tmp/ssti_fuzz.txt - ffuf -v -mc 200 -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt - + ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt cat gf/ssti.txt | qsreplace "{{''.class.mro[2].subclasses()[40]('/etc/passwd').read()}}" | anew -q .tmp/ssti_fuzz2.txt - ffuf -v -mc 200 -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt - - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SSTI Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in ssti.txt ${reset}\n" - printf "${bgreen}#######################################################################\n" + ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt + end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]} else if [ "$SSTI" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
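Review bot: The second ffuf call still reads `.tmp/ssti_fuzz.txt` (the `{{7*7}}` list) although the line before it builds `.tmp/ssti_fuzz2.txt` with the `/etc/passwd` payload, so the `-mr "root:"` probe is run against the wrong payload and the subclasses payload is never sent; change it to `-w .tmp/ssti_fuzz2.txt`. In both calls `&>/dev/null` also discards ffuf's stdout before the pipe, so `grep "URL"` reads nothing and vulns/ssti.txt cannot be populated; use `2>/dev/null` instead. ssti's closing lines fall outside the hunk.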
@@ -1293,21 +1019,13 @@ function ssti(){ function sqli(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SQLI" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} SQLi checks ${reset}\n" - start=`date +%s` + start_func "SQLi checks" cat gf/sqli.txt | qsreplace FUZZ | anew -q .tmp/tmp_sqli.txt interlace -tL .tmp/tmp_sqli.txt -threads 10 -c "python3 $tools/sqlmap/sqlmap.py -u _target_ -b --batch --disable-coloring --random-agent --output-dir=sqlmap" &>/dev/null - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SQLi Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in sqlmap folder ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in sqlmap folder" ${FUNCNAME[0]} else if [ "$SQLI" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
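Review bot: `interlace -tL .tmp/tmp_sqli.txt -threads 10` keeps a hard-coded concurrency while this commit moves the other tools' thread counts into cfg variables such as `$FFUF_THREADS`; a `SQLMAP_THREADS` value in reconftw.cfg would keep the knobs in one place: `interlace -tL .tmp/tmp_sqli.txt -threads $SQLMAP_THREADS -c "python3 $tools/sqlmap/sqlmap.py -u _target_ -b --batch --disable-coloring --random-agent --output-dir=sqlmap"`. Unlike the ffuf checks elsewhere in this file, the sqlmap command sends `--random-agent` rather than the configured `${HEADER}`, so its requests are not identifiable to the target the same way; if that is deliberate, say so with `# sqlmap uses its own random UA; HEADER is not passed here`. sqli's closing lines fall outside the hunk.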
@@ -1317,19 +1035,12 @@ function sqli(){ function test_ssl(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$TEST_SSL" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} SSL Test ${reset}\n" - start=`date +%s` + start_func "SSL Test" eval $tools/testssl.sh/testssl.sh --quiet --color 0 -U -iL hosts/ips.txt $DEBUG_ERROR > hosts/testssl.txt && touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SSL Test Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in hosts/testssl.txt ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in hosts/testssl.txt" ${FUNCNAME[0]} else if [ "$TEST_SSL" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
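Review bot: The testssl line keeps `&& touch $called_fn_dir/.${FUNCNAME[0]}` while the new `end_func` touches the same marker unconditionally on the next line, so the success-gated touch is now redundant and the marker is set even when testssl fails; either drop the trailing `&& touch` if unconditional marking is intended, or keep the gate by running `end_func` only on success, e.g. `… > hosts/testssl.txt && end_func "Results are saved in hosts/testssl.txt" ${FUNCNAME[0]}`. Because `$DEBUG_ERROR` hides stderr, a failed run would otherwise leave an empty hosts/testssl.txt that looks like a clean result. test_ssl's closing lines fall outside the hunk.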
@@ -1384,6 +1095,57 @@ function output(){ mv $dir $dir_output } +function notification(){ + if [ ! -z "$1" ] && [ ! -z "$2" ] + then + case $2 in + info) + text="\n${bblue} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + warn) + text="\n${yellow} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + error) + text="\n${bred} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + good) + text="\n${bgreen} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + esac + fi +} + +function start_func(){ + printf "${bgreen}#######################################################################" + notification "${1}" info + start=`date +%s` +} + +function end_func(){ + touch $called_fn_dir/.${2} + end=`date +%s` + getElapsedTime $start $end + notification "${2} Finished in ${runtime}" info + printf "${bblue} ${1} ${reset}\n" + printf "${bgreen}#######################################################################\n" +} + +function start_subfunc(){ + notification "${1}" warn + start_sub=`date +%s` +} + +function end_subfunc(){ + touch $called_fn_dir/.${2} + end_sub=`date +%s` + getElapsedTime $start_sub $end_sub + notification "${1} in ${runtime}" good +} + function start(){ global_start=`date +%s` @@ -1405,7 +1167,7 @@ function start(){ then domain="Multi" dir=$SCRIPTPATH/Recon/$domain - called_fn_dir=$dir/.called + called_fn_dir=$dir/.called_fn fi if [[ "$list" = /* ]]; then install -D $list $dir/webs/webs.txt @@ -1491,10 +1253,10 @@ function end(){ function passive(){ start domain_info + emails google_dorks github_dorks metadata - emails SUBSCRAPING=false WEBPROBESIMPLE=false subdomains_full @@ -1507,10 +1269,10 @@ function passive(){ function all(){ start domain_info + emails google_dorks github_dorks metadata - emails subdomains_full subtakeover webprobe_full 
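Review bot: `notification` passes the assembled message in as the printf format string (`printf "${text}"`), so any `%` in `$1` — a percent-encoded URL, a counter label, a future caller's free text — is parsed as a conversion directive and the message is garbled or printf errors out; use a fixed format and let `%b` expand the `\n` and colour escapes: `printf '%b' "${text}" && printf '%b' "${text}" | $NOTIFY`. `end_func` also marks the function done with `touch $called_fn_dir/.${2}` before anything has looked at the tool's exit status, so callers that previously gated the touch on `&&` now record failures as completed. `start_func` prints its separator without a trailing newline and relies on the leading `\n` inside notification, which deserves a comment such as `# no trailing newline: notification() starts with \n`.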
@@ -1526,13 +1288,13 @@ function all(){ urlchecks wordlist_gen url_gf + jschecks open_redirect ssrf_checks crlf_checks lfi ssti sqli - jschecks xss brokenLinks test_ssl @@ -1542,10 +1304,10 @@ function all(){ function recon(){ start domain_info + emails google_dorks github_dorks metadata - emails subdomains_full subtakeover webprobe_full 
@@ -1564,6 +1326,72 @@ function recon(){ end } +function multi_recon(){ + if [ -s "$list" ] + then + targets=$(cat $list) + else + notification "Target list not provided" error + exit + fi + workdir=$SCRIPTPATH/Recon/$multi + mkdir -p $workdir && cd $workdir + mkdir -p .tmp .called_fn_dir osint subdomains webs hosts vulns + for domain in $targets; do + dir=$workdir/targets/$domain + mkdir -p $dir + cd $dir + mkdir -p .tmp .called_fn_dir osint subdomains webs hosts vulns + domain_info + emails + google_dorks + github_dorks + metadata + subdomains_full + subtakeover + webprobe_full + screenshot + favicon + done + cd $workdir + + notification "############################# Total data ############################" info + NUMOFLINES_users_total=$(find . -type f -name 'users.txt' -exec cat {} + | anew -q osint/users.txt | wc -l) + NUMOFLINES_pwndb_total=$(find . -type f -name 'passwords.txt' -exec cat {} + | anew -q osint/passwords.txt | wc -l) + NUMOFLINES_software_total=$(find . -type f -name 'software.txt' -exec cat {} + | anew -q osint/software.txt | wc -l) + NUMOFLINES_authors_total=$(find . -type f -name 'authors.txt' -exec cat {} + | anew -q osint/authors.txt | wc -l) + NUMOFLINES_subs_total=$(find . -type f -name 'subdomains.txt' -exec cat {} + | anew -q subdomains/subdomains.txt | wc -l) + NUMOFLINES_subtko_total=$(find . -type f -name 'takeover.txt' -exec cat {} + | anew -q webs/takeover.txt | wc -l) + NUMOFLINES_webs_total=$(find . -type f -name 'webs.txt' -exec cat {} + | anew -q webs/webs.txt | wc -l) + NUMOFLINES_webs_total=$(find . 
-type f -name 'webs_uncommon_ports.txt' -exec cat {} + | anew -q webs/webs_uncommon_ports.txt | wc -l) + + notification "- ${NUMOFLINES_users_total} total users found" good + notification "- ${NUMOFLINES_pwndb_total} total creds leaked" good + notification "- ${NUMOFLINES_software_total} total software found" good + notification "- ${NUMOFLINES_authors_total} total authors found" good + notification "- ${NUMOFLINES_subs_total} total subdomains" good + notification "- ${NUMOFLINES_subtko_total} total probably subdomain takeovers" good + notification "- ${NUMOFLINES_webs_total} total websites" good + + portscan + waf_checks + nuclei_check + for domain in $targets; do + dir=$workdir/targets/$domain + cd $dir + cms_scanner + fuzz + params + urlchecks + wordlist_gen + url_gf + jschecks + done + cd $workdir + dir=$workdir + end +} + function subs_menu(){ start subdomains_full @@ -1615,12 +1443,12 @@ banner if [ -z "$1" ] then - help - tools_installed - exit + help + tools_installed + exit fi -while getopts ":hd:-:l:x:varspxwo:" opt; do +while getopts ":hd:-:l:m:x:varspxwo:" opt; do general=$@ if [[ $general == *"-v"* ]]; then unset DEBUG_STD @@ -1633,6 +1461,11 @@ while getopts ":hd:-:l:x:varspxwo:" opt; do FULLSCOPE=true fi case ${opt} in + + ## TARGETS + + m ) multi=$OPTARG + ;; d ) domain=$OPTARG ;; l ) list=$OPTARG @@ -1645,7 +1478,15 @@ while getopts ":hd:-:l:x:varspxwo:" opt; do exit fi ;; - r ) if [ -n "$list" ] + + ## MODES + + r ) if [ ! -z "$multi" ] + then + multi_recon + exit + fi + if [ -n "$list" ] then for domain in $(cat $list); do recon
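Review bot: `NUMOFLINES_webs_total` is assigned twice in multi_recon's totals block, the second time from `webs_uncommon_ports.txt`, so the "total websites" line reports the uncommon-port count and the plain webs.txt count is lost; name the second one `NUMOFLINES_webs_uncommon_total` and report it on its own line, `notification "- ${NUMOFLINES_webs_uncommon_total} total websites on uncommon ports" good`. multi_recon creates `.called_fn_dir` directories, whereas start() in this diff sets `called_fn_dir=$dir/.called_fn` and multi_recon never assigns the variable from what is visible, so unless it is set elsewhere the resume markers (`$called_fn_dir/.name`) land outside the target directories and the already-processed checks stop working for multi runs; set `called_fn_dir=$dir/.called_fn` (and mkdir it) inside the per-target loop. Each `cd $dir` is unchecked, so a failed cd would run the following functions in the previous target's directory; `cd "$dir" || { notification "cannot cd to $dir" error; exit 1; }` is safer. The getopts `case` that the last hunk edits continues outside the hunk.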