Automatización interna para Recon

Mis desarrollos para automatizar procedimientos de reconocimiento. Son extractos mejorados de mi herramienta BugHunterx (https://github.com/iTroxB/Bug-Hunterx)


Permisos de ejecución y enlaces simbólicos

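# Grant execute permission to the three scripts.
# Every $HOME expansion is quoted so a home directory containing spaces
# (or glob characters) is still handled as a single path.
chmod +x -- "$HOME/BugBounty/tools/dev/dnsRec.sh"
chmod +x -- "$HOME/BugBounty/tools/dev/subdomRec.sh"
chmod +x -- "$HOME/BugBounty/tools/dev/httpLives.sh"

# Create the symbolic links (ln fails if the link name already exists;
# remove the old link first when reinstalling).
sudo ln -s -- "$HOME/BugBounty/tools/dev/dnsRec.sh" /usr/bin/dnsRec
sudo ln -s -- "$HOME/BugBounty/tools/dev/subdomRec.sh" /usr/bin/subdomRec
sudo ln -s -- "$HOME/BugBounty/tools/dev/httpLives.sh" /usr/bin/httpLives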

dnsRec.sh

#!/bin/bash
# Author: iTrox

######################################################
#################### COLOURS EDIT ####################
######################################################
# ANSI colour sequences (colour + bold). They are stored as literal
# backslash text, so they only render when printed with `echo -e`/`printf '%b'`.
end='\033[0m\e[0m'            # reset all attributes
red='\e[0;31m\033[1m'
green='\e[0;32m\033[1m'
yellow='\e[0;33m\033[1m'
blue='\e[0;34m\033[1m'
purple='\e[0;35m\033[1m'
turquoise='\e[0;36m\033[1m'
gray='\e[0;37m\033[1m'

###################################################
#################### FUNCTIONS ####################
###################################################

# Bye Ctrl+C
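# Bye Ctrl+C
# SIGINT handler: restores the cursor and exits with status 1.
# The original chained `tput cnorm && exit 1`, so when tput failed (no TERM,
# no terminfo database) the script kept running after Ctrl+C; exit now
# runs unconditionally.
ctrl_c() {
    printf '%b\n' "\n\n ${red}[!] Exit...${end}\n"
    tput cnorm 2>/dev/null
    exit 1
}
trap ctrl_c INT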

# Help menu
# Help menu: prints the usage line and the option list to stdout.
help_menu() {
    local usage=" ${yellow}Usage: $0 -d <domain>${end}"
    local heading=" ${yellow}Menu options:${end}"
    local opt_d="    ${turquoise}-d <domain>${end}, ${gray}Target domain${end}"
    # One %b per line; the empty arguments reproduce the blank lines.
    printf '%b\n' "" "$usage" "" "$heading" "$opt_d" ""
}

# Main function
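# Run one DNS query, echoing the exact command and output file first so the
# on-screen log matches what is written to disk (the original printed e.g.
# "NS.txt" but wrote "nslookup-type_NS.txt").
# Arguments: $1 - output file; $2.. - command and its arguments
# Outputs:   command stdout is redirected to $1
run_query() {
    local outfile=$1; shift
    echo -e " ${yellow}→${end} ${gray}$* > $outfile ${end}"
    "$@" > "$outfile"
}

# Main function
# Globals:   domain (read; set by getopts), HOME (read), ip_address (written)
# Creates $HOME/BugBounty/active/<domain>/{nslookup,dig} and writes one file
# per record type. Exits 1 when no domain is given or when it contains
# characters that are not valid in a hostname.
main() {
    if [ -z "$domain" ]; then
        echo -e "\n ${red}✘${end} ${gray}No domain provided.${end}"
        help_menu
        exit 1
    fi
    # Restrict to hostname characters: the value is used unquoted-safe as a
    # single argument to nslookup/dig and as a path component under
    # $HOME/BugBounty/active, so "/" and ".." must never get through.
    if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$ ]]; then
        echo -e "\n ${red}✘${end} ${gray}Invalid domain:${end} ${blue}$domain${end}"
        help_menu
        exit 1
    fi

    local baseDir="$HOME/BugBounty/active/$domain"
    mkdir -p "$baseDir" || exit 1
    echo -e "\n ${green}✔${end} ${gray}Directory${end} ${blue}$domain${end} ${gray}created in $HOME/BugBounty/active path${end}"
    # ping prints "PING host (a.b.c.d)" on its first line; take the IPv4 from it.
    ip_address=$(ping -c 1 "$domain" 2>/dev/null | head -n 1 | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
    if [ -z "$ip_address" ]; then
        echo -e " ${red}[!]${end} ${gray}Could not resolve${end} ${blue}$domain${end} ${gray}with ping; PTR queries will be skipped${end}\n"
    else
        echo -e " ${green}✔${end} ${gray}Target domain:${end} ${blue}$domain${end} ${green}→${end} ${gray}IP Address:${end} ${blue}$ip_address${end}\n"
    fi

    sleep 1; echo

    # nslookup
    local nsDir="$baseDir/nslookup"
    mkdir -p "$nsDir"
    echo -e "${turquoise}➤${end} ${gray}Getting DNS server information with nslookup over $domain ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    run_query "$nsDir/nslookup-type_NS.txt" nslookup -type=ns "$domain"
    run_query "$nsDir/nslookup-type_A.txt" nslookup -type=A "$domain"
    # PTR needs an address; an empty one would make nslookup query the local resolver itself.
    if [ -n "$ip_address" ]; then
        run_query "$nsDir/nslookup-type_PTR.txt" nslookup -query=PTR "$ip_address"
    fi
    run_query "$nsDir/nslookup-type_ANY.txt" nslookup -query=ANY "$domain"
    run_query "$nsDir/nslookup-type_TXT.txt" nslookup -query=TXT "$domain"
    run_query "$nsDir/nslookup-type_MX.txt" nslookup -query=MX "$domain"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish nslookup...${end}\n"

    sleep 1; echo

    # dig (queries go to 1.1.1.1 explicitly, as in the original)
    local digDir="$baseDir/dig"
    mkdir -p "$digDir"
    echo -e " ${turquoise}➤${end} ${gray}Getting DNS server information with dig over $domain ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    run_query "$digDir/dig_NS.txt" dig NS "$domain"
    run_query "$digDir/dig_A.txt" dig "$domain" @1.1.1.1
    if [ -n "$ip_address" ]; then
        run_query "$digDir/dig_PTR.txt" dig -x "$ip_address" @1.1.1.1
    fi
    run_query "$digDir/dig_ANY.txt" dig any "$domain" @1.1.1.1
    run_query "$digDir/dig_TXT.txt" dig txt "$domain" @1.1.1.1
    run_query "$digDir/dig_MX.txt" dig mx "$domain" @1.1.1.1
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish dig...${end}\n"
}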

###################################################
##################### CONTROL #####################
###################################################
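# Option parsing. The leading ":" puts getopts in silent mode: a missing
# argument now reaches the ":" arm with OPTARG set to the option letter.
# Without it getopts printed its own message, set opt to "?" and left OPTARG
# unset, so the ":" arm was dead code and the "\?" arm printed a bare "-".
while getopts ":d:h" opt; do
    case "$opt" in
        d)
            domain=$OPTARG
            ;;
        h)
            help_menu
            exit 0
            ;;
        \?)
            echo -e "\n ${gray}Invalid option:${end} -$OPTARG\n" 1>&2
            help_menu
            exit 1
            ;;
        :)
            echo -e "\n ${gray}Option requires an argument:${end} -$OPTARG\n" 1>&2
            help_menu
            exit 1
            ;;
    esac
done

##################################################
###################### RUN #######################
##################################################
main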

subdomRec.sh

#!/bin/bash
# Author: iTrox

######################################################
#################### COLOURS EDIT ####################
######################################################
# ANSI colour sequences (colour + bold). They are stored as literal
# backslash text, so they only render when printed with `echo -e`/`printf '%b'`.
end='\033[0m\e[0m'            # reset all attributes
red='\e[0;31m\033[1m'
green='\e[0;32m\033[1m'
yellow='\e[0;33m\033[1m'
blue='\e[0;34m\033[1m'
purple='\e[0;35m\033[1m'
turquoise='\e[0;36m\033[1m'
gray='\e[0;37m\033[1m'

###################################################
#################### FUNCTIONS ####################
###################################################

# Bye Ctrl+C
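# Bye Ctrl+C
# SIGINT handler: restores the cursor and exits with status 1.
# The original chained `tput cnorm && exit 1`, so when tput failed (no TERM,
# no terminfo database) the script kept running after Ctrl+C; exit now
# runs unconditionally.
ctrl_c() {
    printf '%b\n' "\n\n ${red}[!] Exit...${end}\n"
    tput cnorm 2>/dev/null
    exit 1
}
trap ctrl_c INT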

# Help menu
# Help menu: prints the usage line and the option list to stdout.
help_menu() {
    local usage=" ${yellow}Usage: $0 -d <domain>${end}"
    local heading=" ${yellow}Menu options:${end}"
    local opt_d="    ${turquoise}-d <domain>${end}, ${gray}Target domain${end}"
    # One %b per line; the empty arguments reproduce the blank lines.
    printf '%b\n' "" "$usage" "" "$heading" "$opt_d" ""
}

# Main function
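# Main function
# Globals:   domain (read; set by getopts), HOME (read), ip_address (written)
# Runs every subdomain source under $HOME/BugBounty/active/<domain>/<tool>,
# merges the results into subdomains/subdomains.txt (and any e-mail
# addresses into vulns/emails1.txt), then removes the per-tool directories.
# Fixes over the original: subfinder now runs BEFORE dnsx (dnsx read
# "$subDir/subfinder_subdomains.txt" while $subDir was still unset), the
# e-mail output goes to the "vulns" directory that is actually created
# (it was "vulnsDir", a directory that never existed), and the domain is
# validated before it is used as a path component and passed to rm -rf.
main() {
    if [ -z "$domain" ]; then
        echo -e "\n ${red}✘${end} ${gray}No domain provided.${end}"
        help_menu
        exit 1
    fi
    # Hostname characters only: the value becomes a path under
    # $HOME/BugBounty/active that is later removed recursively, so "/" and
    # ".." must never get through, and it is passed as a single argument to
    # every tool.
    if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$ ]]; then
        echo -e "\n ${red}✘${end} ${gray}Invalid domain:${end} ${blue}$domain${end}"
        help_menu
        exit 1
    fi

    local baseDir="$HOME/BugBounty/active/$domain"
    # -p: a second run for the same domain is not an error (original used bare mkdir).
    mkdir -p "$baseDir" || exit 1
    echo -e "\n ${green}✔${end} ${gray}Directory${end} ${blue}$domain${end} ${gray}created in $HOME/BugBounty/active path${end}"
    # ping prints "PING host (a.b.c.d)" on its first line; take the IPv4 from it.
    ip_address=$(ping -c 1 "$domain" 2>/dev/null | head -n 1 | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
    echo -e " ${green}✔${end} ${gray}Target domain:${end} ${blue}$domain${end} ${green}→${end} ${gray}IP Address:${end} ${blue}$ip_address${end}\n"

    # Warn once about tools missing from PATH. Each step still runs so the
    # output layout stays the same; a missing tool just yields an empty file.
    local tool
    for tool in cero ctfr unfurl subfinder dnsx gau subSpotx waybackurls; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo -e " ${red}[!]${end} ${gray}$tool not found in PATH; its step will produce empty output${end}"
        fi
    done

    sleep 1; echo

    # cero
    local ceroDir="$baseDir/cero"
    mkdir -p "$ceroDir"
    echo -e " ${turquoise}➤${end} ${gray}Searching domain names of arbitrary host SSL certificates with CERO over $domain ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    cero -d "$domain" > "$ceroDir/cero_subdomains.txt"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish CERO...${end}\n"

    sleep 1; echo

    # ctfr
    local ctfrDir="$baseDir/ctfr"
    mkdir -p "$ctfrDir"
    echo -e "\n ${turquoise}➤${end} ${gray}Searching certificate transparency logs for subdomains with CTFR over $domain ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    ctfr -d "$domain" -o "$ctfrDir/ctfr.txt" 2>/dev/null
    unfurl --unique domains < "$ctfrDir/ctfr.txt" > "$ctfrDir/ctfr_subdomains.txt"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish CTFR...${end}\n"

    sleep 1; echo

    # subfinder (runs before dnsx, which consumes its output file)
    local subDir="$baseDir/subfinder"
    mkdir -p "$subDir"
    echo -e "\n ${turquoise}➤${end} ${gray}Discovering subdomains of $domain with SUBFINDER ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    subfinder -d "$domain" -all -recursive -o "$subDir/subfinder_subdomains.txt"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish SUBFINDER...${end}\n"

    sleep 1; echo

    # dnsx
    local dnsxDir="$baseDir/dnsx"
    mkdir -p "$dnsxDir"
    echo -e "\n ${turquoise}➤${end} ${gray}Querying DNS to discover subdomains and records with DNSX over $domain ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    dnsx -l "$subDir/subfinder_subdomains.txt" > "$dnsxDir/dnsx_subdomains.txt"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish DNSX...${end}\n"

    sleep 1; echo

    # gau
    local gauDir="$baseDir/gau"
    mkdir -p "$gauDir"
    echo -e "\n ${turquoise}➤${end} ${gray}Obtaining known URLs by Open Threat Exchange from AlienVault, Wayback Machine and Common Crawl with GAU on $domain ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    gau --threads 2 "$domain" --o "$gauDir/gau.txt" 2>/dev/null
    unfurl --unique domains < "$gauDir/gau.txt" > "$gauDir/gau_subdomains.txt"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish GAU...${end}\n"

    sleep 1; echo

    # subSpotx
    local subxDir="$baseDir/subspotx"
    mkdir -p "$subxDir"
    echo -e "\n ${turquoise}➤${end} ${gray}Discovering subdomains of $domain with SUBSPOTX ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    subSpotx -d "$domain" -o "$subxDir/subSpotx_subdomains.txt"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish SUBSPOTX...${end}\n"

    sleep 1; echo

    # waybackurls
    local wayDir="$baseDir/waybackurls"
    mkdir -p "$wayDir"
    echo -e "\n ${turquoise}➤${end} ${gray}Obtaining known URLs with WAYBACKURLS on $domain ${end}\n"
    # ----------------------------------------------------------------------------------------------------
    printf '%s\n' "$domain" | waybackurls > "$wayDir/waybackurls.txt"
    unfurl --unique domains < "$wayDir/waybackurls.txt" > "$wayDir/waybackurls_subdomains.txt"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finish WAYBACKURLS...${end}\n"

    sleep 1; echo

    # Getting unique subdomains
    local subdomDir="$baseDir/subdomains"
    local vulnsDir="$baseDir/vulns"
    mkdir -p "$subdomDir" "$baseDir/httpx" "$baseDir/crawling" "$vulnsDir"
    echo -e "\n ${turquoise}➤${end}  ${gray}Obtaining unique subdomains from $domain scanning...${end}\n"
    # ----------------------------------------------------------------------------------------------------
    # tee splits the merged stream: e-mail-looking lines go to emails1.txt via
    # the process substitution, hostname-looking lines to subdomains.txt.
    cat "$ceroDir/cero_subdomains.txt" "$ctfrDir/ctfr_subdomains.txt" "$dnsxDir/dnsx_subdomains.txt" "$gauDir/gau_subdomains.txt" "$subDir/subfinder_subdomains.txt" "$subxDir/subSpotx_subdomains.txt" "$wayDir/waybackurls_subdomains.txt" | tee >(grep -iE '^[[:alnum:]_.+-]+@[[:alnum:]_.-]+\.[[:alpha:]]{2,}$' | sort -u > "$vulnsDir/emails1.txt") | grep -iE '^([a-z0-9-]+\.)+[a-z]{2,}$' | grep -vi '@' | sort -u > "$subdomDir/subdomains.txt"
    # All of these are fixed subpaths of "$baseDir", whose domain component was validated above.
    rm -rf -- "$ceroDir" "$ctfrDir" "$dnsxDir" "$gauDir" "$subDir" "$subxDir" "$wayDir"
    # ----------------------------------------------------------------------------------------------------
    echo -e "\n ${green}✔${end} ${gray}Finished obtaining subdomains for the $domain domain scanned...${end}\n"
}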

###################################################
##################### CONTROL #####################
###################################################
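# Option parsing. The leading ":" puts getopts in silent mode: a missing
# argument now reaches the ":" arm with OPTARG set to the option letter.
# Without it getopts printed its own message, set opt to "?" and left OPTARG
# unset, so the ":" arm was dead code and the "\?" arm printed a bare "-".
while getopts ":d:h" opt; do
    case "$opt" in
        d)
            domain=$OPTARG
            ;;
        h)
            help_menu
            exit 0
            ;;
        \?)
            echo -e "\n ${gray}Invalid option:${end} -$OPTARG\n" 1>&2
            help_menu
            exit 1
            ;;
        :)
            echo -e "\n ${gray}Option requires an argument:${end} -$OPTARG\n" 1>&2
            help_menu
            exit 1
            ;;
    esac
done

##################################################
###################### RUN #######################
##################################################
main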

httpLives.sh

#!/bin/bash
# Author: iTrox

######################################################
#################### COLOURS EDIT ####################
######################################################
# ANSI colour sequences (colour + bold). They are stored as literal
# backslash text, so they only render when printed with `echo -e`/`printf '%b'`.
end='\033[0m\e[0m'            # reset all attributes
red='\e[0;31m\033[1m'
green='\e[0;32m\033[1m'
yellow='\e[0;33m\033[1m'
blue='\e[0;34m\033[1m'
purple='\e[0;35m\033[1m'
turquoise='\e[0;36m\033[1m'
gray='\e[0;37m\033[1m'

###################################################
#################### FUNCTIONS ####################
###################################################

# Bye Ctrl+C
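# Bye Ctrl+C
# SIGINT handler: restores the cursor and exits with status 1.
# The original chained `tput cnorm && exit 1`, so when tput failed (no TERM,
# no terminfo database) the script kept running after Ctrl+C; exit now
# runs unconditionally.
ctrl_c() {
    printf '%b\n' "\n\n ${red}[!] Exit...${end}\n"
    tput cnorm 2>/dev/null
    exit 1
}
trap ctrl_c INT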

##################################################
###################### RUN #######################
##################################################

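# Entry point: asks for the target domain interactively, then probes the
# subdomain list written by subdomRec.sh with httpx.
# Globals: domain (written), HOME (read)
# Exits 1 when the domain is empty or not hostname-shaped, or when the
# subdomain list does not exist yet.
echo -n -e "\n ${turquoise}[➤]${end} ${gray}Insert target domain:${end}"
read -r -p " " domain; echo   # -r: backslashes in the input stay literal
# The value becomes a path component under $HOME/BugBounty/active, so only
# hostname characters are accepted (no "/" or "..").
if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$ ]]; then
    echo -e "\n ${red}[✘]${end} ${gray}Invalid or empty domain.${end}\n" 1>&2
    exit 1
fi

subdomDir="$HOME/BugBounty/active/$domain/subdomains"
httpxDir="$HOME/BugBounty/active/$domain/httpx"
# Fail early with a clear message instead of letting httpx run on a missing list.
if [ ! -s "$subdomDir/subdomains.txt" ]; then
    echo -e "\n ${red}[✘]${end} ${gray}$subdomDir/subdomains.txt not found or empty; run subdomRec -d $domain first.${end}\n" 1>&2
    exit 1
fi
mkdir -p "$httpxDir"   # subdomRec.sh creates it, but do not depend on that
echo -e "\n ${turquoise}[➤]${end} ${gray}Discover lives subdomains with HTTPX over $domain ${end}\n"
# ----------------------------------------------------------------------------------------------------
httpx -l "$subdomDir/subdomains.txt" -cname -title -tech-detect -status-code -mc 200,201,202,204,301,302,303,304,400,401,403,404,429,500,502,503,504 -ip -cdn -probe -o "$httpxDir/sub-200.txt"
# ----------------------------------------------------------------------------------------------------
echo -e "\n ${green}[✔]${end} ${gray}Finish httpx...${end}\n"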