#!/usr/bin/env python3
# Written by Rafe Hart (@rafael_hart)
import argparse
import os
import re
import sys

from config import *
from enumeratesubdomains import *
from enumeratelinks import *
from enumerateflaws import *
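def _enumerate_subdomains(target):
    """Collect, resolve and de-wildcard subdomains of *target*, then find web servers.

    Leaves ``subs.non-wildcard.txt`` and ``responding_web_servers.txt`` in the
    per-target output directory. The ``infile``/``outfile`` names are given
    relative to that directory; the wrappers presumably prefix them with
    *target* the way the explicit ``open`` below does -- confirm against the
    enumeratesubdomains module.
    """
    create_directory(target)
    create_directory(target + "/tool_output")
    run_amass(target, amass_config, outfile="tool_output/subs.amass.txt")
    run_assetfinder(target, FB_APP_ID, FB_APP_SECRET, VT_API_KEY, SPYSE_API_TOKEN,
                    outfile="tool_output/subs.assetfinder.txt")
    run_subfinder(target, outfile="tool_output/subs.subfinder.txt")
    run_dnsbuffer(target, outfile="tool_output/subs.dnsbuffer.txt")
    combine_results(target,
                    infile1="tool_output/subs.amass.txt",
                    infile2="tool_output/subs.assetfinder.txt",
                    infile3="tool_output/subs.subfinder.txt",
                    infile4="tool_output/subs.dnsbuffer.txt",
                    outfile="tool_output/subs.combined.txt")
    # The apex domain itself is appended as a candidate; presumably the
    # enumerators above only emit subdomains.
    with open(target + "/tool_output/subs.combined.txt", 'a') as file:
        file.write(target + '\n')
    run_dnsgen_and_massdns(target, massdns_resolvers, infile="tool_output/subs.combined.txt",
                           massdns_output="tool_output/subs.massdns.txt",
                           outfile="subs.resolved.txt")
    remove_wildcard_domains(target, infile="subs.resolved.txt", outfile="subs.non-wildcard.txt")
    find_web_servers(target, infile="subs.non-wildcard.txt", outfile="responding_web_servers.txt")


def _discover_urls(target):
    """Crawl the responding web servers and reduce the URLs to the ones worth testing.

    Produces ``urls.totest.txt`` in the per-target output directory.
    """
    run_hakcrawler(target, infile="responding_web_servers.txt", outfile="hakrawler.txt")
    run_getallurls(target, outfile="getallurls.txt")
    combine_results(target, infile1="hakrawler.txt", infile2="getallurls.txt",
                    outfile="urls.raw.txt")
    find_injection_points(target, infile="urls.raw.txt", outfile="urls.interesting.txt")
    # 200 is passed positionally; presumably the HTTP status a link must return
    # to be kept -- confirm against validate_links in enumeratelinks.
    validate_links(target, 200, infile="urls.interesting.txt", outfile="urls.totest.txt")


def _find_flaws(target):
    """Send XSS and SQLi probes to every URL in ``urls.totest.txt``.

    This is the stage that sends attack payloads at the target; callers must
    gate it behind an explicit operator opt-in.
    """
    look_for_xss(xsshunter_domain, custom_xss_payloads, target,
                 infile="urls.totest.txt", outfile="xss.results.txt")
    look_for_sqli(target, infile="urls.totest.txt", outfile="sqli.results.txt")


def main():
    """CLI entry point: ``recon <domain> [--active]``.

    Runs subdomain enumeration and URL discovery for the domain and, only when
    ``--active`` is given, the XSS/SQLi probing stage. The probes used to run
    unconditionally even though the code noted that an additional directive
    should be required past that point; ``--active`` is now that directive.

    Exits with status 1 when called with no arguments (unchanged) or when the
    target is not a syntactically valid domain name.
    """
    if len(sys.argv) == 1:
        print("\nUsage: recon example.com [--active]\nNOTE: You must have permission to scan this domain\n")
        sys.exit(1)
    parser = argparse.ArgumentParser(
        prog="recon",
        description="Subdomain and URL recon for a domain you are authorized to test.",
        epilog="NOTE: You must have permission to scan this domain.",
    )
    parser.add_argument("target", help="domain to enumerate, e.g. example.com")
    parser.add_argument("--active", action="store_true",
                        help="also run the XSS/SQLi probes, which send payloads to the target")
    args = parser.parse_args()
    target = args.target

    # The target is spliced verbatim into filesystem paths (create_directory,
    # open) and handed to the external-tool wrappers, so refuse anything that is
    # not a plain hostname: no "../", slashes, whitespace or shell metacharacters
    # ever reach those. Pattern taken from the TODO list at the end of the file.
    domain_re = re.compile(
        r"^(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?"
        r"([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$",
        re.IGNORECASE,
    )
    if not domain_re.fullmatch(target):
        print("\nError: target must be a bare domain name such as example.com\n")
        sys.exit(1)

    run_checks(amass_config)
    # Discover subdomains with HTTP/HTTPS servers
    _enumerate_subdomains(target)
    # Discover URLs
    _discover_urls(target)
    # ------------------------------------------
    # Past this point we actively attack the target, so require the explicit
    # directive (and the authorization the operator asserts by giving it).
    if not args.active:
        print("\nEnumeration finished; re-run with --active to probe for XSS/SQLi.\n")
        return
    # Find flaws
    _find_flaws(target)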
# Script guard: run the recon pipeline only when executed directly, never on import.
# main() returns None, so this exits with status 0 exactly as falling off the end did.
if __name__ == "__main__":
    sys.exit(main())
'''
TODO:
* Implement https://github.com/tomnomnom/hacks/tree/master/anti-burl
* Add aquatone
* Combine results should be a single function for subdomains, links, and anything else
* Use gobuster to brute force out additional links
* Use ffuf to search for secrets
* grep crawled results for .git directories and use https://github.com/arthaud/git-dumper
* Add a domain regex check: ^(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$
* Add argparse
* Detect that assetfinder and other go modules have been installed
* Confirm that the user has authorization to attack the target before running anything non-passive
* Allow excluding a text file of subdomains
* Need to test subdomain takeover: https://github.com/EdOverflow/can-i-take-over-xyz
* status messages > timestamp, info/error/warn... maybe implement loguru
'''