1 | | - | #!/bin/bash |
2 | | - | |
3 | | - | |
4 | | - | function usage() { |
5 | | - | echo "Usage: "$0" <domain>" |
6 | | - | if [ -n "$1" ] ; then |
7 | | - | echo "Error: "$1"!" |
8 | | - | fi |
9 | | - | exit |
10 | | - | } |
11 | | - | |
12 | | - | function unique_file() { |
13 | | - | f=$1 |
14 | | - | f_tmp=/tmp/tmp.tmp |
15 | | - | cat $f | sort -fu > $f_tmp |
16 | | - | mv $f_tmp $f |
17 | | - | } |
18 | | - | |
19 | | - | function count_file() { |
20 | | - | f=$1 |
21 | | - | w=$2 |
22 | | - | if [ $# -eq 2 ] ; then |
23 | | - | cnt=`cat $f | egrep "$w" | wc -l | cut -d ' ' -f 1` |
24 | | - | else |
25 | | - | cnt=`wc -l $f | cut -d ' ' -f 1` |
26 | | - | fi |
27 | | - | } |
28 | | - | |
29 | | - | |
30 | | - | if ! [ $# -eq 1 ] ; then |
31 | | - | usage |
32 | | - | fi |
33 | | - | |
34 | | - | domain=$1 |
35 | | - | domdom=`echo $domain | cut -d '.' -f 1` |
36 | | - | echo "Domain: $domain" |
37 | | - | path="$HOME/aquatone/$domain" |
38 | | - | screen_path="$HOME/aquatone/$domain/screens" |
39 | | - | echo "Path: $path" |
40 | | - | |
41 | | - | |
42 | | - | |
43 | | - | f_tmp="$path/tmp.txt" |
44 | | - | f_host="$path/hosts.txt" |
45 | | - | f_ip="$path/ips.txt" |
46 | | - | f_ip_host="$path/ips_hosts.txt" |
47 | | - | f_url="$path/urls.txt" |
48 | | - | f_bucket="$path/buckets.txt" |
49 | | - | f_techno="$path/technology.txt" |
50 | | - | f_all="$path/all.txt" |
51 | | - | |
52 | | - | if ! [ -d $path ] ; then |
53 | | - | mkdir -p $path |
54 | | - | fi |
55 | | - | |
56 | | - | if ! [ -d $screen_path ] ; then |
57 | | - | mkdir -p $screen_path |
58 | | - | fi |
59 | | - | |
60 | | - | rm $f_tmp 2>/dev/null |
61 | | - | rm $f_host 2>/dev/null |
62 | | - | rm $f_ip 2>/dev/null |
63 | | - | rm $f_ip_host 2>/dev/null |
64 | | - | rm $f_url 2>/dev/null |
65 | | - | rm $f_bucket 2>/dev/null |
66 | | - | rm $f_technology 2>/dev/null |
67 | | - | rm $f_all 2>/dev/null |
68 | | - | rm $screen_path/* 2>/dev/null |
69 | | - | |
70 | | - | |
71 | | - | |
72 | | - | echo |
73 | | - | echo "## Hosts recon" |
74 | | - | |
75 | | - | #echo "Running subfinder..." |
76 | | - | #tmp="$path/tmp_subfinder.txt" |
77 | | - | #subfinder -d $domain > $tmp |
78 | | - | #if [ -f $tmp ] ; then |
79 | | - | # cat $tmp | tr '[:upper:]' '[:lower:]' | egrep -o "[a-z0-9_\.\-]+\.$domain" > $f_host |
80 | | - | #fi |
81 | | - | |
82 | | - | echo "Running sublist3r..." |
83 | | - | tmp="$path/tmp_sublist3r.txt" |
84 | | - | sublist3r -d $domain -o $f_host 1>/dev/null |
85 | | - | |
86 | | - | |
87 | | - | |
88 | | - | echo "Running amass..." |
89 | | - | tmp="$path/tmp_amass.txt" |
90 | | - | amass -active -d $domain > $tmp |
91 | | - | if [ -f $tmp ] ; then |
92 | | - | cat $tmp | tr '[:upper:]' '[:lower:]' | egrep -o "[a-z0-9_\.\-]+\.$domain" > $f_host |
93 | | - | fi |
94 | | - | |
95 | | - | unique_file $f_host |
96 | | - | count_file $f_host |
97 | | - | echo $cnt hosts found |
98 | | - | |
99 | | - | if [ $cnt -eq 0 ] ; then |
100 | | - | echo |
101 | | - | echo "Exiting!" |
102 | | - | echo |
103 | | - | exit |
104 | | - | fi |
105 | | - | |
106 | | - | |
107 | | - | |
108 | | - | echo |
109 | | - | echo "## IPs recon" |
110 | | - | |
111 | | - | echo "Running host..." |
112 | | - | tmp="$path/tmp_host.txt" |
113 | | - | rm $tmp 2>/dev/null |
114 | | - | for h in `cat $f_host` ; do |
115 | | - | hh=`host $h` |
116 | | - | echo "$hh" >> $tmp |
117 | | - | echo >> $tmp |
118 | | - | echo >> $tmp |
119 | | - | for ip in `echo $hh | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"` ; do |
120 | | - | echo "$ip;;$h" >> $f_ip_host |
121 | | - | echo $ip >> $f_ip |
122 | | - | done |
123 | | - | done |
124 | | - | |
125 | | - | unique_file $f_ip |
126 | | - | count_file $f_ip |
127 | | - | echo $cnt ips found |
128 | | - | |
129 | | - | if [ $cnt -eq 0 ] ; then |
130 | | - | echo |
131 | | - | echo "Exiting!" |
132 | | - | echo |
133 | | - | exit |
134 | | - | fi |
135 | | - | |
136 | | - | |
137 | | - | cat $f_ip >> $f_all |
138 | | - | cat $f_host >> $f_all |
139 | | - | |
140 | | - | echo "Running masscan..." |
141 | | - | tmp="$path/tmp_masscan.txt" |
142 | | - | sudo masscan -p0-65535 -v --rate 50000 -iL $f_ip -oX $tmp 2>/dev/null |
143 | | - | #cat $tmp | grep -v "#masscan" | grep -v "# end" > $f_tmp |
144 | | - | #mv $f_tmp $tmp |
145 | | - | count_file $tmp "</host>" |
146 | | - | echo $cnt ports found |
147 | | - | |
148 | | - | if [ $cnt -eq 0 ] ; then |
149 | | - | echo |
150 | | - | echo "Exiting!" |
151 | | - | echo |
152 | | - | exit |
153 | | - | fi |
154 | | - | |
155 | | - | |
156 | | - | |
157 | | - | echo "Creating urls..." |
158 | | - | SAVEIFS=$IFS |
159 | | - | IFS=$(echo -en "\n\b") |
160 | | - | |
161 | | - | for l in `cat $tmp | grep "</host>"` ; do |
162 | | - | ip=`echo $l | awk '{print $3 $6}' | cut -d '"' -f 2` |
163 | | - | port=`echo $l | awk '{print $3 $6}' | cut -d '"' -f 4` |
164 | | - | #echo $ip":"$port |
165 | | - | |
166 | | - | for ip_h in `grep "^$ip;;" $f_ip_host` ; do |
167 | | - | host=`echo $ip_h | awk -F ';;' '{print $2}'` |
168 | | - | if [ $port -eq 80 ] ; then |
169 | | - | echo "http://$ip" >> $f_url |
170 | | - | echo "http://$host" >> $f_url |
171 | | - | else |
172 | | - | if [ $port -eq 443 ] ; then |
173 | | - | echo "https://$ip" >> $f_url |
174 | | - | echo "https://$host" >> $f_url |
175 | | - | else |
176 | | - | echo "http://$ip:$port" >> $f_url |
177 | | - | echo "https://$ip:$port" >> $f_url |
178 | | - | echo "http://$host:$port" >> $f_url |
179 | | - | echo "https://$host:$port" >> $f_url |
180 | | - | fi |
181 | | - | fi |
182 | | - | done |
183 | | - | done |
184 | | - | |
185 | | - | IFS=$SAVEIFS |
186 | | - | |
187 | | - | count_file $f_url |
188 | | - | echo $cnt urls found |
189 | | - | |
190 | | - | if [ $cnt -eq 0 ] ; then |
191 | | - | echo |
192 | | - | echo "Exiting!" |
193 | | - | echo |
194 | | - | exit |
195 | | - | fi |
196 | | - | |
197 | | - | |
198 | | - | |
199 | | - | echo |
200 | | - | echo "## Technology recon" |
201 | | - | echo "Running wappalyzer..." |
202 | | - | for u in $(cat $f_url) ; do |
203 | | - | echo $u >> $f_techno |
204 | | - | echo >> $f_techno |
205 | | - | wappalyzer $u 2>/dev/null >> $f_techno |
206 | | - | echo >> $f_techno |
207 | | - | echo >> $f_techno |
208 | | - | echo >> $f_techno |
209 | | - | done |
210 | | - | |
211 | | - | |
212 | | - | |
213 | | - | echo |
214 | | - | echo "## Visual recon" |
215 | | - | #cd $screen_path |
216 | | - | #echo "Running httpscreenshot..." |
217 | | - | #httpscreenshot -l $f_url --headless -w 10 > /dev/null |
218 | | - | #rm *.html geckodriver.log ghostdriver.log 2>/dev/null |
219 | | - | #EyeWitness -f $f_url --headless --no-prompt 2>&1 > /dev/null |
220 | | - | #echo `find . -name "*.png" | wc -l` screenshots found |
221 | | - | #cd $path |
222 | | - | |
223 | | - | echo "Running aquatone..." |
224 | | - | cat $f_url | aquatone -ports xlarge -out $path -screenshot-timeout 5000 |
225 | | - | |
226 | | - | |
227 | | - | |
228 | | - | echo |
229 | | - | echo "## Testing buckets" |
230 | | - | tmp="$path/tmp_buckets.txt" |
231 | | - | echo "Testing subdomains..." |
232 | | - | s3-buckets-bruteforcer --no-color --detect-region --bucket $f_host --verbosity 1 >> $tmp |
233 | | - | s3-buckets-bruteforcer --no-color --bucket $f_host --verbosity 1 --provider google >> $tmp |
234 | | - | s3-buckets-bruteforcer --no-color --bucket $f_host --verbosity 1 --provider digitalocean >> $tmp |
235 | | - | |
236 | | - | echo "Testing *.$domain..." |
237 | | - | s3-buckets-bruteforcer --no-color --thread 50 --detect-region --bucket $domain --prefix /opt/SecLists/Discovery/Web_Content/common.txt --glue "." --verbosity 1 >> $tmp |
238 | | - | echo "Testing $domdom-*..." |
239 | | - | s3-buckets-bruteforcer --no-color --thread 50 --detect-region --bucket $domdom --suffix /opt/SecLists/Discovery/Web_Content/common.txt --glue "-" --verbosity 1 >> $tmp |
240 | | - | |
241 | | - | cat $tmp | grep FOUND | awk '{print $2}' | sort -fu > $f_bucket |
242 | | - | |
243 | | - | |
244 | | - | |
245 | | - | echo |
246 | | - | echo "## Discovery" |
247 | | - | echo "Running quick-hits..." |
248 | | - | quick-hits -h $f_all -f /opt/SecLists/mine/myhardw.txt -c -e 200 -d $path -g -o -t 8-30 -s -k |
249 | | - | |
250 | | - | |
251 | | - | |
252 | | - | echo |
253 | | - | echo "## The end." |
254 | | - | |