From 2bd72854e0753bc4c8e2e8981d54e9ad7316ecf3 Mon Sep 17 00:00:00 2001 From: Ebraam Mesak Date: Mon, 10 Oct 2022 02:14:23 +0200 Subject: [PATCH 1/5] Fix some issues This script had some issues like it has to be run from home directory and removed certspotter because it wasn't working. Amass had some error in command ".$url" which make it always return empty as it should be .$url. Some path for potential_takeovers had more folder name potential_takeovers in path so fixed that part the final.txt of domains wasn't finally sorted so resorted unique it as it had many duplicates --- sumrecon.sh | 157 ++++++++++++++++++++++++++-------------------------- 1 file changed, 77 insertions(+), 80 deletions(-) diff --git a/sumrecon.sh b/sumrecon.sh index 1cd21f6..01824c0 100644 --- a/sumrecon.sh +++ b/sumrecon.sh @@ -1,11 +1,7 @@ #!/bin/bash + pwd=$PWD - url=$1 - -# echo $url > var; sed 's/https\?:\/\///g' var >> var1 -# sed '1d' var1 | cut -d '/' -f 1 | tee var -# url=$(cat var) - + url=$1 if [ ! -x "$(command -v assetfinder)" ]; then echo "[-] assetfinder required to run script" exit 1 @@ -21,10 +17,6 @@ exit 1 fi - if [ ! -x "$(find / -type f -name 'EyeWitness')" ];then - echo "[-] Eyewitness required to run script" - exit 1 - fi if [ ! -x "$(command -v httprobe)" ]; then echo "[-] httprobe required to run script" 
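Review bot: `url=$1` is taken verbatim and, with the new `pwd=$PWD`, spliced unquoted into every `mkdir`, `touch` and `rm` path under `$pwd/$url` later in the file, so an empty argument makes the script operate on `$PWD/recon` itself and a value such as `../x`, or one containing spaces or glob characters, escapes the intended working directory before any scan runs. Validate the argument right after the assignment, e.g. `[[ $# -eq 1 && $1 =~ ^[A-Za-z0-9.-]+$ ]] || { echo "usage: $0 <domain>" >&2; exit 1; }`, and quote `"$pwd/$url"` wherever it is used. The hunk also drops the commented-out scheme-stripping lines without replacing them, so an argument given as `https://example.com` presumably now fails at the first `mkdir` rather than being normalised; the regex check above makes that failure explicit.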
@@ -40,129 +32,134 @@ echo "[-] whatweb required to run script" exit 1 fi - - if [ ! -d "$url" ];then - mkdir $url + if [ ! -x "$(command -v waybackurls)" ]; then + echo "[-] waybackurls required to run script" + exit 1 + fi + + if [ ! -d "$pwd/$url" ];then + mkdir $pwd/$url fi - if [ ! -d "$url/recon" ];then - mkdir $url/recon + if [ ! -d "$pwd/$url/recon" ];then + mkdir $pwd/$url/recon fi - if [ ! -d "$url/recon/3rd-lvls" ];then - mkdir $url/recon/3rd-lvls + if [ ! -d "$pwd/$url/recon/3rd-lvls" ];then + mkdir $pwd/$url/recon/3rd-lvls fi - if [ ! -d "$url/recon/scans" ];then - mkdir $url/recon/scans + if [ ! -d "$pwd/$url/recon/scans" ];then + mkdir $pwd/$url/recon/scans fi - if [ ! -d "$url/recon/httprobe" ];then - mkdir $url/recon/httprobe + if [ ! -d "$pwd/$url/recon/httprobe" ];then + mkdir $pwd/$url/recon/httprobe fi - if [ ! -d "$url/recon/potential_takeovers" ];then - mkdir $url/recon/potential_takeovers + if [ ! -d "$pwd/$url/recon/potential_takeovers" ];then + mkdir $pwd/$url/recon/potential_takeovers fi - if [ ! -d "$url/recon/wayback" ];then - mkdir $url/recon/wayback + if [ ! -d "$pwd/$url/recon/wayback" ];then + mkdir $pwd/$url/recon/wayback fi - if [ ! -d "$url/recon/wayback/params" ];then - mkdir $url/recon/wayback/params + + if [ ! -d "$pwd/$url/recon/wayback/params" ];then + mkdir $pwd/$url/recon/wayback/params fi - if [ ! -d "$url/recon/wayback/extensions" ];then - mkdir $url/recon/wayback/extensions + if [ ! -d "$pwd/$url/recon/wayback/extensions" ];then + mkdir $pwd/$url/recon/wayback/extensions fi - if [ ! -d "$url/recon/whatweb" ];then - mkdir $url/recon/whatweb + if [ ! -d "$pwd/$url/recon/whatweb" ];then + mkdir $pwd/$url/recon/whatweb fi - if [ ! -f "$url/recon/httprobe/alive.txt" ];then - touch $url/recon/httprobe/alive.txt + if [ ! -f "$pwd/$url/recon/httprobe/alive.txt" ];then + touch $pwd/$url/recon/httprobe/alive.txt fi - if [ ! -f "$url/recon/final.txt" ];then - touch $url/recon/final.txt + if [ ! 
-f "$pwd/$url/recon/final.txt" ];then + touch $pwd/$url/recon/final.txt fi - if [ ! -f "$url/recon/3rd-lvl" ];then - touch $url/recon/3rd-lvl-domains.txt + if [ ! -f "$pwd/$url/recon/3rd-lvl" ];then + touch $pwd/$url/recon/3rd-lvl-domains.txt fi echo "[+] Harvesting subdomains with assetfinder..." - assetfinder $url | grep '.$url' | sort -u | tee -a $url/recon/final1.txt + assetfinder $url| grep '.'$url | sort -u | tee -a $pwd/$url/recon/final1.txt - echo "[+] Double checking for subdomains with amass and certspotter..." - amass enum -d $url | tee -a $url/recon/final1.txt - #curl -s https://certspotter.com/api/v0/certs\?domain\=$url | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u - certspotter | tee -a $url/recon/final1.txt - sort -u $url/recon/final1.txt >> $url/recon/final.txt - rm $url/recon/final1.txt + echo "[+] Double checking for subdomains with amass..." + amass enum -passive -d $url | tee -a $pwd/$url/recon/final1.txt + sort -u $pwd/$url/recon/final1.txt >> $pwd/$url/recon/final.txt + rm $pwd/$url/recon/final1.txt echo "[+] Compiling 3rd lvl domains..." - cat ~/$url/recon/final.txt | grep -Po '(\w+\.\w+\.\w+)$' | sort -u >> ~/$url/recon/3rd-lvl-domains.txt + cat $pwd/$url/recon/final.txt | grep -Po '(\w+\.\w+\.\w+)$' | sort -u >> $pwd/$url/recon/3rd-lvl-domains.txt #write in line to recursively run thru final.txt - for line in $(cat $url/recon/3rd-lvl-domains.txt);do echo $line | sort -u | tee -a $url/recon/final.txt;done + for line in $(cat $pwd/$url/recon/3rd-lvl-domains.txt);do echo $line | sort -u | tee -a $pwd/$url/recon/final.txt;done echo "[+] Harvesting full 3rd lvl domains with sublist3r..." 
- for domain in $(cat $url/recon/3rd-lvl-domains.txt);do sublist3r -d $domain -o $url/recon/3rd-lvls/$domain.txt;done - + for domain in $(cat $pwd/$url/recon/3rd-lvl-domains.txt);do sublist3r -d $domain -o $pwd/$url/recon/3rd-lvls/$domain.txt;done + cat $pwd/$url/recon/final.txt | sort -u >> $pwd/$url/recon/final2.txt + rm $pwd/$url/recon/final.txt + mv $pwd/$url/recon/final2.txt $pwd/$url/recon/final.txt echo "[+] Probing for alive domains..." - cat $url/recon/final.txt | sort -u | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' | sort -u >> $url/recon/httprobe/alive.txt - sort -u $url/ + cat $pwd/$url/recon/final.txt | sort -u | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' | sort -u >> $pwd/$url/recon/httprobe/a.txt + sort -u $pwd/$url/recon/httprobe/a.txt > $pwd/$url/recon/httprobe/alive.txt echo "[+] Checking for possible subdomain takeover..." - if [ ! -f "$url/recon/potential_takeovers/domains.txt" ];then - touch $url/recon/potential_takeovers/domains.txt + if [ ! -f "$pwd/$url/recon/potential_takeovers/domains.txt" ];then + touch $pwd/$url/recon/potential_takeovers/domains.txt fi - if [ ! -f "$url/recon/potential_takeovers/potential_takeovers1.txt" ];then - touch $url/recon/potential_takeovers/potential_takeovers1.txt + if [ ! 
-f "$pwd/$url/recon/potential_takeovers/potential_takeovers1.txt" ];then + touch $pwd/$url/recon/potential_takeovers/potential_takeovers1.txt fi - for line in $(cat ~/$url/recon/final.txt);do echo $line |sort -u >> ~/$url/recon/potential_takeovers/domains.txt;done - subjack -w $url/recon/httprobe/alive.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> $url/recon/potential_takeovers/potential_takeovers/potential_takeovers1.txt - sort -u $url/recon/potential_takeovers/potential_takeovers1.txt >> $url/recon/potential_takeovers/potential_takeovers.txt - rm $url/recon/potential_takeovers/potential_takeovers1.txt + for line in $(cat $pwd/$url/recon/final.txt);do echo $line |sort -u >> $pwd/$url/recon/potential_takeovers/domains.txt;done + subjack -w $pwd/$url/recon/httprobe/alive.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> $pwd/$url/recon/potential_takeovers/potential_takeovers1.txt + sort -u $pwd/$url/recon/potential_takeovers/potential_takeovers1.txt >> $pwd/$url/recon/potential_takeovers/potential_takeovers.txt + rm $pwd/$url/recon/potential_takeovers/potential_takeovers1.txt echo "[+] Running whatweb on compiled domains..." - for domain in $(cat ~/$url/recon/httprobe/alive.txt);do - if [ ! -d "$url/recon/whatweb/$domain" ];then - mkdir $url/recon/whatweb/$domain + for domain in $(cat $pwd/$url/recon/httprobe/alive.txt);do + if [ ! -d "$pwd/$url/recon/whatweb/$domain" ];then + mkdir $pwd/$url/recon/whatweb/$domain fi - if [ ! -d "$url/recon/whatweb/$domain/output.txt" ];then - touch $url/recon/whatweb/$domain/output.txt + if [ ! -d "$pwd/$url/recon/whatweb/$domain/output.txt" ];then + touch $pwd/$url/recon/whatweb/$domain/output.txt fi - if [ ! -d "$url/recon/whaweb/$domain/plugins.txt" ];then - touch $url/recon/whatweb/$domain/plugins.txt + if [ ! 
-d "$pwd/$url/recon/whaweb/$domain/plugins.txt" ];then + touch $pwd/$url/recon/whatweb/$domain/plugins.txt fi echo "[*] Pulling plugins data on $domain $(date +'%Y-%m-%d %T') " - whatweb --info-plugins -t 50 -v $domain >> $url/recon/whatweb/$domain/plugins.txt; sleep 3 + whatweb --info-plugins -t 50 -v $domain >> $pwd/$url/recon/whatweb/$domain/plugins.txt; sleep 3 echo "[*] Running whatweb on $domain $(date +'%Y-%m-%d %T')" - whatweb -t 50 -v $domain >> $url/recon/whatweb/$domain/output.txt; sleep 3 + whatweb -t 50 -v $domain >> $pwd/$url/recon/whatweb/$domain/output.txt; sleep 3 done echo "[+] Scraping wayback data..." - cat $url/recon/final.txt | waybackurls | tee -a $url/recon/wayback/wayback_output1.txt - sort -u $url/recon/wayback/wayback_output1.txt >> $url/recon/wayback/wayback_output.txt - rm $url/recon/wayback/wayback_output1.txt + cat $pwd/$url/recon/final.txt | waybackurls | tee -a $pwd/$url/recon/wayback/wayback_output1.txt + sort -u $pwd/$url/recon/wayback/wayback_output1.txt >> $pwd/$url/recon/wayback/wayback_output.txt + rm $pwd/$url/recon/wayback/wayback_output1.txt echo "[+] Pulling and compiling all possible params found in wayback data..." - cat $url/recon/wayback/wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> $url/recon/wayback/params/wayback_params.txt - for line in $(cat $url/recon/wayback/params/wayback_params.txt);do echo $line'=';done + cat $pwd/$url/recon/wayback/wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> $pwd/$url/recon/wayback/params/wayback_params.txt + for line in $(cat $pwd/$url/recon/wayback/params/wayback_params.txt);do echo $line'=';done echo "[+] Pulling and compiling js/php/aspx/jsp/json files from wayback output..." 
- for line in $(cat $url/recon/wayback/wayback_output.txt);do + for line in $(cat $pwd/$url/recon/wayback/wayback_output.txt);do ext="${line##*.}" if [[ "$ext" == "js" ]]; then - echo $line | sort -u | tee -a $url/recon/wayback/extensions/js.txt + echo $line | sort -u | tee -a $pwd/$url/recon/wayback/extensions/js.txt fi if [[ "$ext" == "html" ]];then - echo $line | sort -u | tee -a $url/recon/wayback/extensions/jsp.txt + echo $line | sort -u | tee -a $pwd/$url/recon/wayback/extensions/jsp.txt fi if [[ "$ext" == "json" ]];then - echo $line | sort -u | tee -a $url/recon/wayback/extensions/json.txt + echo $line | sort -u | tee -a $pwd/$url/recon/wayback/extensions/json.txt fi if [[ "$ext" == "php" ]];then - echo $line | sort -u | tee -a $url/recon/wayback/extensions/php.txt + echo $line | sort -u | tee -a $pwd/$url/recon/wayback/extensions/php.txt fi if [[ "$ext" == "aspx" ]];then - echo $line | sort -u | tee -a $url/recon/wayback/extensions/aspx.txt + echo $line | sort -u | tee -a $pwd/$url/recon/wayback/extensions/aspx.txt fi done echo "[+] Scanning for open ports..." - nmap -iL $url/recon/httprobe/alive.txt -T4 -oA $url/recon/scans/scanned.txt + nmap -iL $pwd/$url/recon/httprobe/alive.txt -T4 -oA $pwd/$url/recon/scans/scanned.txt echo "[+] Running eyewitness against all compiled domains..." eyewitness=$(find / -type f -name 'EyeWitness.py') - python3 $eyewitness --web -f $url/recon/httprobe/alive.txt -d $url/recon/eyewitness --resolve --no-prompt + python3 $eyewitness --web -f $pwd/$url/recon/httprobe/alive.txt -d $pwd/$url/recon/eyewitness --resolve --no-prompt From c44b85c5806670533b79b65dea204324bdce30bb Mon Sep 17 00:00:00 2001 From: Ebraam Mesak Date: Mon, 10 Oct 2022 02:19:13 +0200 Subject: [PATCH 2/5] update readme Describe how is this different from the main code from @Gr1mmie --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 6fc72dd..c0866c3 100644 --- a/README.md +++ b/README.md 
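Review bot: The corrected assetfinder filter `grep '.'$url` is still an unanchored regex in which `.` matches any character and the dots of `$url` are unescaped, so `notexample.com` or `example.com.attacker.net` passes into final.txt and from there into subjack, nmap and the screenshot step — an out-of-scope host scanned by a recon script is a real problem. Anchor it literally: `grep -E "(^|\.)${url//./\\.}\$"`. The new httprobe line in the same hunk strips the port with `tr -d ':443'`, which deletes every `:`, `4` and `3` character from the hostnames rather than the suffix, so a name like `host43.example.com` lands in alive.txt as `host.example.com`; use `sed 's/:443$//'` instead. The `if [ ! -f "$pwd/$url/recon/3rd-lvl" ]` test still checks a different name than the `3rd-lvl-domains.txt` it touches, and the `whaweb` typo in the plugins.txt test means those guards never match; both predate this commit but are now on the new side.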
@@ -1,13 +1,12 @@ # sumrecon -script I built upon courtesy of @hmaverickadams - -Has been tested only on kali. To be run in root directory +script @Gr1mmie built upon courtesy of @hmaverickadams +and was edited by me. +Has been tested only on Ubuntu. To be run in any directory ## DEPENDENCIES * assetfinder - https://github.com/tomnomnom/assetfinder * amass - https://github.com/OWASP/Amass -* certspotter - #curl -s https://certspotter.com/api/v0/certs\?domain\=$url | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u (set as alias) * sublist3r - https://github.com/aboul3la/Sublist3r * httprobe - https://github.com/tomnomnom/httprobe * waybackurls - https://github.com/tomnomnom/waybackurls From 0fe7f200067ab0b96065d9e6b4ca2d8443e489ce Mon Sep 17 00:00:00 2001 From: Ebraam Mesak Date: Mon, 10 Oct 2022 02:19:59 +0200 Subject: [PATCH 3/5] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c0866c3..260ed34 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # sumrecon script @Gr1mmie built upon courtesy of @hmaverickadams -and was edited by me. -Has been tested only on Ubuntu. To be run in any directory +and was edited by me.
+Has been tested on Ubuntu. To be run in any directory ## DEPENDENCIES * assetfinder - https://github.com/tomnomnom/assetfinder From 83c477bfe22ae2e3dc29b5ff3035754f096f96a5 Mon Sep 17 00:00:00 2001 From: Ebraam Mesak Date: Mon, 10 Oct 2022 02:36:30 +0200 Subject: [PATCH 4/5] Replace eyewitness with gowitness Replace eyewitness with gowitness --- sumrecon.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/sumrecon.sh b/sumrecon.sh index 01824c0..8fe15fd 100644 --- a/sumrecon.sh +++ b/sumrecon.sh @@ -16,7 +16,10 @@ echo "[-] sublist3r required to run script" exit 1 fi - + if [ ! -x "$(command -v gowitness)" ]; then + echo "[-] gowitness required to run script" + exit 1 + fi if [ ! -x "$(command -v httprobe)" ]; then echo "[-] httprobe required to run script" @@ -32,11 +35,7 @@ echo "[-] whatweb required to run script" exit 1 fi - if [ ! -x "$(command -v waybackurls)" ]; then - echo "[-] waybackurls required to run script" - exit 1 - fi - + if [ ! -d "$pwd/$url" ];then mkdir $pwd/$url fi @@ -58,7 +57,6 @@ if [ ! -d "$pwd/$url/recon/wayback" ];then mkdir $pwd/$url/recon/wayback fi - if [ ! -d "$pwd/$url/recon/wayback/params" ];then mkdir $pwd/$url/recon/wayback/params fi @@ -68,6 +66,10 @@ if [ ! -d "$pwd/$url/recon/whatweb" ];then mkdir $pwd/$url/recon/whatweb fi + if [ ! -d "$pwd/$url/recon/gowitness" ];then + mkdir $pwd/$url/recon/gowitness + fi + if [ ! -f "$pwd/$url/recon/httprobe/alive.txt" ];then touch $pwd/$url/recon/httprobe/alive.txt fi 
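Review bot: The prerequisite block gains a gowitness check, but the following hunk of this same commit deletes the `waybackurls` check while `cat $pwd/$url/recon/final.txt | waybackurls` further down the file is untouched, so a missing waybackurls now fails mid-run after the amass, sublist3r and whatweb work instead of before anything starts. Keep that check next to the new one: `if [ ! -x "$(command -v waybackurls)" ]; then echo "[-] waybackurls required to run script"; exit 1; fi`.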
@@ -160,6 +162,5 @@ echo "[+] Scanning for open ports..." nmap -iL $pwd/$url/recon/httprobe/alive.txt -T4 -oA $pwd/$url/recon/scans/scanned.txt - echo "[+] Running eyewitness against all compiled domains..." - eyewitness=$(find / -type f -name 'EyeWitness.py') - python3 $eyewitness --web -f $pwd/$url/recon/httprobe/alive.txt -d $pwd/$url/recon/eyewitness --resolve --no-prompt + echo "[+] Running gowitness against all compiled domains..." + gowitness file -f $pwd/$url/recon/httprobe/alive.txt -D $pwd/$url/recon/gowitness/gowitness.sqlite3 -P $pwd/$url/recon/gowitness/Screenshots From d64667cc71e82e7bdaa2e580d3be6d4faf6fc952 Mon Sep 17 00:00:00 2001 From: Ebraam Mesak Date: Mon, 10 Oct 2022 02:37:30 +0200 Subject: [PATCH 5/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 260ed34..6b235a3 100644 --- a/README.md +++ b/README.md @@ -12,4 +12,4 @@ Has been tested on Ubuntu. To be run in any directory * waybackurls - https://github.com/tomnomnom/waybackurls * whatweb - https://github.com/urbanadventurer/WhatWeb * nmap - https://nmap.org/download.html -* eyewitness - https://github.com/FortyNorthSecurity/EyeWitness +* gowitness - https://github.com/sensepost/gowitness
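Review bot: `gowitness file -f` is fed `alive.txt`, whose entries had their scheme removed by the `sed 's/https\?:\/\///'` in the httprobe step, so hosts that only answered on `https:443` reach gowitness as bare names and which scheme it tries is left to the tool's default; if that default is plain http, TLS-only hosts are screenshotted on the wrong scheme or missed — confirm the installed gowitness's behaviour or hand it a `https://`-prefixed copy of the list. The `-D` argument is a bare file path; check whether this gowitness version's database flag expects a path or a `sqlite://` URI, since a mismatch presumably yields an empty database rather than an error. The line also passes `$pwd/$url` unquoted three times; quote them as the `if` tests earlier in the file already do.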