________  _________  ____     _______________(_)___  / /______
  / ___/ _ \/ ___/ __ \/ __ \   / ___/ ___/ ___/ / __ \/ __/ ___/
 / /  /  __/ /__/ /_/ / / / /  (__  ) /__/ /  / / /_/ / /_(__  ) 
/_/   \___/\___/\____/_/ /_/  /____/\___/_/  /_/ .___/\__/____/  
                                              /_/                

                                                                                    

A simple recon framework for bug bounty hunting

• Enumerate subdomains using Sublist3r and Subdominizer
• Probe subdomains using httpx
• Check cloud buckets using cloud_enum and S3Scanner
• Scan webpages using nuclei
• Take screenshots using Aquatone
• Asset discovery using hakrawler
• Scan for XSS from asset discovery using XSStrike
• Directory bruteforcing using ffuf
• Notify for new URLs or JS files discovered via Slack

The idea is to turn this:

targets
├── tesla
│   └── domains.txt
└── shopify
    └── domains.txt

into this:

targets
├── tesla
│   ├── screenshots/
│   ├── urls.txt
│   ├── js.txt
│   ├── githound.txt
│   ├── cloud_enum.txt
│   ├── webservers.txt
│   ├── domains.txt
│   └── subdomains.txt
├── shopify
│   ├── screenshots/
│   ├── urls.txt
│   ├── js.txt
│   ├── cloud_enum.txt
│   ├── webservers.txt
│   ├── domains.txt
│   └── subdomains.txt
│
.
.

* Inspired by lazyrecon by nahamsec

* This code is created for personal use. But feel free to try it out

* I'm not very good at bash, please point out any weird quirks that could use some improvements ♥

Setup

Bash one-line setup. Installs recon-scripts to $HOME/.recon-scripts

bash <(curl -s https://raw.githubusercontent.com/tedmdelacruz/recon-scripts/master/configure)

Initialize a vars.sh from vars.sh.example

cd .recon-scripts
cp vars.sh.example vars.sh
vim vars.sh

Usage:

Run predefined scans

cd .recon_scripts
$ scans/sweep.sh # Initial scann of all targets in recon folder
$ scans/snipe.sh tesla shopify # Probe and quick scan
$ scans/bombard.sh shopify # Comprehensive scan

Set up crontab

$ crontab -e
30 21 * * *  /home/tedm/.recon-scripts/cron/daily.sh

Or execute individual functions like so:

$ enumerate_subdomains domain.com path/to/targets_dir/target
$ probe_subdomains path/to/target
$ cloud_bucket_enum path/to/target
$ nuclei_scan path/to/target
$ take_screenshots path/to/target

TODO

• Configure API key inclusion to subdomain enumerations
• Monitor interesting files and web pages for changes
• Show GitHub dorking links
• Setup port scanning using dnmasscan, masscan, and nmap
• Support multithreading
• Add script for scaffolding directories
• Add reporting