#!/bin/bash
#================================================================
#% PREREQUISITES
#% go get -u github.com/tomnomnom/assetfinder
#% go get -u github.com/tomnomnom/httprobe
#% go get -u github.com/sensepost/gowitness
#% go get -u github.com/haccer/subjack
#% go get -u github.com/tomnomnom/waybackurls
#%
#% SYNOPSIS
#% ./subfinder.sh domain.com [-all]
#%
#% PARAMS
#% -all - all associated domains including external
#%
#% DESCRIPTION
#% This script is used to harvest subdomains for a URL
#%
#% CREDITS
#% @TheCyberMentor - Practical Ethical Hacking
#% https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course
#%
#================================================================
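# Abort on unset variables. The original expanded a missing $2 into an
# empty test operand and died with "unary operator expected".
set -u

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# $1 - target domain. It becomes a directory name under assets/ and is
# passed to several external tools, so only a plain hostname is accepted
# (no path separators, no "..", no shell metacharacters).
url=${1:-}
[[ -n "$url" ]] || die "usage: ${0##*/} domain.com [-all]"
[[ "$url" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ && "$url" != *..* ]] || die "invalid domain: $url"

# assetfinder is restricted to subdomains unless "-all" is passed as $2.
subs="-subs-only"
if [[ "${2:-}" == "-all" ]]; then
  subs=""
fi

base="assets/$url"

# Create the output tree. mkdir -p is idempotent, so the per-directory
# existence checks are not needed (one of them was single-quoted and so
# tested the literal path 'assets/$url/gowitness' on every run).
for dir in "$base/gowitness" "$base/scans" "$base/httprobe" \
  "$base/potential_takeovers" "$base/wayback/params" \
  "$base/wayback/extensions"; do
  mkdir -p -- "$dir" || die "cannot create $dir"
done
touch -- "$base/httprobe/alive.txt" "$base/$url.txt" \
  "$base/potential_takeovers/potential_takeovers.txt" || die "cannot create output files"

echo "[+] Harvesting subdomains with assetfinder..."
# $subs stays unquoted on purpose: when empty it must expand to no argument.
# shellcheck disable=SC2086
assetfinder $subs "$url" >> "$base/assets.txt"
echo "assetfinder $subs $url >> assets/$url/assets.txt"
# Fixed-string match: the original used the domain as a regex, where every
# "." matched any character.
grep -F -- "$url" "$base/assets.txt" >> "$base/$url.txt"
rm -f -- "$base/assets.txt"

#echo "[+] Harvesting subdomains with Amass..."
#mass enum -d $url >> assets/$url/f.txt
#sort -u assets/$url/f.txt >> assets/$url/$url.txt
#rm assets/$url/f.txt

echo "[+] Probing for alive domains..."
# NOTE(review): despite the message, httprobe is not invoked here; this
# step only strips the URL scheme. alive.txt is appended to on every run,
# so repeated runs against the same domain accumulate duplicates.
sort -u -- "$base/$url.txt" | sed 's/https\?:\/\///' >> "$base/httprobe/alive.txt"

echo "[+] Checking for possible subdomain takeover..."
subjack -w "$base/$url.txt" -t 100 -timeout 30 -ssl \
  -c "$HOME/go/src/github.com/haccer/subjack/fingerprints.json" -v 3 \
  -o "$base/potential_takeovers/potential_takeovers.txt"

echo "[+] Scanning for open ports..."
nmap -iL "$base/httprobe/alive.txt" -T4 -oA "$base/scans/scanned.txt"

echo "[+] Scraping wayback data..."
wayback_out="$base/wayback/wayback_output.txt"
waybackurls < "$base/$url.txt" >> "$wayback_out"
# Dedupe in place. The original ran `sort -u` without -o, which only
# printed the sorted list to stdout and left the file unchanged.
sort -u -o "$wayback_out" "$wayback_out"

echo "[+] Pulling and compiling all possible params found in wayback data..."
params_out="$base/wayback/params/wayback_params.txt"
grep '?*=' "$wayback_out" | cut -d '=' -f 1 | sort -u >> "$params_out"
# Echo each parameter name with a trailing "=" to stdout, as the original
# loop did; nothing is written to a file in this step.
while IFS= read -r param; do
  printf '%s=\n' "$param"
done < "$params_out"

echo "[+] Pulling and compiling js/php/aspx/jsp/json files from wayback output..."
ext_dir="$base/wayback/extensions"
# Bucket each URL by the text after its last "." (so a query string or a
# trailing slash after the extension does not match, as in the original).
# NOTE(review): "html" is filed under jsp.txt exactly as the original did;
# the announcement above lists jsp, so confirm which was intended.
while IFS= read -r line; do
  case "${line##*.}" in
    js)   printf '%s\n' "$line" >> "$ext_dir/js1.txt" ;;
    html) printf '%s\n' "$line" >> "$ext_dir/jsp1.txt" ;;
    json) printf '%s\n' "$line" >> "$ext_dir/json1.txt" ;;
    php)  printf '%s\n' "$line" >> "$ext_dir/php1.txt" ;;
    aspx) printf '%s\n' "$line" >> "$ext_dir/aspx1.txt" ;;
  esac
done < "$wayback_out"
# The original sorted and deleted the scratch file after every single line,
# so the final files received every duplicate; dedupe once per extension.
for name in js jsp json php aspx; do
  if [[ -f "$ext_dir/${name}1.txt" ]]; then
    sort -u -- "$ext_dir/${name}1.txt" >> "$ext_dir/$name.txt"
    rm -f -- "$ext_dir/${name}1.txt"
  fi
done

echo "[+] Running gowitness against all compiled domains..."
gowitness file -f "$base/httprobe/alive.txt" -P "$base/gowitness"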