
Recon Script v1.0

Introduction

Enumeration is one of the most overlooked but also one of the most important phases in bug bounty hunting and penetration testing. Recon is something I personally struggle with, so I figured that automating the reconnaissance process would help me improve as well as teach me a bit of shell scripting!

This Bash script is a reconnaissance tool designed to automate the process of gathering information about a web application. It combines multiple methods for finding subdomains, directories, and more, helping to create a comprehensive picture of the web application’s structure. The script includes several steps for setting up directories, performing scans, and outputting the results to specific files.

Breakdown of the Script

Initialization and Disclaimer:
– The script starts with a comment section that explains its purpose and provides a disclaimer about its intended use for educational purposes and authorized security testing only.

Variable Declarations:
– domain: Takes the first command-line argument as the target domain.
– RED, YELLOW, WHITE, RESET, LINE: Define color codes and a line separator for formatted output.

Directory Setup:
– Checks if the target domain directory and subdirectories (subdomains, screenshots, scans, directories) exist. If not, it creates them.

ASCII Art and Line Separator:
– Displays ASCII art for visual separation and a line separator for better readability.

CURL Scan:
– Executes a CURL command to get the HTTP headers of the target domain and saves the output to curl.txt in the scans directory.

NMAP Scan:
– Executes an NMAP scan on the target domain and saves the results to nmap.txt in the scans directory.

Directory Enumeration:
– Runs a dirb scan (commented out in v1.0) for directory enumeration, and notes that dirbuster and ffuf can be used for the same purpose.

Subdomain Enumeration:
– Executes subfinder to find subdomains and saves the results to found_subdomain.txt in the subdomains directory.
– Uses assetfinder to find additional subdomains and appends the results to found_subdomain.txt.
– Uses httprobe to filter alive subdomains and saves them to alive_subdomains.txt in the subdomains directory.
– Uses gowitness to take screenshots of the alive subdomains and saves them in the screenshots directory.

Completion Message:
– Displays a final ASCII art and a line separator to indicate the end of the script.
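The breakdown above describes the scaffolding every script of this kind needs before the first tool runs: a validated target argument, the directory tree, the colour variables, and a way to tell a slow scan from a hung one. The skeleton below is an added example written for this post, not the author's script. It keeps the directory names and tool names from the breakdown, but the domain check, the tool-presence check, the `run_step` wrapper with its wall-clock limit, and the time limits in `main` are all my own assumptions; tune them to your environment.

```shell
#!/usr/bin/env sh
# Added example (not the post's own script): the setup and logging skeleton
# of a recon script. Scan commands are only run from main(), only against the
# domain given on the command line, and only if the tools are installed.

RED='\033[0;31m'; YELLOW='\033[0;33m'; WHITE='\033[0;37m'; RESET='\033[0m'
LINE='------------------------------------------------------------'

# Accept only a plausible hostname. Anything else (shell metacharacters,
# a URL with a scheme, an empty string) is rejected before it can reach
# a tool invocation. Regex is an assumption, not from the post.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Create <base>/<domain>/{subdomains,screenshots,scans,directories}.
# mkdir -p is idempotent, so "check, then create" collapses to one call.
setup_dirs() {
    base="${2:-.}"
    for sub in subdomains screenshots scans directories; do
        mkdir -p "$base/$1/$sub" || return 1
    done
}

# Return 0 only if every named tool is on PATH; report each missing one.
# Catching this up front avoids a run that silently does nothing.
require_tools() {
    missing=0
    for t in "$@"; do
        if ! command -v "$t" >/dev/null 2>&1; then
            printf '%b[missing]%b %s\n' "$RED" "$RESET" "$t" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Run one step with a wall-clock limit and start/finish lines, so a quiet
# terminal means "still running" rather than "frozen".
# Usage: run_step NAME SECONDS OUTFILE cmd args...
run_step() {
    name="$1"; limit="$2"; out="$3"; shift 3
    printf '%b[%s]%b started (limit %ss)\n' "$YELLOW" "$name" "$RESET" "$limit"
    start=$(date +%s)
    # coreutils timeout is used when present; otherwise the step is unbounded.
    if command -v timeout >/dev/null 2>&1; then set -- timeout "$limit" "$@"; fi
    if "$@" >"$out" 2>&1; then status=0; else status=$?; fi
    end=$(date +%s)
    if [ "$status" -eq 124 ]; then
        printf '%b[%s]%b timed out after %ss; partial output in %s\n' \
            "$RED" "$name" "$RESET" "$limit" "$out"
    else
        printf '%b[%s]%b finished in %ss (exit %s) -> %s\n' \
            "$WHITE" "$name" "$RESET" "$((end - start))" "$status" "$out"
    fi
    return "$status"
}

main() {
    domain="${1:-}"
    if [ -z "$domain" ]; then
        echo "usage: $0 <domain>" >&2
        return 2
    fi
    valid_domain "$domain" || { echo "not a valid domain: $domain" >&2; return 2; }
    setup_dirs "$domain" || return 1
    require_tools curl nmap subfinder assetfinder httprobe gowitness || return 1
    echo "$LINE"
    # Time limits are placeholders chosen for this example.
    run_step curl 30 "$domain/scans/curl.txt" curl -sI "https://$domain"
    run_step nmap 900 "$domain/scans/nmap.txt" nmap "$domain"
    # The subdomain steps from the breakdown chain through run_step the same way.
    echo "$LINE"
}

# Only run when invoked with a target; sourcing the file just loads the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because each step goes through `run_step`, the terminal always shows which tool is running and when it finished or hit its limit, and a step that times out leaves whatever partial output it produced in the expected file instead of leaving the script hanging.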

Final Thoughts

After creating this script, I realize this is only the beginning of a long journey into shell scripting. I wanted to add options to the script so that I can choose which type of enumeration to run, but I decided that was for v2.0.

One issue I came across is that I couldn't tell if my script was frozen and wasn't running correctly OR if the open source tool being used, like nmap or dirb, was taking forever. I'm thinking adding a progress bar would help with that. That might be an addition to v2.0.

Overall, it was a fun experience! I learned about declaring user input, creating directories, and the process of automating open source tools.

Big thanks to TCM Security for the walkthrough, as well as Vickie Li's book "Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities".

See you soon for v2.0 of recon_script!!!

Resources

https://vickieli.dev/

https://www.amazon.com/Bug-Bounty-Bootcamp-Reporting-Vulnerabilities-ebook/dp/B08YK368Y3

https://academy.tcm-sec.com/courses/
