{“recon_scripts_v2.0”}

Recon Script v2.0

Introduction

Coming from v1.0 , I had a few ideas in order to improve v2.0. One of which was to add a progress bar and some options to decide what type of scan to do! I was initially thinking of follow the schematic of every open source tool out there with a list of configuration options ( Ex. The -A option for nmap ). After some consideration, I decided on just having the script ask what type of enumeration they would want. Maybe I’ll change it in the future but who knows

Description

This Bash script is a reconnaissance tool designed to automate the process of gathering information about a web application. It combines multiple methods for finding subdomains, directories, and more, helping to create a comprehensive picture of the web application’s structure. The script includes several steps for setting up directories, performing scans, and outputting the results to specific files.

Breakdown of the Script

Initialization and Disclaimer:
– The script starts with a comment section that explains its purpose and provides a disclaimer about its intended use for educational purposes and authorized security testing only.

Variable Declarations:
– domain: Takes the first command-line argument as the target domain.
– mode: Takes the second command-line argument as the mode of reconnaissance (service, directory, subdomain, or all).
– RED, YELLOW, WHITE, RESET, LINE: Define color codes and a line separator for formatted output.
– basic_path, service_path, directory_path, subdomain_path: Define paths for storing the results of various scans.

Progress Indicator Function:
– Defines a progress function that displays a rotating progress indicator while a background process is running.

ASCII Art and Line Separator:
– Displays ASCII art for visual separation and a line separator for better readability.

Directory Setup:
– Checks if the target domain directory and subdirectories (basic_recon, service_recon, directory_recon, subdomain_recon) exist. If not, it creates them.

Basic Enumeration:
– Executes whois and nslookup commands on the target domain and saves the outputs to whois.txt and nslookup.txt in the basic_recon directory.

Service Enumeration:
– If the serv mode is selected, creates a service_recon directory, executes an nmap scan on the target domain, and saves the output to nmap.txt.

Directory Enumeration:
– If the dir mode is selected, creates a directory_recon directory, executes ffuf and dirb scans on the target domain, and saves the outputs to appropriate files.

Subdomain Enumeration:
– If the sub mode is selected, creates a subdomain_recon directory, executes subfinder and assetfinder to find subdomains, filters alive subdomains using httprobe, takes screenshots using gowitness, and saves the outputs to appropriate files.

Mode Selection and Execution:
– Prompts the user to select a mode (serv, dir, sub, all) and executes the corresponding functions based on the user’s choice.

Final Notes

The actual amount of open source tools didnt really change, however, I implemented a progress bar, showing that the script is running instead of freezing and added options so the user can decide on what type of enumeration to use! It was a fun project, learning and implementing function and cases!

Later on to improve on this, I was thinking of maybe changing the schematic of how modes are picked like ( edsrecon -dir OR edsrecon -serv). Researching some open source tools to add onto the script is a next step as well!

Big thanks to Vickie Li’s “Bug Bounty Bootcamp” , TCM Security , GeeksForGeeks, and OpenAI for the help in creating this project!

I’m not sponsored but Vickie Li’s book is TOP TIER! Also look at TCM Security if you have any interest in penetration testing or cybersecurity in general

Resources

https://vickieli.dev/

https://www.amazon.com/Bug-Bounty-Bootcamp-Reporting-Vulnerabilities-ebook/dp/B08YK368Y3

https://academy.tcm-sec.com/courses/

https://www.geeksforgeeks.org/introduction-linux-shell-shell-scripting/

#!/bin/bash

<< comment
This handy recon tool combines a bunch of different methods 
for finding subdomains, directories, and more. It helps you 
get a clear picture of how a web application is set up, 
making it easier to see the whole layout and spot any 
potential issues.

Disclaimer:
This script is intended for educational purposes and authorized security testing only. 
The author is not responsible for any misuse or damage caused by this tool. 
Users are responsible for ensuring they have proper authorization before running 
any security scans. Always verify the scope of your testing to ensure compliance 
with relevant laws and policies.

By using this tool, you agree to use it responsibly and in accordance with all 
applicable laws and regulations. The author disclaims all liability for any actions 
taken based on the information provided by this tool.
comment

#Declare variables
domain=$1
mode=$2
RED="\033[1;31m"
YELLOW="\033[0;33m"
WHITE="\033[0;37m"
RESET="\033[0m"
LINE="\033[0;37m----------------------------------------------------------\033[0m"
basic_path=$domain/basic_recon
service_path=$domain/service_recon
directory_path=$domain/directory_recon
subdomain_path=$domain/subdomain_recon

# Function to display a rotating progress indicator
progress() {
  local pid=$1
  local delay=0.1
  local spinstr='|/-\'
  while ps -p $pid > /dev/null 2>&1; do
    local temp=${spinstr#?}
    printf " [%c]  " "$spinstr"
    local spinstr=$temp${spinstr%"$temp"}
    sleep $delay
    printf "\b\b\b\b\b\b"
  done
  printf "    \b\b\b\b"
}

# TOOL BANNER 
echo -e "${WHITE}
 ___  ___  ___  __  ___  ___    ___   ___   __  __  _  _ 
(  _)(   \(   \(  )(  _)/ __)  (  ,) (  _) / _)/  \( \( )
 ) _) ) ) )) ) ))(  ) _)\__ \   )  \  ) _)( (_( () ))  ( 
(___)(___/(___/(__)(___)(___/  (_)\_)(___) \__)\__/(_)\_)
${RESET}"
echo -e "${LINE}"
sleep 1

#Directory Making
echo "Creating directories for recon : $domain"
sleep 1

## Make top level recon directory
if [ ! -d "$domain" ];then
	mkdir $domain
fi 
if [ ! -d "$basic_path" ];then
	mkdir $basic_path
fi

#Basic Emuneration (whois and nslookup) #Included in every mode
## whois scan
echo "Conducting basic scans ..."
echo "Executing \"whois $domain\""
whois $domain > $basic_path/whois.txt &
pid=$!
progress $pid
wait $pid
echo "[+] whois scan complete"
echo -e "${LINE}"
sleep 1

## nslookup scan 
echo "Executing \"nslookup $domain\""
nslookup $domain > $basic_path/nslookup.txt &
pid=$!
progress $pid
wait $pid
echo "[+] nslookup scan complete"
echo -e "${LINE}"
sleep 1 


#Service Mode 
service_enum(){

  ## Make directory for service enumeration 
  echo -e "Making service enumeration folder"  
  if [ ! -d "$service_path" ];then
  mkdir $service_path
  fi
  
  ## nmap scan -> Feel free to add options to nmap (Sake of testing script I will not)
  echo "Executing \"nmap $domain\" :"
  nmap $domain > $service_path/nmap.txt &
  pid=$!
  progress $pid
  wait $pid
  echo "[+] NMAP Scan completed!"
  echo -e "${LINE}"
  sleep 1
}

#Directory Mode
directory_enum(){

  ## Make directory for directory enumeration 
  echo -e "Making directory enumeration folder"
  if [ ! -d "$directory_path" ];then
    mkdir $directory_path
  fi
  
  ## FFUF tool -> uses medium wordlist
  ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u https://$domain/FUZZ > test.txt&
  pid=$!
  progress $pid
  wait $pid
  echo "[+] FFUF Scan completed!"
  echo -e "${LINE}"
  sleep 1

  ## Dirb tool -> Recursive directory enumeration to domain 
  dirb https://$domain > $directory_path/dirb.txt &
  pid=$!
  progress $pid
  wait $pid
  echo "[+] Dirb Scan completed!"
  echo -e "${LINE}"
  sleep 1
}
 
#Subdomain Mode 
subdomain_enum(){

  ## Make directory for subdomain enumeration 
  echo -e "Making subdomain enumeration folder"
  if [ ! -d "$subdomain_path" ];then 
    mkdir $subdomain_path
  fi

  ##subfinder 
  echo -e "${WHITE} [+] Executing subfinder ... ${RESET}"
  subfinder -d $domain > $subdomain_path/found_subdomain.txt &
  pid=$!
  progress $pid
  wait $pid
  echo "[+] Subfinder Scan completed!"
  echo -e "${LINE}"
  sleep 1

  ##assetfinder 
  echo -e "${WHITE} [+] Executing assetfinder ... ${RESET}"
  assetfinder $domain | grep $domain >> $subdomain_path/found_subdomain.txt &
  pid=$!
  progress $pid
  wait $pid
  echo "[+] Assetfinder Scan completed!"
  echo -e "${LINE}"
  sleep 1

  ##finding alive subdomains (HTTPROBE)
  echo -e "${WHITE} [+] Finding alive subdomains (HTTPROBE) ... ${RESET}" &
  pid=$!
  progress $pid
  wait $pid
  echo "[+] HTTPROBE Scan completed!"
  echo -e "${LINE}"
  sleep 1
  cat $subdomain_path/found_subdomain.txt | grep $domain | sort -u | httprobe -prefer-https | grep https | sed 's/https\?:\/\///' | tee -a $subdomain_path/alive_subdomains.txt

  ##screenshot of alive subdomains (GOWITNESS)
  echo -e "${WHITE} [+] Taking screenshots of alive subdomains (GOWITNESS) ... ${RESET}" 
  gowitness file -f $subdomain_path/found_subdomain.txt -P $screenshot_path/ --no-http &
  pid=$!
  progress $pid
  wait $pid
  echo "[+] Screenshots completed!"
  echo -e "${LINE}"
  sleep 1

}

# Prompt user for mode
echo "What mode would you like to use? (serv for service, dir for directory, sub for subdomain, all for everything)"
read -r mode

# Main logic to handle user input
case "$mode" in
  serv)
    service_enum
    ;;
  dir)
    directory_enum
    ;;
  sub)
    subdomain_enum
    ;;
  all)
    service_enum
    directory_enum
    subdomain_enum
    ;;
  *)
    echo "Invalid option. Please use 'serv' for service, 'dir' for directory, 'sub' for subdomain, 'all' for everything"
    ;;
esac
Scroll to Top