Automated framework to do big bounty recon
commonspeak2-wordlistsamass in passive mode on the domain providedcommonspeak and amass domainsmassdnsdomains.tmphttprobe on the resolved subdomainsmasscan on the resolved ipsaquatone on the subdomains that httprobe found to be aliveffuf on the found domains ...domain.com/FUZZYou'll get a few files. I decided it's best to let you figure out what you want to keep:
domains.out: The unique list of domains from commonspeak, assetfinder, and amassmassdns.out: The results of massdns (subdomains & resolved IPs)httprobe.out: The results of httprobe (subdomains that responded to ports 3000,4567,5000,5104,8000,8008,8080,8088,8443,8280,8333,11371,16080)masscan.out: The results of masscan (provided in greppable format)ips.out: Results of massdns with only the ip addressessubs.out: Results of massdns with only the subdomainsffuf.out: Results of ffuf with only status code and urlaquatone/: Directory of the aquatone resultsffuf/: Directory containing ffuf fuzzed directoriesThere are some variables you need to pass:
<domain>: is the TLD or subdomain you want to run against (Ex: domain.com).<resolver_check>: is either true or false. If you notice that you're not getting any final output set this value to false to disable the offending resolver check from massdns.<wordlist_size>: is either large or small.git clone git@github.com:godzilla74/pentest-tools.git
cd pentest-tools
docker build -t recon .
docker run -it -v $(pwd):/opt/results recon <domain> <resolver_check> <wordlist_size>parallel support to run some jobs in tandem (masscan, httprobe, aquatone)Have a problem or suggestion? Make an issue. I might get to it.