Automated framework to do bug bounty recon

- `commonspeak2-wordlists` as the subdomain wordlist
- `amass` in passive mode on the domain provided
- `massdns` on the combined commonspeak and amass domains (`domains.tmp`)
- `httprobe` on the resolved subdomains
- `masscan` on the resolved IPs
- `aquatone` on the subdomains that `httprobe` found to be alive
- `ffuf` on the found domains: ...domain.com/FUZZ
You'll get a few files. I decided it's best to let you figure out what you want to keep:

- `domains.out`: the unique list of domains from `commonspeak`, `assetfinder`, and `amass`
- `massdns.out`: the results of `massdns` (subdomains & resolved IPs)
- `httprobe.out`: the results of `httprobe` (subdomains that responded on ports 3000,4567,5000,5104,8000,8008,8080,8088,8443,8280,8333,11371,16080)
- `masscan.out`: the results of `masscan` (provided in greppable format)
- `ips.out`: results of `massdns` with only the IP addresses
- `subs.out`: results of `massdns` with only the subdomains
- `ffuf.out`: results of `ffuf` with only status code and url
- `aquatone/`: directory of the `aquatone` results
- `ffuf/`: directory containing the `ffuf` fuzzed directories

There are some variables you need to pass:
- `<domain>`: the TLD or subdomain you want to run against (Ex: domain.com).
- `<resolver_check>`: either `true` or `false`. If you notice that you're not getting any final output, set this value to `false` to disable the offending resolver check from `massdns`.
- `<wordlist_size>`: either `large` or `small`.

```shell
git clone git@github.com:godzilla74/pentest-tools.git
cd pentest-tools
docker build -t recon .
docker run -it -v $(pwd):/opt/results recon <domain> <resolver_check> <wordlist_size>
```
- `parallel` support to run some jobs in tandem (masscan, httprobe, aquatone)

Have a problem or suggestion? Make an issue. I might get to it.
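As an added example (not code from the pentest-tools repo), here is a POSIX shell function that derives `subs.out` and `ips.out` from `massdns.out` the way the file list above describes them. It assumes massdns's simple output format (one `name. TYPE value` line per record); the sample records are constructed, and the scope filter (drop CNAME targets outside `<domain>`) is this example's own choice, since everything in `ips.out` is later fed to masscan.

```shell
#!/bin/sh
# Added example, not code from the pentest-tools repo. Splits a massdns output
# file in its simple format (assumed: one "name. TYPE value" line per record)
# into subs.out and ips.out as the README describes them.
# Scope rules, because masscan later runs against every address in ips.out:
#   - a name counts only if it is <domain> itself or ends in ".<domain>",
#     so "notexample.com" is not a subdomain of "example.com";
#   - massdns also prints the A records of CNAME targets, which often sit in
#     a CDN's or hoster's zone; those names and addresses are dropped here
#     instead of being handed to masscan.

split_massdns() {
    src=$1 domain=$2 subs=$3 ips=$4
    # Subdomains: first field, trailing root dot removed, in-scope names only.
    awk -v d="$domain" '
        { sub(/\.$/, "", $1) }
        $1 == d || substr($1, length($1) - length(d)) == "." d { print $1 }
    ' "$src" | sort -u > "$subs"
    # IPv4 addresses: third field of A records for in-scope names. AAAA and
    # CNAME values are never something masscan should be pointed at.
    awk -v d="$domain" '
        { sub(/\.$/, "", $1) }
        $2 == "A" && ($1 == d || substr($1, length($1) - length(d)) == "." d) &&
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }
    ' "$src" | sort -u > "$ips"
}

# Constructed sample of massdns simple output (documentation address ranges).
massdns_sample() {
    cat <<'EOF'
www.example.com. A 192.0.2.10
www.example.com. A 192.0.2.10
api.example.com. CNAME edge.cdn-provider.net.
edge.cdn-provider.net. A 198.51.100.7
mail.example.com. AAAA 2001:db8::25
notexample.com. A 203.0.113.9
EOF
}

# Usage: split_massdns massdns.out example.com subs.out ips.out
if [ "$#" -eq 4 ]; then
    split_massdns "$@"
fi
```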