x1mdev / ReconPi

ReconPi - A lightweight recon tool that performs extensive scanning with the latest tools.
https://x1m.nl/posts/recon-pi/
MIT License

Script can now run all latest tools on any debian system #52

Closed maverickNerd closed 4 years ago

maverickNerd commented 4 years ago

Short Summary of changes:

Methodology:

gatherResolvers
gatherSubdomains
checkTakeovers
getCNAME
gatherIPs
gatherScreenshots
startMeg
fetchArchive
fetchEndpoints
runNuclei
checkShodan
portScan
notifySlack

Subdomain Enumeration:

Sublert

Subfinder

assetfinder

amass passive and active enum

findomain (add findomain sources token to get better results)

github-subdomains

dns.bufferover.run

Mutate above Subdomains using commonspeak subdomain list

Combine and Sort above result -> Use shuffledns to resolve -> dnsgen(to mutate) -> httprobe (to get alive hosts)

Check for takeovers using subjack and nuclei

Get CNAMEs to check manually for takeovers

Use dnsprobe to gather IPs, ignoring any that fall in the Cloudflare IP range

Do a masscan and then an nmap scan on them, also using the http-title and vulners scripts.

Take Screenshot for visual recon

Use gau to get archive URLs; write paramlist, jsurls, phpurls, aspxurls, and jspurls to their own files.

Get Endpoints using Linkfinder

Run Nuclei Scripts on alive hosts

Check IPs for vulnerability on Shodan

Notify on a Slack channel if a token is specified.

Directory bruteforcing (not enabled, as it takes a long time; it is better to do manually)
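As an added illustration of the gau post-processing step listed above (example code written here, not ReconPi's own script): a Python function that splits one-URL-per-line archive output into the paramlist, jsurls, phpurls, aspxurls and jspurls sets, run on a constructed sample. Classifying on the URL path's extension rather than the whole line avoids false hits from query strings such as `?file=x.php`, and the parameter inventory is what you would review when auditing which inputs your own archived endpoints expose.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample in the one-URL-per-line form gau emits (not real gau output).
SAMPLE_URLS = """\
https://app.example.com/login.php?user=admin&redirect=/home
https://app.example.com/static/main.js?v=12
https://app.example.com/old/Search.ASPX?q=test
https://app.example.com/portal/index.jsp;jsessionid=abc?page=2
https://app.example.com/api/v1/users?id=5&id=6
https://app.example.com/login.php?user=guest
not a url
"""

# Path extension -> output bucket, mirroring the file names the script writes.
EXT_BUCKETS = {".js": "jsurls", ".php": "phpurls", ".aspx": "aspxurls", ".jsp": "jspurls"}


def categorise(lines):
    """Split archive URLs into buckets.

    Returns a dict with "paramlist" (sorted unique query parameter names) and
    one sorted, de-duplicated URL list per extension bucket that was hit.
    Extension matching is case-insensitive and ignores ;path-params and the query.
    """
    out = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        parsed = urlparse(raw)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            continue  # skip junk lines instead of aborting the whole run
        # urlparse already separates ;jsessionid=... into .params; the split is
        # a guard for URLs where it does not.
        path = parsed.path.split(";", 1)[0].lower()
        for ext, bucket in EXT_BUCKETS.items():
            if path.endswith(ext):
                out[bucket].add(raw)
        # keep_blank_values so "?debug=" still records the parameter name
        for name in parse_qs(parsed.query, keep_blank_values=True):
            out["paramlist"].add(name)
    return {bucket: sorted(values) for bucket, values in out.items()}


def run_sample():
    """Categorise the constructed sample above."""
    return categorise(SAMPLE_URLS.splitlines())
```

Each bucket can be written to its own file with `"\n".join(...)`, which is the form the downstream steps in the script consume.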

x1mdev commented 4 years ago

pulled in the other one, closing this.