0xbites/recon-script

Reconnaissance Scripts

This project provides a set of modular scripts to automate the reconnaissance phase of a bug bounty program. The scripts use popular open-source tools to discover information about a target domain and present it in a user-readable way.

Features

  • Subdomain Enumeration: Discovers subdomains using Subfinder, Assetfinder, Amass, Findomain, and Crobat.
  • HTTP/HTTPS Server Discovery: Identifies live web servers using HTTPX.
  • URL Discovery: Finds URLs using Gau and Waybackurls.
  • Visual Reconnaissance: Takes screenshots of web pages using Aquatone.
  • JavaScript Analysis: Analyzes JavaScript files for endpoints and secrets using LinkFinder and JSScanner.
  • Parameter Mining: Finds hidden parameters using Paramspider.
  • Secret Scanning: Scans for secrets in web pages using TruffleHog.
  • Subdomain Takeover Scanning: Checks for subdomain takeover vulnerabilities using Subzy.
  • Vulnerability Scanning: Scans for known vulnerabilities using Nuclei with default and custom templates.
  • Port Scanning: Scans for open ports using Nmap.
  • Directory Brute-forcing: Finds hidden directories and files using Dirsearch and FFUF.
  • S3 Bucket Scanning: Scans for open S3 buckets using S3Scanner.
  • Parallel Execution: Runs tasks in parallel to speed up the reconnaissance process.
  • Configuration File: Allows you to customize options like wordlists, threads, and the output directory.

Installation

  1. Clone the repository or download the scripts.

  2. Navigate to the recon-scripts directory:

    cd recon-scripts

  3. Run the installation script with sudo to install the required tools:

    sudo ./scripts/install_tools.sh

    Note: This may take some time to complete.

Configuration

You can customize the behavior of the scripts by editing the config.sh file. This file allows you to specify options like wordlists, the number of threads for ffuf, and the output directory.

  • Output Directory: The OUTPUT_DIR variable specifies the base directory where the results will be saved. The default is results.
  • FFUF Wordlist: To use a custom wordlist for ffuf, uncomment the CUSTOM_FFUF_WORDLIST variable in config.sh and set it to the path of your wordlist.

Usage

  1. Run the reconnaissance script:

    ./recon.sh <domain>

    Replace <domain> with the domain you want to scan (e.g., example.com).

    Note: The script will automatically create and use a Python virtual environment in the venv directory.

Output

The results of the scan will be saved in the results/<domain> directory. The directory will contain the following files and directories:

  • subfinder.txt: Subdomains discovered by Subfinder.
  • assetfinder.txt: Subdomains discovered by Assetfinder.
  • amass.txt: Subdomains discovered by Amass.
  • findomain.txt: Subdomains discovered by Findomain.
  • crobat.txt: Subdomains discovered by Crobat.
  • all_subdomains.txt: A list of all unique subdomains.
  • live_subdomains.txt: A list of subdomains with live web servers.
  • gau.txt: URLs discovered by Gau.
  • waybackurls.txt: URLs discovered by Waybackurls.
  • all_urls.txt: A list of all unique URLs.
  • unfurl.txt: Unfurled URLs.
  • aquatone/: Screenshots of web pages.
  • js_analysis/: Output of JavaScript analysis.
  • paramspider/: Output of parameter mining.
  • trufflehog/: Output of secret scanning.
  • subzy.txt: Output of subdomain takeover scanning.
  • nuclei_output.txt: Output of Nuclei scan with default templates.
  • nuclei_custom_output.txt: Output of Nuclei scan with custom templates.
  • nmap_output.txt: Output of Nmap scan.
  • dirsearch_output.txt: Output of Dirsearch scan.
  • ffuf_*.json: Output of FFUF scans.
  • s3scanner.txt: Output of S3Scanner scan.
