iBLISSLabs/pentest-scripts
Informational

I made these scripts for my own needs, and along the way tried to understand a little of how some bug hunters work and put some of those steps into a logical order for me.
Until I consider this work finished, I'll keep studying how some people work and turning what I see into features of the collector script. :D

Informational 2

This README.md only covers the usage and other details of the main scripts.
Every other script in this repository has its description in the script header.

System Requirements

Recommended to run on a VPS with 1 vCPU and 2 GB of RAM.

Why do I need to run get-tools.sh as root or with sudo?

Because it keeps your system updated and installs packages from your distribution's repositories to prepare the environment for running collector. As with any script run with root privileges, read through it before running it: it installs packages system-wide and writes into the home directory of the user you pass with -u.

get-tools.sh

This script detects some distributions, namely Arch Linux, Debian, Ubuntu and Kali.
The idea is to prepare a fresh VPS or VM with tools for the reconnaissance and attack phases.
It also fetches some wordlists and tools used during the reconnaissance phase.

Profiles:

  • linux: get some tools and scripts to help on linux privesc and exploitation;
  • mobile: get some tools and scripts to help on Android or iOS App pentest;
  • osint: get some tools and scripts to help on gathering information;
  • web: tries to ensure that the binaries collector needs are installed; note that these are the only binary checks performed, and they cover only what collector uses;
  • windows: get some tools and script to help on windows privesc and exploitation;
  • all: will install all tools from all profiles;

How does get-tools.sh work?

# ./get-tools.sh -u your_user -p profile
or
$ sudo -H ./get-tools.sh -u your_user -p profile

After execution you will have the following directory structure in the home of the user given with -u:

~/pentest
  ├── exploits
  ├── infra-tools
  ├── leaks
  ├── linux-tools
  ├── mobile-tools
  ├── osint-tools
  ├── payloads
  ├── pentest-scripts
  ├── web-tools
  ├── wifi-tools
  ├── windows-tools
  └── wordlists

Attention: I use the linux, osint, windows and web functions of get-tools.sh to fetch a collection of scripts and tools that help me with my tasks and, more importantly, to keep a backup of those tools and scripts. Feel free to use them or just move on.
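The two things a bootstrap script run as root has to get right, as described above, are picking the package manager for the detected distribution and laying out ~/pentest for the target user rather than for root. The example below is added for this page and is not get-tools.sh itself; the function names, the os-release handling, the printed install commands and the directory list are assumptions based on the README, not the project's own code.

```bash
#!/usr/bin/env bash
# Added example, not get-tools.sh: distro-aware package-manager selection
# plus a ~/pentest skeleton owned by the user passed with -u.
# Function names and the os-release mapping are assumptions.

# Map ID / ID_LIKE from an os-release file to a package-manager family.
# The path is a parameter so it can be exercised on a constructed sample
# instead of the host's /etc/os-release.
detect_pkg_family() {
    local osrelease="${1:-/etc/os-release}" id id_like
    id=$(sed -n 's/^ID=//p' "$osrelease" | tr -d '"')
    id_like=$(sed -n 's/^ID_LIKE=//p' "$osrelease" | tr -d '"')
    # Kali and Ubuntu carry ID_LIKE=debian, so one apt branch covers them.
    case " $id $id_like " in
        *" arch "*)                           echo pacman ;;
        *" debian "*|*" ubuntu "*|*" kali "*) echo apt ;;
        *)                                    echo unknown ;;
    esac
}

# Update-and-install command prefix for a family. Only the distributions
# the README names (Arch, Debian, Ubuntu, Kali) are covered.
pkg_install_cmd() {
    case "$1" in
        apt)    echo "apt-get update && apt-get install -y" ;;
        pacman) echo "pacman -Syu --noconfirm" ;;
        *)      return 1 ;;
    esac
}

# Home of the target user, taken from the passwd database. Under "sudo -H"
# $HOME is /root, so $HOME must not be used for this.
user_home() {
    getent passwd "$1" | cut -d: -f6
}

# Directory skeleton listed in the README.
PENTEST_DIRS="exploits infra-tools leaks linux-tools mobile-tools osint-tools
payloads pentest-scripts web-tools wifi-tools windows-tools wordlists"

# Create <base>/pentest/<dir> for each entry. When running as root on behalf
# of a user, hand the tree to that user so collector can later run
# unprivileged and still write its results there.
make_skeleton() {
    local base="$1" owner="${2:-}" d
    for d in $PENTEST_DIRS; do
        mkdir -p "$base/pentest/$d"
    done
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:" "$base/pentest"
    fi
}

# Equivalent of "./get-tools.sh -u your_user -p profile": prints the package
# step for review instead of executing it, then builds the directory tree.
bootstrap() {
    local user="$1" profile="$2" home family
    home=$(user_home "$user")
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    family=$(detect_pkg_family /etc/os-release)
    echo "profile $profile on $family: $(pkg_install_cmd "$family" || echo 'unsupported distro') <packages>"
    make_skeleton "$home" "$user"
}

if [ "${1:-}" = "--bootstrap" ]; then
    bootstrap "$2" "${3:-web}"
fi
```

Run it as root with `--bootstrap your_user web` to see the package step it would take and to get the tree created under the target user's home; the chown at the end is what lets collector be run later without sudo.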

collector

About

collector is a script written in Bash intended to automate some of the tedious tasks of reconnaissance and information gathering.
It gathers information that should help you decide what to do next and where to look.

For now collector uses amass, Sublist3r, certspotter, crt.sh, dnssearch, gobuster, dirsearch, wayback and aquatone.
In the future I intend to use subfinder, massdns, dnsrecon and other tools to collect more subdomains and other information.

How does collector work?

Using collector for default reconnaissance on a main domain

Default:

./collector -d domain.com

Reconnaissance through Tor using Privoxy:

./collector -d domain.com -p

Reconnaissance with excluded domains:

./collector -d domain.com -e excluded.domain.com,other.domain.com

Reconnaissance specifying a different DNS resolver (8.8.8.8 is used by default):

./collector -d domain.com -r 1.1.1.1

Reconnaissance with brute force using Sublist3r:

./collector -d domain.com -b

Attention: If the -b option is omitted, Sublist3r runs without brute force.

Reconnaissance with brute force using gobuster and dnssearch:

./collector -d domain.com -s /path/to/wordlist1,/path/to/wordlist2

Reconnaissance with directories and files brute force with gobuster and dirsearch:

./collector -d domain.com -w /path/to/wordlist1,/path/to/wordlist2

Attention: If no wordlist is provided, the dicc.txt wordlist shipped with dirsearch is used by default and only dirsearch is executed.

You can put more than one option, example:

./collector -d domain.com -b -e excluded.domain.com,other.domain.com -s /path/to/wordlist1,/path/to/wordlist2
or
./collector -d domain.com -w /path/to/wordlist1,/path/to/wordlist2 -b

Using collector for default reconnaissance on a single URL

Default:

./collector -u https://domain.com

Reconnaissance through Tor using Privoxy:

./collector -u https://domain.com -p

Reconnaissance with directories and files brute force with gobuster and dirsearch:

./collector -u https://domain.com -w /path/to/wordlist1,/path/to/wordlist2

Use as you need.

Main features

  • Create a dated folder with recon notes
  • Grab subdomains using:
    • Amass, certspotter, crt.sh, subfinder and Sublist3r
    • DNS brute forcing using amass, gobuster and dnssearch
  • The diff_domains function to shorten execution time: it keeps only what changed in the target infrastructure since the previous run
  • Perform nmap against live hosts
  • Probe for live hosts on some ports such as 80, 443 and 8080
  • The web_data function of collector works when you provide a list of URLs from a file.
    • Perform dirsearch and gobuster for all subdomains
    • Scrape wayback
    • Use docker to set up Privoxy instances that provide a proxy to dirsearch and gobuster
  • Rebuild a Git repository (the rebuild_git function, using git-dumper.py)
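The -e exclusion handling shown in the usage section and the diff_domains behaviour listed under "Main features" come down to bookkeeping over plain-text subdomain lists. The block below is an added example written for this page, not collector's own code: the dated-folder layout, the function names and the sample lists are assumptions and constructed data, and the tool invocations that would produce the raw lists are left out.

```bash
#!/usr/bin/env bash
# Added example, not the collector script: merging tool output, applying
# -e style exclusions, and diffing against the previous day's run.
# File layout, function names and sample data are assumptions.

# Byte-order collation so sort and comm agree regardless of the host locale.
export LC_ALL=C

# Dated output folder per target: <base>/<domain>/<YYYY-MM-DD>. The date is
# a parameter so a run can be replayed or tested deterministically.
recon_dir() {
    local base="$1" domain="$2" day="${3:-$(date +%F)}"
    local dir="$base/$domain/$day"
    mkdir -p "$dir" && printf '%s\n' "$dir"
}

# Normalise and merge the raw output of several enumeration tools on stdin:
# lowercase, strip a trailing dot, drop blank lines, keep only names that are
# the apex or end in ".<apex>", and deduplicate. Output is sorted, which the
# later comm step relies on.
merge_subdomains() {
    local apex="$1"
    tr 'A-Z' 'a-z' | sed 's/\.$//' | awk -v apex="$apex" '
        NF == 0 { next }
        $0 == apex || substr($0, length($0) - length(apex)) == "." apex { print }
    ' | sort -u
}

# -e handling: drop each excluded name and everything below it.
# Reads the merged list on stdin; excludes are comma-separated.
filter_excluded() {
    awk -v excl="$1" '
        BEGIN { n = split(excl, ex, ",") }
        {
            keep = 1
            for (i = 1; i <= n; i++) {
                e = ex[i]
                if (e == "") continue
                if ($0 == e || substr($0, length($0) - length(e)) == "." e) { keep = 0; break }
            }
            if (keep) print
        }
    '
}

# diff_domains: given the previous and current lists (both sort -u output),
# print only the names that are new, so the expensive per-host steps (nmap,
# dirsearch, gobuster) run against the delta rather than the whole estate.
diff_domains() {
    local previous="$1" current="$2"
    # First run for this target: everything is new.
    [ -f "$previous" ] || { cat "$current"; return; }
    comm -13 "$previous" "$current"
}

# Worked run on constructed data (not real scan output). Returns the names
# that are new today after exclusions.
example_run() {
    local base prev today
    base=$(mktemp -d)
    prev=$(recon_dir "$base" domain.com 2024-01-01)
    today=$(recon_dir "$base" domain.com 2024-01-02)
    # Yesterday's merged list, as a previous run would have left it.
    printf '%s\n' api.domain.com domain.com www.domain.com \
        | merge_subdomains domain.com > "$prev/subdomains.txt"
    # Today's raw output as several tools might emit it: mixed case,
    # trailing dots, duplicates, blanks and out-of-scope names.
    printf '%s\n' WWW.domain.com www.domain.com. api.domain.com dev.domain.com \
        staging.domain.com old.staging.domain.com legacy.domain.com \
        evil.com notdomain.com domain.com '' \
        | merge_subdomains domain.com \
        | filter_excluded legacy.domain.com,staging.domain.com > "$today/subdomains.txt"
    diff_domains "$prev/subdomains.txt" "$today/subdomains.txt"
    rm -rf "$base"
}

if [ "${1:-}" = "--example" ]; then
    example_run
fi
```

The suffix check in merge_subdomains and filter_excluded matters: matching on a bare substring would let notdomain.com through and would not catch old.staging.domain.com under an exclusion of staging.domain.com. Run with `--example` to see the single new name the constructed data yields.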

Screenshots

demo_01.png, demo_02.png, demo_03.png

Thanks

Alfredo Casanova, for some Bash code corrections.
Caue Bici, for code review and for answering some questions about Python programming.
Enderson Maia, for help with the Dockerfile and the shellcheck tip.
Henrique Galdino, for help with some curl options.
Icaro Torres, for the idea of diffing against the previous day's files to shorten the script's execution time.
Manoel Abreu, for the idea of using git-dumper.py in the rebuild_git function.
Ulisses Alves, for code review and for answering some questions about Python programming.

Resources

https://0xsp.com/offensive/red-teaming-toolkit-collection
https://medium.com/@ricardoiramar/subdomain-enumeration-tools-evaluation-57d4ec02d69e
https://github.com/riramar/Web-Attack-Cheat-Sheet
https://inteltechniques.com/blog/2018/03/06/updated-osint-flowcharts/
https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md
https://github.com/renergr1nch/splitter
https://bitbucket.org/splazit/docker-privoxy-alpine/src/master/
https://github.com/essandess/adblock2privoxy
https://0xpatrik.com/subdomain-enumeration-2019/
https://blog.securitybreached.org/2017/11/25/guide-to-basic-recon-for-bugbounty/
https://medium.com/@shifacyclewala/the-complete-subdomain-enumeration-guide-b097796e0f3
https://www.secjuice.com/penetration-testing-for-beginners-part-1-an-overview/
https://www.secjuice.com/reconnaissance-for-beginners/
https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
https://medium.com/hackernoon/10-rules-of-bug-bounty-65082473ab8c
https://findomain.app/findomain-advanced-automated-and-modern-recon/
https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
https://medium.com/hackcura/learning-path-for-bug-bounty-6173557662a7
https://eslam3kl.medium.com/simple-recon-methodology-920f5c5936d4
https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters

Warning: This code was originally created for personal use; it generates a substantial amount of traffic, so please use it with caution.

About

Compilation of scripts/tools (made by me or not) that help me with Pentest and Bug Bounty.
