Cleanup

stevemcilwain · Feb 12, 2020 · c218f05 · c218f05
1 parent 6935e5e
commit c218f05
Show file tree

Hide file tree

Showing 9 changed files with 49 additions and 22 deletions.
diff --git a/modules/qq-enum-web.zsh b/modules/qq-enum-web.zsh
@@ -5,15 +5,15 @@
 #############################################################
 
 qq-enum-web-sweep-nmap() {
-  local subnet && read "subnet?Subnet (range): "
-  print -z "nmap -n -Pn -sS -p80,443,8080 -oA web_sweep ${subnet} && \
-  grep open web_sweep.gnmap |cut -d' ' -f2 > web_hosts.txt"
+  local s && read "s?Subnet (range): "
+  print -z "nmap -n -Pn -sS -p80,443,8080 -oA web_sweep ${s} && \
+  grep open web_sweep.gnmap |cut -d' ' -f2 > sweep.${s}.txt"
 }
 
 qq-enum-web-tcpdump() {
   local i && read "i?Interface: "
   local r && read "r?Remote Host: "
-  print -z "tcpdump -i ${i} host ${r} and tcp port 80 -w web.${r}.pcap"
+  print -z "tcpdump -i ${i} host ${r} and tcp port 80 -w capture.${r}.pcap"
 }
 
 qq-enum-web-whatweb() {
@@ -29,50 +29,59 @@ qq-enum-web-scope-burp() {
 
 qq-enum-web-vhosts-gobuster() {
   local u && read "u?Url: "
+  local d=$(cat ${u} | cut -d/ -f3)
   print -z "gobuster vhost -u ${u} -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt \
-  -a \"${__UA}\" -t20 -o web.vhosts.gobuster.txt"
+  -a \"${__UA}\" -t20 -o vhosts.$d.txt"
 }
 
 # dirs and files
 
 qq-enum-web-dirs-robots() {
   local u && read "u?Url: "
-  print -z "curl -v --user-agent \"${__UA}\" ${u}/robots.txt > web.robots.txt"
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "curl -s --user-agent \"${__UA}\" ${u}/robots.txt > robots.${d}.txt"
 }
 
 qq-enum-web-dirs-robots-parsero() {
   local u && read "u?Url: "
-  print -z "parsero -u ${u} -o -sb > web.parsero.txt"
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "parsero -u ${u} -o -sb > robots-parsed.${d}.txt"
 }
 
 qq-enum-web-dirs-wfuzz() {
   local u && read "u?Url: "
-  print -z "wfuzz -c -v -L -s 0.1 -w ${__WORDS_RAFT_DIRS} -R2 --hc=404 --hh=100 ${u}/FUZZ "
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "wfuzz -v -s 0.1 -R5 --hc=404 --hh=101 -w ${__WORDS_QUICK} ${u}/FUZZ > dirs.${d}.txt "
 }
 
 qq-enum-web-files-wfuzz() {
   local u && read "u?Url: "
-  print -z "wfuzz -c -v -L -s 0.1 -w ${__WORDS_RAFT_FILES} -R2 --hc=404 --hh=100 ${u}/FUZZ "
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "wfuzz -v -s 0.1 --hc=404 --hh=101 -w ${__WORDS_NULL} ${u}/FUZZ > files.${d}.txt "
 }
 
 qq-enum-web-dirs-ffuf() {
   local u && read "u?Url: "
-  print -z "ffuf -r -w ${__WORDS_RAFT_DIRS} -u ${u}/FUZZ -fs 100 -fc 404"
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "ffuf  -fc 404 -fs 101 -w ${__WORDS_QUICK} -u ${u}/FUZZ > dirs.${d}.txt"
 }
 
 qq-enum-web-files-ffuf() {
   local u && read "u?Url: "
-  print -z "ffuf -r -w ${__WORDS_RAFT_FILES} -u ${u}/FUZZ -fs 100 -fc 404"
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "ffuf -fc 404 -fs 101 -w ${__WORDS_NULL} -u ${u}/FUZZ > files.${d}.txt"
 }
 
 qq-enum-web-dirs-gobuster() {
   local u && read "u?Url: "
-  print -z "gobuster dir -u ${u} -w ${__WORDS_RAFT_DIRS} -a \"${__UA}\" -t20 -r -k -o gobuster-dirs.txt"
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "gobuster dir -u ${u} -a \"${__UA}\" -t10 -k -w ${__WORDS_QUICK} -o dirs.${d}.txt"
 }
 
 qq-enum-web-files-gobuster() {
   local u && read "u?Url: "
-  print -z "gobuster dir -u ${u} -w ${__WORDS_RAFT_FILES} -a \"${__UA}\" -t20 -r -k -o gobuster-files.txt"
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "gobuster dir -u ${u} -a \"${__UA}\" -t10 -k  -w ${__WORDS_NULL} -o files.${d}.txt"
 }
 
 qq-enum-web-js-endpoint-finder() {
@@ -101,7 +110,8 @@ qq-enum-web-screens-eyewitness() {
 
 qq-enum-web-vuln-nikto() {
   local u && read "u?Url: "
-  print -z "nikto -C all -useragent \"${__UA}\" -h ${u} -output web.nikto.log"
+  local d=$(cat ${u} | cut -d/ -f3)
+  print -z "nikto -C all -useragent \"${__UA}\" -h ${u} -output nikto.${d}.log"
 }
 
 qq-enum-web-vuln-nmap-rfi() {

diff --git a/modules/qq-recon.zsh b/modules/qq-recon.zsh
@@ -50,11 +50,21 @@ qq-recon-domains-by-crt.sh() {
   print -z "${__SCRIPTS}/crt.sh ${s}"
 }
 
+qq-recon-subs-by-domain-crt.sh() {
+  local d && read "d?Domain: "
+  print -z "curl 'https://crt.sh/?q=%.${d}' | grep -i "${d}" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v " " | sort -u"
+}
+
 qq-recon-subs-by-domain-subfinder() {
   local d && read "d?Domain: "
   print -z "subfinder -d ${d} -nW -silent >> domains.txt"
 }
 
+qq-recon-subs-by-domain-sublist3r() {
+  local d && read "d?Domain: "
+  print -z "python3 sublist3r.py -d ${d} -b -p 80,443,8080,4443 -t 10 -e Baido,Yahoo,Google,Bing,Ask,Netcraft,VirusTotal,SSL,ThreatCrowd,PassiveDNS"
+}
+
 qq-recon-subs-by-domain-dnsrecon() {
   local d && read "domain?Domain: "
   print -z "dnsrecon -d ${d}"
@@ -86,4 +96,5 @@ qq-recon-domains-by-brute-ffuf() {
 qq-recon-github-by-user-curl() {
   local u && read "u:User: "
   print -z "curl -s \"https://api.github.com/users/${u}/repos?per_page=1000\" | jq '.[].git_url'"
-}
+}
+
diff --git a/notes/enum-web-api.md b/notes/enum-web-api.md
@@ -1,12 +1,8 @@
 
-
-
 ## IDOR
 ```
 Even if ID is a GUID or random, send numeric: /?user_id=111
 
-
-
 ```
 
 
@@ -18,7 +14,5 @@ Send ID twice URL?id=<LEGIT>&id=<VICTIM>
 Send wildcard {"user_id":"*"}
 ```
 
-Use Mass Assignment to bypass security mechanisms.
-For Example:"POST /api/rest_pass" requires old password."PUT /api/update_user" 
 
 
diff --git a/notes/recon-dorks-github.txt → payloads/recon-dorks-github.txt b/notes/recon-dorks-github.txt → payloads/recon-dorks-github.txt
diff --git a/notes/recon-dorks-google.txt → payloads/recon-dorks-google.txt b/notes/recon-dorks-google.txt → payloads/recon-dorks-google.txt
diff --git a/notes/web-file-upload-bypass-bytes.txt → payloads/web-file-upload-bypass-bytes.txt b/notes/web-file-upload-bypass-bytes.txt → payloads/web-file-upload-bypass-bytes.txt
diff --git a/quiver.plugin.zsh b/quiver.plugin.zsh
@@ -44,9 +44,10 @@ export __NOTES="${0:A:h}/notes"
 export __SCRIPTS="${0:A:h}/scripts"
 
 export __WORDS_ALL="/opt/words/all/all.txt"
+export __WORDS_NULL="/opt/words/nullenc/null.txt"
 export __WORDS_COMMON="/usr/share/seclists/Discovery/Web-Content/common.txt"
 export __WORDS_RAFT_DIRS="/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt"
-export __WORDS_APIOBJ="/opt/words/api_wordlist/objects.txt"
+export __WORDS_QUICK="/usr/share/seclists/Discovery/Web-Contant/quickhits.txt"
 export __WORDS_MEDIUM="/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
 export __WORDS_RAFT_FILES="/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt"
 export __WORDS_SWAGGER="/usr/share/seclists/Discovery/Web-Content/swagger.txt"
@@ -56,6 +57,7 @@ export __PASS_ROCKYOU="/usr/share/wordlists/rockyou.txt"
 export __UA_GOOGLEBOT="Googlebot/2.1 (+http://www.google.com/bot.html)"
 export __UA_CHROME="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
 export __UA_IOS="Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
+export __UA=__UA_CHROME
 
 export __FDNS=""
 export __RDNS=""

diff --git a/scripts/install-kali.sh b/scripts/install-kali.sh
@@ -103,6 +103,10 @@ echo -e "${green}[+] Adding recon tools...${reset}"
 sudo git clone https://github.com/smicallef/spiderfoot.git /opt/recon/spiderfoot
 sudo git clone https://github.com/M4cs/BlackEye-Python.git /opt/recon/BlackEye-Python
 
+sudo git clone https://github.com/guelfoweb/knock.git /opt/recon/knock
+sudo python /opt/recon/knock/setup.py install
+
+
 echo -e "${green}[+] Adding enum tools...${reset}"
 
 sudo git clone https://github.com/ticarpi/jwt_tool.git /opt/enum/jwt_tool

diff --git a/scripts/webrecon.sh b/scripts/webrecon.sh
@@ -58,6 +58,12 @@ for url in $(cat $1);do
     #eyewitness --web --single ${url} -d ./${host}/screens --no-prompt &> /dev/null
 
 
+
+    #aws s3 ls s3://${subdomain}
+
+    #python3 dirsearch/dirsearch.py  -e * -u ${subdomain}
+
+
     echo -e " "
 done