Lazyrecon : Tool To Automate Your Reconnaissance Process In An Organized Fashion

Lazyrecon is a subdomain discovery tool that finds and resolves valid subdomains then performs SSRF/LFI/SQLi fuzzing, brute-force and port scanning. It has a simple modular architecture and is optimized for speed while working with github and wayback machine.

Features

Super fast asynchronous execution
CI/CD ready
HTML/pdf reports
Discord integration
Background listen server
Domain name, list of domains, IP, CIDR input – notations support
Teardown and program exit housekeeping

Workflow

About

This script is intended to automate your reconnaissance process in an organized fashion by performing the following:

Creates a dated folder with recon notes for a target
Grabs subdomains using subfinder, assetfinder, gau, waybackurls, github-subdomains
Additionally finds new subdomains through alterations and permutations using dnsgen
Searches subnets and new assets using math Mode
Filters out live subdomains from a list of hosts using shuffledns
Checks 1-200,8000-10000 for http(s) probes using httpx
Gets visual part using headless chromium
Performs masscan on live servers
Scanns for known paths and CVEs using nuclei
Shots for SSRF/LFI/SQLi based on wayback machine’s data
Checks for potential request smuggling vulnerabilities using smuggler
Performs ffuf supercharged by interlace using custom WordList based on the top10000.txt
Generates report and send it to Discord

The point is to get a list of live IPs (in form of socket addresses), attack available network protocols, check for common CVEs, perform very simple directory bruteforce then use provided reports for manual research.

Installing

Linux & Mac tested

Pre Requirements

python >= 3.7
pip3 >= 19.0
go >= 1.14

CI/CD way

You can use stateful/stateless build agent (worker). There is no additional time is required for provisioning. It may look tricky cause masscan/nmap/naabu root user required.

Fill in these required environment variables inside: ./lazyconfig:

export HOMEUSER= # your normal, non root user: e.g.: kali
export HOMEDIR= # user’s home dir e.g.: /home/kali
export STORAGEDIR= # where output saved, e.g.: ${HOMEDIR}/lazytargets
export GITHUBTOKEN=XXXXXXXXXXXXXXXXXX # a personal access token here
export DISCORDWEBHOOKURL= # https://discord.com/api/webhooks/{webhook.id}/{webhook.token}
export GOPATH=$HOMEDIR/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$HOME/go/bin:$HOMEDIR/go/bin
export GO111MODULE=on

Enable new environment source ./lazyconfig
Call sudo -E ./install.sh
Execute sudo -E ./lazyrecon.sh "hackerone.com"

Github Actions way

Customize .github/workflows/test-recon-action.yaml using DISCORDWEBHOOKURL and GITHUBTOKEN secrets, enable --discord to receive a report

– name: Install & Recon
env:
GO111MODULE: on
DISCORDWEBHOOKURL: ${{ secrets.DISCORDWEBHOOKURL }}
GITHUBTOKEN: ${{ secrets.GITHUBTOKEN }}
run: |
export HOMEDIR=$HOME
export HOMEUSER=$RUNNER_USER
export STORAGEDIR=”${HOMEDIR}”/lazytargets
sudo -E ./install.sh
sudo -E ./lazyrecon.sh “hackerone.com” –quiet –discord

Hard way

Config your environment variables and dependencies using INSTALL.MD

If you faced with some issues, feel free to join Discord, open PR or file the bug.

Usage

Execute with sudo because of masscan:

▶ sudo -E ./lazyrecon.sh tesla.com –wildcard

Parameter	Description	Example
–wildcard	Subdomains reconnaissance ‘*.tesla.com’ (default)	./lazyrecon.sh tesla.com –wildcard
–single	One target instance ‘tesla.com’	./lazyrecon.sh tesla.com –single
–ip	Single IP of the target machine	./lazyrecon.sh 192.168.0.1 –single –ip
–list	List of subdomains to process for	./lazyrecon.sh “./testa.txt” –list
–cidr	Perform network recon, CIDR notation	./lazyrecon.sh “192.168.0.0/16” –cidr
–mad	Wayback machine’s stuff	./lazyrecon.sh tesla.com –mad
–fuzz	SSRF/LFI/SQLi fuzzing	./lazyrecon.sh tesla.com –mad –fuzz
–alt	Additionally permutate subdomains (*.tesla.com only)	./lazyrecon.sh tesla.com –wildcard –alt
–brute	Basic directory bruteforce (time sensitive)	./lazyrecon.sh tesla.com –single –brute
–discord	Send notifications to discord	./lazyrecon.sh tesla.com –discord
–quiet	Enable quiet mode	./lazyrecon.sh tesla.com –quiet

Methodology

Use dnsperftest to know your best resolvers
Run ./lazyrecon.sh
Check output reports of chromium, nuclei, masscan, server_log, ssrf, lfi
Explore file upload vulnerabilities
Perform Google, Trello, Atlassian, Github, Bitbucket dorking
Check JS sources for credentials, API endpoints
Investigate XHR requests, fuzz parameters and variables
Check exploit-db.com for target-specific CVE
GET/POST Bruteforce for directories: fuzbo0oM-top10000 –> raft –> target specific
Continue bruteforcing using custom Headers (X-Custom-IP-Authorization: 127.0.0.1; X-Original-URL:)
Try bypass 401/403 errors using notable methods (%23, /%2e/, admin.php%2500.md etc)
Look for XSS xsscrapy.py or XSSTRON