Lazyrecon : Tool To Automate Your Reconnaissance Process In An Organized Fashion

Lazyrecon is a subdomain discovery tool that finds and resolves valid subdomains then performs SSRF/LFI/SQLi fuzzing, brute-force and port scanning. It has a simple modular architecture and is optimized for speed while working with github and wayback machine.

Features

  • Super fast asynchronous execution
  • CI/CD ready
  • HTML/pdf reports
  • Discord integration
  • Background listen server
  • Domain name, list of domains, IP, CIDR input – notations support
  • Teardown and program exit housekeeping

Workflow

About

This script is intended to automate your reconnaissance process in an organized fashion by performing the following:

  • Creates a dated folder with recon notes for a target
  • Grabs subdomains using subfinder, assetfinder, gau, waybackurls, github-subdomains
  • Additionally finds new subdomains through alterations and permutations using dnsgen
  • Searches subnets and new assets using math Mode
  • Filters out live subdomains from a list of hosts using shuffledns
  • Checks 1-200,8000-10000 for http(s) probes using httpx
  • Gets visual part using headless chromium
  • Performs masscan on live servers
  • Scanns for known paths and CVEs using nuclei
  • Shots for SSRF/LFI/SQLi based on wayback machine’s data
  • Checks for potential request smuggling vulnerabilities using smuggler
  • Performs ffuf supercharged by interlace using custom WordList based on the top10000.txt
  • Generates report and send it to Discord

The point is to get a list of live IPs (in form of socket addresses), attack available network protocols, check for common CVEs, perform very simple directory bruteforce then use provided reports for manual research.

Installing

Linux Mac tested

Pre Requirements

python >= 3.7
pip3 >= 19.0
go >= 1.14

CI/CD way

You can use stateful/stateless build agent (worker). There is no additional time is required for provisioning. It may look tricky cause masscan/nmap/naabu root user required.

  • Fill in these required environment variables inside: ./lazyconfig:

export HOMEUSER= # your normal, non root user: e.g.: kali
export HOMEDIR= # user’s home dir e.g.: /home/kali
export STORAGEDIR= # where output saved, e.g.: ${HOMEDIR}/lazytargets
export GITHUBTOKEN=XXXXXXXXXXXXXXXXXX # a personal access token here
export DISCORDWEBHOOKURL= # https://discord.com/api/webhooks/{webhook.id}/{webhook.token}
export GOPATH=$HOMEDIR/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$HOME/go/bin:$HOMEDIR/go/bin
export GO111MODULE=on

  • Enable new environment source ./lazyconfig
  • Call sudo -E ./install.sh
  • Execute sudo -E ./lazyrecon.sh "hackerone.com"

Github Actions way

Customize .github/workflows/test-recon-action.yaml using DISCORDWEBHOOKURL and GITHUBTOKEN secrets, enable --discord to receive a report

– name: Install & Recon
env:
GO111MODULE: on
DISCORDWEBHOOKURL: ${{ secrets.DISCORDWEBHOOKURL }}
GITHUBTOKEN: ${{ secrets.GITHUBTOKEN }}
run: |
export HOMEDIR=$HOME
export HOMEUSER=$RUNNER_USER
export STORAGEDIR=”${HOMEDIR}”/lazytargets
sudo -E ./install.sh
sudo -E ./lazyrecon.sh “hackerone.com” –quiet –discord

Hard way

Config your environment variables and dependencies using INSTALL.MD

If you faced with some issues, feel free to join Discord, open PR or file the bug.

Usage

Execute with sudo because of masscan:

▶ sudo -E ./lazyrecon.sh tesla.com –wildcard

ParameterDescriptionExample
–wildcardSubdomains reconnaissance ‘*.tesla.com’ (default)./lazyrecon.sh tesla.com –wildcard
–singleOne target instance ‘tesla.com’./lazyrecon.sh tesla.com –single
–ipSingle IP of the target machine./lazyrecon.sh 192.168.0.1 –single –ip
–listList of subdomains to process for./lazyrecon.sh “./testa.txt” –list
–cidrPerform network recon, CIDR notation./lazyrecon.sh “192.168.0.0/16” –cidr
–madWayback machine’s stuff./lazyrecon.sh tesla.com –mad
–fuzzSSRF/LFI/SQLi fuzzing./lazyrecon.sh tesla.com –mad –fuzz
–altAdditionally permutate subdomains (*.tesla.com only)./lazyrecon.sh tesla.com –wildcard –alt
–bruteBasic directory bruteforce (time sensitive)./lazyrecon.sh tesla.com –single –brute
–discordSend notifications to discord./lazyrecon.sh tesla.com –discord
–quietEnable quiet mode./lazyrecon.sh tesla.com –quiet

Methodology

  • Use dnsperftest to know your best resolvers
  • Run ./lazyrecon.sh
  • Check output reports of chromium, nuclei, masscan, server_log, ssrf, lfi
  • Explore file upload vulnerabilities
  • Perform Google, Trello, Atlassian, Github, Bitbucket dorking
  • Check JS sources for credentials, API endpoints
  • Investigate XHR requests, fuzz parameters and variables
  • Check exploit-db.com for target-specific CVE
  • GET/POST Bruteforce for directories: fuzbo0oM-top10000 –> raft –> target specific
  • Continue bruteforcing using custom Headers (X-Custom-IP-Authorization: 127.0.0.1; X-Original-URL:)
  • Try bypass 401/403 errors using notable methods (%23, /%2e/, admin.php%2500.md etc)
  • Look for XSS xsscrapy.py or XSSTRON
Download
R K

Share
Published by
R K
Tags: LazyreconOrganized FashionReconnaissance Process
4 years ago

Recent Posts

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

15 hours ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

16 hours ago

What Does chmod 777 Mean in Linux

If you are a Linux user, you have probably seen commands like chmod 777 while…

16 hours ago

How to Undo and Redo in Vim or Vi

Vim and Vi are among the most powerful text editors in the Linux world. They…

16 hours ago

How to Unzip and Extract Files in Linux

Working with compressed files is a common task for any Linux user. Whether you are…

16 hours ago

Free Email Lookup Tools and Reverse Email Search Resources

In the digital era, an email address can reveal much more than just a contact…

16 hours ago