Kali Linux

Reconky : A Great Content Discovery Bash Script For Bug Bounty Hunters Which Automate Lot Of Task And Organized It

Reconky is a script written in bash to automate the task of recon and information gathering. This Bash Script allows you to collect some information that will help you identify what to do next and where to look for the required target.

Main-Features

  • It will Gathers Subdomains with assetfinder and Sublist3r
  • Duplex check for subdomains using amass
  • Enumerates subdomains on a target domain through dictionary attack using knockpy
  • searchs for alive domains using Httprobe
  • Investigates for feasible subdomain takeover
  • Scans for open ports using nmap
  • Pulls and Assembls all possible parameters found in wayback_url data
  • Pulls and compilis json/js/php/aspx/ files from wayback output
  • Runs eyewitness against all the compiled(alive) domains

Installation & Requirements

  • Download the install script from https://github.com/ShivamRai2003/Reconky-Automated_Bash_Script/blob/main/reconky.sh
#!/usr/bin/bash
#Author:Shivam Rai/
#Date:18/06/2021
#Description:Automated Recon tool
echo “
——— _______ _______ _______ _______ _ _
( ____ )( ____ \( ____ \( ___ )( ( /|| \ /\|\ /|
| ( )|| ( \/| ( \/| ( ) || \ ( || \ / /( \ / )
| (____)|| (__ | | | | | || \ | || (_/ / \ (_) /
| __)| __) | | | | | || (\ \) || _ ( \ /
| (\ ( | ( | | | | | || | \ || ( \ \ ) (
| ) \ \__| (____/\| (____/\| (___) || ) \ || / \ \ | |
|/ \__/(_______/(_______/(_______)|/ )_)|_/ \/ \_/
if [[ $(id -u) != 0 ]]; then
echo -e “\n[!] Install.sh requires root privileges”
exit 0
fi
target=$1
if [ ! -d “$target” ];then
mkdir $target
fi
if [ ! -d “$target/reconky” ];then
mkdir $target/reconky
fi
if [ ! -d ‘$target/reconky/sublist3r’ ];then
mkdir $target/reconky/sublist3r
touch $target/reconky/sublist3r/subdomains.txt
fi
if [ ! -d ‘$tagget/reconky/httprobe’ ]; then
mkdir $target/reconky/httprobe
fi
if [ ! -d ‘$target/reconky/assetfinder’ ];then
mkdir $target/reconky/assetfinder
touch $target/reconky/assetfinder/subdomains1.txt
fi
if [ ! -d ‘$target/reconky/Subdomain_Takeover’ ]; then
mkdir $target/reconky/Subdomain_Takeover
fi
if [ ! -d ‘$target/reconky/scans’ ]; then
mkdir $target/reconky/scans
fi
if [ ! -d ‘$target/reconky/wayback_urls’ ]; then
mkdir $target/reconky/wayback_urls
mkdir $target/reconky/wayback_urls/params
touch $target/reconky/wayback_urls/params/params.txt
mkdir $target/reconky/wayback_urls/extensions
fi
if [ ! -d ‘$target/reconky/amass’ ]; then
mkdir $target/reconky/amass
touch $target/reconky/amass/subdomains2.txt
fi
if [ ! -d ‘$target/reconky/witness’ ]; then
mkdir $target/reconky/eyewitness
fi
if [ ! -d ‘$target/reconky/knockpy’ ]; then
mkdir $target/reconky/knockpy
touch $target/reconky/knockpy/subdomains3.txt
fi
if [ ! -f “$target/reconky/httprobe/alivee.txt” ];then
touch $target/reconky/httprobe/alivee.txt
fi
red=`tput setaf 1`
green=`tput setaf 2`
yellow=`tput setaf 3`
echo
echo ${yellow}”Welcome to the Reconky Script-An Excellent Automation Script For Bug Bounty/Pentesting”${yellow}
echo
echo ${red}”[+++] Gatherings subdomains with assetfinder and Sublist3r…[+++]”${red}
echo
echo ${red}”[+++] Duplex checking for subdomains with amass…[+++]”${red}
echo
echo ${red}”[+++] Enumerating subdomains on a target domain through dictionary attack…[+++]”${red}
echo
echo ${red}”[+++] Searching for alive domains using Httprobe…[+++]”${red}
echo
echo ${red}”[+++] Investigating for feasible subdomain takeover…[+++]”${red}
echo
echo ${green}”[+++] Scanning for open ports using nmap…[+++]”${green}
echo
echo ${green}”[+++] Pulling and Assembling all possible params found in wayback_url data…[+++]”${green}
echo
echo ${green}”[+++] Pulling and compiling json/js/php/aspx/ files from wayback output…[+++]”${green}
echo
echo ${green}”[+++] Running gowtiness(eyewitness) against all the compiled(alive) domains…[+++]”${green}
echo
echo ${yellow}”[+++]Recon is in Progress Take A Cofee or Tea ;)[+++]”${yellow}
echo
assetfinder $target >> $target/reconky/assetfinder/subdomains1.txt
cat $target/reconky/assetfinder/subdomains1.txt | grep $1 >> $target/reconky/Subdomain_final.txt
echo
sublist3r -d $target -v -t 100 -o $target/reconky/sublist3r/subdomains.txt
cat $target/reconky/sublist3r/subdomains.txt | grep $1 >> $target/reconky/Subdomain_final.txt
echo
amass enum -d $target -o $target/reconky/amass/subdomains2.txt
cat $target/reconky/amass/subdomains2.txt | grep $1 >> $target/reconky/Subdomain_final.txt
echo
knockpy $target >> $target/reconky/knockpy/subdomains3.txt
awk ‘/$target/ {print}’ $target/reconky/knockpy/subdomains3.txt | cut -d ” ” -f 9 >> $target/reconky/Subdomain_final.txt
echo
cat $target/reconky/Subdomain_final.txt | sort -u | httprobe | sed -E ‘s/^\s*.*:\/\///g’ >> $target/reconky/httprobe/alivee.txt
echo
if [ ! -f “$target/reconky/Subdomain_Takeover/Subdomain_Takeover.txt” ];then
touch $target/reconky/Subdomain_Takeover/Subdomain_Takeover.txt
fi
subjack -w $target/reconky/Subdomain_final.txt -t 70 -timeout 25 -ssl -c /root/go/src/github.com/haccer/subjack/fingerprints.json -v 3 -o $target/reconky/Subdomain_Takeover/Subdomain_Takeover.txt
echo
nmap -iL $target/reconky/httprobe/alivee.txt -T4 -oA $target/reconky/scans/scanned.txt
echo
if [ ! -f “$target/reconky/wayback_urls/wayback_output.txt” ];then
touch $target/reconky/wayback_urls/wayback_output.txt
fi
cat $target/reconky/Subdomain_final.txt | waybackurls >> $target/reconky/wayback_urls/wayback_output.txt
sort -u $target/reconky/wayback_urls/wayback_output.txt
cat $target/reconky/wayback_urls/wayback_output.txt | grep ‘?*=’ | cut -d ‘=’ -f 1 | sort -u >> $target/reconky/wayback_urls/params/params.txt
for i in $(cat $target/reconky/wayback_urls/params/params.txt);do echo $i’=’;done
echo
for i in $(cat $target/reconky/wayback_urls/wayback_output.txt);do
ext=”${i##*.}”
if [[ “ext”==”php” ]];then
echo $i >> $target/reconky/wayback_urls/extensions/php1.txt
sort -u $target/reconky/wayback_urls/extensions/php1.txt >> $target/reconky/wayback_urls/extensions/php.txt
rm $target/reconky/wayback_urls/extensions/php1.txt
fi
if [[ “ext”==”js” ]];then
echo $i >> $target/reconky/wayback_urls/extensions/js1.txt
sort -u $target/reconky/wayback_urls/extensions/js1.txt >> $target/reconky/wayback_urls/extensions/js.txt
rm $target/reconky/wayback_urls/extensions/js1.txt
fi
if [[ “ext”==”html” ]];then
echo $i >> $target/reconky/wayback_urls/extensions/html1.txt
sort -u $target/reconky/wayback_urls/extensions/html1.txt >> $target/reconky/wayback_urls/extensions/html.txt
rm $target/reconky/wayback_urls/extensions/html1.txt
fi
if [[ “ext”==”json” ]];then
echo $i >> $target/reconky/wayback_urls/extensions/json1.txt
sort -u $target/reconky/wayback_urls/extensions/json1.txt >> $target/reconky/wayback_urls/extensions/json.txt
rm $target/reconky/wayback_urls/extensions/json1.txt
fi
if [[ “ext”==”aspx” ]];then
echo $i >> $target/reconky/wayback_urls/extensions/aspx1.txt
sort -u $target/reconky/wayback_urls/extensions/aspx1.txt >> $target/reconky/wayback_urls/extensions/aspx.txt
rm $target/reconky/wayback_urls/extensions/aspx1.txt
fi
done
eyewitness -f $target/reconky/httprobe/alivee.txt –web -d $target/
reconky/eyewitness –resolve

DEMO

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago