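#!/bin/bash
# MagicRecon - automated recon pipeline driven by a single root domain.
#
# Usage:  ./magicRecon.sh <domain>
# Env:    GITHUB_TOKEN  (optional) token for github-subdomains.py; the GitHub
#         step is skipped when it is empty.
#########CONFIGURATION#########
# Refuse to run without a target. Every later step feeds $1 into tool command
# lines, so an empty argument would make those tools enumerate nothing or fall
# back to their own defaults rather than fail loudly.
if [[ $# -lt 1 || -z "$1" ]]; then
  printf 'Usage: %s <domain>\n' "${0##*/}" >&2
  exit 2
fi
#PARAMETERS
subjackThreads=100
subjackTime=30
gobusterDNSThreads=50
gobusterDictionaryPath=~/SecLists/Discovery/DNS/namelist.txt
aquatoneTimeout=50000
gobusterDirThreads=50
gobusterDictionaryPathDir=~/SecLists/Discovery/Web-Content/raft-medium-files-directories.txt
# Do not hard-code the GitHub token in the script: it ends up in git history and
# is visible in `ps` output when passed on argv. Read it from the environment.
# The original `githubToken=YOUR GITHUB TOKEN` was also a shell bug: it assigned
# "YOUR" and then tried to execute a command named GITHUB.
githubToken="${GITHUB_TOKEN:-}"
#COLORS
BOLD="\e[1m"
NORMAL="\e[0m"
GREEN="\e[92m"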
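#########SUBDOMAIN ENUMERATIONS#########
# Quoted copy of the target; every tool below receives it as a single argument.
target="$1"
echo -e "${BOLD}${GREEN}[+] Welcome to MagicRecon"
echo -e ""
echo -e "${BOLD}${GREEN}[+] MagicRecon has 5 steps: "
echo -e "${BOLD}${GREEN}[+] STEP 1: Subdomain Enumeration"
echo -e "${BOLD}${GREEN}[+] STEP 2: Subdomain headers and response bodies"
echo -e "${BOLD}${GREEN}[+] STEP 3: JavaScript files and Hidden Endpoints"
echo -e "${BOLD}${GREEN}[+] STEP 4: Find directories and hidden files"
echo -e "${BOLD}${GREEN}[+] STEP 5: Port scan for alive domains"
echo -e ""
echo -e "${BOLD}${GREEN}[+] STEP 1: Starting Subdomain Enumeration"
# Start from an empty list: every source below appends, so a domains.txt left
# over from a previous run would otherwise leak stale hosts into this scan.
: > domains.txt
#Amass
echo -e "${GREEN}[+] Starting Amass"
amass enum -norecursive -noalts -d "$target" -o domains.txt
#Crt.sh
echo -e "${GREEN}[+] Starting Certsh.py"
python ~/CertificateTransparencyLogs/certsh.py -d "$target" | tee -a domains.txt
#Github-Search
# Skipped when no token is configured, instead of passing an empty/placeholder
# token and letting the tool fail or get rate-limited without a clear message.
if [[ -n "${githubToken:-}" ]]; then
  echo -e "${GREEN}[+] Starting Github-subdomains.py"
  python3 ~/github-search/github-subdomains.py -d "$target" -t "$githubToken" | tee -a domains.txt
else
  echo -e "${GREEN}[!] Skipping Github-subdomains.py: githubToken is not set"
fi
#Gobuster
echo -e "${GREEN}[+] Starting Gobuster DNS"
gobuster dns -d "$target" -w "$gobusterDictionaryPath" -t "$gobusterDNSThreads" -o gobusterDomains.txt
sed 's/Found: //g' gobusterDomains.txt >> domains.txt
rm -f gobusterDomains.txt
#Assetfinder
echo -e "${GREEN}[+] Starting Assetfinder"
~/go/bin/assetfinder --subs-only "$target" | tee -a domains.txt
#Removing duplicate entries
# Done before subjack (the original deduplicated afterwards) so each host is
# fingerprinted once instead of once per source that reported it.
sort -u domains.txt -o domains.txt
#Subjack
echo -e "${GREEN}[+] Starting Subjack for search subdomains takeover"
subjack -w domains.txt -t "$subjackThreads" -timeout "$subjackTime" -ssl -c ~/subjack/fingerprints.json -v 3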
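#Discovering alive domains
echo -e ""
echo "[+] Checking for alive domains.."
# httprobe prints one URL (http:// and/or https://) per host that answers.
~/go/bin/httprobe < domains.txt | tee -a alive.txt
# The original ran `sort alive.txt | uniq -u`: the result only went to stdout
# (alive.txt was never rewritten), and `uniq -u` would have dropped every URL
# that appeared more than once rather than deduplicating it. Dedupe in place so
# later steps don't probe the same URL twice.
sort -u alive.txt -o alive.txt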
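#Corsy
echo -e ""
echo -e "${GREEN}[+] Starting Corsy to find CORS missconfigurations"
python3 ~/Corsy/corsy.py -i alive.txt -o CORS.txt
#Aquatone
echo -e ""
echo -e "${BOLD}${GREEN}[+] Starting Aquatone to take screenshots"
# -p: a screenshots/ directory left by a previous run made the bare mkdir fail.
mkdir -p screenshots
aquatone -screenshot-timeout "$aquatoneTimeout" -out screenshots/ < alive.txt
#Parse data to JSON
# list(sys.stdin) keeps the trailing newline on every entry, so the original
# emitted values like "example.com\n". Strip line endings so the JSON holds
# plain hostnames/URLs.
python -c "import sys, json; print(json.dumps({'domains': [l.rstrip() for l in sys.stdin]}))" < alive.txt > alive.json
python -c "import sys, json; print(json.dumps({'domains': [l.rstrip() for l in sys.stdin]}))" < domains.txt > domains.json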
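#########SUBDOMAIN HEADERS#########
echo -e ""
echo -e "${BOLD}${GREEN}[+] STEP 2: Storing subdomain headers and response bodies"
# responsebody/ was only created in STEP 3, after this loop had already tried
# to write into it, so every body fetch failed with "No such file or directory".
# Create both output directories here; -p tolerates reruns.
mkdir -p headers responsebody
CURRENT_PATH=$(pwd)
# Read line by line instead of word-splitting $(cat ...): an unquoted entry such
# as *.example.com would otherwise be glob-expanded against the working dir.
while IFS= read -r url || [[ -n "$url" ]]; do
  [[ -z "$url" ]] && continue
  # third '/'-separated field of scheme://host/... is the host
  NAME=$(awk -F/ '{print $3}' <<< "$url")
  # -I already issues HEAD; combining it with -X GET makes curl warn and can
  # hang waiting for a body. --max-time keeps one dead host from stalling
  # the whole run.
  curl -s -I --max-time 30 -H "X-Forwarded-For: evil.com" "$url" > "$CURRENT_PATH/headers/$NAME"
  curl -s -L --max-redirs 5 --max-time 30 -H "X-Forwarded-For: evil.com" "$url" > "$CURRENT_PATH/responsebody/$NAME"
done < alive.txt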
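#########JAVASCRIPT FILES#########
echo -e ""
echo -e "${BOLD}${GREEN}[+] STEP 3: Collecting JavaScript files and Hidden Endpoints"
# -p: bare mkdir aborted with an error when the directories already existed.
mkdir -p scripts scriptsresponse responsebody
RED='\033[0;31m'
NC='\033[0m'
CUR_PATH=$(pwd)
# Glob instead of parsing `ls`; the -f guard skips the literal pattern when the
# directory is empty.
for body in "$CUR_PATH"/responsebody/*; do
  [[ -f "$body" ]] || continue
  host=${body##*/}
  # The host name goes through %s, never into the printf format string (a name
  # containing '%' would otherwise be interpreted as a directive).
  printf '\n\n%b%s%b\n\n' "$RED" "$host" "$NC"
  # Same extraction as before: a src="..." attribute immediately before </script>.
  grep -Eoi 'src="[^>]+></script>' "$body" | cut -d '"' -f 2 | while IFS= read -r end_point; do
    [[ -z "$end_point" ]] && continue
    # Created lazily so hosts with no script tags get no directory (as before).
    mkdir -p "scriptsresponse/$host"
    # Original only checked for the substring "http" anywhere in the value and
    # glued relative paths onto the host with no separator. Resolve the usual
    # forms explicitly.
    case "$end_point" in
      http://*|https://*) URL=$end_point ;;
      //*) URL="https:$end_point" ;;               # protocol-relative
      /*)  URL="https://$host$end_point" ;;        # absolute path
      *)   URL="https://$host/$end_point" ;;       # relative path needs a '/'
    esac
    file=$(basename -- "$end_point")
    # These URLs come straight from the target's HTML: pin curl to HTTP(S) so a
    # crafted src can't make it read file:// or another scheme (also across
    # redirects), and bound the fetch so one slow CDN can't stall the loop.
    curl -s -L --proto '=http,https' --proto-redir '=http,https' --max-redirs 5 --max-time 60 "$URL" > "scriptsresponse/$host/$file"
    echo "$URL" >> "scripts/$host"
  done
done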
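# Extract endpoints from every downloaded script. Globs replace the `ls`
# parsing of the original; the unused CUR_DIR assignment is dropped.
mkdir -p endpoints
for domain_dir in scriptsresponse/*/; do
  [[ -d "$domain_dir" ]] || continue
  domain=${domain_dir%/}
  domain=${domain##*/}
  #looping through files in each domain
  mkdir -p "endpoints/$domain"
  for script in "$domain_dir"*; do
    [[ -f "$script" ]] || continue
    file=${script##*/}
    ruby ~/relative-url-extractor/extract.rb "$script" >> "endpoints/$domain/$file"
    # keep only scripts that actually yielded endpoints
    if [[ ! -s "endpoints/$domain/$file" ]]; then
      rm -f "endpoints/$domain/$file"
    fi
  done
done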
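############################ HERE
echo -e "${GREEN}[+] Starting Jsearch.py"
# The original line was `organitzationName= sed 's/.com//' <<< "$1"`: the space
# after '=' made it run sed with an empty environment variable, so the name
# stayed empty and jsearch received -n "". Also anchor the pattern so only a
# trailing ".com" is removed ("." unescaped matched any character, turning
# "ecommerce.com" into "merce.com").
organitzationName=$(sed 's/\.com$//' <<< "$1")
mkdir -p javascript
while IFS= read -r domain || [[ -n "$domain" ]]; do
  [[ -z "$domain" ]] && continue
  NAME=$(awk -F/ '{print $3}' <<< "$domain")
  echo -e "${GREEN}[+] Searching JS files for $NAME"
  echo -e ""
  # Subshell: the original cd/cd.. pair had no check, so one failed cd would
  # have left every later iteration writing into the wrong directory.
  (
    cd javascript/ || exit 1
    mkdir -p "$NAME"
    python3 ~/jsearch/jsearch.py -u "$domain" -n "$organitzationName" | tee -a "$NAME.txt"
    # presumably jsearch saves files under ./$NAME; drop the dir if it stayed empty
    if [[ -z "$(ls -A "$NAME/")" ]]; then
      rmdir "$NAME"
    fi
    if [[ ! -s "$NAME.txt" ]]; then
      rm -f "$NAME.txt"
    fi
  )
done < alive.txt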
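#########FILES AND DIRECTORIES#########
echo -e ""
echo -e "${BOLD}${GREEN}[+] STEP 4: Starting Gobuster to find directories and hidden files"
mkdir -p directories
while IFS= read -r domain || [[ -n "$domain" ]]; do
  [[ -z "$domain" ]] && continue
  # alive.txt carries http:// and https:// entries for the same host; keying the
  # output on the host alone made the second run overwrite the first. Include
  # the scheme in the file name (e.g. https_example.com).
  scheme=${domain%%://*}
  host=${domain#*://}
  host=${host%%/*}
  NAME="${scheme}_${host}"
  gobuster dir -u "$domain" -w "$gobusterDictionaryPathDir" -t "$gobusterDirThreads" -o "directories/$NAME"
  # keep only result files with content
  if [[ ! -s "directories/$NAME" ]]; then
    rm -f "directories/$NAME"
  fi
done < alive.txt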
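#########NMAP#########
echo -e ""
echo -e "${BOLD}${GREEN}[+]STEP 5: Starting Nmap Scan for alive domains"
mkdir -p nmapscans
# Despite the banner this scans every resolved name in domains.txt, not only the
# HTTP-alive hosts in alive.txt; httprobe only checks web ports, so non-web
# hosts would otherwise never be port-scanned. Reading line by line keeps a
# wildcard entry from being glob-expanded by an unquoted for-loop.
while IFS= read -r domain || [[ -n "$domain" ]]; do
  [[ -z "$domain" ]] && continue
  # a wildcard name such as *.example.com cannot be resolved; skip it
  [[ "$domain" == \** ]] && continue
  nmap -sC -sV -v "$domain" | tee "nmapscans/$domain"
done < domains.txt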