six2dez / reconftw Goto Github PK

Allows ASN/CIDR/Name as target.

Tools suggestion:

metabigor
asnlookup
asnip
mapcidr
3klector
HostHunter

Adding checks for S3 public opened buckets check

Options:
https://gist.githubusercontent.com/random-robbie/b0c8603e55e22b21c49fd80072392873/raw/bucket_list.sh
https://gist.githubusercontent.com/jhaddix/4769f5e3e4dbcaaf9032fbb741ef6f83/raw/fdfc8ded52a6746d8ecb0fc522cf492e42ba0dec/bucket-disclose.sh

Subdomain enumeration is so time consuming.
A progress bar can tell the user that things are moving.

yum is called under ubuntu 20.04 and this call is caused by

test -f /etc/os-release && install_yum

Is the first check of yum not enough ?

test -f /etc/redhat-release && install_yum

all_requirements.txt now is downloaded.
It must be included in the project to be more maintainable and everyone can pull request if if something go wrong.

The function will show that all go tools are not installed if the $HOME/go/bin is not exported in $PATH. Which will be confusing for users and this will make a doubt in the install.sh script.

I suggest to export the go/bin to $path automatically in the reconftw.sh or adding it permanently in the system via install.sh

In subdomain takeover section, run autosubtakeover before subjack

The -insecure option in hakrawler is disabled.
so the line bellow will fail:

cat ${domain}_probed.txt | hakrawler -depth 2 -scope subs -insecure -plain | anew -q ${domain}_url_extract.txt

My hakrawler version is: beta11

/informationGathering/reconftw$ hakrawler -v
beta11

So you need to delete the -insecure option or install hakrawler with -insecure option activated.

Error in ssrf.py path. It must be; $tools/ssrf.py

ssrf_checks(){
...
		eval cat ${domain}_ssrf.txt $DEBUG_ERROR | eval python3 ssrf.py $COLLAB_SERVER > ${domain}_ssrf_confirmed.txt $DEBUG_STD
...

Manual implementation or https://github.com/MichaelStott/CRLF-Injection-Scanner

Add CMS checks for the well known: WP, Drupal, Joomla

Nice and easily readable final html report

My question up title. ffuf's have so pretty html reporting. Are use we html reporting? I should be open PR?

@six2dez WDYT?

Search dalfox replacement, maybe xsstrike

The start function called 2 times which cause a generation of Recon\target.com\Recon\target.com

all(){
	start
	if [ -n "$list" ]
	then
		...
	else
		start

dir generation caused by:

       dir=$PWD/Recon/$domain
	mkdir -p $dir

I suggest to protect those calls: checking the existance of the output dir before the call of mkdir and not use $PWD.

There is a copy paste issue in the favicon funtion.
It must be :

favicon(){
        ...
	printf "${bblue}\n FavIcon Hash Extraction Finished in ${runtime} secs\n"
}

insteed of:

favicon(){
        ...
	printf "${bblue}\n GitHub Scanning Finished in ${runtime} secs\n"
}

Ut test script will help to test every feature and make soft stable and check for regression bugs..
Quality 👍

Describe the bug
SecretFinder open new browser tab for every finding

To Reproduce

Expected behavior

1. SecretFinder create output.html
2. Open it in new browser tab
3. delete output.html
4. Go to 1

Desktop (please complete the following information):

• Linux
• Brave browser

A notification to slack,discord,tg, or any other platform would be help full.

Merge install and update scripts in one, let's say "tools.sh". It will install the tools if not installed or update if exist.

User can add his own outofScope.txt list, an option must be added.

Dear Six2dez,

the installation script doesn't in KALI or ParrotOS fresh installed, nor updated.

Best regards,

Adding the in scope subdomains but not discovered by the reconFTW

It takes a lot of time, thinking something more "manual" for JS subdomain scraping

JSScanner plus grep

After any task spent time is printed out.
This time in seconds.
This is not so readable.
Lets print it in other format: HH:MM:SS
And hoping HH is always = 00 :)

Metadata Checks implementation with pymeta

Performance options to avoid net overload (soft, default, hard)

Defining a new flag for this, will add some vars which defines threads for tools like shuffledns, httpx, interlace, ffuf...

Go is needed by several used tools. So it is better to install it automatically if it not installed yet.

Create issues templates for bugs, ideas, new features, etc

Minimum: working
Desirable: Alpine Linux minimal image

out of scope domains must be excluded to improve the execution time of the rest of tools.

Installer must generate or download default config files for subfinder and amass (at least)

Describe the bug
Hey there, currently having issues with the latest pull of the install script. I am running this on Kali 2020.4 as root with the GOPATH / GOROOT path as seen in the screenshot below. During install, I get an error message:

  Using /usr/local/lib/python3.9/dist-packages/EditorConfig-0.12.3-py3.9.egg
Finished processing dependencies for LinkFinder==1.0
Traceback (most recent call last):
  File "/root/Tools/pymeta/setup.py", line 3, in <module>
    with open("README.md", "r") as fh:
FileNotFoundError: [Errno 2] No such file or directory: 'README.md

And left with a bunch of tools uninstalled. While I understand the README.md says installer is as is, I did not have this error message on a pull I did last week of this app. Any help would be much appreciated as to what I am missing. Thank you!

To Reproduce
Steps to reproduce the behavior:

1. Run the install script.

Expected behavior
Tools being installed when running the install script.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• Architecture: x64
• OS: Kali
• Version 2020.4

Look an alternative for git-hound, maybe GitGraber or truffleHog works

Given text files by user as parameter shall be checked and validated as real ASCII text.

file ~/Tools/list.txt 
list.txt: ASCII text

Lot of duplicated urls caused by missing anew command.

cat ${domain}_url_extract.txt | subjs >> ${domain}_jsfile_links.txt;

It suggest to edit it to:

cat ${domain}_url_extract.txt | subjs | anew -q ${domain}_jsfile_links.txt;

The options handling must be less complex and more maintainable.

which sudo will return always the some value.
to check if user is root is better to:

if( id -u == 0 )
then
    SUDO = sudo 
else
    SUDO = " "

if root no need to call sudo/

If any tool owner provide a compiled binary, the install script can be enhanced .

Update Golang using update.sh

• Full scope (-fs): allows anything from cidr, ASN, crtsh.

• Deep scan (--deep?): Allows JS sub scraping, deep crtsh scan, Js scanner and performs attacks (xss, open redirects, ssrf) over all the urls no matter size. This requires the default option not perform this actions and attacks only against short lists.

• Only passive actions (-ps or ....?), no interaction with target, like passive info gathering mode, no dns resolution for subdomains, urls obtained only from gau and wayback, no crawler, no port scan ('port scan' with shodan is passive).

Run the tool and inform only for new discoveries comparing with the existing files.
Like "Old scan detected", then results will be "3 new subdomains added".
Beware, it may interfere with resume run support added in c78d862

• Flag -c for Compare or Cron mode
• After subdomains, rest of steps should be done only for new subdomains not all.
• Output and notifications about new findings, so it should compare and diff before.
• This feature shouldn't remove anything, just add.
• It should be able to run 24/7 in loop without bugs.

please make a docker image.. this install is so problematic

Slack, Discord and Telegram with slackcat, notify.sh or any other

Now only functions spent time is printed.
Users (at least me) want to know the spent time of all the recon process.
This value must be printed even if the user cancelled the reon process (the script receive a kill signal )

rename file.
change the name in install.sh and update.sh

There is an error in the output file, it seems to copied from testssl and not edited.
${domain}_testssl.txt

open_redirect(){
	printf "${bblue} Results are saved in ${domain}_testssl.txt ${reset}\n"
}

ssrf_checks(){
	printf "${bblue} Results are saved in ${domain}_testssl.txt ${reset}\n"
}