mycrappytakeoncrtndstry :P

a guest
Dec 7th, 2019
282
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 9.67 KB | None | 0 0
#######################################
# Passive subdomain collection for one root domain, followed by liveness
# probing (httprobe), Wayback Machine URL harvesting and a subjack pass.
#
# Arguments:
#   $1 - root domain (e.g. example.com); used unquoted as a directory name,
#        inside URLs and inside grep patterns, so it must be a plain hostname
#        with no spaces, globs, '/' or leading '-' — validate before calling.
# Globals:
#   HOME (via ~) - all output below rawdata/ data/ httprobe/ wayback/ subjack/
#                  is written under ~/$url/recon/crtndstry/<dd-mm-yy>/.
# Outputs:
#   Progress lines and tool output on stdout; result files as listed above.
#   Every write uses 'tee -a' or '>>', so a second run on the same day
#   appends duplicates to the same files.
# Returns:
#   Exit status of the last subjack command; no 'set -e' in effect, so a
#   missing tool (curl, jq, httprobe, waybackurls, subjack) or a failed
#   request is silently skipped and later stages run on partial data.
#
# NOTE(review): line 70 of the paste ('for line in $(cat ); echo ...') is
# missing 'do', so bash reports a syntax error while parsing this function
# and never defines it. Several long lines also end in '>' where the paste
# was cut off; they are marked below and cannot be trusted as written.
#######################################
crtndstry (){
# main functions courtesy of nahamsec w/ help of nukedx and dmfroberson
        url=$1
        # dd-mm-yy: two-digit year, not lexically sortable across years.
        testing_date=$(date +'%d-%m-%y')
        # The mkdir calls below are relative to the current directory, but
        # every later read/write uses ~/$url/...; the two only agree when
        # the function is run from $HOME.
        if [[ ! -d "$url" ]];then
                mkdir $url
        fi
        if [[ ! -d "$url/recon" ]];then
                mkdir $url/recon
        fi
        if [[ ! -d "$url/recon/crtndstry" ]];then
                mkdir $url/recon/crtndstry
        fi
 
        mkdir $url/recon/crtndstry/$testing_date
        mkdir $url/recon/crtndstry/$testing_date/rawdata
        mkdir $url/recon/crtndstry/$testing_date/data
        mkdir $url/recon/crtndstry/$testing_date/httprobe
#       mkdir $url/recon/crtndstry/$testing_date/eyewitness
        mkdir $url/recon/crtndstry/$testing_date/wayback
        mkdir $url/recon/crtndstry/$testing_date/wayback/extensions
        mkdir $url/recon/crtndstry/$testing_date/wayback/params
        mkdir $url/recon/crtndstry/$testing_date/subjack
 
        #give it patterns to look for within crt.sh for example %api%.site.com
        declare -a arr=("api" "corp" "dev" "uat" "test" "stag" "sandbox" "prod" "internal" "back" "old")
        for i in "${arr[@]}";do
                echo "[*] Testing $url for $i"
                #get a list of domains based on our patterns in the array
                # $crtsh is overwritten on every iteration; only the last
                # pattern's result survives for the 'echo "$crtsh"' below.
                # The file gets the full set via tee -a.
                crtsh=$(curl -s https://crt.sh/\?q\=%25$i%25.$url\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt )
        done
        curl -s https://crt.sh/\?q\=$url\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt
        # One extra crt.sh request per name collected so far (the list is
        # expanded once by $(cat ...), so appending to the same file does not
        # loop forever). Request volume scales with the number of names.
        # NOTE: line cut off in the paste ('~/$url>'); tail is unknown.
        for link in $(cat $url/recon/crtndstry/$testing_date/rawdata/crtsh.txt); do curl -s https://crt.sh/\?q\=$link\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url>
        echo "[*] Getting list of domains for $url from certspotter"
        #get a list of domains from certspotter
        # jq runs without -r, so the sed 's/\"//g' strips the JSON quotes.
        # 'grep -w $url\$' is an unquoted anchored match on the root domain.
        # NOTE: line cut off in the paste ('$testing>'); tail is unknown.
        certspotter=$(curl -s https://certspotter.com/api/v0/certs\?domain\=$url | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep -w $url\$ | tee $url/recon/crtndstry/$testing>
        #get a list of domains from digicert
        echo "[*] Getting list of domains for $url from digicert"
        # curl -o writes the body to digicert.json, so $digicert captures
        # nothing and the 'echo "$digicert"' below prints an empty line.
        digicert=$(curl -s https://ssltools.digicert.com/chainTester/webservice/ctsearch/search?keyword=$url -o ~/$url/recon/crtndstry/$testing_date/rawdata/digicert.json )
        echo "$crtsh"
        echo "$certspotter"
        echo "$digicert"
 
        #this creates a list of all unique root sub domains
        # 'clear' wipes everything printed so far from the terminal.
        clear
        echo "working on data"
        # rev | cut -f 1,2,3 | rev keeps the last three labels of each name.
        cat ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt | rev | cut -d "."  -f 1,2,3 | sort -u | rev | tee ~/$url/recon/crtndstry/$testing_date/$url-temp.txt
 
                 # BUG: path is missing the 'recon/' component
                 # (~/$url/crtndstry/... vs ~/$url/recon/crtndstry/...), so
                 # this tee -a fails and the certspotter names never reach
                 # the temp file.
                 cat ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt | rev | cut -d "."  -f 1,2,3 | sort -u | rev | tee -a ~/$url/crtndstry/$testing_date/$url-temp.txt
        domain=$url
        # NOTE: line cut off in the paste (ends in '>'); the redirect target
        # is unknown.
        jq -r '.data.certificateDetail[].commonName,.data.certificateDetail[].subjectAlternativeNames[]' ~/$url/recon/crtndstry/$testing_date/rawdata/digicert.json | sed 's/"//g' | grep -w "$domain$" >
        # NOTE: line cut off in the paste ('$ur>'); the rm target is unknown.
        cat ~/$url/recon/crtndstry/$testing_date/$url-temp.txt | sort -u | tee ~/$url/recon/crtndstry/$testing_date/data/$url-$(date '+%Y.%m.%d-%H.%M').txt; rm ~/$url/recon/crtndstry/$testing_date/$ur>
        # The minute-resolution timestamp is recomputed here; if the minute
        # changed since the tee above, this reads a file that does not exist
        # and reports 0. Uses $1 where the rest of the function uses $url.
        echo "[*] Number of domains found: $(cat ~/$url/recon/crtndstry/$testing_date/data/$1-$(date '+%Y.%m.%d-%H.%M').txt | wc -l)"
 
        # run httprobe against found domains
        echo "[+] Running httprobe against compiled domains..."
        # BUG: 'tr -d ':443'' deletes the characters ':', '4' and '3' from
        # every line, not the string ":443" — any hostname containing a 3
        # or 4 (e.g. host43.example.com) is corrupted before it reaches the
        # wayback and extension stages below. sed 's/https\?:\/\///' relies
        # on the GNU sed '\?' extension.
        cat ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> ~/$url/recon/crtndstry/$testing_date/httprobe/crtsh_alive.txt
        # NOTE: line cut off in the paste ('certspotter>'); same tr issue.
        cat ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> ~/$url/recon/crtndstry/$testing_date/httprobe/certspotter>
        # add wayback and pull .html, .js, .json, .php, robots.txt, .aspx
        echo "[+] Pulling wayback data..."
        cat ~/$url/recon/crtndstry/$testing_date/httprobe/crtsh_alive.txt | waybackurls >> ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt
        cat ~/$url/recon/crtndstry/$testing_date/httprobe/certspotter_alive.txt | waybackurls >> ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt
        # pulls robots.txt from wayback output
        echo "  [*] Compiling robots.txt from wayback data..."
        # Unanchored, unescaped pattern: '.' matches any character.
        cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt | grep 'robots.txt' >> ~/$url/recon/crtndstry/$testing_date/wayback/extensions/robots.txt
        cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt | grep 'robots.txt' >> ~/$url/recon/crtndstry/$testing_date/wayback/extensions/robots.txt
        # pulls potential params from wayback output
        echo "  [*] Pulling potential params from wayback data..."
        # In basic regex '?' is literal and '*' applies to it, so '?*='
        # matches any line containing '='; the '?' is not required.
        cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> ~/$url/recon/crtndstry/$testing_date/wayback/params/potential_params.txt
       # BUG: syntax error — 'for ...;' is followed by 'echo' with no 'do',
       # which makes bash reject the whole function definition. Even if
       # fixed, 'cat' with no argument would block reading stdin.
       for line in $(cat ); echo $line"=";done
        # NOTE: line cut off in the paste ('potential_params>').
        cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> ~/$url/recon/crtndstry/$testing_date/wayback/params/potential_params>
        echo "[+] Checking for intersting extensions from wayback data..."
        # Word-splitting loop over URLs: '##*.' takes the text after the
        # last '.', so a URL like host.com/x.js?v=1.2 yields "2", not "js".
        # 'echo $link | sort -u' on a single line is a no-op.
        for link in $(cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt);do
                ext="${link##*.}"
                if [[ "$ext" == "js" ]];then
                        echo "  [+] js files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
                fi
                if [[ "$ext" == "json" ]];then
                        echo "  [+] json files found!"
 
              echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
               fi
                if [[ "$ext" == "php" ]];then
                        echo "  [+] php files found!"
                        # BUG: '~/url/' is missing the '$' — php hits are
                        # written under a literal directory named 'url'
                        # (tee -a fails if it does not exist).
                        echo $link | sort -u | tee -a ~/url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
                fi
                if [[ "$ext" == "html" ]];then
                        echo "  [+] html files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt;
                fi
                if [[ "$ext" == "md" ]]; then
                        echo "  [+] md files found!"
                        echo $link | sort -u |tee -a  ~/$url/recon/crtndstry/$testing_date/wayback/extensions/md.txt
                fi
                if [[ "$ext" == "xml" ]]; then
                        echo "  [+] xml files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/xml.txt
                fi
                if [[ "$ext" == "cgi" ]]; then
                        echo "  [+] cgi files found!"
                        echo $link | sort -u |tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/cgi.txt
                fi
        done
        echo "[+] Checking for interesting extensions from wayback data..."
        # Same extension sweep as above for the certspotter-derived URLs;
        # this copy uses the correct ~/$url/ path for php.
        for link in $(cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt);do
                ext="${link##*.}"
                if [[ "$ext" == "js" ]];then
                        echo "  [+] js files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
                fi
                if [[ "$ext" == "json" ]];then
                        echo "  [+] json files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
                fi
                if [[ "$ext" == "php" ]];then
                        echo "  [+] php files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
                fi
                if [[ "$ext" == "html" ]];then
                        echo "  [+] html files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt
                fi
                if [[ "$ext" == "md" ]]; then
                        echo "  [+] md files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/md.txt
                fi
                if [[ "$ext" == "xml" ]]; then
                        echo "  [+] xml files found!"
                        echo $link | sort -u | tee -a  ~/$url/recon/crtndstry/$testing_date/wayback/extensions/xml.txt
                fi
                if [[ "$ext" == "cgi" ]]; then
                        echo "  [+] cgi files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/cgi.txt
                fi
        done
        echo "[*] Scanning for potential subdomain takeover..."
        # Fingerprint file path is hard-coded to a GOPATH checkout of subjack;
        # subjack fails to start if that file is elsewhere. Both lines are
        # cut off in the paste ('.../$testing_date/s>' and '$testing_>').
        subjack -w ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> ~/$url/recon/crtndstry/$testing_date/s>
        subjack -w ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> ~/$url/recon/crtndstry/$testing_>
}