#######################################
# crtndstry: build a subdomain inventory for one domain from public
# certificate-transparency sources (crt.sh, certspotter, digicert), then
# check which hosts answer on HTTPS, pull their Wayback Machine history,
# and run subjack over the raw host lists.
# Arguments: $1 - the domain to enumerate (assigned to "url" below). It is
#            expanded unquoted everywhere, so a value with spaces, globs or
#            "../" would be split or escape the intended output tree; it is
#            also placed into query URLs without any URL-encoding.
# Globals:   none read explicitly; "~" expands to HOME in most paths.
# Outputs:   progress lines on stdout; result files under
#            <domain>/recon/crtndstry/<dd-mm-yy>/{rawdata,data,httprobe,
#            wayback/extensions,wayback/params,subjack}.
# Requires:  curl, jq, httprobe, waybackurls, subjack, rev, cut, sed, sort.
# NOTE(review): several lines on this page are cut off at the right margin
#   (they end in ">"), so the tail of those pipelines is not visible here.
# NOTE(review): no "set -euo pipefail"; a failed curl/jq stage produces an
#   empty file and every later step silently runs on it.
# NOTE(review): line "for line in $(cat ); echo $line"=";done" below is not
#   valid bash (no "do"), so as written bash rejects the whole function.
#######################################
- crtndstry (){
- # main functions courtesy of nahamsec w/ help of nukedx and dmfroberson
# The domain under test, taken from the first positional parameter.
- url=$1
# Day-resolution run id (dd-mm-yy); names the per-run directory.
- testing_date=$(date +'%d-%m-%y')
# Create the top-level tree only if missing. These mkdirs are RELATIVE to the
# current directory, whereas almost every write below goes to ~/$url/..., so
# the two only line up when the function is run from $HOME.
- if [[ ! -d "$url" ]];then
- mkdir $url
- fi
- if [[ ! -d "$url/recon" ]];then
- mkdir $url/recon
- fi
- if [[ ! -d "$url/recon/crtndstry" ]];then
- mkdir $url/recon/crtndstry
- fi
# Per-run subdirectories. No "-p": a second run on the same day prints
# "File exists" errors and then appends to the previous run's files.
- mkdir $url/recon/crtndstry/$testing_date
- mkdir $url/recon/crtndstry/$testing_date/rawdata
- mkdir $url/recon/crtndstry/$testing_date/data
- mkdir $url/recon/crtndstry/$testing_date/httprobe
- # mkdir $url/recon/crtndstry/$testing_date/eyewitness
- mkdir $url/recon/crtndstry/$testing_date/wayback
- mkdir $url/recon/crtndstry/$testing_date/wayback/extensions
- mkdir $url/recon/crtndstry/$testing_date/wayback/params
- mkdir $url/recon/crtndstry/$testing_date/subjack
- #give it patterns to look for within crt.sh for example %api%.site.com
# Each entry becomes a crt.sh wildcard query of the form %<pattern>%.<domain>.
- declare -a arr=("api" "corp" "dev" "uat" "test" "stag" "sandbox" "prod" "internal" "back" "old")
- for i in "${arr[@]}";do
- echo "[*] Testing $url for $i"
- #get a list of domains based on our patterns in the array
# sed strips a leading "*." from wildcard certificate names; results are
# appended to rawdata/crtsh.txt. The "crtsh" variable only ever holds the
# output of the LAST loop iteration (each pass overwrites it).
- crtsh=$(curl -s https://crt.sh/\?q\=%25$i%25.$url\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt )
- done
# Plain (non-wildcard) crt.sh query for the domain itself, same post-processing.
- curl -s https://crt.sh/\?q\=$url\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt
# Second-level pass: re-query crt.sh for every name collected so far. The
# file is word-split by $(cat ...), and the line is truncated on this page,
# so where the second pass writes its output is not visible.
- for link in $(cat $url/recon/crtndstry/$testing_date/rawdata/crtsh.txt); do curl -s https://crt.sh/\?q\=$link\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url>
- echo "[*] Getting list of domains for $url from certspotter"
- #get a list of domains from certspotter
# certspotter v0 API; jq without -r leaves quotes, which the first sed
# removes. grep -w "$url$" keeps only names that end with the domain.
# Line truncated on this page; presumably tees into rawdata/certspotter.txt
# (that file is read below) — confirm against the full script.
- certspotter=$(curl -s https://certspotter.com/api/v0/certs\?domain\=$url | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep -w $url\$ | tee $url/recon/crtndstry/$testing>
- #get a list of domains from digicert
- echo "[*] Getting list of domains for $url from digicert"
# curl -o writes the response to rawdata/digicert.json, so nothing reaches
# stdout and "digicert" is assigned an empty string (the echo below prints
# a blank line). The "?keyword=" here is unescaped; it is only safe because
# the shell has no file matching that pattern.
- digicert=$(curl -s https://ssltools.digicert.com/chainTester/webservice/ctsearch/search?keyword=$url -o ~/$url/recon/crtndstry/$testing_date/rawdata/digicert.json )
- echo "$crtsh"
- echo "$certspotter"
- echo "$digicert"
- #this creates a list of all unique root sub domains
# "clear" wipes the terminal, including the three echoes just above.
- clear
- echo "working on data"
# rev | cut -f 1,2,3 | rev keeps the LAST three dot-separated labels of each
# name, i.e. one level below a two-label domain — a crude "root" list.
- cat ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt | rev | cut -d "." -f 1,2,3 | sort -u | rev | tee ~/$url/recon/crtndstry/$testing_date/$url-temp.txt
# NOTE(review): this path omits "recon/" (~/$url/crtndstry/...), a directory
# that is never created, so tee cannot open the file and the certspotter
# roots are lost from the temp list.
- cat ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt | rev | cut -d "." -f 1,2,3 | sort -u | rev | tee -a ~/$url/crtndstry/$testing_date/$url-temp.txt
- domain=$url
# Extract CN and SAN entries from the digicert JSON, keep those ending in the
# domain. Truncated on this page; the destination is not visible.
- jq -r '.data.certificateDetail[].commonName,.data.certificateDetail[].subjectAlternativeNames[]' ~/$url/recon/crtndstry/$testing_date/rawdata/digicert.json | sed 's/"//g' | grep -w "$domain$" >
# Deduplicate the temp list into data/<domain>-<YYYY.MM.DD-HH.MM>.txt, then
# remove the temp file (rm target truncated on this page).
- cat ~/$url/recon/crtndstry/$testing_date/$url-temp.txt | sort -u | tee ~/$url/recon/crtndstry/$testing_date/data/$url-$(date '+%Y.%m.%d-%H.%M').txt; rm ~/$url/recon/crtndstry/$testing_date/$ur>
# The timestamp is recomputed here at minute resolution; if the minute rolls
# over between the previous line and this one, the file is not found and the
# count is reported as 0. ($1 and $url hold the same value.)
- echo "[*] Number of domains found: $(cat ~/$url/recon/crtndstry/$testing_date/data/$1-$(date '+%Y.%m.%d-%H.%M').txt | wc -l)"
- # run httprobe against found domains
- echo "[+] Running httprobe against compiled domains..."
# httprobe -s -p https:443 checks only HTTPS; sed drops the scheme.
# NOTE(review): tr -d ':443' deletes every ':', '4' and '3' CHARACTER from
# every line (tr takes a set, not a string), so any hostname containing a
# 3 or 4 is corrupted. Stripping the literal ":443" suffix needs sed.
- cat ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> ~/$url/recon/crtndstry/$testing_date/httprobe/crtsh_alive.txt
# Same pipeline for the certspotter list (truncated on this page; the file
# httprobe/certspotter_alive.txt is read below).
- cat ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> ~/$url/recon/crtndstry/$testing_date/httprobe/certspotter>
- # add wayback and pull .html, .js, .json, .php, robots.txt, .aspx
- echo "[+] Pulling wayback data..."
# Archived URLs for each live host, one source list per file.
- cat ~/$url/recon/crtndstry/$testing_date/httprobe/crtsh_alive.txt | waybackurls >> ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt
- cat ~/$url/recon/crtndstry/$testing_date/httprobe/certspotter_alive.txt | waybackurls >> ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt
- # pulls robots.txt from wayback output
- echo " [*] Compiling robots.txt from wayback data..."
# Both sources append to the same extensions/robots.txt ("." is unescaped,
# so "robotsXtxt" would also match — harmless in practice).
- cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt | grep 'robots.txt' >> ~/$url/recon/crtndstry/$testing_date/wayback/extensions/robots.txt
- cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt | grep 'robots.txt' >> ~/$url/recon/crtndstry/$testing_date/wayback/extensions/robots.txt
- # pulls potential params from wayback output
- echo " [*] Pulling potential params from wayback data..."
# In basic regex '?*=' means "zero or more '?' then '='", i.e. any line
# containing '='. cut -d '=' -f 1 keeps everything before the FIRST '=',
# which is the URL up to and including the first parameter name.
- cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> ~/$url/recon/crtndstry/$testing_date/wayback/params/potential_params.txt
# NOTE(review): syntax error — a "for ... in list;" must be followed by "do".
# Even if it parsed, "cat" with no argument would block on the terminal.
# Looks like an unfinished attempt to re-append "=" to each cut line.
- for line in $(cat ); echo $line"=";done
# Same param extraction for the certspotter list (truncated on this page).
- cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> ~/$url/recon/crtndstry/$testing_date/wayback/params/potential_params>
- echo "[+] Checking for intersting extensions from wayback data..."
# Classify each archived URL by the text after its last "." (so a URL with
# a query string or trailing "/" yields an "extension" that matches nothing).
# "echo $link | sort -u" sorts a single line — a no-op; dedup only happens
# within that one line, and tee -a still appends duplicates across the loop.
- for link in $(cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt);do
- ext="${link##*.}"
- if [[ "$ext" == "js" ]];then
- echo " [+] js files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
- fi
- if [[ "$ext" == "json" ]];then
- echo " [+] json files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
- fi
- if [[ "$ext" == "php" ]];then
- echo " [+] php files found!"
# NOTE(review): "~/url/" is missing the "$", so this targets a literal
# directory named "url" under HOME that is never created; php hits from the
# crt.sh list are lost (the certspotter loop below has the correct path).
- echo $link | sort -u | tee -a ~/url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
- fi
- if [[ "$ext" == "html" ]];then
- echo " [+] html files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt;
- fi
- if [[ "$ext" == "md" ]]; then
- echo " [+] md files found!"
- echo $link | sort -u |tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/md.txt
- fi
- if [[ "$ext" == "xml" ]]; then
- echo " [+] xml files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/xml.txt
- fi
- if [[ "$ext" == "cgi" ]]; then
- echo " [+] cgi files found!"
- echo $link | sort -u |tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/cgi.txt
- fi
- done
- echo "[+] Checking for interesting extensions from wayback data..."
# Verbatim copy of the loop above for the certspotter wayback list; the two
# loops differ only in input file (and the php path typo). A single helper
# taking the input file as its argument would remove the duplication.
- for link in $(cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt);do
- ext="${link##*.}"
- if [[ "$ext" == "js" ]];then
- echo " [+] js files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
- fi
- if [[ "$ext" == "json" ]];then
- echo " [+] json files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
- fi
- if [[ "$ext" == "php" ]];then
- echo " [+] php files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
- fi
- if [[ "$ext" == "html" ]];then
- echo " [+] html files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt
- fi
- if [[ "$ext" == "md" ]]; then
- echo " [+] md files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/md.txt
- fi
- if [[ "$ext" == "xml" ]]; then
- echo " [+] xml files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/xml.txt
- fi
- if [[ "$ext" == "cgi" ]]; then
- echo " [+] cgi files found!"
- echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/cgi.txt
- fi
- done
- echo "[*] Scanning for potential subdomain takeover..."
# subjack runs over the RAW name lists (not the httprobe-filtered ones) with
# a fingerprint file at a hard-coded GOPATH location; both lines are
# truncated on this page, output presumably lands in the subjack/ directory.
- subjack -w ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> ~/$url/recon/crtndstry/$testing_date/s>
- subjack -w ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> ~/$url/recon/crtndstry/$testing_>
- }