grimmiecrtndstry

a guest
Dec 11th, 2019
#######################################
# Collect hostnames for one domain from certificate-transparency sources and
# post-process them: crt.sh (per pattern in `arr`, then once more per name
# found), certspotter and digicert are queried with curl/jq, the results are
# probed with httprobe, fed to waybackurls, bucketed by URL extension and
# finally passed to subjack. Everything is written as files on disk.
# Arguments:
#   $1 - domain to look up (also used, unquoted, as a directory name)
# Globals:
#   Sets url, testing_date, arr, crtsh, certspotter, digicert, domain in the
#   caller's shell (no `local` is used anywhere).
# Outputs:
#   Progress messages on stdout; result files under
#   $url/recon/crtndstry/<dd-mm-yy>/... (created relative to the cwd) and
#   under ~/$url/recon/crtndstry/<dd-mm-yy>/... (where most later steps read
#   and write). The two trees only coincide when the function runs from $HOME.
# Requires: curl, jq, rev, httprobe, waybackurls, subjack on PATH.
# NOTE(review): the paste is not runnable as-is: the `md` branch of the first
#   extension loop has no `fi`, several lines end in a bare `>` (clipped when
#   the paste was made), the last line starts with `ubjack`, and the closing
#   `}` of the function is missing. Each spot is marked below.
# NOTE(review): $1 is never quoted or validated before it is used in mkdir,
#   file paths and URLs; an argument with spaces, glob characters or `../`
#   components changes which directories are created and written. Quote every
#   expansion ("$url") and reject anything that is not a plain hostname.
#######################################
crtndstry (){
# main functions courtesy of nahamsec w/ help of nukedx and dmfroberson
        url=$1
        # Date stamp used as the per-run directory name (day-month-year, 2-digit year).
        testing_date=$(date +'%d-%m-%y')
        # NOTE(review): the test is quoted but the mkdir is not; if $url contains
        # whitespace or a glob the two disagree about which path is meant.
        if [[ ! -d "$url" ]];then
                mkdir $url
        fi
        if [[ ! -d "$url/recon" ]];then
                mkdir $url/recon
        fi
        if [[ ! -d "$url/recon/crtndstry" ]];then
                mkdir $url/recon/crtndstry
        fi
 
        # Per-run layout. These are created relative to the current directory,
        # whereas almost every read/write below addresses ~/$url/... instead.
        # mkdir is not -p and errors are not checked, so a second run on the same
        # day prints errors and then appends to the previous run's files.
        mkdir $url/recon/crtndstry/$testing_date
        mkdir $url/recon/crtndstry/$testing_date/rawdata
        mkdir $url/recon/crtndstry/$testing_date/data
        mkdir $url/recon/crtndstry/$testing_date/httprobe
#       mkdir $url/recon/crtndstry/$testing_date/eyewitness
        mkdir $url/recon/crtndstry/$testing_date/wayback
        mkdir $url/recon/crtndstry/$testing_date/wayback/extensions
        mkdir $url/recon/crtndstry/$testing_date/wayback/params
        mkdir $url/recon/crtndstry/$testing_date/subjack
 
        #give it patterns to look for within crt.sh for example %api%.site.com
        declare -a arr=("api" "corp" "dev" "uat" "test" "stag" "sandbox" "prod" "internal" "back" "old")
        for i in "${arr[@]}";do
                echo "[*] Testing $url for $i"
                #get a list of domains based on our patterns in the array
                # Query crt.sh for %<pattern>%.<domain>, strip wildcard prefixes and
                # append the unique names to rawdata/crtsh.txt (under ~/$url, not $url).
                # NOTE(review): crtsh is overwritten on every iteration, so after the
                # loop it holds only the "old" pattern's output; the file has all of it.
                # $url is interpolated into the URL unescaped and unquoted.
                crtsh=$(curl -s https://crt.sh/\?q\=%25$i%25.$url\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt )
        done
# Second pass: query crt.sh once per name collected above and append the answers
# to the same file. The file is read from $url/... (relative) but written to
# ~/$url/...; `cat` has consumed the file before the loop starts, so the loop does
# not re-read what it appends. `for ... in $(cat ...)` word-splits and globs each
# line; prefer `while IFS= read -r link` and quote "$link".
for link in $(cat $url/recon/crtndstry/$testing_date/rawdata/crtsh.txt); do curl -s https://crt.sh/\?q\=$link\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt;done
echo "[*] Getting list of domains for $url from certspotter"
        #get a list of domains from certspotter
        # Keep only names ending in the target domain. NOTE(review): `grep -w $url\$`
        # is unquoted and treats the dots in $url as regex wildcards; use
        # `grep -w -- "${url//./\\.}\$"` or a fixed-string suffix check. This tee
        # writes to $url/... (relative), unlike the crt.sh lines above.
        certspotter=$(curl -s https://certspotter.com/api/v0/certs\?domain\=$url | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep -w $url\$ | tee $url/recon/crtndstry/$testing_date/rawdata/certspotter.txt )
 #get a list of domains from digicert
        echo "[*] Getting list of domains for $url from digicert"
        # curl -o writes the JSON to rawdata/digicert.json, so `digicert` itself is
        # always empty (the echo below prints a blank line). The `?` in the URL is an
        # unquoted glob character.
        digicert=$(curl -s https://ssltools.digicert.com/chainTester/webservice/ctsearch/search?keyword=$url -o ~/$url/recon/crtndstry/$testing_date/rawdata/digicert.json )
        echo "$crtsh"
        echo "$certspotter"
        echo "$digicert"
 
        #this creates a list of all unique root sub domains
        clear
        echo "working on data"
        # rev | cut -f 1,2,3 | rev keeps the last three dot-separated labels of each name.
        cat ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt | rev | cut -d "."  -f 1,2,3 | sort -u | rev | tee ~/$url/recon/crtndstry/$testing_date/$url-temp.txt
        # NOTE(review): this tee path is missing the `recon/` component used on the
        # line above, so certspotter's names never reach $url-temp.txt.
        cat ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt | rev | cut -d "."  -f 1,2,3 | sort -u | rev | tee -a ~/$url/crtndstry/$testing_date/$url-temp.txt
        domain=$url
        # NOTE(review): line clipped in the paste -- it ends on a `>` with no target,
        # which is a syntax error as written. Presumably it appended to $url-temp.txt.
        jq -r '.data.certificateDetail[].commonName,.data.certificateDetail[].subjectAlternativeNames[]' ~/$url/recon/crtndstry/$testing_date/rawdata/digicert.json | sed 's/"//g' | grep -w "$domain$" >
        # Final de-duplicated list goes to data/<domain>-<timestamp>.txt; the trailing
        # `rm` is clipped in the paste (`$ur>`), presumably removing $url-temp.txt.
        cat ~/$url/recon/crtndstry/$testing_date/$url-temp.txt | sort -u | tee ~/$url/recon/crtndstry/$testing_date/data/$url-$(date '+%Y.%m.%d-%H.%M').txt; rm ~/$url/recon/crtndstry/$testing_date/$ur>
        # NOTE(review): the timestamp is recomputed here (and $1 is used instead of
        # $url); if the minute rolls over between the two lines this counts a file
        # that does not exist. Capture the file name in a variable once.
        echo "[*] Number of domains found: $(cat ~/$url/recon/crtndstry/$testing_date/data/$1-$(date '+%Y.%m.%d-%H.%M').txt | wc -l)"
 
        # run httprobe against found domains
        echo "[+] Running httprobe against compiled domains..."
        # Strip the scheme and intend to strip the `:443` suffix. NOTE(review):
        # `tr -d ':443'` deletes every ':', '4' and '3' character from each line, so any
        # hostname containing a 3 or a 4 is corrupted; use `sed 's/:443$//'` instead.
        cat ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> ~/$url/recon/crtndstry/$testing_date/httprobe/crtsh_alive.txt
        # NOTE(review): output path clipped in the paste (`certspotter>`); the next
        # section reads httprobe/certspotter_alive.txt, so that is presumably the target.
        cat ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> ~/$url/recon/crtndstry/$testing_date/httprobe/certspotter>
        # add wayback and pull .html, .js, .json, .php, robots.txt, .aspx
        echo "[+] Pulling wayback data..."
        cat ~/$url/recon/crtndstry/$testing_date/httprobe/crtsh_alive.txt | waybackurls >> ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt
        cat ~/$url/recon/crtndstry/$testing_date/httprobe/certspotter_alive.txt | waybackurls >> ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt
        # pulls robots.txt from wayback output
        echo "  [*] Compiling robots.txt from wayback data..."
        # Unanchored, unescaped pattern: the `.` matches any character, so e.g.
        # "robotsXtxt" would also match. `grep -F 'robots.txt'` is what is meant.
        cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt | grep 'robots.txt' >> ~/$url/recon/crtndstry/$testing_date/wayback/extensions/robots.txt
        cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt | grep 'robots.txt' >> ~/$url/recon/crtndstry/$testing_date/wayback/extensions/robots.txt
        # pulls potential params from wayback output
        echo "  [*] Pulling potential params from wayback data..."
# Keep URLs containing `=` (the `?*` part of the regex is "zero or more `?`", so it
# adds nothing) and cut at the first `=`; the result is the URL up to the first
# parameter name, not the parameter name alone.
cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> ~/$url/recon/crtndstry/$testing_date/wayback/params/potential_params.txt
#       for line in $(cat ); echo $line"=";done
        # NOTE(review): output path clipped in the paste (`potential_params>`).
        cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt | grep '?*=' | cut -d '=' -f 1 | sort -u >> ~/$url/recon/crtndstry/$testing_date/wayback/params/potential_params>
        echo "[+] Checking for intersting extensions from wayback data..."
        # Bucket each wayback URL by the text after its last `.` (this is the whole
        # tail of a URL, so "page.php?x=1" yields "php?x=1", not "php").
        # NOTE(review): `$(cat ...)` and the unquoted `echo $link` word-split and glob
        # every URL; `sort -u` over a single line never de-duplicates, which is why
        # the commented-out per-file `sort -u` lines exist. Quote "$link" and run
        # `sort -u` on each extensions/*.txt once after the loop.
        for link in $(cat ~/$url/recon/crtndstry/$testing_date/wayback/crtsh_wayback_output.txt);do
                ext="${link##*.}"
                if [[ "$ext" == "do" ]];then
                        echo "  [+] do files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/dos.txt
                fi
                if [[ "$ext" == "jsp" ]];then
                        echo "  [+] jsp files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/jsp.txt
                fi
                if [[ "$ext" == "js" ]];then
                        echo "  [+] js files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
                fi
                if [[ "$ext" == "json" ]];then
                        echo "  [+] json files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
                fi
                if [[ "$ext" == "php" ]];then
                        echo "  [+] php files found!"
                        # NOTE(review): `~/url/` is missing the `$`, so php hits land in a
                        # literal ~/url/ tree instead of the run directory.
                        echo $link | sort -u | tee -a ~/url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
                fi
                if [[ "$ext" == "html" ]];then
                        echo "  [+] html files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt;
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt
                fi
                if [[ "$ext" == "md" ]];then
                        echo "  [+] md files found!"
                        echo $link | sort -u |tee -a  ~/$url/recon/crtndstry/$testing_date/wayback/extensions/md.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/
                # NOTE(review): this `if` has no `fi` before `done` -- bash rejects the
                # whole function with a syntax error. Compare the second loop below.
       done
        echo "[+] Checking for interesting extensions from wayback data..."
        # Same bucketing for the certspotter-derived URLs (plus xml and cgi), sharing
        # the extensions/*.txt files with the loop above. Same quoting caveats apply.
        for link in $(cat ~/$url/recon/crtndstry/$testing_date/wayback/certspotter_wayback_output.txt);do
                ext="${link##*.}"
                if [[ "$ext" == "do" ]]; then
                        echo "  [+] do files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/dos.txt
                fi
                if [[ "$ext" == "jsp" ]];then
                        echo "  [+] jsp files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/jsp.txt
                fi
                if [[ "$ext" == "js" ]];then
                        echo "  [+] js files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/js.txt
                fi
                if [[ "$ext" == "json" ]];then
                        echo "  [+] json files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/json.txt
                fi
                if [[ "$ext" == "php" ]];then
                        echo "  [+] php files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/php.txt
                fi
                if [[ "$ext" == "html" ]];then
                        echo "  [+] html files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt
#                       sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/html.txt
                fi
                if [[ "$ext" == "md" ]]; then
                        echo "  [+] md files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/md.txt
#                        sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/
                fi
                # xml only prints a message; nothing is written for it.
                if [[ "$ext" == "xml" ]]; then
                        echo "  [+] xml files found!"
                fi
                if [[ "$ext" == "cgi" ]]; then
                        echo "  [+] cgi files found!"
                        echo $link | sort -u | tee -a ~/$url/recon/crtndstry/$testing_date/wayback/extensions/cgi.txt
#                        sort -u ~/$url/recon/crtndstry/$testing_date/wayback/extensions/
                fi
        done
        # add subjack cmd that runs agasint all subdomains found
        echo "[*] Scanning for potential subdomain takeover..."
        # Fingerprint file is a hard-coded GOPATH location; subjack fails if it is
        # not there. Results are appended, so reruns on the same day accumulate.
        subjack -w ~/$url/recon/crtndstry/$testing_date/rawdata/crtsh.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> ~/$url/recon/crtndstry/$testing_date/subjack/crtsh.txt
# NOTE(review): this line starts with `ubjack` (the leading `s` of `subjack` is
# presumably lost in the paste) and the function's closing `}` is absent, so the
# paste cannot be sourced as-is.
ubjack -w ~/$url/recon/crtndstry/$testing_date/rawdata/certspotter.txt -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> ~/$url/recon/crtndstry/$testing_date/subjack/certspotter.txt