My Bash & Python Scripts

# Stray banner line: it sits before the shebang and names "Dork Fear", so it
# looks like a leftover pasted from a different script rather than part of the
# subdomain workflow below. Same three figlet|lolcat banners, chained with &&
# so a failing one stops the rest.
figlet -f slant -c "Start Hacking" | lolcat \
  && figlet -f digital -c "Hack to Learn" | lolcat \
  && figlet -f mini -c "Dork Fear" | lolcat
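#!/bin/bash
#
# Subdomain enumeration and triage pipeline: passive sources, permutation /
# brute-force resolution, live-host probing, status/tech/server bucketing,
# port scanning and takeover checks.
#
# Usage:   ./script.sh [domain]
# Input:   target domain as $1, or prompted for interactively when omitted.
# Outputs: per-tool *.txt files in the working directory and the consolidated
#          results under ./subdomains_output/.

figlet -f slant  -c "Start Hacking" | lolcat && figlet -f digital  -c "Hack to Learn" | lolcat && figlet -f mini -c "Sub Fear" | lolcat

# Step 1: Accept the domain name (argument, else prompt)
figlet -f small -c "Enter Domain" | lolcat
if [[ -n "${1:-}" ]]; then
  domain=$1
else
  printf '\033[1;34mEnter the domain name:\033[0m\n'
  # -r keeps backslashes literal; default IFS trims surrounding whitespace.
  read -r domain
fi

# The value is interpolated into curl URLs, grep patterns and tool arguments
# below, so refuse anything that is not a plain hostname (letters, digits,
# dots, hyphens). IDN hosts must be supplied in their xn-- (punycode) form.
if [[ -z "$domain" || ! "$domain" =~ ^[A-Za-z0-9.-]+$ ]]; then
  printf 'Invalid domain: %q\n' "$domain" >&2
  exit 1
fi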

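# Step 2: Prepare directories
figlet -f small -c "Setting Up Output Dir" | lolcat
output_dir="subdomains_output"
# Previous results are discarded on every run (as before), but quietly: the
# old `rm -r` printed an error on a first run when the directory did not
# exist yet. `${var:?}` aborts if the variable is ever empty, so this can not
# degrade into `rm -rf ""`; `--` ends option parsing.
rm -rf -- "${output_dir:?}"
mkdir -p "$output_dir"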

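# Step 3: Start Passive Enum
# Each source writes its own <tool>.txt in the working directory; Step 4 merges
# them. "$domain" is quoted everywhere so it is always passed as one argument.
figlet -f small -c "Passive: Subfinder" | lolcat
subfinder -d "$domain" -all -recursive -t 200 -o subfinder.txt

figlet -f small -c "Passive: Assetfinder" | lolcat
assetfinder --subs-only "$domain" | tee assetfinder.txt

figlet -f small -c "Passive: Findomain" | lolcat
findomain --quiet -t "$domain" -u findomain.txt

figlet -f small -c "Passive: Web Archive" | lolcat
# CDX returns full URLs: drop scheme, path, port and a leading "www." so only
# hostnames remain. The query goes over https rather than plain http so the
# target name and the returned list are not readable/modifiable on the wire.
# (The extra `sort` before sed was redundant with the final `sort -u`.)
curl -s "https://web.archive.org/cdx/search/cdx?url=*.${domain}/*&output=text&fl=original&collapse=urlkey" \
  | sed -e 's_https*://__' -e 's/\/.*//' -e 's/:.*//' -e 's/^www\.//' \
  | sort -u \
  | tee wayback.txt

figlet -f small -c "Passive: crt.sh" | lolcat
# %25 is a URL-encoded "%" (SQL-style wildcard for crt.sh). Wildcard "*."
# prefixes on certificate names are stripped.
curl -s "https://crt.sh/?q=%25.${domain}&output=json" \
  | jq -r '.[].name_value' \
  | sed 's/\*\.//g' \
  | sort -u \
  | tee crt.txt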


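# Passive: VirusTotal and GitHub
# API credentials are read from the environment instead of being embedded in
# the script: a key in a script ends up in git history, pastes and shell
# traces. `${VAR:?msg}` aborts with msg when the variable is unset or empty.
# Any key that was previously hardcoded in this file should be treated as
# leaked and revoked.
figlet -f small -c "Passive: Virustotal" | lolcat
: "${VT_API_KEY:?set VT_API_KEY to a VirusTotal API key}"
# The regex pulls every hostname-looking token out of the JSON report, not just
# subdomains of the target, so the result is narrowed to names containing the
# target domain before it is merged in Step 4.
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=${VT_API_KEY}&domain=${domain}" \
  | grep -oE '[a-zA-Z0-9.-]+\.[a-z]{2,}' \
  | grep -Fi -- "$domain" \
  | sort -u \
  | tee virustotal.txt

figlet -f small -c "Passive: GitHub" | lolcat
# github-subdomains appears to pick its token up from GITHUB_TOKEN (the
# original script exported it); the variable is exported, not echoed.
: "${GITHUB_TOKEN:?set GITHUB_TOKEN to a GitHub personal access token}"
export GITHUB_TOKEN
github-subdomains -d "$domain" -o github-subdomains.txt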

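figlet -f small -c "Passive: Amass" | lolcat
amass enum -d "$domain" -o domains-amass.txt -timeout 12 -v
# Keep only lines that mention the target (fixed-string match, so the dots in
# the domain are not regex wildcards), take the first whitespace-delimited
# field, then strip any ANSI colour escapes the verbose output may carry.
grep -F -- "$domain" domains-amass.txt \
  | grep -oP '^\S+' \
  | sort -u \
  > raw-amass.txt
sed 's/\x1b\[[0-9;]*m//g' raw-amass.txt > amass.txt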

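# Step 4: Sorting Passive Subdomains
figlet -f small -c "Sorting Passive Subdomains" | lolcat
# Normalise (drop scheme and :port) BEFORE de-duplicating. The previous order
# (sort -u, then sed) left "https://a.example" and "a.example" as two entries
# in passive-subs.txt.
cat amass.txt github-subdomains.txt crt.txt wayback.txt virustotal.txt assetfinder.txt subfinder.txt findomain.txt \
  | sed -E 's#https?://##; s/:([0-9]+)//' \
  | sort -u \
  | tee "$output_dir/passive-subs.txt"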

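# Step 5: Start Active/Brute Enum
figlet -f small -c "Active: Knockpy" | lolcat
# knockpy prints URLs; keep only scheme://host[:port] tokens. Scheme and port
# are stripped again when the active lists are merged in Step 6.
knockpy -d "$domain" --recon --bruteforce \
  | grep -oP 'https?://[a-zA-Z0-9.-]+(:[0-9]+)?' \
  | tee knockpy.txt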

figlet -f small -c "Active: Alterx + DNSX with Multiple Variations" | lolcat
# Build the permutation candidate list dnsx-subs.txt from four inputs: every
# subfinder hit, the bare domain, the bare domain with -enrich, and the bare
# domain against a 5k-entry SecLists wordlist. Later runs append (tee -a);
# the final count is printed after the last one.
alterx < subfinder.txt | tee dnsx-subs.txt
printf '%s\n' "$domain" | alterx | tee -a dnsx-subs.txt
printf '%s\n' "$domain" | alterx -enrich | tee -a dnsx-subs.txt
printf '%s\n' "$domain" \
  | alterx -pp word=/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  | tee -a dnsx-subs.txt \
  && wc -l < dnsx-subs.txt

figlet -f small -c "Active: dnsx-subs Resolve" | lolcat
# Resolve the candidates with puredns. resolvers.txt and trusted.txt are read
# from the working directory; nothing in this script creates or refreshes them.
puredns resolve dnsx-subs.txt \
  --threads 250 \
  --resolvers resolvers.txt \
  --resolvers-trusted trusted.txt \
  --rate-limit 1000 \
  | tee alterx.txt

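figlet -f small -c "Active: Puredns Services-Names-Wordlist" | lolcat
# services-names.txt and 2m-subdomains.txt are expected in the working
# directory (the script does not create them). The grep keeps only
# hostname-like tokens from puredns' output. "$domain" is quoted so it is
# always a single argument.
puredns bruteforce services-names.txt "$domain" \
  | grep -oE '[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' \
  | tee services-puredns.txt

figlet -f small -c "Active: Puredns 2m-Subdomains-Wordlist" | lolcat
puredns bruteforce 2m-subdomains.txt "$domain" \
  | grep -oE '[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' \
  | tee active-puredns.txt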

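# Step 6: Sorting Active Subdomains
figlet -f small -c "Sorting Active Subdomains" | lolcat
# Strip scheme and :port first, then de-duplicate; doing it the other way
# round (as before) kept "http://x" and "x" as separate entries.
cat active-puredns.txt services-puredns.txt knockpy.txt alterx.txt \
  | sed -E 's#https?://##; s/:([0-9]+)//' \
  | sort -u \
  | tee "$output_dir/active-subs.txt"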

# Step 7: Merging Active Passive Subdomains
figlet -f small -c "Merging Active Passive Subdomains" | lolcat
# sort -u accepts several input files directly; no cat needed.
sort -u "$output_dir/active-subs.txt" "$output_dir/passive-subs.txt" \
  | tee "$output_dir/subdomains.txt"

# Step 8: Probing Live Subs
figlet -f small -c "Probing Live Subs" | lolcat
# httpx-toolkit reads hostnames from stdin and emits one URL per responding
# host/port combination for the listed web and alternate-HTTP ports.
httpx-toolkit -ports 80,443,8080,8000,8888,8881,8889 -threads 200 \
  < "$output_dir/subdomains.txt" \
  | sort -u \
  | tee "$output_dir/livesubdomains.txt"
wc -l < "$output_dir/livesubdomains.txt"

# Step 9: Status 200
figlet -f small -c "Status 200 Subs" | lolcat
httpx -mc 200 < "$output_dir/livesubdomains.txt" \
  | tee "$output_dir/200_livesubdomains.txt"
wc -l < "$output_dir/200_livesubdomains.txt"

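# Step 10: 403 restricted Filtering
# Hosts answering 403 are saved for manual review; no bypass or information
# disclosure checks are performed here.
figlet -f small -c "restricted subdomain Filter for Information disclosure" | lolcat
httpx -mc 403 -o "$output_dir/403_sub.txt" < "$output_dir/livesubdomains.txt"

# Step 11: 404 not found Filtering
# Banner text corrected: it previously repeated the 403 step's wording.
figlet -f small -c "404 Not Found Filter" | lolcat
httpx -mc 404 -o "$output_dir/404_sub.txt" < "$output_dir/livesubdomains.txt"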

# Step 12: Recon with favicon hash to find more targets
figlet -f small -c "Recon with favicon hash to find more targets" | lolcat
# Despite the banner, this only records which live hosts serve /favicon.ico
# with a 200; no hash is computed, so the hash pivot is a manual follow-up.
httpx -path /favicon.ico -mc 200 -o "$output_dir/live-favicon.txt" \
  < "$output_dir/livesubdomains.txt"
  
# Step 13: Keyword Filtering
figlet -f small -c "Keyword Filter" | lolcat
# Case-sensitive substring match over the live URL list; the alternation is
# held in one variable so the keyword set can be extended in a single place.
interesting='api|prod|test|dev|staging|secure|login|admin|beta|support|private|internal|demo|management|dashboard|config|service|analytics|auth'
grep -E -- "$interesting" "$output_dir/livesubdomains.txt" > "$output_dir/important_subs.txt"

# Step 14: Tech Analysis
figlet -f small -c "Tech Stack" | lolcat
# One line per live URL: status code, redirect location, title, Server header
# and detected technologies, following redirects. Steps 15/16 grep this file.
httpx -sc -location -title -server -td -follow-redirects \
  < "$output_dir/livesubdomains.txt" \
  > "$output_dir/httpx_domains.txt"

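# Step 15: Language Filter
figlet -f small -c "Language Filter" | lolcat
# Bucket hosts by the language hinted in Step 14's output (first field is the
# URL). Substring matches are deliberately loose ("asp" also catches "aspx"),
# but "java" must match as a whole word: the plain substring match pulled in
# every host tagged "JavaScript". Output file names are kept as they were.
lang_file="$output_dir/httpx_domains.txt"
grep -i php "$lang_file"   | awk '{print $1}' > "$output_dir/php-html_domains.txt"
grep -i asp "$lang_file"   | awk '{print $1}' > "$output_dir/asp-aspx_domains.txt"
grep -iw java "$lang_file" | awk '{print $1}' > "$output_dir/jsp-jspx-htm-do-actiom_domains.txt"
grep -i CFML "$lang_file"  | awk '{print $1}' > "$output_dir/cfm-html-htm_domains.txt"
grep -i perl "$lang_file"  | awk '{print $1}' > "$output_dir/pl-html-htm_domains.txt"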

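# Step 16: Server Filter
figlet -f small -c "Server Filter" | lolcat
# Collect hosts whose Step 14 line names one of these server stacks (the
# output file name suggests they are checked for default installs later).
# The last pattern used to be `grep -i Adobe ColdFusion`, which searched a
# file literally named "ColdFusion" for "Adobe" and ignored stdin, so it never
# matched anything; the pattern is now quoted.
srv_file="$output_dir/httpx_domains.txt"
grep -i Oracle-HTTP-Server "$srv_file" | awk '{print $1}' | tee "$output_dir/Default_Server.txt"
grep -i Microsoft-IIS/ "$srv_file"     | awk '{print $1}' | tee -a "$output_dir/Default_Server.txt"
grep -i Tomcat "$srv_file"             | awk '{print $1}' | tee -a "$output_dir/Default_Server.txt"
grep -i 'Adobe ColdFusion' "$srv_file" | awk '{print $1}' | tee -a "$output_dir/Default_Server.txt"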

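# Step 17: Clean Intermediate Files
figlet -f small -c "Cleanup" | lolcat
# Everything listed here has already been merged into $output_dir/. -f keeps
# rm quiet when a tool failed and never wrote its file. puredns.txt and a
# top-level subdomains.txt were in the old list but are never created (the
# merged list lives in $output_dir); the active-step intermediates
# (knockpy/alterx/puredns outputs), which used to be left behind, are removed.
rm -f -- dnsx-subs.txt wayback.txt virustotal.txt github-subdomains.txt crt.txt \
  assetfinder.txt subfinder.txt findomain.txt amass.txt raw-amass.txt domains-amass.txt \
  knockpy.txt alterx.txt services-puredns.txt active-puredns.txt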

# Step 18: checking subdomain takeover
figlet -f small -c "Checking Subdomain Takeover" | lolcat
# The template path is absolute (/detect-all-takeovers.yaml); it has to be
# placed there or the path adjusted — nothing in this script fetches it.
takeover_tpl=/detect-all-takeovers.yaml
nuclei -list "$output_dir/livesubdomains.txt" -t "$takeover_tpl" -o "$output_dir/sub-takeovers.txt"

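# Shodan IP discovery, then a port scan of IPs + live hosts
# The Shodan key comes from the environment; `shodan init` persists it to the
# user's Shodan config, so it is run once rather than before every query. Any
# key that was previously hardcoded in this file should be treated as leaked
# and rotated.
: "${SHODAN_API_KEY:?set SHODAN_API_KEY to a Shodan API key}"
if shodan init "$SHODAN_API_KEY"; then
  # NOTE(review): the bare `200` is part of the query text, not a result
  # limit (the CLI has a separate --limit option); kept as-is — confirm intent.
  shodan search hostname:"$domain" 200 --fields ip_str | tee all-ip.txt
  shodan search ssl.cert.subject.CN:"$domain" 200 --fields ip_str | tee -a all-ip.txt
fi
sort -u all-ip.txt | tee "$output_dir/ip.txt"
rm -f -- all-ip.txt
wc -l < "$output_dir/ip.txt"
# assets.txt = bare IPs followed by the http(s):// URLs from Step 8. Whether
# naabu strips the scheme/port from the URL entries is not verified here.
cat "$output_dir/ip.txt" "$output_dir/livesubdomains.txt" | tee "$output_dir/assets.txt"
naabu -tp 1000 -l "$output_dir/assets.txt" -c 100 | tee "$output_dir/internal-development-services.txt"
httpx -title -sc -td -location -o "$output_dir/development-services-detection.txt" \
  < "$output_dir/internal-development-services.txt"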

# Step 18: Merging All Assets
figlet -f small -c "Merging livesubdomains + ip + internal-development-services" | lolcat
# Plain concatenation (no de-duplication), exactly as before.
cat "$output_dir/assets.txt" "$output_dir/internal-development-services.txt" \
  | tee "$output_dir/all-data.txt"

# Step 18: subdomains CVE + Tech Mapping
figlet -f small -c "subdomains CVE + Tech Mapping" | lolcat
# cve/osint/tech tagged templates at info, medium, high and critical severity
# (low is not selected) across IPs, live URLs and open-port targets.
nuclei -list "$output_dir/all-data.txt" \
  -tags cve,osint,tech \
  -severity info,high,critical,medium \
  -o "$output_dir/subdomain-CVE.txt"

# Step 19: checking subdomain takeover
figlet -f small -c "Checking Subdomain Takeover" | lolcat
# Second takeover pass with subzy; failures are hidden and TLS is verified.
# Results go to stdout only — nothing from this step is written to $output_dir.
subzy run \
  --targets "$output_dir/livesubdomains.txt" \
  --concurrency 100 \
  --hide_fails \
  --verify_ssl


figlet -f slant -c "All Tasks Done!" | lolcat
