sub
domain=who.int; figlet -f small -c "Passive: Subfinder" | lolcat; subfinder -d $domain -all -recursive -t 200 -o subfinder.txt; figlet -f small -c "Passive: Assetfinder" | lolcat; assetfinder --subs-only $domain | tee assetfinder.txt; figlet -f small -c "Passive: Findomain" | lolcat; findomain --quiet -t $domain -u findomain.txt; figlet -f small -c "Passive: Web Archive" | lolcat; curl -s "https://web.archive.org/cdx/search/cdx?url=*.$domain&fl=original&collapse=urlkey" | awk -F/ '{print $3}' | sort -u | tee archive.txt; figlet -f small -c "Passive: crt.sh" | lolcat; curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' | tee crt.txt; figlet -f small -c "Active: Knockpy" | lolcat; knockpy -d $domain --recon --bruteforce | grep -oP 'https?://[a-zA-Z0-9.-]+(:[0-9]+)?' | tee knockpy.txt; figlet -f small -c "Sorting Subdomains" | lolcat; cat knockpy.txt crt.txt archive.txt assetfinder.txt subfinder.txt findomain.txt | sort -u | tee subdomains.txt#!/bin/bash
figlet -f slant -c "Start Hacking" | lolcat && figlet -f digital -c "Hack to Learn" | lolcat && figlet -f mini -c "Sub Fear" | lolcat
# Step 1: Accept the domain name from the user
figlet -f small -c "Enter Domain" | lolcat
echo -e "\033[1;34mEnter the domain name:\033[0m"
read domain
# Step 2: Prepare directories
figlet -f small -c "Setting Up Output Dir" | lolcat
rm -r "subdomains_output"
output_dir="subdomains_output"
mkdir -p "$output_dir"
# Step 3: Start Passive Enum
figlet -f small -c "Passive: Subfinder" | lolcat
subfinder -d $domain -all -recursive -t 200 -o subfinder.txt
figlet -f small -c "Passive: Assetfinder" | lolcat
assetfinder --subs-only $domain | tee assetfinder.txt
figlet -f small -c "Passive: Findomain" | lolcat
findomain --quiet -t $domain -u findomain.txt
figlet -f small -c "Passive: Web Archive" | lolcat
curl -s "http://web.archive.org/cdx/search/cdx?url=*.$domain/*&output=text&fl=original&collapse=urlkey" |sort| sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | sort -u | tee wayback.txt
figlet -f small -c "Passive: crt.sh" | lolcat
curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee crt.txt
figlet -f small -c "Passive: Virustotal" | lolcat
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=e4726b21a95fb9db348aaa70bbe44121aa5054ada6171a61e680fc2b398bdbe1&domain=$domain" | grep -oE '[a-zA-Z0-9.-]+\.[a-z]{2,}' | sort -u | tee virustotal.txt
figlet -f small -c "Passive: GitHub" | lolcat
export GITHUB_TOKEN=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
github-subdomains -d $domain -o github-subdomains.txt
figlet -f small -c "Passive: Amass" | lolcat
amass enum -d $domain -o domains-amass.txt -timeout 12 -v
cat domains-amass.txt | grep $domain | grep -oP '^\S+' | sort -u > raw-amass.txt
cat raw-amass.txt | sed 's/\x1b\[[0-9;]*m//g' > amass.txt
# Step 4: Sorting Passive Subdomains
figlet -f small -c "Sorting Passive Subdomains" | lolcat
cat amass.txt github-subdomains.txt crt.txt wayback.txt virustotal.txt assetfinder.txt subfinder.txt findomain.txt | sort -u | sed -E 's#https?://##; s/:([0-9]+)//' | tee "$output_dir/passive-subs.txt"
# Step 5: Start Active/Brute Enum
figlet -f small -c "Active: Knockpy" | lolcat
knockpy -d $domain --recon --bruteforce | grep -oP 'https?://[a-zA-Z0-9.-]+(:[0-9]+)?' | tee knockpy.txt
figlet -f small -c "Active: Alterx + DNSX with Multiple Variations" | lolcat
subfinder -d "$domain" | alterx | dnsx | tee dnsx-subs.txt
echo "$domain" | alterx | dnsx | tee -a dnsx-subs.txt
echo "$domain" | alterx -enrich | dnsx | tee -a dnsx-subs.txt
echo "$domain" | alterx -pp word=/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | dnsx | tee -a dnsx-subs.txt && cat dnsx-subs.txt | wc -l
figlet -f small -c "Active: dnsx-subs Resolve" | lolcat
puredns resolve dnsx-subs.txt --threads 250 --resolvers resolvers.txt --resolvers-trusted trusted.txt --rate-limit 1000 | tee alterx.txt
figlet -f small -c "Active: Puredns Services-Names-Wordlist" | lolcat
puredns bruteforce services-names.txt $domain | grep -oE '[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' | tee services-puredns.txt
figlet -f small -c "Active: Puredns 2m-Subdomains-Wordlist" | lolcat
puredns bruteforce 2m-subdomains.txt $domain | grep -oE '[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' | tee active-puredns.txt
# Step 6: Sorting Active Subdomains
figlet -f small -c "Sorting Active Subdomains" | lolcat
cat active-puredns.txt services-puredns.txt knockpy.txt alterx.txt | sort -u | sed -E 's#https?://##; s/:([0-9]+)//' | tee "$output_dir/active-subs.txt"
# Step 7: Merging Active Passive Subdomains
figlet -f small -c "Merging Active Passive Subdomains" | lolcat
cat "$output_dir/active-subs.txt" "$output_dir/passive-subs.txt" | sort -u | tee "$output_dir/subdomains.txt"
# Step 8: Probing Live Subs
figlet -f small -c "Probing Live Subs" | lolcat
cat "$output_dir/subdomains.txt" | httpx-toolkit -ports 80,443,8080,8000,8888,8881,8889 -threads 200 | sort -u | tee "$output_dir/livesubdomains.txt"
cat "$output_dir/livesubdomains.txt" | wc -l
# Step 9: Status 200
figlet -f small -c "Status 200 Subs" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -mc 200 | tee "$output_dir/200_livesubdomains.txt"
cat "$output_dir/200_livesubdomains.txt" | wc -l
# Step 10: 403 restricted Filtering
figlet -f small -c "restricted subdomain Filter for Information disclosure" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -mc 403 -o "$output_dir/403_sub.txt"
# Step 11: 404 not found Filtering
figlet -f small -c "restricted subdomain Filter for Information disclosure" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -mc 404 -o "$output_dir/404_sub.txt"
# Step 12: Recon with favicon hash to find more targets
figlet -f small -c "Recon with favicon hash to find more targets" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -path /favicon.ico -mc 200 -o "$output_dir/live-favicon.txt"
# Step 13: Keyword Filtering
figlet -f small -c "Keyword Filter" | lolcat
cat "$output_dir/livesubdomains.txt" | grep -E 'api|prod|test|dev|staging|secure|login|admin|beta|support|private|internal|demo|management|dashboard|config|service|analytics|auth' > "$output_dir/important_subs.txt"
# Step 14: Tech Analysis
figlet -f small -c "Tech Stack" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -sc -location -title -server -td -follow-redirects > "$output_dir/httpx_domains.txt"
# Step 15: Language Filter
figlet -f small -c "Language Filter" | lolcat
cat "$output_dir/httpx_domains.txt" | grep -i php | awk '{print $1}' > "$output_dir/php-html_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i asp | awk '{print $1}' > "$output_dir/asp-aspx_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i java | awk '{print $1}' > "$output_dir/jsp-jspx-htm-do-actiom_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i CFML | awk '{print $1}' > "$output_dir/cfm-html-htm_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i perl | awk '{print $1}' > "$output_dir/pl-html-htm_domains.txt"
# Step 16: Server Filter
figlet -f small -c "Server Filter" | lolcat
cat "$output_dir/httpx_domains.txt" | grep -i Oracle-HTTP-Server | awk '{print $1}' | tee "$output_dir/Default_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Microsoft-IIS/ | awk '{print $1}' | tee -a "$output_dir/Default_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Tomcat | awk '{print $1}' | tee -a "$output_dir/Default_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Adobe ColdFusion | awk '{print $1}' | tee -a "$output_dir/Default_Server.txt"
# Step 17: Clean Intermediate Files
figlet -f small -c "Cleanup" | lolcat
rm dnsx-subs.txt wayback.txt virustotal.txt github-subdomains.txt puredns.txt crt.txt assetfinder.txt subfinder.txt findomain.txt amass.txt raw-amass.txt domains-amass.txt subdomains.txt
# Step 18: subdomains CVE + Tech Mapping
figlet -f small -c "subdomains CVE + Tech Mapping" | lolcat
nuclei -list "$output_dir/livesubdomains.txt" -tags cves,osint,tech -o "$output_dir/subdomain-CVE.txt"
# Step 19: checking subdomain takeover
figlet -f small -c "Checking Subdomain Takeover" | lolcat
subzy run --targets "$output_dir/livesubdomains.txt" --concurrency 100 --hide_fails --verify_ssl
# Step 20: Param Discovery
figlet -f small -c "Param Discovery" | lolcat
arjun -i "$output_dir/200_livesubdomains.txt" -oT "$output_dir/arjun.txt"
cat "$output_dir/arjun.txt" | Gxss -c 100 -p Rxss -o "$output_dir/xss.txt"
figlet -f slant -c "All Tasks Done!" | lolcat#!/bin/bash
figlet -f slant -c "Start Hacking" | lolcat && figlet -f digital -c "Hack to Learn" | lolcat && figlet -f mini -c "Sub Fear" | lolcat
# Step 1: Accept the domain name from the user
figlet -f small -c "Enter Domain" | lolcat
echo -e "\033[1;34mEnter the domain name:\033[0m"
read domain
# Step 2: Prepare directories
figlet -f small -c "Setting Up Output Dir" | lolcat
rm -r "subdomains_output"
output_dir="subdomains_output"
mkdir -p "$output_dir"
# Step 3: Start Passive Enum
figlet -f small -c "Passive: Subfinder" | lolcat
subfinder -d $domain -all -recursive -t 200 -o subfinder.txt
figlet -f small -c "Passive: Assetfinder" | lolcat
assetfinder --subs-only $domain | tee assetfinder.txt
figlet -f small -c "Passive: Findomain" | lolcat
findomain --quiet -t $domain -u findomain.txt
export GITHUB_TOKEN=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
figlet -f small -c "Passive: GitHub" | lolcat
github-subdomains -d $domain -o github-subdomains.txt
figlet -f small -c "Passive: Amass" | lolcat
amass enum -d $domain -o domains-amass.txt -timeout 12 -v
cat domains-amass.txt | grep $domain | grep -oP '^\S+' | sort -u > raw-amass.txt
cat raw-amass.txt | sed 's/\x1b\[[0-9;]*m//g' > amass.txt
figlet -f small -c "Passive: Web Archive" | lolcat
curl -s "https://web.archive.org/cdx/search/cdx?url=*.$domain&fl=original&collapse=urlkey" | awk -F/ '{print $3}' | sort -u | tee archive.txt
figlet -f small -c "Passive: crt.sh" | lolcat
curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' | tee crt.txt
# Step 3: Sorting Passive Subdomains
figlet -f small -c "Sorting Passive Subdomains" | lolcat
cat github-subdomains.txt crt.txt archive.txt assetfinder.txt subfinder.txt findomain.txt amass.txt | sort -u | tee "$output_dir/passive-subs.txt"
# Step 4: Start Active/Brute Enum
figlet -f small -c "Active: Knockpy" | lolcat
knockpy -d $domain --recon --bruteforce | grep -oP 'https?://[a-zA-Z0-9.-]+(:[0-9]+)?' | tee knockpy.txt
figlet -f small -c "Active: Alterx + DNSX" | lolcat
cat "$output_dir/passive-subs.txt" | alterx | dnsx -t 1000 | tee dnsx-subs.txt
figlet -f small -c "Active: dnsx-subs Resolve" | lolcat
puredns resolve dnsx-subs.txt --threads 250 --resolvers resolvers.txt --resolvers-trusted trusted.txt --rate-limit 1000 | tee alterx.txt
figlet -f small -c "Active: Puredns Wordlist" | lolcat
puredns bruteforce 2m-subdomains.txt $domain | grep -oE '[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' | tee puredns.txt
# Step 3: Sorting Active Subdomains
figlet -f small -c "Sorting Active Subdomains" | lolcat
cat knockpy.txt alterx.txt puredns.txt | sort -u | tee "$output_dir/active-subs.txt"
# Step 3: Merging Active Passive Subdomains
figlet -f small -c "Merging Active Passive Subdomains" | lolcat
cat "$output_dir/active-subs.txt" "$output_dir/passive-subs.txt" | sort -u | tee "$output_dir/subdomains.txt"
# Step 3: Probing Live Subs
figlet -f small -c "Probing Live Subs" | lolcat
cat "$output_dir/subdomains.txt" | httpx -silent -threads 50 | tee "$output_dir/livesubdomains.txt"
cat "$output_dir/livesubdomains.txt" | wc -l
# Step 5: Status 200
figlet -f small -c "Status 200 Subs" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -mc 200 | tee "$output_dir/200_livesubdomains.txt"
cat "$output_dir/200_livesubdomains.txt" | wc -l
# Step 6: Domain Port Scan
figlet -f small -c "Domain Port Scanning" | lolcat
naabu -tp 1000 -l "$output_dir/subdomains.txt" -o "$output_dir/sub-with-ports.txt"
cat "$output_dir/sub-with-ports.txt" | httpx -title -sc -location -ip -td -follow-redirects | tee "$output_dir/exposed-services.txt"
# Step 7: Reverse DNS to find Origin IP
figlet -f small -c "Reverse DNS to find Origin IP" | lolcat
dnsx -l "$output_dir/livesubdomains.txt" -silent -a -resp-only -o all-ip.txt && cat all-ip.txt | sort -u | tee ip.txt
cat ip.txt | dnsx -ptr -resp-only | tee dnsx.txt
> origin-ip.txt
while read -r host; do
echo "Querying: $host"
ip=$(nslookup "$host" | grep "Address" | tail -n +2 | awk '{print $2}')
if [[ -n "$ip" ]]; then
echo "$ip" >> origin-ip.txt
else
echo "No IP found for $host" >&2
fi
done < dnsx.txt
# Step 6: Sorting All IP
figlet -f small -c "Sorting All IP" | lolcat
cat origin-ip.txt | sort -u | tee -a ip.txt
sort -u ip.txt | tee "$output_dir/live-ip.txt"
# Step 6: IP Port Scan
figlet -f small -c "IP Port Scanning" | lolcat
naabu -tp 1000 -l "$output_dir/live-ip.txt" -o "$output_dir/ip-with-ports.txt"
cat "$output_dir/dnsx.txt" | grep $domain | grep -oP '^\S+' | sort -u | httpx | tee -a "$output_dir/livesubdomains.txt"
cat "$output_dir/ip-with-ports.txt" | httpx -title -sc -location -td -follow-redirects | tee -a "$output_dir/exposed-services.txt"
# Step 8: restricted Filtering
figlet -f small -c "restricted subdomain Filter for Information disclosure" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -mc 403 -o "$output_dir/403_livesubdomains.txt"
# Step 9: Keyword Filtering
figlet -f small -c "Keyword Filter" | lolcat
cat "$output_dir/livesubdomains.txt" | grep -E 'api|prod|test|dev|staging|secure|login|admin|beta|support|private|internal|demo|management|dashboard|config|service|analytics|auth' > "$output_dir/important_subs.txt"
# Step 10: Tech Analysis
figlet -f small -c "Tech Stack" | lolcat
cat "$output_dir/livesubdomains.txt" | httpx -sc -location -title -server -td -follow-redirects > "$output_dir/httpx_domains.txt"
# Step 11: Language Filter
figlet -f small -c "Language Filter" | lolcat
cat "$output_dir/httpx_domains.txt" | grep -i php | awk '{print $1}' > "$output_dir/php-html_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i asp | awk '{print $1}' > "$output_dir/asp-aspx_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i java | awk '{print $1}' > "$output_dir/jsp-jspx-htm-do-actiom_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i CFML | awk '{print $1}' > "$output_dir/cfm-html-htm_domains.txt"
cat "$output_dir/httpx_domains.txt" | grep -i perl | awk '{print $1}' > "$output_dir/pl-html-htm_domains.txt"
# Step 12: Server Filter
figlet -f small -c "Server Filter" | lolcat
cat "$output_dir/httpx_domains.txt" | grep -i apache | awk '{print $1}' > "$output_dir/Apache_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Nginx | awk '{print $1}' > "$output_dir/Nginx_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i IIS | awk '{print $1}' > "$output_dir/IIS-Windows_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i oracle | awk '{print $1}' > "$output_dir/Oracle-weblogic_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Tomcat | awk '{print $1}' > "$output_dir/Apache_Tomcat_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i httpd | awk '{print $1}' > "$output_dir/httpd_Tomcat_Server.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Adobe ColdFusion | awk '{print $1}' > "$output_dir/Adobe-ColdFusion.txt"
# Step 13: WAF Detection
figlet -f small -c "WAF Detection" | lolcat
cat "$output_dir/httpx_domains.txt" | grep -i Cloudflare | awk '{print $1}' > "$output_dir/Cloudflare_WAF.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Akamai | awk '{print $1}' > "$output_dir/Akamai_WAF.txt"
cat "$output_dir/httpx_domains.txt" | grep -i Amazon CloudFront | awk '{print $1}' > "$output_dir/Amazon_CloudFront_WAF.txt"
cat "$output_dir/httpx_domains.txt" | grep -i imperva | awk '{print $1}' > "$output_dir/imperva_WAF.txt"
# Step 14: Screenshotting
figlet -f small -c "Screenshotting" | lolcat
gowitness scan file -f "$output_dir/livesubdomains.txt" --delay 4 --screenshot-fullpage --screenshot-path screenshots/ --write-csv-file 100sshost.csv --write-db
gowitness report generate --screenshot-path screenshots/ --zip-name screenshots-report.zip
chmod +x screenshots-report.zip
unzip screenshots-report.zip -d "$output_dir/sc-report"
rm -r screenshots
# Step 15: Clean Intermediate Files
figlet -f small -c "Cleanup" | lolcat
rm github-subdomains.txt knockpy.txt puredns.txt crt.txt archive.txt assetfinder.txt subfinder.txt findomain.txt amass.txt raw-amass.txt domains-amass.txt subdomains.txt all-ip.txt gowitness.sqlite3
# Step 16: CVE Scanning
figlet -f small -c "CVE Scan" | lolcat
cat "$output_dir/livesubdomains.txt" "$output_dir/sort-origin-ip.txt" "$output_dir/ip-with-ports.txt" > "$output_dir/nuclei-scan-sub.txt"
cat "$output_dir/livesubdomains.txt" | nuclei -t /home/kali/target/nuclei-templates -o "$output_dir/swagger-xss.txt"
cat "$output_dir/nuclei-scan-sub.txt" | nuclei --tags cve,xss,lfi,rce --s info,high,critical,medium -es unknown -o "$output_dir/Domain-CVE.txt"
# Step 17: Param Discovery
figlet -f small -c "Param Discovery" | lolcat
arjun -i "$output_dir/livesubdomains.txt" -oT "$output_dir/arjun.txt"
cat "$output_dir/arjun.txt" | Gxss -c 100 -p Rxss -o "$output_dir/xss.txt"
figlet -f slant -c "All Tasks Done!" | lolcat
Last updated