-
-
Notifications
You must be signed in to change notification settings - Fork 149
/
Copy pathmagicrecon.sh
executable file
·632 lines (536 loc) · 23 KB
/
magicrecon.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
#!/bin/bash
. ./configuration.cfg
actualDir=$(pwd)
##############################################
############### PASSIVE RECON ################
##############################################
passive_recon(){
printf "${BOLD}${GREEN}[*] STARTING FOOTPRINTING${NORMAL}\n\n"
printf "${BOLD}${GREEN}[*] TARGET URL:${YELLOW} $domain ${NORMAL}\n"
ip_adress=$(dig +short $domain)
printf "${BOLD}${GREEN}[*] TARGET IP ADDRESS:${YELLOW} $ip_adress ${NORMAL}\n\n"
domain=$1
domainName="https://"$domain
company=$(echo $domain | awk -F[.] '{print $1}')
cd targets
if [ -d $domain ]; then rm -Rf $domain; fi
mkdir $domain
cd $domain
if [ -d footprinting ]; then rm -Rf footprinting; fi
mkdir footprinting
cd footprinting
printf "${GREEN}[+] Checking if the target is alive...${NORMAL}\n"
if ping -c 1 -W 1 "$domain" &> /dev/null;
then
printf "\n${BOLD}${YELLOW}$domain${NORMAL} is alive!${NORMAL}\n\n"
else
if [ $mode == "more" ]
then
printf "\n${BOLD}${YELLOW}$domain${RED} is not alive.${NORMAL}\n\n"
return
else
printf "\n${BOLD}${YELLOW}$domain${RED} is not alive. Aborting passive reconnaissance${NORMAL}\n\n"
exit 1
fi
fi
printf "${GREEN}[+] Whois Lookup${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching domain name details, contact details of domain owner, domain name servers, netRange, domain dates, expiry records, records last updated...${NORMAL}\n\n"
whois $domain | grep 'Domain\|Registry\|Registrar\|Updated\|Creation\|Registrant\|Name Server\|DNSSEC:\|Status\|Whois Server\|Admin\|Tech' | grep -v 'the Data in VeriSign Global Registry' | tee whois.txt
printf "\n${GREEN}[+] Nslookup ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching DNS Queries...${NORMAL}\n\n"
nslookup $domain | tee nslookup.txt
printf "\n${GREEN}[+] Horizontal domain correlation/acquisitions ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching horizontal domains...${NORMAL}\n\n"
email=$(whois $domain | grep "Registrant Email" | egrep -ho "[[:graph:]]+@[[:graph:]]+")
curl -s -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36" "https://viewdns.info/reversewhois/?q=$email" | html2text | grep -Po "[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)" | tail -n +4 | head -n -1
printf "\n${GREEN}[+] ASN Lookup ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching ASN number of a company that owns the domain...${NORMAL}\n\n"
python3 ~/tools/Asnlookup/asnlookup.py -o $company | tee -a asn.txt
printf "\n${GREEN}[+] WhatWeb ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching platform, type of script, google analytics, web server platform, IP address, country, server headers, cookies...${NORMAL}\n\n"
whatweb $domain | tee whatweb.txt
printf "\n${GREEN}[+] SSL Checker ${NORMAL}\n"
printf "${NORMAL}${CYAN}Collecting SSL/TLS information...${NORMAL}\n\n"
python3 ~/tools/ssl-checker/ssl_checker.py -H $domainName | tee ssl.txt
printf "\n${GREEN}[+] Aquatone ${NORMAL}\n"
printf "${NORMAL}${CYAN}Taking screenshot...${NORMAL}\n\n"
echo $domainName | aquatone -screenshot-timeout $aquatoneTimeout -out screenshot &> /dev/null
printf "\n${GREEN}[+] TheHarvester ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching emails, subdomains, hosts, employee names...${NORMAL}\n\n"
python3 ~/tools/theHarvester/theHarvester.py -d $domain -b all -l 500 -f theharvester.html > theharvester.txt
printf "${NORMAL}${CYAN}Users found: ${NORMAL}\n\n"
cat theharvester.txt | awk '/Users/,/IPs/' | sed -e '1,2d' | head -n -2 | anew -q users.txt
cat users.txt
printf "${NORMAL}${CYAN}IP's found: ${NORMAL}\n\n"
cat theharvester.txt | awk '/IPs/,/Emails/' | sed -e '1,2d' | head -n -2 | anew -q ips.txt
cat ips.txt
printf "${NORMAL}${CYAN}Emails found: ${NORMAL}\n\n"
cat theharvester.txt | awk '/Emails/,/Hosts/' | sed -e '1,2d' | head -n -2 | anew -q emails.txt
cat emails.txt
printf "${NORMAL}${CYAN}Hosts found: ${NORMAL}\n\n"
cat theharvester.txt | awk '/Hosts/,/Trello/' | sed -e '1,2d' | head -n -2 | anew -q hosts.txt
cat hosts.txt
printf "\n${GREEN}[+] CloudEnum ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching public resources in AWS, Azure, and Google Cloud....${NORMAL}\n\n"
key=$(echo $domain | sed s/".com"//)
python3 ~/tools/cloud_enum/cloud_enum.py -k $key --quickscan | tee cloud.txt
printf "\n${GREEN}[+] GitDorker ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching interesting data on GitHub...${NORMAL}\n\n"
domainName="https://"$domain
python3 ~/tools/GitDorker/GitDorker.py -t $github_token -d ~/tools/GitDorker/Dorks/alldorksv3 -q $domain -o dorks.txt
if [ "$2" = true ];
then
printf "\n${GREEN}[+] Whois results: ${NORMAL}\n" | notify -silent | cat whois.txt | notify -silent
printf "\n${GREEN}[+] Nslookup results: ${NORMAL}\n" | notify -silent | cat nslookup.txt | notify -silent
printf "\n${GREEN}[+] ASN Lookup results: ${NORMAL}\n" | notify -silent | cat asn.txt | notify -silent
printf "\n${GREEN}[+] WhatWeb results: ${NORMAL}\n" | notify -silent | cat whatweb.txt | notify -silent
printf "\n${GREEN}[+] SSL Checker results: ${NORMAL}\n" | notify -silent | cat ssl.txt | notify -silent
printf "\n${GREEN}[+] TheHarvester users results: ${NORMAL}\n" | notify -silent | cat users.txt | notify -silent
printf "\n${GREEN}[+] TheHarvester ips results: ${NORMAL}\n" | notify -silent | cat ips.txt | notify -silent
printf "\n${GREEN}[+] TheHarvester emails results: ${NORMAL}\n" | notify -silent | cat emails.txt | notify -silent
printf "\n${GREEN}[+] TheHarvester hosts results: ${NORMAL}\n" | notify -silent | cat hosts.txt | notify -silent
printf "\n${GREEN}[+] CloudEnum results: ${NORMAL}\n" | notify -silent | cat cloud.txt | notify -silent
printf "\n${GREEN}[+] GitDorker results: ${NORMAL}\n" | notify -silent | cat dorks.txt | notify -silent
fi
cd $actualDir
}
##############################################
############### ACTIVE RECON #################
##############################################
active_recon(){
printf "${BOLD}${GREEN}[*] STARTING FINGERPRINTING${NORMAL}\n\n"
printf "${BOLD}${GREEN}[*] TARGET URL:${YELLOW} $domain ${NORMAL}\n"
ip_adress=$(dig +short $domain)
printf "${BOLD}${GREEN}[*] TARGET IP ADDRESS:${YELLOW} $ip_adress ${NORMAL}\n\n"
domain=$1
domainName="https://"$domain
cd targets
if [ -d $domain ]; then rm -Rf $domain; fi
mkdir $domain
cd $domain
if [ -d fingerprinting ]; then rm -Rf fingerprinting; fi
mkdir fingerprinting
cd fingerprinting
printf "\n${GREEN}[+] Robots.txt ${NORMAL}\n"
printf "${NORMAL}${CYAN}Checking directories and files from robots.txt...${NORMAL}\n\n"
python3 ~/tools/robotScraper/robotScraper.py -d $domain -s output_robot.txt
printf "\n${GREEN}[+] Hakrawler & gau ${NORMAL}\n"
printf "${NORMAL}${CYAN}Gathering URLs and JavaSript file locations...${NORMAL}\n\n"
echo $domainName | hakrawler | tee -a paths.txt
gau $domain >> paths.txt
sort -u paths.txt -o paths.txt
printf "\n${GREEN}[+] Arjun ${NORMAL}\n"
printf "${NORMAL}${CYAN}Finding query parameters for URL endpoints....${NORMAL}\n\n"
arjun -u $domainName -oT parameters.txt
printf "\n${GREEN}[+] Vulnerability: Secrets in JS${NORMAL}\n"
printf "${NORMAL}${CYAN}Obtaining all the JavaScript files of the domain ...${NORMAL}\n\n"
echo $domain | gau | grep '\.js$' | httpx -mc 200 -content-type -silent | grep 'application/javascript' | awk -F '[' '{print $1}' | tee -a js.txt
printf "\n${NORMAL}${CYAN}Discovering sensitive data like apikeys, accesstoken, authorizations, jwt, etc in JavaScript files...${NORMAL}\n\n"
for url in $(cat js.txt);do
python3 ~/tools/SecretFinder/SecretFinder.py --input $url -o cli | tee -a secrefinder.txt
done
printf "\n${GREEN}[+] DirSearch ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching interesting directories and files...${NORMAL}\n\n"
sudo dirsearch -u $domain --deep-recursive --random-agent --exclude-status $excludeStatus -w $dictionary -o dirsearch
printf "\n${GREEN}[+] Nmap ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching open ports...${NORMAL}\n\n"
nmap -p- --open -T5 -v -n $domain -oN nmap.txt
if [ "$2" = true ];
then
printf "\n${GREEN}[+] Robots.txt results: ${NORMAL}\n" | notify -silent | cat output_robot.txt | notify -silent
printf "\n${GREEN}[+] Hakrawler & gau results: ${NORMAL}\n" | notify -silent | cat paths.txt | notify -silent
printf "\n${GREEN}[+] Arjun results: ${NORMAL}\n" | notify -silent | cat parameters.txt | notify -silent
printf "\n${GREEN}[+] Secrets in JS results: ${NORMAL}\n" | notify -silent | cat secrefinder.txt | notify -silent
printf "\n${GREEN}[+] Dirsearch results: ${NORMAL}\n" | notify -silent | cat dirsearch | notify -silent
printf "\n${GREEN}[+] Nmap results: ${NORMAL}\n" | notify -silent | cat nmap.txt | notify -silent
fi
cd $actualDir
}
##############################################
############### ALL MODES ####################
##############################################
all(){
passive_recon $domain
active_recon $domain
vulnerabilities $domain
}
##############################################
############### ALL RECON ####################
##############################################
all_recon(){
passive_recon
active_recon
}
##############################################
############### MASSIVE RECON ################
##############################################
massive_recon(){
printf "${BOLD}${GREEN}[*] STARTING MASSIVE VULNERABILITY ANALYSIS${NORMAL}\n\n"
printf "${BOLD}${GREEN}[*] WILDCARD:${YELLOW} *.$wildcard ${NORMAL}\n"
if [ -d automatic_recon ];
then
rm -Rf automatic_recon;
fi
mkdir automatic_recon
cd automatic_recon
while true;
do
subfinder -d $wildcard | anew subdomains.txt | httpx | nuclei -t ~/tools/nuclei-templates/ | notify ; sleep $massiveTime;
printf "${NORMAL}${CYAN}[+] The vulnerabilities found have been notified. Waiting $massiveTime seconds for the new scan.${NORMAL}\n\n"
done
cd $actualDir
}
##############################################
############### VULNERABILITIES ##############
##############################################
vulnerabilities(){
printf "${BOLD}${GREEN}[*] STARTING VULNERABILITY SCAN${NORMAL}\n\n"
printf "${BOLD}${GREEN}[*] TARGET URL:${YELLOW} $domain ${NORMAL}\n"
ip_adress=$(dig +short $domain)
printf "${BOLD}${GREEN}[*] TARGET IP ADDRESS:${YELLOW} $ip_adress ${NORMAL}\n\n"
domain=$1
domainName="https://"$domain
cd targets
if [ -d $domain ]; then rm -Rf $domain; fi
mkdir $domain
cd $domain
if [ -d vulnerabilities ]; then rm -Rf vulnerabilities; fi
mkdir vulnerabilities
cd vulnerabilities
printf "\n${GREEN}[+] Vulnerability: Missing headers${NORMAL}\n"
printf "${NORMAL}${CYAN}Cheking security headers...${NORMAL}\n\n"
python3 ~/tools/shcheck/shcheck.py $domainName | tee headers.txt | grep 'Missing security header:\|There are\|--'
printf "\n${GREEN}[+] Vulnerability: Email spoofing ${NORMAL}\n"
printf "${NORMAL}${CYAN}Cheking SPF and DMARC record...${NORMAL}\n\n"
mailspoof -d $domain | tee spoof.json
printf "\n${GREEN}[+] Vulnerability: Subdomain takeover ${NORMAL}\n"
printf "${NORMAL}${CYAN}Checking if sub-domain is pointing to a service that has been removed or deleted...${NORMAL}\n\n"
subjack -d $domain -ssl -v | tee takeover.txt
printf "\n${GREEN}[+] Vulnerability: CORS${NORMAL}\n"
printf "${NORMAL}${CYAN}Checking all known misconfigurations in CORS implementations...${NORMAL}\n\n"
python3 ~/tools/Corsy/corsy.py -u $domainName | tee cors.txt
printf "\n${GREEN}[+] Vulnerability: 403 bypass${NORMAL}\n"
printf "${NORMAL}${CYAN}Gathering endpoints that they return 403 status code...${NORMAL}\n\n"
touch endpoints_403.txt
save_ouput=$actualDir"/targets/"$domain"/vulnerabilities/endpoints_403.txt"
sudo dirsearch -u $domainName --random-agent --include-status 403 -w $dictionary --format plain -o $save_ouput
printf "\n${NORMAL}${CYAN}Trying to bypass 403 status code...${NORMAL}\n\n"
for url in $(cat endpoints_403.txt);
do
domainAWK=$domain":443"
endpoint=$(echo $url | awk -F $domainAWK '{print $2}')
if [ -n "$endpoint" ]
then
python3 ~/tools/403bypass/4xx.py $domainName $endpoint | tee -a bypass403.txt
fi
done
printf "\n${GREEN}[+] Vulnerability: Cross Site Request Forgery (CSRF/XSRF)${NORMAL}\n"
printf "${NORMAL}${CYAN}Checking all known misconfigurations in CSRF/XSRF implementations...${NORMAL}\n\n"
python3 ~/tools/Bolt/bolt.py -u $domainName -l 2 | tee -a csrf.txt
printf "\n${GREEN}[+] Vulnerability: Open Redirect${NORMAL}\n"
printf "${NORMAL}${CYAN}Finding Open redirect entry points in the domain...${NORMAL}\n\n"
gau $domain | gf redirect archive | qsreplace | tee or_urls.txt
printf "\n"
printf "${NORMAL}${CYAN}Checking if the entry points are vulnerable...${NORMAL}\n\n"
cat or_urls.txt | qsreplace "https://google.com" | httpx -silent -status-code -location
cat or_urls.txt | qsreplace "//google.com/" | httpx -silent -status-code -location
cat or_urls.txt | qsreplace "//\google.com" | httpx -silent -status-code -location
printf "\n${GREEN}[+] Vulnerability: SSRF${NORMAL}\n"
printf "${NORMAL}${CYAN}Trying to find SSRF vulnerabilities...${NORMAL}\n\n"
printf "${RED}[!] Remember to enter your Burp Collaborator link in the configuration.cfg file \n\n${NORMAL}"
findomain -t $domain | httpx -silent -threads 1000 | gau | grep "=" | qsreplace $burpCollaborator | tee -a ssrf.txt
printf "\n${GREEN}[+] Vulnerability: XSS${NORMAL}\n"
printf "${NORMAL}${CYAN}Trying to find XSS vulnerabilities...${NORMAL}\n\n"
gau $domain | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | dalfox pipe -o xss.txt
printf "\n${GREEN}[+] Vulnerability: SQLi${NORMAL}\n"
printf "${NORMAL}${CYAN}Finding SQLi entry points in the domain...${NORMAL}\n\n"
gau $domain | gf sqli | tee sqli_paramaters.txt
printf "\n"
printf "${NORMAL}${CYAN}Checking if the entry points are vulnerable...${NORMAL}\n\n"
sqlmap -m sqli_paramaters.txt --batch --random-agent --level 1 | tee -a sqli.txt
printf "\n${GREEN}[+] Vulnerability: Multiples vulnerabilities${NORMAL}\n"
printf "${NORMAL}${CYAN}Running multiple templates to discover vulnerabilities...${NORMAL}\n\n"
nuclei -u $domain -t ~/tools/nuclei-templates/ -severity low,medium,high,critical -silent -o mutiple_vulnerabilities.txt
if [ "$2" = true ];
then
printf "\n${GREEN}[+] Missing headers results: ${NORMAL}\n" | notify -silent | cat headers.txt | notify -silent
printf "\n${GREEN}[+] Email spoofing results: ${NORMAL}\n" | notify -silent | cat spoof.json | notify -silent
printf "\n${GREEN}[+] Subdomain takeover results: ${NORMAL}\n" | notify -silent | cat takeover.txt | notify -silent
printf "\n${GREEN}[+] CORS results: ${NORMAL}\n" | notify -silent | cat cors.txt | notify -silent
printf "\n${GREEN}[+] 403 bypass results: ${NORMAL}\n" | notify -silent | cat bypass403.txt | notify -silent
printf "\n${GREEN}[+] Cross Site Request Forgery (CSRF/XSRF) results: ${NORMAL}\n" | notify -silent | cat csrf.txt | notify -silent
printf "\n${GREEN}[+] Open Redirect results: ${NORMAL}\n" | notify -silent | cat or_urls.txt | notify -silent
printf "\n${GREEN}[+] SSRF results: ${NORMAL}\n" | notify -silent | cat ssrf.txt | notify -silent
printf "\n${GREEN}[+] XSS results: ${NORMAL}\n" | notify -silent | cat xss.txt | notify -silent
printf "\n${GREEN}[+] SQLi results: ${NORMAL}\n" | notify -silent | cat sqli.txt | notify -silent
printf "\n${GREEN}[+] Nuclei results: ${NORMAL}\n" | notify -silent | cat mutiple_vulnerabilities.txt | notify -silent
fi
cd $actualDir
}
##############################################
############### WILDCARD RECON ###############
##############################################
wildcard_recon(){
printf "${BOLD}${RED}[!] This mode does not accept any arguments${NORMAL}\n"
printf "${BOLD}${RED}[!] A complete analysis will be carried out on all the subdomains found of the entered wildcard ${NORMAL}\n\n"
printf "${BOLD}${GREEN}[*] STARTING SUBDOMAIN ENUMERATION${NORMAL}\n\n"
printf "${BOLD}${GREEN}[*] WILDCARD:${YELLOW} *.$wildcard ${NORMAL}\n"
if [ -d subdomains ]; then rm -Rf subdomains; fi
mkdir subdomains
cd subdomains
printf "\n${GREEN}[+] Subfinder ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching subdomains...${NORMAL}\n\n"
subfinder -silent -d $wildcard -o subdomains.txt
printf "\n${GREEN}[+] Amass ${NORMAL}\n"
printf "${NORMAL}${CYAN}Searching subdomains with bruteforce...${NORMAL}\n\n"
amass enum -d $wildcard -w $dnsDictionary -o bruteforce.txt
cat bruteforce.txt >> subdomains.txt
rm bruteforce.txt
sort -u subdomains.txt -o subdomains.txt
printf "\n${GREEN}[+] Httpx ${NORMAL}\n"
printf "${NORMAL}${CYAN}Checking alive subdomains...${NORMAL}\n\n"
httpx -l subdomains.txt -silent -o alive.txt
#Removing http/https word from alive.txt
cp alive.txt alive_subdomains.txt
sed -i 's#^http://##; s#/score/$##' alive_subdomains.txt
sed -i 's#^https://##; s#/score/$##' alive_subdomains.txt
sort -u alive_subdomains.txt -o alive_subdomains.txt
cat alive_subdomains.txt | python -c "import sys; import json; print (json.dumps({'domains':list(sys.stdin)}))" > alive.json
cat subdomains.txt | python -c "import sys; import json; print (json.dumps({'domains':list(sys.stdin)}))" > subdomains.json
sed 's/ \+/,/g' alive_subdomains.txt > alive.csv
sed 's/ \+/,/g' subdomains.txt > subdomains.csv
mode="more"
for domain in $(cat alive_subdomains.txt);do
all $domain $more
done
cd $actualDir
}
##############################################
############### HELP SECTION #################
##############################################
help(){
printf "\n"
printf "${BOLD}${GREEN}USAGE${NORMAL}\n"
printf "$0 [-d domain.com] [-w domain.com] [-l listdomains.txt]"
printf "\n [-a] [-p] [-x] [-r] [-v] [-m] [-n] [-h] \n\n"
printf "${BOLD}${GREEN}TARGET OPTIONS${NORMAL}\n"
printf " -d domain.com Target domain\n"
printf " -w domain.com Wildcard domain\n"
printf " -l list.txt Target list\n"
printf " \n"
printf "${BOLD}${GREEN}MODE OPTIONS${NORMAL}\n"
printf " -a, --all All mode - Full scan with full target recognition and vulnerability scanning\n"
printf " -p, --passive Passive reconnaissance (Footprinting) - Performs only passive recon with multiple tools\n"
printf " -x, --active Active reconnaissance (Fingerprinting) - Performs only active recon with multiple tools\n"
printf " -r, --recon Reconnaissance - Perform active and passive reconnaissance\n"
printf " -v, --vulnerabilities Vulnerabilities - Check multiple vulnerabilities in the domain/list domains\n"
printf " -m, --massive Massive recon - Massive vulnerability analysis with repetitions every X seconds\n"
printf " \n"
printf "${BOLD}${GREEN}EXTRA OPTIONS${NORMAL}\n"
printf " -n, --notify Notify - This option is used to receive notifications via Discord, Telegram or Slack\n"
printf " -h, --help Help - Show this help\n"
printf " \n"
printf "${BOLD}${GREEN}EXAMPLES${NORMAL}\n"
printf " ${CYAN}All:${NORMAL}\n"
printf " ./magicrecon.sh -d domain.com -a\n"
printf " \n"
printf " ${CYAN}Passive reconnaissance to a list of domains:${NORMAL}\n"
printf " ./magicrecon.sh -l domainlist.txt -p\n"
printf " \n"
printf " ${CYAN}Active reconnaissance to a domain:${NORMAL}\n"
printf " ./magicrecon.sh -d domain.com -x\n"
printf " \n"
printf " ${CYAN}Full reconnaissance:${NORMAL}\n"
printf " ./magicrecon.sh -d domain.com -r\n"
printf " \n"
printf " ${CYAN}Full reconnaissance and vulnerabilities scanning:${NORMAL}\n"
printf " ./magicrecon.sh -d domain.com -r -v\n"
printf " \n"
printf " ${CYAN}Full reconnaissance and vulnerabilities scanning to a wildcard:${NORMAL}\n"
printf " ./magicrecon.sh -w domain.com \n"
printf " \n"
printf " ${CYAN}Massive reconnaissance and vulnerabilities scanning:${NORMAL}\n"
printf " ./magicrecon.sh -w domain.com -m \n"
}
##############################################
###############LAUNCH SCRIPT##################
##############################################
usage(){
printf "\n"
printf "Usage: $0 [-d domain.com] [-w domain.com] [-l listdomains.txt]"
printf "\n [-a] [-p] [-x] [-r] [-v] [-m] [-n] [-h] \n\n"
exit 2
}
printf "${BOLD}${YELLOW}"
figlet "MagicRecon"
printf "${BOLD}${MAGENTA}MagicRecon v.3.0 - Open Source Project | Author: Robotshell | Twitter: @robotshelld\n\n${NORMAL}"
PARSED_ARGUMENTS=$(getopt -a -n magicrecon -o "d:w:l:apxrvmnh" --long "domain:,wildcard:,list:,all,passive,active,recon,vulnerabilities,massive,notify,help" -- "$@")
VALID_ARGUMENTS=$?
if [ $VALID_ARGUMENTS != "0" ];
then
usage
fi
if [ $# == 0 ]
then
printf "${RED}[!] No arguments detected \n${NORMAL}"
exit 1
fi
eval set -- "$PARSED_ARGUMENTS"
mode_recon=0
vulnerabilitiesMode=false
notifyMode=false
while :
do
case "$1" in
'-d' | '--domain')
domain=$2
shift
shift
continue
;;
'-w' | '--wildcard')
wildcard=$2
shift
shift
continue
;;
'-l' | '--list')
domainList=$2
shift
shift
continue
;;
'-a' | '--all')
mode_recon=1
shift
continue
;;
'-p' | '--passive')
mode_recon=2
shift
continue
;;
'-x' | '--active')
mode_recon=3
shift
continue
;;
'-r' | '--recon')
mode_recon=4
shift
continue
;;
'-v' | '--vulnerabilities')
vulnerabilitiesMode=true
shift
continue
;;
'-m' | '--massive')
mode_recon=5
shift
continue
;;
'-n' | '--notify')
notifyMode=true
shift
continue
;;
'-h' | '--help')
help
exit
;;
'--')
shift
break
;;
*)
printf "${RED}[!] Unexpected option: $1 - this should not happen. \n${NORMAL}"
usage
;;
esac
done
if [ -z "$domain" ] && [ -z "$wildcard" ] && [ -z "$domainList" ]
then
printf "${RED}[!] Please specify a domain (-d | --domain), a wildcard (-w | --wildcard) or a list of domains(-l | --list) \n${NORMAL}"
exit 1
fi
if [ ! -d targets ];
then
mkdir targets
fi
if [ ! -z "$wildcard" ] && [ $mode_recon != 5 ]
then
wildcard_recon $wildcard
exit 1
fi
case $mode_recon in
0)
if [ -z "$domainList" ]
then
if [ $vulnerabilitiesMode == true ]
then
vulnerabilities $domain $notifyMode
fi
else
if [ $vulnerabilitiesMode == true ]
then
for domain in $(cat $domainList);do
vulnerabilities $domain $notifyMode
done
fi
fi
;;
1)
if [ -z "$domainList" ]
then
all $domain $notifyMode
else
for domain in $(cat $domainList);do
all $domain $notifyMode
done
fi
;;
2)
if [ -z "$domainList" ]
then
passive_recon $domain $notifyMode $vulnerabilitiesMode
else
for domain in $(cat $domainList);do
passive_recon $domain $notifyMode $vulnerabilitiesMode
done
fi
;;
3)
if [ -z "$domainList" ]
then
active_recon $domain $notifyMode $vulnerabilitiesMode
else
for domain in $(cat $domainList);do
active_recon $domain $notifyMode $vulnerabilitiesMode
done
fi
;;
4)
if [ -z "$domainList" ]
then
all_recon $domain $notifyMode
else
for domain in $(cat $domainList);do
all_recon $domain $notifyMode
done
fi
;;
5)
if [ ! -z "$wildcard" ]
then
massive_recon $wildcard
else
printf "${RED}[!] This mode only works with a wildcard (-w | --wildcard) \n${NORMAL}"
exit 1
fi
;;
*)
help
exit 1
;;
esac