forked from ethicalhack3r/scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathautomator.sh - (Unfinished)
174 lines (157 loc) · 6.59 KB
/
automator.sh - (Unfinished)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
#!/bin/bash
#Automatically run recon against a domain/list of domains.
#Built for Backtrack
#
# Current Features:
# * DNS Recon
# * Email Harvesting
# * Meta Data Enumeration
# * WhoIs
#
# Additional Features
# * Pull domains from SSL Certificate
#
# Usage: ./automator.sh listofdomains.txt
# Usage: ./automator.sh domain.com
#
# By: Leon Teale (RandomStorm)
#
## Setting Coloured variables
red=`echo -e "\033[31m"`
lcyan=`echo -e "\033[36m"`
yellow=`echo -e "\033[33m"`
green=`echo -e "\033[32m"`
blue=`echo -e "\033[34m"`
purple=`echo -e "\033[35m"`
normal=`echo -e "\033[m"`
## Check for correct usage
if [ -z "$1" ];
then
echo ""
echo "Usage: ./automator.sh listofdomains.txt"
echo "Usage: ./automator.sh domain.com"
echo ""
## Run script on correct usage
else
##Set Variables
domain="$1"
output_dir="~/Desktop"
#Run scripts without arguments
clear
echo "$yellow _ _ "
echo "$yellow /\ | | | | "
echo "$yellow / \ _ _| |_ ___ _ __ ___ __ _| |_ ___ _ __ "
echo "$yellow / /\ \| | | | __/ _ \| '_ \` _ \ / _\` | __/ _ \| '__|"
echo "$yellow / ____ \ |_| | || (_) | | | | | | (_| | || (_) | | "
echo "$yellow /_/ \_\__,_|\__\___/|_| |_| |_|\__,_|\__\___/|_|$normal"
echo "$lcyan -- by Leon Teale (Randomstorm)"
echo ""
echo "$blue +-------------------------------------------+"
echo "$blue | $red Current Features$normal $blue |$normal"
echo "$blue | $yellow * DNS Recon$normal $blue |$normal"
echo "$blue | $yellow * Email Harvesting$normal $blue |$normal"
echo "$blue | $yellow * Meta DataEnumeration$normal $blue |$normal"
echo "$blue | $yellow * WhoIs$normal $blue|$normal"
echo "$blue | |"
echo "$blue | $red Additional Features $normal $blue |$normal"
echo "$blue | $yellow * Pull domains From SSL Cert$normal$blue |$normal"
echo "$blue +-------------------------------------------+$normal"
echo "$lcyan Target = '$green$domain$lcyan'"
echo ""
mkdir -p ~/Desktop/$domain
mkdir -p ~/Desktop/$domain/metagoofil
sleep 1
## Set Variables ##
echo "Run intense scan? [y/N]"
read intense
## Main Features: ##
## Run the DNS Stage
if
[[ "$intense" == "y" ]]
then
echo "$yellow Running DNS Recon Stage..$normal (..Very Slow)"
echo ""
if
dig @`dig ns $domain | grep -v '^;' | grep A | cut -f1 | head -1` $domain axfr | grep "XFR size"
then
echo "$lcyan Zone Transfer Vulnerability: ($red Yes $lcyan)$normal"
else
echo "$lcyan Zone Transfer Vulnerability: ($green No $lcyan)$normal"
fi
echo ""
dnsrecon -t brt,std,axfr -D /root/Desktop/wordlists/dnsbruteforce.txt -d $domain > /tmp/$domain.dnsrecon.txt.tmp
cat /tmp/$domain.dnsrecon.txt.tmp | grep '[^\.][0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}[^\.]' | grep -vE 'Trying|TCP|MX|NS|SOA|Has' | awk {'print $3 "\t" $4'} | sort -u | sed '/^$/d' > ~/Desktop/$domain/dnsrecon.txt
echo "$lcyan Subdomains found: ($yellow `cat ~/Desktop/$domain/dnsrecon.txt | wc -l` $lcyan)$normal"
echo ""
else
echo "$yellow Running DNS Recon Stage..$normal"
echo ""
if
dig @`dig ns $domain | grep -v '^;' | grep A | cut -f1 | head -1` $domain axfr | grep "XFR size"
then
echo "$lcyan Zone Transfer Vulnerability: ($red Yes $lcyan)$normal"
else
echo "$lcyan Zone Transfer Vulnerability: ($green No $lcyan)$normal"
fi
echo ""
dnsrecon -t brt,std,axfr -D /usr/share/dnsrecon/namelist.txt -d $domain > /tmp/$domain.dnsrecon.txt.tmp
cat /tmp/$domain.dnsrecon.txt.tmp | grep '[^\.][0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}[^\.]' | grep -vE 'Trying|TCP|spf1|SOA|Has' | awk {'print $3 "\t" $4'} | sort -u | grep $domain | sed '/^$/d' > ~/Desktop/$domain/dnsrecon.txt
echo "$lcyan Subdomains found: ($yellow `cat ~/Desktop/$domain/dnsrecon.txt | wc -l` $lcyan)$normal"
echo ""
fi
rm -rf /tmp/$domain.dnsrecon.txt.tmp
echo "" >> ~/Desktop/$domain/dnsrecon.txt
echo "Name Servers" >> ~/Desktop/$domain/dnsrecon.txt
dig ns $domain | grep -v '^;' | grep A | awk {'print $1 "\t" $5'} | sed '/^$/d' >> ~/Desktop/$domain/dnsrecon.txt
echo "" >> ~/Desktop/$domain/dnsrecon.txt
echo "MX Records" >> ~/Desktop/$domain/dnsrecon.txt
dig mx $domain | grep -v '^;' | grep $domain | awk {'print $6'} | sed '/^$/d' >> ~/Desktop/$domain/dnsrecon.txt
cat ~/Desktop/$domain/dnsrecon.txt
echo ""
echo "$green DNS Recon Stage Complete!$normal"
## Run the Mail Harvesting Stage
echo "+------------------------------------------------+"
echo ""
echo "$yellow Running Email Harvesting Stage..$normal"
theharvester -l 500 -b all -d $domain > /tmp/$domain.emails.txt.tmp
cat /tmp/$domain.emails.txt.tmp | grep @ | grep -vE 'cmartore' > ~/Desktop/$domain/emails.txt
rm -rf /tmp/$domain.emails.txt.tmp
echo "$lcyan Email Addresses Found: ($yellow `cat ~/Desktop/$domain/emails.txt | wc -l` $lcyan)$normal"
echo ""
cat ~/Desktop/$domain/emails.txt | column -c 100
echo ""
echo "$green Email Harvesting Stage Complete!$normal"
## Run the MetaGooFil Stage
echo "+------------------------------------------------+"
echo ""
echo "$yellow Running Meta Data Gathering Stage..$normal"
echo ""
metagoofil -d $domain -t pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx -l 20 -n 20 -o ~/Desktop/$domain/metagoofil/ -f ~/Desktop/$domain/users_temp.txt > /dev/null
cat ~/Desktop/$domain/users_temp.txt | sed 's/useritem/\n/g' | grep '">' | grep -vE 'head' | awk -F "<" {'print $1'} | cut -d">" -f2 | sed -e "s/^ \{1,\}//" > ~/Desktop/$domain/users.txt
echo "$lcyan Users found: ($yellow `cat ~/Desktop/$domain/users.txt | wc -l` $lcyan)$normal"
echo ""
cat ~/Desktop/$domain/users.txt
echo ""
echo "$green Meta Data Stage Complete!$normal"
## Run the WhoIs
echo "+------------------------------------------------+"
echo ""
whois $domain > ~/Desktop/$domain/whois.txt
echo "$yellow Running WhoIs..$normal"
echo ""
echo "$green WhoIs output saved to: $lcyan ~/Desktop/$domain/whois.txt$normal"
## Additional Features: ##
## Pull domains from SSL Certificate
echo "+------------------------------------------------+"
echo ""
echo "$yellow Pulling Domains from SSL Certificates $normal"
echo ""
sslscan --ssl2 $domain | grep DNS | sed 's/,/"\n"/g' | sed 's/"//g' | cut -d':' -f2 > ~/Desktop/$domain/sslcertdomains_temp.txt
nmap -vv $domain -script=ssl-cert -p443 | grep commonName | grep -v 'Issuer' | cut -d '/' -f1 | cut -d '=' -f2 >> ~/Desktop/$domain/sslcertdomains_temp.txt
cat ~/Desktop/$domain/sslcertdomains_temp.txt | sort -u > ~/Desktop/$domain/sslcertdomains.txt
cat ~/Desktop/$domain/sslcertdomains.txt
rm ~/Desktop/$domain/sslcertdomains_temp.txt
echo ""
echo "$green Finished Pulling Domains!$normal"
echo ""
fi