@@ -127,13 +127,31 @@ amass enum -d syselement.com
127127
128128➡️ [ httprobe] ( https://github.com/tomnomnom/httprobe ) - take a list of domains and probe for working (alive) http and https servers
129129
130+ ``` bash
131+ # Go is necessary (installed via pimpmykali.sh)
132+ go install github.com/tomnomnom/httprobe@latest
133+
134+ # or on Kali
135+ sudo apt install httprobe
136+ ```
137+
138+ ``` bash
139+ cat tesla.com/recon/final.txt | httprobe
140+
141+ # Skip default probes, and use only https:443 probe
142+ cat tesla.com/recon/final.txt | httprobe -s -p https:443
143+
144+ # Strip only subdomains from the list
145+ cat tesla.com/recon/final.txt | sort -u | httprobe -s -p https:443 | sed ' s/https\?:\/\///' | tr -d ' :443'
146+ ```
147+
130148➡️ [ assetfinder] ( https://github.com/tomnomnom/assetfinder ) - find domains and subdomains related to a given domain
131149
132150``` bash
133151# Go is necessary (installed via pimpmykali.sh)
134152go get -u github.com/tomnomnom/assetfinder
135153
136- # or in Kali
154+ # or on Kali
137155sudo apt install assetfinder
138156```
139157
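Review bot: the subdomain-stripping pipeline in the third httprobe example (`... | sed 's/https\?:\/\///' | tr -d ':443'`) has a logic problem: `tr -d` deletes every occurrence of each listed character rather than the string `:443`, so any hostname containing a `3` or a `4` (for example `www3.example.com`) comes out corrupted. Replace the `tr` stage with `sed 's/:443$//'`, or fold both steps into `sed -e 's#^https\?://##' -e 's/:443$//'`. Minor: the adjacent unchanged assetfinder block still uses `go get -u github.com/tomnomnom/assetfinder`, which no longer installs binaries on current Go toolchains; since this hunk already moved httprobe to `go install ...@latest`, update assetfinder the same way for consistency.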
@@ -143,7 +161,51 @@ assetfinder syselement.com
143161assetfinder --subs-only tesla.com
144162```
145163
146- ### Automated domain recon script
164+ ---
165+
166+ ## Screenshoting websites
167+
168+ ➡️ [ gowitness] ( https://github.com/sensepost/gowitness ) - A golang, web screenshot utility using Chrome Headless
169+
170+ ``` bash
171+ # Go is necessary (installed via pimpmykali.sh)
172+ go install github.com/sensepost/gowitness@latest
173+
174+ # or on Kali
175+ sudo apt install gowitness
176+ ```
177+
178+ ``` bash
179+ gowitness scan single --url " https://tesla.com" --write-db
180+
181+ gowitness scan single --url " https://blog.syselement.com"
182+ ```
183+
184+ ---
185+
186+ ## Website technologies
187+
188+ ➡️ [ BuiltWith.com] ( https://builtwith.com/ ) - find out what websites are built with
189+
190+ ![ BuiltWith.com] ( .gitbook/assets/2024-07-03_19-54-58_561.png )
191+
192+ ➡️ [ Wappalyzer.com] ( https://www.wappalyzer.com/ ) - via browser extension
193+
194+ - by visiting the webpage, interact with the browser extension to check the website technologies
195+
196+ ![ ] ( .gitbook/assets/2024-07-03_20-14-16_570.png )
197+
198+ ➡️ [ WhatWeb] ( https://github.com/urbanadventurer/WhatWeb/ )
199+
200+ ``` bash
201+ whatweb https://blog.syselement.com/
202+ ```
203+
204+ ![ ] ( .gitbook/assets/2024-07-03_20-17-06_571.png )
205+
206+ ---
207+
208+ ## Automated recon script
147209
148210- Little ` bash ` script for sub-domains hunting
149211
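Review bot: the new heading `## Screenshoting websites` is misspelled and should read `## Screenshotting websites`. The gowitness examples use the v3 command layout (`gowitness scan single --url ...`); older packaged builds expose a different top-level syntax (`gowitness single <url>`), so state the minimum version next to the two install options, and say where `--write-db` stores its results so a reader understands why it is passed on the first command but not the second.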
@@ -160,45 +222,63 @@ if [ ! -d "$url/recon" ]; then
160222 mkdir $url /recon
161223fi
162224
163- # Assetfinder
225+ # Assetfinder #
164226echo " [+] Harvesting subdomains with assetfinder..."
165227assetfinder $url >> $url /recon/assets.txt
166228# get only subdomains containing $url
167229cat $url /recon/assets.txt | grep $1 >> $url /recon/final.txt
168230rm $url /recon/assets.txt
169231
170- # Amass
232+ # Amass #
171233# echo "[+] Harvesting subdomains with amass..."
172234# amass enum -d $url >> $url/recon/f.txt
173235# sort -u $url/recon/f.txt >> $url/recon/final.txt
174236# rm $url/recon/f.txt
175237
238+ # httprobe #
239+ echo " [+] Probing for alive domains..."
240+ cat $url /recon/final.txt | sort -u | httprobe -s -p https:443 | sed ' s/https\?:\/\///' | tr -d ' :443' >> $url /recon/alive.txt
176241
242+ # ##
177243```
178244
245+ ➡️ [ sumrecon] ( https://github.com/Gr1mmie/sumrecon/blob/master/sumrecon.sh ) - web recon script
179246
247+ ``` bash
248+ wget https://raw.githubusercontent.com/Gr1mmie/sumrecon/refs/heads/master/sumrecon.sh
249+ ```
180250
181- ---
182-
183- ## Website technologies
184-
185- ➡️ [ BuiltWith.com] ( https://builtwith.com/ ) - find out what websites are built with
186-
187- ![ BuiltWith.com] ( .gitbook/assets/2024-07-03_19-54-58_561.png )
188-
189- ➡️ [ Wappalyzer.com] ( https://www.wappalyzer.com/ ) - via browser extension
251+ - TCM's modified final script
252+ - ** Creates a directory structure** for reconnaissance under a given URL
253+ - ** Harvests subdomains** using ` assetfinder `
254+ - ** Filters valid subdomains** and saves them to ` final.txt `
255+ - ** Checks for live domains** using ` httprobe `
256+ - ** Identifies potential subdomain takeovers** using ` subjack `
257+ - ** Scans for open ports** using ` nmap `
258+ - ** Scrapes archived URLs** from ` waybackurls `
259+ - ** Extracts parameters** from Wayback Machine data
260+ - ** Categorizes JavaScript, PHP, JSON, JSP, and ASPX files** from Wayback Machine data
261+ - ** Removes temporary files** to keep the structure clean
262+ - (Commented out) ** Could run ` amass ` for subdomain discovery** and ** use ` EyeWitness ` for screenshots**
190263
191- - by visiting the webpage, interact with the browser extension to check the website technologies
264+ ``` bash
265+ # 0. Requirements
266+ sudo apt install amass assetfinder httprobe gowitness nmap subjack
267+ go install github.com/tomnomnom/waybackurls@latest
192268
193- ![ ] ( .gitbook/assets/2024-07-03_20-14-16_570.png )
269+ # 1. Copy the code here https://pastebin.com/raw/MhE6zXVt to a new file
194270
195- ➡️ [ WhatWeb] ( https://github.com/urbanadventurer/WhatWeb/ )
271+ # 2. Fix last 2 lines with gowitness and uncomment them
272+ # echo "[+] Running eyewitness against all compiled domains..."
273+ # gowitness scan file -f $url/recon/httprobe/alive.txt
196274
197- ``` bash
198- whatweb https://blog. syselement.com/
275+ chmod +x finalrecon.sh
276+ ./finalrecon.sh syselement.com
199277```
200278
201- ![ ] ( .gitbook/assets/2024-07-03_20-17-06_571.png )
279+ > - Check those additional resources
280+ > - The Bug Hunter's Methodology - [ The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix] ( https://www.youtube.com/watch?v=uKWu6yhnhbQ )
281+ > - [ Nahamsec Recon Playlist] ( https://www.youtube.com/watch?v=MIujSpuDtFY&list=PLKAaMVNxvLmAkqBkzFaOxqs3L66z2n8LA )
202282
203283---
204284
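Review bot: the added httprobe stage in the script repeats the `tr -d ':443'` problem: `tr -d` removes the characters `:`, `4` and `3` wherever they occur, so subdomains containing those digits are mangled before they reach `alive.txt`; use `sed 's/:443$//'` instead. Two smaller points in the same block: `>> $url/recon/alive.txt` appends on every run, so stale hosts accumulate unless the file is truncated with `>` or de-duplicated, and the trailing `# ##` line looks like a leftover separator. For the sumrecon step, `wget` fetches from `refs/heads/master`, a moving reference, and the following steps `chmod +x` and run a script pasted from pastebin; pin the download to a specific commit and read the script before executing it, so the recon tooling itself is not an unreviewed supply-chain input.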