This Bash script automates subdomain enumeration, live domain checking, port scanning, and data extraction from the Wayback Machine. It integrates tools such as `assetfinder`, `httprobe`, `subjack`, `nmap`, and `waybackurls` to conduct reconnaissance on a target domain. Inspired by the CyberMentor.

- Automatically creates directory structures to organize the results.
- Gathers subdomains using `assetfinder` (optional `amass` integration).
- Probes for live subdomains using `httprobe`.
- Scans for subdomain takeover vulnerabilities using `subjack`.
- Performs port scanning using `nmap`.
- Extracts archived data from the Wayback Machine using `waybackurls` and organizes files by type (e.g., `.js`, `.php`, `.json`).
- Optionally captures screenshots of live subdomains using `EyeWitness` or `GoWitness`.
Ensure you have the following tools installed:

- Go (required for `assetfinder`, `httprobe`, `subjack`, and `waybackurls`). To install Go, visit: Go Installation
- Assetfinder: install via Go:
  ```
  go install github.com/tomnomnom/assetfinder@latest
  ```
- Httprobe: install via Go:
  ```
  go install github.com/tomnomnom/httprobe@latest
  ```
- Subjack (for subdomain takeover detection): install via Go:
  ```
  go install github.com/haccer/subjack@latest
  ```
- Nmap: install using your package manager:
  ```
  sudo apt-get install nmap   # for Debian/Ubuntu
  sudo yum install nmap       # for CentOS/RHEL
  ```
- Waybackurls: install via Go:
  ```
  go install github.com/tomnomnom/waybackurls@latest
  ```
- Amass (for additional subdomain enumeration): install via:
  ```
  sudo apt-get install amass
  ```
- EyeWitness (for screenshots of live domains): follow the instructions on EyeWitness GitHub for installation.
- GoWitness (an alternative to EyeWitness): install via Go:
  ```
  go install github.com/sensepost/gowitness@latest
  ```
  Make sure to adjust the path in the script if using GoWitness instead of EyeWitness.
- Clone the repository or download the script:
  ```
  git clone https://github.com/CloudyKhan/subdomain-enum.git
  ```
- Navigate to the folder containing the script:
  ```
  cd subdomain-enum
  ```
- Make the script executable:
  ```
  chmod +x subdomain-enum.sh
  ```

Run the script by providing the domain you want to enumerate subdomains for:

```
./subdomain-enum.sh <domain>
```

Uncomment or comment sections in the script as needed to suit your preferences.
The results are saved in the following directory structure:

```
<domain>/recon/
├── scans/
├── httprobe/
│   └── alive.txt
├── potential_takeovers/
│   └── potential_takeovers.txt
├── wayback/
│   ├── wayback_output.txt
│   ├── params/
│   │   └── wayback_params.txt
│   └── extensions/
│       ├── js.txt
│       ├── php.txt
│       ├── aspx.txt
│       ├── json.txt
│       └── html.txt
└── final.txt
```
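The two purely local steps of the workflow, creating the `recon/` tree and sorting the archived URL list by extension and by query string, are shown here as an added example. This is not the project's own `subdomain-enum.sh`; the function names (`make_recon_dirs`, `sort_wayback_output`, `count_lines`) and the sample URL list are constructed for the demonstration, and nothing is fetched from the network.

```bash
#!/usr/bin/env bash
# Added example (not the project's script): builds the recon directory tree
# described above and sorts a waybackurls-style URL list into per-extension
# files plus a parameter file. The input is a constructed sample, so the
# script runs entirely offline.
set -euo pipefail

# Create <base>/recon/ with the subdirectories listed in the README and
# print the recon path so callers can capture it.
make_recon_dirs() {
    local base="$1"   # e.g. example.com, or a temp path for testing
    local recon="$base/recon"
    mkdir -p "$recon/scans" "$recon/httprobe" "$recon/potential_takeovers" \
             "$recon/wayback/params" "$recon/wayback/extensions"
    printf '%s\n' "$recon"
}

# Split a list of archived URLs (one per line) into
# wayback/extensions/<ext>.txt for the extensions of interest and
# wayback/params/wayback_params.txt for every URL carrying a query string.
# Each output file is deduplicated and sorted; an absent match yields an
# empty file rather than an error.
sort_wayback_output() {
    local recon="$1" input="$2"
    local ext
    cp "$input" "$recon/wayback/wayback_output.txt"
    # Any URL with a '?' has parameters worth reviewing.
    grep -E '\?' "$input" | sort -u \
        > "$recon/wayback/params/wayback_params.txt" || true
    for ext in js php aspx json html; do
        # Match the extension at the end of the path, i.e. followed by
        # a ?query, a #fragment, or end of line (case-insensitive).
        grep -Ei "\.${ext}"'([?#]|$)' "$input" | sort -u \
            > "$recon/wayback/extensions/${ext}.txt" || true
    done
}

# Number of lines in a file (0 if the file is missing).
count_lines() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# --- demo on constructed sample data ---
workdir="$(mktemp -d)"
recon="$(make_recon_dirs "$workdir/example.com")"
# Constructed sample resembling waybackurls output (includes one duplicate).
cat > "$workdir/sample_urls.txt" <<'EOF'
http://example.com/static/app.js
http://example.com/static/app.js
http://example.com/login.php?user=admin
http://example.com/api/v1/users.json
http://example.com/index.html
http://example.com/Default.aspx?id=1
http://example.com/search?q=test
http://example.com/img/logo.png
EOF
sort_wayback_output "$recon" "$workdir/sample_urls.txt"
for ext in js php aspx json html; do
    printf '%-6s %s\n' "$ext" "$(count_lines "$recon/wayback/extensions/$ext.txt")"
done
printf '%-6s %s\n' params "$(count_lines "$recon/wayback/params/wayback_params.txt")"
```

With the sample above each extension file ends up with one entry (the duplicate `app.js` line is collapsed by `sort -u`) and `wayback_params.txt` holds the three URLs that carry a query string; the `.png` URL is copied to `wayback_output.txt` but lands in no extension file.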