
This script is intended to automate your reconnaissance process in an organized fashion


  _
 | | __ _ ____ _   _ _ __ ___  ___  ___  _ __
 | |/ _  |_  /| | | |  __/ _ \/ __|/ _ \|  _ \
 | | (_|  / / | | | | | |  __/ (__  (_) | | | 
 |_|\__ _|___/ \__  |_|  \___|\___|\___/|_| |_
               |___/

Usage (beta)

Run it with sudo, because masscan needs raw-socket privileges:

./lazyrecon.sh target.com

About

This script is intended to automate your reconnaissance process in an organized fashion by performing the following steps:

  • Create a dated folder with recon notes for the target
  • Enumerate subdomains using subfinder
  • Discover additional subdomains through alterations and permutations using altdns
  • Filter the candidate list down to resolving subdomains using host
  • Filter for working HTTP and HTTPS servers using meg
  • Grab each response and sieve the results to exclude false positives such as redirects (Location headers)
  • Check for HTTP request smuggling vulnerabilities using smuggler
  • Run masscan against the live servers using dnmasscan
  • Automatically brute-force exposed services with default credentials using BruteSpray (Medusa backend)
  • [WIP][x] Run dirsearch with a custom wordlist built from SecLists all.txt and fuzz-Bo0oM.txt
  • [WIP][x] Generate an HTML report when a vulnerable domain is found

Features

This project is a fork of the original v1.0 by Jason Haddix and Ben Sadeghipour, extended with some current best practices: subdomain takeover checks, brute-forcing and request smuggling detection.

Dependencies

Before running the script, clone and set up the following tools at the same level as (next to) the lazyrecon directory. For example:

~/lazyrecon
~/subfinder
~/altdns
~/dirsearch
~/meg
~/httprobe
~/smuggler
~/masscan
~/dnmasscan
~/brutespray

Make sure every tool is installed correctly and its entry point has execute permissions (chmod +x):

  1. subfinder
  2. altdns
  3. dirsearch
  4. meg
  5. httprobe
  6. smuggler
  7. masscan
  8. dnmasscan
  9. brutespray
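An added pre-flight check (example code, not lazyrecon's own) that verifies each sibling tool directory from the list above exists and contains at least one executable file, which is the chmod +x requirement in script form. The base directory and the tool list are passed as arguments; the `--check` flag and the default base directory (the parent of the script) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of lazyrecon): verify the sibling tool checkouts
# described in the Dependencies section before running the recon pipeline.
set -eu

# check_deps BASE_DIR TOOL...
# For every TOOL, require BASE_DIR/TOOL to exist and to contain at least one
# regular file with the owner-execute bit set (searched two levels deep so
# builds such as masscan's bin/masscan are found). Prints one status line per
# tool and returns 1 if anything is missing or not executable.
check_deps() {
  base="$1"
  shift
  missing=0
  for tool in "$@"; do
    dir="$base/$tool"
    if [ ! -d "$dir" ]; then
      echo "MISSING  $tool: $dir not found"
      missing=1
    elif [ -z "$(find "$dir" -maxdepth 2 -type f -perm -100 | head -n1)" ]; then
      echo "NOEXEC   $tool: no executable file under $dir (run chmod +x)"
      missing=1
    else
      echo "OK       $tool"
    fi
  done
  return $missing
}

# Stand-alone usage (assumed flag for this example):
#   ./check_deps.sh --check            # base dir = parent of this script
#   ./check_deps.sh --check ~/tools    # explicit base dir
if [ "${1:-}" = "--check" ]; then
  check_deps "${2:-$(dirname "$0")/..}" \
    subfinder altdns dirsearch meg httprobe smuggler masscan dnmasscan brutespray
fi
```

Wire it into the top of lazyrecon.sh (or run it by hand) so a missing or non-executable tool fails fast instead of silently producing an empty stage halfway through a run.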

If you run into any issues, feel free to open an issue or a PR.

Notes

  • Sublist3r was replaced with subfinder following a Twitter discussion
  • nmap was replaced with masscan because of its feature set
  • smuggler is forked from the original, trimmed to a lightweight version that includes this PR
  • meg's output is grepped for Location headers in order to exclude 301/302 redirects
  • altdns is used based on Scrutiny on the bug bounty
  • WIP: you can track activity on the Projects To Do board
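As an added example (not part of lazyrecon or meg), the following filters a meg output directory the way the "sieve the response" step in About and the Location-header note above describe: hosts whose response headers carry a Location header (301/302 redirects) are dropped, and the remaining hosts are kept as live targets. The files written by make_sample_meg_output are constructed for this example and assumed to mirror meg's per-request files (request lines prefixed with "> ", response headers with "< ", then a blank line and the body); the hostnames are made up.

```shell
#!/usr/bin/env bash
# Added example (not part of lazyrecon): drop redirecting hosts from meg output.
set -eu

# Build a small, constructed meg-style output tree for offline testing.
# Layout is an assumption modelled on meg: out/<host>/<file>, each file holding
# the request ("> " lines), the response headers ("< " lines), then the body.
make_sample_meg_output() {
  local out="$1"
  mkdir -p "$out/app.target.com" "$out/www.target.com" "$out/old.target.com"
  cat > "$out/app.target.com/aaaa" <<'EOF'
https://app.target.com/

> GET / HTTP/1.1
> Host: app.target.com

< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: nginx

<html>login</html>
EOF
  cat > "$out/www.target.com/bbbb" <<'EOF'
https://www.target.com/

> GET / HTTP/1.1
> Host: www.target.com

< HTTP/1.1 301 Moved Permanently
< Location: https://target.com/

EOF
  cat > "$out/old.target.com/cccc" <<'EOF'
http://old.target.com/

> GET / HTTP/1.1
> Host: old.target.com

< HTTP/1.1 302 Found
< Location: https://login.target.com/sso

EOF
}

# Print the hosts (directory names) whose responses contain no Location header.
# Only response header lines ("< ...") are inspected, so a body that merely
# mentions "Location" does not cause a false exclusion.
hosts_without_redirect() {
  local out="$1" f host
  for f in "$out"/*/*; do
    [ -f "$f" ] || continue
    host=$(basename "$(dirname "$f")")
    if ! grep -qi '^< Location:' "$f"; then
      echo "$host"
    fi
  done | sort -u
}

# List the excluded redirects as "host -> target" for the recon notes; a
# redirect to an unclaimed third-party host is still worth a takeover check.
redirect_targets() {
  local out="$1"
  grep -ri '^< Location:' "$out" \
    | sed -E 's#^.*/([^/]+)/[^/:]+:< Location: *#\1 -> #' \
    | sort
}

# Stand-alone usage (assumed flags for this example):
#   ./filter_meg.sh out      # filter a real meg output directory
#   ./filter_meg.sh --demo   # run against the constructed sample above
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(mktemp -d)
  make_sample_meg_output "$demo_dir"
  echo "# live, non-redirecting hosts"
  hosts_without_redirect "$demo_dir"
  echo "# redirects (excluded)"
  redirect_targets "$demo_dir"
  rm -rf "$demo_dir"
elif [ -n "${1:-}" ]; then
  hosts_without_redirect "$1"
fi
```

Keep both lists: the non-redirecting hosts feed the smuggler, masscan and brute-force stages, while the redirect list is where dangling CNAME and takeover candidates tend to surface.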

Acknowledgement: This code was created for personal use against hosts you are allowed to hack/explore under one of the known bug bounty programs. Use it at your own risk.