mswell/magicRecon

This repository contain a powerful shell script to maximize the data collection process of an objective

MagicRecon

Description

Recon is an essential element of any penetration testing. This repository contain a powerful shell script to maximize the recon and data collection process of an objective. With this script you can easily find:

• Sensitive information disclosure.
• Missing HTTP headers
• Open S3 buckets.
• Subdomain takeovers.
• Open ports and services.
• Endpoints.
• Directories.
• Javascript files with senstive info
• CORS missconfigurations
• Other quick bugs.

Disclaimer ⚠️

The author of this document take no responsibility for correctness. This project is merely here to help guide security researchers towards determining whether something is vulnerable or not, but does not guarantee accuracy. Warning: This code was originally created for personal use, it generates a substantial amount of traffic, please use with caution.

Tools needed

• Amass
• Certsh.py
• Github-subdomains.py
• Gobuster
• Assetfinder
• Subjack
• httprobe
• Corsy
• Aquatone
• curl
• relative-url-extractor
• Jsearch.py
• Nmap
• SecLists

IMPORTANT: YOU NEED TO INSTALL ALL THE TOOLS IN YOUR HOME FOLDER AND INSERT YOUR GITHUB TOKEN IN THE SCRIPT CONFIGURATION TO USE Github-subdomains.py.

How does it work?

The script has 5 phases:

1. Subdomain enumeration: Amass, Certsh.py, Github-subdomains.py, Gobuster DNS and Assetfinder tools are used to find the maximum possible number of subdomains. httprobe is used to probe for working http and https servers. Then Subjack is used to quickly check if it exists subdomains takeover. Corsy tool is used to find CORS missconfigurations. Finally, Aquatone takes screenshots of each subdomain.

2. Headers: curl is used to obtain the headers of each subdomain.

3. Javascript: relative-url-extractor and Jsearch.py are used to inspect the javascript files of each subdomain for endpoints and sensitive information.

4. Directories and hidden files: Gobuster DIR is used to collect hidden files and directories through a dictionary. You can change the dictionary in the script configuration.

5. Nmap: Nmap is used to scan ports and services quiclky.

All the data generated in the different processes are saved in different files and directories in different formats.

Usage

./magicRecon.sh <domain>

Thanks

• Special Thanks to Mohd Shibli for his great contributions in the article Fasten your Recon process using Shell Scripting

About me

Twitter

Donation

• If you've earned a bug bounty using this tool, please consider donating to support it's development. You can help me to develop more useful tools. Thanks 😍