I have created a bunch of shell scripts to help with your recon. These simple scripts enumerate all the subdomains of a target and then check which of those subdomains are alive.
Prerequisites
```
git clone https://github.com/sahildari/R3CON
cd R3CON
chmod +x *.sh
sudo bash subdomain.sh target.com
```
Please specify the full path of extract.rb in endpoint.sh.
For example, if you have cloned R3CON into your /opt/ directory, change the 11th line to:
```
ruby /opt/R3CON/extract.rb scriptsresponse/$domain/$file >> endpoints/$domain/$file
```
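Instead of hard-coding the clone location, the script can locate extract.rb relative to its own directory. The helpers below are an added example, not part of the R3CON repository; they assume the directory layout named in this README (scriptsresponse/<domain>/<file> and endpoints/<domain>/<file>) and that extract.rb sits next to endpoint.sh.

```shell
#!/usr/bin/env bash
# Added example: resolve extract.rb relative to the script instead of /opt/R3CON.

# Print the real directory containing the given script (defaults to this script).
# Runs in a subshell so the caller's working directory is not changed.
r3con_dir() {
    script="${1:-$0}"
    ( cd "$(dirname "$script")" && pwd -P )
}

# Print the path of extract.rb next to the script; fail if it is not there.
extract_rb_path() {
    local dir
    dir="$(r3con_dir "$1")" || return 1
    path="$dir/extract.rb"
    [ -f "$path" ] || { echo "extract.rb not found at $path" >&2; return 1; }
    printf '%s\n' "$path"
}

# Run extract.rb over every saved JS response for a domain and append the
# discovered endpoints to endpoints/<domain>/<file> (assumed layout).
extract_endpoints() {
    local domain="$1" extract f
    extract="$(extract_rb_path "$2")" || return 1
    mkdir -p "endpoints/$domain"
    for f in "scriptsresponse/$domain"/*; do
        [ -f "$f" ] || continue
        ruby "$extract" "$f" >> "endpoints/$domain/$(basename "$f")"
    done
}
```

Replacing the hard-coded line 11 with a call such as `extract_endpoints "$domain"` from endpoint.sh keeps the script working wherever the repository is cloned.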
- It will create alive.txt and alive.json, in which all the alive subdomains are listed.
- It will create a headers directory to store the response headers collected while testing for open redirects via
`X-Forwarded-Host: evil.com`
- It will create script and scriptresponse directories to store all the JS files related to the target and its subdomains (where all the gold lies).
- It will create an endpoints directory to store the interesting endpoints it finds.
- After all this you can search the output manually for the things you want (grep). For example,
```
grep -iErn 302
```
to find which subdomains responded with a redirect, and then check those subdomains manually, or
```
grep -iErn admin
grep -iErn secret-key
```
and you get the point. :)
Happy Hacking!
The R3CON framework has been created using the open source security tools made by this amazing OPEN SOURCE security community -