# lazyrecon
Execute with sudo because of masscan:

```bash
./lazyrecon.sh target.com
```
This script is intended to automate your reconnaissance process in an organized fashion by performing the following:

- Create a dated folder with recon notes for the target
- Grab subdomains using `subfinder`
- Subdomain discovery through alterations and permutations using `altdns`
- Filter out live subdomains from a list of hosts using `host`
- Filter out working HTTP and HTTPS servers using `meg`
- Grab the responses and sieve through them to exclude false positives such as `Location` headers
- Check for request smuggling vulnerabilities using `smuggler`
- Perform `masscan` on live servers using `dnmasscan`
- Automatically brute-force services with default credentials using `Medusa`
- [WIP][x] Perform `dirsearch` using a custom wordlist based on SecLists All.txt and fuzz-Bo0oM.txt
- [WIP][x] Generate an HTML report in case a vulnerable domain is found.
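The "sieve through the responses" step above, as an added example that is not lazyrecon's own code: a small Python filter over meg's output files that sets aside responses carrying a `Location` header (301/302) so only non-redirecting hosts remain. It assumes meg's default per-response file layout (URL line, `> ` request lines, `< ` response lines, blank line, body); the sample files are constructed.

```python
# Added example (not lazyrecon's own code): sieve meg output files so that
# responses carrying a Location header (301/302 redirects) are set aside.
# Assumes meg's default file layout: URL line, blank, "> " request lines,
# blank, "< " response status/header lines, blank, body.
import re
from pathlib import Path
STATUS_RE = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")
# Constructed sample files in meg's layout (not real captures).
SAMPLE_FILES = {
    "out/example.com/a1": "https://example.com/\n\n> GET / HTTP/1.1\n> Host: example.com\n\n"
                          "< HTTP/1.1 200 OK\n< Content-Type: text/html\n\n<html>ok</html>\n",
    "out/example.com/b2": "http://example.com/\n\n> GET / HTTP/1.1\n> Host: example.com\n\n"
                          "< HTTP/1.1 301 Moved Permanently\n< Location: https://example.com/\n\n",
}
def parse_meg_response(text):
    """Return (url, status_code, headers) for one meg output file."""
    lines = text.splitlines()
    url = lines[0].strip() if lines else ""
    status, headers, in_resp = None, {}, False
    for line in lines[1:]:
        if line.startswith("< "):
            in_resp = True
            m = STATUS_RE.match(line)
            if m:
                status = int(m.group(1))
                continue
            name, sep, value = line[2:].partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        elif in_resp:
            break  # blank line after the response headers: body starts, stop
    return url, status, headers

def is_redirect(text):
    """True for 301/302 responses or any response carrying a Location header."""
    _, status, headers = parse_meg_response(text)
    return status in (301, 302) or "location" in headers

def sieve(files):
    """Split {path: content} into (kept_urls, redirect_urls)."""
    kept, redirects = [], []
    for content in files.values():
        url = parse_meg_response(content)[0]
        (redirects if is_redirect(content) else kept).append(url)
    return kept, redirects

def sieve_dir(out_dir="out"):
    """Run sieve() over a real meg output directory, skipping its index file."""
    paths = [p for p in Path(out_dir).rglob("*") if p.is_file() and p.name != "index"]
    return sieve({str(p): p.read_text(errors="replace") for p in paths})
```

`sieve_dir("out")` runs the same filter over an actual meg output directory; the returned lists can be written back to a hosts file for the next stage.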
The project is forked from the original v1.0 by Jason Haddix and Ben Sadeghipour and aims to implement some best practices such as Subdomain Takeovers, Bruteforce and Request Smuggling checks.
To start using this script, clone and set up the following tools at the same level (next to the lazyrecon directory). For example:

```
~/lazyrecon
~/subfinder
~/altdns
~/dirsearch
~/meg
~/httprobe
~/smuggler
~/masscan
~/dnmasscan
~/brutespray
```
Make sure all tools are correctly installed and have execute permissions (`chmod +x`).

If you face any issues, feel free to open a PR or a bug report.
- `Sublist3r` replaced with `subfinder` based on a Twitter discussion
- `nmap` replaced with `masscan` based on its features
- `smuggler` forked from its original, aimed at a lightweight solution; includes this PR
- grep `meg`'s output for `Location` in order to exclude 301/302 status codes
- `altdns` used based on Scrutiny on the bug bounty
- WIP: you can track activity in the Projects To Do board
Acknowledgement: This code was created for personal use with hosts you are able to hack/explore under any of the known bug bounty programs. Use it at your own risk.