SUBDOMAIN RECONNAISSANCE
Automated Subdomain Enumeration using Bash Scripting.
Goal : Enumeration of a website's subdomains using bash scripting.
CONTENTS
a) Automated subdomain enumeration
b) Script modification technique
Key factors in the script :
1) Finding subdomains using subfinder, assetfinder & amass.
2) Checking which subdomains are alive using httprobe.
3) Taking screenshots of alive subdomains (gowitness).
4) Scanning alive subdomains using nmap.
Attacker machine : Kali Linux
Steps :
Start the Kali Linux machine and create a file with a .sh extension using nano.
Type or paste the following script into that file:
Script :-
#!/bin/bash
# Usage: ./script.sh <domain>
if [ -z "$1" ]; then
    echo -e "\033[1;31m[-] No domain provided. Usage: ./script.sh <domain>\033[0m"
    exit 1
fi
domain=$1
RED="\033[1;31m"
GREEN="\033[1;32m"
RESET="\033[0m"
# All results go under a directory named after the target domain.
subdomain_path="$domain/subdomains"
screenshot_path="$domain/screenshots"
scan_path="$domain/scans"
echo -e "${GREEN}[+] Setting up directories...${RESET}"
mkdir -p "$subdomain_path" "$screenshot_path" "$scan_path"
# Tool 1: subfinder. Its output overwrites found.txt, so every run starts clean.
echo -e "${RED}[+] Launching subfinder...${RESET}"
if subfinder -d "$domain" > "$subdomain_path/found.txt"; then
    echo -e "${GREEN}[+] Subfinder completed successfully.${RESET}"
else
    echo -e "${RED}[-] Subfinder failed. Check if it's installed and configured correctly.${RESET}"
    exit 1
fi
# Tool 2: assetfinder appends to found.txt. grep keeps only lines containing the target
# domain (dots unescaped, so it is a loose substring match). Because "if" tests the last
# command of the pipeline, a run that finds nothing is reported here as a failure.
echo -e "${RED}[+] Launching assetfinder...${RESET}"
if assetfinder "$domain" | grep "$domain" >> "$subdomain_path/found.txt"; then
    echo -e "${GREEN}[+] Assetfinder completed successfully.${RESET}"
else
    echo -e "${RED}[-] Assetfinder failed. Check if it's installed and configured correctly.${RESET}"
    exit 1
fi
# Merge the tools' results and drop duplicates in place.
echo -e "${GREEN}[+] Deduplicating subdomains...${RESET}"
sort -u "$subdomain_path/found.txt" -o "$subdomain_path/found.txt"
if [ ! -s "$subdomain_path/found.txt" ]; then
    echo -e "${RED}[-] No subdomains found. Exiting...${RESET}"
    exit 1
fi
# httprobe -prefer-https prints https://host for hosts answering over HTTPS; grep keeps those,
# sed strips the scheme so gowitness and nmap receive bare hostnames. Note that "if" only
# sees the exit status of sort (the last command), not of httprobe itself.
echo -e "${RED}[+] Finding alive subdomains...${RESET}"
if httprobe -prefer-https < "$subdomain_path/found.txt" | grep https | sed 's/https\?:\/\///' | sort -u > "$subdomain_path/alive.txt"; then
    echo -e "${GREEN}[+] Alive subdomains identified.${RESET}"
else
    echo -e "${RED}[-] Failed to find alive subdomains. Check if httprobe is installed.${RESET}"
    exit 1
fi
if [ ! -s "$subdomain_path/alive.txt" ]; then
    echo -e "${RED}[-] No alive subdomains found. Exiting...${RESET}"
    exit 1
fi
# gowitness: -f is the input list, -P the screenshot directory, --no-http tries HTTPS only.
echo -e "${RED}[+] Taking screenshots of alive subdomains...${RESET}"
if gowitness file -f "$subdomain_path/alive.txt" -P "$screenshot_path" --no-http; then
    echo -e "${GREEN}[+] Screenshots taken successfully.${RESET}"
else
    echo -e "${RED}[-] Failed to take screenshots. Check if gowitness is installed.${RESET}"
    exit 1
fi
# Full TCP port range (-p-) with service/OS detection (-A) on every alive host.
# This is the slowest step by far on a large list of hosts.
echo -e "${RED}[+] Running nmap on alive subdomains...${RESET}"
if nmap -iL "$subdomain_path/alive.txt" -T4 -A -p- -oN "$scan_path/nmap.txt"; then
    echo -e "${GREEN}[+] Nmap scan completed successfully.${RESET}"
else
    echo -e "${RED}[-] Nmap scan failed. Check if nmap is installed.${RESET}"
    exit 1
fi
Save the file and give it executable permissions (chmod +x script.sh).
Run the bash script with the target domain as its argument (./script.sh tesla.com).
Once the reconnaissance is complete, check all the data in the tesla.com directory and move on to
further enumeration.
[Figure: Live subdomains]
[Figure: Screenshots of subdomains]
____________________________
SCRIPT MODIFICATION TECHNIQUE:
Note : Modify the bash script according to your own set of tools. To add as many tools as you
want, copy and paste the following part of the script once per tool and change it to the
command you use to run that tool:
Script segment :
---------------------------------------------------
echo -e "${RED}[+] Launching assetfinder...${RESET}"
if assetfinder "$domain" | grep "$domain" >> "$subdomain_path/found.txt"; then
    echo -e "${GREEN}[+] Assetfinder completed successfully.${RESET}"
else
    echo -e "${RED}[-] Assetfinder failed. Check if it's installed and configured correctly.${RESET}"
    exit 1
fi
---------------------------------------------------------------------------------------
Process to change the script :
In line 1 replace 'assetfinder' with your tool name.
In line 2 replace 'assetfinder "$domain"' with the command you use for scanning.
Example :
If we scan using subfinder then we use 'subfinder -d tesla.com', and to add this command to the
script we write 'subfinder -d "$domain"'.
In line 3 replace "Assetfinder" with your tool name.
In line 4 replace "Assetfinder" with your tool name.
After modification, paste the segment below the 'fi' of the assetfinder block.
You have now successfully added your desired tool to the script.
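The same add-a-tool pattern as a single reusable function, written here as an added example (not part of the original write-up or its script): each tool becomes one line, a tool that is not installed is skipped instead of aborting the run, a filter that finds nothing is not treated as a failure, and only hosts that really belong to the target domain are kept. It assumes each tool prints one host per line on stdout.

```shell
#!/bin/bash
# Added example: one wrapper replacing the copy-pasted "Launching <tool>" blocks.
# Assumptions: tools print one host per line; a missing tool is skipped, not fatal.
RED="\033[1;31m"; GREEN="\033[1;32m"; RESET="\033[0m"

# run_enum_tool NAME OUTFILE DOMAIN CMD [ARGS...]
# Runs CMD, keeps only DOMAIN and its subdomains, appends them to OUTFILE.
# Returns 0 when the tool ran (even with zero hits), 2 if it is not installed,
# 1 if it exited non-zero.
run_enum_tool() {
    local name="$1" outfile="$2" domain="$3" tmp esc; shift 3
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%b[-] %s not found in PATH, skipping.%b\n' "$RED" "$name" "$RESET" >&2
        return 2
    fi
    printf '%b[+] Launching %s...%b\n' "$GREEN" "$name" "$RESET" >&2
    tmp=$(mktemp)
    if ! "$@" > "$tmp" 2>/dev/null; then
        printf '%b[-] %s exited with an error.%b\n' "$RED" "$name" "$RESET" >&2
        rm -f "$tmp"; return 1
    fi
    # Escape dots so "example.com" does not also match "examplexcom".
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    # Strip schemes and trailing blanks, then keep "<domain>" or "<x>.<domain>" only:
    # "notexample.com" and "example.com.evil.net" are rejected. No match is not an error.
    sed -e 's#^https\{0,1\}://##' -e 's/[[:space:]]*$//' "$tmp" \
        | grep -iE "(^|\.)${esc}$" >> "$outfile" || true
    rm -f "$tmp"
}

# dedupe_hosts FILE: lowercase and unique, rewritten in place.
dedupe_hosts() {
    tr 'A-Z' 'a-z' < "$1" | sort -u > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_hosts FILE: number of non-empty lines (prints 0 for an empty file).
count_hosts() { grep -c . "$1" || true; }

# Same two tools as the original script; adding a tool is adding one line.
if [ $# -eq 1 ]; then
    domain="$1"; out="$domain/subdomains/found.txt"
    mkdir -p "$domain/subdomains" && : > "$out"
    run_enum_tool subfinder   "$out" "$domain" subfinder -d "$domain"
    run_enum_tool assetfinder "$out" "$domain" assetfinder "$domain"
    dedupe_hosts "$out"
    printf '%b[+] %s unique hosts written to %s%b\n' "$GREEN" "$(count_hosts "$out")" "$out" "$RESET"
fi
```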
Good luck.
_________________
Akash