Rock-ON – An All In One Recon Tool That Will Just Get A Single Entry Of The Domain Name And Do All Of The Work Alone

Rock-On is an all-in-one recon tool that will help give your recon process a boost. It is mainly aimed at automating the whole recon process and saving the time that is wasted doing all of this manually. A thorough blog post will be up in some time. Stay tuned for the stable version with a UI.

Features
- Sub domain scraping
- Finding A.S.N -> Netblocks -> IPs
- Resolving
- Finding ports
- Finding VHosts
- Finding directories
- Finding sub takeovers
- Asset tracker with live monitoring
- Push notifications to Slack
- Finding JS links, then relative links in them and some sensitive files
- Active and passive crawling

Recommendation
Machine configuration: Debian 9.4, 4 GB RAM on DigitalOcean. It is best to run this tool on a new, fresh VPS.

For Censys: set the API and SECRET KEY in sub.sh unless you want to set them again and again. For removing:
1. Delete lines 13-18
2. Then set your API and SECRET KEY on lines 47 & 48 like this: export CENSYS_API_ID=your_key_here

For getting notifications on Slack: change the webhook address to your own in sub.sh, ASN.sh and Tools/sublert/config.py to get notified while you do your other work. For changing:
1. Replace the webhook address at line 113 in sub.sh and line 15 in ASN.sh
2. Replace the webhook address in Tools/sublert/config.py
AND follow @yassineaboukir's guide to configure Slack for sublert, and also to create a webhook address for sub.sh and ASN.sh, here: https://medium.com/@yassineaboukir/automated-monitoring-of-subdomains-for-fun-and-profit-release-of-sublert-634cfc5d7708

Tools Added
Thanks to all the authors who have written these scripts and made a huge contribution to the great community. A big shout-out to @ehsahil for his blog on recon, which helped me a lot while making this tool and taking examples for the repository.

Sublist3r, Knock, Subfinder, Censys, Amass, CT Logs, CTFR, Wayback, San Domains, AltDns, NMAP, Masscan, MassDNS, Sublert, Aquatone, Vhost, Rapid7 FDNS DB, AWS-CLI, Dirsearch, more to be added…

Requirements
Go language. Install it by the following method:
    wget https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz
    tar -C /usr/local -xzf go1.12.5.linux-amd64.tar.gz
    rm -f go1.12.5.linux-amd64.tar.gz
    nano ~/.profile
Add these lines:
    export PATH=$PATH:/usr/local/go/bin
    export GOROOT=/usr/local/go

Installation
Note: for a new, fresh VPS run these commands first:
    sudo apt-get upgrade && sudo apt-get update && sudo apt-get install git
    git clone https://github.com/SilverPoision/Rock-ON.git
    cd Rock-ON
    chmod +x rockon.sh
    ./rockon.sh
Also don't forget to configure your AWS credentials by running:
    aws configure

Usage
    ./rockon.sh
Enter your choice and then the required information.

Screenshot
Note: run the command below when running the 4th option for the first time:
    gem install colorize

Give Rock-On some Love
If this tool was useful to you during your recon stages, I would love to know. Any suggestions or ideas for this tool are appreciated; just DM me on Facebook or Twitter.

Download Rock-ON

Link: http://www.kitploit.com/2019/07/rock-on-all-in-one-recon-tool-that-will.html

Horn3t – Powerful Visual Subdomain Enumeration At The Click Of A Mouse

Horn3t is your Nr #1 tool for exploring subdomains visually. Building on the great Sublist3r framework (or extensible with your favorite one), it searches for subdomains and generates awesome picture previews. Get a fast overview of your target with HTTP status codes, add custom found subdomains and directly access found URLs with one click.
- Recon your targets at blazing speed
- Enhance your productivity by focusing on interesting-looking sites
- Enumerate critical sites immediately
- Sting your target

Installation
1. Install Google Chrome
2. Install requirements.txt with pip3
3. Install requirements.txt of sublist3r with pip3
4. Put the directory within the web server of your choice
5. Make sure to have the right permissions
6. Run horn3t.py
Or alternatively use the install.sh file with Docker. Afterwards you can access the web portal under http://localhost:1337

Todo
- Better scaling on Firefox
- Add Windows Dockerfile
- Direct Nmap support per click on a subdomain
- Direct Dirb support per click on a subdomain
- Generate PDF reports of found subdomains
- Assist with subdomain takeover

Credits
- aboul3la: the creator of Sublist3r; turbolist3r adds some features but is otherwise a near clone of sublist3r.
- TheRook: the bruteforce module was based on his script subbrute.
- bitquark: the subbrute wordlist was based on his research dnspop.

Tested on Windows 10 and Debian with Google Chrome/Chromium 73.

Download Horn3t

Link: http://www.kitploit.com/2019/05/horn3t-powerful-visual-subdomain.html

Osmedeus – Fully Automated Offensive Security Tool For Reconnaissance And Vulnerability Scanning

Osmedeus allows you to automatically run a collection of awesome tools for reconnaissance and vulnerability scanning against the target.

How to use
If you have no idea what you are doing, just type the command below or check out the Advanced Usage.
    ./osmedeus.py -t example.com

Installation
    git clone https://github.com/j3ssie/Osmedeus
    cd Osmedeus
    ./install.sh
This install only focuses on Kali Linux; check the Wiki page for more install options.

Features
- Subdomain Scan.
- Subdomain TakeOver Scan.
- Screenshot the target.
- Basic recon like Whois, Dig info.
- Web Technology detection.
- IP Discovery.
- CORS Scan.
- SSL Scan.
- Headers Scan.
- Port Scan.
- Vulnerable Scan.
- Separate workspaces to store all scan output and detailed logging.
- REST API.
- React Web UI.
- Slack notifications.

Demo
Screenshots
Contact: @j3ssiejjj

Download Osmedeus

Link: http://feedproxy.google.com/~r/PentestTools/~3/62_7K6wE8Hk/osmedeus-fully-automated-offensive_27.html

Zeebsploit – Web Scanner / Exploitation / Information Gathering

zeebsploit is a tool for hacking, searching for web information and scanning vulnerabilities of a web site.

Installation & Usage
    apt-get install git
    git clone https://github.com/jaxBCD/Zeebsploit.git
    cd Zeebsploit
    chmod +x install
    ./install
    python3 zeebsploit.py
Type 'help' to show modules and follow the instructions.

Modules

[Main modules]
+----------+-------------------------------+
| Modules  | Description                   |
+----------+-------------------------------+
| Exploit  | Exploitation Modules          |
| Scanners | Scanners Modules              |
| infoga   | information Gathering Modules |
+----------+-------------------------------+

[Exploit Modules]
+---------------------------+--------------------------------------------------+
| Modules                   | Description                                      |
+---------------------------+--------------------------------------------------+
| wp content injection      | wordpress content injection version 4.7 or 4.7.1 |
| wp revslider              | wordpress plugin revslider remote file upload    |
| wp learndash              | wordpress learndash remote file upload           |
| wp swhobiz                | wordpress plugin showbiz remote file upload      |
| joomla com fabrik         | joomla component fabrik file upload              |
| joomla manager get config | joomla component manager auto get config         |
| joomla jdownload          | joomla component jdownloads remote file upload   |
| joomla                    | Joomla ads manager component auto shell upload   |
| apache struts rce         | CVE: 2017-5638 - Apache Struts2 S2-045           |
|                           | remote command execution                         |
| drupal8 rce               | drupal version 8 remote command execution        |
| dvr cam leak credential   | TBK DVR4104 / DVR4216                            |
|                           | - Credentials Leak (Get User and password)       |
| webdav file upload        | Nothing                                          |
| ---More---                | Coming Soon the following version                |
+---------------------------+--------------------------------------------------+

[Scanner Module]
+--------------------+----------------------------------------+
| Modules            | Description                            |
+--------------------+----------------------------------------+
| subdomain scanner  | Scan Subdomain for Web                 |
| sqli scanner       | Scan Sql Injection Vulnerability       |
| xss scanner        | Scan XSS Injection Vulnerability       |
| lfi scanner        | Local File Includes Scanner etc/passwd |
| admin login finder | Scan Admin Login page                  |
| directory scanner  | scan directory on web using dirhunt    |
| subdomain takeover | scan type subdomain takeover           |
| ---More---         | Coming Soon the following version      |
+--------------------+----------------------------------------+

[Information Gathering]
+--------------------+------------------------------------------+
| Modules            | Description                              |
+--------------------+------------------------------------------+
| cms detector       | a tool for detecting cms on a web        |
| port scanner       | Scan Open Port using Nmap                |
| information header | response header information              |
| ip geolocation     | detect the location of an ip or host     |
| email searcher     | searching email from web                 |
| traceroute         | to show the route the packet has passed  |
| robot.txt detector | Scan Robot.txt from Web                  |
| header information | Response Header Checker                  |
| whois lookup       | looking for registered users or          |
|                    | recipients of Internet resource rights   |
| ---More---         | Coming Soon the following version        |
+--------------------+------------------------------------------+

Join Team: [Click This]
Contact: [Contact]

Download Zeebsploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/9xaMRbIv1Dk/zeebsploit-web-scanner-exploitation.html

Link: http://feedproxy.google.com/~r/PentestTools/~3/RZKskKnsCFU/zeebsploit-web-scanner-exploitation_10.html

Osmedeus – Fully Automated Offensive Security Tool For Reconnaissance And Vulnerability Scanning

Osmedeus allows you to automatically run a collection of awesome tools for reconnaissance and vulnerability scanning against the target.

How to use
If you have no idea what you are doing, just type the command below or check out the Advanced Usage.
    ./osmedeus.py -t example.com

Installation
    git clone https://github.com/j3ssie/Osmedeus
    cd Osmedeus
    ./install.sh
This install only focuses on Kali Linux; check the Wiki page for more install options.

Features
- Subdomain Scan.
- Subdomain TakeOver Scan.
- Screenshot the target.
- Basic recon like Whois, Dig info.
- IP Discovery.
- CORS Scan.
- SSL Scan.
- Headers Scan.
- Port Scan.
- Vulnerable Scan.
- Separate workspaces to store all scan output and detailed logging.
- REST API.
- SPA Web UI.
- Slack notifications.

Demo
Screenshots
Contact: @j3ssiejjj

Download Osmedeus

Link: http://feedproxy.google.com/~r/PentestTools/~3/DCeXRDXo4J0/osmedeus-fully-automated-offensive.html

Osmedeus – Automatic Reconnaisance And Scanning In Penetration Testing

Automatic Reconnaissance and Scanning in Penetration Testing

What is Osmedeus?
Osmedeus lets you do the boring parts of pentesting, such as reconnaissance and scanning the target, automatically by running a collection of awesome tools.

Installation
    git clone https://github.com/j3ssie/Osmedeus
    cd Osmedeus
    chmod +x install.sh
    ./install.sh

How to use
Run the normal routine, which includes Subdomain Scanning, Subdomain TakeOver Scanning, Port Scanning and taking a screenshot of the target:
    ./osmedeus.py -t example.com
Scan subdomains and Subdomain TakeOver:
    ./osmedeus.py -m subdomain -t example.com
Git repo scanning:
    ./osmedeus.py -m git --git https://github.com/whatever/repo
Do some stuff with a Burp state file:
    ./osmedeus.py -m burp -t example.com --burp yourburpstate.xml

Available modules, with the list of tools being used
- Subdomain Scanning: amass, subfinder, massdns
- Subdomain TakeOver Scanning: subjack, SubOver
- Port Scanning and ScreenShot of the target: aquatone, EyeWitness, masscan
- Git repo scanning: truffleHog, gitrob
- Doing some stuff with a Burp state file: sqlmap, SleuthQL, LinkFinder

Demo
Contact: @j3ssiejjj

Download Osmedeus

Link: http://feedproxy.google.com/~r/PentestTools/~3/WSk0NzgPyq8/osmedeus-automatic-reconnaisance-and.html

TakeOver v1 – Extracts CNAME Record Of All Subdomains At Once

What is Subdomain Takeover?
Subdomain takeover is a class of vulnerability where a subdomain points to an external service that has been deleted. The external services are GitHub, Heroku, GitLab, Tumblr and so on. Let's assume we have a subdomain sub.example.com that points to an external service such as GitHub. If the GitHub page is removed by its owner and the owner forgets to remove the DNS entry that points to the GitHub service, an attacker can simply take over the subdomain by adding a CNAME file containing sub.example.com.

Here is the command that checks the CNAME record of a subdomain:
    $ dig CNAME apt.shopify.com
    -> apt.shopify.com.s3-website-us-east-1.amazonaws.com.

How can the TakeOver script help bug bounty hunters?
There are a lot of sites with thousands of subdomains, and it is really hard to check each subdomain. Here we have a script that shows the CNAME record for each domain. It takes a file name as input, performs some actions and finally produces its output, which shows the CNAME record for each domain. The input file should contain a list of subdomains.

How can I recognise if the subdomain is vulnerable to subdomain takeover?
There are some fingerprints that should be analysed when a service is deleted and the DNS entry remains as it is. The attacker gets an error such as "There isn't a Github Pages site here." when visiting the vulnerable subdomain; view the image below for more detail. Security researcher @edoverflow has listed all services and their fingerprints. For more detail visit https://github.com/EdOverflow/can-i-take-over-xyz

YouTube

Download TakeOver-v1
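The check described above (CNAME lookup, then compare the HTTP error page against the known service fingerprints) as an added defender-side audit, not the TakeOver v1 script itself. It parses `dig` answer output for CNAME records and flags entries in your own zone whose target belongs to a known hosting service and whose page shows that service's "gone" fingerprint. The GitHub Pages wording comes from the post; the S3 and Heroku patterns and fingerprints are assumptions taken from the can-i-take-over-xyz list the post references, and all sample data is constructed.

```python
import re

# Assumed service patterns: (regex on the CNAME target, fingerprint string that the
# service returns when the resource behind the target no longer exists).
SERVICE_FINGERPRINTS = {
    "github-pages": (re.compile(r"\.github\.io$"), "There isn't a GitHub Pages site here."),
    "aws-s3": (re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$"), "NoSuchBucket"),
    "heroku": (re.compile(r"\.herokuapp\.com$"), "No such app"),
}

# One answer-section line of `dig CNAME name`: "<owner>. <ttl> IN CNAME <target>."
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$")


def parse_dig_cname(dig_output: str) -> dict:
    """Return {owner: target} for every CNAME answer line (trailing dots removed)."""
    records = {}
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records[m.group(1).rstrip(".").lower()] = m.group(2).rstrip(".").lower()
    return records


def classify(cname, body):
    """Map one subdomain's CNAME target and HTTP body to (service, verdict).

    Verdicts: no-cname (nothing to take over), unmanaged (target is not a known
    third-party service), live (service still serves content), dangling (the
    target matches a service and the page shows that service's fingerprint).
    """
    if cname is None:
        return None, "no-cname"
    for service, (pattern, fingerprint) in SERVICE_FINGERPRINTS.items():
        if pattern.search(cname):
            gone = fingerprint.lower() in (body or "").lower()
            return service, ("dangling" if gone else "live")
    return None, "unmanaged"


def audit(subdomains, cname_map, fetch_body):
    """Classify every subdomain in the list; fetch_body(sub) returns its HTTP body."""
    report = {}
    for sub in subdomains:
        sub = sub.strip().lower()
        cname = cname_map.get(sub)
        body = fetch_body(sub) if cname else ""
        report[sub] = classify(cname, body)
    return report


# Constructed sample data (not real observations) so the example runs offline.
SAMPLE_DIG = """\
; <<>> DiG 9.16 <<>> CNAME apt.example.com
apt.example.com.    300  IN  CNAME  apt.example.com.s3-website-us-east-1.amazonaws.com.
docs.example.com.   300  IN  CNAME  example-org.github.io.
app.example.com.    300  IN  CNAME  example-app.herokuapp.com.
mail.example.com.   300  IN  CNAME  mx.example.net.
"""
SAMPLE_BODIES = {
    "apt.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<h1>Welcome to our docs</h1>",
    "app.example.com": "<title>No such app</title>",
    "mail.example.com": "",
}
SAMPLE_LIST = ["apt.example.com", "docs.example.com", "app.example.com",
               "mail.example.com", "www.example.com"]

if __name__ == "__main__":
    for sub, (svc, verdict) in audit(SAMPLE_LIST, parse_dig_cname(SAMPLE_DIG),
                                     SAMPLE_BODIES.get).items():
        print(f"{sub:20} {verdict:10} {svc or '-'}")
```

In real use, replace the constructed samples with the CNAME output for your own zone and a fetch function that requests each subdomain over HTTPS, and treat every "dangling" row as a DNS record to delete or re-point.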

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZHQM026H0rI/takeover-v1-extracts-cname-record-of.html

SubScraper – External Pentest Tool That Performs Subdomain Enumeration Through Various Techniques

SubScraper uses DNS brute force, Google & Bing scraping, and VirusTotal to enumerate subdomains without an API. Written in Python3, SubScraper performs HTTP(S) requests and DNS "A" record lookups during the enumeration process to validate discovered subdomains. This provides further information to help prioritize targets and aid in potential next steps. Post-enumeration, "CNAME" lookups are displayed to identify subdomain takeover opportunities.

Usage
    python3 subscraper.py example.com
    python3 subscraper.py -t 5 -o csv example.com

Options
    -s             Only use internet to find subdomains
    -b             Only use DNS brute forcing to find subdomains
    -o OUTFILE     Define output file type: csv/txt (Default: None)
    -t MAX_THREADS Max threads (Default: 10)
    -w SUBLIST     Custom subdomain wordlist

Download SubScraper

Link: http://feedproxy.google.com/~r/PentestTools/~3/N7uapcTydU0/subscraper-external-pentest-tool-that.html

SubFinder – A Subdomain Discovery Tool That Discovers Valid Subdomains For Websites

SubFinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is aimed as a successor to the sublist3r project. SubFinder uses passive sources, search engines, pastebins, internet archives, etc. to find subdomains, and then uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind, making it easy to add functionality and remove errors.

We have designed SubFinder to comply with all passive sources' licenses and usage restrictions, and have maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Features
- Simple and modular code base, making it easy to contribute.
- Fast and powerful bruteforcing module
- Powerful permutation generation engine. (In Development)
- Many passive data sources (30 at present)
- Multiple output formats

Sources: Ask, Archive.is, Baidu, Bing, Censys, CertDB, CertSpotter, CrtSH, DnsDB, DNSDumpster, Dogpile, Entrust CT-Search, Exalead, FindSubdomains, GoogleTER, Hackertarget, IPv4Info, Netcraft, PassiveTotal, PTRArchive, Riddler, SecurityTrails, SiteDossier, Shodan, SSL Certificates, ThreatCrowd, ThreatMiner, Virustotal, WaybackArchive, Yahoo

Usage
    ./subfinder -h
This will display help for the tool. Here are all the switches it supports.

Flag              | Description                                              | Example
------------------+----------------------------------------------------------+----------------------------------------------------
-b                | Use bruteforcing to find subdomains                      | ./subfinder -d example.com -b
-c                | Don't show colored output                                | ./subfinder -c
-d                | Domain to find subdomains for                            | ./subfinder -d example.com
-dL               | List of domains to find subdomains for                   | ./subfinder -dl hosts.txt
-nW               | Remove wildcard subdomains                               | ./subfinder -nw
-o                | Name of the output file (Optional)                       | ./subfinder -o output.txt
-oT               | Write output in Aquatone style JSON format (Requires -nW) | ./subfinder -o output.txt -nw -oA
-oJ               | Write output in JSON format                              | ./subfinder -o output.json -oJ
-oD               | Output to directory (When using multiple hosts)          | ./subfinder -od ~/misc/out/
-r                | Comma-separated list of resolvers to use                 | ./subfinder -r 8.8.8.8,1.1.1.1
-rL               | File containing list of resolvers to use                 | ./subfinder -rL resolvers.txt
--recursive       | Use recursive subdomain finding (default: true)          | ./subfinder --recursive
--set-config      | Sets a configuration option                              | ./subfinder --set-config example=something
--set-settings    | Sets a setting option                                    | ./subfinder --set-settings CensysPages=10
--no-passive      | Do not perform passive subdomain enumeration             | ./subfinder -d freelancer.com --no-passive
--silent          | Show only the subdomains found                           | ./subfinder --silent
--sources         | Comma separated list of sources to use (optional)        | ./subfinder --sources threatcrowd,virustotal
--exclude-sources | Comma separated list of sources not to use (optional)    | ./subfinder --exclude-sources threatcrowd,virustotal
-t                | Number of concurrent threads (Bruteforce)                | ./subfinder -t 10
--timeout         | Seconds to wait until quitting connection                | ./subfinder --timeout 10
-v                | Display verbose output                                   | ./subfinder -v
-w                | Wordlist for doing bruteforcing and permutation          | ./subfinder -w words.txt

Installation Instructions

Direct Installation
SubFinder requires go1.10+ to install successfully! The installation is easy. Git clone the repo and run go build:
    go get github.com/subfinder/subfinder

Upgrading
If you wish to upgrade the package you can use:
    go get -u github.com/subfinder/subfinder

Running in a Docker Container
Git clone the repo, then build and run subfinder in a container with the following commands.
Clone the repo using:
    git clone https://github.com/subfinder/subfinder.git
Build your docker container:
    docker build -t subfinder .
After building the container, run the following:
    docker run -it subfinder
The above command is the same as running -h.
NOTE: please follow the Post Install steps given after this to correctly configure the tool.
For example, this runs the tool against uber.com and outputs the results to your host file system:
    docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d uber.com > uber.com.txt

Post Installation Instructions
Subfinder will work after following the installation instructions; however, to configure Subfinder to work with certain services, you will need to have set up API keys. The following services do not work without an API key:
- Virustotal
- Passivetotal
- SecurityTrails
- Censys
- Riddler
- Shodan

These are the configuration options you have to specify via the command line:
- VirustotalAPIKey
- PassivetotalUsername
- PassivetotalKey
- SecurityTrailsKey
- RiddlerEmail
- RiddlerPassword
- CensysUsername
- CensysSecret
- ShodanAPIKey

These values are stored in the $HOME/.config/subfinder/config.json file, which will be created when you run the tool for the first time. To configure the services to use an API key, you need to use the tool with the --set-config option, which allows you to set a configuration option. For example:
    ./subfinder --set-config VirustotalAPIKey=0x41414141
    ./subfinder --set-config PassivetotalUsername=hacker,PassivetotalKey=supersecret

If you are using docker, you need to first create the directory structure holding the subfinder configuration file. You can either run the binary on your host system and let it create the directory structure and files, after which you can use the --set-config flag to set the API values as before, or you can run:
    mkdir $HOME/.config/subfinder
    cp config.json $HOME/.config/subfinder/config.json
    nano $HOME/.config/subfinder/config.json
After that, you can pass it as a volume using the following sample command:
    sudo docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d freelancer.com
Now you can also pass --set-config inside docker to change the configuration options.

Running Subfinder
To run the tool on a target, just use the following command:
    ./subfinder -d freelancer.com
This will run the tool against freelancer.com. There are a number of configuration options that you can pass along with this command. The verbose switch (-v) can be used to display verbose information.
    [CERTSPOTTER] www.fi.freelancer.com
    [DNSDUMPSTER] hosting.freelancer.com
    [DNSDUMPSTER] support.freelancer.com
    [DNSDUMPSTER] accounts.freelancer.com
    [DNSDUMPSTER] phabricator.freelancer.com
    [DNSDUMPSTER] cdn1.freelancer.com
    [DNSDUMPSTER] t1.freelancer.com
    [DNSDUMPSTER] wdc.t1.freelancer.com
    [DNSDUMPSTER] dal.t1.freelancer.com
The -o switch can be used to specify an output file:
    ./subfinder -d freelancer.com -o output.txt
You can also get output in JSON format using the -oJ switch. The --silent switch can be used to show only the subdomains found, without any other info. The --set-config switch can be used to set the value of any configuration option as explained above in the readme.

You can also pass some special settings to the tool through the command line by using the --set-settings flag. For example, you can pass the number of Censys pages to check using the following command:
    ./subfinder -d freelancer.com --sources censys --set-settings CensysPages=2 -v
For checking all pages returned by Censys, you can use the "all" option. Note that it is a string.

These are the settings currently supported:
- CensysPages
- AskPages
- BaiduPages
- BingPages

For using the bruteforcing capabilities, you can use the -b flag with the -w option to specify a wordlist:
    ./subfinder -d freelancer.com -b -w jhaddix_all.txt -t 100 --sources censys --set-settings CensysPages=2 -v
You can also write output in the JSON format used by Aquatone:
    ./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v
You can specify custom resolvers too:
    ./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -r 8.8.8.8,1.1.1.1
    ./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -rL resolvers.txt
If you want to do bruteforce only and do not want to run the passive subdomain discovery engine, you can use the --no-passive flag, which skips passive discovery. You can use this to run plain bruteforce, etc.:
    ./subfinder -d freelancer.com --no-passive -v -b -w ~/dnslist.txt

Download SubFinder

Link: http://feedproxy.google.com/~r/PentestTools/~3/58lFnCeg94M/subfinder-subdomain-discovery-tool-that.html