Run the command via automation:
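Dirsearch() {
  # Run the dirsearch directory brute-forcer against one target.
  # Arguments: $1 - target URL (passed to -u)
  #            $2 - value for dirsearch's -t option (the original comment
  #                 only says "no. of"; presumably the thread count — confirm)
  #            $3 - extension(s) passed to -e
  # All three arguments are required; they are quoted so an empty or
  # space-containing value is passed through instead of vanishing.
  # Note: the interpreter is "python3" — command lookup is case-sensitive
  # on Linux, so the original "Python3" would not be found.
  local url=$1 threads=$2 ext=$3
  python3 ~/tools/dirsearch/dirsearch.py -u "$url" -t "$threads" -e "$ext"
}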
Bash program for automation → `nano auto.sh`
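#!/usr/bin/env bash
# auto.sh — list the subdomains that the `crtsh` helper finds for an apex
# domain, append them to a recon list, and save each host's HTTP response
# headers to its own file.
#
# Usage:    auto.sh <apex-domain>
# Requires: crtsh on PATH (prints one hostname per line), curl, tee.
# NOTE(review): the /Desktop and /Path output directories are absolute paths
# copied from the original; presumably they were meant to sit under $HOME
# and they must exist before the script runs — confirm before use.

readonly STAMP=22-6-2020   # date suffix the original hard-coded into filenames

main() {
  local apex=${1:-}
  if [[ -z "$apex" ]]; then
    printf 'usage: %s <apex-domain>\n' "${0##*/}" >&2
    return 2
  fi

  local host
  # Read crtsh's output line by line instead of word-splitting an unquoted
  # command substitution, so hostnames are never globbed or split.
  while IFS= read -r host; do
    [[ -n "$host" ]] || continue
    printf '%s\n' "$host" | tee -a "/Desktop/Recon/${apex}_${STAMP}.txt"
    # ${host} must be braced: the original "$domain_22-6-2020" expanded the
    # unset variable $domain_22, so every host wrote to the same file.
    curl -I -s "$host" | tee "/Path/Recon/curlout/${host}_${STAMP}.txt"
  done < <(crtsh "$apex")
}

main "$@"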
Web fuzzing for critical files and directories → `nano autoWebFuzz.sh`
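#!/usr/bin/env bash
# autoWebFuzz.sh — for every subdomain the `crtsh` helper finds, append the
# name to a recon list and run wfuzz with the author's file/directory wordlist
# against http://<host>/FUZZ, keeping only responses with status 200 (--sc 200).
#
# Usage:    autoWebFuzz.sh <apex-domain>
# Requires: crtsh on PATH (one hostname per line), wfuzz, tee, and the wordlist
#           /Path/Payloads/DirSrc_CritFile.txt.
# NOTE(review): /Desktop and /Path are absolute paths copied from the
# original; presumably they were meant to live under $HOME — confirm.

readonly STAMP=22-6-2020   # date suffix the original hard-coded into filenames

main() {
  local apex=${1:-}
  if [[ -z "$apex" ]]; then
    printf 'usage: %s <apex-domain>\n' "${0##*/}" >&2
    return 2
  fi

  local host
  # Line-oriented read instead of word-splitting an unquoted `crtsh` output.
  while IFS= read -r host; do
    [[ -n "$host" ]] || continue
    printf '%s\n' "$host" | tee -a "/Desktop/Recon/${apex}_${STAMP}.txt"
    # ${host} is braced on purpose: "$domain_22-6-2020" in the original named
    # the unset variable $domain_22, so all hosts shared one output file.
    wfuzz -c -z file,/Path/Payloads/DirSrc_CritFile.txt --sc 200 \
      "http://${host}/FUZZ" \
      | tee "/Desktop/Recon/WebFuzzFileDirout/${host}_${STAMP}.txt"
  done < <(crtsh "$apex")
}

main "$@"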
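certspotter() { # h/t Michiel Prins
  # Print the certificate-transparency hostnames certspotter knows under $1.
  # Arguments: $1 - apex domain
  # Outputs:   unique hostnames containing $1, one per line, with any
  #            leading wildcard "*." stripped
  # `jq -r` emits raw strings, which replaces the original sed that deleted
  # the surrounding quote characters. The domain is matched as a fixed string
  # (-F) so the dots in it are not treated as regex wildcards.
  local apex=$1
  curl -s "https://certspotter.com/api/v0/certs?domain=${apex}" \
    | jq -r '.[].dns_names[]' \
    | sed 's/\*\.//g' \
    | sort -u \
    | grep -F -- "$apex"
}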
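crtsh() {
  # Scrape crt.sh's HTML identity search for hostnames under $1.
  # Arguments: $1 - apex domain
  # Outputs:   unique hostnames, one per line; the apex itself and the bare
  #            "*.<apex>" wildcard are filtered out, blank lines dropped.
  # The URL is quoted because "?" is a glob character when left bare.
  # The sed replacement relies on GNU sed understanding "\n"; the grep
  # patterns are kept exactly as the original wrote them.
  local apex=$1
  curl -s "https://crt.sh/?Identity=%.${apex}" \
    | grep -- ">*.${apex}" \
    | sed 's/<[/]*[TB][DR]>/\n/g' \
    | grep -vE -- "<|^[\*]*[\.]*${apex}" \
    | sort -u \
    | awk 'NF'
}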
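dirsearch() { # runs dirsearch and takes host and extension as arguments
  # Arguments: $1 - target host/URL (passed to -u)
  #            $2 - extension(s) passed to -e
  # Thread count (-t 50) and the -b flag are fixed by the original; their
  # meaning is whatever this dirsearch version documents — not verified here.
  # Both arguments are quoted so values are passed through intact.
  local target=$1 ext=$2
  python3 /Path/tool/dirsearch/dirsearch.py -u "$target" -e "$ext" -t 50 -b
}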
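certnmap() {
  # Feed the hostnames certspotter lists under $1 into nmap.
  # Arguments: $1 - apex domain
  # The first five stages are the same pipeline as certspotter(), with
  # `jq -r` replacing the sed that stripped quote characters and `-F`
  # matching the domain literally.
  # NOTE(review): the trailing nmap options "-i - -$" are not a valid nmap
  # option list and look truncated by whatever extracted this page; they
  # are left as written — confirm the intended flags before relying on this.
  local apex=$1
  curl "https://certspotter.com/api/v0/certs?domain=${apex}" \
    | jq -r '.[].dns_names[]' \
    | sed 's/\*\.//g' \
    | sort -u \
    | grep -F -- "$apex" \
    | nmap -T5 -Pn -sS -i - -$
}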
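ipinfo() {
  # Query the ipinfo.io web API for $1 (an IP address) and print the raw
  # response body.
  # Arguments: $1 - IP address to look up
  # NOTE(review): the lookup goes over plaintext HTTP as in the original;
  # consider https so the queried addresses are not visible on the wire.
  local query=$1
  curl "http://ipinfo.io/${query}"
}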
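crtshdirsearch() { # gets all domains from crtsh, runs httprobe and then dir bruteforcers
  # Arguments: $1 - apex domain
  #            $2 - extension(s) passed to dirsearch -e
  # Pipeline: crt.sh JSON -> names (wildcard "*." stripped, de-duplicated)
  #           -> httprobe -> https URLs only -> one dirsearch run per URL.
  # NOTE: xargs execs a `dirsearch` program found on PATH; it cannot see the
  # shell function of the same name defined above. Install dirsearch as a
  # command (or export the function and call it through `bash -c`) first.
  local apex=$1 ext=$2
  curl -s "https://crt.sh/?q=%.${apex}&output=json" \
    | jq -r '.[].name_value' \
    | sed 's/\*\.//g' \
    | sort -u \
    | httprobe -c 50 \
    | grep https \
    | xargs -n1 -I{} dirsearch -u {} -e "$ext" -t 50 -b
}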
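s3ls() {
  # List the contents of the S3 bucket (or bucket/prefix) named in $1.
  # Arguments: $1 - bucket name, optionally followed by a key prefix
  local bucket=$1
  aws s3 ls "s3://${bucket}"
}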
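s3cp() {
  # Upload the local path $2 to the S3 bucket named in $1.
  # Arguments: $1 - destination bucket name
  #            $2 - local file to upload
  # Quoting keeps a source path with spaces intact.
  local bucket=$1 src=$2
  aws s3 cp "$src" "s3://${bucket}"
}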
Make a permanent tool:
sudo nano /bin/crtsh
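#!/usr/bin/env bash
# crtsh — print the hostnames crt.sh's HTML identity search lists under the
# apex domain given as $1 (same pipeline as the crtsh shell function).
#
# Usage:    crtsh <apex-domain>
# Requires: curl, grep, GNU sed (the "\n" replacement), sort, awk.

main() {
  local apex=${1:-}
  if [[ -z "$apex" ]]; then
    printf 'usage: %s <apex-domain>\n' "${0##*/}" >&2
    return 2
  fi
  # The URL is quoted because "?" is a glob character when left bare; the
  # grep patterns are the original author's and are kept unchanged.
  curl -s "https://crt.sh/?Identity=%.${apex}" \
    | grep -- ">*.${apex}" \
    | sed 's/<[/]*[TB][DR]>/\n/g' \
    | grep -vE -- "<|^[\*]*[\.]*${apex}" \
    | sort -u \
    | awk 'NF'
}

main "$@"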
sudo chmod +x /bin/crtsh
nano .profile — remove the crtsh function from here, then `source .profile`