#!/bin/bash
## Banner
#######################################
# Prints the SEF banner and credits to stdout.
# Arguments: none
# Outputs:   eleven lines (two blank, six lines of block art, one blank,
#            handles, title)
# Returns:   0
#######################################
banner() {
  # Quoted delimiter: nothing inside is expanded, so the art is emitted verbatim.
  cat <<'EOF'


 ░██████╗███████╗███████╗
 ██╔════╝██╔════╝██╔════╝
 ╚█████╗░█████╗░░█████╗░░
 ░╚═══██╗██╔══╝░░██╔══╝░░
 ██████╔╝███████╗██║░░░░░
 ╚═════╝░╚══════╝╚═╝░░░░░

 @remonsec @KathanP19
Subdomain Enumeration Framework
EOF
}
## Variables
# Defaults for the stage functions; the option parser overrides them with
# -r (resolver list), -w (wordlist) and --ac (amass config). Relative paths
# are taken from the current working directory.
list_resolver=resolvers.txt
list_wordlist=subdomains.txt
amass_config=~/.config/amass/config.ini
# Show the banner once at startup (independent of the assignments above).
banner
## Function
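#######################################
# Formats a duration in seconds as HH:MM:SS.
# Arguments: $1 - non-negative integer number of seconds; an empty or missing
#                 argument is treated as 0 instead of raising an arithmetic
#                 syntax error
# Outputs:   "HH:MM:SS" plus newline on stdout; hours are zero-padded to two
#            digits but not truncated beyond that
# Returns:   0
#######################################
format_time() {
  local -i total=${1:-0}
  # Locals replace the h/m/s globals the previous version leaked to the caller.
  local -i hours=$(( total / 3600 ))
  local -i minutes=$(( (total % 3600) / 60 ))
  local -i seconds=$(( total % 60 ))
  printf '%02d:%02d:%02d\n' "$hours" "$minutes" "$seconds"
}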
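#######################################
# Reports which of the external tools the pipeline relies on are on PATH.
# Globals:   PATH (read, via `type -P`)
# Arguments: none
# Outputs:   two blank lines, one "[*] <Name> YES ]" or "[*] <Name> NO ]" line
#            per tool in the order of the list below, then two blank lines
# Returns:   0 (a missing tool is only reported, never treated as an error)
#######################################
Tool_Check() {
  # Binary names and their display labels, kept in lockstep by index.
  local -a bins=(subfinder assetfinder findomain amass shuffledns massdns dnsgen anew httpx)
  local -a labels=(Subfinder Assetfinder Findomain Amass ShuffleDns Massdns DnsGen Anew Httpx)
  local -i i
  local state
  printf '\n\n'
  for (( i = 0; i < ${#bins[@]}; i++ )); do
    # `type -P` only consults PATH executables, ignoring aliases and functions.
    if type -P "${bins[i]}" &>/dev/null; then
      state=YES
    else
      state=NO
    fi
    printf '[*] %s %s ]\n' "${labels[i]}" "$state"
  done
  printf '\n\n'
}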
# Report tool availability once at startup; missing tools are not fatal here,
# the stage that needs one simply produces an empty file later.
Tool_Check
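#######################################
# Passive enumeration: runs subfinder, assetfinder, amass and findomain for
# $domain and merges their output into one unique, scope-filtered list.
# Globals:   domain (read), amass_config (read)
# Arguments: none
# Outputs:   progress line on stdout; writes passive.txt in the current
#            directory; the per-tool temporary files are removed
# Returns:   status of the final rm; aborts the script if $domain is empty
#######################################
Passive() {
  # Without a domain every tool below would run against an empty argument.
  : "${domain:?Passive: domain is not set (use -d)}"
  echo "[=] Running Passive Enumeration"
  subfinder -d "$domain" -o subfinder.txt &>/dev/null
  assetfinder --subs-only "$domain" | sort -u > assetfinder.txt
  amass enum -passive -norecursive -noalts -d "$domain" -config "$amass_config" -o amass.txt &>/dev/null
  findomain --quiet -t "$domain" -u findomain.txt &>/dev/null
  # -F is a literal substring match: any line containing ".$domain" passes,
  # not only hosts that end in it. cat (not multi-file grep) keeps filename
  # prefixes out of the stream.
  cat -- subfinder.txt assetfinder.txt amass.txt findomain.txt \
    | grep -F -- ".$domain" | sort -u > passive.txt
  rm -f -- subfinder.txt assetfinder.txt amass.txt findomain.txt
}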
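#######################################
# Active enumeration: resolves wordlist candidates for $domain with shuffledns
# and keeps the in-scope results, minus any leading wildcard marker.
# Globals:   domain, list_wordlist, list_resolver (read)
# Arguments: none
# Outputs:   progress line on stdout; writes active.txt in the current directory
# Returns:   status of the final rm; aborts the script if $domain is empty
#######################################
Active() {
  : "${domain:?Active: domain is not set (use -d)}"
  echo "[=] Running Active Enumeration"
  shuffledns -d "$domain" -w "$list_wordlist" -r "$list_resolver" -o active_tmp.txt &>/dev/null
  # Anchored to the line start with the dot escaped, so only a literal
  # leading "*." is stripped; the unanchored `*.` pattern also removed "*"
  # plus whatever character followed it anywhere in the line.
  grep -F -- ".$domain" active_tmp.txt | sed 's/^\*\.//' > active.txt
  rm -f -- active_tmp.txt
}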
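#######################################
# Merges active.txt and passive.txt, de-duplicates, and pipes the union through
# shuffledns with the resolver list; the hosts it emits become active_passive.txt.
# Globals:   domain, list_resolver (read)
# Arguments: none
# Outputs:   progress line on stdout; writes active_passive.txt; removes
#            active.txt and passive.txt afterwards
# Returns:   status of the final rm; aborts the script if $domain is empty
#######################################
ActPsv() {
  : "${domain:?ActPsv: domain is not set (use -d)}"
  echo "[=] Collecting Active & Passive Enum Result"
  # cat rather than multi-file grep so no filename prefixes enter the stream.
  cat -- active.txt passive.txt | grep -F -- ".$domain" | sort -u \
    | shuffledns -d "$domain" -r "$list_resolver" -o active_passive.txt &>/dev/null
  rm -f -- active.txt passive.txt
}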
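#######################################
# Permutation enumeration with dnsgen + shuffledns. Two rounds run when
# active_passive.txt has at most 50 lines, one round for 51-100 lines and
# none above that (the candidate set grows quickly with input size).
# Globals:   domain, list_resolver (read)
# Arguments: none
# Outputs:   progress line on stdout; writes permute.txt only when a round ran;
#            temporary round files are removed
# Returns:   status of the chosen branch's last command; aborts the script if
#            $domain is empty
#######################################
Permute() {
  : "${domain:?Permute: domain is not set (use -d)}"
  local -ri dual_max=50 single_max=100
  local -i count=0
  # Count the input once instead of re-reading it in every branch; a missing
  # file counts as 0, which matches the old `cat | wc -l` result.
  [[ -f active_passive.txt ]] && count=$(wc -l < active_passive.txt)
  if (( count <= dual_max )); then
    echo "[=] Running Dual Permute Enumeration"
    dnsgen active_passive.txt | shuffledns -d "$domain" -r "$list_resolver" -o permute1_tmp.txt &>/dev/null
    grep -F -- ".$domain" permute1_tmp.txt > permute1.txt
    # Second round feeds the first round's hits back into dnsgen.
    dnsgen permute1.txt | shuffledns -d "$domain" -r "$list_resolver" -o permute2_tmp.txt &>/dev/null
    grep -F -- ".$domain" permute2_tmp.txt > permute2.txt
    cat -- permute1.txt permute2.txt | grep -F -- ".$domain" | sort -u > permute.txt
    rm -f -- permute1.txt permute1_tmp.txt permute2.txt permute2_tmp.txt
  elif (( count <= single_max )); then
    echo "[=] Running Single Permute Enumeration"
    dnsgen active_passive.txt | shuffledns -d "$domain" -r "$list_resolver" -o permute_tmp.txt &>/dev/null
    grep -F -- ".$domain" permute_tmp.txt > permute.txt
    rm -f -- permute_tmp.txt
  else
    echo "[=] No Permutation"
  fi
}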
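#######################################
# Builds the final unique subdomain list from whichever stage outputs exist.
# Globals:   domain (read)
# Arguments: none
# Outputs:   progress line on stdout; writes sub.txt. Inputs that were never
#            produced (e.g. no active.txt in --quick mode) are skipped; the
#            2>/dev/null hides cat's complaint about them.
# Returns:   status of sort; aborts the script if $domain is empty
#######################################
SubFinal() {
  : "${domain:?SubFinal: domain is not set (use -d)}"
  echo "[=] Collecting Enumerated Final Result"
  cat -- active.txt passive.txt active_passive.txt permute.txt 2>/dev/null \
    | grep -F -- ".$domain" | sort -u > sub.txt
}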
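#######################################
# Moves every stage output into the result directory $dir.
# Globals:   dir (read)
# Arguments: none
# Outputs:   creates $dir; moves active.txt, passive.txt, active_passive.txt,
#            permute.txt, sub.txt and sub.httpx into it. Files that do not
#            exist are skipped quietly, so on the command line -o must come
#            AFTER --all/--quick: the option parser calls Output the moment it
#            sees -o, before any scan has produced files.
# Returns:   1 with a message on stderr when $dir is empty; otherwise mv's
#            status (non-zero when any listed file was absent, as before)
#######################################
Output() {
  if [[ -z "$dir" ]]; then
    printf 'Output: result directory is empty (use -o DIR)\n' >&2
    return 1
  fi
  mkdir -p -- "$dir"
  mv -- active.txt passive.txt active_passive.txt permute.txt sub.txt sub.httpx "$dir" 2>/dev/null
}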
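#######################################
# Probes the hosts in sub.txt with httpx: a plain run written to sub.httpx,
# then runs with -csp-probe and -tls-probe whose in-scope lines anew merges
# into the same file.
# Globals:   domain (read)
# Arguments: none
# Outputs:   progress line on stdout; writes/extends sub.httpx
# Returns:   status of the last pipeline; aborts the script if $domain is empty
#######################################
Htpx() {
  : "${domain:?Htpx: domain is not set (use -d)}"
  echo "[=] Running HTTPx"
  httpx -l sub.txt -silent -o sub.httpx &>/dev/null
  # Results of the probe variants are scope-filtered before being merged.
  httpx -l sub.txt -csp-probe -silent | grep -F -- ".$domain" | anew sub.httpx &>/dev/null
  httpx -l sub.txt -tls-probe -silent | grep -F -- ".$domain" | anew sub.httpx &>/dev/null
}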
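#######################################
# Line count of a file, or 0 when it does not exist (the old `cat | wc -l`
# printed a cat error to stderr in that case).
# Arguments: $1 - path
# Outputs:   the count on stdout; $(( )) trims wc's padding on BSD/macOS
#######################################
_count_lines() {
  if [[ -f "$1" ]]; then
    echo $(( $(wc -l < "$1") ))
  else
    echo 0
  fi
}

#######################################
# Prints the run summary: subdomain count, probed-host count and elapsed time.
# Globals:   SECONDS (read; bash's seconds-since-start counter)
# Arguments: none
# Outputs:   two blank lines followed by three "[#] ..." lines on stdout
# Returns:   status of the last echo
#######################################
sefresult() {
  printf '\n\n'
  echo "[#] Total Subdomain Found $(_count_lines sub.txt)"
  echo "[#] Total HTTP Probed Found $(_count_lines sub.httpx)"
  echo "[#] Script completed in total $(format_time "$SECONDS")"
}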
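#######################################
# Quick (passive-only) pipeline for one domain, results in ./<domain>/.
# Sets the globals domain and dir that the stage functions read.
# Arguments: $1 - domain to scan
#######################################
_scan_quick() {
  domain=$1
  dir=$1
  printf '\n Scanning %s Right Now\n' "$domain"
  Passive
  SubFinal
  Htpx
  sefresult
  Output
  printf '\n Scanning %s done\n' "$domain"
}

#######################################
# Full pipeline (passive, active, merge, permute) for one domain, results in
# ./<domain>/. Sets the globals domain and dir that the stage functions read.
# Arguments: $1 - domain to scan
#######################################
_scan_all() {
  domain=$1
  dir=$1
  printf '\n Scanning %s Right Now\n' "$domain"
  Passive
  Active
  ActPsv
  Permute
  SubFinal
  Htpx
  sefresult
  Output
  printf '\n Scanning %s done\n' "$domain"
}

#######################################
# Applies a per-domain scan function to every non-empty line of a list file.
# Arguments: $1 - scan function name (_scan_quick or _scan_all)
#            $2 - path to the list, one domain per line
# Returns:   1 with a message on stderr when the list cannot be read
#######################################
_scan_list() {
  local scan_fn=$1 list=$2 site
  if [[ ! -r "$list" ]]; then
    printf 'Cannot read domain list: %s\n' "$list" >&2
    return 1
  fi
  # Line-by-line read instead of `for site in $(cat ...)`, which word-split and
  # glob-expanded the file contents. Trailing CRs and blank lines are dropped;
  # the `|| [[ -n ]]` keeps a last line that lacks a newline.
  while IFS= read -r site || [[ -n "$site" ]]; do
    site=${site%$'\r'}
    [[ -n "$site" ]] || continue
    "$scan_fn" "$site"
  done < "$list"
}

#######################################
# Prints command-line help to stdout and exits with status 2.
#######################################
usage() {
  cat <<EOF
Usage: 
 $0 -d To Specify Domain.
 $0 -w To Specify wordlist to use else (Default).
 $0 -r To Specify resolver to use else (Default).
 $0 -o To Store all the result in specific folder (give it after --all/--quick).
 $0 --dLq To quick passive scan Domain-list.
 $0 --dLa To full scan Domain-list.
 $0 --ac To Specify Amass-config file.
 $0 --quick To quicky perform passive scan of domain.
 $0 --all To fully scan using all functionality.
 
Example Usage: 
 
 Single Domain Scanning
 \$ bash sef -d target.com -w wordlist.txt -r resolvers.txt --ac amass_config.ini --all -o target.com
 
 Domain-List Scanning
 \$ bash sef -w wordlist.txt -r resolvers.txt --ac amass_config.ini --dLa domain_list.txt
EOF
  exit 2
}

# Option parsing. Options act immediately, in command-line order: -d/-w/-r/--ac
# only set variables, --quick/--all/--dLq/--dLa run a pipeline on the spot, and
# -o runs Output right away (so it must follow the pipeline option). The
# leading ":" silences getopts' own diagnostics; errors are reported below.
optspec=":hd:w:r:o:-:"
while getopts "$optspec" optchar; do
  case "$optchar" in
    -)
      # getopts only knows single letters; "-:" makes it hand the text after
      # "--" over in OPTARG. Long options with a value take the next argument
      # themselves and advance OPTIND past it.
      case "$OPTARG" in
        dLq)
          domain_list=${!OPTIND}; OPTIND=$(( OPTIND + 1 ))
          _scan_list _scan_quick "$domain_list"
          ;;
        dLa)
          domain_list=${!OPTIND}; OPTIND=$(( OPTIND + 1 ))
          _scan_list _scan_all "$domain_list"
          ;;
        ac)
          amass_config=${!OPTIND}; OPTIND=$(( OPTIND + 1 ))
          ;;
        quick)
          Passive
          SubFinal
          Htpx
          sefresult
          ;;
        all)
          Passive
          Active
          ActPsv
          Permute
          SubFinal
          Htpx
          sefresult
          ;;
        *)
          printf 'Unknown option --%s\n' "$OPTARG" >&2
          ;;
      esac
      ;;
    h)
      usage
      ;;
    d)
      domain=$OPTARG
      ;;
    w)
      list_wordlist=$OPTARG
      ;;
    r)
      list_resolver=$OPTARG
      ;;
    o)
      dir=$OPTARG
      Output
      ;;
    :)
      # Previously swallowed: a value-taking option given without its value.
      printf 'Option -%s requires an argument\n' "$OPTARG" >&2
      ;;
    *)
      # Previously swallowed too, because the undefined $optspec made the
      # guard around this message always false.
      printf "Non-option argument: '-%s'\n" "$OPTARG" >&2
      ;;
  esac
done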