-
Notifications
You must be signed in to change notification settings - Fork 26
/
sef
executable file
·180 lines (163 loc) · 6.89 KB
/
sef
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
#!/bin/bash
## Banner
function banner() {
echo ""
echo ""
echo " ░██████╗███████╗███████╗"
echo " ██╔════╝██╔════╝██╔════╝"
echo " ╚█████╗░█████╗░░█████╗░░"
echo " ░╚═══██╗██╔══╝░░██╔══╝░░"
echo " ██████╔╝███████╗██║░░░░░"
echo " ╚═════╝░╚══════╝╚═╝░░░░░"
echo ""
echo " @remonsec @KathanP19"
echo "Subdomain Enumeration Framework"
}
banner
## Variables
list_resolver=resolvers.txt
list_wordlist=2m-subdomains.txt
amass_config=~/.config/amass/config.ini
## Function
function format_time() {
((h=${1}/3600))
((m=(${1}%3600)/60))
((s=${1}%60))
printf "%02d:%02d:%02d\n" $h $m $s
}
function Tool_Check(){
echo ""
echo ""
type -P subfinder &>/dev/null && echo "[*] Subfinder YES ]" || { echo "[*] Subfinder NO ]"; }
type -P assetfinder &>/dev/null && echo "[*] Assetfinder YES ]" || { echo "[*] Assetfinder NO ]"; }
type -P findomain &>/dev/null && echo "[*] Findomain YES ]" || { echo "[*] Findomain NO ]"; }
type -P amass &>/dev/null && echo "[*] Amass YES ]" || { echo "[*] Amass NO ]"; }
type -P shuffledns &>/dev/null && echo "[*] ShuffleDns YES ]" || { echo "[*] ShuffleDns NO ]"; }
type -P massdns &>/dev/null && echo "[*] Massdns YES ]" || { echo "[*] Massdns NO ]"; }
type -P dnsgen &>/dev/null && echo "[*] DnsGen YES ]" || { echo "[*] DnsGen NO ]"; }
type -P anew &>/dev/null && echo "[*] Anew YES ]" || { echo "[*] Anew NO ]"; }
type -P httpx &>/dev/null && echo "[*] Httpx YES ]" || { echo "[*] Httpx NO ]"; }
echo ""
echo ""
}
Tool_Check
function Passive() {
echo "[=] Running Passive Enumeration"
subfinder -d $domain -o subfinder.txt &>/dev/null
assetfinder --subs-only $domain | sort -u > assetfinder.txt &>/dev/null
amass enum -passive -norecursive -noalts -d $domain -config $amass_config -o amass.txt &>/dev/null
findomain -t $domain -u findomain.txt &>/dev/null
cat subfinder.txt assetfinder.txt amass.txt findomain.txt | grep -F ".$domain" | sort -u > passive.txt
rm subfinder.txt assetfinder.txt amass.txt findomain.txt
}
function Active() {
echo "[=] Running Active Enumeration"
shuffledns -d $domain -w $list_wordlist -r $list_resolver -o active_tmp.txt &>/dev/null
cat active_tmp.txt | grep -F ".$domain" | sed "s/*.//" > active.txt
rm active_tmp.txt
}
function ActPsv() {
echo "[=] Collecting Active & Passive Enum Result"
cat active.txt passive.txt | grep -F ".$domain" | sort -u | shuffledns -d $domain -r $list_resolver -o active_passive.txt &>/dev/null
rm active.txt passive.txt
}
function Permute() {
if [[ $(cat active_passive.txt | wc -l) -le 50 ]]
then
echo "[=] Running Dual Permute Enumeration"
dnsgen active_passive.txt | shuffledns -d $domain -r $list_resolver -o permute1_tmp.txt &>/dev/null
cat permute1_tmp.txt | grep -F ".$domain" > permute1.txt
dnsgen permute1.txt | shuffledns -d $domain -r $list_resolver -o permute2_tmp.txt &>/dev/null
cat permute2_tmp.txt | grep -F ".$domain" > permute2.txt
cat permute1.txt permute2.txt | grep -F ".$domain" | sort -u > permute.txt
rm permute1.txt permute1_tmp.txt permute2.txt permute2_tmp.txt
elif [[ $(cat active_passive.txt | wc -l) -le 100 ]]
then
echo "[=] Running Single Permute Enumeration"
dnsgen active_passive.txt | shuffledns -d $domain -r $list_resolver -o permute_tmp.txt &>/dev/null
cat permute_tmp.txt | grep -F ".$domain" > permute.txt
rm permute_tmp.txt
else
echo "[=] No Permutation"
fi
}
function SubFinal() {
echo "[=] Collecting Enumerated Final Result"
cat active.txt passive.txt active_passive.txt permute.txt 2>/dev/null | grep -F ".$domain" | sort -u > sub.txt
}
function Output() {
mkdir -p $dir
mv active.txt passive.txt active_passive.txt permute.txt sub.txt sub.httpx $dir 2>/dev/null
}
function Htpx() {
echo "[=] Running HTTPx"
httpx -l sub.txt -silent -o sub.httpx &>/dev/null
httpx -l sub.txt -csp-probe -silent | grep -F ".$domain" | anew sub.httpx &>/dev/null
httpx -l sub.txt -tls-probe -silent | grep -F ".$domain" | anew sub.httpx &>/dev/null
}
function sefresult() {
echo ""
echo ""
echo "[#] Total Subdomain Found $(cat sub.txt | wc -l)"
echo "[#] Total HTTP Probed Found $(cat sub.httpx | wc -l)"
echo "[#] Script completed in total $(format_time $SECONDS)"
}
while getopts ":hd:w:r:o:-:" optchar;do
case "${optchar}" in
-)
case "${OPTARG}" in
dL)
domain_list="${!OPTIND}"; OPTIND=$(( $OPTIND + 1))
;;
ac)
amass_config="${!OPTIND}"; OPTIND=$(( $OPTIND + 1))
;;
quick)
Passive;
SubFinal;
Htpx;
sefresult;
;;
all)
Passive;
Active;
ActPsv;
Permute;
SubFinal;
Htpx;
sefresult;
;;
*)
if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
echo "Unknown option --${OPTARG}" >&2
fi
;;
esac;;
h)
echo "Usage: "
echo " $0 -d To Specify Domain."
echo " $0 -w To Specify wordlist to use else (Default)."
echo " $0 -r To Specify resolver to use else (Default)."
echo " $0 -o To Store all the result in specific folder."
echo " $0 --dL To Import Domain-list."
echo " $0 --ac To Specify Amass-config file."
echo " $0 --quick To quicky perform passive scan of domain."
echo " $0 --all To fully scan using all functionality."
exit 2
;;
d) domain=$OPTARG
;;
w) list_wordlist=$OPTARG
;;
r) list_resolver=$OPTARG
;;
o) dir=$OPTARG
Output
;;
*)
if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
echo "Non-option argument: '-${OPTARG}'";
fi
;;
esac
done