This project of mine is under development and may be buggy; I wrote it to fulfil my own specific needs. You are welcome to use the script for your hunting, but I cannot guarantee that I will assist you with any issues you may face.
I wrote this script because I wanted a script that does three things (the first point is the main one):
- Can easily be run repeatedly on different targets
- Will report back to me on Discord
- Is easy to debug
So the script runs the chosen tasks, logs the output, and notifies me of new reports by sending a message to my Discord server.
Main features:
- Stores all recon information in a single json configuration file
- Reports results to Discord
- Checks for an internet connection before running each task, and waits until the connection is available
- Organizes reports according to their category
- Logs tool output to ease debugging
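The "wait for connectivity, then log the task" behaviour described in the feature list, as an added example in bash (this is not MisconceivedRecon's own code). `NET_CHECK_CMD`, `NET_CHECK_INTERVAL`, `NET_CHECK_MAX_TRIES`, `LOG_DIR` and the function names are assumptions made for this example:

```bash
#!/usr/bin/env bash
# Added example, not MisconceivedRecon's own code: block a recon task until the
# network is reachable instead of letting a tool fail mid-run, then log the
# task's output to its own file. NET_CHECK_CMD, NET_CHECK_INTERVAL,
# NET_CHECK_MAX_TRIES, LOG_DIR and the function names are assumptions made here.
set -u

# Default probe: resolve a public name through the system resolver. The probe
# deliberately touches nothing in scope, so a "connectivity check" never shows
# up in the target's logs. Override by setting NET_CHECK_CMD before sourcing.
: "${NET_CHECK_CMD:=getent hosts one.one.one.one}"
: "${NET_CHECK_INTERVAL:=10}"   # seconds to sleep between probes
: "${NET_CHECK_MAX_TRIES:=0}"   # 0 = wait forever; N = give up after N failed probes

# wait_for_internet: 0 once the probe succeeds, 1 when the retry budget is spent.
# The probe runs through "sh -c" so NET_CHECK_CMD may carry arguments or pipes.
wait_for_internet() {
    local tries=0
    while ! sh -c "$NET_CHECK_CMD" >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$NET_CHECK_MAX_TRIES" -gt 0 ] && [ "$tries" -ge "$NET_CHECK_MAX_TRIES" ]; then
            echo "[!] no connectivity after $tries probes, giving up" >&2
            return 1
        fi
        echo "[*] no connectivity (probe $tries), retrying in ${NET_CHECK_INTERVAL}s" >&2
        sleep "$NET_CHECK_INTERVAL"
    done
    return 0
}

# run_task_online NAME CMD [ARGS...]: wait for the network, run the task with
# stdout+stderr appended to LOG_DIR/NAME.log (mirrors the recon_path/logs
# directory), and return the task's own exit status so the caller can react.
run_task_online() {
    local name="$1" log status; shift
    log="${LOG_DIR:-./logs}/${name}.log"
    mkdir -p "${LOG_DIR:-./logs}"
    wait_for_internet || return 1
    echo "[*] $(date -u +%FT%TZ) starting $name: $*" >>"$log"
    if "$@" >>"$log" 2>&1; then
        status=0
    else
        status=$?
    fi
    echo "[*] $(date -u +%FT%TZ) $name exited with status $status" >>"$log"
    return "$status"
}
```

Source the file and call e.g. `run_task_online subdomain subfinder -d example.com -silent`; the task's exit status is passed through, so a wrapper can decide whether to continue the sequence or report a failure. The probe is kept separate from the task so that a dead network is reported as such rather than as a tool error buried in a log.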
```
   __  ___ ___
  /  |/  // _ \   MisconceivedRecon
 / /|_/ // , _/   Mr. Misconception
/_/  /_//_/|_|

Usage: ./misconceived_recon.sh MODE [OPTIONS]
Version: 2.10

Modes:
    help        => Print this help message
    init        => Initiate configuration for recon on target
    config      => Modify configuration of specific target
    recon       => Run recon based on configuration file
    report      => Show reports and subreports of enumeration tasks

Functions:
    depend      => Check for dependencies and install them
    subdomain   => Subdomain Recon
    screenshot  => Screenshots of Subdomains
    fingerprint => Fingerprint/Service Scan
    deep        => Deep Domain Recon
    leaks       => Scan GitHub/GitLab repos for leaks
    gdork       => Generate GitHub Dorking Links

Pass -h or -help with each mode/function for more information

All these programs are expected to be in $PATH and will be called as named in this list:
    anew
    bat
    crt.sh
    discord.sh
    dnsreaper
    feroxbuster
    github-subdomains (requires GitHub Access Token)
    gitrob (requires GitHub/GitLab Access Token)
    goaltdns
    puredns
    gowitness
    httpx
    nmap
    nuclei & nuclei-templates
    jsleak
    shodan (requires API key)
    subdomainizer
    subfinder
    trufflehog (requires GitHub/GitLab Access Token)
    waybackurls
    whois
    xclip
```
```
Usage: ./misconceived_recon.sh init [OPTIONS]

Flags:
    -t   -target <domain>
         Mandatory: Target domain
    -ght -github-token <token>
         Mandatory: GitHub Access Token
    -u   -user-agent-addition <string>
         Add string to user-agent as per program's requirement
    -sr  -scope-regex <regex>
         Regex to filter for in-scope domains
    -ps  -provided-subdomains <file>
         File of subdomains provided by BB program
    -b   -brute-wordlists <file[,file,...]>
         Wordlist(s) for subdomain brute-forcing
    -ghr -github-recon <url[,url,...]>
         GitHub Repos to enumerate
    -glt -gitlab-token <token>
         GitLab Token
    -glr -gitlab-recon <url[,url,...]>
         GitLab Repos to enumerate
    -p   -path <path>
         Path to recon report directory
    -ct  -custom-tasks <task[,task,...]>
         Custom task sequence
    -d   -deep-domains <domain> <wordlist> [fuzz flags]
         Domains to perform deep recon on
    -mu  -monitored-urls <url>
         Url to monitor for changes (Can be called multiple times)
    -ws  -subdomain-webhook <url>
         Subdomain Webhook
    -wc  -screenshots-webhook <url>
         Screenshots Webhook
    -wf  -fingerprint-webhook <url>
         Fingerprint/Services Webhook
    -wd  -deep-domain-webhook <url>
         Deep Domain Webhook
    -wl  -leaks-webhook <url>
         Leaks Webhook
    -wg  -logs-webhook <url>
         Logs Webhook
    -h   -help
         Standalone: Print this help message

(Must provide all webhooks together, or none at all)

Available Recon Tasks:
    subdomain
    screenshot
    fingerprint
    deep_domains
    leaks
```
The init function creates a configuration file and a report folder for a specified target. It requires two arguments:
- `-t -target <domain>` - The target domain (must be the base domain, not a subdomain nor a URL, e.g. hackerone.com)
- `-ght -github-token <token>` - A GitHub Access Token
The other, optional, arguments are:
- `-u -user-agent-addition <string>` - String to add to the user-agent as per the BB program's request
- `-sr -scope-regex <regex>` - Regex to filter for in-scope domains
- `-ps -provided-subdomains <file>` - File of subdomains provided by the BB program
- `-b -brute-wordlists <file[,file,...]>` - Wordlist(s) for subdomain brute-forcing, comma separated
- `-ghr -github-recon <url[,url,...]>` - GitHub repos to enumerate, comma separated
- `-glt -gitlab-token <token>` - GitLab Access Token
- `-glr -gitlab-recon <url[,url,...]>` - GitLab repos to enumerate, comma separated (requires a GitLab Access Token)
- `-p -path <path>` - Path to the recon reports parent directory (default is `.`)
- `-ct -custom-tasks <task[,task,...]>` - Custom task sequence
- `-d -deep-domains <domain> <wordlist> [fuzz flags]` - Domains to perform deep recon on
- `-mu -monitored-urls <url>` - URL to monitor for changes (can be given multiple times)
- `-ws -subdomain-webhook <url>` - Subdomain Discord channel webhook
- `-wc -screenshots-webhook <url>` - Screenshots Discord channel webhook
- `-wf -fingerprint-webhook <url>` - Fingerprint/Services Discord channel webhook
- `-wd -deep-domain-webhook <url>` - Deep Domain Discord channel webhook
- `-wl -leaks-webhook <url>` - Leaks Discord channel webhook
- `-wg -logs-webhook <url>` - Logs Discord channel webhook
- `-h -help` - Print the help message
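What the `-sr -scope-regex` filter has to get right, as an added example in bash (not the project's own code): the function names and the sample hostnames below are constructed for this example, and the point it makes is that the regex must be anchored, because a plain substring such as `example.com` also keeps look-alike hosts you are not authorised to touch.

```bash
#!/usr/bin/env bash
# Added example, not part of MisconceivedRecon: apply a -sr/-scope-regex style
# filter to a subdomain list and show why the regex must be anchored. The
# function names and the sample hostnames are constructed for this example.

# filter_in_scope REGEX < hosts: keep hostnames matching REGEX (grep -E), after
# lower-casing and stripping a trailing dot so "API.Example.com." is not missed.
filter_in_scope() {
    local regex="$1"
    tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | grep -E -- "$regex" || true
}

# in_scope_count REGEX HOSTFILE: number of hosts the regex lets through.
in_scope_count() {
    filter_in_scope "$1" <"$2" | wc -l | tr -d ' '
}

# Constructed sample: three in-scope hosts, three look-alikes that a naive
# substring regex would wrongly keep (and that you must not scan).
sample_hosts() {
    cat <<'EOF'
www.example.com
API.Example.com.
dev.example.com
example.com.evil.net
notexample.com
example.community
EOF
}

SLOPPY='example.com'            # unanchored, "." matches anything: keeps all six
ANCHORED='(^|\.)example\.com$'  # apex or a real subdomain only: keeps three

demo() {
    local f
    f=$(mktemp)
    sample_hosts >"$f"
    echo "sloppy regex keeps:   $(in_scope_count "$SLOPPY" "$f")"
    echo "anchored regex keeps: $(in_scope_count "$ANCHORED" "$f")"
    rm -f "$f"
}
```

Run `demo` after sourcing the file. The same anchored form is what you want to store in `scope_regex` in the config: it admits `example.com` itself and anything ending in `.example.com`, and nothing else.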
```
Usage: ./misconceived_recon.sh config [OPTIONS]

Flags:
    -c   -config-file <file>
         Mandatory: Configuration file for target
    -t   -target <domain>
         Change target domain
    -u   -user-agent-addition <string>
         Change the string added to the user-agent required by the program
    -ps  -provided-subdomains <file>
         Change file of subdomains provided by BB program
    -sr  -scope-regex <regex>
         Regex to filter for in-scope domains
    -b   -brute-wordlists <file[,file,...]>
         Add wordlist(s) for subdomain brute-forcing
    -ght -github-token <token>
         Change GitHub Token
    -ghr -github-recon <url[,url,...]>
         Add GitHub Repos to enumerate
    -glt -gitlab-token <token>
         Change GitLab Token
    -glr -gitlab-recon <url[,url,...]>
         Add GitLab Repos to enumerate
    -a   -attack-method <task[,task,...]>
         Change task sequence
    -d   -deep-domains <domain> <wordlist> [fuzz flags]
         Add domains for deep recon
    -mu  -monitored-urls <url>
         Add url to monitor for changes (Can be called multiple times)
    -ws  -subdomain-webhook <url>
         Change Subdomain Webhook
    -wc  -screenshots-webhook <url>
         Change Screenshots Webhook
    -wf  -fingerprint-webhook <url>
         Change Fingerprint/Service Webhook
    -wd  -deep-domain-webhook <url>
         Change Deep Domain Webhook
    -wl  -leaks-webhook <url>
         Change Leaks Webhook
    -wg  -logs-webhook <url>
         Change Logs Webhook
    -m   -manual [editor]
         Standalone: Edit the config file manually (default editor 'nano')
    -h   -help
         Standalone: Print this help message

Available Recon Tasks:
    subdomain
    screenshot
    fingerprint
    deep_domains
    leaks
```
The config function modifies a specified configuration file.
Without optional arguments, the configuration file is printed to the terminal.
After a change is made, the updated config file is printed to the terminal.
It requires one argument:
- `-c -config-file <file>` - The path to a configuration file
The other, optional, arguments:
- `-t -target <domain>` - Change the target domain
- `-b -brute-wordlists <file[,file,...]>` - Add wordlist(s) for subdomain brute-forcing, comma separated
- `-u -user-agent-addition <string>` - Change the string that is added to the user-agent as per the BB program's request
- `-ps -provided-subdomains <file>` - Change the file of subdomains provided by the BB program
- `-sr -scope-regex <regex>` - Change the regex used to filter for in-scope domains
- `-ght -github-token <token>` - Change the GitHub Access Token
- `-ghr -github-recon <url[,url,...]>` - Add GitHub repos to enumerate
- `-glt -gitlab-token <token>` - Change the GitLab Access Token
- `-glr -gitlab-recon <url[,url,...]>` - Add GitLab repos to enumerate
- `-a -attack-method <task[,task,...]>` - Change the task sequence
- `-d -deep-domains <domain> <wordlist> [fuzz flags]` - Add domains for deep recon
- `-mu -monitored-urls <url>` - Add a URL to monitor for changes (can be given multiple times)
- `-ws -subdomain-webhook <url>` - Change the Subdomain Discord channel webhook
- `-wc -screenshots-webhook <url>` - Change the Screenshots Discord channel webhook
- `-wf -fingerprint-webhook <url>` - Change the Fingerprint/Service Discord channel webhook
- `-wd -deep-domain-webhook <url>` - Change the Deep Domain Discord channel webhook
- `-wl -leaks-webhook <url>` - Change the Leaks Discord channel webhook
- `-wg -logs-webhook <url>` - Change the Logs Discord channel webhook
- `-m -manual [editor]` - Standalone: Edit the config file manually (default editor is nano)
- `-h -help` - Standalone: Print the help message
Example reports directory tree for target example.com:
```
./example_recon
├── deep_domains
├── example_config.json
├── fingerprint
├── leaks
│   ├── github
│   └── gitlab
├── logs
├── screenshots
└── subdomains
```
The configuration file is JSON and is stored in the root of the target's recon reports directory.
It holds the GitHub/GitLab access tokens and the Discord webhook URLs in plaintext, so keep it readable only by your own user (e.g. `chmod 600 example_config.json`) and out of any shared or version-controlled location.
An example config file is:
```json
{
    "config": {
        "target": "example.com",
        "scope_regex": "regex",
        "recon_path": "/tmp/example_recon",
        "subdomain_brute_wordlist": [
            "/usr/share/seclists/Discovery/DNS/namelist.txt"
        ],
        "deep_domains": [
            {
                "domain": "example.com",
                "wordlist": "/usr/share/seclists/Discovery/Web-Content/big.txt"
            }
        ],
        "git": {
            "token": {
                "github": "github_token",
                "gitlab": "gitlab_token"
            },
            "github_recon": [
                "https://github.com/user/repo"
            ],
            "gitlab_recon": [
                "https://gitlab.com/user/repo"
            ]
        },
        "attack_method": [
            "subdomain",
            "screenshot",
            "fingerprint",
            "deep_domains",
            "leaks"
        ],
        "webhooks": {
            "subdomain": "https://discord.com/api/webhooks/...",
            "screenshot": "https://discord.com/api/webhooks/...",
            "fingerprint": "https://discord.com/api/webhooks/...",
            "deep_domain": "https://discord.com/api/webhooks/...",
            "leaks": "https://discord.com/api/webhooks/...",
            "logs": "https://discord.com/api/webhooks/..."
        }
    }
}
```
```
Usage: ./misconceived_recon.sh recon|subdomain|screenshot|fingerprint|deep|leaks|gdork [OPTIONS]

Flags:
    -c -config-file file
       Mandatory: Configuration file for target
```
The recon function takes one argument (`-c -config-file`).
It performs the tasks, in order, as specified in the configuration file under `attack_method`:
```json
"attack_method": [
    "subdomain",
    "screenshot",
    "fingerprint",
    "deep_domains",
    "leaks"
]
```
```
Usage: ./misconceived_recon.sh report [OPTIONS]

Flags:
    -c -config-file <file>
       Mandatory: Configuration file for target
    -r -report <report>
       Specify report
    -s -sub-report <sub-report>
       Specify sub-report
```
The report function scans the directories for available reports and outputs the selected ones.
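How an `attack_method` sequence like the one above can be driven, with one log per task under the report directory and one Discord message per task, as an added example in bash that is not MisconceivedRecon's own code. The task bodies are stubs, and `RECON_PATH`, `TARGET`, `DRY_RUN`, the `WEBHOOK_*` variables and the function names are assumptions made for this example; the two things worth copying are that the whole sequence is validated before anything runs, and that tool output is JSON-escaped before it goes into the webhook payload.

```bash
#!/usr/bin/env bash
# Added example, not MisconceivedRecon's own code: run an attack_method-style task
# sequence, capture every task in logs/<task>.log under the report directory and
# post one Discord message per task to the matching webhook. The task bodies are
# stubs; RECON_PATH, TARGET, DRY_RUN, the WEBHOOK_* variables and all function
# names are assumptions made for this example.
set -u

KNOWN_TASKS="subdomain screenshot fingerprint deep_domains leaks"

# Stub tasks: a real run would call subfinder, gowitness, nmap, feroxbuster, ...
task_subdomain()    { echo "subdomain enumeration done"; }
task_screenshot()   { echo "screenshots done"; }
task_fingerprint()  { echo "fingerprint done"; }
task_deep_domains() { echo "deep domain recon done"; }
task_leaks()        { echo "leak scan done"; }

# json_escape STRING: escape backslash, quote, tab, CR and newline so raw tool
# output can be embedded in a JSON string without breaking (or injecting into)
# the webhook payload. Backslashes are doubled first so later escapes survive.
json_escape() {
    printf '%s' "$1" | awk '
        NR > 1 { printf "\\n" }
        { gsub(/\\/, "&&"); gsub(/"/, "\\\\\""); gsub(/\t/, "\\\\t"); gsub(/\r/, "\\\\r"); printf "%s", $0 }'
}

# discord_payload MESSAGE: Discord caps "content" at 2000 characters, so the raw
# message is truncated before escaping (escaping can only grow it a little).
discord_payload() {
    printf '{"content":"%s"}' "$(json_escape "$(printf '%.1900s' "$1")")"
}

# discord_send WEBHOOK_URL MESSAGE: post the payload; with DRY_RUN=1 or an empty
# webhook just print it. The URL is a bearer secret, so it is never echoed.
discord_send() {
    local url="$1" payload
    payload=$(discord_payload "$2")
    if [ "${DRY_RUN:-0}" = 1 ] || [ -z "$url" ]; then
        echo "[dry-run] $payload"
        return 0
    fi
    curl -sS -f -o /dev/null -H 'Content-Type: application/json' -d "$payload" "$url"
}

is_known_task() {
    case " $KNOWN_TASKS " in *" $1 "*) return 0 ;; esac
    return 1
}

# validate_sequence "t1,t2,...": reject the whole sequence before any task runs
# if it names a task outside KNOWN_TASKS (the "Available Recon Tasks" set).
validate_sequence() {
    local IFS=',' t
    for t in $1; do
        is_known_task "$t" || { echo "unknown task: $t" >&2; return 1; }
    done
    return 0
}

# webhook_for TASK: the channel webhook configured for a task ("" if unset).
webhook_for() {
    case "$1" in
        subdomain)    printf '%s' "${WEBHOOK_SUBDOMAIN:-}" ;;
        screenshot)   printf '%s' "${WEBHOOK_SCREENSHOT:-}" ;;
        fingerprint)  printf '%s' "${WEBHOOK_FINGERPRINT:-}" ;;
        deep_domains) printf '%s' "${WEBHOOK_DEEP_DOMAIN:-}" ;;
        leaks)        printf '%s' "${WEBHOOK_LEAKS:-}" ;;
    esac
}

# run_sequence "t1,t2,...": run each task in order, logging to RECON_PATH/logs/<task>.log
# and reporting its result. A failing task does not stop the sequence; the return
# value is 0 only if every task succeeded (2 if the sequence itself was invalid).
run_sequence() {
    local seq="$1" t log status failed=0
    validate_sequence "$seq" || return 2
    mkdir -p "$RECON_PATH/logs"
    local IFS=','
    for t in $seq; do
        log="$RECON_PATH/logs/$t.log"
        if "task_$t" >>"$log" 2>&1; then
            status="ok"
        else
            status="FAILED (exit $?)"
            failed=$((failed + 1))
        fi
        discord_send "$(webhook_for "$t")" "[$TARGET] $t: $status (log: $log)"
    done
    [ "$failed" -eq 0 ]
}
```

Example use after sourcing: `RECON_PATH=/tmp/example_recon TARGET=example.com DRY_RUN=1 run_sequence subdomain,screenshot,leaks`. Set `DRY_RUN=0` and the `WEBHOOK_*` variables (from the config's `webhooks` object) to actually post; with `-f`, curl turns a rejected webhook (revoked URL, rate limit) into a non-zero status instead of silently swallowing it.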
```
Usage: ./misconceived_recon.sh recon|subdomain|screenshot|fingerprint|deep|leaks|gdork [OPTIONS]

Flags:
    -c -config-file file
       Mandatory: Configuration file for target
```
The subdomain function takes one argument (`-c -config-file`).
It performs subdomain enumeration. The following tools are executed, in this order:
- crt.sh
- subfinder
- github-subdomains.py
- puredns (brute-force)
- subdomainizer.py
- subfinder (recursive)
- goaltdns
- httpx (verifies that the subdomains are alive and provides a summary of them)
- dnsreaper
- nuclei -tags takeover
The screenshot function takes screenshots of all live subdomains using gowitness.
The fingerprint function produces the following reports:
- whois
- shodan
- nmap
The deep function (the `deep_domains` task) runs the following recon tasks:
- waybackurls
- feroxbuster
- jsleak
The leaks function looks for leaked credentials and sensitive files in the provided GitHub and GitLab repositories and users.
It runs the following tools:
- gitrob
- trufflehog
The gdork function generates GitHub dorking links, copies them to the clipboard, and stores them in `$recon_dir/github_dorking_links.txt`.
The depend function looks for and installs the required dependencies (on Debian systems) - still in development.
Planned changes:
- Replace `json` with `yaml`
- Update `gowitness` to utilize the new `--screenshot-format` to export images as JPEG to reduce image size
- Improve the logic of subdomain enumeration, and re-check the sources of each tool
- Add an option to add custom operations
- Add a `logs` function so one doesn't have to fiddle with the terribly named log files
- Add more `nuclei` vulnerability scans
- Add a local registry that contains the names of targets as well as their configuration files (maybe a `register` function)
- Add web technology fingerprinting to the `fingerprint` function (`httpx`)
- Use `httpx` for extracting IPs from domains
- Replace `httprobe` with `httpx`
- Change the way the dependencies are checked
- Add a pager option (output like `less`) to the `report` function