phoenix

#!/bin/bash

# Checar se tem
# unfurl, jq, psql instalado
# unfurl - https://github.com/tomnomnom/unfurl
# jq - apt install jq
# psql - apt install psql

function wayback() {
  curl -s "http://web.archive.org/cdx/search/cdx?url=*.$1/&output=txt&fl=original&collapse=urlkey" | grep -vi '.svg\|.png\|.img\|.ttf\|.eot\|.woff\|.ico\|.css\|.jpg\|.jpeg\|.pdf\|.doc' | unfurl domains | sort -u
}

function crt() {
  # Old version =). Now we will gona use psql connection without limit
  # curl -s "https://crt.sh/?q=$1&output=json" | jq -r '.[]["name_value"]' | sed 's#\*\.##g; s#www\.##g' | sort -u
  if [ ! -f querycrt ]; then
    wget https://raw.githubusercontent.com/bminossi/BashitRecon/master/querycrt &>/dev/null
  fi
  query=$(cat querycrt | sed "s#uber.com#$1#g" >tmpsql)
  psql -f tmpsql -h crt.sh -p 5432 -U guest certwatch | grep "$1" | cut -d "|" -f3 | tr -d " \|+" | sort -u
  rm tmpsql
}

function host2ip() {
  ip=$(dig +short $1)
}

function ip2org() {
  host2ip $1
  org=$(curl -s https://api.iptoasn.com/v1/as/ip/$ip | jq -r ".as_description")
}

function org2ranges() {
  ip2org $1
  curl -s http://asnlookup.com/api/lookup?org=$org | jq -r ".[]"
}

# Recon Grepeando os JS da pagina
#function spiderWaybackJs(){
#cat up | while read dominio;do
# echo -ne "\n[$dominio]\n"
# wayback=$(curl -sf http://archive.org/wayback/available?url=$dominio | jq -r ".archived_snapshots.closest.url")
# curl -sf $wayback | grep -Eo '(http|https)://[^/"].*js' | grep "$dominio" |sort -u
# done
#}

function gau() {
  availableApis=$(curl -sf http://index.commoncrawl.org/collinfo.json | jq -r '.[] | .["cdx-api"]')
  echo $availableApis | sed 's# #\n#g' | while read apiAvailable; do
    apiResult="$apiAvailable?url=*.$1"
    totalPages=$(curl -sf "$apiResult&showNumPages=true" | jq -r ".pages")
    for page in $(eval echo "{0..$totalPages}"); do
      result=$(curl -sf "$apiResult&output=json&fl=url&page=$page" | jq -r ".url")
      if [ -n "$result" ]; then
        echo $result | sed 's# #\n#g' | unfurl domains | sort -u
      fi
    done
  done
}

function abuseipdb() {
  curl -s "https://www.abuseipdb.com/whois/$1" | grep "<li>.*</li>" | grep -v "=" | sed 's/<[^>]*>//g' | sed "s/$/\.$1/g"
}

function sublist3r() {
  curl -s "https://api.sublist3r.com/search.php?domain=$1" | jq -r ".[]"
}

function threatcrowd() {
  curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=$1" | jq -r ".subdomains|.[]"
}

function hackertarget() {
  # You can replace f1 cut parameter to f2, and you will get all ips from api!
  curl -s "http://api.hackertarget.com/hostsearch/?q=$1" | sort -u | cut -d "," -f1
}

function dnsbufferover() {
  # You can replace f2 to f1 to get all ips too :)
  curl -s "http://dns.bufferover.run/dns?q=.$1" | jq -r ".FDNS_A|.[]" | cut -d "," -f2
}

function askengine() {
  # Run it separately. It's a search engine tool, so it will be almost eternal =)
  for page in {1..999}; do
    curl -i -s "https://www.ask.com/web?q=site:$1%20-www.$1&o=0&l=dir&qo=pagination&page=$page" |
      grep "PartialSearchResults.*$1" |
      sed 's/<[^>]*>//g' |
      unfurl domains
  done
}

function rapiddns() {
  # It could take a while ...
  curl -s "https://rapiddns.io/subdomain/$1?full=1" |
    grep "href.*$1" |
     sed 's/<[^>]*>//g'
}

#wayback $1
crt $1
abuseipdb $1
sublist3r $1
threatcrowd $1
hackertarget $1
dnsbufferover $1
#org2ranges $1

# Slow tools
rapiddns $1

# Eternal Tools. Trust me.
#gau $1
#askengine $1