This Bash script automates the reconnaissance phase for penetration testing and bug bounty hunting. It identifies subdomains, checks for alive domains, scans for potential vulnerabilities, and gathers useful data like wayback URLs, open ports, and JavaScript files. The script is optimized for efficiency and uses popular tools to streamline the reconnaissance process.
- Harvests subdomains using AssetFinder and Amass.
- Checks for alive domains with httprobe.
- Scans for potential subdomain takeovers using Subjack.
- Identifies open ports using Nmap.
- Scrapes Wayback Machine data for parameters and file extensions.
- Categorizes important files (e.g., .js, .json, .php) for further analysis.
- Generates screenshots of live domains with EyeWitness.
Ensure the following tools are installed and added to your PATH:
- Clone the repository or download the script.
- Ensure the script has execute permissions:
chmod +x recon_script.sh
Run the script with the target domain as an argument:
./recon_script.sh <target_domain>
For example:
./recon_script.sh google.com
<target_domain>/
└── recon/
    ├── eyewitness/
    ├── httprobe/
    │   └── alive.txt
    ├── potential_takeovers/
    │   └── potential_takeovers.txt
    ├── scans/
    │   └── scanned.txt
    ├── wayback/
    │   ├── wayback_output.txt
    │   ├── params/
    │   │   └── wayback_params.txt
    │   └── extensions/
    │       ├── js.txt
    │       ├── php.txt
    │       ├── json.txt
    │       ├── jsp.txt
    │       └── aspx.txt
    └── final.txt
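The wayback/ part of this layout (parameter names in params/, one file per extension in extensions/) is pure text processing over the URL list, so here is an added, self-contained example of that step. It is not code from recon_script.sh; the function names and the sample URL list are constructed for illustration, and it works on a text file of URLs without any network access.

```shell
#!/usr/bin/env bash
# Added example (not the script's own code): sort Wayback URLs into the
# recon/wayback/ layout described above. Input is a text file of URLs, one
# per line; nothing here touches the network. Function names are assumptions.
set -eu

# Constructed sample standing in for recon/wayback/wayback_output.txt.
SAMPLE_URLS='https://example.com/app.js
https://example.com/app.js?v=3&debug=1
https://example.com/data.json
https://example.com/legacy/login.jsp?user=a&redir=/home
https://example.com/index.php?id=7
https://example.com/report.aspx?page=2&id=7
https://example.com/css/site.css
https://example.com'
# Print the lowercase extension of the URL path (empty if there is none).
# Query string, fragment and host are stripped first, so "app.js?v=3"
# yields "js" and a bare host like "example.com" yields nothing.
url_ext() {
  path=${1%%\?*}; path=${path%%#*}; path=${path#*://}
  case $path in */*) seg=${path##*/} ;; *) seg='' ;; esac
  case $seg in
    *.*) printf '%s' "${seg##*.}" | tr '[:upper:]' '[:lower:]' ;;
    *)   printf '' ;;
  esac
}

# Print query parameter names (never values), deduplicated and sorted.
wayback_params() {
  printf '%s\n' "$1" | sed -n 's/^[^?]*?//p' | sed 's/#.*//' \
    | tr '&' '\n' | cut -d= -f1 | grep -v '^$' | sort -u
}

# Write extensions/<ext>.txt and params/wayback_params.txt under $2.
# Deciding on the parsed extension is what stops a naive ".js" match
# from also sweeping up .json and .jsp URLs.
categorise_by_ext() {
  urls=$1; outdir=$2
  mkdir -p "$outdir/extensions" "$outdir/params"
  for ext in js php json jsp aspx; do : > "$outdir/extensions/$ext.txt"; done
  printf '%s\n' "$urls" | while IFS= read -r url; do
    ext=$(url_ext "$url")
    case $ext in
      js|php|json|jsp|aspx) printf '%s\n' "$url" >> "$outdir/extensions/$ext.txt" ;;
    esac
  done
  wayback_params "$urls" > "$outdir/params/wayback_params.txt"
}
# Usage: categorise_by_ext "$SAMPLE_URLS" ./recon_demo
```

To run it against real output, replace SAMPLE_URLS with `$(cat recon/wayback/wayback_output.txt)` and point the second argument at recon/wayback.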
You can modify the script to include additional tools or steps:
- Add more file extensions for extraction.
- Integrate custom tools or APIs.
This script is intended for ethical hacking, penetration testing, and bug bounty purposes with proper authorization. Unauthorized usage against targets is illegal and unethical.
Feel free to submit issues, suggest features, or create pull requests to improve the script.