Updated to v1.3

LazyRecon.sh

@@ -1,14 +1,15 @@
 #!/bin/bash
 
-VERSION="1.2"
+VERSION="1.3"
 
 TARGET=$1
 
-WORKING_DIR=$(dirname "$0")
+WORKING_DIR=$(cd -P -- "$(dirname -- "$0")" && pwd -P)
 TOOLS_PATH="$WORKING_DIR/tools"
 WORDLIST_PATH="$WORKING_DIR/wordlists"
 RESULTS_PATH="$WORKING_DIR/results/$TARGET"
 SUB_PATH="$RESULTS_PATH/subdomain"
+CORS_PATH="$RESULTS_PATH/cors"
 IP_PATH="$RESULTS_PATH/ip"
 PSCAN_PATH="$RESULTS_PATH/portscan"
 SSHOT_PATH="$RESULTS_PATH/screenshot"
@@ -51,8 +52,9 @@ setupDir(){
     echo -e "${GREEN}--==[ Setting things up ]==--${RESET}"
     echo -e "${RED}\n[+] Creating results directories...${RESET}"
     rm -rf $RESULTS_PATH
-    mkdir -p $SUB_PATH $IP_PATH $PSCAN_PATH $SSHOT_PATH $DIR_PATH
+    mkdir -p $SUB_PATH $CORS_PATH $IP_PATH $PSCAN_PATH $SSHOT_PATH $DIR_PATH
     echo -e "${BLUE}[*] $SUB_PATH${RESET}"
+    echo -e "${BLUE}[*] $CORS_PATH${RESET}"
     echo -e "${BLUE}[*] $IP_PATH${RESET}"
     echo -e "${BLUE}[*] $PSCAN_PATH${RESET}"
     echo -e "${BLUE}[*] $SSHOT_PATH${RESET}"
@@ -62,7 +64,7 @@ setupDir(){
 
 enumSubs(){
     echo -e "${GREEN}\n--==[ Enumerating subdomains ]==--${RESET}"
-    runBanner "amass"
+    runBanner "Amass"
     ~/go/bin/amass -d $TARGET -o $SUB_PATH/amass.txt
 
     runBanner "subfinder"
@@ -81,10 +83,18 @@ enumSubs(){
 }
 
 
+corsScan(){
+    echo -e "${GREEN}\n--==[ Checking CORS configuration ]==--${RESET}"
+    runBanner "CORScanner"
+    python $TOOLS_PATH/CORScanner/cors_scan.py -v -t 50 -i $SUB_PATH/final-subdomains.txt | tee $CORS_PATH/final-cors.txt
+    echo -e "${BLUE}[*] Check the result at $CORS_PATH/final-cors.txt${RESET}"
+}
+
+
 enumIPs(){
     echo -e "${GREEN}\n--==[ Resolving IP addresses ]==--${RESET}"
     runBanner "massdns"
-    $TOOLS_PATH/massdns/bin/massdns -r $TOOLS_PATH/massdns/lists/resolvers.txt -t A -o S -w $IP_PATH/massdns.raw $SUB_PATH/final-subdomains.txt
+    $TOOLS_PATH/massdns/bin/massdns -r $TOOLS_PATH/massdns/lists/resolvers.txt -q -t A -o S -w $IP_PATH/massdns.raw $SUB_PATH/final-subdomains.txt
     cat $IP_PATH/massdns.raw | grep -e ' A ' |  cut -d 'A' -f 2 | tr -d ' ' > $IP_PATH/massdns.txt
     cat $IP_PATH/*.txt | sort -V | uniq > $IP_PATH/final-ips.txt
     echo -e "${BLUE}[*] Check the list of IP addresses at $IP_PATH/final-ips.txt${RESET}"
@@ -93,9 +103,8 @@ enumIPs(){
 
 portScan(){
     echo -e "${GREEN}\n--==[ Port-scanning targets ]==--${RESET}"
-    # Based on exp, the sweet spot for the rate is 10k. More than 10k causes masscan to miss some open ports
     runBanner "masscan"
-    sudo $TOOLS_PATH/masscan/bin/masscan -p 1-65535 --rate 10000 --wait 0 --open -iL $IP_PATH/final-ips.txt -oX $PSCAN_PATH/masscan.xml
+    sudo $TOOLS_PATH/masscan/bin/masscan -p 1-65535 --rate 1000 --wait 0 --open -iL $IP_PATH/final-ips.txt -oX $PSCAN_PATH/masscan.xml
     xsltproc -o $PSCAN_PATH/final-masscan.html $TOOLS_PATH/nmap-bootstrap.xsl $PSCAN_PATH/masscan.xml
     open_ports=$(cat $PSCAN_PATH/masscan.xml | grep portid | cut -d "\"" -f 10 | sort -n | uniq | paste -sd,)
     echo -e "${BLUE}[*] Masscan Done! View the HTML report at $PSCAN_PATH/final-masscan.html${RESET}"
@@ -110,30 +119,15 @@ portScan(){
 visualRecon(){
     echo -e "${GREEN}\n--==[ Taking screenshots ]==--${RESET}"
     runBanner "aquatone"
-    cat $SUB_PATH/final-subdomains.txt | ~/go/bin/aquatone -http-timeout 10000 -scan-timeout 300 -threads 10 -ports xlarge -out $SSHOT_PATH/aquatone/
+    cat $SUB_PATH/final-subdomains.txt | ~/go/bin/aquatone -http-timeout 10000 -scan-timeout 300 -ports xlarge -out $SSHOT_PATH/aquatone/
     echo -e "${BLUE}[*] Check the result at $SSHOT_PATH/aquatone/aquatone_report.html${RESET}"
 }
 
 
 bruteDir(){
     echo -e "${GREEN}\n--==[ Bruteforcing directories ]==--${RESET}"
-    runBanner "gobuster"
-    echo -e "${BLUE}[*]Creting output directory...${RESET}"
-    mkdir -p $DIR_PATH/gobuster
-    for url in $(cat $SSHOT_PATH/aquatone/aquatone_urls.txt); do
-        fqdn=$(echo $url | sed -e 's;https\?://;;' | sed -e 's;/.*$;;')
-        ~/go/bin/gobuster -t 100 -k -e -f -r -w $WORDLIST_PATH/dir_all.txt -u $url -o $DIR_PATH/gobuster/$fqdn.tmp
-        if [ ! -s $DIR_PATH/gobuster/$fqdn.tmp ]; then
-            rm $DIR_PATH/gobuster/$fqdn.tmp
-        else
-            cat $DIR_PATH/gobuster/$fqdn.tmp | sort -k 3 -n > $DIR_PATH/gobuster/$fqdn.txt
-            rm $DIR_PATH/gobuster/$fqdn.tmp
-        fi
-    done
-    echo -e "${BLUE}[*] Check the results at $DIR_PATH/gobuster/${RESET}"
-
     runBanner "dirsearch"
-    echo -e "${BLUE}[*]Creting output directory...${RESET}"
+    echo -e "${BLUE}[*]Creating output directory...${RESET}"
     mkdir -p $DIR_PATH/dirsearch
     for url in $(cat $SSHOT_PATH/aquatone/aquatone_urls.txt); do
         fqdn=$(echo $url | sed -e 's;https\?://;;' | sed -e 's;/.*$;;')
@@ -154,6 +148,7 @@ displayLogo
 checkArgs $TARGET
 setupDir
 enumSubs
+corsScan
 enumIPs
 portScan
 visualRecon

README.md

@@ -3,39 +3,44 @@
 [![license](https://img.shields.io/github/license/capt-meelo/LazyRecon.svg?style=flat)](https://github.com/capt-meelo/LazyRecon/blob/master/LICENSE)
 [![issues](https://img.shields.io/github/issues-raw/capt-meelo/LazyRecon.svg?style=flat)](https://github.com/capt-meelo/LazyRecon/issues?q=is:issue+is:open)
 
-LazyRecon is a wrapper of various scripts that automates the tedious process of reconnaissance of a target domain. 
+LazyRecon is a wrapper of various scripts that automates the tedious and redundant process of reconnaissance of a target domain. 
 
 LazyRecon utilizes the following tools:
 - Subdomain Enumeration:
   - [Amass](https://github.com/OWASP/Amass)
   - [Subfinder](https://github.com/subfinder/subfinder)
 - Subdomain Takeover:
-  - [subjack](https://github.com/haccer/subjack) 
+  - [subjack](https://github.com/haccer/subjack)
+- CORS Configuration:
+  - [CORScanner](https://github.com/chenjj/CORScanner) 
 - IP Discovery:
   - [Massdns](https://github.com/blechschmidt/massdns)
-- Port Scanner:
+- Port Scanning:
   - [Masscan](https://github.com/robertdavidgraham/masscan)
   - [Nmap](https://nmap.org/)
   - [Nmap Bootstrap Stylesheet](https://github.com/honze-net/nmap-bootstrap-xsl/)
 - Visual Recon:
   - [Aquatone](https://github.com/michenriksen/aquatone)
 - Content Discovery:
-  - [Gobuster](https://github.com/OJ/gobuster)
   - [Dirsearch](https://github.com/maurosoria/dirsearch)
 - Wordlists:
   - [JHaddix's all.txt](https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a)
-  - [JHaddix's content_discovery_all.txt](https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
   - [SecLists' raft-large-words.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-large-words.txt)
-
 
-Thanks to the developers of these tools!
 
 ## Workflow
 ![Flow](workflow.png)
 
 
 ## Installation
-:warning: **NOTE:** Before executing `install.sh`, modify the `subEnumTools()` function by placing your **Virustotal**, **Passivetotal**, **SecurityTrails**, **Censys**, **Riddler**, and **Shodan API keys**. This will give better results during the subdomain enumeration.
+First, run the following commands to install the latest version of **Go**.
+```
+git clone https://github.com/capt-meelo/LazyRecon.git
+cd LazyRecon
+source get-go.sh
+```
+
+Then, modify the `subEnumTools()` function of `install.sh` by placing your **Virustotal**, **Passivetotal**, **SecurityTrails**, **Censys**, **Riddler**, and **Shodan API keys**. This will give better results during the subdomain enumeration.
 ```
 ~/go/bin/subfinder --set-config VirustotalAPIKey=<INSERT-YOUR-API-KEY-HERE>
 ~/go/bin/subfinder --set-config PassivetotalUsername=<INSERT-YOUR-API-KEY-HERE>,PassivetotalKey=<INSERT-YOUR-API-KEY-HERE>
@@ -44,31 +49,48 @@ Thanks to the developers of these tools!
 ~/go/bin/subfinder --set-config CensysUsername=<INSERT-YOUR-API-KEY-HERE>,CensysSecret=<INSERT-YOUR-API-KEY-HERE>
 ~/go/bin/subfinder --set-config ShodanAPIKey=<INSERT-YOUR-API-KEY-HERE>
 ```
-To install, just do the following:
+Finally, run the following to install the required tools.
 ```
-git clone https://github.com/capt-meelo/LazyRecon.git
-cd LazyRecon
 chmod +x install.sh
 ./install.sh
 ```
 
+
 ## How to Use
-:warning: **NOTES:** 
-1. It's recommended to run this tool in a VPS, such as [DigitalOcean](https://www.digitalocean.com/?refcode=f7f86614e1b3), for better speed.
-2. Running this tool takes time, thus it's suggested to run it under a **screen** or **tmux** session.
 ```
 cd LazyRecon
 chmod +x LazyRecon.sh
 ./LazyRecon.sh <target_domain>
 ```
 
 
+## Notes
+- It's suggested to run this tool in a VPS, such as [DigitalOcean](https://www.digitalocean.com/?refcode=f7f86614e1b3), for better speed & accuracy.
+- Running this tool takes time, thus it's recommended to run it under a **screen** or **tmux** session.
+- The tool runs **masscan** with the option `--rate 1000` for more accurate results. Based on experiments, **masscan** misses some open ports when scanning large port ranges. Depending on your environment, you could do the following to have a good balance between speed and accuracy:
+  - Increase the rate, and/or reduce the number of ports. For example, use the options `--top-ports 1000` & `--rate 10000`.
+  - If you feel **masscan** and **nmap** are slow, you can run them in the background by changing the command `portScan` to `portScan > /dev/null 2>&1 &`.
+
+
+
+## Tested On
+:white_check_mark: Ubuntu 18.10 (64-bit)
+
+:white_check_mark: Debian 9.8 (64-bit)
+
+:white_check_mark: Kali 2019.1 (64-bit)
+
+
 ## Contribute
 
 If you have any problem or new idea, feel free to create an issue, or pull a request.
 
 
+## Credits
+
+All of the tools being used by LazyRecon are developed by others, so big thanks to them!
+
+
 ## Disclaimer
-All of the tools being used by LazyRecon are developed by others. I just put all the pieces together to automate the redundant jobs.
 
-This tool is written for educational purposes only. You are responsible for your own actions. If you mess something up or break any law while using this tool, it's your fault, and your fault only.
+This tool is written for educational purposes only. You are responsible for your own actions. If you mess something up or break any law while using this tool, it's your fault and your fault only.

get-go.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+RED="\033[1;31m"
+RESET="\033[0m"
+
+echo -e "${RED}[+] Installing the latest version of Go...${RESET}"
+LATEST_GO=$(wget -qO- https://golang.org/dl/ | grep -oP 'go([0-9\.]+)\.linux-amd64\.tar\.gz' | head -n 1 | grep -oP 'go[0-9\.]+' | grep -oP '[0-9\.]+' | head -c -2)
+wget https://dl.google.com/go/go$LATEST_GO.linux-amd64.tar.gz
+sudo tar -C /usr/local -xzf go$LATEST_GO.linux-amd64.tar.gz
+echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.profile
+source ~/.profile
+rm -rf go$LATEST_GO*