Recon Automation Tips - Bug Bounty

In this post, I will share a few tips for beginners to automate your recon process.


Requirement


How to Automate Simple Recon Process?

Whenever you see *.target.com on a program, you will run Amass or any other subdomain finding tool to get all subdomains of target.com. Then you will run httprobe tool on all subdomains to filter live subdomains. Then Directory Bruteforce tool on all live subdomains. Then you will use any web screenshot tool to get screenshots of all directories and subdomains. If you are using each tool manually, it would waste your time. This simple recon process looks like this:-

Amass -> httprobe -> Dirsearch/ffuf -> gowitness

So you can automate this process with a simple bash script.

amass enum -passive -norecursive -noalts -d "$1" -o "$1"/subs.txt

This command will run amass tool to find all subdomains and save it under target.com directory in subs.txt file

cat "$1"/subs.txt | ~/go/bin/httprobe > "$1"/status.txt

This command will fetch all subdomains and it will run httprobe on the list to filter live subdomains and save it in status.txt file

python3 autorecon/dirsearch/dirsearch.py -l "$1"/status.txt -e "*" -x 500,403,400,401,502,504,501,503,301,308,302,429 -o "$1"/dirs.txt --format=simple

This command will run dirsearch tool on live subdomains and return all directories on them in dirs.txt file.

gowitness file -f "$1"/status.txt -P "$1"/screenshots
gowitness file -f "$1"/dirs.txt -P "$1"/screenshots

This command will fetch us web screenshots on all URLs using gowitness tool on all live subdomains and all directories.

You can combine all commands in one bash script:-

amass enum -passive -norecursive -noalts -d "$1" -o "$1"/subs.txt
cat "$1"/subs.txt | ~/go/bin/httprobe > "$1"/status.txt
python3 autorecon/dirsearch/dirsearch.py -l "$1"/status.txt -e "*" -x 500,403,400,401,502,504,501,503,301,308,302,429 -o "$1"/dirs.txt --format=simple
gowitness file -f "$1"/status.txt -P "$1"/screenshots
gowitness file -f "$1"/dirs.txt -P "$1"/screenshots
 

These are just simple commands which you can write in your bash.sh script and it will run all tools automatically. $1 is used for taking inputs in command line. For running this script:-

#save bash script as autorecon.sh
chmod 777 autorecon.sh # for executable permission
./autorecon.sh target.com # It will run all tools on target.com 

You can use bash script or python to automate your recon methodology


Problems and Solutions of automation

Big targets might take a lot of time and you cannot run automation scripts 24/7.

Solution:- Using VPS for automation scripts will save time and you can run scripts 24/7. You can create a discord bot using python which will run on your VPS and runs all scripts in background.


If you want to try a recon bot on discord, you can join this discord server and text me



Like and share

1,859 views0 comments