In this post, I will share a few tips for beginners to automate your recon process.
Requirement
Python basics (Not required because you have google)
How to Automate Simple Recon Process?
Whenever you see *.target.com on a program, you will run Amass or any other subdomain finding tool to get all subdomains of target.com. Then you will run httprobe tool on all subdomains to filter live subdomains. Then Directory Bruteforce tool on all live subdomains. Then you will use any web screenshot tool to get screenshots of all directories and subdomains. If you are using each tool manually, it would waste your time. This simple recon process looks like this:-
Amass -> httprobe -> Dirsearch/ffuf -> gowitness
So you can automate this process with a simple bash script.
amass enum -passive -norecursive -noalts -d "$1" -o "$1"/subs.txtThis command will run amass tool to find all subdomains and save it under target.com directory in subs.txt file
cat "$1"/subs.txt | ~/go/bin/httprobe > "$1"/status.txtThis command will fetch all subdomains and it will run httprobe on the list to filter live subdomains and save it in status.txt file
python3 autorecon/dirsearch/dirsearch.py -l "$1"/status.txt -e "*" -x 500,403,400,401,502,504,501,503,301,308,302,429 -o "$1"/dirs.txt --format=simpleThis command will run dirsearch tool on live subdomains and return all directories on them in dirs.txt file.
gowitness file -f "$1"/status.txt -P "$1"/screenshots
gowitness file -f "$1"/dirs.txt -P "$1"/screenshotsThis command will fetch us web screenshots on all URLs using gowitness tool on all live subdomains and all directories.
You can combine all commands in one bash script:-
amass enum -passive -norecursive -noalts -d "$1" -o "$1"/subs.txt
cat "$1"/subs.txt | ~/go/bin/httprobe > "$1"/status.txt
python3 autorecon/dirsearch/dirsearch.py -l "$1"/status.txt -e "*" -x 500,403,400,401,502,504,501,503,301,308,302,429 -o "$1"/dirs.txt --format=simple
gowitness file -f "$1"/status.txt -P "$1"/screenshots
gowitness file -f "$1"/dirs.txt -P "$1"/screenshots
These are just simple commands which you can write in your bash.sh script and it will run all tools automatically. $1 is used for taking inputs in command line. For running this script:-
#save bash script as autorecon.sh
chmod 777 autorecon.sh # for executable permission
./autorecon.sh target.com # It will run all tools on target.com You can use bash script or python to automate your recon methodology
Problems and Solutions of automation
Big targets might take a lot of time and you cannot run automation scripts 24/7.
Solution:- Using VPS for automation scripts will save time and you can run scripts 24/7. You can create a discord bot using python which will run on your VPS and runs all scripts in background.
If you want to try a recon bot on discord, you can join this discord server and text me
Like and share