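#!/usr/bin/env bash
#
# Asset discovery and content-gathering pipeline for one apex domain.
# Results are written under ./recon-<YYYY-MM-DD>/ in the current directory.
#
# Usage:    recon.sh <domain>
# Requires: assetfinder, knockpy, jq, certspotter, massdns, httprobe,
#           dirsearch, webscreenshot on PATH.
# Env:      MASSDNS_RESOLVERS - resolver list handed to massdns
#           (default: ~/tools/massdns/lists/resolvers.txt, the path that
#           used to be hard-coded below).
#
# set -e is deliberately not used: several stages legitimately return
# non-zero (grep with no match, tools that find nothing), so critical
# steps are checked explicitly instead.
set -u

####################################
# Config
##################
HTTPROBE_CONCURRENCY=100
HTTPROBE_TIMEOUT=3000
DIRSEARCH_THREADS=50
DIRSEARCH_EXTENSIONS='*'
# ERE tested against the label(s) left of ".<target>" for each host.
# bash's [[ =~ ]] uses the same ERE dialect grep -E did here.
ATTENTION_PATTERN='(api|dev|stag|stg|test|tst|corp|int|inter|infra|priv|demo|promo|config|docker|s3|vip|jira|jenkins|splunk|archive|backup|secure|dash|vip|vpn|auth)'
MASSDNS_RESOLVERS=${MASSDNS_RESOLVERS:-$HOME/tools/massdns/lists/resolvers.txt}
##################
# End Config
####################################
readonly HTTPROBE_CONCURRENCY HTTPROBE_TIMEOUT DIRSEARCH_THREADS \
  DIRSEARCH_EXTENSIONS ATTENTION_PATTERN MASSDNS_RESOLVERS

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a progress line to stdout (printf, so leading spaces and
# backslashes in the banner are emitted verbatim).
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# Count the lines of a file; whitespace is stripped because BSD wc pads.
# Arguments: $1 - file path
# Outputs:   line count on stdout
#######################################
count_lines() {
  wc -l < "$1" | tr -d ' '
}

#######################################
# Print the hosts (or URLs) from a file whose part left of ".<TARGET>"
# matches ATTENTION_PATTERN.
# Replaces the original strip / grep -E / re-append sed pipeline, which
# interpolated $TARGET unescaped into a sed pattern and, for the apex
# host itself (no leading label to strip), appended ".<TARGET>" a second
# time.
# Globals:   TARGET (read), ATTENTION_PATTERN (read)
# Arguments: $1 - file with one host or URL per line
# Outputs:   matching lines, unchanged, on stdout
#######################################
filter_interesting() {
  local host label
  while IFS= read -r host || [[ -n $host ]]; do
    label=${host%."$TARGET"}
    if [[ $label =~ $ATTENTION_PATTERN ]]; then
      printf '%s\n' "$host"
    fi
  done < "$1"
}

#######################################
# Run the whole pipeline.
# Globals:   TARGET, OUTPATH (written)
# Arguments: $1 - apex domain to enumerate
#######################################
main() {
  local tool host report_name knockpy_report target_re shots

  (( $# == 1 )) || die "Usage: ${0##*/} <domain>"
  TARGET=$1
  # The target is spliced into grep patterns and passed as an argument to
  # every tool below; restricting it to hostname characters keeps an odd
  # argument from altering those patterns or being parsed as an option.
  [[ $TARGET =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
    || die "Invalid target '$TARGET': expected a bare domain name"
  readonly TARGET

  # Fail before creating any output if a dependency is missing.
  for tool in assetfinder knockpy jq certspotter massdns httprobe dirsearch webscreenshot; do
    command -v "$tool" >/dev/null 2>&1 || die "Required tool not found on PATH: $tool"
  done
  [[ -r $MASSDNS_RESOLVERS ]] \
    || die "massdns resolver list not readable: $MASSDNS_RESOLVERS"

  OUTPATH=recon-$(date +%F)
  readonly OUTPATH
  mkdir -p -- "$OUTPATH" || die "Cannot create $OUTPATH"
  cd -- "$OUTPATH" || die "Cannot enter $OUTPATH"

  printf '\n'
  log "/==========================================="
  log "|"
  log "| Recon started on $TARGET"
  log "| Saving results in ./$OUTPATH"
  log "|"
  log "\==========================================="
  printf '\n'

  log "Starting asset discovery"

  log " Running assetfinder"
  assetfinder --subs-only "$TARGET" >> assetfinder.tmp
  log " - Found: $(count_lines assetfinder.tmp)"

  log " Running knockpy"
  mkdir -p reports/knockpy
  # stdout is discarded; stderr is kept in its own file so the subdomain
  # list in knockpy.tmp is not mixed with log lines (the original appended
  # both into the same file and counted them together).
  knockpy "$TARGET" --json >/dev/null 2>reports/knockpy/knockpy.stderr
  # NOTE(review): the report path is recovered from knockpy's stderr the
  # same way as before ("<label>: <path>"); this depends on the installed
  # knockpy's log format — confirm against the version in use.
  knockpy_report=$(grep : reports/knockpy/knockpy.stderr | awk -F': ' '{print $2}')
  if [[ -n $knockpy_report && -f $knockpy_report ]]; then
    # -r emits raw strings, i.e. the same result as the old sed 's/"//g'.
    jq -r '.found.subdomain[]' "$knockpy_report" > knockpy.tmp
    mv -- "$knockpy_report" reports/knockpy/
  else
    : > knockpy.tmp
    log " - knockpy report not found; see reports/knockpy/knockpy.stderr"
  fi
  log " - Found: $(count_lines knockpy.tmp)"

  log " Checking certspotter"
  certspotter "$TARGET" >> certspotter.tmp
  log " - Found: $(count_lines certspotter.tmp)"

  log " Sorting and removing duplicate assets"
  # Dots in the target are escaped so they match literally, and the match
  # is anchored at a label boundary so "evil-<target>" is excluded
  # (the original grep "$TARGET$" accepted both).
  target_re=${TARGET//./\\.}
  LC_ALL=C sort -u assetfinder.tmp knockpy.tmp certspotter.tmp \
    | grep -E "(^|\.)${target_re}"'$' > all.txt
  log " - Discovered $(count_lines all.txt) unique assets"

  log " Running massdns"
  massdns -q -r "$MASSDNS_RESOLVERS" -t A -o S -w reports/massdns.out all.txt

  log " Running httprobe"
  httprobe -c "$HTTPROBE_CONCURRENCY" -t "$HTTPROBE_TIMEOUT" < all.txt >> alive.txt
  log " - $(count_lines alive.txt) assets are responding"

  log " Looking for interesting assets"
  filter_interesting all.txt > attention-all.txt
  filter_interesting alive.txt > attention-alive.txt
  log " - Found $(count_lines attention-all.txt) interesting assets, of which $(count_lines attention-alive.txt) are responding"
  log " Asset discovery complete"

  printf '\n'
  log "Starting content gathering"
  log " Running dirsearch"
  mkdir -p reports/dirsearch
  while IFS= read -r host || [[ -n $host ]]; do
    [[ -n $host ]] || continue
    # Filesystem-safe report name derived from the URL (same sed class as
    # before, now fed by printf instead of an unquoted echo).
    report_name=$(printf '%s\n' "$host" | sed -E 's/[.|/:]+/_/g').txt
    # The original passed a bare "-u" before "-t" in addition to
    # "-u $host"; dirsearch's -u takes an argument, so the stray flag
    # consumed "-t". stdin is detached so the tool cannot read the rest of
    # alive.txt out of the loop.
    dirsearch -e "$DIRSEARCH_EXTENSIONS" -r -b -t "$DIRSEARCH_THREADS" \
      --plain-text "reports/dirsearch/$report_name" -u "$host" </dev/null
  done < alive.txt

  log " Running webscreenshot"
  webscreenshot -i alive.txt -r chromium -o reports/screenshots
  # `ls -l ... | wc -l` also counted ls's "total" header line; count the
  # files directly. NOTE(review): the original glob was *.txt — check which
  # extension webscreenshot writes and narrow the find if needed.
  shots=$(find reports/screenshots -mindepth 1 -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' ')
  log " - Total $shots screenshots stored in $OUTPATH/reports/screenshots"

  log "Cleaning up temporary files"
  rm -f -- ./*.tmp
  printf '\n'
  log "All done. Happy hunting!"
}

main "$@"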