MShahine · August 7, 2020 12:33
diff --git a/profile-hack.sh b/profile-hack.sh
 #----- AWS -------

 s3ls(){
 aws s3 ls s3://$1
 }

 s3cp(){
 aws s3 cp $2 s3://$1 
 }

 #---- Content discovery ----
 thewadl(){ #this grabs endpoints from a application.wadl and puts them in yahooapi.txt
 curl -s $1 | grep path | sed -n "s/.*resource path=\"\(.*\)\".*/\1/p" | tee -a ~/tools/dirsearch/db/yahooapi.txt
 }

 #----- recon -----
 crtndstry(){
 ./tools/crtndstry/crtndstry $1
 }

 am(){ #runs amass passively and saves to json
 amass enum --passive -d $1 -json $1.json
 jq .name $1.json | sed "s/\"//g"| httprobe -c 60 | tee -a $1-domains.txt
 }

 certprobe(){ #runs httprobe on all the hosts from certspotter
 curl -s https://crt.sh/\?q\=\%.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe | tee -a ./all.txt
 }

 mscan(){ #runs masscan
 sudo masscan -p4443,2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,744$}
 }

 certspotter(){ 
 curl -s https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep $1
 } #h/t Michiel Prins

 crtsh(){
 curl -s https://crt.sh/?Identity=%.$1 | grep ">*.$1" | sed 's/<[/]*[TB][DR]>/\n/g' | grep -vE "<|^[\*]*[\.]*$1" | sort -u | awk 'NF'
 }

 certnmap(){
 curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep $1  | nmap -T5 -Pn -sS -i - -$
 } #h/t Jobert Abma

 ipinfo(){
 curl http://ipinfo.io/$1
 }

 oneforall(){
 	python3 oneforall.py --target $1 --takeover True run
 }

 #------ Tools ------
 dirsearch(){ #runs dirsearch and takes host and extension as arguments
 python3 ~/tools/dirsearch/dirsearch.py -u $1 -e $2 -t 50 -b 
 }

 sqlmap(){
 python ~/tools/sqlmap*/sqlmap.py -u $1 
 }

 ncx(){
 nc -l -n -vv -p $1 -k
 }

 crtshdirsearch(){ #gets all domains from crtsh, runs httprobe and then dir bruteforcers
 curl -s https://crt.sh/?q\=%.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe -c 50 | grep https | xargs -n1 -I{} python3 ~/tools/dirsearch/dirsearch.py -u {} -e $2 -t 50 -b 
 }
	#----- AWS -------

	s3ls(){
	aws s3 ls s3://$1
	}

	s3cp(){
	aws s3 cp $2 s3://$1
	}

	#---- Content discovery ----
	thewadl(){ #this grabs endpoints from a application.wadl and puts them in yahooapi.txt
	curl -s $1 \| grep path \| sed -n "s/.resource path=\"\(.\)\".*/\1/p" \| tee -a ~/tools/dirsearch/db/yahooapi.txt
	}

	#----- recon -----
	crtndstry(){
	./tools/crtndstry/crtndstry $1
	}

	am(){ #runs amass passively and saves to json
	amass enum --passive -d $1 -json $1.json
	jq .name $1.json \| sed "s/\"//g"\| httprobe -c 60 \| tee -a $1-domains.txt
	}

	certprobe(){ #runs httprobe on all the hosts from certspotter
	curl -s https://crt.sh/\?q\=\%.$1\&output\=json \| jq -r '.[].name_value' \| sed 's/\*\.//g' \| sort -u \| httprobe \| tee -a ./all.txt
	}

	mscan(){ #runs masscan
	sudo masscan -p4443,2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,744$}
	}

	certspotter(){
	curl -s https://certspotter.com/api/v0/certs\?domain\=$1 \| jq '.[].dns_names[]' \| sed 's/\"//g' \| sed 's/\*\.//g' \| sort -u \| grep $1
	} #h/t Michiel Prins

	crtsh(){
	curl -s https://crt.sh/?Identity=%.$1 \| grep ">.$1" \| sed 's/<[/][TB][DR]>/\n/g' \| grep -vE "<\|^[\][\.]*$1" \| sort -u \| awk 'NF'
	}

	certnmap(){
	curl https://certspotter.com/api/v0/certs\?domain\=$1 \| jq '.[].dns_names[]' \| sed 's/\"//g' \| sed 's/\*\.//g' \| sort -u \| grep $1 \| nmap -T5 -Pn -sS -i - -$
	} #h/t Jobert Abma

	ipinfo(){
	curl http://ipinfo.io/$1
	}

	oneforall(){
	python3 oneforall.py --target $1 --takeover True run
	}

	#------ Tools ------
	dirsearch(){ #runs dirsearch and takes host and extension as arguments
	python3 ~/tools/dirsearch/dirsearch.py -u $1 -e $2 -t 50 -b
	}

	sqlmap(){
	python ~/tools/sqlmap*/sqlmap.py -u $1
	}

	ncx(){
	nc -l -n -vv -p $1 -k
	}

	crtshdirsearch(){ #gets all domains from crtsh, runs httprobe and then dir bruteforcers
	curl -s https://crt.sh/?q\=%.$1\&output\=json \| jq -r '.[].name_value' \| sed 's/\*\.//g' \| sort -u \| httprobe -c 50 \| grep https \| xargs -n1 -I{} python3 ~/tools/dirsearch/dirsearch.py -u {} -e $2 -t 50 -b
	}