automate port scanning from a single domain with nmap and sublist3r
#!/bin/bash
# Scan a domain, find the servers that are up, and port scan them; automated
# Requires: nmap, sublist3r

# Target domain, taken from the first positional argument (may be empty;
# perform_checks validates it).
DOMAIN=${1-}

# Every intermediate and final artifact lives under ./results, relative to
# the directory the script is launched from.
RESULTS_DIR="./results"

# Subdomain list written by sublist3r
SUBD="${RESULTS_DIR}/found_dns.txt"
# Greppable nmap output of the ping scan
PING_RESULTS="${RESULTS_DIR}/ping_res.txt"
# Copy of the ping scan's console output, used as the IP/DNS name reference
DNS_REF="${RESULTS_DIR}/dns_resolution_ref.txt"
# Live IPs, one per line, fed to the port scan through nmap -iL
IPS_LIVE="${RESULTS_DIR}/ips_live.txt"
# Console output of the port scan
PORTS_OPEN="${RESULTS_DIR}/port_results.txt"
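# Offer to clear a pre-existing ./results dir, or abort.
# Globals:   none written; removes the contents of ./results on "y"
# Arguments: none (reads one keypress from stdin)
# Returns:   0 after removing the old files; exits 1 on "n" or when stdin
#            is exhausted (EOF), so a non-interactive run cannot recurse
#            forever on an empty answer
rm_results_opt() {
  local choice
  printf '\n%s\n' "'results' dir already exists..."
  # -n 1 accepts 1 char w/o need for 'enter'; -r keeps backslashes literal.
  # read returns non-zero on EOF (e.g. stdin is /dev/null) -- treat as "no".
  if ! read -p "Remove existing files? (y/n) " -n 1 -r choice; then
    printf '\n\nAborted.\n'
    exit 1
  fi
  case "$choice" in
    y|Y) rm -rf -- ./results/* ;;
    n|N) printf '\n\nAborted.\n'; exit 1 ;;
    *) printf '\nInvalid input.\n'; rm_results_opt ;;
  esac
}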
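# Make sure this script can run: a domain was given, both tools are on PATH,
# and the results dir is either fresh or the user agreed to clear it.
# Globals:   DOMAIN (read)
# Returns:   0 when all checks pass; exits 1 otherwise (usage and tool
#            diagnostics go to stderr)
perform_checks() {
  if [[ -z "${DOMAIN}" ]]; then
    echo "Usage: ./scan_auto.sh <domain>" >&2
    exit 1
  fi
  # command -v is the portable "is it installed" test; `which` is an
  # external program whose output and exit status vary between systems.
  if ! command -v nmap >/dev/null 2>&1; then
    echo "Script requires nmap" >&2
    exit 1
  fi
  if ! command -v sublist3r >/dev/null 2>&1; then
    echo "script requires sublist3r" >&2
    exit 1
  fi
  if [[ -d "results" ]]; then
    rm_results_opt
  else
    mkdir -p results
  fi
}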
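# Enumerate subdomains of DOMAIN with sublist3r, writing them to SUBD.
# Globals:   DOMAIN, SUBD (read)
# Returns:   0 when sublist3r produced the output file; exits 1 otherwise
enum_sub() {
  printf '\n\nScanning for subdomains...\n\n'
  sublist3r -d "${DOMAIN}" -o "${SUBD}"
  if [[ -f "${SUBD}" ]]; then
    printf '\nSubdomain file: %s\n\n' "${SUBD}"
  else
    # printf rather than a bare echo so the leading newline is honoured
    # (the previous echo lacked -e and printed a literal "\n")
    printf '\nNo subdomains found.\n' >&2
    exit 1
  fi
}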
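# Ping scan the enumerated subdomains and collect the unique live IPs.
# Globals:   SUBD, PING_RESULTS, DNS_REF, IPS_LIVE (read)
# Outputs:   nmap's console output (also saved to DNS_REF); the unique live
#            IPs are written to IPS_LIVE, one per line, and listed on stdout
# Returns:   0 when the ping results file is non-empty; exits 1 otherwise
ping_scan() {
  echo "Scanning for active hosts..."
  sudo nmap -sn -iL "${SUBD}" -oG "${PING_RESULTS}" 2>&1 | tee "${DNS_REF}"
  printf '\nIP/DNS Resolution reference: %s\n' "${DNS_REF}"
  # file exists and is not empty
  if [[ -s "${PING_RESULTS}" ]]; then
    # Greppable lines look like "Host: <ip> (<name>)  Status: Up"; take the
    # IP field. Match the full status token instead of a bare "Up" so a
    # hostname containing "Up" cannot be picked up, and dedupe before
    # writing so the file itself holds unique IPs (previously only the
    # on-screen listing was deduped while the file was appended to).
    awk '/Status: Up/ { print $2 }' "${PING_RESULTS}" | sort -u > "${IPS_LIVE}"
    printf '\nActive IPs:\n'
    cat "${IPS_LIVE}"
  else
    printf '\nNo hosts appear to be active.\n' >&2
    exit 1
  fi
}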
# Port scan every live IP collected by ping_scan.
# Globals:   IPS_LIVE, PORTS_OPEN (read)
# Outputs:   nmap's console output, also saved to PORTS_OPEN
# Returns:   0 after the scan; exits 1 when IPS_LIVE is missing or empty
port_scan() {
  local targets=${IPS_LIVE}
  if [[ ! -s "${targets}" ]]; then
    echo -e "\nNo hosts appear to be active."
    exit 1
  fi
  echo -e "\nScanning active IPs from file: ${targets}"
  # nmap runs through sudo because -sS needs raw-socket privileges
  sudo nmap -sS -vv -iL "${targets}" 2>&1 | tee "${PORTS_OPEN}"
  echo -e "\n Results located at ${PORTS_OPEN}"
}
# Entry point: validate the environment, enumerate subdomains, ping scan,
# then port scan the hosts that answered.
main() {
  perform_checks
  enum_sub
  # short pause between phases (kept from the original; reason not stated)
  sleep 2
  ping_scan
  sleep 2
  port_scan
  printf '\nDone.\n'
}
main "$@"