@nani1337
Created November 18, 2019 05:33
Enumerating subdomains and checking which are alive
#!/bin/bash
# enum.sh: collect subdomains of $1 with sublist3r and assetfinder, then probe them
# (assumes sublist3r, assetfinder and httprobe are on PATH)
#starting sublist3r
sublist3r -d "$1" -v -o domains.txt
#running assetfinder (appending to the same list)
assetfinder --subs-only "$1" | tee -a domains.txt
#removing duplicate entries
sort -u domains.txt -o domains.txt
#checking for alive domains: httprobe prints the http:// and https:// URLs that answer
echo -e "\n\n[+] Checking for alive domains..\n"
cat domains.txt | httprobe | tee -a alive.txt
#formatting the data to json (strip the newlines so they don't end up inside the JSON strings)
python -c "import sys, json; print(json.dumps({'domains': [l.strip() for l in sys.stdin if l.strip()]}))" < alive.txt > alive.json
python -c "import sys, json; print(json.dumps({'domains': [l.strip() for l in sys.stdin if l.strip()]}))" < domains.txt > domains.json
To run the script, use the following commands:
$ chmod 755 enum.sh #setting file permissions
$ ./enum.sh example.com
Storing subdomain headers and response bodies
#!/bin/bash
# response.sh: save the response headers and body of every alive URL listed in $1
mkdir -p headers
mkdir -p responsebody
CURRENT_PATH=$(pwd)
while read -r x
do
    # file name = host part of the URL (http://host/... -> host). httprobe emits both an
    # http:// and an https:// entry for a host; they share a name, so the later one wins
    NAME=$(echo "$x" | awk -F/ '{print $3}')
    # headers only: -D dumps the response headers to a file, the body goes to /dev/null
    # (a plain GET rather than -I, since some servers answer HEAD differently)
    curl -s -H "X-Forwarded-For: evil.com" -D "$CURRENT_PATH/headers/$NAME" -o /dev/null "$x"
    # body, following redirects
    curl -s -H "X-Forwarded-For: evil.com" -L "$x" > "$CURRENT_PATH/responsebody/$NAME"
done < "$1"
Use the following commands to run the script:
$ chmod 755 response.sh
$ ./response.sh alive.txt
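The script above injects `X-Forwarded-For: evil.com` but never looks at what came back. As an added example (not part of the gist), here is a small check that reads a file from the `headers/` directory response.sh writes and reports version-revealing headers, whether the injected host was echoed back (a `Location` built from it is worth a manual look), and which hardening headers are absent. The header file it creates is a constructed sample in the shape curl dumps, not a real capture; the host name is made up.

```bash
#!/bin/bash
# Added example: audit one saved header file from response.sh.

# audit_headers FILE: print one finding per line for a curl header dump
audit_headers() {
    local file="$1" hdr h
    hdr=$(tr -d '\r' < "$file")   # curl writes CRLF line endings
    # 1. headers that disclose the server stack or version
    printf '%s\n' "$hdr" \
        | grep -Ei '^(server|x-powered-by|x-aspnet-version|x-generator):' \
        | sed 's/^/disclosure: /' || true
    # 2. did the injected X-Forwarded-For host come back in any header?
    if printf '%s\n' "$hdr" | grep -qi 'evil\.com'; then
        echo "reflected: injected X-Forwarded-For host echoed in headers"
    fi
    # 3. hardening headers that are missing
    for h in strict-transport-security content-security-policy x-frame-options; do
        printf '%s\n' "$hdr" | grep -qi "^$h:" || echo "missing: $h"
    done
}

# audit_all DIR: run audit_headers over every file in a headers/ directory
audit_all() {
    local f
    for f in "$1"/*; do
        echo "== $(basename "$f")"
        audit_headers "$f"
    done
}

# constructed sample (hypothetical host, made-up values), written the way curl -D does
SAMPLE_HEADERS=$(mktemp -d)
SAMPLE_FILE="$SAMPLE_HEADERS/api.example.com"
printf '%s\r\n' \
    'HTTP/1.1 302 Found' \
    'Server: Apache/2.4.29 (Ubuntu)' \
    'X-Powered-By: PHP/7.2.24' \
    'Location: http://evil.com/login' \
    'Content-Type: text/html' \
    'X-Frame-Options: DENY' \
    '' > "$SAMPLE_FILE"

audit_all "$SAMPLE_HEADERS"
```

Run it against the real directory with `audit_all headers` after response.sh has finished; the `reflected:` line only says the string came back, so confirm by hand where it landed before calling it a bug.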
Collecting JavaScript files and Hidden Endpoints
#!/bin/bash
# jsfiles.sh: for every saved response body, find the <script src=...> tags,
# download each script and record its URL
mkdir -p scripts
mkdir -p scriptsresponse
RED='\033[0;31m'
NC='\033[0m'
CUR_PATH=$(pwd)
for x in "$CUR_PATH"/responsebody/*
do
    x=$(basename "$x")   # the host the body was fetched from
    printf "\n\n${RED}%s${NC}\n\n" "$x"
    mkdir -p "scriptsresponse/$x"
    # src="..." directly followed by ></script>; cut pulls out the quoted value
    END_POINTS=$(grep -Eoi "src=\"[^>]+></script>" "$CUR_PATH/responsebody/$x" | cut -d '"' -f 2)
    for end_point in $END_POINTS
    do
        # absolute URLs are used as-is, anything else is treated as root-relative
        case "$end_point" in
            http*) URL=$end_point ;;
            *) URL="https://$x$end_point" ;;
        esac
        file=$(basename "$end_point")
        curl -s -L "$URL" > "scriptsresponse/$x/$file"
        echo "$URL" >> "scripts/$x"
    done
done
$ chmod 755 jsfiles.sh
$ ./jsfiles.sh
Make sure the relative-url-extractor tool is cloned into your home directory; the script calls it as ~/relative-url-extractor/extract.rb.
#!/bin/bash
# endpoints.sh: run relative-url-extractor over every downloaded script
#looping through the scriptsresponse directory
mkdir -p endpoints
for domain in $(ls scriptsresponse)
do
    #looping through files in each domain
    mkdir -p "endpoints/$domain"
    for file in $(ls "scriptsresponse/$domain")
    do
        ruby ~/relative-url-extractor/extract.rb "scriptsresponse/$domain/$file" >> "endpoints/$domain/$file"
    done
done
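The two steps above (jsfiles.sh pulling script URLs out of saved HTML, then extracting endpoints from the downloaded scripts) share one piece of logic: turning a reference found in a file into an absolute URL on the right host. As an added example, not the gist's code and not relative-url-extractor's, here is that resolution written once and applied to both. It covers the forms jsfiles.sh's "does it contain http" test misses: protocol-relative `//cdn...` references, single-quoted attributes, paths without a leading slash, and query strings that would otherwise end up in the on-disk file name. The endpoint regex is a deliberately simple stand-in for the Ruby tool (root-relative paths inside quotes). The HTML, JavaScript and host names are constructed samples.

```bash
#!/bin/bash
# Added example: URL resolution shared by the script-collection and endpoint steps.

# absolutize HOST REF: turn a src/href/endpoint reference into an absolute URL
absolutize() {
    local host="$1" ref="$2"
    case "$ref" in
        http://*|https://*) echo "$ref" ;;               # already absolute
        //*)                echo "https:$ref" ;;         # protocol-relative
        /*)                 echo "https://$host$ref" ;;  # root-relative
        *)                  echo "https://$host/$ref" ;; # document-relative; assumes the page lived at /
    esac
}

# resolve_script_urls HOST HTMLFILE: absolute URL of every external <script> in the file
resolve_script_urls() {
    local host="$1" html="$2" src
    # src may sit anywhere inside the tag and use either quote style;
    # [^>]+ keeps the match inside one tag, so several tags per line are fine
    grep -Eoi "<script[^>]+src=[\"'][^\"']+" "$html" \
        | sed -E "s/.*src=[\"']//" \
        | while read -r src; do absolutize "$host" "$src"; done \
        | LC_ALL=C sort -u
}

# script_filename URL: on-disk name for a fetched script, query string dropped
script_filename() {
    local url="${1%%\?*}"
    basename "$url"
}

# extract_endpoints JSFILE: quoted root-relative paths found in a script
extract_endpoints() {
    grep -Eo "[\"']/[A-Za-z0-9_./?=&%-]+[\"']" "$1" \
        | sed -E "s/^[\"']//; s/[\"']$//" \
        | LC_ALL=C sort -u
}

# endpoint_urls HOST JSFILE: the same paths joined with the host, query dropped
endpoint_urls() {
    local host="$1" p
    extract_endpoints "$2" \
        | while read -r p; do absolutize "$host" "${p%%\?*}"; done \
        | LC_ALL=C sort -u
}

# constructed samples (hypothetical hosts and paths)
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/www.example.com" <<'EOF'
<html><head>
<script src="/static/app.js?v=42"></script>
<script type="text/javascript" src='https://cdn.example.net/lib/jquery.min.js'></script>
<script src="//cdn.example.net/analytics.js" async></script>
<script async src="vendor/legacy.js"></script>
<script>inline();</script>
</head></html>
EOF
cat > "$SAMPLE/app.js" <<'EOF'
var API = "/api/v1/users";
fetch('/api/v1/admin/export?format=csv').then(r => r.json());
const logo = "/static/img/logo.png";
var cdn = "https://cdn.example.net/lib.js";
// see /docs for details; ratio = 3/4
EOF

echo "[scripts referenced by www.example.com]"
resolve_script_urls www.example.com "$SAMPLE/www.example.com"
echo "[endpoints in app.js]"
endpoint_urls www.example.com "$SAMPLE/app.js"
```

The inline `<script>` block, the unquoted `/docs` in a comment and the `3/4` arithmetic are there to show what the patterns ignore; a real script also carries string-concatenated paths that no regex will assemble, which is why the downloaded files are still worth reading by hand.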
Next we run nmap over all the subdomains collected so far and store the results in the nmapscans directory, one file per host.
#!/bin/bash
# nmap.sh: default-script and version scan of every host listed in $1
mkdir -p nmapscans
while read -r domain
do
    nmap -sC -sV "$domain" | tee "nmapscans/$domain"
done < "$1"
$ chmod 755 nmap.sh
$ ./nmap.sh domains.txt
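nmap.sh saves nmap's normal (human-readable) output, so a question like "which hosts expose ssh" needs a little parsing rather than a plain grep. As an added example that is not part of the gist, here is an awk-based reader for those files that lists open ports per host, finds every host running a given service, and pivots the open ports across all scans. The two scan files it creates are constructed samples with made-up hosts, addresses and banners.

```bash
#!/bin/bash
# Added example: read the nmapscans/ files nmap.sh writes.

# open_ports FILE: prints "host port/proto service version" for each open port
open_ports() {
    awk '
        /^Nmap scan report for/ { host = $5 }          # "Nmap scan report for HOST (IP)"
        /^[0-9]+\/(tcp|udp) +open / {                  # exactly "open", not open|filtered
            line = host " " $1 " " $3
            for (i = 4; i <= NF; i++) line = line " " $i
            print line
        }
    ' "$1"
}

# hosts_with_service DIR REGEX: "host port/proto" for every open port whose service matches
hosts_with_service() {
    local f
    for f in "$1"/*; do open_ports "$f"; done \
        | awk -v svc="$2" '$3 ~ svc { print $1, $2 }' \
        | LC_ALL=C sort
}

# port_summary DIR: "port/proto service hostcount" across every scan in DIR
port_summary() {
    local f
    for f in "$1"/*; do open_ports "$f"; done \
        | awk '{ key = $2 " " $3; n[key]++ } END { for (k in n) print k, n[k] }' \
        | LC_ALL=C sort
}

# constructed sample scans (hypothetical hosts, addresses and versions)
SCANS=$(mktemp -d)
cat > "$SCANS/api.example.com" <<'EOF'
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for api.example.com (203.0.113.10)
Host is up (0.012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.14.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
| ssl-cert: Subject: commonName=api.example.com
|_Not valid after:  2019-09-01T00:00:00
EOF
cat > "$SCANS/dev.example.com" <<'EOF'
Nmap scan report for dev.example.com (203.0.113.22)
Host is up (0.020s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 7.4 (protocol 2.0)
3306/tcp open   mysql   MySQL 5.7.27
8080/tcp open   http    Apache Tomcat/Coyote JSP engine 1.1
8443/tcp closed https-alt
EOF

echo "[hosts with ssh]";  hosts_with_service "$SCANS" ssh
echo "[hosts with http]"; hosts_with_service "$SCANS" http
echo "[open ports across all scans]"; port_summary "$SCANS"
```

Point the functions at the real directory (`port_summary nmapscans`) once nmap.sh has finished; an exposed database port such as the 3306 in the sample is the kind of line that should stand out in the summary.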
We use aquatone to take the web screenshots. No script is needed for this step: pass the alive.txt domains to aquatone and it generates the screenshots.
$ cat alive.txt | aquatone -out ~/example.com/screenshots/
to find two info-disclosure bugs using the above methodology.
#!/bin/bash
# search.sh: grep the files collected by the earlier scripts for an expression
BOLD="\e[1m"
NORMAL="\e[0m"
GREEN="\e[32m"
RED="\e[31m"   # 30 is black; 31 is red
HELP="
${BOLD}[+]USAGE:${NORMAL} ./search.sh (OPTIONS)
-j (string) - search in javascript files
-x (string) - search in header files
-e (string) - search in html files
-n (string) - search nmap scans
-h - help
"
# searchdir DIR WORD: grep every file under DIR for WORD (headers, responsebody
# and nmapscans hold one file per host; scriptsresponse holds host/file)
searchdir() {
    local DIR="${1}"
    local WORD="${2}"
    local path RES
    find "$DIR" -type f | sort | while read -r path
    do
        echo -e "\n${BOLD}${GREEN}${path#$DIR/}${NORMAL}"
        RES=$(grep -E "${WORD}" "$path")
        if [ -z "$RES" ]
        then
            echo -e "${BOLD}${RED}No results found${NORMAL}"
        else
            echo "$RES"   # quoted, so each match stays on its own line
        fi
    done
}
#checking for expressions in html, headers, javascript and nmap output
searchhtml() { searchdir responsebody "${1}"; }
searchheader() { searchdir headers "${1}"; }
searchjs() { searchdir scriptsresponse "${1}"; }
searchnmap() { searchdir nmapscans "${1}"; }
if [ $# -eq 0 ]
then
    echo -e "${HELP}"
    exit 1
fi
while getopts j:x:e:n:h OPTIONS
do
    case "${OPTIONS}" in
        j) searchjs "${OPTARG}" ;;
        e) searchhtml "${OPTARG}" ;;
        x) searchheader "${OPTARG}" ;;
        n) searchnmap "${OPTARG}" ;;
        h) echo -e "${HELP}" ;;
        *)
            echo -e "[+] Select a valid option.\n"
            echo -e "${HELP}"
            exit 1
            ;;
    esac
done
$ ./search.sh -j "admin"
$ ./search.sh -x "nginx"
$ ./search.sh -e "s3.amazonaws"
$ ./search.sh -n "ssh" #searching nmap scans for the string ssh