#!/usr/bin/env python
# [+] This code is written by Eslam Akl - @eslam3kl #
# [+] Automation tool to perform Recon - Information gathering #
# [+] Happy Hacking #
import optparse
import os
import re
import subprocess

from termcolor import colored
# Banner and feature summary.  Purely cosmetic: nothing printed here feeds
# the pipeline below.  Raw strings keep the backslashes in the ASCII art
# literal without relying on unrecognised escape sequences.
banner_art = [
    r" ______ _ _ ",
    r" (_____ \| | | | ",
    r" _____) ) | _| | ____ ___ _____ ",
    r" (_____ (| |_/ ) |/ ___) _ \| _ \ ",
    r" _____) ) _ (| ( (__| |_| | | | | ",
    r" (______/|_| \_)\_)____)___/|_| |_| V2.0 ",
]
print(" ")
for art_line in banner_art:
    print(colored(art_line, "red", attrs=['bold']))
print(" ")

# Author credits: white label followed by a yellow value on the same line.
credit_lines = [
    (" Coded by ", "Eslam Akl "),
    (" Blog: ", "https://medium.com/@eslam3kl"),
    (" GitHub: ", "https://github.com/eslam3kl"),
]
for credit_label, credit_value in credit_lines:
    print(colored(credit_label, "white", attrs=['bold']) + colored(credit_value, "yellow", attrs=['bold']))

# Stage overview, in the order the sections below run.  The final entry
# carries its own trailing newline so the banner ends with a blank line.
print(colored("\n(+) Automation Recon Framework, Medium & Large scopes", "cyan", attrs=['bold']))
feature_lines = [
    "Collect all Acquisitions and ASN",
    "Collect Live subdomains",
    "Collect Live sub-subdomains",
    "Spider & wayback subdomains",
    "Extract JS files",
    "Content Discovery",
    "Port Scan",
    "GitHub Secrets",
    "GitHub dork links",
    "Extract possible vulnerable links ",
    "Scan for Subdomain vulnerabilities Takeover & S3buckets",
    "Scan Links for CVE's",
    "Scan Security Headers ",
    "Scan Misconfiguration ",
    "Scan Vulnerabilities",
    "Scan for website technologies and services\n",
]
for feature in feature_lines:
    print(colored("(+) ", "red") + colored(feature, "green"))
#get user input
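def get_user_input():
    """Parse the command line and return the validated target domain.

    Only ``-t/--target_url`` is accepted.  The value is later spliced
    unquoted into ``shell=True`` command strings and its first label is
    used as a directory name, so it is checked here against a plain
    hostname pattern (labels of letters, digits and ``-`` joined by ``.``).
    Anything else - a scheme, a path, whitespace or shell metacharacters -
    is rejected before any external command runs.

    Returns:
        The target hostname as given on the command line, with surrounding
        whitespace removed.

    Raises:
        SystemExit: with status 2 when the option is missing or malformed
            (the previous bare ``raise SystemExit`` exited with status 0,
            which made a usage error look like success to wrappers).
    """
    parser = optparse.OptionParser()
    parser.add_option("-t", "--target_url", dest="target_url",
                      help="\tTarget URL (google.com, microsoft.com)")
    (options, arguments) = parser.parse_args()
    if not options.target_url:
        print(colored("\n\n[-] Warning: ", "red", attrs=['bold']) + colored("Target url doesn't exist, see --help for more info", 'white'))
        print(colored("[+] Usage: ","red", attrs=['bold']) + colored("python 3klcon.py -t target.com", 'white'))
        print(" ")
        raise SystemExit(2)
    target = options.target_url.strip()
    # RFC 1035-style hostname: 1-63 char labels, no leading/trailing '-',
    # at most 253 chars in total.  Deliberately no scheme, port or path.
    hostname_re = re.compile(
        r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
    )
    if not hostname_re.match(target):
        print(colored("\n\n[-] Warning: ", "red", attrs=['bold']) + colored("Target must be a bare domain name (letters, digits, '-' and '.'), e.g. target.com", 'white'))
        print(colored("[+] Usage: ","red", attrs=['bold']) + colored("python 3klcon.py -t target.com", 'white'))
        print(" ")
        raise SystemExit(2)
    return target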
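#target
user_input = get_user_input()
target = user_input
# The first DNS label names the results directory (google.com -> ./google).
# Every later section runs inside it, so the relative paths they use
# (../tools, ../word_lists) are resolved from that directory.
word = target.split(".")[0]
if not word:
    # A target such as ".com" would otherwise reach os.chdir("") and die
    # with a traceback instead of a usage message.
    print(colored("\n[-] Warning: ", "red", attrs=['bold']) + colored("Target must start with a domain label, e.g. target.com", 'white'))
    raise SystemExit(2)
#subdomain_stage_names
subdomains_output = "subdomains.txt"
httpx_output = "httpx_subfinder_without.txt"
unique_subdomains = "unique_subdomains.txt"
resolved_subdomain = "resolved_subdomains.txt"
live_subdomains = "live_subdomains.txt"
altdns_output = "altdns_output.txt"
# No space in this name: it is referenced from shell command strings, where
# the old "GitHub secrets.txt" split into two words (a redirect to "GitHub"
# plus a stray "secrets.txt" argument).
git_secrets = "GitHub_secrets.txt"
#scan
port_scan = "port_scan.txt"
#wayback files name
waybackurls_output = "waybackurls.txt"
wayback = "wayback_urls.txt"
js_files = "js_files.txt"
#vulnerable files name (one file per gf pattern, under vulnerable_files/)
ssrf = "gf_ssrf.txt"
redirect = "gf_redirect.txt"
xss = "gf_xss.txt"
sqli = "gf_sqli.txt"
lfi = "gf_lfi.txt"
rce = "gf_rce.txt"
idor = "gf_idor.txt"
#nuclei_output (under automation_scanners/)
subdomain_scan = "subdomain_scan.txt"
subdomain_takeover = "subdomain_takeover_scan.txt"
service_info = "service_info_scan.txt"
security_misconfiguration = "security_misconfiguration_scan.txt"
endpoint_check = "endpoints_scan.txt"
########################[ START ]##############################
# Create the results directory without a shell: the name is derived from
# user input, and an existing directory is simply reused (the old
# "mkdir <word>" printed an error to stderr in that case and carried on).
os.makedirs(word, exist_ok=True)
os.chdir(word)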
#get all asn and acquistions
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start collecting ASN & Acquisitions", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# 3klector is given only the first label (``word``), not the full domain,
# and its stdout is captured as this section's result file.
asn_cmd = "python ../tools/3klector/3klector.py -t {} > asn_aquisitions.txt".format(word)
subprocess.call(asn_cmd, shell=True)
print(colored("Process DONE!\nFile Name: asn_aquisitions.txt\n", 'white', attrs=['bold']))
#=========================================#
#get subdomains from domain and filtering output
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start collecting Resolved Subdomains", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# Three enumeration sources are concatenated into one raw candidate list.
# ``target`` is spliced unquoted into shell=True commands, so it must be a
# plain hostname by the time it reaches this point.
enumeration_cmds = [
    "python ../tools/crtfinder/crtfinder.py -u {} > {}".format(target, subdomains_output),
    "assetfinder -subs-only {} >> {}".format(target, subdomains_output),
    "subfinder -silent -d {} >> {}".format(target, subdomains_output),
]
for enumeration_cmd in enumeration_cmds:
    subprocess.call(enumeration_cmd, shell=True)
# httpx keeps only hosts that answer over HTTP(S) and prints them as URLs;
# the cut pipeline then strips "<scheme>://" so live_subdomains.txt holds
# bare host names again, and the intermediate URL list is removed.
subprocess.call("cat {} | qsreplace | httpx -follow-redirects -silent > {}".format(subdomains_output, resolved_subdomain), shell=True)
subprocess.call("cat {} | cut -d : -f2 | cut -c 3- > {}".format(resolved_subdomain, live_subdomains), shell=True)
subprocess.call("rm {}".format(resolved_subdomain), shell=True)
print(colored("Process DONE!\nFile Name: live_subdomains.txt\n", 'white', attrs=['bold']))
#=========================================#
#get all available endpoint using wayback machine and filter the results
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start collecting waybackurls", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# Static-asset filter shared by both archive sources.  The patterns are
# unanchored substrings (e.g. "png", "ico"), so any URL containing one of
# them anywhere in its text is dropped, not just by extension.
static_asset_filter = "grep -v -e .css -e .jpg -e .jpeg -e png -e ico -e svg"
subprocess.call("cat {} | waybackurls | {} > wayback.txt".format(live_subdomains, static_asset_filter), shell=True)
subprocess.call("cat {} | gau | {} >> wayback.txt".format(live_subdomains, static_asset_filter), shell=True)
# Keep only archived URLs that still respond, then discard the raw list.
subprocess.call("cat wayback.txt | qsreplace | httpx -silent -follow-redirects > {}".format(waybackurls_output), shell=True)
subprocess.call("rm wayback.txt ", shell=True)
print(colored("Process DONE!\nFile Name: waybackurls.txt", 'white', attrs=['bold']))
#=========================================#
#get the js files from the output wayback machine results
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start collecting JS files", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# grep pattern ".js" is a regex: "." matches any character, so lines with
# "js" anywhere (including ".json") are kept as well.
js_extract_cmd = 'cat {} | grep ".js" > {}'.format(waybackurls_output, js_files)
subprocess.call(js_extract_cmd, shell=True)
print(colored("Process DONE!\nFile Name: js_files.txt", 'white', attrs=['bold']))
#=========================================#
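#perform port scan
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start Port Scanning", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# subprocess.call() only raises when the shell itself cannot be started; a
# failing scan.sh just returns a non-zero status.  The old try/except never
# saw that status (so "DONE" was printed regardless) and, being a bare
# except, also swallowed Ctrl-C.  Check the exit status instead.
# NOTE(review): this scans the raw enumerated list (subdomains_output),
# not live_subdomains - possibly deliberate, to include non-HTTP hosts.
try:
    port_scan_rc = subprocess.call("scan.sh -f {} > {}".format(subdomains_output, port_scan), shell=True)
except OSError:
    print(colored("There's an error, Please check it again after ending automation", 'white'))
else:
    if port_scan_rc == 0:
        print(colored("Process DONE!\nFile Name: port_scan.txt", 'white', attrs=['bold']))
    else:
        print(colored("There's an error, Please check it again after ending automation", 'white'))
        print(colored("scan.sh exited with status {}".format(port_scan_rc), 'white'))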
#=========================================#
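#GitHub scan
# Output directory for the per-subdomain dork files (and, later, the
# git-hound results).  Created without a shell; reused if present.
os.makedirs("GitHub_Secrets", exist_ok=True)
#create github search links
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start create GitHub secret links", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# Each line of live_subdomains.txt is derived from httpx output, i.e. from
# data the probed hosts influence, so it must never be spliced into a shell
# string (the old code did, newline included, so the command broke at the
# line end and the ".txt" suffix was lost).  The host name is now used only
# to name the output file, and gitdorks.sh runs as an argument list with no
# shell, its stdout redirected by Python.
try:
    with open(live_subdomains, "r") as subdomains:
        for raw_line in subdomains:
            subdomain = raw_line.strip()
            # Skip blanks and anything that could escape GitHub_Secrets/.
            if not subdomain or "/" in subdomain or subdomain.startswith("."):
                continue
            dork_path = os.path.join("GitHub_Secrets", subdomain + ".txt")
            with open(dork_path, "w") as dork_file:
                # NOTE(review): the original passed ``target`` here even though
                # the output file is named per subdomain; behaviour kept -
                # confirm whether ``subdomain`` was intended.
                subprocess.call(["gitdorks.sh", target], stdout=dork_file)
    print(colored("Process DONE!\nFiles in: GitHub_Secrets/", 'white', attrs=['bold']))
except OSError as exc:
    # Covers a missing live_subdomains.txt, an unwritable output path and a
    # gitdorks.sh that is not on PATH.
    print(colored("There's an problem, please check it again", 'white'))
    print(colored("Detail: {}".format(exc), 'white'))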
#=========================================#
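#GitHub Automation scanner
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start Searching at GitHub", 'red', attrs=['bold']))
print(colored("[-] You Must create file 'config.yml' into git-hound dir and set your GitHub username and password", 'white'))
print(colored(section_rule, 'red', attrs=['bold']))
# The previous call handed the whole "cat ... | git-hound ... > file" string
# to subprocess.call() without shell=True, so it was looked up as a single
# program name and always failed straight into the except branch.  Run the
# tool as an argument list instead: the host list goes in on stdin and its
# stdout is captured by Python, which also keeps the result file name (it
# may contain a space) out of any command string.  config.yml holds GitHub
# credentials and stays under ../tools, outside the results directory.
git_hound_cmd = ["git-hound", "--config-file", "../tools/git-hound/config.yml", "--dig-files", "--dig-commits"]
git_hound_hint = "[+] Command: cat live_subdomains.txt | git-hound --config-file ../tools/git-hound/config.yml --dig-files --dig-commits"
try:
    with open(live_subdomains, "r") as host_list, open(git_secrets, "w") as results:
        git_hound_rc = subprocess.call(git_hound_cmd, stdin=host_list, stdout=results)
    # Same directory the dork step uses (capital S).  The old "mv" targeted
    # "GitHub_secrets/", which is never created, so the move always failed.
    os.makedirs("GitHub_Secrets", exist_ok=True)
    os.replace(git_secrets, os.path.join("GitHub_Secrets", git_secrets))
except OSError:
    print(colored("[-] Git-hound asked for 2FA so it stopped in your automation, So Kindly perform this process maually\n[+] Get into domain folder 'Results directory' and run this command", 'red'))
    print(colored(git_hound_hint, 'white'))
else:
    if git_hound_rc == 0:
        print(colored("Process DONE!\nFile Name: GitHub_Secrets/" + git_secrets, 'white', attrs=['bold']))
    else:
        # stdin is a file, so an interactive prompt (e.g. 2FA) cannot be
        # answered from inside the automation.
        print(colored("[-] Git-hound exited with status {} (for example because it asked for 2FA), So Kindly perform this process maually\n[+] Get into domain folder 'Results directory' and run this command".format(git_hound_rc), 'red'))
        print(colored(git_hound_hint, 'white'))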
#=========================================#
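#get subdomain from subdomain using altdns
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start collecting Sub-subdomains", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# The file passed with -s (altdns_output) is the one the content-discovery
# step reads later; data_output_altdns.txt is altdns' own dump.  The exit
# status is checked because subprocess.call() does not raise on a failing
# command, and the old bare except also swallowed Ctrl-C.
altdns_cmd = "altdns -i {} -o data_output_altdns.txt -w ../word_lists/words.txt -r -s {}".format(live_subdomains, altdns_output)
try:
    altdns_rc = subprocess.call(altdns_cmd, shell=True)
except OSError:
    print(colored("There's an problem in resolving subdomains, please check it again", 'white'))
else:
    if altdns_rc == 0:
        print(colored("Process DONE!\nResults in altdns_output.txt", 'white', attrs=['bold']))
    else:
        print(colored("There's an problem in resolving subdomains, please check it again", 'white'))
        print(colored("altdns exited with status {}".format(altdns_rc), 'white'))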
#=========================================#
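#get all available hidden direcotories from subdomains
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start Content Discovery ", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# dirsearch is run once per host list with the same wordlist and extension
# set.  The old try block wrapped only the final print, so a failing run
# (for instance altdns_output.txt missing because the altdns step failed)
# was never reported; the exit status of each run is checked instead.
dirsearch_wordlist = "/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt"
dirsearch_extensions = "js,php,bak,txt,asp,aspx,jsp,html,zip,jar,sql,json,old,gz,shtml,log,swp,yaml,yml,config,save,rsa,ppk,tar"
# (host list, --simple-report file, file capturing dirsearch's stdout)
dirsearch_runs = [
    (live_subdomains, "dirsearch_output.txt", "subdomains_content_discovery.txt"),
    (altdns_output, "dirsearch_output_altdns.txt", "altdns_subdomains_content_discovery.txt"),
]
failed_host_lists = []
try:
    for host_list, report_file, stdout_file in dirsearch_runs:
        dirsearch_cmd = (
            "python3 ../tools/dirsearch/dirsearch.py -L {} -w {} -e {} -x 500 "
            "--simple-report {} > {} "
        ).format(host_list, dirsearch_wordlist, dirsearch_extensions, report_file, stdout_file)
        if subprocess.call(dirsearch_cmd, shell=True) != 0:
            failed_host_lists.append(host_list)
except OSError:
    print(colored("There's an problem, please check it again", 'white'))
else:
    if failed_host_lists:
        print(colored("There's an problem, please check it again", 'white'))
        print(colored("dirsearch failed for: " + ", ".join(failed_host_lists), 'white'))
    else:
        print(colored("Process DONE!\nFile's Names: subdomains_content_discovery.txt & altdns_subdomains_content_discovery.txt", 'white', attrs=['bold']))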
#=========================================#
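#make possible vulnerable files by gf
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start creating vulnerable files", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# One gf pattern per output file, applied to the archived URLs that carry
# a query string ("grep =").  Order is kept from the original.  Exit
# statuses are checked because subprocess.call() does not raise on a
# failing command (e.g. gf or a pattern not installed), and the old bare
# except also swallowed Ctrl-C.
gf_patterns = [
    ("ssrf", ssrf),
    ("sqli", sqli),
    ("xss", xss),
    ("lfi", lfi),
    ("idor", idor),
    ("redirect", redirect),
    ("rce", rce),
]
failed_patterns = []
try:
    os.makedirs("vulnerable_files", exist_ok=True)
    for gf_pattern, gf_out in gf_patterns:
        gf_cmd = "cat {} | grep = | gf {} > vulnerable_files/{}".format(waybackurls_output, gf_pattern, gf_out)
        if subprocess.call(gf_cmd, shell=True) != 0:
            failed_patterns.append(gf_pattern)
except OSError:
    print(colored("There's an error in GF-Templete, Please check its installation again after ending automation", 'white'))
else:
    if failed_patterns:
        print(colored("There's an error in GF-Templete, Please check its installation again after ending automation", 'white'))
        print(colored("gf patterns that failed: " + ", ".join(failed_patterns), 'white'))
    else:
        print(colored("Process DONE!", 'white', attrs=['bold']))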
#=========================================#
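#vulnerability scanners
section_rule = "--------------------------------------------"
print(colored("\n" + section_rule, 'red', attrs=['bold']))
print(colored("[+] Start Automation Scanners", 'red', attrs=['bold']))
print(colored(section_rule, 'red', attrs=['bold']))
# Scanner steps in their original order; each writes under
# automation_scanners/.  The first nuclei run uses the whole template tree,
# so the later targeted runs appear to overlap with it.  subjack's
# fingerprint path is an absolute GOPATH location that only exists on a
# matching install.  Exit statuses are collected because subprocess.call()
# does not raise on a failing command, and the old bare except also
# swallowed Ctrl-C; previously no completion message was printed at all.
scanner_steps = [
    #test all subdomains for service and vulnerabilities - nuclei
    ("nuclei (all templates)",
     "cat {} | nuclei -t ../tools/nuclei-templates -o automation_scanners/{}".format(live_subdomains, subdomain_scan)),
    #test subdomain takeover, cves
    ("nuclei (takeover/dns/cves)",
     "nuclei -silent -l {} -t ../tools/nuclei-templates/subdomain-takeover/ -t ../tools/nuclei-templates/dns/ -t ../tools/nuclei-templates/cves/ -o automation_scanners/{}".format(live_subdomains, subdomain_takeover)),
    ("subjack",
     "subjack -w {} -timeout 30 -ssl -c /root/go/src/github.com/haccer/subjack/fingerprints.json -v -m >> automation_scanners/{}".format(live_subdomains, subdomain_takeover)),
    #test services info & technologies
    ("nuclei (files/technologies)",
     "nuclei -silent -l {} -t ../tools/nuclei-templates/files -t ../tools/nuclei-templates/technologies -o automation_scanners/{}".format(live_subdomains, service_info)),
    #security_misconfiguration
    ("nuclei (security-misconfiguration)",
     "nuclei -silent -l {} -t ../tools/nuclei-templates/security-misconfiguration -o automation_scanners/{}".format(live_subdomains, security_misconfiguration)),
    #vulnerabilities, generic detection, cves & payload
    ("nuclei (endpoints)",
     "nuclei -silent -l {} -t ../tools/nuclei-templates/cves/ -t ../tools/nuclei-templates/payloads -t ../tools/nuclei-templates/vulnerabilities -t ../tools/nuclei-templates/generic-detections -o automation_scanners/{}".format(waybackurls_output, endpoint_check)),
]
failed_steps = []
try:
    os.makedirs("automation_scanners", exist_ok=True)
    for step_name, step_cmd in scanner_steps:
        if subprocess.call(step_cmd, shell=True) != 0:
            failed_steps.append(step_name)
except OSError:
    print(colored("There's an problem, please check it again", 'white'))
else:
    if failed_steps:
        print(colored("There's an problem, please check it again", 'white'))
        print(colored("Steps that exited with an error: " + ", ".join(failed_steps), 'white'))
    else:
        print(colored("Process DONE!\nResults in automation_scanners/", 'white', attrs=['bold']))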
#=========================================#