#!/bin/bash
# Script Name: web_enumeration.sh
# Description: Web enumeration script with optional tool selection.
# Author: ShadowArc147
# Email: [email protected]
# Created: 2025-01-31
# Updated: 2025-02-14
# Version: 1.9
#
# Flow, as written below: parse flags, pick a hostname for the target, create an
# output directory, then run gobuster, nikto, ffuf and amass in that fixed order,
# each writing into the output directory. Some follow-on steps (wpscan, the
# GitTools download) are triggered by grepping the previous tool's output file.
#
# External tools this script invokes (none are checked for before use except
# wpscan and amass): nslookup, awk, sed, gobuster, nikto, wget, ffuf, jq, amass.
# Wordlist paths are hard-coded (see the gobuster and ffuf lines).
#
# NOTE(review): there is no `set -e`/`set -u`; a failing tool does not stop the
# script, and the later steps run against whatever partial output exists.
echo ""
echo "WEB ENUMERATION BY SHADOWARC147"
echo ""
# Ensure a target is provided
# Only the presence of a first argument is checked here; the real target check
# happens after flag parsing (see "Ensure a target is set").
if [ -z "$1" ]; then
echo "Usage: $0 <IP-ADDRESS or HOSTNAME> [-p <PORT>] [-g] [-n] [-f] [-s] [-a]"
exit 1
fi
TARGET=""
PORT=""
RUN_GOBUSTER=false
RUN_NIKTO=false
RUN_FFUF=false
RUN_SUBLIST3R=false
RUN_AMASS=false
# RUN_ALL stays true unless at least one tool flag is given.
RUN_ALL=true
# Parse arguments manually to handle target as first positional argument
# NOTE(review): RUN_FFUF and RUN_SUBLIST3R are set here but never read below —
# ffuf always runs, and nothing in this file invokes sublist3r.
while [[ $# -gt 0 ]]; do
case "$1" in
# `-p` as the last argument leaves PORT empty; the default-to-80 branch then applies.
-p) shift; PORT=$1 ;;
-g) RUN_GOBUSTER=true; RUN_ALL=false ;;
-n) RUN_NIKTO=true; RUN_ALL=false ;;
-f) RUN_FFUF=true; RUN_ALL=false ;;
-s) RUN_SUBLIST3R=true; RUN_ALL=false ;;
-a) RUN_AMASS=true; RUN_ALL=false ;;
# Any other word, including an unrecognised -x flag, becomes the target;
# when several are given the last one wins.
*) TARGET=$1 ;;
esac
shift
done
# Ensure a target is set
if [ -z "$TARGET" ]; then
echo "Error: No target specified."
exit 1
fi
# If no port is specified, default to 80
# PORT is not validated as numeric; it is interpolated into URLs as given.
if [ -z "$PORT" ]; then
PORT=80
echo "[*] No port specified. Defaulting to port 80."
fi
# Determine if target is an IP or a domain
# The regex only checks the dotted-quad shape (four digit groups), not octet ranges.
if [[ "$TARGET" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "[*] Target appears to be an IP address. Attempting hostname resolution..."
# Reverse lookup; $TARGET is safe unquoted here only because it matched the
# digits-and-dots regex above. The awk field index assumes the
# "x.x.x.x.in-addr.arpa name = host." output layout of nslookup — TODO confirm
# for the resolver in use.
HOSTNAME=$(nslookup $TARGET | awk '/name =/ {print $4}' | sed 's/\.$//')
if [ -z "$HOSTNAME" ]; then
echo "[!] No hostname found for $TARGET. Using the IP directly."
HOSTNAME=$TARGET
else
echo "[*] Resolved hostname: $HOSTNAME"
fi
else
echo "[*] Target appears to be a hostname."
HOSTNAME=$TARGET
fi
# The directory name embeds the target verbatim; a target containing
# whitespace or glob characters would be word-split by the unquoted mkdir
# below (and by every unquoted $OUTPUT_DIR use that follows) — quote these.
OUTPUT_DIR="http_enum_results_${TARGET}_port${PORT}"
mkdir -p $OUTPUT_DIR
echo "Starting HTTP enumeration for $TARGET on port $PORT..."
echo "Results will be saved in $OUTPUT_DIR"
# Run Gobuster if enabled or all tools are selected
if [ "$RUN_GOBUSTER" = true ] || [ "$RUN_ALL" = true ]; then
echo "[*] Running Gobuster..."
# Wordlist path is hard-coded; `-k` disables TLS certificate verification.
gobuster dir -u http://$TARGET:$PORT -w /usr/share/wordlists/dirb/big.txt -k -x .txt,.php,.zip,.ini,.log,.xml,.config -o $OUTPUT_DIR/gobuster.txt
# Check for /wordpress in Gobuster results
if grep -q "/wordpress" "$OUTPUT_DIR/gobuster.txt"; then
echo "[*] WordPress installation found at $TARGET/wordpress. Running WPScan..."
# Run WPScan
if command -v wpscan &> /dev/null; then
# NOTE(review): this URL omits $PORT, unlike the gobuster URL above, so on a
# non-default port wpscan is pointed at a different service than gobuster was.
wpscan --url http://$TARGET/wordpress --disable-tls-checks -o $OUTPUT_DIR/wpscan.txt
echo "[*] WPScan results saved to $OUTPUT_DIR/wpscan.txt"
else
echo "[!] WPScan not installed. Skipping WordPress scanning."
fi
fi
fi
# Run Nikto if enabled or all tools are selected
if [ "$RUN_NIKTO" = true ] || [ "$RUN_ALL" = true ]; then
echo "[*] Running Nikto..."
nikto -h http://$TARGET:$PORT -output $OUTPUT_DIR/nikto_scan.txt
# Check if .git is found in Nikto results
# The pattern is a case-insensitive substring match on ".git", so any line
# mentioning e.g. ".github" or ".gitignore" also triggers this branch.
if grep -iq "\.git" $OUTPUT_DIR/nikto_scan.txt; then
echo "[*] .git directory found in Nikto scan. Attempting to dump the Git repository..."
# Create a directory for the git dump
# Note: gitdump/, extracted_project/ and the two downloaded scripts land in
# the current working directory, not in $OUTPUT_DIR.
mkdir -p gitdump
# Download git-dumper.sh and make it executable
# Supply-chain risk for the operator: a script is fetched from a moving
# branch (master) at run time and executed with no checksum or signature
# check, so whoever controls that repository or the transport controls code
# run on this host. Mitigation: vendor a pinned copy and verify its hash
# before execution. `wget -q` failures are also unchecked — on a failed
# download the chmod applies to an empty file and execution fails below.
echo "[*] Downloading gitdumper.sh..."
wget -q https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh -O gitdumper.sh
chmod +x gitdumper.sh
# Run git-dumper.sh to dump the .git directory
echo "[*] Running gitdumper.sh..."
./gitdumper.sh http://$TARGET:$PORT/.git/ ./gitdump/
# $? here is the status of gitdumper.sh only.
if [ $? -eq 0 ]; then
echo "[*] git-dumper successfully dumped the .git directory to ./gitdump/"
else
echo "[!] git-dumper failed to dump the .git directory."
fi
# Download extractor.sh and make it executable
# Same unverified download-and-execute pattern as gitdumper.sh above; runs
# even when the dump step reported failure.
echo "[*] Downloading extractor.sh..."
wget -q https://raw.githubusercontent.com/internetwache/GitTools/master/Extractor/extractor.sh -O extractor.sh
chmod +x extractor.sh
# Run extractor.sh to extract the project
echo "[*] Running extractor.sh..."
./extractor.sh ./gitdump/ ./extracted_project/
if [ $? -eq 0 ]; then
echo "[*] Git repository successfully extracted to ./extracted_project/"
else
echo "[!] Extractor script failed."
fi
fi
fi
# Run FFUF without filtering to determine the most common 'Words' value
# NOTE(review): this block is not gated on RUN_FFUF/RUN_ALL, so it runs on
# every invocation regardless of flags, and it uses $HOSTNAME without $PORT.
# The wordlist path is hard-coded; `-k` disables TLS verification.
echo "[*] Running FFUF initial scan to determine wf value..."
ffuf -k -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
-u "http://$HOSTNAME/" -H "Host: FUZZ.$HOSTNAME" -o $OUTPUT_DIR/ffuf_initial.json
# Most frequent `words` value across results. WF_VALUE is only echoed; nothing
# below consumes it. If ffuf produced no file, jq fails and WF_VALUE is empty.
WF_VALUE=$(jq -r '.results[].words' $OUTPUT_DIR/ffuf_initial.json | sort | uniq -c | sort -nr | head -1 | awk '{print $2}')
echo "[*] Determined wf value: $WF_VALUE"
# Run Amass if enabled or all tools are selected
if [ "$RUN_AMASS" = true ] || [ "$RUN_ALL" = true ]; then
if command -v amass &> /dev/null; then
echo "[*] Running Amass..."
amass enum -d $HOSTNAME -o $OUTPUT_DIR/subdomains.txt
else
echo "[*] Amass not found. Skipping..."
fi
fi
echo "Enumeration complete. Check the $OUTPUT_DIR directory for results."