This script performs automated recon on a target domain (large scope) by running the best set of tools to perform scanning and massive reconnaissance.
-
SUBFINDER (https://github.com/projectdiscovery/subfinder)
-
SUBLIST3R (https://github.com/aboul3la/Sublist3r)
-
HTTPX (https://github.com/projectdiscovery/httpx)
-
QSREPLACE (https://github.com/tomnomnom/qsreplace)
-
GOWITNESS (https://github.com/sensepost/gowitness)
-
JSUBFINDER (https://github.com/ThreatUnkown/jsubfinder)
-
DIRSEARCH (https://github.com/maurosoria/dirsearch)
-
SQLMAP (https://github.com/sqlmapproject/sqlmap)
-
ORALYZER (https://github.com/r0075h3ll/Oralyzer)
-
NUCLEI (https://github.com/projectdiscovery/nuclei)
-
SMUGGLER (https://github.com/defparam/smuggler)
-
CRLFUZZ (https://github.com/dwisiswant0/crlfuzz)
-
CLOUDFLAIR (https://github.com/christophetd/CloudFlair)
-
SCIPAG VULSCAN NSE (https://github.com/scipag/vulscan)
-
LINKFINDER (https://github.com/GerbenJavado/LinkFinder)
-
VHOSTS SIEVE (https://github.com/dariusztytko/vhosts-sieve)
-
CLOUD ENUM (https://github.com/initstring/cloud_enum)
-
DNSREAPER (https://github.com/punk-security/dnsReaper)
-
PARAMSPIDER (https://github.com/devanshbatham/ParamSpider)
-
KATANA (https://github.com/projectdiscovery/katana)
-
LOG4J SCAN (https://github.com/fullhunt/log4j-scan)
If you don't set those variables the related tools will not run!
FINGERPRINTS="" # Subjack fingerprints location
CLOUDFLAIR="" # CloudFlair tool location
CENSYS_API_ID="" # Censys api id for CloudFlair
CENSYS_API_SECRET="" # Censys api secret for CloudFlair
VULSCAN_NMAP_NSE="" # Vulscan NSE script for Nmap
JSUBFINDER_SIGN="" # Signature location for jsubfinder tool
LINKFINDER="" # Path for LinkFinder tool
VHOSTS_SIEVE="" # Path for VHosts Sieve tool
CLOUD_ENUM="" # Path for cloud_enum, Multi-cloud OSINT
SUBLIST3R="" # Path for sublist3r tool
ALTDNS_WORDS="" # Path to altdns words permutations file
DNSREAPER="" # Path to dnsrepaer tool
ORALYZER="" # Oralyzer path url tool
ORALYZER_PAYLOADS="" # Oralyzer payloads file
SMUGGLER="" # Smuggler tool
PARAMS="" # List of params for bruteforcing GET/POST hidden params
LFI_PAYLOADS="" # List of payloads for LFI
PARAMSPIDER="" # Path to paramspider tool
DIRSEARCH="" # Path to dirsearch tool
DIRSEARCH_WORDLIST="" # Path to dirsearch wordlist
LOG4JSCAN="" # Path do log4jscan tool
HEADERS_LOG4J="" # Path to log4j headers
- Search for subdomains
- Search for subdomains takeover (dnsreaper)
- Search for live urls using gau
- Spider live urls using Katana
- Get screenshots of subdomains
- Powered by GF-Patterns
- Search for secrets, token and APIs
- Search hidden endpoints in JS urls
- Discovery dirs and files with Dirsearch
- Scan live hosts with Nmap and Vulscan NSE Script
- Run Nuclei on all live subdomains
- Search for XSS with Dalfox
- Search for SQL Injections
- Search for virtual hosts
- Search for LFI on ParamSpider results using FFUF
- Search for public resources in AWS, Azure, and Google Cloud
- Try to get origin of IPs using CloudFlair
- Get interesting URLs for XSS, SQLi, LFI, OPEN REDIRECT
- Extend searching subdomains with words permutations using altdns
- Scan for Open Redirect with Oralyzer
- Fuzzing for CRLF
- Client-side Prototype Pollution to XSS
- Search for hidden params on php/aspx endpoints with FFUF
- Search for hidden params on endpoints with Arjun
- Search for log4j vulnerability
- Search directories and file using Dirsearch
and much more !
$ git clone https://github.com/CalfCrusher/RobinHood/
$ cd RobinHood && chmod +x RobinHood.sh
Run in background:
$ nohup ./RobinHood.sh LARGE_SCOPE_DOMAIN 2>&1 &
You can also give the out-of-scope domains list separated by commas:
$ nohup ./RobinHood.sh example.com vpn.example.com,test.example.com 2>&1 &
To see progress output
$ tail -f nohup.out
Be free to edit the various settings of tools related to your VPS power/bandwith. You can run this script also on your Raspberry or your DigitalOcean droplet or just where you want. It takes very long time also in base of which domain you run against to.