dotfiles/scripts/pentesting/bb-recon
rpriven 5b6af65def
Organize scripts and clean up dotfiles
Changes:
- Added 80+ scripts with organized structure
  - payloads/ for third-party pentesting tools
  - pentesting/ for custom security scripts
  - Daily drivers remain flat for fast access
- Converted wes() function to proper script
- Removed .sh extensions from pentesting scripts
- Cleaned up aliases (removed 31 redundant lines)
- Added kanata/, build artifacts to gitignore
- Removed old fre.sh scripts and empty a.out
- Updated configs: helix, tmux, zsh, ulauncher, redshift

Security: All sensitive data excluded via gitignore
2025-11-07 14:48:21 -07:00


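#!/usr/bin/env bash
set -euo pipefail
# Script Name: bb-recon
# Description: Bug-bounty-safe web application reconnaissance
# Usage: bb-recon <url>
# Creates tmux window with parallel safe recon (nuclei info/low, katana, subdomain takeover)
# Based on Jason Haddix's Bug Hunter Methodology
#
# Required env: none. Optional tools (nuclei, katana, httpx) are detected at
# run time; tmux is required for the parallel layout, otherwise scans run
# sequentially.
readonly VERSION="1.0.0"

# Colors: stored as literal backslash sequences and rendered at print time by
# `echo -e` / `printf '%b'`, so they are safe to embed in the strings typed
# into the tmux panes.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly CYAN='\033[0;36m'
readonly MAGENTA='\033[0;35m'
readonly BOLD='\033[1m'
readonly NC='\033[0m'

# Status indicators (line prefixes for progress output)
readonly GREENPLUS="${GREEN}[+]${NC}"
readonly GREENSTAR="${YELLOW}[*]${NC}"   # rendered yellow despite the name
readonly REDMINUS="${RED}[-]${NC}"
readonly REDEXCLAIM="${RED}[!]${NC}"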
# Print the usage/help text to stdout.
# Globals:   VERSION, BOLD, NC (read)
# Arguments: none
# Outputs:   help text on stdout; colour escapes rendered with printf '%b'
show_help() {
  local -a description=(
    ' Bug-bounty-safe web reconnaissance with 4 parallel panes:'
    ' - Pane 1 (top-left): Nuclei (info/low + subdomain takeover)'
    ' - Pane 2 (top-right): httpx (technology detection + security headers)'
    ' - Pane 3 (bottom-left): Katana (JS-aware crawler for endpoint discovery)'
    ' - Pane 4 (bottom-right): Live results dashboard'
  )
  local -a philosophy=(
    " Based on Jason Haddix's Bug Hunter Methodology:"
    ' - Find FEATURES first, bugs second'
    ' - Focus on interactive, dynamic applications'
    ' - Conservative tools only (no exploitation)'
    ' - Discovery over brute-forcing'
  )
  local -a examples=(
    ' bb-recon https://target.com'
    ' bb-recon https://bugcrowd-target.com'
    ' bb-recon https://h1-program.hackerone.net'
  )
  local -a safety=(
    ' ✓ No directory brute-forcing (Feroxbuster removed)'
    ' ✓ No parameter fuzzing (Arjun removed)'
    ' ✓ Info/Low severity only (no exploit templates)'
    ' ✓ JS analysis for endpoint discovery (passive)'
    ' ✓ Subdomain takeover checks (safe)'
  )

  printf '%b\n\n' "${BOLD}bb-recon${NC} - Bug Bounty Reconnaissance v${VERSION}"

  printf '%b\n' "${BOLD}USAGE:${NC}"
  printf '%s\n\n' ' bb-recon <url>'

  printf '%b\n' "${BOLD}DESCRIPTION:${NC}"
  printf '%s\n' "${description[@]}"
  echo

  printf '%b\n' "${BOLD}BUG BOUNTY PHILOSOPHY:${NC}"
  printf '%s\n' "${philosophy[@]}"
  echo

  printf '%b\n' "${BOLD}EXAMPLES:${NC}"
  printf '%s\n' "${examples[@]}"
  echo

  printf '%b\n' "${BOLD}OUTPUT:${NC}"
  printf '%s\n\n' ' All results saved to: ./bb-recon-<target>-<timestamp>/'

  printf '%b\n' "${BOLD}SAFE FOR BUG BOUNTY:${NC}"
  printf '%s\n' "${safety[@]}"
}
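# Check that the external tools are available.
# Globals:   RED, YELLOW, CYAN, NC (read)
# Arguments: none
# Outputs:   install hints for missing optional tools on stdout;
#            the missing-required-tool error on stderr
# Returns:   exits 1 when a required tool (tmux) is missing; missing optional
#            scanners only produce a warning and are skipped later
check_tools() {
  local -a missing=() optional_missing=()
  local tool

  # Core tools
  command -v tmux &>/dev/null || missing+=("tmux")

  # Bug bounty tools (all optional but recommended)
  for tool in nuclei katana httpx; do
    command -v "$tool" &>/dev/null || optional_missing+=("$tool")
  done

  if (( ${#missing[@]} > 0 )); then
    printf '%b\n' "${RED}Error:${NC} Missing required tools: ${missing[*]}" >&2
    exit 1
  fi

  if (( ${#optional_missing[@]} > 0 )); then
    printf '%b\n' "${YELLOW}${NC} Optional tools missing (scans will be skipped): ${optional_missing[*]}"
    printf '%b\n' "${CYAN}Install with:${NC}"
    for tool in "${optional_missing[@]}"; do
      case "$tool" in
        nuclei) echo " go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest" ;;
        katana) echo " go install github.com/projectdiscovery/katana/cmd/katana@latest" ;;
        httpx) echo " go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest" ;;
      esac
    done
    echo
  fi
}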
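# Create the per-run output directory and publish its name in OUTPUT_DIR.
# Globals:   OUTPUT_DIR (written); GREEN, BOLD, NC (read)
# Arguments: $1 - target URL (with or without scheme)
# Outputs:   the chosen directory name on stdout
# Returns:   non-zero (fatal under set -e) if `date` or `mkdir` fails
setup_output_dir() {
  local url="$1"
  local timestamp clean_url

  # Keep declaration and assignment apart so a failing `date` is not masked.
  timestamp=$(date +%Y%m%d-%H%M%S)

  # Build a filesystem-safe label from the user-supplied URL: strip the scheme,
  # then map every character outside [[:alnum:]._-] to '_'. The previous
  # `tr -d 'http'` deleted every h/t/p character from the whole string
  # (example.com -> examle.com), and the label is used as a directory name,
  # so unrestricted characters from argv must not reach mkdir.
  clean_url=${url#http://}
  clean_url=${clean_url#https://}
  clean_url=${clean_url//[^[:alnum:]._-]/_}
  [[ -n "$clean_url" ]] || clean_url="target"

  OUTPUT_DIR="bb-recon-${clean_url}-${timestamp}"
  mkdir -p -- "$OUTPUT_DIR"
  printf '%b\n' "${GREEN}${NC} Output directory: ${BOLD}$OUTPUT_DIR${NC}"
}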
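# Main bug bounty recon function: creates the output directory, then either
# opens a 2x2 tmux window running the scanners in parallel or, outside tmux,
# falls back to run_scans_sequential.
# Globals:   OUTPUT_DIR (set by setup_output_dir), WINDOW_NAME (written),
#            TMUX (read), colour constants (read)
# Arguments: $1 - target URL; "https://" is prepended when no scheme is given
# Outputs:   banner and status lines on stdout; scanner output goes to the
#            tmux panes (or the terminal in sequential mode)
run_bb_recon() {
  local url="$1"
  local q_url q_dir

  # Ensure URL has http:// or https://
  if [[ ! "$url" =~ ^https?:// ]]; then
    url="https://$url"
    echo -e "${YELLOW}${NC} No protocol specified, using HTTPS: $url"
  fi

  echo -e "${CYAN}${BOLD}"
  echo "╔════════════════════════════════════════════════════════════╗"
  echo "║ Bug Bounty Reconnaissance (Safe Mode) ║"
  echo "║ Target: $url"
  echo "║ Based on: Jason Haddix's Methodology ║"
  echo "╚════════════════════════════════════════════════════════════╝"
  echo -e "${NC}"

  # Create output directory
  setup_output_dir "$url"

  # Check if in tmux
  if [[ -z "${TMUX:-}" ]]; then
    echo -e "${YELLOW}${NC} Not in tmux session - running sequentially"
    run_scans_sequential "$url"
    return
  fi

  # The strings passed to `tmux send-keys` are typed into an interactive shell
  # in each pane, so the URL and the output path are shell-quoted with
  # printf %q instead of being wrapped in literal single quotes: a URL or
  # $PWD containing a quote would otherwise end the quoting and the rest of
  # the value would be parsed as shell syntax in the pane.
  q_url=$(printf '%q' "$url")
  q_dir=$(printf '%q' "$PWD/$OUTPUT_DIR")

  # Create tmux window
  WINDOW_NAME="--> BB: ${url:0:20}... <--"
  tmux new-window -n "$WINDOW_NAME"

  # Split into 4 panes with explicit targeting
  # Layout: 2x2 grid with pipelines and live monitoring
  # ACTUAL pane numbers after splits: 1, 2, 3, 4 (no pane 0!)
  # [1: nuclei] [2: httpx]
  # [3: katana] [4: live dashboard]
  #
  # CRITICAL: Tmux pane numbering behavior discovered through testing
  # (depends on the user's pane-base-index; verified with the author's config):
  # Step 1: split-window -h creates [0:left] [1:right]
  # Step 2: select pane 0, split-window -v creates [0:TL] [1:BL] [2:right]
  # Step 3: select pane 2, split-window -v creates [1:TL] [2:TR] [3:BL] [4:BR]
  #
  # PANE 0 DISAPPEARS during this process! Final panes are numbered 1, 2, 3, 4

  # Split horizontally first (left | right)
  tmux split-window -h
  # Split left column vertically
  tmux select-pane -t 0
  tmux split-window -v
  # Split right column vertically (target pane 2 after left split)
  tmux select-pane -t 2
  tmux split-window -v
  # Force tiled layout for perfect 2x2 grid (equal-sized panes)
  tmux select-layout tiled

  # Final verified pane layout after tmux renumbering and tiled layout:
  # 1 (top-left) 2 (top-right)
  # 3 (bottom-left) 4 (bottom-right)

  # Pane 1 (top-left): Nuclei (info/low severity + subdomain takeover)
  tmux select-pane -t 1
  if command -v nuclei &>/dev/null; then
    tmux send-keys "cd $q_dir && echo -e '${GREENSTAR} Starting Nuclei scan (info/low + subdomain takeover)...${NC}' && nuclei -u $q_url -s info,low -t exposed-panels/ -t exposures/ -t misconfiguration/ -t technologies/ -t takeovers/ -t subdomain-takeover/ -o nuclei.txt 2>&1 | tee nuclei.log && echo -e '${GREEN}✓ Nuclei complete${NC}'" C-m
  else
    tmux send-keys "cd $q_dir && echo -e '${YELLOW}⚠ nuclei not installed - skipping${NC}'" C-m
  fi

  # Pane 2 (top-right): httpx technology detection and security headers
  tmux select-pane -t 2
  if command -v httpx &>/dev/null; then
    tmux send-keys "cd $q_dir && echo -e '${GREENSTAR} Technology detection with httpx...${NC}' && echo $q_url | httpx -td -title -status-code -content-length -server -tech-detect -follow-redirects -o httpx.txt && echo -e '${GREEN}✓ httpx complete${NC}'" C-m
  else
    tmux send-keys "cd $q_dir && echo -e '${YELLOW}⚠ httpx not installed - skipping tech detection${NC}'" C-m
  fi

  # Pane 3 (bottom-left): katana (web crawler with all output formats)
  tmux select-pane -t 3
  if command -v katana &>/dev/null; then
    # Full katana with all output formats as originally requested
    tmux send-keys "cd $q_dir && echo -e '${GREENSTAR} Starting katana crawler (full output)...${NC}' && katana -u $q_url -jc -kf all -aff -d 10 -o katana.txt 2>&1 | tee katana.log && katana -u $q_url -jc -kf all -aff -d 10 -f path -o katana_paths.txt && katana -u $q_url -jc -kf all -aff -d 10 -f url -o katana_urls.txt && katana -u $q_url -jc -kf all -aff -d 10 -f udir -o katana_dirs.txt && cat katana_dirs.txt 2>/dev/null | sort -u >> urls.txt && cat katana_paths.txt 2>/dev/null | sed 's/^.//g' >> paths.txt && echo -e '${GREEN}✓ Katana complete (all formats)${NC}'" C-m
  else
    tmux send-keys "cd $q_dir && echo -e '${YELLOW}⚠ katana not installed - skipping${NC}'" C-m
  fi

  # Pane 4 (bottom-right): Live results dashboard
  tmux select-pane -t 4
  # Watch output files and show live statistics (the \" and \$ escapes are
  # consumed by this script so the pane shell sees the quotes and the
  # command substitutions unexpanded)
  tmux send-keys "cd $q_dir && echo -e '${CYAN}╔══════════════════════════════════════════════╗${NC}' && echo -e '${CYAN}║ BUG BOUNTY RECON DASHBOARD (SAFE MODE) ║${NC}' && echo -e '${CYAN}╚══════════════════════════════════════════════╝${NC}' && echo -e '${YELLOW}[*] Monitoring output files...${NC}' && while true; do clear; echo -e '${CYAN}═══ Bug Bounty Safe Reconnaissance ═══${NC}'; echo; echo -e '${GREEN}Nuclei (info/low + takeover):${NC}'; [ -f nuclei.txt ] && [ -s nuclei.txt ] && echo \" Found: \$(wc -l < nuclei.txt 2>/dev/null || echo 0) findings\" || [ -f nuclei.log ] && grep -q 'complete' nuclei.log 2>/dev/null && echo ' Complete (0 findings)' || echo ' Waiting...'; echo; echo -e '${GREEN}Technology Stack (httpx):${NC}'; [ -f httpx.txt ] && [ -s httpx.txt ] && echo \" Detected: \$(grep -c 'http' httpx.txt 2>/dev/null || echo 0) technologies\" || echo ' Waiting...'; echo; echo -e '${GREEN}Katana Crawler:${NC}'; [ -f katana.txt ] && [ -s katana.txt ] && echo \" Crawled: \$(wc -l < katana.txt 2>/dev/null || echo 0) URLs\" || echo ' Waiting...'; echo; echo -e '${GREEN}JS Endpoints:${NC}'; [ -f katana_paths.txt ] && [ -s katana_paths.txt ] && echo \" Discovered: \$(wc -l < katana_paths.txt 2>/dev/null || echo 0) paths\" || echo ' None yet'; echo; echo -e '${CYAN}Latest Discoveries:${NC}'; [ -f katana_urls.txt ] && tail -5 katana_urls.txt 2>/dev/null || echo ' None yet'; echo; echo -e '${YELLOW}[Press Ctrl+C to stop monitoring]${NC}'; sleep 3; done" C-m

  # Focus back on top-left pane (nuclei)
  tmux select-pane -t 1

  echo
  echo -e "${GREEN}${NC} Tmux bug bounty recon window created"
  echo -e "${CYAN}[*]${NC} Switch to window: ${BOLD}${WINDOW_NAME}${NC}"
  echo -e "${CYAN}[*]${NC} Results will be in: ${BOLD}$OUTPUT_DIR${NC}"
  echo
  echo -e "${GREEN}Bug Bounty Safe:${NC}"
  echo -e " ✓ No directory brute-forcing"
  echo -e " ✓ No parameter fuzzing"
  echo -e " ✓ Info/Low severity only"
  echo -e " ✓ Passive endpoint discovery"
}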
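# Sequential execution (when not in tmux): run each available scanner in turn
# inside OUTPUT_DIR. A scanner that is absent, or that exits non-zero, is
# reported and the remaining scans still run (best-effort, as before, but a
# scanner failure is no longer reported as "not installed").
# Globals:   OUTPUT_DIR (read); GREENSTAR, GREEN, BOLD, NC (read)
# Arguments: $1 - target URL including scheme
# Outputs:   scanner output on the terminal; result files in OUTPUT_DIR
# Returns:   non-zero if OUTPUT_DIR cannot be entered
run_scans_sequential() {
  local url="$1"

  pushd "$OUTPUT_DIR" >/dev/null || return

  echo -e "\n${GREENSTAR} Running nuclei (info/low + subdomain takeover)...${NC}"
  if command -v nuclei &>/dev/null; then
    nuclei -u "$url" -s info,low -t exposed-panels/ -t exposures/ -t misconfiguration/ -t technologies/ -t takeovers/ -t subdomain-takeover/ -o nuclei.txt \
      || printf 'nuclei exited with status %d\n' "$?" >&2
  else
    echo "nuclei not installed"
  fi

  echo -e "\n${GREENSTAR} Technology detection with httpx...${NC}"
  if command -v httpx &>/dev/null; then
    printf '%s\n' "$url" | httpx -td -title -status-code -content-length -server -tech-detect -follow-redirects -o httpx.txt \
      || printf 'httpx exited with status %d\n' "$?" >&2
  else
    echo "httpx not installed"
  fi

  echo -e "\n${GREENSTAR} Running katana (JS-aware crawler)...${NC}"
  if command -v katana &>/dev/null; then
    # Three passes: full output, path-only and URL-only views.
    katana -u "$url" -jc -kf all -aff -d 10 -o katana.txt
    katana -u "$url" -jc -kf all -aff -d 10 -f path -o katana_paths.txt
    katana -u "$url" -jc -kf all -aff -d 10 -f url -o katana_urls.txt
  else
    echo "katana not installed"
  fi

  popd >/dev/null
  echo -e "\n${GREEN}${NC} Bug bounty recon complete! Results in: ${BOLD}$OUTPUT_DIR${NC}"
}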
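# Entry point: parse arguments, validate the target, check tools, run recon.
# Arguments: $1 - target URL, or -h/--help/help
# Outputs:   help text on stdout; argument errors on stderr
# Returns:   0 after help; exits 1 on a missing or unsafe URL or when a
#            required tool is missing
main() {
  if [[ $# -eq 0 ]] || [[ "$1" =~ ^(-h|--help|help)$ ]]; then
    show_help
    exit 0
  fi

  local url="$1"
  # Characters that are never valid in a URL and that would break the
  # single-quoted commands typed into the tmux panes: whitespace, control
  # characters and the single quote itself.
  local -r unsafe=$'[[:space:][:cntrl:]\']'

  # Validate URL
  if [[ -z "$url" ]]; then
    echo -e "${RED}Error:${NC} URL required" >&2
    echo "Usage: bb-recon <url>" >&2
    exit 1
  fi
  if [[ "$url" =~ $unsafe ]]; then
    echo -e "${RED}Error:${NC} URL contains whitespace, control or quote characters" >&2
    echo "Usage: bb-recon <url>" >&2
    exit 1
  fi

  # Check tools
  check_tools

  # Run bug bounty reconnaissance
  run_bb_recon "$url"
}

main "$@"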