forked from R0X4R/Garud
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgarud
executable file
·286 lines (250 loc) · 16.1 KB
/
garud
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
#!/bin/bash
# coded by R0X4R
# Contributers: KathanP19 (https://github.com/KathanP19), f8al (https://github.com/f8al), theamanrawat (https://github.com/theamanrawat), remonsec (https://github.com/remonsec).
wget -q --spider http://google.com
if [ $? -ne 0 ];then
echo "Connect to internet before running this tool!"
exit 1
fi
domain=
file=
excl=
load_colors() {
RED="\e[31m"
BOLD="\e[1m"
NORMAL="\e[0m"
GREEN="\e[92m"
YELLOW="\e[93m"
BLINK="\e[5m"
}
usage() {
load_colors
echo -e "${RED}\n █▀▀ ▄▀█ █▀█ █░█ █▀▄"
echo -e "${RED} █▄█ █▀█ █▀▄ █▄█ █▄▀"
echo -e "${NORMAL}${BOLD}\n coded by ${GREEN}R0X4R${NORMAL}${BOLD} with ${RED}<3"
echo -e "${NORMAL}${BOLD}\n Usage: ${NORMAL}-d\t ${BOLD}target you want to scan (${YELLOW}target.com${NORMAL})"
echo -e "${NORMAL}${BOLD} Usage: ${NORMAL}-f\t ${BOLD}output directory where you want to save file (${YELLOW}~/target-output/${NORMAL})"
echo -e "${NORMAL}${BOLD} Usage: ${NORMAL}-x\t ${BOLD}Exclude out of scope domains(${YELLOW}~/out-domains.txt${NORMAL})"
echo -e "${NORMAL}${BOLD} garud ${GREEN}-d${NORMAL} target.com ${GREEN}-f${NORMAL} target-output \n"
exit 1
}
while getopts ":d:f:h:x:" o; do
case "${o}" in
d)
domain=${OPTARG} ;;
f)
file=${OPTARG} ;;
h)
usage ;;
x)
excl=${OPTARG} ;;
*)
usage ;;
esac
done
if [ -z "$domain" ]
then
load_colors
echo -e "${RED}\n █▀▀ ▄▀█ █▀█ █░█ █▀▄"
echo -e "${RED} █▄█ █▀█ █▀▄ █▄█ █▄▀"
echo -e "${NORMAL}${BOLD}\n coded by ${GREEN}R0X4R${NORMAL}${BOLD} with ${RED}<3"
echo -e "${NORMAL}${BOLD}${RED}${BLINK}\n ● Error target not supplied. ${NORMAL}"
echo -e "${NORMAL}${BOLD}\n Usage: ${NORMAL}-d\t ${BOLD}target you want to scan (${YELLOW}target.com${NORMAL})"
echo -e "${NORMAL}${BOLD} Usage: ${NORMAL}-f\t ${BOLD}output directory where you want to save file (${YELLOW}~/target-output/${NORMAL})"
echo -e "${NORMAL}${BOLD} garud ${GREEN}-d${NORMAL} target.com ${GREEN}-f${NORMAL} target-output \n"
exit 1
fi
if [ -z "$file" ]
then
load_colors
echo -e "${RED}\n █▀▀ ▄▀█ █▀█ █░█ █▀▄"
echo -e "${RED} █▄█ █▀█ █▀▄ █▄█ █▄▀"
echo -e "${NORMAL}${BOLD}\n coded by ${GREEN}R0X4R${NORMAL}${BOLD} with ${RED}<3"
echo -e "${NORMAL}${BOLD}${RED}${BLINK}\n ● Error output directory not supplied. ${NORMAL}"
echo -e "${NORMAL}${BOLD}\n Usage: ${NORMAL}-d\t ${BOLD}target you want to scan (${YELLOW}target.com${NORMAL})"
echo -e "${NORMAL}${BOLD} Usage: ${NORMAL}-f\t ${BOLD}output directory where you want to save file (${YELLOW}~/target-output/${NORMAL})"
echo -e "${NORMAL}${BOLD} garud ${GREEN}-d${NORMAL} target.com ${GREEN}-f${NORMAL} target-output \n"
exit 1
fi
if [ ! -d "$file" ]; then
mkdir $file
fi
if [ ! -f "~/.config/notify/notify.conf" ]; then
load_colors
echo -e "${NORMAL}${BOLD}${RED}${BLINK}\n ● Notify conf file does not exist. Please configure your notify else you get many errors. ${NORMAL}"
fi
cd $file/
show_logo() {
clear
echo -e ${GREEN}"\n . . "
echo -e ${GREEN}" .n . . n. "
echo -e ${GREEN}" . .dP dP 9b 9b. . "
echo -e ${GREEN}" 4 qXb . dX Xb . dXp t "
echo -e ${GREEN}"dX. 9Xb .dXb __ __ dXb. dXP .Xb "
echo -e ${GREEN}"9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP "
echo -e ${GREEN}" 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP "
echo -e ${GREEN}" v9XXXXXXXXXXXXXXXXXXXXXi- -vOOO8b d8OOOi- -vXXXXXXXXXXXXXXXXXXXXXPi "
echo -e ${GREEN}" v9XXXXXXXXXXXPi v9XXi DIE v98v8Pi HUMAN vXXPi v9XXXXXXXXXXXPi "
echo -e ${GREEN}" ------- 9X. .db|db. .XP ------- "
echo -e ${GREEN}" )b. .dbo.dPivviv9b.odb. .dX( "
echo -e ${GREEN}" ,dXXXXXXXXXXXb dXXXXXXXXXXXb. "
echo -e ${GREEN}" dXXXXXXXXXXXPi . v9XXXXXXXXXXXb "
echo -e ${GREEN}" dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb "
echo -e ${GREEN}" 9XXbi vXXXXXb.dX|Xb.dXXXXXi vdXXP "
echo -e ${GREEN}" vi 9XXXXXX( )XXXXXXP vi "
echo -e ${GREEN}" XXXX X.vvi.X XXXX "
echo -e ${GREEN}" XP^Xivb divX^XX "
echo -e ${GREEN}" X. 9 v i P )X "
echo -e ${GREEN}" vb v i di "
echo -e ${GREEN}" v i "
echo -e "${RED}\n █▀▀ ▄▀█ █▀█ █░█ █▀▄"
echo -e "${RED} █▄█ █▀█ █▀▄ █▄█ █▄▀"
echo -e "${NORMAL}${BOLD}\n coded by ${GREEN}R0X4R${NORMAL}${BOLD} with ${RED}<3"
sleep 1
}
check_tools() {
echo ""
sleep 2
type -P assetfinder &>/dev/null && echo -e "${NORMAL}-${BOLD} Assetfinder: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Assetfinder: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P subfinder &>/dev/null && echo -e "-${BOLD} Subfinder: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Subfinder: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P amass &>/dev/null && echo -e "-${BOLD} Amass: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Amass: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P anew &>/dev/null && echo -e "-${BOLD} Anew: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Anew: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P httpx &>/dev/null && echo -e "-${BOLD} HTTPx: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} HTTPx: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P get-title &>/dev/null && echo -e "-${BOLD} Get-title: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Get-title: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P aquatone &>/dev/null && echo -e "-${BOLD} Aquatone: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Aquatone: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P subjack &>/dev/null && echo -e "-${BOLD} Subjack: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Subjack: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P subzy &>/dev/null && echo -e "-${BOLD} Subzy: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Subzy: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P hakrawler &>/dev/null && echo -e "-${BOLD} hakrawler: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} hakrawler: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P gf &>/dev/null && echo -e "-${BOLD} GF: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} GF: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P kxss &>/dev/null && echo -e "-${BOLD} Kxss: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Kxss: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P dalfox &>/dev/null && echo -e "-${BOLD} Dalfox: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Dalfox: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P nuclei &>/dev/null && echo -e "-${BOLD} Nuclei: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Nuclei: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P ffuf &>/dev/null && echo -e "-${BOLD} FFUF: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} FFUF: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
type -P notify &>/dev/null && echo -e "-${BOLD} Notify: ${NORMAL}${GREEN}working fine${NORMAL}" || { echo -e "-${BOLD} Notify: ${NORMAL}${RED}getting errors${NORMAL}\n "; exit 1; }
}
scan_targets() {
echo -e "${NORMAL}${BOLD}\n\n Target: ${RED}$domain${NORMAL}"
echo -e "${NORMAL}${BOLD} Output: ${GREEN}$(pwd)${NORMAL}"
}
run_subenum() {
echo -ne "${NORMAL}${BOLD}${YELLOW}\n ● Scanning is in progress:${NORMAL}${BOLD} Scanning subdomains of $domain [${GREEN}${BLINK}20%${NORMAL}] \r"
assetfinder --subs-only $domain | sort -u > $file-assetfinder.txt
python3 ~/tools/Sublist3r/sublist3r.py -d $domain -o $file-sublister.txt &> /dev/null
subfinder -silent -d $domain -o $file-subfinder.txt > /dev/null
amass enum -passive -norecursive -noalts -d $domain -o $file-amass.txt &> /dev/null
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Filtering subdomains of $domain [${GREEN}${BLINK}30%${NORMAL}] \r"
sleep 1s
if [ -f "$excl" ]
then
cat $file-sublister.txt $file-assetfinder.txt $file-subfinder.txt $file-amass.txt | grep -v "*" | grep -vf $excl | sort -u | sed '/@/d' | sed '/<BR>/d' | sed '/\_/d'| sed '/*/d' > $file-finalsubdomains.txt
else
cat $file-sublister.txt $file-assetfinder.txt $file-subfinder.txt $file-amass.txt | grep -v "*" | sort -u | sed '/@/d' | sed '/<BR>/d' | sed '/\_/d'| sed '/*/d' > $file-finalsubdomains.txt
fi
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Filtering valid subdomains of $domain [${GREEN}${BLINK}35%${NORMAL}] \r"
sleep 1s
cat $file-finalsubdomains.txt | sort -u | uniq -u | httpx -silent > $file-alive.txt
cat $file-alive.txt | sed -E 's/^\s*.*:\/\///g' > $file-alwpr.txt
}
run_gettitle() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Getting titles of valid subdomains of $domain [${GREEN}${BLINK}40%${NORMAL}] \r"
cat $file-alive.txt | get-title > $file-gettitle.txt
cat $file-alive.txt | aquatone -chrome-path /snap/bin/chromium -out $file-aqua_out/ -threads 5 -silent &> /dev/null
}
run_subtake() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Checking for subdomain takeovers of subdomains of $domain [${GREEN}${BLINK}50%${NORMAL}] \r"
subjack -w $file-finalsubdomains.txt -t 20 -ssl -c ~/tools/fingerprints.json -o $file-subjack.txt &> /dev/null
subzy -targets $file-finalsubdomains.txt -hide_fails --verify_ssl -concurrency 20 | tee $file-subzy.txt &> /dev/null
takeover.py -l $file-finalsubdomains.txt -t 10 -o $file-takeover.txt &> /dev/null
}
run_params() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Getting all parameters of $domain [${GREEN}${BLINK}70%${NORMAL}] \r"
cat $file-finalsubdomains.txt | hakrawler -depth 5 -plain -wayback | anew $file-hakrawler.txt &> /dev/null
python3 ~/tools/ParamSpider/paramspider.py --domain $domain --exclude woff,css,js,png,svg,jpg --level high --quiet --output $file-paramspider.txt &> /dev/null
cat output/$file-paramspider.txt $file-hakrawler.txt | sort -u | uniq -u > $file-params.txt
rm $file-hakrawler.txt
rm -rf output/
}
run_gf() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Filtering all parameters of $domain [${GREEN}${BLINK}75%${NORMAL}] \r"
cat $file-params.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' > $file-xss.txt
cat $file-params.txt | gf ssrf > $file-ssrf.txt
cat $file-params.txt | gf ssti > $file-ssti.txt
cat $file-params.txt | gf redirect > $file-redirect.txt
cat $file-params.txt | gf sqli > $file-sqli.txt
cat $file-params.txt | gf lfi > $file-lfi.txt
cat $file-params.txt | gf rce > $file-rce.txt
}
check_xss() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Checking for xss in $domain [${GREEN}${BLINK}85%${NORMAL}] \r"
mkdir vulnerabilities/ &> /dev/null
cat $file-xss.txt | kxss | tee vulnerabilities/$file-xssvuln.txt | notify -silent &> /dev/null
dalfox file $file-xss.txt pipe --silence --no-color --no-spinner | tee vulnerabilities/$file-dalfox.txt | notify -silent &> /dev/null
}
check_mail() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Checking for email spoofing errors in $domain [${GREEN}${BLINK}87%${NORMAL}] \r"
for target in $(echo "$domain"); do if [[ $(curl --connect-timeout 3 -kls --max-time 3 -d "serial=fred12&domain=${target}" -H "Content-Type: application/x-www-form-urlencoded" -X POST "https://www.kitterman.com/spf/getspf3.py") =~ 'SPF record passed validation test with pySPF' ]]; then echo -e "VULNERABLE: ${target}"; else echo -e "NOT VULNERABLE: ${target}"; fi done | tee vulnerabilities/$file-spf.txt | notify -silent &> /dev/null
for target in $(echo "$domain"); do if [[ $(curl --connect-timeout 3 -kls --max-time 3 -X GET "https://dmarcly.com/server/dmarc_check.php?domain=${target}") =~ 'success' ]]; then echo -e "VULNERABLE: ${target}"; else echo -e "NOT VULNERABLE: ${target}"; fi done | tee vulnerabilities/$file-email.txt | notify -silent &> /dev/null
}
check_nuclei() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Scanning for vulnerabilities of $domain using nuclei [${GREEN}${BLINK}90%${NORMAL}] \r"
cat $file-alive.txt | nuclei -t ~/nuclei-templates/ -silent -o vulnerabilities/$file-nuclei.txt | notify -silent &> /dev/null
}
check_infoleak() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Scanning for directories and sensitive files of $domain using dirsearch [${GREEN}${BLINK}94%${NORMAL}] \r"
python3 ~/tools/dirsearch/dirsearch.py -w ~/wordlists/big.txt -l $file-alive.txt -x 204,301,302,401,500,502,503,429 -e html,json,php,asp,aspx,log,sql,txt,asp,jsp,bak -r -R 3 --exclude-texts "403 Forbidden", "Log in to" --full-url -q --plain-text-report vulnerabilities/$file-dir.txt | notify -silent &> /dev/null
}
check_open() {
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Checking for openredirection in $domain [${GREEN}${BLINK}97%${NORMAL}] \r"
ffuf -c -u "FUZZ///www.evil.com" -r -w $file-alive.txt -mr evil.com -s | notify -silent | anew $file-ffufv.txt &> /dev/null # this oneliner I got from Musab Khan youtube channel. Video Link: https://youtu.be/LVQcVDWZv88
ffuf -c -u "FUZZ//@www.evil.com" -r -w $file-alive.txt -mr evil.com -s | notify -silent | anew $file-ffufv.txt &> /dev/null
ffuf -c -u "FUZZ//\/\/www.evil.com" -r -w $file-alive.txt -mr evil.com -s | notify -silent | tee $file-ffufv.txt &> /dev/null
cat $file-redirect.txt | grep -a -i \=http | qsreplace 'http://www.evil.com/' | while read host do; do curl -s -L $host -I | grep "evil.com" && echo -e "[VULNERABLE] - $host \n "; done | tee $file-vulnred.txt | notify -silent &> /dev/null # this oneliner I got from Hacktify's youtube channel. Video Link: https://youtu.be/Va_TvyBjtKA
sleep 1s
echo -ne "${NORMAL}${BOLD}${YELLOW} ● Scanning is in progress:${NORMAL}${BOLD} Setting things up for $domain [${GREEN}${BLINK}100%${NORMAL}] \r"
sleep 1s
echo -ne "\n"
echo -e "${NORMAL}${BOLD} ● Scanning Completed. Thanks for using Garud."
}
slack_bot() {
sleep 3s
echo -e "${NORMAL}${BOLD}${YELLOW}\n ● Sending notification to your slack.\n"
function notification_text()
{
echo -e "Hii $(whoami),\nRecon completed for $domain.\nAll your outputs are saved in $(pwd).\n Thanks for using Garud";
}
python3 ~/slack-bot.py "$(notification_text)."
}
run_scans() {
scan_targets
run_subenum
run_gettitle
run_subtake
run_params
run_gf
check_xss
check_mail
check_nuclei
check_infoleak
check_open
slack_bot
exit 1
}
while true
do
load_colors
show_logo
check_tools
sleep 8
clear
show_logo
run_scans
done