forked from storenth/lazyrecon

This v2.0 script is intended to automate your reconnaissance process in an organized fashion.

Psype/lazyrecon

  _
 | | __ _ ____ _   _ _ __ ___  ___  ___  _ __
 | |/ _  |_  /| | | |  __/ _ \/ __|/ _ \|  _ \
 | | (_|  / / | | | | | |  __/ (__  (_) | | | 
 |_|\__ _|___/ \__  |_|  \___|\___|\___/|_| |_v2
               |___/

Lazyrecon is a subdomain discovery tool that discovers and resolves valid subdomains and performs SSRF/LFI/SQLi fuzzing. It has a simple modular architecture and is optimized for speed while working with the Wayback Machine.

About

This script is intended to automate your reconnaissance process in an organized fashion by performing the following:

  • Create a dated folder with recon notes for the target
  • Grab subdomains using subfinder, assetfinder, gau, waybackurls, github-subdomains
  • Subdomain discovery through alterations and permutations using altdns and dnsgen
  • Filter live subdomains out of a list of hosts using shuffledns
  • Probe ports 1-200 and 8000-10000 for HTTP services using httpx
  • Take screenshots using aquatone
  • Perform masscan on live servers
  • Automatically brute-force services with default credentials using hydra
  • Scan for known paths and CVEs using nuclei
  • Fuzz for SSRF/LFI/SQLi based on Wayback Machine data, like ParamSpider but without reducing the size of the archive
  • Check for request smuggling vulnerabilities using smuggler
  • Perform ffuf using a custom wordlist built from SecLists' All.txt, fuzz-Bo0oM.txt and top10000.txt
  • Integrates with Discord
  • [WIP] Generate an HTML report in case a vulnerable domain is found.

The point is to get a list of live IPs, attack the available network protocols, check for common CVEs, perform a very simple directory brute force, and then use the generated reports for manual research.

Features

The project is forked from the original v1.0 by Jason Haddix and Ben Sadeghipour and aims to implement some best practices such as Subdomain Takeovers, TBHM, Request Smuggling, SSRF, LFI and brute force based on a custom wordlist.

  1. Super fast Asynchronous Execution
  2. CI/CD ready
  3. Teardown and program exit housekeeping
  4. Discord integration

Installing

Tested on MacOS and Linux

  • To start using this script, please clone it and set up the dependencies.
  • Configure your own HOMEUSER and ATTACKERURL at the very top of lazyrecon.sh.
  • Launch your local listening server
  • Update the url in discord-hook.sh if you plan to receive notifications
  • Run nuclei -update-templates to fetch the templates into $HOME/nuclei-templates/; for LFI, use the storenth-lfi fork until projectdiscovery adds dynamic replacement of parameters.
  • Update your local ~/.gf with ./gfpatterns/
  • Make sure all tools are correctly installed and have execute permissions: chmod +x
  1. subfinder
  2. assetfinder
  3. github-subdomains
  4. github-endpoints
  5. aquatone
  6. waybackurls
  7. gau
  8. altdns
  9. dnsgen
  10. shuffledns
  11. masscan
  12. dnsx
  13. SecLists
  14. httpx
  15. nuclei
  16. nuclei-templates
  17. smuggler
  18. ffuf
  19. hydra
  20. gf
  21. unfurl
  22. sqlmap
  23. gospider
  24. hakrawler
  25. ssrf-headers-tool
  26. storenth-lfi

(You may copy each executable dependency to /usr/local/bin/, create a symlink like ln -s $HOME/smuggler/smuggler.py /usr/local/bin/smuggler, or just export it to the PATH: export PATH=~/masscan/masscan:$PATH)
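A pre-flight check for the dependency list above, added here as an example rather than code from the lazyrecon project: it reports every listed tool that is not found on PATH or lacks the execute bit, and every wordlist or template directory that is absent. The function names and the directory paths passed to them are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of lazyrecon. Run it before sudo ./lazyrecon.sh to
# catch a missing binary or a forgotten chmod +x up front instead of mid-scan.

# Tools lazyrecon expects on PATH (names taken from the README's list;
# SecLists, nuclei-templates, ssrf-headers-tool and storenth-lfi are checkouts
# rather than binaries, so they are checked as directories below).
LAZYRECON_TOOLS="subfinder assetfinder github-subdomains github-endpoints aquatone \
waybackurls gau altdns dnsgen shuffledns masscan dnsx httpx nuclei smuggler ffuf \
hydra gf unfurl sqlmap gospider hakrawler"

# missing_tools NAME... : prints, one per line, each NAME that does not resolve
# to an executable file on PATH. Returns 0 when all are present, 1 otherwise.
# Shell functions and aliases are deliberately reported as missing, since the
# script invokes real binaries (command -v only yields a path for those).
missing_tools() {
    missing=0
    for tool in "$@"; do
        path=$(command -v "$tool" 2>/dev/null)
        if [ -z "$path" ] || [ ! -x "$path" ]; then
            printf '%s\n' "$tool"
            missing=1
        fi
    done
    return "$missing"
}

# missing_dirs PATH... : prints each PATH that is not an existing directory.
missing_dirs() {
    missing=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            printf '%s\n' "$dir"
            missing=1
        fi
    done
    return "$missing"
}

# Usage (assumed locations; $HOME/nuclei-templates/ is the one the README names):
if ! missing=$(missing_tools $LAZYRECON_TOOLS); then
    printf 'Missing or non-executable tools:\n%s\n' "$missing" >&2
fi
if ! missing=$(missing_dirs "$HOME/nuclei-templates" "$HOME/SecLists"); then
    printf 'Missing checkouts:\n%s\n' "$missing" >&2
fi
```

The exit status of each function can be used directly in a CI job to fail the pipeline before any scan starts.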

If you run into issues, feel free to join the Discord, open a PR or file a bug.

Usage

Execute with sudo because of masscan:

sudo ./lazyrecon.sh tesla.com --wildcard

| Parameter | Description | Example |
| --- | --- | --- |
| --wildcard | Perform wildcard filtering for subdomains *.tesla.com | sudo ./lazyrecon.sh tesla.com --wildcard |
| --single | Do not perform subdomain discovery for tesla.com | sudo ./lazyrecon.sh tesla.com --single |
| --ip | Call with an IP | sudo ./lazyrecon.sh 192.168.0.1 --ip --single |
| --mad | Execute with Wayback Machine data for the target | sudo ./lazyrecon.sh tesla.com --mad --wildcard |
| --fuzz | Basic SSRF/LFI fuzzing | sudo ./lazyrecon.sh tesla.com --single --fuzz |
| --alt | Additionally permutate subdomains | sudo ./lazyrecon.sh tesla.com --wildcard --alt |
| --brute | Basic directory brute force | sudo ./lazyrecon.sh tesla.com --brute |
| --discord | Send notifications to Discord | sudo ./lazyrecon.sh tesla.com --discord |

Notes

  • Use dnsperftest to find your best resolvers
  • Sublist3r replaced with subfinder based on a Twitter discussion
  • nmap replaced with masscan based on its features and a Twitter discussion
  • smuggler forked from the original to get a lightweight solution that includes this PR
  • grep meg's output for Location in order to exclude 301/302 status codes (replaced with the httpx -fc 301,302 approach)
  • httpx -ip used without dnsprobe based on @pdiscoveryio's Twitter answer
  • altdns used based on Scrutiny on the bug bounty
  • massdns fully replaced with shuffledns because of an issue
  • WIP: you can track activity in the Projects To Do board

Open Questions

  • Investigate ASNs: does amass intel -org 'MAILRU' passed on to amass enum -d mail.ru -asn 12345 give us more subdomains? (Or get the list of ASNs using echo 'MAILRU' | metabigor net --org -v, or just look it up manually through http://bgp.he.net.) If yes, positional arguments will be invoked just like:
./lazyrecon.sh tesla.com 12345
  • Potential connect-back shellcode automation with the simplest fuzzer implementation? Like:
cat /dev/urandom | nc hostname port

Acknowledgement: This code was created for personal use with hosts you are able to hack/explore under any of the known bug bounty programs. Use it at your own risk.

Methodology

  1. Run ./lazyrecon.sh
  2. Google dorking
  3. Trello, Atlassian, Github, Bitbucket dorking
  4. Check JS sources for credentials, API endpoints, debug for variables
  5. Check XHR API requests, fuzz parameters
  6. RCE based on exploit-db.com for known target-specific CVE service version, deserialization, SQLi, File upload, LFI, SSRF
  7. Brute dirsearch: fuzbo0oM-top10000 --> raft --> target specific
  8. Continue brute with custom Headers (X-Custom-IP-Authorization: 127.0.0.1; X-Original-URL:)
  9. Start new brute with POST method
  10. Try bypass 401/403 errors using notable methods (%23, /%2e/, admin.php%2500.md etc)
  11. wireshark/tcpdump for plain HTTP during login (missing SSL)
  12. hydra on ports 21, 22, 25
  13. XSS xsscrapy.py or XSSTRON
  14. Run ./lazyrecon.sh using ASN --> cidr

Notable articles

  1. IDOR: https://www.aon.com/cyber-solutions/aon_cyber_labs/finding-more-idors-tips-and-tricks/?utm_source=newsletter&utm_medium=email&utm_campaign=bug_bytes_110_scope_based_recon_finding_more_idors_how_to_hack_sharepoint&utm_term=2021-02-17
  2. SSRF: https://notifybugme.medium.com/finding-ssrf-by-full-automation-7d2680091d68 and https://rez0.blog/hacking/2019/11/29/rce-via-imagetragick.html
