| 1 | #!/bin/bash |
| 2 | # Reconnaissance - fingerprinting, info disclosure, directory enumeration |
| 3 | SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" |
| 4 | source "$SCRIPT_DIR/../config.sh" |
| 5 | OUT="$OUT/recon" |
| 6 | mkdir -p "$OUT" |
| 7 | |
| 8 | echo '=== RECONNAISSANCE ===' | tee "$OUT/summary.txt" |
| 9 | |
| 10 | # Server fingerprinting |
| 11 | echo '--- Server Headers ---' | tee -a "$OUT/summary.txt" |
| 12 | curl -sk -I --max-time 10 "$TARGET/" | tee "$OUT/headers.txt" | tee -a "$OUT/summary.txt" |
| 13 | |
| 14 | echo '' | tee -a "$OUT/summary.txt" |
| 15 | echo '--- API Server Headers ---' | tee -a "$OUT/summary.txt" |
| 16 | curl -sk -I --max-time 10 "$API_TARGET/" | tee -a "$OUT/summary.txt" |
| 17 | |
| 18 | # Version disclosure in error pages |
| 19 | echo '' | tee -a "$OUT/summary.txt" |
| 20 | echo '--- Error Page Fingerprint ---' | tee -a "$OUT/summary.txt" |
| 21 | for path in '/nonexistent-page-xyz' '/api/v99/nothing' '/%invalid%'; do |
| 22 | curl -sk --max-time 8 "$TARGET$path" | grep -iE 'apache|nginx|php|version|server|powered|rust|axum|rocket' | head -3 | tee -a "$OUT/summary.txt" |
| 23 | done |
| 24 | |
| 25 | # Common sensitive file exposure |
| 26 | echo '' | tee -a "$OUT/summary.txt" |
| 27 | echo '--- Sensitive File Exposure ---' | tee -a "$OUT/summary.txt" |
| 28 | SENSITIVE=( |
| 29 | '/.env' '/.env.local' '/.env.production' '/.env.backup' |
| 30 | '/.git/config' '/.git/HEAD' '/.git/COMMIT_EDITMSG' |
| 31 | '/composer.json' '/composer.lock' '/package.json' |
| 32 | '/config.php' '/config/config.php' '/wp-config.php' |
| 33 | '/database.yml' '/secrets.yml' '/credentials.json' |
| 34 | '/backup.sql' '/dump.sql' '/db.sql' |
| 35 | '/admin/' '/admin/index.php' '/administrator/' |
| 36 | '/.DS_Store' '/Thumbs.db' |
| 37 | '/server-status' '/server-info' |
| 38 | '/phpinfo.php' '/info.php' '/test.php' |
| 39 | '/crossdomain.xml' '/clientaccesspolicy.xml' |
| 40 | '/robots.txt' '/sitemap.xml' '/.well-known/security.txt' |
| 41 | '/api/swagger' '/api/openapi.json' '/api/docs' |
| 42 | '/v1/' '/api/v1/' '/api/v2/' |
| 43 | ) |
| 44 | for p in "${SENSITIVE[@]}"; do |
| 45 | resp=$(curl -sk -o "$OUT/file_check.txt" -w '%{http_code}' --max-time 8 "$TARGET$p") |
| 46 | size=$(wc -c < "$OUT/file_check.txt" 2>/dev/null || echo 0) |
| 47 | if [[ "$resp" != "404" && "$resp" != "000" ]]; then |
| 48 | echo "[!$resp] $p (${size}b)" | tee -a "$OUT/summary.txt" |
| 49 | else |
| 50 | echo "[$resp] $p" | tee -a "$OUT/summary.txt" |
| 51 | fi |
| 52 | done |
| 53 | |
| 54 | # DNS/subdomain info |
| 55 | echo '' | tee -a "$OUT/summary.txt" |
| 56 | echo '--- DNS Records ---' | tee -a "$OUT/summary.txt" |
| 57 | dig +short "$TARGET_HOST" A | tee -a "$OUT/summary.txt" |
| 58 | dig +short "$API_HOST" A | tee -a "$OUT/summary.txt" |
| 59 | dig +short "$TARGET_HOST" MX | tee -a "$OUT/summary.txt" |
| 60 | dig +short "$TARGET_HOST" TXT | tee -a "$OUT/summary.txt" |
| 61 | |
| 62 | cat "$OUT/summary.txt" |
| 63 |
Script Viewer
Red Team Suite › 14_recon.sh