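#!/bin/bash
# Reconnaissance - fingerprinting, info disclosure, directory enumeration
#
# Expects ../config.sh (relative to this script) to define:
#   TARGET, API_TARGET    - base URLs probed with curl
#   TARGET_HOST, API_HOST - hostnames queried with dig
#   OUT                   - output root; this script writes under "$OUT/recon"
# Every finding is printed to stdout and appended to "$OUT/recon/summary.txt";
# the raw response headers of TARGET are also kept in "$OUT/recon/headers.txt".
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../config.sh
source "$SCRIPT_DIR/../config.sh"

# Fail early if config.sh did not provide what we need: an unset OUT would
# otherwise silently create /recon, and an unset TARGET would probe "/".
: "${OUT:?config.sh must set OUT}"
: "${TARGET:?config.sh must set TARGET}"
: "${API_TARGET:?config.sh must set API_TARGET}"
: "${TARGET_HOST:?config.sh must set TARGET_HOST}"
: "${API_HOST:?config.sh must set API_HOST}"

OUT="$OUT/recon"
mkdir -p "$OUT"
readonly SUMMARY="$OUT/summary.txt"

# Scratch file that receives each probed response body (so its size can be
# reported); removed on any exit path.
BODY_TMP=$(mktemp "$OUT/file_check.XXXXXX")
readonly BODY_TMP
trap 'rm -f -- "$BODY_TMP"' EXIT

# NOTE: -k disables TLS certificate verification so self-signed lab
# certificates do not block the run; the probes send no credentials.
readonly CURL_OPTS=(-sk --max-time 8)

#######################################
# Print a message to stdout and append it to the summary file.
# Arguments: $@ - message text (joined with spaces)
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$SUMMARY"
}

#######################################
# Fetch response headers only. A failed request is reported inline instead
# of aborting the run, because a dead endpoint is itself a finding.
# Arguments: $1 - URL
#######################################
head_request() {
  curl -sk -I --max-time 10 "$1" || printf '[curl exit %s] %s\n' "$?" "$1"
}

#######################################
# Print the short-form DNS answer for one record type; a dig failure
# (including dig being absent) is reported rather than fatal.
# Arguments: $1 - hostname, $2 - record type (A, MX, TXT, ...)
#######################################
dns_lookup() {
  dig +short "$1" "$2" || printf '[dig exit %s] %s %s\n' "$?" "$1" "$2"
}

# Start a fresh summary for this run.
: > "$SUMMARY"
log '=== RECONNAISSANCE ==='

# Server fingerprinting
log '--- Server Headers ---'
head_request "$TARGET/" | tee "$OUT/headers.txt" | tee -a "$SUMMARY"
log ''
log '--- API Server Headers ---'
head_request "$API_TARGET/" | tee -a "$SUMMARY"

# Version disclosure in error pages
log ''
log '--- Error Page Fingerprint ---'
for path in '/nonexistent-page-xyz' '/api/v99/nothing' '/%invalid%'; do
  # grep exits 1 when nothing matches and head may close the pipe early;
  # neither is an error for this best-effort probe, hence the trailing || true.
  curl "${CURL_OPTS[@]}" "$TARGET$path" \
    | grep -iE 'apache|nginx|php|version|server|powered|rust|axum|rocket' \
    | head -3 | tee -a "$SUMMARY" || true
done

# Common sensitive file exposure
log ''
log '--- Sensitive File Exposure ---'
SENSITIVE=(
  '/.env' '/.env.local' '/.env.production' '/.env.backup'
  '/.git/config' '/.git/HEAD' '/.git/COMMIT_EDITMSG'
  '/composer.json' '/composer.lock' '/package.json'
  '/config.php' '/config/config.php' '/wp-config.php'
  '/database.yml' '/secrets.yml' '/credentials.json'
  '/backup.sql' '/dump.sql' '/db.sql'
  '/admin/' '/admin/index.php' '/administrator/'
  '/.DS_Store' '/Thumbs.db'
  '/server-status' '/server-info'
  '/phpinfo.php' '/info.php' '/test.php'
  '/crossdomain.xml' '/clientaccesspolicy.xml'
  '/robots.txt' '/sitemap.xml' '/.well-known/security.txt'
  '/api/swagger' '/api/openapi.json' '/api/docs'
  '/v1/' '/api/v1/' '/api/v2/'
)
for p in "${SENSITIVE[@]}"; do
  # Truncate the scratch body first so a request that returns nothing cannot
  # inherit the previous path's size.
  : > "$BODY_TMP"
  # -w prints the status code; curl reports "000" when no HTTP response was
  # obtained (connection/TLS failure), which the || true keeps non-fatal.
  status=$(curl "${CURL_OPTS[@]}" -o "$BODY_TMP" -w '%{http_code}' "$TARGET$p" || true)
  status=${status:-000}
  # Arithmetic expansion strips the leading spaces BSD wc prints.
  size=$(( $(wc -c < "$BODY_TMP") ))
  if [[ "$status" != "404" && "$status" != "000" ]]; then
    log "[!$status] $p (${size}b)"
  else
    log "[$status] $p"
  fi
done

# DNS/subdomain info
log ''
log '--- DNS Records ---'
if command -v dig >/dev/null 2>&1; then
  dns_lookup "$TARGET_HOST" A | tee -a "$SUMMARY"
  dns_lookup "$API_HOST" A | tee -a "$SUMMARY"
  dns_lookup "$TARGET_HOST" MX | tee -a "$SUMMARY"
  dns_lookup "$TARGET_HOST" TXT | tee -a "$SUMMARY"
else
  log '[skip] dig not installed; DNS section omitted'
fi

cat "$SUMMARY"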