LazyRecon: Reconnaissance Process Automator
LazyRecon is a script which automates some of the boring tasks of reconnaissance and information gathering. It runs the different reconnaissance methods with a single command, which allows it to be used easily as part of automated workflows.
After it is given a target, LazyRecon automatically grabs all subdomains, finds any CNAME records and scrapes for data. In addition, it performs port scanning, gathers DNS information and generates an HTML report detailing all the revealed information. Once all of this has been completed, the user will know what their next step should be and which points can be targeted for exploitation.
- Create a dated folder with recon notes
- Find any CNAME records pointing to unused cloud services such as AWS
- Get DNS information about every subdomain
- Perform dirsearch for all subdomains
- Grab subdomains using Sublist3r, or DNS bruteforcing using massdns
- Directory search module (multithreaded, up to 10 subdomains scanned at a time)
- Enhanced HTML reports with the ability to search for strings, endpoints, response sizes or status codes
- Subdomain exclusion using the -e option
Requirement: Go version 1.10+
Run the following commands:
$ git clone https://github.com/nahamsec/bbht.git
$ cd bbht
$ chmod +x install.sh
$ ./install.sh
Move to the installation directory and enter the following command:
$ ./lazyrecon.sh -d domain.com
(LazyRecon banner)
Recon started on domain.com
Listing subdomains using sublister...
Checking certspotter...
Checking http://crt.sh
Starting Massdns Subdomain discovery this may take a while
Traceback (most recent call last):
  File "/home/cyberpunk/tools/massdns/scripts/subbrute.py", line 8, in <module>
    for lines in open(sys.argv):
IOError: [Errno 2] No such file or directory: '/home/cyberpunk/tools/SecLists/Discovery/DNS/clean-jhaddix-dns.txt'
Massdns finished...
Started dns records check...
Looking into CNAME Records...
Excluding domains (if you set them with -e)...
Subdomains that have been excluded from discovery:
Starting discovery...
Probing for live hosts...
cat: ./domain.com/recon-2020-06-06/urllist.txt: No such file or directory
Total of 1 live subdomains were found
Starting aquatone scan...
./lazyrecon.sh: line 148: aquatone: command not found
Scraping wayback for data...
Wordlist saved to /domain.com/recon-2020-06-06/wayback-data/paramlist.txt
Starting dirsearch...
wc: /home/cyberpunk/tools/dirsearch/reports//: Is a directory
Scan for domain.com finished successfully
Scan completed in : 2 minutes and 15 seconds.
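The sample run above reports success even though the massdns wordlist was missing and aquatone was not installed, so the scan silently covered far less than intended. The following preflight script is an added example, not part of LazyRecon or the bbht installer: it verifies the dependencies and the Go version named on this page before a scan starts. The ~/tools layout and the list of required binaries are assumptions taken from the tool names and paths in the sample output.

```shell
#!/bin/sh
# Preflight check before running lazyrecon.sh (added example, not LazyRecon's own code).
# Paths follow the ~/tools layout seen in the sample output; adjust TOOLS_DIR if yours differs.
TOOLS_DIR="${TOOLS_DIR:-$HOME/tools}"
WORDLIST="${WORDLIST:-$TOOLS_DIR/SecLists/Discovery/DNS/clean-jhaddix-dns.txt}"
SUBBRUTE="${SUBBRUTE:-$TOOLS_DIR/massdns/scripts/subbrute.py}"
# Binaries the script shells out to (assumed set, taken from the tools named on the page).
REQUIRED_CMDS="sublist3r massdns aquatone go python"

# check_cmds LIST: report each command not on PATH; return value = number missing.
check_cmds() {
    missing=0
    for c in $1; do
        if ! command -v "$c" >/dev/null 2>&1; then
            echo "missing command: $c"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_file PATH: return 0 if the file exists and is non-empty, 1 otherwise.
check_file() {
    [ -s "$1" ] && return 0
    echo "missing or empty file: $1"
    return 1
}

# go_version_ok "go version go1.14.2 linux/amd64": return 0 when Go is 1.10 or newer.
go_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 10 ]; }
}

# preflight: run every check; return value = number of failed checks (0 = safe to start).
preflight() {
    failures=0
    check_cmds "$REQUIRED_CMDS" || failures=$((failures + $?))
    check_file "$WORDLIST" || failures=$((failures + 1))
    check_file "$SUBBRUTE" || failures=$((failures + 1))
    if command -v go >/dev/null 2>&1; then
        go_version_ok "$(go version)" || { echo "go 1.10+ required"; failures=$((failures + 1)); }
    fi
    return "$failures"
}

# Usage: . ./preflight.sh && preflight && ./lazyrecon.sh -d domain.com
```

Because `preflight` returns the number of failed checks, chaining it with `&&` stops the scan before any time is spent when a wordlist or binary is absent, instead of discovering the gap in the HTML report afterwards.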