______ ______ _ _
| ___ \ | ___ \ | | |
| |_/ /___ ___ ___ _ __ | |_/ /_ _| | | __
| // _ \/ __/ _ \| '_ \| ___ \ | | | | |/ /
| |\ \ __/ (_| (_) | | | | |_/ / |_| | | <
\_| \_\___|\___\___/|_| |_\____/ \__,_|_|_|\_\
V.1.0
Taurus Omar
Scanning crt.sh...
Target ==> projectdiscovery.io
Searching in the CertSpotter API... 🔍
Searching in the Crtsh database API... 🔍
Searching in the Threatcrowd API... 🔍
Searching in the AnubisDB API... 🔍
Searching in the Urlscan.io API... 🔍
Searching in the Threatminer API... 🔍
Searching in the Sublist3r API... 🔍
Searching in the Archive.org API... 🔍This script automates the process of subdomain enumeration and scanning using several popular open-source tools, combining their results and providing detailed output. The primary purpose of this tool is to simplify and streamline the process of discovering subdomains and their related information for a given domain.
- Uses Amass, Subfinder, Assetfinder, Findomain, crt.sh, MassDNS, Httpx, Naabu, and Nuclei
- Combines subdomain results from all tools into a single file
- Extracts IP addresses for discovered subdomains
- Scans subdomains with Httpx and sorts the results
- Scans subdomains with Naabu to find open ports
- Scans subdomains with Nuclei for potential vulnerabilities
- Organizes results in a structured directory
- The tool follows a logical structure to gather the subdomains and information from each tool to be used by the next one.
- Postive httpx subdomains are used for scanning by Nuclei.
recon/
└── results/
└── example.com-<timestamp>/
├── amass_example.com/
│ ├── config.ini
│ ├── db/
│ ├── named/
│ └── notes.md
├── amass_example.com.txt
├── assetfinder_example.com.txt
├── findomain_example.com.txt
├── httpx_example.com.txt
├── naabu_example.com.txt
├── nuclei_example.com.txt
├── subdomains/
│ ├── amass_example.com.txt
│ ├── assetfinder_example.com.txt
│ ├── crt.sh.txt
│ ├── findomain_example.com.txt
│ ├── subfinder_example.com.txt
│ └── unique_subdomains.txt
└── subfinder_example.com.txt
- If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):
go install github.com/TaurusOmar/reconbulk@latest
- Install all required tools:
Make sure all these tools are in your system's PATH.
- Prepare a list of DNS resolvers. You can find a sample list here.
reconbulk <domain> <resolvers_list>
<domain>: The target domain to scan<resolvers_list>: The file path to your list of DNS resolvers
The script will create a directory named ~/recon/results/<domain>-<timestamp> containing the output files from each tool.
The output directory will contain the following files:
- amass_{domain}.txt: Output from Amass
- subfinder_{domain}.txt: Output from Subfinder
- assetfinder_{domain}.txt: Output from Assetfinder
- findomain_{domain}.txt: Output from Findomain
- {domain}.crt.txt: Output from crt.sh
- {domain}.subdomains.txt: Combined and unique subdomains from all tools
- {domain}.ips.txt: IP addresses associated with the discovered subdomains
- httpx_{domain}.txt: Results of the Httpx scan
- sorted_httpx_{domain}.txt: Sorted Httpx results
- naabu_{domain}.txt: Results of the Naabu scan
- nuclei_{domain}.txt: Results of the Nuclei scan
This tool is intended for educational purposes and legal use only. The authors and contributors are not responsible for any misuse, damage, or legal consequences caused by the use of this tool. Please use responsibly.