Bug Bounty Hunting Recon Script
PyBrute is now pyRecon - New Name, Same Great Recon!
Gist: Some terrible continually updated python code leveraging some awesome tools that I use for bug bounty reconnaissance.
pyRecon uses several subdomain enumeration tools and wordlists to create a unique list of subdmains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature based default credential checking. (resources are saved to ./bin and output is saved to ./output)
Initial Install: python pyRecon.py --install
NOTE: This is an active recon โ only perform on applications that you have permission to test against.
- Sublist3r by Ahmed Aboul-Ela
- enumall by Jason Haddix
- Knock by Gianni Amato
- Subbrute by TheRook
- massdns by B. Blechschmidt
- EyeWitness by ChrisTruncer
- SecList (DNS Recon List) by Daniel Miessler
- LevelUp All.txt Subdomain List by Jason Haddix
First Step:
Install Required Python Modules: sudo pip install -r requirements.txt
Install Tools: python pyRecon.py --install
Example 1: python pyRecon.py -d example.com
Uses subdomain example.com (Sublist3r enumall, Knock)
Example 2: python pyRecon.py -d example.com -b -p --vpn
Uses subdomain example.com with seclist subdomain list bruteforcing (massdns, subbrute, Sublist3r and enumall), adds ports 8443/8080 and checks if on VPN
Example 3: python pyRecon.py -d example.com -b --bruteall
Uses subdomain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r and enumall)
Example 4: python pyRecon.py -d example.com --quick
Uses subdomain example.com and only Sublist3r (+subbrute)
Note: --bruteall must be used with the -b flag
Option | Description |
---|---|
--install/--upgrade | Both do the same function โ install all prerequisite tools (Kali is a prerequisite AFAIK) |
--vpn | Check if you are on VPN (update with your provider) |
--quick | Use ONLY Sublis3r's subdomain methods (+ subbrute) |
--bruteall | Bruteforce with JHaddix All.txt List instead of SecList |
--fresh | Delete old data from output folder |
-d | The domain you want to preform recon on |
-b | Bruteforce with subbrute/massdns and SecList wordlist |
-s n | Only HTTPs domains |
-p | Add port 8080 for HTTP and 8443 for HTTPS |
- 07-15-2017: Updated to include error handling and updated reconnaissance techniques from Bugcrowd's LevelUp Conference (including subbrute/masscan and subdomain lists) - influenced by Jason Haddix's talk Bug Hunter's Methodology 2.0
- 08-09-2017: Various fixes (+ phantomjs error), added --fresh option, removed redundant PyBrute folder from output and added pip requirements.txt