Add aquatone, ffuf

BugBountyScanner.sh

@@ -195,23 +195,23 @@ do
             echo "[+] HIJACKABLE SUBDOMAINS FOUND!"
             notify "SubJack completed. One or more hijackable subdomains found!"
             notify "Hijackable domains: $(cat "subjack-$DOMAIN.txt")"
-            notify "Gathering live page screenshots with WebScreenshot..."
+            notify "Gathering live page screenshots with aquatone..."
         else
             echo "[-] NO HIJACKABLE SUBDOMAINS FOUND."
-            notify "No hijackable subdomains found. Gathering live page screenshots with WebScreenshot..."
+            notify "No hijackable subdomains found. Gathering live page screenshots with aquatone..."
         fi
     else
         echo "[-] SKIPPING SUBJACK"
     fi
 
-    if [ ! -d "webscreenshot" ] || [ "$overwrite" = true ]
+    if [ ! -f "aquatone_report.html" ] || [ "$overwrite" = true ]
     then
-        echo "[*] RUNNING WEBSCREENSHOT..."
-        webscreenshot -i "livedomains-$DOMAIN.txt" -o webscreenshot --no-error-file
+        echo "[*] RUNNING AQUATONE..."
+        cat livedomains-$DOMAIN.txt | aquatone -ports medium
         generate_screenshot_report "$DOMAIN"
-        notify "WebScreenshot completed! Took *$(find webscreenshot/* -maxdepth 0 | wc -l)* screenshots. Getting Wayback Machine path list with GAU..."
+        notify "Aquatone completed! Took *$(find screenshots/* -maxdepth 0 | wc -l)* screenshots. Getting Wayback Machine path list with GAU..."
     else
-        echo "[-] SKIPPING WEBSCREENSHOT"
+        echo "[-] SKIPPING AQUATONE"
     fi
 
     if [ ! -f "WayBack-$DOMAIN.txt" ] || [ "$overwrite" = true ]
@@ -239,44 +239,51 @@ do
                 critIssues="$(grep -c 'critical' < "nuclei-$DOMAIN.txt")"
                 if [ "$critIssues" -gt 0 ]
                 then
-                    notify "Nuclei completed. Found *$(wc -l < "nuclei-$DOMAIN.txt")* (potential) issues, of which *$critIssues* are critical, and *$highIssues* are high severity. Finding temporary files with GoBuster..."
+                    notify "Nuclei completed. Found *$(wc -l < "nuclei-$DOMAIN.txt")* (potential) issues, of which *$critIssues* are critical, and *$highIssues* are high severity. Finding temporary files with ffuf.."
                 elif [ "$highIssues" -gt 0 ]
                 then
-                    notify "Nuclei completed. Found *$(wc -l < "nuclei-$DOMAIN.txt")* (potential) issues, of which *$highIssues* are high severity. Finding temporary files with GoBuster..."
+                    notify "Nuclei completed. Found *$(wc -l < "nuclei-$DOMAIN.txt")* (potential) issues, of which *$highIssues* are high severity. Finding temporary files with ffuf..."
                 else
-                    notify "Nuclei completed. Found *$(wc -l < "nuclei-$DOMAIN.txt")* (potential) issues, of which none are critical or high severity. Finding temporary files with GoBuster..."
+                    notify "Nuclei completed. Found *$(wc -l < "nuclei-$DOMAIN.txt")* (potential) issues, of which none are critical or high severity. Finding temporary files with ffuf..."
                 fi
             else
-                notify "Nuclei completed. No issues found. Finding temporary files with GoBuster..."
+                notify "Nuclei completed. No issues found. Finding temporary files with ffuf..."
             fi
         else
             echo "[-] SKIPPING NUCLEI"
         fi
 
-        if [ ! -d "gobuster" ] || [ "$overwrite" = true ]
+        if [ ! -d "ffuf" ] || [ "$overwrite" = true ]
         then
-            echo "[*] RUNNING GOBUSTER..."
-            mkdir gobuster
-            cd gobuster || { echo "Something went wrong"; exit 1; }
+                echo "[*] RUNNING FFUF..."
+		mkdir ffuf
+		cd ffuf || { echo "Something went wrong"; exit 1; }
 
-            while read -r dname;
-            do
-                filename=$(echo "${dname##*/}" | sed 's/:/./g')
-                gobuster -q -e -t 20 -s 200,204 -k -to 3s -u "$dname" -w "$toolsDir"/wordlists/tempfiles.txt -o "gobuster-$filename.txt"
-            done < "../livedomains-$DOMAIN.txt"
+		while read -r dname;
+		do
+    			filename=$(echo "${dname##*/}" | sed 's/:/./g')
+    			ffuf -w "$toolsDir/wordlists/tempfiles.txt" -u "$dname/FUZZ" -mc 200-299 -maxtime 180 -o "ffuf-$filename.csv" -of csv
+		done < "../livedomains-$DOMAIN.txt"
 
-            find . -size 0 -delete
+        # Remove all files with only a header row
+        find . -type f -size -1c -delete
+
+        # Count the number of files (lines in the ffuf files, excluding the header row for each file) and sum into variable
+        ffufFiles=$(find . -type f -exec wc -l {} + | sed '$d' | awk '{sum+=$1-1} END{print sum}')
+
+		if [ "$ffufFiles" -gt 0 ]
+        then
+    			notify "FFUF completed. Got *$ffufFiles* files. Spidering paths with GoSpider..."
+    			cd .. || { echo "Something went wrong"; exit 1; }
+		else
+    			notify "FFUF completed. No temporary files identified. Spidering paths with GoSpider..."
+    			cd .. || { echo "Something went wrong"; exit 1; }
+    			rm -rf ffuf
+		fi
 
-            if [ "$(ls -A .)" ]; then
-                notify "GoBuster completed. Got *$(cat ./* | wc -l)* files. Spidering paths with GoSpider..."
-                cd .. || { echo "Something went wrong"; exit 1; }
-            else
-                notify "GoBuster completed. No temporary files identified. Spidering paths with GoSpider..."
-                cd .. || { echo "Something went wrong"; exit 1; }
-                rm -rf gobuster
             fi   
         else
-            echo "[-] SKIPPING GOBUSTER"
+            echo "[-] SKIPPING ffuf"
         fi
 
         if [ ! -f "paths-$DOMAIN.txt" ] || [ "$overwrite" = true ]
@@ -375,7 +382,7 @@ do
         else
             echo "[-] SKIPPING NMAP"
         fi
-    fi
+
 
     cd ..
     echo "[+] DONE SCANNING $DOMAIN."
@@ -384,4 +391,4 @@ do
 done
 
 echo "[+] DONE! :D"
-notify "Recon finished! Go hack em!"
+notify "Recon finished! Go hack em!"

README.md

@@ -110,7 +110,7 @@ example:
 - Web screenshotting and crawling, HTML screenshot report generation
 - Retrieving (hopefully sensitive) endpoints from the Wayback Machine
 - Identification of interesting parameterized URLs with Gf
-- Enumeration of common "temporary" and forgotten files with GoBuster
+- Enumeration of common "temporary" and forgotten files with Ffuf
 - Automatic detection of LFI, SSTI, and Open Redirects in URL parameters
 - Subdomain takeover detection
 - Port scanning (Top 1000 TCP + SNMP)
@@ -119,15 +119,21 @@ example:
 ## Tools
 
 - `amass`
+- `aquatone`
 - `dnsutils`
-- `Go`
+- `ffuf`
 - `gau`
 - `Gf` (with `Gf-Patterns`)
-- `GoBuster`
+- `Go`
 - `gospider`
 - `httpx`
 - `nmap`
 - `Nuclei` (with `Nuclei-Templates`)
 - `qsreplace`
 - `subjack`
-- `webscreenshot`
+
+## Contributers
+A big thanks to all the contributors who have helped improve. Your contributions are highly appreciated.
+<a href="https://github.com/chvancooten/BugBountyScanner/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=chvancooten/BugBountyScanner" />
+</a>

setup.sh

@@ -63,6 +63,12 @@ apt-get update >/dev/null
 apt-get install -y xvfb dnsutils nmap python3.9 python2 python3-pip curl wget unzip git libfreetype6 libfontconfig1 >/dev/null
 rm -rf /var/lib/apt/lists/*
 
+# Chrome (for aquatone)
+wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
+apt update -qq
+apt install ./google-chrome-stable_current_amd64.deb -y >/dev/null
+rm google-chrome-stable_current_amd64.deb
+
 # Golang
 go version &> /dev/null
 if [ $? -ne 0 ]; then
@@ -86,7 +92,7 @@ go install github.com/tomnomnom/gf@latest &>/dev/null
 go install github.com/jaeles-project/gospider@latest &>/dev/null
 go install github.com/tomnomnom/qsreplace@latest &>/dev/null
 go install github.com/haccer/subjack@latest &>/dev/null
-go install github.com/OJ/gobuster@latest &>/dev/null
+go install github.com/ffuf/ffuf/v2@latest &>/dev/null
 go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest &>/dev/null
 
 # Nuclei-templates
@@ -99,17 +105,19 @@ tar xvf phantomjs-2.1.1-linux-x86_64.tar.bz2 >/dev/null
 rm phantomjs-2.1.1-linux-x86_64.tar.bz2
 cp $toolsDir/phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/bin/phantomjs
 
-# Webscreenshot
-echo "[*] Installing WebScreenshot via pip..."
-pip3 install webscreenshot >/dev/null
+# Aquatone
+echo "[*] Installing Aquatone"
+wget -q https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip
+unzip -j aquatone_linux_amd64_1.7.0.zip -d /usr/bin/ aquatone >/dev/null
+rm aquatone_linux_amd64_1.7.0.zip
 
 # Subjack fingerprints file
 echo "[*] Installing Subjack fingerprints..."
 mkdir "$toolsDir/subjack"
 wget -q https://raw.githubusercontent.com/haccer/subjack/master/fingerprints.json -O $toolsDir/subjack/fingerprints.json
 
-# GoBuster temporary files wordlist
-echo "[*] Installing GoBuster wordlist..."
+# Temporary files wordlist
+echo "[*] Installing ffuf wordlist..."
 mkdir "$toolsDir/wordlists"
 wget -q https://raw.githubusercontent.com/Bo0oM/fuzz.txt/master/fuzz.txt -O $toolsDir/wordlists/tempfiles.txt
 

utils/runTests.sh

@@ -36,10 +36,10 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
-# Webscreenshot
-webscreenshot -h &> /dev/null
-if [ $? -ne 0 ]; then
-    echo "Error - Webscreenshot not (properly) installed"
+# aquatone
+aquatone -h &> /dev/null
+if [ $? -ne 2 ]; then
+    echo "Error - Aquatone not (properly) installed"
     exit 1
 fi
 
@@ -70,10 +70,10 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
-# GoBuster
-gobuster -h &> /dev/null
+## ffuf
+ffuf -h &> /dev/null
 if [ $? -ne 0 ]; then
-    echo "Error - GoBuster not (properly) installed"
+    echo "Error - ffuf not (properly) installed"
     exit 1
 fi
 
@@ -106,4 +106,4 @@ if [ $? -ne 0 ]; then
 fi
 
 echo "All good!"
-exit 0
+exit 0

utils/screenshotReport.sh

@@ -4,7 +4,7 @@
 generate_screenshot_report() {
 
 domain=$1
-cd "webscreenshot" || { echo "Something went wrong"; exit 1; }
+cd "./screenshots" || { echo "Something went wrong"; exit 1; }
 
 if [ -e screenshotReport.html ]
 then
@@ -20,45 +20,35 @@ cat >> ../screenshotReport.html << HEADER
 <link rel="stylesheet" href="./dist/github-markdown.css">
 <title>Screenshots for $domain</title>
 <style>
+    .markdown-body {
+        box-sizing: border-box;
+        min-width: 200px;
+        max-width: 980px;
+        margin: 0 auto;
+        padding: 45px;
+    }
 
-	.markdown-body {
-		box-sizing: border-box;
-		min-width: 200px;
-		max-width: 980px;
-		margin: 0 auto;
-		padding: 45px;
-	}
-
-	@media (max-width: 767px) {
-		.markdown-body {
-			padding: 15px;
-		}
-	}
-
-  /* TODO some CSS-fu to make this mess nicer :) 
-
-  .screenshot img {
-    height: 50%;
-    width: 50%;
-    border: 1px solid black;
-  }
-  */
-
+    @media (max-width: 767px) {
+        .markdown-body {
+            padding: 15px;
+        }
+    }
 </style>
 </head>
 <body>
 <div class="markdown-body">
-  <h1>Screenshots for <code>$domain</code></h2>
+  <h1>Screenshots for <code>$domain</code></h1>
+  <h2>Note: This report has been deprecated in favor of Aquatone. Please check out <a href="./aquatone_report.html">the Aquatone report</a> instead.</h2>
 HEADER
 
 for i in *.png
 do 
 caption="$i"
 cat >> ../screenshotReport.html << HTML
 <div id="img_$i" class="screenshot">
-  <a href="./webscreenshot/$i">
+  <a href="./screenshots/$i">
   <p>$caption</p>
-  <img src="./webscreenshot/$i" alt="$caption"/>
+  <img src="./screenshots/$i" alt="$caption"/>
   </a>
   <br>
   <br>
@@ -76,4 +66,5 @@ cat >> ../screenshotReport.html << FOOTER
 FOOTER
 
 cd ..
-}
+}
+