Lazyrecon is a subdomain discovery tool that finds and resolves valid subdomains, then performs SSRF/LFI/SQLi fuzzing, directory brute-force and port scanning. It has a simple modular architecture and is optimized for speed while working with GitHub and the Wayback Machine.
Features
This script is intended to automate your reconnaissance process in an organized fashion by performing the following:
- Subdomain discovery with subfinder, assetfinder, gau, waybackurls and github-subdomains
- Subdomain permutation with dnsgen (--alt mode)
- Resolution of valid subdomains with shuffledns
- Live host probing with httpx
- Headless chromium async script (replaces aquatone)
- Port scanning of live servers with masscan
- Check for common CVEs with nuclei
- Request smuggling check with smuggler
- Directory brute-force with ffuf, supercharged by interlace, using a custom wordlist based on top10000.txt
The point is to get a list of live IPs (in the form of socket addresses), attack available network protocols, check for common CVEs, perform a very simple directory brute-force, then use the provided reports for manual research.
Installing
Linux & Mac tested
Prerequisites
python >= 3.7
pip3 >= 19.0
go >= 1.14
CI/CD way
You can use a stateful or stateless build agent (worker). No additional time is required for provisioning. It may look tricky because masscan/nmap/naabu require the root user.
./lazyconfig:
export HOMEUSER= # your normal, non-root user, e.g. kali
export HOMEDIR= # user's home dir e.g.: /home/kali
export STORAGEDIR= # where output saved, e.g.: ${HOMEDIR}/lazytargets
export GITHUBTOKEN=XXXXXXXXXXXXXXXXXX # a personal access token here
export DISCORDWEBHOOKURL= # https://discord.com/api/webhooks/{webhook.id}/{webhook.token}
export GOPATH=$HOMEDIR/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$HOME/go/bin:$HOMEDIR/go/bin
export GO111MODULE=on
source ./lazyconfig
sudo -E ./install.sh
sudo -E ./lazyrecon.sh "hackerone.com"
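Because `sudo -E` hands every variable exported in ./lazyconfig, token and webhook included, to the root shell, it is worth checking the file before the install and recon steps above. The following is an added example, not part of the lazyrecon project; it assumes only the variable names from ./lazyconfig and writes a constructed sample config to a temp file for the demonstration:

```shell
#!/usr/bin/env bash
# Added example (not from the lazyrecon project): validate ./lazyconfig before it is
# sourced and passed to `sudo -E`. Checks use only the keys documented in the README.
# Usage: lazyconfig_check ./lazyconfig   -> exit 0 when clean, 1 when problems found

lazyconfig_check() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  # Source the file in a subshell so nothing it exports leaks into the caller.
  (
    problems=0
    . "$1"
    # Every key the README asks for must be set; sudo -E passes them through unchanged.
    for v in HOMEUSER HOMEDIR STORAGEDIR GITHUBTOKEN DISCORDWEBHOOKURL; do
      eval "val=\${$v:-}"
      [ -n "$val" ] || { echo "$v is empty" >&2; problems=$((problems + 1)); }
    done
    # The README's sample leaves XXXX... in GITHUBTOKEN; github-subdomains needs a real PAT.
    case "${GITHUBTOKEN:-}" in
      *XXXX*) echo "GITHUBTOKEN still holds the placeholder" >&2; problems=$((problems + 1)) ;;
    esac
    # HOMEUSER is meant to be the normal, non-root account, even though the script runs under sudo.
    [ "${HOMEUSER:-}" != "root" ] || { echo "HOMEUSER must not be root" >&2; problems=$((problems + 1)); }
    # Webhook must follow the documented https://discord.com/api/webhooks/{id}/{token} shape
    # (an empty value was already reported by the loop above).
    case "${DISCORDWEBHOOKURL:-}" in
      ""|https://discord.com/api/webhooks/*/*) ;;
      *) echo "DISCORDWEBHOOKURL is not a Discord webhook URL" >&2; problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
  )
}

# Constructed sample config writer for the demo; $1 = path, $2 = HOMEUSER, $3 = GITHUBTOKEN.
write_sample_lazyconfig() {
  cat > "$1" <<EOF
export HOMEUSER=$2
export HOMEDIR=/home/$2
export STORAGEDIR=\${HOMEDIR}/lazytargets
export GITHUBTOKEN=$3
export DISCORDWEBHOOKURL=https://discord.com/api/webhooks/123456/constructed-token
export GOPATH=\$HOMEDIR/go
export GO111MODULE=on
EOF
}

# Demo: the README's placeholder token must be rejected before any sudo -E run.
demo_cfg=$(mktemp)
write_sample_lazyconfig "$demo_cfg" kali XXXXXXXXXXXXXXXXXX
if lazyconfig_check "$demo_cfg"; then echo "lazyconfig OK"; else echo "fix lazyconfig first"; fi
rm -f "$demo_cfg"
```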
Github Actions way
Customize .github/workflows/test-recon-action.yaml using the DISCORDWEBHOOKURL and GITHUBTOKEN secrets, and enable --discord to receive a report:
- name: Install & Recon
  env:
    GO111MODULE: on
    DISCORDWEBHOOKURL: ${{ secrets.DISCORDWEBHOOKURL }}
    GITHUBTOKEN: ${{ secrets.GITHUBTOKEN }}
  run: |
    export HOMEDIR=$HOME
    export HOMEUSER=$RUNNER_USER
    export STORAGEDIR="${HOMEDIR}"/lazytargets
    sudo -E ./install.sh
    sudo -E ./lazyrecon.sh "hackerone.com" --quiet --discord
Hard way
Configure your environment variables and dependencies using INSTALL.MD.
If you run into issues, feel free to join the Discord, open a PR or file a bug.
Usage
Execute with sudo because of masscan:
▶ sudo -E ./lazyrecon.sh tesla.com --wildcard
Parameter | Description | Example |
---|---|---|
--wildcard | Subdomain reconnaissance for '*.tesla.com' (default) | ./lazyrecon.sh tesla.com --wildcard |
--single | One target instance, 'tesla.com' | ./lazyrecon.sh tesla.com --single |
--ip | Single IP of the target machine | ./lazyrecon.sh 192.168.0.1 --single --ip |
--list | List of subdomains to process | ./lazyrecon.sh "./testa.txt" --list |
--cidr | Perform network recon on a range in CIDR notation | ./lazyrecon.sh "192.168.0.0/16" --cidr |
--mad | Pull data from the Wayback Machine | ./lazyrecon.sh tesla.com --mad |
--fuzz | SSRF/LFI/SQLi fuzzing | ./lazyrecon.sh tesla.com --mad --fuzz |
--alt | Additionally permutate subdomains (*.tesla.com only) | ./lazyrecon.sh tesla.com --wildcard --alt |
--brute | Basic directory brute-force (time sensitive) | ./lazyrecon.sh tesla.com --single --brute |
--discord | Send notifications to Discord | ./lazyrecon.sh tesla.com --discord |
--quiet | Enable quiet mode | ./lazyrecon.sh tesla.com --quiet |
Methodology
./lazyrecon.sh: XHR requests; fuzz parameters and variables (%23, /%2e/, admin.php%2500.md, etc.)
Origin
This project was inspired by the original v1.0 by Ben Sadeghipour and aims to implement some of the best practices such as Mechanizing the Methodology, TBHM, Subdomain Takeovers, Request Smuggling, SSRF, LFI and brute-force based on a custom wordlist.
Notable articles
Notes
- aquatone replaced by a headless chromium async script, based on performance
- Sublist3r replaced with subfinder, based on a Twitter discussion
- nmap replaced with masscan, based on its features and a Twitter discussion; run helpers/nmap_nse_ifile.sh by hand using masscan_output.gnmap as input
- smuggler forked from its original to get a lightweight solution that includes this PR
- grep meg's output for Location in order to exclude 301/302 status codes (the httpx -fc 301,302 approach)
- httpx -ip used without dnsprobe, based on a @pdiscoveryio Twitter answer
- altdns used, based on Scrutiny on the bug bounty
- massdns fully replaced with shuffledns because of an issue
Acknowledgement: This code was created for personal use against hosts you are allowed to hack/explore under any of the known bug bounty programs. Use it at your own risk.