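#!/bin/bash
#
# Enumeration and scanning pipeline for a single domain.
#
# Stages: DNS and subdomain enumeration, live-host filtering, port and
# service scans, web content discovery, TLS checks and vulnerability scans.
# Every tool writes its report into a timestamped directory under the
# current working directory.
#
# Globals: DOMAIN, OUTPUT_DIR, WORDLIST_DIR, USER_AGENT (set below)
# Exit:    1 if the output directory cannot be created. A missing or failing
#          tool is reported as a warning and the remaining stages still run.

# Fail on unset variables and on a failed pipeline stage. `set -e` is left
# off on purpose so that one failing tool does not abort the whole run.
set -u
set -o pipefail

# The reports hold findings about the target; keep them private to the
# invoking user instead of relying on the default umask.
umask 077

# --- Configuration ---
# Every stage below sends traffic to this domain or to its discovered hosts.
DOMAIN="certinia.com"
OUTPUT_DIR="scan_results_$(date +"%Y-%m-%d_%H-%M-%S")"
WORDLIST_DIR="/usr/share/wordlists" # Adjust if your wordlists are in a different location
USER_AGENT="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" # Customize if needed

# --- Functions for Improved Output ---

# Print a blue section header. $1 - message text.
print_header() {
  printf '\n\e[1;34m[*] %s\e[0m\n' "$1"
}

# Print a green success line. $1 - message text.
print_success() {
  printf '\e[1;32m[+] %s\e[0m\n' "$1"
}

# Print a yellow warning line. $1 - message text.
print_warning() {
  printf '\e[1;33m[-] %s\e[0m\n' "$1"
}

#######################################
# Run one tool and report a missing binary or a non-zero exit status.
# Arguments: $1 - label used in messages; $2.. - command and its arguments
# Returns:   127 if the tool is not installed, else the tool's exit status
#######################################
run_step() {
  local label=$1
  shift
  if ! command -v "$1" >/dev/null 2>&1; then
    print_warning "$label skipped: $1 not found in PATH"
    return 127
  fi
  local status=0
  "$@" || status=$?
  if (( status != 0 )); then
    print_warning "$label: $1 exited with status $status"
  fi
  return "$status"
}

#######################################
# Same as run_step, but the tool's stdout is written to a file.
# Arguments: $1 - output file; $2 - label; $3.. - command and its arguments
# Returns:   127 if the tool is not installed, else the tool's exit status
#######################################
run_step_to() {
  local outfile=$1
  local label=$2
  shift 2
  if ! command -v "$1" >/dev/null 2>&1; then
    print_warning "$label skipped: $1 not found in PATH"
    return 127
  fi
  local status=0
  "$@" > "$outfile" || status=$?
  if (( status != 0 )); then
    print_warning "$label: $1 exited with status $status"
  fi
  return "$status"
}

#######################################
# Run nmap against the bare hostnames in LIVE_TARGETS.
# Globals:   LIVE_TARGETS (read)
# Arguments: $1 - label used in messages; $2.. - nmap options
# Returns:   1 if the target list is empty, else run_step's status
#######################################
nmap_live() {
  local label=$1
  shift
  if [[ ! -s "$LIVE_TARGETS" ]]; then
    print_warning "$label skipped: no hosts in $LIVE_TARGETS"
    return 1
  fi
  run_step "$label" nmap "$@" -iL "$LIVE_TARGETS"
}

# --- Create Output Directory ---
if ! mkdir -p -- "$OUTPUT_DIR"; then
  print_warning "Could not create output directory: $OUTPUT_DIR"
  exit 1
fi
print_success "Output directory created: $OUTPUT_DIR"

# --- DNS Enumeration ---
print_header "Performing DNS enumeration..."

# 1. DNS Records with dnsenum
run_step_to "$OUTPUT_DIR/dnsenum_results.txt" "dnsenum scan" dnsenum "$DOMAIN" \
  && print_success "dnsenum scan complete."

# 2. Subdomain Enumeration with Sublist3r, assetfinder, amass, and findomain
failed=0
run_step "Sublist3r" sublist3r -d "$DOMAIN" \
  -o "$OUTPUT_DIR/sublist3r_subdomains.txt" || failed=1
run_step_to "$OUTPUT_DIR/assetfinder_subdomains.txt" "assetfinder" \
  assetfinder -subs-only "$DOMAIN" || failed=1
run_step "amass" amass enum -passive -d "$DOMAIN" \
  -o "$OUTPUT_DIR/amass_subdomains.txt" || failed=1
run_step "findomain" findomain -t "$DOMAIN" \
  -o "$OUTPUT_DIR/findomain_subdomains.txt" || failed=1
if (( failed == 0 )); then
  print_success "Subdomain enumeration complete."
else
  print_warning "Subdomain enumeration finished with errors; results may be partial."
fi

# 3. Combine and Uniqify Subdomains
# The inputs are listed by name: the *_subdomains.txt glob also matches
# all_subdomains.txt, and a tool that failed may not have written its file.
subdomain_files=()
for tool in sublist3r assetfinder amass findomain; do
  if [[ -f "$OUTPUT_DIR/${tool}_subdomains.txt" ]]; then
    subdomain_files+=("$OUTPUT_DIR/${tool}_subdomains.txt")
  fi
done
if (( ${#subdomain_files[@]} > 0 )); then
  sort -u -- "${subdomain_files[@]}" > "$OUTPUT_DIR/all_subdomains.txt"
  print_success "Subdomains combined and saved to: $OUTPUT_DIR/all_subdomains.txt"
else
  : > "$OUTPUT_DIR/all_subdomains.txt"
  print_warning "No subdomain lists were produced; $OUTPUT_DIR/all_subdomains.txt is empty."
fi

# --- Live Host Identification ---
print_header "Identifying live hosts..."

# 4. Filter Live Hosts with httpx
run_step "httpx" httpx -l "$OUTPUT_DIR/all_subdomains.txt" -status-code \
  -follow-redirects -random-agent -o "$OUTPUT_DIR/live_hosts.txt" \
  && print_success "Live hosts identified and saved to: $OUTPUT_DIR/live_hosts.txt"

# nmap takes hostnames, not the URL lines httpx writes, so the scheme and
# everything after the host are stripped before the list goes to nmap.
# NOTE(review): assumes each line starts with the URL and that -status-code
# appends "[code]" after a space; confirm against the installed httpx.
LIVE_TARGETS="$OUTPUT_DIR/live_hostnames.txt"
if [[ -s "$OUTPUT_DIR/live_hosts.txt" ]]; then
  awk '{
    host = $1
    sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", host)
    sub(/[\/:].*$/, "", host)
    if (host != "") print host
  }' "$OUTPUT_DIR/live_hosts.txt" | sort -u > "$LIVE_TARGETS"
else
  : > "$LIVE_TARGETS"
fi

# --- Web Server and Application Scanning ---
print_header "Performing web server and application scanning..."

# 5. Full Port Scan with Nmap (adjust timing if needed)
nmap_live "Nmap full port scan" -p- -T4 \
  -oN "$OUTPUT_DIR/nmap_full_scan.txt" \
  && print_success "Nmap full port scan complete."

# 6. Service Version Detection with Nmap
nmap_live "Nmap service version detection" -sCV -T4 \
  -oN "$OUTPUT_DIR/nmap_service_version.txt" \
  && print_success "Nmap service version detection complete."

# 7. Web Vulnerability Scan with Nikto
run_step "Nikto" nikto -h "https://$DOMAIN" \
  -output "$OUTPUT_DIR/nikto_results.txt" \
  && print_success "Nikto scan complete."

# 8. Directory Enumeration with Dirb, Gobuster, and ffuf
failed=0
run_step "dirb" dirb "http://$DOMAIN" "$WORDLIST_DIR/dirb/common.txt" \
  -o "$OUTPUT_DIR/dirb_results.txt" || failed=1
run_step "gobuster" gobuster dir -u "https://$DOMAIN" \
  -w "$WORDLIST_DIR/dirbuster/directory-list-2.3-medium.txt" -t 30 \
  -o "$OUTPUT_DIR/gobuster_dir_results.txt" || failed=1
run_step "ffuf" ffuf -u "https://$DOMAIN/FUZZ" \
  -w "$WORDLIST_DIR/dirbuster/directory-list-2.3-medium.txt" -fc 404 \
  -H "User-Agent: $USER_AGENT" \
  -o "$OUTPUT_DIR/ffuf_dir_results.json" || failed=1
if (( failed == 0 )); then
  print_success "Directory enumeration complete."
else
  print_warning "Directory enumeration finished with errors; results may be partial."
fi

# 9. SSL Certificate and Vulnerabilities Check with testssl.sh
run_step "testssl.sh" testssl.sh --full \
  --jsonfile "$OUTPUT_DIR/testssl_results.json" "$DOMAIN" \
  && print_success "testssl.sh scan complete."

# --- Advanced Vulnerability Scanning ---
print_header "Performing advanced vulnerability scanning..."

# 10. Vulnerability Scanning with Nmap Scripts (targeted)
# The script pattern is quoted so the shell cannot expand http-vuln-* against
# files in the working directory; nmap resolves the wildcard itself.
nmap_live "Nmap vulnerability scan" -sV '--script=vulners,http-vuln-*' \
  -oN "$OUTPUT_DIR/nmap_vuln_scan.txt" \
  && print_success "Nmap vulnerability scan complete."

# 11. Web Application Vulnerability Scan with OWASP ZAP (consider API scan)
# (Adjust parameters and options as needed)
run_step "OWASP ZAP" zap-baseline.py -t "https://$DOMAIN" \
  -r "$OUTPUT_DIR/zap_report.html" \
  && print_success "OWASP ZAP scan complete."

# --- Additional Considerations ---
print_warning "Remember to manually review the results and perform further testing."
print_warning "Use tools like sqlmap (with caution), Burp Suite, and others for more in-depth analysis."

printf '\n\e[1;32mScan complete. Results are saved in the %s directory.\e[0m\n' "$OUTPUT_DIR"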