A collection of Bash and Python scripts to automate the reconnaissance phase in web application security testing. This toolkit covers subdomain enumeration, port scanning, HTTP probing, directory bruteforcing, vulnerability scanning, JavaScript file analysis, endpoint discovery, and subdomain takeover checks — all in one streamlined workflow.
- Tool Installation: Automatically installs all the required tools (Sublist3r, Assetfinder, Amass, Subfinder, httprobe, Gowitness, etc.) on supported Linux systems.
- Subdomain Enumeration: Multiple enumerators (Sublist3r, Assetfinder, Amass, Subfinder) consolidate results into a single subdomain list.
- Port Scanning: Quick scanning of common web ports using Nmap.
- HTTP Probing & Screenshotting: Identify live subdomains and capture screenshots for visual inspection.
- Directory & File Bruteforcing: Discover hidden directories/files using dirsearch and curated wordlists from SecLists.
- Vulnerability Scanning: Perform checks with Nuclei for known CVEs and misconfigurations.
- JavaScript File Collection & Analysis: Hunt for potential credentials, API keys, or secrets embedded in JS files.
- Endpoint Discovery: Use WaybackURLs and gau to gather archived endpoints and parameters.
- Subdomain Takeover: Check unclaimed subdomains with Subjack to detect takeover possibilities.
- One-Click Automation: A single script (`auto_recon.sh`) to run the entire workflow from start to finish.
- Operating System: Linux-based OS (Kali, Parrot, Ubuntu, etc.)
- Go Language: Required to install some tools like `assetfinder`, `httprobe`, etc.
- Python 3.x: Used by some scripts and for the JS Analyzer.
- Wordlists: This toolkit references SecLists paths. Adjust paths to your environment as needed.
- Clone the Repository

  ```bash
  git clone https://github.com/kdairatchi/bashauto.git
  cd bashauto
  ```

- Make the Installation Script Executable

  ```bash
  chmod +x install_tools.sh
  ```

- Run the Installation Script

  ```bash
  ./install_tools.sh
  ```

  This installs all necessary packages and reconnaissance tools. Adjust if you’re using a different distro or package manager.
If you haven’t already, run:

```bash
chmod +x install_tools.sh
./install_tools.sh
```

- Make All Recon Scripts Executable

  ```bash
  chmod +x auto_recon.sh \
    subdomain_enum.sh \
    port_scan.sh \
    http_probe.sh \
    dir_bruteforce.sh \
    vuln_scan.sh \
    js_collection.sh \
    endpoint_discovery.sh \
    subdomain_takeover.sh
  ```

  or

  ```bash
  chmod +x *.sh
  ```

- Launch Automated Recon

  ```bash
  ./auto_recon.sh <target-domain>
  ```

  For example:

  ```bash
  ./auto_recon.sh example.com
  ```

- Check Results
  - All data is stored in the `recon/<target-domain>` directory.
  - Review subdomain lists, Nmap scans, screenshots, JS analysis, directory brute-forcing reports, etc.
```
automated-web-recon/
├── install_tools.sh        # Installs all required tools
├── auto_recon.sh           # Master script to run entire workflow
├── subdomain_enum.sh       # Subdomain enumeration
├── port_scan.sh            # Port scanning
├── http_probe.sh           # HTTP probing & screenshotting
├── dir_bruteforce.sh       # Directory & file brute-forcing
├── vuln_scan.sh            # Vulnerability scanning
├── js_collection.sh        # Collect JS files
├── endpoint_discovery.sh   # Discover endpoints from archived URLs
├── subdomain_takeover.sh   # Check for subdomain takeover
├── js_analyzer.py          # Python script to scan JS files for secrets
└── README.md               # This README
```
A one-stop installation script that sets up all the required tools (Sublist3r, Assetfinder, Amass, Subfinder, httprobe, Gowitness, dirsearch, ffuf, nikto, nuclei, getJS, waybackurls, gau, qsreplace, subjack).
- Run: `./install_tools.sh`
The master script that chains all individual scripts in the correct order:
- Subdomain Enumeration
- Port Scanning
- HTTP Probing & Screenshotting
- Directory Bruteforcing
- Vulnerability Scanning
- JavaScript Collection & Analysis
- Endpoint Discovery
- Subdomain Takeover Check
- Run: `./auto_recon.sh <target-domain>`
- `subdomain_enum.sh`

  Collects subdomains via Sublist3r, Assetfinder, Amass, Subfinder, and consolidates them into `all_subdomains.txt`.

  ```bash
  ./subdomain_enum.sh <target-domain>
  ```

- `port_scan.sh`

  Performs an Nmap scan on the discovered subdomains for common web ports.

  ```bash
  ./port_scan.sh <target-domain>
  ```

- `http_probe.sh`

  Uses httprobe to check for alive HTTP/HTTPS services and Gowitness to capture screenshots.

  ```bash
  ./http_probe.sh <target-domain>
  ```

- `dir_bruteforce.sh`

  Leverages dirsearch to bruteforce directories/files on live subdomains. Default wordlist path is set to SecLists.

  ```bash
  ./dir_bruteforce.sh <target-domain>
  ```

- `vuln_scan.sh`

  Uses Nuclei to scan for known vulnerabilities. Customize `nuclei_templates` to point to your local template set.

  ```bash
  ./vuln_scan.sh <target-domain>
  ```

- `js_collection.sh`

  Collects JavaScript files from each live subdomain using getJS, storing them locally.

  ```bash
  ./js_collection.sh <target-domain>
  ```

- `js_analyzer.py`

  Python script that scans downloaded JS files for potential secrets (API keys, AWS keys, etc.).

  ```bash
  cd recon/<target-domain>/javascript_files
  python3 js_analyzer.py
  ```

- `endpoint_discovery.sh`

  Gathers endpoints from WaybackURLs and gau to find hidden or archived parameters.

  ```bash
  ./endpoint_discovery.sh <target-domain>
  ```

- `subdomain_takeover.sh`

  Checks for subdomain takeover potential using Subjack. Configure `fingerprints.json` as needed.

  ```bash
  ./subdomain_takeover.sh <target-domain>
  ```
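The kind of scan `js_analyzer.py` is described as performing can be sketched as follows. This is an added example, not the project's own code: the rule patterns, the `MIN_ENTROPY` threshold and the function names are assumptions, and the sample input is constructed (the AWS value is the example key ID from AWS documentation). It combines a fixed-format rule with an entropy filter to cut false positives, and redacts matches so the report does not itself leak the secret.

```python
import math
import re
from collections import Counter

# Illustrative rules only (assumed, not the project's rule set).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(
    r"""(?i)\b([\w.-]*(?:api[_-]?key|secret|token|passwd|password)[\w.-]*)\s*[:=]\s*["']([^"']{8,})["']"""
)
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune per code base


def shannon_entropy(s):
    """Bits per character; low values indicate placeholders, not real keys."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value):
    """Keep a 4-character prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_js(text):
    """Return (line number, rule, redacted value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", redact(m.group())))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.groups()
            if AWS_KEY_ID.fullmatch(value):
                continue  # already reported by the fixed-format rule
            if shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((lineno, "high-entropy:" + name, redact(value)))
    return findings


# Constructed sample input, not taken from any real site.
SAMPLE_JS = '''\
const cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
const apiKey = "9f8Kq2LxZp7Rw1TbYc4VnM6h";
const password = "aaaaaaaaaaaa";
var csrfToken = document.querySelector("meta[name=csrf]").content;
'''

if __name__ == "__main__":
    for lineno, rule, preview in scan_js(SAMPLE_JS):
        print(f"line {lineno}: {rule}: {preview}")
```

The same check is worth running on your own bundles before deployment, since any key that reaches client-side JavaScript is readable by every visitor.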
This project is released under the MIT License. Feel free to use, modify, and distribute this toolkit in your own projects. Contributions are welcome!
Disclaimer: Use these scripts responsibly and only on targets you have explicit permission to test. Unauthorized scanning can be illegal or unethical.
Happy Hacking & Stay Safe!
If you find this project useful, please ⭐ star the repository and consider contributing code or enhancements!