Passive recon / OSINT automation script:
+ Runs the passive recon tools specified in the config file against a given TLD
+ Extracts email addresses, IP addresses, and DNS names from tool output using regex
+ Queries the various OSINT sites specified in the config file for the TLD and saves the result in the specified format (default: PDF)
+ Runs additional recon tools and website queries on the IPs and DNS names found during the initial TLD analysis
+ All identified domains, emails, IP addresses, DNS names, and tool run history / output are stored in a SQLite database
+ Aggressive mode can be enabled to run non-passive tests on discovered hosts (e.g. screenshotting and spidering a website)
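The extraction and storage steps above, as an added example that is not the project's own code: it pulls emails, IPv4 addresses and hostnames out of a constructed block of nslookup/whois-style output with regexes, applies the email filter the README describes (only addresses on the active domain are kept during the TLD phase), validates dotted quads with the `ipaddress` module so version strings are not mistaken for hosts, and records the run plus its findings in a SQLite database. The regexes, the `tool_runs`/`findings` schema and the sample output are all assumptions made here, not the script's actual implementation.

```python
import ipaddress
import re
import sqlite3

# Constructed sample tool output (not real recon output) mixing nslookup-
# and whois-style lines with a version string that looks like an address.
SAMPLE_OUTPUT = """\
Name:   www.example.com
Address: 93.184.216.34
mail.example.com   mail exchanger = 10 mx1.example.com
nameserver = ns1.example.com
Registrant Email: admin@example.com
Tech Email: hostmaster@registrar-host.net
Whois client build 1.2.3.999
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Dotted quad not glued to other digits/dots; octet range is checked afterwards.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# One or more DNS labels followed by an alphabetic TLD.
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)


def _in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def extract_findings(text, active_domain):
    """Pull emails, IPv4 addresses and hostnames out of raw tool output.

    Emails are kept only when they belong to the active domain; hostnames
    and IPs are kept regardless, since later phases pivot on them.
    """
    emails = {e.lower() for e in EMAIL_RE.findall(text)
              if _in_domain(e.split("@", 1)[1], active_domain)}
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ips.add(str(ipaddress.ip_address(cand)))  # drops 1.2.3.999 etc.
        except ValueError:
            continue
    # Blank out emails first so their domain part is not counted as a host.
    hosts = {h.lower() for h in HOST_RE.findall(EMAIL_RE.sub(" ", text))}
    return {"email": sorted(emails), "ip": sorted(ips), "host": sorted(hosts)}


# Assumed schema: one row per tool invocation, one row per distinct finding.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tool_runs (
    id      INTEGER PRIMARY KEY,
    tool    TEXT NOT NULL,
    target  TEXT NOT NULL,
    output  TEXT,
    ran_at  TEXT DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE IF NOT EXISTS findings (
    kind        TEXT NOT NULL,
    value       TEXT NOT NULL,
    source_run  INTEGER REFERENCES tool_runs(id),
    UNIQUE (kind, value)
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def store_run(conn, tool, target, output, active_domain):
    """Record one tool run and every new finding parsed from its output.

    Tool output is untrusted text, so it reaches SQLite only through bound
    parameters, never through string formatting.
    """
    cur = conn.execute(
        "INSERT INTO tool_runs (tool, target, output) VALUES (?, ?, ?)",
        (tool, target, output))
    run_id = cur.lastrowid
    for kind, values in extract_findings(output, active_domain).items():
        conn.executemany(
            "INSERT OR IGNORE INTO findings (kind, value, source_run) "
            "VALUES (?, ?, ?)", [(kind, v, run_id) for v in values])
    conn.commit()
    return run_id


def known(conn, kind):
    """All stored values of one kind ('email', 'ip' or 'host'), sorted."""
    rows = conn.execute(
        "SELECT value FROM findings WHERE kind = ? ORDER BY value", (kind,))
    return [r[0] for r in rows]
```

`known(conn, "host")` after a run gives the list the next phase would feed back into the tools; the `UNIQUE (kind, value)` constraint plus `INSERT OR IGNORE` keeps repeated runs from duplicating findings.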
– Set type=all on the nslookup command in the default config
By default, the application runs in interactive mode, allowing the user to select a project name / output directory and add multiple TLDs for analysis before the scripted tasks execute. Optionally, a single domain can be specified as a command line parameter to immediately create a new project and execute the scripted tasks against that domain on launch.
All scan parameters are pulled from config files, so multiple configurations can be developed and selected with the -c flag. An example config file (default.example) is included and will be copied into the default path (default.cfg) on initial launch.
The script has been tested on Kali Linux and OS X and should function on UNIX-based systems with the required dependencies.
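A config-driven tool runner of the kind the two paragraphs above describe, as an added example and not the project's own code. The `[tools]` section layout with a `{target}` placeholder is an assumption (the real default.cfg format is not shown here). The point worth copying is the handling of the target: it arrives from interactive or command-line input, so it is checked as a hostname and substituted into an argv list rather than a shell string, which keeps a value like `--help` or `a.com; id` from turning into an option or a second command.

```python
import configparser
import re
import shlex
import subprocess

# Constructed example config: a [tools] section of "name = command template"
# lines with a {target} placeholder. This layout is an assumption, not the
# project's actual default.cfg format.
EXAMPLE_CONFIG = """
[tools]
nslookup = nslookup -type=all {target}
whois = whois {target}
"""

# A syntactically valid DNS name: labels of letters/digits/hyphens, alpha TLD.
TARGET_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.I)


def load_tools(config_text):
    """Return {tool name: command template} from the [tools] section."""
    # interpolation=None so a literal '%' in a template is not special.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return dict(cp.items("tools"))


def is_valid_target(target):
    return bool(TARGET_RE.match(target))


def build_command(template, target):
    """Substitute the target into the template and return an argv list.

    Validation plus per-argument substitution (never a shell) means the
    target can only ever be one positional hostname argument.
    """
    if not is_valid_target(target):
        raise ValueError(f"refusing non-hostname target: {target!r}")
    target = target.lower()
    return [arg.replace("{target}", target) for arg in shlex.split(template)]


def run_tool(template, target, timeout=60):
    """Run one configured tool and capture its output for later parsing."""
    argv = build_command(template, target)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return {"argv": argv, "rc": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}
```

The `timeout` keeps a hung lookup from stalling the whole scripted run, and `check=False` lets a non-zero exit (common for whois on unknown TLDs) be recorded in the run history instead of aborting the project.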
Python Module Dependencies:
– pyPdf (installed on Kali Linux by default)
– elixir (apt-get install python-elixir)
– cutycapt (installed on Kali Linux by default)
Dependencies in default tool config file:
– webshag (installed by default on Kali 1.x but not 2.x; apt-get install webshag)
To Do:
+ Email domain filter currently only excludes emails not matching the active domain during the TLD phase
+ HTML index page to summarize all output
+ Scrape cutycapt output for targets & emails (convert to text first?)