💲 BASH Scripting
How can bash scripting help you in recon?
Imagine you have a wildcard scope such as *.domain.tld. You probably run several subdomain enumeration tools, such as amass, subfinder and assetfinder, to collect as many subdomains as possible.
There is an easier way that lets you chain all of those tools behind ONE COMMAND, and that is BASH.
Here is an example bash script that will make your recon more effective:
Create a bash file with nano or your favorite code editor:
nano recon.sh
Then write this code into it:
url="$1"                                              # first argument: the apex domain (quoted so it is passed as one word)
subfinder -d "$url" -o subdomains.txt                 # seed the list from subfinder
assetfinder --subs-only "$url" | anew subdomains.txt  # append only names not already in the file
amass enum -d "$url" -o subdomains_amass.txt          # amass writes its own file
anew subdomains.txt < subdomains_amass.txt            # merge it into the main list, deduplicated
Make the script executable:
chmod +x recon.sh
The first line assigns the script's first command-line argument ($1) to a variable named url. Quote it as "$url" wherever it is used, so an argument containing spaces or shell metacharacters reaches the tools as a single word.
If you run “bash recon.sh domain.tld” (or “./recon.sh domain.tld” once it is executable), url is set to domain.tld. This is easier than prompting for manual input with “read”, but it is optional.
The subfinder line expands $url, so the command that actually runs is “subfinder -d domain.tld -o subdomains.txt”, and the results land in subdomains.txt.
The assetfinder line runs with the same url value, but pipes its output into anew. anew appends to subdomains.txt only the lines that are not already in it and prints those new lines to stdout. It behaves like “tee -a” with deduplication built in, so the file never accumulates repeats.
The remaining lines do the same for amass: it writes to its own file, subdomains_amass.txt, and that file is fed through anew into subdomains.txt.
📍 You have now combined three tools behind one command, “bash recon.sh domain.tld”. The same pattern scales: add more enumeration tools to the script and every run merges their output into a single deduplicated list. More sources mean more subdomains, and more subdomains mean better coverage in less time. One caveat: before you test what you find, confirm each name really sits under the wildcard scope, because enumeration tools can return related hosts that are outside it.
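As an added example (this is not the post's own script), here is a fuller recon.sh built on the same idea: the same three tools, one deduplicated output file, plus the checks a practitioner wants around it. It assumes subfinder, assetfinder and amass are on PATH and skips any that are missing; it assumes subfinder's -silent flag and reads amass results from -o as the post does. It also adds two things the post does not have: an in_scope filter that drops any name that is not the target domain or a subdomain of it, and a merge_new function that does what anew does (append only unseen lines, print the new ones) using awk, so the script works without anew installed.

```shell
#!/usr/bin/env bash
# recon.sh: enumerate subdomains of one apex domain with several tools and
# merge them into a single deduplicated, in-scope list.
# Added example, not the post author's script. Assumes subfinder, assetfinder
# and amass are on PATH; a tool that is not installed is skipped.
set -u

# Keep only names that are the target domain or end in ".<domain>", lowercased.
# Stops a tool that returns related but out-of-scope hosts from polluting the list.
in_scope() {
    local re
    re=$(printf '%s' "$1" | sed 's/\./\\./g')        # escape dots for the regex
    tr 'A-Z' 'a-z' | grep -E "(^|\.)${re}\$"
}

# Append stdin lines that are not already in file "$1" (what anew does) and
# print the new lines. Works when the file is empty or does not exist yet.
merge_new() {
    local out="$1"
    touch "$out"
    awk -v out="$out" '
        FILENAME == out { seen[$0] = 1; next }   # first pass: names already in the file
        $0 != "" && !seen[$0]++                  # then: non-empty, unseen stdin lines
    ' "$out" - | tee -a "$out"
}

# amass writes status text to stdout, so take its names from -o (as the post does).
amass_names() {
    local tmp
    tmp=$(mktemp)
    amass enum -d "$1" -o "$tmp" >/dev/null 2>&1
    cat "$tmp"
    rm -f "$tmp"
}

# run_tool BINARY COMMAND...: if BINARY is installed, run COMMAND, pass its
# stdout through the scope filter and the merge, and report new names added.
run_tool() {
    local bin="$1" added
    shift
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "[-] $bin not installed, skipping" >&2
        return 0
    fi
    added=$("$@" 2>/dev/null | in_scope "$DOMAIN" | merge_new "$OUT" | wc -l | tr -d ' ')
    echo "[+] $bin: $added new name(s)" >&2
}

main() {
    DOMAIN="$1"
    OUT="${2:-subdomains.txt}"
    run_tool subfinder   subfinder -d "$DOMAIN" -silent
    run_tool assetfinder assetfinder --subs-only "$DOMAIN"
    run_tool amass       amass_names "$DOMAIN"
    echo "[*] $(wc -l < "$OUT" | tr -d ' ') unique in-scope names in $OUT" >&2
}

# Only start enumeration when executed directly with a domain argument.
if [ "${BASH_SOURCE:-}" = "$0" ] && [ $# -ge 1 ]; then
    main "$@"
elif [ "${BASH_SOURCE:-}" = "$0" ]; then
    echo "usage: $0 domain.tld [outfile]" >&2
fi
```

Usage: `./recon.sh domain.tld` (optionally a second argument for the output file). Each tool's result is filtered before it is merged, so a name such as domain.tld.evil.example never lands in the list, and the per-tool counts on stderr tell you which source is actually contributing. Adding a fourth tool is one more run_tool line.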