A collection of bash scripts for gathering intelligence during penetration testing engagements.
domain_recon.sh
Comprehensive domain intelligence gathering script that collects DNS, WHOIS, SSL, and infrastructure information.
Usage:
./domain_recon.sh example.com
Features:
- WHOIS information lookup
- Complete DNS record enumeration (A, AAAA, MX, NS, TXT)
- Nameserver identification
- IP address resolution and reverse DNS
- Geolocation data
- HTTP/HTTPS header analysis
- SSL/TLS certificate information
- Basic subdomain enumeration
- Technology stack detection
- ASN information
- Traceroute analysis
- robots.txt and security.txt discovery
Output:
Creates a timestamped directory recon_<domain>_<timestamp>/ containing:
- Individual analysis files for each check
- SUMMARY.txt - Consolidated report
hosting_recon.sh
Advanced hosting provider reconnaissance script that identifies cloud platforms and hosting services for penetration testing.
Usage:
./hosting_recon.sh example.com
Features:
- Amazon Web Services (AWS) - EC2, CloudFront, ELB, S3, with region identification
- Google Cloud Platform (GCP) - Compute, Storage, CDN
- Microsoft Azure - Web Apps, Cloud Services, Blob Storage
- Oracle Cloud Infrastructure (OCI)
- IBM Cloud / SoftLayer
- Alibaba Cloud / Aliyun
- Cloudflare (CDN/DDoS Protection)
- Akamai (CDN/Edge)
- Fastly (CDN)
- DigitalOcean
- Linode
- Vultr
- OVH
- Hetzner
- Squarespace
- WordPress.com (Automattic)
- Wix
- Shopify
- GoDaddy
- Bluehost
- HostGator
- DreamHost
- Netlify
- Vercel
- Heroku
- GitHub Pages
- Namecheap
Analysis checks:
- IP Resolution - Resolves all IPv4/IPv6 addresses
- CNAME Analysis - Detects hosting patterns in DNS aliases
- WHOIS Lookup - Organization, network name, CIDR blocks, ASN
- Geolocation - Country, region, city, ISP information
- HTTP Header Analysis - Server signatures, CDN indicators
- SSL Certificate - Issuer, SANs for related domains
- DNS TXT Records - Hosting verification records
- Network Path - Traceroute to identify infrastructure
- Port Scanning - Common services (80, 443, 22, 3389, etc.)
- AWS-Specific Checks - S3 buckets, CloudFront, ELB
- Cloud DNS Patterns - Provider-specific DNS configurations
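The CNAME analysis check above maps DNS alias targets onto hosting providers. The following is an added illustration of that mapping, not code from hosting_recon.sh: the pattern table is a constructed subset of well-known provider alias domains, and DIG_CMD is an assumed variable that only exists so a stub resolver can stand in for dig. A defender runs the same check over their own zone to inventory which third parties their names point at.

```shell
# Classify a CNAME target by hosting provider (added example, not the
# project's code). The pattern table is a constructed subset of well-known
# provider alias domains; extend it with the patterns your inventory needs.
classify_cname() {
  local target
  target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
  target=${target%.}                             # drop the trailing dot dig prints
  case "$target" in
    *.cloudfront.net)                               echo "AWS CloudFront" ;;
    *.elb.amazonaws.com)                            echo "AWS ELB" ;;
    *.s3.amazonaws.com|*.s3.*.amazonaws.com|*.s3-website*.amazonaws.com) echo "AWS S3" ;;
    *.azurewebsites.net)                            echo "Azure Web Apps" ;;
    *.cloudapp.net)                                 echo "Azure Cloud Services" ;;
    *.blob.core.windows.net)                        echo "Azure Blob Storage" ;;
    storage.googleapis.com|*.storage.googleapis.com) echo "GCP Storage" ;;
    *.cdn.cloudflare.net)                           echo "Cloudflare" ;;
    *.akamaiedge.net|*.edgekey.net|*.edgesuite.net) echo "Akamai" ;;
    *.fastly.net)                                   echo "Fastly" ;;
    *.github.io)                                    echo "GitHub Pages" ;;
    *.herokuapp.com|*.herokudns.com)                echo "Heroku" ;;
    *.netlify.app|*.netlify.com)                    echo "Netlify" ;;
    *.vercel.app|cname.vercel-dns.com)              echo "Vercel" ;;
    *.myshopify.com)                                echo "Shopify" ;;
    *.squarespace.com)                              echo "Squarespace" ;;
    *.wixdns.net)                                   echo "Wix" ;;
    *.wordpress.com)                                echo "WordPress.com" ;;
    *)                                              echo "unknown" ;;
  esac
}

# Look up the direct CNAME target of a name and classify it. Network-bound;
# DIG_CMD (assumed variable) lets a test substitute a stub for dig.
cname_hosting() {
  local name target
  name=$1
  target=$("${DIG_CMD:-dig}" +short CNAME "$name" | head -n1)
  [ -n "$target" ] || { printf '%s: no CNAME (direct A/AAAA record)\n' "$name"; return 1; }
  printf '%s -> %s [%s]\n' "$name" "$target" "$(classify_cname "$target")"
}
```

A name that resolves with no CNAME is reported as directly hosted, which is the case the CDN and origin checks pick up separately.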
Output:
Creates a timestamped directory hosting_recon_<domain>_<timestamp>/ containing:
- hosting_analysis.txt - Complete analysis with summary
- whois_<ip>.txt - WHOIS data for each IP
- geo_<ip>.json - Geolocation data for each IP
- cdn_headers.txt - HTTP headers with CDN indicators
- ip_addresses.txt - List of resolved IPs
- cname.txt - CNAME records
The script provides specific guidance based on detected providers:
- CDN Detection → Origin server discovery techniques
- AWS Detection → S3 bucket misconfigurations, metadata service access
- Azure Detection → Blob storage misconfigurations
- GCP Detection → Storage bucket permissions
- Website Builders → Focus on application-level vulnerabilities
Requirements:
Both scripts require the following tools to be installed:
- bash (version 4.0+)
- dig (DNS lookup)
- whois
- curl
- openssl
- host
- traceroute
- python3 (for JSON parsing)
Installation:
macOS (Homebrew): brew install bind whois curl openssl
Debian/Ubuntu: sudo apt-get install dnsutils whois curl openssl traceroute
RHEL/CentOS: sudo yum install bind-utils whois curl openssl traceroute
Quick start:
./domain_recon.sh example.com
./hosting_recon.sh example.com
./domain_recon.sh example.com && ./hosting_recon.sh example.com
Legal notice:
- Only use these tools on domains/systems you own or have explicit written permission to test
- Unauthorized scanning may be illegal in your jurisdiction
- Always comply with applicable laws and regulations
- Respect rate limits and don't cause service disruption
- Some techniques may trigger security alerts
The authors are not responsible for misuse of these tools.
Tips:
- Always run both scripts - They provide complementary information
- Review WHOIS files - Look for network ranges to expand scope
- Check for CDNs - May need to bypass to find origin servers
- Examine SSL certificates - SANs often reveal related infrastructure
- Analyze HTTP headers - Technology stack hints for vulnerability research
- Geolocation matters - Consider data residency and jurisdiction
- Save all output - Include in your penetration testing report
AWS:
- Check for public S3 buckets using bucket name permutations
- Test for SSRF to metadata service (169.254.169.254)
- Look for exposed Lambda functions
- Check IAM misconfigurations
Azure:
- Test blob storage permissions
- Look for exposed storage accounts
- Check for function app misconfigurations
GCP:
- Test storage bucket ACLs
- Look for exposed Cloud Functions
- Check metadata service access
CDNs:
- Use origin discovery techniques
- Check for cache poisoning
- Test for header injection
- Look for misconfigurations allowing direct origin access
Example output structure:
recon_example.com_20250118_120000/
├── SUMMARY.txt # Main report
├── whois.txt # WHOIS data
├── dns_*.txt # DNS records
├── ssl_cert.txt # SSL certificate
├── technology_stack.txt # Detected technologies
└── ...
hosting_recon_example.com_20250118_120000/
├── hosting_analysis.txt # Complete analysis
├── whois_192.0.2.1.txt # Per-IP WHOIS
├── geo_192.0.2.1.json # Geolocation
└── ...
Feel free to submit issues or pull requests to improve these scripts.
These scripts are provided as-is for educational and authorized security testing purposes.
Changelog:
- Performance Improvements: Significant speed improvements for ASN/WHOIS lookups
  - Eliminated duplicate WHOIS lookups (50% reduction in calls)
  - Added parallel WHOIS fetching for multiple IPs (up to 85% faster)
  - Added 10-second timeouts to prevent hanging on slow/unresponsive servers
  - Implemented WHOIS result caching for instant repeated queries
  - See PERFORMANCE_IMPROVEMENTS.md for details
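The de-duplication, caching, timeout and parallel-fetch behaviour listed above, as an added shell illustration that is not the project's own code (and not the contents of PERFORMANCE_IMPROVEMENTS.md); WHOIS_CMD, WHOIS_TIMEOUT and CACHE_DIR are assumed knobs, and coreutils timeout(1) is used when it is present:

```shell
# Cached, timeout-bounded WHOIS lookups over a de-duplicated IP list
# (added example, not the project's code). Assumed knobs: WHOIS_CMD,
# WHOIS_TIMEOUT (seconds) and CACHE_DIR (one result file per IP).
WHOIS_CMD=${WHOIS_CMD:-whois}
WHOIS_TIMEOUT=${WHOIS_TIMEOUT:-10}
CACHE_DIR=${CACHE_DIR:-$(mktemp -d)}

# Unique, non-empty IPs from stdin in first-seen order, so each address
# is queried once even when several hostnames resolve to it.
dedupe_ips() { awk 'NF && !seen[$0]++'; }

# Run a command under a wall-clock limit when timeout(1) exists, so one
# unresponsive WHOIS server cannot stall the whole run.
run_bounded() {
  if command -v timeout >/dev/null 2>&1; then timeout "$WHOIS_TIMEOUT" "$@"; else "$@"; fi
}

# WHOIS for one IP, served from CACHE_DIR when it was fetched before.
# The result is written to a temp file and moved into place only on
# success, so a timed-out lookup never leaves a truncated cache entry.
cached_whois() {
  local ip cache
  ip=$1; cache="$CACHE_DIR/whois_$ip.txt"
  if [ -s "$cache" ]; then cat "$cache"; return 0; fi
  if run_bounded "$WHOIS_CMD" "$ip" >"$cache.tmp" 2>/dev/null; then
    mv "$cache.tmp" "$cache"; cat "$cache"
  else
    rm -f "$cache.tmp"; echo "whois failed or timed out: $ip" >&2; return 1
  fi
}

# Warm the cache for every unique IP in parallel (one job per IP; the
# list is deduplicated so no two jobs write the same file), then print
# the results in input order.
whois_all() {
  local ips ip
  ips=$(dedupe_ips)
  for ip in $ips; do cached_whois "$ip" >/dev/null 2>&1 & done
  wait
  for ip in $ips; do printf '== %s ==\n' "$ip"; cached_whois "$ip" || true; done
}
```

Pipe the resolved IPs into whois_all; a second run against the same CACHE_DIR returns from the cache without touching the network.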
- Initial release of domain_recon.sh
- Initial release of hosting_recon.sh
- Support for major cloud providers (AWS, GCP, Azure)
- CDN detection (Cloudflare, Akamai, Fastly)
- Website builder detection (Squarespace, Wix, Shopify, etc.)
- Comprehensive geolocation and WHOIS analysis