_     ____  ____ ___  _ ____  _____ ____ ____  _
 / \   /  _ \/_   \\  \///  __\/  __//   _Y  _ \/ \  /|
 | |   | / \| /   / \  / |  \/||  \  |  / | / \|| |\ ||
 | |_/\| |-||/   /_ / /  |    /|  /_ |  \_| \_/|| | \||
 \____/\_/ \|\____//_/   \_/\_\\____\\____|____/\_/  \|

./lazyrecon.sh -d target.com

Subdomain discovery using Sublist3r, certspotter, crt.sh and massdns

This script is intended to automate your reconnaissance process in an organized fashion by performing the following:

• Create a dated folder with recon notes
• Grab subdomains using Sublist3r and certspotter
• Grab a screenshot of responsive hosts
• Grab the response header
• Perform nmap
• Perform dirsearch
• Generate a HTML report with output from the tools above
• Color coding in report.html for easier reading

• Massdns subdomain discovery
• Massdns crt.sh subdomain discovery
• Find dead dns records
• Notify for possible NS Subdomain takeover
• Improved reporting and less output while doing the work
• Find ip address space of target company

This requires Bug Bounty Hunting Tools in order for the tools to work.

This requires Massdns installed in the root directory https://github.com/blechschmidt/massdns.

Get Asnlookup tool from https://github.com/yassineaboukir/asnlookup and install it into ~/tools/

Make sure you download all.zip and unzip it before using the script the file all.txt is a huge wordlist used by massdns.

- For instance the script handles wildcard dns very poorly this is going to be addressed next

• install.sh script
• Changes in dns records that may reveal a subdomain take over

Warning: This code was originally created for personal use for myself, so it's a bit messy and hopefully it'll be cleaned up with more features in a later release.