
C99 Recon

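# Operator and target settings. user_name and domain_name are used as-is when
# the environment already provides them; otherwise they are asked for on stdin.
client_name=""
if [ -z "${user_name:-}" ]; then
    printf "What's your name? "
    read -r user_name
fi

if [ -z "${domain_name:-}" ]; then
    printf "what's the attacking domain (eg. example)? "
    read -r domain_name
fi

# domain_name is interpolated into API query strings and into the JSON body
# sent to the webhook, so only hostname characters are accepted before it is
# used anywhere else.
case $domain_name in
    '' | *[!A-Za-z0-9._-]*)
        printf 'invalid domain name: %s\n' "$domain_name" >&2
        exit 1
        ;;
esac
#############################################################
# Placeholders. Both values act as credentials: fill them in locally and keep
# the filled-in copy out of version control and shared paste sites.
webhook="[slackHook]"
key="[c99 API key]"
# NOTE(review): ip.txt is read once here, before subdomainFinder rewrites it,
# so the functions that loop over $ips work from the list a previous run left
# behind (or from nothing if the file does not exist yet).
ips=$(cat < ip.txt)
# domains is loaded but not referenced by any function shown on this page.
domains=$(cat < domains.txt)
#############################################################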

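# Ask the c99 subdomainfinder endpoint for subdomains of $domain_name and
# derive a de-duplicated IP list from the JSON it returns.
# Globals: domain_name, key (read)
# Files:   appends to subdomains.txt, jsonSubdomains and discoveredIPs.txt,
#          overwrites ip.txt, all in the current directory. Because of the
#          appends, results from earlier runs stay mixed in.
# Outputs: progress text, raw API responses and extracted values on stdout
subdomainFinder() {
    local url sub
    # The API key is part of the URL, so it is visible in curl's argv (ps,
    # `set -x` traces) for as long as each request runs.
    url="https://api.c99.nl/subdomainfinder?key=$key&domain=$domain_name&json"

    printf 'Starting SubDomain finder on %s...\n\n' "$domain_name"

    # No request is made when the domain is empty.
    if [ -n "$domain_name" ]; then
        curl "$url" | grep -o '"subdomain":"[^"]*' | cut -d '"' -f 4 | tee -a subdomains.txt
    fi

    # NOTE(review): this issues one request per line of subdomains.txt, but
    # every request asks about $domain_name again, not about the line that
    # was read - confirm what was intended before relying on jsonSubdomains.
    while IFS= read -r sub || [ -n "$sub" ]; do
        [ -n "$sub" ] || continue
        curl "$url" | tee -a jsonSubdomains
    done < subdomains.txt

    # Entries whose "ip" field contains "none" are dropped.
    grep -o '"ip":"[^"]*' jsonSubdomains | cut -d '"' -f 4 | grep -v none | tee -a discoveredIPs.txt
    sort -u discoveredIPs.txt > ip.txt
}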

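# Call the c99 ip2domains endpoint once per address in $ips and append each
# raw response to ip2domains.txt (tee also copies it to stdout).
# Globals: ips, key (read)
ip2domain() {
    local addr
    printf '%s\n\n' "resolving ip to domains"
    # $ips stays unquoted on purpose: it is a whitespace-separated list.
    # The API key rides in the URL, so it shows up in curl's argv (ps, set -x).
    for addr in $ips; do
        curl "https://api.c99.nl/ip2domains?key=$key&ip=$addr&json" | tee -a ip2domains.txt
    done
}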

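# Call the c99 nmap endpoint once per address in $ips and append each raw
# response to basicNMAP.txt (tee also copies it to stdout). The request is
# made to the third-party API; nothing is scanned from the local host here.
# Globals: ips, key (read)
basicNMAP() {
    local addr
    printf '%s\n\n' "basic nmap"
    # $ips stays unquoted on purpose: it is a whitespace-separated list.
    # The API key rides in the URL, so it shows up in curl's argv (ps, set -x).
    for addr in $ips; do
        curl "https://api.c99.nl/nmap?key=$key&host=$addr&json" | tee -a basicNMAP.txt
    done
}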

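# Call the c99 domainhistory endpoint once per entry in subdomains.txt and
# append each raw response to domainHistory.txt (tee also copies it to stdout).
# Globals: key (read)
# Files:   reads subdomains.txt, appends to domainHistory.txt (current dir)
domainHistory() {
    local sub
    printf '%s\n\n' "discovering domain history"
    # One entry per line; blank lines are skipped. The API key rides in the
    # URL, so it shows up in curl's argv (ps, set -x).
    while IFS= read -r sub || [ -n "$sub" ]; do
        [ -n "$sub" ] || continue
        curl "https://api.c99.nl/domainhistory?key=$key&domain=$sub&json" | tee -a domainHistory.txt
    done < subdomains.txt
}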

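# Post a completion message to the Slack webhook.
# Globals: user_name, domain_name, webhook (read)
finishrecon(){
    local who=$user_name target=$domain_name payload
    # Both values end up inside a JSON string. Escape backslashes first, then
    # double quotes, so operator-supplied text cannot close the string or add
    # fields to the payload.
    who=${who//\\/\\\\}
    who=${who//\"/\\\"}
    target=${target//\\/\\\\}
    target=${target//\"/\\\"}
    payload=$(printf '{"text":"finished c99 recon for %s on %s.", "icon_emoji":"fire", "username":"c99 recon"}' "$who" "$target")
    # Payload and URL are quoted so a name containing spaces stays one argument
    # instead of being split into extra curl arguments. The webhook URL is a
    # credential and is visible in curl's argv while the request runs.
    curl -X POST -H 'Content-type: application/json' --data "$payload" "$webhook"
}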

# Run every stage of the workflow in a fixed order; the last stage posts the
# completion notice. The exit status is that of the final stage.
recon() {
    local stage
    for stage in subdomainFinder ip2domain basicNMAP domainHistory finishrecon; do
        "$stage"
    done
}
# Entry point: the workflow starts as soon as the script is executed.
recon