Loading repository data…
Loading repository data…
leebaird / repository
Custom Bash and Python scripts used to automate various penetration testing tasks including recon, scanning, enumeration, and malicious payload creation using Metasploit. For use with Kali Linux and Ubuntu.
Custom bash scripts used to automate various penetration testing tasks including recon, scanning,
enumeration, and malicious payload creation using Metasploit. For use with Kali Linux or Ubuntu.
cd ~
git clone https://github.com/leebaird/discover
cd discover/
./discover.sh
ffuf, feroxbuster, jq, etc.).dev/ and are also reachable from main menu option 15. Dev.RECON
1. Domain
2. Person
SCANNING
3. Generate target list
4. CIDR
5. List
6. IP, range, or URL
7. Rerun Nmap scripts and MSF aux
WEB
8. Insecure direct object reference
9. Open multiple tabs in Firefox
10. Nikto
11. SSL
MISC
12. Parse XML
13. Generate a malicious payload
14. Start a Metasploit listener
15. Dev
16. Update
17. Exit
Security scanners by Yiğit ibrahim (ibrahimsql). Scripts live under dev/ and can also be run directly.
Dev scripts originally by ibrahimsql
1. API Security
2. Cloud Security
3. Container Security
4. OAuth and JWT Security
5. Open Redirect Scanner
6. Sensitive Information
7. WAF Detection
8. Web and API Security
9. Previous menu
dev/
├── api-scanner.sh
├── cloud-scanner.sh
├── container-scanner.sh
├── oauth-jwt-scanner.sh
├── open-redirect.sh
├── sensitive-scanner.sh
├── waf-detect.sh
├── web-api-scanner.sh
├── data/
│ ├── api-paths.txt
│ ├── openredirect-payloads.txt
│ ├── sensitive-denylist.txt
│ ├── sensitive-patterns.tsv
│ ├── sensitive-skip-paths.txt
│ ├── sensitive-web-paths-quick.txt
│ ├── sensitive-web-paths-full.txt
│ ├── waf-aliases.tsv
│ ├── waf-labels.tsv
│ ├── waf-signatures.tsv
│ ├── web-api-phases.tsv
│ ├── web-api-tech-signatures.tsv
│ └── swagger-paths.txt
└── lib/
├── api-scanner/
│ └── common.sh
├── cloud-scanner/
│ ├── common.sh
│ ├── aws.sh
│ ├── azure.sh
│ └── gcp.sh
├── container-scanner/
│ ├── common.sh
│ ├── docker.sh
│ └── k8s.sh
├── oauth-jwt-scanner/
│ ├── common.sh
│ ├── oauth.sh
│ └── jwt.sh
├── open-redirect-scanner/
│ ├── common.sh
│ └── engine.py
├── sensitive-scanner/
│ ├── common.sh
│ ├── files.sh
│ ├── web.sh
│ ├── filescan.py
│ ├── engine.py
│ ├── fixtures/
│ └── run-tests.sh
├── waf-detect/
│ ├── common.sh
│ ├── probe.sh
│ ├── fixtures/
│ └── run-tests.sh
└── web-api-scanner/
├── common.sh
├── phases.sh
├── waf.sh
├── targets.sh
├── msf.sh
├── msf_parse.py
├── probe.sh
├── fixtures/
└── run-tests.sh
RECON
1. Passive
2. Breaches
3. Find registered domains
4. Google dorks
5. Web search
6. Import names
7. Import subdomains
8. Active
9. Previous menu
Note: Passive and Active cannot be ran as root.
PASSIVE RECON
Uses Amass, ARIN, DNSRecon, dnstwist, Metasploit, subfinder, sublist3r, theHarvester, Whois, and multiple websites.
import-names.sh)Run after a passive scan when you want to add or enrich contacts from manual research (LinkedIn, company sites, phone directories, etc.).
Enter the location of your previous passive scan:
/home/user/data/example.com
Enter manual contacts file (or press Enter for default):
Import names merges three sources, then refreshes pages/names.htm:
The merged TSV is saved back to tools/names. The names page is a sortable three-column table: Name, Title, Phone.
import-subdomains.sh)Run after a passive scan when you want to add or enrich hosts from Pentest-Tools or manual research.
Enter the location of your previous passive scan:
/home/user/data/example.com
Enter import file or firefox (or press Enter for default):
Supported imports:
firefox — pull pinia/scans from your Firefox profile (free Pentest-Tools scans)
Firefox pinia/scans export (pinia-scans.json)
Pentest-Tools JSON (pentest-tools-<domain>.json)
Pentest-Tools text export (pentest-tools.txt)
Tab-separated host/IP rows
Edit $HOME/data/<domain>/tools/subdomains-import.tsv for manual entries
Format: Subdomain, IP (tab-separated; IP optional)
Hosts without an IP are resolved with dig during import
Re-run Import subdomains whenever you add rows or run a new Pentest-Tools scan
Import subdomains merges with existing tools/subdomains, assigns categories from
old/subdomain-categories.tsv, splits private IPs to tools/private-subs, and
refreshes pages/subdomains.htm with Subdomain, Category, and IP columns only.
Run Active afterward to populate Photo, Status, Web Server, and Technologies.
active.sh)ACTIVE RECON
Run after a passive scan (and optionally Import subdomains) when you want to probe which public hosts respond over HTTP/HTTPS, fingerprint technologies, and capture screenshots.
Enter the location of your previous passive scan:
/home/user/data/example.com
Requires httpx, whatweb, gowitness, python3, and Chrome or Chromium (install
via Update).
tools/subdomains (RFC1918 IPs are skipped)tools/httpx.jsonltools/whatweb.jsontools/gowitness/recon/active-tech.py and refreshes
pages/subdomains.htmpages/active.htm (Reports menu → Active),
including software versions enriched with NVD CVSS when availablepages/subdomains.htm, and refresh pages/active.htmThe Reports menu contains Passive (pages/passive.htm, the former
report.htm rollup) and Active (pages/active.htm, httpx/whatweb stats).
Active Scope metrics
| Metric | Meaning |
|---|---|
| Public subdomains | Hosts in tools/subdomains with non-RFC1918 IPs |
| Private subdomains | Rows in tools/private-subs |
| Responding hosts | Unique hosts with an httpx status (any code) |
Status codes on the Active page count all httpx responses (including 404/5xx). Screenshots, whatweb, and Alive by category still use the alive subset only (status 200–399, 401, 403, or 405).
Public subdomains table (after Active):
| Column | Source |
|---|---|
| Subdomain, Category, IP | passive scan / Import subdomains |
| Photo | gowitness screenshot link when captured |
| Status | httpx status code |
| Web Server | httpx/whatweb Server header |
| Title / Technologies | httpx page title (filtered) + httpx tech / whatweb plugins |
The private subdomains table stays three columns (Subdomain, Category, Private IP Address).
active-tech.py merges and deduplicates overlapping data between columns — for
example, OpenSSL and mod_jk versions drop out of Web Server when already listed in
Technologies, Microsoft-IIS/10 shortens to Microsoft-IIS when IIS:10 is
present, Apache/2.4.37 shortens to Apache when Apache HTTP Server:2.4.37 is
present, OS names such as Red Hat are removed from Technologies when already shown
in the Web Server banner, and httpx Nginx labels are normalized to nginx.
Artifacts written under tools/:
active-targets.txt — public hostnames sent to httpxhttpx.jsonl — httpx JSON outputactive-alive.tsv — host, URL, and status for alive responsesactive.txt — alive URLs sent to whatweb and gowitnesswhatweb.json — whatweb JSON outputgowitness/screenshots/ — JPEG screenshotsgowitness/gowitness.jsonl and gowitness/gowitness.db — gowitness metadatasoftware-cves-cache.json — cached NVD CVSS/CVE lookups for the Active reportActive recon can enrich the Software versions table on pages/active.htm with
CVSS scores and CVE IDs from the National Vulnerability Database.
Lookups are implemented in recon/software-cve.py.
Without a key: enrichment still runs, but NVD’s anonymous rate limits apply (slower; roughly several seconds between requests).
With a key: authenticated rate limits (much faster).
Skip enrichment entirely:
export DISCOVER_SKIP_CVE=1
Get a free API key
.env — see below)How Discover finds the key
Order of precedence (non-empty values higher in the list always win):
export NVD_API_KEY=....env in the Discover install — $DISCOVER/.env.env in your home config — ~/.discover/.envExample .env line (no quotes required):
NVD_API_KEY=your-key-here
~/discover as documented above):
cp ~/discover/.env.example ~/discover/.env
or mkdir -p ~/.discover && cp ~/discover/.env.example ~/.discover/.env$DISCOVER/.env.example) instead of ~/discover.env is gitignored; never commit real keys.env.example is tracked as documentation onlyOther useful variables
| Variable | Purpose |
|---|---|
NVD_API_KEY | Optional NVD API key for faster CVSS lookups |
DISCOVER_SKIP_CVE=1 | Skip NVD queries; Software table still lists versions |
DISCOVER_CVE_PROGRESS=1 | Print each product lookup while building Active |
Cache file: <report>/tools/software-cves-cache.json (per engagement; re-runs reuse
cached product:version results). CVSS values are triage leads from NVD CPE
matches, not confirmed findings — validate before reporting to a client.
CISA Known Exploited Vulnerabilities (KEV)
Discover Update (main menu option 16 / misc/update.sh) downloads the CISA KEV
JSON catalog into Discover’s resource/ folder:
$DISCOVER/resource/known_exploited_vulnerabilities.json
(e.g. `~/discover/resource/kno