#!/bin/bash
ip=$1
echo “[+] Looking for open ports with nmap.”
nmap -A -p- -Pn -T4 $ip > ctf.txt
if (cat ctf.txt | grep open | grep ‘http\|https’); then
# Create domain name variable from nmap results
cat ctf.txt | grep ‘htb\|thm’ | cut -d ” ” -f 7 | cut -d “/” -f 3 > results.txt
url=”$(cat results.txt)”
# Take the IP address and url and combine them into a file to add them to the /etc/hosts file
echo $ip $url > results1.txt && cat results1.txt | sudo tee -a /etc/hosts
# Create file variables.
file=”$(cat ctf.txt | grep open | grep http | cut -d ” ” -f 1 | cut -d / -f 1)”
file1=”$(cat ctf.txt | grep open | grep https | cut -d ” ” -f 1 | cut -d / -f 1)”
echo ——————————————————— >> ctf.txt
echo “Subdomain results from ffuf” >> ctf.txt
echo “[+] Looking for subdomains with ffuf.”
ffuf -u http://$url -H “Host: FUZZ.$url” -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200 >> ctf.txt
echo “[+] Looking for directories with gobuster.”
gobuster dir -u $url -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt >> ctf.txt
echo “[+] Running web vulnerability scans with nikto.”
nikto -host $ip -p $file -ask no >> ctf.txt
nikto -host $ip -p $file1 -ssl -ask no >> ctf.txt
rm results1.txt results.txt
fi