Bazz Project Report

MERI College of Engineering and Technology

PROJECT REPORT

SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF THE DEGREE OF

BACHELOR OF TECHNOLOGY
(Computer Science Engineering)

SUBMITTED TO

Maharshi Dayanand University, Rohtak

SUBMITTED BY

Name of Student: Monika Yadav
Roll No.: 22CET0129
ACKNOWLEDGEMENT
I would like to extend my heartfelt gratitude to all those who have supported and contributed
to the completion of this report. Firstly, I am deeply indebted to my professor, Dr. Sachin
Kumar whose guidance, expertise, and unwavering support have been invaluable throughout
the research and writing process. Their insightful feedback and encouragement have greatly
enhanced the quality of this report. I also wish to express my appreciation to the faculty
members of MERI College of Engineering and Technology for their encouragement,
mentorship, and academic guidance, which have played a significant role in shaping this
document.
My sincere thanks also go to my friends and family for their patience, understanding, and
unwavering support during this endeavour. Furthermore, I acknowledge the authors,
researchers, and organizations whose work and publications have been referenced in this
report, providing valuable insights and information. Lastly, I would like to thank any other
individuals or organizations who have directly or indirectly contributed to the completion of
this report. Your support and encouragement have been indispensable, and I am truly grateful
for your contributions.

Monika Yadav
22CET0129

Teacher signature
Dr. Sachin Kumar
Associate Professor (CSE)
Table of contents
Acknowledgement
Chapter 1: Introduction
1.1 Project Overview
1.2 Background
Chapter 2: Technology used in the project
2.1 BASH SCRIPTING
2.2 PYTHON SCRIPTING
Chapter 3: Project: Bazz Reconnaissance
3.1 Purpose and Scope
3.2 What You Need to Know

Chapter 4: Feature Overview


4.1 Subdomain Enumeration
4.2 Live Domain Probing
4.3 Screenshotting
4.4 URL Finding
4.5 Parameter Discovery
4.6 Directory Fuzzing
4.7 Port Scanning
4.8 Vulnerability Scanning
4.9 Custom Scripting Support
4.10 Reporting and Analysis
4.11 Tools Used
Chapter 5: Methodology
Chapter 6: Conclusion

INTRODUCTION
PROJECT OVERVIEW
In the rapidly evolving landscape of cyber security, reconnaissance serves as the
bedrock upon which effective threat detection and vulnerability assessment are built.
The art of gathering intelligence about potential targets, discerning attack surfaces,
and uncovering security vulnerabilities stands as a pivotal aspect of safeguarding
digital assets against the ever-looming specter of malicious actors. Recognizing the
paramount importance of reconnaissance in fortifying digital defenses, we proudly
introduce the Bazz Reconnaissance Framework—a comprehensive, robust, and
versatile tool meticulously engineered to empower cyber security professionals and
bug hunters alike with advanced reconnaissance capabilities of unparalleled depth
and sophistication.
Bazz brings together a broad set of features that cover the needs encountered in
reconnaissance operations. From subdomain enumeration with tools such as Subfinder and
Amass, through port scanning, directory fuzzing and URL enumeration, to automated
vulnerability scanning for XSS, SQLi, SSTI and more, Bazz gives users a wide arsenal for
mapping and analyzing a target's potential attack vectors.
BACKGROUND

In the ever-evolving landscape of cyber security, the role of reconnaissance stands as an
indispensable pillar in the defense against digital threats. The process of reconnaissance,
encompassing the systematic gathering of intelligence about potential targets, the
identification of attack surfaces, and the discovery of vulnerabilities, serves as the
foundational bedrock upon which effective threat detection and vulnerability assessment are
built.
As organizations increasingly find themselves besieged by an array of sophisticated cyber
adversaries, the imperative for robust reconnaissance capabilities has never been more acute.
Bug bounty programs, penetration testing engagements, and security assessments all hinge
upon the ability to conduct thorough, exhaustive reconnaissance operations—an endeavor
fraught with challenges and complexities.
Traditional reconnaissance methodologies, while effective to a certain extent, often fall short
in the face of the rapidly evolving threat landscape. Manual reconnaissance processes are
time-consuming, labor-intensive, and prone to human error, while existing automated tools
may lack the versatility, comprehensiveness, or adaptability required to navigate the
intricacies of modern digital environments.
Recognizing the critical need for a comprehensive, adaptable, and efficient reconnaissance
solution, the Bazz Reconnaissance Framework emerges as a beacon of innovation—a
testament to the relentless pursuit of excellence in the realm of cyber security. Born out of a
fervent desire to empower cyber security professionals and bug hunters with the tools,
techniques, and methodologies necessary to conduct thorough, precise reconnaissance
operations, Bazz represents a quantum leap forward in the quest for cyber resilience.
By amalgamating a diverse array of cutting-edge tools, sophisticated techniques, and rigorous
methodologies into a unified, cohesive framework, Bazz endeavors to streamline and
optimize the reconnaissance process, affording practitioners an unparalleled degree of agility,
efficiency, and efficacy in their endeavors. Through the seamless orchestration of automated
tooling, manual analysis, and innovative scripting, Bazz delivers a holistic, all-encompassing
solution—a force multiplier in the ongoing battle against cyber threats.

As organizations grapple with an ever-expanding attack surface and an increasingly hostile
threat landscape, the Bazz Reconnaissance Framework stands ready to chart a course towards
a safer, more secure digital future. With its robust feature set, intuitive design, and
unwavering commitment to excellence, Bazz embodies the spirit of innovation, resilience,
and empowerment: an indispensable ally in the ceaseless quest to safeguard the digital realm
against the machinations of malicious actors.
Technology used in the project
1.BASH SCRIPTING

A bash script is a file containing a sequence of commands that are executed by the
bash program line by line. It allows you to perform a series of actions, such as
navigating to a specific directory, creating a folder, and launching a process using
the command line.
Automation: Shell scripts allow you to automate repetitive tasks and processes,
saving time and reducing the risk of errors that can occur with manual execution.
Portability: Shell scripts run on Unix, Linux and macOS, and on Windows through WSL,
Cygwin or Git Bash, as long as the external tools they call are installed there too.
Flexibility: Shell scripts are highly customizable and can be easily modified to suit
specific requirements. They can also be combined with other programming languages
or utilities to create more powerful scripts.
Accessibility: Shell scripts are easy to write and don't require any special tools or
software. They can be edited using any text editor, and most operating systems have a
built-in shell interpreter.
Integration: Shell scripts can be integrated with other tools and applications, such as
databases, web servers, and cloud services, allowing for more complex automation
and system management tasks.
Debugging: Shell scripts are easy to debug. Bash can trace every command as it runs
(bash -x script.sh, or set -x inside the script), abort on the first failing command
(set -e) and on unset variables (set -u), which quickly pinpoints a broken pipeline or
a misspelled variable.
2. PYTHON SCRIPTING

Python scripts are Python code files saved with a .py extension, and they run on any
device that has a Python interpreter installed. They are very versatile and are used for
tasks such as data analysis, web development and security tooling. Within Bazz, Python
is used for a few of the helper tools (for example the CORS scanner and FavFreak described
in Chapter 4), while the orchestration itself is written in Bash.
Python is a high-level, general-purpose programming language. Its design philosophy
emphasizes code readability through the use of significant indentation. Python is
dynamically typed and garbage-collected. It supports multiple programming paradigms,
including structured (particularly procedural), object-oriented and functional
programming, and is often described as a "batteries included" language because of its
comprehensive standard library.
Guido van Rossum began working on Python in the late 1980s as a successor to the ABC
programming language and first released it in 1991 as Python 0.9.0. Python 2.0 was
released in 2000. Python 3.0, released in 2008, was a major revision that was not
completely backward-compatible with earlier versions. Python 2.7.18, released in 2020,
was the last release of Python 2. Python consistently ranks as one of the most popular
programming languages and is widely used in the machine learning community.
PROJECT
BAZZ Reconnaissance Framework

Purpose and Scope


At the heart of the Bazz Reconnaissance project lies its namesake: the Reconnaissance
Framework. Engineered to be versatile, powerful, and intuitive, this framework serves
as the nucleus around which the entire project orbits. Designed with the express
purpose of simplifying and optimizing the reconnaissance process for cyber security
professionals and bug hunters, the Reconnaissance Framework embodies the
culmination of extensive research, meticulous planning, and innovative design.

Comprehensive Tool Integration

One of the defining features of the Reconnaissance Framework is its seamless
integration of a diverse array of cutting-edge reconnaissance tools and techniques.
From robust subdomain enumeration facilitated by tools like Subfinder and Amass, to
comprehensive port scanning and enumeration capabilities, directory fuzzing, URL
enumeration, and automated vulnerability scanning for XSS, SQLi, SSTI, and
beyond, the framework boasts an expansive arsenal designed to address the myriad
challenges encountered in reconnaissance operations.

Flexible Methodologies

Central to the versatility and adaptability of the Reconnaissance Framework are its
flexible methodologies, which encompass both active and passive reconnaissance
techniques. By leveraging a combination of automated tooling and manual analysis,
the framework empowers practitioners to conduct comprehensive assessments,
uncovering hidden assets, identifying exposed services, and surfacing vulnerabilities
that may pose a risk to the security posture of organizations. This flexibility enables
users to tailor their reconnaissance approach to suit the specific requirements and
nuances of each engagement.

Efficient Orchestration

Built upon the robust foundation of Bash scripting, the Reconnaissance Framework
embodies efficiency and elegance in its implementation. Through the seamless
orchestration of various reconnaissance tools and techniques, the framework delivers
a cohesive and intuitive user experience, allowing practitioners to navigate the
complexities of reconnaissance operations with consummate ease and precision.
Whether sweeping a handful of specific domains or running a wide scope end to end,
users can rely on the Reconnaissance Framework to streamline their workflow and
maximize their productivity.

Continuous Development and Improvement

In line with the dynamic nature of the cyber security landscape, the Reconnaissance
Framework is subject to ongoing development and improvement. Constantly evolving
in response to emerging threats, evolving technologies, and user feedback, the
framework remains at the forefront of innovation, ensuring that users have access to
the latest tools, techniques, and methodologies to stay one step ahead of cyber
adversaries. This commitment to continuous improvement underscores the project's
dedication to excellence and its unwavering commitment to empowering defenders in
the ongoing battle for cyber resilience.
The Bazz Reconnaissance Project: What You Need to
Know
Project BAZZ is a simple collection of small bash scripts that run one after another to
drive various tools and recon steps and store their output in an organized way. The project
was initially created to automate recon for personal use and was never meant to be public,
as there is nothing fancy about it, but at the request of the community Project Bazz is now
public. Please feel free to improve it in any way you can. There is no secret sauce
involved; it is just a set of commands and existing tools wired together in bash scripts
for simple recon automation.
Project Bazz follows @Anonx_hunter's Scope Based Recon Methodology. Currently the tool
supports recon for:
Small Scope (single URLs in scope): performs a limited recon; useful when only a few URLs
are in scope.
Medium Scope (*.target.com in scope): enumerates more assets and gives you more targets
to test.
Large Scope (everything in scope): performs almost every recon vector, from subdomain
enumeration to fuzzing.

What It Does
The project chains existing reconnaissance tools so that a tester can map a target's
attack surface: forgotten or unlisted hosts, services listening on ports that should not
be reachable, archived URLs and parameters that accept user input, and hidden directories
and files.

Why It's Important
An organization can only defend what it knows it has exposed. Running the same
reconnaissance an attacker would, before the attacker does, lets defenders and bug
hunters find and fix weaknesses before they are exploited.

How It Works
BAZZ is a set of small bash scripts that run the tools in sequence and store each tool's
output in an organized directory structure, so later stages (probing, fuzzing, scanning)
consume the output of earlier ones. The project is community-maintained: users contribute
scripts and improvements, which is how it keeps up with new tools and techniques.
Features Overview

Subdomain Enumeration:
This feature discovers the subdomains of a target domain. Subdomains reveal an
organization's infrastructure (staging hosts, internal tools, forgotten services) and
therefore its potential attack vectors, which makes enumeration a crucial first step in
reconnaissance. The process is divided into two phases: active and passive enumeration.

Active Subdomain Enumeration:


Active subdomain enumeration involves actively querying DNS servers or conducting
brute-force attacks to discover subdomains associated with the target domain. This
approach may include techniques such as DNS zone transfers, DNS queries (e.g.,
using tools like dig or nslookup), or brute-force guessing of subdomains based on
common patterns or wordlists.
Active enumeration is proactive and involves direct interaction with DNS
infrastructure. While it can be effective in discovering subdomains, it also carries a
higher risk of detection by network defenders or triggering security alerts due to the
increased volume of DNS queries.

Tools Used in Active Phase :


Amass:
Amass is an open-source tool from OWASP for network mapping and attack-surface discovery
during security assessments and penetration testing. It enumerates subdomains, IP
addresses and associated domains for a target. Its enum mode collects from passive data
sources by default; DNS brute-forcing and other active techniques are switched on with
the -brute and -active flags, so which phase a run belongs to depends on how it is
invoked.

Integration with Other Tools: Amass is designed to work with other reconnaissance and
penetration-testing tools and can be dropped into larger workflows and automation
frameworks, which is how Bazz uses it.
Assetfinder:
Assetfinder is a small open-source tool (by tomnomnom) for finding subdomains and related
domains of a target. Although it is grouped with the active tools here, it gathers names
from public sources such as certificate transparency logs, HackerTarget and the Wayback
Machine and does not brute-force DNS itself; the active part of this phase is the DNS
resolution and brute-forcing done with shuffledns (see Subdomain Bruteforcing below).

Passive Subdomain Enumeration:


Passive subdomain enumeration, on the other hand, involves collecting information
about subdomains from publicly available sources without directly interacting with
DNS servers. This approach relies on data sources such as search engines, public
repositories, certificate transparency logs, and DNS records leaked on the internet.
Passive enumeration is stealthier compared to active enumeration since it does not
involve direct interaction with the target's DNS servers. However, it may have
limitations in terms of coverage and timeliness, as it relies on external data sources
that may not always be up-to-date or comprehensive.
Tools Used in Passive Phase :

Subfinder : subfinder is a subdomain discovery tool that returns valid subdomains for
websites, using passive online sources. It has a simple, modular architecture and is
optimized for speed. subfinder is built for doing one thing only - passive subdomain
enumeration, and it does that very well.

Subfinder Features:
- Fast and powerful resolution and wildcard elimination modules
- Curated passive sources to maximize results
- Multiple output formats supported (JSON, file, stdout)
- Optimized for speed and lightweight on resources

OUTPUT: screenshots of Subfinder, Amass and the GitHub subdomain fetcher (not reproduced here).
Live Domain Probing:
Live domain probing involves identifying active domains and services within a target
network. This allows for focused reconnaissance efforts and helps identify potential
entry points for cyber attacks.
Tool Used :
HTTPX:
HTTPX is a fast and multi-purpose HTTP toolkit that runs multiple probes using the
retryablehttp library. It is designed to keep results reliable even with a large number
of threads.
- Simple and modular code base making it easy to contribute.
- Fast and fully configurable flags to probe multiple elements.
- Supports multiple HTTP-based probes.
- Smart auto fallback from https to http by default.
- Supports hosts, URLs and CIDR ranges as input.


Subdomain Bruteforcing:
The active phase guesses candidate names from a wordlist and keeps those that resolve.
Wildcard DNS (a zone that answers for any name) would make every guess look valid, so
the resolver must detect and discard wildcard answers.
Tools Used:
Shuffledns:
shuffleDNS is a wrapper around massdns, written in Go, that enumerates valid subdomains
by active brute force and resolves subdomains with wildcard handling and easy
input/output support.
- Simple and modular code base making it easy to contribute.
- Fast and simple active subdomain scanning.
- Handles wildcard subdomains in a smart manner.
- Optimized for ease of use.
- Stdin and stdout support for integrating in workflows.

Screenshotting:
Screenshotting captures images of the web pages served by the discovered hosts. The
screenshots let a tester triage hundreds of hosts visually (login pages, admin panels,
default installs, error pages) before spending time on manual testing.

Tools Used for Screenshotting:
Gowitness:
Gowitness is a website screenshot utility written in Go that uses headless Chrome to
generate screenshots of web interfaces from the command line, with a report viewer to
process the results. Linux and macOS are supported, with Windows support mostly working.
URL Finding:
URL finding focuses on identifying and enumerating URLs associated with target
domains. This allows for a comprehensive analysis of web applications and services,
helping to uncover potential vulnerabilities and attack vectors.


Tools Used :
GAU :
getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback
Machine, Common Crawl, and URLScan for any given domain. Inspired by
Tomnomnom's waybackurls.

Waybackurls:
Accept line-delimited domains on stdin, fetch known URLs from the Wayback Machine
for *.domain and output them on stdout.

Waymore:
Anyone who does bug bounty will likely have used the amazing waybackurls by @TomNomNom.
That tool gets URLs from web.archive.org and additional links (if any) from one of the
index collections on index.commoncrawl.org. You will also likely have used the amazing
gau by @hacker_, which finds URLs from the Wayback archive and Common Crawl but also from
AlienVault and URLScan. Waymore gets URLs from all of those sources too.
Parameter Discovery:
Parameter discovery involves detecting and enumerating parameters within URLs.
This enables thorough testing for vulnerabilities such as SQL injection (SQLi), cross-
site scripting (XSS), and other injection attacks.

Tools Used:
Paramspider:
ParamSpider fetches URLs related to a domain or list of domains from Wayback archives and
filters out "boring" URLs (static files and URLs without parameters), so you can focus on
the ones that matter most.

Arjun :
HTTP Parameter Discovery Suite :-
Arjun can find query parameters for URL endpoints. If you don't get what that means, it's
okay, read along.
Web applications use parameters (or queries) to accept user input
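Parameter discovery produces far more URLs than a scanner should be fed: archive sources return the same endpoint with hundreds of different parameter values. The script below is an added example, not code from ParamSpider, gf or the Bazz project; it shows the de-duplication step that sits between URL finding and the parameter/XSS scanners: keep one URL per endpoint and parameter-name set, drop static assets (the kind of "boring" URL ParamSpider filters), and treat ?a=1&b=2 and ?b=9&a=8 as the same endpoint. The input lines, the function names and the extension list are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from Bazz, ParamSpider or gf. Function names and
# the static-asset extension list are assumptions made for this illustration.

# param_urls: stdin -> stdout. Keep only URLs with a query string, drop
# obvious static assets, strip fragments, and print the first URL seen for
# each distinct (host, path, sorted set of parameter names). The scheme is
# ignored in the key so http:// and https:// copies collapse into one.
param_urls() {
  grep '?' \
    | sed 's/#.*$//' \
    | grep -Ev '\.(js|css|png|jpe?g|gif|svg|woff2?|ico)(\?|$)' \
    | awk '
      {
        q = index($0, "?")
        base = substr($0, 1, q - 1)
        query = substr($0, q + 1)
        sub(/^[a-z]+:\/\//, "", base)          # drop scheme for the key
        n = split(query, pairs, "&")
        split("", keys)                         # reset per line
        for (i = 1; i <= n; i++) {
          split(pairs[i], kv, "=")
          keys[i] = kv[1]
        }
        # insertion sort so id&ref and ref&id yield the same key
        for (i = 2; i <= n; i++) {
          v = keys[i]; j = i - 1
          while (j > 0 && keys[j] > v) { keys[j + 1] = keys[j]; j-- }
          keys[j + 1] = v
        }
        names = ""
        for (i = 1; i <= n; i++) names = names "&" keys[i]
        key = base names
        if (!(key in seen)) { seen[key] = 1; print }
      }'
}

# Constructed sample of what a gau/waybackurls dump looks like.
sample_urls() {
  cat <<'EOF'
https://example.com/item?id=1
https://example.com/item?id=2&ref=home
https://example.com/item?ref=home&id=3
https://example.com/static/app.js?v=5
https://example.com/about
https://example.com/search?q=shoes#top
http://example.com/item?id=9
https://example.com/login?next=/account&user=alice
EOF
}

# Usage: 8 archived URLs become the 4 the scanner actually needs.
sample_urls | param_urls
```

In a pipeline this sits directly before the scanner (gau domain | param_urls | dalfox pipe, for instance); keeping the first occurrence rather than a rewritten URL preserves a real value for each parameter, which some scanners need to detect reflection.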
Directory Fuzzing:
Directory fuzzing entails probing web servers for hidden directories and files. This
helps identify potential entry points for unauthorized access or data leakage,
enhancing the overall security posture of web applications.
Tools Used:
Dirsearch:
Web path discovery suite: fuzzes directory endpoints to find valid paths. Dirsearch
brute-forces a web server with a wordlist to find sensitive directories and files.

FFUF :
ffuf is a fast web fuzzer written in Go that allows typical directory discovery, virtual host
discovery (without DNS records) and GET and POST parameter fuzzing. This program is
useful for pentesters, ethical hackers and forensics experts. It also can be used for security
tests.
Port Scanning:
Port scanning involves scanning target hosts for open ports and services. This helps
identify potential attack vectors and points of entry for exploitation, allowing for
proactive security measures to be implemented.
Run against an organization's own assets, the same scan shows which services are exposed
and whether a firewall or filtering device sits in front of them; from an attacker's side
it is the first step of target selection, so it is worth seeing what they would see.
Tools Used:
NAABU:
Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts
in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT/UDP
scans on the host/list of hosts and lists all ports that return a reply.
NMAP :
Nmap is a network scanning tool—an open source Linux command-line tool—used for
network exploration, host discovery, and security auditing. Gordon Lyon (pseudonym Fyodor
Vaskovich) created it to help map an entire network easily and find its open ports and services.

Vulnerability Scanning:
Vulnerability scanning automates the detection of common web application
vulnerabilities such as XSS, SQLi, and server-side template injection (SSTI). This
streamlines the assessment process and accelerates remediation efforts.

Tools Used :

Nuclei:
Nuclei sends requests across targets based on templates, which keeps false positives low
(each template encodes a specific matcher rather than a version guess) and scans a large
number of hosts quickly. It supports a variety of protocols, including TCP, DNS, HTTP,
SSL, File, Whois, WebSocket, Headless and Code. With its flexible templating, Nuclei can
model all kinds of security checks.
Nuclei is an open-source tool for detecting and scanning vulnerabilities in web
applications and websites.

Templates :
Templates are the core of the nuclei scanner which powers the actual scanning engine. This
repository stores and houses various templates for the scanner provided by our team, as well
as contributed by the community.
SUBOVER :
- Used For Finding Subdomain Takeover
SubOver is a hostile subdomain takeover tool, originally written in Python but rewritten
from scratch in Go with speed and efficiency in mind. To date SubOver detects 30+
services, more than most comparable tools. It uses Go concurrency and is therefore very
fast, and it detects and reports potential subdomain takeovers: dangling CNAMEs pointing
at third-party services that an attacker could claim. The comprehensive list of
hijackable services is what makes the tool powerful.

GF Patterns:
A wrapper around grep to avoid typing common patterns. Bazz uses it to pull URLs that
match the signatures of commonly vulnerable parameters (the xss, sqli, ssrf, redirect,
lfi and similar pattern sets) out of the collected URL lists.

Dalfox : Automatic Cross Site Scripting Finder


DalFox is an open-source tool focused on automation, which makes it suited to quickly
scanning for XSS flaws and analyzing parameters. Its testing engine and niche features
streamline detecting and verifying vulnerabilities.
Dalfox is a fast parameter-analysis and cross-site scripting (XSS) scanner based on a
DOM (Document Object Model) parser. Besides XSS it has additional checks for SQL
injection (SQLi), server-side template injection (SSTI) and open redirects. Dalfox is
written in Go and can find reflected, stored and blind XSS in the target web application.
The basic idea is to analyze parameters, find XSS and verify the findings with the DOM
parser.
Key Features:
1. Parameter analysis to find reflected parameters.
2. Identification of the characters that pass through unencoded ("free" characters) and
of the injection point.
3. Static analysis: checks for missing or weak headers such as CSP and X-Frame-Options.
4. Payload optimization: characterizes the injection point and generates a payload fitted
to it.
5. Elimination of payloads that rely on characters the target filters.

Custom Scripting Support:


This feature allows for the incorporation of custom scripts and modules into the
framework. Users can tailor reconnaissance methodologies and integrate specialized
tools and techniques to meet specific requirements.
Tools Used:
One-liner to find the Heartbleed vulnerability:
- Heartbleed vulnerability:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software
library. This weakness allows stealing the information protected, under normal conditions, by the
SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and
privacy over the Internet for applications such as web, email, instant messaging (IM) and some
virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by
the vulnerable versions of the OpenSSL software. This compromises the secret keys used to
identify the service providers and to encrypt the traffic, the names and passwords of the users and
the actual content. This allows attackers to eavesdrop on communications, steal data directly from
the services and users and to impersonate services and users.

ONELINER (corrected: the original omitted -tlsextdebug, without which openssl s_client
never prints the extension list and every host is reported "safe"; the probed file must
contain bare hostnames, one per line):
# Check whether each probed host advertises the TLS heartbeat extension.
while read -r line; do
  echo "QUIT" | openssl s_client -connect "$line:443" -tlsextdebug 2>&1 \
    | grep 'server extension "heartbeat" (id=15)' \
    || echo "$line: safe"
done < "$dir/${1}_probed"
A match only proves the server advertises the heartbeat extension, which is necessary
but not sufficient for Heartbleed (CVE-2014-0160): a patched OpenSSL still advertises
it. Confirm a hit with a dedicated check such as nmap's ssl-heartbleed NSE script before
reporting it.

- cors_scan.py:
CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in
websites. It helps website administrators and penetration testers check whether the
domains/URLs they are targeting have insecure CORS policies.
- Fast: it uses gevent instead of Python threads for concurrency, which is much faster
for network scanning.
- Comprehensive: it covers all the common types of CORS misconfiguration known to its
authors.
- Flexible: it supports various user-defined features (e.g. file output), which helps
with large-scale scanning.
- CORScanner can be used as a library in your project.
FavFreak.py:
I created this tool to make my work easier when it comes to recon using favicon hashes.
It takes a list of URLs (with http or https protocol) from stdin, then fetches
favicon.ico and calculates its hash value. It sorts the domains/subdomains/IPs according
to their favicon hashes and, the most interesting part, matches the calculated favicon
hashes with the hashes present in the fingerprint dictionary; if matched, it shows the
results in the output. There is an option to generate Shodan dorks as well (that is
pretty basic and you can do it manually too).
GITHOUND:
GitHound hunts down exposed API keys and other sensitive information on GitHub using
GitHub code search, pattern matching, and commit history searching. Unlike other
secret-finding tools, GitHound's use of GitHub code search lets it search all of GitHub
rather than being limited to specific repos, users, or orgs.

JSSCAN:
A tool designed to scrape a list of .js files and extract URLs, as well as other
interesting information, as long as you adjust the regexes to what you are looking for.
Reporting and Analysis:
Every stage writes its results to files under the target's output directory, so the
findings (live hosts, URLs, parameters, open ports, scanner hits) can be reviewed and
turned into a report that lists the vulnerabilities discovered and the recommended
mitigations. For long-running scans the results are pushed to the tester as they appear,
so remediation planning can start before the run finishes.

Tools Used:
Notify:
Notify is a Go-based helper that streams the output of other tools (or reads from a
file) and publishes it to a variety of supported platforms, such as Slack, Discord and
Telegram.
METHODOLOGY

The methodology is the scope-based workflow introduced in Chapter 3: BAZZ is a collection
of small bash scripts that run the tools described above one after another and store
their output in an organized way, and the set of steps executed is chosen by the scope
flag. There is no secret sauce; the scripts are plain commands that anyone can read and
improve.

BAZZ WorkFlow:
Small Scope (single URLs in scope): limited recon; useful when only a few URLs are in
scope.
Medium Scope (*.target.com in scope): enumerates more assets and gives more targets to
test.
Large Scope (everything in scope): runs almost every recon vector, from subdomain
enumeration to fuzzing.

Use Cases:
- Small Scope Recon:
BAZZ -t targetfile -S
- Medium Scope Recon:
BAZZ -t targetfile -M
- Large Scope Recon:
BAZZ -t targetfile -L
The target file contains the list of domains to perform recon on, one per line, for
example: google.com

Exclude out-of-scope subdomains (as per policy)

BAZZ has a flag to remove out-of-scope subdomains from the scan. Use the "-e" flag with
a comma-separated list of subdomains:
BAZZ -t targetfile -S -e sub.ex.com,sub1.ex.com
Check the resulting host list before the scan starts: a program's policy usually puts a
host and everything beneath it out of scope, so api.sub.ex.com must go along with
sub.ex.com, while an unrelated name that merely contains the string (notsub.ex.com) must
stay.
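The following is an added example (not code from the Bazz repository) of the host-list handling that the subdomain enumeration stage in Chapter 4 and the -e exclusion flag above both need: it normalises the raw output of several enumeration tools, keeps only names under the target domain, and drops the excluded hosts and their children on DNS-label boundaries rather than by substring. The sample input is constructed, and the function names and the sed/awk implementation are assumptions of this example, not BAZZ's internals.

```shell
#!/bin/sh
# Added example, not from the Bazz repository: scope handling for a merged
# subdomain list. Function names and the sed/awk implementation are assumed
# for illustration; BAZZ's own scripts may do this differently.

# normalize_hosts: stdin -> stdout. Lowercase, strip scheme, port and path,
# drop wildcard prefixes and trailing dots, remove empty lines, deduplicate.
normalize_hosts() {
  tr 'A-Z' 'a-z' \
    | sed -e 's#^[a-z][a-z0-9+.-]*://##' \
          -e 's#[/:].*$##' \
          -e 's/^\*\.//' \
          -e 's/\.$//' \
    | grep -v '^$' \
    | sort -u
}

# in_scope: keep hosts equal to the root domain ($1) or ending in ".<root>".
# Matching on the leading dot is what rejects "notexample.com".
in_scope() {
  awk -v root="$1" '
    $0 == root || substr($0, length($0) - length(root)) == ("." root) { print }
  '
}

# exclude_hosts: drop each host in the comma-separated list ($1) and every
# host beneath it, so "sub.ex.com" removes "api.sub.ex.com" but keeps
# "notsub.ex.com". A plain "grep -v sub.ex.com" would also drop notsub.ex.com.
exclude_hosts() {
  awk -v list="$1" '
    BEGIN { n = split(list, ex, ",") }
    {
      for (i = 1; i <= n; i++) {
        if (ex[i] == "") continue
        if ($0 == ex[i]) next
        if (substr($0, length($0) - length(ex[i])) == ("." ex[i])) next
      }
      print
    }
  '
}

# filter_scope: the whole pipeline. $1 = root domain, $2 = exclusions.
filter_scope() {
  normalize_hosts | in_scope "$1" | exclude_hosts "$2"
}

# Constructed sample of what a merged subfinder/amass/assetfinder dump looks like.
sample_hosts() {
  cat <<'EOF'
https://API.example.com/login
api.example.com.
*.dev.example.com
notexample.com
sub.example.com
app.sub.example.com
mail.example.com:25
example.com
EOF
}

# Usage: prints api.example.com, dev.example.com, example.com, mail.example.com
sample_hosts | filter_scope example.com sub.example.com
```

The filtered list is what should be handed to httpx, naabu and the scanners; applying the exclusion once here, before probing, also means no request is ever sent to an out-of-scope host, which is the property a bug-bounty policy actually demands.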

Side Notes
If you don't want to use a specific module, just comment it out and it won't be run.
Change the blind XSS payload in /BAZZ/arsenal/autoxss.sh to your own (visit XSS Hunter to
get one); otherwise any callback fired by an injection lands in someone else's XSS Hunter
instance, leaking the vulnerable target to a third party.
INSTALLATION STEPS

Tools Used :
Nuclei
HTTPX
GF & GF-Patterns
Secret Finder
Heartbleed Oneliner
AMASS
Subfinder
Assetfinder
JSScan
FavFreak
Waybackurls
Gau
Parallel
asnip
dirsearch
gowitness
subjack
CORS Scanner
git-hound
Shuffledns
Massdns
~ Other onliners and tools to be added.

Pre-Requisite :
1. Make sure the latest version of Go is installed and that $GOPATH/bin (where go install
places binaries) is on your PATH.

Installation :
1. Clone the repository: https://github.com/AnonX-Hunter/Bazz-Recon
2. Run the install script to fetch the tools listed above: sh install.sh
3. The arsenal directory contains the small scripts that make up BAZZ. Give the scripts in
this directory executable permissions.
4. Navigate to the ~/arsenal directory and run the following command to see all the
supported options provided in BAZZ: ./Bazz.sh -h
5. On a VPS, run BAZZ inside a screen session when scanning a larger set of targets:
screen -S <screen_name> ~/arsenal/Bazz.sh -h
Replace -h with the target file and scope flags of the actual scan (-h only prints the help
and exits). The screen session keeps BAZZ running even if the SSH connection is
terminated or you turn off your local machine.
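The steps above gathered into a small preflight-and-launch helper. This is an added example, not part of BAZZ: the tool names come from the list on this page (only those whose Go binary name I am sure of; the Python tools such as SecretFinder, FavFreak and dirsearch are run from their .py files and are not checked), the ~/arsenal/Bazz.sh path and the screen usage come from the steps above, and the function names and the ~/bazz-logs log directory are this example's own choices. What it adds to the steps: it confirms that $GOPATH/bin really is on PATH and that every tool resolves before a multi-hour scan is started in screen, and the screen session is given real scope flags and a log file rather than -h.

```shell
#!/bin/sh
# Added example: preflight checks and a detached launch for BAZZ.
# Not part of BAZZ itself. Paths and tool names follow the install steps
# on this page; function names and the log directory are assumptions.

# Go-installed tools from the page's "Tools Used" list. Binary names are
# assumed to be the ones produced by `go install`; the Python tools
# (SecretFinder, FavFreak, dirsearch) run from their .py files, so they
# are not checked here.
BAZZ_TOOLS="nuclei httpx gf amass subfinder assetfinder waybackurls gau parallel gowitness subjack shuffledns massdns asnip"

# missing_tools "name1 name2 ..." -> prints each name that is not on PATH
missing_tools() {
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
    done
}

# gobin_on_path PATHVALUE DIR -> success when DIR is an entry of PATHVALUE
# (exact entry match, so /home/u/go is not mistaken for /home/u/go/bin)
gobin_on_path() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# preflight -> success only if go is installed, $(go env GOPATH)/bin is on
# PATH (prerequisite step 1) and every tool from install.sh resolves.
preflight() {
    if ! command -v go >/dev/null 2>&1; then
        echo "preflight: go is not installed or not on PATH" >&2
        return 1
    fi
    gobin="$(go env GOPATH)/bin"
    if ! gobin_on_path "$PATH" "$gobin"; then
        echo "preflight: $gobin is not on PATH; go-installed tools will not be found" >&2
        return 1
    fi
    missing="$(missing_tools "$BAZZ_TOOLS")"
    if [ -n "$missing" ]; then
        echo "preflight: missing tools, re-run install.sh:" >&2
        echo "$missing" >&2
        return 1
    fi
    return 0
}

# launch NAME BAZZ_ARGS... -> run ~/arsenal/Bazz.sh detached in a screen
# session named NAME, logging to ~/bazz-logs/NAME.log (GNU screen -L/-Logfile).
# Pass the real flags (-t targetfile -S|-M|-L [-e ...]); -h only prints help.
launch() {
    name="$1"; shift
    mkdir -p "$HOME/bazz-logs"
    screen -dmS "$name" -L -Logfile "$HOME/bazz-logs/$name.log" \
        sh -c "cd \"\$HOME/arsenal\" && ./Bazz.sh $*"
}

# Example use (the launch line is commented out so the block runs offline):
#   preflight && launch acme-recon -t "$HOME/targets.txt" -M -e dev.example.com
if preflight; then
    echo "preflight ok"
else
    echo "preflight failed; fix the messages above before launching"
fi
```

Reattach with screen -r <name> to watch the scan, or tail the log file from another shell; the log survives even if the session is killed. The launch function passes its arguments through a single sh -c string, so it is meant for simple flags, not arguments containing spaces.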

Docker Installation :

If you would rather skip the setup, a Docker environment is available; BAZZ is bundled
with Hacktools in it.

1. docker pull xavier9909/hacktools_bazz
2. docker run -it xavier9909/hacktools_bazz
3. cd arsenal && ./Bazz.sh
4. or simply type bazz from any directory

Anything BAZZ writes inside the container is lost when the container is removed, so
bind-mount your target file and a directory for the output into the container instead of
copying them in by hand.
CONCLUSION

Summary of Key Points: In conclusion, we have developed a recon automation tool that
chains together an existing suite of reconnaissance tools. By orchestrating them from a
single set of scripts, the tool lets users run a thorough and repeatable reconnaissance pass
against a target scope and keeps the output organised for later analysis, so that
cybersecurity risks can be identified and mitigated sooner.

Impact and Significance: The tool introduces no new reconnaissance technique of its own;
its value lies in providing a single entry point for running many reconnaissance tasks
consistently. That helps security professionals understand their attack surface and address
exposed assets before an attacker finds them, and publishing the scripts lets the wider
community reuse and extend the workflow.

User Benefits: Users stand to benefit greatly from the capabilities offered by our recon
automation tool. By automating repetitive tasks and providing a centralized interface for
managing reconnaissance activities, users can save time, reduce manual errors, and focus
their efforts on analyzing and responding to security threats. The tool's extensibility and
customization options further enhance its utility, allowing users to adapt it to their specific
needs and workflows.

Lessons Learned: Throughout the development process, we encountered various challenges
and obstacles, from technical hurdles to design considerations. However, each challenge
presented an opportunity for learning and growth. User feedback played a crucial role in
shaping the tool's features and functionality, highlighting the importance of continuous
engagement with the cybersecurity community. We have emerged from this experience with
a deeper understanding of the complexities of reconnaissance and a renewed commitment
to delivering high-quality solutions to our users.

Future Directions: As we look to the future, we see boundless opportunities for further
innovation and improvement. We envision expanding the tool's capabilities to address
emerging cybersecurity threats, such as IoT vulnerabilities and supply chain attacks.
Additionally, we plan to enhance usability and accessibility features to ensure that our tool
remains accessible to users with diverse skill sets and backgrounds. Collaboration with the
cybersecurity community will be key to driving these advancements, and we welcome input
and contributions from all stakeholders.

Acknowledgments: We would like to express our heartfelt gratitude to all those who have
contributed to the development and success of this project. This includes our mentors,
advisors, collaborators, and users, whose support and feedback have been invaluable
throughout the journey. We are humbled by the opportunity to make a positive impact in
the cybersecurity field and are grateful for the trust and encouragement we have received
along the way.

Call to Action: As we conclude this documentation, we extend an open invitation to all
cybersecurity professionals and enthusiasts to join us in our mission to advance the state of
reconnaissance tools and practices. Whether through testing, feedback, or collaboration on
future development efforts, your involvement is crucial to the continued success of this
project. Together, we can build a safer and more secure digital landscape for all.

Closing Remarks: In closing, we would like to express our sincere gratitude to all who have
supported us on this journey. We are proud of what we have accomplished thus far and are
excited about the possibilities that lie ahead. As we continue to refine and enhance our
recon automation tool, we remain committed to our mission of empowering cybersecurity
professionals with the tools and resources they need to protect against evolving threats.
Thank you for your interest, your support, and your dedication to the ongoing pursuit of
cybersecurity excellence.
