This guide might not be for everyone and might not work for everyone, but it is what worked for me. Some of the dependencies listed may not be required, but I went ahead and added them anyway, since there are quite a few tools that require them.
I'll be using Nahamsec's lazy recon setup for this, as he has a really great setup with most of the tools needed for recon. Plus he already has a bash profile and install script ready to go on his GitHub.
I opted for Debian on my droplet, but the commands will also work for Ubuntu. It's possible, however, that some of the dependencies may not be needed on Ubuntu. I'll leave that to someone else to try.
First thing to do is update Debian.
$ apt update -y && apt upgrade -y
Once you have updated, then you can go ahead and install everything below.
Dependencies to install:
$ apt install -y dnsutils
$ apt install -y python
$ apt install -y python-pip
$ apt install -y ruby
$ apt install -y curl
$ apt install -y snapd
$ apt install -y git
Chromium snap package is needed for Aquatone to work.
$ snap install core
$ snap install chromium
Now that we've laid the foundation, we can download the nahamsec repos.
$ git clone https://github.com/nahamsec/recon_profile
After you download the recon_profile, move the bash_profile into your home directory and rename it to .bash_profile in the same step (the file must end up at ~/.bash_profile).
$ cd recon_profile
$ mv bash_profile ~/.bash_profile
To start using the aliases in the profile, use the `source` (Luke) command.
$ source ~/.bash_profile
Next, we'll need to clone the Bug Bounty Hunting Tools repo.
$ git clone https://github.com/nahamsec/bbht
Then you'll want to make the shell script executable using `chmod` and run it.
$ cd bbht
$ chmod +x install.sh
$ ./install.sh
The script installs all the necessary tools and also prompts you to install Go (which is why I didn't include it in the dependencies); make sure to choose option 1 to install it.
Last thing you'll need to do is to make the Lazy Recon shell script executable so that you can run it.
$ cd ~/tools/lazyrecon/
$ chmod +x lazyrecon.sh
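The steps above collected into one script, as an added example that is not the post's own commands and not Nahamsec's install.sh. It assumes a fresh Debian droplet, a root shell, network access to GitHub, and the layout the post describes (bbht installs tools under ~/tools, lazyrecon lands in ~/tools/lazyrecon). The `check_cmds` helper and the `--run` guard are my additions so the functions can be sourced and checked without provisioning anything.

```shell
#!/bin/sh
# Added example: idempotent provisioning of a recon droplet following the
# post's manual steps. Assumes root, Debian, and the ~/tools layout from bbht.
set -eu

DEPS="dnsutils python python-pip ruby curl snapd git"
TOOLS_DIR="$HOME/tools"

# Return 0 when every named command is on PATH; otherwise list the missing
# ones on stderr and return 1. Used to confirm the base dependencies landed.
check_cmds() {
    missing=""
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || missing="$missing $c"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

install_deps() {
    apt-get update -y && apt-get upgrade -y
    # shellcheck disable=SC2086  # splitting DEPS into words is intended
    apt-get install -y $DEPS
    snap install core && snap install chromium   # Aquatone needs Chromium
}

# Put the recon profile where bash reads it: ~/.bash_profile. The clone is
# copied rather than moved so re-running the script behaves the same way.
install_profile() {
    [ -d recon_profile ] || git clone https://github.com/nahamsec/recon_profile
    cp recon_profile/bash_profile "$HOME/.bash_profile"
}

install_bbht() {
    [ -d bbht ] || git clone https://github.com/nahamsec/bbht
    chmod +x bbht/install.sh
    # install.sh is interactive: it asks about Go; answer option 1 to install it.
    (cd bbht && ./install.sh)
    chmod +x "$TOOLS_DIR/lazyrecon/lazyrecon.sh"
}

provision() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    install_deps
    check_cmds dig python ruby curl git snap
    install_profile
    install_bbht
    echo "done: source ~/.bash_profile, then poweroff and take a snapshot"
}

# Only provision when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    provision
fi
```

Run it once as `sh provision.sh --run` on the fresh droplet, then shut down and snapshot as the post describes.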
Now you can run `poweroff` to shut the droplet down and create a snapshot to deploy whenever you like.
That is all you should need to have a remote shell for recon and avoid getting your home IP blacklisted.
A few optional things you can do to make things a bit faster and easier:
- Remove password auth to use ssh keys only on droplet.
- Create an alias to tarball recon target directories on droplet.
- Create an alias for scp to transfer recon tarballs locally.
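The first item, switching the droplet to key-only SSH, as an added example that is not part of the post. It assumes Debian's stock /etc/ssh/sshd_config (where the weak defaults sit as commented lines) and that your public key is already in ~/.ssh/authorized_keys before you apply it. The config path is a parameter so the edit can be tried on a copy first; `apply_sshd` validates with `sshd -t` before reloading, since a bad config would leave the service unable to restart.

```shell
#!/bin/sh
# Added example: make sshd on the droplet accept keys only. Assumes Debian's
# default /etc/ssh/sshd_config and a key already in authorized_keys.
set -eu

# Weak defaults being replaced (Debian ships them commented, i.e. in effect):
#   #PasswordAuthentication yes
#   #ChallengeResponseAuthentication yes
#   #PermitRootLogin prohibit-password   (older images: yes)

# Rewrite one sshd_config: strip every existing line (commented or not) for
# the directives we own, then put our values at the TOP of the file. sshd
# uses the first value it sees for a keyword, and prepending also keeps the
# lines out of any Match block or Include file further down.
harden_sshd() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    grep -Ev '^[[:space:]]*#?[[:space:]]*(PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin)[[:space:]]' "$cfg" > "$tmp" || true
    {
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"
        echo "PermitRootLogin prohibit-password"
        cat "$tmp"
    } > "$cfg"
    rm -f "$tmp"
}

# Print the effective value of one directive (first occurrence wins in sshd).
sshd_setting() {
    awk -v k="$2" '$1==k && !d {print $2; d=1}' "$1"
}

# Validate, then reload; Debian's service name is "ssh".
apply_sshd() {
    harden_sshd /etc/ssh/sshd_config
    sshd -t && systemctl reload ssh
}
```

Keep your current session open while you apply it and confirm a fresh key-based login works before closing it.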
Here's the function that I added to my bash profile locally to make file transfer easier:
dlfile() { scp -i ~/.ssh/id_rsa "root@$1:~/tools/lazyrecon/$2" ~ ; }
All you would need to do is run `dlfile` with the IP address or hostname and the file as arguments to download your recon data.
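The other two optional items (a tarball helper on the droplet and a download helper locally) as an added example, not the post's own profile. It assumes lazyrecon writes one directory per target under ~/tools/lazyrecon/ (as the scp path above implies) and that the droplet is reached as root with ~/.ssh/id_rsa. It goes a little beyond the post: the target name is validated so a stray argument cannot point tar or scp outside the recon directory, and a sha256 written beside the tarball is checked locally before unpacking.

```shell
#!/bin/sh
# Added example: packrecon runs on the droplet, dlrecon runs locally.
# Assumes ~/tools/lazyrecon/<target>/ per target and root@droplet via id_rsa.
set -eu

RECON_DIR="${RECON_DIR:-$HOME/tools/lazyrecon}"

# Accept only plain directory names: no empty string, no leading dash (would
# be parsed as an option), no slashes and no ".." (could leave RECON_DIR).
valid_target() {
    case "$1" in
        ''|-*|*/*|*..*) return 1 ;;
    esac
    return 0
}

# On the droplet: tar+gzip one target directory and write its sha256 beside
# it, so the copy can be verified before the remote tarball is deleted.
# Prints the tarball path.
packrecon() {
    target="$1"
    valid_target "$target" || { echo "bad target name: $target" >&2; return 1; }
    [ -d "$RECON_DIR/$target" ] || { echo "no such target: $target" >&2; return 1; }
    out="$RECON_DIR/$target.tar.gz"
    tar -C "$RECON_DIR" -czf "$out" "$target"
    (cd "$RECON_DIR" && sha256sum "$target.tar.gz" > "$target.tar.gz.sha256")
    echo "$out"
}

# Locally: fetch tarball and checksum, verify, then unpack under ~/recon/.
dlrecon() {
    host="$1"; target="$2"
    valid_target "$target" || { echo "bad target name: $target" >&2; return 1; }
    dest="$HOME/recon"; mkdir -p "$dest"
    scp -i ~/.ssh/id_rsa \
        "root@$host:tools/lazyrecon/$target.tar.gz" \
        "root@$host:tools/lazyrecon/$target.tar.gz.sha256" "$dest/"
    (cd "$dest" && sha256sum -c "$target.tar.gz.sha256" && tar -xzf "$target.tar.gz")
}
```

Usage is `packrecon example.test` on the droplet followed by `dlrecon <droplet-ip> example.test` locally; `sha256sum -c` fails loudly if the transfer was truncated, and nothing is unpacked in that case.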
Be sure to use this link below to get your Digital Ocean account set up so you can get $50 credit:
By doing so, you'll also be helping me out!
team[at]afslabs.net or info[at]saltwrx.org
Shout out to Ben for the awesome work he has done and for being a big contributor to the infosec and bug bounty communities.
Feel free to thank him yourself:
This thanks list will be updated at a later time to include those who put in all the work to create the awesome tools we use for recon. I need a little break from typing all of this down for now.
Download this article on GitLab: HERE