Guide to the Discover Tool: Automating Reconnaissance for Penetration Testing

byEngr. M.A. Rashid Rony
0

 

Guide to the Discover Tool: Automating Reconnaissance for Penetration Testing

Introduction

The Discover tool is an open-source collection of custom bash scripts designed to automate reconnaissance and scanning tasks for penetration testers and security researchers. Hosted on GitHub under the repository leebaird/discover, it streamlines the process of gathering intelligence about a target, such as domains, subdomains, IPs, open ports, and web content. By integrating with popular tools like Nmap, Recon-ng, and Amass, Discover simplifies repetitive tasks, making it a valuable asset for ethical hacking and bug bounty hunting.

This article provides a detailed tutorial on the Discover tool, covering its purpose, installation, key features, and practical usage with a step-by-step example. It is intended for beginners and intermediate pentesters who want to leverage automation in their reconnaissance workflows. All examples are for educational purposes and should only be used in authorized testing environments.

What is the Discover Tool?

The Discover tool, developed by Lee Baird, is a set of bash scripts that automate various reconnaissance tasks during the initial phases of a penetration test. It integrates multiple open-source tools to perform tasks like:

  • Passive Reconnaissance: Gathering information without direct interaction (e.g., WHOIS, DNS enumeration).
  • Active Reconnaissance: Probing targets for open ports, services, and web content.
  • Content Discovery: Identifying directories, files, and endpoints on web servers.
  • Credential Harvesting: Collecting leaked credentials from databases like Breach Parse.

Discover is particularly valued for its simplicity and customization, allowing users to tailor scans to their specific needs. It is designed to run on Linux systems, with Kali Linux being the primary platform due to its pre-installed pentesting tools.

Key Features

  • Modular Scripts: Individual scripts for specific tasks (e.g., domain recon, IP scanning, web enumeration).
  • Tool Integration: Combines tools like Amass, Nmap, Recon-ng, dirb, gobuster, and Breach Parse.
  • Passive and Active Modes: Supports non-intrusive (passive) and direct (active) scanning.
  • Customizable Output: Saves results in organized directories for easy analysis.
  • Credential Harvesting: Integrates with Breach Parse to find leaked credentials.
  • Ease of Use: Menu-driven interface with command-line options for automation.
  • Open Source: Freely available at https://github.com/leebaird/discover.

System Requirements

  • Operating System: Kali Linux (recommended), Debian-based systems, or other Linux distributions.
  • Dependencies: Bash, Git, and pre-installed tools like Nmap, Recon-ng, Amass, dirb, gobuster, and Python 2/3.
  • Hardware: Minimum 2GB RAM; 4GB+ recommended for large scans.
  • Permissions: Root or sudo access for installation and some scans.

Installation Guide

Discover is not pre-installed on Kali Linux but can be easily set up from GitHub. Below are the steps for installation.

Steps

  1. Install Dependencies: Ensure required tools are installed on Kali Linux:

2.  sudo apt update

sudo apt install -y nmap recon-ng amass dirb gobuster python3 python3-pip

For Breach Parse (credential harvesting):

pip install requests

  1. Clone the Discover Repository:

4.  git clone https://github.com/leebaird/discover.git

cd discover

  1. Run the Setup Script:

./setup.sh

This installs additional dependencies and configures the environment. You may need to manually install missing tools if prompted.

  1. Verify Installation:

./discover.sh

The main menu should appear, listing available scripts and options.

Troubleshooting

  • Missing Tools: If a tool like Amass or Recon-ng is missing, install it manually (e.g., sudo apt install amass).
  • Permission Errors: Run scripts with sudo if root access is required.
  • Updates: Pull the latest version with git pull to ensure you have the most recent scripts.

Using the Discover Tool

Discover operates via a menu-driven interface or direct script execution. Below is an overview of the main menu and key scripts.

Main Menu

Launch Discover:

cd discover

./discover.sh

The menu displays options like:

Discover> Main Menu

 

1. Domain

2. Person

3. Parse salesforce

4. Password

5. Update

6. Exit

  • Domain: Reconnaissance on domains (e.g., subdomains, DNS records).
  • Person: OSINT for individuals (e.g., email harvesting).
  • Parse Salesforce: Extracts data from Salesforce communities.
  • Password: Credential harvesting using Breach Parse.
  • Update: Updates Discover scripts.
  • Exit: Closes the program.

Key Scripts

Discover includes several scripts in the /scripts directory:

  • domain.sh: Performs subdomain enumeration, DNS lookups, and port scanning.
  • ip.sh: Scans IPs for open ports and services.
  • web.sh: Enumerates web content (directories, files).
  • breach.sh: Searches for leaked credentials in breach databases.
  • recon-ng.sh: Automates Recon-ng for domain reconnaissance.

Command-Line Usage

For automation, run scripts directly:

./scripts/domain.sh <domain>

./scripts/web.sh <url>

Practical Example: Reconnaissance on a Domain

Let’s walk through a practical example of using Discover to perform reconnaissance on a target domain, such as example.com. This assumes you have permission to test the target.

Step 1: Setup

  1. Launch Discover:

2.  cd discover

./discover.sh

  1. Select Domain (option 1) from the main menu.

Step 2: Passive Reconnaissance

  1. Enter the target domain: example.com.
  2. Choose Passive mode to avoid direct interaction.
  3. Discover runs tools like:
    • Amass: Enumerates subdomains (e.g., sub1.example.com, api.example.com).
    • WHOIS: Gathers registration details.
    • Recon-ng: Collects DNS records and related domains.
  4. Output: Results saved to /root/discover/<domain>/ (e.g., /root/discover/example.com/recon-ng.txt).

Example Output (simplified):

Subdomains found:

- sub1.example.com

- api.example.com

DNS Records:

- A: 93.184.216.34

WHOIS:

- Registrant: Example Inc.

Step 3: Active Reconnaissance

  1. Re-run domain.sh and select Active mode.
  2. Discover performs:
    • Nmap: Scans for open ports on discovered IPs (e.g., 80, 443).
    • Gobuster: Enumerates directories on http://example.com (e.g., /admin, /login).
  3. Example command (manual):

./scripts/domain.sh example.com

  1. Output: Port scan results in /root/discover/example.com/nmap/; web directories in /root/discover/example.com/gobuster.txt.

Example Output:

Nmap Scan:

- 93.184.216.34:80 (http)

- 93.184.216.34:443 (https)

Gobuster:

- /about (Status: 200)

- /login (Status: 200)

Step 4: Credential Harvesting

  1. From the main menu, select Password (option 4).
  2. Use Breach Parse to search for credentials related to example.com:

./scripts/breach.sh example.com

  1. Output: Leaked credentials (if any) saved to /root/discover/example.com/breach/.

Example Output:

Credentials:

- user@example.com:password123

- admin@example.com:admin2023

Step 5: Web Content Enumeration

  1. Run the web script on a discovered URL:

./scripts/web.sh http://example.com

  1. Discover uses dirb or gobuster to find hidden directories and files.
  2. Output: Results in /root/discover/example.com/web/.

Example Output:

Found:

- /backup (Status: 200)

- /config.php (Status: 200)

Step 6: Review Results

  • All outputs are organized in /root/discover/example.com/.
  • Combine findings for further testing (e.g., use subdomains in Burp Suite for vulnerability scanning).

Visual References

Discover’s output is text-based, but you can find screenshots of the menu and results in:

  • GitHub README: https://github.com/leebaird/discover (shows menu interface).
  • TryHackMe Walkthroughs: Search for “Discover tool TryHackMe” to see script execution visuals.
  • Medium Articles: Look for “Discover tool reconnaissance” (e.g., https://medium.com for pentesting tutorials).

For example, the main menu screenshot typically shows the numbered options (Domain, Person, etc.), and output screenshots display text files with subdomain lists or Nmap results.

Best Practices and Tips

  • Legal Use: Only test domains you have explicit permission to scan. Unauthorized scanning is illegal.
  • Passive First: Start with passive mode to minimize detection risks.
  • Output Management: Regularly clean /root/discover/ to avoid clutter.
  • Tool Updates: Run git pull and ./discover.sh (Update option) to stay current.
  • Integration: Use Discover outputs with other tools like Burp Suite or Metasploit.
  • Common Issues:
    • Missing dependencies: Install manually (e.g., sudo apt install recon-ng).
    • Slow scans: Limit scope for large domains (e.g., example.com instead of all subdomains).
  • Learning Resources:
    • GitHub: https://github.com/leebaird/discover
    • TryHackMe: Rooms like “Reconnaissance” cover Discover usage.
    • Web Security Academy: https://portswigger.net/web-security for related labs.

Conclusion

The Discover tool is a powerful ally for penetration testers, automating the tedious aspects of reconnaissance while integrating seamlessly with industry-standard tools. By mastering its scripts for domain, IP, web, and credential harvesting, you can efficiently gather actionable intelligence. Always prioritize ethical and authorized use, and practice in safe environments like TryHackMe or Web Security Academy labs.

Author: Engr. M A Rashid Rony
Date: September 6, 2025
For updates, visit: https://github.com/leebaird/discover

 

Tags:

Post a Comment

Previous Post Next Post