Description
Black Eagle is a passive-first recon orchestration script for authorized bug-bounty and penetration testing engagements. It aggregates multiple reconnaissance tools (amass, subfinder, findomain, subzy, dnsx, httpx) to discover assets, validate live hosts, and produce structured output for triage and reporting. Active fuzzing (ffuf) is optional and disabled by default — enable only when the target is explicitly in-scope for active testing.
Important legal & ethical note
Only run Black Eagle on domains/assets that are within scope of the Bugcrowd program you are hunting on, or where you have explicit written permission. Misuse of this script against out-of-scope/unauthorized targets can be illegal.
black_eagle.sh— main executable orchestrator (bash)README.md— usage, examples, and install notes
#!/usr/bin/env bash
# Black Eagle v1.1
# Passive-first Recon Orchestrator for bug-bounty recon
# Tools used: amass, subfinder, findomain (optional), dnsx, httpx, subzy, ffuf (optional)
# Usage: ./black_eagle.sh -d example.com [-o outdir] [--resolvers resolvers.txt] [--wordlist wordlist.txt] [--active] [--threads N]
# WARNING: Only run on targets you are authorized to test.
set -euo pipefail
IFS=$'
'
PROGNAME=$(basename "$0")
VERSION="1.1"
function usage(){
cat <<EOF
$PROGNAME v$VERSION
Usage: $PROGNAME -d <domain> [-o outdir] [--resolvers resolvers.txt] [--wordlist wordlist.txt] [--active] [--threads N]
Options:
-d, --domain Target domain (required)
-o, --outdir Output directory (default: blackeagle_<domain>_<ts>)
--resolvers File with DNS resolvers (one per line). If omitted, uses a small default set.
--wordlist Wordlist for ffuf (default: /usr/share/wordlists/dirb/common.txt if exists)
--active Enable active fuzzing (ffuf). DEFAULT: OFF (safe/passive-first)
--threads Concurrency for httpx/ffuf (default: 50)
-h, --help Show this help and exit
Example (passive):
$PROGNAME -d example.com
Example (with active ffuf):
$PROGNAME -d example.com --active --wordlist ~/wordlists/raft-large-directories.txt --threads 100
WARNING: Running active checks against out-of-scope targets may be unlawful.
EOF
}
# defaults
OUTDIR=""
RESOLVERS_FILE=""
WORDLIST=""
ACTIVE=false
THREADS=50
# parse args
if [[ $# -eq 0 ]]; then
usage; exit 1
fi
while [[ $# -gt 0 ]]; do
case "$1" in
-d|--domain) DOMAIN="$2"; shift 2;;
-o|--outdir) OUTDIR="$2"; shift 2;;
--resolvers) RESOLVERS_FILE="$2"; shift 2;;
--wordlist) WORDLIST="$2"; shift 2;;
--active) ACTIVE=true; shift 1;;
--threads) THREADS="$2"; shift 2;;
-h|--help) usage; exit 0;;
*) echo "Unknown arg: $1"; usage; exit 1;;
esac
done
if [[ -z "${DOMAIN:-}" ]]; then
echo "ERROR: domain required (-d)" >&2; usage; exit 1
fi
TS=$(date +%Y%m%d_%H%M%S)
if [[ -z "$OUTDIR" ]]; then
OUTDIR="blackeagle_${DOMAIN//./_}_${TS}"
fi
mkdir -p "$OUTDIR"/raw
# default resolvers
DEFAULT_RESOLVERS="$OUTDIR/resolvers_default.txt"
cat > "$DEFAULT_RESOLVERS" <<'RES'
1.1.1.1
8.8.8.8
9.9.9.9
208.67.222.222
RES
if [[ -n "$RESOLVERS_FILE" ]]; then
RESOLVERS="$RESOLVERS_FILE"
else
RESOLVERS="$DEFAULT_RESOLVERS"
fi
# default wordlist
if [[ -n "$WORDLIST" ]]; then
WL="$WORDLIST"
elif [[ -f "/usr/share/wordlists/dirb/common.txt" ]]; then
WL="/usr/share/wordlists/dirb/common.txt"
else
WL=""
fi
# required tools
REQUIRED=(amass subfinder httpx dnsx subzy)
if command -v findomain >/dev/null 2>&1; then
REQUIRED+=(findomain)
fi
if $ACTIVE; then
REQUIRED+=(ffuf)
fi
MISSING=()
for t in "${REQUIRED[@]}"; do
if ! command -v "$t" >/dev/null 2>&1; then
MISSING+=("$t")
fi
done
if [[ ${#MISSING[@]} -gt 0 ]]; then
echo "ERROR: Missing required tools: ${MISSING[*]}" >&2
echo "Install them first. Example installation tips:" >&2
echo " sudo apt update && sudo apt install -y amass git" >&2
echo " GO111MODULE=on go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest" >&2
echo " GO111MODULE=on go install github.com/projectdiscovery/httpx/cmd/httpx@latest" >&2
echo " GO111MODULE=on go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest" >&2
echo " GO111MODULE=on go install github.com/lukasikic/subzy@latest" >&2
echo " findomain (optional): download release binary from GitHub" >&2
exit 2
fi
# helper for dedupe
function dedupe(){
sort -u | sed '/^$/d'
}
# header
cat <<EOF
[Black Eagle v$VERSION]
Target: $DOMAIN
Output dir: $OUTDIR
Active mode: $ACTIVE
Threads: $THREADS
EOF
# Phase 1: Passive enumeration
echo "[1/6] amass passive enumeration"
amass enum -passive -d "$DOMAIN" -oA "$OUTDIR/raw/amass_passive" || true
echo "[2/6] subfinder enumeration"
subfinder -d "$DOMAIN" -silent -o "$OUTDIR/raw/subfinder.txt" || true
if command -v findomain >/dev/null 2>&1; then
echo "[3/6] findomain (optional)"
findomain -t "$DOMAIN" -u "$OUTDIR/raw/findomain.txt" || true
fi
# aggregate
echo "[+] aggregating passive data"
# collect files
PASS_FILES=("$OUTDIR/raw/subfinder.txt" "$OUTDIR/raw/findomain.txt" "$OUTDIR/raw/amass_passive.txt")
for f in "${PASS_FILES[@]}"; do
[[ -f "$f" ]] && cat "$f" >> "$OUTDIR/raw/passive_agg.txt"
done
# if amass created .txt
if [[ -f "$OUTDIR/raw/amass_passive.txt" ]]; then
cat "$OUTDIR/raw/amass_passive.txt" >> "$OUTDIR/raw/passive_agg.txt" || true
fi
sort -u "$OUTDIR/raw/passive_agg.txt" -o "$OUTDIR/passive_all.txt" || true
# Phase 2: Resolve (dnsx) & live check (httpx)
echo "[4/6] resolve with dnsx and check with httpx"
cat "$OUTDIR/passive_all.txt" | dnsx -r "$RESOLVERS" -silent -a -resp -o "$OUTDIR/raw/dnsx.txt" || true
# pull hostnames from dnsx output
awk '{print $1}' "$OUTDIR/raw/dnsx.txt" | dedupe > "$OUTDIR/resolved.txt" || true
# httpx live-check
cat "$OUTDIR/resolved.txt" | httpx -threads $THREADS -silent -status-code -title -ip -o "$OUTDIR/live.txt" || true
# Phase 3: subdomain takeover checks (passive)
echo "[5/6] subdomain takeover passive checks (subzy)"
if command -v subzy >/dev/null 2>&1; then
cat "$OUTDIR/resolved.txt" | subzy -s -o "$OUTDIR/subzy_report.txt" || true
else
echo "[!] subzy not found; skipping takeover check"
fi
# Phase 4: optional active fuzzing (ffuf)
if $ACTIVE; then
if [[ -z "$WL" ]]; then
echo "[!] No ffuf wordlist found. Provide --wordlist or install dirb wordlists." >&2
else
echo "[6/6] ACTIVE: running ffuf on discovered hosts (noisy)"
mkdir -p "$OUTDIR/ffuf"
while read -r host; do
echo "[ffuf] fuzzing $host"
# try both http and https
ffuf -u "http://$host/FUZZ" -w "$WL" -t $THREADS -o "$OUTDIR/ffuf/${host//./_}_http.json" -of json || true
ffuf -u "https://$host/FUZZ" -w "$WL" -t $THREADS -o "$OUTDIR/ffuf/${host//./_}_https.json" -of json || true
done < "$OUTDIR/resolved.txt"
fi
else
echo "[6/6] ACTIVE mode disabled. To enable pass --active (use responsibly)."
fi
# final summary
cat <<EOF
[+] Black Eagle finished.
Outputs:
Passive list: $OUTDIR/passive_all.txt
Resolved hosts: $OUTDIR/resolved.txt
Live hosts: $OUTDIR/live.txt
Subzy report: $OUTDIR/subzy_report.txt (if produced)
FFUF results: $OUTDIR/ffuf/ (if active)
Remember: only test in-scope assets. Keep detailed notes for bug reports.
EOF
exit 0# Black Eagle — Recon Orchestrator
Black Eagle combines passive reconnaissance tools to produce consolidated lists of discovered subdomains, resolved hosts, live hosts, and optional active fuzzing results. Use this tool only on assets you're authorized to test.
## Prerequisites
Install these tools before running Black Eagle:
- amass
- subfinder
- httpx
- dnsx
- subzy (optional but recommended)
- findomain (optional)
- ffuf (only for --active)
Installation tips:
```bash
sudo apt update && sudo apt install -y amass git
GO111MODULE=on go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
GO111MODULE=on go install github.com/projectdiscovery/httpx/cmd/httpx@latest
GO111MODULE=on go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
GO111MODULE=on go install github.com/lukasikic/subzy@latest
# findomain: download binary from GitHub releases
# ffuf: apt or release binarychmod +x black_eagle.sh
./black_eagle.sh -d example.com./black_eagle.sh -d example.com --active --wordlist ~/wordlists/raft-large-directories.txt --threads 100passive_all.txt— aggregated passive subdomain listresolved.txt— DNS-resolved hostnameslive.txt— HTTP/HTTPS live host info (status, title, IP)subzy_report.txt— passive takeover checksffuf/— optional fuzzing output
---
If you want, I can now:
- produce a one-liner installer script that installs the prerequisites on Kali (Go tools, amass, ffuf, etc), or
- add GitHub Actions or a simple systemd service to run Black Eagle nightly for your authorized programs, or
- tailor the script to emit a CSV/Markdown report ready to paste into Bugcrowd reports.
Tell me which of those you'd like and I'll add it to the canvas as a companion file.