Autorecon - Multi-Threaded Network Reconnaissance Tool Which Performs Automated Enumeration Of Services


AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.
The tool works by first performing port scans/service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, nikto will be launched (as well as many others).
Everything in the tool is highly configurable. The default configuration performs no automated exploitation to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the misuse of this tool.

Origin
AutoRecon was inspired by three tools which the author used during the OSCP labs: Reconnoitre, ReconScan, and bscan. While all three tools were useful, none of the three alone had the functionality desired. AutoRecon combines the best features of the aforementioned tools while also implementing many new features to help testers with enumeration of multiple targets.

Features

  • Supports multiple targets in the form of IP addresses, IP ranges (CIDR notation), and resolvable hostnames.
  • Can scan targets concurrently, utilizing multiple processors if they are available.
  • Customizable port scanning profiles for flexibility in your initial scans.
  • Customizable service enumeration commands and suggested manual follow-up commands.
  • An intuitive directory structure for results gathering.
  • Full logging of commands that were run, along with errors if they fail.
  • Global and per-scan pattern matching so you can highlight/extract important information from the noise.

Requirements
  • Python 3
  • colorama
  • toml
Once Python 3 is installed, pip3 can be used to install the other requirements:
$ pip3 install -r requirements.txt
Several commands used in AutoRecon reference the SecLists project, in the directory /usr/share/seclists/. You can either manually download the SecLists project to this directory (https://github.com/danielmiessler/SecLists), or if you are using Kali Linux (highly recommended) you can run the following:
$ sudo apt install seclists
AutoRecon will still run if you do not install SecLists, though several commands may fail, and some manual commands may not run either.
Additionally, the following commands may need to be installed, depending on your OS:
curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner smbclient smbmap smtp-user-enum snmpwalk sslscan svwar tnscmd10g whatweb wkhtmltoimage

Usage
AutoRecon uses Python 3 specific functionality and does not support Python 2.
usage: autorecon.py [-h] [-ct ] [-cs ] [--profile PROFILE]
                    [-o OUTPUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [-v]
                    [--disable-sanity-checks]
                    targets [targets ...]

Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.

positional arguments:
  targets               IP addresses (e.g. 10.0.0.1), CIDR notation (e.g.
                        10.0.0.1/24), or resolvable hostnames (e.g. foo.bar)
                        to scan.

optional arguments:
  -h, --help            show this help message and exit
  -ct , --concurrent-targets
                        The maximum number of target hosts to scan
                        concurrently. Default: 5
  -cs , --concurrent-scans
                        The maximum number of scans to perform per target
                        host. Default: 10
  --profile PROFILE     The port scanning profile to use (defined in port-
                        scan-profiles.toml). Default: default
  -o OUTPUT, --output OUTPUT
                        The output directory for results. Default: results
  --nmap NMAP           Override the {nmap_extra} variable in scans. Default:
                        -vv --reason -Pn
  --nmap-append NMAP_APPEND
                        Append to the default {nmap_extra} variable in scans.
  -v, --verbose         Enable verbose output. Repeat for more verbosity.
  --disable-sanity-checks
                        Disable sanity checks that would otherwise prevent the
                        scans from running.

Examples
Scanning a single target:
python3 autorecon.py 127.0.0.1
[*] Scanning target 127.0.0.1
[*] Running service detection nmap-full-tcp on 127.0.0.1
[*] Running service detection nmap-top-20-udp on 127.0.0.1
[*] Running service detection nmap-quick on 127.0.0.1
[*] Service detection nmap-quick on 127.0.0.1 finished successfully
[*] [127.0.0.1] ssh found on tcp/22
[*] [127.0.0.1] http found on tcp/80
[*] [127.0.0.1] rpcbind found on tcp/111
[*] [127.0.0.1] postgresql found on tcp/5432
[*] Running task tcp/22/nmap-ssh on 127.0.0.1
[*] Running task tcp/80/nmap-http on 127.0.0.1
[*] Running task tcp/80/curl-index on 127.0.0.1
[*] Running task tcp/80/curl-robots on 127.0.0.1
[*] Running task tcp/80/whatweb on 127.0.0.1
[*] Running task tcp/80/nikto on 127.0.0.1
[*] Running task tcp/111/nmap-nfs on 127.0.0.1
[*] Task tcp/80/curl-index on 127.0.0.1 finished successfully
[*] Task tcp/80/curl-robots on 127.0.0.1 finished successfully
[*] Task tcp/22/nmap-ssh on 127.0.0.1 finished successfully
[*] Task tcp/80/whatweb on 127.0.0.1 finished successfully
[*] Task tcp/111/nmap-nfs on 127.0.0.1 finished successfully
[*] Task tcp/80/nmap-http on 127.0.0.1 finished successfully
[*] Task tcp/80/nikto on 127.0.0.1 finished successfully
[*] Service detection nmap-top-20-udp on 127.0.0.1 finished successfully
[*] Service detection nmap-full-tcp on 127.0.0.1 finished successfully
[*] [127.0.0.1] http found on tcp/5984
[*] [127.0.0.1] rtsp found on tcp/5985
[*] Running task tcp/5984/nmap-http on 127.0.0.1
[*] Running task tcp/5984/curl-index on 127.0.0.1
[*] Running task tcp/5984/curl-robots on 127.0.0.1
[*] Running task tcp/5984/whatweb on 127.0.0.1
[*] Running task tcp/5984/nikto on 127.0.0.1
[*] Task tcp/5984/curl-index on 127.0.0.1 finished successfully
[*] Task tcp/5984/curl-robots on 127.0.0.1 finished successfully
[*] Task tcp/5984/whatweb on 127.0.0.1 finished successfully
[*] Task tcp/5984/nikto on 127.0.0.1 finished successfully
[*] Task tcp/5984/nmap-http on 127.0.0.1 finished successfully
[*] Finished scanning target 127.0.0.1
The default port scan profile first performs a full TCP port scan, a top 20 UDP port scan, and a top 1000 TCP port scan. You may ask why AutoRecon scans the top 1000 TCP ports at the same time as a full TCP port scan (which also scans those ports). The reason is simple: most open ports will generally be in the top 1000, and we want to start enumerating services quickly, rather than wait for Nmap to scan every single port. As you can see, all the service enumeration scans actually finish before the full TCP port scan is done. While there is a slight duplication of effort, it pays off by getting actual enumeration results back to the tester quicker.
Note that the actual command line output will be colorized if your terminal supports it.
Scanning multiple targets
python3 autorecon.py 192.168.1.100 192.168.1.1/30 localhost
[*] Scanning target 192.168.1.100
[*] Scanning target 192.168.1.1
[*] Scanning target 192.168.1.2
[*] Scanning target localhost
[*] Running service detection nmap-quick on 192.168.1.100
[*] Running service detection nmap-quick on localhost
[*] Running service detection nmap-top-20-udp on 192.168.1.100
[*] Running service detection nmap-quick on 192.168.1.1
[*] Running service detection nmap-quick on 192.168.1.2
[*] Running service detection nmap-top-20-udp on 192.168.1.1
[*] Running service detection nmap-full-tcp on 192.168.1.100
[*] Running service detection nmap-top-20-udp on localhost
[*] Running service detection nmap-top-20-udp on 192.168.1.2
[*] Running service detection nmap-full-tcp on localhost
[*] Running service detection nmap-full-tcp on 192.168.1.1
[*] Running service detection nmap-full-tcp on 192.168.1.2
...
AutoRecon supports multiple targets per scan, and will expand IP ranges provided in CIDR notation. By default, only 5 targets will be scanned at a time, with 10 scans per target.
Scanning multiple targets with advanced options
python3 autorecon.py -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost
[*] Scanning target 192.168.1.100
[*] Scanning target 192.168.1.1
[*] Running service detection nmap-quick on 192.168.1.100 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.xml" 192.168.1.100
[*] Running service detection nmap-quick on 192.168.1.1 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.xml" 192.168.1.1
[*] Running service detection nmap-top-20-udp on 192.168.1.100 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.xml" 192.168.1.100
[*] Running service detection nmap-top-20-udp on 192.168.1.1 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.xml" 192.168.1.1
[-] [192.168.1.1 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.1 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] Initiating ARP Ping Scan at 17:25
[-] [192.168.1.100 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.100 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] Initiating ARP Ping Scan at 17:25
...
In this example, the -ct option limits the number of concurrent targets to 2, and the -cs option limits the number of concurrent scans per target to 2. The -vv option makes the output very verbose, showing the output of every scan being run. The -o option sets a custom output directory for scan results to be saved.

Verbosity
AutoRecon supports three levels of verbosity:
  • (none) Minimal output. AutoRecon will announce when target scans start and finish, as well as which services were identified.
  • (-v) Verbose output. AutoRecon will additionally specify the exact commands which are being run, as well as highlighting any patterns which are matched in command output.
  • (-vv) Very verbose output. AutoRecon will output everything. Literally every line from all commands which are currently running. When scanning multiple targets concurrently, this can lead to a ridiculous amount of output. It is not advised to use -vv unless you absolutely need to see live output from commands.

Results
By default, results will be stored in the ./results directory. A new sub directory is created for every target. The structure of this sub directory is:
.
├── exploit/
├── loot/
├── report/
│   ├── local.txt
│   ├── notes.txt
│   ├── proof.txt
│   └── screenshots/
└── scans/
    ├── _commands.log
    ├── _manual_commands.txt
    └── xml/
The exploit directory is intended to contain any exploit code you download / write for the target.
The loot directory is intended to contain any loot (e.g. hashes, interesting files) you find on the target.
The report directory contains some auto-generated files and directories that are useful for reporting:
  • local.txt can be used to store the local.txt flag found on targets.
  • notes.txt should contain a basic template where you can write notes for each service discovered.
  • proof.txt can be used to store the proof.txt flag found on targets.
  • The screenshots directory is intended to contain the screenshots you use to document the exploitation of the target.
The scans directory is where all results from scans performed by AutoRecon will go. This includes port scans / service detection scans, as well as any service enumeration scans. It also contains two other files:
  • _commands.log contains a list of every command AutoRecon ran against the target. This is useful if one of the commands fails and you want to run it again with modifications.
  • _manual_commands.txt contains any commands that are deemed "too dangerous" to run automatically, either because they are too intrusive, require modification based on human analysis, or just work better when there is a human monitoring them.
If a scan results in an error, a file called _errors.log will also appear in the scans directory with some details to alert the user.
If output matches a defined pattern, a file called _patterns.log will also appear in the scans directory with details about the matched output.
The scans/xml directory stores any XML output (e.g. from Nmap scans) separately from the main scan outputs, so that the scans directory itself does not get too cluttered.

Port Scan profiles
The port-scan-profiles.toml file is where you can define the initial port scans / service detection commands. The configuration file uses the TOML format, which is explained here: https://github.com/toml-lang/toml
Here is an example profile called "quick":
[quick]

    [quick.nmap-quick]

        [quick.nmap-quick.service-detection]
        command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'

    [quick.nmap-top-20-udp]

        [quick.nmap-top-20-udp.service-detection]
        command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
Note that indentation is optional; it is used here purely for aesthetics. The "quick" profile defines a scan called "nmap-quick". This scan has a service-detection command which uses nmap to scan the top 1000 TCP ports. The command uses two references: {scandir} is the location of the scans directory for the target, and {address} is the address of the target.
A regex pattern is defined which matches three named groups (port, protocol, and service) in the output. Every service-detection command must have a corresponding pattern that matches all three of those groups. AutoRecon will try to do some checks and refuse to scan if any of these groups are missing.
An almost identical scan called "nmap-top-20-udp" is also defined. This scans the top 20 UDP ports.
Here is a more complicated example:
[udp]

    [udp.udp-top-20]

        [udp.udp-top-20.port-scan]
        command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"'
        pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$'

        [udp.udp-top-20.service-detection]
        command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
In this example, a profile called "udp" defines a scan called "udp-top-20". This scan has two commands: one is a port-scan and the other is a service-detection. When a port-scan command is defined, it will always be run first. The corresponding pattern must match a named group "port" which extracts the port number from the output.
The service-detection will be run after the port-scan command has finished, and uses a new reference: {ports}. This reference is a comma-separated string of all the ports extracted by the port-scan command. Note that the same three named groups (port, protocol, and service) are defined in the service-detection pattern.
Both the port-scan and the service-detection commands use the {scandir} and {address} references.
Note that if a port-scan command is defined without a corresponding service-detection command, AutoRecon will refuse to scan.
This more complicated example is only really useful if you want to use unicornscan's speed in conjunction with nmap's service detection abilities. If you are content with using Nmap for both port scanning and service detection, you do not need to use this setup.
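To show how the profile mechanics above fit together, here is an added example (not AutoRecon's own code) that reimplements the sanity checks the README describes, applies a service-detection pattern to constructed nmap output, and builds the {ports} reference from constructed unicornscan output. The profiles are embedded as the nested dicts a TOML parser would produce; the profile names "fast-tcp" and "nmap-bad" and all sample output are constructed for this example.

```python
import re

# Constructed for this example: the "quick" and "udp" profiles shown above, in
# the nested dict form that parsing port-scan-profiles.toml yields
# (scan name -> phase -> {command, pattern}); commands are shortened.
PROFILES = {
    "quick": {
        "nmap-quick": {
            "service-detection": {
                "command": "nmap {nmap_extra} -sV --version-all {address}",
                "pattern": r"^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$",
            },
        },
    },
    "udp": {
        "udp-top-20": {
            "port-scan": {
                "command": "unicornscan -mU -p 161,53,137 {address}",
                "pattern": r"^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$",
            },
            "service-detection": {
                "command": "nmap {nmap_extra} -sU -A -p {ports} --version-all {address}",
                "pattern": r"^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$",
            },
        },
    },
}

# Constructed: a profile with the two mistakes the README says are rejected.
BROKEN_PROFILE = {
    "fast-tcp": {"port-scan": {"pattern": r"open tcp (?P<port>\d+)"}},  # no service-detection
    "nmap-bad": {"service-detection": {"pattern": r"^(?P<port>\d+)/(?P<proto>tcp)\s+open\s+(\S+)"}},
}

SERVICE_GROUPS = {"port", "protocol", "service"}

def check_profile(profile):
    """Sanity checks as the README describes them (own reimplementation, not
    AutoRecon's code). Returns a list of problems; empty means usable."""
    problems = []
    for scan_name, phases in profile.items():
        if "port-scan" in phases and "service-detection" not in phases:
            problems.append(f"{scan_name}: port-scan has no service-detection")
        if "port-scan" in phases:
            groups = re.compile(phases["port-scan"]["pattern"]).groupindex
            if "port" not in groups:
                problems.append(f"{scan_name}: port-scan pattern lacks group 'port'")
        if "service-detection" in phases:
            groups = re.compile(phases["service-detection"]["pattern"]).groupindex
            missing = sorted(SERVICE_GROUPS - set(groups))
            if missing:
                problems.append(f"{scan_name}: service-detection pattern lacks {missing}")
    return problems

def parse_service_detection(output, pattern):
    """Apply a service-detection pattern line by line and return one
    (port, protocol, service) tuple per matching line."""
    regex = re.compile(pattern)
    found = []
    for line in output.splitlines():
        m = regex.search(line)
        if m:
            found.append((int(m.group("port")), m.group("protocol"), m.group("service")))
    return found

def ports_reference(output, pattern):
    """Build the {ports} reference from port-scan output: the 'port' group of
    every matching line, deduplicated, joined with commas."""
    regex = re.compile(pattern)
    ports = [m.group("port") for m in map(regex.search, output.splitlines()) if m]
    return ",".join(dict.fromkeys(ports))

# Constructed sample output in the layout of nmap's normal (-oN) output.
NMAP_OUTPUT = """\
PORT     STATE  SERVICE    REASON         VERSION
22/tcp   open   ssh        syn-ack ttl 64 OpenSSH 7.9p1 Debian 10
80/tcp   open   http       syn-ack ttl 64 Apache httpd 2.4.38
113/tcp  closed ident      reset ttl 64
5432/tcp open   postgresql syn-ack ttl 64 PostgreSQL DB 9.6.0 or later
"""

# Constructed sample output in the layout unicornscan prints for -mU.
UNICORNSCAN_OUTPUT = """\
UDP open                     snmp[  161]         from 10.0.0.5  ttl 64
UDP open                   domain[   53]         from 10.0.0.5  ttl 64
UDP open               netbios-ns[  137]         from 10.0.0.5  ttl 64
"""

if __name__ == "__main__":
    print({name: check_profile(p) for name, p in [("udp", PROFILES["udp"]), ("broken", BROKEN_PROFILE)]})
    print(parse_service_detection(NMAP_OUTPUT, PROFILES["quick"]["nmap-quick"]["service-detection"]["pattern"]))
    print(ports_reference(UNICORNSCAN_OUTPUT, PROFILES["udp"]["udp-top-20"]["port-scan"]["pattern"]))
```

The closed port and the header line never reach the service list because the pattern requires the literal word "open" between the protocol and the service name.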

Service Scans
The service-scans.toml file is where you can define service enumeration scans and other manual commands associated with certain services.
Here is an example of a simple configuration:
[ftp]

service-names = [
    '^ftp',
    '^ftp\-data'
]

    [[ftp.scan]]
    name = 'nmap-ftp'
    command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'

        [[ftp.scan.pattern]]
        description = 'Anonymous FTP Enabled!'
        pattern = 'Anonymous FTP login allowed'

    [[ftp.manual]]
    description = 'Bruteforce logins:'
    commands = [
        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
    ]
Note that indentation is optional; it is used here purely for aesthetics. The service "ftp" is defined here. The service-names array contains regex strings which should match the service name from the service-detection scans. Regex is used to be as flexible as possible. The service-names array works on a whitelist basis; as long as one of the regex strings matches, the service will get scanned.
An optional ignore-service-names array can also be defined, if you want to blacklist certain regex strings from matching.
The ftp.scan section defines a single scan, named nmap-ftp. This scan defines a command which runs nmap with several ftp-related scripts. Several references are used here:
  • {nmap_extra} by default is set to "-vv --reason -Pn" but this can be overridden or appended to using the --nmap or --nmap-append command line options respectively. If the protocol is UDP, "-sU" will also be appended.
  • {port} is the port that the service is running on.
  • {scandir} is the location of the scans directory for the target.
  • {protocol} is the protocol being used (either tcp or udp).
  • {address} is the address of the target.
A pattern is defined for the nmap-ftp scan, which matches the simple pattern "Anonymous FTP login allowed". In the event that this pattern matches output of the nmap-ftp command, the pattern description ("Anonymous FTP Enabled!") will be saved to the _patterns.log file in the scans directory. A special reference {match} can be used in the description to reference the entire match, or the first capturing group.
The ftp.manual section defines a group of manual commands. This group contains a description for the user, and a commands array which contains the commands that a user can run. Two new references are defined here: {username_wordlist} and {password_wordlist}, which are configured at the very top of the service-scans.toml file, and default to a username and password wordlist provided by SecLists.
Here is a more complicated configuration:
[smb]

service-names = [
    '^smb',
    '^microsoft\-ds',
    '^netbios'
]

    [[smb.scan]]
    name = 'nmap-smb'
    command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'

    [[smb.scan]]
    name = 'enum4linux'
    command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
    run_once = true
    ports.tcp = [139, 389, 445]
    ports.udp = [137]

    [[smb.scan]]
    name = 'nbtscan'
    command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
    run_once = true
    ports.udp = [137]

    [[smb.scan]]
    name = 'smbclient'
    command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
    run_once = true
    ports.tcp = [139, 445]

    [[smb.scan]]
    name = 'smbmap-share-permissions'
    command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"'

    [[smb.scan]]
    name = 'smbmap-list-contents'
    command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"'

    [[smb.scan]]
    name = 'smbmap-execute-command'
    command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"'

    [[smb.manual]]
    description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
    commands = [
        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
    ]
The main difference here is that several scans have some new settings:
  • The ports.tcp array defines a whitelist of TCP ports which the command can be run against. If the service is detected on a port that is not in the whitelist, the command will not be run against it.
  • The ports.udp array defines a whitelist of UDP ports which the command can be run against. It operates in the same way as the ports.tcp array.
Why do these settings even exist? Well, some commands will only run against specific ports, and can't be told to run against any other ports. enum4linux, for example, will only run against TCP ports 139, 389, and 445, and UDP port 137.
In fact, enum4linux will always try these ports when it is run. So if the SMB service is found on TCP ports 139 and 445, AutoRecon may try to run enum4linux twice for no reason. This is why the third setting exists:
  • If run_once is set to true, the command will only ever run once for that target, even if the SMB service is found on multiple ports.
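The following added example (not AutoRecon's own code) walks the ftp and smb services above through the selection rules this section describes: service-names whitelisting, ignore-service-names blacklisting, the ports.tcp/ports.udp whitelists, run_once de-duplication, and the {match} reference in a pattern description. The services are embedded as the nested dicts a TOML parser would produce; the ignore-service-names entry, the second ftp pattern, the detected-service list and the nmap-ftp output are constructed for this example, and how a missing protocol list inside a ports table is treated is my own reading, stated in the code.

```python
import re

# Constructed for this example: the ftp and smb services shown above, in the
# nested dict form service-scans.toml parses to. The ignore-service-names entry
# and the second ftp pattern (with a capture group) are constructed additions.
SERVICES = {
    "ftp": {
        "service-names": [r"^ftp", r"^ftp\-data"],
        "ignore-service-names": [r"^ftp\-proxy"],
        "scan": [{
            "name": "nmap-ftp",
            "pattern": [
                {"description": "Anonymous FTP Enabled!", "pattern": r"Anonymous FTP login allowed"},
                {"description": "FTP server version: {match}", "pattern": r"^\d+/tcp\s+open\s+ftp\s+(.+)$"},
            ],
        }],
    },
    "smb": {
        "service-names": [r"^smb", r"^microsoft\-ds", r"^netbios"],
        "scan": [
            {"name": "nmap-smb"},
            {"name": "enum4linux", "run_once": True, "ports": {"tcp": [139, 389, 445], "udp": [137]}},
            {"name": "nbtscan", "run_once": True, "ports": {"udp": [137]}},
            {"name": "smbclient", "run_once": True, "ports": {"tcp": [139, 445]}},
        ],
    },
}

# Constructed: services as service detection would report them for one target.
DETECTED = [
    ("tcp", 21, "ftp"),
    ("tcp", 22, "ssh"),
    ("tcp", 139, "netbios-ssn"),
    ("tcp", 445, "microsoft-ds"),
    ("udp", 137, "netbios-ns"),
    ("tcp", 2121, "ftp-proxy"),
]

# Constructed sample of nmap-ftp output for the pattern matching below.
NMAP_FTP_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             187 Jan 01 10:00 readme.txt
"""

def matching_services(service_name, services=SERVICES):
    """Whitelist/blacklist lookup: a detected service name selects every
    section whose service-names matches it and whose ignore-service-names
    does not."""
    chosen = []
    for section, cfg in services.items():
        if not any(re.search(p, service_name) for p in cfg["service-names"]):
            continue
        if any(re.search(p, service_name) for p in cfg.get("ignore-service-names", [])):
            continue
        chosen.append(section)
    return chosen

def plan_scans(detected, services=SERVICES):
    """Decide which scans run for one target, honouring the ports.tcp/ports.udp
    whitelists and run_once. Assumption (own reading of the README): when a scan
    has a ports table, a protocol absent from it is an empty whitelist."""
    already_run = set()
    plan = []
    for protocol, port, service_name in detected:
        for section in matching_services(service_name, services):
            for scan in services[section]["scan"]:
                if "ports" in scan and port not in scan["ports"].get(protocol, []):
                    continue
                if scan.get("run_once") and (section, scan["name"]) in already_run:
                    continue
                already_run.add((section, scan["name"]))
                plan.append((scan["name"], protocol, port))
    return plan

def match_patterns(output, scan):
    """Apply a scan's patterns to its output and return the descriptions that
    would go to _patterns.log; {match} is the first capturing group if the
    pattern has one, otherwise the whole match."""
    hits = []
    for entry in scan.get("pattern", []):
        for m in re.finditer(entry["pattern"], output, re.MULTILINE):
            text = m.group(1) if m.re.groups else m.group(0)
            hits.append(entry["description"].replace("{match}", text))
    return hits

if __name__ == "__main__":
    for item in plan_scans(DETECTED):
        print("run %s on %s/%d" % item)
    print(match_patterns(NMAP_FTP_OUTPUT, SERVICES["ftp"]["scan"][0]))
```

In the plan, enum4linux and smbclient appear only for tcp/139 even though SMB is also found on tcp/445, and nbtscan appears only for udp/137, which is exactly the behaviour run_once and the port whitelists are meant to produce.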

Testimonials
AutoRecon was invaluable during my OSCP exam, in that it saved me from the tedium of executing my active information gathering commands myself. I was able to start on a target with all of the information I needed clearly laid out in front of me. I would strongly recommend this utility for anyone in the PWK labs, the OSCP exam, or other environments such as VulnHub or HTB. It is a great tool for both people just starting down their journey into OffSec and seasoned veterans alike. Just make sure that somewhere between those two points you take the time to learn what's going on "under the hood" and how / why it scans what it does.
- b0ats (rooted 5/5 exam hosts)
Wow, what a great find! Before using AutoRecon, ReconScan was my goto enumeration script for targets because it automatically ran the enumeration commands after it finds open ports. The only thing missing was the automatic creation of key directories a pentester might need during an engagement (exploit, loot, report, scans). Reconnoitre did this but didn't automatically run those commands for you. I thought ReconScan was the bee's knees until I gave AutoRecon a try. It's awesome! It combines the best features of Reconnoitre (auto directory creation) and ReconScan (automatically executing the enumeration commands). All I have to do is run it on a target or a set of targets and start going over the information it has already collected while it continues the rest of the scan. The proof is in the pudding :) Passed the OSCP exam! Kudos to Tib3rius!
- werk0ut
A friend told me about AutoRecon, so I gave it a try in the PWK labs. AutoRecon launches the common tools we all always use, whether it be nmap or nikto, and also creates a nice subfolder system based on the targets you are attacking. The strongest feature of AutoRecon is the speed; on the OSCP exam I left the tool running in the background while I started with another target, and in a matter of minutes I had all of the AutoRecon output waiting for me. AutoRecon creates a file full of commands that you should try manually, some of which may require tweaking (for example, hydra bruteforcing commands). It's good to have that extra checklist.
- tr3mb0 (rooted 4/5 exam hosts)
Being introduced to AutoRecon was a complete game changer for me while taking the OSCP and establishing my penetration testing methodology. AutoRecon is a multi-threaded reconnaissance tool that combines and automates popular enumeration tools to do most of the hard work for you. You can't get much better than that! After running AutoRecon on my OSCP exam hosts, I was given a treasure chest full of information that helped me to start on each host and pass on my first try. The best part of the tool is that it automatically launches further enumeration scans based on the initial port scans (e.g. run enum4linux if SMB is detected). The only bad part is that I did not use this tool sooner! Thanks Tib3rius.
- rufy (rooted 4/5 exam hosts)
AutoRecon allows a security researcher to iteratively scan hosts and identify potential attack vectors. Its true power comes in the form of performing scans in the background while the attacker is working on another host. I was able to start my scans and finish a specific host I was working on - and then return to find all relevant scans completed. I was then able to immediately begin trying to gain initial access instead of manually performing the active scanning process. I will continue to use AutoRecon in future penetration tests and CTFs, and highly recommend you do the same.
- waar (rooted 4.99/5 exam hosts)
"If you have to do a task more than twice a day, you need to automate it." That's a piece of advice that an old boss gave to me. AutoRecon takes that lesson to heart. Whether you're sitting in the exam, or in the PWK labs, you can fire off AutoRecon and let it work its magic. I had it running during my last exam while I worked on the buffer overflow. By the time I finished, all the enum information I needed was there for me to get through. 10/10 would recommend for anyone getting into CTF, and anyone who has been at this a long time.
- whoisflynn
I love this tool so much I wrote it.
- Tib3rius (rooted 5/5 exam hosts)
I highly recommend anyone going for their OSCP, doing CTFs or on HTB to check out this tool. Been using AutoRecon on HTB for a month before using it over on the PWK labs and it helped me pass my OSCP exam. If you're having a hard time getting settled with an enumeration methodology I encourage you to follow the flow and techniques this script uses. It takes out a lot of the tedious work that you're probably used to while at the same time providing well-organized subdirectories to quickly look over so you don't lose your head. The manual commands it provides are great for those specific situations that need it when you have run out of options. It's a very valuable tool, cannot recommend enough.
- d0hnuts (rooted 5/5 exam hosts)
Autorecon is not just any other tool, it is a recon correlation framework for engagements. This helped me fire off a whole bunch of scans while I was working on other targets. This can help a lot in time management. This assisted me to own 4/5 boxes in the PWK exam! Result: Passed!
- Wh0ami (rooted 4/5 exam hosts)