Merge 1c511d07a2 into fd87c99abc

2025-06-13 12:34:40 +00:00 · 2025-06-13 12:34:40 +00:00 · 455b2cc1ff
parent fd87c99abc 1c511d07a2
commit 455b2cc1ff
3 changed files with 92 additions and 43 deletions
--- a/README.md
+++ b/README.md
@ -262,15 +262,35 @@ plugin arguments:
  --dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}
                        The tool to use for directory busting. Default: feroxbuster
  --dirbuster.wordlist VALUE [VALUE ...]
-                        The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default:
-                        ['~/.local/share/AutoRecon/wordlists/dirbuster.txt']
+                        The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: ['/root/.local/share/AutoRecon/wordlists/dirbuster.txt']
  --dirbuster.threads VALUE
                        The number of threads to use when directory busting. Default: 10
  --dirbuster.ext VALUE
                        The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp
+  --dirbuster.recursive
+                        Enables recursive searching (where available). Warning: This may cause significant increases to scan times. Default: False
+  --dirbuster.extras VALUE
+                        Any extra options you wish to pass to the tool when it runs. e.g. --dirbuster.extras='-s 200,301 --discover-backup'
+  --enum4linux.tool {enum4linux-ng,enum4linux}
+                        The tool to use for doing Windows and Samba enumeration. Default: enum4linux-ng
  --onesixtyone.community-strings VALUE
-                        The file containing a list of community strings to try. Default: /usr/share/seclists/Discovery/SNMP/common-snmp-
-                        community-strings-onesixtyone.txt
+                        The file containing a list of community strings to try. Default: /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
+  --redirect-host-discovery.update-hosts
+                        If set, discovered redirect hostnames will be added to /etc/hosts with the target IP
+  --subdomain-enum.domain VALUE
+                        The domain to use as the base domain (e.g. example.com) for subdomain enumeration. Default: None
+  --subdomain-enum.wordlist VALUE [VALUE ...]
+                        The wordlist(s) to use when enumerating subdomains. Separate multiple wordlists with spaces. Default: ['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt']
+  --subdomain-enum.threads VALUE
+                        The number of threads to use when enumerating subdomains. Default: 10
+  --vhost-enum.hostname VALUE
+                        The hostname to use as the base host (e.g. example.com) for virtual host enumeration. Default: None
+  --vhost-enum.wordlist VALUE [VALUE ...]
+                        The wordlist(s) to use when enumerating virtual hosts. Separate multiple wordlists with spaces. Default: ['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt']
+  --vhost-enum.threads VALUE
+                        The number of threads to use when enumerating virtual hosts. Default: 10
+  --wpscan.api-token VALUE
+                        An API Token from wpvulndb.com to help search for more vulnerabilities.

 global plugin arguments:
  These are optional arguments that can be used by all plugins.
--- a/autorecon/default-plugins/hostname-discovery.py
+++ b/autorecon/default-plugins/hostname-discovery.py
@ -1,39 +0,0 @@
-from autorecon.plugins import ServiceScan
-import requests
-from urllib.parse import urlparse
-import urllib3
-
-urllib3.disable_warnings()
-
-class RedirectHostnameDiscovery(ServiceScan):
-
-	def __init__(self):
-		super().__init__()
-		self.name = 'Redirect Hostname Discovery'
-		self.slug = 'redirect-host-discovery'
-		self.tags = ['default', 'http', 'quick']
-
-	def configure(self):
-		self.match_service_name('^http')
-		self.match_service_name('^nacn_http$', negative_match=True)
-
-	async def run(self, service):
-		try:
-			url = f"{'https' if service.secure else 'http'}://{service.target.address}:{service.port}/"
-			resp = requests.get(url, verify=False, allow_redirects=False)
-
-			if 'Location' in resp.headers:
-				location = resp.headers['Location']
-				parsed = urlparse(location)
-				redirect_host = parsed.hostname
-
-				if redirect_host:
-					service.info(f"[+] Redirect detected: {url} → {location}")
-					service.info(f"[+] Hostname found in redirect: {redirect_host}")
-				else:
-					service.info(f"[+] Redirect detected, but no hostname could be parsed: {location}")
-			else:
-				service.info(f"[-] No redirect detected at {url}")
-
-		except Exception as e:
-			service.error(f"[!] Error during redirect check on {service.target.address}:{service.port} — {e}")
--- a/autorecon/default-plugins/redirect-host-discovery.py
+++ b/autorecon/default-plugins/redirect-host-discovery.py
@ -0,0 +1,68 @@
+from autorecon.plugins import ServiceScan
+from urllib.parse import urlparse
+import requests
+import urllib3
+import os
+import ipaddress
+
+urllib3.disable_warnings()
+
+class RedirectHostnameDiscovery(ServiceScan):
+
+    def __init__(self):
+        super().__init__()
+        self.name = 'Redirect Hostname Discovery'
+        self.slug = 'redirect-host-discovery'
+        self.tags = ['default', 'http', 'quick']
+
+    def configure(self):
+        self.match_service_name('^http')
+        self.match_service_name('^nacn_http$', negative_match=True)
+        self.add_true_option(
+            'update-hosts',
+            help='If set, discovered redirect hostnames will be added to /etc/hosts with the target IP'
+        )
+
+    async def run(self, service):
+        try:
+            ipaddress.ip_address(service.target.address)
+        except ValueError:
+            return 
+
+        try:
+            url = f"{'https' if service.secure else 'http'}://{service.target.address}:{service.port}/"
+            resp = requests.get(url, verify=False, allow_redirects=False)
+
+            if 'Location' in resp.headers:
+                location = resp.headers['Location']
+                parsed = urlparse(location)
+                redirect_host = parsed.hostname
+
+                if redirect_host:
+                    service.info(f"[+] Redirect detected: {url} → {location}")
+                    service.info(f"[+] Hostname found in redirect: {redirect_host}")
+
+                    if self.get_option('update-hosts'):
+                        if os.geteuid() != 0:
+                            service.error("[!] --redirect-host-discovery.update-hosts requires root to modify /etc/hosts.")
+                            return
+
+                        ip = service.target.address
+                        hostname = redirect_host
+
+                        with open("/etc/hosts", "r") as hosts_file:
+                            for line in hosts_file:
+                                parts = line.strip().split()
+                                if len(parts) >= 2 and parts[0] == ip and hostname in parts[1:]:
+                                    return  # entry exists, skip writing
+
+                        with open("/etc/hosts", "a") as hosts_file:
+                            hosts_file.write(f"{ip} {hostname}\n")
+                        service.info(f"[+] Hostname {hostname} added to /etc/hosts with IP {ip}")
+                else:
+                    service.info(f"[+] Redirect detected, but no hostname found in: {location}")
+            else:
+                service.info(f"[-] No redirect detected at {url}")
+
+        except Exception as e:
+            service.error(f"[!] Error during redirect check on {service.target.address}:{service.port} — {e}")