From 5115e160b5bd58a3ec5daa47f70da5bac0975b37 Mon Sep 17 00:00:00 2001 From: Tib3rius <48113936+Tib3rius@users.noreply.github.com> Date: Sun, 29 Aug 2021 22:57:30 -0400 Subject: [PATCH] Update README.md --- README.md | 160 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 89 insertions(+), 71 deletions(-) diff --git a/README.md b/README.md index 0c18a5f..d02fc34 100644 --- a/README.md +++ b/README.md 
@@ -20,20 +20,28 @@ AutoRecon was inspired by three tools which the author used during the OSCP labs ## Features -* Supports multiple targets in the form of IP addresses, IP ranges (CIDR notation), and resolvable hostnames. -* Can scan targets concurrently, utilizing multiple processors if they are available. -* Customizable port scanning profiles for flexibility in your initial scans. -* Customizable service enumeration commands and suggested manual follow-up commands. +* Supports multiple targets in the form of IP addresses, IP ranges (CIDR notation), and resolvable hostnames. IPv6 is supported. +* Can scan multiple targets concurrently, utilizing multiple processors if they are available. +* Advanced plugin system allowing for easy creation of new scans. +* Customizable port scanning plugins for flexibility in your initial scans. +* Customizable service scanning plugins for further enumeration. +* Suggested manual follow-up commands for when automation makes little sense. +* Ability to limit port scanning to a combination of TCP/UDP ports. +* Ability to skip port scanning phase by suppling information about services which should be open. +* Global and per-scan pattern matching which highlights and extracts important information from the noise. * An intuitive directory structure for results gathering. * Full logging of commands that were run, along with errors if they fail. -* Global and per-scan pattern matching so you can highlight/extract important information from the noise. +* A powerful config file lets you use your favorite settings every time. +* A tagging system that lets you include or exclude certain plugins. +* Global and per-target timeouts in case you only have limited time. +* Three levels of verbosity, controllable by command-line options, and during scans using Up/Down arrows. +* Colorized output for distinguishing separate pieces of information. Can be turned off for accessibility reasons. 
## Requirements - Python 3 - `python3-pip` - ### Supporting packages Several commands used in AutoRecon reference the SecLists project, in the directory /usr/share/seclists/. You can either manually download the SecLists project to this directory (https://github.com/danielmiessler/SecLists), or if you are using Kali Linux (**highly recommended**) you can run the following: 
@@ -109,11 +117,13 @@ See detailed usage options below. AutoRecon uses Python 3 specific functionality and does not support Python 2. ``` -usage: autorecon.py [-t TARGET_FILE] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE] [--tags TAGS] [--exclude-tags EXCLUDE_TAGS] +usage: autorecon.py [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE] [--tags TAGS] [--exclude-tags EXCLUDE_TAGS] [--plugins-dir PLUGINS_DIR] [-o OUTDIR] [--single-target] [--only-scans-dir] [--create-port-dirs] [--heartbeat HEARTBEAT] [--timeout TIMEOUT] - [--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [--disable-sanity-checks] [--accessible] [-v] [--version] - [--curl.path VALUE] [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}] [--dirbuster.wordlist VALUE] [--dirbuster.threads VALUE] - [--onesixtyone.community-strings VALUE] [--global.username-wordlist VALUE] [--global.password-wordlist VALUE] [--global.domain VALUE] [-h] + [--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [--disable-sanity-checks] [--disable-keyboard-control] + [--force-services FORCE_SERVICES [FORCE_SERVICES ...]] [--accessible] [-v] [--version] [--curl.path VALUE] + [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}] [--dirbuster.wordlist VALUE [VALUE ...]] [--dirbuster.threads VALUE] + [--dirbuster.ext VALUE] [--onesixtyone.community-strings VALUE] [--global.username-wordlist VALUE] [--global.password-wordlist VALUE] + [--global.domain VALUE] [-h] [targets ...] Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets. 
@@ -121,68 +131,76 @@ Network reconnaissance tool to port scan and automatically enumerate services fo positional arguments: targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan. - optional arguments: [30/2643] - -t TARGET_FILE, --targets TARGET_FILE - Read targets from file. - -m MAX_SCANS, --max-scans MAX_SCANS - The maximum number of concurrent scans to run. Default: 50 - -mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS - The maximum number of concurrent port scans to run. Default: 10 (approx 20% of max-scans unless specified) - -c CONFIG_FILE, --config CONFIG_FILE - Location of AutoRecon's config file. Default: /mnt/hgfs/AutoRecon/config.toml - -g GLOBAL_FILE, --global-file GLOBAL_FILE - Location of AutoRecon's global file. Default: /mnt/hgfs/AutoRecon/global.toml - --tags TAGS Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to - create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group. Default: default - --exclude-tags EXCLUDE_TAGS - Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to - create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group. Default: None - --plugins-dir PLUGINS_DIR - The location of the plugins directory. Default: /mnt/hgfs/AutoRecon/plugins - -o OUTDIR, --output OUTDIR - The output directory for results. Default: results - --single-target Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the - output directory. Default: False - --only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. 
Default: False - --create-port-dirs Create directories for ports within the "scans" directory (e.g. scans/tcp80, scans/udp53) and store results in these directories. Default: False - --heartbeat HEARTBEAT - Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60 - --timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: None - --target-timeout TARGET_TIMEOUT - Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it and moving on. Default: None - --nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn - --nmap-append NMAP_APPEND - Append to the default {nmap_extra} variable in scans. Default: - --disable-sanity-checks - Disable sanity checks that would otherwise prevent the scans from running. Default: False - --accessible Attempts to make AutoRecon output more accessible to screenreaders. Default: False - -v, --verbose Enable verbose output. Repeat for more verbosity. - --version Prints the AutoRecon version and exits. - -h, --help Show this help message and exit. +optional arguments: + -t TARGET_FILE, --targets TARGET_FILE + Read targets from file. + -p PORTS, --ports PORTS + Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by prepending list with T:/U: To scan both TCP/UDP, put port(s) at start + or specify B: e.g. 53,T:21-25,80,U:123,B:123. Default: None + -m MAX_SCANS, --max-scans MAX_SCANS + The maximum number of concurrent scans to run. Default: 50 + -mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS + The maximum number of concurrent port scans to run. Default: 10 (approx 20% of max-scans unless specified) + -c CONFIG_FILE, --config CONFIG_FILE + Location of AutoRecon's config file. Default: /mnt/hgfs/AutoRecon/config.toml + -g GLOBAL_FILE, --global-file GLOBAL_FILE + Location of AutoRecon's global file. 
Default: /mnt/hgfs/AutoRecon/global.toml + --tags TAGS Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to + create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group. Default: default + --exclude-tags EXCLUDE_TAGS + Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to + create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group. Default: None + --plugins-dir PLUGINS_DIR + The location of the plugins directory. Default: /mnt/hgfs/AutoRecon/plugins + -o OUTDIR, --output OUTDIR + The output directory for results. Default: results + --single-target Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the + output directory. Default: False + --only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: False + --create-port-dirs Create directories for ports within the "scans" directory (e.g. scans/tcp80, scans/udp53) and store results in these directories. Default: False + --heartbeat HEARTBEAT + Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60 + --timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: None + --target-timeout TARGET_TIMEOUT + Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it and moving on. Default: None + --nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn + --nmap-append NMAP_APPEND + Append to the default {nmap_extra} variable in scans. 
Default: + --disable-sanity-checks + Disable sanity checks that would otherwise prevent the scans from running. Default: False + --disable-keyboard-control + Disables keyboard control ([s]tatus, Up, Down) if you are in SSH or Docker. + --force-services FORCE_SERVICES [FORCE_SERVICES ...] + A space separated list of services in the following style: tcp/80/http/insecure tcp/443/https/secure + --accessible Attempts to make AutoRecon output more accessible to screenreaders. Default: False + -v, --verbose Enable verbose output. Repeat for more verbosity. + -h, --help Show this help message and exit. - plugin arguments: - These are optional arguments for certain plugins. - - --curl.path VALUE The path on the web server to curl. Default: / - --dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb} - The tool to use for directory busting. Default: feroxbuster - --dirbuster.wordlist VALUE - The wordlist to use when directory busting. Specify the option multiple times to use multiple wordlists. Default: - ['/usr/share/seclists/Discovery/Web-Content/common.txt'] - --dirbuster.threads VALUE - The number of threads to use when directory busting. Default: 10 - --onesixtyone.community-strings VALUE - The file containing a list of community strings to try. Default: /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt - - global plugin arguments: - These are optional arguments that can be used by all plugins. - - --global.username-wordlist VALUE - A wordlist of usernames, useful for bruteforcing. Default: /usr/share/seclists/Usernames/top-usernames-shortlist.txt - --global.password-wordlist VALUE - A wordlist of passwords, useful for bruteforcing. Default: /usr/share/seclists/Passwords/darkweb2017-top100.txt - --global.domain VALUE - The domain to use (if known). Used for DNS and/or Active Directory. +plugin arguments: + These are optional arguments for certain plugins. + + --curl.path VALUE The path on the web server to curl. 
Default: / + --dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb} + The tool to use for directory busting. Default: feroxbuster + --dirbuster.wordlist VALUE [VALUE ...] + The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: ['/usr/share/seclists/Discovery/Web- + Content/common.txt'] + --dirbuster.threads VALUE + The number of threads to use when directory busting. Default: 10 + --dirbuster.ext VALUE + The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp + --onesixtyone.community-strings VALUE + The file containing a list of community strings to try. Default: /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt + +global plugin arguments: + These are optional arguments that can be used by all plugins. + + --global.username-wordlist VALUE + A wordlist of usernames, useful for bruteforcing. Default: /usr/share/seclists/Usernames/top-usernames-shortlist.txt + --global.password-wordlist VALUE + A wordlist of passwords, useful for bruteforcing. Default: /usr/share/seclists/Passwords/darkweb2017-top100.txt + --global.domain VALUE + The domain to use (if known). Used for DNS and/or Active Directory. Default: None ``` ### Verbosity
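Review bot: "suppling" in the new Features bullet "Ability to skip port scanning phase by suppling information about services which should be open." should read "supplying"; while touching that bullet, naming the option that does this (`--force-services`, added to the usage text later in this patch) would let readers find it, and the "Three levels of verbosity ... using Up/Down arrows" bullet could likewise point at `--disable-keyboard-control` for the SSH/Docker case the help text mentions.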
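Review bot: the rewritten usage synopsis still lists `[--version]`, but the optional-arguments block in the following hunk removes the old `--version  Prints the AutoRecon version and exits.` entry and does not add it back; either restore that entry or drop `[--version]` from the synopsis so the two halves of the help output agree.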
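Review bot: the default for `--dirbuster.wordlist` is wrapped in the middle of the path (`['/usr/share/seclists/Discovery/Web-` on one line, `Content/common.txt']` on the next), so anyone copying it from the README gets a broken path; reflow that entry so the path stays on one line. Two smaller points in the same block: the defaults for `-c`, `-g` and `--plugins-dir` still show the author's local `/mnt/hgfs/AutoRecon/...` paths, which are values computed on the machine that generated the help text rather than what a user will see, and a placeholder along the lines of `<install-dir>/config.toml` would be clearer; and the two new options `--disable-keyboard-control` and `--force-services` are the only entries without a `Default:`, and `--force-services` would benefit from one sentence explaining what the fourth field of `tcp/80/http/insecure` means, since nothing else on the page defines `insecure`/`secure`.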