diff --git a/autorecon.py b/autorecon.py
index 170bc07..4a7d5e8 100644
--- a/autorecon.py
+++ b/autorecon.py
@@ -25,8 +25,9 @@ class Pattern:
 class Target:
- def __init__(self, address, type, autorecon):
+ def __init__(self, address, ipversion, type, autorecon):
 self.address = address
+ self.ipversion = ipversion
 self.type = type
 self.autorecon = autorecon
 self.basedir = ''
@@ -61,7 +62,7 @@ class Target:
 if self.autorecon.args.nmap_append:
 nmap_extra += ' ' + self.autorecon.args.nmap_append
- if target.type == 'IPv6':
+ if target.ipversion == 'IPv6':
 nmap_extra += ' -6'
 addressv6 = '[' + addressv6 + ']'
@@ -155,7 +156,7 @@ class Service:
 if protocol == 'udp':
 nmap_extra += ' -sU'
- if self.target.type == 'IPv6':
+ if self.target.ipversion == 'IPv6':
 nmap_extra += ' -6'
 addressv6 = '[' + addressv6 + ']'
@@ -973,7 +974,7 @@ async def service_scan(plugin, service):
 if protocol == 'udp':
 nmap_extra += ' -sU'
- if service.target.type == 'IPv6':
+ if service.target.ipversion == 'IPv6':
 nmap_extra += ' -6'
 addressv6 = '[' + addressv6 + ']'
@@ -1170,7 +1171,7 @@ async def scan_target(target):
 if protocol == 'udp':
 nmap_extra += ' -sU'
- if target.type == 'IPv6':
+ if target.ipversion == 'IPv6':
 nmap_extra += ' -6'
 addressv6 = '[' + addressv6 + ']'
@@ -1701,9 +1702,9 @@ async def main():
 continue
 if isinstance(ip, ipaddress.IPv4Address):
- autorecon.pending_targets.append(Target(ip_str, 'IPv4', autorecon))
+ autorecon.pending_targets.append(Target(ip_str, 'IPv4', 'ip', autorecon))
 elif isinstance(ip, ipaddress.IPv6Address):
- autorecon.pending_targets.append(Target(ip_str, 'IPv6', autorecon))
+ autorecon.pending_targets.append(Target(ip_str, 'IPv6', 'ip', autorecon))
 else:
 fail('This should never happen unless IPv8 is invented.')
 except ValueError:
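Review bot: The new `ipversion` and `type` discriminators in `Target.__init__` are free-form strings that every later check compares with `==`, so a `Target` built with a swapped or misspelt value — the positional order `address, ipversion, type` makes `Target(ip, 'ip', 'IPv4', autorecon)` an easy slip — silently falls into the non-IPv6 branch and scans without `-6` instead of failing. Reject bad values at construction: `if ipversion not in ('IPv4', 'IPv6') or type not in ('ip', 'hostname'):` followed by `raise ValueError('ipversion must be IPv4/IPv6 and type ip/hostname')`. Note too that `self.type` changes meaning in this commit (it held 'IPv4'/'IPv6' before), so any `target.type == 'IPv4'` left in a plugin not touched here would now be always false and silently skip that tool; a grep for `.type ==` across the plugins is worth doing before merge. A short comment on the two attributes, e.g. `# ipversion: 'IPv4' | 'IPv6'; type: 'ip' (literal address) or 'hostname' (resolved name)`, would make the distinction obvious to plugin authors.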
@@ -1727,9 +1728,9 @@ async def main():
 continue
 if isinstance(ip, ipaddress.IPv4Address):
- autorecon.pending_targets.append(Target(ip_str, 'IPv4', autorecon))
+ autorecon.pending_targets.append(Target(ip_str, 'IPv4', 'ip', autorecon))
 elif isinstance(ip, ipaddress.IPv6Address):
- autorecon.pending_targets.append(Target(ip_str, 'IPv6', autorecon))
+ autorecon.pending_targets.append(Target(ip_str, 'IPv6', 'ip', autorecon))
 else:
 fail('This should never happen unless IPv8 is invented.')
@@ -1747,7 +1748,7 @@ async def main():
 if found:
 continue
- autorecon.pending_targets.append(Target(target, 'IPv4', autorecon))
+ autorecon.pending_targets.append(Target(target, 'IPv4', 'hostname', autorecon))
 except socket.gaierror:
 try:
 addresses = socket.getaddrinfo(target, None, socket.AF_INET6)
@@ -1761,7 +1762,7 @@ async def main():
 if found:
 continue
- autorecon.pending_targets.append(Target(target, 'IPv6', autorecon))
+ autorecon.pending_targets.append(Target(target, 'IPv6', 'hostname', autorecon))
 except socket.gaierror:
 error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.')
 errors = True
diff --git a/plugins/databases.py b/plugins/databases.py
index a791ac0..e135de4 100644
--- a/plugins/databases.py
+++ b/plugins/databases.py
@@ -24,7 +24,7 @@ class NmapMSSQL(ServiceScan):
 self.match_service_name(['^mssql', '^ms\-sql'])
 def manual(self, service, plugin_was_run):
- if service.target.type == 'IPv4':
+ if service.target.ipversion == 'IPv4':
 service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}')
 async def run(self, service):
@@ -41,7 +41,7 @@ class NmapMYSQL(ServiceScan):
 self.match_service_name('^mysql')
 def manual(self, service, plugin_was_run):
- if service.target.type == 'IPv4':
+ if service.target.ipversion == 'IPv4':
 service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}')
 async def run(self, service):
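Review bot: In the two hostname branches only the name is kept on the target (`Target(target, 'IPv4', 'hostname', autorecon)`) and the answers from `getaddrinfo` are dropped, so every tool later re-resolves the name on its own. On a long scan a round-robin or changed DNS answer can spread results across different hosts with nothing in the report saying which IP was actually hit; keeping the first answer on the target next to the `getaddrinfo` calls, e.g. `target.resolved = addresses[0][4][0]`, and printing it when the scan starts would make the output attributable. The 'IPv4' label also appears to be assigned just because AF_INET resolution succeeded, so a dual-stack host is only ever scanned over IPv4 — acceptable as a default, but worth a one-line comment. The enclosing `main()` starts well before these hunks.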
@@ -74,7 +74,7 @@ class OracleTNScmd(ServiceScan):
 self.match_service_name('^oracle')
 async def run(self, service):
- if service.target.type == 'IPv4':
+ if service.target.ipversion == 'IPv4':
 await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt')
 await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt')
diff --git a/plugins/default-port-scan.py b/plugins/default-port-scan.py
index 0cd812e..8f67089 100644
--- a/plugins/default-port-scan.py
+++ b/plugins/default-port-scan.py
@@ -27,7 +27,6 @@ class AllTCPPortScan(PortScan):
 def __init__(self):
 super().__init__()
 self.name = "All TCP Ports"
- self.type = 'tcp'
 self.tags = ["default", "default-port-scan", "long"]
 async def run(self, target):
diff --git a/plugins/dns.py b/plugins/dns.py
index 850e4e3..e0f59b2 100644
--- a/plugins/dns.py
+++ b/plugins/dns.py
@@ -25,9 +25,10 @@ class DNSZoneTransfer(ServiceScan):
 async def run(self, service):
 if self.get_global('domain'):
- await service.execute('dig AXFR -p {port} @{address} ' + self.get_global('domain'), outfile='{protocol}_{port}_dns_zone-transfer.txt')
- else:
- await service.execute('dig AXFR -p {port} @{address}', outfile='{protocol}_{port}_dns_zone-transfer.txt')
+ await service.execute('dig AXFR -p {port} @{address} ' + self.get_global('domain'), outfile='{protocol}_{port}_dns_zone-transfer-domain.txt')
+ if service.target.type == 'hostname':
+ await service.execute('dig AXFR -p {port} @{address} {address}', outfile='{protocol}_{port}_dns_zone-transfer-hostname.txt')
+ await service.execute('dig AXFR -p {port} @{address}', outfile='{protocol}_{port}_dns_zone-transfer.txt')
 class DNSReverseLookup(ServiceScan):
diff --git a/plugins/http.py b/plugins/http.py
index 2abad5e..0e08e27 100644
--- a/plugins/http.py
+++ b/plugins/http.py
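Review bot: The new hostname transfer in `DNSZoneTransfer.run` passes the target name itself as the zone (`dig AXFR -p {port} @{address} {address}`), but a resolvable host such as `www.example.com` is rarely a zone apex, so that request will usually be refused while the parent domain — the zone an open AXFR would actually leak — is never tried. Consider deriving it from the name, e.g. `zone = service.target.address.split('.', 1)[-1]`, and running the AXFR against `zone` as well when it still contains a dot. The final unconditional `dig AXFR -p {port} @{address}` now also runs when `domain` is set, whereas before it was only the fallback; with no name dig queries the root zone, so this adds a request that cannot succeed plus an empty `dns_zone-transfer.txt` to every run. Gating it on `if not self.get_global('domain'):` keeps the previous behaviour.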
@@ -88,7 +88,7 @@ class DirBuster(ServiceScan):
 def configure(self):
 self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s')
- self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt'], help='The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: %(default)s')
+ self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt', '/usr/share/seclists/Discovery/Web-Content/big.txt', '/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt'], help='The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: %(default)s')
 self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s')
 self.add_option('ext', default='txt,html,php,asp,aspx,jsp', help='The extensions you wish to fuzz (no dot, comma separated). Default: %(default)s')
 self.match_service_name('^http')
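Review bot: Growing the default `wordlist` option from one file to three multiplies the request volume of every default HTTP scan, since `run` iterates the lists and launches one tool invocation per list, each expanded by the six default extensions, and `common.txt` and `big.txt` overlap heavily, so many paths are requested two or three times per service. That is a real cost on rate-limited or production-like targets and a noise source for anyone watching the target's logs. Either keep `common.txt` as the sole default and leave the larger lists as an opt-in, or at least say so in the help text, e.g. `help='... Default: %(default)s (three lists; pass a single list for a lighter scan)'`.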
@@ -99,45 +99,42 @@ class DirBuster(ServiceScan):
 for wordlist in self.get_option('wordlist'):
 name = os.path.splitext(os.path.basename(wordlist))[0]
 if self.get_option('tool') == 'feroxbuster':
- await service.execute('feroxbuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x ' + self.get_option('ext') + ' -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"')
+ await service.execute('feroxbuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "' + self.get_option('ext') + '" -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"')
 elif self.get_option('tool') == 'gobuster':
 await service.execute('gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"')
 elif self.get_option('tool') == 'dirsearch':
- if service.target.type == 'IPv6':
+ if service.target.ipversion == 'IPv6':
 error('dirsearch does not support IPv6.')
 else:
- await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -e ' + self.get_option('ext') + ' -f -q -w ' + wordlist + ' --format=plain -o "{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"')
+ await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -e "' + self.get_option('ext') + '" -f -q -w ' + wordlist + ' --format=plain -o "{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"')
 elif self.get_option('tool') == 'ffuf':
 await service.execute('ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e "' + dot_extensions + '" -v -noninteractive | tee 
{scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt')
 elif self.get_option('tool') == 'dirb':
 await service.execute('dirb {http_scheme}://{addressv6}:{port}/ ' + wordlist + ' -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"')
 def manual(self, service, plugin_was_run):
- service.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
- 'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt',
- 'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt'
- ])
-
- service.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
- 'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"',
- 'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"'
- ])
-
- if service.target.type == 'IPv4':
- service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
- 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w 
/usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"',
- 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"'
+ dot_extensions = ','.join(['.' + x for x in self.get_option('ext').split(',')])
+ if self.get_option('tool') == 'feroxbuster':
+ service.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
+ 'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "' + self.get_option('ext') + '" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt'
+ ])
+ elif self.get_option('tool') == 'gobuster':
+ service.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
+ 'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"'
+ ])
+ elif self.get_option('tool') == 'dirsearch':
+ if service.target.ipversion == 'IPv4':
+ service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
+ 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e "' + self.get_option('ext') + '" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"'
+ ])
+ elif self.get_option('tool') == 
'ffuf':
+ service.add_manual_command('(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
+ 'ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_dirbuster.txt'
+ ])
+ elif self.get_option('tool') == 'dirb':
+ service.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [
+ 'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"'
 ])
-
- service.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [
- 'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"',
- 'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"'
- ])
-
- service.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
- 'gobuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"',
- 'gobuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -x "txt,html,php,asp,aspx,jsp" -o 
"{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' - ]) class Nikto(ServiceScan): @@ -151,7 +148,7 @@ class Nikto(ServiceScan): self.match_service_name('^nacn_http$', negative_match=True) def manual(self, service, plugin_was_run): - if service.target.type == 'IPv4': + if service.target.ipversion == 'IPv4': service.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') class WhatWeb(ServiceScan): @@ -166,7 +163,7 @@ class WhatWeb(ServiceScan): self.match_service_name('^nacn_http$', negative_match=True) async def run(self, service): - if service.protocol == 'tcp' and service.target.type == 'IPv4': + if service.protocol == 'tcp' and service.target.ipversion == 'IPv4': await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt') class WkHTMLToImage(ServiceScan): diff --git a/plugins/sip.py b/plugins/sip.py index cbc57f4..b69ef25 100644 --- a/plugins/sip.py +++ b/plugins/sip.py @@ -24,5 +24,5 @@ class SIPVicious(ServiceScan): self.match_service_name('^asterisk') def manual(self, service, plugin_was_run): - if service.target.type == 'IPv4': + if service.target.ipversion == 'IPv4': service.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') diff --git a/plugins/smb.py b/plugins/smb.py index d36697d..f5c4f65 100644 --- a/plugins/smb.py +++ b/plugins/smb.py @@ -50,7 +50,7 @@ class Enum4Linux(ServiceScan): self.run_once(True) async def run(self, service): - if service.target.type == 'IPv4': + if service.target.ipversion == 'IPv4': await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt') class NBTScan(ServiceScan): 
@@ -66,7 +66,7 @@ class NBTScan(ServiceScan):
 self.run_once(True)
 async def run(self, service):
- if service.target.type == 'IPv4':
+ if service.target.ipversion == 'IPv4':
 await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt')
 class SMBClient(ServiceScan):
@@ -95,7 +95,7 @@ class SMBMap(ServiceScan):
 self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
 async def run(self, service):
- if service.target.type == 'IPv4':
+ if service.target.ipversion == 'IPv4':
 await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
 await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
 await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
diff --git a/plugins/snmp.py b/plugins/snmp.py
index 2355cd5..86a4507 100644
--- a/plugins/snmp.py
+++ b/plugins/snmp.py
@@ -27,7 +27,7 @@ class OneSixtyOne(ServiceScan):
 self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s')
 async def run(self, service):
- if service.target.type == 'IPv4':
+ if service.target.ipversion == 'IPv4':
 await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt')
 class SNMPWalk(ServiceScan):