From 70e6eec782b235d46b6258530a315fe65bdf7b45 Mon Sep 17 00:00:00 2001 From: Tib3rius <48113936+Tib3rius@users.noreply.github.com> Date: Sat, 31 Jul 2021 21:06:28 -0400 Subject: [PATCH] AutoRecon v2 Beta Release Effectively an initial commit since this is 95% rewritten code. --- .gitignore | 141 +- Dockerfile | 16 - README.md | 424 +---- autorecon.py | 1429 +++++++++++++++++ config.toml | 20 + global.toml | 7 + {src/autorecon => plugins}/__init__.py | 0 plugins/databases.py | 122 ++ plugins/default-port-scan.py | 46 + plugins/dns.py | 14 + plugins/ftp.py | 30 + plugins/http.py | 186 +++ plugins/kerberos.py | 14 + plugins/ldap.py | 29 + plugins/misc.py | 170 ++ plugins/nfs.py | 27 + plugins/rdp.py | 30 + plugins/rpc.py | 27 + plugins/sip.py | 27 + plugins/smb.py | 85 + plugins/snmp.py | 52 + plugins/ssh.py | 30 + plugins/sslscan.py | 16 + poetry.lock | 42 - poetry.toml | 2 - pyproject.toml | 28 - requirements.txt | 4 +- src/autorecon/autorecon.py | 885 ---------- .../config/global-patterns-default.toml | 8 - .../config/port-scan-profiles-default.toml | 45 - .../config/service-scans-default.toml | 586 ------- 31 files changed, 2370 insertions(+), 2172 deletions(-) delete mode 100644 Dockerfile create mode 100644 autorecon.py create mode 100644 config.toml create mode 100644 global.toml rename {src/autorecon => plugins}/__init__.py (100%) create mode 100644 plugins/databases.py create mode 100644 plugins/default-port-scan.py create mode 100644 plugins/dns.py create mode 100644 plugins/ftp.py create mode 100644 plugins/http.py create mode 100644 plugins/kerberos.py create mode 100644 plugins/ldap.py create mode 100644 plugins/misc.py create mode 100644 plugins/nfs.py create mode 100644 plugins/rdp.py create mode 100644 plugins/rpc.py create mode 100644 plugins/sip.py create mode 100644 plugins/smb.py create mode 100644 plugins/snmp.py create mode 100644 plugins/ssh.py create mode 100644 plugins/sslscan.py delete mode 100644 poetry.lock delete mode 100644 poetry.toml delete mode 100644 pyproject.toml delete mode 100755 src/autorecon/autorecon.py delete mode 100644 src/autorecon/config/global-patterns-default.toml delete mode 100644 src/autorecon/config/port-scan-profiles-default.toml delete mode 100644 src/autorecon/config/service-scans-default.toml diff --git a/.gitignore b/.gitignore index e1811a8..463d071 100644 --- a/.gitignore +++ b/.gitignore @@ -1,139 +1,4 @@ -# Byte-compiled / optimized / DLL files -__pycache__/ -*.py[cod] -*$py.class +__pycache__ +plugins/__pycache__ *.pyc - -# C extensions -*.so - -# Distribution / packaging -.Python -build/ -develop-eggs/ -dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ -share/python-wheels/ -*.egg-info/ -.installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. -*.manifest -*.spec - -# Installer logs -pip-log.txt -pip-delete-this-directory.txt - -# Unit test / coverage reports -htmlcov/ -.tox/ -.nox/ -.coverage -.coverage.* -.cache -nosetests.xml -coverage.xml -*.cover -*.py,cover -.hypothesis/ -.pytest_cache/ -cover/ - -# Translations -*.mo -*.pot - -# Django stuff: -*.log -local_settings.py -db.sqlite3 -db.sqlite3-journal - -# Flask stuff: -instance/ -.webassets-cache - -# Scrapy stuff: -.scrapy - -# Sphinx documentation -docs/_build/ - -# PyBuilder -.pybuilder/ -target/ - -# Jupyter Notebook -.ipynb_checkpoints - -# IPython -profile_default/ -ipython_config.py - -# pyenv -# For a library or package, you might want to ignore these files since the code is -# intended to run in multiple environments; otherwise, check them in: -# .python-version - -# pipenv -# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. -# However, in case of collaboration, if having platform-specific dependencies or dependencies -# having no cross-platform support, pipenv may install dependencies that don't work, or not -# install all needed dependencies. -#Pipfile.lock - -# PEP 582; used by e.g. github.com/David-OConnor/pyflow -__pypackages__/ - -# Celery stuff -celerybeat-schedule -celerybeat.pid - -# SageMath parsed files -*.sage.py - -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ -.dmypy.json -dmypy.json - -# Pyre type checker -.pyre/ - -# pytype static type analyzer -.pytype/ - -# Cython debug symbols -cython_debug/ +results/ diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index cae11fb..0000000 --- a/Dockerfile +++ /dev/null @@ -1,16 +0,0 @@ -#sudo docker build -t tib3rius/autorecon . -#mkdir /root/results -#Usage: sudo docker run -it -v /root/results:/results --rm --name autorecon-container tib3rius/autorecon 127.0.0.1 - -FROM kalilinux/kali-bleeding-edge:latest -RUN apt-get update -RUN apt-get install sudo git -y -RUN sudo apt install python3 -y -RUN sudo apt install python3-pip -y -RUN python3 -m pip install --user pipx -RUN python3 -m pipx ensurepath -RUN python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git -RUN sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner smbclient smbmap smtp-user-enum snmp sslscan sipvicious tnscmd10g whatweb wkhtmltopdf -y -RUN echo "Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/kali/.local/bin"" >> /etc/sudoers -RUN apt-get -y autoremove && apt-get -y autoclean -ENTRYPOINT ["autorecon"] diff --git a/README.md b/README.md index f2bcf53..b67a694 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -[![Packaging status](https://repology.org/badge/vertical-allrepos/autorecon.svg)](https://repology.org/project/autorecon/versions) - > It's like bowling with bumpers. - [@ippsec](https://twitter.com/ippsec) # AutoRecon @@ -24,77 +22,11 @@ AutoRecon was inspired by three tools which the author used during the OSCP labs * Full logging of commands that were run, along with errors if they fail. * Global and per-scan pattern matching so you can highlight/extract important information from the noise. -## Quick Install (Docker) - -If you don't have a Kali instance, you can quickly install AutoRecon using the Dockerfile in the repository. Simply download the Dockerfile, and run the following command from the same directory: - -```bash -sudo docker build -t tib3rius/autorecon . -``` - ## Requirements - Python 3 - `python3-pip` -- `pipx` (optional, but recommended) -### Python 3 - -If you don't have these installed, and are running Kali Linux, you can execute the following: - -```bash -$ sudo apt install python3 -$ sudo apt install python3-pip -``` - -Additionally, if you experience any issues with the stability of the `python3-pip` installation (as reported by a number of people installing `pip3` via `apt` on the OSCP distribution of Kali), you can install it manually as follows: - -```bash -$ curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py -$ python3 get-pip.py -``` - -The `pip3` command should now be usable. - -### `pipx` - -Further, it's recommended you use `pipx` to manage your python packages; this installs each python package in it's own virtualenv, and makes it available in the global context, which avoids conflicting package dependencies and the resulting instability. To summarise the installation instructions: - -```bash -$ sudo apt install python3-venv -$ python3 -m pip install --user pipx -$ python3 -m pipx ensurepath -``` - -You will have to re-source your ~/.bashrc or ~/.zshrc file (or open a new tab) after running these commands in order to use pipx. - -Note that if you want to elevate privileges to run a program installed with `pipx`, with `sudo`, you have two options: - -1. Append the appropriate path to your execution command, using _one_ of the following examples (recommended): - -```bash -$ sudo env "PATH=$PATH" autorecon [OPTIONS] -$ sudo $(which autorecon) [OPTIONS] -``` - -To make this easier, you could add the following alias to your `~/.profile` (or equivalent): - -``` -alias sudo="sudo env \"PATH=$PATH\"" -``` - -2. Add the `pipx` binary path to the `secure_path` set in `/etc/sudoers` - -```bash -sudo visudo /etc/sudoers -``` - -Update the `secure_path` directive as follows: -``` -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/kali/.local/bin" -``` - -If you're not using Kali Linux, make sure to adjust the path to the relevant user. Further detail on the installation of `pipx` is available in their installation instructions available [here](https://pipxproject.github.io/pipx/installation/). Please refer to this for any issues you experience. ### Supporting packages @@ -125,7 +57,7 @@ sslscan svwar tnscmd10g whatweb -wkhtmltoimage +wkhtmltopdf ``` On Kali Linux, you can ensure these are all installed using the following command: @@ -138,29 +70,13 @@ $ sudo apt install seclists curl enum4linux feroxbuster nbtscan nikto nmap onesi Ensure you have all of the requirements installed as per the previous section. -### Using `pipx` (recommended) - -```bash -$ pipx install git+https://github.com/Tib3rius/AutoRecon.git -``` - -### Using `pip` - -If installing using pip, you'll need to run the installation command as root or with sudo in order to be able to run autorecon using sudo: - -```bash -$ sudo python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git -``` - -### Manual - -If you'd prefer not to use `pip` or `pipx`, you can always still install and execute `autorecon.py` manually as a script. First install the dependencies: +First install the dependencies: ```bash $ python3 -m pip install -r requirements.txt ``` -You will then be able to run the `autorecon.py` script (from `/src/autorecon`): +You will then be able to run the `autorecon.py` script: ```bash $ python3 autorecon.py [OPTIONS] 127.0.0.1 @@ -168,176 +84,9 @@ $ python3 autorecon.py [OPTIONS] 127.0.0.1 See detailed usage options below. -### Upgrading - -If you installed using pipx or pip it is recommended that prior to upgrading, you remove all config files stored in ~/.config/AutoRecon. Note that if you run AutoRecon using sudo, you'll also have to delete the config files in /root/.config/AutoRecon. - ## Usage -AutoRecon uses Python 3 specific functionality and does not support Python 2. - -``` -usage: autorecon [-h] [-t TARGET_FILE] [-ct ] [-cs ] - [--profile PROFILE_NAME] [-o OUTPUT_DIR] [--single-target] - [--only-scans-dir] [--heartbeat HEARTBEAT] - [--nmap NMAP | --nmap-append NMAP_APPEND] [-v] - [--disable-sanity-checks] - [targets [targets ...]] - -Network reconnaissance tool to port scan and automatically enumerate services -found on multiple targets. - -positional arguments: - targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. - 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) - to scan. - -optional arguments: - -h, --help show this help message and exit - -t TARGET_FILE, --targets TARGET_FILE - Read targets from file. - -ct , --concurrent-targets - The maximum number of target hosts to scan - concurrently. Default: 5 - -cs , --concurrent-scans - The maximum number of scans to perform per target - host. Default: 10 - --profile PROFILE_NAME - The port scanning profile to use (defined in port- - scan-profiles.toml). Default: default - -o OUTPUT_DIR, --output OUTPUT_DIR - The output directory for results. Default: results - --single-target Only scan a single target. A directory named after the - target will not be created. Instead, the directory - structure will be created within the output directory. - Default: false - --only-scans-dir Only create the "scans" directory for results. Other - directories (e.g. exploit, loot, report) will not be - created. Default: false - --heartbeat HEARTBEAT - Specifies the heartbeat interval (in seconds) for task - status messages. Default: 60 - --nmap NMAP Override the {nmap_extra} variable in scans. Default: - -vv --reason -Pn - --nmap-append NMAP_APPEND - Append to the default {nmap_extra} variable in scans. - -v, --verbose Enable verbose output. Repeat for more verbosity. - --disable-sanity-checks - Disable sanity checks that would otherwise prevent the - scans from running. Default: false -``` - -### Examples - -**Scanning a single target:** - -``` -$ autorecon 127.0.0.1 -[*] Scanning target 127.0.0.1 -[*] Running service detection nmap-full-tcp on 127.0.0.1 -[*] Running service detection nmap-top-20-udp on 127.0.0.1 -[*] Running service detection nmap-quick on 127.0.0.1 -[*] Service detection nmap-quick on 127.0.0.1 finished successfully -[*] [127.0.0.1] ssh found on tcp/22 -[*] [127.0.0.1] http found on tcp/80 -[*] [127.0.0.1] rpcbind found on tcp/111 -[*] [127.0.0.1] postgresql found on tcp/5432 -[*] Running task tcp/22/nmap-ssh on 127.0.0.1 -[*] Running task tcp/80/nmap-http on 127.0.0.1 -[*] Running task tcp/80/curl-index on 127.0.0.1 -[*] Running task tcp/80/curl-robots on 127.0.0.1 -[*] Running task tcp/80/whatweb on 127.0.0.1 -[*] Running task tcp/80/nikto on 127.0.0.1 -[*] Running task tcp/111/nmap-nfs on 127.0.0.1 -[*] Task tcp/80/curl-index on 127.0.0.1 finished successfully -[*] Task tcp/80/curl-robots on 127.0.0.1 finished successfully -[*] Task tcp/22/nmap-ssh on 127.0.0.1 finished successfully -[*] Task tcp/80/whatweb on 127.0.0.1 finished successfully -[*] Task tcp/111/nmap-nfs on 127.0.0.1 finished successfully -[*] Task tcp/80/nmap-http on 127.0.0.1 finished successfully -[*] Task tcp/80/nikto on 127.0.0.1 finished successfully -[*] Service detection nmap-top-20-udp on 127.0.0.1 finished successfully -[*] Service detection nmap-full-tcp on 127.0.0.1 finished successfully -[*] [127.0.0.1] http found on tcp/5984 -[*] [127.0.0.1] rtsp found on tcp/5985 -[*] Running task tcp/5984/nmap-http on 127.0.0.1 -[*] Running task tcp/5984/curl-index on 127.0.0.1 -[*] Running task tcp/5984/curl-robots on 127.0.0.1 -[*] Running task tcp/5984/whatweb on 127.0.0.1 -[*] Running task tcp/5984/nikto on 127.0.0.1 -[*] Task tcp/5984/curl-index on 127.0.0.1 finished successfully -[*] Task tcp/5984/curl-robots on 127.0.0.1 finished successfully -[*] Task tcp/5984/whatweb on 127.0.0.1 finished successfully -[*] Task tcp/5984/nikto on 127.0.0.1 finished successfully -[*] Task tcp/5984/nmap-http on 127.0.0.1 finished successfully -[*] Finished scanning target 127.0.0.1 -``` - -The default port scan profile first performs a full TCP port scan, a top 20 UDP port scan, and a top 1000 TCP port scan. You may ask why AutoRecon scans the top 1000 TCP ports at the same time as a full TCP port scan (which also scans those ports). The reason is simple: most open ports will generally be in the top 1000, and we want to start enumerating services quickly, rather than wait for Nmap to scan every single port. As you can see, all the service enumeration scans actually finish before the full TCP port scan is done. While there is a slight duplication of efforts, it pays off by getting actual enumeration results back to the tester quicker. - -Note that the actual command line output will be colorized if your terminal supports it. - -**Scanning multiple targets** - -``` -$ autorecon 192.168.1.100 192.168.1.1/30 localhost -[*] Scanning target 192.168.1.100 -[*] Scanning target 192.168.1.1 -[*] Scanning target 192.168.1.2 -[*] Scanning target localhost -[*] Running service detection nmap-quick on 192.168.1.100 -[*] Running service detection nmap-quick on localhost -[*] Running service detection nmap-top-20-udp on 192.168.1.100 -[*] Running service detection nmap-quick on 192.168.1.1 -[*] Running service detection nmap-quick on 192.168.1.2 -[*] Running service detection nmap-top-20-udp on 192.168.1.1 -[*] Running service detection nmap-full-tcp on 192.168.1.100 -[*] Running service detection nmap-top-20-udp on localhost -[*] Running service detection nmap-top-20-udp on 192.168.1.2 -[*] Running service detection nmap-full-tcp on localhost -[*] Running service detection nmap-full-tcp on 192.168.1.1 -[*] Running service detection nmap-full-tcp on 192.168.1.2 -... -``` - -AutoRecon supports multiple targets per scan, and will expand IP ranges provided in CIDR notation. By default, only 5 targets will be scanned at a time, with 10 scans per target. - -**Scanning multiple targets with advanced options** - -``` -$ autorecon -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost -[*] Scanning target 192.168.1.100 -[*] Scanning target 192.168.1.1 -[*] Running service detection nmap-quick on 192.168.1.100 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.xml" 192.168.1.100 -[*] Running service detection nmap-quick on 192.168.1.1 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.xml" 192.168.1.1 -[*] Running service detection nmap-top-20-udp on 192.168.1.100 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.xml" 192.168.1.100 -[*] Running service detection nmap-top-20-udp on 192.168.1.1 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.xml" 192.168.1.1 -[-] [192.168.1.1 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST -[-] [192.168.1.100 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST -[-] [192.168.1.100 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST -[-] [192.168.1.1 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST -[-] [192.168.1.1 nmap-quick] NSE: Loaded 148 scripts for scanning. -[-] [192.168.1.1 nmap-quick] NSE: Script Pre-scanning. -[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 1 (of 2) scan. -[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25 -[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed -[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 2 (of 2) scan. -[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25 -[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed -[-] [192.168.1.1 nmap-quick] Initiating ARP Ping Scan at 17:25 -[-] [192.168.1.100 nmap-quick] NSE: Loaded 148 scripts for scanning. -[-] [192.168.1.100 nmap-quick] NSE: Script Pre-scanning. -[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 1 (of 2) scan. -[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25 -[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed -[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 2 (of 2) scan. -[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25 -[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed -[-] [192.168.1.100 nmap-quick] Initiating ARP Ping Scan at 17:25 -... -``` - -In this example, the -ct option limits the number of concurrent targets to 2, and the -cs option limits the number of concurrent scans per target to 2. The -vv option makes the output very verbose, showing the output of every scan being run. The -o option sets a custom output directory for scan results to be saved. +TODO ### Verbosity @@ -386,171 +135,6 @@ If output matches a defined pattern, a file called \_patterns.log will also appe The scans/xml directory stores any XML output (e.g. from Nmap scans) separately from the main scan outputs, so that the scans directory itself does not get too cluttered. -### Port Scan profiles - -The port-scan-profiles.toml file is where you can define the initial port scans / service detection commands. The configuration file uses the TOML format, which is explained here: https://github.com/toml-lang/toml - -Here is an example profile called "quick": - -```toml -[quick] - - [quick.nmap-quick] - - [quick.nmap-quick.service-detection] - command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' - - [quick.nmap-top-20-udp] - - [quick.nmap-top-20-udp.service-detection] - command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' -``` - -Note that indentation is optional, it is used here purely for aesthetics. The "quick" profile defines a scan called "nmap-quick". This scan has a service-detection command which uses nmap to scan the top 1000 TCP ports. The command uses two references: {scandir} is the location of the scans directory for the target, and {address} is the address of the target. - -A regex pattern is defined which matches three named groups (port, protocol, and service) in the output. Every service-detection command must have a corresponding pattern that matches all three of those groups. AutoRecon will attempt to do some checks and refuse to scan if any of these groups are missing. - -An almost identical scan called "nmap-top-20-udp" is also defined. This scans the top 20 UDP ports. - -Here is a more complicated example: - -```toml -[udp] - - [udp.udp-top-20] - - [udp.udp-top-20.port-scan] - command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"' - pattern = '^UDP open\s*[\w-]+\[\s*(?P\d+)\].*$' - - [udp.udp-top-20.service-detection] - command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' -``` - -In this example, a profile called "udp" defines a scan called "udp-top-20". This scan has two commands, one is a port-scan and the other is a service-detection. When a port-scan command is defined, it will always be run first. The corresponding pattern must match a named group "port" which extracts the port number from the output. - -The service-detection will be run after the port-scan command has finished, and uses a new reference: {ports}. This reference is a comma-separated string of all the ports extracted by the port-scan command. Note that the same three named groups (port, protocol, and service) are defined in the service-detection pattern. - -Both the port-scan and the service-detection commands use the {scandir} and {address} references. - -Note that if a port-scan command is defined without a corresponding service-detection command, AutoRecon will refuse to scan. - -This more complicated example is only really useful if you want to use unicornscan's speed in conjuction with nmap's service detection abilities. If you are content with using Nmap for both port scanning and service detection, you do not need to use this setup. - -### Service Scans - -The service-scans.toml file is where you can define service enumeration scans and other manual commands associated with certain services. - -Here is an example of a simple configuration: - -```toml -[ftp] - -service-names = [ - '^ftp', - '^ftp\-data' -] - - [[ftp.scan]] - name = 'nmap-ftp' - command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}' - - [[ftp.scan.pattern]] - description = 'Anonymous FTP Enabled!' - pattern = 'Anonymous FTP login allowed' - - [[ftp.manual]] - description = 'Bruteforce logins:' - commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' - ] -``` - -Note that indentation is optional, it is used here purely for aesthetics. The service "ftp" is defined here. The service-names array contains regex strings which should match the service name from the service-detection scans. Regex is used to be as flexible as possible. The service-names array works on a whitelist basis; as long as one of the regex strings matches, the service will get scanned. - -An optional ignore-service-names array can also be defined, if you want to blacklist certain regex strings from matching. - -The ftp.scan section defines a single scan, named nmap-ftp. This scan defines a command which runs nmap with several ftp-related scripts. Several references are used here: -* {nmap_extra} by default is set to "-vv --reason -Pn" but this can be overridden or appended to using the --nmap or --nmap-append command line options respectively. If the protocol is UDP, "-sU" will also be appended. -* {port} is the port that the service is running on. -* {scandir} is the location of the scans directory for the target. -* {protocol} is the protocol being used (either tcp or udp). -* {address} is the address of the target. - -A pattern is defined for the nmap-ftp scan, which matches the simple pattern "Anonymous FTP login allowed". In the event that this pattern matches output of the nmap-ftp command, the pattern description ("Anonymous FTP Enabled!") will be saved to the \_patterns.log file in the scans directory. A special reference {match} can be used in the description to reference the entire match, or the first capturing group. - -The ftp.manual section defines a group of manual commands. This group contains a description for the user, and a commands array which contains the commands that a user can run. Two new references are defined here: {username_wordlist} and {password_wordlist} which are configured at the very top of the service-scans.toml file, and default to a username and password wordlist provided by SecLists. - -Here is a more complicated configuration: - -```toml -[smb] - -service-names = [ - '^smb', - '^microsoft\-ds', - '^netbios' -] - - [[smb.scan]] - name = 'nmap-smb' - command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}' - - [[smb.scan]] - name = 'enum4linux' - command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' - run_once = true - ports.tcp = [139, 389, 445] - ports.udp = [137] - - [[smb.scan]] - name = 'nbtscan' - command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"' - run_once = true - ports.udp = [137] - - [[smb.scan]] - name = 'smbclient' - command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"' - run_once = true - ports.tcp = [139, 445] - - [[smb.scan]] - name = 'smbmap-share-permissions' - command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"' - - [[smb.scan]] - name = 'smbmap-list-contents' - command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"' - - [[smb.scan]] - name = 'smbmap-execute-command' - command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"' - - [[smb.manual]] - description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:' - commands = [ - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' - ] -``` - -The main difference here is that several scans have some new settings: - -* The ports.tcp array defines a whitelist of TCP ports which the command can be run against. If the service is detected on a port that is not in the whitelist, the command will not be run against it. -* The ports.udp array defines a whitelist of UDP ports which the command can be run against. It operates in the same way as the ports.tcp array. - -Why do these settings even exist? Well, some commands will only run against specific ports, and can't be told to run against any other ports. enum4linux for example, will only run against TCP ports 139, 389, and 445, and UDP port 137. - -In fact, enum4linux will always try these ports when it is run. So if the SMB service is found on TCP ports 139 and 445, AutoRecon may attempt to run enum4linux twice for no reason. This is why the third setting exists: - -* If run_once is set to true, the command will only ever run once for that target, even if the SMB service is found on multiple ports. - ## Testimonials > AutoRecon was invaluable during my OSCP exam, in that it saved me from the tedium of executing my active information gathering commands myself. I was able to start on a target with all of the information I needed clearly laid in front of me. I would strongly recommend this utility for anyone in the PWK labs, the OSCP exam, or other environments such as VulnHub or HTB. It is a great tool for both people just starting down their journey into OffSec and seasoned veterans alike. Just make sure that somewhere between those two points you take the time to learn what's going on "under the hood" and how / why it scans what it does. diff --git a/autorecon.py b/autorecon.py new file mode 100644 index 0000000..6993359 --- /dev/null +++ b/autorecon.py @@ -0,0 +1,1429 @@ +import asyncio, os, sys, re, signal, pkgutil, inspect, importlib, unidecode, argparse, string, ipaddress, socket, toml, time, math +from datetime import datetime +import colorama +from typing import final +from colorama import Fore, Style +import traceback + +colorama.init() + +class Pattern: + + def __init__(self, pattern, description=None): + self.pattern = pattern + self.description = description + +class Target: + + def __init__(self, address, autorecon): + self.address = address + self.autorecon = autorecon + self.basedir = '' + self.reportdir = '' + self.scandir = '' + self.lock = asyncio.Lock() + self.pending_services = [] + self.services = [] + self.scans = [] + self.running_tasks = {} + + async def add_service(self, protocol, port, name, secure=False): + async with self.lock: + self.pending_services.append(Service(protocol, port, name, secure)) + + def extract_service(self, line, regex=None): + return self.autorecon.extract_service(line, regex) + + async def extract_services(self, stream, regex=None): + return await self.autorecon.extract_services(stream, regex) + + async def execute(self, cmd, blocking=True, outfile=None, errfile=None): + target = self + + # Create variables for command references. + address = target.address + scandir = target.scandir + + nmap_extra = self.autorecon.args.nmap + if self.autorecon.args.nmap_append: + nmap_extra += ' ' + self.autorecon.args.nmap_append + + plugin = inspect.currentframe().f_back.f_locals['self'] + + cmd = e(cmd) + + tag = plugin.slug + + if target.autorecon.config['verbose'] >= 1: + info('Port scan {bblue}' + plugin.name + ' (' + tag + '){rst} is running the following command against {byellow}' + address + '{rst}: ' + cmd) + + if outfile is not None: + outfile = os.path.abspath(os.path.join(target.scandir, e(outfile))) + + if errfile is not None: + errfile = os.path.abspath(os.path.join(target.scandir, e(errfile))) + + async with target.lock: + with open(os.path.join(target.scandir, '_commands.log'), 'a') as file: + file.writelines(cmd + '\n\n') + + process, stdout, stderr = await self.autorecon.execute(cmd, target, tag, patterns=plugin.patterns, outfile=outfile, errfile=errfile) + + target.running_tasks[tag]['processes'].append({'process':process, 'stderr': stderr, 'cmd': cmd}) + + if blocking: + while (not (stdout.ended and stderr.ended)): + await asyncio.sleep(0.1) + await process.wait() + + return process, stdout, stderr + +class Service: + + def __init__(self, protocol, port, name, secure=False): + self.target = None + self.protocol = protocol.lower() + self.port = int(port) + self.name = name + self.secure = secure + + @final + def tag(self): + return self.protocol + '/' + str(self.port) + '/' + self.name + + @final + def full_tag(self): + return self.protocol + '/' + str(self.port) + '/' + self.name + '/' + ('secure' if self.secure else 'insecure') + + @final + async def execute(self, cmd, blocking=True, outfile=None, errfile=None): + target = self.target + + # Create variables for command references. + address = target.address + scandir = target.scandir + protocol = self.protocol + port = self.port + name = self.name + + # Special cases for HTTP. + http_scheme = 'https' if 'https' in self.name or self.secure is True else 'http' + + nmap_extra = self.target.autorecon.args.nmap + if self.target.autorecon.args.nmap_append: + nmap_extra += ' ' + self.target.autorecon.args.nmap_append + + if protocol == 'udp': + nmap_extra += ' -sU' + + plugin = inspect.currentframe().f_back.f_locals['self'] + + cmd = e(cmd) + + tag = self.tag() + '/' + plugin.slug + + if target.autorecon.config['verbose'] >= 1: + info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} is running the following command against {byellow}' + address + '{rst}: ' + cmd) + #info('{blue}[{bright}' + address + ' ' + tag + '{srst}]{rst} Running command: ' + cmd) + + if outfile is not None: + outfile = os.path.abspath(os.path.join(target.scandir, e(outfile))) + + if errfile is not None: + errfile = os.path.abspath(os.path.join(target.scandir, e(errfile))) + + async with target.lock: + with open(os.path.join(target.scandir, '_commands.log'), 'a') as file: + file.writelines(e('{cmd}\n\n')) + + process, stdout, stderr = await target.autorecon.execute(cmd, target, tag, patterns=plugin.patterns, outfile=outfile, errfile=errfile) + + target.running_tasks[tag]['processes'].append({'process':process, 'stderr': stderr, 'cmd': cmd}) + + if blocking: + while (not (stdout.ended and stderr.ended)): + await asyncio.sleep(0.1) + await process.wait() + + return process, stdout, stderr + +class CommandStreamReader(object): + + def __init__(self, stream, target, tag,patterns=None, outfile=None): + self.stream = stream + self.target = target + self.tag = tag + self.lines = [] + self.patterns = patterns or [] + self.outfile = outfile + self.ended = False + + async def _read(self): + while True: + if self.stream.at_eof(): + break + line = (await self.stream.readline()).decode('utf8').rstrip() + if self.target.autorecon.config['verbose'] >= 2: + if line != '': + info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}]{crst} ' + line.replace('{', '{{').replace('}', '}}')) + for p in self.patterns: + matches = p.pattern.findall(line) + for match in matches: + async with self.target.lock: + with open(os.path.join(self.target.scandir, '_patterns.log'), 'a') as file: + if p.description: + if self.target.autorecon.config['verbose'] >= 1: + info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}] {crst}{bmagenta}' + p.description.replace('{match}', '{bblue}' + match + '{crst}{bmagenta}') + '{rst}') + file.writelines(p.description.replace('{match}', match) + '\n\n') + else: + if self.target.autorecon.config['verbose'] >= 1: + info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}] {crst}{bmagenta}Matched Pattern: {bblue}' + match + '{rst}') + file.writelines('Matched Pattern: ' + match + '\n\n') + + if self.outfile is not None: + with open(self.outfile, 'a') as writer: + writer.write(line + '\n') + self.lines.append(line) + self.ended = True + + async def readline(self): + while True: + try: + return self.lines.pop(0) + except IndexError: + if self.ended: + return None + else: + await asyncio.sleep(0.1) + +class Plugin(object): + + def __init__(self): + self.name = None + self.slug = None + self.description = None + self.type = None + self.tags = ['default'] + self.priority = 1 + self.patterns = [] + self.match = None + self.manual_commands = {} + self.autorecon = None + self.disabled = False + + @final + def add_option(self, name, default=None, help=None): + self.autorecon.add_argument(self, name, metavar='VALUE', default=default, help=help) + + @final + def add_constant_option(self, name, const, default=None, help=None): + self.autorecon.add_argument(self, name, action='store_const', const=const, default=default, help=help) + + @final + def add_true_option(self, name, help=None): + self.autorecon.add_argument(self, name, action='store_true', help=help) + + @final + def add_false_option(self, name, help=None): + self.autorecon.add_argument(self, name, action='store_false', help=help) + + @final + def add_list_option(self, name, default=None, help=None): + self.autorecon.add_argument(self, name, action='append', metavar='VALUE', default=default, help=help) + + @final + def add_choice_option(self, name, choices, default=None, help=None): + if not isinstance(choices, list): + fail('The choices argument for ' + self.name + '\'s ' + name + ' choice option should be a list.') + self.autorecon.add_argument(self, name, choices=choices, default=default, help=help) + + @final + def get_option(self, name): + # TODO: make sure name is simple. + name = self.slug.replace('-', '_') + '.' + slugify(name).replace('-', '_') + + if name in vars(self.autorecon.args): + return vars(self.autorecon.args)[name] + else: + return None + + @final + def get_global_option(self, name): + name = 'global.' + slugify(name).replace('-', '_') + + if name in vars(self.autorecon.args): + return vars(self.autorecon.args)[name] + else: + return None + + @final + def get_global(self, name): + return self.get_global_option(name) + + @final + def add_manual_commands(self, description, commands): + if not isinstance(commands, list): + commands = [commands] + self.manual_commands[description] = commands + + @final + def add_manual_command(self, description, command): + self.add_manual_commands(description, command) + + @final + def add_pattern(self, pattern, description=None): + try: + compiled = re.compile(pattern) + if description: + self.patterns.append(Pattern(compiled, description=description)) + else: + self.patterns.append(Pattern(compiled)) + except re.error: + fail('Error: The pattern "' + pattern + '" in the plugin "' + self.name + '" is invalid regex.') + +class PortScan(Plugin): + + def __init__(self): + super().__init__() + + async def run(self, target): + raise NotImplementedError + +class ServiceScan(Plugin): + + def __init__(self): + super().__init__() + self.ports = {'tcp':[], 'udp':[]} + self.ignore_ports = {'tcp':[], 'udp':[]} + self.services = [] + self.ignore_services = [] + self.run_once_bool = False + self.require_ssl_bool = False + + @final + def add_port_match(self, protocol, port, negative_match=False): + protocol = protocol.lower() + if protocol not in ['tcp', 'udp']: + print('Invalid protocol.') + sys.exit(1) + else: + if not isinstance(port, list): + port = [port] + + port = list(map(int, port)) + + if negative_match: + self.ignore_ports[protocol] = list(set(self.ignore_ports[protocol] + port)) + else: + self.ports[protocol] = list(set(self.ports[protocol] + port)) + + @final + def add_service_match(self, regex, negative_match=False): + if not isinstance(regex, list): + regex = [regex] + + valid_regex = True + for r in regex: + try: + re.compile(r) + except re.error: + print('Invalid regex: ' + r) + valid_regex = False + + if valid_regex: + if negative_match: + self.ignore_services = list(set(self.ignore_services + regex)) + else: + self.services = list(set(self.services + regex)) + else: + sys.exit(1) + + @final + def require_ssl(self, bool): + self.require_ssl_bool = bool + + @final + def run_once(self, bool): + self.run_once_bool = bool + +class AutoRecon(object): + + def __init__(self): + self.pending_targets = [] + self.scanning_targets = [] + self.plugins = {} + self.__slug_regex = re.compile('^[a-z0-9\-]+$') + self.plugin_types = {'port':[], 'service':[]} + self.port_scan_semaphore = None + self.service_scan_semaphore = None + self.argparse = None + self.argparse_group = None + self.args = None + self.tags = [] + self.excluded_tags = [] + self.patterns = [] + self.configurable_keys = ['max_scans', 'max_port_scans', 'single_target', 'outdir', 'only_scans_dir', 'heartbeat', 'timeout', 'target_timeout', 'accessible', 'verbose'] + self.config = { + 'protected_classes': ['autorecon', 'target', 'service', 'commandstreamreader', 'plugin', 'portscan', 'servicescan', 'global', 'pattern'], + 'global_file': os.path.dirname(os.path.realpath(__file__)) + '/global.toml', + 'max_scans': 50, + 'max_port_scans': None, + 'single_target': False, + 'outdir': 'results', + 'only_scans_dir': False, + 'heartbeat': 60, + 'timeout': None, + 'target_timeout': None, + 'accessible': False, + 'verbose': 0 + } + self.lock = asyncio.Lock() + self.load_slug = None + self.load_module = None + + def add_argument(self, plugin, name, **kwargs): + # TODO: make sure name is simple. + name = '--' + plugin.slug + '.' + slugify(name) + '''if 'action' in kwargs.keys() and kwargs['action'] != 'store': + if kwargs['action'] in ['store_true'] + else: + if 'metavar' not in kwargs.keys(): + kwargs['metavar'] = 'VALUE' + + if 'metavar' not in kwargs.keys() and 'choices' not in kwargs.keys() and ('action' in kwargs.keys() and kwargs['action'] not in ['store_true', 'store_false']): + kwargs['metavar'] = 'VALUE' + ''' + + if self.argparse_group is None: + self.argparse_group = self.argparse.add_argument_group('plugin arguments', description='These are optional arguments for certain plugins.') + self.argparse_group.add_argument(name, **kwargs) + + def extract_service(self, line, regex): + if regex is None: + regex = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + match = re.search(regex, line) + if match: + protocol = match.group('protocol').lower() + port = int(match.group('port')) + service = match.group('service') + secure = True if 'ssl' in service or 'tls' in service else False + + if service.startswith('ssl/') or service.startswith('tls/'): + service = service[4:] + + from autorecon import Service + return Service(protocol, port, service, secure) + else: + return None + + async def extract_services(self, stream, regex): + if not isinstance(stream, CommandStreamReader): + print('Error: extract_services must be passed an instance of a CommandStreamReader.') + sys.exit(1) + + services = [] + while True: + line = await stream.readline() + if line is not None: + service = self.extract_service(line, regex) + if service: + services.append(service) + else: + break + return services + + def register(self, plugin): + if plugin.disabled: + return + + for _, loaded_plugin in self.plugins.items(): + if plugin.name == loaded_plugin.name: + fail('Error: Duplicate plugin name "' + plugin.name + '" detected.', file=sys.stderr) + + if plugin.slug is None: + plugin.slug = slugify(plugin.name) + elif not self.__slug_regex.match(plugin.slug): + fail('Error: provided slug "' + plugin.slug + '" is not valid (must only contain lowercase letters, numbers, and hyphens).', file=sys.stderr) + + if plugin.slug in self.config['protected_classes']: + fail('Error: plugin slug "' + plugin.slug + '" is a protected string. Please change.') + + if plugin.slug not in self.plugins: + + for _, loaded_plugin in self.plugins.items(): + if plugin is loaded_plugin: + fail('Error: plugin "' + plugin.name + '" already loaded as "' + loaded_plugin.name + '" (' + str(loaded_plugin) + ')', file=sys.stderr) + + if plugin.description is None: + plugin.description = '' + + configure_function_found = False + run_coroutine_found = False + manual_function_found = False + + for member_name, member_value in inspect.getmembers(plugin, predicate=inspect.ismethod): + if member_name == 'configure': + configure_function_found = True + elif member_name == 'run' and inspect.iscoroutinefunction(member_value): + run_coroutine_found = True + elif member_name == 'manual': + manual_function_found = True + + if not run_coroutine_found and not manual_function_found: + fail('Error: the plugin "' + plugin.name + '" needs either a "manual" function, a "run" coroutine, or both.', file=sys.stderr) + + from autorecon import PortScan, ServiceScan + if issubclass(plugin.__class__, PortScan): + self.plugin_types["port"].append(plugin) + elif issubclass(plugin.__class__, ServiceScan): + self.plugin_types["service"].append(plugin) + else: + fail('Plugin "' + plugin.name + '" is neither a PortScan nor a ServiceScan.', file=sys.stderr) + + plugin.tags = [tag.lower() for tag in plugin.tags] + + plugin.autorecon = self + if configure_function_found: + plugin.configure() + self.plugins[plugin.slug] = plugin + else: + fail('Error: plugin slug "' + plugin.slug + '" is already assigned.', file=sys.stderr) + + async def execute(self, cmd, target, tag, patterns=None, outfile=None, errfile=None): + if patterns: + combined_patterns = self.patterns + patterns + else: + combined_patterns = self.patterns + + process = await asyncio.create_subprocess_shell( + cmd, + stdout=asyncio.subprocess.PIPE, + stderr=asyncio.subprocess.PIPE, + executable='/bin/bash') + + cout = CommandStreamReader(process.stdout, target, tag, patterns=combined_patterns, outfile=outfile) + cerr = CommandStreamReader(process.stderr, target, tag, patterns=combined_patterns, outfile=errfile) + + asyncio.create_task(cout._read()) + asyncio.create_task(cerr._read()) + + return process, cout, cerr + +# Since this file is run as the main method and also imported by plugins, +# we need to make sure that only one instance of the AutoRecon is +# created. This cannot be done with Singletons unfortunately, which is +# why this hack is here. +if 'autorecon' not in sys.modules: # If this file is not yet imported, create the AutoRecon object + autorecon = AutoRecon() +else: # Otherwise, assign it from the __main__ module. + autorecon = sys.modules['__main__'].autorecon + +def e(*args, frame_index=1, **kvargs): + frame = sys._getframe(frame_index) + + vals = {} + + vals.update(frame.f_globals) + vals.update(frame.f_locals) + vals.update(kvargs) + + return string.Formatter().vformat(' '.join(args), args, vals) + +def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1, file=sys.stdout, printmsg=True, **kvargs): + frame = sys._getframe(frame_index) + + vals = { + 'bgreen': Fore.GREEN + Style.BRIGHT, + 'bred': Fore.RED + Style.BRIGHT, + 'bblue': Fore.BLUE + Style.BRIGHT, + 'byellow': Fore.YELLOW + Style.BRIGHT, + 'bmagenta': Fore.MAGENTA + Style.BRIGHT, + + 'green': Fore.GREEN, + 'red': Fore.RED, + 'blue': Fore.BLUE, + 'yellow': Fore.YELLOW, + 'magenta': Fore.MAGENTA, + + 'bright': Style.BRIGHT, + 'srst': Style.NORMAL, + 'crst': Fore.RESET, + 'rst': Style.NORMAL + Fore.RESET + } + + if autorecon.config['accessible']: + vals = {'bgreen':'', 'bred':'', 'bblue':'', 'byellow':'', 'bmagenta':'', 'green':'', 'red':'', 'blue':'', 'yellow':'', 'magenta':'', 'bright':'', 'srst':'', 'crst':'', 'rst':''} + + vals.update(frame.f_globals) + vals.update(frame.f_locals) + vals.update(kvargs) + + unfmt = '' + if char is not None and not autorecon.config['accessible']: + unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep + unfmt += sep.join(args) + + fmted = unfmt + + for attempt in range(10): + try: + fmted = string.Formatter().vformat(unfmt, args, vals) + break + except KeyError as err: + key = err.args[0] + unfmt = unfmt.replace('{' + key + '}', '{{' + key + '}}') + + if printmsg: + print(fmted, sep=sep, end=end, file=file) + else: + return fmted + +def debug(*args, color=Fore.GREEN, sep=' ', end='\n', file=sys.stdout, **kvargs): + if verbose >= 2: + if autorecon.config['accessible']: + args = ('Debug:',) + args + cprint(*args, color=color, char='-', sep=sep, end=end, file=file, frame_index=2, **kvargs) + +def info(*args, sep=' ', end='\n', file=sys.stdout, **kvargs): + cprint(*args, color=Fore.BLUE, char='*', sep=sep, end=end, file=file, frame_index=2, **kvargs) + +def warn(*args, sep=' ', end='\n', file=sys.stderr,**kvargs): + if autorecon.config['accessible']: + args = ('Warning:',) + args + cprint(*args, color=Fore.YELLOW, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) + +def error(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): + if autorecon.config['accessible']: + args = ('Error:',) + args + cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) + +def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): + if autorecon.config['accessible']: + args = ('Failure:',) + args + cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) + exit(-1) + +def calculate_elapsed_time(start_time): + elapsed_seconds = round(time.time() - start_time) + + m, s = divmod(elapsed_seconds, 60) + h, m = divmod(m, 60) + + elapsed_time = [] + if h == 1: + elapsed_time.append(str(h) + ' hour') + elif h > 1: + elapsed_time.append(str(h) + ' hours') + + if m == 1: + elapsed_time.append(str(m) + ' minute') + elif m > 1: + elapsed_time.append(str(m) + ' minutes') + + if s == 1: + elapsed_time.append(str(s) + ' second') + elif s > 1: + elapsed_time.append(str(s) + ' seconds') + else: + elapsed_time.append('less than a second') + + return ', '.join(elapsed_time) + +def slugify(name): + return re.sub(r'[\W_]+', '-', unidecode.unidecode(name).lower()).strip('-') + +def cancel_all_tasks(signal, frame): + for task in asyncio.all_tasks(): + task.cancel() + + for target in autorecon.scanning_targets: + for process_list in target.running_tasks.values(): + for process_dict in process_list['processes']: + process_dict['process'].kill() + +async def start_heartbeat(target, period=60): + while True: + await asyncio.sleep(period) + async with target.lock: + count = len(target.running_tasks) + + tasks_list = '' + if target.autorecon.config['verbose'] >= 1: + tasks_list = ': {bblue}' + ', '.join(target.running_tasks.keys()) + '{rst}' + + current_time = datetime.now().strftime('%H:%M:%S') + + if count > 1: + info('{bgreen}' + current_time + '{rst} - There are {byellow}' + str(count) + '{rst} scans still running against {byellow}' + target.address + '{rst}' + tasks_list) + elif count == 1: + info('{bgreen}' + current_time + '{rst} - There is {byellow}1{rst} scan still running against {byellow}' + target.address + '{rst}' + tasks_list) + +async def port_scan(plugin, target): + async with target.autorecon.port_scan_semaphore: + info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} running against {byellow}' + target.address + '{rst}') + + async with target.lock: + target.running_tasks[plugin.slug] = {'plugin': plugin, 'processes':[]} + + start_time = time.time() + try: + result = await plugin.run(target) + except Exception as ex: + exc_type, exc_value, exc_tb = sys.exc_info() + error_text = ''.join(traceback.format_exception(exc_type, exc_value, exc_tb)[-2:]) + raise Exception(cprint('Error: Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} running against {byellow}' + target.address + '{rst} produced an exception:\n\n' + error_text, color=Fore.RED, char='!', printmsg=False)) + + for process_dict in target.running_tasks[plugin.slug]['processes']: + if process_dict['process'].returncode is None: + warn('A process was left running after port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} against {byellow}' + target.address + '{rst} finished. Please ensure non-blocking processes are awaited before the run coroutine finishes. Awaiting now.') + await process_dict['process'].wait() + + if process_dict['process'].returncode != 0: + errors = [] + while True: + line = await process_dict['stderr'].readline() + if line is not None: + errors.append(line + '\n') + else: + break + error('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} ran a command against {byellow}' + target.address + '{rst} which returned a non-zero exit code (' + str(process_dict['process'].returncode) + '). Check ' + target.scandir + '/_errors.log for more details.') + async with target.lock: + with open(os.path.join(target.scandir, '_errors.log'), 'a') as file: + file.writelines('[*] Port scan ' + plugin.name + ' (' + plugin.slug + ') ran a command which returned a non-zero exit code (' + str(process_dict['process'].returncode) + ').\n') + file.writelines('[-] Command: ' + process_dict['cmd'] + '\n') + if errors: + file.writelines(['[-] Error Output:\n'] + errors + ['\n']) + else: + file.writelines('\n') + + elapsed_time = calculate_elapsed_time(start_time) + + async with target.lock: + target.running_tasks.pop(plugin.slug, None) + + info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} against {byellow}' + target.address + '{rst} finished in ' + elapsed_time) + return {'type':'port', 'plugin':plugin, 'result':result} + +async def service_scan(plugin, service): + from autorecon import PortScan + semaphore = service.target.autorecon.service_scan_semaphore + + # If service scan semaphore is locked, see if we can use port scan semaphore. + while True: + if semaphore.locked(): + if semaphore != service.target.autorecon.port_scan_semaphore: # This will be true unless user sets max_scans == max_port_scans + # port_scan_task_count = 0 + # for t in asyncio.all_tasks(): + # frame = inspect.getframeinfo(t.get_stack(limit=1)[0]) + # if frame.function == 'port_scan' and 'await plugin.run(target)' in frame.code_context[0]: + # #print(frame) + # port_scan_task_count += 1 + # print("Old Port Scan Task Count: " + str(port_scan_task_count)) + + port_scan_task_count = 0 + for targ in service.target.autorecon.scanning_targets: + for process_list in targ.running_tasks.values(): + #print('Length: ' + str(len(process_list))) + #for process_dict in process_list['processes']: + if issubclass(process_list['plugin'].__class__, PortScan): + #for process_dict in process_list['processes']: + # print(str(process_dict['process'].returncode) + ': ' + process_dict['cmd']) + port_scan_task_count += 1 + #print("New Port Scan Task Count: " + str(new_port_scan_task_count)) + + if not service.target.autorecon.pending_targets and (service.target.autorecon.config['max_port_scans'] - port_scan_task_count) >= 1: # If no more targets, and we have room, use port scan semaphore. + if service.target.autorecon.port_scan_semaphore.locked(): + await asyncio.sleep(1) + continue + semaphore = service.target.autorecon.port_scan_semaphore + break + else: # Do some math to see if we can use the port scan semaphore. + if (service.target.autorecon.config['max_port_scans'] - (port_scan_task_count + (len(service.target.autorecon.pending_targets) * service.target.autorecon.config['port_scan_plugin_count']))) >= 1: + if service.target.autorecon.port_scan_semaphore.locked(): + await asyncio.sleep(1) + continue + semaphore = service.target.autorecon.port_scan_semaphore + break + else: + await asyncio.sleep(1) + else: + break + else: + break + + async with semaphore: + tag = service.tag() + '/' + plugin.slug + info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} running against {byellow}' + service.target.address + '{rst}') + + async with service.target.lock: + service.target.running_tasks[tag] = {'plugin': plugin, 'processes':[]} + + start_time = time.time() + try: + result = await plugin.run(service) + except Exception as ex: + exc_type, exc_value, exc_tb = sys.exc_info() + error_text = ''.join(traceback.format_exception(exc_type, exc_value, exc_tb)[-2:]) + raise Exception(cprint('Error: Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} running against {byellow}' + service.target.address + '{rst} produced an exception:\n\n' + error_text, color=Fore.RED, char='!', printmsg=False)) + + for process_dict in service.target.running_tasks[tag]['processes']: + if process_dict['process'].returncode is None: + warn('A process was left running after service scan {bblue}' + plugin.name + ' (' + tag + '){rst} against {byellow}' + service.target.address + '{rst} finished. Please ensure non-blocking processes are awaited before the run coroutine finishes. Awaiting now.') + await process_dict['process'].wait() + + if process_dict['process'].returncode != 0: + errors = [] + while True: + line = await process_dict['stderr'].readline() + if line is not None: + errors.append(line + '\n') + else: + break + error('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} ran a command against {byellow}' + service.target.address + '{rst} which returned a non-zero exit code (' + str(process_dict['process'].returncode) + '). Check ' + service.target.scandir + '/_errors.log for more details.') + async with service.target.lock: + with open(os.path.join(service.target.scandir, '_errors.log'), 'a') as file: + file.writelines('[*] Service scan ' + plugin.name + ' (' + tag + ') ran a command which returned a non-zero exit code (' + str(process_dict['process'].returncode) + ').\n') + file.writelines('[-] Command: ' + process_dict['cmd'] + '\n') + if errors: + file.writelines(['[-] Error Output:\n'] + errors + ['\n']) + else: + file.writelines('\n') + + elapsed_time = calculate_elapsed_time(start_time) + + async with service.target.lock: + service.target.running_tasks.pop(tag, None) + + info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} against {byellow}' + service.target.address + '{rst} finished in ' + elapsed_time) + return {'type':'service', 'plugin':plugin, 'result':result} + +async def scan_target(target): + if target.autorecon.config['single_target']: + basedir = os.path.abspath(target.autorecon.config['outdir']) + else: + basedir = os.path.abspath(os.path.join(target.autorecon.config['outdir'], target.address)) + target.basedir = basedir + os.makedirs(basedir, exist_ok=True) + + if not target.autorecon.config['only_scans_dir']: + exploitdir = os.path.abspath(os.path.join(basedir, 'exploit')) + os.makedirs(exploitdir, exist_ok=True) + + lootdir = os.path.abspath(os.path.join(basedir, 'loot')) + os.makedirs(lootdir, exist_ok=True) + + reportdir = os.path.abspath(os.path.join(basedir, 'report')) + target.reportdir = reportdir + os.makedirs(reportdir, exist_ok=True) + + open(os.path.abspath(os.path.join(reportdir, 'local.txt')), 'a').close() + open(os.path.abspath(os.path.join(reportdir, 'proof.txt')), 'a').close() + + screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots')) + os.makedirs(screenshotdir, exist_ok=True) + + scandir = os.path.abspath(os.path.join(basedir, 'scans')) + target.scandir = scandir + os.makedirs(scandir, exist_ok=True) + + os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True) + + pending = [] + + heartbeat = asyncio.create_task(start_heartbeat(target, period=target.autorecon.config['heartbeat'])) + + for plugin in target.autorecon.plugin_types['port']: + plugin_tag_set = set(plugin.tags) + + matching_tags = False + for tag_group in target.autorecon.tags: + if set(tag_group).issubset(plugin_tag_set): + matching_tags = True + break + + excluded_tags = False + for tag_group in target.autorecon.excluded_tags: + if set(tag_group).issubset(plugin_tag_set): + excluded_tags = True + break + + if matching_tags and not excluded_tags: + pending.append(asyncio.create_task(port_scan(plugin, target))) + + async with autorecon.lock: + autorecon.scanning_targets.append(target) + + start_time = time.time() + info('Scanning target {byellow}' + target.address + '{rst}') + + timed_out = False + while pending: + done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED, timeout=1) + + # Check if global timeout has occurred. + if autorecon.config['target_timeout'] is not None: + elapsed_seconds = round(time.time() - start_time) + m, s = divmod(elapsed_seconds, 60) + if m >= autorecon.config['target_timeout']: + timed_out = True + break + + # Extract Services + services = [] + async with target.lock: + while target.pending_services: + services.append(target.pending_services.pop(0)) + + for task in done: + try: + if task.exception(): + print(task.exception()) + continue + except asyncio.InvalidStateError: + pass + + if task.result()['type'] == 'port': + for service in (task.result()['result'] or []): + services.append(service) + + for service in services: + if service.full_tag() not in target.services: + target.services.append(service.full_tag()) + else: + continue + + #plugin = task.result()['plugin'] + #info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){srst}]{rst} found {bmagenta}' + service.name + '{rst} on {bmagenta}' + service.protocol + '/' + str(service.port) + '{rst} on {byellow}' + target.address + '{rst}') + info('Found {bmagenta}' + service.name + '{rst} on {bmagenta}' + service.protocol + '/' + str(service.port) + '{rst} on {byellow}' + target.address + '{rst}') + + service.target = target + + # Create variables for command references. + address = target.address + scandir = target.scandir + protocol = service.protocol + port = service.port + + # Special cases for HTTP. + http_scheme = 'https' if 'https' in service.name or service.secure is True else 'http' + + nmap_extra = target.autorecon.args.nmap + if target.autorecon.args.nmap_append: + nmap_extra += ' ' + target.autorecon.args.nmap_append + + if protocol == 'udp': + nmap_extra += ' -sU' + + matching_plugins = [] + heading = False + + for plugin in target.autorecon.plugin_types['service']: + plugin_tag = service.tag() + '/' + plugin.slug + + for s in plugin.services: + if re.search(s, service.name): + plugin_tag_set = set(plugin.tags) + + matching_tags = False + for tag_group in target.autorecon.tags: + if set(tag_group).issubset(plugin_tag_set): + matching_tags = True + break + + excluded_tags = False + for tag_group in target.autorecon.excluded_tags: + if set(tag_group).issubset(plugin_tag_set): + excluded_tags = True + break + + # TODO: Maybe make this less messy, keep manual-only plugins separate? + plugin_is_runnable = False + for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): + if member_name == 'run': + plugin_is_runnable = True + break + + if plugin_is_runnable and matching_tags and not excluded_tags: + # Skip plugin if run_once_bool and plugin already in target scans + if plugin.run_once_bool and (plugin.slug,) in target.scans: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin should only be run once and it appears to have already been queued. Skipping.{rst}') + continue + + # Skip plugin if require_ssl_bool and port is not secure + if plugin.require_ssl_bool and not service.secure: + continue + + # Skip plugin if service port is in ignore_ports: + if port in plugin.ignore_ports[protocol]: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin cannot be run against ' + protocol + ' port ' + str(port) + '. Skipping.{rst}') + continue + + # Skip plugin if plugin has required ports and service port is not in them: + if plugin.ports[protocol] and port not in plugin.ports[protocol]: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin can only run on specific ports. Skipping.{rst}') + continue + + for i in plugin.ignore_services: + if re.search(i, service.name): + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin cannot be run against this service. Skipping.{rst}') + continue + + # TODO: check if plugin matches tags, BUT run manual commands anyway! + matching_plugins.append(plugin) + + if plugin.manual_commands and (not plugin.run_once_bool or (plugin.run_once_bool and (plugin.slug,) not in target.scans)): + with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: + if not heading: + file.write(e('[*] {service.name} on {service.protocol}/{service.port}\n\n')) + heading = True + for description, commands in plugin.manual_commands.items(): + file.write('\t[-] ' + e(description) + '\n\n') + for command in commands: + file.write('\t\t' + e(command) + '\n\n') + file.flush() + + break + + for plugin in matching_plugins: + plugin_tag = service.tag() + '/' + plugin.slug + + scan_tuple = (service.protocol, service.port, service.name, plugin.slug) + if plugin.run_once_bool: + scan_tuple = (plugin.slug,) + + if scan_tuple in target.scans: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin appears to have already been queued, but it is not marked as run_once. Possible duplicate service tag? Skipping.{rst}') + continue + else: + target.scans.append(scan_tuple) + + pending.add(asyncio.create_task(service_scan(plugin, service))) + heartbeat.cancel() + elapsed_time = calculate_elapsed_time(start_time) + + if timed_out: + + for task in pending: + task.cancel() + + for process_list in target.running_tasks.values(): + for process_dict in process_list['processes']: + process_dict['process'].kill() + + warn('{byellow}Scanning target ' + target.address + ' took longer than the specified target period (' + str(autorecon.config['target_timeout']) + ' min). Cancelling scans and moving to next target.{rst}') + else: + info('Finished scanning target {byellow}' + target.address + '{rst} in ' + elapsed_time) + + async with autorecon.lock: + autorecon.scanning_targets.remove(target) + +async def main(): + from autorecon import Plugin, PortScan, ServiceScan, Target # We have to do this to get around issubclass weirdness when loading plugins. + + parser = argparse.ArgumentParser(add_help=False, description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.') + parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs='*') + parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.') + parser.add_argument('-m', '--max-scans', action='store', type=int, help='The maximum number of concurrent scans to run. Default: 50') + parser.add_argument('-mp', '--max-port-scans', action='store', type=int, help='The maximum number of concurrent port scans to run. Default: 10 (approx 20%% of max-scans unless specified)') + parser.add_argument('-c', '--config', action='store', type=str, default=os.path.dirname(os.path.realpath(__file__)) + '/config.toml', dest='config_file', help='Location of AutoRecon\'s config file. Default: %(default)s') + parser.add_argument('-g', '--global-file', action='store', type=str, dest='global_file', help='Location of AutoRecon\'s global file. Default: ' + os.path.dirname(os.path.realpath(__file__)) + '/global.toml') + parser.add_argument('--tags', action='store', type=str, default='default', help='Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group.') + parser.add_argument('--exclude-tags', action='store', type=str, default='', help='Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group.') + parser.add_argument('--plugins-dir', action='store', type=str, default=os.path.dirname(os.path.abspath(__file__)) + '/plugins', help='') + parser.add_argument('-o', '--output', action='store', dest='outdir', help='The output directory for results. Default: results') + parser.add_argument('--single-target', action='store_true', help='Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the output directory. Default: false') + parser.add_argument('--only-scans-dir', action='store_true', help='Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: false') + parser.add_argument('--heartbeat', action='store', type=int, help='Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60') + parser.add_argument('--timeout', action='store', type=int, help='Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: no timeout') + parser.add_argument('--target-timeout', action='store', type=int, help='Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it and moving on. Default: no timeout') + nmap_group = parser.add_mutually_exclusive_group() + nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s') + nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.') + parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running. Default: false') + parser.add_argument('--accessible', action='store_true', help='Attempts to make AutoRecon output more accessible to screenreaders.') + parser.add_argument('-v', '--verbose', action='count', help='Enable verbose output. Repeat for more verbosity.') + parser.error = lambda s: fail(s[0].upper() + s[1:]) + args, unknown = parser.parse_known_args() + + errors = False + + autorecon.argparse = parser + + # Parse config file and args for global.toml first. + if not os.path.isfile(args.config_file): + fail('Error: Specified config file "' + args.config_file + '" does not exist.') + + with open(args.config_file) as c: + try: + config_toml = toml.load(c) + for key, val in config_toml.items(): + if key.replace('-', '_') == 'global_file': + autorecon.config['global_file'] = val + break + except toml.decoder.TomlDecodeError: + fail('Error: Couldn\'t parse ' + args.config_file + ' config file. Check syntax.') + + args_dict = vars(args) + for key in args_dict: + if key == 'global_file' and args_dict['global_file'] is not None: + autorecon.config['global_file'] = args_dict['global_file'] + break + + if not os.path.isdir(args.plugins_dir): + fail('Error: Specified plugins directory "' + args.plugins_dir + '" does not exist.') + + for plugin_file in os.listdir(args.plugins_dir): + if not plugin_file.startswith('_') and plugin_file.endswith('.py'): + + dirname, filename = os.path.split(plugin_file) + dirname = os.path.abspath(dirname) + + try: + plugin = importlib.import_module('.' + filename[:-3], os.path.basename(args.plugins_dir)) + clsmembers = inspect.getmembers(plugin, predicate=inspect.isclass) + for (_, c) in clsmembers: + if c.__module__ == 'autorecon': + continue + + if c.__name__.lower() in autorecon.config['protected_classes']: + print('Plugin "' + c.__name__ + '" in ' + filename + ' is using a protected class name. Please change it.') + sys.exit(1) + + # Only add classes that are a sub class of either PortScan or ServiceScan + if issubclass(c, PortScan) or issubclass(c, ServiceScan): + autorecon.register(c()) + else: + print('Plugin "' + c.__name__ + '" in ' + filename + ' is not a subclass of either PortScan or ServiceScan.') + except (ImportError, SyntaxError) as ex: + print('cannot import ' + filename + ' plugin') + print(ex) + sys.exit(1) + + if len(autorecon.plugin_types['port']) == 0: + fail('Error: There are no valid PortScan plugins in the plugins directory "' + args.plugins_dir + '".') + + # Sort plugins by priority. + autorecon.plugin_types['port'].sort(key=lambda x: x.priority) + autorecon.plugin_types['service'].sort(key=lambda x: x.priority) + + if not os.path.isfile(autorecon.config['global_file']): + fail('Error: Specified global file "' + autorecon.config['global_file'] + '" does not exist.') + + global_plugin_args = None + with open(autorecon.config['global_file']) as g: + try: + global_toml = toml.load(g) + for key, val in global_toml.items(): + if key == 'global' and isinstance(val, dict): # Process global plugin options. + for gkey, gvals in global_toml['global'].items(): + if isinstance(gvals, dict):# and 'help' in gvals: + options = {'metavar':'VALUE'} + + if 'default' in gvals: + options['default'] = gvals['default'] + + if 'metavar' in gvals: + options['metavar'] = gvals['metavar'] + + if 'help' in gvals: + options['help'] = gvals['help'] + + if 'type' in gvals: + gtype = gvals['type'].lower() + if gtype == 'constant': + if 'constant' not in gvals: + fail('Global constant option ' + gkey + ' has no constant value set.') + else: + options['action'] = 'store_const' + options['const'] = gvals['constant'] + elif gtype == 'true': + options['action'] = 'store_true' + options.pop('metavar', None) + options.pop('default', None) + elif gtype == 'false': + options['action'] = 'store_false' + options.pop('metavar', None) + options.pop('default', None) + elif gtype == 'list': + options['action'] = 'append' + elif gtype == 'choice': + if 'choices' not in gvals: + fail('Global choice option ' + gkey + ' has no choices value set.') + else: + if not isinstance(gvals['choices'], list): + fail('The \'choices\' value for global choice option ' + gkey + ' should be a list.') + options['choices'] = gvals['choices'] + options.pop('metavar', None) + + if global_plugin_args is None: + global_plugin_args = parser.add_argument_group("global plugin arguments", description="These are optional arguments that can be used by all plugins.") + + global_plugin_args.add_argument('--global.' + slugify(gkey), **options) + + except toml.decoder.TomlDecodeError: + fail('Error: Couldn\'t parse ' + g.name + ' file. Check syntax.') + + for key, val in config_toml.items(): + if key == 'global' and isinstance(val, dict): # Process global plugin options. + for gkey, gval in config_toml['global'].items(): + if isinstance(gval, bool): + for action in autorecon.argparse._actions: + if action.dest == 'global.' + slugify(gkey).replace('-', '_'): + if action.const is True: + action.__setattr__('default', gval) + break + else: + if autorecon.argparse.get_default('global.' + slugify(gkey).replace('-', '_')): + autorecon.argparse.set_defaults(**{'global.' + slugify(gkey).replace('-', '_'): gval}) + + elif key == 'pattern' and isinstance(val, list): # Process global patterns. + for pattern in val: + if 'pattern' in pattern: + try: + compiled = re.compile(pattern['pattern']) + if 'description' in pattern: + autorecon.patterns.append(Pattern(compiled, description=pattern['description'])) + else: + autorecon.patterns.append(Pattern(compiled)) + except re.error: + fail('Error: The pattern "' + pattern['pattern'] + '" in the config file is invalid regex.') + else: + fail('Error: A [[pattern]] in the config file doesn\'t have a required pattern variable.') + elif isinstance(val, dict): # Process potential plugin arguments. + for pkey, pval in config_toml[key].items(): + if autorecon.argparse.get_default(slugify(key).replace('-', '_') + '.' + slugify(pkey).replace('-', '_')): + autorecon.argparse.set_defaults(**{slugify(key).replace('-', '_') + '.' + slugify(pkey).replace('-', '_'): pval}) + else: # Process potential other options. + if key.replace('-', '_') in autorecon.configurable_keys: + autorecon.config[key.replace('-', '_')] = val + autorecon.argparse.set_defaults(**{key.replace('-', '_'): val}) + + parser.add_argument('-h', '--help', action='help', default=argparse.SUPPRESS, help='Show this help message and exit.') + args = parser.parse_args() + + args_dict = vars(args) + for key in args_dict: + if key in autorecon.configurable_keys and args_dict[key] is not None: + # Special case for booleans + if key in ['accessible', 'single_target', 'only_scans_dir'] and autorecon.config[key]: + continue + autorecon.config[key] = args_dict[key] + + autorecon.args = args + + if autorecon.config['max_scans'] <= 0: + error('Argument -m/--max-scans must be at least 1.') + errors = True + + if autorecon.config['max_port_scans'] is None: + autorecon.config['max_port_scans'] = max(1, round(autorecon.config['max_scans'] * 0.2)) + else: + if autorecon.config['max_port_scans'] <= 0: + error('Argument -mp/--max-port-scans must be at least 1.') + errors = True + + if autorecon.config['max_port_scans'] > autorecon.config['max_scans']: + error('Argument -mp/--max-port-scans cannot be greater than argument -m/--max-scans.') + errors = True + + if autorecon.config['heartbeat'] <= 0: + error('Argument --heartbeat must be at least 1.') + errors = True + + if autorecon.config['timeout'] is not None and autorecon.config['timeout'] <= 0: + error('Argument --timeout must be at least 1.') + errors = True + + if autorecon.config['target_timeout'] is not None and autorecon.config['target_timeout'] <= 0: + error('Argument --target-timeout must be at least 1.') + errors = True + + if autorecon.config['timeout'] is not None and autorecon.config['target_timeout'] is not None and autorecon.config['timeout'] < autorecon.config['target_timeout']: + error('Argument --timeout cannot be less than --target-timeout.') + errors = True + + if not errors: + autorecon.port_scan_semaphore = asyncio.Semaphore(autorecon.config['max_port_scans']) + # If max scans and max port scans is the same, the service scan semaphore and port scan semaphore should be the same object + if autorecon.config['max_scans'] == autorecon.config['max_port_scans']: + autorecon.service_scan_semaphore = autorecon.port_scan_semaphore + else: + autorecon.service_scan_semaphore = asyncio.Semaphore(autorecon.config['max_scans'] - autorecon.config['max_port_scans']) + + tags = [] + for tag_group in list(set(filter(None, args.tags.lower().split(',')))): + tags.append(list(set(filter(None, tag_group.split('+'))))) + + # Remove duplicate lists from list. + [autorecon.tags.append(t) for t in tags if t not in autorecon.tags] + + excluded_tags = [] + if args.exclude_tags != '': + for tag_group in list(set(filter(None, args.exclude_tags.lower().split(',')))): + excluded_tags.append(list(set(filter(None, tag_group.split('+'))))) + + # Remove duplicate lists from list. + [autorecon.excluded_tags.append(t) for t in excluded_tags if t not in autorecon.excluded_tags] + + # Generate manual commands. + for _, plugin in autorecon.plugins.items(): + for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): + if member_name == 'manual': + plugin.manual() + + raw_targets = args.targets + + if len(args.target_file) > 0: + if not os.path.isfile(args.target_file): + error('The target file ' + args.target_file + ' was not found.') + sys.exit(1) + try: + with open(args.target_file, 'r') as f: + lines = f.read() + for line in lines.splitlines(): + line = line.strip() + if line.startswith('#') or len(line) == 0: continue + if line not in raw_targets: + raw_targets.append(line) + except OSError: + error('The target file ' + args.target_file + ' could not be read.') + sys.exit(1) + + for target in raw_targets: + try: + ip = str(ipaddress.ip_address(target)) + + if ip not in autorecon.pending_targets: + autorecon.pending_targets.append(ip) + except ValueError: + + try: + target_range = ipaddress.ip_network(target, strict=False) + if not args.disable_sanity_checks and target_range.num_addresses > 256: + error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') + errors = True + else: + for ip in target_range.hosts(): + ip = str(ip) + if ip not in autorecon.pending_targets: + autorecon.pending_targets.append(ip) + except ValueError: + + try: + ip = socket.gethostbyname(target) + + if target not in autorecon.pending_targets: + autorecon.pending_targets.append(target) + except socket.gaierror: + error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') + errors = True + + if len(autorecon.pending_targets) == 0: + error('You must specify at least one target to scan!') + errors = True + + if autorecon.config['single_target'] and len(autorecon.pending_targets) != 1: + error('You cannot provide more than one target when scanning in single-target mode.') + errors = True + + if not args.disable_sanity_checks and len(autorecon.pending_targets) > 256: + error('A total of ' + str(len(autorecon.pending_targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.') + errors = True + + port_scan_plugin_count = 0 + for plugin in autorecon.plugin_types['port']: + matching_tags = False + for tag_group in autorecon.tags: + if set(tag_group).issubset(set(plugin.tags)): + matching_tags = True + break + + excluded_tags = False + for tag_group in autorecon.excluded_tags: + if set(tag_group).issubset(set(plugin.tags)): + excluded_tags = True + break + + if matching_tags and not excluded_tags: + port_scan_plugin_count += 1 + + if port_scan_plugin_count == 0: + error('There are no port scan plugins that match the tags specified.') + errors = True + + if errors: + sys.exit(1) + + autorecon.config['port_scan_plugin_count'] = port_scan_plugin_count + + num_initial_targets = max(1, math.ceil(autorecon.config['max_port_scans'] / port_scan_plugin_count)) + + start_time = time.time() + + #sys.exit(0) + + pending = [] + i = 0 + while autorecon.pending_targets: + pending.append(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) + i+=1 + if i >= num_initial_targets: + break + + timed_out = False + while pending: + done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED, timeout=1) + # Check if global timeout has occurred. + if autorecon.config['timeout'] is not None: + elapsed_seconds = round(time.time() - start_time) + m, s = divmod(elapsed_seconds, 60) + if m >= autorecon.config['timeout']: + timed_out = True + break + + for task in done: + if autorecon.pending_targets: + pending.add(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) + + #port_scan_task_count = 0 + #for t in asyncio.all_tasks(): + # if inspect.getframeinfo(t.get_stack(limit=1)[0]).function == 'port_scan': + # port_scan_task_count += 1 + #print("Old Port Scan Task Count: " + str(port_scan_task_count)) + + port_scan_task_count = 0 + for targ in autorecon.scanning_targets: + for process_list in targ.running_tasks.values(): + if issubclass(process_list['plugin'].__class__, PortScan): + #print(process_list) + port_scan_task_count += 1 + #print("New Port Scan Task Count: " + str(port_scan_task_count)) + + num_new_targets = math.ceil((autorecon.config['max_port_scans'] - port_scan_task_count) / port_scan_plugin_count) + if num_new_targets > 0: + i = 0 + while autorecon.pending_targets: + pending.add(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) + i+=1 + if i >= num_new_targets: + break + + if timed_out: + cancel_all_tasks(None, None) + + elapsed_time = calculate_elapsed_time(start_time) + warn('{byellow}AutoRecon took longer than the specified timeout period (' + str(autorecon.config['timeout']) + ' min). Cancelling all scans and exiting.{rst}') + sys.exit(0) + else: + while len(asyncio.all_tasks()) > 1: # this code runs in the main() task so it will be the only task left running + await asyncio.sleep(1) + + elapsed_time = calculate_elapsed_time(start_time) + info('{bright}Finished scanning all targets in ' + elapsed_time + '!{rst}') + +if __name__ == '__main__': + signal.signal(signal.SIGINT, cancel_all_tasks) + try: + asyncio.run(main()) + except asyncio.exceptions.CancelledError: + pass diff --git a/config.toml b/config.toml new file mode 100644 index 0000000..f343a8d --- /dev/null +++ b/config.toml @@ -0,0 +1,20 @@ +# Configure regular AutoRecon options at the top of this file. + +# verbose = 1 +# max-scans = 1 + +# Configure global pattern matching here. +[[pattern]] +description = 'Nmap script found a potential vulnerability. ({match})' +pattern = 'State: (?:(?:LIKELY\_?)?VULNERABLE)' + +[[pattern]] +pattern = '(?i)unauthorized' + +# Configure global options here. +# [global] +# username-wordlist = '/usr/share/seclists/Usernames/cirt-default-usernames.txt' + +# Configure plugin options here. +# [dirbuster] +# wordlist = ['/usr/share/seclists/Discovery/Web-Content/common.txt', '/usr/share/seclists/Discovery/Web-Content/big.txt', '/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'] diff --git a/global.toml b/global.toml new file mode 100644 index 0000000..47c7edc --- /dev/null +++ b/global.toml @@ -0,0 +1,7 @@ +[global.username-wordlist] +default = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' +help = 'A wordlist of usernames, useful for bruteforcing. Default: %(default)s' + +[global.password-wordlist] +default = '/usr/share/seclists/Passwords/darkweb2017-top100.txt' +help = 'A wordlist of passwords, useful for bruteforcing. Default: %(default)s' diff --git a/src/autorecon/__init__.py b/plugins/__init__.py similarity index 100% rename from src/autorecon/__init__.py rename to plugins/__init__.py diff --git a/plugins/databases.py b/plugins/databases.py new file mode 100644 index 0000000..7930bb2 --- /dev/null +++ b/plugins/databases.py @@ -0,0 +1,122 @@ +from autorecon import ServiceScan + +class NmapMongoDB(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap MongoDB" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match('^mongod') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}') + +class NmapMSSQL(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap MSSQL" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match(['^mssql', '^ms\-sql']) + + def manual(self): + self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}') + +class NmapMYSQL(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap MYSQL" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match('^mysql') + + def manual(self): + self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}') + +class NmapOracle(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap Oracle" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match('^oracle') + + def manual(self): + self.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}') + +class OracleTNScmd(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Oracle TNScmd" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match('^oracle') + + async def run(self, service): + await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt') + await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt') + +class OracleScanner(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Oracle Scanner" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match('^oracle') + + async def run(self, service): + await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt') + +class OracleODAT(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Oracle ODAT" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match('^oracle') + + def manual(self): + self.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [ + 'python odat.py tnscmd -s {address} -p {port} --ping', + 'python odat.py tnscmd -s {address} -p {port} --version', + 'python odat.py tnscmd -s {address} -p {port} --status', + 'python odat.py sidguesser -s {address} -p {port}', + 'python odat.py passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt', + 'python odat.py tnspoison -s {address} -p {port} -d --test-module' + ]) + +class OraclePatator(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Oracle Patator" + self.tags = ['default', 'databases'] + + def configure(self): + self.add_service_match('^oracle') + + def manual(self): + self.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000') diff --git a/plugins/default-port-scan.py b/plugins/default-port-scan.py new file mode 100644 index 0000000..f9725f8 --- /dev/null +++ b/plugins/default-port-scan.py @@ -0,0 +1,46 @@ +from autorecon import PortScan, error +import os + +class QuickTCPPortScan(PortScan): + + def __init__(self): + super().__init__() + self.name = "Top TCP Ports" + self.tags = ["default", "default-port-scan"] + self.priority = 0 + + async def run(self, target): + process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False) + services = await target.extract_services(stdout) + await process.wait() + return services + +class AllTCPPortScan(PortScan): + + def __init__(self): + super().__init__() + self.name = "All TCP Ports" + self.tags = ["default", "default-port-scan", "long"] + + async def run(self, target): + process, stdout, stderr = await target.execute('nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False) + services = await target.extract_services(stdout) + await process.wait() + return services + +class Top20UDPPortScan(PortScan): + + def __init__(self): + super().__init__() + self.name = "Top 100 UDP Ports" + self.tags = ["default", "default-port-scan"] + + async def run(self, target): + # Only run UDP scan if user is root. + if os.getuid() == 0: + process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --version-all --top-ports 100 -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}', blocking=False) + services = await target.extract_services(stdout) + await process.wait() + return services + else: + error('UDP scan requires AutoRecon be run with root privileges.') diff --git a/plugins/dns.py b/plugins/dns.py new file mode 100644 index 0000000..df4565c --- /dev/null +++ b/plugins/dns.py @@ -0,0 +1,14 @@ +from autorecon import ServiceScan + +class DNS(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "DNS" + self.tags = ['default', 'dns'] + + def configure(self): + self.add_service_match('^domain') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}') diff --git a/plugins/ftp.py b/plugins/ftp.py new file mode 100644 index 0000000..22c49be --- /dev/null +++ b/plugins/ftp.py @@ -0,0 +1,30 @@ +from autorecon import ServiceScan + +class NmapFTP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'Nmap FTP' + self.tags = ['default', 'ftp'] + + def configure(self): + self.add_service_match(['^ftp', '^ftp\-data']) + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}') + +class BruteforceFTP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Bruteforce FTP" + self.tags = ['default', 'ftp'] + + def configure(self): + self.add_service_match(['^ftp', '^ftp\-data']) + + def manual(self): + self.add_manual_commands('Bruteforce logins:', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' + ]) diff --git a/plugins/http.py b/plugins/http.py new file mode 100644 index 0000000..4e3eddd --- /dev/null +++ b/plugins/http.py @@ -0,0 +1,186 @@ +from autorecon import ServiceScan, error +from shutil import which +import os + +class NmapHTTP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap HTTP" + self.tags = ['default', 'http'] + + def configure(self): + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match}') + self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}') + +class BruteforceHTTP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Bruteforce HTTP" + self.tags = ['default', 'http'] + + def configure(self): + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + + def manual(self): + self.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{address}/path/to/auth/area', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"' + ]) + +class Curl(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Curl" + self.tags = ['default', 'http'] + + def configure(self): + self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s") + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + self.add_pattern('(?i)Powered by [^\n]+') + + async def run(self, service): + if service.protocol == 'tcp': + await service.execute('curl -sSik {http_scheme}://{address}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html') + +class CurlRobots(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Curl Robots" + self.tags = ['default', 'http'] + + def configure(self): + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + + async def run(self, service): + if service.protocol == 'tcp': + await service.execute('curl -sSik {http_scheme}://{address}:{port}/robots.txt', outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt') + +class DirBuster(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "DirBuster" + self.slug = 'dirbuster' + self.priority = 0 + self.tags = ['default', 'http', 'long'] + + def configure(self): + self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s') + self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt'], help='The wordlist to use when directory busting. Specify the option multiple times to use multiple wordlists. Default: %(default)s') + self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s') + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + + def manual(self): + self.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ + 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt', + 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt' + ]) + + self.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ + 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', + 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' + ]) + + self.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ + 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"', + 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"' + ]) + + self.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [ + 'dirb {http_scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"', + 'dirb {http_scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"' + ]) + + self.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ + 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', + 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' + ]) + + async def run(self, service): + for wordlist in self.get_option('wordlist'): + name = os.path.splitext(os.path.basename(wordlist))[0] + if self.get_option('tool') == 'feroxbuster': + await service.execute('feroxbuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"') + elif self.get_option('tool') == 'gobuster': + await service.execute('gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"') + elif self.get_option('tool') == 'dirsearch': + await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w ' + wordlist + ' --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"') + elif self.get_option('tool') == 'ffuf': + await service.execute('ffuf -u {http_scheme}://{address}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt') + elif self.get_option('tool') == 'dirb': + await service.execute('dirb {http_scheme}://{address}:{port}/ ' + wordlist + ' -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"') + +class Nikto(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'nikto' + self.tags = ['default', 'http', 'long'] + + def configure(self): + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + + def manual(self): + self.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') + +class WhatWeb(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "whatweb" + self.tags = ['default', 'http'] + + def configure(self): + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + + async def run(self, service): + if service.protocol == 'tcp': + await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt') + +class WkHTMLToImage(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "wkhtmltoimage" + self.tags = ['default', 'http'] + + def configure(self): + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + + async def run(self, service): + if which('wkhtmltoimage') is not None and service.protocol == 'tcp': + await service.execute('wkhtmltoimage --format png {http_scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png') + else: + error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)') + +class WPScan(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'WPScan' + self.tags = ['default', 'http'] + + def configure(self): + self.add_service_match('^http') + self.add_service_match('^nacn_http$', negative_match=True) + + def manual(self): + self.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') diff --git a/plugins/kerberos.py b/plugins/kerberos.py new file mode 100644 index 0000000..b093bbc --- /dev/null +++ b/plugins/kerberos.py @@ -0,0 +1,14 @@ +from autorecon import ServiceScan + +class NmapKerberos(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap Kerberos" + self.tags = ['default', 'kerberos', 'active-directory'] + + def configure(self): + self.add_service_match(['^kerberos', '^kpasswd']) + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}') diff --git a/plugins/ldap.py b/plugins/ldap.py new file mode 100644 index 0000000..39e88dd --- /dev/null +++ b/plugins/ldap.py @@ -0,0 +1,29 @@ +from autorecon import ServiceScan + +class NmapLDAP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap LDAP" + self.tags = ['default', 'ldap', 'active-directory'] + + def configure(self): + self.add_service_match('^ldap') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}') + +class LDAPSearch(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'LDAP Search' + self.tags = ['default', 'ldap', 'active-directory'] + + def configure(self): + self.add_service_match('^ldap') + + def manual(self): + self.add_manual_command('ldapsearch command (modify before running):', [ + 'ldapsearch -x -D "" -w """ -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"' + ]) diff --git a/plugins/misc.py b/plugins/misc.py new file mode 100644 index 0000000..0e4144a --- /dev/null +++ b/plugins/misc.py @@ -0,0 +1,170 @@ +from autorecon import ServiceScan + +class NmapCassandra(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap Cassandra" + self.tags = ['default', 'cassandra'] + + def configure(self): + self.add_service_match('^apani1') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}') + +class NmapCUPS(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap CUPS" + self.tags = ['default', 'cups'] + + def configure(self): + self.add_service_match('^ipp') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}') + +class NmapDistccd(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap distccd" + self.tags = ['default', 'distccd'] + + def configure(self): + self.add_service_match('^distccd') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}') + +class NmapFinger(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap finger" + self.tags = ['default', 'finger'] + + def configure(self): + self.add_service_match('^finger') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}') + +class NmapIMAP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap IMAP" + self.tags = ['default', 'imap', 'email'] + + def configure(self): + self.add_service_match('^imap') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}') + +class NmapNNTP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap NNTP" + self.tags = ['default', 'nntp'] + + def configure(self): + self.add_service_match('^nntp') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}') + +class NmapPOP3(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap POP3" + self.tags = ['default', 'pop3', 'email'] + + def configure(self): + self.add_service_match('^pop3') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}') + +class NmapRMI(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap RMI" + self.tags = ['default', 'rmi'] + + def configure(self): + self.add_service_match(['^java\-rmi', '^rmiregistry']) + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}') + +class NmapSMTP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap SMTP" + self.tags = ['default', 'smtp', 'email'] + + def configure(self): + self.add_service_match('^smtp') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}') + +class SMTPUserEnum(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'SMTP-User-Enum' + self.tags = ['default', 'smtp', 'email'] + + def configure(self): + self.add_service_match('^smtp') + + async def run(self, service): + await service.execute('smtp-user-enum -M VRFY -U "' + self.get_global('username_wordlist') + '" -t {address} -p {port} 2>&1', outfile='{protocol}_{port}_smtp_user-enum.txt') + +class NmapTelnet(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'Nmap Telnet' + self.tags = ['default', 'telnet'] + + def configure(self): + self.add_service_match('^telnet') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}') + +class NmapTFTP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'Nmap TFTP' + self.tags = ['default', 'tftp'] + + def configure(self): + self.add_service_match('^tftp') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}') + +class NmapVNC(ServiceScan): + + def __init__(self): + super().__init__() + self.name = 'Nmap VNC' + self.tags = ['default', 'vnc'] + + def configure(self): + self.add_service_match('^vnc') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}') diff --git a/plugins/nfs.py b/plugins/nfs.py new file mode 100644 index 0000000..8210580 --- /dev/null +++ b/plugins/nfs.py @@ -0,0 +1,27 @@ +from autorecon import ServiceScan + +class NmapNFS(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap NFS" + self.tags = ['default', 'nfs'] + + def configure(self): + self.add_service_match(['^nfs', '^rpcbind']) + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}') + +class Showmount(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "showmount" + self.tags = ['default', 'nfs'] + + def configure(self): + self.add_service_match(['^nfs', '^rpcbind']) + + async def run(self, service): + await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt') diff --git a/plugins/rdp.py b/plugins/rdp.py new file mode 100644 index 0000000..a4dc5cb --- /dev/null +++ b/plugins/rdp.py @@ -0,0 +1,30 @@ +from autorecon import ServiceScan + +class NmapRDP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap RDP" + self.tags = ['default', 'rdp'] + + def configure(self): + self.add_service_match(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}') + +class BruteforceRDP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Bruteforce RDP" + self.tags = ['default', 'rdp'] + + def configure(self): + self.add_service_match(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) + + def manual(self): + self.add_manual_commands('Bruteforce logins:', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' + ]) diff --git a/plugins/rpc.py b/plugins/rpc.py new file mode 100644 index 0000000..63535dd --- /dev/null +++ b/plugins/rpc.py @@ -0,0 +1,27 @@ +from autorecon import ServiceScan + +class NmapMSRPC(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap MSRPC" + self.tags = ['default', 'rpc'] + + def configure(self): + self.add_service_match(['^msrpc', '^rpcbind', '^erpc']) + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}') + +class RPCClient(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "rpcclient" + self.tags = ['default', 'rpc'] + + def configure(self): + self.add_service_match(['^msrpc', '^rpcbind', '^erpc']) + + def manual(self): + self.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}') diff --git a/plugins/sip.py b/plugins/sip.py new file mode 100644 index 0000000..da93233 --- /dev/null +++ b/plugins/sip.py @@ -0,0 +1,27 @@ +from autorecon import ServiceScan + +class NmapSIP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap SIP" + self.tags = ['default', 'sip'] + + def configure(self): + self.add_service_match('^asterisk') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}') + +class SIPVicious(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "SIPVicious" + self.tags = ['default', 'sip'] + + def configure(self): + self.add_service_match('^asterisk') + + def manual(self): + self.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') diff --git a/plugins/smb.py b/plugins/smb.py new file mode 100644 index 0000000..40b84a2 --- /dev/null +++ b/plugins/smb.py @@ -0,0 +1,85 @@ +from autorecon import ServiceScan + +class NmapSMB(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap SMB" + self.tags = ['default', 'smb', 'active-directory'] + + def configure(self): + self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) + + def manual(self): + self.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [ + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' + ]) + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}') + +class Enum4Linux(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Enum4Linux" + self.tags = ['default', 'enum4linux', 'active-directory'] + + def configure(self): + self.add_service_match(['^ldap', '^smb', '^microsoft\-ds', '^netbios']) + self.add_port_match('tcp', [139, 389, 445]) + self.add_port_match('udp', 137) + self.run_once(True) + + async def run(self, service): + await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt') + +class NBTScan(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "nbtscan" + self.tags = ['default', 'netbios', 'active-directory'] + + def configure(self): + self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) + self.add_port_match('udp', 137) + self.run_once(True) + + async def run(self, service): + await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt') + +class SMBClient(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "SMBClient" + self.tags = ['default', 'smb', 'active-directory'] + + def configure(self): + self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) + self.add_port_match('tcp', [139, 445]) + self.run_once(True) + + async def run(self, service): + await service.execute('smbclient -L\\\\ -N -I {address} 2>&1', outfile='smbclient.txt') + +class SMBMap(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "SMBMap" + self.tags = ['default', 'smb', 'active-directory'] + + def configure(self): + self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) + + async def run(self, service): + await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') + await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') + await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') diff --git a/plugins/snmp.py b/plugins/snmp.py new file mode 100644 index 0000000..83d552f --- /dev/null +++ b/plugins/snmp.py @@ -0,0 +1,52 @@ +from autorecon import ServiceScan + +class NmapSNMP(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap SNMP" + self.tags = ['default', 'snmp'] + + def configure(self): + self.add_service_match('^snmp') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}') + +class OneSixtyOne(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "OneSixtyOne" + self.tags = ['default', 'snmp'] + + def configure(self): + self.add_service_match('^snmp') + self.add_port_match('udp', 161) + self.run_once(True) + self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s') + + async def run(self, service): + await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt') + +class SNMPWalk(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "SNMPWalk" + self.tags = ['default', 'snmp'] + + def configure(self): + self.add_service_match('^snmp') + self.add_port_match('udp', 161) + self.run_once(True) + + async def run(self, service): + await service.execute('snmpwalk -c public -v 1 {address} 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_system_processes.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1', outfile='{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_process_paths.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_storage_units.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_software_names.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_user_accounts.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt') diff --git a/plugins/ssh.py b/plugins/ssh.py new file mode 100644 index 0000000..637c390 --- /dev/null +++ b/plugins/ssh.py @@ -0,0 +1,30 @@ +from autorecon import ServiceScan + +class NmapSSH(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Nmap SSH" + self.tags = ['default', 'ssh'] + + def configure(self): + self.add_service_match('^ssh') + + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}') + +class BruteforceSSH(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "Bruteforce SSH" + self.tags = ['default', 'ssh'] + + def configure(self): + self.add_service_match('ssh') + + def manual(self): + self.add_manual_command('Bruteforce logins:', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' + ]) diff --git a/plugins/sslscan.py b/plugins/sslscan.py new file mode 100644 index 0000000..c9a8833 --- /dev/null +++ b/plugins/sslscan.py @@ -0,0 +1,16 @@ +from autorecon import ServiceScan + +class SSLScan(ServiceScan): + + def __init__(self): + super().__init__() + self.name = "SSL Scan" + self.tags = ['default', 'ssl', 'tls'] + + def configure(self): + self.add_service_match('.+') + self.require_ssl(True) + + async def run(self, service): + if service.protocol == 'tcp' and service.secure: + await service.execute('sslscan --show-certificate --no-colour {address}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html') diff --git a/poetry.lock b/poetry.lock deleted file mode 100644 index 75da55b..0000000 --- a/poetry.lock +++ /dev/null @@ -1,42 +0,0 @@ -[[package]] -category = "main" -description = "A small Python module for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." -name = "appdirs" -optional = false -python-versions = "*" -version = "1.4.3" - -[[package]] -category = "main" -description = "Cross-platform colored terminal text." -name = "colorama" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -version = "0.4.3" - -[[package]] -category = "main" -description = "Python Library for Tom's Obvious, Minimal Language" -name = "toml" -optional = false -python-versions = "*" -version = "0.10.0" - -[metadata] -content-hash = "7359d313673568959d8011a312ea74ee6c3c3f3a2a5d81f690b87f6236d051ec" -python-versions = "^3.7" - -[metadata.files] -appdirs = [ - {file = "appdirs-1.4.3-py2.py3-none-any.whl", hash = "sha256:d8b24664561d0d34ddfaec54636d502d7cea6e29c3eaf68f3df6180863e2166e"}, - {file = "appdirs-1.4.3.tar.gz", hash = "sha256:9e5896d1372858f8dd3344faf4e5014d21849c756c8d5701f78f8a103b372d92"}, -] -colorama = [ - {file = "colorama-0.4.3-py2.py3-none-any.whl", hash = "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff"}, - {file = "colorama-0.4.3.tar.gz", hash = "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"}, -] -toml = [ - {file = "toml-0.10.0-py2.7.egg", hash = "sha256:f1db651f9657708513243e61e6cc67d101a39bad662eaa9b5546f789338e07a3"}, - {file = "toml-0.10.0-py2.py3-none-any.whl", hash = "sha256:235682dd292d5899d361a811df37e04a8828a5b1da3115886b73cf81ebc9100e"}, - {file = "toml-0.10.0.tar.gz", hash = "sha256:229f81c57791a41d65e399fc06bf0848bab550a9dfd5ed66df18ce5f05e73d5c"}, -] diff --git a/poetry.toml b/poetry.toml deleted file mode 100644 index 3b549d6..0000000 --- a/poetry.toml +++ /dev/null @@ -1,2 +0,0 @@ -[virtualenvs] -create = true diff --git a/pyproject.toml b/pyproject.toml deleted file mode 100644 index 1c8cd46..0000000 --- a/pyproject.toml +++ /dev/null @@ -1,28 +0,0 @@ -[tool.poetry] -name = "autorecon" -version = "1.0.0" -description = "A multi-threaded network reconaissance tool which performs automated enumeration of services" -authors = ["Tib3rius"] -license = "GPL-3.0-only" -readme = "README.md" -homepage = "https://github.com/Tib3rius/AutoRecon" -repository = "https://github.com/Tib3rius/AutoRecon" -packages = [ - {include = "autorecon", from = "src"}, -] - -[tool.poetry.dependencies] -python = "^3.7" -toml = "^0.10.0" -colorama = "^0.4.3" -appdirs = "^1.4.3" - -[tool.poetry.dev-dependencies] - - -[tool.poetry.scripts] -autorecon = 'autorecon.autorecon:main' - -[build-system] -requires = ["poetry>=0.12"] -build-backend = "poetry.masonry.api" diff --git a/requirements.txt b/requirements.txt index d5cbce5..d43a59e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -colorama +unidecode toml -appdirs +colorama \ No newline at end of file diff --git a/src/autorecon/autorecon.py b/src/autorecon/autorecon.py deleted file mode 100755 index e9bfd78..0000000 --- a/src/autorecon/autorecon.py +++ /dev/null @@ -1,885 +0,0 @@ -#!/usr/bin/env python3 -# -# AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. -# -# This program can be redistributed and/or modified under the terms of the -# GNU General Public License, either version 3 of the License, or (at your -# option) any later version. -# - -import atexit -import argparse -import asyncio -import colorama -from colorama import Fore, Style -from concurrent.futures import ProcessPoolExecutor, as_completed, FIRST_COMPLETED -from datetime import datetime -import ipaddress -import os -import re -import socket -import string -import sys -import time -import toml -import termios -import appdirs -import shutil - -# Globals -verbose = 0 -nmap = "-vv --reason -Pn" -srvname = "" -heartbeat_interval = 60 -port_scan_profile = None -port_scan_profiles_config = None -service_scans_config = None -global_patterns = [] -username_wordlist = "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -password_wordlist = "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -single_target = False -only_scans_dir = False - - -def _quit(): - TERM_FLAGS = termios.tcgetattr(sys.stdin.fileno()) - termios.tcsetattr(sys.stdin.fileno(), termios.TCSADRAIN, TERM_FLAGS) - - -def _init(): - global port_scan_profiles_config - global service_scans_config - global global_patterns - - atexit.register(_quit) - appname = "AutoRecon" - rootdir = os.path.dirname(os.path.realpath(__file__)) - default_config_dir = os.path.join(rootdir, "config") - config_dir = appdirs.user_config_dir(appname) - port_scan_profiles_config_file = os.path.join(config_dir, "port-scan-profiles.toml") - service_scans_config_file = os.path.join(config_dir, "service-scans.toml") - global_patterns_config_file = os.path.join(config_dir, "global-patterns.toml") - - # Confirm this directory exists; if not, populate it with the default configurations - if not os.path.exists(config_dir): - os.makedirs(config_dir, exist_ok=True) - shutil.copy( - os.path.join(default_config_dir, "port-scan-profiles-default.toml"), - port_scan_profiles_config_file, - ) - shutil.copy( - os.path.join(default_config_dir, "service-scans-default.toml"), - service_scans_config_file, - ) - shutil.copy( - os.path.join(default_config_dir, "global-patterns-default.toml"), - global_patterns_config_file, - ) - - - with open(port_scan_profiles_config_file, "r") as p: - try: - port_scan_profiles_config = toml.load(p) - - if len(port_scan_profiles_config) == 0: - fail( - "There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file." - ) - - except toml.decoder.TomlDecodeError as e: - fail( - "Error: Couldn't parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags." - ) - - with open(service_scans_config_file, "r") as c: - try: - service_scans_config = toml.load(c) - except toml.decoder.TomlDecodeError as e: - fail( - "Error: Couldn't parse service-scans.toml config file. Check syntax and duplicate tags." - ) - - with open(global_patterns_config_file, "r") as p: - try: - global_patterns = toml.load(p) - if "pattern" in global_patterns: - global_patterns = global_patterns["pattern"] - else: - global_patterns = [] - except toml.decoder.TomlDecodeError as e: - fail( - "Error: Couldn't parse global-patterns.toml config file. Check syntax and duplicate tags." - ) - - if "username_wordlist" in service_scans_config: - if isinstance(service_scans_config["username_wordlist"], str): - username_wordlist = service_scans_config["username_wordlist"] - - if "password_wordlist" in service_scans_config: - if isinstance(service_scans_config["password_wordlist"], str): - password_wordlist = service_scans_config["password_wordlist"] - - -def e(*args, frame_index=1, **kvargs): - frame = sys._getframe(frame_index) - - vals = {} - - vals.update(frame.f_globals) - vals.update(frame.f_locals) - vals.update(kvargs) - - return string.Formatter().vformat(' '.join(args), args, vals) - -def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1, file=sys.stdout, **kvargs): - frame = sys._getframe(frame_index) - - vals = { - 'bgreen': Fore.GREEN + Style.BRIGHT, - 'bred': Fore.RED + Style.BRIGHT, - 'bblue': Fore.BLUE + Style.BRIGHT, - 'byellow': Fore.YELLOW + Style.BRIGHT, - 'bmagenta': Fore.MAGENTA + Style.BRIGHT, - - 'green': Fore.GREEN, - 'red': Fore.RED, - 'blue': Fore.BLUE, - 'yellow': Fore.YELLOW, - 'magenta': Fore.MAGENTA, - - 'bright': Style.BRIGHT, - 'srst': Style.NORMAL, - 'crst': Fore.RESET, - 'rst': Style.NORMAL + Fore.RESET - } - - vals.update(frame.f_globals) - vals.update(frame.f_locals) - vals.update(kvargs) - - unfmt = '' - if char is not None: - unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep - unfmt += sep.join(args) - - fmted = unfmt - - for attempt in range(10): - try: - fmted = string.Formatter().vformat(unfmt, args, vals) - break - except KeyError as err: - key = err.args[0] - unfmt = unfmt.replace('{' + key + '}', '{{' + key + '}}') - - print(fmted, sep=sep, end=end, file=file) - -def debug(*args, color=Fore.BLUE, sep=' ', end='\n', file=sys.stdout, **kvargs): - if verbose >= 2: - cprint(*args, color=color, char='-', sep=sep, end=end, file=file, frame_index=2, **kvargs) - -def info(*args, sep=' ', end='\n', file=sys.stdout, **kvargs): - cprint(*args, color=Fore.GREEN, char='*', sep=sep, end=end, file=file, frame_index=2, **kvargs) - -def warn(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): - cprint(*args, color=Fore.YELLOW, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) - -def error(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): - cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) - -def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): - cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) - exit(-1) - -def calculate_elapsed_time(start_time): - elapsed_seconds = round(time.time() - start_time) - - m, s = divmod(elapsed_seconds, 60) - h, m = divmod(m, 60) - - elapsed_time = [] - if h == 1: - elapsed_time.append(str(h) + ' hour') - elif h > 1: - elapsed_time.append(str(h) + ' hours') - - if m == 1: - elapsed_time.append(str(m) + ' minute') - elif m > 1: - elapsed_time.append(str(m) + ' minutes') - - if s == 1: - elapsed_time.append(str(s) + ' second') - elif s > 1: - elapsed_time.append(str(s) + ' seconds') - else: - elapsed_time.append('less than a second') - - return ', '.join(elapsed_time) - - -async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE): - address = target.address - while True: - line = "" - try: - line = await stream.readline() - except ValueError: - continue - - if line: - line = str(line.rstrip(), 'utf8', 'ignore') - debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color) - - for p in global_patterns: - matches = re.findall(p['pattern'], line) - if 'description' in p: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - ' + p['description'] + '\n\n')) - else: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - Matched Pattern: {match}\n\n')) - - for p in patterns: - matches = re.findall(p['pattern'], line) - if 'description' in p: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - ' + p['description'] + '\n\n')) - else: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - Matched Pattern: {match}\n\n')) - else: - break - -async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]): - async with semaphore: - address = target.address - scandir = target.scandir - - info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}' if verbose >= 1 else '')) - - async with target.lock: - with open(os.path.join(scandir, '_commands.log'), 'a') as file: - file.writelines(e('{cmd}\n\n')) - - start_time = time.time() - process = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash') - async with target.lock: - target.running_tasks.append(tag) - - await asyncio.wait([ - read_stream(process.stdout, target, tag=tag, patterns=patterns), - read_stream(process.stderr, target, tag=tag, patterns=patterns, color=Fore.RED) - ]) - - await process.wait() - async with target.lock: - target.running_tasks.remove(tag) - elapsed_time = calculate_elapsed_time(start_time) - - if process.returncode != 0: - error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}') - async with target.lock: - with open(os.path.join(scandir, '_errors.log'), 'a') as file: - file.writelines(e('[*] Task {tag} returned non-zero exit code: {process.returncode}. Command: {cmd}\n')) - else: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully in {elapsed_time}') - - return {'returncode': process.returncode, 'name': 'run_cmd'} - -async def parse_port_scan(stream, tag, target, pattern): - address = target.address - ports = [] - - while True: - line = await stream.readline() - if line: - line = str(line.rstrip(), 'utf8', 'ignore') - debug(Fore.BLUE + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=Fore.BLUE) - - parse_match = re.search(pattern, line) - if parse_match: - ports.append(parse_match.group('port')) - - - for p in global_patterns: - matches = re.findall(p['pattern'], line) - if 'description' in p: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - ' + p['description'] + '\n\n')) - else: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - Matched Pattern: {match}\n\n')) - else: - break - - return ports - -async def parse_service_detection(stream, tag, target, pattern): - address = target.address - services = [] - - while True: - line = await stream.readline() - if line: - line = str(line.rstrip(), 'utf8', 'ignore') - debug(Fore.BLUE + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=Fore.BLUE) - - parse_match = re.search(pattern, line) - if parse_match: - services.append((parse_match.group('protocol').lower(), int(parse_match.group('port')), parse_match.group('service'))) - - for p in global_patterns: - matches = re.findall(p['pattern'], line) - if 'description' in p: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - ' + p['description'] + '\n\n')) - else: - for match in matches: - if verbose >= 1: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}') - async with target.lock: - with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file: - file.writelines(e('{tag} - Matched Pattern: {match}\n\n')) - else: - break - - return services - -async def run_portscan(semaphore, tag, target, service_detection, port_scan=None): - async with semaphore: - - address = target.address - scandir = target.scandir - nmap_extra = nmap - - ports = '' - if port_scan is not None: - command = e(port_scan[0]) - pattern = port_scan[1] - - info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else '')) - - async with target.lock: - with open(os.path.join(scandir, '_commands.log'), 'a') as file: - file.writelines(e('{command}\n\n')) - - start_time = time.time() - process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash') - async with target.lock: - target.running_tasks.append(tag) - - output = [ - parse_port_scan(process.stdout, tag, target, pattern), - read_stream(process.stderr, target, tag=tag, color=Fore.RED) - ] - - results = await asyncio.gather(*output) - - await process.wait() - async with target.lock: - target.running_tasks.remove(tag) - elapsed_time = calculate_elapsed_time(start_time) - - if process.returncode != 0: - error('Port scan {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}') - async with target.lock: - with open(os.path.join(scandir, '_errors.log'), 'a') as file: - file.writelines(e('[*] Port scan {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n')) - return {'returncode': process.returncode} - else: - info('Port scan {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully in {elapsed_time}') - - ports = results[0] - if len(ports) == 0: - return {'returncode': -1} - - ports = ','.join(ports) - - command = e(service_detection[0]) - pattern = service_detection[1] - - info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else '')) - - async with target.lock: - with open(os.path.join(scandir, '_commands.log'), 'a') as file: - file.writelines(e('{command}\n\n')) - - start_time = time.time() - process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash') - async with target.lock: - target.running_tasks.append(tag) - - output = [ - parse_service_detection(process.stdout, tag, target, pattern), - read_stream(process.stderr, target, tag=tag, color=Fore.RED) - ] - - results = await asyncio.gather(*output) - - await process.wait() - async with target.lock: - target.running_tasks.remove(tag) - elapsed_time = calculate_elapsed_time(start_time) - - if process.returncode != 0: - error('Service detection {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}') - async with target.lock: - with open(os.path.join(scandir, '_errors.log'), 'a') as file: - file.writelines(e('[*] Service detection {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n')) - else: - info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully in {elapsed_time}') - - services = results[0] - - return {'returncode': process.returncode, 'name': 'run_portscan', 'services': services} - -async def start_heartbeat(target, period=60): - while True: - await asyncio.sleep(period) - async with target.lock: - tasks = target.running_tasks - count = len(tasks) - - tasks_list = '' - if verbose >= 1: - tasks_list = ': {bgreen}' + ', '.join(tasks) + '{rst}' - - current_time = datetime.now().strftime('%H:%M:%S') - - if count > 1: - info('{bgreen}[{current_time}]{rst} - There are {byellow}{count}{rst} tasks still running on {byellow}{target.address}{rst}' + tasks_list) - elif count == 1: - info('{bgreen}[{current_time}]{rst} - There is {byellow}1{rst} task still running on {byellow}{target.address}{rst}' + tasks_list) - -async def scan_services(loop, semaphore, target): - address = target.address - scandir = target.scandir - pending = [] - - heartbeat = loop.create_task(start_heartbeat(target, period=heartbeat_interval)) - - for profile in port_scan_profiles_config: - if profile == port_scan_profile: - for scan in port_scan_profiles_config[profile]: - service_detection = (port_scan_profiles_config[profile][scan]['service-detection']['command'], port_scan_profiles_config[profile][scan]['service-detection']['pattern']) - if 'port-scan' in port_scan_profiles_config[profile][scan]: - port_scan = (port_scan_profiles_config[profile][scan]['port-scan']['command'], port_scan_profiles_config[profile][scan]['port-scan']['pattern']) - pending.append(run_portscan(semaphore, scan, target, service_detection, port_scan)) - else: - pending.append(run_portscan(semaphore, scan, target, service_detection)) - break - - services = [] - - while True: - if not pending: - heartbeat.cancel() - break - - done, pending = await asyncio.wait(pending, return_when=FIRST_COMPLETED) - - for task in done: - result = task.result() - - if result['returncode'] == 0: - if result['name'] == 'run_portscan': - for service_tuple in result['services']: - if service_tuple not in services: - services.append(service_tuple) - else: - continue - - protocol = service_tuple[0] - port = service_tuple[1] - service = service_tuple[2] - - info('Found {bmagenta}{service}{rst} on {bmagenta}{protocol}/{port}{rst} on target {byellow}{address}{rst}') - - if not only_scans_dir: - with open(os.path.join(target.reportdir, 'notes.txt'), 'a') as file: - file.writelines(e('[*] {service} found on {protocol}/{port}.\n\n\n\n')) - - if protocol == 'udp': - nmap_extra = nmap + " -sU" - else: - nmap_extra = nmap - - secure = True if 'ssl' in service or 'tls' in service else False - - # Special cases for HTTP. - scheme = 'https' if 'https' in service or 'ssl' in service or 'tls' in service else 'http' - - if service.startswith('ssl/') or service.startswith('tls/'): - service = service[4:] - - for service_scan in service_scans_config: - # Skip over configurable variables since the python toml parser cannot iterate over tables only. - if service_scan in ['username_wordlist', 'password_wordlist']: - continue - - ignore_service = False - if 'ignore-service-names' in service_scans_config[service_scan]: - for ignore_service_name in service_scans_config[service_scan]['ignore-service-names']: - if re.search(ignore_service_name, service): - ignore_service = True - break - - if ignore_service: - continue - - matched_service = False - - if 'service-names' in service_scans_config[service_scan]: - for service_name in service_scans_config[service_scan]['service-names']: - if re.search(service_name, service): - matched_service = True - break - - if not matched_service: - continue - - if 'manual' in service_scans_config[service_scan]: - heading = False - with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: - for manual in service_scans_config[service_scan]['manual']: - if 'description' in manual: - if not heading: - file.writelines(e('[*] {service} on {protocol}/{port}\n\n')) - heading = True - description = manual['description'] - file.writelines(e('\t[-] {description}\n\n')) - if 'commands' in manual: - if not heading: - file.writelines(e('[*] {service} on {protocol}/{port}\n\n')) - heading = True - for manual_command in manual['commands']: - manual_command = e(manual_command) - file.writelines('\t\t' + e('{manual_command}\n\n')) - if heading: - file.writelines('\n') - - if 'scan' in service_scans_config[service_scan]: - for scan in service_scans_config[service_scan]['scan']: - - if 'name' in scan: - name = scan['name'] - if 'command' in scan: - tag = e('{protocol}/{port}/{name}') - command = scan['command'] - - if 'ports' in scan: - port_match = False - - if protocol == 'tcp': - if 'tcp' in scan['ports']: - for tcp_port in scan['ports']['tcp']: - if port == tcp_port: - port_match = True - break - elif protocol == 'udp': - if 'udp' in scan['ports']: - for udp_port in scan['ports']['udp']: - if port == udp_port: - port_match = True - break - - if port_match == False: - warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + Style.NORMAL + '] Scan cannot be run against {protocol} port {port}. Skipping.' + Fore.RESET) - continue - - if 'run_once' in scan and scan['run_once'] == True: - scan_tuple = (name,) - if scan_tuple in target.scans: - warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan should only be run once and it appears to have already been queued. Skipping.' + Fore.RESET) - continue - else: - target.scans.append(scan_tuple) - else: - scan_tuple = (protocol, port, service, name) - if scan_tuple in target.scans: - warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan appears to have already been queued, but it is not marked as run_once in service-scans.toml. Possible duplicate tag? Skipping.' + Fore.RESET) - continue - else: - target.scans.append(scan_tuple) - - patterns = [] - if 'pattern' in scan: - patterns = scan['pattern'] - - pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, tag=tag, patterns=patterns))) - -def scan_host(target, concurrent_scans, outdir): - start_time = time.time() - info('Scanning target {byellow}{target.address}{rst}') - - if single_target: - basedir = os.path.abspath(outdir) - else: - basedir = os.path.abspath(os.path.join(outdir, target.address + srvname)) - target.basedir = basedir - os.makedirs(basedir, exist_ok=True) - - if not only_scans_dir: - exploitdir = os.path.abspath(os.path.join(basedir, 'exploit')) - os.makedirs(exploitdir, exist_ok=True) - - lootdir = os.path.abspath(os.path.join(basedir, 'loot')) - os.makedirs(lootdir, exist_ok=True) - - reportdir = os.path.abspath(os.path.join(basedir, 'report')) - target.reportdir = reportdir - os.makedirs(reportdir, exist_ok=True) - - open(os.path.abspath(os.path.join(reportdir, 'local.txt')), 'a').close() - open(os.path.abspath(os.path.join(reportdir, 'proof.txt')), 'a').close() - - screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots')) - os.makedirs(screenshotdir, exist_ok=True) - - scandir = os.path.abspath(os.path.join(basedir, 'scans')) - target.scandir = scandir - os.makedirs(scandir, exist_ok=True) - - os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True) - - # Use a lock when writing to specific files that may be written to by other asynchronous functions. - target.lock = asyncio.Lock() - - # Get event loop for current process. - loop = asyncio.get_event_loop() - - # Create a semaphore to limit number of concurrent scans. - semaphore = asyncio.Semaphore(concurrent_scans) - - try: - loop.run_until_complete(scan_services(loop, semaphore, target)) - elapsed_time = calculate_elapsed_time(start_time) - info('Finished scanning target {byellow}{target.address}{rst} in {elapsed_time}') - except KeyboardInterrupt: - sys.exit(1) - -class Target: - def __init__(self, address): - self.address = address - self.basedir = '' - self.reportdir = '' - self.scandir = '' - self.scans = [] - self.lock = None - self.running_tasks = [] - - - -def main(): - global single_target - global only_scans_dir - global port_scan_profile - global heartbeat_interval - global nmap - global srvname - global verbose - - _init() - parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.') - parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*") - parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.') - parser.add_argument('-ct', '--concurrent-targets', action='store', metavar='', type=int, default=5, help='The maximum number of target hosts to scan concurrently. Default: %(default)s') - parser.add_argument('-cs', '--concurrent-scans', action='store', metavar='', type=int, default=10, help='The maximum number of scans to perform per target host. Default: %(default)s') - parser.add_argument('--profile', action='store', default='default', dest='profile_name', help='The port scanning profile to use (defined in port-scan-profiles.toml). Default: %(default)s') - parser.add_argument('-o', '--output', action='store', default='results', dest='output_dir', help='The output directory for results. Default: %(default)s') - parser.add_argument('--single-target', action='store_true', default=False, help='Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the output directory. Default: false') - parser.add_argument('--only-scans-dir', action='store_true', default=False, help='Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: false') - parser.add_argument('--heartbeat', action='store', type=int, default=60, help='Specifies the heartbeat interval (in seconds) for task status messages. Default: %(default)s') - nmap_group = parser.add_mutually_exclusive_group() - nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s') - nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.') - parser.add_argument('-v', '--verbose', action='count', default=0, help='Enable verbose output. Repeat for more verbosity.') - parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running. Default: false') - parser.error = lambda s: fail(s[0].upper() + s[1:]) - args = parser.parse_args() - - single_target = args.single_target - only_scans_dir = args.only_scans_dir - - errors = False - - if args.concurrent_targets <= 0: - error('Argument -ch/--concurrent-targets: must be at least 1.') - errors = True - - concurrent_scans = args.concurrent_scans - - if concurrent_scans <= 0: - error('Argument -ct/--concurrent-scans: must be at least 1.') - errors = True - - port_scan_profile = args.profile_name - - found_scan_profile = False - for profile in port_scan_profiles_config: - if profile == port_scan_profile: - found_scan_profile = True - for scan in port_scan_profiles_config[profile]: - if 'service-detection' not in port_scan_profiles_config[profile][scan]: - error('The {profile}.{scan} scan does not have a defined service-detection section. Every scan must at least have a service-detection section defined with a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the result.') - errors = True - else: - if 'command' not in port_scan_profiles_config[profile][scan]['service-detection']: - error('The {profile}.{scan}.service-detection section does not have a command defined. Every service-detection section must have a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the results.') - errors = True - else: - if '{ports}' in port_scan_profiles_config[profile][scan]['service-detection']['command'] and 'port-scan' not in port_scan_profiles_config[profile][scan]: - error('The {profile}.{scan}.service-detection command appears to reference a port list but there is no port-scan section defined in {profile}.{scan}. Define a port-scan section with a command and corresponding pattern that extracts port numbers from the result, or replace the reference with a static list of ports.') - errors = True - - if 'pattern' not in port_scan_profiles_config[profile][scan]['service-detection']: - error('The {profile}.{scan}.service-detection section does not have a pattern defined. Every service-detection section must have a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the results.') - errors = True - else: - if not all(x in port_scan_profiles_config[profile][scan]['service-detection']['pattern'] for x in ['(?P', '(?P', '(?P']): - error('The {profile}.{scan}.service-detection pattern does not contain one or more of the following matching groups: port, protocol, service. Ensure that all three of these matching groups are defined and capture the relevant data, e.g. (?P\d+)') - errors = True - - if 'port-scan' in port_scan_profiles_config[profile][scan]: - if 'command' not in port_scan_profiles_config[profile][scan]['port-scan']: - error('The {profile}.{scan}.port-scan section does not have a command defined. Every port-scan section must have a command and a corresponding pattern that extracts the port from the results.') - errors = True - - if 'pattern' not in port_scan_profiles_config[profile][scan]['port-scan']: - error('The {profile}.{scan}.port-scan section does not have a pattern defined. Every port-scan section must have a command and a corresponding pattern that extracts the port from the results.') - errors = True - else: - if '(?P' not in port_scan_profiles_config[profile][scan]['port-scan']['pattern']: - error('The {profile}.{scan}.port-scan pattern does not contain a port matching group. Ensure that the port matching group is defined and captures the relevant data, e.g. (?P\d+)') - errors = True - break - - if not found_scan_profile: - error('Argument --profile: must reference a port scan profile defined in {port_scan_profiles_config_file}. No such profile found: {port_scan_profile}') - errors = True - - heartbeat_interval = args.heartbeat - - nmap = args.nmap - if args.nmap_append: - nmap += " " + args.nmap_append - - outdir = args.output_dir - srvname = '' - verbose = args.verbose - - raw_targets = args.targets - targets = [] - - if len(args.target_file) > 0: - if not os.path.isfile(args.target_file): - error('The target file {args.target_file} was not found.') - sys.exit(1) - try: - with open(args.target_file, 'r') as f: - lines = f.read() - for line in lines.splitlines(): - line = line.strip() - if line.startswith('#') or len(line) == 0: continue - if line not in raw_targets: - raw_targets.append(line) - except OSError: - error('The target file {args.target_file} could not be read.') - sys.exit(1) - - for target in raw_targets: - try: - ip = str(ipaddress.ip_address(target)) - - if ip not in targets: - targets.append(ip) - except ValueError: - - try: - target_range = ipaddress.ip_network(target, strict=False) - if not args.disable_sanity_checks and target_range.num_addresses > 256: - error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') - errors = True - else: - for ip in target_range.hosts(): - ip = str(ip) - if ip not in targets: - targets.append(ip) - except ValueError: - - try: - ip = socket.gethostbyname(target) - - if target not in targets: - targets.append(target) - except socket.gaierror: - error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') - errors = True - - if len(targets) == 0: - error('You must specify at least one target to scan!') - errors = True - - if single_target and len(targets) != 1: - error('You cannot provide more than one target when scanning in single-target mode.') - sys.exit(1) - - if not args.disable_sanity_checks and len(targets) > 256: - error('A total of ' + str(len(targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.') - errors = True - - if errors: - sys.exit(1) - - with ProcessPoolExecutor(max_workers=args.concurrent_targets) as executor: - start_time = time.time() - futures = [] - - for address in targets: - target = Target(address) - futures.append(executor.submit(scan_host, target, concurrent_scans, outdir)) - - try: - for future in as_completed(futures): - future.result() - except KeyboardInterrupt: - for future in futures: - future.cancel() - executor.shutdown(wait=False) - sys.exit(1) - - elapsed_time = calculate_elapsed_time(start_time) - info('{bgreen}Finished scanning all targets in {elapsed_time}!{rst}') - - -if __name__ == '__main__': - main() diff --git a/src/autorecon/config/global-patterns-default.toml b/src/autorecon/config/global-patterns-default.toml deleted file mode 100644 index 67f6600..0000000 --- a/src/autorecon/config/global-patterns-default.toml +++ /dev/null @@ -1,8 +0,0 @@ -# Patterns defined in this file will be checked against every line of output (e.g. port scans and service scans) - -[[pattern]] -description = 'Nmap script found a potential vulnerability. ({match})' -pattern = 'State: (?:(?:LIKELY\_?)?VULNERABLE)' - -[[pattern]] -pattern = '(?i)unauthorized' diff --git a/src/autorecon/config/port-scan-profiles-default.toml b/src/autorecon/config/port-scan-profiles-default.toml deleted file mode 100644 index 31cf8ba..0000000 --- a/src/autorecon/config/port-scan-profiles-default.toml +++ /dev/null @@ -1,45 +0,0 @@ -[default] - - [default.nmap-quick] - - [default.nmap-quick.service-detection] - command = 'nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' - - [default.nmap-full-tcp] - - [default.nmap-full-tcp.service-detection] - command = 'nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' - - [default.nmap-top-20-udp] - - [default.nmap-top-20-udp.service-detection] - command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' - -[quick] - - [quick.nmap-quick] - - [quick.nmap-quick.service-detection] - command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' - - [quick.nmap-top-20-udp] - - [quick.nmap-top-20-udp.service-detection] - command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' - -[udp] - - [udp.udp-top-20] - - [udp.udp-top-20.port-scan] - command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"' - pattern = '^UDP open\s*[\w-]+\[\s*(?P\d+)\].*$' - - [udp.udp-top-20.service-detection] - command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' - pattern = '^(?P\d+)\/(?P(udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' diff --git a/src/autorecon/config/service-scans-default.toml b/src/autorecon/config/service-scans-default.toml deleted file mode 100644 index 55197e4..0000000 --- a/src/autorecon/config/service-scans-default.toml +++ /dev/null @@ -1,586 +0,0 @@ -# Configurable Variables -username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt' - -[all-services] # Define scans here that you want to run against all services. - -service-names = [ - '.+' -] - - [[all-services.scan]] - name = 'sslscan' - command = 'if [ "{secure}" == "True" ]; then sslscan --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi' - -[cassandra] - -service-names = [ - '^apani1' -] - - [[cassandra.scan]] - name = 'nmap-cassandra' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}' - -[cups] - -service-names = [ - '^ipp' -] - - [[cups.scan]] - name = 'nmap-cups' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}' - -[distcc] - -service-names = [ - '^distccd' -] - - [[distcc.scan]] - name = 'nmap-distcc' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}' - -[dns] - -service-names = [ - '^domain' -] - - [[dns.scan]] - name = 'nmap-dns' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}' - -[finger] - -service-names = [ - '^finger' -] - - [[finger.scan]] - name = 'nmap-finger' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}' - -[ftp] - -service-names = [ - '^ftp', - '^ftp\-data' -] - - [[ftp.scan]] - name = 'nmap-ftp' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}' - - [[ftp.scan.pattern]] - description = 'Anonymous FTP Enabled!' - pattern = 'Anonymous FTP login allowed' - - [[ftp.manual]] - description = 'Bruteforce logins:' - commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' - ] - -[http] - -service-names = [ - '^http', -] - -ignore-service-names = [ - '^nacn_http$' -] - - [[http.scan]] - name = 'nmap-http' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}' - - [[http.scan.pattern]] - description = 'Identified HTTP Server: {match}' - pattern = 'Server: ([^\n]+)' - - [[http.scan.pattern]] - description = 'WebDAV is enabled' - pattern = 'WebDAV is ENABLED' - - [[http.scan]] - name = 'curl-index' - command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"' - - [[http.scan.pattern]] - pattern = '(?i)Powered by [^\n]+' - - [[http.scan]] - name = 'curl-robots' - command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"' - - [[http.scan]] - name = 'wkhtmltoimage' - command = 'if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png {scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{scheme}_screenshot.png; fi' - - [[http.scan]] - name = 'whatweb' - command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"' - - [[http.scan]] - name = 'feroxbuster' - command = 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt' - - [[http.manual]] - description = '(nikto) old but generally reliable web server enumeration tool' - commands = [ - 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"' - ] - - [[http.manual]] - description = '(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' - commands = [ - 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_big.txt', - 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_dirbuster.txt' - ] - - [[http.manual]] - description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' - commands = [ - 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt"', - 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"' - ] - - [[http.manual]] - description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):' - commands = [ - 'dirb {scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt"', - 'dirb {scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt"' - ] - - [[http.manual]] - description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):' - commands = [ - 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"', - 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' - ] - - [[http.manual]] - description = '(gobuster v1 & v2) Directory/file enumeration for web servers using various wordlists (same as dirb above):' - commands = [ - 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"', - 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' - ] - - [[http.manual]] - description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):' - commands = [ - 'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"' - ] - - [[http.manual]] - description = "Credential bruteforcing commands (don't run these without modifying them):" - commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"', - ] - -[imap] - -service-names = [ - '^imap' -] - - [[imap.scan]] - name = 'nmap-imap' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}' - -[kerberos] - -service-names = [ - '^kerberos', - '^kpasswd' -] - - [[kerberos.scan]] - name = 'nmap-kerberos' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}' - -[ldap] - -service-names = [ - '^ldap' -] - - [[ldap.scan]] - name = 'nmap-ldap' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}' - - [[ldap.scan]] - name = 'enum4linux' - command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' - run_once = true - ports.tcp = [139, 389, 445] - ports.udp = [137] - - [[ldap.manual]] - description = 'ldapsearch command (modify before running)' - commands = [ - 'ldapsearch -x -D "" -w """ -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"' - ] - -[mongodb] - -service-names = [ - '^mongod' -] - - [[mongodb.scan]] - name = 'nmap-mongodb' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}' - -[mssql] - -service-names = [ - '^mssql', - '^ms\-sql' -] - - [[mssql.scan]] - name = 'nmap-mssql' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}' - - [[mssql.manual]] - description = '(sqsh) interactive database shell' - commands = [ - 'sqsh -U -P -S {address}:{port}' - ] - -[mysql] - -service-names = [ - '^mysql' -] - - [[mysql.scan]] - name = 'nmap-mysql' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}' - -[nfs] - -service-names = [ - '^nfs', - '^rpcbind' -] - - [[nfs.scan]] - name = 'nmap-nfs' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}' - - [[nfs.scan]] - name = 'showmount' - command = 'showmount -e {address} 2>&1 | tee "{scandir}/{protocol}_{port}_showmount.txt"' - -[nntp] - -service-names = [ - '^nntp' -] - - [[nntp.scan]] - name = 'nmap-nntp' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}' - -[oracle] - -service-names = [ - '^oracle' -] - - [[oracle.scan]] - name = 'nmap-oracle' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}' - - [[oracle.scan]] - name = 'oracle-tnscmd-ping' - command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_ping.txt"' - - [[oracle.scan]] - name = 'oracle-tnscmd-version' - command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"' - - [[oracle.scan]] - name = 'oracle-tnscmd-version' - command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"' - - [[oracle.scan]] - name = 'oracle-scanner' - command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_scanner.txt"' - - [[oracle.manual]] - description = 'Brute-force SIDs using Nmap' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}' - - [[oracle.manual]] - description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:' - commands = [ - 'python odat.py tnscmd -s {address} -p {port} --ping', - 'python odat.py tnscmd -s {address} -p {port} --version', - 'python odat.py tnscmd -s {address} -p {port} --status', - 'python odat.py sidguesser -s {address} -p {port}', - 'python odat.py passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt', - 'python odat.py tnspoison -s {address} -p {port} -d --test-module' - ] - - [[oracle.manual]] - description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:' - commands = [ - 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000' - ] - -[pop3] - -service-names = [ - '^pop3' -] - - [[pop3.scan]] - name = 'nmap-pop3' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}' - -[rdp] - -service-names = [ - '^rdp', - '^ms\-wbt\-server', - '^ms\-term\-serv' -] - - [[rdp.scan]] - name = 'nmap-rdp' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}' - - [[rdp.manual]] - description = 'Bruteforce logins:' - commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' - ] - -[rmi] - -service-names = [ - '^java\-rmi', - '^rmiregistry' -] - - [[rmi.scan]] - name = 'nmap-rmi' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}' - -[rpc] - -service-names = [ - '^msrpc', - '^rpcbind', - '^erpc' -] - - [[rpc.scan]] - name = 'nmap-msrpc' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}' - - [[rpc.manual]] - description = 'RPC Client:' - commands = [ - 'rpcclient -p {port} -U "" {address}' - ] - -[sip] - -service-names = [ - '^asterisk' -] - - [[sip.scan]] - name = 'nmap-sip' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}' - - [[sip.scan]] - name = 'svwar' - command = 'svwar -D -m INVITE -p {port} {address}' - -[ssh] - -service-names = [ - '^ssh' -] - - [[ssh.scan]] - name = 'nmap-ssh' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}' - - [[ssh.manual]] - description = 'Bruteforce logins:' - commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' - ] -[smb] - -service-names = [ - '^smb', - '^microsoft\-ds', - '^netbios' -] - - [[smb.scan]] - name = 'nmap-smb' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}' - - [[smb.scan]] - name = 'enum4linux' - command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' - run_once = true - ports.tcp = [139, 389, 445] - ports.udp = [137] - - [[smb.scan]] - name = 'nbtscan' - command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"' - run_once = true - ports.udp = [137] - - [[smb.scan]] - name = 'smbclient' - command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"' - run_once = true - ports.tcp = [139, 445] - - [[smb.scan]] - name = 'smbmap-share-permissions' - command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"' - - [[smb.scan]] - name = 'smbmap-list-contents' - command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"' - - [[smb.scan]] - name = 'smbmap-execute-command' - command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"' - - [[smb.manual]] - description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:' - commands = [ - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' - ] - -[smtp] - -service-names = [ - '^smtp' -] - - [[smtp.scan]] - name = 'nmap-smtp' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}' - - [[smtp.scan]] - name = 'smtp-user-enum' - command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"' - -[snmp] - -service-names = [ - '^snmp' -] - - [[snmp.scan]] - name = 'nmap-snmp' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}' - - [[snmp.scan]] - name = 'onesixtyone' - command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk' - command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk-system-processes' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk-running-processes' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk-process-paths' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk-storage-units' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk-software-names' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk-user-accounts' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"' - run_once = true - ports.udp = [161] - - [[snmp.scan]] - name = 'snmpwalk-tcp-ports' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"' - run_once = true - ports.udp = [161] - -[telnet] - -service-names = [ - '^telnet' -] - - [[telnet.scan]] - name = 'nmap-telnet' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}' - -[tftp] - -service-names = [ - '^tftp' -] - - [[tftp.scan]] - name = 'nmap-tftp' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}' - -[vnc] - -service-names = [ - '^vnc' -] - - [[vnc.scan]] - name = 'nmap-vnc' - command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'