Reformatted code to be pip compatible.

autorecon/config.py

@@ -1,4 +1,6 @@
-import os
+import appdirs, os
+
+config_dir = appdirs.user_config_dir('AutoRecon')
 
 configurable_keys = [
 	'ports',
@@ -39,7 +41,8 @@ configurable_boolean_keys = [
 
 config = {
 	'protected_classes': ['autorecon', 'target', 'service', 'commandstreamreader', 'plugin', 'portscan', 'servicescan', 'global', 'pattern'],
-	'global_file': os.path.dirname(os.path.realpath(os.path.join(__file__, '..'))) + '/global.toml',
+	'config_dir': config_dir,
+	'global_file': os.path.join(config_dir, 'global.toml'),
 	'ports': None,
 	'max_scans': 50,
 	'max_port_scans': None,
@@ -48,7 +51,7 @@ config = {
 	'port_scans': None,
 	'service_scans': None,
 	'reports': None,
-	'plugins_dir': os.path.dirname(os.path.abspath(os.path.join(__file__, '..'))) + '/plugins',
+	'plugins_dir': os.path.join(config_dir, 'plugins'),
 	'add_plugins_dir': None,
 	'outdir': 'results',
 	'single_target': False,

autorecon/config.toml

@@ -0,0 +1,19 @@
+# Configure regular AutoRecon options at the top of this file.
+
+create-port-dirs = true
+nmap-append = '-T4'
+# verbose = 1
+# max-scans = 30
+
+# Configure global options here.
+# [global]
+# username-wordlist = '/usr/share/seclists/Usernames/cirt-default-usernames.txt'
+
+# Configure plugin options here.
+# [dirbuster]
+# threads = 50
+# wordlist = [
+# 	'/usr/share/seclists/Discovery/Web-Content/common.txt',
+# 	'/usr/share/seclists/Discovery/Web-Content/big.txt',
+# 	'/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
+# ]

autorecon/default-plugins/databases.py

@@ -0,0 +1,135 @@
+from autorecon.plugins import ServiceScan
+from autorecon.io import error
+from shutil import which
+
+class NmapMongoDB(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap MongoDB"
+		self.tags = ['default', 'safe', 'databases']
+
+	def configure(self):
+		self.match_service_name('^mongod')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}')
+
+class NmapMSSQL(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap MSSQL"
+		self.tags = ['default', 'safe', 'databases']
+
+	def configure(self):
+		self.match_service_name(['^mssql', '^ms\-sql'])
+
+	def manual(self, service, plugin_was_run):
+		if service.target.ipversion == 'IPv4':
+			service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}')
+
+class NmapMYSQL(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap MYSQL"
+		self.tags = ['default', 'safe', 'databases']
+
+	def configure(self):
+		self.match_service_name('^mysql')
+
+	def manual(self, service, plugin_was_run):
+		if service.target.ipversion == 'IPv4':
+			service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}')
+
+class NmapOracle(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap Oracle"
+		self.tags = ['default', 'safe', 'databases']
+
+	def configure(self):
+		self.match_service_name('^oracle')
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}')
+
+class OracleTNScmd(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Oracle TNScmd"
+		self.tags = ['default', 'safe', 'databases']
+
+	def configure(self):
+		self.match_service_name('^oracle')
+
+	def check(self):
+		if which('tnscmd10g') is None:
+			error('The tnscmd10g program could not be found. Make sure it is installed. (On Kali, run: sudo apt install tnscmd10g)')
+
+	async def run(self, service):
+		if service.target.ipversion == 'IPv4':
+			await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt')
+			await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt')
+
+class OracleScanner(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Oracle Scanner"
+		self.tags = ['default', 'safe', 'databases']
+
+	def configure(self):
+		self.match_service_name('^oracle')
+
+	def check(self):
+		if which('oscanner') is None:
+			error('The oscanner program could not be found. Make sure it is installed. (On Kali, run: sudo apt install oscanner)')
+
+	async def run(self, service):
+		await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt')
+
+class OracleODAT(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Oracle ODAT"
+		self.tags = ['default', 'safe', 'databases']
+
+	def configure(self):
+		self.match_service_name('^oracle')
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [
+			'python odat.py tnscmd -s {address} -p {port} --ping',
+			'python odat.py tnscmd -s {address} -p {port} --version',
+			'python odat.py tnscmd -s {address} -p {port} --status',
+			'python odat.py sidguesser -s {address} -p {port}',
+			'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
+			'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module'
+		])
+
+class OraclePatator(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Oracle Patator"
+		self.tags = ['default', 'databases']
+
+	def configure(self):
+		self.match_service_name('^oracle')
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000')

autorecon/default-plugins/default-port-scan.py

@@ -0,0 +1,103 @@
+from autorecon.plugins import PortScan
+from autorecon.io import info, error
+from autorecon.config import config
+import os, re
+
+class QuickTCPPortScan(PortScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Top TCP Ports'
+		self.description = 'Performs an Nmap scan of the top 1000 TCP ports.'
+		self.type = 'tcp'
+		self.tags = ['default', 'default-port-scan']
+		self.priority = 0
+
+	async def run(self, target):
+		if target.ports: # Don't run this plugin if there are custom ports.
+			return []
+
+		if config['proxychains']:
+			traceroute_os = ''
+		else:
+			traceroute_os = ' -A --osscan-guess'
+
+		process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False)
+		services = await target.extract_services(stdout)
+		await process.wait()
+		return services
+
+class AllTCPPortScan(PortScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'All TCP Ports'
+		self.description = 'Performs an Nmap scan of all TCP ports.'
+		self.type = 'tcp'
+		self.specific_ports = True
+		self.tags = ['default', 'default-port-scan', 'long']
+
+	async def run(self, target):
+		if config['proxychains']:
+			traceroute_os = ''
+		else:
+			traceroute_os = ' -A --osscan-guess'
+
+		if target.ports:
+			if target.ports['tcp']:
+				process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -p ' + target.ports['tcp'] + ' -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False)
+			else:
+				return []
+		else:
+			process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False)
+		services = []
+		while True:
+			line = await stdout.readline()
+			if line is not None:
+				match = re.search('^Discovered open port ([0-9]+)/tcp', line)
+				if match:
+					info('Discovered open port {bmagenta}tcp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
+				service = target.extract_service(line)
+				if service:
+					services.append(service)
+			else:
+				break
+		await process.wait()
+		return services
+
+class Top100UDPPortScan(PortScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Top 100 UDP Ports'
+		self.description = 'Performs an Nmap scan of the top 100 UDP ports.'
+		self.type = 'udp'
+		self.specific_ports = True
+		self.tags = ['default', 'default-port-scan', 'long']
+
+	async def run(self, target):
+		# Only run UDP scan if user is root.
+		if os.getuid() == 0:
+			if target.ports:
+				if target.ports['udp']:
+					process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --osscan-guess -p ' + target.ports['udp'] + ' -oN "{scandir}/_custom_ports_udp_nmap.txt" -oX "{scandir}/xml/_custom_ports_udp_nmap.xml" {address}', blocking=False)
+				else:
+					return []
+			else:
+				process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --top-ports 100 -oN "{scandir}/_top_100_udp_nmap.txt" -oX "{scandir}/xml/_top_100_udp_nmap.xml" {address}', blocking=False)
+			services = []
+			while True:
+				line = await stdout.readline()
+				if line is not None:
+					match = re.search('^Discovered open port ([0-9]+)/udp', line)
+					if match:
+						info('Discovered open port {bmagenta}udp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
+					service = target.extract_service(line)
+					if service:
+						services.append(service)
+				else:
+					break
+			await process.wait()
+			return services
+		else:
+			error('UDP scan requires AutoRecon be run with root privileges.')

autorecon/default-plugins/dns.py

@@ -0,0 +1,57 @@
+from autorecon.plugins import ServiceScan
+
+class NmapDNS(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap DNS'
+		self.tags = ['default', 'safe', 'dns']
+
+	def configure(self):
+		self.match_service_name('^domain')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}')
+
+class DNSZoneTransfer(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'DNS Zone Transfer'
+		self.tags = ['default', 'safe', 'dns']
+
+	def configure(self):
+		self.match_service_name('^domain')
+
+	async def run(self, service):
+		if self.get_global('domain'):
+			await service.execute('dig AXFR -p {port} @{address} ' + self.get_global('domain'), outfile='{protocol}_{port}_dns_zone-transfer-domain.txt')
+		if service.target.type == 'hostname':
+			await service.execute('dig AXFR -p {port} @{address} {address}', outfile='{protocol}_{port}_dns_zone-transfer-hostname.txt')
+		await service.execute('dig AXFR -p {port} @{address}', outfile='{protocol}_{port}_dns_zone-transfer.txt')
+
+class DNSReverseLookup(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'DNS Reverse Lookup'
+		self.tags = ['default', 'safe', 'dns']
+
+	def configure(self):
+		self.match_service_name('^domain')
+
+	async def run(self, service):
+		await service.execute('dig -p {port} -x {address} @{address}', outfile='{protocol}_{port}_dns_reverse-lookup.txt')
+
+class NmapMulticastDNS(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap Multicast DNS'
+		self.tags = ['default', 'safe', 'dns']
+
+	def configure(self):
+		self.match_service_name(['^mdns', '^zeroconf'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_multicastdns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_multicastdns_nmap.xml" {address}')

autorecon/default-plugins/ftp.py

@@ -0,0 +1,30 @@
+from autorecon.plugins import ServiceScan
+
+class NmapFTP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap FTP'
+		self.tags = ['default', 'safe', 'ftp']
+
+	def configure(self):
+		self.match_service_name(['^ftp', '^ftp\-data'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}')
+
+class BruteforceFTP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Bruteforce FTP"
+		self.tags = ['default', 'ftp']
+
+	def configure(self):
+		self.match_service_name(['^ftp', '^ftp\-data'])
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_commands('Bruteforce logins:', [
+			'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{addressv6}',
+			'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {addressv6}'
+		])

autorecon/default-plugins/guess-port-scan.py

@@ -0,0 +1,48 @@
+from autorecon.plugins import PortScan
+from autorecon.targets import Service
+import re
+
+class GuesPortScan(PortScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Guess TCP Ports'
+		self.type = 'tcp'
+		self.description = 'Performs an Nmap scan of the all TCP ports but guesses services based off the port found. Can be quicker. Proper service matching is performed at the end of the scan.'
+		self.tags = ['guess-port-scan', 'long']
+		self.priority = 0
+
+	async def run(self, target):
+		if target.ports:
+			if target.ports['tcp']:
+				process, stdout, stderr = await target.execute('nmap {nmap_extra} -A --osscan-guess --version-all -p ' + target.ports['tcp'] + ' -oN "{scandir}/_custom_ports_tcp_nmap.txt" -oX "{scandir}/xml/_custom_ports_tcp_nmap.xml" {address}', blocking=False)
+			else:
+				return []
+		else:
+			process, stdout, stderr = await target.execute('nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False)
+
+		insecure_ports = {
+			'20':'ftp', '21':'ftp', '22':'ssh', '23':'telnet', '25':'smtp', '53':'domain', '69':'tftp', '79':'finger', '80':'http', '88':'kerberos', '109':'pop3', '110':'pop3', '111':'rpcbind', '119':'nntp', '135':'msrpc', '139':'netbios-ssn', '143':'imap', '161':'snmp', '220':'imap', '389':'ldap', '433':'nntp', '445':'smb', '587':'smtp', '631':'ipp', '873':'rsync', '1098':'java-rmi', '1099':'java-rmi', '1433':'mssql', '1521':'oracle', '2049':'nfs', '2483':'oracle', '3020':'smb', '3306':'mysql', '3389':'rdp', '3632':'distccd', '5060':'asterisk', '5500':'vnc', '5900':'vnc', '5985':'wsman', '6379':'redis', '8080':'http-proxy', '27017':'mongod', '27018':'mongod', '27019':'mongod'
+		}
+		secure_ports = {
+			'443':'https', '465':'smtp', '563':'nntp', '585':'imaps', '593':'msrpc', '636':'ldap', '989':'ftp', '990':'ftp', '992':'telnet', '993':'imaps', '995':'pop3s', '2484':'oracle', '5061':'asterisk', '5986':'wsman'
+		}
+
+		services = []
+		while True:
+			line = await stdout.readline()
+			if line is not None:
+				match = re.match('^Discovered open port ([0-9]+)/tcp', line)
+				if match:
+					if match.group(1) in insecure_ports.keys():
+						await target.add_service(Service('tcp', match.group(1), insecure_ports[match.group(1)]))
+					elif match.group(1) in secure_ports.keys():
+						await target.add_service(Service('tcp', match.group(1), secure_ports[match.group(1)], True))
+				service = target.extract_service(line)
+				if service is not None:
+					services.append(service)
+			else:
+				break
+
+		await process.wait()
+		return services

autorecon/default-plugins/http_server.py

@@ -0,0 +1,214 @@
+from autorecon.plugins import ServiceScan
+from autorecon.io import error, info, fformat
+from shutil import which
+import os
+
+class NmapHTTP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap HTTP"
+		self.tags = ['default', 'safe', 'http']
+
+	def configure(self):
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+		self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match}')
+		self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}')
+
+class BruteforceHTTP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Bruteforce HTTP"
+		self.tags = ['default', 'http']
+
+	def configure(self):
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [
+			'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{addressv6}/path/to/auth/area',
+			'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {addressv6} -m DIR:/path/to/auth/area',
+			'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{addressv6}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
+			'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {addressv6} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"'
+		])
+
+class Curl(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Curl"
+		self.tags = ['default', 'safe', 'http']
+
+	def configure(self):
+		self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s")
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+		self.add_pattern('(?i)powered[ -]by[^\n]+')
+
+	async def run(self, service):
+		if service.protocol == 'tcp':
+			await service.execute('curl -sSik {http_scheme}://{addressv6}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html')
+
+class CurlRobots(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Curl Robots"
+		self.tags = ['default', 'safe', 'http']
+
+	def configure(self):
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+
+	async def run(self, service):
+		if service.protocol == 'tcp':
+			_, stdout, _ = await service.execute('curl -sSikf {http_scheme}://{addressv6}:{port}/robots.txt', future_outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt')
+			lines = await stdout.readlines()
+
+			if lines:
+				filename = fformat('{scandir}/{protocol}_{port}_{http_scheme}_curl-robots.txt')
+				with open(filename, mode='wt', encoding='utf8') as robots:
+					robots.write('\n'.join(lines))
+			else:
+				info('{bblue}[' + fformat('{tag}') + ']{rst} There did not appear to be a robots.txt file in the webroot (/).')
+
+class DirBuster(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Directory Buster"
+		self.slug = 'dirbuster'
+		self.priority = 0
+		self.tags = ['default', 'safe', 'long', 'http']
+
+	def configure(self):
+		self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s')
+		self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt', '/usr/share/seclists/Discovery/Web-Content/big.txt', '/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt'], help='The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: %(default)s')
+		self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s')
+		self.add_option('ext', default='txt,html,php,asp,aspx,jsp', help='The extensions you wish to fuzz (no dot, comma separated). Default: %(default)s')
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+
+	def check(self):
+		tool = self.get_option('tool')
+		if tool == 'feroxbuster':
+			if which('feroxbuster') is None:
+				error('The feroxbuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install feroxbuster)')
+		elif tool == 'gobuster':
+			if which('gobuster') is None:
+				error('The gobuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install gobuster)')
+		elif tool == 'dirsearch':
+			if which('dirsearch') is None:
+				error('The dirsearch program could not be found. Make sure it is installed. (On Kali, run: sudo apt install dirsearch)')
+
+	async def run(self, service):
+		dot_extensions = ','.join(['.' + x for x in self.get_option('ext').split(',')])
+		for wordlist in self.get_option('wordlist'):
+			name = os.path.splitext(os.path.basename(wordlist))[0]
+			if self.get_option('tool') == 'feroxbuster':
+				await service.execute('feroxbuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "' + self.get_option('ext') + '" -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"')
+			elif self.get_option('tool') == 'gobuster':
+				await service.execute('gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"')
+			elif self.get_option('tool') == 'dirsearch':
+				if service.target.ipversion == 'IPv6':
+					error('dirsearch does not support IPv6.')
+				else:
+					await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -e "' + self.get_option('ext') + '" -f -q -w ' + wordlist + ' --format=plain -o "{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"')
+			elif self.get_option('tool') == 'ffuf':
+				await service.execute('ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt')
+			elif self.get_option('tool') == 'dirb':
+				await service.execute('dirb {http_scheme}://{addressv6}:{port}/ ' + wordlist + ' -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"')
+
+	def manual(self, service, plugin_was_run):
+		dot_extensions = ','.join(['.' + x for x in self.get_option('ext').split(',')])
+		if self.get_option('tool') == 'feroxbuster':
+			service.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
+				'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "' + self.get_option('ext') + '" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt'
+			])
+		elif self.get_option('tool') == 'gobuster':
+			service.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
+				'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"'
+			])
+		elif self.get_option('tool') == 'dirsearch':
+			if service.target.ipversion == 'IPv4':
+				service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
+					'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e "' + self.get_option('ext') + '" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"'
+				])
+		elif self.get_option('tool') == 'ffuf':
+			service.add_manual_command('(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
+				'ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_dirbuster.txt'
+			])
+		elif self.get_option('tool') == 'dirb':
+			service.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [
+				'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"'
+			])
+
+class Nikto(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'nikto'
+		self.tags = ['default', 'safe', 'long', 'http']
+
+	def configure(self):
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+
+	def manual(self, service, plugin_was_run):
+		if service.target.ipversion == 'IPv4':
+			service.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"')
+
+class WhatWeb(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "whatweb"
+		self.tags = ['default', 'safe', 'http']
+
+	def configure(self):
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+
+	async def run(self, service):
+		if service.protocol == 'tcp' and service.target.ipversion == 'IPv4':
+			await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt')
+
+class WkHTMLToImage(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "wkhtmltoimage"
+		self.tags = ['default', 'safe', 'http']
+
+	def configure(self):
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+
+	def check(self):
+		if which('wkhtmltoimage') is None:
+			error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)')
+
+	async def run(self, service):
+		if which('wkhtmltoimage') is not None:
+			if service.protocol == 'tcp':
+				await service.execute('wkhtmltoimage --format png {http_scheme}://{addressv6}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png')
+
+class WPScan(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'WPScan'
+		self.tags = ['default', 'safe', 'http']
+
+	def configure(self):
+		self.match_service_name('^http')
+		self.match_service_name('^nacn_http$', negative_match=True)
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{addressv6}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"')

autorecon/default-plugins/kerberos.py

@@ -0,0 +1,17 @@
+from autorecon.plugins import ServiceScan
+
+class NmapKerberos(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap Kerberos"
+		self.tags = ['default', 'safe', 'kerberos', 'active-directory']
+
+	def configure(self):
+		self.match_service_name(['^kerberos', '^kpasswd'])
+
+	async def run(self, service):
+		if self.get_global('domain') and self.get_global('username-wordlist'):
+			await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="' + self.get_global('domain') + '",userdb="' + self.get_global('username-wordlist') + '" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}')
+		else:
+			await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}')

autorecon/default-plugins/ldap.py

@@ -0,0 +1,29 @@
+from autorecon.plugins import ServiceScan
+
+class NmapLDAP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap LDAP"
+		self.tags = ['default', 'safe', 'ldap', 'active-directory']
+
+	def configure(self):
+		self.match_service_name('^ldap')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}')
+
+class LDAPSearch(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'LDAP Search'
+		self.tags = ['default', 'safe', 'ldap', 'active-directory']
+
+	def configure(self):
+		self.match_service_name('^ldap')
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_command('ldapsearch command (modify before running):', [
+			'ldapsearch -x -D "<username>" -w "<password>"" -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"'
+		])

autorecon/default-plugins/misc.py

@@ -0,0 +1,188 @@
+from autorecon.plugins import ServiceScan
+from autorecon.io import fformat
+
+class NmapCassandra(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap Cassandra"
+		self.tags = ['default', 'safe', 'cassandra']
+
+	def configure(self):
+		self.match_service_name('^apani1')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}')
+
+class NmapCUPS(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap CUPS"
+		self.tags = ['default', 'safe', 'cups']
+
+	def configure(self):
+		self.match_service_name('^ipp')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}')
+
+class NmapDistccd(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap distccd"
+		self.tags = ['default', 'safe', 'distccd']
+
+	def configure(self):
+		self.match_service_name('^distccd')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}')
+
+class NmapFinger(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap finger"
+		self.tags = ['default', 'safe', 'finger']
+
+	def configure(self):
+		self.match_service_name('^finger')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}')
+
+class NmapIMAP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap IMAP"
+		self.tags = ['default', 'safe', 'imap', 'email']
+
+	def configure(self):
+		self.match_service_name('^imap')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}')
+
+class NmapIrc(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap IRC'
+		self.tags = ['default', 'safe', 'irc']
+
+	def configure(self):
+		self.match_service_name('^irc')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -oN "{scandir}/{protocol}_{port}_irc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_irc_nmap.xml" -p {port} {address}')
+
+class NmapNNTP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap NNTP"
+		self.tags = ['default', 'safe', 'nntp']
+
+	def configure(self):
+		self.match_service_name('^nntp')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}')
+
+class NmapPOP3(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap POP3"
+		self.tags = ['default', 'safe', 'pop3', 'email']
+
+	def configure(self):
+		self.match_service_name('^pop3')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}')
+
+class NmapRMI(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap RMI"
+		self.tags = ['default', 'safe', 'rmi']
+
+	def configure(self):
+		self.match_service_name(['^java\-rmi', '^rmiregistry'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}')
+
+class NmapTelnet(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap Telnet'
+		self.tags = ['default', 'safe', 'telnet']
+
+	def configure(self):
+		self.match_service_name('^telnet')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}')
+
+class NmapTFTP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap TFTP'
+		self.tags = ['default', 'safe', 'tftp']
+
+	def configure(self):
+		self.match_service_name('^tftp')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}')
+
+class NmapVNC(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap VNC'
+		self.tags = ['default', 'safe', 'vnc']
+
+	def configure(self):
+		self.match_service_name('^vnc')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}')
+
+class WinRMDetection(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'WinRM Detection'
+		self.tags = ['default', 'safe', 'winrm']
+
+	def configure(self):
+		self.match_service_name('^wsman')
+		self.match_service('tcp', [5985, 5986], '^http')
+
+	async def run(self, service):
+		filename = fformat('{scandir}/{protocol}_{port}_winrm-detection.txt')
+		with open(filename, mode='wt', encoding='utf8') as winrm:
+			winrm.write('WinRM was possibly detected running on ' + service.protocol + ' port ' + str(service.port) + '.\nCheck _manual_commands.txt for manual commands you can run against this service.')
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_commands('Bruteforce logins:', [
+			'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u ' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + ' -p ' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt')
+		])
+
+		service.add_manual_commands('Check login (requires credentials):', [
+			'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u <username> -p <password> -x "whoami"'
+		])
+
+		service.add_manual_commands('Evil WinRM (gem install evil-winrm):', [
+			'evil-winrm -u <user> -p <password> -i {address}',
+			'evil-winrm -u <user> -H <hash> -i {address}'
+		])

autorecon/default-plugins/nfs.py

@@ -0,0 +1,40 @@
+from autorecon.plugins import ServiceScan
+
+class NmapNFS(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap NFS"
+		self.tags = ['default', 'safe', 'nfs']
+
+	def configure(self):
+		self.match_service_name(['^nfs', '^rpcbind'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}')
+
+class Showmount(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "showmount"
+		self.tags = ['default', 'safe', 'nfs']
+
+	def configure(self):
+		self.match_service_name(['^nfs', '^rpcbind'])
+
+	async def run(self, service):
+		await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt')
+
+class NmapMountd(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap Mountd"
+		self.tags = ['default', 'safe', 'nfs']
+
+	def configure(self):
+		self.match_service_name('^mountd')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nfs* and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mountd_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mountd_nmap.xml" {address}')

autorecon/default-plugins/rdp.py

@@ -0,0 +1,30 @@
+from autorecon.plugins import ServiceScan
+
+class NmapRDP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap RDP"
+		self.tags = ['default', 'safe', 'rdp']
+
+	def configure(self):
+		self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}')
+
+class BruteforceRDP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Bruteforce RDP"
+		self.tags = ['default', 'rdp']
+
+	def configure(self):
+		self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv'])
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_commands('Bruteforce logins:', [
+			'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{addressv6}',
+			'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {addressv6}'
+		])

autorecon/default-plugins/redis.py

@@ -0,0 +1,37 @@
+from autorecon.plugins import ServiceScan
+from autorecon.io import error
+from shutil import which
+
+class NmapRedis(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap Redis'
+		self.tags = ['default', 'safe', 'redis']
+
+	def configure(self):
+		self.match_service_name('^redis$')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,redis-info" -oN "{scandir}/{protocol}_{port}_redis_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_redis_nmap.xml" {address}')
+
+class RedisCli(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Redis Cli'
+		self.tags = ['default', 'safe', 'redis']
+
+	def configure(self):
+		self.match_service_name('^redis$')
+
+	def check(self):
+		if which('redis-cli') is None:
+			error('The redis-cli program could not be found. Make sure it is installed. (On Kali, run: sudo apt install redis-tools)')
+
+	async def run(self, service):
+		if which('redis-cli') is not None:
+			_, stdout, _ = await service.execute('redis-cli -p {port} -h {address} INFO', outfile='{protocol}_{port}_redis_info.txt')
+			if not (await stdout.readline()).startswith('NOAUTH Authentication required'):
+				await service.execute('redis-cli -p {port} -h {address} CONFIG GET \'*\'', outfile='{protocol}_{port}_redis_config.txt')
+				await service.execute('redis-cli -p {port} -h {address} CLIENT LIST', outfile='{protocol}_{port}_redis_client-list.txt')

autorecon/default-plugins/reporting.py

@@ -0,0 +1,163 @@
+from autorecon.plugins import Report
+from autorecon.config import config
+from xml.sax.saxutils import escape
+import os, glob
+
+class CherryTree(Report):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'CherryTree'
+		self.tags = []
+
+	async def run(self, targets):
+		if len(targets) > 1:
+			report = os.path.join(config['outdir'], 'report.xml.ctd')
+		elif len(targets) == 1:
+			report = os.path.join(targets[0].reportdir, 'report.xml.ctd')
+		else:
+			return
+
+		with open(report, 'w') as output:
+			output.writelines('<?xml version="1.0" encoding="UTF-8"?>\n<cherrytree>\n')
+			for target in targets:
+				output.writelines('<node name="' + escape(target.address) + '" is_bold="1" custom_icon_id="1">\n')
+
+				files = [os.path.abspath(filename) for filename in glob.iglob(os.path.join(target.scandir, '**/*'), recursive=True) if os.path.isfile(filename) and filename.endswith(('.txt', '.html'))]
+
+				if target.scans['ports']:
+					output.writelines('<node name="Port Scans" custom_icon_id="2">\n')
+					for scan in target.scans['ports'].keys():
+						if len(target.scans['ports'][scan]['commands']) > 0:
+							output.writelines('<node name="PortScan: ' + escape(target.scans['ports'][scan]['plugin'].name) + '" custom_icon_id="21">\n')
+							for command in target.scans['ports'][scan]['commands']:
+								output.writelines('<rich_text>' + escape(command[0]))
+								for filename in files:
+									if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
+										output.writelines('\n\n' + escape(filename) + ':\n\n')
+										with open(filename, 'r') as file:
+											output.writelines(escape(file.read()) + '\n')
+								output.writelines('</rich_text>\n')
+							output.writelines('</node>\n')
+					output.writelines('</node>\n')
+				if target.scans['services']:
+					output.writelines('<node name="Services" custom_icon_id="2">\n')
+					for service in target.scans['services'].keys():
+						output.writelines('<node name="Service: ' + escape(service.tag()) + '" custom_icon_id="3">\n')
+						for plugin in target.scans['services'][service].keys():
+							if len(target.scans['services'][service][plugin]['commands']) > 0:
+								output.writelines('<node name="' + escape(target.scans['services'][service][plugin]['plugin'].name) + '" custom_icon_id="21">\n')
+								for command in target.scans['services'][service][plugin]['commands']:
+									output.writelines('<rich_text>' + escape(command[0]))
+									for filename in files:
+										if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
+											output.writelines('\n\n' + escape(filename) + ':\n\n')
+											with open(filename, 'r') as file:
+												output.writelines(escape(file.read()) + '\n')
+									output.writelines('</rich_text>\n')
+								output.writelines('</node>\n')
+						output.writelines('</node>\n')
+					output.writelines('</node>\n')
+
+				manual_commands = os.path.join(target.scandir, '_manual_commands.txt')
+				if os.path.isfile(manual_commands):
+					output.writelines('<node name="Manual Commands" custom_icon_id="22">\n')
+					with open(manual_commands, 'r') as file:
+						output.writelines('<rich_text>' + escape(file.read()) + '</rich_text>\n')
+					output.writelines('</node>\n')
+
+				patterns = os.path.join(target.scandir, '_patterns.log')
+				if os.path.isfile(patterns):
+					output.writelines('<node name="Patterns" custom_icon_id="10">\n')
+					with open(patterns, 'r') as file:
+						output.writelines('<rich_text>' + escape(file.read()) + '</rich_text>\n')
+					output.writelines('</node>\n')
+
+				commands = os.path.join(target.scandir, '_commands.log')
+				if os.path.isfile(commands):
+					output.writelines('<node name="Commands" custom_icon_id="21">\n')
+					with open(commands, 'r') as file:
+						output.writelines('<rich_text>' + escape(file.read()) + '</rich_text>\n')
+					output.writelines('</node>\n')
+
+				errors = os.path.join(target.scandir, '_errors.log')
+				if os.path.isfile(errors):
+					output.writelines('<node name="Errors" custom_icon_id="57">\n')
+					with open(errors, 'r') as file:
+						output.writelines('<rich_text>' + escape(file.read()) + '</rich_text>\n')
+					output.writelines('</node>\n')
+				output.writelines('</node>\n')
+
+			output.writelines('</cherrytree>')
+
+class Markdown(Report):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Markdown'
+
+	async def run(self, targets):
+		if len(targets) > 1:
+			report = os.path.join(config['outdir'], 'report.md')
+		elif len(targets) == 1:
+			report = os.path.join(targets[0].reportdir, 'report.md')
+		else:
+			return
+
+		os.makedirs(report, exist_ok=True)
+
+		for target in targets:
+			os.makedirs(os.path.join(report, target.address), exist_ok=True)
+
+			files = [os.path.abspath(filename) for filename in glob.iglob(os.path.join(target.scandir, '**/*'), recursive=True) if os.path.isfile(filename) and filename.endswith(('.txt', '.html'))]
+
+			if target.scans['ports']:
+				os.makedirs(os.path.join(report, target.address, 'Port Scans'), exist_ok=True)
+				for scan in target.scans['ports'].keys():
+					if len(target.scans['ports'][scan]['commands']) > 0:
+						with open(os.path.join(report, target.address, 'Port Scans', 'PortScan - ' + target.scans['ports'][scan]['plugin'].name + '.md'), 'w') as output:
+							for command in target.scans['ports'][scan]['commands']:
+								output.writelines('```bash\n' + command[0] + '\n```')
+								for filename in files:
+									if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
+										output.writelines('\n\n[' + filename + '](file://' + filename + '):\n\n')
+										with open(filename, 'r') as file:
+											output.writelines('```\n' + file.read() + '\n```\n')
+			if target.scans['services']:
+				os.makedirs(os.path.join(report, target.address, 'Services'), exist_ok=True)
+				for service in target.scans['services'].keys():
+					os.makedirs(os.path.join(report, target.address, 'Services', 'Service - ' + service.tag().replace('/', '-')), exist_ok=True)
+					for plugin in target.scans['services'][service].keys():
+						if len(target.scans['services'][service][plugin]['commands']) > 0:
+							with open(os.path.join(report, target.address, 'Services', 'Service - ' + service.tag().replace('/', '-'), target.scans['services'][service][plugin]['plugin'].name + '.md'), 'w') as output:
+								for command in target.scans['services'][service][plugin]['commands']:
+									output.writelines('```bash\n' + command[0] + '\n```')
+									for filename in files:
+										if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
+											output.writelines('\n\n[' + filename + '](file://' + filename + '):\n\n')
+											with open(filename, 'r') as file:
+												output.writelines('```\n' + file.read() + '\n```\n')
+
+			manual_commands = os.path.join(target.scandir, '_manual_commands.txt')
+			if os.path.isfile(manual_commands):
+				with open(os.path.join(report, target.address, 'Manual Commands' + '.md'), 'w') as output:
+					with open(manual_commands, 'r') as file:
+						output.writelines('```bash\n' + file.read() + '\n```')
+
+			patterns = os.path.join(target.scandir, '_patterns.log')
+			if os.path.isfile(patterns):
+				with open(os.path.join(report, target.address, 'Patterns' + '.md'), 'w') as output:
+					with open(patterns, 'r') as file:
+						output.writelines(file.read())
+
+			commands = os.path.join(target.scandir, '_commands.log')
+			if os.path.isfile(commands):
+				with open(os.path.join(report, target.address, 'Commands' + '.md'), 'w') as output:
+					with open(commands, 'r') as file:
+						output.writelines('```bash\n' + file.read() + '\n```')
+
+			errors = os.path.join(target.scandir, '_errors.log')
+			if os.path.isfile(errors):
+				with open(os.path.join(report, target.address, 'Errors' + '.md'), 'w') as output:
+					with open(errors, 'r') as file:
+						output.writelines('```\n' + file.read() + '\n```')

autorecon/default-plugins/rpc.py

@@ -0,0 +1,42 @@
+from autorecon.plugins import ServiceScan
+from autorecon.io import error, warn
+
+class NmapRPC(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap MSRPC"
+		self.tags = ['default', 'rpc']
+
+	def configure(self):
+		self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}')
+
+class RPCClient(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "rpcclient"
+		self.tags = ['default', 'safe', 'rpc']
+
+	def configure(self):
+		self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}')
+
+class RPCDump(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'rpcdump'
+		self.tags = ['default', 'safe', 'rpc']
+
+	def configure(self):
+		self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
+
+	async def run(self, service):
+		if service.protocol == 'tcp':
+			await service.execute('impacket-rpcdump -port {port} {address}', outfile='{protocol}_{port}_rpc_rpcdump.txt')

autorecon/default-plugins/rsync.py

@@ -0,0 +1,27 @@
+from autorecon.plugins import ServiceScan
+
+class NmapRsync(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Nmap Rsync'
+		self.tags = ['default', 'safe', 'rsync']
+
+	def configure(self):
+		self.match_service_name('^rsync')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rsync* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rsync_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rsync_nmap.xml" {address}')
+
+class RsyncList(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'Rsync List Files'
+		self.tags = ['default', 'safe', 'rsync']
+
+	def configure(self):
+		self.match_service_name('^rsync')
+
+	async def run(self, service):
+		await service.execute('rsync -av --list-only rsync://{addressv6}:{port}', outfile='{protocol}_{port}_rsync_file_list.txt')

autorecon/default-plugins/sip.py

@@ -0,0 +1,28 @@
+from autorecon.plugins import ServiceScan
+
+class NmapSIP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap SIP"
+		self.tags = ['default', 'safe', 'sip']
+
+	def configure(self):
+		self.match_service_name('^asterisk')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}')
+
+class SIPVicious(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "SIPVicious"
+		self.tags = ['default', 'safe', 'sip']
+
+	def configure(self):
+		self.match_service_name('^asterisk')
+
+	def manual(self, service, plugin_was_run):
+		if service.target.ipversion == 'IPv4':
+			service.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}')

autorecon/default-plugins/smb.py

@@ -0,0 +1,104 @@
+from autorecon.plugins import ServiceScan
+
+class NmapSMB(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap SMB"
+		self.tags = ['default', 'safe', 'smb', 'active-directory']
+
+	def configure(self):
+		self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}')
+
+class SMBVuln(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "SMB Vulnerabilities"
+		self.tags = ['unsafe', 'smb', 'active-directory']
+
+	def configure(self):
+		self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}')
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}')
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}')
+
+	def manual(self, service, plugin_was_run):
+		if not plugin_was_run: # Only suggest these if they weren't run.
+			service.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [
+				'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
+				'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
+				'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
+			])
+
+class Enum4Linux(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Enum4Linux"
+		self.tags = ['default', 'safe', 'active-directory']
+
+	def configure(self):
+		self.match_service_name(['^ldap', '^smb', '^microsoft\-ds', '^netbios'])
+		self.match_port('tcp', [139, 389, 445])
+		self.match_port('udp', 137)
+		self.run_once(True)
+
+	async def run(self, service):
+		if service.target.ipversion == 'IPv4':
+			await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt')
+
+class NBTScan(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "nbtscan"
+		self.tags = ['default', 'safe', 'netbios', 'active-directory']
+
+	def configure(self):
+		self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
+		self.match_port('udp', 137)
+		self.run_once(True)
+
+	async def run(self, service):
+		if service.target.ipversion == 'IPv4':
+			await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt')
+
+class SMBClient(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "SMBClient"
+		self.tags = ['default', 'safe', 'smb', 'active-directory']
+
+	def configure(self):
+		self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
+		self.match_port('tcp', [139, 445])
+		self.run_once(True)
+
+	async def run(self, service):
+		await service.execute('smbclient -L\\\\ -N -I {address} 2>&1', outfile='smbclient.txt')
+
+class SMBMap(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "SMBMap"
+		self.tags = ['default', 'safe', 'smb', 'active-directory']
+
+	def configure(self):
+		self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
+
+	async def run(self, service):
+		if service.target.ipversion == 'IPv4':
+			await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
+			await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
+			await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
+			await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
+			await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')
+			await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')

autorecon/default-plugins/smtp.py

@@ -0,0 +1,33 @@
+from autorecon.plugins import ServiceScan
+
+class NmapSMTP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap SMTP"
+		self.tags = ['default', 'safe', 'smtp', 'email']
+
+	def configure(self):
+		self.match_service_name('^smtp')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}')
+
+class SMTPUserEnum(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = 'SMTP-User-Enum'
+		self.tags = ['default', 'safe', 'smtp', 'email']
+
+	def configure(self):
+		self.match_service_name('^smtp')
+
+	async def run(self, service):
+		await service.execute('hydra smtp-enum://{addressv6}:{port}/vrfy -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_vrfy.txt')
+		await service.execute('hydra smtp-enum://{addressv6}:{port}/expn -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_expn.txt')
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_command('Try User Enumeration using "RCPT TO". Replace <TARGET-DOMAIN> with the target\'s domain name:', [
+			'hydra smtp-enum://{addressv6}:{port}/rcpt -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -o "{scandir}/{protocol}_{port}_smtp_user-enum_hydra_rcpt.txt" -p <TARGET-DOMAIN>'
+		])

autorecon/default-plugins/snmp.py

@@ -0,0 +1,53 @@
+from autorecon.plugins import ServiceScan
+
+class NmapSNMP(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap SNMP"
+		self.tags = ['default', 'safe', 'snmp']
+
+	def configure(self):
+		self.match_service_name('^snmp')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}')
+
+class OneSixtyOne(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "OneSixtyOne"
+		self.tags = ['default', 'safe', 'snmp']
+
+	def configure(self):
+		self.match_service_name('^snmp')
+		self.match_port('udp', 161)
+		self.run_once(True)
+		self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s')
+
+	async def run(self, service):
+		if service.target.ipversion == 'IPv4':
+			await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt')
+
+class SNMPWalk(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "SNMPWalk"
+		self.tags = ['default', 'safe', 'snmp']
+
+	def configure(self):
+		self.match_service_name('^snmp')
+		self.match_port('udp', 161)
+		self.run_once(True)
+
+	async def run(self, service):
+		await service.execute('snmpwalk -c public -v 1 {address} 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk.txt')
+		await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_system_processes.txt')
+		await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1', outfile='{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt')
+		await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_process_paths.txt')
+		await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_storage_units.txt')
+		await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_software_names.txt')
+		await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_user_accounts.txt')
+		await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt')

autorecon/default-plugins/ssh.py

@@ -0,0 +1,30 @@
+from autorecon.plugins import ServiceScan
+
+class NmapSSH(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Nmap SSH"
+		self.tags = ['default', 'safe', 'ssh']
+
+	def configure(self):
+		self.match_service_name('^ssh')
+
+	async def run(self, service):
+		await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}')
+
+class BruteforceSSH(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "Bruteforce SSH"
+		self.tags = ['default', 'ssh']
+
+	def configure(self):
+		self.match_service_name('ssh')
+
+	def manual(self, service, plugin_was_run):
+		service.add_manual_command('Bruteforce logins:', [
+			'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{addressv6}',
+			'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {addressv6}'
+		])

autorecon/default-plugins/sslscan.py

@@ -0,0 +1,16 @@
+from autorecon.plugins import ServiceScan
+
+class SSLScan(ServiceScan):
+
+	def __init__(self):
+		super().__init__()
+		self.name = "SSL Scan"
+		self.tags = ['default', 'safe', 'ssl', 'tls']
+
+	def configure(self):
+		self.match_all_service_names(True)
+		self.require_ssl(True)
+
+	async def run(self, service):
+		if service.protocol == 'tcp' and service.secure:
+			await service.execute('sslscan --show-certificate --no-colour {addressv6}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html')

autorecon/global.toml

@@ -0,0 +1,22 @@
+[global.username-wordlist]
+default = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
+help = 'A wordlist of usernames, useful for bruteforcing. Default: %(default)s'
+
+[global.password-wordlist]
+default = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+help = 'A wordlist of passwords, useful for bruteforcing. Default: %(default)s'
+
+[global.domain]
+help = 'The domain to use (if known). Used for DNS and/or Active Directory. Default: %(default)s'
+
+# Configure global pattern matching here.
+[[pattern]]
+description = 'Nmap script found a potential vulnerability. ({match})'
+pattern = 'State: (?:(?:LIKELY\_?)?VULNERABLE)'
+
+[[pattern]]
+pattern = '(?i)unauthorized'
+
+[[pattern]]
+description = 'CVE Identified: {match}'
+pattern = '(CVE-\d{4}-\d{4,7})'

autorecon/main.py

@@ -1,10 +1,10 @@
 #!/usr/bin/python3
 
-import argparse, asyncio, importlib, inspect, ipaddress, math, os, re, sys, signal, select, socket, termios, time, traceback, tty
+import argparse, asyncio, importlib, inspect, ipaddress, math, os, re, select, shutil, signal, socket, sys, termios, time, traceback, tty
 from datetime import datetime
 
 try:
-	import colorama, toml, unidecode
+	import appdirs, colorama, toml, unidecode
 	from colorama import Fore, Style
 except ModuleNotFoundError:
 	print('One or more required modules was not installed. Please run or re-run: ' + ('sudo ' if os.getuid() == 0 else '') + 'python3 -m pip install -r requirements.txt')
@@ -17,6 +17,16 @@ from autorecon.io import slugify, e, fformat, cprint, debug, info, warn, error,
 from autorecon.plugins import Pattern, PortScan, ServiceScan, Report, AutoRecon
 from autorecon.targets import Target, Service
 
+def install():
+	shutil.rmtree(config['config_dir'], ignore_errors=True)
+	os.makedirs(config['config_dir'], exist_ok=True)
+	shutil.copy(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'config.toml'), os.path.join(config['config_dir'], 'config.toml'))
+	shutil.copy(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'global.toml'), os.path.join(config['config_dir'], 'global.toml'))
+	shutil.copytree(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'default-plugins'), os.path.join(config['config_dir'], 'plugins'))
+
+if not os.path.exists(config['config_dir']):
+	install()
+
 # Save current terminal settings so we can restore them.
 terminal_settings = termios.tcgetattr(sys.stdin.fileno())
 
@@ -711,15 +721,15 @@ async def scan_target(target):
 		autorecon.completed_targets.append(target)
 		autorecon.scanning_targets.remove(target)
 
-async def main():
+async def run():
 	parser = argparse.ArgumentParser(add_help=False, description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.')
 	parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs='*')
 	parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.')
 	parser.add_argument('-p', '--ports', action='store', type=str, help='Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by prepending list with T:/U: To scan both TCP/UDP, put port(s) at start or specify B: e.g. 53,T:21-25,80,U:123,B:123. Default: %(default)s')
 	parser.add_argument('-m', '--max-scans', action='store', type=int, help='The maximum number of concurrent scans to run. Default: %(default)s')
 	parser.add_argument('-mp', '--max-port-scans', action='store', type=int, help='The maximum number of concurrent port scans to run. Default: 10 (approx 20%% of max-scans unless specified)')
-	parser.add_argument('-c', '--config', action='store', type=str, default=os.path.dirname(os.path.realpath(__file__)) + '/config.toml', dest='config_file', help='Location of AutoRecon\'s config file. Default: %(default)s')
-	parser.add_argument('-g', '--global-file', action='store', type=str, dest='global_file', help='Location of AutoRecon\'s global file. Default: ' + os.path.dirname(os.path.realpath(__file__)) + '/global.toml')
+	parser.add_argument('-c', '--config', action='store', type=str, default=os.path.join(config['config_dir'], 'config.toml'), dest='config_file', help='Location of AutoRecon\'s config file. Default: %(default)s')
+	parser.add_argument('-g', '--global-file', action='store', type=str, dest='global_file', help='Location of AutoRecon\'s global file. Default: ' + os.path.join(config['config_dir'], 'global.toml'))
 	parser.add_argument('--tags', action='store', type=str, default='default', help='Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group. Default: %(default)s')
 	parser.add_argument('--exclude-tags', action='store', type=str, default='', metavar='TAGS', help='Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group. Default: %(default)s')
 	parser.add_argument('--port-scans', action='store', type=str, metavar='PLUGINS', help='Override --tags / --exclude-tags for the listed PortScan plugins (comma separated). Default: %(default)s')
@@ -753,7 +763,7 @@ async def main():
 	autorecon.argparse = parser
 
 	if args.version:
-		print('AutoRecon v2.0-beta3')
+		print('AutoRecon v2.0')
 		sys.exit(0)
 
 	# Parse config file and args for global.toml first.
@@ -1368,12 +1378,15 @@ async def main():
 		# Restore original terminal settings.
 		termios.tcsetattr(sys.stdin, termios.TCSADRAIN, terminal_settings)
 
-if __name__ == '__main__':
+def main():
 	# Capture Ctrl+C and cancel everything.
 	signal.signal(signal.SIGINT, cancel_all_tasks)
 	try:
-		asyncio.run(main())
+		asyncio.run(run())
 	except asyncio.exceptions.CancelledError:
 		pass
 	except RuntimeError:
 		pass
+
+if __name__ == '__main__':
+	main()

poetry.lock

@@ -0,0 +1,54 @@
+[[package]]
+name = "appdirs"
+version = "1.4.4"
+description = "A small Python module for determining appropriate platform-specific dirs, e.g. a \"user data dir\"."
+category = "main"
+optional = false
+python-versions = "*"
+
+[[package]]
+name = "colorama"
+version = "0.4.4"
+description = "Cross-platform colored terminal text."
+category = "main"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
+
+[[package]]
+name = "toml"
+version = "0.10.2"
+description = "Python Library for Tom's Obvious, Minimal Language"
+category = "main"
+optional = false
+python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
+
+[[package]]
+name = "unidecode"
+version = "1.3.1"
+description = "ASCII transliterations of Unicode text"
+category = "main"
+optional = false
+python-versions = ">=3.5"
+
+[metadata]
+lock-version = "1.1"
+python-versions = "^3.7"
+content-hash = "681db41aa556d6d3f79e1e8ee0107bccd078e39c8db7e6e0159860c96ea93c5b"
+
+[metadata.files]
+appdirs = [
+    {file = "appdirs-1.4.4-py2.py3-none-any.whl", hash = "sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128"},
+    {file = "appdirs-1.4.4.tar.gz", hash = "sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41"},
+]
+colorama = [
+    {file = "colorama-0.4.4-py2.py3-none-any.whl", hash = "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"},
+    {file = "colorama-0.4.4.tar.gz", hash = "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b"},
+]
+toml = [
+    {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"},
+    {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"},
+]
+unidecode = [
+    {file = "Unidecode-1.3.1-py3-none-any.whl", hash = "sha256:5f58926b9125b499f8ab6816828e737578fa3e31fa24d351a3ab7f4b7c064ab0"},
+    {file = "Unidecode-1.3.1.tar.gz", hash = "sha256:6efac090bf8f29970afc90caf4daae87b172709b786cb1b4da2d0c0624431ecc"},
+]

pyproject.toml

@@ -0,0 +1,22 @@
+[tool.poetry]
+name = "autorecon"
+version = "2.0.0"
+description = "A multi-threaded network reconnaissance tool which performs automated enumeration of services."
+authors = ["Tib3rius"]
+license = "GNU GPL v3"
+
+[tool.poetry.dependencies]
+python = "^3.7"
+appdirs = "^1.4.4"
+colorama = "^0.4.4"
+toml = "^0.10.2"
+Unidecode = "^1.3.1"
+
+[tool.poetry.dev-dependencies]
+
+[tool.poetry.scripts]
+autorecon = "autorecon.main:main"
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"

requirements.txt

@@ -1,3 +1,4 @@
-unidecode
-toml
+appdirs
 colorama
+toml
+unidecode