Targets can be read from a file.\nList of invoked applications is saved in a config file, and a sanity check is performed. Also now use absolute paths for security reasons.\nScan results are saved according to service.\nTotal scan time is indicated to tweak performance.\nSome additional minor modifications as well as changes in the config file.

2019-04-28 06:47:46 +02:00 · 2019-04-28 06:47:46 +02:00 · 7a09853738
parent 5da3f41acc
commit 7a09853738
4 changed files with 337 additions and 183 deletions
--- a/autorecon.py
+++ b/autorecon.py
@ -16,17 +16,19 @@ import os
 import re
 import socket
 import string
 from datetime import datetime
 import sys
 import toml
 verbose = 0
-nmap = '-vv --reason -Pn'
+nmap_default_options = '--reason -Pn'
 srvname = ''
 port_scan_profile = None
 port_scan_profiles_config = None
 service_scans_config = None
 global_patterns = []
 applications = {}
 username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
 password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
@ -70,9 +72,11 @@ def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1,
    vals.update(frame.f_locals)
    vals.update(kvargs)
    clock = datetime.now().strftime('%H:%M:%S')
    clock = sep + '['  + Style.BRIGHT + Fore.YELLOW + clock + Style.NORMAL + Fore.RESET + ']'
    unfmt = ''
    if char is not None:
-        unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep
+        unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + clock + sep
    unfmt += sep.join(args)
    fmted = unfmt
@ -104,40 +108,63 @@ def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
    cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs)
    exit(-1)
-port_scan_profiles_config_file = 'port-scan-profiles.toml'
+
-with open(os.path.join(rootdir, 'config', port_scan_profiles_config_file), 'r') as p:
+''' Reads a configuration file, and saves the data to a dictionary
    @replace_values Dictionary with values that should be replaced in the configuration file
 '''
 def read_configuration_file(filename, replace_values = {}):
    data = {}
    try:
-        port_scan_profiles_config = toml.load(p)
+        with open(os.path.join(rootdir, 'config', filename), 'r') as f:
            data = f.read()
-        if len(port_scan_profiles_config) == 0:
+            for entry in replace_values:
-            fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.')
+                data = re.sub('{' +entry + '}', replace_values[entry], data)
            data = toml.loads(data)
    except (OSError, toml.decoder.TomlDecodeError) as e:
        fail('Error: The configuration file {filename} could not be read.')
-    except toml.decoder.TomlDecodeError as e:
+    return data
        fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.')
 with open(os.path.join(rootdir, 'config', 'service-scans.toml'), 'r') as c:
    try:
        service_scans_config = toml.load(c)
    except toml.decoder.TomlDecodeError as e:
        fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.')
-with open(os.path.join(rootdir, 'config', 'global-patterns.toml'), 'r') as p:
+def get_configuration():
-    try:
+    applications_config = read_configuration_file('config.toml')
-        global_patterns = toml.load(p)
+    if len(applications_config) > 0 and 'applications' in applications_config:
-        if 'pattern' in global_patterns:
+        global applications 
-            global_patterns = global_patterns['pattern']
+        applications = applications_config['applications']
-        else:
+        for application in applications:
-            global_patterns = []
+            if not os.path.isfile(applications[application]): 
-    except toml.decoder.TomlDecodeError as e:
+                warn('Warning: The application {application} was not found on the system in the specified path.')
-        fail('Error: Couldn\'t parse global-patterns.toml config file. Check syntax and duplicate tags.')
+    else:
        warn('Warning: The section for application paths was not found in the {application_config_file} configuration file.')
-if 'username_wordlist' in service_scans_config:
+    global port_scan_profiles_config 
-    if isinstance(service_scans_config['username_wordlist'], str):
+    port_scan_profiles_config = read_configuration_file('port-scan-profiles.toml', applications)
-        username_wordlist = service_scans_config['username_wordlist']
+    if len(port_scan_profiles_config) == 0:
        fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.')
        return False
    global service_scans_config 
    service_scans_config = read_configuration_file('service-scans.toml', applications)
    global global_patterns 
    global_patterns = read_configuration_file('global-patterns.toml')
    if 'pattern' in global_patterns:
        global_patterns = global_patterns['pattern']
    else:
        global_patterns = []
    if 'username_wordlist' in service_scans_config:
        if isinstance(service_scans_config['username_wordlist'], str):
            username_wordlist = service_scans_config['username_wordlist']
    if 'password_wordlist' in service_scans_config:
        if isinstance(service_scans_config['password_wordlist'], str):
            password_wordlist = service_scans_config['password_wordlist']
    return True
 if 'password_wordlist' in service_scans_config:
    if isinstance(service_scans_config['password_wordlist'], str):
        password_wordlist = service_scans_config['password_wordlist']
 async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
    address = target.address
@ -188,11 +215,13 @@ async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]):
        address = target.address
        scandir = target.scandir
-        info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}' if verbose >= 1 else ''))
+        info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}.' if verbose >= 1 else '.'))
        async with target.lock:
            with open(os.path.join(scandir, '_commands.log'), 'a') as file:
                file.writelines(e('{cmd}\n\n'))
        # TODO: check extended service scanning requested?
        process = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
@ -204,12 +233,12 @@ async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]):
        await process.wait()
    if process.returncode != 0:
-        error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}')
+        error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}.')
        async with target.lock:
            with open(os.path.join(scandir, '_errors.log'), 'a') as file:
                file.writelines(e('[*] Task {tag} returned non-zero exit code: {process.returncode}. Command: {cmd}\n'))
    else:
-        info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully')
+        info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.')
    return {'returncode': process.returncode, 'name': 'run_cmd'}
@ -289,14 +318,14 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None
        address = target.address
        scandir = target.scandir
-        nmap_extra = nmap
+        nmap_extra = nmap_default_options
        ports = ''
        if port_scan is not None:
            command = e(port_scan[0])
            pattern = port_scan[1]
-            info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else ''))
+            info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.'))
            async with target.lock:
                with open(os.path.join(scandir, '_commands.log'), 'a') as file:
@ -310,9 +339,9 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None
            ]
            results = await asyncio.gather(*output)
-
+            
            await process.wait()
-
+            
            if process.returncode != 0:
                error('Port scan {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}')
                async with target.lock:
@ -331,7 +360,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None
        command = e(service_detection[0])
        pattern = service_detection[1]
-        info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else ''))
+        info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.'))
        async with target.lock:
            with open(os.path.join(scandir, '_commands.log'), 'a') as file:
@ -354,7 +383,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None
                with open(os.path.join(scandir, '_errors.log'), 'a') as file:
                    file.writelines(e('[*] Service detection {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n'))
        else:
-            info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully')
+            info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.')
        services = results[0]
@ -386,7 +415,6 @@ async def scan_services(loop, semaphore, target):
        for task in done:
            result = task.result()
            if result['returncode'] == 0:
                if result['name'] == 'run_portscan':
                    for service_tuple in result['services']:
@ -399,15 +427,15 @@ async def scan_services(loop, semaphore, target):
                        port = service_tuple[1]
                        service = service_tuple[2]
-                        info('Found {bmagenta}{service}{rst} on {bmagenta}{protocol}/{port}{rst} on target {byellow}{address}{rst}')
+                        info('Port {bmagenta}{protocol} {port}{rst} ({bmagenta}{service}{rst}) open on target {byellow}{address}{rst}.')
                        with open(os.path.join(target.reportdir, 'notes.txt'), 'a') as file:
-                            file.writelines(e('[*] {service} found on {protocol}/{port}.\n\n\n\n'))
+                            file.writelines(e('[*] Port {protocol} {port} ({service}) open on {address}.\n\n\n\n'))
                        if protocol == 'udp':
-                            nmap_extra = nmap + " -sU"
+                            nmap_extra = nmap_default_options + " -sU"
                        else:
-                            nmap_extra = nmap
+                            nmap_extra = nmap_default_options
                        secure = True if 'ssl' in service or 'tls' in service else False
@ -443,6 +471,20 @@ async def scan_services(loop, semaphore, target):
                            if not matched_service:
                                continue
                            # NOTE: change for saving results in directories per service
                            if not service_scan == 'all-services':
                                category = '{0}/'.format(service_scan) 
                            else:
                                category = ''
                            try:
                                servicedir = os.path.join(scandir, category)
                                if not os.path.exists(servicedir): os.mkdir(servicedir)
                                xmldir = os.path.join(scandir, 'xml', category)
                                if not os.path.exists(xmldir): os.mkdir(xmldir)
                            except OSError:
                                category = ''
                            if 'manual' in service_scans_config[service_scan]:
                                heading = False
                                with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file:
@ -514,14 +556,17 @@ async def scan_services(loop, semaphore, target):
                                            pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, tag=tag, patterns=patterns)))
 def scan_host(target, concurrent_scans):
-    info('Scanning target {byellow}{target.address}{rst}')
+    info('Scanning target {byellow}{target.address}{rst}.')
-
+    
    basedir = os.path.abspath(os.path.join(outdir, target.address + srvname))
    target.basedir = basedir
    os.makedirs(basedir, exist_ok=True)
    exploitdir = os.path.abspath(os.path.join(basedir, 'exploit'))
    os.makedirs(exploitdir, exist_ok=True)
    exploitdir = os.path.abspath(os.path.join(basedir, 'privilege_escalation'))
    os.makedirs(exploitdir, exist_ok=True)
    lootdir = os.path.abspath(os.path.join(basedir, 'loot'))
    os.makedirs(lootdir, exist_ok=True)
@ -529,6 +574,8 @@ def scan_host(target, concurrent_scans):
    reportdir = os.path.abspath(os.path.join(basedir, 'report'))
    target.reportdir = reportdir
    os.makedirs(reportdir, exist_ok=True)
    f = open(os.path.join(reportdir, 'notes.txt'), 'w')
    f.close()
    screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots'))
    os.makedirs(screenshotdir, exist_ok=True)
@ -553,10 +600,68 @@ def scan_host(target, concurrent_scans):
    try:
        loop.run_until_complete(scan_services(loop, semaphore, target))
-        info('Finished scanning target {byellow}{target.address}{rst}')
+        info('Finished scanning target {byellow}{target.address}{rst}.')
    except KeyboardInterrupt:
        sys.exit(1)
 ''' Reads a list of targets from a file
 '''
 def read_targets_from_file(filename, targets, disable_sanity_checks):
    if not os.path.isfile(filename):
        error('The file {filename} with target information was not found.')
        return (targets, True)
    try:
        with open(filename, 'r') as f:
            entries = f.read()
    except OSError:
        error('The file {filename} with target information could not be read.')
        return (targets, True)
    error = False
    for ip in entries.split('\n'):
        if ip.startswith('#') or len(ip) == 0: continue
        targets, failed = get_ip_address(ip, targets, disable_sanity_checks)
        if failed: error = True
    return (targets, error)
 def get_ip_address(target, targets, disable_sanity_checks):
    errors = False
    try:
        ip = str(ipaddress.ip_address(target))
        if ip not in targets:
            targets.append(ip)
    except ValueError:
        try:
            target_range = ipaddress.ip_network(target, strict=False)
            if not disable_sanity_checks and target_range.num_addresses > 256:
                error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.')
                errors = True
            else:
                for ip in target_range.hosts():
                    ip = str(ip)
                    if ip not in targets:
                        targets.append(ip)
        except ValueError:
            try:
                ip = socket.gethostbyname(target)
                if target not in targets:
                    targets.append(target)
            except socket.gaierror:
                warn(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.')
    return (targets, errors)
 class Target:
    def __init__(self, address):
        self.address = address
@ -569,19 +674,24 @@ class Target:
 if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.')
-    parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="+")
+    parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*")
    parser.add_argument('-ct', '--concurrent-targets', action='store', metavar='<number>', type=int, default=5, help='The maximum number of target hosts to scan concurrently. Default: %(default)s')
    parser.add_argument('-cs', '--concurrent-scans', action='store', metavar='<number>', type=int, default=10, help='The maximum number of scans to perform per target host. Default: %(default)s')
    parser.add_argument('--profile', action='store', default='default', help='The port scanning profile to use (defined in port-scan-profiles.toml). Default: %(default)s')
    parser.add_argument('-o', '--output', action='store', default='results', help='The output directory for results. Default: %(default)s')
    nmap_group = parser.add_mutually_exclusive_group()
-    nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s')
+    nmap_group.add_argument('--nmap', action='store', default=nmap_default_options, help='Override the {nmap_extra} variable in scans. Default: %(default)s')
    nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.')
    parser.add_argument('-r', '--read', action='store', type=str, default='', dest='target_file', help='Read targets from file.')
    parser.add_argument('-v', '--verbose', action='count', default=0, help='Enable verbose output. Repeat for more verbosity.')
    parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running.')
    parser.add_argument('--skip-service-scan', action='store_true', default=False, help='Do not perfom extended service scanning but only protocol commands.')
    parser.error = lambda s: fail(s[0].upper() + s[1:])
    args = parser.parse_args()
    config_loaded = get_configuration()
    if not config_loaded: sys.exit(-1)
    errors = False
    if args.concurrent_targets <= 0:
@ -639,48 +749,26 @@ if __name__ == '__main__':
        error('Argument --profile: must reference a port scan profile defined in {port_scan_profiles_config_file}. No such profile found: {port_scan_profile}')
        errors = True
-    nmap = args.nmap
+    nmap_default_options = args.nmap
    if args.nmap_append:
-        nmap += " " + args.nmap_append
+        nmap_default_options += " " + args.nmap_append
    outdir = args.output
    srvname = ''
    verbose = args.verbose
-    if len(args.targets) == 0:
+    if len(args.targets) == 0 and not len(args.target_file):
        error('You must specify at least one target to scan!')
        errors = True
    targets = []
    for target in args.targets:
-        try:
+        targets, failed = get_ip_address(target, targets, args.disable_sanity_checks)
-            ip = str(ipaddress.ip_address(target))
+        if failed: errors = True
-            if ip not in targets:
+    if len(args.target_file) > 0:
-                targets.append(ip)
+        targets, errors = read_targets_from_file(args.target_file, targets, args.disable_sanity_checks)
        except ValueError:
            try:
                target_range = ipaddress.ip_network(target, strict=False)
                if not args.disable_sanity_checks and target_range.num_addresses > 256:
                    error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.')
                    errors = True
                else:
                    for ip in target_range.hosts():
                        ip = str(ip)
                        if ip not in targets:
                            targets.append(ip)
            except ValueError:
                try:
                    ip = socket.gethostbyname(target)
                    if target not in targets:
                        targets.append(target)
                except socket.gaierror:
                    error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.')
                    errors = True
    if not args.disable_sanity_checks and len(targets) > 256:
        error('A total of ' + str(len(targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.')
@ -689,6 +777,7 @@ if __name__ == '__main__':
    if errors:
        sys.exit(1)
    start_timer = datetime.now().strftime('%H:%M:%S')
    with ProcessPoolExecutor(max_workers=args.concurrent_targets) as executor:
        futures = []
@ -704,3 +793,8 @@ if __name__ == '__main__':
                future.cancel()
            executor.shutdown(wait=False)
            sys.exit(1)
    end_timer = datetime.now().strftime('%H:%M:%S')
    tdelta = datetime.strptime(end_timer, '%H:%M:%S') - datetime.strptime(start_timer, '%H:%M:%S')
    print('\nScanning completed in {}.'.format(tdelta))
--- a/config/config.toml
+++ b/config/config.toml
@ -0,0 +1,42 @@
 # configuration for program paths
 [applications]
    nmap = '/usr/bin/nmap'
    # password brute-forcing programs
    hydra = '/usr/bin/hydra'
    medusa = '/usr/bin/medusa'
    patator = '/usr/bin/patator'
    # programs for web servers and application
    sslscan = '/usr/bin/sslscan'
    curl = '/usr/bin/curl'
    dirb = '/usr/bin/dirb'
    wkhtmltoimage = '/usr/bin/wkhtmltoimage'
    whatweb = '/usr/bin/whatweb'
    nikto = '/usr/bin/nikto'
    gobuster = '/usr/bin/gobuster'
    wpscan = '/usr/local/bin/wpscan'
    dirsearch = ''
    # Oracle programs
    tnscmd10g = '/usr/bin/tnscmd10g'
    oscanner = '/usr/bin/oscanner'
    odat = '/usr/bin/python odat.py'
    # RPC programs
    rpcclient = '/usr/bin/rpcclient'
    # SMB programs
    enum4linux = '/usr/bin/enum4linux'
    smbclient = '/usr/bin/smbclient'
    smbmap = '/usr/bin/smbmap'
    smb_version = '/usr/local/bin/get_smb_version'
    # SMTP programs
    smtp-user-enum = '/usr/bin/smtp-user-enum'
    # SNMP programs
    onesixtyone = '/usr/bin/onesixtyone'
    snmpwalk = '/usr/bin/snmpwalk'
--- a/config/port-scan-profiles.toml
+++ b/config/port-scan-profiles.toml
@ -3,19 +3,19 @@
    [default.nmap-quick]
        [default.nmap-quick.service-detection]
-        command = 'nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
+        command = '{nmap} {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
    [default.nmap-full-tcp]
        [default.nmap-full-tcp.service-detection]
-        command = 'nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}'
+        command = '{nmap} {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
    [default.nmap-top-20-udp]
        [default.nmap-top-20-udp.service-detection]
-        command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
+        command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
 [quick]
@ -23,13 +23,13 @@
    [quick.nmap-quick]
        [quick.nmap-quick.service-detection]
-        command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
+        command = '{nmap} {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
    [quick.nmap-top-20-udp]
        [quick.nmap-top-20-udp.service-detection]
-        command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
+        command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
 [udp]
@ -41,5 +41,16 @@
        pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$'
        [udp.udp-top-20.service-detection]
-        command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
+        command = '{nmap} {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
 [debug]
    [debug.nmap-quick]
        [debug.nmap-quick.service-detection]
        command = '{nmap} {nmap_extra} --top-ports 10 -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
--- a/config/service-scans.toml
+++ b/config/service-scans.toml
@ -10,7 +10,7 @@ service-names = [
    [[all-services.scan]]
    name = 'sslscan'
-    command = 'if [ "{secure}" == "True" ]; then sslscan --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi'
+    command = 'if [ "{secure}" == "True" ]; then {sslscan} --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi'
 [cassandra]
@ -20,7 +20,7 @@ service-names = [
    [[cassandra.scan]]
    name = 'nmap-cassandra'
-    command = 'nmap {nmap_extra} -sV  -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV  -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cassandra_nmap.xml" {address}'
 [cups]
@ -30,7 +30,7 @@ service-names = [
    [[cups.scan]]
    name = 'nmap-cups'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cups_nmap.xml" {address}'
 [distcc]
@ -40,7 +40,7 @@ service-names = [
    [[distcc.scan]]
    name = 'nmap-distcc'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{category}{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_distcc_nmap.xml" {address}'
 [dns]
@ -50,7 +50,7 @@ service-names = [
    [[dns.scan]]
    name = 'nmap-dns'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_dns_nmap.xml" {address}'
 [finger]
@ -59,8 +59,8 @@ service-names = [
 ]
    [[finger.scan]]
-    nmap = 'nmap-finger'
+    name = 'nmap-finger'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{category}{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_finger_nmap.xml" {address}'
 [ftp]
@ -71,7 +71,7 @@ service-names = [
    [[ftp.scan]]
    name = 'nmap-ftp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ftp_nmap.xml" {address}'
        [[ftp.scan.pattern]]
        description = 'Anonymous FTP Enabled!'
@ -80,8 +80,8 @@ service-names = [
    [[ftp.manual]]
    description = 'Bruteforce logins:'
    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
+        '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
+        '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
    ]
 [http]
@ -96,7 +96,7 @@ ignore-service-names = [
    [[http.scan]]
    name = 'nmap-http'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_{scheme}_nmap.xml" {address}'
        [[http.scan.pattern]]
        description = 'Identified HTTP Server: {match}'
@ -108,65 +108,65 @@ ignore-service-names = [
    [[http.scan]]
    name = 'curl-index'
-    command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"'
+    command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_index.html"'
        [[http.scan.pattern]]
        pattern = '(?i)Powered by [^\n]+'
    [[http.scan]]
    name = 'curl-robots'
-    command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"'
+    command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_robots.txt"'
    [[http.scan]]
    name = 'wkhtmltoimage'
-    command = 'if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png {scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{scheme}_screenshot.png; fi'
+    command = 'if hash {wkhtmltoimage} 2> /dev/null; then {wkhtmltoimage} --format png {scheme}://{address}:{port}/ {scandir}/{category}{protocol}_{port}_{scheme}_screenshot.png; fi'
    [[http.scan]]
    name = 'whatweb'
-    command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
+    command = '{whatweb} --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_whatweb.txt"'
    [[http.scan]]
    name = 'nikto'
-    command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
+    command = '{nikto} -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_nikto.txt"'
    [[http.scan]]
    name = 'gobuster'
-    command = 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,403" -x "txt,html,php,asp,aspx" 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"'
+    command = '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,403" -x "txt,html,php,asp,aspx" 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster.txt"'
    [[http.manual]]
    description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
    commands = [
-        'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt"',
+        'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_big.txt"',
-        'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"'
+        'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"'
    ]
    [[http.manual]]
    description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):'
    commands = [
-        'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt',
+        'dirb {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt',
-        'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
+        'dirb {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
    ]
    [[http.manual]]
    description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
    commands = [
-        'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
+        '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_big.txt"',
-        'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
+        '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
    ]
    [[http.manual]]
    description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):'
    commands = [
-        'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"'
+        '{wpscan} --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_wpscan.txt"'
    ]
    [[http.manual]]
    description = "Credential bruteforcing commands (don't run these without modifying them):"
    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
+        '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
+        '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
+        '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
+        '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
    ]
 [imap]
@ -177,7 +177,7 @@ service-names = [
    [[imap.scan]]
    name = 'nmap-imap'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_imap_nmap.xml" {address}'
 [kerberos]
@ -188,7 +188,7 @@ service-names = [
    [[kerberos.scan]]
    name = 'nmap-kerberos'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{category}{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_kerberos_nmap.xml" {address}'
 [ldap]
@ -198,11 +198,11 @@ service-names = [
    [[ldap.scan]]
    name = 'nmap-ldap'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ldap_nmap.xml" {address}'
    [[ldap.scan]]
    name = 'enum4linux'
-    command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
+    command = '{enum4linux} -a -M -l -d {address} 2>&1 | tee "{scandir}/{category}enum4linux.txt"'
    run_once = true
    ports.tcp = [139, 389, 445]
    ports.udp = [137]
@ -215,7 +215,7 @@ service-names = [
    [[mongodb.scan]]
    name = 'nmap-mongodb'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{category}{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mongodb_nmap.xml" {address}'
 [mssql]
@ -226,7 +226,7 @@ service-names = [
    [[mssql.scan]]
    name = 'nmap-mssql'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{category}{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mssql_nmap.xml" {address}'
    [[mssql.manual]]
    description = '(sqsh) interactive database shell'
@ -242,7 +242,7 @@ service-names = [
    [[mysql.scan]]
    name = 'nmap-mysql'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mysql_nmap.xml" {address}'
 [nfs]
@ -253,7 +253,7 @@ service-names = [
    [[nfs.scan]]
    name = 'nmap-nfs'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nfs_nmap.xml" {address}'
 [nntp]
@ -263,7 +263,7 @@ service-names = [
    [[nntp.scan]]
    name = 'nmap-nntp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nntp_nmap.xml" {address}'
 [oracle]
@ -273,43 +273,43 @@ service-names = [
    [[oracle.scan]]
    name = 'nmap-oracle'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_nmap.xml" {address}'
    [[oracle.scan]]
    name = 'oracle-tnscmd-ping'
-    command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_ping.txt"'
+    command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_ping.txt"'
    [[oracle.scan]]
    name = 'oracle-tnscmd-version'
-    command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
+    command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"'
    [[oracle.scan]]
    name = 'oracle-tnscmd-version'
-    command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
+    command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"'
    [[oracle.scan]]
    name = 'oracle-scanner'
-    command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_scanner.txt"'
+    command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_scanner.txt"'
    [[oracle.manual]]
    description = 'Brute-force SIDs using Nmap'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{category}{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}'
    [[oracle.manual]]
    description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:'
    commands = [
-        'python odat.py tnscmd -s {address} -p {port} --ping',
+        '{odat} tnscmd -s {address} -p {port} --ping',
-        'python odat.py tnscmd -s {address} -p {port} --version',
+        '{odat} tnscmd -s {address} -p {port} --version',
-        'python odat.py tnscmd -s {address} -p {port} --status',
+        '{odat} tnscmd -s {address} -p {port} --status',
-        'python odat.py sidguesser -s {address} -p {port}',
+        '{odat} sidguesser -s {address} -p {port}',
-        'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
+        '{odat} passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
-        'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module'
+        '{odat} tnspoison -s {address} -p {port} -d <sid> --test-module'
    ]
    [[oracle.manual]]
    description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:'
    commands = [
-        'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000'
+        '{patator} oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000'
    ]
 [pop3]
@ -320,7 +320,7 @@ service-names = [
    [[pop3.scan]]
    name = 'nmap-pop3'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_pop3_nmap.xml" {address}'
 [rdp]
@ -332,13 +332,13 @@ service-names = [
    [[rdp.scan]]
    name = 'nmap-rdp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rdp_nmap.xml" {address}'
    [[rdp.manual]]
    description = 'Bruteforce logins:'
    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
+        '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
+        '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
    ]
 [rmi]
@ -350,7 +350,7 @@ service-names = [
    [[rmi.scan]]
    name = 'nmap-rmi'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{category}{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rmi_nmap.xml" {address}'
 [rpc]
@ -362,12 +362,12 @@ service-names = [
    [[rpc.scan]]
    name = 'nmap-msrpc'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{category}{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rpc_nmap.xml" {address}'
    [[rpc.manual]]
    description = 'RPC Client:'
    commands = [
-        'rpcclient -p {port} -U "" {address}'
+        '{rpcclient} -p {port} -U "" {address}'
    ]
 [sip]
@ -378,7 +378,7 @@ service-names = [
    [[sip.scan]]
    name = 'nmap-sip'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{category}{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_sip_nmap.xml" {address}'
    [[sip.scan]]
    name = 'svwar'
@ -392,13 +392,13 @@ service-names = [
    [[ssh.scan]]
    name = 'nmap-ssh'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{category}{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ssh_nmap.xml" {address}'
    [[ssh.manual]]
    description = 'Bruteforce logins:'
    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
+        '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
+        '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
    ]
 [smb]
@ -410,45 +410,52 @@ service-names = [
    [[smb.scan]]
    name = 'nmap-smb'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_nmap.xml" {address}'
    [[smb.scan]]
    name = 'smbclient'
    command = '{smbclient} -L\\ -N -I {address} 2>&1 | tee "{scandir}/{category}smbclient.txt"'
    run_once = true
    ports.tcp = [139, 445]
    [[smb.scan]]
    name = 'smb-version'
    command = '{smb_version} {address} -P {port} | head -n 1 | tee -a "{scandir}/{category}smb-version.txt"'
    run_once = true
    ports.tcp = [139, 445]
    [[smb.scan]]
    name = 'smbmap-share-permissions'
    command = '{smbmap} -H {address} -P {port} 2>&1 | tee -a "{scandir}/{category}smbmap-share-permissions.txt"; {smbmap} -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/{category}smbmap-share-permissions.txt"'
    [[smb.scan]]
    name = 'smbmap-list-contents'
    command = '{smbmap} -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/{category}smbmap-list-contents.txt"; {smbmap} -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/{category}smbmap-list-contents.txt"'
    [[smb.scan]]
    name = 'smbmap-execute-command'
    command = '{smbmap} -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/{category}smbmap-execute-command.txt"; {smbmap} -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/{category}smbmap-execute-command.txt"'
    [[smb.scan]]
    name = 'enum4linux'
-    command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
+    command = '{enum4linux} -a -M -l -d {address} 2>&1 | tee "{scandir}/{category}enum4linux.txt"'
    run_once = true
    ports.tcp = [139, 389, 445]
    ports.udp = [137]
    [[smb.scan]]
    name = 'nbtscan'
-    command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
+    command = '{nbtscan} -rvh {address} 2>&1 | tee "{scandir}/{category}nbtscan.txt"'
    run_once = true
    ports.udp = [137]
    [[smb.scan]]
    name = 'smbclient'
    command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
    run_once = true
    ports.tcp = [139, 445]
    [[smb.scan]]
    name = 'smbmap-share-permissions'
    command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"'
    [[smb.scan]]
    name = 'smbmap-list-contents'
    command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"'
    [[smb.scan]]
    name = 'smbmap-execute-command'
    command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"'
    [[smb.manual]]
-    description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
+    description = '{nmap} scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
    commands = [
-        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
+        '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms06-025.xml" {address}',
-        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
+        '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms07-029.xml" {address}',
-        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
+        '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms08-067.xml" {address}'
    ]
 [smtp]
@ -459,11 +466,11 @@ service-names = [
    [[smtp.scan]]
    name = 'nmap-smtp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smtp_nmap.xml" {address}'
    [[smtp.scan]]
    name = 'smtp-user-enum'
-    command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"'
+    command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_smtp_user-enum.txt"'
 [snmp]
@ -473,59 +480,59 @@ service-names = [
    [[snmp.scan]]
    name = 'nmap-snmp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_snmp_nmap.xml" {address}'
    [[snmp.scan]]
    name = 'onesixtyone'
-    command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt"'
+    command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_onesixtyone.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk'
-    command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk-system-processes'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk-running-processes'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk-process-paths'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk-storage-units'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk-software-names'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk-user-accounts'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
    run_once = true
    ports.udp = [161]
    [[snmp.scan]]
    name = 'snmpwalk-tcp-ports'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
+    command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
    run_once = true
    ports.udp = [161]
@ -537,7 +544,7 @@ service-names = [
    [[telnet.scan]]
    name = 'nmap-telnet'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_telnet_nmap.xml" {address}'
 [tftp]
@ -547,7 +554,7 @@ service-names = [
    [[tftp.scan]]
    name = 'nmap-tftp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{category}{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_tftp_nmap.xml" {address}'
 [vnc]
@ -557,4 +564,4 @@ service-names = [
    [[vnc.scan]]
    name = 'nmap-vnc'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'
+    command = '{nmap} {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_vnc_nmap.xml" {address}'