RomanNum3ral
/
AutoRecon
mirror of https://github.com/Tib3rius/AutoRecon.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Initial commit with support for custom configuration files.

This commit is contained in:
svo80 2019-04-29 23:59:50 +02:00
parent 99532a1a91
commit 96dc48c9d0
6 changed files with 1106 additions and 606 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

494
README.md
View File

@ -1,31 +1,24 @@
# AutoRecon # AutoReconR
AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements. AutoReconR attempts to automate parts of the network reconnaissance and service enumeration phase. Respective findings are described and summarized in an automatically generated report. As such, AutoReconR may facilitate identifying potential weaknesses in target systems more quickly and finding an entry point.
The tool works by firstly performing port scans / service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, nikto will be launched (as well as many others). The tool is intended to be running in the background, while the tester can focus on other tasks in parallel. For instance, in laboratory environments as offered by Offensive Security or during security exams like OSCP, the tester may start writing exploits while AutoReconR scans the remaining targets and performs automatic service enumeration. The tool is highly customizable and supports different scanning profiles in order to efficiently balance program runtime with the amount of extracted information. It should be noted though that the scanning approach is generally deep and aims at examining a system in great detail. A typical program run may take between 20 and 60 minutes, depending on the discovered system services and corresponding programs that should be subsequently executed. Applications such as enum4linux, gobuster, or nikto are able to retrieve extensive information about a target but also increase the required total scanning time. It is also noteworthy that AutoReconR **does not perform any automatic exploitation**, although respective programs can be easily integrated and triggered with the help of custom configuration files that will be automatically included at startup.
Everything in the tool is highly configurable. The default configuration performs **no automated exploitation** to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the mis-use of this tool. ## Origin and Features
## Origin AutoReconR is forked from [AutoRecon](https://github.com/Tib3rius/AutoRecon) by Tib3rius. The tool was extended with a number of additional features, including
AutoRecon was inspired by three tools which the author used during the OSCP labs: [Reconnoitre](https://github.com/codingo/Reconnoitre), [ReconScan](https://github.com/RoliSoft/ReconScan), and [bscan](https://github.com/welchbj/bscan). While all three tools were useful, none of the three alone had the functionality desired. AutoRecon combines the best features of the aforementioned tools while also implementing many new features to help testers with enumeration of multiple targets. * the possibility to read a list of targets from a file,
* define scanning and service enumeration profiles in custom configuration files,
## Features * automatically store scanning results in a folder structure categorized by system service,
* trigger additional actions based on identified services and service patterns,
* Supports multiple targets in the form of IP addresses, IP ranges (CIDR notation), and resolvable hostnames. * balance program runtime and scanning depth with the help of complexity levels, and
* Targets can either be specified via the command line or read from a file. * summarize findings in a corresponding PDF report.
* Can scan targets concurrently, utilizing multiple processors if they are available.
* Customizable port scanning profiles for flexibility in your initial scans.
* Customizable service enumeration commands and suggested manual follow-up commands.
* Support for different complexity levels to better balance runtime and scanning depth during service enumeration.
* An intuitive directory structure for results gathering.
* Full logging of commands that were run, along with errors if they fail.
* Global and per-scan pattern matching so you can highlight/extract important information from the noise.
## Requirements ## Requirements
* Python 3 * Python 3
* enscript * enscript (to be replaced later)
* colorama * colorama
* toml * toml
@ -35,469 +28,12 @@ Once Python 3 and enscript are installed, pip3 can be used to install the other
$ pip3 install -r requirements.txt $ pip3 install -r requirements.txt
``` ```
Several commands used in AutoRecon reference the SecLists project, in the directory /usr/share/seclists/. You can either manually download the SecLists project to this directory (https://github.com/danielmiessler/SecLists), or if you are using Kali Linux (**highly recommended**) you can run the following: In addition it is advised downloading word lists for password brute forcing and web crawling from the SecLists project (https://github.com/danielmiessler/SecLists).
On Kali Linux, these files are stored in the /usr/share/seclists/ directory or can be installed by running:
```bash ```bash
$ sudo apt install seclists $ sudo apt install seclists
``` ```
AutoRecon will still run if you do not install SecLists, though several commands may fail, and some manual commands may not run either.
Additionally the following commands may need to be installed, depending on your OS:
```
curl
enum4linux
gobuster
nbtscan
nikto
nmap
onesixtyone
oscanner
smbclient
smbmap
smtp-user-enum
snmpwalk
sslscan
svwar
tnscmd10g
whatweb
wkhtmltoimage
```
AutoRecon performs some checks during startup and will indicate any program that is missing and will potentially affect the result gathering process.
## Usage
AutoRecon uses Python 3 specific functionality and does not support Python 2.
```
usage: autorecon.py [-h] [-ct <number>] [-cs <number>] [--profile PROFILE]
[-o OUTPUT] [--nmap NMAP | --nmap-append NMAP_APPEND]
[--skip-service-scan]
[--run-level RUN_LEVEL [RUN_LEVEL ...]] [--run-only]
[-r TARGET_FILE] [-v] [--disable-sanity-checks]
[targets [targets ...]]
Network reconnaissance tool to port scan and automatically enumerate services
found on multiple targets.
positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g.
10.0.0.1/24), or resolvable hostnames (e.g. foo.bar)
to scan.
optional arguments:
-h, --help show this help message and exit
-ct <number>, --concurrent-targets <number>
The maximum number of target hosts to scan
concurrently. Default: 5
-cs <number>, --concurrent-scans <number>
The maximum number of scans to perform per target
host. Default: 10
--profile PROFILE The port scanning profile to use (defined in port-
scan-profiles.toml). Default: default
-o OUTPUT, --output OUTPUT
The output directory for results. Default: results
--nmap NMAP Override the {nmap_extra} variable in scans. Default:
--reason -Pn
--nmap-append NMAP_APPEND
Append to the default {nmap_extra} variable in scans.
--skip-service-scan Do not perfom extended service scanning but only
document commands.
--run-level RUN_LEVEL [RUN_LEVEL ...]
During extended service scanning, only run scanners of
a certain complexity level or below.
--run-only If enabled, only run scanners of the specified
complexity level during extended service scanning.
-r TARGET_FILE, --read TARGET_FILE
Read targets from file.
-v, --verbose Enable verbose output. Repeat for more verbosity.
--disable-sanity-checks
Disable sanity checks that would otherwise prevent the
scans from running.
```
### Examples
**Scanning a single target:**
```
python3 autorecon.py 127.0.0.1
[*] Scanning target 127.0.0.1
[*] Running service detection nmap-full-tcp on 127.0.0.1
[*] Running service detection nmap-top-20-udp on 127.0.0.1
[*] Running service detection nmap-quick on 127.0.0.1
[*] Service detection nmap-quick on 127.0.0.1 finished successfully
[*] [127.0.0.1] ssh found on tcp/22
[*] [127.0.0.1] http found on tcp/80
[*] [127.0.0.1] rpcbind found on tcp/111
[*] [127.0.0.1] postgresql found on tcp/5432
[*] Running task tcp/22/nmap-ssh on 127.0.0.1
[*] Running task tcp/80/nmap-http on 127.0.0.1
[*] Running task tcp/80/curl-index on 127.0.0.1
[*] Running task tcp/80/curl-robots on 127.0.0.1
[*] Running task tcp/80/whatweb on 127.0.0.1
[*] Running task tcp/80/nikto on 127.0.0.1
[*] Running task tcp/111/nmap-nfs on 127.0.0.1
[*] Task tcp/80/curl-index on 127.0.0.1 finished successfully
[*] Task tcp/80/curl-robots on 127.0.0.1 finished successfully
[*] Task tcp/22/nmap-ssh on 127.0.0.1 finished successfully
[*] Task tcp/80/whatweb on 127.0.0.1 finished successfully
[*] Task tcp/111/nmap-nfs on 127.0.0.1 finished successfully
[*] Task tcp/80/nmap-http on 127.0.0.1 finished successfully
[*] Task tcp/80/nikto on 127.0.0.1 finished successfully
[*] Service detection nmap-top-20-udp on 127.0.0.1 finished successfully
[*] Service detection nmap-full-tcp on 127.0.0.1 finished successfully
[*] [127.0.0.1] http found on tcp/5984
[*] [127.0.0.1] rtsp found on tcp/5985
[*] Running task tcp/5984/nmap-http on 127.0.0.1
[*] Running task tcp/5984/curl-index on 127.0.0.1
[*] Running task tcp/5984/curl-robots on 127.0.0.1
[*] Running task tcp/5984/whatweb on 127.0.0.1
[*] Running task tcp/5984/nikto on 127.0.0.1
[*] Task tcp/5984/curl-index on 127.0.0.1 finished successfully
[*] Task tcp/5984/curl-robots on 127.0.0.1 finished successfully
[*] Task tcp/5984/whatweb on 127.0.0.1 finished successfully
[*] Task tcp/5984/nikto on 127.0.0.1 finished successfully
[*] Task tcp/5984/nmap-http on 127.0.0.1 finished successfully
[*] Finished scanning target 127.0.0.1
```
The default port scan profile first performs a full TCP port scan, a top 20 UDP port scan, and a top 1000 TCP port scan. You may ask why AutoRecon scans the top 1000 TCP ports at the same time as a full TCP port scan (which also scans those ports). The reason is simple: most open ports will generally be in the top 1000, and we want to start enumerating services quickly, rather than wait for Nmap to scan every single port. As you can see, all the service enumeration scans actually finish before the full TCP port scan is done. While there is a slight duplication of efforts, it pays off by getting actual enumeration results back to the tester quicker.
Note that the actual command line output will be colorized if your terminal supports it.
**Scanning multiple targets**
```
python3 autorecon.py 192.168.1.100 192.168.1.1/30 localhost
[*] Scanning target 192.168.1.100
[*] Scanning target 192.168.1.1
[*] Scanning target 192.168.1.2
[*] Scanning target localhost
[*] Running service detection nmap-quick on 192.168.1.100
[*] Running service detection nmap-quick on localhost
[*] Running service detection nmap-top-20-udp on 192.168.1.100
[*] Running service detection nmap-quick on 192.168.1.1
[*] Running service detection nmap-quick on 192.168.1.2
[*] Running service detection nmap-top-20-udp on 192.168.1.1
[*] Running service detection nmap-full-tcp on 192.168.1.100
[*] Running service detection nmap-top-20-udp on localhost
[*] Running service detection nmap-top-20-udp on 192.168.1.2
[*] Running service detection nmap-full-tcp on localhost
[*] Running service detection nmap-full-tcp on 192.168.1.1
[*] Running service detection nmap-full-tcp on 192.168.1.2
...
```
AutoRecon supports multiple targets per scan, and will expand IP ranges provided in CIDR notation. By default, only 5 targets will be scanned at a time, with 10 scans per target.
**Scanning multiple targets with advanced options**
```
python3 autorecon.py -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost
[*] Scanning target 192.168.1.100
[*] Scanning target 192.168.1.1
[*] Running service detection nmap-quick on 192.168.1.100 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.xml" 192.168.1.100
[*] Running service detection nmap-quick on 192.168.1.1 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.xml" 192.168.1.1
[*] Running service detection nmap-top-20-udp on 192.168.1.100 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.xml" 192.168.1.100
[*] Running service detection nmap-top-20-udp on 192.168.1.1 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.xml" 192.168.1.1
[-] [192.168.1.1 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.1 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] Initiating ARP Ping Scan at 17:25
[-] [192.168.1.100 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.100 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] Initiating ARP Ping Scan at 17:25
...
```
In this example, the -ct option limits the number of concurrent targets to 2, and the -cs option limits the number of concurrent scans per target to 2. The -vv option makes the output very verbose, showing the output of every scan being run. The -o option sets a custom output directory for scan results to be saved.
### Verbosity
AutoRecon supports three levels of verbosity:
* (none) Minimal output. AutoRecon will announce when target scans start and finish, as well as which services were identified.
* (-v) Verbose output. AutoRecon will additionally specify the exact commands which are being run, as well as highlighting any patterns which are matched in command output.
* (-vv) Very verbose output. AutoRecon will output everything. Literally every line from all commands which are currently running. When scanning multiple targets concurrently, this can lead to a ridiculous amount of output. It is not advised to use -vv unless you absolutely need to see live output from commands.
### Results
By default, results will be stored in the ./results directory. A new sub directory is created for every target. The structure of this sub directory is:
```
├── exploit
├── loot
├── privilege_escalation
├── report
│   ├── local.txt
│   ├── proof.txt
│   └── screenshots
└── scans
├── _commands.log
├── _errors.log
├── _full_tcp_nmap.txt
├── _manual_commands.log
├── _notes.txt
├── _patterns.log
├── _quick_tcp_nmap.txt
├── <service>
├── <service>
├── (...)
└── xml
├── <service>
├── <service>
├── (...)
```
The exploit directory is intended to contain any exploit code you download / write for the target.
The loot directory is intended to contain any loot (e.g. hashes, interesting files) you find on the target.
The privilege_escalation directory is intended to contain any code for escalating the privileges on the target once initial access has been gained
The report directory contains some auto-generated files and directories that are useful for reporting:
* local.txt can be used to store the local.txt flag found on targets.
* notes.txt should contain a basic template where you can write notes for each service discovered.
* proof.txt can be used to store the proof.txt flag found on targets.
* The screenshots directory is intended to contain the screenshots you use to document the exploitation of the target.
The scans directory (and respective subdirectories) is where all results from scans performed by AutoRecon will go. This includes port scans / service detection scans, as well as any service enumeration scans. It also contains two other files:
* \_commands.log contains a list of every command AutoRecon ran against the target. This is useful if one of the commands fails and you want to run it again with modifications.
* \_manual_commands.txt contains any commands that are deemed "too dangerous" to run automatically, either because they are too intrusive, require modification based on human analysis, or just work better when there is a human monitoring them.
If a scan results in an error, a file called \_errors.log will also appear in the scans directory with some details to alert the user.
If output matches a defined pattern, a file called \_patterns.log will also appear in the scans directory with details about the matched output.
The file \_notes.txt contains information about any open ports discovered during scanning.
The scans/xml directory stores any XML output (e.g. from Nmap scans) separately from the main scan outputs, so that the scans directory itself does not get too cluttered.
### Port Scan profiles
The port-scan-profiles.toml file is where you can define the initial port scans / service detection commands. The configuration file uses the TOML format, which is explained here: https://github.com/toml-lang/toml
Here is an example profile called "quick":
```toml
[quick]
[quick.nmap-quick]
[quick.nmap-quick.service-detection]
command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[quick.nmap-top-20-udp]
[quick.nmap-top-20-udp.service-detection]
command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
```
Note that indentation is optional, it is used here purely for aesthetics. The "quick" profile defines a scan called "nmap-quick". This scan has a service-detection command which uses nmap to scan the top 1000 TCP ports. The command uses two references: {scandir} is the location of the scans directory for the target, and {address} is the address of the target.
A regex pattern is defined which matches three named groups (port, protocol, and service) in the output. Every service-detection command must have a corresponding pattern that matches all three of those groups. AutoRecon will attempt to do some checks and refuse to scan if any of these groups are missing.
An almost identical scan called "nmap-top-20-udp" is also defined. This scans the top 20 UDP ports.
Here is a more complicated example:
```toml
[udp]
[udp.udp-top-20]
[udp.udp-top-20.port-scan]
command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"'
pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$'
[udp.udp-top-20.service-detection]
command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
```
In this example, a profile called "udp" defines a scan called "udp-top-20". This scan has two commands, one is a port-scan and the other is a service-detection. When a port-scan command is defined, it will always be run first. The corresponding pattern must match a named group "port" which extracts the port number from the output.
The service-detection will be run after the port-scan command has finished, and uses a new reference: {ports}. This reference is a comma-separated string of all the ports extracted by the port-scan command. Note that the same three named groups (port, protocol, and service) are defined in the service-detection pattern.
Both the port-scan and the service-detection commands use the {scandir} and {address} references.
Note that if a port-scan command is defined without a corresponding service-detection command, AutoRecon will refuse to scan.
This more complicated example is only really useful if you want to use unicornscan's speed in conjuction with nmap's service detection abilities. If you are content with using Nmap for both port scanning and service detection, you do not need to use this setup.
### Service Scans
The service-scans.toml file is where you can define service enumeration scans and other manual commands associated with certain services.
Here is an example of a simple configuration:
```toml
[ftp]
service-names = [
'^ftp',
'^ftp\-data'
]
[[ftp.scan]]
name = 'nmap-ftp'
command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'
[[ftp.scan.pattern]]
description = 'Anonymous FTP Enabled!'
pattern = 'Anonymous FTP login allowed'
[[ftp.manual]]
description = 'Bruteforce logins:'
commands = [
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
]
```
Note that indentation is optional, it is used here purely for aesthetics. The service "ftp" is defined here. The service-names array contains regex strings which should match the service name from the service-detection scans. Regex is used to be as flexible as possible. The service-names array works on a whitelist basis; as long as one of the regex strings matches, the service will get scanned.
An optional ignore-service-names array can also be defined, if you want to blacklist certain regex strings from matching.
The ftp.scan section defines a single scan, named nmap-ftp. This scan defines a command which runs nmap with several ftp-related scripts. Several references are used here:
* {nmap_extra} by default is set to "-vv --reason -Pn" but this can be overridden or appended to using the --nmap or --nmap-append command line options respectively. If the protocol is UDP, "-sU" will also be appended.
* {port} is the port that the service is running on.
* {scandir} is the location of the scans directory for the target.
* {protocol} is the protocol being used (either tcp or udp).
* {address} is the address of the target.
A pattern is defined for the nmap-ftp scan, which matches the simple pattern "Anonymous FTP login allowed". In the event that this pattern matches output of the nmap-ftp command, the pattern description ("Anonymous FTP Enabled!") will be saved to the \_patterns.log file in the scans directory. A special reference {match} can be used in the description to reference the entire match, or the first capturing group.
The ftp.manual section defines a group of manual commands. This group contains a description for the user, and a commands array which contains the commands that a user can run. Two new references are defined here: {username_wordlist} and {password_wordlist} which are configured at the very top of the service-scans.toml file, and default to a username and password wordlist provided by SecLists.
Here is a more complicated configuration:
```toml
[smb]
service-names = [
'^smb',
'^microsoft\-ds',
'^netbios'
]
[[smb.scan]]
name = 'nmap-smb'
command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
[[smb.scan]]
name = 'enum4linux'
command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
run_once = true
ports.tcp = [139, 389, 445]
ports.udp = [137]
level = 2
[[smb.scan]]
name = 'nbtscan'
command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
run_once = true
ports.udp = [137]
[[smb.scan]]
name = 'smbclient'
command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
run_once = true
ports.tcp = [139, 445]
[[smb.scan]]
name = 'smbmap-share-permissions'
command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"'
[[smb.scan]]
name = 'smbmap-list-contents'
command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"'
[[smb.scan]]
name = 'smbmap-execute-command'
command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"'
[[smb.manual]]
description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
commands = [
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
]
```
The main difference here is that several scans have some new settings:
* The ports.tcp array defines a whitelist of TCP ports which the command can be run against. If the service is detected on a port that is not in the whitelist, the command will not be run against it.
* The ports.udp array defines a whitelist of UDP ports which the command can be run against. It operates in the same way as the ports.tcp array.
Why do these settings even exist? Well, some commands will only run against specific ports, and can't be told to run against any other ports. enum4linux for example, will only run against TCP ports 139, 389, and 445, and UDP port 137.
In fact, enum4linux will always try these ports when it is run. So if the SMB service is found on TCP ports 139 and 445, AutoRecon may attempt to run enum4linux twice for no reason. This is why the third setting exists:
* If run_once is set to true, the command will only ever run once for that target, even if the SMB service is found on multiple ports.
* The level variable indicates the complexity of performing the scan. For instance, the nikto security scanner is able to examine a running web server in depth. At the same time, the scanning process is also lengthy and significantly increases the runtime of AutoRecon when evaluating multiple targets.
With the help of the --run-level parameter, the user has the possibility of better balancing required scanning time and scanning depth. Programs that require a longer runtime can also be run individually by making use of the --run-only parameter. Thereby, the user may run a quick scan first, followed by a more in-depth scan, e.g.,
```
# run any extended service enumeration program with a complexity level of 2 or lower
$ python3 autorecon.py 127.0.0.1 --run-level 2
# only run programs with a complexity level of 3
$ python3 autorecon.py 127.0.0.1 --run-level 3 --run-only
The user may also skip extended service scanning entirely by specifying the --skip-service-scan parameter. In this case, respective commands will be only documented but not executed, giving the tester a good check list for later service analysis and planning the attack more carefully.
```
## Testimonials
> AutoRecon was invaluable during my OSCP exam, in that it saved me from the tedium of executing my active information gathering commands myself. I was able to start on a target with all of the information I needed clearly laid in front of me. I would strongly recommend this utility for anyone in the PWK labs, the OSCP exam, or other environments such as VulnHub or HTB. It is a great tool for both people just starting down their journey into OffSec and seasoned veterans alike. Just make sure that somewhere between those two points you take the time to learn what's going on "under the hood" and how / why it scans what it does.
>
>\- b0ats (rooted 5/5 exam hosts)
> Wow, what a great find! Before using AutoRecon, ReconScan was my goto enumeration script for targets because it automatically ran the enumeration commands after it finds open ports. The only thing missing was the automatic creation of key directories a pentester might need during an engagement (exploit, loot, report, scans). Reconnoitre did this but didn't automatically run those commands for you. I thought ReconScan that was the bee's knees until I gave AutoRecon a try. It's awesome! It combines the best features of Reconnoitre (auto directory creation) and ReconScan (automatically executing the enumeration commands). All I have to do is run it on a target or a set of targets and start going over the information it has already collected while it continues the rest of scan. The proof is in the pudding :) Passed the OSCP exam! Kudos to Tib3rius!
>
>\- werk0ut
> A friend told me about AutoRecon, so I gave it a try in the PWK labs. AutoRecon launches the common tools we all always use, whether it be nmap or nikto, and also creates a nice subfolder system based on the targets you are attacking. The strongest feature of AutoRecon is the speed; on the OSCP exam I left the tool running in the background while I started with another target, and in a matter of minutes I had all of the AutoRecon output waiting for me. AutoRecon creates a file full of commands that you should try manually, some of which may require tweaking (for example, hydra bruteforcing commands). It's good to have that extra checklist.
>
>\- tr3mb0 (rooted 4/5 exam hosts)
> Being introduced to AutoRecon was a complete game changer for me while taking the OSCP and establishing my penetration testing methodology. AutoRecon is a multi-threaded reconnaissance tool that combines and automates popular enumeration tools to do most of the hard work for you. You can't get much better than that! After running AutoRecon on my OSCP exam hosts, I was given a treasure chest full of information that helped me to start on each host and pass on my first try. The best part of the tool is that it automatically launches further enumeration scans based on the initial port scans (e.g. run enum4linux if SMB is detected). The only bad part is that I did not use this tool sooner! Thanks Tib3rius.
>
>\- rufy (rooted 4/5 exam hosts)
> AutoRecon allows a security researcher to iteratively scan hosts and identify potential attack vectors. Its true power comes in the form of performing scans in the background while the attacker is working on another host. I was able to start my scans and finish a specific host I was working on - and then return to find all relevant scans completed. I was then able to immediately begin trying to gain initial access instead of manually performing the active scanning process. I will continue to use AutoRecon in future penetration tests and CTFs, and highly recommend you do the same.
>
>\- waar (rooted 4.99/5 exam hosts)
> "If you have to do a task more than twice a day, you need to automate it." That's a piece of advice that an old boss gave to me. AutoRecon takes that lesson to heart. Whether you're sitting in the exam, or in the PWK labs, you can fire off AutoRecon and let it work its magic. I had it running during my last exam while I worked on the buffer overflow. By the time I finished, all the enum data I needed was there for me to go through. 10/10 would recommend for anyone getting into CTF, and anyone who has been at this a long time.
>
>\- whoisflynn
> I love this tool so much I wrote it.
>
>\- Tib3rius (rooted 5/5 exam hosts)

933
autoreconr.py Normal file
View File

@ -0,0 +1,933 @@
#!/usr/bin/env python3
#
# AutoReconR attempts to automate parts of the network reconnaissance process and creates a respective findings report.
#
# This program can be redistributed and/or modified under the terms of the
# GNU General Public License, either version 3 of the License, or (at your
# option) any later version.
#
import argparse
import asyncio
from colorama import Fore, Style
from concurrent.futures import ProcessPoolExecutor, as_completed, FIRST_COMPLETED
import ipaddress
import os
import re
import socket
import string
from datetime import datetime
import sys
import toml
import glob
import pprint
__version__ = '0.0.1'
verbose = 0
nmap_default_options = '--reason -Pn'
srvname = ''
# number of possible complexity levels for scanners
max_level = 3
port_scan_profile = None
port_scan_profiles_config = None
service_scans_config = None
port_scan_profiles_config = {}
service_scans_config = {}
global_patterns = []
program_paths = {}
# defines how sections in configuration files need to be labelled in order to be considered
markup = {
'port_scan_profile' : 'port-scan',
'service_scan_profile' : 'service-scan',
'pattern_profile' : 'pattern',
}
files = {
'config' : 'config.toml',
'commands' : '_commands.log',
'manual_commands' : '_manual_commands.log',
'errors' : '_errors.log',
'notes' : '_notes.txt',
'patterns' : '_patterns.txt',
'report' : 'report.pdf',
}
username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
rootdir = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__)))
def e(*args, frame_index=1, **kvargs):
frame = sys._getframe(frame_index)
vals = {}
vals.update(frame.f_globals)
vals.update(frame.f_locals)
vals.update(kvargs)
return string.Formatter().vformat(' '.join(args), args, vals)
def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1, file=sys.stdout, **kvargs):
frame = sys._getframe(frame_index)
vals = {
'bgreen': Fore.GREEN + Style.BRIGHT,
'bred': Fore.RED + Style.BRIGHT,
'bblue': Fore.BLUE + Style.BRIGHT,
'byellow': Fore.YELLOW + Style.BRIGHT,
'bmagenta': Fore.MAGENTA + Style.BRIGHT,
'green': Fore.GREEN,
'red': Fore.RED,
'blue': Fore.BLUE,
'yellow': Fore.YELLOW,
'magenta': Fore.MAGENTA,
'bright': Style.BRIGHT,
'srst': Style.NORMAL,
'crst': Fore.RESET,
'rst': Style.NORMAL + Fore.RESET
}
vals.update(frame.f_globals)
vals.update(frame.f_locals)
vals.update(kvargs)
clock = datetime.now().strftime('%H:%M:%S')
clock = sep + '[' + Style.BRIGHT + Fore.YELLOW + clock + Style.NORMAL + Fore.RESET + ']'
unfmt = ''
if char is not None:
unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + clock + sep
unfmt += sep.join(args)
fmted = unfmt
for attempt in range(10):
try:
fmted = string.Formatter().vformat(unfmt, args, vals)
break
except KeyError as err:
key = err.args[0]
unfmt = unfmt.replace('{' + key + '}', '{{' + key + '}}')
print(fmted, sep=sep, end=end, file=file)
def debug(*args, color=Fore.BLUE, sep=' ', end='\n', file=sys.stdout, **kvargs):
if verbose >= 2:
cprint(*args, color=color, char='-', sep=sep, end=end, file=file, frame_index=2, **kvargs)
def info(*args, sep=' ', end='\n', file=sys.stdout, **kvargs):
cprint(*args, color=Fore.GREEN, char='*', sep=sep, end=end, file=file, frame_index=2, **kvargs)
def warn(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
cprint(*args, color=Fore.YELLOW, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs)
def error(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs)
def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs)
sys.exit(-1)
# TODO: can be deleted later when 'read_configuration' handles all configuration files
def read_configuration_file(filename, replace_values = {}):
data = {}
try:
with open(os.path.join(rootdir, 'config', filename), 'r') as f:
data = f.read()
for entry in replace_values:
data = re.sub('{' +entry + '}', replace_values[entry], data)
data = toml.loads(data)
except (OSError, toml.decoder.TomlDecodeError) as e:
fail('Error: The configuration file {filename} could not be read.')
return data
def read_configuration(filename):
data = {}
port_scan_profiles = {}
service_scan_profiles = {}
patterns = []
try:
with open(filename, 'r') as f:
data = f.read()
# TODO: insert program path at a later point before the program is executed
for entry in program_paths:
data = re.sub('{' +entry + '}', program_paths[entry], data)
data = toml.loads(data)
for profile in data:
if profile.lower() == markup['port_scan_profile']:
port_scan_profiles = data[profile]
elif profile.lower() == markup['service_scan_profile']:
service_scan_profiles = data[profile]
elif profile.lower() == markup['pattern_profile']:
patterns = data[profile]
else:
warn('Warning: Unknown markup {profile} discovered in configuration file {filename}.')
except (OSError, toml.decoder.TomlDecodeError) as e:
fail('Error: The configuration file {filename} could not be read.')
return port_scan_profiles, service_scan_profiles, patterns
def get_configuration():
applications_config = read_configuration_file('config.toml')
if len(applications_config) > 0 and 'applications' in applications_config:
global program_paths
program_paths = applications_config['applications']
# check whether applications exist
for application in program_paths:
if not os.path.isfile(program_paths[application]):
warn('Warning: The application {application} was not found on the system in the specified path.')
else:
warn('Warning: The section for application paths was not found in the {application_config_file} configuration file.')
filenames = glob.glob(os.path.join(rootdir, 'config', '**', '*.toml'), recursive = True)
for filename in filenames:
if os.path.basename(filename) == files['config']: continue
port_scan_profiles, service_scan_profiles, patterns = read_configuration(filename)
global port_scan_profiles_config
port_scan_profiles_config = {**port_scan_profiles_config, **port_scan_profiles}
global service_scans_config
service_scans_config = {**service_scans_config, **service_scan_profiles}
global global_patterns
global_patterns += patterns
if len(port_scan_profiles_config) == 0:
fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.')
return False
if 'username_wordlist' in service_scans_config:
if isinstance(service_scans_config['username_wordlist'], str):
username_wordlist = service_scans_config['username_wordlist']
if 'password_wordlist' in service_scans_config:
if isinstance(service_scans_config['password_wordlist'], str):
password_wordlist = service_scans_config['password_wordlist']
return True
async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
address = target.address
while True:
line = await stream.readline()
if line:
line = str(line.rstrip(), 'utf8', 'ignore')
debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color)
for p in global_patterns:
matches = re.findall(p['pattern'], line)
if 'description' in p:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
else:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
for p in patterns:
matches = re.findall(p['pattern'], line)
if 'description' in p:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
else:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
else:
break
async def run_cmd(semaphore, cmd, target, category='?', tag='?', patterns=[]):
async with semaphore:
address = target.address
scandir = target.scandir
if len(category) == 0: category = 'all'
category = category.strip('/')
info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}.' if verbose >= 1 else '.'))
async with target.lock:
with open(os.path.join(scandir, files['commands']), 'a') as file:
file.writelines(e('{category} - {cmd}\n\n'))
# skip extended service scanning if only respective commands should be documented
if args.skip_service_scan: return {'returncode': 0, 'name': 'run_cmd'}
process = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
await asyncio.wait([
read_stream(process.stdout, target, tag=tag, patterns=patterns),
read_stream(process.stderr, target, tag=tag, patterns=patterns, color=Fore.RED)
])
await process.wait()
if process.returncode != 0:
error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}.')
async with target.lock:
with open(os.path.join(scandir, files['errors']), 'a') as file:
file.writelines(e('[*] Task {tag} returned non-zero exit code: {process.returncode}. Command: {cmd}\n'))
else:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.')
return {'returncode': process.returncode, 'name': 'run_cmd'}
async def parse_port_scan(stream, tag, target, pattern):
address = target.address
ports = []
while True:
line = await stream.readline()
if line:
line = str(line.rstrip(), 'utf8', 'ignore')
debug(Fore.BLUE + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=Fore.BLUE)
parse_match = re.search(pattern, line)
if parse_match:
ports.append(parse_match.group('port'))
for p in global_patterns:
matches = re.findall(p['pattern'], line)
if 'description' in p:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
else:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
else:
break
return ports
async def parse_service_detection(stream, tag, target, pattern):
address = target.address
services = []
while True:
line = await stream.readline()
if line:
line = str(line.rstrip(), 'utf8', 'ignore')
debug(Fore.BLUE + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=Fore.BLUE)
parse_match = re.search(pattern, line)
if parse_match:
services.append((parse_match.group('protocol').lower(), int(parse_match.group('port')), parse_match.group('service')))
for p in global_patterns:
matches = re.findall(p['pattern'], line)
if 'description' in p:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
else:
for match in matches:
if verbose >= 1:
info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
async with target.lock:
with open(os.path.join(target.scandir, files['patterns']), 'a') as file:
file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
else:
break
return services
async def run_portscan(semaphore, tag, target, service_detection, port_scan=None):
async with semaphore:
address = target.address
scandir = target.scandir
nmap_extra = nmap_default_options
ports = ''
if port_scan is not None:
command = e(port_scan[0])
pattern = port_scan[1]
info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.'))
async with target.lock:
with open(os.path.join(scandir, files['commands']), 'a') as file:
file.writelines(e('{command}\n\n'))
process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
output = [
parse_port_scan(process.stdout, tag, target, pattern),
read_stream(process.stderr, target, tag=tag, color=Fore.RED)
]
results = await asyncio.gather(*output)
await process.wait()
if process.returncode != 0:
error('Port scan {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}')
async with target.lock:
with open(os.path.join(scandir, files['errors']), 'a') as file:
file.writelines(e('[*] Port scan {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n'))
return {'returncode': process.returncode}
else:
info('Port scan {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully')
ports = results[0]
if len(ports) == 0:
return {'returncode': -1}
ports = ','.join(ports)
command = e(service_detection[0])
pattern = service_detection[1]
info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.'))
async with target.lock:
with open(os.path.join(scandir, files['commands']), 'a') as file:
file.writelines(e('{command}\n\n'))
process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
output = [
parse_service_detection(process.stdout, tag, target, pattern),
read_stream(process.stderr, target, tag=tag, color=Fore.RED)
]
results = await asyncio.gather(*output)
await process.wait()
if process.returncode != 0:
error('Service detection {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}')
async with target.lock:
with open(os.path.join(scandir, files['errors']), 'a') as file:
file.writelines(e('[*] Service detection {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n'))
else:
info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.')
services = results[0]
return {'returncode': process.returncode, 'name': 'run_portscan', 'services': services}
async def scan_services(loop, semaphore, target):
address = target.address
scandir = target.scandir
pending = []
for profile in port_scan_profiles_config:
if profile == port_scan_profile:
for scan in port_scan_profiles_config[profile]:
service_detection = (port_scan_profiles_config[profile][scan]['service-detection']['command'], port_scan_profiles_config[profile][scan]['service-detection']['pattern'])
if 'port-scan' in port_scan_profiles_config[profile][scan]:
port_scan = (port_scan_profiles_config[profile][scan]['port-scan']['command'], port_scan_profiles_config[profile][scan]['port-scan']['pattern'])
pending.append(run_portscan(semaphore, scan, target, service_detection, port_scan))
else:
pending.append(run_portscan(semaphore, scan, target, service_detection))
break
services = []
while True:
if not pending:
break
done, pending = await asyncio.wait(pending, return_when=FIRST_COMPLETED)
for task in done:
result = task.result()
if result['returncode'] == 0:
if result['name'] == 'run_portscan':
for service_tuple in result['services']:
if service_tuple not in services:
services.append(service_tuple)
else:
continue
protocol = service_tuple[0]
port = service_tuple[1]
service = service_tuple[2]
info('Port {bmagenta}{protocol} {port}{rst} ({bmagenta}{service}{rst}) open on target {byellow}{address}{rst}.')
with open(os.path.join(target.scandir, files['notes']), 'a') as file:
file.writelines(e('[*] Port {protocol} {port} ({service}) open on {address}.\n\n'))
if protocol == 'udp':
nmap_extra = nmap_default_options + " -sU"
else:
nmap_extra = nmap_default_options
secure = True if 'ssl' in service or 'tls' in service else False
# Special cases for HTTP.
scheme = 'https' if 'https' in service or 'ssl' in service or 'tls' in service else 'http'
if service.startswith('ssl/') or service.startswith('tls/'):
service = service[4:]
for service_scan in service_scans_config:
# Skip over configurable variables since the python toml parser cannot iterate over tables only.
if service_scan in ['username_wordlist', 'password_wordlist']:
continue
ignore_service = False
if 'ignore-service-names' in service_scans_config[service_scan]:
for ignore_service_name in service_scans_config[service_scan]['ignore-service-names']:
if re.search(ignore_service_name, service):
ignore_service = True
break
if ignore_service:
continue
matched_service = False
if 'service-names' in service_scans_config[service_scan]:
for service_name in service_scans_config[service_scan]['service-names']:
if re.search(service_name, service):
matched_service = True
break
if not matched_service:
continue
# INFO: change for saving results in directories per service
if not service_scan == 'all-services':
category = '{0}/'.format(service_scan)
else:
category = ''
try:
servicedir = os.path.join(scandir, category)
if not os.path.exists(servicedir): os.mkdir(servicedir)
xmldir = os.path.join(scandir, 'xml', category)
if not os.path.exists(xmldir): os.mkdir(xmldir)
except OSError:
category = ''
if 'manual' in service_scans_config[service_scan]:
heading = False
with open(os.path.join(scandir, files['manual_commands']), 'a') as file:
for manual in service_scans_config[service_scan]['manual']:
if 'description' in manual:
if not heading:
file.writelines(e('[*] {service} on {protocol}/{port}\n\n'))
heading = True
description = manual['description']
file.writelines(e('\t[-] {description}\n\n'))
if 'commands' in manual:
if not heading:
file.writelines(e('[*] {service} on {protocol}/{port}\n\n'))
heading = True
for manual_command in manual['commands']:
manual_command = e(manual_command)
file.writelines('\t\t' + e('{manual_command}\n\n'))
if heading:
file.writelines('\n')
if 'scan' in service_scans_config[service_scan]:
for scan in service_scans_config[service_scan]['scan']:
if 'name' in scan:
name = scan['name']
# INFO: change for supporting different complexity levels during service scanning
run_level = scan['level'] if 'level' in scan else 0
if (not args.run_only and run_level > max(args.run_level)) or (args.run_only and not run_level in args.run_level):
if verbose >= 1:
info('Scan profile {bgreen}{name}{rst} is at a {bgree}different complexity level{rst} and is ignored.')
continue
if 'command' in scan:
tag = e('{protocol}/{port}/{name}')
command = scan['command']
if 'ports' in scan:
port_match = False
if protocol == 'tcp':
if 'tcp' in scan['ports']:
for tcp_port in scan['ports']['tcp']:
if port == tcp_port:
port_match = True
break
elif protocol == 'udp':
if 'udp' in scan['ports']:
for udp_port in scan['ports']['udp']:
if port == udp_port:
port_match = True
break
if port_match == False:
warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + Style.NORMAL + '] Scan cannot be run against {protocol} port {port}. Skipping.' + Fore.RESET)
continue
if 'run_once' in scan and scan['run_once'] == True:
scan_tuple = (name,)
if scan_tuple in target.scans:
warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan should only be run once and it appears to have already been queued. Skipping.' + Fore.RESET)
continue
else:
target.scans.append(scan_tuple)
else:
scan_tuple = (protocol, port, service, name)
if scan_tuple in target.scans:
warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan appears to have already been queued, but it is not marked as run_once in service-scans.toml. Possible duplicate tag? Skipping.' + Fore.RESET)
continue
else:
target.scans.append(scan_tuple)
patterns = []
if 'pattern' in scan:
patterns = scan['pattern']
try:
pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, category=category, tag=tag, patterns=patterns)))
except KeyError:
error('Service detection {bred}{tag}{rst} on {byellow}{address}{rst} could not be started' + (' with {bblue}{cmd}{rst}.' if verbose >= 1 else '.'))
def scan_host(target, concurrent_scans):
info('Scanning target {byellow}{target.address}{rst}.')
basedir = os.path.abspath(os.path.join(outdir, target.address + srvname))
target.basedir = basedir
os.makedirs(basedir, exist_ok=True)
exploitdir = os.path.abspath(os.path.join(basedir, 'exploit'))
os.makedirs(exploitdir, exist_ok=True)
exploitdir = os.path.abspath(os.path.join(basedir, 'privilege_escalation'))
os.makedirs(exploitdir, exist_ok=True)
lootdir = os.path.abspath(os.path.join(basedir, 'loot'))
os.makedirs(lootdir, exist_ok=True)
reportdir = os.path.abspath(os.path.join(basedir, 'report'))
target.reportdir = reportdir
os.makedirs(reportdir, exist_ok=True)
screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots'))
os.makedirs(screenshotdir, exist_ok=True)
scandir = os.path.abspath(os.path.join(basedir, 'scans'))
target.scandir = scandir
os.makedirs(scandir, exist_ok=True)
prepare_log_files(scandir, target)
os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True)
open(os.path.abspath(os.path.join(reportdir, 'local.txt')), 'a').close()
open(os.path.abspath(os.path.join(reportdir, 'proof.txt')), 'a').close()
# Use a lock when writing to specific files that may be written to by other asynchronous functions.
target.lock = asyncio.Lock()
# Get event loop for current process.
loop = asyncio.get_event_loop()
# Create a semaphore to limit number of concurrent scans.
semaphore = asyncio.Semaphore(concurrent_scans)
try:
loop.run_until_complete(scan_services(loop, semaphore, target))
info('Finished scanning target {byellow}{target.address}{rst}.')
if not args.no_report:
loop.run_until_complete(create_report(target))
except KeyboardInterrupt:
sys.exit(1)
async def create_report(target):
address = target.address
scandir = target.scandir
reportdir = target.reportdir
#types = ('*.txt')
#filenames = []
#[filenames.extend(glob.glob(os.path.join(scandir, '*', filetype), recursive=True)) for filetype in types]
filenames = glob.glob(os.path.join(scandir, '**', '*.txt'), recursive=True)
filenames.sort()
report_order = ' '.join(filenames)
# TODO: make use of config file
cmd = '/usr/bin/enscript {0} -o - | /usr/bin/ps2pdf - {1}'.format(report_order, os.path.join(reportdir, files['report']))
info('Creating report for target {byellow}{address}{rst}.')
process = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
await process.communicate()
if process.returncode != 0:
error('{bred}Report creation{rst} for target {byellow}{address}{rst} returned non-zero exit code: {process.returncode}.')
else:
info('Report for target {byellow}{address}{rst} was created successfully.')
def prepare_log_files(scandir, target):
for filename in files:
try:
# TODO: files dictionary needs to be reorganized, otherwise some unnecessary files will be created in the scan directory
if not filename.startswith('_'): continue
caption = 'Log session started for host {0} - {1}\n'.format(target.address, datetime.now().strftime('%B %d, %Y - %H:%M:%S'))
with open(os.path.join(scandir, files[filename]), 'a') as f:
f.write('\n{}\n'.format('=' * len(caption)))
f.write(caption)
f.write('{}\n\n'.format('=' * len(caption)))
except OSError:
fail('Error while setting up log file {filename}.')
def read_targets_from_file(filename, targets, disable_sanity_checks):
if not os.path.isfile(filename):
error('The file {filename} with target information was not found.')
return (targets, True)
try:
with open(filename, 'r') as f:
entries = f.read()
except OSError:
error('The file {filename} with target information could not be read.')
return (targets, True)
error = False
for ip in entries.split('\n'):
if ip.startswith('#') or len(ip) == 0: continue
targets, failed = get_ip_address(ip, targets, disable_sanity_checks)
if failed: error = True
return (targets, error)
def get_ip_address(target, targets, disable_sanity_checks):
errors = False
try:
ip = str(ipaddress.ip_address(target))
if ip not in targets:
targets.append(ip)
except ValueError:
try:
target_range = ipaddress.ip_network(target, strict=False)
if not disable_sanity_checks and target_range.num_addresses > 256:
error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.')
errors = True
else:
for ip in target_range.hosts():
ip = str(ip)
if ip not in targets:
targets.append(ip)
except ValueError:
try:
ip = socket.gethostbyname(target)
if target not in targets:
targets.append(target)
except socket.gaierror:
warn(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.')
return (targets, errors)
def get_header():
logo = r'''
_____ __ __________ __________
/ _ \ __ ___/ |_ ____\______ \ ____ ____ ____ ____\______ \
/ /_\ \| | \ __\/ _ \| _// __ \_/ ___\/ _ \ / \| _/
/ | \ | /| | ( <_> ) | \ ___/\ \__( <_> ) | \ | \
\____|__ /____/ |__| \____/|____|_ /\___ >\___ >____/|___| /____|_ /
\/ \/ \/ \/ \/ \/
'''
print('\n{0}'.format('-' * 90))
print('{0}'.format(logo))
print('{0} v{1}'.format(' ' * (90 - len(__version__) - 2), __version__))
print('\n\tAutomated network reconnaissance and reporting.')
print('\n{0}\n'.format('-' * 90))
class Target:
def __init__(self, address):
self.address = address
self.basedir = ''
self.reportdir = ''
self.scandir = ''
self.scans = []
self.lock = None
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.', epilog = get_header())
parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*")
parser.add_argument('-ct', '--concurrent-targets', action='store', metavar='<number>', type=int, default=5, help='The maximum number of target hosts to scan concurrently. Default: %(default)s')
parser.add_argument('-cs', '--concurrent-scans', action='store', metavar='<number>', type=int, default=10, help='The maximum number of scans to perform per target host. Default: %(default)s')
parser.add_argument('--profile', action='store', default='default', help='The port scanning profile to use (defined in port-scan-profiles.toml). Default: %(default)s')
parser.add_argument('-o', '--output', action='store', default='results', help='The output directory for results. Default: %(default)s')
nmap_group = parser.add_mutually_exclusive_group()
nmap_group.add_argument('--nmap', action='store', default=nmap_default_options, help='Override the {nmap_extra} variable in scans. Default: %(default)s')
nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.')
parser.add_argument('--skip-service-scan', action='store_true', default=False, help='Do not perfom extended service scanning but only document commands.')
parser.add_argument('--run-level', action='store', type=int, default=[0], nargs="+", help='During extended service scanning, only run scanners of a certain complexity level or below.')
parser.add_argument('--run-only', action='store_true', default=False, help='If enabled, only run scanners of the specified complexity level during extended service scanning.')
parser.add_argument('-r', '--read', action='store', type=str, default='', dest='target_file', help='Read targets from file.')
parser.add_argument('--no-report', action='store_true', default=False, help='Do not create a summary report after completing scanning a target.')
parser.add_argument('-v', '--verbose', action='count', default=0, help='Enable verbose output. Repeat for more verbosity.')
parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running.')
parser.error = lambda s: fail(s[0].upper() + s[1:])
args = parser.parse_args()
if not os.getuid() == 0:
warn('Warning: You are not running the program with superuser privileges. Service scanning may be impacted.')
config_loaded = get_configuration()
if not config_loaded: sys.exit(-1)
errors = False
if args.concurrent_targets <= 0:
error('Argument -ch/--concurrent-targets: must be at least 1.')
errors = True
concurrent_scans = args.concurrent_scans
if concurrent_scans <= 0:
error('Argument -ct/--concurrent-scans: must be at least 1.')
errors = True
if min(args.run_level) < 0 or max(args.run_level) > max_level:
error('Argument --run-level: must be between 0 (default) and {}.'.format(max_level))
errors = True
port_scan_profile = args.profile
found_scan_profile = False
for profile in port_scan_profiles_config:
if profile == port_scan_profile:
found_scan_profile = True
for scan in port_scan_profiles_config[profile]:
if 'service-detection' not in port_scan_profiles_config[profile][scan]:
error('The {profile}.{scan} scan does not have a defined service-detection section. Every scan must at least have a service-detection section defined with a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the result.')
errors = True
else:
if 'command' not in port_scan_profiles_config[profile][scan]['service-detection']:
error('The {profile}.{scan}.service-detection section does not have a command defined. Every service-detection section must have a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the results.')
errors = True
else:
if '{ports}' in port_scan_profiles_config[profile][scan]['service-detection']['command'] and 'port-scan' not in port_scan_profiles_config[profile][scan]:
error('The {profile}.{scan}.service-detection command appears to reference a port list but there is no port-scan section defined in {profile}.{scan}. Define a port-scan section with a command and corresponding pattern that extracts port numbers from the result, or replace the reference with a static list of ports.')
errors = True
if 'pattern' not in port_scan_profiles_config[profile][scan]['service-detection']:
error('The {profile}.{scan}.service-detection section does not have a pattern defined. Every service-detection section must have a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the results.')
errors = True
else:
if not all(x in port_scan_profiles_config[profile][scan]['service-detection']['pattern'] for x in ['(?P<port>', '(?P<protocol>', '(?P<service>']):
error('The {profile}.{scan}.service-detection pattern does not contain one or more of the following matching groups: port, protocol, service. Ensure that all three of these matching groups are defined and capture the relevant data, e.g. (?P<port>\d+)')
errors = True
if 'port-scan' in port_scan_profiles_config[profile][scan]:
if 'command' not in port_scan_profiles_config[profile][scan]['port-scan']:
error('The {profile}.{scan}.port-scan section does not have a command defined. Every port-scan section must have a command and a corresponding pattern that extracts the port from the results.')
errors = True
if 'pattern' not in port_scan_profiles_config[profile][scan]['port-scan']:
error('The {profile}.{scan}.port-scan section does not have a pattern defined. Every port-scan section must have a command and a corresponding pattern that extracts the port from the results.')
errors = True
else:
if '(?P<port>' not in port_scan_profiles_config[profile][scan]['port-scan']['pattern']:
error('The {profile}.{scan}.port-scan pattern does not contain a port matching group. Ensure that the port matching group is defined and captures the relevant data, e.g. (?P<port>\d+)')
errors = True
break
if not found_scan_profile:
error('Argument --profile: must reference a port scan profile defined in {port_scan_profiles_config_file}. No such profile found: {port_scan_profile}')
errors = True
nmap_default_options = args.nmap
if args.nmap_append:
nmap_default_options += " " + args.nmap_append
outdir = args.output
srvname = ''
verbose = args.verbose
if len(args.targets) == 0 and not len(args.target_file):
error('You must specify at least one target to scan!')
errors = True
targets = []
for target in args.targets:
targets, failed = get_ip_address(target, targets, args.disable_sanity_checks)
if failed: errors = True
if len(args.target_file) > 0:
targets, errors = read_targets_from_file(args.target_file, targets, args.disable_sanity_checks)
if not args.disable_sanity_checks and len(targets) > 256:
error('A total of ' + str(len(targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.')
errors = True
if errors:
sys.exit(1)
start_timer = datetime.now().strftime('%H:%M:%S')
with ProcessPoolExecutor(max_workers=args.concurrent_targets) as executor:
futures = []
for address in targets:
target = Target(address)
futures.append(executor.submit(scan_host, target, concurrent_scans))
try:
for future in as_completed(futures):
future.result()
except KeyboardInterrupt:
for future in futures:
future.cancel()
executor.shutdown(wait=False)
sys.exit(1)
end_timer = datetime.now().strftime('%H:%M:%S')
tdelta = datetime.strptime(end_timer, '%H:%M:%S') - datetime.strptime(start_timer, '%H:%M:%S')
print('\nScanning completed in {}.'.format(tdelta))

1
config/config.toml
View File

@ -47,6 +47,7 @@
smbclient = '/usr/bin/smbclient' smbclient = '/usr/bin/smbclient'
smbmap = '/usr/bin/smbmap' smbmap = '/usr/bin/smbmap'
smb_version = '/usr/local/bin/get_smb_version' smb_version = '/usr/local/bin/get_smb_version'
nbtscan = '/usr/bin/nbtscan'
# SMTP programs # SMTP programs
smtp_user_enum = '/usr/bin/smtp-user-enum' smtp_user_enum = '/usr/bin/smtp-user-enum'

30
config/custom.toml Normal file
View File

@ -0,0 +1,30 @@
[port-scan.quick]
[port-scan.quick.nmap-quick]
[port-scan.quick.nmap-quick.service-detection]
command = '{nmap} {nmap_extra} -sV --version-all --top-ports 20 -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[port-scan.quick.nmap-top-20-udp]
[port-scan.quick.nmap-top-20-udp.service-detection]
command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[port-scan.debug]
[port-scan.debug.nmap-quick]
[port-scan.debug.nmap-quick.service-detection]
command = '{nmap} {nmap_extra} -p 21,22,80,139,445,8000,8080 -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[port-scan.debug.nmap-top-20-udp]
[port-scan.debug.nmap-top-20-udp.service-detection]
command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'

38
config/port-scan-profiles.toml
View File

@ -1,55 +1,55 @@
[default] [port-scan.default]
[default.nmap-quick] [port-scan.default.nmap-quick]
[default.nmap-quick.service-detection] [port-scan.default.nmap-quick.service-detection]
command = '{nmap} {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[default.nmap-full-tcp] [port-scan.default.nmap-full-tcp]
[default.nmap-full-tcp.service-detection] [port-scan.default.nmap-full-tcp.service-detection]
command = '{nmap} {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[default.nmap-top-20-udp] [port-scan.default.nmap-top-20-udp]
[default.nmap-top-20-udp.service-detection] [port-scan.default.nmap-top-20-udp.service-detection]
command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[quick] [port-scan.quick]
[quick.nmap-quick] [port-scan.quick.nmap-quick]
[quick.nmap-quick.service-detection] [port-scan.quick.nmap-quick.service-detection]
command = '{nmap} {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[quick.nmap-top-20-udp] [port-scan.quick.nmap-top-20-udp]
[quick.nmap-top-20-udp.service-detection] [port-scan.quick.nmap-top-20-udp.service-detection]
command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[udp] [port-scan.udp]
[udp.udp-top-20] [port-scan.udp.udp-top-20]
[udp.udp-top-20.port-scan] [port-scan.udp.udp-top-20.port-scan]
command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"' command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"'
pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$' pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$'
[udp.udp-top-20.service-detection] [port-scan.udp.udp-top-20.service-detection]
command = '{nmap} {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[debug] [port-scan.debug]
[debug.nmap-quick] [port-scan.debug.nmap-quick]
[debug.nmap-quick.service-detection] [port-scan.debug.nmap-quick.service-detection]
command = '{nmap} {nmap_extra} -p 21,22,80,139,445,8000,8080 -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -p 21,22,80,139,445,8000,8080 -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'

216
config/service-scans.toml
View File

@ -2,89 +2,89 @@
username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt' password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
[all-services] # Define scans here that you want to run against all services. [service-scan.all-services] # Define scans here that you want to run against all services.
service-names = [ service-names = [
'.+' '.+'
] ]
[[all-services.scan]] [[service-scan.all-services.scan]]
name = 'sslscan' name = 'sslscan'
command = 'if [ "{secure}" == "True" ]; then {sslscan} --show-certificate --no-colour {address}:{port} 2>&1 | {tee} "{scandir}/{protocol}_{port}_sslscan.txt"; fi' command = 'if [ "{secure}" == "True" ]; then {sslscan} --show-certificate --no-colour {address}:{port} 2>&1 | {tee} "{scandir}/{protocol}_{port}_sslscan.txt"; fi'
[cassandra] [service-scan.cassandra]
service-names = [ service-names = [
'^apani1' '^apani1'
] ]
[[cassandra.scan]] [[service-scan.cassandra.scan]]
name = 'nmap-cassandra' name = 'nmap-cassandra'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cassandra_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cassandra_nmap.xml" {address}'
[cups] [service-scan.cups]
service-names = [ service-names = [
'^ipp' '^ipp'
] ]
[[cups.scan]] [[service-scan.cups.scan]]
name = 'nmap-cups' name = 'nmap-cups'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cups_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cups_nmap.xml" {address}'
[distcc] [service-scan.distcc]
service-names = [ service-names = [
'^distccd' '^distccd'
] ]
[[distcc.scan]] [[service-scan.distcc.scan]]
name = 'nmap-distcc' name = 'nmap-distcc'
command = '{nmap} {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{category}{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_distcc_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{category}{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_distcc_nmap.xml" {address}'
[dns] [service-scan.dns]
service-names = [ service-names = [
'^domain' '^domain'
] ]
[[dns.scan]] [[service-scan.dns.scan]]
name = 'nmap-dns' name = 'nmap-dns'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_dns_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_dns_nmap.xml" {address}'
[finger] [service-scan.finger]
service-names = [ service-names = [
'^finger' '^finger'
] ]
[[finger.scan]] [[service-scan.finger.scan]]
name = 'nmap-finger' name = 'nmap-finger'
command = '{nmap} {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{category}{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_finger_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{category}{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_finger_nmap.xml" {address}'
[ftp] [service-scan.ftp]
service-names = [ service-names = [
'^ftp', '^ftp',
'^ftp\-data' '^ftp\-data'
] ]
[[ftp.scan]] [[service-scan.ftp.scan]]
name = 'nmap-ftp' name = 'nmap-ftp'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ftp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ftp_nmap.xml" {address}'
[[ftp.scan.pattern]] [[service-scan.ftp.scan.pattern]]
description = 'Anonymous FTP enabled!' description = 'Anonymous FTP enabled!'
pattern = 'Anonymous FTP login allowed' pattern = 'Anonymous FTP login allowed'
[[ftp.manual]] [[service-scan.ftp.manual]]
description = 'Bruteforce logins:' description = 'Bruteforce logins:'
commands = [ commands = [
'{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ftp_hydra.txt" ftp://{address}', '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
'{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
] ]
[http] [service-scan.http]
service-names = [ service-names = [
'^http', '^http',
@ -95,86 +95,86 @@ ignore-service-names = [
'^nacn_http$' '^nacn_http$'
] ]
[[http.scan]] [[service-scan.http.scan]]
name = 'nmap-http' name = 'nmap-http'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_{scheme}_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_{scheme}_nmap.xml" {address}'
[[http.scan.pattern]] [[service-scan.http.scan.pattern]]
description = 'HTTP server identified: {match}' description = 'HTTP server identified: {match}'
pattern = 'Server: ([^\n]+)' pattern = 'Server: ([^\n]+)'
[[http.scan.pattern]] [[service-scan.http.scan.pattern]]
description = 'WebDAV is enabled.' description = 'WebDAV is enabled.'
pattern = 'WebDAV is ENABLED' pattern = 'WebDAV is ENABLED'
[[http.scan]] [[service-scan.http.scan]]
name = 'curl-index' name = 'curl-index'
command = '{curl} -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_index.html"' command = '{curl} -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_index.html"'
[[http.scan.pattern]] [[service-scan.http.scan.pattern]]
pattern = '(?i)Powered by [^\n]+' pattern = '(?i)Powered by [^\n]+'
[[http.scan]] [[service-scan.http.scan]]
name = 'curl-robots' name = 'curl-robots'
command = '{curl} -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_robots.txt"' command = '{curl} -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_robots.txt"'
[[http.scan]] [[service-scan.http.scan]]
name = 'wkhtmltoimage' name = 'wkhtmltoimage'
command = 'if hash {wkhtmltoimage} 2> /dev/null; then {wkhtmltoimage} --format png {scheme}://{address}:{port}/ {scandir}/{category}{protocol}_{port}_{scheme}_screenshot.png; fi' command = 'if hash {wkhtmltoimage} 2> /dev/null; then {wkhtmltoimage} --format png {scheme}://{address}:{port}/ {scandir}/{category}{protocol}_{port}_{scheme}_screenshot.png; fi'
[[http.scan]] [[service-scan.http.scan]]
name = 'whatweb' name = 'whatweb'
command = '{whatweb} --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_whatweb.txt"' command = '{whatweb} --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_whatweb.txt"'
[[http.scan]] [[service-scan.http.scan]]
name = 'gobuster' name = 'gobuster'
command = '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -r -s "200,204,301,302,307,403" -x "txt,html,htm,php,pl,asp,aspx" 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster.txt"' command = '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -r -s "200,204,301,302,307,403" -x "txt,html,htm,php,pl,asp,aspx" 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster.txt"'
level = 2 level = 2
[[http.scan.pattern]] [[service-scan.http.scan.pattern]]
description = 'HTTP resource discovered: {match}' description = 'HTTP resource discovered: {match}'
pattern = '(http[s]?://.+?)\s\(Status: 200\)' pattern = '(http[s]?://.+?)\s\(Status: 200\)'
[[http.scan]] [[service-scan.http.scan]]
name = 'nikto' name = 'nikto'
command = '{nikto} -ask=no -h {scheme}://{address}:{port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_nikto.txt"' command = '{nikto} -ask=no -h {scheme}://{address}:{port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_nikto.txt"'
level = 3 level = 3
[[http.manual]] [[service-scan.http.manual]]
description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
commands = [ commands = [
'{dirsearch} -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_big.txt"', '{dirsearch} -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_big.txt"',
'{dirsearch} -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"' '{dirsearch} -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"'
] ]
[[http.manual]] [[service-scan.http.manual]]
description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):' description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):'
commands = [ commands = [
'{dirb} {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt', '{dirb} {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt',
'{dirb} {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt' '{dirb} {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
] ]
[[http.manual]] [[service-scan.http.manual]]
description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above):' description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
commands = [ commands = [
'{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -r -s "200,204,301,302,307,403,500" -x "txt,html,htm,php,pl,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_big.txt"', '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -r -s "200,204,301,302,307,403,500" -x "txt,html,htm,php,pl,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_big.txt"',
'{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -r -s "200,204,301,302,307,403,500" -x "txt,html,htm,php,pl,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -r -s "200,204,301,302,307,403,500" -x "txt,html,htm,php,pl,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
] ]
[[http.manual]] [[service-scan.http.manual]]
description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):' description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):'
commands = [ commands = [
'{wpscan} --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_wpscan.txt"' '{wpscan} --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_wpscan.txt"'
] ]
[[http.manual]] [[service-scan.http.manual]]
description = '(cadaver) WebDAV command-line client (useful if WebDAV is enabled):' description = '(cadaver) WebDAV command-line client (useful if WebDAV is enabled):'
commands = [ commands = [
'{davtest} -cleanup -nocreate -url {scheme}://{address}:{port}/ 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_davtest.txt"', '{davtest} -cleanup -nocreate -url {scheme}://{address}:{port}/ 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_{scheme}_davtest.txt"',
'{cadaver} {scheme}://{address}:{port}/' '{cadaver} {scheme}://{address}:{port}/'
] ]
[[http.manual]] [[service-scan.http.manual]]
description = "Credential bruteforcing commands (don't run these without modifying them):" description = "Credential bruteforcing commands (don't run these without modifying them):"
commands = [ commands = [
'{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area', '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
@ -183,133 +183,133 @@ ignore-service-names = [
'{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"', '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
] ]
[imap] [service-scan.imap]
service-names = [ service-names = [
'^imap' '^imap'
] ]
[[imap.scan]] [[service-scan.imap.scan]]
name = 'nmap-imap' name = 'nmap-imap'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_imap_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_imap_nmap.xml" {address}'
[kerberos] [service-scan.kerberos]
service-names = [ service-names = [
'^kerberos', '^kerberos',
'^kpasswd' '^kpasswd'
] ]
[[kerberos.scan]] [[service-scan.kerberos.scan]]
name = 'nmap-kerberos' name = 'nmap-kerberos'
command = '{nmap} {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{category}{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_kerberos_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{category}{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_kerberos_nmap.xml" {address}'
[ldap] [service-scan.ldap]
service-names = [ service-names = [
'^ldap' '^ldap'
] ]
[[ldap.scan]] [[service-scan.ldap.scan]]
name = 'nmap-ldap' name = 'nmap-ldap'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ldap_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ldap_nmap.xml" {address}'
[[ldap.scan]] [[service-scan.ldap.scan]]
name = 'enum4linux' name = 'enum4linux'
command = '{enum4linux} -a -M -l -d {address} 2>&1 | {tee} "{scandir}/{category}enum4linux.txt"' command = '{enum4linux} -a -M -l -d {address} 2>&1 | {tee} "{scandir}/{category}enum4linux.txt"'
run_once = true run_once = true
ports.tcp = [139, 389, 445] ports.tcp = [139, 389, 445]
ports.udp = [137] ports.udp = [137]
[mongodb] [service-scan.mongodb]
service-names = [ service-names = [
'^mongod' '^mongod'
] ]
[[mongodb.scan]] [[service-scan.mongodb.scan]]
name = 'nmap-mongodb' name = 'nmap-mongodb'
command = '{nmap} {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{category}{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mongodb_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{category}{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mongodb_nmap.xml" {address}'
[mssql] [service-scan.mssql]
service-names = [ service-names = [
'^mssql', '^mssql',
'^ms\-sql' '^ms\-sql'
] ]
[[mssql.scan]] [[service-scan.mssql.scan]]
name = 'nmap-mssql' name = 'nmap-mssql'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{category}{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mssql_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{category}{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mssql_nmap.xml" {address}'
[[mssql.manual]] [[service-scan.mssql.manual]]
description = '(sqsh) interactive database shell' description = '(sqsh) interactive database shell'
commands = [ commands = [
'{sqsh} -U <username> -P <password> -S {address}:{port}' '{sqsh} -U <username> -P <password> -S {address}:{port}'
] ]
[mysql] [service-scan.mysql]
service-names = [ service-names = [
'^mysql' '^mysql'
] ]
[[mysql.scan]] [[service-scan.mysql.scan]]
name = 'nmap-mysql' name = 'nmap-mysql'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mysql_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mysql_nmap.xml" {address}'
[nfs] [service-scan.nfs]
service-names = [ service-names = [
'^nfs', '^nfs',
'^rpcbind' '^rpcbind'
] ]
[[nfs.scan]] [[service-scan.nfs.scan]]
name = 'nmap-nfs' name = 'nmap-nfs'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nfs_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nfs_nmap.xml" {address}'
[nntp] [service-scan.nntp]
service-names = [ service-names = [
'^nntp' '^nntp'
] ]
[[nntp.scan]] [[service-scan.nntp.scan]]
name = 'nmap-nntp' name = 'nmap-nntp'
command = '{nmap} {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nntp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nntp_nmap.xml" {address}'
[oracle] [service-scan.oracle]
service-names = [ service-names = [
'^oracle' '^oracle'
] ]
[[oracle.scan]] [[service-scan.oracle.scan]]
name = 'nmap-oracle' name = 'nmap-oracle'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_nmap.xml" {address}'
[[oracle.scan]] [[service-scan.oracle.scan]]
name = 'oracle-tnscmd-ping' name = 'oracle-tnscmd-ping'
command = '{tnscmd10g} ping -h {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_ping.txt"' command = '{tnscmd10g} ping -h {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_ping.txt"'
[[oracle.scan]] [[service-scan.oracle.scan]]
name = 'oracle-tnscmd-version' name = 'oracle-tnscmd-version'
command = '{tnscmd10g} version -h {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"' command = '{tnscmd10g} version -h {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"'
[[oracle.scan]] [[service-scan.oracle.scan]]
name = 'oracle-tnscmd-version' name = 'oracle-tnscmd-version'
command = '{tnscmd10g} version -h {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"' command = '{tnscmd10g} version -h {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"'
[[oracle.scan]] [[service-scan.oracle.scan]]
name = 'oracle-scanner' name = 'oracle-scanner'
command = '{oscanner} -v -s {address} -P {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_scanner.txt"' command = '{oscanner} -v -s {address} -P {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_oracle_scanner.txt"'
[[oracle.manual]] [[service-scan.oracle.manual]]
description = 'Brute-force SIDs using Nmap' description = 'Brute-force SIDs using Nmap'
command = '{nmap} {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{category}{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{category}{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}'
[[oracle.manual]] [[service-scan.oracle.manual]]
description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:' description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:'
commands = [ commands = [
'{odat} tnscmd -s {address} -p {port} --ping', '{odat} tnscmd -s {address} -p {port} --ping',
@ -320,23 +320,23 @@ service-names = [
'{odat} tnspoison -s {address} -p {port} -d <sid> --test-module' '{odat} tnspoison -s {address} -p {port} -d <sid> --test-module'
] ]
[[oracle.manual]] [[service-scan.oracle.manual]]
description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:' description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:'
commands = [ commands = [
'{patator} oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000' '{patator} oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000'
] ]
[pop3] [service-scan.pop3]
service-names = [ service-names = [
'^pop3' '^pop3'
] ]
[[pop3.scan]] [[service-scan.pop3.scan]]
name = 'nmap-pop3' name = 'nmap-pop3'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_pop3_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_pop3_nmap.xml" {address}'
[rdp] [service-scan.rdp]
service-names = [ service-names = [
'^rdp', '^rdp',
@ -344,29 +344,29 @@ service-names = [
'^ms\-term\-serv' '^ms\-term\-serv'
] ]
[[rdp.scan]] [[service-scan.rdp.scan]]
name = 'nmap-rdp' name = 'nmap-rdp'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rdp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rdp_nmap.xml" {address}'
[[rdp.manual]] [[service-scan.rdp.manual]]
description = 'Bruteforce logins:' description = 'Bruteforce logins:'
commands = [ commands = [
'{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_rdp_hydra.txt" rdp://{address}', '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
'{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
] ]
[rmi] [service-scan.rmi]
service-names = [ service-names = [
'^java\-rmi', '^java\-rmi',
'^rmiregistry' '^rmiregistry'
] ]
[[rmi.scan]] [[service-scan.rmi.scan]]
name = 'nmap-rmi' name = 'nmap-rmi'
command = '{nmap} {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{category}{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rmi_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{category}{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rmi_nmap.xml" {address}'
[rpc] [service-scan.rpc]
service-names = [ service-names = [
'^msrpc', '^msrpc',
@ -374,47 +374,48 @@ service-names = [
'^erpc' '^erpc'
] ]
[[rpc.scan]] [[service-scan.rpc.scan]]
name = 'nmap-msrpc' name = 'nmap-msrpc'
command = '{nmap} {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{category}{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rpc_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{category}{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rpc_nmap.xml" {address}'
[[rpc.manual]] [[service-scan.rpc.manual]]
description = 'RPC Client:' description = 'RPC Client:'
commands = [ commands = [
'{rpcclient} -p {port} -U "" {address}' '{rpcclient} -p {port} -U "" {address}'
] ]
[sip] [service-scan.sip]
service-names = [ service-names = [
'^asterisk' '^asterisk'
] ]
[[sip.scan]] [[service-scan.sip.scan]]
name = 'nmap-sip' name = 'nmap-sip'
command = '{nmap} {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{category}{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_sip_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{category}{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_sip_nmap.xml" {address}'
[[sip.scan]] [[service-scan.sip.scan]]
name = 'svwar' name = 'svwar'
command = '{svwar} -D -m INVITE -p {port} {address}' command = '{svwar} -D -m INVITE -p {port} {address}'
[ssh] [service-scan.ssh]
service-names = [ service-names = [
'^ssh' '^ssh'
] ]
[[ssh.scan]] [[service-scan.ssh.scan]]
name = 'nmap-ssh' name = 'nmap-ssh'
command = '{nmap} {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{category}{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ssh_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{category}{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ssh_nmap.xml" {address}'
[[ssh.manual]] [[service-scan.ssh.manual]]
description = 'Bruteforce logins:' description = 'Bruteforce logins:'
commands = [ commands = [
'{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ssh_hydra.txt" ssh://{address}', '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
'{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
] ]
[smb]
[service-scan.smb]
service-names = [ service-names = [
'^smb', '^smb',
@ -422,49 +423,48 @@ service-names = [
'^netbios' '^netbios'
] ]
[[smb.scan]] [[service-scan.smb.scan]]
name = 'nmap-smb' name = 'nmap-smb'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_nmap.xml" {address}'
[[smb.scan]] [[service-scan.smb.scan]]
name = 'smbclient' name = 'smbclient'
command = '{smbclient} -L\\ -N -I {address} 2>&1 | {tee} "{scandir}/{category}smbclient.txt"' command = '{smbclient} -L\\ -N -I {address} 2>&1 | {tee} "{scandir}/{category}smbclient.txt"'
run_once = true run_once = true
ports.tcp = [139, 445] ports.tcp = [139, 445]
[[smb.scan]] [[service-scan.smb.scan]]
name = 'smb-version' name = 'smb-version'
command = '{smb_version} {address} -P {port} | head -n 1 | {tee} -a "{scandir}/{category}smb-version.txt"' command = '{smb_version} {address} -P {port} | head -n 1 | {tee} -a "{scandir}/{category}smb-version.txt"'
run_once = true run_once = true
ports.tcp = [139, 445] ports.tcp = [139, 445]
[[smb.scan]] [[service-scan.smb.scan]]
name = 'smbmap-share-permissions' name = 'smbmap-share-permissions'
command = '{smbmap} -H {address} -P {port} 2>&1 | {tee} -a "{scandir}/{category}smbmap-share-permissions.txt"; {smbmap} -u null -p "" -H {address} -P {port} 2>&1 | {tee} -a "{scandir}/{category}smbmap-share-permissions.txt"' command = '{smbmap} -H {address} -P {port} 2>&1 | {tee} -a "{scandir}/{category}smbmap-share-permissions.txt"; {smbmap} -u null -p "" -H {address} -P {port} 2>&1 | {tee} -a "{scandir}/{category}smbmap-share-permissions.txt"'
[[smb.scan]] [[service-scan.smb.scan]]
name = 'smbmap-list-contents' name = 'smbmap-list-contents'
command = '{smbmap} -H {address} -P {port} -R 2>&1 | {tee} -a "{scandir}/{category}smbmap-list-contents.txt"; {smbmap} -u null -p "" -H {address} -P {port} -R 2>&1 | {tee} -a "{scandir}/{category}smbmap-list-contents.txt"' command = '{smbmap} -H {address} -P {port} -R 2>&1 | {tee} -a "{scandir}/{category}smbmap-list-contents.txt"; {smbmap} -u null -p "" -H {address} -P {port} -R 2>&1 | {tee} -a "{scandir}/{category}smbmap-list-contents.txt"'
[[smb.scan]] [[service-scan.smb.scan]]
name = 'smbmap-execute-command' name = 'smbmap-execute-command'
command = '{smbmap} -H {address} -P {port} -x "ipconfig /all" 2>&1 | {tee} -a "{scandir}/{category}smbmap-execute-command.txt"; {smbmap} -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | {tee} -a "{scandir}/{category}smbmap-execute-command.txt"' command = '{smbmap} -H {address} -P {port} -x "ipconfig /all" 2>&1 | {tee} -a "{scandir}/{category}smbmap-execute-command.txt"; {smbmap} -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | {tee} -a "{scandir}/{category}smbmap-execute-command.txt"'
[[smb.scan]] [[service-scan.smb.scan]]
name = 'enum4linux' name = 'enum4linux'
command = '{enum4linux} -a -M -l -d {address} 2>&1 | {tee} "{scandir}/{category}enum4linux.txt"' command = '{enum4linux} -a -M -l -d {address} 2>&1 | {tee} "{scandir}/{category}enum4linux.txt"'
run_once = true run_once = true
ports.tcp = [139, 389, 445] ports.tcp = [139, 389, 445]
ports.udp = [137] ports.udp = [137]
[[smb.scan]] [[service-scan.smb.scan]]
name = 'nbtscan' name = 'nbtscan'
command = '{nbtscan} -rvh {address} 2>&1 | {tee} "{scandir}/{category}nbtscan.txt"' command = '{nbtscan} -rvh {address} 2>&1 | {tee} "{scandir}/{category}nbtscan.txt"'
run_once = true run_once = true
ports.udp = [137] ports.udp = [137]
[[service-scan.smb.manual]]
[[smb.manual]]
description = '{nmap} scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:' description = '{nmap} scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
commands = [ commands = [
'{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms06-025.xml" {address}', '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms06-025.xml" {address}',
@ -472,110 +472,110 @@ service-names = [
'{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms08-067.xml" {address}' '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms08-067.xml" {address}'
] ]
[smtp] [service-scan.smtp]
service-names = [ service-names = [
'^smtp' '^smtp'
] ]
[[smtp.scan]] [[service-scan.smtp.scan]]
name = 'nmap-smtp' name = 'nmap-smtp'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smtp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smtp_nmap.xml" {address}'
[[smtp.scan]] [[service-scan.smtp.scan]]
name = 'smtp-user-enum' name = 'smtp-user-enum'
command = '{smtp_user_enum} -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_smtp_user-enum.txt"' command = '{smtp_user_enum} -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_smtp_user-enum.txt"'
[snmp] [service-scan.snmp]
service-names = [ service-names = [
'^snmp' '^snmp'
] ]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'nmap-snmp' name = 'nmap-snmp'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_snmp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_snmp_nmap.xml" {address}'
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'onesixtyone' name = 'onesixtyone'
command = '{onesixtyone} -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_onesixtyone.txt"' command = '{onesixtyone} -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_onesixtyone.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk' name = 'snmpwalk'
command = '{snmpwalk} -c public -v 1 {address} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk.txt"' command = '{snmpwalk} -c public -v 1 {address} 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk-system-processes' name = 'snmpwalk-system-processes'
command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_system_processes.txt"' command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk-running-processes' name = 'snmpwalk-running-processes'
command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_running_processes.txt"' command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk-process-paths' name = 'snmpwalk-process-paths'
command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_process_paths.txt"' command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk-storage-units' name = 'snmpwalk-storage-units'
command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_storage_units.txt"' command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk-software-names' name = 'snmpwalk-software-names'
command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_software_names.txt"' command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk-user-accounts' name = 'snmpwalk-user-accounts'
command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"' command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[[snmp.scan]] [[service-scan.snmp.scan]]
name = 'snmpwalk-tcp-ports' name = 'snmpwalk-tcp-ports'
command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"' command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | {tee} "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[telnet] [service-scan.telnet]
service-names = [ service-names = [
'^telnet' '^telnet'
] ]
[[telnet.scan]] [[service-scan.telnet.scan]]
name = 'nmap-telnet' name = 'nmap-telnet'
command = '{nmap} {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_telnet_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_telnet_nmap.xml" {address}'
[tftp] [service-scan.tftp]
service-names = [ service-names = [
'^tftp' '^tftp'
] ]
[[tftp.scan]] [[service-scan.tftp.scan]]
name = 'nmap-tftp' name = 'nmap-tftp'
command = '{nmap} {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{category}{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_tftp_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{category}{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_tftp_nmap.xml" {address}'
[vnc] [service-scan.vnc]
service-names = [ service-names = [
'^vnc' '^vnc'
] ]
[[vnc.scan]] [[service-scan.vnc.scan]]
name = 'nmap-vnc' name = 'nmap-vnc'
command = '{nmap} {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_vnc_nmap.xml" {address}' command = '{nmap} {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_vnc_nmap.xml" {address}'