Update README.md

This commit is contained in:
Tib3rius 2021-09-14 18:39:52 -04:00
parent d1ec130609
commit 9adcaa70f9
1 changed files with 84 additions and 53 deletions

README.md

@ -1,16 +1,10 @@
> It's like bowling with bumpers. - [@ippsec](https://twitter.com/ippsec) > It's like bowling with bumpers. - [@ippsec](https://twitter.com/ippsec)
# Please Read Before Using
**This is a public beta of AutoRecon version 2, which is effectively a complete rewrite of version 1. As such, there are no promises about stability, and you should expect bugs. During this beta, testers are encouraged to try out the new features, especially the new plugin functionality, and report bugs when they are found. Feedback on improvements and changes is also encouraged. There is no guarantee that the current plugin system "API" will be the same when version 2 is released.**
**A wiki will be added to this repository to more fully explain the features in AutoRecon version 2.**
# AutoRecon # AutoRecon
AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements. AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.
The tool works by firstly performing port scans / service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, nikto will be launched (as well as many others). The tool works by firstly performing port scans / service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, feroxbuster will be launched (as well as many others).
Everything in the tool is highly configurable. The default configuration performs **no automated exploitation** to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the mis-use of this tool. Everything in the tool is highly configurable. The default configuration performs **no automated exploitation** to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the mis-use of this tool.
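Review bot: dropping the "Please Read Before Using" block also drops the only pointer to where version 2 features are documented (the removed text promised a wiki); replace it with a one-line link to the current documentation so readers of the plugin system still have somewhere to go. Minor style point in the retained paragraph: "mis-use" should be "misuse".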
@ -41,6 +35,30 @@ AutoRecon was inspired by three tools which the author used during the OSCP labs
- Python 3 - Python 3
- `python3-pip` - `python3-pip`
- `pipx` (optional, but recommended)
### Python 3
If you don't have these installed, and are running Kali Linux, you can execute the following:
```bash
$ sudo apt install python3
$ sudo apt install python3-pip
```
### `pipx`
Further, it's recommended you use `pipx` to manage your python packages; this installs each python package in it's own virtualenv, and makes it available in the global context, which avoids conflicting package dependencies and the resulting instability. To summarize the installation instructions:
```bash
$ sudo apt install python3-venv
$ python3 -m pip install --user pipx
$ python3 -m pipx ensurepath
```
You will have to re-source your ~/.bashrc or ~/.zshrc file (or open a new tab) after running these commands in order to use pipx.
Note that if you want to run AutoRecon via pipx using sudo, you'll have to install pipx and AutoRecon using sudo as well.
### Supporting packages ### Supporting packages
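Review bot: the added `pipx` paragraph has a typo, "in it's own virtualenv" should be "in its own virtualenv", and "python packages" should be capitalised as "Python packages". The sudo note at the end of the hunk is worth expanding: `python3 -m pip install --user pipx` installs into the invoking user's home, so a later `sudo autorecon` will not find a user-installed binary; either state that the pipx steps must themselves be run under sudo for that workflow, or document the alternative of invoking the user-installed binary by its full path under sudo. The two `apt install` lines could also be collapsed into `sudo apt install python3 python3-pip`.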
@ -85,20 +103,25 @@ $ sudo apt install seclists curl enum4linux feroxbuster impacket-scripts nbtscan
Ensure you have all of the requirements installed as per the previous section. Ensure you have all of the requirements installed as per the previous section.
Clone the repository and switch to the beta branch: ### Using `pipx` (recommended)
If installing using pipx, you'll need to run the installation command as root or with sudo in order to be able to run autorecon using sudo:
```bash ```bash
$ git clone --branch beta https://github.com/Tib3rius/AutoRecon $ pipx install git+https://github.com/Tib3rius/AutoRecon.git
``` ```
If you already had a copy of the repository, you can run the following from the main directory to get the beta code: ### Using `pip`
If installing using pip, you'll need to run the installation command as root or with sudo in order to be able to run autorecon using sudo:
```bash ```bash
$ git pull $ sudo python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git
$ git checkout beta
``` ```
From within the AutoRecon directory, install the dependencies: ### Manual
If you'd prefer not to use `pip` or `pipx`, you can always still install and execute `autorecon.py` manually as a script. From within the AutoRecon directory, install the dependencies:
```bash ```bash
$ python3 -m pip install -r requirements.txt $ python3 -m pip install -r requirements.txt
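Review bot: the "Using `pipx` (recommended)" text says the install command must be run as root or with sudo, but the command shown is `$ pipx install git+https://github.com/Tib3rius/AutoRecon.git` with no sudo, while the `pip` section does show `sudo`; make the two consistent or state explicitly which one needs elevation. Both install lines also pull an unpinned `git+https://...` URL, so every install gets whatever is at the default branch at that moment; consider documenting the `git+https://github.com/Tib3rius/AutoRecon.git@<tag-or-commit>` form so users can install a known revision. Finally, the Manual section still says "From within the AutoRecon directory" but the `git clone` that used to precede it was removed in this hunk; confirm a clone step survives elsewhere in the README.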
@ -117,66 +140,72 @@ See detailed usage options below.
AutoRecon uses Python 3 specific functionality and does not support Python 2. AutoRecon uses Python 3 specific functionality and does not support Python 2.
``` ```
usage: autorecon.py [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE] [--tags TAGS] usage: autorecon [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE]
[--exclude-tags TAGS] [--port-scans PLUGINS] [--service-scans PLUGINS] [--reports PLUGINS] [--plugins-dir PLUGINS_DIR] [--tags TAGS] [--exclude-tags TAGS] [--port-scans PLUGINS] [--service-scans PLUGINS]
[--add-plugins-dir PLUGINS_DIR] [-l [TYPE]] [-o OUTDIR] [--single-target] [--only-scans-dir] [--create-port-dirs] [--reports PLUGINS] [--plugins-dir PLUGINS_DIR] [--add-plugins-dir PLUGINS_DIR] [-l [TYPE]] [-o OUTDIR]
[--heartbeat HEARTBEAT] [--timeout TIMEOUT] [--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [--single-target] [--only-scans-dir] [--create-port-dirs] [--heartbeat HEARTBEAT] [--timeout TIMEOUT]
[--proxychains] [--disable-sanity-checks] [--disable-keyboard-control] [--force-services SERVICE [SERVICE ...]] [--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [--proxychains]
[--accessible] [-v] [--version] [--curl.path VALUE] [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}] [--disable-sanity-checks] [--disable-keyboard-control] [--force-services SERVICE [SERVICE ...]]
[--dirbuster.wordlist VALUE [VALUE ...]] [--dirbuster.threads VALUE] [--dirbuster.ext VALUE] [--accessible] [-v] [--version] [--curl.path VALUE]
[--onesixtyone.community-strings VALUE] [--global.username-wordlist VALUE] [--global.password-wordlist VALUE] [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}] [--dirbuster.wordlist VALUE [VALUE ...]]
[--global.domain VALUE] [-h] [--dirbuster.threads VALUE] [--dirbuster.ext VALUE] [--onesixtyone.community-strings VALUE]
[targets ...] [--global.username-wordlist VALUE] [--global.password-wordlist VALUE] [--global.domain VALUE] [-h]
[targets ...]
Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets. Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.
positional arguments: positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan. targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g.
foo.bar) to scan.
optional arguments: optional arguments:
-t TARGET_FILE, --targets TARGET_FILE -t TARGET_FILE, --targets TARGET_FILE
Read targets from file. Read targets from file.
-p PORTS, --ports PORTS -p PORTS, --ports PORTS
Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by prepending list with T:/U: To scan both Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by prepending list
TCP/UDP, put port(s) at start or specify B: e.g. 53,T:21-25,80,U:123,B:123. Default: None with T:/U: To scan both TCP/UDP, put port(s) at start or specify B: e.g.
53,T:21-25,80,U:123,B:123. Default: None
-m MAX_SCANS, --max-scans MAX_SCANS -m MAX_SCANS, --max-scans MAX_SCANS
The maximum number of concurrent scans to run. Default: 50 The maximum number of concurrent scans to run. Default: 50
-mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS -mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS
The maximum number of concurrent port scans to run. Default: 10 (approx 20% of max-scans unless specified) The maximum number of concurrent port scans to run. Default: 10 (approx 20% of max-scans unless
specified)
-c CONFIG_FILE, --config CONFIG_FILE -c CONFIG_FILE, --config CONFIG_FILE
Location of AutoRecon's config file. Default: /mnt/hgfs/AutoRecon/config.toml Location of AutoRecon's config file. Default: /home/tib3rius/.config/AutoRecon/config.toml
-g GLOBAL_FILE, --global-file GLOBAL_FILE -g GLOBAL_FILE, --global-file GLOBAL_FILE
Location of AutoRecon's global file. Default: /mnt/hgfs/AutoRecon/global.toml Location of AutoRecon's global file. Default: /home/tib3rius/.config/AutoRecon/global.toml
--tags TAGS Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate --tags TAGS Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group
groups with a comma (,) to create multiple groups. For a plugin to be included, it must have all the tags specified in tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be
at least one group. Default: default included, it must have all the tags specified in at least one group. Default: default
--exclude-tags TAGS Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate --exclude-tags TAGS Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group
groups with a comma (,) to create multiple groups. For a plugin to be excluded, it must have all the tags specified in tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be
at least one group. Default: None excluded, it must have all the tags specified in at least one group. Default: None
--port-scans PLUGINS Override --tags / --exclude-tags for the listed PortScan plugins (comma separated). Default: None --port-scans PLUGINS Override --tags / --exclude-tags for the listed PortScan plugins (comma separated). Default:
None
--service-scans PLUGINS --service-scans PLUGINS
Override --tags / --exclude-tags for the listed ServiceScan plugins (comma separated). Default: None Override --tags / --exclude-tags for the listed ServiceScan plugins (comma separated). Default:
None
--reports PLUGINS Override --tags / --exclude-tags for the listed Report plugins (comma separated). Default: None --reports PLUGINS Override --tags / --exclude-tags for the listed Report plugins (comma separated). Default: None
--plugins-dir PLUGINS_DIR --plugins-dir PLUGINS_DIR
The location of the plugins directory. Default: /mnt/hgfs/AutoRecon/plugins The location of the plugins directory. Default: /home/tib3rius/.config/AutoRecon/plugins
--add-plugins-dir PLUGINS_DIR --add-plugins-dir PLUGINS_DIR
The location of an additional plugins directory to add to the main one. Default: None The location of an additional plugins directory to add to the main one. Default: None
-l [TYPE], --list [TYPE] -l [TYPE], --list [TYPE]
List all plugins or plugins of a specific type. e.g. --list, --list port, --list service List all plugins or plugins of a specific type. e.g. --list, --list port, --list service
-o OUTDIR, --output OUTDIR -o OUTDIR, --output OUTDIR
The output directory for results. Default: results The output directory for results. Default: results
--single-target Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will --single-target Only scan a single target. A directory named after the target will not be created. Instead, the
be created within the output directory. Default: False directory structure will be created within the output directory. Default: False
--only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. --only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report)
Default: False will not be created. Default: False
--create-port-dirs Create directories for ports within the "scans" directory (e.g. scans/tcp80, scans/udp53) and store results in these --create-port-dirs Create directories for ports within the "scans" directory (e.g. scans/tcp80, scans/udp53) and
directories. Default: True store results in these directories. Default: True
--heartbeat HEARTBEAT --heartbeat HEARTBEAT
Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60 Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60
--timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: None --timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: None
--target-timeout TARGET_TIMEOUT --target-timeout TARGET_TIMEOUT
Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it and moving on. Specifies the maximum amount of time in minutes that a target should be scanned for before
Default: None abandoning it and moving on. Default: None
--nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn --nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn
--nmap-append NMAP_APPEND --nmap-append NMAP_APPEND
Append to the default {nmap_extra} variable in scans. Default: -T4 Append to the default {nmap_extra} variable in scans. Default: -T4
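Review bot: the new help text embeds the author's own machine paths as defaults, e.g. `Default: /home/tib3rius/.config/AutoRecon/config.toml`, `/home/tib3rius/.config/AutoRecon/global.toml` and `/home/tib3rius/.config/AutoRecon/plugins` (the old text had the same problem with `/mnt/hgfs/AutoRecon/...`). Since these defaults are derived at runtime from the user's home directory, the README should show them generically, such as `~/.config/AutoRecon/config.toml`, rather than a pasted personal path that will be wrong for every other user.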
@ -200,23 +229,25 @@ plugin arguments:
The tool to use for directory busting. Default: feroxbuster The tool to use for directory busting. Default: feroxbuster
--dirbuster.wordlist VALUE [VALUE ...] --dirbuster.wordlist VALUE [VALUE ...]
The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default:
['/usr/share/seclists/Discovery/Web-Content/common.txt', '/usr/share/seclists/Discovery/Web-Content/big.txt', ['/usr/share/seclists/Discovery/Web-Content/common.txt', '/usr/share/seclists/Discovery/Web-
'/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt'] Content/big.txt', '/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt']
--dirbuster.threads VALUE --dirbuster.threads VALUE
The number of threads to use when directory busting. Default: 10 The number of threads to use when directory busting. Default: 10
--dirbuster.ext VALUE --dirbuster.ext VALUE
The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp
--onesixtyone.community-strings VALUE --onesixtyone.community-strings VALUE
The file containing a list of community strings to try. Default: /usr/share/seclists/Discovery/SNMP/common-snmp- The file containing a list of community strings to try. Default:
community-strings-onesixtyone.txt /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
global plugin arguments: global plugin arguments:
These are optional arguments that can be used by all plugins. These are optional arguments that can be used by all plugins.
--global.username-wordlist VALUE --global.username-wordlist VALUE
A wordlist of usernames, useful for bruteforcing. Default: /usr/share/seclists/Usernames/top-usernames-shortlist.txt A wordlist of usernames, useful for bruteforcing. Default: /usr/share/seclists/Usernames/top-
usernames-shortlist.txt
--global.password-wordlist VALUE --global.password-wordlist VALUE
A wordlist of passwords, useful for bruteforcing. Default: /usr/share/seclists/Passwords/darkweb2017-top100.txt A wordlist of passwords, useful for bruteforcing. Default:
/usr/share/seclists/Passwords/darkweb2017-top100.txt
--global.domain VALUE --global.domain VALUE
The domain to use (if known). Used for DNS and/or Active Directory. Default: None The domain to use (if known). Used for DNS and/or Active Directory. Default: None
``` ```
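Review bot: the re-wrapped help output now breaks file paths across lines, for example `'/usr/share/seclists/Discovery/Web-` followed by `Content/big.txt'`, and `/usr/share/seclists/Usernames/top-` followed by `usernames-shortlist.txt`; a reader copying a default from the README gets a broken path. Capture the help with a wider terminal (argparse honours the `COLUMNS` environment variable when wrapping) or hand-wrap so that no path or wordlist name is split mid-token.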
@ -228,7 +259,7 @@ AutoRecon supports four levels of verbosity:
* (none) Minimal output. AutoRecon will announce when scanning targets starts / ends. * (none) Minimal output. AutoRecon will announce when scanning targets starts / ends.
* (-v) Verbose output. AutoRecon will additionally announce when plugins start running, and report open ports and identified services. * (-v) Verbose output. AutoRecon will additionally announce when plugins start running, and report open ports and identified services.
* (-vv) Very verbose output. AutoRecon will additionally specify the exact commands which are being run by plugins, highlight any patterns which are matched in command output, and announce when plugins end. * (-vv) Very verbose output. AutoRecon will additionally specify the exact commands which are being run by plugins, highlight any patterns which are matched in command output, and announce when plugins end.
* (-vvv) Very very verbose output. AutoRecon will output everything. Literally every line from all commands which are currently running. When scanning multiple targets concurrently, this can lead to a ridiculous amount of output. It is not advised to use -vvv unless you absolutely need to see live output from commands. * (-vvv) Very, very verbose output. AutoRecon will output everything. Literally every line from all commands which are currently running. When scanning multiple targets concurrently, this can lead to a ridiculous amount of output. It is not advised to use -vvv unless you absolutely need to see live output from commands.
Note: You can change the verbosity of AutoRecon mid-scan by pressing the up and down arrow keys. Note: You can change the verbosity of AutoRecon mid-scan by pressing the up and down arrow keys.
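Review bot: the unchanged note at the end of this hunk says verbosity can be changed mid-scan with the arrow keys, but the usage text added earlier in this commit includes `--disable-keyboard-control`; add a short clause here that the arrow-key behaviour is unavailable when that flag is set, so the two sections agree.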