RomanNum3ral
/
AutoRecon
mirror of https://github.com/Tib3rius/AutoRecon.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Plugin Updates 

Separated plugins out into separate files to make them easier to understand.
This commit is contained in:
Tib3rius 2022-02-14 22:15:20 -05:00
parent 0e27e3b1c4
commit ae0eb0629a
90 changed files with 1356 additions and 1287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
autorecon/default-plugins/ftp.py → autorecon/default-plugins/bruteforce-ftp.py
View File

@ -1,18 +1,5 @@
from autorecon.plugins import ServiceScan
class NmapFTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap FTP'
self.tags = ['default', 'safe', 'ftp']
def configure(self):
self.match_service_name(['^ftp', '^ftp\-data'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}')
class BruteforceFTP(ServiceScan):
def __init__(self):

20
autorecon/default-plugins/bruteforce-http.py Normal file
View File

@ -0,0 +1,20 @@
from autorecon.plugins import ServiceScan
class BruteforceHTTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Bruteforce HTTP"
self.tags = ['default', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def manual(self, service, plugin_was_run):
service.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [
'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{addressv6}/path/to/auth/area',
'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {addressv6} -m DIR:/path/to/auth/area',
'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{addressv6}/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"',
'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {addressv6} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"'
])

13
autorecon/default-plugins/rdp.py → autorecon/default-plugins/bruteforce-rdp.py
View File

@ -1,18 +1,5 @@
from autorecon.plugins import ServiceScan
class NmapRDP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap RDP"
self.tags = ['default', 'safe', 'rdp']
def configure(self):
self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}')
class BruteforceRDP(ServiceScan):
def __init__(self):

13
autorecon/default-plugins/ssh.py → autorecon/default-plugins/bruteforce-ssh.py
View File

@ -1,18 +1,5 @@
from autorecon.plugins import ServiceScan
class NmapSSH(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SSH"
self.tags = ['default', 'safe', 'ssh']
def configure(self):
self.match_service_name('^ssh')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}')
class BruteforceSSH(ServiceScan):
def __init__(self):

26
autorecon/default-plugins/curl-known-security.py Normal file
View File

@ -0,0 +1,26 @@
from autorecon.plugins import ServiceScan
from autorecon.io import fformat
class CurlKnownSecurity(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Known Security"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service):
if service.protocol == 'tcp':
process, stdout, _ = await service.execute('curl -sSikf {http_scheme}://{addressv6}:{port}/.well-known/security.txt', future_outfile='{protocol}_{port}_{http_scheme}_known-security.txt')
lines = await stdout.readlines()
if process.returncode == 0 and lines:
filename = fformat('{scandir}/{protocol}_{port}_{http_scheme}_known-security.txt')
with open(filename, mode='wt', encoding='utf8') as robots:
robots.write('\n'.join(lines))
else:
service.info('{bblue}[' + fformat('{tag}') + ']{rst} There did not appear to be a .well-known/security.txt file in the webroot (/).')

26
autorecon/default-plugins/curl-robots.py Normal file
View File

@ -0,0 +1,26 @@
from autorecon.plugins import ServiceScan
from autorecon.io import fformat
class CurlRobots(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Curl Robots"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service):
if service.protocol == 'tcp':
process, stdout, _ = await service.execute('curl -sSikf {http_scheme}://{addressv6}:{port}/robots.txt', future_outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt')
lines = await stdout.readlines()
if process.returncode == 0 and lines:
filename = fformat('{scandir}/{protocol}_{port}_{http_scheme}_curl-robots.txt')
with open(filename, mode='wt', encoding='utf8') as robots:
robots.write('\n'.join(lines))
else:
service.info('{bblue}[' + fformat('{tag}') + ']{rst} There did not appear to be a robots.txt file in the webroot (/).')

18
autorecon/default-plugins/curl.py Normal file
View File

@ -0,0 +1,18 @@
from autorecon.plugins import ServiceScan
class Curl(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Curl"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s")
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
self.add_pattern('(?i)powered[ -]by[^\n]+')
async def run(self, service):
if service.protocol == 'tcp':
await service.execute('curl -sSik {http_scheme}://{addressv6}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html')

134
autorecon/default-plugins/databases.py
View File

@ -1,134 +0,0 @@
from autorecon.plugins import ServiceScan
from shutil import which
class NmapMongoDB(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MongoDB"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^mongod')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}')
class NmapMSSQL(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MSSQL"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name(['^mssql', '^ms\-sql'])
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}')
class NmapMYSQL(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MYSQL"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^mysql')
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}')
class NmapOracle(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap Oracle"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def manual(self, service, plugin_was_run):
service.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}')
class OracleTNScmd(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle TNScmd"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def check(self):
if which('tnscmd10g') is None:
self.error('The tnscmd10g program could not be found. Make sure it is installed. (On Kali, run: sudo apt install tnscmd10g)')
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt')
await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt')
class OracleScanner(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle Scanner"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def check(self):
if which('oscanner') is None:
self.error('The oscanner program could not be found. Make sure it is installed. (On Kali, run: sudo apt install oscanner)')
async def run(self, service):
await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt')
class OracleODAT(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle ODAT"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def manual(self, service, plugin_was_run):
service.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [
'python odat.py tnscmd -s {address} -p {port} --ping',
'python odat.py tnscmd -s {address} -p {port} --version',
'python odat.py tnscmd -s {address} -p {port} --status',
'python odat.py sidguesser -s {address} -p {port}',
'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module'
])
class OraclePatator(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle Patator"
self.tags = ['default', 'databases']
def configure(self):
self.match_service_name('^oracle')
def manual(self, service, plugin_was_run):
service.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000')

102
autorecon/default-plugins/default-port-scan.py
View File

@ -1,102 +0,0 @@
from autorecon.plugins import PortScan
from autorecon.config import config
import os, re
class QuickTCPPortScan(PortScan):
def __init__(self):
super().__init__()
self.name = 'Top TCP Ports'
self.description = 'Performs an Nmap scan of the top 1000 TCP ports.'
self.type = 'tcp'
self.tags = ['default', 'default-port-scan']
self.priority = 0
async def run(self, target):
if target.ports: # Don't run this plugin if there are custom ports.
return []
if config['proxychains']:
traceroute_os = ''
else:
traceroute_os = ' -A --osscan-guess'
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False)
services = await target.extract_services(stdout)
await process.wait()
return services
class AllTCPPortScan(PortScan):
def __init__(self):
super().__init__()
self.name = 'All TCP Ports'
self.description = 'Performs an Nmap scan of all TCP ports.'
self.type = 'tcp'
self.specific_ports = True
self.tags = ['default', 'default-port-scan', 'long']
async def run(self, target):
if config['proxychains']:
traceroute_os = ''
else:
traceroute_os = ' -A --osscan-guess'
if target.ports:
if target.ports['tcp']:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -p ' + target.ports['tcp'] + ' -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False)
else:
return []
else:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False)
services = []
while True:
line = await stdout.readline()
if line is not None:
match = re.search('^Discovered open port ([0-9]+)/tcp', line)
if match:
target.info('Discovered open port {bmagenta}tcp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
service = target.extract_service(line)
if service:
services.append(service)
else:
break
await process.wait()
return services
class Top100UDPPortScan(PortScan):
def __init__(self):
super().__init__()
self.name = 'Top 100 UDP Ports'
self.description = 'Performs an Nmap scan of the top 100 UDP ports.'
self.type = 'udp'
self.specific_ports = True
self.tags = ['default', 'default-port-scan', 'long']
async def run(self, target):
# Only run UDP scan if user is root.
if os.getuid() == 0:
if target.ports:
if target.ports['udp']:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --osscan-guess -p ' + target.ports['udp'] + ' -oN "{scandir}/_custom_ports_udp_nmap.txt" -oX "{scandir}/xml/_custom_ports_udp_nmap.xml" {address}', blocking=False)
else:
return []
else:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --top-ports 100 -oN "{scandir}/_top_100_udp_nmap.txt" -oX "{scandir}/xml/_top_100_udp_nmap.xml" {address}', blocking=False)
services = []
while True:
line = await stdout.readline()
if line is not None:
match = re.search('^Discovered open port ([0-9]+)/udp', line)
if match:
target.info('Discovered open port {bmagenta}udp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
service = target.extract_service(line)
if service:
services.append(service)
else:
break
await process.wait()
return services
else:
target.error('UDP scan requires AutoRecon be run with root privileges.')

75
autorecon/default-plugins/dirbuster.py Normal file
View File

@ -0,0 +1,75 @@
from autorecon.plugins import ServiceScan
from autorecon.config import config
from shutil import which
import os
class DirBuster(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Directory Buster"
self.slug = 'dirbuster'
self.priority = 0
self.tags = ['default', 'safe', 'long', 'http']
def configure(self):
self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s')
self.add_list_option('wordlist', default=[os.path.join(config['config_dir'], 'wordlists', 'dirbuster.txt')], help='The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: %(default)s')
self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s')
self.add_option('ext', default='txt,html,php,asp,aspx,jsp', help='The extensions you wish to fuzz (no dot, comma separated). Default: %(default)s')
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def check(self):
tool = self.get_option('tool')
if tool == 'feroxbuster':
if which('feroxbuster') is None:
self.error('The feroxbuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install feroxbuster)')
elif tool == 'gobuster':
if which('gobuster') is None:
self.error('The gobuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install gobuster)')
elif tool == 'dirsearch':
if which('dirsearch') is None:
self.error('The dirsearch program could not be found. Make sure it is installed. (On Kali, run: sudo apt install dirsearch)')
async def run(self, service):
dot_extensions = ','.join(['.' + x for x in self.get_option('ext').split(',')])
for wordlist in self.get_option('wordlist'):
name = os.path.splitext(os.path.basename(wordlist))[0]
if self.get_option('tool') == 'feroxbuster':
await service.execute('feroxbuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "' + self.get_option('ext') + '" -v -k -n -q -e -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"')
elif self.get_option('tool') == 'gobuster':
await service.execute('gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -x "' + self.get_option('ext') + '" -z -d -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"')
elif self.get_option('tool') == 'dirsearch':
if service.target.ipversion == 'IPv6':
service.error('dirsearch does not support IPv6.')
else:
await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -e "' + self.get_option('ext') + '" -f -q -w ' + wordlist + ' --format=plain -o "{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"')
elif self.get_option('tool') == 'ffuf':
await service.execute('ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt')
elif self.get_option('tool') == 'dirb':
await service.execute('dirb {http_scheme}://{addressv6}:{port}/ ' + wordlist + ' -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"')
def manual(self, service, plugin_was_run):
dot_extensions = ','.join(['.' + x for x in self.get_option('ext').split(',')])
if self.get_option('tool') == 'feroxbuster':
service.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "' + self.get_option('ext') + '" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt'
])
elif self.get_option('tool') == 'gobuster':
service.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"'
])
elif self.get_option('tool') == 'dirsearch':
if service.target.ipversion == 'IPv4':
service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e "' + self.get_option('ext') + '" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"'
])
elif self.get_option('tool') == 'ffuf':
service.add_manual_command('(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_dirbuster.txt'
])
elif self.get_option('tool') == 'dirb':
service.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [
'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"'
])

14
autorecon/default-plugins/dns-reverse-lookup.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class DNSReverseLookup(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'DNS Reverse Lookup'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
async def run(self, service):
await service.execute('dig -p {port} -x {address} @{address}', outfile='{protocol}_{port}_dns_reverse-lookup.txt')

18
autorecon/default-plugins/dns-zone-transfer.py Normal file
View File

@ -0,0 +1,18 @@
from autorecon.plugins import ServiceScan
class DNSZoneTransfer(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'DNS Zone Transfer'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
async def run(self, service):
if self.get_global('domain'):
await service.execute('dig AXFR -p {port} @{address} ' + self.get_global('domain'), outfile='{protocol}_{port}_dns_zone-transfer-domain.txt')
if service.target.type == 'hostname':
await service.execute('dig AXFR -p {port} @{address} {address}', outfile='{protocol}_{port}_dns_zone-transfer-hostname.txt')
await service.execute('dig AXFR -p {port} @{address}', outfile='{protocol}_{port}_dns_zone-transfer.txt')

143
autorecon/default-plugins/dns.py
View File

@ -1,143 +0,0 @@
from autorecon.plugins import ServiceScan
from shutil import which
import os
class NmapDNS(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap DNS'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}')
class DNSZoneTransfer(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'DNS Zone Transfer'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
async def run(self, service):
if self.get_global('domain'):
await service.execute('dig AXFR -p {port} @{address} ' + self.get_global('domain'), outfile='{protocol}_{port}_dns_zone-transfer-domain.txt')
if service.target.type == 'hostname':
await service.execute('dig AXFR -p {port} @{address} {address}', outfile='{protocol}_{port}_dns_zone-transfer-hostname.txt')
await service.execute('dig AXFR -p {port} @{address}', outfile='{protocol}_{port}_dns_zone-transfer.txt')
class DNSReverseLookup(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'DNS Reverse Lookup'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
async def run(self, service):
await service.execute('dig -p {port} -x {address} @{address}', outfile='{protocol}_{port}_dns_reverse-lookup.txt')
class NmapMulticastDNS(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap Multicast DNS'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name(['^mdns', '^zeroconf'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_multicastdns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_multicastdns_nmap.xml" {address}')
class DnsReconDefault(ServiceScan):
def __init__(self):
super().__init__()
self.name = "DnsRecon Default Scan"
self.slug = 'dnsrecon'
self.priority = 0
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
def check(self):
if which('dnsrecon') is None:
self.error('The program dnsrecon could not be found. Make sure it is installed. (On Kali, run: sudo apt install dnsrecon)')
def manual(self, service, plugin_was_run):
service.add_manual_command('Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.', [
'dnsrecon -n {address} -d <DOMAIN-NAME> 2>&1 | tee {scandir}/{protocol}_{port}_dnsrecon_default_manual.txt'
])
async def run(self, service):
if self.get_global('domain'):
await service.execute('dnsrecon -n {address} -d ' + self.get_global('domain') + ' 2>&1', outfile='{protocol}_{port}_dnsrecon_default.txt')
else:
service.error('A domain name was not specified in the command line options (--global.domain). If you know the domain name, look in the _manual_commands.txt file for the dnsrecon command.')
class DnsReconSubdomainBruteforce(ServiceScan):
def __init__(self):
super().__init__()
self.name = "DnsRecon Bruteforce Subdomains"
self.slug = 'dnsrecon-brute'
self.priority = 0
self.tags = ['default', 'safe', 'long', 'dns']
def configure(self):
self.match_service_name('^domain')
def check(self):
if which('dnsrecon') is None:
self.error('The program dnsrecon could not be found. Make sure it is installed. (On Kali, run: sudo apt install dnsrecon)')
def manual(self, service, plugin_was_run):
domain_name = '<DOMAIN-NAME>'
if self.get_global('domain'):
domain_name = self.get_global('domain')
service.add_manual_command('Use dnsrecon to bruteforce subdomains of a DNS domain.', [
'dnsrecon -n {address} -d ' + domain_name + ' -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee {scandir}/{protocol}_{port}_dnsrecon_subdomain_bruteforce.txt',
])
class SubdomainEnumeration(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Subdomain Enumeration"
self.slug = "subdomain-enum"
self.tags = ['default', 'safe', 'long', 'dns']
def configure(self):
self.add_option('domain', help='The domain to use as the base domain (e.g. example.com) for subdomain enumeration. Default: %(default)s')
self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt'], help='The wordlist(s) to use when enumerating subdomains. Separate multiple wordlists with spaces. Default: %(default)s')
self.add_option('threads', default=10, help='The number of threads to use when enumerating subdomains. Default: %(default)s')
self.match_service_name('^domain')
async def run(self, service):
domains = []
if self.get_option('domain'):
domains.append(self.get_option('domain'))
if service.target.type == 'hostname' and service.target.address not in domains:
domains.append(service.target.address)
if self.get_global('domain') and self.get_global('domain') not in domains:
domains.append(self.get_global('domain'))
if len(domains) > 0:
for wordlist in self.get_option('wordlist'):
name = os.path.splitext(os.path.basename(wordlist))[0]
for domain in domains:
await service.execute('gobuster dns -d ' + domain + ' -r {addressv6} -w ' + wordlist + ' -o "{scandir}/{protocol}_{port}_' + domain + '_subdomains_' + name + '.txt"')
else:
service.info('The target was not a domain, nor was a domain provided as an option. Skipping subdomain enumeration.')

26
autorecon/default-plugins/dnsrecon-subdomain-bruteforce.py Normal file
View File

@ -0,0 +1,26 @@
from autorecon.plugins import ServiceScan
from shutil import which
class DnsReconSubdomainBruteforce(ServiceScan):
def __init__(self):
super().__init__()
self.name = "DnsRecon Bruteforce Subdomains"
self.slug = 'dnsrecon-brute'
self.priority = 0
self.tags = ['default', 'safe', 'long', 'dns']
def configure(self):
self.match_service_name('^domain')
def check(self):
if which('dnsrecon') is None:
self.error('The program dnsrecon could not be found. Make sure it is installed. (On Kali, run: sudo apt install dnsrecon)')
def manual(self, service, plugin_was_run):
domain_name = '<DOMAIN-NAME>'
if self.get_global('domain'):
domain_name = self.get_global('domain')
service.add_manual_command('Use dnsrecon to bruteforce subdomains of a DNS domain.', [
'dnsrecon -n {address} -d ' + domain_name + ' -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee {scandir}/{protocol}_{port}_dnsrecon_subdomain_bruteforce.txt',
])

29
autorecon/default-plugins/dnsrecon.py Normal file
View File

@ -0,0 +1,29 @@
from autorecon.plugins import ServiceScan
from shutil import which
class DnsRecon(ServiceScan):
def __init__(self):
super().__init__()
self.name = "DnsRecon Default Scan"
self.slug = 'dnsrecon'
self.priority = 0
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
def check(self):
if which('dnsrecon') is None:
self.error('The program dnsrecon could not be found. Make sure it is installed. (On Kali, run: sudo apt install dnsrecon)')
def manual(self, service, plugin_was_run):
service.add_manual_command('Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.', [
'dnsrecon -n {address} -d <DOMAIN-NAME> 2>&1 | tee {scandir}/{protocol}_{port}_dnsrecon_default_manual.txt'
])
async def run(self, service):
if self.get_global('domain'):
await service.execute('dnsrecon -n {address} -d ' + self.get_global('domain') + ' 2>&1', outfile='{protocol}_{port}_dnsrecon_default.txt')
else:
service.error('A domain name was not specified in the command line options (--global.domain). If you know the domain name, look in the _manual_commands.txt file for the dnsrecon command.')

18
autorecon/default-plugins/enum4linux.py Normal file
View File

@ -0,0 +1,18 @@
from autorecon.plugins import ServiceScan
class Enum4Linux(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Enum4Linux"
self.tags = ['default', 'safe', 'active-directory']
def configure(self):
self.match_service_name(['^ldap', '^smb', '^microsoft\-ds', '^netbios'])
self.match_port('tcp', [139, 389, 445])
self.match_port('udp', 137)
self.run_once(True)
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt')

16
autorecon/default-plugins/get-arch.py Normal file
View File

@ -0,0 +1,16 @@
from autorecon.plugins import ServiceScan
class GetArch(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'get-arch'
self.tags = ['default', 'safe', 'rpc']
def configure(self):
self.match_service_name(['^msrpc'])
self.match_port('tcp', 135)
self.add_pattern(' is ((32|64)-bit)', description='Identified Architecture: {match1}')
async def run(self, service):
await service.execute('getArch.py -target {address}', outfile='{protocol}_{port}_rpc_architecture.txt')

282
autorecon/default-plugins/http_server.py
View File

@ -1,282 +0,0 @@
from autorecon.plugins import ServiceScan
from autorecon.io import fformat
from autorecon.config import config
from shutil import which
import os
class NmapHTTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap HTTP"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match1}')
self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}')
class BruteforceHTTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Bruteforce HTTP"
self.tags = ['default', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def manual(self, service, plugin_was_run):
service.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [
'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{addressv6}/path/to/auth/area',
'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {addressv6} -m DIR:/path/to/auth/area',
'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{addressv6}/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"',
'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {addressv6} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"'
])
class Curl(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Curl"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s")
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
self.add_pattern('(?i)powered[ -]by[^\n]+')
async def run(self, service):
if service.protocol == 'tcp':
await service.execute('curl -sSik {http_scheme}://{addressv6}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html')
class CurlRobots(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Curl Robots"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service):
if service.protocol == 'tcp':
process, stdout, _ = await service.execute('curl -sSikf {http_scheme}://{addressv6}:{port}/robots.txt', future_outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt')
lines = await stdout.readlines()
if process.returncode == 0 and lines:
filename = fformat('{scandir}/{protocol}_{port}_{http_scheme}_curl-robots.txt')
with open(filename, mode='wt', encoding='utf8') as robots:
robots.write('\n'.join(lines))
else:
service.info('{bblue}[' + fformat('{tag}') + ']{rst} There did not appear to be a robots.txt file in the webroot (/).')
class CurlKnownSecurity(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Known Security"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service):
if service.protocol == 'tcp':
process, stdout, _ = await service.execute('curl -sSikf {http_scheme}://{addressv6}:{port}/.well-known/security.txt', future_outfile='{protocol}_{port}_{http_scheme}_known-security.txt')
lines = await stdout.readlines()
if process.returncode == 0 and lines:
filename = fformat('{scandir}/{protocol}_{port}_{http_scheme}_known-security.txt')
with open(filename, mode='wt', encoding='utf8') as robots:
robots.write('\n'.join(lines))
else:
service.info('{bblue}[' + fformat('{tag}') + ']{rst} There did not appear to be a .well-known/security.txt file in the webroot (/).')
class DirBuster(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Directory Buster"
self.slug = 'dirbuster'
self.priority = 0
self.tags = ['default', 'safe', 'long', 'http']
def configure(self):
self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s')
self.add_list_option('wordlist', default=[os.path.join(config['config_dir'], 'wordlists', 'dirbuster.txt')], help='The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: %(default)s')
self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s')
self.add_option('ext', default='txt,html,php,asp,aspx,jsp', help='The extensions you wish to fuzz (no dot, comma separated). Default: %(default)s')
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def check(self):
tool = self.get_option('tool')
if tool == 'feroxbuster':
if which('feroxbuster') is None:
self.error('The feroxbuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install feroxbuster)')
elif tool == 'gobuster':
if which('gobuster') is None:
self.error('The gobuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install gobuster)')
elif tool == 'dirsearch':
if which('dirsearch') is None:
self.error('The dirsearch program could not be found. Make sure it is installed. (On Kali, run: sudo apt install dirsearch)')
async def run(self, service):
dot_extensions = ','.join(['.' + x for x in self.get_option('ext').split(',')])
for wordlist in self.get_option('wordlist'):
name = os.path.splitext(os.path.basename(wordlist))[0]
if self.get_option('tool') == 'feroxbuster':
await service.execute('feroxbuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "' + self.get_option('ext') + '" -v -k -n -q -e -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"')
elif self.get_option('tool') == 'gobuster':
await service.execute('gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -x "' + self.get_option('ext') + '" -z -d -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"')
elif self.get_option('tool') == 'dirsearch':
if service.target.ipversion == 'IPv6':
service.error('dirsearch does not support IPv6.')
else:
await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -e "' + self.get_option('ext') + '" -f -q -w ' + wordlist + ' --format=plain -o "{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"')
elif self.get_option('tool') == 'ffuf':
await service.execute('ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt')
elif self.get_option('tool') == 'dirb':
await service.execute('dirb {http_scheme}://{addressv6}:{port}/ ' + wordlist + ' -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"')
def manual(self, service, plugin_was_run):
dot_extensions = ','.join(['.' + x for x in self.get_option('ext').split(',')])
if self.get_option('tool') == 'feroxbuster':
service.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "' + self.get_option('ext') + '" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt'
])
elif self.get_option('tool') == 'gobuster':
service.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"'
])
elif self.get_option('tool') == 'dirsearch':
if service.target.ipversion == 'IPv4':
service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e "' + self.get_option('ext') + '" -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"'
])
elif self.get_option('tool') == 'ffuf':
service.add_manual_command('(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_dirbuster.txt'
])
elif self.get_option('tool') == 'dirb':
service.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [
'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"'
])
class Nikto(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'nikto'
self.tags = ['default', 'safe', 'long', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"')
class VirtualHost(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Virtual Host Enumeration'
self.slug = 'vhost-enum'
self.tags = ['default', 'safe', 'http', 'long']
def configure(self):
self.add_option('hostname', help='The hostname to use as the base host (e.g. example.com) for virtual host enumeration. Default: %(default)s')
self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt'], help='The wordlist(s) to use when enumerating virtual hosts. Separate multiple wordlists with spaces. Default: %(default)s')
self.add_option('threads', default=10, help='The number of threads to use when enumerating virtual hosts. Default: %(default)s')
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def check(self):
if which('gobuster') is None:
self.error('The gobuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install gobuster)')
async def run(self, service):
hostnames = []
if self.get_option('hostname'):
hostnames.append(self.get_option('hostname'))
if service.target.type == 'hostname' and service.target.address not in hostnames:
hostnames.append(service.target.address)
if self.get_global('domain') and self.get_global('domain') not in hostnames:
hostnames.append(self.get_global('domain'))
if len(hostnames) > 0:
for wordlist in self.get_option('wordlist'):
name = os.path.splitext(os.path.basename(wordlist))[0]
for hostname in hostnames:
await service.execute('gobuster vhost -k -u {http_scheme}://' + hostname + ':{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -r -o "{scandir}/{protocol}_{port}_{http_scheme}_' + hostname + '_vhosts_' + name + '.txt"')
else:
service.info('The target was not a hostname, nor was a hostname provided as an option. Skipping virtual host enumeration.')
class WhatWeb(ServiceScan):
def __init__(self):
super().__init__()
self.name = "whatweb"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service):
if service.protocol == 'tcp' and service.target.ipversion == 'IPv4':
await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt')
class WkHTMLToImage(ServiceScan):
def __init__(self):
super().__init__()
self.name = "wkhtmltoimage"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def check(self):
if which('wkhtmltoimage') is None:
self.error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)')
async def run(self, service):
if which('wkhtmltoimage') is not None:
if service.protocol == 'tcp':
await service.execute('wkhtmltoimage --format png {http_scheme}://{addressv6}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png')
class WPScan(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'WPScan'
self.tags = ['default', 'safe', 'http']
def configure(self):
self.add_option('api-token', help='An API Token from wpvulndb.com to help search for more vulnerabilities.')
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def manual(self, service, plugin_was_run):
api_token = ''
if self.get_option('api-token'):
api_token = ' --api-token ' + self.get_option('api-token')
service.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{addressv6}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color' + api_token + ' 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"')

13
autorecon/default-plugins/ldap.py → autorecon/default-plugins/ldap-search.py
View File

@ -1,18 +1,5 @@
from autorecon.plugins import ServiceScan
class NmapLDAP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap LDAP"
self.tags = ['default', 'safe', 'ldap', 'active-directory']
def configure(self):
self.match_service_name('^ldap')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}')
class LDAPSearch(ServiceScan):
def __init__(self):

16
autorecon/default-plugins/lookup-sid.py Normal file
View File

@ -0,0 +1,16 @@
from autorecon.plugins import ServiceScan
class LookupSID(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'lookupsid'
self.tags = ['default', 'safe', 'active-directory']
def configure(self):
self.match_service('tcp', 445, '^microsoft\-ds')
def manual(self, service, plugin_was_run):
service.add_manual_command('Lookup SIDs', [
'lookupsid.py [username]:[password]@{address}'
])

201
autorecon/default-plugins/misc.py
View File

@ -1,201 +0,0 @@
from autorecon.plugins import ServiceScan
from autorecon.io import fformat
class NmapCassandra(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap Cassandra"
self.tags = ['default', 'safe', 'cassandra']
def configure(self):
self.match_service_name('^apani1')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}')
class NmapCUPS(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap CUPS"
self.tags = ['default', 'safe', 'cups']
def configure(self):
self.match_service_name('^ipp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}')
class NmapDistccd(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap distccd"
self.tags = ['default', 'safe', 'distccd']
def configure(self):
self.match_service_name('^distccd')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}')
class NmapFinger(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap finger"
self.tags = ['default', 'safe', 'finger']
def configure(self):
self.match_service_name('^finger')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}')
class NmapIMAP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap IMAP"
self.tags = ['default', 'safe', 'imap', 'email']
def configure(self):
self.match_service_name('^imap')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}')
class NmapIrc(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap IRC'
self.tags = ['default', 'safe', 'irc']
def configure(self):
self.match_service_name('^irc')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -oN "{scandir}/{protocol}_{port}_irc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_irc_nmap.xml" -p {port} {address}')
class NmapNNTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap NNTP"
self.tags = ['default', 'safe', 'nntp']
def configure(self):
self.match_service_name('^nntp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}')
class NmapNTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap NTP"
self.tags = ['default', 'safe', 'ntp']
def configure(self):
self.match_service_name('^ntp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ntp_nmap.xml" {address}')
class NmapPOP3(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap POP3"
self.tags = ['default', 'safe', 'pop3', 'email']
def configure(self):
self.match_service_name('^pop3')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}')
class NmapRMI(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap RMI"
self.tags = ['default', 'safe', 'rmi']
def configure(self):
self.match_service_name(['^java\-rmi', '^rmiregistry'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}')
class NmapTelnet(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap Telnet'
self.tags = ['default', 'safe', 'telnet']
def configure(self):
self.match_service_name('^telnet')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}')
class NmapTFTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap TFTP'
self.tags = ['default', 'safe', 'tftp']
def configure(self):
self.match_service_name('^tftp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}')
class NmapVNC(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap VNC'
self.tags = ['default', 'safe', 'vnc']
def configure(self):
self.match_service_name('^vnc')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}')
class WinRMDetection(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'WinRM Detection'
self.tags = ['default', 'safe', 'winrm']
def configure(self):
self.match_service_name('^wsman')
self.match_service('tcp', [5985, 5986], '^http')
async def run(self, service):
filename = fformat('{scandir}/{protocol}_{port}_winrm-detection.txt')
with open(filename, mode='wt', encoding='utf8') as winrm:
winrm.write('WinRM was possibly detected running on ' + service.protocol + ' port ' + str(service.port) + '.\nCheck _manual_commands.txt for manual commands you can run against this service.')
def manual(self, service, plugin_was_run):
service.add_manual_commands('Bruteforce logins:', [
'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u ' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + ' -p ' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt')
])
service.add_manual_commands('Check login (requires credentials):', [
'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u <username> -p <password> -x "whoami"'
])
service.add_manual_commands('Evil WinRM (gem install evil-winrm):', [
'evil-winrm -u <user> -p <password> -i {address}',
'evil-winrm -u <user> -H <hash> -i {address}'
])

17
autorecon/default-plugins/nbtscan.py Normal file
View File

@ -0,0 +1,17 @@
from autorecon.plugins import ServiceScan
class NBTScan(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'nbtscan'
self.tags = ['default', 'safe', 'netbios', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
self.match_port('udp', 137)
self.run_once(True)
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt')

40
autorecon/default-plugins/nfs.py
View File

@ -1,40 +0,0 @@
from autorecon.plugins import ServiceScan
class NmapNFS(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap NFS"
self.tags = ['default', 'safe', 'nfs']
def configure(self):
self.match_service_name(['^nfs', '^rpcbind'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}')
class Showmount(ServiceScan):
def __init__(self):
super().__init__()
self.name = "showmount"
self.tags = ['default', 'safe', 'nfs']
def configure(self):
self.match_service_name(['^nfs', '^rpcbind'])
async def run(self, service):
await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt')
class NmapMountd(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap Mountd"
self.tags = ['default', 'safe', 'nfs']
def configure(self):
self.match_service_name('^mountd')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nfs* and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mountd_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mountd_nmap.xml" {address}')

16
autorecon/default-plugins/nikto.py Normal file
View File

@ -0,0 +1,16 @@
from autorecon.plugins import ServiceScan
class Nikto(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'nikto'
self.tags = ['default', 'safe', 'long', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"')

14
autorecon/default-plugins/nmap-cassandra.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapCassandra(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap Cassandra"
self.tags = ['default', 'safe', 'cassandra']
def configure(self):
self.match_service_name('^apani1')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-cups.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapCUPS(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap CUPS"
self.tags = ['default', 'safe', 'cups']
def configure(self):
self.match_service_name('^ipp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-distccd.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapDistccd(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap distccd"
self.tags = ['default', 'safe', 'distccd']
def configure(self):
self.match_service_name('^distccd')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-dns.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapDNS(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap DNS'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name('^domain')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-finger.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapFinger(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap finger"
self.tags = ['default', 'safe', 'finger']
def configure(self):
self.match_service_name('^finger')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-ftp.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapFTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap FTP'
self.tags = ['default', 'safe', 'ftp']
def configure(self):
self.match_service_name(['^ftp', '^ftp\-data'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}')

17
autorecon/default-plugins/nmap-http.py Normal file
View File

@ -0,0 +1,17 @@
from autorecon.plugins import ServiceScan
class NmapHTTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap HTTP"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match1}')
self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-imap.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapIMAP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap IMAP"
self.tags = ['default', 'safe', 'imap', 'email']
def configure(self):
self.match_service_name('^imap')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-irc.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapIrc(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap IRC'
self.tags = ['default', 'safe', 'irc']
def configure(self):
self.match_service_name('^irc')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -oN "{scandir}/{protocol}_{port}_irc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_irc_nmap.xml" -p {port} {address}')

0
autorecon/default-plugins/kerberos.py → autorecon/default-plugins/nmap-kerberos.py
View File

14
autorecon/default-plugins/nmap-ldap.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapLDAP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap LDAP"
self.tags = ['default', 'safe', 'ldap', 'active-directory']
def configure(self):
self.match_service_name('^ldap')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-mongodb.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapMongoDB(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MongoDB"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^mongod')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-mountd.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapMountd(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap Mountd"
self.tags = ['default', 'safe', 'nfs']
def configure(self):
self.match_service_name('^mountd')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nfs* and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mountd_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mountd_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-msrpc.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapRPC(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MSRPC"
self.tags = ['default', 'rpc']
def configure(self):
self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}')

18
autorecon/default-plugins/nmap-mssql.py Normal file
View File

@ -0,0 +1,18 @@
from autorecon.plugins import ServiceScan
class NmapMSSQL(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MSSQL"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name(['^mssql', '^ms\-sql'])
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-multicast-dns.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapMulticastDNS(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap Multicast DNS'
self.tags = ['default', 'safe', 'dns']
def configure(self):
self.match_service_name(['^mdns', '^zeroconf'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_multicastdns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_multicastdns_nmap.xml" {address}')

18
autorecon/default-plugins/nmap-mysql.py Normal file
View File

@ -0,0 +1,18 @@
from autorecon.plugins import ServiceScan
class NmapMYSQL(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MYSQL"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^mysql')
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-nfs.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapNFS(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap NFS"
self.tags = ['default', 'safe', 'nfs']
def configure(self):
self.match_service_name(['^nfs', '^rpcbind'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-nntp.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapNNTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap NNTP"
self.tags = ['default', 'safe', 'nntp']
def configure(self):
self.match_service_name('^nntp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-ntp.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapNTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap NTP"
self.tags = ['default', 'safe', 'ntp']
def configure(self):
self.match_service_name('^ntp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ntp_nmap.xml" {address}')

17
autorecon/default-plugins/nmap-oracle.py Normal file
View File

@ -0,0 +1,17 @@
from autorecon.plugins import ServiceScan
class NmapOracle(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap Oracle"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def manual(self, service, plugin_was_run):
service.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-pop3.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapPOP3(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap POP3"
self.tags = ['default', 'safe', 'pop3', 'email']
def configure(self):
self.match_service_name('^pop3')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-rdp.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapRDP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap RDP"
self.tags = ['default', 'safe', 'rdp']
def configure(self):
self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-redis.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapRedis(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap Redis'
self.tags = ['default', 'safe', 'redis']
def configure(self):
self.match_service_name('^redis$')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,redis-info" -oN "{scandir}/{protocol}_{port}_redis_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_redis_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-rmi.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapRMI(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap RMI"
self.tags = ['default', 'safe', 'rmi']
def configure(self):
self.match_service_name(['^java\-rmi', '^rmiregistry'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}')

13
autorecon/default-plugins/rsync.py → autorecon/default-plugins/nmap-rsync.py
View File

@ -12,16 +12,3 @@ class NmapRsync(ServiceScan):
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rsync* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rsync_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rsync_nmap.xml" {address}')
class RsyncList(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Rsync List Files'
self.tags = ['default', 'safe', 'rsync']
def configure(self):
self.match_service_name('^rsync')
async def run(self, service):
await service.execute('rsync -av --list-only rsync://{addressv6}:{port}', outfile='{protocol}_{port}_rsync_file_list.txt')

14
autorecon/default-plugins/sip.py → autorecon/default-plugins/nmap-sip.py
View File

@ -12,17 +12,3 @@ class NmapSIP(ServiceScan):
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}')
class SIPVicious(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SIPVicious"
self.tags = ['default', 'safe', 'sip']
def configure(self):
self.match_service_name(['^asterisk', '^sip'])
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}')

14
autorecon/default-plugins/nmap-smb.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapSMB(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SMB"
self.tags = ['default', 'safe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-smtp.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapSMTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SMTP"
self.tags = ['default', 'safe', 'smtp', 'email']
def configure(self):
self.match_service_name('^smtp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-snmp.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapSNMP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SNMP"
self.tags = ['default', 'safe', 'snmp']
def configure(self):
self.match_service_name('^snmp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-ssh.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapSSH(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SSH"
self.tags = ['default', 'safe', 'ssh']
def configure(self):
self.match_service_name('^ssh')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-telnet.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapTelnet(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap Telnet'
self.tags = ['default', 'safe', 'telnet']
def configure(self):
self.match_service_name('^telnet')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-tftp.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapTFTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap TFTP'
self.tags = ['default', 'safe', 'tftp']
def configure(self):
self.match_service_name('^tftp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}')

14
autorecon/default-plugins/nmap-vnc.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class NmapVNC(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap VNC'
self.tags = ['default', 'safe', 'vnc']
def configure(self):
self.match_service_name('^vnc')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}')

18
autorecon/default-plugins/onesixtyone.py Normal file
View File

@ -0,0 +1,18 @@
from autorecon.plugins import ServiceScan
class OneSixtyOne(ServiceScan):
def __init__(self):
super().__init__()
self.name = "OneSixtyOne"
self.tags = ['default', 'safe', 'snmp']
def configure(self):
self.match_service_name('^snmp')
self.match_port('udp', 161)
self.run_once(True)
self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s')
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt')

21
autorecon/default-plugins/oracle-odat.py Normal file
View File

@ -0,0 +1,21 @@
from autorecon.plugins import ServiceScan
class OracleODAT(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle ODAT"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def manual(self, service, plugin_was_run):
service.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [
'python odat.py tnscmd -s {address} -p {port} --ping',
'python odat.py tnscmd -s {address} -p {port} --version',
'python odat.py tnscmd -s {address} -p {port} --status',
'python odat.py sidguesser -s {address} -p {port}',
'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module'
])

14
autorecon/default-plugins/oracle-patator.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class OraclePatator(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle Patator"
self.tags = ['default', 'databases']
def configure(self):
self.match_service_name('^oracle')
def manual(self, service, plugin_was_run):
service.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000')

19
autorecon/default-plugins/oracle-scanner.py Normal file
View File

@ -0,0 +1,19 @@
from autorecon.plugins import ServiceScan
from shutil import which
class OracleScanner(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle Scanner"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def check(self):
if which('oscanner') is None:
self.error('The oscanner program could not be found. Make sure it is installed. (On Kali, run: sudo apt install oscanner)')
async def run(self, service):
await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt')

21
autorecon/default-plugins/oracle-tnscmd.py Normal file
View File

@ -0,0 +1,21 @@
from autorecon.plugins import ServiceScan
from shutil import which
class OracleTNScmd(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Oracle TNScmd"
self.tags = ['default', 'safe', 'databases']
def configure(self):
self.match_service_name('^oracle')
def check(self):
if which('tnscmd10g') is None:
self.error('The tnscmd10g program could not be found. Make sure it is installed. (On Kali, run: sudo apt install tnscmd10g)')
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt')
await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt')

41
autorecon/default-plugins/portscan-all-tcp-ports.py Normal file
View File

@ -0,0 +1,41 @@
from autorecon.plugins import PortScan
from autorecon.config import config
import re
class AllTCPPortScan(PortScan):
def __init__(self):
super().__init__()
self.name = 'All TCP Ports'
self.description = 'Performs an Nmap scan of all TCP ports.'
self.type = 'tcp'
self.specific_ports = True
self.tags = ['default', 'default-port-scan', 'long']
async def run(self, target):
if config['proxychains']:
traceroute_os = ''
else:
traceroute_os = ' -A --osscan-guess'
if target.ports:
if target.ports['tcp']:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -p ' + target.ports['tcp'] + ' -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False)
else:
return []
else:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False)
services = []
while True:
line = await stdout.readline()
if line is not None:
match = re.search('^Discovered open port ([0-9]+)/tcp', line)
if match:
target.info('Discovered open port {bmagenta}tcp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
service = target.extract_service(line)
if service:
services.append(service)
else:
break
await process.wait()
return services

0
autorecon/default-plugins/guess-port-scan.py → autorecon/default-plugins/portscan-guess-tcp-ports.py
View File

40
autorecon/default-plugins/portscan-top-100-udp-ports.py Normal file
View File

@ -0,0 +1,40 @@
from autorecon.plugins import PortScan
from autorecon.config import config
import os, re
class Top100UDPPortScan(PortScan):
def __init__(self):
super().__init__()
self.name = 'Top 100 UDP Ports'
self.description = 'Performs an Nmap scan of the top 100 UDP ports.'
self.type = 'udp'
self.specific_ports = True
self.tags = ['default', 'default-port-scan', 'long']
async def run(self, target):
# Only run UDP scan if user is root.
if os.getuid() == 0:
if target.ports:
if target.ports['udp']:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --osscan-guess -p ' + target.ports['udp'] + ' -oN "{scandir}/_custom_ports_udp_nmap.txt" -oX "{scandir}/xml/_custom_ports_udp_nmap.xml" {address}', blocking=False)
else:
return []
else:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --top-ports 100 -oN "{scandir}/_top_100_udp_nmap.txt" -oX "{scandir}/xml/_top_100_udp_nmap.xml" {address}', blocking=False)
services = []
while True:
line = await stdout.readline()
if line is not None:
match = re.search('^Discovered open port ([0-9]+)/udp', line)
if match:
target.info('Discovered open port {bmagenta}udp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
service = target.extract_service(line)
if service:
services.append(service)
else:
break
await process.wait()
return services
else:
target.error('UDP scan requires AutoRecon be run with root privileges.')

26
autorecon/default-plugins/portscan-top-tcp-ports.py Normal file
View File

@ -0,0 +1,26 @@
from autorecon.plugins import PortScan
from autorecon.config import config
class QuickTCPPortScan(PortScan):
def __init__(self):
super().__init__()
self.name = 'Top TCP Ports'
self.description = 'Performs an Nmap scan of the top 1000 TCP ports.'
self.type = 'tcp'
self.tags = ['default', 'default-port-scan']
self.priority = 0
async def run(self, target):
if target.ports: # Don't run this plugin if there are custom ports.
return []
if config['proxychains']:
traceroute_os = ''
else:
traceroute_os = ' -A --osscan-guess'
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False)
services = await target.extract_services(stdout)
await process.wait()
return services

13
autorecon/default-plugins/redis.py → autorecon/default-plugins/redis-cli.py
View File

@ -1,19 +1,6 @@
from autorecon.plugins import ServiceScan
from shutil import which
class NmapRedis(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Nmap Redis'
self.tags = ['default', 'safe', 'redis']
def configure(self):
self.match_service_name('^redis$')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,redis-info" -oN "{scandir}/{protocol}_{port}_redis_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_redis_nmap.xml" {address}')
class RedisCli(ServiceScan):
def __init__(self):

72
autorecon/default-plugins/reporting.py → autorecon/default-plugins/reporting-cherrytree.py
View File

@ -89,75 +89,3 @@ class CherryTree(Report):
output.writelines('</node>\n')
output.writelines('</cherrytree>')
class Markdown(Report):
def __init__(self):
super().__init__()
self.name = 'Markdown'
async def run(self, targets):
if len(targets) > 1:
report = os.path.join(config['output'], 'report.md')
elif len(targets) == 1:
report = os.path.join(targets[0].reportdir, 'report.md')
else:
return
os.makedirs(report, exist_ok=True)
for target in targets:
os.makedirs(os.path.join(report, target.address), exist_ok=True)
files = [os.path.abspath(filename) for filename in glob.iglob(os.path.join(target.scandir, '**/*'), recursive=True) if os.path.isfile(filename) and filename.endswith(('.txt', '.html'))]
if target.scans['ports']:
os.makedirs(os.path.join(report, target.address, 'Port Scans'), exist_ok=True)
for scan in target.scans['ports'].keys():
if len(target.scans['ports'][scan]['commands']) > 0:
with open(os.path.join(report, target.address, 'Port Scans', 'PortScan - ' + target.scans['ports'][scan]['plugin'].name + '.md'), 'w') as output:
for command in target.scans['ports'][scan]['commands']:
output.writelines('```bash\n' + command[0] + '\n```')
for filename in files:
if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
output.writelines('\n\n[' + filename + '](file://' + filename + '):\n\n')
with open(filename, 'r') as file:
output.writelines('```\n' + file.read() + '\n```\n')
if target.scans['services']:
os.makedirs(os.path.join(report, target.address, 'Services'), exist_ok=True)
for service in target.scans['services'].keys():
os.makedirs(os.path.join(report, target.address, 'Services', 'Service - ' + service.tag().replace('/', '-')), exist_ok=True)
for plugin in target.scans['services'][service].keys():
if len(target.scans['services'][service][plugin]['commands']) > 0:
with open(os.path.join(report, target.address, 'Services', 'Service - ' + service.tag().replace('/', '-'), target.scans['services'][service][plugin]['plugin'].name + '.md'), 'w') as output:
for command in target.scans['services'][service][plugin]['commands']:
output.writelines('```bash\n' + command[0] + '\n```')
for filename in files:
if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
output.writelines('\n\n[' + filename + '](file://' + filename + '):\n\n')
with open(filename, 'r') as file:
output.writelines('```\n' + file.read() + '\n```\n')
manual_commands = os.path.join(target.scandir, '_manual_commands.txt')
if os.path.isfile(manual_commands):
with open(os.path.join(report, target.address, 'Manual Commands' + '.md'), 'w') as output:
with open(manual_commands, 'r') as file:
output.writelines('```bash\n' + file.read() + '\n```')
patterns = os.path.join(target.scandir, '_patterns.log')
if os.path.isfile(patterns):
with open(os.path.join(report, target.address, 'Patterns' + '.md'), 'w') as output:
with open(patterns, 'r') as file:
output.writelines(file.read())
commands = os.path.join(target.scandir, '_commands.log')
if os.path.isfile(commands):
with open(os.path.join(report, target.address, 'Commands' + '.md'), 'w') as output:
with open(commands, 'r') as file:
output.writelines('```bash\n' + file.read() + '\n```')
errors = os.path.join(target.scandir, '_errors.log')
if os.path.isfile(errors):
with open(os.path.join(report, target.address, 'Errors' + '.md'), 'w') as output:
with open(errors, 'r') as file:
output.writelines('```\n' + file.read() + '\n```')

75
autorecon/default-plugins/reporting-markdown.py Normal file
View File

@ -0,0 +1,75 @@
from autorecon.plugins import Report
from autorecon.config import config
import os, glob
class Markdown(Report):
def __init__(self):
super().__init__()
self.name = 'Markdown'
async def run(self, targets):
if len(targets) > 1:
report = os.path.join(config['output'], 'report.md')
elif len(targets) == 1:
report = os.path.join(targets[0].reportdir, 'report.md')
else:
return
os.makedirs(report, exist_ok=True)
for target in targets:
os.makedirs(os.path.join(report, target.address), exist_ok=True)
files = [os.path.abspath(filename) for filename in glob.iglob(os.path.join(target.scandir, '**/*'), recursive=True) if os.path.isfile(filename) and filename.endswith(('.txt', '.html'))]
if target.scans['ports']:
os.makedirs(os.path.join(report, target.address, 'Port Scans'), exist_ok=True)
for scan in target.scans['ports'].keys():
if len(target.scans['ports'][scan]['commands']) > 0:
with open(os.path.join(report, target.address, 'Port Scans', 'PortScan - ' + target.scans['ports'][scan]['plugin'].name + '.md'), 'w') as output:
for command in target.scans['ports'][scan]['commands']:
output.writelines('```bash\n' + command[0] + '\n```')
for filename in files:
if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
output.writelines('\n\n[' + filename + '](file://' + filename + '):\n\n')
with open(filename, 'r') as file:
output.writelines('```\n' + file.read() + '\n```\n')
if target.scans['services']:
os.makedirs(os.path.join(report, target.address, 'Services'), exist_ok=True)
for service in target.scans['services'].keys():
os.makedirs(os.path.join(report, target.address, 'Services', 'Service - ' + service.tag().replace('/', '-')), exist_ok=True)
for plugin in target.scans['services'][service].keys():
if len(target.scans['services'][service][plugin]['commands']) > 0:
with open(os.path.join(report, target.address, 'Services', 'Service - ' + service.tag().replace('/', '-'), target.scans['services'][service][plugin]['plugin'].name + '.md'), 'w') as output:
for command in target.scans['services'][service][plugin]['commands']:
output.writelines('```bash\n' + command[0] + '\n```')
for filename in files:
if filename in command[0] or (command[1] is not None and filename == command[1]) or (command[2] is not None and filename == command[2]):
output.writelines('\n\n[' + filename + '](file://' + filename + '):\n\n')
with open(filename, 'r') as file:
output.writelines('```\n' + file.read() + '\n```\n')
manual_commands = os.path.join(target.scandir, '_manual_commands.txt')
if os.path.isfile(manual_commands):
with open(os.path.join(report, target.address, 'Manual Commands' + '.md'), 'w') as output:
with open(manual_commands, 'r') as file:
output.writelines('```bash\n' + file.read() + '\n```')
patterns = os.path.join(target.scandir, '_patterns.log')
if os.path.isfile(patterns):
with open(os.path.join(report, target.address, 'Patterns' + '.md'), 'w') as output:
with open(patterns, 'r') as file:
output.writelines(file.read())
commands = os.path.join(target.scandir, '_commands.log')
if os.path.isfile(commands):
with open(os.path.join(report, target.address, 'Commands' + '.md'), 'w') as output:
with open(commands, 'r') as file:
output.writelines('```bash\n' + file.read() + '\n```')
errors = os.path.join(target.scandir, '_errors.log')
if os.path.isfile(errors):
with open(os.path.join(report, target.address, 'Errors' + '.md'), 'w') as output:
with open(errors, 'r') as file:
output.writelines('```\n' + file.read() + '\n```')

57
autorecon/default-plugins/rpc.py
View File

@ -1,57 +0,0 @@
from autorecon.plugins import ServiceScan
class NmapRPC(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap MSRPC"
self.tags = ['default', 'rpc']
def configure(self):
self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}')
class RPCClient(ServiceScan):
def __init__(self):
super().__init__()
self.name = "rpcclient"
self.tags = ['default', 'safe', 'rpc']
def configure(self):
self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
def manual(self, service, plugin_was_run):
service.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}')
class RPCDump(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'rpcdump'
self.tags = ['default', 'safe', 'rpc']
def configure(self):
self.match_service_name(['^msrpc', '^rpcbind', '^erpc', '^ncacn_http$'])
self.match_port('tcp', [135, 139, 443, 445, 593])
async def run(self, service):
if service.protocol == 'tcp':
await service.execute('impacket-rpcdump -port {port} {address}', outfile='{protocol}_{port}_rpc_rpcdump.txt')
class GetArch(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'get-arch'
self.tags = ['default', 'safe', 'rpc']
def configure(self):
self.match_service_name(['^msrpc'])
self.match_port('tcp', 135)
self.add_pattern(' is ((32|64)-bit)', description='Identified Architecture: {match1}')
async def run(self, service):
await service.execute('getArch.py -target {address}', outfile='{protocol}_{port}_rpc_architecture.txt')

14
autorecon/default-plugins/rpcclient.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class RPCClient(ServiceScan):
def __init__(self):
super().__init__()
self.name = "rpcclient"
self.tags = ['default', 'safe', 'rpc']
def configure(self):
self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
def manual(self, service, plugin_was_run):
service.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}')

16
autorecon/default-plugins/rpcdump.py Normal file
View File

@ -0,0 +1,16 @@
from autorecon.plugins import ServiceScan
class RPCDump(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'rpcdump'
self.tags = ['default', 'safe', 'rpc']
def configure(self):
self.match_service_name(['^msrpc', '^rpcbind', '^erpc', '^ncacn_http$'])
self.match_port('tcp', [135, 139, 443, 445, 593])
async def run(self, service):
if service.protocol == 'tcp':
await service.execute('impacket-rpcdump -port {port} {address}', outfile='{protocol}_{port}_rpc_rpcdump.txt')

14
autorecon/default-plugins/rsync-list-files.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class RsyncList(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Rsync List Files'
self.tags = ['default', 'safe', 'rsync']
def configure(self):
self.match_service_name('^rsync')
async def run(self, service):
await service.execute('rsync -av --list-only rsync://{addressv6}:{port}', outfile='{protocol}_{port}_rsync_file_list.txt')

14
autorecon/default-plugins/showmount.py Normal file
View File

@ -0,0 +1,14 @@
from autorecon.plugins import ServiceScan
class Showmount(ServiceScan):
def __init__(self):
super().__init__()
self.name = "showmount"
self.tags = ['default', 'safe', 'nfs']
def configure(self):
self.match_service_name(['^nfs', '^rpcbind'])
async def run(self, service):
await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt')

15
autorecon/default-plugins/sipvicious.py Normal file
View File

@ -0,0 +1,15 @@
from autorecon.plugins import ServiceScan
class SIPVicious(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SIPVicious"
self.tags = ['default', 'safe', 'sip']
def configure(self):
self.match_service_name(['^asterisk', '^sip'])
def manual(self, service, plugin_was_run):
if service.target.ipversion == 'IPv4':
service.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}')

24
autorecon/default-plugins/smb-vuln.py Normal file
View File

@ -0,0 +1,24 @@
from autorecon.plugins import ServiceScan
class SMBVuln(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SMB Vulnerabilities"
self.tags = ['unsafe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}')
await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}')
await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}')
def manual(self, service, plugin_was_run):
if not plugin_was_run: # Only suggest these if they weren't run.
service.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
])

119
autorecon/default-plugins/smb.py
View File

@ -1,119 +0,0 @@
from autorecon.plugins import ServiceScan
class NmapSMB(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SMB"
self.tags = ['default', 'safe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}')
class SMBVuln(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SMB Vulnerabilities"
self.tags = ['unsafe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}')
await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}')
await service.execute('nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}')
def manual(self, service, plugin_was_run):
if not plugin_was_run: # Only suggest these if they weren't run.
service.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
])
class Enum4Linux(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Enum4Linux"
self.tags = ['default', 'safe', 'active-directory']
def configure(self):
self.match_service_name(['^ldap', '^smb', '^microsoft\-ds', '^netbios'])
self.match_port('tcp', [139, 389, 445])
self.match_port('udp', 137)
self.run_once(True)
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt')
class LookupSID(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'lookupsid'
self.tags = ['default', 'safe', 'active-directory']
def configure(self):
self.match_service('tcp', 445, '^microsoft\-ds')
def manual(self, service, plugin_was_run):
service.add_manual_command('Lookup SIDs', [
'lookupsid.py [username]:[password]@{address}'
])
class NBTScan(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'nbtscan'
self.tags = ['default', 'safe', 'netbios', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
self.match_port('udp', 137)
self.run_once(True)
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt')
class SMBClient(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SMBClient"
self.tags = ['default', 'safe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
self.match_port('tcp', [139, 445])
self.run_once(True)
async def run(self, service):
await service.execute('smbclient -L //{address} -N -I {address} 2>&1', outfile='smbclient.txt')
class SMBMap(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SMBMap"
self.tags = ['default', 'safe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')

16
autorecon/default-plugins/smbclient.py Normal file
View File

@ -0,0 +1,16 @@
from autorecon.plugins import ServiceScan
class SMBClient(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SMBClient"
self.tags = ['default', 'safe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
self.match_port('tcp', [139, 445])
self.run_once(True)
async def run(self, service):
await service.execute('smbclient -L //{address} -N -I {address} 2>&1', outfile='smbclient.txt')

20
autorecon/default-plugins/smbmap.py Normal file
View File

@ -0,0 +1,20 @@
from autorecon.plugins import ServiceScan
class SMBMap(ServiceScan):
def __init__(self):
super().__init__()
self.name = "SMBMap"
self.tags = ['default', 'safe', 'smb', 'active-directory']
def configure(self):
self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')

13
autorecon/default-plugins/smtp.py → autorecon/default-plugins/smtp-user-enum.py
View File

@ -1,18 +1,5 @@
from autorecon.plugins import ServiceScan
class NmapSMTP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SMTP"
self.tags = ['default', 'safe', 'smtp', 'email']
def configure(self):
self.match_service_name('^smtp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}')
class SMTPUserEnum(ServiceScan):
def __init__(self):

30
autorecon/default-plugins/snmp.py → autorecon/default-plugins/snmpwalk.py
View File

@ -1,35 +1,5 @@
from autorecon.plugins import ServiceScan
class NmapSNMP(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Nmap SNMP"
self.tags = ['default', 'safe', 'snmp']
def configure(self):
self.match_service_name('^snmp')
async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}')
class OneSixtyOne(ServiceScan):
def __init__(self):
super().__init__()
self.name = "OneSixtyOne"
self.tags = ['default', 'safe', 'snmp']
def configure(self):
self.match_service_name('^snmp')
self.match_port('udp', 161)
self.run_once(True)
self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s')
async def run(self, service):
if service.target.ipversion == 'IPv4':
await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt')
class SNMPWalk(ServiceScan):
def __init__(self):

34
autorecon/default-plugins/subdomain-enumeration.py Normal file
View File

@ -0,0 +1,34 @@
from autorecon.plugins import ServiceScan
import os
class SubdomainEnumeration(ServiceScan):
def __init__(self):
super().__init__()
self.name = "Subdomain Enumeration"
self.slug = "subdomain-enum"
self.tags = ['default', 'safe', 'long', 'dns']
def configure(self):
self.add_option('domain', help='The domain to use as the base domain (e.g. example.com) for subdomain enumeration. Default: %(default)s')
self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt'], help='The wordlist(s) to use when enumerating subdomains. Separate multiple wordlists with spaces. Default: %(default)s')
self.add_option('threads', default=10, help='The number of threads to use when enumerating subdomains. Default: %(default)s')
self.match_service_name('^domain')
async def run(self, service):
domains = []
if self.get_option('domain'):
domains.append(self.get_option('domain'))
if service.target.type == 'hostname' and service.target.address not in domains:
domains.append(service.target.address)
if self.get_global('domain') and self.get_global('domain') not in domains:
domains.append(self.get_global('domain'))
if len(domains) > 0:
for wordlist in self.get_option('wordlist'):
name = os.path.splitext(os.path.basename(wordlist))[0]
for domain in domains:
await service.execute('gobuster dns -d ' + domain + ' -r {addressv6} -w ' + wordlist + ' -o "{scandir}/{protocol}_{port}_' + domain + '_subdomains_' + name + '.txt"')
else:
service.info('The target was not a domain, nor was a domain provided as an option. Skipping subdomain enumeration.')

39
autorecon/default-plugins/virtual-host-enumeration.py Normal file
View File

@ -0,0 +1,39 @@
from autorecon.plugins import ServiceScan
from shutil import which
import os
class VirtualHost(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'Virtual Host Enumeration'
self.slug = 'vhost-enum'
self.tags = ['default', 'safe', 'http', 'long']
def configure(self):
self.add_option('hostname', help='The hostname to use as the base host (e.g. example.com) for virtual host enumeration. Default: %(default)s')
self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt'], help='The wordlist(s) to use when enumerating virtual hosts. Separate multiple wordlists with spaces. Default: %(default)s')
self.add_option('threads', default=10, help='The number of threads to use when enumerating virtual hosts. Default: %(default)s')
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def check(self):
if which('gobuster') is None:
self.error('The gobuster program could not be found. Make sure it is installed. (On Kali, run: sudo apt install gobuster)')
async def run(self, service):
hostnames = []
if self.get_option('hostname'):
hostnames.append(self.get_option('hostname'))
if service.target.type == 'hostname' and service.target.address not in hostnames:
hostnames.append(service.target.address)
if self.get_global('domain') and self.get_global('domain') not in hostnames:
hostnames.append(self.get_global('domain'))
if len(hostnames) > 0:
for wordlist in self.get_option('wordlist'):
name = os.path.splitext(os.path.basename(wordlist))[0]
for hostname in hostnames:
await service.execute('gobuster vhost -k -u {http_scheme}://' + hostname + ':{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -r -o "{scandir}/{protocol}_{port}_{http_scheme}_' + hostname + '_vhosts_' + name + '.txt"')
else:
service.info('The target was not a hostname, nor was a hostname provided as an option. Skipping virtual host enumeration.')

16
autorecon/default-plugins/whatweb.py Normal file
View File

@ -0,0 +1,16 @@
from autorecon.plugins import ServiceScan
class WhatWeb(ServiceScan):
def __init__(self):
super().__init__()
self.name = "whatweb"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service):
if service.protocol == 'tcp' and service.target.ipversion == 'IPv4':
await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt')

32
autorecon/default-plugins/winrm-detection.py Normal file
View File

@ -0,0 +1,32 @@
from autorecon.plugins import ServiceScan
from autorecon.io import fformat
class WinRMDetection(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'WinRM Detection'
self.tags = ['default', 'safe', 'winrm']
def configure(self):
self.match_service_name('^wsman')
self.match_service('tcp', [5985, 5986], '^http')
async def run(self, service):
filename = fformat('{scandir}/{protocol}_{port}_winrm-detection.txt')
with open(filename, mode='wt', encoding='utf8') as winrm:
winrm.write('WinRM was possibly detected running on ' + service.protocol + ' port ' + str(service.port) + '.\nCheck _manual_commands.txt for manual commands you can run against this service.')
def manual(self, service, plugin_was_run):
service.add_manual_commands('Bruteforce logins:', [
'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u ' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + ' -p ' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt')
])
service.add_manual_commands('Check login (requires credentials):', [
'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u <username> -p <password> -x "whoami"'
])
service.add_manual_commands('Evil WinRM (gem install evil-winrm):', [
'evil-winrm -u <user> -p <password> -i {address}',
'evil-winrm -u <user> -H <hash> -i {address}'
])

22
autorecon/default-plugins/wkhtmltoimage.py Normal file
View File

@ -0,0 +1,22 @@
from autorecon.plugins import ServiceScan
from shutil import which
class WkHTMLToImage(ServiceScan):
def __init__(self):
super().__init__()
self.name = "wkhtmltoimage"
self.tags = ['default', 'safe', 'http']
def configure(self):
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def check(self):
if which('wkhtmltoimage') is None:
self.error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)')
async def run(self, service):
if which('wkhtmltoimage') is not None:
if service.protocol == 'tcp':
await service.execute('wkhtmltoimage --format png {http_scheme}://{addressv6}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png')

20
autorecon/default-plugins/wpscan.py Normal file
View File

@ -0,0 +1,20 @@
from autorecon.plugins import ServiceScan
class WPScan(ServiceScan):
def __init__(self):
super().__init__()
self.name = 'WPScan'
self.tags = ['default', 'safe', 'http']
def configure(self):
self.add_option('api-token', help='An API Token from wpvulndb.com to help search for more vulnerabilities.')
self.match_service_name('^http')
self.match_service_name('^nacn_http$', negative_match=True)
def manual(self, service, plugin_was_run):
api_token = ''
if self.get_option('api-token'):
api_token = ' --api-token ' + self.get_option('api-token')
service.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{addressv6}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color' + api_token + ' 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"')

2
autorecon/main.py
View File

@ -17,7 +17,7 @@ from autorecon.io import slugify, e, fformat, cprint, debug, info, warn, error,
from autorecon.plugins import Pattern, PortScan, ServiceScan, Report, AutoRecon
from autorecon.targets import Target, Service
VERSION = "2.0.15"
VERSION = "2.0.16"
if not os.path.exists(config['config_dir']):
shutil.rmtree(config['config_dir'], ignore_errors=True, onerror=None)

2
pyproject.toml
View File

@ -1,6 +1,6 @@
[tool.poetry]
name = "autorecon"
version = "2.0.15"
version = "2.0.16"
description = "A multi-threaded network reconnaissance tool which performs automated enumeration of services."
authors = ["Tib3rius"]
license = "GNU GPL v3"