diff --git a/autorecon.py b/autorecon.py
index 20e7378..2799ea9 100644
--- a/autorecon.py
+++ b/autorecon.py
@@ -105,7 +105,7 @@ def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
 exit(-1)
 port_scan_profiles_config_file = 'port-scan-profiles.toml'
-with open(os.path.join(__location__, port_scan_profiles_config_file), 'r') as p:
+with open(os.path.join(__location__, 'config', port_scan_profiles_config_file), 'r') as p:
 try:
 port_scan_profiles_config = toml.load(p)
@@ -115,13 +115,13 @@ with open(os.path.join(__location__, port_scan_profiles_config_file), 'r') as p:
 except toml.decoder.TomlDecodeError as e:
 fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.')
-with open(os.path.join(__location__, 'service-scans.toml'), 'r') as c:
+with open(os.path.join(__location__, 'config', 'service-scans.toml'), 'r') as c:
 try:
 service_scans_config = toml.load(c)
 except toml.decoder.TomlDecodeError as e:
 fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.')
-with open(os.path.join(__location__, 'patterns.toml'), 'r') as p:
+with open(os.path.join(__location__, 'config', 'global-patterns.toml'), 'r') as p:
 try:
 global_patterns = toml.load(p)
 if 'pattern' in global_patterns:
@@ -129,7 +129,7 @@ with open(os.path.join(__location__, 'patterns.toml'), 'r') as p:
 else:
 global_patterns = []
 except toml.decoder.TomlDecodeError as e:
- fail('Error: Couldn\'t parse patterns.toml config file. Check syntax and duplicate tags.')
+ fail('Error: Couldn\'t parse global-patterns.toml config file. Check syntax and duplicate tags.')
 if 'username_wordlist' in service_scans_config:
 if isinstance(service_scans_config['username_wordlist'], str):
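Review bot: All three `with open(...)` statements in these hunks still open the TOML files with mode `'r'` and no `encoding=`, so parsing depends on the locale's default codec while TOML requires a UTF-8 document; `with open(os.path.join(__location__, 'config', port_scan_profiles_config_file), 'r', encoding='utf-8') as p:` (and the same for the service-scans and global-patterns opens) pins it. The new `'config'` path component is also now repeated in each call, and each open is followed by the same `try`/`toml.load`/`except TomlDecodeError`/`fail` shape, so a single helper that joins `__location__`, `'config'` and the file name and wraps the load-or-fail pair would remove the triplication. The `as e` bindings are never used and can be dropped. The bodies of the `with` blocks continue outside the hunks.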
@@ -213,7 +213,8 @@ async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]):
 return {'returncode': process.returncode, 'name': 'run_cmd'}
-async def parse_port_scan(stream, tag, address, pattern):
+async def parse_port_scan(stream, tag, target, pattern):
+ address = target.address
 ports = []
 while True:
@@ -248,7 +249,8 @@ async def parse_port_scan(stream, tag, address, pattern):
 return ports
-async def parse_service_detection(stream, tag, address, pattern):
+async def parse_service_detection(stream, tag, target, pattern):
+ address = target.address
 services = []
 while True:
@@ -303,7 +305,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None
 process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
 output = [
- parse_port_scan(process.stdout, tag, address, pattern),
+ parse_port_scan(process.stdout, tag, target, pattern),
 read_stream(process.stderr, target, tag=tag, color=Fore.RED)
 ]
@@ -338,7 +340,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None
 process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
 output = [
- parse_service_detection(process.stdout, tag, address, pattern),
+ parse_service_detection(process.stdout, tag, target, pattern),
 read_stream(process.stderr, target, tag=tag, color=Fore.RED)
 ]
@@ -397,7 +399,7 @@ async def scan_services(loop, semaphore, target):
 port = service_tuple[1]
 service = service_tuple[2]
- info(Fore.BLUE + '[' + Style.BRIGHT + address + Style.NORMAL + '] {service} found on {protocol}/{port}' + Fore.RESET)
+ info('Found {bmagenta}{service}{rst} on {bmagenta}{protocol}/{port}{rst} on target {byellow}{address}{rst}')
 with open(os.path.join(target.reportdir, 'notes.txt'), 'a') as file:
 file.writelines(e('[*] {service} found on {protocol}/{port}.\n\n\n\n'))
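Review bot: `parse_port_scan` and `parse_service_detection` now receive the whole `target`, but within these hunks the only use is the identical added line `address = target.address`, and neither coroutine has a docstring saying what the wider object is for; a one-line docstring such as `"""Parse *stream* line by line against *pattern*; *target* is the scan target whose .address is reported."""` on each would record the new contract (what attributes of `target` are expected cannot be told from the hunk). The rewritten `info(...)` call in `scan_services` drops the explicit `address` concatenation in favour of `{address}` inside the literal, so it presumably relies on `info` interpolating the caller's locals the same way `e()` does on the following line; that only works if `address` is still bound in that scope, which the hunk does not show, so please confirm. Both parse coroutines continue past their hunks.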
diff --git a/config/global-patterns.toml b/config/global-patterns.toml
new file mode 100644
index 0000000..67f6600
--- /dev/null
+++ b/config/global-patterns.toml
@@ -0,0 +1,8 @@
+# Patterns defined in this file will be checked against every line of output (e.g. port scans and service scans)
+
+[[pattern]]
+description = 'Nmap script found a potential vulnerability. ({match})'
+pattern = 'State: (?:(?:LIKELY\_?)?VULNERABLE)'
+
+[[pattern]]
+pattern = '(?i)unauthorized'
diff --git a/port-scan-profiles.toml b/config/port-scan-profiles.toml
similarity index 100%
rename from port-scan-profiles.toml
rename to config/port-scan-profiles.toml
diff --git a/service-scans.toml b/config/service-scans.toml
similarity index 81%
rename from service-scans.toml
rename to config/service-scans.toml
index 19cd48f..1c14eed 100644
--- a/service-scans.toml
+++ b/config/service-scans.toml
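Review bot: The `LIKELY\_?` fragment in the carried-over vulnerability pattern only tolerates an underscore (or nothing) between LIKELY and VULNERABLE; as far as I recall Nmap's vulns library prints the state as `LIKELY VULNERABLE` with a space, in which case that line is never matched, and `pattern = 'State: (?:LIKELY[ _]?)?VULNERABLE'` would cover both spellings (the `\_` escape is also redundant in Python's `re`, where `_` needs no escaping). The second entry has no `description`; the loader in autorecon.py is outside this file, so verify it tolerates a pattern without one rather than failing on the missing key. `(?i)unauthorized` is also broad and will fire on any output line containing the word, including help text or banners; if the intended signal is an HTTP 401, anchoring it (for example `'401 Unauthorized'`) would cut false positives.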
@@ -22,16 +22,36 @@ service-names = [
 name = 'nmap-cups'
 command = 'nmap {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}'
+[distcc]
+
+service-names = [
+ '^distccd'
+]
+
+ [[distcc.scan]]
+ name = 'nmap-distcc'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}'
+
 [dns]
 service-names = [
- '^domain',
+ '^domain'
 ]
 [[dns.scan]]
 name = 'nmap-dns'
 command = 'nmap {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}'
+[finger]
+
+service-names = [
+ '^finger'
+]
+
+ [[finger.scan]]
+ nmap = 'nmap-finger'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
+
 [ftp]
 service-names = [
@@ -72,10 +92,17 @@ ignore-service-names = [
 description = 'Identified HTTP Server: {match}'
 pattern = 'Server: ([^\n]+)'
+ [[http.scan.pattern]]
+ description = 'WebDAV is enabled'
+ pattern = 'WebDAV is ENABLED'
+
 [[http.scan]]
 name = 'curl-index'
 command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"'
+ [[http.scan.pattern]]
+ pattern = '(?i)Powered by [^\n]+'
+
 [[http.scan]]
 name = 'curl-robots'
 command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"'
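Review bot: The new `[[finger.scan]]` entry uses the key `nmap = 'nmap-finger'` where every other scan in the file (including the `[[distcc.scan]]` added in the same hunk) uses `name`, so the finger scan will carry no `name` when the config is read and whatever the loader does with that key will misbehave; change it to `name = 'nmap-finger'`. The `nmap-distcc` scan also passes a `cmd=` script argument, so unlike the other default scans here it executes on the host rather than only fingerprinting it; the file already keeps intrusive checks under `[[<service>.manual]]` with a cautionary `description` (see the SMB entries later in this diff), and this one arguably belongs there too, with the same kind of description.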
@@ -141,12 +168,13 @@ service-names = [
 [kerberos]
 service-names = [
- '^kerberos'
+ '^kerberos',
+ '^kpasswd'
 ]
 [[kerberos.scan]]
 name = 'nmap-kerberos'
- command = 'nmap {nmap_extra} -sV -p {port} --script=krb5-enum-users -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}'
 [ldap]
@@ -184,7 +212,7 @@ service-names = [
 [[mssql.scan]]
 name = 'nmap-mssql'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=mssql.instance-port={port},mssql.username=sa,mssql.password=sa -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}'
 [[mssql.manual]]
 description = '(sqsh) interactive database shell'
@@ -213,6 +241,16 @@ service-names = [
 name = 'nmap-nfs'
 command = 'nmap {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}'
+[nntp]
+
+service-names = [
+ '^nntp'
+]
+
+ [[nntp.scan]]
+ name = 'nmap-nntp'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}'
+
 [oracle]
 service-names = [
@@ -261,7 +299,7 @@ service-names = [
 [[rmi.scan]]
 name = 'nmap-rmi'
- command = 'nmap {nmap_extra} -sV -p {port} --script=rmi-vuln-classloader,rmi-dumpregistry -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}'
 [rpc]
@@ -271,9 +309,25 @@ service-names = [
 '^erpc'
 ]
- [[msrpc.scan]]
+ [[rpc.scan]]
 name = 'nmap-msrpc'
- command = 'nmap {nmap_extra} -sV -p {port} --script=msrpc-enum,rpc-grind,rpcinfo -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}'
+
+ [[rpc.manual]]
+ description = 'RPC Client:'
+ commands = [
+ 'rpcclient -p {port} -U "" {address}'
+ ]
+
+[sip]
+
+service-names = [
+ '^asterisk'
+]
+
+ [[sip.scan]]
+ name = 'nmap-sip'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}'
 [ssh]
@@ -283,7 +337,7 @@ service-names = [
 [[ssh.scan]]
 name = 'nmap-ssh'
- command = 'nmap {nmap_extra} -sV -p {port} --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}'
 [[ssh.manual]]
 description = 'Bruteforce logins:'
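Review bot: The new `[sip]` section matches only `'^asterisk'`, yet its scan is named `nmap-sip` and runs generic SIP scripts; as far as I recall Nmap reports port 5060 under the service name `sip` and only names Asterisk when version detection identifies that product, so a generic SIP listener would never trigger this section. If the intent is any SIP server, `service-names = [ '^asterisk', '^sip' ]` covers both; if only Asterisk is meant, renaming the section and scan (or adding a `description`) would make that explicit. The `[[msrpc.scan]]` to `[[rpc.scan]]` correction in the second hunk looks right, since the enclosing table is `[rpc]`.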
@@ -301,7 +355,7 @@ service-names = [
 [[smb.scan]]
 name = 'nmap-smb'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
 [[smb.scan]]
 name = 'enum4linux'
@@ -325,9 +379,9 @@ service-names = [
 [[smb.manual]]
 description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
 commands = [
- 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
- 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
- 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
+ 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
+ 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
+ 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
 ]
 [smtp]
@@ -416,7 +470,7 @@ service-names = [
 [[telnet.scan]]
 name = 'nmap-telnet'
- command = 'nmap {nmap_extra} -sV -p {port} --script=telnet-encryption,telnet-ntlm-info -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}'
 [tftp]
@@ -426,7 +480,7 @@ service-names = [
 [[tftp.scan]]
 name = 'nmap-tftp'
- command = 'nmap {nmap_extra} -sV -p {port} --script=tftp-enum -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}'
 [vnc]
@@ -436,4 +490,4 @@ service-names = [
 [[vnc.scan]]
 name = 'nmap-vnc'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'
+ command = 'nmap {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'
diff --git a/patterns.toml b/patterns.toml
deleted file mode 100644
index fc20acb..0000000
--- a/patterns.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[[pattern]]
-description = 'Nmap script found a potential vulnerability. ({match})'
-pattern = 'State: (?:(?:LIKELY\_?)?VULNERABLE)'