service-scans.toml now uses an improved format for configuring scans.

Updated README.md to reflect changes in the tool.
Tib3rius 2019-03-26 13:46:25 -04:00
parent ead957b8c2
commit c8ba082901
3 changed files with 321 additions and 311 deletions


@ -45,7 +45,8 @@ AutoRecon uses Python 3 specific functionality and does not support Python 2.
``` ```
usage: autorecon.py [-h] [-ct <number>] [-cs <number>] [--profile PROFILE] usage: autorecon.py [-h] [-ct <number>] [-cs <number>] [--profile PROFILE]
[-v] [-o OUTPUT] [--disable-sanity-checks] [-o OUTPUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [-v]
[--disable-sanity-checks]
targets [targets ...] targets [targets ...]
Network reconnaissance tool to port scan and automatically enumerate services Network reconnaissance tool to port scan and automatically enumerate services
@ -65,10 +66,14 @@ optional arguments:
The maximum number of scans to perform per target The maximum number of scans to perform per target
host. Default: 10 host. Default: 10
--profile PROFILE The port scanning profile to use (defined in port- --profile PROFILE The port scanning profile to use (defined in port-
scan-profiles.toml). scan-profiles.toml). Default: default
-v, --verbose enable verbose output, repeat for more verbosity
-o OUTPUT, --output OUTPUT -o OUTPUT, --output OUTPUT
output directory for the results The output directory for results. Default: results
--nmap NMAP Override the {nmap_extra} variable in scans. Default:
-vv --reason -Pn
--nmap-append NMAP_APPEND
Append to the default {nmap_extra} variable in scans.
-v, --verbose Enable verbose output. Repeat for more verbosity.
--disable-sanity-checks --disable-sanity-checks
Disable sanity checks that would otherwise prevent the Disable sanity checks that would otherwise prevent the
scans from running. scans from running.
@ -232,7 +237,13 @@ Here is an example profile called "quick":
[quick.nmap-quick] [quick.nmap-quick]
[quick.nmap-quick.service-detection] [quick.nmap-quick.service-detection]
command = 'nmap -vv --reason -Pn -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/_quick_tcp_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
[quick.nmap-top-20-udp]
[quick.nmap-top-20-udp.service-detection]
command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
``` ```
@ -240,6 +251,8 @@ Note that indentation is optional, it is used here purely for aesthetics. The "q
A regex pattern is defined which matches three named groups (port, protocol, and service) in the output. Every service-detection command must have a corresponding pattern that matches all three of those groups. AutoRecon will attempt to do some checks and refuse to scan if any of these groups are missing. A regex pattern is defined which matches three named groups (port, protocol, and service) in the output. Every service-detection command must have a corresponding pattern that matches all three of those groups. AutoRecon will attempt to do some checks and refuse to scan if any of these groups are missing.
An almost identical scan called "nmap-top-20-udp" is also defined. This scans the top 20 UDP ports.
Here is a more complicated example: Here is a more complicated example:
```toml ```toml
@ -252,7 +265,7 @@ Here is a more complicated example:
pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$' pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$'
[udp.udp-top-20.service-detection] [udp.udp-top-20.service-detection]
command = 'nmap -vv --reason -Pn -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/_top_20_udp_nmap.xml" {address}' command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$' pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
``` ```
@ -280,14 +293,11 @@ service-names = [
'^ftp\-data' '^ftp\-data'
] ]
[ftp.scans] [[ftp.scan]]
name = 'nmap-ftp'
command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'
[ftp.scans.nmap-ftp] [[ftp.manual]]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/{protocol}_{port}_ftp_nmap.xml" {address}'
[ftp.manual]
[ftp.manual.bruteforce]
description = 'Bruteforce logins:' description = 'Bruteforce logins:'
commands = [ commands = [
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
@ -299,9 +309,14 @@ Note that indentation is optional, it is used here purely for aesthetics. The se
An optional ignore-service-names array can also be defined, if you want to blacklist certain regex strings from matching. An optional ignore-service-names array can also be defined, if you want to blacklist certain regex strings from matching.
The ftp.scans section defines a single scan, named nmap-ftp. This scan defines a command which runs nmap with several ftp-related scripts. Several references are used here: {nmap_extra} will be blank unless the port is UDP, at which point it will be set to -sU, {port} is the port that the service is running on, {scandir} is the location of the scans directory for the target, {protocol} is the protocol being used (either tcp or udp), and {address} is the address of the target. The ftp.scan section defines a single scan, named nmap-ftp. This scan defines a command which runs nmap with several ftp-related scripts. Several references are used here:
* {nmap_extra} by default is set to "-vv --reason -Pn" but this can be overridden or appended to using the --nmap or --nmap-append command line options respectively. If the protocol is UDP, "-sU" will also be appended.
* {port} is the port that the service is running on.
* {scandir} is the location of the scans directory for the target.
* {protocol} is the protocol being used (either tcp or udp).
* {address} is the address of the target.
The ftp.manual section defines a group of manual commands called "bruteforce". This group contains a description for the user, and a commands array which contains the commands that a user can run. Two new references are defined here: {username_wordlist} and {password_wordlist} which are configured at the very top of the service-scans.toml file, and default to a username and password wordlist provided by SecLists. The ftp.manual section defines a group of manual commands. This group contains a description for the user, and a commands array which contains the commands that a user can run. Two new references are defined here: {username_wordlist} and {password_wordlist} which are configured at the very top of the service-scans.toml file, and default to a username and password wordlist provided by SecLists.
Here is a more complicated configuration: Here is a more complicated configuration:
@ -314,26 +329,36 @@ service-names = [
'^netbios' '^netbios'
] ]
[smb.scans] [[smb.scan]]
name = 'nmap-smb'
command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
[smb.scans.nmap-smb] [[smb.scan]]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/{protocol}_{port}_smb_nmap.xml" {address}' name = 'enum4linux'
command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
[smb.scans.enum4linux]
command = 'enum4linux -a -M -l -d {address} | tee "{scandir}/enum4linux.txt"'
run_once = true run_once = true
ports.tcp = [139, 389, 445] ports.tcp = [139, 389, 445]
ports.udp = [137] ports.udp = [137]
[smb.scans.nbtscan] [[smb.scan]]
command = 'nbtscan -rvh {address} | tee "{scandir}/nbtscan.txt"' name = 'nbtscan'
command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
run_once = true run_once = true
ports.udp = [137] ports.udp = [137]
[smb.scans.smbclient] [[smb.scan]]
command = 'smbclient -L\\ -N -I {address} | tee "{scandir}/smbclient.txt"' name = 'smbclient'
command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
run_once = true run_once = true
ports.tcp = [139, 445] ports.tcp = [139, 445]
[[smb.manual]]
description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
commands = [
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
]
``` ```
The main difference here is that several scans have some new settings: The main difference here is that several scans have some new settings:


@ -356,41 +356,43 @@ async def scan_services(loop, semaphore, target):
heading = False heading = False
with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file:
for manual in service_scans_config[service_scan]['manual']: for manual in service_scans_config[service_scan]['manual']:
if 'description' in service_scans_config[service_scan]['manual'][manual]: if 'description' in manual:
if not heading: if not heading:
file.writelines(e('[*] {service} on {protocol}/{port}\n\n')) file.writelines(e('[*] {service} on {protocol}/{port}\n\n'))
heading = True heading = True
description = service_scans_config[service_scan]['manual'][manual]['description'] description = manual['description']
file.writelines(e('\t[-] {description}\n\n')) file.writelines(e('\t[-] {description}\n\n'))
if 'commands' in service_scans_config[service_scan]['manual'][manual]: if 'commands' in manual:
if not heading: if not heading:
file.writelines(e('[*] {service} on {protocol}/{port}\n\n')) file.writelines(e('[*] {service} on {protocol}/{port}\n\n'))
heading = True heading = True
for manual_command in service_scans_config[service_scan]['manual'][manual]['commands']: for manual_command in manual['commands']:
manual_command = e(manual_command) manual_command = e(manual_command)
file.writelines('\t\t' + e('{manual_command}\n\n')) file.writelines('\t\t' + e('{manual_command}\n\n'))
if heading: if heading:
file.writelines('\n') file.writelines('\n')
if 'scans' in service_scans_config[service_scan]: if 'scan' in service_scans_config[service_scan]:
for scan in service_scans_config[service_scan]['scans']: for scan in service_scans_config[service_scan]['scan']:
if 'command' in service_scans_config[service_scan]['scans'][scan]: if 'name' in scan:
tag = e('{protocol}/{port}/{scan}') name = scan['name']
command = service_scans_config[service_scan]['scans'][scan]['command'] if 'command' in scan:
tag = e('{protocol}/{port}/{name}')
command = scan['command']
if 'ports' in service_scans_config[service_scan]['scans'][scan]: if 'ports' in scan:
port_match = False port_match = False
if protocol == 'tcp': if protocol == 'tcp':
if 'tcp' in service_scans_config[service_scan]['scans'][scan]['ports']: if 'tcp' in scan['ports']:
for tcp_port in service_scans_config[service_scan]['scans'][scan]['ports']['tcp']: for tcp_port in scan['ports']['tcp']:
if port == tcp_port: if port == tcp_port:
port_match = True port_match = True
break break
elif protocol == 'udp': elif protocol == 'udp':
if 'udp' in service_scans_config[service_scan]['scans'][scan]['ports']: if 'udp' in scan['ports']:
for udp_port in service_scans_config[service_scan]['scans'][scan]['ports']['udp']: for udp_port in scan['ports']['udp']:
if port == udp_port: if port == udp_port:
port_match = True port_match = True
break break
@ -399,15 +401,15 @@ async def scan_services(loop, semaphore, target):
warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + Style.NORMAL + '] Scan cannot be run against {protocol} port {port}. Skipping.' + Fore.RESET) warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + Style.NORMAL + '] Scan cannot be run against {protocol} port {port}. Skipping.' + Fore.RESET)
continue continue
if 'run_once' in service_scans_config[service_scan]['scans'][scan] and service_scans_config[service_scan]['scans'][scan]['run_once'] == True: if 'run_once' in scan and scan['run_once'] == True:
scan_tuple = (scan,) scan_tuple = (name,)
if scan_tuple in target.scans: if scan_tuple in target.scans:
warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan should only be run once and it appears to have already been queued. Skipping.' + Fore.RESET) warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan should only be run once and it appears to have already been queued. Skipping.' + Fore.RESET)
continue continue
else: else:
target.scans.append(scan_tuple) target.scans.append(scan_tuple)
else: else:
scan_tuple = (protocol, port, service, scan) scan_tuple = (protocol, port, service, name)
if scan_tuple in target.scans: if scan_tuple in target.scans:
warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan appears to have already been queued, but it is not marked as run_once in service-scans.toml. Possible duplicate tag? Skipping.' + Fore.RESET) warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan appears to have already been queued, but it is not marked as run_once in service-scans.toml. Possible duplicate tag? Skipping.' + Fore.RESET)
continue continue
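Review bot: In the first hunk `name` is only assigned under `if 'name' in scan:`, so a `[[*.scan]]` entry that lacks a `name` key either raises NameError on the first iteration or silently reuses the previous entry's name in `tag` and in the dedup tuples, which can make a legitimate scan be skipped as a "duplicate". I would make the missing key an explicit skip before anything reads `name`: `if 'name' not in scan: warn(Fore.YELLOW + '[' + Style.BRIGHT + e('{protocol}/{port}') + Style.NORMAL + '] Scan has no name in service-scans.toml. Skipping.' + Fore.RESET); continue`, then `name = scan['name']` unconditionally. The `(name,)` and `(protocol, port, service, name)` tuples in the second hunk rely on the same variable. A related point is that the lookup key changed from `'scans'` to `'scan'`, so an unmigrated service-scans.toml is silently ignored rather than flagged; a warning when a service entry still carries a `scans` key would save users a confusing empty run. scan_services begins before the first hunk and continues past the second.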


@ -8,9 +8,8 @@ service-names = [
'^apani1' '^apani1'
] ]
[cassandra.scans] [[cassandra.scan]]
name = 'nmap-cassandra'
[cassandra.scans.nmap-cassandra]
command = 'nmap {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}'
[cups] [cups]
@ -19,9 +18,8 @@ service-names = [
'^ipp' '^ipp'
] ]
[cups.scans] [[cups.scan]]
name = 'nmap-cups'
[cups.scans.nmap-cups]
command = 'nmap {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}'
[dns] [dns]
@ -30,9 +28,8 @@ service-names = [
'^domain', '^domain',
] ]
[dns.scans] [[dns.scan]]
name = 'nmap-dns'
[dns.scans.nmap-dns]
command = 'nmap {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}'
[ftp] [ftp]
@ -42,14 +39,11 @@ service-names = [
'^ftp\-data' '^ftp\-data'
] ]
[ftp.scans] [[ftp.scan]]
name = 'nmap-ftp'
[ftp.scans.nmap-ftp]
command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'
[ftp.manual] [[ftp.manual]]
[ftp.manual.bruteforce]
description = 'Bruteforce logins:' description = 'Bruteforce logins:'
commands = [ commands = [
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
@ -66,26 +60,27 @@ ignore-service-names = [
'^nacn_http$' '^nacn_http$'
] ]
[http.scans] [[http.scan]]
name = 'nmap-http'
[http.scans.nmap-http]
command = 'nmap {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}'
[http.scans.curl-index] [[http.scan]]
name = 'curl-index'
command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_index.html"' command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_index.html"'
[http.scans.curl-robots] [[http.scan]]
name = 'curl-robots'
command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_robots.txt"' command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_robots.txt"'
[http.scans.whatweb] [[http.scan]]
name = 'whatweb'
command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"' command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
[http.scans.nikto] [[http.scan]]
name = 'nikto'
command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"' command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
[http.manual] [[http.manual]]
[http.manual.dirsearch]
description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
commands = [ commands = [
'dirsearch -u {scheme}://{address}:{port}/ --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt" -t 16 -r -e html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt', 'dirsearch -u {scheme}://{address}:{port}/ --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt" -t 16 -r -e html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt',
@ -93,7 +88,7 @@ ignore-service-names = [
'dirsearch -u {scheme}://{address}:{port}/ --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt" -t 16 -r -e html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt' 'dirsearch -u {scheme}://{address}:{port}/ --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt" -t 16 -r -e html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
] ]
[http.manual.dirb] [[http.manual]]
description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):' description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):'
commands = [ commands = [
'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt', 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt',
@ -101,7 +96,7 @@ ignore-service-names = [
'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt' 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
] ]
[http.manual.gobuster] [[http.manual]]
description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above):' description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
commands = [ commands = [
'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt" -w /usr/share/seclists/Discovery/Web-Content/big.txt -s "200,204,301,302,307,403,500" -e', 'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt" -w /usr/share/seclists/Discovery/Web-Content/big.txt -s "200,204,301,302,307,403,500" -e',
@ -109,13 +104,13 @@ ignore-service-names = [
'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s "200,204,301,302,307,403,500" -e' 'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s "200,204,301,302,307,403,500" -e'
] ]
[http.manual.wpscan] [[http.manual]]
description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):' description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):'
commands = [ commands = [
'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"' 'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"'
] ]
[http.manual.bruteforce] [[http.manual]]
description = "Credential bruteforcing commands (don't run these without modifying them):" description = "Credential bruteforcing commands (don't run these without modifying them):"
commands = [ commands = [
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area', 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
@ -130,9 +125,8 @@ service-names = [
'^imap' '^imap'
] ]
[imap.scans] [[imap.scan]]
name = 'nmap-imap'
[imap.scans.nmap-imap]
command = 'nmap {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}'
[kerberos] [kerberos]
@ -141,9 +135,8 @@ service-names = [
'^kerberos' '^kerberos'
] ]
[kerberos.scans] [[kerberos.scan]]
name = 'nmap-kerberos'
[kerberos.scans.nmap-kerberos]
command = 'nmap {nmap_extra} -sV -p {port} --script=krb5-enum-users -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script=krb5-enum-users -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}'
[ldap] [ldap]
@ -152,12 +145,12 @@ service-names = [
'^ldap' '^ldap'
] ]
[ldap.scans] [[ldap.scan]]
name = 'nmap-ldap'
[ldap.scans.nmap-ldap]
command = 'nmap {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}'
[ldap.scans.enum4linux] [[ldap.scan]]
name = 'enum4linux'
command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
run_once = true run_once = true
ports.tcp = [139, 389, 445] ports.tcp = [139, 389, 445]
@ -169,9 +162,8 @@ service-names = [
'^mongod' '^mongod'
] ]
[mongodb.scans] [[mongodb.scan]]
name = 'nmap-mongodb'
[mongodb.scans.nmap-mongodb]
command = 'nmap {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}'
[mssql] [mssql]
@ -181,14 +173,11 @@ service-names = [
'^ms\-sql' '^ms\-sql'
] ]
[mssql.scans] [[mssql.scan]]
name = 'nmap-mssql'
[mssql.scans.nmap-mssql]
command = 'nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=mssql.instance-port={port},mssql.username=sa,mssql.password=sa -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=mssql.instance-port={port},mssql.username=sa,mssql.password=sa -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}'
[mssql.manual] [[mssql.manual]]
[mssql.manual.sqsh]
description = '(sqsh) interactive database shell' description = '(sqsh) interactive database shell'
commands = [ commands = [
'sqsh -U <username> -P <password> -S {address}:{port}' 'sqsh -U <username> -P <password> -S {address}:{port}'
@ -200,9 +189,8 @@ service-names = [
'^mysql' '^mysql'
] ]
[mysql.scans] [[mysql.scan]]
name = 'nmap-mysql'
[mysql.scans.nmap-mysql]
command = 'nmap {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}'
[nfs] [nfs]
@ -212,9 +200,8 @@ service-names = [
'^rpcbind' '^rpcbind'
] ]
[nfs.scans] [[nfs.scan]]
name = 'nmap-nfs'
[nfs.scans.nmap-nfs]
command = 'nmap {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}'
[oracle] [oracle]
@ -223,9 +210,8 @@ service-names = [
'^oracle' '^oracle'
] ]
[oracle.scans] [[oracle.scan]]
name = 'nmap-oracle'
[oracle.scans.nmap-oracle]
command = 'nmap {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}'
[pop3] [pop3]
@ -234,9 +220,8 @@ service-names = [
'^pop3' '^pop3'
] ]
[pop3.scans] [[pop3.scan]]
name = 'nmap-pop3'
[pop3.scans.nmap-pop3]
command = 'nmap {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}'
[rdp] [rdp]
@ -247,19 +232,17 @@ service-names = [
'^ms\-term\-serv' '^ms\-term\-serv'
] ]
[rdp.scans] [[rdp.scan]]
name = 'nmap-rdp'
[rdp.scans.nmap-rdp]
command = 'nmap {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}'
[rdp.manual] [[rdp.manual]]
[rdp.manual.bruteforce]
description = 'Bruteforce logins:' description = 'Bruteforce logins:'
commands = [ commands = [
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
] ]
[rmi] [rmi]
service-names = [ service-names = [
@ -267,9 +250,8 @@ service-names = [
'^rmiregistry' '^rmiregistry'
] ]
[rmi.scans] [[rmi.scan]]
name = 'nmap-rmi'
[rmi.scans.nmap-rmi]
command = 'nmap {nmap_extra} -sV -p {port} --script=rmi-vuln-classloader,rmi-dumpregistry -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script=rmi-vuln-classloader,rmi-dumpregistry -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}'
[rpc] [rpc]
@ -280,9 +262,8 @@ service-names = [
'^erpc' '^erpc'
] ]
[msrpc.scans] [[msrpc.scan]]
name = 'nmap-msrpc'
[msrpc.scans.nmap-msrpc]
command = 'nmap {nmap_extra} -sV -p {port} --script=msrpc-enum,rpc-grind,rpcinfo -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script=msrpc-enum,rpc-grind,rpcinfo -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}'
[ssh] [ssh]
@ -291,14 +272,11 @@ service-names = [
'^ssh' '^ssh'
] ]
[ssh.scans] [[ssh.scan]]
name = 'nmap-ssh'
[ssh.scans.nmap-ssh]
command = 'nmap {nmap_extra} -sV -p {port} --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}'
[ssh.manual] [[ssh.manual]]
[ssh.manual.bruteforce]
description = 'Bruteforce logins:' description = 'Bruteforce logins:'
commands = [ commands = [
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
@ -312,30 +290,30 @@ service-names = [
'^netbios' '^netbios'
] ]
[smb.scans] [[smb.scan]]
name = 'nmap-smb'
[smb.scans.nmap-smb]
command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
[smb.scans.enum4linux] [[smb.scan]]
name = 'enum4linux'
command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
run_once = true run_once = true
ports.tcp = [139, 389, 445] ports.tcp = [139, 389, 445]
ports.udp = [137] ports.udp = [137]
[smb.scans.nbtscan] [[smb.scan]]
name = 'nbtscan'
command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"' command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
run_once = true run_once = true
ports.udp = [137] ports.udp = [137]
[smb.scans.smbclient] [[smb.scan]]
name = 'smbclient'
command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"' command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
run_once = true run_once = true
ports.tcp = [139, 445] ports.tcp = [139, 445]
[smb.manual] [[smb.manual]]
[smb.manual.smb-vulns]
description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:' description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
commands = [ commands = [
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
@ -349,12 +327,12 @@ service-names = [
'^smtp' '^smtp'
] ]
[smtp.scans] [[smtp.scan]]
name = 'nmap-smtp'
[smtp.scans.nmap-smtp]
command = 'nmap {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}'
[smtp.scans.smtp-user-enum] [[smtp.scan]]
name = 'smtp-user-enum'
command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"' command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"'
[snmp] [snmp]
@ -363,52 +341,60 @@ service-names = [
'^snmp' '^snmp'
] ]
[snmp.scans] [[snmp.scan]]
name = 'nmap-snmp'
[snmp.scans.nmap-snmp]
command = 'nmap {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}'
[snmp.scans.onesixtyone] [[snmp.scan]]
name = 'onesixtyone'
command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -dd -o "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt" {address}' command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -dd -o "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt" {address}'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk] [[snmp.scan]]
name = 'snmpwalk'
command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"' command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk-system-processes] [[snmp.scan]]
name = 'snmpwalk-system-processes'
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"' command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk-running-processes] [[snmp.scan]]
name = 'snmpwalk-running-processes'
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"' command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk-process-paths] [[snmp.scan]]
name = 'snmpwalk-process-paths'
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"' command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk-storage-units] [[snmp.scan]]
name = 'snmpwalk-storage-units'
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"' command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk-software-names] [[snmp.scan]]
name = 'snmpwalk-software-names'
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"' command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk-user-accounts] [[snmp.scan]]
name = 'snmpwalk-user-accounts'
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"' command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
[snmp.scans.snmpwalk-tcp-ports] [[snmp.scan]]
name = 'snmpwalk-tcp-ports'
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"' command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
run_once = true run_once = true
ports.udp = [161] ports.udp = [161]
@ -419,9 +405,8 @@ service-names = [
'^telnet' '^telnet'
] ]
[telnet.scans] [[telnet.scan]]
name = 'nmap-telnet'
[telnet.scans.nmap-telnet]
command = 'nmap {nmap_extra} -sV -p {port} --script=telnet-encryption,telnet-ntlm-info -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script=telnet-encryption,telnet-ntlm-info -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}'
[tftp] [tftp]
@ -430,9 +415,8 @@ service-names = [
'^tftp' '^tftp'
] ]
[tftp.scans] [[tftp.scan]]
name = 'nmap-tftp'
[tftp.scans.nmap-tftp]
command = 'nmap {nmap_extra} -sV -p {port} --script=tftp-enum -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script=tftp-enum -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}'
[vnc] [vnc]
@ -441,7 +425,6 @@ service-names = [
'^vnc' '^vnc'
] ]
[vnc.scans] [[vnc.scan]]
name = 'nmap-vnc'
[vnc.scans.nmap-vnc]
command = 'nmap {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'