RomanNum3ral
/
AutoRecon
mirror of https://github.com/Tib3rius/AutoRecon.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Reformatting & API Function Name Updates 

Switched spaces to tabs throughout for consistency.
Changed add_port_match() to match_port()
Changed add_service_match() to match_service_name()
Removed un-used variables.
This commit is contained in:
Tib3rius 2021-08-02 19:13:09 -04:00
parent 6ce5654d06
commit c92e594f77
19 changed files with 1835 additions and 1837 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

184
LICENSE
View File

@ -1,11 +1,11 @@
GNU GENERAL PUBLIC LICENSE GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007 Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed. of this license document, but changing it is not allowed.
Preamble Preamble
The GNU General Public License is a free, copyleft license for The GNU General Public License is a free, copyleft license for
software and other kinds of works. software and other kinds of works.
@ -68,7 +68,7 @@ patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and The precise terms and conditions for copying, distribution and
modification follow. modification follow.
TERMS AND CONDITIONS TERMS AND CONDITIONS
0. Definitions. 0. Definitions.
@ -211,26 +211,26 @@ and you may offer support or warranty protection for a fee.
produce it from the Program, in the form of source code under the produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions: terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified a) The work must carry prominent notices stating that you modified
it, and giving a relevant date. it, and giving a relevant date.
b) The work must carry prominent notices stating that it is b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to 7. This requirement modifies the requirement in section 4 to
"keep intact all notices". "keep intact all notices".
c) You must license the entire work, as a whole, under this c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7 License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts, additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it. invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your interfaces that do not display Appropriate Legal Notices, your
work need not make them do so. work need not make them do so.
A compilation of a covered work with other separate and independent A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work, works, which are not by their nature extensions of the covered work,
@ -249,46 +249,46 @@ of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License, machine-readable Corresponding Source under the terms of this License,
in one of these ways: in one of these ways:
a) Convey the object code in, or embodied in, a physical product a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the (including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium Corresponding Source fixed on a durable physical medium
customarily used for software interchange. customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a (including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge. Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord only if you received the object code with such an offer, in accord
with subsection 6b. with subsection 6b.
d) Convey the object code by offering access from a designated d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party) may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements. available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no Source of the work are being offered to the general public at no
charge under subsection 6d. charge under subsection 6d.
A separable portion of the object code, whose source code is excluded A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be from the Corresponding Source as a System Library, need not be
@ -362,28 +362,28 @@ for which you have or can give appropriate copyright permission.
add to a covered work, you may (if authorized by the copyright holders of add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms: that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or authors of the material; or
e) Declining to grant rights under trademark law for use of some e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on any liability that these contractual assumptions directly impose on
those licensors and authors. those licensors and authors.
All other non-permissive additional terms are considered "further All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you restrictions" within the meaning of section 10. If the Program as you
@ -618,9 +618,9 @@ an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee. copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it possible use to the public, the best way to achieve this is to make it
@ -631,31 +631,31 @@ to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found. the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.> <one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author> Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail. Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode: notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author> <program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details. under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands parts of the General Public License. Of course, your program's commands

6
README.md
View File

@ -129,9 +129,9 @@ By default, results will be stored in the ./results directory. A new sub directo
│   ├── proof.txt │   ├── proof.txt
│   └── screenshots/ │   └── screenshots/
└── scans/ └── scans/
├── _commands.log ├── _commands.log
├── _manual_commands.txt ├── _manual_commands.txt
└── xml/ └── xml/
``` ```
The exploit directory is intended to contain any exploit code you download / write for the target. The exploit directory is intended to contain any exploit code you download / write for the target.

2302
autorecon.py
View File

File diff suppressed because it is too large Load Diff

156
plugins/databases.py
View File

@ -2,121 +2,121 @@ from autorecon import ServiceScan
class NmapMongoDB(ServiceScan): class NmapMongoDB(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap MongoDB" self.name = "Nmap MongoDB"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match('^mongod') self.match_service_name('^mongod')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}')
class NmapMSSQL(ServiceScan): class NmapMSSQL(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap MSSQL" self.name = "Nmap MSSQL"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match(['^mssql', '^ms\-sql']) self.match_service_name(['^mssql', '^ms\-sql'])
def manual(self): def manual(self):
self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}') self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}')
class NmapMYSQL(ServiceScan): class NmapMYSQL(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap MYSQL" self.name = "Nmap MYSQL"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match('^mysql') self.match_service_name('^mysql')
def manual(self): def manual(self):
self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}') self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U <username> -P <password> -S {address}:{port}')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}')
class NmapOracle(ServiceScan): class NmapOracle(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap Oracle" self.name = "Nmap Oracle"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match('^oracle') self.match_service_name('^oracle')
def manual(self): def manual(self):
self.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}') self.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}')
class OracleTNScmd(ServiceScan): class OracleTNScmd(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Oracle TNScmd" self.name = "Oracle TNScmd"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match('^oracle') self.match_service_name('^oracle')
async def run(self, service): async def run(self, service):
await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt') await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt')
await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt') await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt')
class OracleScanner(ServiceScan): class OracleScanner(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Oracle Scanner" self.name = "Oracle Scanner"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match('^oracle') self.match_service_name('^oracle')
async def run(self, service): async def run(self, service):
await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt') await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt')
class OracleODAT(ServiceScan): class OracleODAT(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Oracle ODAT" self.name = "Oracle ODAT"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match('^oracle') self.match_service_name('^oracle')
def manual(self): def manual(self):
self.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [ self.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [
'python odat.py tnscmd -s {address} -p {port} --ping', 'python odat.py tnscmd -s {address} -p {port} --ping',
'python odat.py tnscmd -s {address} -p {port} --version', 'python odat.py tnscmd -s {address} -p {port} --version',
'python odat.py tnscmd -s {address} -p {port} --status', 'python odat.py tnscmd -s {address} -p {port} --status',
'python odat.py sidguesser -s {address} -p {port}', 'python odat.py sidguesser -s {address} -p {port}',
'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt', 'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module' 'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module'
]) ])
class OraclePatator(ServiceScan): class OraclePatator(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Oracle Patator" self.name = "Oracle Patator"
self.tags = ['default', 'databases'] self.tags = ['default', 'databases']
def configure(self): def configure(self):
self.add_service_match('^oracle') self.match_service_name('^oracle')
def manual(self): def manual(self):
self.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000') self.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000')

64
plugins/default-port-scan.py
View File

@ -3,44 +3,44 @@ import os
class QuickTCPPortScan(PortScan): class QuickTCPPortScan(PortScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Top TCP Ports" self.name = "Top TCP Ports"
self.tags = ["default", "default-port-scan"] self.tags = ["default", "default-port-scan"]
self.priority = 0 self.priority = 0
async def run(self, target): async def run(self, target):
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False) process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False)
services = await target.extract_services(stdout) services = await target.extract_services(stdout)
await process.wait() await process.wait()
return services return services
class AllTCPPortScan(PortScan): class AllTCPPortScan(PortScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "All TCP Ports" self.name = "All TCP Ports"
self.tags = ["default", "default-port-scan", "long"] self.tags = ["default", "default-port-scan", "long"]
async def run(self, target): async def run(self, target):
process, stdout, stderr = await target.execute('nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False) process, stdout, stderr = await target.execute('nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False)
services = await target.extract_services(stdout) services = await target.extract_services(stdout)
await process.wait() await process.wait()
return services return services
class Top20UDPPortScan(PortScan): class Top20UDPPortScan(PortScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Top 100 UDP Ports" self.name = "Top 100 UDP Ports"
self.tags = ["default", "default-port-scan"] self.tags = ["default", "default-port-scan"]
async def run(self, target): async def run(self, target):
# Only run UDP scan if user is root. # Only run UDP scan if user is root.
if os.getuid() == 0: if os.getuid() == 0:
process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --version-all --top-ports 100 -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}', blocking=False) process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --version-all --top-ports 100 -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}', blocking=False)
services = await target.extract_services(stdout) services = await target.extract_services(stdout)
await process.wait() await process.wait()
return services return services
else: else:
error('UDP scan requires AutoRecon be run with root privileges.') error('UDP scan requires AutoRecon be run with root privileges.')

16
plugins/dns.py
View File

@ -2,13 +2,13 @@ from autorecon import ServiceScan
class DNS(ServiceScan): class DNS(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "DNS" self.name = "DNS"
self.tags = ['default', 'dns'] self.tags = ['default', 'dns']
def configure(self): def configure(self):
self.add_service_match('^domain') self.match_service_name('^domain')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}')

38
plugins/ftp.py
View File

@ -2,29 +2,29 @@ from autorecon import ServiceScan
class NmapFTP(ServiceScan): class NmapFTP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'Nmap FTP' self.name = 'Nmap FTP'
self.tags = ['default', 'ftp'] self.tags = ['default', 'ftp']
def configure(self): def configure(self):
self.add_service_match(['^ftp', '^ftp\-data']) self.match_service_name(['^ftp', '^ftp\-data'])
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}')
class BruteforceFTP(ServiceScan): class BruteforceFTP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Bruteforce FTP" self.name = "Bruteforce FTP"
self.tags = ['default', 'ftp'] self.tags = ['default', 'ftp']
def configure(self): def configure(self):
self.add_service_match(['^ftp', '^ftp\-data']) self.match_service_name(['^ftp', '^ftp\-data'])
def manual(self): def manual(self):
self.add_manual_commands('Bruteforce logins:', [ self.add_manual_commands('Bruteforce logins:', [
'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
]) ])

266
plugins/http.py
View File

@ -4,183 +4,183 @@ import os
class NmapHTTP(ServiceScan): class NmapHTTP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap HTTP" self.name = "Nmap HTTP"
self.tags = ['default', 'http'] self.tags = ['default', 'http']
def configure(self): def configure(self):
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match}') self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match}')
self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled') self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}')
class BruteforceHTTP(ServiceScan): class BruteforceHTTP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Bruteforce HTTP" self.name = "Bruteforce HTTP"
self.tags = ['default', 'http'] self.tags = ['default', 'http']
def configure(self): def configure(self):
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
def manual(self): def manual(self):
self.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [ self.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [
'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{address}/path/to/auth/area', 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{address}/path/to/auth/area',
'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"' 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"'
]) ])
class Curl(ServiceScan): class Curl(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Curl" self.name = "Curl"
self.tags = ['default', 'http'] self.tags = ['default', 'http']
def configure(self): def configure(self):
self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s") self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s")
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
self.add_pattern('(?i)Powered by [^\n]+') self.add_pattern('(?i)Powered by [^\n]+')
async def run(self, service): async def run(self, service):
if service.protocol == 'tcp': if service.protocol == 'tcp':
await service.execute('curl -sSik {http_scheme}://{address}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html') await service.execute('curl -sSik {http_scheme}://{address}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html')
class CurlRobots(ServiceScan): class CurlRobots(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Curl Robots" self.name = "Curl Robots"
self.tags = ['default', 'http'] self.tags = ['default', 'http']
def configure(self): def configure(self):
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service): async def run(self, service):
if service.protocol == 'tcp': if service.protocol == 'tcp':
await service.execute('curl -sSik {http_scheme}://{address}:{port}/robots.txt', outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt') await service.execute('curl -sSik {http_scheme}://{address}:{port}/robots.txt', outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt')
class DirBuster(ServiceScan): class DirBuster(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "DirBuster" self.name = "DirBuster"
self.slug = 'dirbuster' self.slug = 'dirbuster'
self.priority = 0 self.priority = 0
self.tags = ['default', 'http', 'long'] self.tags = ['default', 'http', 'long']
def configure(self): def configure(self):
self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s') self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s')
self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt'], help='The wordlist to use when directory busting. Specify the option multiple times to use multiple wordlists. Default: %(default)s') self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt'], help='The wordlist to use when directory busting. Specify the option multiple times to use multiple wordlists. Default: %(default)s')
self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s') self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s')
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
def manual(self): def manual(self):
self.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ self.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt', 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt',
'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt' 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt'
]) ])
self.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ self.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"',
'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"'
]) ])
self.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ self.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [
'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"', 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"',
'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"' 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"'
]) ])
self.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [ self.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [
'dirb {http_scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"', 'dirb {http_scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"',
'dirb {http_scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"' 'dirb {http_scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"'
]) ])
self.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ self.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [
'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"',
'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"'
]) ])
async def run(self, service): async def run(self, service):
for wordlist in self.get_option('wordlist'): for wordlist in self.get_option('wordlist'):
name = os.path.splitext(os.path.basename(wordlist))[0] name = os.path.splitext(os.path.basename(wordlist))[0]
if self.get_option('tool') == 'feroxbuster': if self.get_option('tool') == 'feroxbuster':
await service.execute('feroxbuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"') await service.execute('feroxbuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"')
elif self.get_option('tool') == 'gobuster': elif self.get_option('tool') == 'gobuster':
await service.execute('gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"') await service.execute('gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"')
elif self.get_option('tool') == 'dirsearch': elif self.get_option('tool') == 'dirsearch':
await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w ' + wordlist + ' --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"') await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w ' + wordlist + ' --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"')
elif self.get_option('tool') == 'ffuf': elif self.get_option('tool') == 'ffuf':
await service.execute('ffuf -u {http_scheme}://{address}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt') await service.execute('ffuf -u {http_scheme}://{address}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt')
elif self.get_option('tool') == 'dirb': elif self.get_option('tool') == 'dirb':
await service.execute('dirb {http_scheme}://{address}:{port}/ ' + wordlist + ' -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"') await service.execute('dirb {http_scheme}://{address}:{port}/ ' + wordlist + ' -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"')
class Nikto(ServiceScan): class Nikto(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'nikto' self.name = 'nikto'
self.tags = ['default', 'http', 'long'] self.tags = ['default', 'http', 'long']
def configure(self): def configure(self):
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
def manual(self): def manual(self):
self.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') self.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"')
class WhatWeb(ServiceScan): class WhatWeb(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "whatweb" self.name = "whatweb"
self.tags = ['default', 'http'] self.tags = ['default', 'http']
def configure(self): def configure(self):
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service): async def run(self, service):
if service.protocol == 'tcp': if service.protocol == 'tcp':
await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt') await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt')
class WkHTMLToImage(ServiceScan): class WkHTMLToImage(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "wkhtmltoimage" self.name = "wkhtmltoimage"
self.tags = ['default', 'http'] self.tags = ['default', 'http']
def configure(self): def configure(self):
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
async def run(self, service): async def run(self, service):
if which('wkhtmltoimage') is not None and service.protocol == 'tcp': if which('wkhtmltoimage') is not None and service.protocol == 'tcp':
await service.execute('wkhtmltoimage --format png {http_scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png') await service.execute('wkhtmltoimage --format png {http_scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png')
else: else:
error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)') error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)')
class WPScan(ServiceScan): class WPScan(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'WPScan' self.name = 'WPScan'
self.tags = ['default', 'http'] self.tags = ['default', 'http']
def configure(self): def configure(self):
self.add_service_match('^http') self.match_service_name('^http')
self.add_service_match('^nacn_http$', negative_match=True) self.match_service_name('^nacn_http$', negative_match=True)
def manual(self): def manual(self):
self.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') self.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"')

16
plugins/kerberos.py
View File

@ -2,13 +2,13 @@ from autorecon import ServiceScan
class NmapKerberos(ServiceScan): class NmapKerberos(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap Kerberos" self.name = "Nmap Kerberos"
self.tags = ['default', 'kerberos', 'active-directory'] self.tags = ['default', 'kerberos', 'active-directory']
def configure(self): def configure(self):
self.add_service_match(['^kerberos', '^kpasswd']) self.match_service_name(['^kerberos', '^kpasswd'])
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}')

36
plugins/ldap.py
View File

@ -2,28 +2,28 @@ from autorecon import ServiceScan
class NmapLDAP(ServiceScan): class NmapLDAP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap LDAP" self.name = "Nmap LDAP"
self.tags = ['default', 'ldap', 'active-directory'] self.tags = ['default', 'ldap', 'active-directory']
def configure(self): def configure(self):
self.add_service_match('^ldap') self.match_service_name('^ldap')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}')
class LDAPSearch(ServiceScan): class LDAPSearch(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'LDAP Search' self.name = 'LDAP Search'
self.tags = ['default', 'ldap', 'active-directory'] self.tags = ['default', 'ldap', 'active-directory']
def configure(self): def configure(self):
self.add_service_match('^ldap') self.match_service_name('^ldap')
def manual(self): def manual(self):
self.add_manual_command('ldapsearch command (modify before running):', [ self.add_manual_command('ldapsearch command (modify before running):', [
'ldapsearch -x -D "<username>" -w "<password>"" -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"' 'ldapsearch -x -D "<username>" -w "<password>"" -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"'
]) ])

208
plugins/misc.py
View File

@ -2,169 +2,169 @@ from autorecon import ServiceScan
class NmapCassandra(ServiceScan): class NmapCassandra(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap Cassandra" self.name = "Nmap Cassandra"
self.tags = ['default', 'cassandra'] self.tags = ['default', 'cassandra']
def configure(self): def configure(self):
self.add_service_match('^apani1') self.match_service_name('^apani1')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}')
class NmapCUPS(ServiceScan): class NmapCUPS(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap CUPS" self.name = "Nmap CUPS"
self.tags = ['default', 'cups'] self.tags = ['default', 'cups']
def configure(self): def configure(self):
self.add_service_match('^ipp') self.match_service_name('^ipp')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}')
class NmapDistccd(ServiceScan): class NmapDistccd(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap distccd" self.name = "Nmap distccd"
self.tags = ['default', 'distccd'] self.tags = ['default', 'distccd']
def configure(self): def configure(self):
self.add_service_match('^distccd') self.match_service_name('^distccd')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}')
class NmapFinger(ServiceScan): class NmapFinger(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap finger" self.name = "Nmap finger"
self.tags = ['default', 'finger'] self.tags = ['default', 'finger']
def configure(self): def configure(self):
self.add_service_match('^finger') self.match_service_name('^finger')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}')
class NmapIMAP(ServiceScan): class NmapIMAP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap IMAP" self.name = "Nmap IMAP"
self.tags = ['default', 'imap', 'email'] self.tags = ['default', 'imap', 'email']
def configure(self): def configure(self):
self.add_service_match('^imap') self.match_service_name('^imap')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}')
class NmapNNTP(ServiceScan): class NmapNNTP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap NNTP" self.name = "Nmap NNTP"
self.tags = ['default', 'nntp'] self.tags = ['default', 'nntp']
def configure(self): def configure(self):
self.add_service_match('^nntp') self.match_service_name('^nntp')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}')
class NmapPOP3(ServiceScan): class NmapPOP3(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap POP3" self.name = "Nmap POP3"
self.tags = ['default', 'pop3', 'email'] self.tags = ['default', 'pop3', 'email']
def configure(self): def configure(self):
self.add_service_match('^pop3') self.match_service_name('^pop3')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}')
class NmapRMI(ServiceScan): class NmapRMI(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap RMI" self.name = "Nmap RMI"
self.tags = ['default', 'rmi'] self.tags = ['default', 'rmi']
def configure(self): def configure(self):
self.add_service_match(['^java\-rmi', '^rmiregistry']) self.match_service_name(['^java\-rmi', '^rmiregistry'])
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}')
class NmapSMTP(ServiceScan): class NmapSMTP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap SMTP" self.name = "Nmap SMTP"
self.tags = ['default', 'smtp', 'email'] self.tags = ['default', 'smtp', 'email']
def configure(self): def configure(self):
self.add_service_match('^smtp') self.match_service_name('^smtp')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}')
class SMTPUserEnum(ServiceScan): class SMTPUserEnum(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'SMTP-User-Enum' self.name = 'SMTP-User-Enum'
self.tags = ['default', 'smtp', 'email'] self.tags = ['default', 'smtp', 'email']
def configure(self): def configure(self):
self.add_service_match('^smtp') self.match_service_name('^smtp')
async def run(self, service): async def run(self, service):
await service.execute('smtp-user-enum -M VRFY -U "' + self.get_global('username_wordlist') + '" -t {address} -p {port} 2>&1', outfile='{protocol}_{port}_smtp_user-enum.txt') await service.execute('smtp-user-enum -M VRFY -U "' + self.get_global('username_wordlist') + '" -t {address} -p {port} 2>&1', outfile='{protocol}_{port}_smtp_user-enum.txt')
class NmapTelnet(ServiceScan): class NmapTelnet(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'Nmap Telnet' self.name = 'Nmap Telnet'
self.tags = ['default', 'telnet'] self.tags = ['default', 'telnet']
def configure(self): def configure(self):
self.add_service_match('^telnet') self.match_service_name('^telnet')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}')
class NmapTFTP(ServiceScan): class NmapTFTP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'Nmap TFTP' self.name = 'Nmap TFTP'
self.tags = ['default', 'tftp'] self.tags = ['default', 'tftp']
def configure(self): def configure(self):
self.add_service_match('^tftp') self.match_service_name('^tftp')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}')
class NmapVNC(ServiceScan): class NmapVNC(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = 'Nmap VNC' self.name = 'Nmap VNC'
self.tags = ['default', 'vnc'] self.tags = ['default', 'vnc']
def configure(self): def configure(self):
self.add_service_match('^vnc') self.match_service_name('^vnc')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}')

32
plugins/nfs.py
View File

@ -2,26 +2,26 @@ from autorecon import ServiceScan
class NmapNFS(ServiceScan): class NmapNFS(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap NFS" self.name = "Nmap NFS"
self.tags = ['default', 'nfs'] self.tags = ['default', 'nfs']
def configure(self): def configure(self):
self.add_service_match(['^nfs', '^rpcbind']) self.match_service_name(['^nfs', '^rpcbind'])
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}')
class Showmount(ServiceScan): class Showmount(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "showmount" self.name = "showmount"
self.tags = ['default', 'nfs'] self.tags = ['default', 'nfs']
def configure(self): def configure(self):
self.add_service_match(['^nfs', '^rpcbind']) self.match_service_name(['^nfs', '^rpcbind'])
async def run(self, service): async def run(self, service):
await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt') await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt')

38
plugins/rdp.py
View File

@ -2,29 +2,29 @@ from autorecon import ServiceScan
class NmapRDP(ServiceScan): class NmapRDP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap RDP" self.name = "Nmap RDP"
self.tags = ['default', 'rdp'] self.tags = ['default', 'rdp']
def configure(self): def configure(self):
self.add_service_match(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv'])
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}')
class BruteforceRDP(ServiceScan): class BruteforceRDP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Bruteforce RDP" self.name = "Bruteforce RDP"
self.tags = ['default', 'rdp'] self.tags = ['default', 'rdp']
def configure(self): def configure(self):
self.add_service_match(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv'])
def manual(self): def manual(self):
self.add_manual_commands('Bruteforce logins:', [ self.add_manual_commands('Bruteforce logins:', [
'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
]) ])

32
plugins/rpc.py
View File

@ -2,26 +2,26 @@ from autorecon import ServiceScan
class NmapMSRPC(ServiceScan): class NmapMSRPC(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap MSRPC" self.name = "Nmap MSRPC"
self.tags = ['default', 'rpc'] self.tags = ['default', 'rpc']
def configure(self): def configure(self):
self.add_service_match(['^msrpc', '^rpcbind', '^erpc']) self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}')
class RPCClient(ServiceScan): class RPCClient(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "rpcclient" self.name = "rpcclient"
self.tags = ['default', 'rpc'] self.tags = ['default', 'rpc']
def configure(self): def configure(self):
self.add_service_match(['^msrpc', '^rpcbind', '^erpc']) self.match_service_name(['^msrpc', '^rpcbind', '^erpc'])
def manual(self): def manual(self):
self.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}') self.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}')

32
plugins/sip.py
View File

@ -2,26 +2,26 @@ from autorecon import ServiceScan
class NmapSIP(ServiceScan): class NmapSIP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap SIP" self.name = "Nmap SIP"
self.tags = ['default', 'sip'] self.tags = ['default', 'sip']
def configure(self): def configure(self):
self.add_service_match('^asterisk') self.match_service_name('^asterisk')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}')
class SIPVicious(ServiceScan): class SIPVicious(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "SIPVicious" self.name = "SIPVicious"
self.tags = ['default', 'sip'] self.tags = ['default', 'sip']
def configure(self): def configure(self):
self.add_service_match('^asterisk') self.match_service_name('^asterisk')
def manual(self): def manual(self):
self.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') self.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}')

116
plugins/smb.py
View File

@ -2,84 +2,84 @@ from autorecon import ServiceScan
class NmapSMB(ServiceScan): class NmapSMB(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap SMB" self.name = "Nmap SMB"
self.tags = ['default', 'smb', 'active-directory'] self.tags = ['default', 'smb', 'active-directory']
def configure(self): def configure(self):
self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
def manual(self): def manual(self):
self.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [ self.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
]) ])
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}')
class Enum4Linux(ServiceScan): class Enum4Linux(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Enum4Linux" self.name = "Enum4Linux"
self.tags = ['default', 'enum4linux', 'active-directory'] self.tags = ['default', 'enum4linux', 'active-directory']
def configure(self): def configure(self):
self.add_service_match(['^ldap', '^smb', '^microsoft\-ds', '^netbios']) self.match_service_name(['^ldap', '^smb', '^microsoft\-ds', '^netbios'])
self.add_port_match('tcp', [139, 389, 445]) self.match_port('tcp', [139, 389, 445])
self.add_port_match('udp', 137) self.match_port('udp', 137)
self.run_once(True) self.run_once(True)
async def run(self, service): async def run(self, service):
await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt') await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt')
class NBTScan(ServiceScan): class NBTScan(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "nbtscan" self.name = "nbtscan"
self.tags = ['default', 'netbios', 'active-directory'] self.tags = ['default', 'netbios', 'active-directory']
def configure(self): def configure(self):
self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
self.add_port_match('udp', 137) self.match_port('udp', 137)
self.run_once(True) self.run_once(True)
async def run(self, service): async def run(self, service):
await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt') await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt')
class SMBClient(ServiceScan): class SMBClient(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "SMBClient" self.name = "SMBClient"
self.tags = ['default', 'smb', 'active-directory'] self.tags = ['default', 'smb', 'active-directory']
def configure(self): def configure(self):
self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
self.add_port_match('tcp', [139, 445]) self.match_port('tcp', [139, 445])
self.run_once(True) self.run_once(True)
async def run(self, service): async def run(self, service):
await service.execute('smbclient -L\\\\ -N -I {address} 2>&1', outfile='smbclient.txt') await service.execute('smbclient -L\\\\ -N -I {address} 2>&1', outfile='smbclient.txt')
class SMBMap(ServiceScan): class SMBMap(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "SMBMap" self.name = "SMBMap"
self.tags = ['default', 'smb', 'active-directory'] self.tags = ['default', 'smb', 'active-directory']
def configure(self): def configure(self):
self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) self.match_service_name(['^smb', '^microsoft\-ds', '^netbios'])
async def run(self, service): async def run(self, service):
await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt')
await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt')
await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')
await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt')

72
plugins/snmp.py
View File

@ -2,51 +2,51 @@ from autorecon import ServiceScan
class NmapSNMP(ServiceScan): class NmapSNMP(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap SNMP" self.name = "Nmap SNMP"
self.tags = ['default', 'snmp'] self.tags = ['default', 'snmp']
def configure(self): def configure(self):
self.add_service_match('^snmp') self.match_service_name('^snmp')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}')
class OneSixtyOne(ServiceScan): class OneSixtyOne(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "OneSixtyOne" self.name = "OneSixtyOne"
self.tags = ['default', 'snmp'] self.tags = ['default', 'snmp']
def configure(self): def configure(self):
self.add_service_match('^snmp') self.match_service_name('^snmp')
self.add_port_match('udp', 161) self.match_port('udp', 161)
self.run_once(True) self.run_once(True)
self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s') self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s')
async def run(self, service): async def run(self, service):
await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt') await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt')
class SNMPWalk(ServiceScan): class SNMPWalk(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "SNMPWalk" self.name = "SNMPWalk"
self.tags = ['default', 'snmp'] self.tags = ['default', 'snmp']
def configure(self): def configure(self):
self.add_service_match('^snmp') self.match_service_name('^snmp')
self.add_port_match('udp', 161) self.match_port('udp', 161)
self.run_once(True) self.run_once(True)
async def run(self, service): async def run(self, service):
await service.execute('snmpwalk -c public -v 1 {address} 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk.txt') await service.execute('snmpwalk -c public -v 1 {address} 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk.txt')
await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_system_processes.txt') await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_system_processes.txt')
await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1', outfile='{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt') await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1', outfile='{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt')
await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_process_paths.txt') await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_process_paths.txt')
await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_storage_units.txt') await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_storage_units.txt')
await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_software_names.txt') await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_software_names.txt')
await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_user_accounts.txt') await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_user_accounts.txt')
await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt') await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt')

38
plugins/ssh.py
View File

@ -2,29 +2,29 @@ from autorecon import ServiceScan
class NmapSSH(ServiceScan): class NmapSSH(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Nmap SSH" self.name = "Nmap SSH"
self.tags = ['default', 'ssh'] self.tags = ['default', 'ssh']
def configure(self): def configure(self):
self.add_service_match('^ssh') self.match_service_name('^ssh')
async def run(self, service): async def run(self, service):
await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}') await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}')
class BruteforceSSH(ServiceScan): class BruteforceSSH(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "Bruteforce SSH" self.name = "Bruteforce SSH"
self.tags = ['default', 'ssh'] self.tags = ['default', 'ssh']
def configure(self): def configure(self):
self.add_service_match('ssh') self.match_service_name('ssh')
def manual(self): def manual(self):
self.add_manual_command('Bruteforce logins:', [ self.add_manual_command('Bruteforce logins:', [
'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
]) ])

20
plugins/sslscan.py
View File

@ -2,15 +2,15 @@ from autorecon import ServiceScan
class SSLScan(ServiceScan): class SSLScan(ServiceScan):
def __init__(self): def __init__(self):
super().__init__() super().__init__()
self.name = "SSL Scan" self.name = "SSL Scan"
self.tags = ['default', 'ssl', 'tls'] self.tags = ['default', 'ssl', 'tls']
def configure(self): def configure(self):
self.add_service_match('.+') self.match_service_name('.+')
self.require_ssl(True) self.require_ssl(True)
async def run(self, service): async def run(self, service):
if service.protocol == 'tcp' and service.secure: if service.protocol == 'tcp' and service.secure:
await service.execute('sslscan --show-certificate --no-colour {address}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html') await service.execute('sslscan --show-certificate --no-colour {address}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html')