
AutoRecon – Multi-Threaded Network Reconnaissance Tool Which Performs Automated Enumeration Of Services

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.
The tool works by first performing port scans / service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, nikto will be launched (as well as many others).
Everything in the tool is highly configurable. The default configuration performs no automated exploitation to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the misuse of this tool.

Reconnoitre (https://github.com/codingo/Reconnoitre), ReconScan (https://github.com/RoliSoft/ReconScan), and bscan (https://github.com/welchbj/bscan). While all three tools were useful, none of the three alone had the functionality desired. AutoRecon combines the best features of the aforementioned tools while also implementing many new features to help testers with enumeration of multiple targets.

Features

  • Supports multiple targets in the form of IP addresses, IP ranges (CIDR notation), and resolvable hostnames.
  • Can scan targets concurrently, utilizing multiple processors if they are available.
  • Customizable port scanning profiles for flexibility in your initial scans.
  • Customizable service enumeration commands and suggested manual follow-up commands.
  • An intuitive directory structure for results gathering.
  • Full logging of commands that were run, along with errors if they fail.
  • Global and per-scan pattern matching so you can highlight/extract important information from the noise.

Requirements

  • Python 3
  • colorama
  • toml

Once Python 3 is installed, pip3 can be used to install the other requirements:

$ pip3 install -r requirements.txt

Several commands used in AutoRecon reference the SecLists project, in the directory /usr/share/seclists/. You can either manually download the SecLists project to this directory (https://github.com/danielmiessler/SecLists), or if you are using Kali Linux (highly recommended) you can run the following:

$ sudo apt install seclists

AutoRecon will still run if you do not install SecLists, though several commands may fail, and some manual commands may not run either.
Additionally the following commands may need to be installed, depending on your OS:

curl
enum4linux
gobuster
nbtscan
nikto
nmap
onesixtyone
oscanner
smbclient
smbmap
smtp-user-enum
snmpwalk
sslscan
svwar
tnscmd10g
whatweb
wkhtmltoimage

Usage
AutoRecon uses Python 3 specific functionality and does not support Python 2.

usage: autorecon.py [-h] [-ct ] [-cs ] [--profile PROFILE]
                    [-o OUTPUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [-v]
                    [--disable-sanity-checks]
                    targets [targets ...]

Network reconnaissance tool to port scan and automatically enumerate services
found on multiple targets.

positional arguments:
  targets               IP addresses (e.g. 10.0.0.1), CIDR notation (e.g.
                        10.0.0.1/24), or resolvable hostnames (e.g. foo.bar)
                        to scan.

optional arguments:
  -h, --help            show this help message and exit
  -ct , --concurrent-targets
                        The maximum number of target hosts to scan
                        concurrently. Default: 5
  -cs , --concurrent-scans
                        The maximum number of scans to perform per target
                        host. Default: 10
  --profile PROFILE     The port scanning profile to use (defined in port-
                        scan-profiles.toml). Default: default
  -o OUTPUT, --output OUTPUT
                        The output directory for results. Default: results
  --nmap NMAP           Override the nmap_extra variable in scans. Default:
                        -vv --reason -Pn
  --nmap-append NMAP_APPEND
                        Append to the default nmap_extra variable in scans.
  -v, --verbose         Enable verbose output. Repeat for more verbosity.
  --disable-sanity-checks
                        Disable sanity checks that would otherwise prevent the
                        scans from running.

Examples
Scanning a single target:

python3 autorecon.py 127.0.0.1
[*] Scanning target 127.0.0.1
[*] Running service detection nmap-full-tcp on 127.0.0.1
[*] Running service detection nmap-top-20-udp on 127.0.0.1
[*] Running service detection nmap-quick on 127.0.0.1
[*] Service detection nmap-quick on 127.0.0.1 finished successfully
[*] [127.0.0.1] ssh found on tcp/22
[*] [127.0.0.1] http found on tcp/80
[*] [127.0.0.1] rpcbind found on tcp/111
[*] [127.0.0.1] postgresql found on tcp/5432
[*] Running task tcp/22/nmap-ssh on 127.0.0.1
[*] Running task tcp/80/nmap-http on 127.0.0.1
[*] Running task tcp/80/curl-index on 127.0.0.1
[*] Running task tcp/80/curl-robots on 127.0.0.1
[*] Running task tcp/80/whatweb on 127.0.0.1
[*] Running task tcp/80/nikto on 127.0.0.1
[*] Running task tcp/111/nmap-nfs on 127.0.0.1
[*] Task tcp/80/curl-index on 127.0.0.1 finished successfully
[*] Task tcp/80/curl-robots on 127.0.0.1 finished successfully
[*] Task tcp/22/nmap-ssh on 127.0.0.1 finished successfully
[*] Task tcp/80/whatweb on 127.0.0.1 finished successfully
[*] Task tcp/111/nmap-nfs on 127.0.0.1 finished successfully
[*] Task tcp/80/nmap-http on 127.0.0.1 finished successfully
[*] Task tcp/80/nikto on 127.0.0.1 finished successfully
[*] Service detection nmap-top-20-udp on 127.0.0.1 finished successfully
[*] Service detection nmap-full-tcp on 127.0.0.1 finished successfully
[*] [127.0.0.1] http found on tcp/5984
[*] [127.0.0.1] rtsp found on tcp/5985
[*] Running task tcp/5984/nmap-http on 127.0.0.1
[*] Running task tcp/5984/curl-index on 127.0.0.1
[*] Running task tcp/5984/curl-robots on 127.0.0.1
[*] Running task tcp/5984/whatweb on 127.0.0.1
[*] Running task tcp/5984/nikto on 127.0.0.1
[*] Task tcp/5984/curl-index on 127.0.0.1 finished successfully
[*] Task tcp/5984/curl-robots on 127.0.0.1 finished successfully
[*] Task tcp/5984/whatweb on 127.0.0.1 finished successfully
[*] Task tcp/5984/nikto on 127.0.0.1 finished successfully
[*] Task tcp/5984/nmap-http on 127.0.0.1 finished successfully
[*] Finished scanning target 127.0.0.1

The default port scan profile first performs a full TCP port scan, a top 20 UDP port scan, and a top 1000 TCP port scan. You may ask why AutoRecon scans the top 1000 TCP ports at the same time as a full TCP port scan (which also scans those ports). The reason is simple: most open ports will generally be in the top 1000, and we want to start enumerating services quickly, rather than wait for Nmap to scan every single port. As you can see, all the service enumeration scans actually finish before the full TCP port scan is finished. While there is a slight duplication of effort, it pays off by getting actual enumeration results back to the tester quicker.
Note that the actual command line output will be colorized if your terminal supports it.
Scanning multiple targets

python3 autorecon.py 192.168.1.100 192.168.1.1/30 localhost
[*] Scanning target 192.168.1.100
[*] Scanning target 192.168.1.1
[*] Scanning target 192.168.1.2
[*] Scanning target localhost
[*] Running service detection nmap-quick on 192.168.1.100
[*] Running service detection nmap-quick on localhost
[*] Running service detection nmap-top-20-udp on 192.168.1.100
[*] Running service detection nmap-quick on 192.168.1.1
[*] Running service detection nmap-quick on 192.168.1.2
[*] Running service detection nmap-top-20-udp on 192.168.1.1
[*] Running service detection nmap-full-tcp on 192.168.1.100
[*] Running service detection nmap-top-20-udp on localhost
[*] Running service detection nmap-top-20-udp on 192.168.1.2
[*] Running service detection nmap-full-tcp on localhost
[*] Running service detection nmap-full-tcp on 192.168.1.1
[*] Running service detection nmap-full-tcp on 192.168.1.2
...

AutoRecon supports multiple targets per scan, and will expand IP ranges provided in CIDR notation. By default, only 5 targets will be scanned at a time, with 10 scans per target.
Scanning multiple targets with advanced options

python3 autorecon.py -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost
[*] Scanning target 192.168.1.100
[*] Scanning target 192.168.1.1
[*] Running service detection nmap-quick on 192.168.1.100 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.xml" 192.168.1.100
[*] Running service detection nmap-quick on 192.168.1.1 with nmap -vv --reason -Pn -sV -sC --version-all -oN "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.xml" 192.168.1.1
[*] Running service detection nmap-top-20-udp on 192.168.1.100 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.xml" 192.168.1.100
[*] Running service detection nmap-top-20-udp on 192.168.1.1 with nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all -oN "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.xml" 192.168.1.1
[-] [192.168.1.1 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.1 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] Initiating ARP Ping Scan at 17:25
[-] [192.168.1.100 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.100 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] Initiating ARP Ping Scan at 17:25
...

In this example, the -ct option limits the number of concurrent targets to 2, and the -cs option limits the number of concurrent scans per target to 2. The -vv option makes the output very verbose, showing the output of every scan being run. The -o option sets a custom output directory for scan results to be saved.

Verbosity
AutoRecon supports three levels of verbosity:

  • (none) Minimal output. AutoRecon will announce when target scans start and finish, as well as which services were identified.
  • (-v) Verbose output. AutoRecon will additionally specify the exact commands which are being run, as well as highlighting any patterns which are matched in command output.
  • (-vv) Very verbose output. AutoRecon will output everything. Literally every line from all commands which are currently running. When scanning multiple targets concurrently, this can result in a ridiculous amount of output. It is not advised to use -vv unless you absolutely need to see live output from commands.

Results
By default, results will be stored in the ./results directory. A new sub directory is created for every target. The structure of this sub directory is:

.
├── exploit/
├── loot/
├── report/
│   ├── local.txt
│   ├── notes.txt
│   ├── proof.txt
│   └── screenshots/
└── scans/
    ├── _commands.log
    ├── _manual_commands.txt
    └── xml/

The exploit directory is intended to contain any exploit code you download / write for the target.
The loot directory is intended to contain any loot (e.g. hashes, interesting files) you find on the target.
The report directory contains some auto-generated files and directories that are useful for reporting:

  • local.txt can be used to store the local.txt flag found on targets.
  • notes.txt should contain a basic template where you can write notes for each service discovered.
  • proof.txt can be used to store the proof.txt flag found on targets.
  • The screenshots directory is intended to contain the screenshots you use to document the exploitation of the target.

The scans directory is where all results from scans performed by AutoRecon will go. This includes port scans / service detection scans, as well as any service enumeration scans. It also contains two other files:

  • _commands.log contains a list of every command AutoRecon ran against the target. This is useful if one of the commands fails and you want to run it again with modifications.
  • _manual_commands.txt contains any commands that are deemed "too dangerous" to run automatically, either because they are too intrusive, require modification based on human analysis, or just work better when there is a human monitoring them.

If a scan results in an error, a file called _errors.log will also appear in the scans directory with some details to alert the user.
If output matches a defined pattern, a file called _patterns.log will also appear in the scans directory with details about the matched output.
The scans/xml directory stores any XML output (e.g. from Nmap scans) separately from the main scan outputs, so that the scans directory itself does not get too cluttered.

Port Scan profiles
The port-scan-profiles.toml file is where you can define the initial port scans / service detection commands. The configuration file uses the TOML format, which is explained here: https://github.com/toml-lang/toml
Here is an example profile called "quick":

[quick]

    [quick.nmap-quick]

        [quick.nmap-quick.service-detection]
        command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'

    [quick.nmap-top-20-udp]

        [quick.nmap-top-20-udp.service-detection]
        command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'

Note that indentation is optional, it is used here purely for aesthetics. The "quick" profile defines a scan called "nmap-quick". This scan has a service-detection command which uses nmap to scan the top 1000 TCP ports. The command uses two references: {scandir} is the location of the scans directory for the target, and {address} is the address of the target.
A regex pattern is defined which matches three named groups (port, protocol, and service) in the output. Every service-detection command must have a corresponding pattern that matches all three of those groups. AutoRecon will attempt to do some checks and refuse to scan if any of those groups are missing.
An almost identical scan called "nmap-top-20-udp" is also defined. This scans the top 20 UDP ports.
Here is a more complicated example:

[udp]

    [udp.udp-top-20]

        [udp.udp-top-20.port-scan]
        command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"'
        pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$'

        [udp.udp-top-20.service-detection]
        command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
        pattern = '^(?P<port>\d+)/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'

In this example, a profile called "udp" defines a scan called "udp-top-20". This scan has two commands, one is a port-scan and the other is a service-detection. When a port-scan command is defined, it will always be run first. The corresponding pattern must match a named group "port" which extracts the port number from the output.
The service-detection will be run after the port-scan command has finished, and uses a new reference: {ports}. This reference is a comma-separated string of all the ports extracted by the port-scan command. Note that the same three named groups (port, protocol, and service) are defined in the service-detection pattern.
Both the port-scan and the service-detection commands use the {scandir} and {address} references.
Note that if a port-scan command is defined without a corresponding service-detection command, AutoRecon will refuse to scan.
This more complicated example is only really useful if you want to use unicornscan's speed in conjunction with nmap's service detection abilities. If you are content with using Nmap for both port scanning and service detection, you do not need to use this setup.

Service Scans
The service-scans.toml file is where you can define service enumeration scans and other manual commands associated with certain services.
Here is an example of a simple configuration:

[ftp]

service-names = [
    '^ftp',
    '^ftp-data'
]

    [[ftp.scan]]
    name = 'nmap-ftp'
    command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'

        [[ftp.scan.pattern]]
        description = 'Anonymous FTP Enabled!'
        pattern = 'Anonymous FTP login allowed'

    [[ftp.manual]]
    description = 'Bruteforce logins:'
    commands = [
        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
    ]

Note that indentation is optional, it is used here purely for aesthetics. The service "ftp" is defined here. The service-names array contains regex strings which should match the service name from the service-detection scans. Regex is used to be as flexible as possible. The service-names array works on a whitelist basis; as long as one of the regex strings matches, the service will get scanned.
An optional ignore-service-names array can also be defined, if you want to blacklist certain regex strings from matching.
The ftp.scan section defines a single scan, named nmap-ftp. This scan defines a command which runs nmap with several ftp-related scripts. Several references are used here:

  • {nmap_extra} by default is set to "-vv --reason -Pn" but this can be overridden or appended to using the --nmap or --nmap-append command line options respectively. If the protocol is UDP, "-sU" will also be appended.
  • {port} is the port that the service is running on.
  • {scandir} is the location of the scans directory for the target.
  • {protocol} is the protocol being used (either tcp or udp).
  • {address} is the address of the target.

A pattern is defined for the nmap-ftp scan, which matches the simple pattern "Anonymous FTP login allowed". In the event that this pattern matches output of the nmap-ftp command, the pattern description ("Anonymous FTP Enabled!") will be saved to the _patterns.log file in the scans directory. A special reference can be used in the description to reference the entire match, or the first capturing group.
The ftp.manual section defines a group of manual commands. This group contains a description for the user, and a commands array which contains the commands that a user can run. Two new references are defined here: {username_wordlist} and {password_wordlist}, which are configured at the very top of the service-scans.toml file, and default to a username and password wordlist provided by SecLists.
Here is a more complicated configuration:
Here is a extra difficult configuration:

[smb]

service-names = [
    '^smb',
    '^microsoft-ds',
    '^netbios'
]

    [[smb.scan]]
    name = 'nmap-smb'
    command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'

    [[smb.scan]]
    name = 'enum4linux'
    command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
    run_once = true
    ports.tcp = [139, 389, 445]
    ports.udp = [137]

    [[smb.scan]]
    name = 'nbtscan'
    command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
    run_once = true
    ports.udp = [137]

    [[smb.scan]]
    name = 'smbclient'
    command = 'smbclient -L {address} -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
    run_once = true
    ports.tcp = [139, 445]

    [[smb.scan]]
    name = 'smbmap-share-permissions'
    command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"'

    [[smb.scan]]
    name = 'smbmap-list-contents'
    command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"'

    [[smb.scan]]
    name = 'smbmap-execute-command'
    command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"'

    [[smb.manual]]
    description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
    commands = [
        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
    ]

The main difference here is that several scans have some new settings:

  • The ports.tcp array defines a whitelist of TCP ports which the command can be run against. If the service is detected on a port that is not in the whitelist, the command will not be run against it.
  • The ports.udp array defines a whitelist of UDP ports which the command can be run against. It operates in the same way as the ports.tcp array.

Why do these settings even exist? Well, some commands will only run against specific ports, and cannot be told to run against any other ports. enum4linux for example, will only run against TCP ports 139, 389, and 445, and UDP port 137.
In fact, enum4linux will always try these ports when it is run. So if the SMB service is found on TCP ports 139 and 445, AutoRecon may attempt to run enum4linux twice for no reason. This is why the third setting exists:

  • If run_once is set to true, the command will only ever run once for that target, even if the SMB service is found on multiple ports.
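As an added example (not AutoRecon's own code), the following Python implements the processing that the port scan profile and service scan sections above describe: the [quick] service-detection pattern with its port, protocol and service groups is run over constructed nmap output, the service-names and ignore-service-names lists decide which service section claims each result, and the ports.tcp/ports.udp whitelists, run_once and the UDP -sU rule are applied before each command template is rendered. The nmap output lines, the ignore-service-names entry and the shortened command strings are constructed for the example; treating a ports table that omits the detected protocol as allowing nothing on it is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of service-detection output for one target (TCP lines as nmap-quick
# prints them, UDP lines as nmap-top-20-udp). Header, "closed" and trailer lines are noise.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE  SERVICE      REASON         VERSION
21/tcp   open   ftp          syn-ack ttl 64 vsftpd 3.0.3
22/tcp   open   ssh          syn-ack ttl 64 OpenSSH 7.9p1
139/tcp  open   netbios-ssn  syn-ack ttl 64 Samba smbd 3.X - 4.X
445/tcp  open   netbios-ssn  syn-ack ttl 64 Samba smbd 4.9.5
8080/tcp closed http-proxy   reset ttl 64
137/udp  open   netbios-ns   udp-response   Samba nmbd
138/udp  open   netbios-dgm  udp-response
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

# The service-detection pattern from the [quick] profile; it must expose the named
# groups port, protocol and service.
SERVICE_DETECTION_PATTERN = re.compile(
    r'^(?P<port>\d+)/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$')

# Parsed form of a cut-down service-scans.toml: the ftp and smb sections from the page
# with shortened commands, plus a hypothetical ignore-service-names entry.
SERVICE_SCANS: Dict[str, dict] = {
    "ftp": {
        "service-names": [r"^ftp", r"^ftp-data"],
        "scan": [
            {"name": "nmap-ftp",
             "command": 'nmap {nmap_extra} -sV -p {port} --script="ftp*" '
                        '-oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" {address}'},
        ],
    },
    "smb": {
        "service-names": [r"^smb", r"^microsoft-ds", r"^netbios"],
        "ignore-service-names": [r"^netbios-dgm"],  # hypothetical, not on the page
        "scan": [
            {"name": "nmap-smb",
             "command": 'nmap {nmap_extra} -sV -p {port} --script="smb*" '
                        '-oN "{scandir}/{protocol}_{port}_smb_nmap.txt" {address}'},
            {"name": "enum4linux", "run_once": True,
             "ports": {"tcp": [139, 389, 445], "udp": [137]},
             "command": 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'},
            {"name": "nbtscan", "run_once": True, "ports": {"udp": [137]},
             "command": 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'},
        ],
    },
}


def pattern_has_required_groups(pattern: re.Pattern) -> bool:
    """Sanity check from the page: refuse a service-detection pattern lacking any group."""
    return {"port", "protocol", "service"} <= set(pattern.groupindex)


def extract_services(output: str, pattern: re.Pattern) -> List[Tuple[int, str, str]]:
    """Apply the pattern line by line; return (port, protocol, service) per open port."""
    found = []
    for line in output.splitlines():
        m = pattern.match(line)
        if m:
            found.append((int(m.group("port")), m.group("protocol"), m.group("service")))
    return found


def match_service_section(service: str, scans: Dict[str, dict]) -> Optional[str]:
    """Whitelist then blacklist: the first section whose service-names matches claims the
    service, unless one of its ignore-service-names regexes matches too."""
    for key, section in scans.items():
        if any(re.search(p, service) for p in section.get("ignore-service-names", [])):
            continue
        if any(re.search(p, service) for p in section["service-names"]):
            return key
    return None


def plan_service_scans(detected: List[Tuple[int, str, str]], scans: Dict[str, dict],
                       address: str, scandir: str, nmap_extra: str = "-vv --reason -Pn"):
    """Render the commands that would be launched, honouring ports.tcp/ports.udp and
    run_once. Assumption: a ports table that omits the detected protocol allows nothing."""
    already_run = set()
    planned: List[Tuple[str, str]] = []
    for port, protocol, service in detected:
        key = match_service_section(service, scans)
        if key is None:
            continue  # no service section claims this service name
        extra = nmap_extra + (" -sU" if protocol == "udp" else "")  # UDP appends -sU
        for scan in scans[key]["scan"]:
            ports = scan.get("ports")
            if ports is not None and port not in ports.get(protocol, []):
                continue
            if scan.get("run_once") and (key, scan["name"]) in already_run:
                continue
            already_run.add((key, scan["name"]))
            planned.append((f"{protocol}/{port}/{scan['name']}", scan["command"].format(
                nmap_extra=extra, port=port, protocol=protocol, scandir=scandir, address=address)))
    return planned
```

Running plan_service_scans over the sample (address "10.0.0.1", scandir "results/10.0.0.1/scans") yields six (tag, command) pairs: enum4linux appears once although SMB is found on tcp/139, tcp/445 and udp/137, nbtscan only for udp/137, and nothing for ssh or the ignored netbios-dgm.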

Testimonials

AutoRecon was invaluable during my OSCP exam, in that it saved me from the tedium of executing my active information gathering commands myself. I was able to start on a target with all the information I needed clearly laid in front of me. I would strongly recommend this utility for anyone in the PWK labs, the OSCP exam, or other environments such as VulnHub or HTB. It is a great tool for both people just starting down their journey into OffSec and seasoned veterans alike. Just make sure that somewhere between those two points you take the time to learn what's going on "under the hood" and how / why it scans what it does.
– b0ats (rooted 5/5 exam hosts)

Wow, what a great find! Before using AutoRecon, ReconScan was my goto enumeration script for targets because it automatically ran the enumeration commands after it finds open ports. The only thing missing was the automatic creation of key directories a pentester might need during an engagement (exploit, loot, report, scans). Reconnoitre did this but didn't automatically run those commands for you. I thought that ReconScan was the bee's knees until I gave AutoRecon a try. It's awesome! It combines the best features of Reconnoitre (auto directory creation) and ReconScan (automatically executing the enumeration commands). All I have to do is run it on a target or a set of targets and start going over the information it has already collected while it continues the rest of the scan. The proof is in the pudding :) Passed the OSCP exam! Kudos to Tib3rius!
– werk0ut

A friend told me about AutoRecon, so I gave it a try in the PWK labs. AutoRecon launches the common tools we all always use, whether it's nmap or nikto, and also creates a nice subfolder system based on the targets you are attacking. The strongest feature of AutoRecon is the speed; on the OSCP exam I left the tool running in the background while I started with another target, and in a matter of minutes I had all the AutoRecon output waiting for me. AutoRecon creates a file full of commands that you should try manually, some of which may require tweaking (for example, hydra bruteforcing commands). It's good to have that extra checklist.
– tr3mb0 (rooted 4/5 exam hosts)

Being introduced to AutoRecon was a complete game changer for me while taking the OSCP and establishing my penetration testing methodology. AutoRecon is a multi-threaded reconnaissance tool that combines and automates popular enumeration tools to do most of the hard work for you. You can't get much better than that! After running AutoRecon on my OSCP exam hosts, I was given a treasure chest full of information that helped me to start on each host and pass on my first try. The best part of the tool is that it automatically launches further enumeration scans based on the initial port scans (e.g. run enum4linux if SMB is detected). The only bad part is that I did not use this tool sooner! Thanks Tib3rius.
– rufy (rooted 4/5 exam hosts)

AutoRecon allows a security researcher to iteratively scan hosts and identify potential attack vectors. Its true power comes in the form of performing scans in the background while the attacker is working on another host. I was able to start my scans and finish a specific host I was working on - and then return to find all relevant scans completed. I was then able to immediately begin trying to gain initial access instead of manually performing the active scanning process. I will continue to use AutoRecon in future penetration tests and CTFs, and highly recommend you do the same.
– waar (rooted 4.99/5 exam hosts)

"If you have to do a task more than twice a day, you need to automate it." That's a piece of advice that an old boss gave to me. AutoRecon takes that lesson to heart. Whether you are sitting in the exam, or in the PWK labs, you can fire off AutoRecon and let it work its magic. I had it running during my last exam while I worked on the buffer overflow. By the time I finished, all the enum data I needed was there for me to go through. 10/10 would recommend for anyone getting into CTF, and anyone who has been at this a long time.
– whoisflynn

I love this tool so much I wrote it.
– Tib3rius (rooted 5/5 exam hosts)

I highly recommend anyone going for their OSCP, doing CTFs or on HTB to check out this tool. Been using AutoRecon on HTB for a month before using it over on the PWK labs and it helped me pass my OSCP exam. If you are having a hard time getting settled with an enumeration methodology I encourage you to follow the flow and techniques this script uses. It takes out a lot of the tedious work that you are probably used to while at the same time providing well-organized subdirectories to quickly look over so you don't lose your head. The manual commands it provides are great for those specific situations that need it when you have run out of options. It's a very valuable tool, can't recommend enough.
– d0hnuts (rooted 5/5 exam hosts)

Autorecon is not just any other tool, it is a recon correlation framework for engagements. This helped me fire a whole bunch of scans while I was working on other targets. This can help a lot in time management. This assisted me to own 4/5 boxes in the PWK exam! Result: Passed!
– Wh0ami (rooted 4/5 exam hosts)

Download AutoRecon: https://github.com/Tib3rius/AutoRecon