AutoRecon : Multi Threaded Network Reconnaissance Tool

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.

The tool works by firstly performing port scans / service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, nikto will be launched (as well as many others).

Everything in the tool is highly configurable. The default configuration performs no automated exploitation to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the mis-use of this tool.

Origin

AutoRecon was inspired by three tools which the author used during the OSCP labs: Reconnoitre, ReconScan, and bscan. While all three tools were useful, none of the three alone had the functionality desired. AutoRecon combines the best features of the aforementioned tools while also implementing many new features to help testers with enumeration of multiple targets.

Features

• Supports multiple targets in the form of IP addresses, IP ranges (CIDR notation), and resolvable hostnames.
• Can scan targets concurrently, utilizing multiple processors if they are available.
• Customizable port scanning profiles for flexibility in your initial scans.
• Customizable service enumeration commands and suggested manual follow-up commands.
• An intuitive directory structure for results gathering.
• Full logging of commands that were run, along with errors if they fail.
• Global and per-scan pattern matching so you can highlight/extract important information from the noise.

Also Read – Slurp : Evaluate The Security Of S3 Buckets

Requirements

• Python 3
• colorama
• toml

Once Python 3 is installed, pip3 can be used to install the other requirements:

$ pip3 install -r requirements.txt

Several commands used in AutoRecon reference the SecLists project, in the directory /usr/share/seclists/. You can either manually download the SecLists project to this directory (https://github.com/danielmiessler/SecLists), or if you are using Kali Linux (highly recommended) you can run the following:

$ sudo apt install seclists

AutoRecon will still run if you do not install SecLists, though several commands may fail, and some manual commands may not run either.

Additionally the following commands may need to be installed, depending on your OS:

curl
enum4linux
gobuster
nbtscan
nikto
nmap
onesixtyone
oscanner
smbclient
smbmap
smtp-user-enum
snmpwalk
sslscan
svwar
tnscmd10g
whatweb
wkhtmltoimage

Usage

AutoRecon uses Python 3 specific functionality and does not support Python 2.

usage: autorecon.py [-h] [-ct ] [-cs ] [–profile PROFILE]
[-o OUTPUT] [–nmap NMAP | –nmap-append NMAP_APPEND] [-v]
[–disable-sanity-checks]
targets [targets …]

Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.

Positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g.
10.0.0.1/24), or resolvable hostnames (e.g. foo.bar)
to scan.

Optional arguments:
-h, –help show this help message and exit
-ct , –concurrent-targets The maximum number of target hosts to scan concurrently. Default: 5
-cs , –concurrent-scans The maximum number of scans to perform per target host. Default: 10
–profile PROFILE The port scanning profile to use (defined in port-scan-profiles.toml). Default: default
-o OUTPUT, –output OUTPUT The output directory for results. Default: results
–nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv –reason -Pn
–nmap-append NMAP_APPEND Append to the default {nmap_extra} variable in scans.
-v, –verbose Enable verbose output. Repeat for more verbosity.
–disable-sanity-checks Disable sanity checks that would otherwise prevent the scans from running.

Examples

Scanning a single target:

python3 autorecon.py 127.0.0.1
[] Scanning target 127.0.0.1 [] Running service detection nmap-full-tcp on 127.0.0.1
[] Running service detection nmap-top-20-udp on 127.0.0.1 [] Running service detection nmap-quick on 127.0.0.1
[] Service detection nmap-quick on 127.0.0.1 finished successfully [] [127.0.0.1] ssh found on tcp/22
[] [127.0.0.1] http found on tcp/80 [] [127.0.0.1] rpcbind found on tcp/111
[] [127.0.0.1] postgresql found on tcp/5432 [] Running task tcp/22/nmap-ssh on 127.0.0.1
[] Running task tcp/80/nmap-http on 127.0.0.1 [] Running task tcp/80/curl-index on 127.0.0.1
[] Running task tcp/80/curl-robots on 127.0.0.1 [] Running task tcp/80/whatweb on 127.0.0.1
[] Running task tcp/80/nikto on 127.0.0.1 [] Running task tcp/111/nmap-nfs on 127.0.0.1
[] Task tcp/80/curl-index on 127.0.0.1 finished successfully [] Task tcp/80/curl-robots on 127.0.0.1 finished successfully
[] Task tcp/22/nmap-ssh on 127.0.0.1 finished successfully [] Task tcp/80/whatweb on 127.0.0.1 finished successfully
[] Task tcp/111/nmap-nfs on 127.0.0.1 finished successfully [] Task tcp/80/nmap-http on 127.0.0.1 finished successfully
[] Task tcp/80/nikto on 127.0.0.1 finished successfully [] Service detection nmap-top-20-udp on 127.0.0.1 finished successfully
[] Service detection nmap-full-tcp on 127.0.0.1 finished successfully [] [127.0.0.1] http found on tcp/5984
[] [127.0.0.1] rtsp found on tcp/5985 [] Running task tcp/5984/nmap-http on 127.0.0.1
[] Running task tcp/5984/curl-index on 127.0.0.1 [] Running task tcp/5984/curl-robots on 127.0.0.1
[] Running task tcp/5984/whatweb on 127.0.0.1 [] Running task tcp/5984/nikto on 127.0.0.1
[] Task tcp/5984/curl-index on 127.0.0.1 finished successfully [] Task tcp/5984/curl-robots on 127.0.0.1 finished successfully
[] Task tcp/5984/whatweb on 127.0.0.1 finished successfully [] Task tcp/5984/nikto on 127.0.0.1 finished successfully
[] Task tcp/5984/nmap-http on 127.0.0.1 finished successfully [] Finished scanning target 127.0.0.1

The default port scan profile first performs a full TCP port scan, a top 20 UDP port scan, and a top 1000 TCP port scan. You may ask why AutoRecon scans the top 1000 TCP ports at the same time as a full TCP port scan (which also scans those ports). The reason is simple: most open ports will generally be in the top 1000, and we want to start enumerating services quickly, rather than wait for Nmap to scan every single port. As you can see, all the service enumeration scans actually finish before the full TCP port scan is done. While there is a slight duplication of efforts, it pays off by getting actual enumeration results back to the tester quicker.

Note that the actual command line output will be colorized if your terminal supports it.

Scanning multiple targets

python3 autorecon.py 192.168.1.100 192.168.1.1/30 localhost
[] Scanning target 192.168.1.100 [] Scanning target 192.168.1.1
[] Scanning target 192.168.1.2 [] Scanning target localhost
[] Running service detection nmap-quick on 192.168.1.100 [] Running service detection nmap-quick on localhost
[] Running service detection nmap-top-20-udp on 192.168.1.100 [] Running service detection nmap-quick on 192.168.1.1
[] Running service detection nmap-quick on 192.168.1.2 [] Running service detection nmap-top-20-udp on 192.168.1.1
[] Running service detection nmap-full-tcp on 192.168.1.100 [] Running service detection nmap-top-20-udp on localhost
[] Running service detection nmap-top-20-udp on 192.168.1.2 [] Running service detection nmap-full-tcp on localhost
[] Running service detection nmap-full-tcp on 192.168.1.1 [] Running service detection nmap-full-tcp on 192.168.1.2
…

AutoRecon supports multiple targets per scan, and will expand IP ranges provided in CIDR notation. By default, only 5 targets will be scanned at a time, with 10 scans per target.

Scanning multiple targets with advanced options

python3 autorecon.py -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost
[] Scanning target 192.168.1.100 [] Scanning target 192.168.1.1
[] Running service detection nmap-quick on 192.168.1.100 with nmap -vv –reason -Pn -sV -sC –version-all -oN “/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.txt” -oX “/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.xml” 192.168.1.100 [] Running service detection nmap-quick on 192.168.1.1 with nmap -vv –reason -Pn -sV -sC –version-all -oN “/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.txt” -oX “/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.xml” 192.168.1.1
[] Running service detection nmap-top-20-udp on 192.168.1.100 with nmap -vv –reason -Pn -sU -A –top-ports=20 –version-all -oN “/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.txt” -oX “/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.xml” 192.168.1.100 [] Running service detection nmap-top-20-udp on 192.168.1.1 with nmap -vv –reason -Pn -sU -A –top-ports=20 –version-all -oN “/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.txt” -oX “/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.xml” 192.168.1.1
[-] [192.168.1.1 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.100 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST
[-] [192.168.1.1 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.1 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.1 nmap-quick] Initiating ARP Ping Scan at 17:25
[-] [192.168.1.100 nmap-quick] NSE: Loaded 148 scripts for scanning.
[-] [192.168.1.100 nmap-quick] NSE: Script Pre-scanning.
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.
[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25
[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed
[-] [192.168.1.100 nmap-quick] Initiating ARP Ping Scan at 17:25
…

In this example, the -ct option limits the number of concurrent targets to 2, and the -cs option limits the number of concurrent scans per target to 2. The -vv option makes the output very verbose, showing the output of every scan being run. The -o option sets a custom output directory for scan results to be saved.

Verbosity

AutoRecon supports three levels of verbosity:

• (none) Minimal output. AutoRecon will announce when target scans start and finish, as well as which services were identified.
• (-v) Verbose output. AutoRecon will additionally specify the exact commands which are being run, as well as highlighting any patterns which are matched in command output.
• (-vv) Very verbose output. AutoRecon will output everything. Literally every line from all commands which are currently running. When scanning multiple targets concurrently, this can lead to a ridiculous amount of output. It is not advised to use -vv unless you absolutely need to see live output from commands.

Results

By default, results will be stored in the ./results directory. A new sub directory is created for every target. The structure of this sub directory is:

├── exploit/
├── loot/
├── report/
│   ├── local.txt
│   ├── notes.txt
│   ├── proof.txt
│   └── screenshots/
└── scans/
    ├── _commands.log
    ├── _manual_commands.txt
    └── xml/

The exploit directory is intended to contain any exploit code you download / write for the target.

The loot directory is intended to contain any loot (e.g. hashes, interesting files) you find on the target.

The report directory contains some auto-generated files and directories that are useful for reporting:

• local.txt can be used to store the local.txt flag found on targets.
• notes.txt should contain a basic template where you can write notes for each service discovered.
• proof.txt can be used to store the proof.txt flag found on targets.
• The screenshots directory is intended to contain the screenshots you use to document the exploitation of the target.

The scans directory is where all results from scans performed by AutoRecon will go. This includes port scans / service detection scans, as well as any service enumeration scans. It also contains two other files:

• _commands.log contains a list of every command AutoRecon ran against the target. This is useful if one of the commands fails and you want to run it again with modifications.
• _manual_commands.txt contains any commands that are deemed “too dangerous” to run automatically, either because they are too intrusive, require modification based on human analysis, or just work better when there is a human monitoring them.

If a scan results in an error, a file called _errors.log will also appear in the scans directory with some details to alert the user.

If output matches a defined pattern, a file called _patterns.log will also appear in the scans directory with details about the matched output.

The scans/xml directory stores any XML output (e.g. from Nmap scans) separately from the main scan outputs, so that the scans directory itself does not get too cluttered.

Port Scan profiles

The port-scan-profiles.toml file is where you can define the initial port scans / service detection commands. The configuration file uses the TOML format, which is explained here: https://github.com/toml-lang/toml