Recon: enumerate a target based on Nmap results.
Features
Installation
cd /opt
git clone https://github.com/Knowledge-Wisdom-Understanding/recon.git
cd recon
chmod +x setup.sh
./setup.sh
python3 setup.py install
Usage
Usage: autorecon -t 10.10.10.10
An Information Gathering and Enumeration Framework
Optional Arguments:
-h, --help            show this help message and exit
-t TARGET, --target TARGET
                      Single IPv4 Target to Scan
-F, --FUZZ            auto fuzz found urls ending with .php for params
-v, --version         Show Current Version
-f FILE, --file FILE  File of IPv4 Targets to Scan
-w [WEB], --web [WEB]
                      Get open ports for IPv4 address, then only Enumerate
                      Web and DNS Services. -t, --target must be specified.
                      -w, --web takes a URL path as an argument, e.g. python3
                      recon.py -t 10.10.10.10 -w secret
-i {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --ignore {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...]
                      Service modules to ignore during scan.
-s {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --service {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...]
                      Scan only specified service modules
-b {ftp,smb,http,ssh}, --brute {ftp,smb,http,ssh}
                      Experimental! Brute force ssh, smb, ftp, or http.
                      -t, --target is REQUIRED. Must supply only one protocol
                      at a time. For ssh, valid users are enumerated first
                      and the password brute force is started only if no user
                      or password options are supplied.
-p PORT, --port PORT  Port for the brute force protocol. If no port is
                      specified, the protocol's default port is used.
-u USER, --user USER  Single user name for brute forcing. For SSH, if no user
                      is specified, wordlists/usernames.txt is used to
                      brute force usernames first.
-U USERS, --USERS USERS
                      List of usernames to try for brute forcing. Not yet
                      implemented.
-P PASSWORDS, --PASSWORDS PASSWORDS
                      List of passwords to try. Optional for SSH; by default
                      wordlists/probable-v2-top1575.txt is used.
To scan a single target and enumerate based off of nmap results:
autorecon -t 10.10.10.10
To enumerate web services with larger wordlists (the -w argument is the directory to start from; pass an empty string for the web root):
autorecon -t 10.10.10.10 -w secret
autorecon -t 10.10.10.10 -w somedirectory
autorecon -t 10.10.10.10 -w ' '
Typically, on your first run you should specify only the -t, --target option (autorecon -t 10.10.10.10). Before you can use the -s, --service option to select specific modules, you must already have run the topports module, because most other modules parse its nmap output. If you really want to skip every other module on the first run and only enumerate the web after topports, you could do something like:
autorecon -t 10.10.10.10 -s topports dns http httpcms ssl sslcms sort_urls aquatone source
Or skip web enumeration altogether but scan everything else:
autorecon -t 10.10.10.10 -i dns http httpcms ssl sslcms sort_urls aquatone source
The remaining services module is also dependent on the topports and/or fulltcp module. You can skip the fulltcp scan if the target is slow. Be advised, however, that the UDP nmap scan is currently bundled with the fulltcp module, so skipping fulltcp will also skip that UDP enumeration.
To scan and enumerate all IPv4 addresses listed in the file ips.txt:
autorecon -f ips.txt
To fuzz all discovered .php URLs for parameters, use the -F, --FUZZ flag with no argument:
autorecon -t 10.10.10.10 --FUZZ
Brute force SSH usernames on the default port 22; if unique valid users are found, brute force their passwords:
autorecon -t 10.10.10.10 -b ssh
Same as above, but for SSH on port 2222, optionally with a single username instead of the username wordlist:
autorecon -t 10.10.10.10 -b ssh -p 2222
autorecon -t 10.10.10.10 -b ssh -p 2222 -u slickrick
To prevent certain services from being scanned, specify the -i, --ignore flag.
When specifying multiple services to ignore, the names MUST be space delimited. Only ignore topports if you have already run that module, since most other modules depend on nmap's initial top-ports output. The available modules are as follows:
http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm
autorecon -t 10.10.10.10 -i http
autorecon -t 10.10.10.10 -i http ssl
autorecon --target 10.10.10.10 --ignore fulltcp http
You can also restrict a run to particular services. Like the --ignore option, the -s, --service option takes a space-delimited list, but it scans only the modules named. Note that before you can use -s, --service you must already have run the topports nmap scan, because most modules depend on its output.
autorecon -t 10.10.10.10 -s topports remaining
autorecon -t 10.10.10.10 -s http httpcms
autorecon -t 10.10.10.10 --service oracle
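The module dependency rules above (run topports before -s or -i, remaining needs topports and/or fulltcp, skipping fulltcp drops the bundled UDP scan, -b takes one protocol and requires -t) are easy to get wrong when scripting runs against many targets. The following pre-flight builder is an added example and is not part of the recon project's own code: it encodes those rules, builds the autorecon command line, and refuses combinations the README says will not work. The module list and flag names are taken from the help output above; the assumptions are that every module other than topports and fulltcp needs prior nmap output (the README says "most"), and that the caller knows whether topports has already been run (for instance by checking the tool's output directory, whose layout is not documented here).

```python
#!/usr/bin/env python3
"""Pre-flight check and command builder for autorecon runs (added example).

Encodes the README's dependency rules so a wrapper script fails early
instead of launching a run that cannot produce results.
"""
import shlex

# Module names as listed in the autorecon help output.
MODULES = (
    "http", "httpcms", "ssl", "sslcms", "aquatone", "smb", "dns", "ldap",
    "removecolor", "oracle", "source", "sort_urls", "proxy", "proxycms",
    "fulltcp", "topports", "remaining", "searchsploit", "peaceout",
    "ftpAnonDL", "winrm",
)
# Assumption: only the two nmap modules run without prior nmap output.
NMAP_MODULES = {"topports", "fulltcp"}
BRUTE_PROTOCOLS = ("ftp", "smb", "http", "ssh")


def plan(target, service=(), ignore=(), topports_done=False,
         brute=None, port=None, user=None):
    """Return (argv, warnings) for one autorecon run or raise ValueError.

    service / ignore: module names for -s / -i (never both).
    topports_done: True if an earlier run already produced topports output.
    brute / port / user: -b protocol and optional -p / -u for it.
    """
    if not target:
        raise ValueError("-t, --target is required")
    unknown = [m for m in (*service, *ignore) if m not in MODULES]
    if unknown:
        raise ValueError("unknown module(s): " + ", ".join(unknown))
    if service and ignore:
        raise ValueError("choose either -s or -i for a single run")

    warnings = []
    # Modules that will actually execute in this run.
    if service:
        selected = list(service)
    else:
        selected = [m for m in MODULES if m not in ignore]

    dependents = [m for m in selected if m not in NMAP_MODULES]
    if dependents and "topports" not in selected and not topports_done:
        raise ValueError(
            "run topports first (or include it in -s); these modules need "
            "its nmap output: " + ", ".join(dependents))
    if "topports" in ignore and not topports_done:
        raise ValueError("only ignore topports after it has already been run")
    if "fulltcp" not in selected:
        warnings.append("fulltcp skipped: the bundled UDP nmap scan will not run")

    argv = ["autorecon", "-t", target]
    if service:
        argv += ["-s", *service]
    elif ignore:
        argv += ["-i", *ignore]

    if brute is not None:
        if brute not in BRUTE_PROTOCOLS:
            raise ValueError("-b accepts one of: " + ", ".join(BRUTE_PROTOCOLS))
        argv += ["-b", brute]
        if port is not None:
            if not 1 <= int(port) <= 65535:
                raise ValueError("port must be 1-65535")
            argv += ["-p", str(int(port))]
        if user:
            argv += ["-u", user]
    elif port is not None or user:
        raise ValueError("-p and -u only apply together with -b")

    return argv, warnings


def command_line(target, **kwargs):
    """Shell-safe command string for the run described by plan()."""
    argv, _ = plan(target, **kwargs)
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample: a first run, then a web-only follow-up.
    for kwargs in ({}, {"service": ["http", "httpcms"], "topports_done": True}):
        argv, warns = plan("10.10.10.10", **kwargs)
        print(shlex.join(argv))
        for w in warns:
            print("  warning:", w)
```

Drop this next to your target list, call plan() per host, and only hand the argv to subprocess.run() when it returns; the warnings list tells you when a run will silently miss the UDP scan.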
Important
This program is intended to be used in Kali Linux. If you notice a bug or have a feature request, please create an issue or submit a pull request. Thanks!
Demo
Fun-Facts
Disclaimer
Usage of recon.py for testing or exploiting websites without prior mutual consent can be considered an illegal activity. This tool is intended for CTF machines only. It is the final user's responsibility to obey all applicable local, state and federal laws. The authors assume no liability and are not responsible for any misuse or damage caused by this program.