~synfinner/AutoRecon

Python utility to assist in early pen testing recon
Added SYN scan and temporarily disabled eventlet
Update README with capabilities
Update README with new help options

Clone (read-only): https://git.sr.ht/~synfinner/AutoRecon
Clone (read/write): git@git.sr.ht:~synfinner/AutoRecon

AutoRecon

Why?

I made this just to simplify my life a bit at home and maybe even at work. I had an inherent desire to not want to type more stuff in.

Also, since we're in lockdown, why not spend some time working on code?

Setup

Set up the env:

-> python3 -m venv env
-> source env/bin/activate
-> pip3 install -r requirements.txt

If using FISH, please follow the instructions here: https://virtualfish.readthedocs.io/en/latest/install.html#installing

-> vf new AutoRecon
-> vf activate AutoRecon
-> pip3 install -r requirements.txt

Capabilities

  • nmap service scan (top 1000 ports), ping and no ping
  • nmap service scan (full port), ping and no ping
  • DNS reverse lookup (supports CIDR)
  • Pull SSL certificate Subject names (supports CIDR)
  • ...more coming soon

Examples

  • Pull SSL subject data (useful if you want to know potential host names when you have a list of IPs): ./autorecon.py -t 185.112.145.217 --pullcert

  • Perform nmap service scan against a range of IPs: ./autorecon.py -t 192.168.2.0/24 -s

synfinner@synbook ~/P/p/AutoRecon (dev) [2]> (AutoRecon) ./autorecon.py -t 192.168.2.0/24 -s

  /$$$$$$              /$$               /$$$$$$$
 /$$__  $$            | $$              | $$__  $$
| $$  \ $$ /$$   /$$ /$$$$$$    /$$$$$$ | $$  \ $$  /$$$$$$   /$$$$$$$  /$$$$$$  /$$$$$$$
| $$$$$$$$| $$  | $$|_  $$_/   /$$__  $$| $$$$$$$/ /$$__  $$ /$$_____/ /$$__  $$| $$__  $$
| $$__  $$| $$  | $$  | $$    | $$  \ $$| $$__  $$| $$$$$$$$| $$      | $$  \ $$| $$  \ $$
| $$  | $$| $$  | $$  | $$ /$$| $$  | $$| $$  \ $$| $$_____/| $$      | $$  | $$| $$  | $$
| $$  | $$|  $$$$$$/  |  $$$$/|  $$$$$$/| $$  | $$|  $$$$$$$|  $$$$$$$|  $$$$$$/| $$  | $$
|__/  |__/ \______/    \___/   \______/ |__/  |__/ \_______/ \_______/ \______/ |__/  |__/

v0.0.1-dev
Author: Synfinner (https://dreadsec.social/@synfinner)

[+] Starting service scan against: 192.168.2.0/24
    ...snip...
Nmap Scan running: ETC: 1584835581 DONE: 69.23%
-------- Host 192.168.2.66 is up --------
   80/tcp  open          http    [cpe:/a:microsoft:iis:10.0, cpe:/o:microsoft:windows] (product: Microsoft IIS httpd version: 10.0 ostype: Windows)
  135/tcp  open          msrpc   [cpe:/o:microsoft:windows] (product: Microsoft Windows RPC ostype: Windows)
  808/tcp  open          ccproxy-http    []
 2968/tcp  open          enpp    []
 6543/tcp  open          mythtv      []
 8082/tcp  open          http    [cpe:/a:microsoft:.net_framework:4.0.30319.42000, cpe:/o:microsoft:windows] (product: MS .NET Remoting httpd extrainfo: .NET CLR 4.0.30319.42000 ostype: Windows)
 9111/tcp  open          DragonIDSConsole    []
27000/tcp  open          flexlm      [] (product: FlexLM license manager)
---------------------------------

  • Perform nmap service scan and ping all hosts: ./autorecon.py -t 192.168.2.0/24 -s --ping
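The transcript above is the only place the README documents AutoRecon's output format, and most teams end up feeding such output into an asset inventory or comparing it against an expected baseline. The following is an added example (not AutoRecon's own code) that does two things the page describes but does not show in code: it expands the -t target the way the "supports CIDR" bullets imply (a bare IP or a CIDR block, skipping network and broadcast addresses), and it parses the per-host port lines from the transcript into records, then reports open ports that are not on a per-host allowlist. The line format is assumed to be exactly what the transcript shows; the allowlist in the usage is a constructed example, not something AutoRecon provides.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Scan output copied from the README transcript above (the host block for 192.168.2.66).
SAMPLE_OUTPUT = """\
[+] Starting service scan against: 192.168.2.0/24
Nmap Scan running: ETC: 1584835581 DONE: 69.23%
-------- Host 192.168.2.66 is up --------
   80/tcp  open          http    [cpe:/a:microsoft:iis:10.0, cpe:/o:microsoft:windows] (product: Microsoft IIS httpd version: 10.0 ostype: Windows)
  135/tcp  open          msrpc   [cpe:/o:microsoft:windows] (product: Microsoft Windows RPC ostype: Windows)
  808/tcp  open          ccproxy-http    []
 2968/tcp  open          enpp    []
 6543/tcp  open          mythtv      []
 8082/tcp  open          http    [cpe:/a:microsoft:.net_framework:4.0.30319.42000, cpe:/o:microsoft:windows] (product: MS .NET Remoting httpd extrainfo: .NET CLR 4.0.30319.42000 ostype: Windows)
 9111/tcp  open          DragonIDSConsole    []
27000/tcp  open          flexlm      [] (product: FlexLM license manager)
---------------------------------
"""

# "-------- Host 192.168.2.66 is up --------"
HOST_RE = re.compile(r"^-+\s*Host\s+(\S+)\s+is up\s*-+$")
# "   80/tcp  open  http  [cpe1, cpe2] (product: ... version: ... ostype: ...)"
PORT_RE = re.compile(
    r"^\s*(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+\[(?P<cpes>[^\]]*)\](?:\s+\((?P<details>.*)\))?\s*$"
)
# The parenthesised details are "key: value" pairs separated only by whitespace;
# a split on the known keys (capturing group) keeps the keys in the result list.
DETAIL_SPLIT_RE = re.compile(r"\s*\b(product|version|extrainfo|ostype):\s*")


def expand_target(target: str) -> List[str]:
    """Expand the -t argument: a single IP or a CIDR block (assumed semantics)."""
    net = ipaddress.ip_network(target.strip(), strict=False)
    if net.num_addresses <= 2:          # /32 or /31: every address is a host
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]  # drops network and broadcast addresses


def parse_details(details: Optional[str]) -> Dict[str, str]:
    """Turn 'product: X version: Y ostype: Z' into a dict; empty when absent."""
    if not details:
        return {}
    parts = DETAIL_SPLIT_RE.split(details)
    # re.split with a capturing group yields [leading_text, key, value, key, value, ...]
    return {key: value.strip() for key, value in zip(parts[1::2], parts[2::2])}


def parse_scan_output(text: str) -> Dict[str, List[dict]]:
    """Map each host in the transcript to a list of port records."""
    hosts: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        host_match = HOST_RE.match(line)
        if host_match:
            current = host_match.group(1)
            hosts.setdefault(current, [])
            continue
        port_match = PORT_RE.match(line)
        if port_match and current is not None:
            record = {
                "port": int(port_match.group("port")),
                "proto": port_match.group("proto"),
                "state": port_match.group("state"),
                "service": port_match.group("service"),
                "cpes": [c.strip() for c in port_match.group("cpes").split(",") if c.strip()],
            }
            record.update(parse_details(port_match.group("details")))
            hosts[current].append(record)
        elif line.startswith("-----"):
            current = None  # the plain dashed line closes the host block
    return hosts


def unexpected_services(hosts: Dict[str, List[dict]],
                        allowed: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """Open ports that are not in the per-host allowlist (baseline comparison)."""
    findings = []
    for host, records in hosts.items():
        permitted = allowed.get(host, set())
        for rec in records:
            if rec["state"] == "open" and rec["port"] not in permitted:
                findings.append((host, rec["port"], rec["service"]))
    return findings


if __name__ == "__main__":
    print("Targets for 192.168.2.0/30:", expand_target("192.168.2.0/30"))
    parsed = parse_scan_output(SAMPLE_OUTPUT)
    # Constructed baseline: only the web server and RPC are expected on this host.
    baseline = {"192.168.2.66": {80, 135}}
    for host, port, service in unexpected_services(parsed, baseline):
        print(f"{host}: unexpected open port {port} ({service})")
```

The parser is deliberately strict about the bracketed CPE list and the parenthesised details, so a line it does not recognise is skipped rather than half-parsed; if AutoRecon's output format changes, adjust PORT_RE rather than loosening the matching.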

Term Help Output

usage: autorecon.py [-h] -t IP_ADDRESS [-s] [--ping] [--full] [-r]
                    [-n 1.1.1.1] [--pullcert] [--port PORT]

optional arguments:
  -h, --help            show this help message and exit
  -t IP_ADDRESS, --target IP_ADDRESS
                        Target IP/Range to scan
  -s, --scan            Perform nmap service scan (nmap top 1000 ports)
  --ping                Enable ICMP probing within nmap. Default is -Pn.
  --full                Scan all ports (1-65535)
  -r, --rvl             Perform a DNS reverse lookup
  -n 1.1.1.1, --nameserver 1.1.1.1
                        Specify DNS server IP (Default: 8.8.8.8)
  --pullcert            Pull SSL Subject name. Port (--port) may be required.
                        No port specified defaults to 443.
  --port PORT           Port for connection