O.G. AUTO-RECON - Enumerate A Target Based Off Of Nmap Results
Enumerate a target Based off of Nmap Results
Features
- The purpose of O.G. Auto-Recon is to automate the initial information gathering phase and then enumerate based off those results as much as possible.
- This tool is intended for CTF's and can be fairly noisy. (Not the most stealth conscious tool...)
- All tools in this project are compliant with the OSCP exam rules.
- Command syntax can be easily modified in the Config settings. $variable names should remain unchanged.
- If Virtual Host Routing is detected, O.G. Auto-Recon will add the host names to your /etc/hosts file and continue to enumerate the newly discovered host names.
- DNS enumeration is nerfed to ignore .com .co .eu .uk domains etc... since this tool was designed for CTF's like for instance, "hack the box". It will try to find most .htb domains if dns server's are detected..
- This project use's various stand-alone & custom tools to enumerate a target based off nmap results.
- All Commands and output are logged to a Report folder using the naming context, "IP-ADDRESS-Report/" which will look something like, 10.10.10.10-Report/ with a directory tree structure similar to this report tree structure
INSTALLATION
cd /opt
git clone https://github.com/Knowledge-Wisdom-Understanding/recon.git
cd recon
chmod +x setup.sh
./setup.sh
Usage
_____________ ____ ________________ /___/___ \ / / | /___/__ \ Mr.P-Millz _____ O.G./ / _ \______/__/ |______|__|_____ * \_________________/__/ |___ __/__/ /_\ \ | | \ __\/ _ \| | __/ __ \_/ ___\/ _ \| | | | ___ \| | /| | ( |_| ) | | \ ___/\ \__( |_| ) | | |___|____/\__\____|____/_|__|\_\____/|__|____|_ /\___ |\___ \____/|___| / gtihub.com/Knowledge-Wisdom-Understanding \___\/ \__\/ \__\_/ v3.6 \___\/ usage: python3 recon.py -t 10.10.10.10 An Information Gathering and Enumeration Framework optional arguments: -h, --help show this help message and exit -t TARGET, --target TARGET Single IPv4 Target to Scan -F, --FUZZ auto fuzz found urls ending with .php for params -v, --version Show Current Version -f FILE, --file FILE File of IPv4 Targets to Scan -w [WEB], --web [WEB] Get open ports for IPv4 address, then only Enumerate Web & and Dns Services. -t,--target must be specified. -w, --web takes a URL as an argument. i.e. python3 recon.py -t 10.10.10.10 -w secret -i {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --ignore {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...] Service modules to ignore during scan. -s {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --service {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...] Scan only specified service modules -b {ftp,smb,http,ssh}, --brute {ftp,smb,http,ssh} Experimental! - Brute Force ssh,smb,ftp, or http. -t, --target is REQUIRED. Must supply only one protocol at a time. For ssh, first valid users will be enumerated before password brute is initiated, when no user or passwords are supplied as options. -p PORT, --port PORT port for brute forcing argument. If no port specified, default port will be used -u USER, --user USER Single user name for brute forcing, for SSH, if no user specified, will default to wordlists/usernames.txt and bruteforce usernames -U USERS, --USERS USERS List of usernames to try for brute forcing. Not yet implimented -P PASSWORDS, --PASSWORDS PASSWORDS List of passwords to try. Optional for SSH, By default wordlists/probable-v2-top1575.txt will be used.
To scan a single target and enumerate based off of nmap results:
_____________ ____ ________________
/___/___ \ / / | /___/__ \ Mr.P-Millz _____
O.G./ / _ \______/__/ |______|__|_____ * \_________________/__/ |___
__/__/ /_\ \ | | \ __\/ _ \| | __/ __ \_/ ___\/ _ \| |
| | ___ \| | /| | ( |_| ) | | \ ___/\ \__( |_| ) | |
|___|____/\__\____|____/_|__|\_\____/|__|____|_ /\___ |\___ \____/|___| /
gtihub.com/Knowledge-Wisdom-Understanding \___\/ \__\/ \__\_/ v3.6 \___\/
usage: python3 recon.py -t 10.10.10.10
An Information Gathering and Enumeration Framework
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
Single IPv4 Target to Scan
-F, --FUZZ auto fuzz found urls ending with .php for params
-v, --version Sh ow Current Version
-f FILE, --file FILE File of IPv4 Targets to Scan
-w [WEB], --web [WEB]
Get open ports for IPv4 address, then only Enumerate
Web & and Dns Services. -t,--target must be specified.
-w, --web takes a URL as an argument. i.e. python3
recon.py -t 10.10.10.10 -w secret
-i {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --ignore {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle, source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...]
Service modules to ignore during scan.
-s {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --service {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...]
Scan only specified service modules
-b {ftp,smb,http,ssh}, --brute {ftp,smb,http,ssh}
Experimental! - Brute Force ssh,smb,ftp, or http. -t,
--target is REQUIRED. Must supply only one protocol at
a time. For ssh, first valid users will be enumerated
before password brute is initiated, when no user or
passwords are supplied as options.
-p PORT, --port PORT port for brute forcing argument. If no port specified,
default port will be used
-u USER, --user USER Single user name for brute forcing, for SSH, if no
user specified, will default to
wordlists/usernames.txt and bruteforce usernames
-U USERS, --USERS USERS
List of usernames to try for brute forcing. Not yet
implimented
-P PASSWORDS, --PASSWORDS PASSWORDS
List of passwords to try. Optional for SSH, By defaul t
wordlists/probable-v2-top1575.txt will be used.
- If you don't want to specify a directory , you can just enter ' ' as the argument for --web
python3 recon.py -t 10.10.10.10
python3 recon.py -t 10.10.10.10 -w secret
python3 recon.py -t 10.10.10.10 -w somedirectory
python3 recon.py -t 10.10.10.10 -w ' '
python3 recon.py -t 10.10.10.10 -s topports dns http httpcms ssl sslcms sort_urls aquatone source
To Scan + Enumerate all IPv4 addr's in ips.txt file
python3 recon.py -t 10.10.10.10 -i dns http httpcms ssl sslcms sort_urls aquatone source
python3 recon.py -f ips.txt
python3 recon.py -t 10.10.10.10 --FUZZ
python3 recon.py -t 10.10.10.10 -b ssh
When specifying multiple services to ignore, services MUST be space delimited. Only ignore topports if you have already ran this module as most other modules are dependent on nmap's initial top ports output. All the available modules are as follows:
http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm
python3 recon.py -t 10.10.10.10 -b ssh -p 2222
python3 recon.py -t 10.10.10.10 -b ssh -p 2222 -u slickrick
http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm
python3 recon.py -t 10.10.10.10 -i http
python3 recon.py -t 10.10.10.10 -i http ssl
python3 recon.py --target 10.10.10.10 --ignore fulltcp http
Important
- MAKE SURE TO CHECK OUT THE Config file for all your customization needs
- All required non-default kali linux dependencies are included in setup.sh.
Demo
This program is intended to be used in kali linux. If you notice a bug or have a feature request. Please create an issue or submit a pull request. Thanks!
O.G. AUTO-RECON - Enumerate A Target Based Off Of Nmap Results
Reviewed by Zion3R
on
5:30 PM
Rating: