diff --git a/MANIFEST.in b/MANIFEST.in
new file mode 100644
index 0000000..62180a0
--- /dev/null
+++ b/MANIFEST.in
@@ -0,0 +1,2 @@
+recursive-include Reconnoitre *.txt
+recursive-include Reconnoitre *.json
diff --git a/Reconnoitre.egg-info/PKG-INFO b/Reconnoitre.egg-info/PKG-INFO
new file mode 100644
index 0000000..f690d19
--- /dev/null
+++ b/Reconnoitre.egg-info/PKG-INFO
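Review bot: Alongside this MANIFEST.in the commit checks in setuptools outputs: `Reconnoitre.egg-info/` and a complete `build/lib.linux-x86_64-2.7/` tree holding second copies of `config.json`, `file_helper.py` and the other lib modules. Those copies are rewritten on every `setup.py build` and will drift from `Reconnoitre/lib/` as soon as either side is edited, so neither reviewers nor users can tell which version an install actually carries. Suggest adding `build/` and `*.egg-info/` to `.gitignore` and dropping both trees from the commit; the `*.txt` and `*.json` data files are already covered for sdist by the two `recursive-include` lines here.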
@@ -0,0 +1,121 @@ +Metadata-Version: 1.0 +Name: Reconnoitre +Version: 1.0 +Summary: A reconnaissance tool made for the OSCP labs to automate information gathering, and service enumeration whilst creating a directory structure to store results,findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags. +Home-page: https://github.com/codingo/Reconnoitre +Author: codingo +Author-email: codingo@protonmail.com +License: GPLv3 +Description-Content-Type: UNKNOWN +Description: ![Reconnnoitre](https://github.com/codingo/Reconnoitre/blob/master/assets/tank-152362_640.png) + A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags. + + Contributions are more than welcome! + + [![Python 3.2|3.6](https://img.shields.io/badge/python-3.2|3.6-green.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPL3-_red.svg)](https://www.gnu.org/licenses/gpl-3.0.en.html) [![Build Status](https://travis-ci.org/codingo/Reconnoitre.svg?branch=master)](https://travis-ci.org/codingo/Reconnoitre) [![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_) + + # Credit + + This tool is based heavily upon the work made public in Mike Czumak's (T_v3rn1x) OSCP review ([link](https://www.securitysift.com/offsec-pwb-oscp/)) along with considerable influence and code taken from Re4son's mix-recon ([link](https://whitedome.com.au/re4son/category/re4son/oscpnotes/)). Virtual host scanning is originally adapted from teknogeek's work which is heavily influenced by jobertabma's virtual host discovery script ([link](https://github.com/jobertabma/virtual-host-discovery)). 
Further Virtual Host scanning code has been adapted from a project by Tim Kent and I, available here ([link](https://github.com/codingo/VHostScan)). + + # Usage + + This tool can be used and copied for personal use freely however attribution and credit should be offered to Mike Czumak who originally started the process of automating this work. + + | Argument | Description | + | ------------- |:-------------| + | -h, --help | Display help message and exit | + | -t TARGET_HOSTS | Set either a target range of addresses or a single host to target. May also be a file containing hosts. | + | -o OUTPUT_DIRECTORY | Set the target directory where results should be written. | + | -w WORDLIST | Optionally specify your own wordlist to use for pre-compiled commands, or executed attacks. | + | --pingsweep | Write a new target.txt file in the OUTPUT_DIRECTORY by performing a ping sweep and discovering live hosts. | + | --dns, --dnssweep | Find DNS servers from the list of target(s). | + | --snmp | Find hosts responding to SNMP requests from the list of target(s). | + | --services | Perform a service scan over the target(s) and write recommendations for further commands to execute. | + | --hostnames | Attempt to discover target hostnames and write to hostnames.txt. | + | --virtualhosts | Attempt to discover virtual hosts using the specified wordlist. This can be expended via discovered hostnames. | + | --ignore-http-codes | Comma separated list of http codes to ignore with virtual host scans. | + | --ignore-content-length | Ignore content lengths of specificed amount. This may become useful when a server returns a static page on every virtual host guess. | + | --quiet | Supress banner and headers and limit feedback to grepable results. | + | --quick | Move to the next target after performing a quick scan and writing first-round recommendations. | + | --no-udp | Disable UDP service scanning, which is ON by default. 
| + + ## Usage Examples + _Note that these are some examples to give you insight into potential use cases for this tool. Command lines can be added or removed based on what you wish to accomplish with your scan._ + + ### Scan a single host, create a file structure and discover services + ``` + python ./reconnoitre.py -t 192.168.1.5 -o /root/Documents/labs/ --services + ``` + + An example output would look like: + + ``` + root@kali:~/Documents/tools/reconnoitre/reconnoitre# python ./reconnoitre.py -t 192.168.1.5 --services -o /root/Documents/labs/ + __ + |"""\-= RECONNOITRE + (____) An OSCP scanner + + [#] Performing service scans + [*] Loaded single target: 192.168.1.5 + [+] Creating directory structure for 192.168.1.5 + [>] Creating scans directory at: /root/Documents/labs/192.168.1.5/scans + [>] Creating exploit directory at: /root/Documents/labs/192.168.1.5/exploit + [>] Creating loot directory at: /root/Documents/labs/192.168.1.5/loot + [>] Creating proof file at: /root/Documents/labs/192.168.1.5/proof.txt + [+] Starting quick nmap scan for 192.168.1.5 + [+] Writing findings for 192.168.1.5 + [>] Found HTTP service on 192.168.1.5:80 + [>] Found MS SMB service on 192.168.1.5:445 + [>] Found RDP service on 192.168.1.5:3389 + [*] TCP quick scan completed for 192.168.1.5 + [+] Starting detailed TCP/UDP nmap scans for 192.168.1.5 + [+] Writing findings for 192.168.1.5 + [>] Found MS SMB service on 192.168.1.5:445 + [>] Found RDP service on 192.168.1.5:3389 + [>] Found HTTP service on 192.168.1.5:80 + [*] TCP/UDP Nmap scans completed for 192.168.1.5 + ``` + Which would also write the following recommendations file in the scans folder for each target: + ``` + [*] Found HTTP service on 192.168.1.50:80 + [>] Use nikto & dirb / dirbuster for service enumeration, e.g + [=] nikto -h 192.168.1.50 -p 80 > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_nikto.txt + [=] dirb http://192.168.1.50:80/ -o /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirb.txt -r -S -x 
./dirb-extensions/php.ext + [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirbuster.txt -u http://192.168.1.50:80/ + [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://192.168.1.50:80/ -s '200,204,301,302,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_common.txt -t 50 + [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -u http://192.168.1.50:80/ -s '200,204,301,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_cgis.txt -t 50 + [>] Use curl to retreive web headers and find host information, e.g + [=] curl -i 192.168.1.50 + [=] curl -i 192.168.1.50/robots.txt -s | html2text + [*] Found MS SMB service on 192.168.1.5:445 + [>] Use nmap scripts or enum4linux for further enumeration, e.g + [=] nmap -sV -Pn -vv -p445 --script="smb-* -oN '/root/Documents/labs/192.168.1.5/nmap/192.168.1.5_smb.nmap' -oX '/root/Documents/labs/192.168.1.5/scans/192.168.1.5_smb_nmap_scan_import.xml' 192.168.1.5 + [=] enum4linux 192.168.1.5 + [*] Found RDP service on 192.168.1.5:3389 + [>] Use ncrackpassword cracking, e.g + [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://192.168.1.5 + ``` + ### Discover live hosts and hostnames within a range + ``` + python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --hostnames + ``` + + ### Discover live hosts within a range and then do a quick probe for services + ``` + python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services --quick + ``` + This will scan all services within a target range to create a file structure of live hosts as well as write recommendations for other commands to be executed based on the services discovered on these machines. Removing --quick will do a further probe but will greatly lengthen execution times. 
+ + ### Discover live hosts within a range and then do probe all ports (UDP and TCP) for services + ``` + python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services + ``` + + # Requirements + + This bare requirement for host and service scanning for this tool is to have both `nbtscan` and `nmap` installed. If you are not using host scanning and only wish to perform a ping sweep and service scan you can get away with only installing `nmap`. The outputted _findings.txt_ will often recommend additional tools which you may not have available in your distribution if not using Kali Linux. All requirements and recommendations are native to Kali Linux which is the recommended (although not required) distribution for using this tool. + + In addition to these requirements outputs will often refer to Wordlists that you may need to find. If you are undertaking OSCP these can be found in the "List of Recommended Tools" thread by g0tmilk. If not then you can find the majority of these online or already within a Kali Linux installation. + +Platform: UNKNOWN diff --git a/Reconnoitre.egg-info/SOURCES.txt b/Reconnoitre.egg-info/SOURCES.txt new file mode 100644 index 0000000..8261f66 --- /dev/null +++ b/Reconnoitre.egg-info/SOURCES.txt 
@@ -0,0 +1,23 @@
+MANIFEST.in
+README.md
+setup.py
+Reconnoitre/__init__.py
+Reconnoitre/reconnoitre.py
+Reconnoitre.egg-info/PKG-INFO
+Reconnoitre.egg-info/SOURCES.txt
+Reconnoitre.egg-info/dependency_links.txt
+Reconnoitre.egg-info/entry_points.txt
+Reconnoitre.egg-info/top_level.txt
+Reconnoitre/lib/__init__.py
+Reconnoitre/lib/config.json
+Reconnoitre/lib/file_helper.py
+Reconnoitre/lib/find_dns.py
+Reconnoitre/lib/hostname_scan.py
+Reconnoitre/lib/ping_sweeper.py
+Reconnoitre/lib/service_scan.py
+Reconnoitre/lib/snmp_walk.py
+Reconnoitre/lib/virtual_host_scanner.py
+Reconnoitre/lib/core/__init__.py
+Reconnoitre/lib/core/__version__.py
+Reconnoitre/lib/core/input.py
+Reconnoitre/wordlists/virtual-host-scanning.txt
\ No newline at end of file
diff --git a/Reconnoitre.egg-info/dependency_links.txt b/Reconnoitre.egg-info/dependency_links.txt
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/Reconnoitre.egg-info/dependency_links.txt
@@ -0,0 +1 @@
+
diff --git a/Reconnoitre.egg-info/entry_points.txt b/Reconnoitre.egg-info/entry_points.txt
new file mode 100644
index 0000000..259fb97
--- /dev/null
+++ b/Reconnoitre.egg-info/entry_points.txt
@@ -0,0 +1,3 @@
+[console_scripts]
+reconnoitre = Reconnoitre.reconnoitre:main
+
diff --git a/Reconnoitre.egg-info/top_level.txt b/Reconnoitre.egg-info/top_level.txt
new file mode 100644
index 0000000..a7da783
--- /dev/null
+++ b/Reconnoitre.egg-info/top_level.txt
@@ -0,0 +1 @@
+Reconnoitre
diff --git a/lib/__init__.py b/Reconnoitre/__init__.py
similarity index 100%
rename from lib/__init__.py
rename to Reconnoitre/__init__.py
diff --git a/lib/core/__init__.py b/Reconnoitre/lib/__init__.py
similarity index 100%
rename from lib/core/__init__.py
rename to Reconnoitre/lib/__init__.py
diff --git a/lib/config.json b/Reconnoitre/lib/config.json
similarity index 100%
rename from lib/config.json
rename to Reconnoitre/lib/config.json
diff --git a/Reconnoitre/lib/core/__init__.py b/Reconnoitre/lib/core/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/lib/core/__version__.py b/Reconnoitre/lib/core/__version__.py
similarity index 100%
rename from lib/core/__version__.py
rename to Reconnoitre/lib/core/__version__.py
diff --git a/lib/core/input.py b/Reconnoitre/lib/core/input.py
similarity index 100%
rename from lib/core/input.py
rename to Reconnoitre/lib/core/input.py
diff --git a/lib/file_helper.py b/Reconnoitre/lib/file_helper.py
similarity index 100%
rename from lib/file_helper.py
rename to Reconnoitre/lib/file_helper.py
diff --git a/lib/find_dns.py b/Reconnoitre/lib/find_dns.py
similarity index 100%
rename from lib/find_dns.py
rename to Reconnoitre/lib/find_dns.py
diff --git a/lib/hostname_scan.py b/Reconnoitre/lib/hostname_scan.py
similarity index 100%
rename from lib/hostname_scan.py
rename to Reconnoitre/lib/hostname_scan.py
diff --git a/lib/ping_sweeper.py b/Reconnoitre/lib/ping_sweeper.py
similarity index 100%
rename from lib/ping_sweeper.py
rename to Reconnoitre/lib/ping_sweeper.py
diff --git a/lib/service_scan.py b/Reconnoitre/lib/service_scan.py
similarity index 100%
rename from lib/service_scan.py
rename to Reconnoitre/lib/service_scan.py
diff --git a/lib/snmp_walk.py b/Reconnoitre/lib/snmp_walk.py
similarity index 100%
rename from lib/snmp_walk.py
rename to Reconnoitre/lib/snmp_walk.py
diff --git a/lib/virtual_host_scanner.py b/Reconnoitre/lib/virtual_host_scanner.py
similarity index 100%
rename from lib/virtual_host_scanner.py
rename to Reconnoitre/lib/virtual_host_scanner.py
diff --git a/reconnoitre.py b/Reconnoitre/reconnoitre.py
similarity index 100%
rename from reconnoitre.py
rename to Reconnoitre/reconnoitre.py
diff --git a/wordlists/virtual-host-scanning.txt b/Reconnoitre/wordlists/virtual-host-scanning.txt
similarity index 100%
rename from wordlists/virtual-host-scanning.txt
rename to Reconnoitre/wordlists/virtual-host-scanning.txt
diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/__init__.py b/build/lib.linux-x86_64-2.7/Reconnoitre/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/__init__.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/config.json b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/config.json
new file mode 100644
index 0000000..020cce6
--- /dev/null
+++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/config.json
@@ -0,0 +1,354 @@ +{ + "services": { + "http/s": { + "description": "Found HTTP/S service on $ip:$port", + "nmap-service-names": [ + "http", + "ssl/http", + "https", + "ssl/http-alt" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nikto -h $ip -p $port -output $outputdir/$ip_$port_nikto.txt", + "curl -i $ip:$port", + "w3m -dump $ip/robots.txt | tee $outputdir/$ip_$port_robots.txt", + "VHostScan -t $ip -oN $outputdir/$ip_$port_vhosts.txt" + ] + } + ] + }, + "http": { + "description": "Found HTTP service on $ip:$port", + "nmap-service-names": [ + "http" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", + "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" + ] + } + ] + }, + "https": { + "description": "Found HTTPS service on $ip:$port", + "nmap-service-names": [ + "https", + "ssl/http", + "ssl/http-alt" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "dirb https://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", + "dirbuster -H -u https://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e | tee 
'$outputdir/$ip_$port_gobuster_cgis.txt'" + ] + } + ] + }, + "ftp": { + "description": "Found FTP service on $ip:$port", + "nmap-service-names": [ + "ftp" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_$port_ftp' $ip", + "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_$port_ftphydra.txt -u $ip -s $port ftp" + ] + } + ] + }, + "mysql": { + "description": "Found MySql service on $ip:$port", + "nmap-service-names": [ + "mysql" + ], + "output": [ + { + "description": "Check out the server for web applications with sqli vulnerabilities", + "commands": [ + "searchsploit mysql" + ] + } + ] + }, + "dns": { + "description": "Found DNS service on $ip:$port", + "nmap-service-names": [ + "dns" + ], + "output": [ + { + "description": "Check out the server for zone transfers", + "commands": [ + "dnsrecon -t axfr -d $ip" + ] + } + ] + }, + "microsoftsql": { + "description": "Found MS SQL service on $ip:$port", + "nmap-service-names": [ + "ms-sql", + "ms-sql-s" + ], + "output": [ + { + "description": "Check out the server for web applications with sqli vulnerabilities", + "commands": [ + "searchsploit mssql" + ] + }, + { + "description": "Use nmap scripts for further enumeration, e.g", + "commands": [ + "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,smsql.username-sa,mssql.password-sa -oA $outputdir/$ip_$port_mssql_nmap_scan $ip" + ] + } + ] + }, + + "telnet": { + "description": "Found telnet service on $ip:$port", + "nmap-service-names": [ + "telnet" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "ncat -nv $ip $port" + ] + } + ] + }, + "smb": { + "description": "Found MS SMB service on $ip:$port", + "nmap-service-names": [ + "microsoft-ds" + ], + "output": [ + { + "description": "Enumeration", 
+ "commands": [ + "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_$port_smb.nmap' $ip", + "enum4linux -a $ip | tee $outputdir/$ip_$port_enum4linux.txt", + "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_$port_smb_smb-enum-users.nmap' $ip" + ] + } + ] + }, + "remotedesktop": { + "description": "Found RDP service on $ip:$port", + "nmap-service-names": [ + "msrdp", + "ms-wbt-server" + ], + "output": [ + { + "description": "Bruteforcing", + "commands": [ + "ncrack -vv --user administrator -P PASS_LIST rdp://$ip", + "crowbar -b rdp -u -s $ip/32 -U USER_LIST -C PASS_LIST", + "for username in $(cat USER_LIST); do for password in $(cat PASS_LIST) do; rdesktop -u $username -p $password $ip; done; done;" + ] + } + ] + }, + "smtp": { + "description": "Found SMTP service on $ip:$port", + "nmap-service-names": [ + "smtp" + ], + "output": [ + { + "description": "Find users", + "commands": [ + "smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top_shortlist.txt -t $ip -p $port" + ] + } + ] + }, + "snmp": { + "description": "Found SNMP service on $ip:$port", + "nmap-service-names": [ + "snmp" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_$port_snmp' $ip", + "onesixtyone $ip > $outputdir/$ip_$port_snmp_onesixtyone.txt", + "snmpwalk -c public -v1 $ip > $outputdir/$ip_$port_snmpwalk.txt" + ] + } + ] + }, + "ssh": { + "description": "Found SSH service on $ip:$port", + "nmap-service-names": [ + "ssh" + ], + "output": [ + { + "description": "Bruteforcing", + "commands": [ + "medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h $ip - $port -M ssh", + "hydra -f -V -t 1 -l root -P /usr/share/wordlists/rockyou.txt -s $port $ip ssh", + "ncrack -vv -p $port --user root -P PASS_LIST $ip" + ] + }, + { + "description": "Use nmap to automate banner grabbing and key fingerprints, e.g.", + "commands": [ + "nmap 
$ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_$port_ssh-hostkey'" + ] + } + ] + }, + "msrpc": { + "description": "Found MSRPC service on $ip:$port", + "nmap-service-names": [ + "msrpc", + "rpcbind" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "rpcclient -U \"\" $ip" + ] + }, + { + "description": "Bruteforce", + "commands": [ + "rpcclient -U \"\" $ip" + ] + } + ] + }, + "netbios-ssn": { + "description": "Found NetBIOS service on $ip:$port", + "nmap-service-names": [ + "netbios-ssn" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmblookup -A $ip", + "smbclient //MOUNT/share -I $ip N", + "smbclient -L //$ip", + "enum4linux -a $ip", + "rpcclient -U \"\" $ip" + ] + } + ] + }, + "CUPS": { + "description": "Found CUPS service on $ip:$port", + "nmap-service-names": [ + "ipp" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit cups" + ] + } + ] + }, + "java-rmi": { + "description": "Found CUPS service on $ip:$port", + "nmap-service-names": [ + "java-rmi" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit java rmi" + ] + } + ] + }, + "vnc": { + "description": "Found VNC service on $ip:$port", + "nmap-service-names": [ + "vnc", + "vnc-http" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit vnc" + ] + }, + { + "description": "Bruteforcing", + "commands": [ + "crowbar -b vnckey -s $ip/32 -p IP -k PASS_FILE" + ] + } + ] + }, + "oracle": { + "description": "Found Oracle service on $ip:$port", + "nmap-service-names": [ + "oracle-tns" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit Oracle TNS" + ] + } + ] + }, + "kerberos": { + "description": "Found Kerberos service on $ip:$port", + "nmap-service-names": [ + "kerberos-sec" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit kerberos" + ] + } + 
]
+ },
+ "ldap": {
+ "description": "Found LDAP service on $ip:$port",
+ "nmap-service-names": [
+ "ldap"
+ ],
+ "output": [
+ {
+ "description": "Find public exploits",
+ "commands": [
+ "searchsploit ldap"
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/__init__.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/__version__.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/__version__.py
new file mode 100644
index 0000000..19d8875
--- /dev/null
+++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/__version__.py
@@ -0,0 +1,6 @@
+#
+# |"""\-= RECONNOITRE
+# (____) An OSCP scanner by @codingo_
+# https://github.com/codingo/VHostScan
+
+__version__ = '1.0'
diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/input.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/input.py
new file mode 100644
index 0000000..ce2a754
--- /dev/null
+++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/core/input.py
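Review bot: The `java-rmi` entry's description is `Found CUPS service on $ip:$port`, copied from the `CUPS` entry directly above it, so a Java RMI match is reported as CUPS in the findings file; it should read `"description": "Found Java RMI service on $ip:$port"`. The `msrpc` entry repeats the identical `rpcclient -U \"\" $ip` command under both its "Enumeration" and "Bruteforce" headings, so the second block only duplicates output. This is the `build/` copy of the file; the same content is presumably in `Reconnoitre/lib/config.json`, which this commit renames unchanged from `lib/config.json`, so the fix belongs there.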
@@ -0,0 +1,118 @@ +from argparse import ArgumentParser +import os.path + + +class CliHelper(object): + @staticmethod + def readable_file(parser, arg): + if not os.path.exists(arg): + parser.error("The file %s does not exist!" % arg) + else: + return open(arg, 'r') # return an open file handle + + +class CliArgumentParser(object): + def __init__(self): + self._parser = self.setup_parser() + + def parse(self, argv): + return self._parser.parse_args(argv) + + @staticmethod + def setup_parser(): + parser = ArgumentParser() + + parser.add_argument("-t", + dest="target_hosts", + required=True, + help="Set a target range of addresses to target. Ex 10.11.1.1-255") + + parser.add_argument("-o", + dest="output_directory", + required=True, + help="Set the output directory. Ex /root/Documents/labs/") + + parser.add_argument("-w", + dest="wordlist", + required=False, + help="Set the wordlist to use for generated commands. Ex /usr/share/wordlist.txt", + default=False) + + parser.add_argument("-p", + dest="port", + required=False, + help="Set the port to use. Leave blank to use discovered ports. 
" + "Useful to force virtual host scanning on non-standard webserver ports.", + default=80) + + parser.add_argument("--pingsweep", + dest="ping_sweep", + action="store_true", + help="Write a new target.txt by performing a ping sweep and discovering live hosts.", + default=False) + + parser.add_argument("--dns", "--dnssweep", + dest="find_dns_servers", + action="store_true", + help="Find DNS servers from a list of targets.", + default=False) + + parser.add_argument("--services", + dest="perform_service_scan", + action="store_true", + help="Perform service scan over targets.", + default=False) + + parser.add_argument("--hostnames", + dest="hostname_scan", + action="store_true", + help="Attempt to discover target hostnames and write to 0-name.txt and hostnames.txt.", + default=False) + + parser.add_argument("--snmp", + dest="perform_snmp_walk", + action="store_true", + help="Perform service scan over targets.", + default=False) + + parser.add_argument("--quick", + dest="quick", + action="store_true", + required=False, + help="Move to the next target after performing a quick scan and writing " + "first-round recommendations.", + default=False) + + parser.add_argument("--virtualhosts", + dest="virtualhosts", + action="store_true", + required=False, + help="Attempt to discover virtual hosts using the specified wordlist.", + default=False) + + parser.add_argument('--ignore-http-codes', + dest='ignore_http_codes', + type=str, + help='Comma separated list of http codes to ignore with virtual host scans.', + default='404') + + parser.add_argument('--ignore-content-length', + dest='ignore_content_length', + type=int, + help='Ignore content lengths of specificed amount. 
' + 'This may become useful when a server returns a static page on ' + 'every virtual host guess.', + default=0) + + parser.add_argument("--quiet", + dest="quiet", + action="store_true", + help="Supress banner and headers to limit to comma dilimeted results only.", + default=False) + + parser.add_argument("--no-udp", + dest="no_udp_service_scan", + action="store_true", + help="Disable UDP services scan over targets.", + default=False) + return parser diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/file_helper.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/file_helper.py new file mode 100644 index 0000000..7991cbd --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/file_helper.py 
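Review bot: The `--snmp` option carries the `--services` help text (`Perform service scan over targets.`), so `-h` describes two different flags identically; the README in this same commit documents the flag as finding hosts that answer SNMP requests, so `help="Find hosts responding to SNMP requests from the list of targets."` would match. Related, `-p` says "Leave blank to use discovered ports" but has `default=80`, so downstream code cannot distinguish an explicit `-p 80` from no option at all; `default=None` would make the documented behaviour implementable, though the consumer is not in this diff. `CliHelper.readable_file` hands back an open file object whose closing is left to the caller, and its `else` branch is redundant because `parser.error` exits. This is the `build/` copy; the same code is presumably in `Reconnoitre/lib/core/input.py`, renamed unchanged from `lib/core/input.py` here.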
@@ -0,0 +1,120 @@ +import os +import json + + +def check_directory(output_directory): + try: + os.stat(output_directory) + except Exception: + os.mkdir(output_directory) + print("[!] %s didn't exist and has been created." % output_directory) + + +def load_targets(target_hosts, output_directory, quiet): + if (os.path.isdir(target_hosts) or os.path.isfile(target_hosts)): + return target_hosts + elif "-" in target_hosts: + expand_targets(target_hosts, output_directory) + return output_directory + "/targets.txt" + else: + return output_directory + "/targets.txt" + + +def expand_targets(target_hosts, output_directory): + parts = target_hosts.split(".") + target_list = [] + for part in parts: + if "-" in part: + iprange = part.split("-") + for i in range(int(iprange[0]), int(iprange[1])): + target_list.append(parts[0] + "." + parts[1] + "." + parts[2] + "." + str(i)) + with open(output_directory + "/targets.txt", "w") as targets: + for target in target_list: + targets.write("%s\n" % target) + + +def create_dir_structure(ip_address, output_directory): + print("[+] Creating directory structure for " + ip_address) + + hostdir = output_directory + "/" + ip_address + try: + os.stat(hostdir) + except Exception: + os.mkdir(hostdir) + + nmapdir = hostdir + "/scans" + print(" [>] Creating scans directory at: %s" % nmapdir) + try: + os.stat(nmapdir) + except Exception: + os.mkdir(nmapdir) + + exploitdir = hostdir + "/exploit" + print(" [>] Creating exploit directory at: %s" % exploitdir) + try: + os.stat(exploitdir) + except Exception: + os.mkdir(exploitdir) + + lootdir = hostdir + "/loot" + print(" [>] Creating loot directory at: %s" % lootdir) + try: + os.stat(lootdir) + except Exception: + os.mkdir(lootdir) + + prooffile = hostdir + "/proof.txt" + print(" [>] Creating proof file at: %s" % prooffile) + open(prooffile, 'a').close() + + +def write_recommendations(results, ip_address, outputdir): + recommendations_file = outputdir + "/" + ip_address + "_findings.txt" + serv_dict = 
{} + lines = results.split("\n") + for line in lines: + ports = [] + line = line.strip() + if ("tcp" in line) and ("open" in line) and not ("Discovered" in line): + while " " in line: + line = line.replace(" ", " ") + service = line.split(" ")[2] + port = line.split(" ")[0] + + if service in serv_dict: + ports = serv_dict[service] + + ports.append(port) + serv_dict[service] = ports + + print("[+] Writing findings for %s" % (ip_address)) + + __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__))) + with open(os.path.join(__location__, "config.json"), "r") as config: + c = config.read() + j = json.loads(c.replace("$ip", "%(ip)s").replace("$port", "%(port)s").replace("$outputdir", "%(outputdir)s")) + + f = open(recommendations_file, 'w') + for serv in serv_dict: + ports = serv_dict[serv] + + for service in j["services"]: + if (serv in j["services"][service]["nmap-service-names"]) or (service in serv): + for port in ports: + port = port.split("/")[0] + + description = "[*] " + j["services"][service]["description"] + print(description % {"ip": ip_address, "port": port}) + f.write((description + "\n") % {"ip": ip_address, "port": port}) + + for entry in j["services"][service]["output"]: + f.write(" [*] " + entry["description"] + "\n") + + for cmd in entry["commands"]: + f.write( + (" [=] " + cmd + "\n") % {"ip": ip_address, "port": port, "outputdir": outputdir}) + + f.write("\n") + + f.write("\n\n[*] Always remember to manually go over the portscan report and carefully read between the lines ;)") + f.close() diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/find_dns.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/find_dns.py new file mode 100644 index 0000000..38fb816 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/find_dns.py 
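Review bot: `expand_targets` drops the last address of a range: `range(int(iprange[0]), int(iprange[1]))` excludes the upper bound, so the README's `-t 192.168.1.1-252` never writes `.252` to `targets.txt`; use `range(int(iprange[0]), int(iprange[1]) + 1)`. The same function assembles every address from `parts[0]`, `parts[1]`, `parts[2]`, so a range placed in any octet but the last produces malformed targets and should be rejected with a clear error rather than written out. In `write_recommendations`, `f = open(recommendations_file, 'w')` is not in a `with` block, so a `KeyError` or `ValueError` from the `%` substitution (a command containing a `%` that is not one of `ip`/`port`/`outputdir`) leaves the findings file open and half-written; `with open(recommendations_file, 'w') as f:` around the loop fixes that and removes the trailing `f.close()`. `check_directory` and `create_dir_structure` treat any `Exception` from `os.stat` as "does not exist", which also swallows permission errors; `if not os.path.isdir(path): os.mkdir(path)` expresses the intent without the catch-all.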
@@ -0,0 +1,43 @@ +import subprocess + +from file_helper import check_directory +from file_helper import load_targets + + +def find_dns(target_hosts, output_directory, quiet): + check_directory(output_directory) + results = 0 + hostcount = 0 + dnscount = 0 + + output_file = open(output_directory + "/DNS-Detailed.txt", 'w') + output_targets = open(output_directory + "/DNS-targets.txt", 'w') + + targets = load_targets(target_hosts, output_directory, quiet) + target_file = open(targets, 'r') + + print("[*] Loaded targets from: %s" % targets) + print("[+] Enumerating TCP port 53 over targets to find dns servers") + + for ip_address in target_file: + hostcount += 1 + ip_address = ip_address.strip() + ip_address = ip_address.rstrip() + + print(" [>] Testing %s for DNS" % ip_address) + DNSSCAN = "nmap -n -sV -Pn -vv -p53 %s" % (ip_address) + results = subprocess.check_output(DNSSCAN, shell=True).decode("utf-8") + lines = results.split("\n") + + for line in lines: + line = line.strip() + line = line.rstrip() + if ("53/tcp" in line) and ("open" in line) and ("Discovered" not in line): + print(" [=] Found DNS service running on: %s" % (ip_address)) + output_file.write("[*] Found DNS service running on: %s\n" % (ip_address)) + output_file.write(" [>] %s\n" % (line)) + output_targets.write("%s" % (ip_address)) + dnscount += 1 + print("[*] Found %s DNS servers within %s hosts" % (str(dnscount), str(hostcount))) + output_file.close() + output_targets.close() diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/hostname_scan.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/hostname_scan.py new file mode 100644 index 0000000..cee97bf --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/hostname_scan.py 
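Review bot: `output_targets.write("%s" % (ip_address))` has no newline, so with more than one DNS server found `DNS-targets.txt` holds the addresses run together (e.g. `192.168.1.5192.168.1.6`) and cannot be fed back in with `-t`; write `output_targets.write("%s\n" % (ip_address))`. Each target is interpolated into a shell string and run with `shell=True`, yet `ip_address` comes from a user-supplied targets file, so a list call `subprocess.check_output(["nmap", "-n", "-sV", "-Pn", "-vv", "-p53", ip_address])` avoids any shell interpretation of stray characters; the same pattern is in `hostname_scan.py` and `ping_sweeper.py` in this commit. The three file handles are opened without `with`, so a `CalledProcessError` from nmap leaves them open and the two output files truncated. Finally, `from file_helper import check_directory` is an implicit relative import: now that the module is inside the `Reconnoitre.lib` package it will not resolve on the Python 3 versions the README badge advertises unless the entry point adds `Reconnoitre/lib` to `sys.path`, which is not in this diff; `from .file_helper import check_directory` resolves from within the package, and `hostname_scan.py` and `ping_sweeper.py` have the same import.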
@@ -0,0 +1,48 @@ +import os +import subprocess + +from file_helper import check_directory + + +def hostname_scan(target_hosts, output_directory, quiet): + check_directory(output_directory) + output_file = output_directory + "/hostnames.txt" + f = open(output_file, 'w') + print("[+] Writing hostnames to: %s" % output_file) + + hostnames = 0 + SWEEP = '' + + if (os.path.isfile(target_hosts)): + SWEEP = "nbtscan -q -f %s" % (target_hosts) + else: + SWEEP = "nbtscan -q %s" % (target_hosts) + + results = subprocess.check_output(SWEEP, shell=True).decode("utf-8") + lines = results.split("\n") + + for line in lines: + line = line.strip() + line = line.rstrip() + + # Final line is blank which causes list index issues if we don't + # continue past it. + if " " not in line: + continue + + while " " in line: + line = line.replace(" ", " ") + + ip_address = line.split(" ")[0] + host = line.split(" ")[1] + + if (hostnames > 0): + f.write('\n') + + print(" [>] Discovered hostname: %s (%s)" % (host, ip_address)) + f.write("%s - %s" % (host, ip_address)) + hostnames += 1 + + print("[*] Found %s hostnames." % (hostnames)) + print("[*] Created hostname list %s" % (output_file)) + f.close() diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/ping_sweeper.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/ping_sweeper.py new file mode 100644 index 0000000..3bea501 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/ping_sweeper.py 
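Review bot: The guard `if " " not in line: continue` only protects against the blank final line; any other line with a single token still reaches `line.split(" ")[1]` and raises IndexError. I cannot tell from the hunk whether `nbtscan -q` ever emits a single-column line, so a length check is the safer form: `fields = line.split(" ")` followed by `if len(fields) < 2: continue`. `f` is opened before `subprocess.check_output`, so if nbtscan is missing or exits non-zero the CalledProcessError propagates and hostnames.txt is left open and empty; wrapping the loop in `with open(output_file, 'w') as f:` fixes both the leak and the close at the end.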
@@ -0,0 +1,45 @@ +import subprocess + +from file_helper import check_directory + + +def ping_sweeper(target_hosts, output_directory, quiet): + check_directory(output_directory) + output_file = output_directory + "/targets.txt" + + print("[+] Performing ping sweep over %s" % target_hosts) + + lines = call_nmap_sweep(target_hosts) + live_hosts = parse_nmap_output_for_live_hosts(lines) + write_live_hosts_list_to_file(output_file, live_hosts) + + for ip_address in live_hosts: + print(" [>] Discovered host: %s" % (ip_address)) + + print("[*] Found %s live hosts" % (len(live_hosts))) + print("[*] Created target list %s" % (output_file)) + + +def call_nmap_sweep(target_hosts): + SWEEP = "nmap -n -sP %s" % (target_hosts) + + results = subprocess.check_output(SWEEP, shell=True) + lines = str(results).encode("utf-8").split("\n") + return lines + + +def parse_nmap_output_for_live_hosts(lines): + def get_ip_from_nmap_line(line): + return line.split()[4] + + live_hosts = [get_ip_from_nmap_line(line) + for line in lines + if "Nmap scan report for" in line] + + return live_hosts + + +def write_live_hosts_list_to_file(output_file, live_hosts): + print("[+] Writing discovered targets to: %s" % output_file) + with open(output_file, 'w') as f: + f.write("\n".join(live_hosts)) diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/service_scan.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/service_scan.py new file mode 100644 index 0000000..83702ad --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/service_scan.py 
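Review bot: `lines = str(results).encode("utf-8").split("\n")` in call_nmap_sweep breaks on Python 3, which the package metadata advertises: check_output returns bytes, `str(bytes)` yields the `b'...'` repr, and `bytes.split("\n")` raises TypeError because the separator is a str. The other modules in this diff decode the output, so the consistent fix is `results = subprocess.check_output(SWEEP, shell=True).decode("utf-8")` followed by `lines = results.split("\n")`. `get_ip_from_nmap_line` relies on `line.split()[4]`, which holds only because `-n` suppresses reverse lookups in the "Nmap scan report for" line; a comment saying so would stop someone dropping the flag later.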
@@ -0,0 +1,102 @@ +import multiprocessing +import socket +import subprocess + +from file_helper import check_directory +from file_helper import create_dir_structure +from file_helper import load_targets +from file_helper import write_recommendations + + +def nmap_scan(ip_address, output_directory, dns_server, quick, no_udp_service_scan): + ip_address = ip_address.strip() + + print("[+] Starting quick nmap scan for %s" % (ip_address)) + QUICKSCAN = "nmap -sC -sV %s -oA '%s/%s.quick'" % (ip_address, output_directory, ip_address) + quickresults = subprocess.check_output(QUICKSCAN, shell=True).decode("utf-8") + + write_recommendations(quickresults, ip_address, output_directory) + print("[*] TCP quick scans completed for %s" % ip_address) + + if (quick): + return + + if dns_server: + print("[+] Starting detailed TCP%s nmap scans for %s using DNS Server %s" % ( + ("" if no_udp_service_scan is True else "/UDP"), ip_address, dns_server)) + print("[+] Using DNS server %s" % (dns_server)) + TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 " \ + "--dns-servers %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s" % ( + dns_server, output_directory, ip_address, output_directory, ip_address, ip_address) + UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 --max-retries 0 " \ + "--dns-servers %s -oN '%s/%sU.nmap' -oX '%s/%sU_nmap_scan_import.xml' %s" % ( + dns_server, output_directory, ip_address, output_directory, ip_address, ip_address) + else: + print("[+] Starting detailed TCP%s nmap scans for %s" % ( + ("" if no_udp_service_scan is True else "/UDP"), ip_address)) + TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 " \ + "-script-args=unsafe=1 -n %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s" % ( + dns_server, output_directory, ip_address, output_directory, ip_address, ip_address) + UDPSCAN = "nmap -sC -sV -sU %s -oA '%s/%s-udp'" % (ip_address, output_directory, ip_address) + + udpresults = "" if no_udp_service_scan is True else 
subprocess.check_output(UDPSCAN, shell=True).decode("utf-8") + tcpresults = subprocess.check_output(TCPSCAN, shell=True).decode("utf-8") + + write_recommendations(tcpresults + udpresults, ip_address, output_directory) + print("[*] TCP%s scans completed for %s" % (("" if no_udp_service_scan is True else "/UDP"), ip_address)) + + +def valid_ip(address): + try: + socket.inet_aton(address) + return True + except socket.error: + return False + + +def target_file(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan): + targets = load_targets(target_hosts, output_directory, quiet) + target_file = open(targets, 'r') + try: + target_file = open(targets, 'r') + print("[*] Loaded targets from: %s" % targets) + except Exception: + print("[!] Unable to load: %s" % targets) + + for ip_address in target_file: + ip_address = ip_address.strip() + create_dir_structure(ip_address, output_directory) + + host_directory = output_directory + "/" + ip_address + nmap_directory = host_directory + "/scans" + + jobs = [] + p = multiprocessing.Process(target=nmap_scan, + args=(ip_address, nmap_directory, dns_server, quick, no_udp_service_scan)) + jobs.append(p) + p.start() + target_file.close() + + +def target_ip(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan): + print("[*] Loaded single target: %s" % target_hosts) + target_hosts = target_hosts.strip() + create_dir_structure(target_hosts, output_directory) + + host_directory = output_directory + "/" + target_hosts + nmap_directory = host_directory + "/scans" + + jobs = [] + p = multiprocessing.Process(target=nmap_scan, + args=(target_hosts, nmap_directory, dns_server, quick, no_udp_service_scan)) + jobs.append(p) + p.start() + + +def service_scan(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan): + check_directory(output_directory) + + if (valid_ip(target_hosts)): + target_ip(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan) + 
else: + target_file(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan) diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/snmp_walk.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/snmp_walk.py new file mode 100644 index 0000000..e514352 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/snmp_walk.py 
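Review bot: In target_file the first `target_file = open(targets, 'r')` sits outside the try block, so a missing targets file raises there and the `except Exception` that prints "[!] Unable to load" is never reached; drop the first open so the one inside the try is the only one. The nmap command strings interpolate `output_directory` and the target inside single quotes with `shell=True`, so a path containing a quote or shell metacharacter breaks the command silently; passing an argument list to check_output with the default shell=False removes the quoting problem, and the same applies to every module in this diff. `jobs` is appended to but never joined, so target_file returns and calls `target_file.close()` while the scan processes may still be running; joining the jobs at the end of the loop (or dropping the unused list) would make the lifetime explicit. The `quiet` argument is accepted by every function here and never used.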
@@ -0,0 +1,73 @@ +import multiprocessing +import socket +import subprocess + +from file_helper import check_directory, load_targets + + +def valid_ip(address): + try: + socket.inet_aton(address) + return True + except socket.error: + return False + + +def target_file(target_hosts, output_directory, quiet): + targets = load_targets(target_hosts, output_directory, quiet) + target_file = open(targets, 'r') + try: + target_file = open(targets, 'r') + print("[*] Loaded targets from: %s" % targets) + except Exception: + print("[!] Unable to load: %s" % targets) + + for ip_address in target_file: + ip_address = ip_address.strip() + + snmp_directory = output_directory + '/' + ip_address + '/scans/snmp/' + check_directory(snmp_directory) + + jobs = [] + p = multiprocessing.Process(target=snmp_scans, args=(ip_address, snmp_directory)) + jobs.append(p) + p.start() + target_file.close() + + +def target_ip(target_hosts, output_directory, quiet): + print("[*] Loaded single target: %s" % target_hosts) + target_hosts = target_hosts.strip() + + snmp_directory = output_directory + '/' + target_hosts + '/scans/snmp/' + check_directory(snmp_directory) + + jobs = [] + p = multiprocessing.Process(target=snmp_scans, args=(target_hosts, snmp_directory)) + jobs.append(p) + p.start() + + +def snmp_walk(target_hosts, output_directory, quiet): + check_directory(output_directory) + + if (valid_ip(target_hosts)): + target_ip(target_hosts, output_directory, quiet) + else: + target_file(target_hosts, output_directory, quiet) + + +def snmp_scans(ip_address, output_directory): + print("[+] Performing SNMP scans for %s to %s" % (ip_address, output_directory)) + print(" [>] Performing snmpwalk on public tree for: %s - Checking for System Processes" % (ip_address)) + SCAN = "snmpwalk -c public -v1 %s 1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % ( + ip_address, output_directory, ip_address) + + try: + subprocess.check_output(SCAN, stderr=subprocess.STDOUT, 
shell=True).decode("utf-8").decode('utf-8') + except Exception as e: + print("[+] No Response from %s" % ip_address) + except subprocess.CalledProcessError as cpe: + print("[+] Subprocess failure during scan of %s" % ip_address) + + print("[+] Completed SNMP scans for %s" % (ip_address)) diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/lib/virtual_host_scanner.py b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/virtual_host_scanner.py new file mode 100644 index 0000000..d18d22f --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/lib/virtual_host_scanner.py 
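Review bot: The chained `.decode("utf-8").decode('utf-8')` on the check_output result fails on Python 3, where the first decode already yields a str that has no decode method, so the AttributeError is caught by `except Exception as e` and every host is reported as "No Response" regardless of the scan outcome. The `except subprocess.CalledProcessError` clause below it is unreachable because `Exception` is caught first; reverse the clause order and drop the second decode: `subprocess.check_output(SCAN, stderr=subprocess.STDOUT, shell=True).decode("utf-8")`, then `except subprocess.CalledProcessError:` before `except Exception:`. target_file here repeats the double-open defect of service_scan's target_file, with the first open outside the try.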
@@ -0,0 +1,74 @@ +#!/usr/bin/python + +import os +import requests + + +class VirtualHostScanner(object): + """Virtual host scanning class for Reconnoitre + + Virtual host scanner has the following properties: + + Attributes: + wordlist: location to a wordlist file to use with scans + target: the target for scanning + port: the port to scan. Defaults to 80 + ignore_http_codes: commad seperated list of http codes to ignore + ignore_content_length: integer value of content length to ignore + output: folder to write output file to + + """ + + def __init__(self, target, output, port=80, ignore_http_codes='404', ignore_content_length=0, + wordlist="./wordlist/virtual-host-scanning.txt"): + self.target = target + self.output = output + '/' + target + '_virtualhosts.txt' + self.port = port + self.ignore_http_codes = list(map(int, ignore_http_codes.replace(' ', '').split(','))) + self.ignore_content_length = ignore_content_length + self.wordlist = wordlist + + def scan(self): + print("[+] Starting virtual host scan for %s using port %s and wordlist %s" % ( + self.target, str(self.port), self.wordlist)) + print("[>] Ignoring HTTP codes: %s" % (self.ignore_http_codes)) + if (self.ignore_content_length > 0): + print("[>] Ignoring Content length: %s" % (self.ignore_content_length)) + + if not os.path.exists(self.wordlist): + print("[!] Wordlist %s doesn't exist, exiting virtual host scanner." 
% self.wordlist) + return + + virtual_host_list = open(self.wordlist).read().splitlines() + results = '' + + for virtual_host in virtual_host_list: + hostname = virtual_host.replace('%s', self.target) + + headers = { + 'Host': hostname if self.port == 80 else '{}:{}'.format(hostname, self.port), + 'Accept': '*/*' + } + + dest_url = '{}://{}:{}/'.format('https' if int(self.port) == 443 else 'http', self.target, self.port) + + try: + res = requests.get(dest_url, headers=headers, verify=False) + except requests.exceptions.RequestException: + continue + + if res.status_code in self.ignore_http_codes: + continue + + if self.ignore_content_length > 0 and self.ignore_content_length == int(res.headers.get('content-length')): + continue + + output = 'Found: {} (code: {}, length: {})'.format(hostname, res.status_code, + res.headers.get('content-length')) + results += output + '\n' + + print(output) + for key, val in res.headers.items(): + output = ' {}: {}'.format(key, val) + results += output + '\n' + print(output) diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/reconnoitre.py b/build/lib.linux-x86_64-2.7/Reconnoitre/reconnoitre.py new file mode 100644 index 0000000..ccab11a --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/reconnoitre.py 
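Review bot: scan() accumulates findings in `results` and __init__ computes `self.output`, but nothing in this 74-line file writes `results` to that path, so the virtual host scan produces console output only; add a write of `results` to `self.output` at the end of scan(). `int(res.headers.get('content-length'))` raises TypeError when the response carries no Content-Length header (chunked responses), and the `self.ignore_content_length > 0` guard only avoids that when the option is unset; read `res.headers.get('content-length', '')` and skip the comparison when it is empty. The default wordlist path `./wordlist/virtual-host-scanning.txt` is relative to the working directory and names a `wordlist` directory, while this commit ships the file under `Reconnoitre/wordlists/`, so the default never resolves unless the user passes -w. `verify=False` is presumably deliberate for lab hosts with self-signed certificates; a one-line comment saying so would keep it from being "fixed" later.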
@@ -0,0 +1,110 @@ +#!/usr/bin/python + + +import sys + +from lib.core.input import CliArgumentParser +from lib.find_dns import find_dns +from lib.hostname_scan import hostname_scan +from lib.ping_sweeper import ping_sweeper +from lib.service_scan import service_scan +from lib.snmp_walk import snmp_walk +from lib.virtual_host_scanner import VirtualHostScanner + + +def print_banner(): + print(" __") + print("|\"\"\"\-= RECONNOITRE") + print("(____) An OSCP scanner by @codingo_\n") + + +def util_checks(util=None): + if util is None: + print("[!] Error hit in chktool: None encountered for util.") + sys.exit(1) + + pyvers = sys.version_info + + if (pyvers[0] >= 3) and (pyvers[1] >= 3): # python3.3+ + import shutil + if shutil.which(util) is None: + if util is "nmap": + print( + " [!] nmap was not found on your system. Exiting since we wont be able to scan anything. " + "Please install nmap and try again.") + sys.exit(1) + else: + print(" [-] %s was not found in your system. Scan types using this will fail." % util) + return "Not Found" + else: + return "Found" + else: # less-than python 3.3 + from distutils import spawn + if spawn.find_executable(util) is None: + if util is "nmap": + print( + " [!] nmap was not found on your system. Exiting since we wont be able to scan anything. " + "Please install nmap and try again.") + sys.exit(1) + else: + print(" [-] %s was not found in your system. Scan types using this will fail." 
% util) + return "Not Found" + else: + return "Found" + + +def main(): + parser = CliArgumentParser() + arguments = parser.parse(sys.argv[1:]) + + if arguments.output_directory.endswith('/' or '\\'): + arguments.output_directory = arguments.output_directory[:-1] + if arguments.target_hosts.endswith('/' or '\\'): + arguments.target_hosts = arguments.target_hosts[:-1] + + if arguments.quiet is not True: + print_banner() + print("[+] Testing for required utilities on your system.") + + utils = ['nmap', 'snmpwalk', 'nbtscan'] # list of utils to check on local system. + for util in utils: + util_checks(util) + + if arguments.ping_sweep is True: + print("[#] Performing ping sweep") + ping_sweeper(arguments.target_hosts, arguments.output_directory, arguments.quiet) + + if arguments.hostname_scan is True: + print("[#] Identifying hostnames") + hostname_scan(arguments.target_hosts, arguments.output_directory, arguments.quiet) + + if arguments.find_dns_servers is True: + print("[#] Identifying DNS Servers") + find_dns(arguments.target_hosts, arguments.output_directory, arguments.quiet) + + if arguments.perform_service_scan is True: + print("[#] Performing service scans") + if arguments.find_dns_servers is True: + service_scan(arguments.target_hosts, arguments.output_directory, arguments.find_dns_servers, + arguments.quiet, arguments.quick, arguments.no_udp_service_scan) + else: + service_scan(arguments.target_hosts, arguments.output_directory, '', arguments.quiet, arguments.quick, + arguments.no_udp_service_scan) + + if arguments.perform_snmp_walk is True: + print("[#] Performing SNMP walks") + snmp_walk(arguments.target_hosts, arguments.output_directory, arguments.quiet) + + if arguments.virtualhosts is True: + print("[#] Performing Virtual host scans") + if arguments.wordlist is False: + print("[!] 
No wordlist was provided, skipping virtual host scanning.") + else: + scanner = VirtualHostScanner(arguments.target_hosts, arguments.output_directory, arguments.port, + arguments.ignore_http_codes, arguments.ignore_content_length, + arguments.wordlist) + scanner.scan() + + +if __name__ == "__main__": + main() diff --git a/build/lib.linux-x86_64-2.7/Reconnoitre/wordlists/virtual-host-scanning.txt b/build/lib.linux-x86_64-2.7/Reconnoitre/wordlists/virtual-host-scanning.txt new file mode 100644 index 0000000..80c09a6 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/Reconnoitre/wordlists/virtual-host-scanning.txt @@ -0,0 +1,34 @@ +www.%s +dev.%s +local +localhost +status.%s +status +staging.%s +staging +development +development.%s +uat +uat.%s +%s +beta +beta.%s +secure +secure.%s +mobile +mobile.%s +127.0.0.1 +m.%s +m +admin +admin.%s +old +old.%s +v1.%s +v1 +v2.%s +v2 +v3.%s +v3 +alpha +alpha.%s \ No newline at end of file diff --git a/build/lib.linux-x86_64-2.7/lib/__init__.py b/build/lib.linux-x86_64-2.7/lib/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/build/lib.linux-x86_64-2.7/lib/core/__init__.py b/build/lib.linux-x86_64-2.7/lib/core/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/build/lib.linux-x86_64-2.7/lib/core/__version__.py b/build/lib.linux-x86_64-2.7/lib/core/__version__.py new file mode 100644 index 0000000..19d8875 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/core/__version__.py @@ -0,0 +1,6 @@ +# +# |"""\-= RECONNOITRE +# (____) An OSCP scanner by @codingo_ +# https://github.com/codingo/VHostScan + +__version__ = '1.0' diff --git a/build/lib.linux-x86_64-2.7/lib/core/input.py b/build/lib.linux-x86_64-2.7/lib/core/input.py new file mode 100644 index 0000000..ce2a754 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/core/input.py 
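Review bot: `util is "nmap"` in util_checks compares by identity, which is interpreter-dependent and already triggers a SyntaxWarning on recent CPython; use `util == "nmap"` in both branches. `arguments.output_directory.endswith('/' or '\\')` evaluates `'/' or '\\'` to `'/'` first, so the backslash case is never stripped; the intended form is `endswith(('/', '\\'))` for both the output directory and the target path. In main, `arguments.find_dns_servers` is a boolean flag, so when --dns is set service_scan receives `True` as dns_server and nmap is invoked with `--dns-servers True`; the addresses find_dns wrote to DNS-targets.txt (or an explicit server address) would be needed to pass a usable value. The version check `(pyvers[0] >= 3) and (pyvers[1] >= 3)` also sends a hypothetical 4.0–4.2 down the distutils branch; `sys.version_info >= (3, 3)` is the usual comparison.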
@@ -0,0 +1,118 @@ +from argparse import ArgumentParser +import os.path + + +class CliHelper(object): + @staticmethod + def readable_file(parser, arg): + if not os.path.exists(arg): + parser.error("The file %s does not exist!" % arg) + else: + return open(arg, 'r') # return an open file handle + + +class CliArgumentParser(object): + def __init__(self): + self._parser = self.setup_parser() + + def parse(self, argv): + return self._parser.parse_args(argv) + + @staticmethod + def setup_parser(): + parser = ArgumentParser() + + parser.add_argument("-t", + dest="target_hosts", + required=True, + help="Set a target range of addresses to target. Ex 10.11.1.1-255") + + parser.add_argument("-o", + dest="output_directory", + required=True, + help="Set the output directory. Ex /root/Documents/labs/") + + parser.add_argument("-w", + dest="wordlist", + required=False, + help="Set the wordlist to use for generated commands. Ex /usr/share/wordlist.txt", + default=False) + + parser.add_argument("-p", + dest="port", + required=False, + help="Set the port to use. Leave blank to use discovered ports. 
" + "Useful to force virtual host scanning on non-standard webserver ports.", + default=80) + + parser.add_argument("--pingsweep", + dest="ping_sweep", + action="store_true", + help="Write a new target.txt by performing a ping sweep and discovering live hosts.", + default=False) + + parser.add_argument("--dns", "--dnssweep", + dest="find_dns_servers", + action="store_true", + help="Find DNS servers from a list of targets.", + default=False) + + parser.add_argument("--services", + dest="perform_service_scan", + action="store_true", + help="Perform service scan over targets.", + default=False) + + parser.add_argument("--hostnames", + dest="hostname_scan", + action="store_true", + help="Attempt to discover target hostnames and write to 0-name.txt and hostnames.txt.", + default=False) + + parser.add_argument("--snmp", + dest="perform_snmp_walk", + action="store_true", + help="Perform service scan over targets.", + default=False) + + parser.add_argument("--quick", + dest="quick", + action="store_true", + required=False, + help="Move to the next target after performing a quick scan and writing " + "first-round recommendations.", + default=False) + + parser.add_argument("--virtualhosts", + dest="virtualhosts", + action="store_true", + required=False, + help="Attempt to discover virtual hosts using the specified wordlist.", + default=False) + + parser.add_argument('--ignore-http-codes', + dest='ignore_http_codes', + type=str, + help='Comma separated list of http codes to ignore with virtual host scans.', + default='404') + + parser.add_argument('--ignore-content-length', + dest='ignore_content_length', + type=int, + help='Ignore content lengths of specificed amount. 
' + 'This may become useful when a server returns a static page on ' + 'every virtual host guess.', + default=0) + + parser.add_argument("--quiet", + dest="quiet", + action="store_true", + help="Supress banner and headers to limit to comma dilimeted results only.", + default=False) + + parser.add_argument("--no-udp", + dest="no_udp_service_scan", + action="store_true", + help="Disable UDP services scan over targets.", + default=False) + return parser diff --git a/build/lib.linux-x86_64-2.7/lib/file_helper.py b/build/lib.linux-x86_64-2.7/lib/file_helper.py new file mode 100644 index 0000000..7991cbd --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/file_helper.py 
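Review bot: The `-p` option has no `type=int`, so its default is the int 80 while a user-supplied value arrives as a str; VirtualHostScanner compares `self.port == 80` and later calls `int(self.port)`, so `-p 80` does not take the same Host-header path as the default. Add `type=int` to the `-p` argument. `CliHelper.readable_file` returns an open file handle that nothing closes and is not referenced by setup_parser, so it is either dead code or should return the path and let the caller open it with `with`. The `--snmp` help text repeats the `--services` text ("Perform service scan over targets."), and several help strings carry typos (specificed, Supress, dilimeted).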
@@ -0,0 +1,120 @@ +import os +import json + + +def check_directory(output_directory): + try: + os.stat(output_directory) + except Exception: + os.mkdir(output_directory) + print("[!] %s didn't exist and has been created." % output_directory) + + +def load_targets(target_hosts, output_directory, quiet): + if (os.path.isdir(target_hosts) or os.path.isfile(target_hosts)): + return target_hosts + elif "-" in target_hosts: + expand_targets(target_hosts, output_directory) + return output_directory + "/targets.txt" + else: + return output_directory + "/targets.txt" + + +def expand_targets(target_hosts, output_directory): + parts = target_hosts.split(".") + target_list = [] + for part in parts: + if "-" in part: + iprange = part.split("-") + for i in range(int(iprange[0]), int(iprange[1])): + target_list.append(parts[0] + "." + parts[1] + "." + parts[2] + "." + str(i)) + with open(output_directory + "/targets.txt", "w") as targets: + for target in target_list: + targets.write("%s\n" % target) + + +def create_dir_structure(ip_address, output_directory): + print("[+] Creating directory structure for " + ip_address) + + hostdir = output_directory + "/" + ip_address + try: + os.stat(hostdir) + except Exception: + os.mkdir(hostdir) + + nmapdir = hostdir + "/scans" + print(" [>] Creating scans directory at: %s" % nmapdir) + try: + os.stat(nmapdir) + except Exception: + os.mkdir(nmapdir) + + exploitdir = hostdir + "/exploit" + print(" [>] Creating exploit directory at: %s" % exploitdir) + try: + os.stat(exploitdir) + except Exception: + os.mkdir(exploitdir) + + lootdir = hostdir + "/loot" + print(" [>] Creating loot directory at: %s" % lootdir) + try: + os.stat(lootdir) + except Exception: + os.mkdir(lootdir) + + prooffile = hostdir + "/proof.txt" + print(" [>] Creating proof file at: %s" % prooffile) + open(prooffile, 'a').close() + + +def write_recommendations(results, ip_address, outputdir): + recommendations_file = outputdir + "/" + ip_address + "_findings.txt" + serv_dict = 
{} + lines = results.split("\n") + for line in lines: + ports = [] + line = line.strip() + if ("tcp" in line) and ("open" in line) and not ("Discovered" in line): + while " " in line: + line = line.replace(" ", " ") + service = line.split(" ")[2] + port = line.split(" ")[0] + + if service in serv_dict: + ports = serv_dict[service] + + ports.append(port) + serv_dict[service] = ports + + print("[+] Writing findings for %s" % (ip_address)) + + __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__))) + with open(os.path.join(__location__, "config.json"), "r") as config: + c = config.read() + j = json.loads(c.replace("$ip", "%(ip)s").replace("$port", "%(port)s").replace("$outputdir", "%(outputdir)s")) + + f = open(recommendations_file, 'w') + for serv in serv_dict: + ports = serv_dict[serv] + + for service in j["services"]: + if (serv in j["services"][service]["nmap-service-names"]) or (service in serv): + for port in ports: + port = port.split("/")[0] + + description = "[*] " + j["services"][service]["description"] + print(description % {"ip": ip_address, "port": port}) + f.write((description + "\n") % {"ip": ip_address, "port": port}) + + for entry in j["services"][service]["output"]: + f.write(" [*] " + entry["description"] + "\n") + + for cmd in entry["commands"]: + f.write( + (" [=] " + cmd + "\n") % {"ip": ip_address, "port": port, "outputdir": outputdir}) + + f.write("\n") + + f.write("\n\n[*] Always remember to manually go over the portscan report and carefully read between the lines ;)") + f.close() diff --git a/build/lib.linux-x86_64-2.7/lib/find_dns.py b/build/lib.linux-x86_64-2.7/lib/find_dns.py new file mode 100644 index 0000000..38fb816 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/find_dns.py 
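Review bot: expand_targets uses `range(int(iprange[0]), int(iprange[1]))`, which excludes the upper bound, so the `10.11.1.1-255` example from the -t help text never includes .255; use `range(int(iprange[0]), int(iprange[1]) + 1)`. The same loop always rebuilds the address from `parts[0]`, `parts[1]`, `parts[2]` and the counter, so a range in any octet other than the last produces wrong addresses; the counter should be substituted into the octet that held the range. check_directory catches `Exception` around os.stat and then calls os.mkdir, which still raises if the parent directory is missing; `os.makedirs` would cover nested output paths. write_recommendations opens recommendations_file without a `with`, so an exception inside the loop leaves the file unclosed.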
@@ -0,0 +1,43 @@ +import subprocess + +from file_helper import check_directory +from file_helper import load_targets + + +def find_dns(target_hosts, output_directory, quiet): + check_directory(output_directory) + results = 0 + hostcount = 0 + dnscount = 0 + + output_file = open(output_directory + "/DNS-Detailed.txt", 'w') + output_targets = open(output_directory + "/DNS-targets.txt", 'w') + + targets = load_targets(target_hosts, output_directory, quiet) + target_file = open(targets, 'r') + + print("[*] Loaded targets from: %s" % targets) + print("[+] Enumerating TCP port 53 over targets to find dns servers") + + for ip_address in target_file: + hostcount += 1 + ip_address = ip_address.strip() + ip_address = ip_address.rstrip() + + print(" [>] Testing %s for DNS" % ip_address) + DNSSCAN = "nmap -n -sV -Pn -vv -p53 %s" % (ip_address) + results = subprocess.check_output(DNSSCAN, shell=True).decode("utf-8") + lines = results.split("\n") + + for line in lines: + line = line.strip() + line = line.rstrip() + if ("53/tcp" in line) and ("open" in line) and ("Discovered" not in line): + print(" [=] Found DNS service running on: %s" % (ip_address)) + output_file.write("[*] Found DNS service running on: %s\n" % (ip_address)) + output_file.write(" [>] %s\n" % (line)) + output_targets.write("%s" % (ip_address)) + dnscount += 1 + print("[*] Found %s DNS servers within %s hosts" % (str(dnscount), str(hostcount))) + output_file.close() + output_targets.close() diff --git a/build/lib.linux-x86_64-2.7/lib/hostname_scan.py b/build/lib.linux-x86_64-2.7/lib/hostname_scan.py new file mode 100644 index 0000000..cee97bf --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/hostname_scan.py 
@@ -0,0 +1,48 @@ +import os +import subprocess + +from file_helper import check_directory + + +def hostname_scan(target_hosts, output_directory, quiet): + check_directory(output_directory) + output_file = output_directory + "/hostnames.txt" + f = open(output_file, 'w') + print("[+] Writing hostnames to: %s" % output_file) + + hostnames = 0 + SWEEP = '' + + if (os.path.isfile(target_hosts)): + SWEEP = "nbtscan -q -f %s" % (target_hosts) + else: + SWEEP = "nbtscan -q %s" % (target_hosts) + + results = subprocess.check_output(SWEEP, shell=True).decode("utf-8") + lines = results.split("\n") + + for line in lines: + line = line.strip() + line = line.rstrip() + + # Final line is blank which causes list index issues if we don't + # continue past it. + if " " not in line: + continue + + while " " in line: + line = line.replace(" ", " ") + + ip_address = line.split(" ")[0] + host = line.split(" ")[1] + + if (hostnames > 0): + f.write('\n') + + print(" [>] Discovered hostname: %s (%s)" % (host, ip_address)) + f.write("%s - %s" % (host, ip_address)) + hostnames += 1 + + print("[*] Found %s hostnames." % (hostnames)) + print("[*] Created hostname list %s" % (output_file)) + f.close() diff --git a/build/lib.linux-x86_64-2.7/lib/ping_sweeper.py b/build/lib.linux-x86_64-2.7/lib/ping_sweeper.py new file mode 100644 index 0000000..3bea501 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/ping_sweeper.py 
@@ -0,0 +1,45 @@ +import subprocess + +from file_helper import check_directory + + +def ping_sweeper(target_hosts, output_directory, quiet): + check_directory(output_directory) + output_file = output_directory + "/targets.txt" + + print("[+] Performing ping sweep over %s" % target_hosts) + + lines = call_nmap_sweep(target_hosts) + live_hosts = parse_nmap_output_for_live_hosts(lines) + write_live_hosts_list_to_file(output_file, live_hosts) + + for ip_address in live_hosts: + print(" [>] Discovered host: %s" % (ip_address)) + + print("[*] Found %s live hosts" % (len(live_hosts))) + print("[*] Created target list %s" % (output_file)) + + +def call_nmap_sweep(target_hosts): + SWEEP = "nmap -n -sP %s" % (target_hosts) + + results = subprocess.check_output(SWEEP, shell=True) + lines = str(results).encode("utf-8").split("\n") + return lines + + +def parse_nmap_output_for_live_hosts(lines): + def get_ip_from_nmap_line(line): + return line.split()[4] + + live_hosts = [get_ip_from_nmap_line(line) + for line in lines + if "Nmap scan report for" in line] + + return live_hosts + + +def write_live_hosts_list_to_file(output_file, live_hosts): + print("[+] Writing discovered targets to: %s" % output_file) + with open(output_file, 'w') as f: + f.write("\n".join(live_hosts)) diff --git a/build/lib.linux-x86_64-2.7/lib/service_scan.py b/build/lib.linux-x86_64-2.7/lib/service_scan.py new file mode 100644 index 0000000..83702ad --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/service_scan.py 
@@ -0,0 +1,102 @@ +import multiprocessing +import socket +import subprocess + +from file_helper import check_directory +from file_helper import create_dir_structure +from file_helper import load_targets +from file_helper import write_recommendations + + +def nmap_scan(ip_address, output_directory, dns_server, quick, no_udp_service_scan): + ip_address = ip_address.strip() + + print("[+] Starting quick nmap scan for %s" % (ip_address)) + QUICKSCAN = "nmap -sC -sV %s -oA '%s/%s.quick'" % (ip_address, output_directory, ip_address) + quickresults = subprocess.check_output(QUICKSCAN, shell=True).decode("utf-8") + + write_recommendations(quickresults, ip_address, output_directory) + print("[*] TCP quick scans completed for %s" % ip_address) + + if (quick): + return + + if dns_server: + print("[+] Starting detailed TCP%s nmap scans for %s using DNS Server %s" % ( + ("" if no_udp_service_scan is True else "/UDP"), ip_address, dns_server)) + print("[+] Using DNS server %s" % (dns_server)) + TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 " \ + "--dns-servers %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s" % ( + dns_server, output_directory, ip_address, output_directory, ip_address, ip_address) + UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 --max-retries 0 " \ + "--dns-servers %s -oN '%s/%sU.nmap' -oX '%s/%sU_nmap_scan_import.xml' %s" % ( + dns_server, output_directory, ip_address, output_directory, ip_address, ip_address) + else: + print("[+] Starting detailed TCP%s nmap scans for %s" % ( + ("" if no_udp_service_scan is True else "/UDP"), ip_address)) + TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 " \ + "-script-args=unsafe=1 -n %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s" % ( + dns_server, output_directory, ip_address, output_directory, ip_address, ip_address) + UDPSCAN = "nmap -sC -sV -sU %s -oA '%s/%s-udp'" % (ip_address, output_directory, ip_address) + + udpresults = "" if no_udp_service_scan is True else 
subprocess.check_output(UDPSCAN, shell=True).decode("utf-8") + tcpresults = subprocess.check_output(TCPSCAN, shell=True).decode("utf-8") + + write_recommendations(tcpresults + udpresults, ip_address, output_directory) + print("[*] TCP%s scans completed for %s" % (("" if no_udp_service_scan is True else "/UDP"), ip_address)) + + +def valid_ip(address): + try: + socket.inet_aton(address) + return True + except socket.error: + return False + + +def target_file(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan): + targets = load_targets(target_hosts, output_directory, quiet) + target_file = open(targets, 'r') + try: + target_file = open(targets, 'r') + print("[*] Loaded targets from: %s" % targets) + except Exception: + print("[!] Unable to load: %s" % targets) + + for ip_address in target_file: + ip_address = ip_address.strip() + create_dir_structure(ip_address, output_directory) + + host_directory = output_directory + "/" + ip_address + nmap_directory = host_directory + "/scans" + + jobs = [] + p = multiprocessing.Process(target=nmap_scan, + args=(ip_address, nmap_directory, dns_server, quick, no_udp_service_scan)) + jobs.append(p) + p.start() + target_file.close() + + +def target_ip(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan): + print("[*] Loaded single target: %s" % target_hosts) + target_hosts = target_hosts.strip() + create_dir_structure(target_hosts, output_directory) + + host_directory = output_directory + "/" + target_hosts + nmap_directory = host_directory + "/scans" + + jobs = [] + p = multiprocessing.Process(target=nmap_scan, + args=(target_hosts, nmap_directory, dns_server, quick, no_udp_service_scan)) + jobs.append(p) + p.start() + + +def service_scan(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan): + check_directory(output_directory) + + if (valid_ip(target_hosts)): + target_ip(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan) + 
else: + target_file(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan) diff --git a/build/lib.linux-x86_64-2.7/lib/snmp_walk.py b/build/lib.linux-x86_64-2.7/lib/snmp_walk.py new file mode 100644 index 0000000..e514352 --- /dev/null +++ b/build/lib.linux-x86_64-2.7/lib/snmp_walk.py 
@@ -0,0 +1,73 @@
+import multiprocessing
+import socket
+import subprocess
+
+from file_helper import check_directory, load_targets
+
+
+def valid_ip(address):
+ try:
+ socket.inet_aton(address)
+ return True
+ except socket.error:
+ return False
+
+
+def target_file(target_hosts, output_directory, quiet):
+ targets = load_targets(target_hosts, output_directory, quiet)
+ target_file = open(targets, 'r')
+ try:
+ target_file = open(targets, 'r')
+ print("[*] Loaded targets from: %s" % targets)
+ except Exception:
+ print("[!] Unable to load: %s" % targets)
+
+ for ip_address in target_file:
+ ip_address = ip_address.strip()
+
+ snmp_directory = output_directory + '/' + ip_address + '/scans/snmp/'
+ check_directory(snmp_directory)
+
+ jobs = []
+ p = multiprocessing.Process(target=snmp_scans, args=(ip_address, snmp_directory))
+ jobs.append(p)
+ p.start()
+ target_file.close()
+
+
+def target_ip(target_hosts, output_directory, quiet):
+ print("[*] Loaded single target: %s" % target_hosts)
+ target_hosts = target_hosts.strip()
+
+ snmp_directory = output_directory + '/' + target_hosts + '/scans/snmp/'
+ check_directory(snmp_directory)
+
+ jobs = []
+ p = multiprocessing.Process(target=snmp_scans, args=(target_hosts, snmp_directory))
+ jobs.append(p)
+ p.start()
+
+
+def snmp_walk(target_hosts, output_directory, quiet):
+ check_directory(output_directory)
+
+ if (valid_ip(target_hosts)):
+ target_ip(target_hosts, output_directory, quiet)
+ else:
+ target_file(target_hosts, output_directory, quiet)
+
+
+def snmp_scans(ip_address, output_directory):
+ print("[+] Performing SNMP scans for %s to %s" % (ip_address, output_directory))
+ print(" [>] Performing snmpwalk on public tree for: %s - Checking for System Processes" % (ip_address))
+ SCAN = "snmpwalk -c public -v1 %s 1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % (
+ ip_address, output_directory, ip_address)
+
+ try:
+ subprocess.check_output(SCAN, stderr=subprocess.STDOUT, shell=True).decode("utf-8").decode('utf-8')
+ except Exception as e:
+ print("[+] No Response from %s" % ip_address)
+ except subprocess.CalledProcessError as cpe:
+ print("[+] Subprocess failure during scan of %s" % ip_address)
+
+ print("[+] Completed SNMP scans for %s" % (ip_address))
diff --git a/build/lib.linux-x86_64-2.7/lib/virtual_host_scanner.py b/build/lib.linux-x86_64-2.7/lib/virtual_host_scanner.py
new file mode 100644
index 0000000..d18d22f
--- /dev/null
+++ b/build/lib.linux-x86_64-2.7/lib/virtual_host_scanner.py
@@ -0,0 +1,74 @@
+#!/usr/bin/python
+
+import os
+import requests
+
+
+class VirtualHostScanner(object):
+ """Virtual host scanning class for Reconnoitre
+
+ Virtual host scanner has the following properties:
+
+ Attributes:
+ wordlist: location to a wordlist file to use with scans
+ target: the target for scanning
+ port: the port to scan. Defaults to 80
+ ignore_http_codes: commad seperated list of http codes to ignore
+ ignore_content_length: integer value of content length to ignore
+ output: folder to write output file to
+
+ """
+
+ def __init__(self, target, output, port=80, ignore_http_codes='404', ignore_content_length=0,
+ wordlist="./wordlist/virtual-host-scanning.txt"):
+ self.target = target
+ self.output = output + '/' + target + '_virtualhosts.txt'
+ self.port = port
+ self.ignore_http_codes = list(map(int, ignore_http_codes.replace(' ', '').split(',')))
+ self.ignore_content_length = ignore_content_length
+ self.wordlist = wordlist
+
+ def scan(self):
+ print("[+] Starting virtual host scan for %s using port %s and wordlist %s" % (
+ self.target, str(self.port), self.wordlist))
+ print("[>] Ignoring HTTP codes: %s" % (self.ignore_http_codes))
+ if (self.ignore_content_length > 0):
+ print("[>] Ignoring Content length: %s" % (self.ignore_content_length))
+
+ if not os.path.exists(self.wordlist):
+ print("[!] Wordlist %s doesn't exist, exiting virtual host scanner." % self.wordlist)
+ return
+
+ virtual_host_list = open(self.wordlist).read().splitlines()
+ results = ''
+
+ for virtual_host in virtual_host_list:
+ hostname = virtual_host.replace('%s', self.target)
+
+ headers = {
+ 'Host': hostname if self.port == 80 else '{}:{}'.format(hostname, self.port),
+ 'Accept': '*/*'
+ }
+
+ dest_url = '{}://{}:{}/'.format('https' if int(self.port) == 443 else 'http', self.target, self.port)
+
+ try:
+ res = requests.get(dest_url, headers=headers, verify=False)
+ except requests.exceptions.RequestException:
+ continue
+
+ if res.status_code in self.ignore_http_codes:
+ continue
+
+ if self.ignore_content_length > 0 and self.ignore_content_length == int(res.headers.get('content-length')):
+ continue
+
+ output = 'Found: {} (code: {}, length: {})'.format(hostname, res.status_code,
+ res.headers.get('content-length'))
+ results += output + '\n'
+
+ print(output)
+ for key, val in res.headers.items():
+ output = ' {}: {}'.format(key, val)
+ results += output + '\n'
+ print(output)
diff --git a/dist/Reconnoitre-1.0-py2.7.egg b/dist/Reconnoitre-1.0-py2.7.egg
new file mode 100644
index 0000000..32c55e3
Binary files /dev/null and b/dist/Reconnoitre-1.0-py2.7.egg differ
diff --git a/setup.py b/setup.py
index cf3e83a..1efedd8 100644
--- a/setup.py
+++ b/setup.py
@@ -23,10 +23,10 @@ def dependencies(imported_file):
 author_email="codingo@protonmail.com",
 url="https://github.com/codingo/Reconnoitre",
 packages=find_packages(exclude=('tests')),
- package_data={'Reconnoitre': ['*.txt']},
+ package_data={'Reconnoitre': ['*.txt', '*.json']},
 entry_points={
 'console_scripts': [
- 'Reconnoitre = Reconnoitre.Reconnoitre:main'
+ 'reconnoitre = Reconnoitre.reconnoitre:main'
 ]
 },
 include_package_data=True)
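Review bot: `packages=find_packages(exclude=('tests'))` on the context line above the changed `package_data` entry passes the string `'tests'` rather than a tuple, so `exclude` is iterated character by character and the `tests` package is still collected; it should read `packages=find_packages(exclude=('tests',)),`. The same commit checks in `build/lib.linux-x86_64-2.7/`, `dist/Reconnoitre-1.0-py2.7.egg` and `Reconnoitre.egg-info/`, which are products of `setup.py` rather than sources and will go stale on the next build; they should be removed and those paths added to `.gitignore`. The build copies shown in the hunks above already carry bugs that belong to the source modules they mirror: `snmp_scans` calls `.decode("utf-8").decode('utf-8')` on the command output, which under Python 3 raises on the second call and is swallowed by the broad `except Exception`, so a successful walk is reported as "No Response" and the later `except subprocess.CalledProcessError` can never run, while `target_file` in both modules opens the targets file once before the `try` and again inside it, so a missing file escapes the handler and the first handle leaks. The new entry point `Reconnoitre.reconnoitre:main` presumably goes with a lowercase module rename that is not part of this diff, so it cannot be verified here.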