diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..03624f1
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,13 @@
+FROM python:3.7
+
+
+RUN apt-get update && \
+ apt-get install -y git nmap snmp wget nbtscan
+
+RUN git clone https://github.com/codingo/Reconnoitre.git recon
+
+WORKDIR /recon
+
+RUN pip install -r requirements.txt && python setup.py install
+
+ENTRYPOINT ["reconnoitre"]
diff --git a/README.md b/README.md
index d63af02..d52a1e3 100644
--- a/README.md
+++ b/README.md
@@ -128,3 +128,25 @@ reconnoitre -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --service This bare requirement for host and service scanning for this tool is to have both `nbtscan` and `nmap` installed. If you are not using host scanning and only wish to perform a ping sweep and service scan you can get away with only installing `nmap`. The outputted _findings.txt_ will often recommend additional tools which you may not have available in your distribution if not using Kali Linux. All requirements and recommendations are native to Kali Linux which is the recommended (although not required) distribution for using this tool. In addition to these requirements outputs will often refer to Wordlists that you may need to find. If you are undertaking OSCP these can be found in the "List of Recommended Tools" thread by g0tmilk. If not then you can find the majority of these online or already within a Kali Linux installation.
+
+# Dockerfile
+First step is to install docker if you do not have it installed already. [Docker Installation](https://docs.docker.com/install/linux/docker-ce/ubuntu/)
+
+Basic Usage:
+
+```
+cd
+docker build -t reconnoitre .
+
+docker run reconnoitre -o outputdir -t 127.0.0.1
+```
+
+If you want files to exist locally you can mount a directory to the Docker container
+
+```
+cd
+docker build -t reconnoitre .
+mkdir /path/to/dir
+
+docker run -v /path/to/dir:/outputdir --services -o outputdir -t 127.0.0.1
+```
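Review bot: `RUN git clone https://github.com/codingo/Reconnoitre.git recon` builds whatever upstream HEAD is at build time instead of the checked-out tree that contains this Dockerfile, so the image is not reproducible and local changes (including this commit's own `requirements.txt` and `config.json`) never reach it; `COPY . .` into `WORKDIR /recon` should replace the clone, after which `git` is only dead weight in the image. The apt layer installs recommended packages and leaves `/var/lib/apt/lists` in the layer, and `pip install` keeps its download cache, so `--no-install-recommends`, `rm -rf /var/lib/apt/lists/*` and `--no-cache-dir` in the same `RUN` steps keep the image small. `FROM python:3.7` floats across rebuilds; pinning the tag by digest makes the scanning toolchain reproducible. With `WORKDIR /recon`, the README's `-v /path/to/dir:/outputdir` mount paired with a relative `-o outputdir` presumably resolves to `/recon/outputdir` rather than the mounted path, so the documented example should pass `-o /outputdir` (and that example also omits the image name).
```dockerfile
# Pin the base by digest; placeholder — substitute the digest you tested against.
FROM python:3.7@sha256:<base-image-digest>

RUN apt-get update && \
    apt-get install -y --no-install-recommends nmap snmp wget nbtscan && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /recon
# Build from the tree this Dockerfile lives in, not from upstream HEAD.
COPY . .
RUN pip install --no-cache-dir -r requirements.txt && python setup.py install

# … unchanged: ENTRYPOINT …
```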
diff --git a/Reconnoitre/lib/config.json b/Reconnoitre/lib/config.json index 9becfe6..5d80bb7 100644 --- a/Reconnoitre/lib/config.json +++ b/Reconnoitre/lib/config.json 
@@ -1,353 +1,359 @@ -{ - "services":{ - "http/s":{ - "description":"Found HTTP/S service on $ip:$port", - "nmap-service-names":[ - "http", - "ssl/http", - "https", - "ssl/http-alt" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nikto -h $ip -p $port -output $outputdir/$ip_$port_nikto.txt", - "curl -i $ip:$port", - "w3m -dump $ip/robots.txt | tee $outputdir/$ip_$port_robots.txt", - "VHostScan -t $ip -oN $outputdir/$ip_$port_vhosts.txt" - ] - } - ] - }, - "http":{ - "description":"Found HTTP service on $ip:$port", - "nmap-service-names":[ - "http" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", - "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", - "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", - "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" - ] - } - ] - }, - "https":{ - "description":"Found HTTPS service on $ip:$port", - "nmap-service-names":[ - "https", - "ssl/http", - "ssl/http-alt" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "dirb https://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", - "dirbuster -H -u https://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", - "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", - "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e | tee 
'$outputdir/$ip_$port_gobuster_cgis.txt'" - ] - } - ] - }, - "ftp":{ - "description":"Found FTP service on $ip:$port", - "nmap-service-names":[ - "ftp" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_$port_ftp' $ip", - "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_$port_ftphydra.txt -u $ip -s $port ftp" - ] - } - ] - }, - "mysql":{ - "description":"Found MySql service on $ip:$port", - "nmap-service-names":[ - "mysql" - ], - "output":[ - { - "description":"Check out the server for web applications with sqli vulnerabilities", - "commands":[ - "searchsploit mysql" - ] - } - ] - }, - "dns":{ - "description":"Found DNS service on $ip:$port", - "nmap-service-names":[ - "dns" - ], - "output":[ - { - "description":"Check out the server for zone transfers", - "commands":[ - "dnsrecon -t axfr -d $ip" - ] - } - ] - }, - "microsoftsql":{ - "description":"Found MS SQL service on $ip:$port", - "nmap-service-names":[ - "ms-sql", - "ms-sql-s" - ], - "output":[ - { - "description":"Check out the server for web applications with sqli vulnerabilities", - "commands":[ - "searchsploit mssql" - ] - }, - { - "description":"Use nmap scripts for further enumeration, e.g", - "commands":[ - "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,mssql.username=sa,mssql.password=sa -oA $outputdir/$ip_$port_mssql_nmap_scan $ip" - ] - } - ] - }, - "telnet":{ - "description":"Found telnet service on $ip:$port", - "nmap-service-names":[ - "telnet" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "ncat -nv $ip $port" - ] - } - ] - }, - "smb":{ - "description":"Found MS SMB service on $ip:$port", - "nmap-service-names":[ - "microsoft-ds" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -sV -Pn -vv -p 
139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_$port_smb.nmap' $ip", - "enum4linux -a $ip | tee $outputdir/$ip_$port_enum4linux.txt", - "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_$port_smb_smb-enum-users.nmap' $ip" - ] - } - ] - }, - "remotedesktop":{ - "description":"Found RDP service on $ip:$port", - "nmap-service-names":[ - "msrdp", - "ms-wbt-server" - ], - "output":[ - { - "description":"Bruteforcing", - "commands":[ - "ncrack -vv --user administrator -P PASS_LIST rdp://$ip", - "crowbar -b rdp -s $ip/32 -U USER_LIST -C PASS_LIST", - "for username in $(cat USER_LIST); do for password in $(cat PASS_LIST) do; rdesktop -u $username -p $password $ip; done; done;" - ] - } - ] - }, - "smtp":{ - "description":"Found SMTP service on $ip:$port", - "nmap-service-names":[ - "smtp" - ], - "output":[ - { - "description":"Find users", - "commands":[ - "smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top_shortlist.txt -t $ip -p $port" - ] - } - ] - }, - "snmp":{ - "description":"Found SNMP service on $ip:$port", - "nmap-service-names":[ - "snmp" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_$port_snmp' $ip", - "onesixtyone $ip > $outputdir/$ip_$port_snmp_onesixtyone.txt", - "snmpwalk -c public -v1 $ip > $outputdir/$ip_$port_snmpwalk.txt" - ] - } - ] - }, - "ssh":{ - "description":"Found SSH service on $ip:$port", - "nmap-service-names":[ - "ssh" - ], - "output":[ - { - "description":"Bruteforcing", - "commands":[ - "medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h $ip - $port -M ssh", - "hydra -f -V -t 1 -l root -P /usr/share/wordlists/rockyou.txt -s $port $ip ssh", - "ncrack -vv -p $port --user root -P PASS_LIST $ip" - ] - }, - { - "description":"Use nmap to automate banner grabbing and key fingerprints, e.g.", - "commands":[ - "nmap $ip -p $port -sV --script=ssh-hostkey -oA 
'$outputdir/$ip_$port_ssh-hostkey'" - ] - } - ] - }, - "msrpc":{ - "description":"Found MSRPC service on $ip:$port", - "nmap-service-names":[ - "msrpc", - "rpcbind" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "rpcclient -U \"\" $ip" - ] - }, - { - "description":"Bruteforce", - "commands":[ - "rpcclient -U \"\" $ip" - ] - } - ] - }, - "netbios-ssn":{ - "description":"Found NetBIOS service on $ip:$port", - "nmap-service-names":[ - "netbios-ssn" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmblookup -A $ip", - "smbclient //MOUNT/share -I $ip N", - "smbclient -L //$ip", - "enum4linux -a $ip", - "rpcclient -U \"\" $ip" - ] - } - ] - }, - "CUPS":{ - "description":"Found CUPS service on $ip:$port", - "nmap-service-names":[ - "ipp" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit cups" - ] - } - ] - }, - "java-rmi":{ - "description":"Found CUPS service on $ip:$port", - "nmap-service-names":[ - "java-rmi" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit java rmi" - ] - } - ] - }, - "vnc":{ - "description":"Found VNC service on $ip:$port", - "nmap-service-names":[ - "vnc", - "vnc-http" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit vnc" - ] - }, - { - "description":"Bruteforcing", - "commands":[ - "crowbar -b vnckey -s $ip/32 -p IP -k PASS_FILE" - ] - } - ] - }, - "oracle":{ - "description":"Found Oracle service on $ip:$port", - "nmap-service-names":[ - "oracle-tns" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit Oracle TNS" - ] - } - ] - }, - "kerberos":{ - "description":"Found Kerberos service on $ip:$port", - "nmap-service-names":[ - "kerberos-sec" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -p$port --script=krb5-enum-users --script-args 
krb5-enum-users.realm='CHANGEME.local',userdb=/usr/share/seclists/Usernames/Names/names.txt -oA '$outputdir/$ip_$port_kerberos' $ip" - ] - } - ] - }, - "ldap":{ - "description":"Found LDAP service on $ip:$port", - "nmap-service-names":[ - "ldap" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit ldap" - ] - } - ] - } - } +{ + "nmap": { + "tcpscan": "-vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 -script-args=unsafe=1", + "quickscan": "-sC -sV -Pn --disable-arp-ping", + "dnsudpscan": "-vv -Pn --disable-arp-ping -A -sC -sU -T 4 --top-ports 200 --max-retries 0", + "udpscan": "-sC -sV -sU -Pn --disable-arp-ping" + }, + "services": { + "http/s": { + "description": "Found HTTP/S service on $ip:$port", + "nmap-service-names": [ + "http", + "ssl/http", + "https", + "ssl/http-alt" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nikto -h $ip -p $port -output $outputdir/$ip_$port_nikto.txt", + "curl -i $ip:$port", + "w3m -dump $ip/robots.txt | tee $outputdir/$ip_$port_robots.txt", + "VHostScan -t $ip -oN $outputdir/$ip_$port_vhosts.txt" + ] + } + ] + }, + "http": { + "description": "Found HTTP service on $ip:$port", + "nmap-service-names": [ + "http" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", + "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" + ] + } + ] + }, + "https": { + "description": "Found HTTPS service on $ip:$port", + "nmap-service-names": [ + "https", + 
"ssl/http", + "ssl/http-alt" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "dirb https://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", + "dirbuster -H -u https://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", + "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", + "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" + ] + } + ] + }, + "ftp": { + "description": "Found FTP service on $ip:$port", + "nmap-service-names": [ + "ftp" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_$port_ftp' $ip", + "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_$port_ftphydra.txt -u $ip -s $port ftp" + ] + } + ] + }, + "mysql": { + "description": "Found MySql service on $ip:$port", + "nmap-service-names": [ + "mysql" + ], + "output": [ + { + "description": "Check out the server for web applications with sqli vulnerabilities", + "commands": [ + "searchsploit mysql" + ] + } + ] + }, + "dns": { + "description": "Found DNS service on $ip:$port", + "nmap-service-names": [ + "dns" + ], + "output": [ + { + "description": "Check out the server for zone transfers", + "commands": [ + "dnsrecon -t axfr -d $ip" + ] + } + ] + }, + "microsoftsql": { + "description": "Found MS SQL service on $ip:$port", + "nmap-service-names": [ + "ms-sql", + "ms-sql-s" + ], + "output": [ + { + "description": "Check out the server for web applications with sqli vulnerabilities", + "commands": [ + "searchsploit mssql" + ] + }, + { + "description": "Use nmap scripts for 
further enumeration, e.g", + "commands": [ + "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,mssql.username=sa,mssql.password=sa -oA $outputdir/$ip_$port_mssql_nmap_scan $ip" + ] + } + ] + }, + "telnet": { + "description": "Found telnet service on $ip:$port", + "nmap-service-names": [ + "telnet" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "ncat -nv $ip $port" + ] + } + ] + }, + "smb": { + "description": "Found MS SMB service on $ip:$port", + "nmap-service-names": [ + "microsoft-ds" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_$port_smb.nmap' $ip", + "enum4linux -a $ip | tee $outputdir/$ip_$port_enum4linux.txt", + "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_$port_smb_smb-enum-users.nmap' $ip" + ] + } + ] + }, + "remotedesktop": { + "description": "Found RDP service on $ip:$port", + "nmap-service-names": [ + "msrdp", + "ms-wbt-server" + ], + "output": [ + { + "description": "Bruteforcing", + "commands": [ + "ncrack -vv --user administrator -P PASS_LIST rdp://$ip", + "crowbar -b rdp -s $ip/32 -U USER_LIST -C PASS_LIST", + "for username in $(cat USER_LIST); do for password in $(cat PASS_LIST) do; rdesktop -u $username -p $password $ip; done; done;" + ] + } + ] + }, + "smtp": { + "description": "Found SMTP service on $ip:$port", + "nmap-service-names": [ + "smtp" + ], + "output": [ + { + "description": "Find users", + "commands": [ + "smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top_shortlist.txt -t $ip -p $port" + ] + } + ] + }, + "snmp": { + "description": "Found SNMP service on $ip:$port", + "nmap-service-names": [ + "snmp" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_$port_snmp' $ip", + "onesixtyone 
$ip > $outputdir/$ip_$port_snmp_onesixtyone.txt", + "snmpwalk -c public -v1 $ip > $outputdir/$ip_$port_snmpwalk.txt" + ] + } + ] + }, + "ssh": { + "description": "Found SSH service on $ip:$port", + "nmap-service-names": [ + "ssh" + ], + "output": [ + { + "description": "Bruteforcing", + "commands": [ + "medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h $ip - $port -M ssh", + "hydra -f -V -t 1 -l root -P /usr/share/wordlists/rockyou.txt -s $port $ip ssh", + "ncrack -vv -p $port --user root -P PASS_LIST $ip" + ] + }, + { + "description": "Use nmap to automate banner grabbing and key fingerprints, e.g.", + "commands": [ + "nmap $ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_$port_ssh-hostkey'" + ] + } + ] + }, + "msrpc": { + "description": "Found MSRPC service on $ip:$port", + "nmap-service-names": [ + "msrpc", + "rpcbind" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "rpcclient -U \"\" $ip" + ] + }, + { + "description": "Bruteforce", + "commands": [ + "rpcclient -U \"\" $ip" + ] + } + ] + }, + "netbios-ssn": { + "description": "Found NetBIOS service on $ip:$port", + "nmap-service-names": [ + "netbios-ssn" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmblookup -A $ip", + "smbclient //MOUNT/share -I $ip N", + "smbclient -L //$ip", + "enum4linux -a $ip", + "rpcclient -U \"\" $ip" + ] + } + ] + }, + "CUPS": { + "description": "Found CUPS service on $ip:$port", + "nmap-service-names": [ + "ipp" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit cups" + ] + } + ] + }, + "java-rmi": { + "description": "Found CUPS service on $ip:$port", + "nmap-service-names": [ + "java-rmi" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit java rmi" + ] + } + ] + }, + "vnc": { + "description": "Found VNC service on $ip:$port", + "nmap-service-names": [ + "vnc", + "vnc-http" + ], + "output": [ + { + "description": "Find public 
exploits", + "commands": [ + "searchsploit vnc" + ] + }, + { + "description": "Bruteforcing", + "commands": [ + "crowbar -b vnckey -s $ip/32 -p IP -k PASS_FILE" + ] + } + ] + }, + "oracle": { + "description": "Found Oracle service on $ip:$port", + "nmap-service-names": [ + "oracle-tns" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit Oracle TNS" + ] + } + ] + }, + "kerberos": { + "description": "Found Kerberos service on $ip:$port", + "nmap-service-names": [ + "kerberos-sec" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -p$port --script=krb5-enum-users --script-args krb5-enum-users.realm='CHANGEME.local',userdb=/usr/share/seclists/Usernames/Names/names.txt -oA '$outputdir/$ip_$port_kerberos' $ip" + ] + } + ] + }, + "ldap": { + "description": "Found LDAP service on $ip:$port", + "nmap-service-names": [ + "ldap" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit ldap" + ] + } + ] + } + } } diff --git a/Reconnoitre/lib/file_helper.py b/Reconnoitre/lib/file_helper.py index 5f49a23..93068d9 100644 --- a/Reconnoitre/lib/file_helper.py +++ b/Reconnoitre/lib/file_helper.py @@ -121,7 +121,7 @@ def write_recommendations(results, ip_address, outputdir): for port in ports: port = port.split("/")[0] - description = ("[*] " + description = ("[*] " + j["services"][service]["description"]) print(description % {"ip": ip_address, "port": port}) f.write((description + "\n") % 
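Review bot: The `java-rmi` entry's description still reads `Found CUPS service on $ip:$port`, a copy of the CUPS entry above it, and since this hunk rewrites that line anyway it is the place to change it to `"description": "Found Java RMI service on $ip:$port"`. The new `nmap.tcpscan` value carries `-script-args=unsafe=1` with a single dash while every other script-argument in this file is written `--script-args=…`; nmap's long-option parsing probably tolerates the short form, but it reads like a typo carried over from the old `service_scan.py` string and should be normalised. Because the hunk re-indents all 353 existing lines as well as adding the six-line `nmap` block, the functional change is hard to see; separating whitespace-only reformatting from the option move would make both easier to audit, which matters for a file whose values are spliced directly into shell command lines.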
@@ -142,3 +142,28 @@ def write_recommendations(results, ip_address, outputdir): "\n\n[*] Always remember to manually go over the" " portscan report and carefully read between the lines ;)") f.close() + + +def get_config_options(key, *args): + __location__ = os.path.realpath( + os.path.join( + os.getcwd(), + os.path.dirname(__file__))) + with open(os.path.join(__location__, "config.json"), "r") as config: + c = config.read() + j = json.loads( + c.replace( + "$ip", + "%(ip)s").replace( + "$port", + "%(port)s").replace( + "$outputdir", + "%(outputdir)s")) + + res = j.get(key, None) + for arg in args: + res = res.get(arg, None) + if res is None: + raise KeyError + + return res diff --git a/Reconnoitre/lib/ping_sweeper.py b/Reconnoitre/lib/ping_sweeper.py index f372d62..6d2c660 100644 --- a/Reconnoitre/lib/ping_sweeper.py +++ b/Reconnoitre/lib/ping_sweeper.py @@ -23,7 +23,7 @@ def call_nmap_sweep(target_hosts): SWEEP = "nmap -n -sP %s" % (target_hosts) results = run_scan(SWEEP) - lines = str(results).encode("utf-8").split("\n") + lines = str(results).split("\n") return lines diff --git a/Reconnoitre/lib/service_scan.py b/Reconnoitre/lib/service_scan.py index 0202f62..da59ea8 100644 --- a/Reconnoitre/lib/service_scan.py +++ b/Reconnoitre/lib/service_scan.py @@ -3,6 +3,7 @@ from Reconnoitre.lib.file_helper import check_directory from Reconnoitre.lib.file_helper import create_dir_structure +from Reconnoitre.lib.file_helper import get_config_options from Reconnoitre.lib.file_helper import load_targets from Reconnoitre.lib.file_helper import write_recommendations from Reconnoitre.lib.subprocess_helper import run_scan 
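Review bot: In `get_config_options`, the `res is None` check runs after `res.get(arg, None)`, so a missing top-level `key` makes `j.get(key, None)` return `None` and the next iteration fails with `AttributeError: 'NoneType' object has no attribute 'get'` rather than the intended `KeyError`; the same happens whenever an intermediate value is not a dict. Indexing directly — `res = j[key]` / `for arg in args:` / `res = res[arg]` — raises `KeyError` naming the missing key and removes the bare `raise KeyError`, which currently tells the caller nothing about which option was absent. The function also re-opens and re-parses `config.json` on every call and applies the `$ip`/`$port`/`$outputdir` substitution to the whole file; that is harmless for the `nmap` flag strings today, but a comment such as `# config.json is bundled and trusted; its values are passed unquoted to nmap command lines` would make the assumption explicit for anyone adding keys later.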
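Review bot: `lines = str(results).split("\n")` is only correct if `run_scan` already returns text; if it hands back the raw `bytes` from subprocess, `str()` produces the repr (`"b'...'"`) and the sweep parses a string that starts with `b'`, so `results.decode("utf-8", errors="replace")` would be the safer form — `run_scan` is outside this hunk, so confirm its return type. `splitlines()` would additionally cope with `\r\n` output. Dropping `.encode("utf-8")` itself is right for Python 3, where `bytes.split("\n")` raises `TypeError`.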
@@ -17,8 +18,8 @@ def nmap_scan( ip_address = ip_address.strip() print("[+] Starting quick nmap scan for %s" % (ip_address)) - QUICKSCAN = "nmap -sC -sV -Pn --disable-arp-ping %s -oA '%s/%s.quick'" % ( - ip_address, output_directory, ip_address) + flags = get_config_options('nmap', 'quickscan') + QUICKSCAN = f"nmap {flags} {ip_address} -oA '{output_directory}/{ip_address}.quick'" quickresults = run_scan(QUICKSCAN) write_recommendations(quickresults, ip_address, output_directory) 
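Review bot: `get_config_options('nmap', 'quickscan')` uses single quotes while the identical calls in the later hunk of this file (`get_config_options("nmap", "tcpscan")`) use double quotes; the file's existing strings are double-quoted, so `flags = get_config_options("nmap", "quickscan")` keeps it consistent. Each call re-reads and re-parses `config.json`, and `nmap_scan` appears to run once per target, so the `quickscan`, `tcpscan` and `udpscan`/`dnsudpscan` lookups (here and in the next hunk) are repeated for every host; fetching them once at the top of `nmap_scan` or at module import avoids the redundant file I/O. Since `{flags}` and `{ip_address}` are interpolated unquoted into a command string that `run_scan` executes, a comment such as `# flags come from the bundled config.json and reach the shell unquoted` documents the trust boundary. `nmap_scan` starts and ends outside this hunk.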
@@ -35,38 +36,26 @@ def nmap_scan( ip_address, dns_server)) print("[+] Using DNS server %s" % (dns_server)) - TCPSCAN = "nmap -vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 -script-args=unsafe=1 \ - --dns-servers %s -oN '%s/%s.nmap' -oX \ - '%s/%s_nmap_scan_import.xml' %s" % ( - dns_server, - output_directory, - ip_address, - output_directory, - ip_address, - ip_address) - UDPSCAN = "nmap -vv -Pn --disable-arp-ping -A -sC -sU -T 4 --top-ports 200 \ - --max-retries 0 --dns-servers %s -oN '%s/%sU.nmap' \ - -oX '%s/%sU_nmap_scan_import.xml' %s" % ( - dns_server, - output_directory, - ip_address, - output_directory, - ip_address, - ip_address) + flags = get_config_options("nmap", "tcpscan") + TCPSCAN = f"nmap {flags} --dns-servers {dns_server} -oN\ + '{output_directory}/{ip_address}.nmap' -oX\ + '{output_directory}/{ip_address}_nmap_scan_import.xml' {ip_address}" + + flags = get_config_options("nmap", "dnsudpscan") + UDPSCAN = f"nmap {flags} \ + --dns-servers {dns_server} -oN '{output_directory}/{ip_address}U.nmap' \ + -oX '{output_directory}/{ip_address}U_nmap_scan_import.xml' {ip_address}" + else: print("[+] Starting detailed TCP%s nmap scans for %s" % ( ("" if no_udp_service_scan is True else "/UDP"), ip_address)) - TCPSCAN = "nmap -vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 \ - -script-args=unsafe=1 -n %s -oN '%s/%s.nmap' \ - -oX '%s/%s_nmap_scan_import.xml' %s" % ( - dns_server, - output_directory, - ip_address, - output_directory, - ip_address, - ip_address) - UDPSCAN = "nmap -sC -sV -sU -Pn --disable-arp-ping %s -oA '%s/%s-udp'" % ( - ip_address, output_directory, ip_address) + flags = get_config_options("nmap", "tcpscan") + TCPSCAN = f"nmap {flags} --dns-servers {dns_server} -oN\ + '{output_directory}/{ip_address}.nmap' -oX\ + '{output_directory}/{ip_address}_nmap_scan_import.xml' {ip_address}" + + flags = get_config_options("nmap", "udpscan") + UDPSCAN = f"nmap {flags} {ip_address} -oA '{output_directory}/{ip_address}-udp'" udpresult = "" if 
no_udp_service_scan is True else run_scan(UDPSCAN) tcpresults = run_scan(TCPSCAN) diff --git a/Reconnoitre/lib/snmp_walk.py b/Reconnoitre/lib/snmp_walk.py index 22142df..21b8a99 100644 --- a/Reconnoitre/lib/snmp_walk.py +++ b/Reconnoitre/lib/snmp_walk.py @@ -70,8 +70,8 @@ def snmp_scans(ip_address, output_directory): " %s - Checking for System Processes" % (ip_address)) SCAN = ("snmpwalk -c public -v1 %s " - "1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % ( - ip_address, output_directory, ip_address)) + "1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % ( + ip_address, output_directory, ip_address)) try: run_scan(SCAN, stderr=subprocess.STDOUT) diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..3288e92 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,2 @@ +requests +
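Review bot: In the `else` branch (the one not printing `[+] Using DNS server`), the rewritten `TCPSCAN` now emits `--dns-servers {dns_server}` where the removed line passed `-n %s`, i.e. the branch that used to disable reverse resolution now hands nmap whatever `dns_server` holds there — if it is `None` the command becomes `--dns-servers None`, and if it is empty `--dns-servers` swallows `-oN` as its argument; `dns_server` is assigned outside the hunk, so please confirm its value in that path. Keeping the old behaviour is a one-line change: `TCPSCAN = f"nmap {flags} -n -oN '{output_directory}/{ip_address}.nmap' -oX '{output_directory}/{ip_address}_nmap_scan_import.xml' {ip_address}"`. Both branches also fetch the same `tcpscan` flags and build the same `TCPSCAN`, so that lookup and the shared part of the command can move above the `if`, leaving only the `--dns-servers`/`-n` choice inside it. The backslash-continued f-strings embed the following line's indentation in the command (harmless to the shell, but `-oN\` followed by a run of spaces is easy to misread); a parenthesised string or one long line would be clearer.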