From a8bf2f2729fccc7d1cb5b9956f470cfd95fdc169 Mon Sep 17 00:00:00 2001 From: Al Straumann Date: Tue, 1 Oct 2019 19:59:55 -0500 Subject: [PATCH 1/6] Add nmap options to config.json. Add Dockerfile. Add requirements.txt for later --- Dockerfile | 15 ++++++++++ Reconnoitre/lib/config.json | 6 ++++ Reconnoitre/lib/file_helper.py | 28 ++++++++++++++++++ Reconnoitre/lib/service_scan.py | 51 +++++++++++++-------------------- requirements.txt | 2 ++ 5 files changed, 71 insertions(+), 31 deletions(-) create mode 100644 Dockerfile create mode 100644 requirements.txt diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..54dd89c --- /dev/null +++ b/Dockerfile @@ -0,0 +1,15 @@ +FROM python:3.7 + + +RUN apt update && \ + apt install git nmap + + +RUN https://github.com/CrimsonK1ng/Reconnoitre.git recon + +WORKDIR /recon + +RUN pip install requirements && python setup.py install + + + diff --git a/Reconnoitre/lib/config.json b/Reconnoitre/lib/config.json index 9becfe6..a67195d 100644 --- a/Reconnoitre/lib/config.json +++ b/Reconnoitre/lib/config.json @@ -1,4 +1,10 @@ { + "nmap": { + "tcpscan": "-vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 -script-args=unsafe=1", + "quickscan":"-sC -sV -Pn --disable-arp-ping", + "dnsudpscan" : "-vv -Pn --disable-arp-ping -A -sC -sU -T 4 --top-ports 200 --max-retries 0", + "udpscan": "-sC -sV -sU -Pn --disable-arp-ping" + }, "services":{ "http/s":{ "description":"Found HTTP/S service on $ip:$port", diff --git a/Reconnoitre/lib/file_helper.py b/Reconnoitre/lib/file_helper.py index 5f49a23..bb90f4d 100644 --- a/Reconnoitre/lib/file_helper.py +++ b/Reconnoitre/lib/file_helper.py 
@@ -142,3 +142,31 @@ def write_recommendations(results, ip_address, outputdir): "\n\n[*] Always remember to manually go over the" " portscan report and carefully read between the lines ;)") f.close() + +def get_config_options(key, option): + __location__ = os.path.realpath( + os.path.join( + os.getcwd(), + os.path.dirname(__file__))) + with open(os.path.join(__location__, "config.json"), "r") as config: + c = config.read() + j = json.loads( + c.replace( + "$ip", + "%(ip)s").replace( + "$port", + "%(port)s").replace( + "$outputdir", + "%(outputdir)s")) + + res = j.get(key, None) + + if res is None: + raise KeyError + + res2 = res.get(option, None) + + if res2 is None: + raise KeyError + + return res2 diff --git a/Reconnoitre/lib/service_scan.py b/Reconnoitre/lib/service_scan.py index 0202f62..9918118 100644 --- a/Reconnoitre/lib/service_scan.py +++ b/Reconnoitre/lib/service_scan.py @@ -3,6 +3,7 @@ from Reconnoitre.lib.file_helper import check_directory from Reconnoitre.lib.file_helper import create_dir_structure +from Reconnoitre.lib.file_helper import get_config_options from Reconnoitre.lib.file_helper import load_targets from Reconnoitre.lib.file_helper import write_recommendations from Reconnoitre.lib.subprocess_helper import run_scan @@ -17,8 +18,8 @@ def nmap_scan( ip_address = ip_address.strip() print("[+] Starting quick nmap scan for %s" % (ip_address)) - QUICKSCAN = "nmap -sC -sV -Pn --disable-arp-ping %s -oA '%s/%s.quick'" % ( - ip_address, output_directory, ip_address) + flags = get_config_options('nmap', 'quickscan') + QUICKSCAN = f"nmap {flags} {ip_address} -oA '{output_directory}/{ip_address}.quick'" quickresults = run_scan(QUICKSCAN) write_recommendations(quickresults, ip_address, output_directory) 
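Review bot: Both `raise KeyError` statements in the new `get_config_options` raise without a message, so a misspelled or missing entry in config.json surfaces mid-scan as a bare `KeyError` with no hint of which key was requested; write `raise KeyError(f"{key!r} has no option {option!r} in config.json")` and the equivalent for the top-level lookup. The function also re-opens and re-parses config.json on every call, and `nmap_scan` in service_scan.py now calls it several times per invocation, so loading the parsed dict once (module level or a small cache) would avoid the repeated file I/O. The `$ip`/`$port`/`$outputdir` rewriting is only meaningful for the `services` section; it is harmless for the `nmap` flags but a comment saying so would save the next reader a question. The rewrite of this function in patch 5/6 keeps the message-less raise.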
@@ -35,38 +36,26 @@ def nmap_scan( ip_address, dns_server)) print("[+] Using DNS server %s" % (dns_server)) - TCPSCAN = "nmap -vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 -script-args=unsafe=1 \ - --dns-servers %s -oN '%s/%s.nmap' -oX \ - '%s/%s_nmap_scan_import.xml' %s" % ( - dns_server, - output_directory, - ip_address, - output_directory, - ip_address, - ip_address) - UDPSCAN = "nmap -vv -Pn --disable-arp-ping -A -sC -sU -T 4 --top-ports 200 \ - --max-retries 0 --dns-servers %s -oN '%s/%sU.nmap' \ - -oX '%s/%sU_nmap_scan_import.xml' %s" % ( - dns_server, - output_directory, - ip_address, - output_directory, - ip_address, - ip_address) + flags = get_config_options("nmap", "tcpscan") + TCPSCAN = f"nmap {flags} --dns-servers {dns_server} -oN\ + '{output_directory}/{ip_address}.nmap' -oX\ + '{output_directory}/{ip_address}_nmap_scan_import.xml' {ip_address}" + + flags = get_config_options("nmap", "dnsudpscan") + UDPSCAN = f"nmap {flags} \ + --dns-servers {dns_server} -oN '{output_directory}/{ip_address}U.nmap' \ + -oX '{output_directory}/{ip_address}U_nmap_scan_import.xml' {ip_address}" + else: print("[+] Starting detailed TCP%s nmap scans for %s" % ( ("" if no_udp_service_scan is True else "/UDP"), ip_address)) - TCPSCAN = "nmap -vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 \ - -script-args=unsafe=1 -n %s -oN '%s/%s.nmap' \ - -oX '%s/%s_nmap_scan_import.xml' %s" % ( - dns_server, - output_directory, - ip_address, - output_directory, - ip_address, - ip_address) - UDPSCAN = "nmap -sC -sV -sU -Pn --disable-arp-ping %s -oA '%s/%s-udp'" % ( - ip_address, output_directory, ip_address) + flags = get_config_options("nmap", "tcpscan") + TCPSCAN = f"nmap {flags} --dns-servers {dns_server} -oN\ + '{output_directory}/{ip_address}.nmap' -oX\ + '{output_directory}/{ip_address}_nmap_scan_import.xml' {ip_address}" + + flags = get_config_options("nmap", "udpscan") + UDPSCAN = f"nmap {flags} {ip_address} -oA '{output_directory}/{ip_address}-udp'" udpresult = "" if 
no_udp_service_scan is True else run_scan(UDPSCAN) tcpresults = run_scan(TCPSCAN) diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..8194198 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,2 @@ +requests=='*' + From b10cba05a322796dce5c0e6ac395607e85636d18 Mon Sep 17 00:00:00 2001 From: Al Straumann Date: Tue, 1 Oct 2019 20:05:35 -0500 Subject: [PATCH 2/6] Autopep8. Fix requirements to be extremely loose --- Dockerfile | 9 +- Reconnoitre/lib/config.json | 712 ++++++++++++++++---------------- Reconnoitre/lib/file_helper.py | 3 +- Reconnoitre/lib/ping_sweeper.py | 2 +- Reconnoitre/lib/service_scan.py | 2 +- Reconnoitre/lib/snmp_walk.py | 4 +- requirements.txt | 2 +- 7 files changed, 367 insertions(+), 367 deletions(-) diff --git a/Dockerfile b/Dockerfile index 54dd89c..ca335f3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,14 @@ FROM python:3.7 -RUN apt update && \ - apt install git nmap +RUN apt-get update && \ + apt-get install -y git nmap - -RUN https://github.com/CrimsonK1ng/Reconnoitre.git recon +RUN git clone https://github.com/CrimsonK1ng/Reconnoitre.git recon WORKDIR /recon RUN pip install requirements && python setup.py install - +ENTRYPOINT ["reconnoiter"] diff --git a/Reconnoitre/lib/config.json b/Reconnoitre/lib/config.json index a67195d..5d80bb7 100644 --- a/Reconnoitre/lib/config.json +++ b/Reconnoitre/lib/config.json 
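Review bot: The `else` branch's new `TCPSCAN` passes `--dns-servers {dns_server}` although that branch is the one taken when no DNS server was supplied (inferred from the `if` above, whose condition is outside the hunk), whereas the removed line used `-n` there; with an empty or `None` dns_server the command becomes `--dns-servers None ...` or `--dns-servers -oN ...`, so nmap either tries to resolve a bogus server or swallows `-oN` as that option's argument. Keep the old behaviour in the else branch: `TCPSCAN = f"nmap {flags} -n -oN '{output_directory}/{ip_address}.nmap' -oX '{output_directory}/{ip_address}_nmap_scan_import.xml' {ip_address}"`. Both branches otherwise build an identical TCPSCAN, so the string could be assembled once after the `if`/`else` from a single `dns_flag` variable. `nmap_scan` continues outside the hunk.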
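Review bot: The new `RUN git clone https://github.com/CrimsonK1ng/Reconnoitre.git recon` installs whatever the repository's default branch points to at build time, so the image is not reproducible and anyone who can push to that branch controls the code that runs in the container. Pin the checkout, e.g. `RUN git clone --depth 1 --branch <TAG_PLACEHOLDER> https://github.com/CrimsonK1ng/Reconnoitre.git recon`, or add `git checkout <COMMIT_PLACEHOLDER>` after the clone. The same applies to the clone line as rewritten in patch 4/6 and carried as context into patch 6/6.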
@@ -1,359 +1,359 @@ -{ - "nmap": { +{ + "nmap": { "tcpscan": "-vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 -script-args=unsafe=1", - "quickscan":"-sC -sV -Pn --disable-arp-ping", - "dnsudpscan" : "-vv -Pn --disable-arp-ping -A -sC -sU -T 4 --top-ports 200 --max-retries 0", + "quickscan": "-sC -sV -Pn --disable-arp-ping", + "dnsudpscan": "-vv -Pn --disable-arp-ping -A -sC -sU -T 4 --top-ports 200 --max-retries 0", "udpscan": "-sC -sV -sU -Pn --disable-arp-ping" - }, - "services":{ - "http/s":{ - "description":"Found HTTP/S service on $ip:$port", - "nmap-service-names":[ - "http", - "ssl/http", - "https", - "ssl/http-alt" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nikto -h $ip -p $port -output $outputdir/$ip_$port_nikto.txt", - "curl -i $ip:$port", - "w3m -dump $ip/robots.txt | tee $outputdir/$ip_$port_robots.txt", - "VHostScan -t $ip -oN $outputdir/$ip_$port_vhosts.txt" - ] - } - ] - }, - "http":{ - "description":"Found HTTP service on $ip:$port", - "nmap-service-names":[ - "http" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", - "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", - "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", - "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" - ] - } - ] - }, - "https":{ - "description":"Found HTTPS service on $ip:$port", - "nmap-service-names":[ - "https", - "ssl/http", - "ssl/http-alt" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "dirb https://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", - "dirbuster -H -u https://$ip:$port/ -l 
/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", - "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", - "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" - ] - } - ] - }, - "ftp":{ - "description":"Found FTP service on $ip:$port", - "nmap-service-names":[ - "ftp" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_$port_ftp' $ip", - "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_$port_ftphydra.txt -u $ip -s $port ftp" - ] - } - ] - }, - "mysql":{ - "description":"Found MySql service on $ip:$port", - "nmap-service-names":[ - "mysql" - ], - "output":[ - { - "description":"Check out the server for web applications with sqli vulnerabilities", - "commands":[ - "searchsploit mysql" - ] - } - ] - }, - "dns":{ - "description":"Found DNS service on $ip:$port", - "nmap-service-names":[ - "dns" - ], - "output":[ - { - "description":"Check out the server for zone transfers", - "commands":[ - "dnsrecon -t axfr -d $ip" - ] - } - ] - }, - "microsoftsql":{ - "description":"Found MS SQL service on $ip:$port", - "nmap-service-names":[ - "ms-sql", - "ms-sql-s" - ], - "output":[ - { - "description":"Check out the server for web applications with sqli vulnerabilities", - "commands":[ - "searchsploit mssql" - ] - }, - { - "description":"Use nmap scripts for further enumeration, e.g", - "commands":[ - "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,mssql.username=sa,mssql.password=sa -oA 
$outputdir/$ip_$port_mssql_nmap_scan $ip" - ] - } - ] - }, - "telnet":{ - "description":"Found telnet service on $ip:$port", - "nmap-service-names":[ - "telnet" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "ncat -nv $ip $port" - ] - } - ] - }, - "smb":{ - "description":"Found MS SMB service on $ip:$port", - "nmap-service-names":[ - "microsoft-ds" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_$port_smb.nmap' $ip", - "enum4linux -a $ip | tee $outputdir/$ip_$port_enum4linux.txt", - "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_$port_smb_smb-enum-users.nmap' $ip" - ] - } - ] - }, - "remotedesktop":{ - "description":"Found RDP service on $ip:$port", - "nmap-service-names":[ - "msrdp", - "ms-wbt-server" - ], - "output":[ - { - "description":"Bruteforcing", - "commands":[ - "ncrack -vv --user administrator -P PASS_LIST rdp://$ip", - "crowbar -b rdp -s $ip/32 -U USER_LIST -C PASS_LIST", - "for username in $(cat USER_LIST); do for password in $(cat PASS_LIST) do; rdesktop -u $username -p $password $ip; done; done;" - ] - } - ] - }, - "smtp":{ - "description":"Found SMTP service on $ip:$port", - "nmap-service-names":[ - "smtp" - ], - "output":[ - { - "description":"Find users", - "commands":[ - "smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top_shortlist.txt -t $ip -p $port" - ] - } - ] - }, - "snmp":{ - "description":"Found SNMP service on $ip:$port", - "nmap-service-names":[ - "snmp" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_$port_snmp' $ip", - "onesixtyone $ip > $outputdir/$ip_$port_snmp_onesixtyone.txt", - "snmpwalk -c public -v1 $ip > $outputdir/$ip_$port_snmpwalk.txt" - ] - } - ] - }, - "ssh":{ - "description":"Found SSH service on $ip:$port", - "nmap-service-names":[ - "ssh" - ], - 
"output":[ - { - "description":"Bruteforcing", - "commands":[ - "medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h $ip - $port -M ssh", - "hydra -f -V -t 1 -l root -P /usr/share/wordlists/rockyou.txt -s $port $ip ssh", - "ncrack -vv -p $port --user root -P PASS_LIST $ip" - ] - }, - { - "description":"Use nmap to automate banner grabbing and key fingerprints, e.g.", - "commands":[ - "nmap $ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_$port_ssh-hostkey'" - ] - } - ] - }, - "msrpc":{ - "description":"Found MSRPC service on $ip:$port", - "nmap-service-names":[ - "msrpc", - "rpcbind" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "rpcclient -U \"\" $ip" - ] - }, - { - "description":"Bruteforce", - "commands":[ - "rpcclient -U \"\" $ip" - ] - } - ] - }, - "netbios-ssn":{ - "description":"Found NetBIOS service on $ip:$port", - "nmap-service-names":[ - "netbios-ssn" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmblookup -A $ip", - "smbclient //MOUNT/share -I $ip N", - "smbclient -L //$ip", - "enum4linux -a $ip", - "rpcclient -U \"\" $ip" - ] - } - ] - }, - "CUPS":{ - "description":"Found CUPS service on $ip:$port", - "nmap-service-names":[ - "ipp" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit cups" - ] - } - ] - }, - "java-rmi":{ - "description":"Found CUPS service on $ip:$port", - "nmap-service-names":[ - "java-rmi" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit java rmi" - ] - } - ] - }, - "vnc":{ - "description":"Found VNC service on $ip:$port", - "nmap-service-names":[ - "vnc", - "vnc-http" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit vnc" - ] - }, - { - "description":"Bruteforcing", - "commands":[ - "crowbar -b vnckey -s $ip/32 -p IP -k PASS_FILE" - ] - } - ] - }, - "oracle":{ - "description":"Found Oracle service on $ip:$port", - "nmap-service-names":[ - 
"oracle-tns" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit Oracle TNS" - ] - } - ] - }, - "kerberos":{ - "description":"Found Kerberos service on $ip:$port", - "nmap-service-names":[ - "kerberos-sec" - ], - "output":[ - { - "description":"Enumeration", - "commands":[ - "nmap -p$port --script=krb5-enum-users --script-args krb5-enum-users.realm='CHANGEME.local',userdb=/usr/share/seclists/Usernames/Names/names.txt -oA '$outputdir/$ip_$port_kerberos' $ip" - ] - } - ] - }, - "ldap":{ - "description":"Found LDAP service on $ip:$port", - "nmap-service-names":[ - "ldap" - ], - "output":[ - { - "description":"Find public exploits", - "commands":[ - "searchsploit ldap" - ] - } - ] - } - } + }, + "services": { + "http/s": { + "description": "Found HTTP/S service on $ip:$port", + "nmap-service-names": [ + "http", + "ssl/http", + "https", + "ssl/http-alt" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nikto -h $ip -p $port -output $outputdir/$ip_$port_nikto.txt", + "curl -i $ip:$port", + "w3m -dump $ip/robots.txt | tee $outputdir/$ip_$port_robots.txt", + "VHostScan -t $ip -oN $outputdir/$ip_$port_vhosts.txt" + ] + } + ] + }, + "http": { + "description": "Found HTTP service on $ip:$port", + "nmap-service-names": [ + "http" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", + "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", + "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" + ] + } + ] + }, + "https": { + "description": 
"Found HTTPS service on $ip:$port", + "nmap-service-names": [ + "https", + "ssl/http", + "ssl/http-alt" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "dirb https://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt", + "dirbuster -H -u https://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt", + "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'", + "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'" + ] + } + ] + }, + "ftp": { + "description": "Found FTP service on $ip:$port", + "nmap-service-names": [ + "ftp" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_$port_ftp' $ip", + "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_$port_ftphydra.txt -u $ip -s $port ftp" + ] + } + ] + }, + "mysql": { + "description": "Found MySql service on $ip:$port", + "nmap-service-names": [ + "mysql" + ], + "output": [ + { + "description": "Check out the server for web applications with sqli vulnerabilities", + "commands": [ + "searchsploit mysql" + ] + } + ] + }, + "dns": { + "description": "Found DNS service on $ip:$port", + "nmap-service-names": [ + "dns" + ], + "output": [ + { + "description": "Check out the server for zone transfers", + "commands": [ + "dnsrecon -t axfr -d $ip" + ] + } + ] + }, + "microsoftsql": { + "description": "Found MS SQL service on $ip:$port", + "nmap-service-names": [ + "ms-sql", + "ms-sql-s" + ], + "output": [ + { + "description": "Check out the server for web applications with sqli vulnerabilities", + "commands": [ 
+ "searchsploit mssql" + ] + }, + { + "description": "Use nmap scripts for further enumeration, e.g", + "commands": [ + "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,mssql.username=sa,mssql.password=sa -oA $outputdir/$ip_$port_mssql_nmap_scan $ip" + ] + } + ] + }, + "telnet": { + "description": "Found telnet service on $ip:$port", + "nmap-service-names": [ + "telnet" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "ncat -nv $ip $port" + ] + } + ] + }, + "smb": { + "description": "Found MS SMB service on $ip:$port", + "nmap-service-names": [ + "microsoft-ds" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_$port_smb.nmap' $ip", + "enum4linux -a $ip | tee $outputdir/$ip_$port_enum4linux.txt", + "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_$port_smb_smb-enum-users.nmap' $ip" + ] + } + ] + }, + "remotedesktop": { + "description": "Found RDP service on $ip:$port", + "nmap-service-names": [ + "msrdp", + "ms-wbt-server" + ], + "output": [ + { + "description": "Bruteforcing", + "commands": [ + "ncrack -vv --user administrator -P PASS_LIST rdp://$ip", + "crowbar -b rdp -s $ip/32 -U USER_LIST -C PASS_LIST", + "for username in $(cat USER_LIST); do for password in $(cat PASS_LIST) do; rdesktop -u $username -p $password $ip; done; done;" + ] + } + ] + }, + "smtp": { + "description": "Found SMTP service on $ip:$port", + "nmap-service-names": [ + "smtp" + ], + "output": [ + { + "description": "Find users", + "commands": [ + "smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top_shortlist.txt -t $ip -p $port" + ] + } + ] + }, + "snmp": { + "description": "Found SNMP service on $ip:$port", + "nmap-service-names": [ + "snmp" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -sV -Pn -vv -p$port 
--script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_$port_snmp' $ip", + "onesixtyone $ip > $outputdir/$ip_$port_snmp_onesixtyone.txt", + "snmpwalk -c public -v1 $ip > $outputdir/$ip_$port_snmpwalk.txt" + ] + } + ] + }, + "ssh": { + "description": "Found SSH service on $ip:$port", + "nmap-service-names": [ + "ssh" + ], + "output": [ + { + "description": "Bruteforcing", + "commands": [ + "medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h $ip - $port -M ssh", + "hydra -f -V -t 1 -l root -P /usr/share/wordlists/rockyou.txt -s $port $ip ssh", + "ncrack -vv -p $port --user root -P PASS_LIST $ip" + ] + }, + { + "description": "Use nmap to automate banner grabbing and key fingerprints, e.g.", + "commands": [ + "nmap $ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_$port_ssh-hostkey'" + ] + } + ] + }, + "msrpc": { + "description": "Found MSRPC service on $ip:$port", + "nmap-service-names": [ + "msrpc", + "rpcbind" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "rpcclient -U \"\" $ip" + ] + }, + { + "description": "Bruteforce", + "commands": [ + "rpcclient -U \"\" $ip" + ] + } + ] + }, + "netbios-ssn": { + "description": "Found NetBIOS service on $ip:$port", + "nmap-service-names": [ + "netbios-ssn" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmblookup -A $ip", + "smbclient //MOUNT/share -I $ip N", + "smbclient -L //$ip", + "enum4linux -a $ip", + "rpcclient -U \"\" $ip" + ] + } + ] + }, + "CUPS": { + "description": "Found CUPS service on $ip:$port", + "nmap-service-names": [ + "ipp" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit cups" + ] + } + ] + }, + "java-rmi": { + "description": "Found CUPS service on $ip:$port", + "nmap-service-names": [ + "java-rmi" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit java rmi" + ] + } + ] + }, + "vnc": { + "description": "Found VNC service on $ip:$port", + 
"nmap-service-names": [ + "vnc", + "vnc-http" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit vnc" + ] + }, + { + "description": "Bruteforcing", + "commands": [ + "crowbar -b vnckey -s $ip/32 -p IP -k PASS_FILE" + ] + } + ] + }, + "oracle": { + "description": "Found Oracle service on $ip:$port", + "nmap-service-names": [ + "oracle-tns" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit Oracle TNS" + ] + } + ] + }, + "kerberos": { + "description": "Found Kerberos service on $ip:$port", + "nmap-service-names": [ + "kerberos-sec" + ], + "output": [ + { + "description": "Enumeration", + "commands": [ + "nmap -p$port --script=krb5-enum-users --script-args krb5-enum-users.realm='CHANGEME.local',userdb=/usr/share/seclists/Usernames/Names/names.txt -oA '$outputdir/$ip_$port_kerberos' $ip" + ] + } + ] + }, + "ldap": { + "description": "Found LDAP service on $ip:$port", + "nmap-service-names": [ + "ldap" + ], + "output": [ + { + "description": "Find public exploits", + "commands": [ + "searchsploit ldap" + ] + } + ] + } + } } diff --git a/Reconnoitre/lib/file_helper.py b/Reconnoitre/lib/file_helper.py index bb90f4d..0119de8 100644 --- a/Reconnoitre/lib/file_helper.py +++ b/Reconnoitre/lib/file_helper.py @@ -121,7 +121,7 @@ def write_recommendations(results, ip_address, outputdir): for port in ports: port = port.split("/")[0] - description = ("[*] " + description = ("[*] " + j["services"][service]["description"]) print(description % {"ip": ip_address, "port": port}) f.write((description + "\n") % @@ -143,6 +143,7 @@ def write_recommendations(results, ip_address, outputdir): " portscan report and carefully read between the lines ;)") f.close() + def get_config_options(key, option): __location__ = os.path.realpath( os.path.join( diff --git a/Reconnoitre/lib/ping_sweeper.py b/Reconnoitre/lib/ping_sweeper.py index f372d62..6d2c660 100644 --- a/Reconnoitre/lib/ping_sweeper.py 
+++ b/Reconnoitre/lib/ping_sweeper.py @@ -23,7 +23,7 @@ def call_nmap_sweep(target_hosts): SWEEP = "nmap -n -sP %s" % (target_hosts) results = run_scan(SWEEP) - lines = str(results).encode("utf-8").split("\n") + lines = str(results).split("\n") return lines diff --git a/Reconnoitre/lib/service_scan.py b/Reconnoitre/lib/service_scan.py index 9918118..da59ea8 100644 --- a/Reconnoitre/lib/service_scan.py +++ b/Reconnoitre/lib/service_scan.py @@ -3,7 +3,7 @@ from Reconnoitre.lib.file_helper import check_directory from Reconnoitre.lib.file_helper import create_dir_structure -from Reconnoitre.lib.file_helper import get_config_options +from Reconnoitre.lib.file_helper import get_config_options from Reconnoitre.lib.file_helper import load_targets from Reconnoitre.lib.file_helper import write_recommendations from Reconnoitre.lib.subprocess_helper import run_scan diff --git a/Reconnoitre/lib/snmp_walk.py b/Reconnoitre/lib/snmp_walk.py index 22142df..21b8a99 100644 --- a/Reconnoitre/lib/snmp_walk.py +++ b/Reconnoitre/lib/snmp_walk.py @@ -70,8 +70,8 @@ def snmp_scans(ip_address, output_directory): " %s - Checking for System Processes" % (ip_address)) SCAN = ("snmpwalk -c public -v1 %s " - "1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % ( - ip_address, output_directory, ip_address)) + "1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % ( + ip_address, output_directory, ip_address)) try: run_scan(SCAN, stderr=subprocess.STDOUT) diff --git a/requirements.txt b/requirements.txt index 8194198..3288e92 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -requests=='*' +requests From a9b4fea75dd7e3dca2ad9bbfe089b800842408d4 Mon Sep 17 00:00:00 2001 From: Al Straumann Date: Tue, 1 Oct 2019 20:10:03 -0500 Subject: [PATCH 3/6] ENRYPOINT --- Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index ca335f3..d941b58 100644 --- a/Dockerfile +++ b/Dockerfile 
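Review bot: `lines = str(results).split("\n")` only works if `run_scan` already returns `str`; if it hands back `bytes` (cannot tell from this hunk, and the removed `.encode("utf-8")` call suggests the type has been unclear before), `str()` yields the repr `"b'...'"` with literal `\n` escape sequences and the split returns a single element. Decode explicitly and split on real line endings: `text = results.decode("utf-8", errors="replace") if isinstance(results, bytes) else str(results)` followed by `lines = text.splitlines()`. `call_nmap_sweep` starts outside the hunk.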
@@ -8,7 +8,6 @@ RUN git clone https://github.com/CrimsonK1ng/Reconnoitre.git recon WORKDIR /recon -RUN pip install requirements && python setup.py install - -ENTRYPOINT ["reconnoiter"] +RUN pip install -r requirements.txt && python setup.py install +ENTRYPOINT reconnoitre From 7a96111215dd1b502d7bedcc995f1bbcdfec4f58 Mon Sep 17 00:00:00 2001 From: Al Straumann Date: Tue, 1 Oct 2019 21:50:09 -0500 Subject: [PATCH 4/6] Use codingo repo --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d941b58..b5fed4d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM python:3.7 RUN apt-get update && \ apt-get install -y git nmap -RUN git clone https://github.com/CrimsonK1ng/Reconnoitre.git recon +RUN git clone https://github.com/codingo/Reconnoitre.git recon WORKDIR /recon From c14f30dc23f854ab7c90fd68ff806d5f90a53273 Mon Sep 17 00:00:00 2001 From: Al Straumann Date: Wed, 2 Oct 2019 17:02:17 -0500 Subject: [PATCH 5/6] arg unpacking for nested value retrieval --- Reconnoitre/lib/file_helper.py | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/Reconnoitre/lib/file_helper.py b/Reconnoitre/lib/file_helper.py index 0119de8..93068d9 100644 --- a/Reconnoitre/lib/file_helper.py +++ b/Reconnoitre/lib/file_helper.py @@ -144,7 +144,7 @@ def write_recommendations(results, ip_address, outputdir): f.close() -def get_config_options(key, option): +def get_config_options(key, *args): __location__ = os.path.realpath( os.path.join( os.getcwd(), @@ -161,13 +161,9 @@ def get_config_options(key, option): "%(outputdir)s")) res = j.get(key, None) + for arg in args: + res = res.get(arg, None) + if res is None: + raise KeyError - if res is None: - raise KeyError - - res2 = res.get(option, None) - - if res2 is None: - raise KeyError - - return res2 + return res From b477ad1fe90fd70b933be749685b815316ade0a8 Mon Sep 17 00:00:00 2001 
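Review bot: The new loop in `get_config_options` drops the `None` check that used to follow `j.get(key, None)`, so a missing top-level key now fails with `AttributeError: 'NoneType' object has no attribute 'get'` on the first iteration instead of `KeyError`, and when no `*args` are given a missing key returns `None` silently; an intermediate value that is not a mapping (a string or list in config.json) fails the same way. Walking the whole path uniformly and naming the failing hop in the error covers all three cases and replaces the message-less raise. The file read at the top of the function is unchanged and outside the hunk.

```python
def get_config_options(key, *args):
    # … unchanged: locate config.json, read it, json.loads into j …
    res = j
    for name in (key, *args):
        # every hop must be a mapping containing the next key; report which hop failed
        if not isinstance(res, dict) or name not in res:
            raise KeyError(f"config.json has no entry {name!r} (lookup path {(key, *args)!r})")
        res = res[name]
    return res
```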
From: Al Straumann Date: Wed, 2 Oct 2019 17:15:07 -0500 Subject: [PATCH 6/6] Update README with usage instructions for docker. Update dockerfile to contain snmp and nbtscan --- Dockerfile | 4 ++-- README.md | 22 ++++++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b5fed4d..03624f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM python:3.7 RUN apt-get update && \ - apt-get install -y git nmap + apt-get install -y git nmap snmp wget nbtscan RUN git clone https://github.com/codingo/Reconnoitre.git recon @@ -10,4 +10,4 @@ WORKDIR /recon RUN pip install -r requirements.txt && python setup.py install -ENTRYPOINT reconnoitre +ENTRYPOINT ["reconnoitre"] diff --git a/README.md b/README.md index d63af02..d52a1e3 100644 --- a/README.md +++ b/README.md 
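Review bot: The extended `apt-get install -y git nmap snmp wget nbtscan` layer still pulls recommended packages and leaves the apt lists in the image; `RUN apt-get update && apt-get install -y --no-install-recommends git nmap snmp wget nbtscan && rm -rf /var/lib/apt/lists/*` keeps the layer smaller and limits the binaries shipped to what the tool invokes. `wget` is added here but nothing visible in this Dockerfile uses it; if the tool does not need it at runtime, dropping it keeps the image's toolset minimal. The `python:3.7` base tag is also unpinned, so two builds of this file can differ without any change to it.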
@@ -128,3 +128,25 @@ reconnoitre -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --service This bare requirement for host and service scanning for this tool is to have both `nbtscan` and `nmap` installed. If you are not using host scanning and only wish to perform a ping sweep and service scan you can get away with only installing `nmap`. The outputted _findings.txt_ will often recommend additional tools which you may not have available in your distribution if not using Kali Linux. All requirements and recommendations are native to Kali Linux which is the recommended (although not required) distribution for using this tool. In addition to these requirements outputs will often refer to Wordlists that you may need to find. If you are undertaking OSCP these can be found in the "List of Recommended Tools" thread by g0tmilk. If not then you can find the majority of these online or already within a Kali Linux installation. + +# Dockerfile +First step is to install docker if you do not have it installed already. [Docker Installation](https://docs.docker.com/install/linux/docker-ce/ubuntu/) + +Basic Usage: + +``` +cd +docker build -t reconnoitre . + +docker run reconnoitre -o outputdir -t 127.0.0.1 +``` + +If you want files to exist locally you can mount a directory to the Docker container + +``` +cd +docker build -t reconnoitre . +mkdir /path/to/dir + +docker run -v /path/to/dir:/outputdir --services -o outputdir -t 127.0.0.1 +```