 def Scan(self):
     """Run the initial nmap scan of the top TCP ports against ``self.target``.

     The command comes from the ``nmap.nmapTopTcpPorts`` template in
     ``~/.config/autorecon/config.yaml``, filled with the comma-separated port
     list from ``helper_lists.topPortsToScan().topTCP``.  The template is
     expected to carry ``-sC -sV`` (default safe scripts plus version
     detection), ``-Pn`` (skip host discovery) and a five-minute
     ``--script-timeout`` so a hung http script cannot stall the whole scan.
     Missing report directories are created, the command is printed and logged
     through ``RunCommands.loginator``, then executed.

     NOTE(review): the command string is executed with ``shell=True``, so
     ``self.target`` must already be validated by the caller (see validateIP()
     in main); nothing is escaped here.
     """
     target = self.target
     runner = run_commands.RunCommands(target)
     cfg = config_parser.CommandParser(
         os.path.join(os.path.expanduser("~"), ".config", "autorecon", "config.yaml"),
         target)
     for section, key in (("report", "reportDir"), ("report", "nmapDir")):
         directory = cfg.getPath(section, key)
         if not os.path.exists(directory):
             os.makedirs(directory)
     print(fg.cyan + "Running Nmap Top Open Ports" + fg.rs)
     ports = helper_lists.topPortsToScan().topTCP
     port_list = ",".join(str(p) for p in ports)
     nmap_command = cfg.getCmd("nmap", "nmapTopTcpPorts", topTcpPorts=port_list)
     prefix = f"[{fg.li_green}+{fg.rs}]"
     print(f"{prefix} {fg.li_green}{nmap_command}{fg.rs}")
     runner.loginator(nmap_command)
     call(nmap_command, shell=True)
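def main():
    """Entry point: map the parsed CLI arguments onto the enumeration helpers.

    Modes, chosen by which arguments are present and tested in this order:

    * ``-t`` only                 -> every function in the dispatch table,
                                     minus ``--ignore`` entries or limited to
                                     ``--service`` entries
    * ``-f`` only                 -> the same, once per IPv4 address in the
                                     file (one per line, blank lines skipped)
    * ``-t -w``                   -> web enumeration only; the top-ports nmap
                                     scan runs first unless its report exists
    * ``-t`` + FUZZ               -> fuzzing only
    * ``-t -b ssh|smb|ftp|http``  -> brute forcing (only ssh is wired up)

    Anything else prints EXAMPLES.  Every mode validates the target as a
    strict IPv4 address before any command is built, because the target is
    interpolated into shell command strings by the runner classes.

    Relies on the module-level banner, argument_parser, signal_handler,
    display_time, logger, EXAMPLES, bad_cmd, teal, reset, cwd and fg.
    """
    import ipaddress  # stdlib; kept local so the module import block is untouched

    signal.signal(signal.SIGINT, signal_handler)
    project_root = '/'.join(
        f"{os.path.dirname(os.path.realpath(__file__))}".split('/')[:-1])
    log_dir = f"{project_root}/log"
    if not os.path.exists(log_dir):
        os.makedirs(log_dir)
    logger.add(f"{log_dir}/debug.log",
               format="{time} {level} {message}",
               level="DEBUG")

    banner()
    args = argument_parser()
    startTimer = time.time()
    # Start time of the current target; reset per host when scanning a file.
    target_start = startTimer

    def reset_timer():
        """Restart the per-target clock (used once per host in -f mode)."""
        nonlocal target_start
        target_start = time.time()

    def check_timer():
        """Print how long the scans for the current args.target took."""
        elapsed = time.time() - target_start
        durationMSG = fg.cyan + f"Scans Completed for {args.target} in: " + fg.rs
        print(durationMSG, display_time(elapsed))

    def validateIP():
        """Exit unless args.target is a strict dotted-quad IPv4 address.

        The target is pasted into shell command strings by the runner
        classes, so the check has to be strict.  socket.inet_aton (used
        previously) is looser: it also accepts shorthand such as ``127.1``
        and, with glibc, stops at the first whitespace and ignores whatever
        follows it.
        """
        try:
            ipaddress.IPv4Address(args.target)
        except ValueError:  # AddressValueError is a ValueError subclass
            print("")
            print(f"{bad_cmd} Bad IP address")
            print("")
            sys.exit()

    def top_ports_report_exists():
        """True if a previous top-ports nmap report exists for args.target.

        os.path.exists does not expand ``~``; the unexpanded path was always
        reported missing, which silently re-ran the top-ports scan each time.
        """
        report = os.path.expanduser(
            f"~/.local/share/autorecon/reports/{args.target}/nmap/top-ports-{args.target}.nmap")
        return os.path.exists(report)

    def build_runners():
        """Return (RunWebCommands, RunCommands) bound to the current args.target.

        Both take the target at construction, so they must be rebuilt whenever
        args.target changes -- building them once up front, as before, bound
        every scan in -f mode to target None.
        """
        rwc = run_web_commands.RunWebCommands(args.target, args.web)
        rc = run_commands.RunCommands(args.target)
        return rwc, rc

    def ensure_top_ports(rc):
        """Run the top-ports scan unless its report is already on disk."""
        if not top_ports_report_exists():
            rc.scanTopTcpPorts()

    def select_funcs(rc):
        """Ordered list of rc methods for a full scan, honouring --ignore / --service."""
        funk_map = {
            "topports": rc.scanTopTcpPorts,
            "dns": rc.enumDNS,
            "http": rc.enumHTTP,
            "httpcms": rc.cmsEnum,
            "ssl": rc.enumHTTPS,
            "sslcms": rc.cmsEnumSSL,
            "sort_urls": rc.sortFoundUrls,
            "sort_proxy_urls": rc.sortFoundProxyUrls,
            "proxy": rc.proxyEnum,
            "proxycms": rc.proxyEnumCMS,
            "aquatone": rc.aquatone,
            "source": rc.checkSource,
            "smb": rc.enumSMB,
            "ldap": rc.enumLdap,
            "removecolor": rc.removeColor,
            "oracle": rc.enumOracle,
            "fulltcp": rc.fullTcpAndTopUdpScan,
            "ftpAnonDL": rc.ftpAnonymous,
            "remaining": rc.enumRemainingServices,
            "searchsploit": rc.searchSploits,
            "winrm": rc.winrmPwn,
            "peaceout": rc.peace,
        }
        if args.ignore:
            return [fn for name, fn in funk_map.items() if name not in args.ignore]
        if args.service:
            return [fn for name, fn in funk_map.items() if name in args.service]
        return list(funk_map.values())

    def sshUserBrute():
        """Helper Function to Call the SSHBRUTE option / Class"""
        sb = brute.Brute(args.target, args.brute, args.port)
        sb.SshUsersBrute()

    def sshSingleUserBrute():
        """Helper Function to Call the SSHBRUTE option / Class for a single specified username."""
        sb = brute.BruteSingleUser(args.target, args.brute, args.port,
                                   args.user)
        sb.SshSingleUserBrute()

    def sshSingleUserBruteCustom():
        """Helper Function to Call the SSHBRUTE option / Class for a single specified username With a custom PasswordList."""
        sb = brute.BruteSingleUserCustom(args.target, args.brute, args.port,
                                         args.user, args.PASSWORDS)
        sb.SshSingleUserBruteCustom()

    def sshMultipleUsersBruteCustom():
        """Helper Function to Call the SSHBRUTE option / Class for a username list With a custom PasswordList."""
        sb = brute.BruteMultipleUsersCustom(args.target, args.brute, args.port,
                                            args.USERS, args.PASSWORDS)
        sb.SshMultipleUsersBruteCustom()

    def full_scan():
        """Run every selected function against args.target, then strip colour codes."""
        validateIP()
        reset_timer()
        _, rc = build_runners()
        for func in select_funcs(rc):
            func()
        rc.removeColor()
        check_timer()

    def scan_file():
        """full_scan() for each address in args.file, one IPv4 address per line."""
        try:
            with open(args.file, "r") as ips:
                for line in ips:
                    target = line.strip()
                    if not target:
                        continue  # a blank line would otherwise abort the run in validateIP
                    args.target = target
                    full_scan()
        except FileNotFoundError as fnf_error:
            print(fnf_error)
            sys.exit()

    def web_scan():
        """-w: web enumeration only, after the top-ports scan if no report exists."""
        validateIP()
        reset_timer()
        rwc, rc = build_runners()
        ensure_top_ports(rc)
        rc.enumDNS()
        rwc.enumHTTP2()
        rc.cmsEnum()
        rwc.enumHTTPS2()
        rc.cmsEnumSSL()
        rc.removeColor()
        rc.aquatone()
        rc.checkSource()
        rc.peace()
        check_timer()

    def fuzz_scan():
        """FUZZ: run the fuzzer only."""
        validateIP()
        reset_timer()
        _, rc = build_runners()
        rc.fuzzinator()
        rc.removeColor()
        rc.peace()
        check_timer()

    def ssh_brute(rc):
        """Dispatch the SSH brute-force variants on user / USERS / PASSWORDS / port.

        The default-port and explicit-port paths used to be two copies that
        differed only in their messages; the default-port copy also had a
        print-only ``user is None and USERS`` branch that shadowed the USERS
        cases, so "username list + password list" never ran on port 22.  Both
        paths now share one dispatch.
        """
        default_port = args.port is None
        if default_port:
            args.port = "22"
        where = "" if default_port else f" on port, {args.port}"
        if args.user is None and args.PASSWORDS is None and args.USERS is None:
            if default_port:
                print(
                    f"{teal}Brute Forcing SSH usernames with wordlist: {cwd}/wordlists/usernames.txt on default SSH port,{reset} {args.port}"
                )
            else:
                print(
                    f"{teal}Brute Forcing SSH usernames on port,{reset} {args.port}"
                )
            ensure_top_ports(rc)
            sshUserBrute()
        elif args.user and args.PASSWORDS is None:
            print(
                f"Brute Forcing {args.user}'s password with default wordlist{where}"
            )
            sshSingleUserBrute()
        elif args.user and args.PASSWORDS:
            print(
                f"Brute Forcing username, {args.user} with password list, {args.PASSWORDS}{where}"
            )
            sshSingleUserBruteCustom()
        elif args.USERS and args.PASSWORDS is None:
            # Announced only: no helper for "username list + default password
            # list" exists in this file, same as before.
            print(
                f"Brute Forcing SSH with username list, {args.USERS} and default password list{where}"
            )
        elif args.USERS and args.PASSWORDS:
            print(
                f"Brute Forcing SSH with username list, {args.USERS} and password list, {args.PASSWORDS}{where}"
            )
            sshMultipleUsersBruteCustom()
        else:
            print(EXAMPLES)

    def brute_force():
        """-b handling.  The target is validated like in every other mode."""
        validateIP()
        _, rc = build_runners()
        if "ssh" in args.brute:
            ssh_brute(rc)
        elif "smb" in args.brute:
            if args.port is None:
                args.port = "445"
            print("ToDo: Impliment SMB brute forcing")
        elif "ftp" in args.brute:
            if args.port is None:
                args.port = "21"
            print("ToDo: Impliment FTP brute forcing")
        elif "http" in args.brute:
            if args.port is None:
                args.port = "80"
            print("ToDo: Impliment http brute forcing")
        else:
            print(EXAMPLES)

    # None of the brute-force-only options may be present in the scan modes.
    no_brute_opts = (args.port is None and args.user is None
                     and args.USERS is None and args.PASSWORDS is None)

    if (args.target and args.file is None and args.brute is None
            and no_brute_opts and not args.FUZZ and not args.web):
        full_scan()
    elif (args.file and args.target is None and args.brute is None
            and no_brute_opts and not args.FUZZ and not args.web):
        scan_file()
    elif (args.target and args.web and no_brute_opts
            and args.file is None and not args.FUZZ):
        web_scan()
    elif (args.target and args.FUZZ and no_brute_opts
            and args.file is None and not args.web):
        fuzz_scan()
    elif args.target and args.file is None and args.brute:
        brute_force()
    elif args.file and args.target:
        print(
            f"{bad_cmd} Cannot use -t {args.target} and -f {args.file} together"
        )
        print(EXAMPLES)
    else:
        print(EXAMPLES)

    time_elapsed = time.time() - startTimer
    durationMSG = fg.cyan + f"All Scans Completed in: " + fg.rs
    print(durationMSG, display_time(time_elapsed))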
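    def Scan(self):
        """Build the HTTPS/SSL enumeration command list into ``self.processes``.

        For every SSL port reported by nmap this queues Nikto, WhatWeb,
        WafW00f, a curl of robots.txt and (OS permitting) Dirsearch -- per
        discovered hostname when DNS enumeration found any usable ones,
        otherwise against the bare target.  If DnsEnum flagged heartbleed the
        heartbleed check is run right here rather than queued.  When nmap
        found no SSL ports nothing happens and ``self.processes`` is left
        untouched.

        Hostnames are data returned by the host under test.  The sibling Scan
        helpers execute their command strings with ``call(..., shell=True)``
        (presumably ``self.processes`` is run the same way), so a hostname is
        only interpolated into a command if it consists solely of hostname
        characters (letters, digits, ``.``, ``-``, ``_``); anything else is
        skipped with a message.  If every hostname is skipped the target-based
        commands are used instead.
        """
        import re  # stdlib; kept local so the module import block is untouched

        np = nmapParser.NmapParserFunk(self.target)
        np.openPorts()
        df = dnsenum.DnsEnum(self.target)
        df.GetHostNames()
        ssl_ports = np.ssl_ports
        system_type = np.os_system_type
        if not ssl_ports:
            return

        c = config_parser.CommandParser(
            f"{os.path.expanduser('~')}/.config/autorecon/config.yaml",
            self.target)
        for section, key in (("webSSL", "webSSLDir"), ("web", "aquatoneDir")):
            directory = c.getPath(section, key)
            if not os.path.exists(directory):
                os.makedirs(directory)
        print(fg.li_cyan + "Enumerating HTTPS/SSL Ports" + fg.rs)

        if df.heartbleed is True:
            rc = run_commands.RunCommands(self.target)
            be_mine = peaceout_banner.heartbleed(self.target)
            be_mine.bleedOut()
            for sslport in ssl_ports:
                heartbleed_cmd = c.getCmd("webSSL", "heartbleed", port=sslport)
                rc.loginator(heartbleed_cmd)
                call(heartbleed_cmd, shell=True)

        # Hostnames are attacker-controlled: keep only plain hostname
        # characters before they reach a shell command string.
        hostname_ok = re.compile(r"[A-Za-z0-9._-]+")
        hostnames = []
        for host in df.hostnames:
            if hostname_ok.fullmatch(host):
                hostnames.append(host)
            else:
                print(f"Skipping hostname with unexpected characters: {host!r}")

        def dirsearch_template(scope):
            """Dirsearch template name for *scope* ("Target" or "Host").

            Chosen from the nmap OS guess; returns None when the OS is
            recognised but is neither Windows nor Linux, in which case no
            dirsearch command is queued (unchanged behaviour).
            """
            if not system_type:
                return f"dirsearchSSL{scope}Dict"
            if system_type[0] == "Windows":
                return f"dirsearchSSL{scope}DictWindows"
            if system_type[0] == "Linux":
                return f"dirsearchSSL{scope}Dict"
            return None

        tools = ("niktoSSL", "whatwebSSL", "wafw00fSSL", "curlRobotsSSL")
        commands = []
        if not hostnames:
            for sslport in ssl_ports:
                for tool in tools:
                    commands.append(
                        c.getCmd("webSSL", tool + "Target", port=sslport))
                template = dirsearch_template("Target")
                if template:
                    commands.append(c.getCmd("webSSL", template, port=sslport))
        else:
            for sslport in ssl_ports:
                for host in hostnames:
                    for tool in tools:
                        commands.append(
                            c.getCmd("webSSL", tool + "Host", host=host, port=sslport))
                    template = dirsearch_template("Host")
                    if template:
                        commands.append(
                            c.getCmd("webSSL", template, host=host, port=sslport))

        self.processes = tuple(commands)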
 def cmdline(self, command):
     """Run *command* through the shell and return its captured stdout (bytes).

     The command is logged via ``RunCommands.loginator`` first because its
     output never reaches the terminal -- stdout is captured, not displayed.
     stderr is not captured and still goes to the terminal.
     ToDo: Log Dig's output to a file.

     NOTE(review): ``shell=True`` -- *command* must be assembled from trusted
     or validated pieces only; nothing is escaped here.
     """
     run_commands.RunCommands(self.target).loginator(command)
     with Popen(command, stdout=PIPE, shell=True) as proc:
         captured, _ = proc.communicate()
     return captured