Las dependencias son Python 2.7 con el módulo SimpleJson, nmap, snmpwalk y nbtscan, además de las típicas wordlists para hacer dir fuzzing.
Instalación
git clone https://github.com/NoorQureshi/Reconnoitre && cd Reconnoitre
cd reconnoitre
python reconnoitre.py -h
# python reconnoitre.py -h
usage: reconnoitre.py [-h] -t TARGET_HOSTS -o OUTPUT_DIRECTORY [-w WORDLIST]
[-p PORT] [--pingsweep] [--dns] [--services]
[--hostnames] [--snmp] [--quick] [--virtualhosts]
[--ignore-http-codes IGNORE_HTTP_CODES]
[--ignore-content-length IGNORE_CONTENT_LENGTH]
[--quiet] [--exec] [--simple_exec]
optional arguments:
-h, --help show this help message and exit
-t TARGET_HOSTS Set a target range of addresses to target. Ex
10.11.1.1-255
-o OUTPUT_DIRECTORY Set the output directory. Ex /root/Documents/labs/
-w WORDLIST Set the wordlist to use for generated commands. Ex
/usr/share/wordlist.txt
-p PORT Set the port to use. Leave blank to use discovered
ports. Useful to force virtual host scanning on non-
standard webserver ports.
--pingsweep Write a new target.txt by performing a ping sweep and
discovering live hosts.
--dns Find DNS servers from a list of targets.
--services Perform service scan over targets.
--hostnames Attempt to discover target hostnames and write to
0-name.txt and hostnames.txt.
--snmp Perform service scan over targets.
--quick Move to the next target after performing a quick scan
and writing first-round recommendations.
--virtualhosts Attempt to discover virtual hosts using the specified
wordlist.
--ignore-http-codes IGNORE_HTTP_CODES
Comma separated list of http codes to ignore with
virtual host scans.
--ignore-content-length IGNORE_CONTENT_LENGTH
Ignore content lengths of specificed amount. This may
become useful when a server returns a static page on
every virtual host guess.
--quiet Supress banner and headers to limit to comma dilimeted
results only.
--exec Execute shell comamnds from recommendations as they
are discovered. Likely to lead to very long execute
times depending on the wordlist being used.
--simple_exec Execute non-brute forcing shell comamnds only as they
are discovered.Ejemplos de uso
Descubrir los hosts vivos y hostnames dentro de un rango:
# python ./reconnoitre.py -t 10.10.10.1-254 -o /root/Documents/labs/ --pingsweep --hostnames
Descubrir los hosts vivos y hostnames dentro de un rango y hacer un reconocimiento rápido de los servicios:
# python ./reconnoitre.py -t 10.10.10.1-254 -o /root/Documents/labs/ --pingsweep --services --quick
Descubrir los hosts vivos y hostnames dentro de un rango y probar todos los puertos (TCP y UDP):
# python ./reconnoitre.py -t 10.10.10.1-254 -o /root/Documents/labs/ --pingsweep --services
Escanear un único host, crear una estructura de ficheros y descubrir servicios:
# python ./reconnoitre.py -t 192.168.1.5 -o /root/Documents/labs/ --services
__
|"""\-= RECONNOITRE
(____) An OSCP scanner
[#] Performing service scans
[*] Loaded single target: 192.168.1.5
[+] Creating directory structure for 192.168.1.5
[>] Creating scans directory at: /root/Documents/labs/192.168.1.5/scans
[>] Creating exploit directory at: /root/Documents/labs/192.168.1.5/exploit
[>] Creating loot directory at: /root/Documents/labs/192.168.1.5/loot
[>] Creating proof file at: /root/Documents/labs/192.168.1.5/proof.txt
[+] Starting quick nmap scan for 192.168.1.5
[+] Writing findings for 192.168.1.5
[>] Found HTTP service on 192.168.1.5:80
[>] Found MS SMB service on 192.168.1.5:445
[>] Found RDP service on 192.168.1.5:3389
[*] TCP quick scan completed for 192.168.1.5
[+] Starting detailed TCP/UDP nmap scans for 192.168.1.5
[+] Writing findings for 192.168.1.5
[>] Found MS SMB service on 192.168.1.5:445
[>] Found RDP service on 192.168.1.5:3389
[>] Found HTTP service on 192.168.1.5:80
[*] TCP/UDP Nmap scans completed for 192.168.1.5Que también escribe el siguiente archivo de recomendaciones en la carpeta de escaneos para cada objetivo:
[*] Found HTTP service on 192.168.1.50:80
[>] Use nikto & dirb / dirbuster for service enumeration, e.g
[=] nikto -h 192.168.1.50 -p 80 > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_nikto.txt
[=] dirb http://192.168.1.50:80/ -o /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirb.txt -r -S -x ./dirb-extensions/php.ext
[=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirbuster.txt -u http://192.168.1.50:80/
[=] gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://192.168.1.50:80/ -s '200,204,301,302,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_common.txt -t 50
[=] gobuster -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -u http://192.168.1.50:80/ -s '200,204,301,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_cgis.txt -t 50
[>] Use curl to retreive web headers and find host information, e.g
[=] curl -i 192.168.1.50
[=] curl -i 192.168.1.50/robots.txt -s | html2text
[*] Found MS SMB service on 192.168.1.5:445
[>] Use nmap scripts or enum4linux for further enumeration, e.g
[=] nmap -sV -Pn -vv -p445 --script="smb-* -oN '/root/Documents/labs/192.168.1.5/nmap/192.168.1.5_smb.nmap' -oX '/root/Documents/labs/192.168.1.5/scans/192.168.1.5_smb_nmap_scan_import.xml' 192.168.1.5
[=] enum4linux 192.168.1.5
[*] Found RDP service on 192.168.1.5:3389
[>] Use ncrackpassword cracking, e.g
[=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://192.168.1.5Fuente: https://github.com/codingo/Reconnoitre
Comentarios
Publicar un comentario