#!/usr/bin/env python
###############################################################################################################
## [Title]: reconscan.py -- a recon/enumeration script
## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed remotely against a list of IPs to enumerate discovered services such
## as smb, smtp, snmp, ftp and others.
##-------------------------------------------------------------------------------------------------------------
## [Warning]:
## This script comes as-is with no promise of functionality or accuracy. I strictly wrote it for personal use.
## I have no plans to maintain updates; I did not write it to be efficient, and in some cases you may find the
## functions may not produce the desired results so use at your own risk/discretion. I wrote this script to
## target machines in a lab environment so please only use it against systems for which you have permission!!
##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
###############################################################################################################
import subprocess
import multiprocessing
from multiprocessing import Process, Queue
import os
import time
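def multProc(targetin, scanip, port):
    """Run ``targetin(scanip, port)`` in a child process and return at once.

    Args:
        targetin: enumeration function to execute (e.g. httpEnum).
        scanip: target address, passed through as the first argument.
        port: port string, passed through as the second argument.

    Returns:
        None. The child is started but never joined, so the caller does not
        wait for it; this matches the original fire-and-forget design.
    """
    # The original kept an unused local ``jobs`` list that nothing read; dropped.
    worker = multiprocessing.Process(target=targetin, args=(scanip, port))
    worker.start()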
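def dnsEnum(ip_address, port):
    """Launch ./dnsrecon.py against *ip_address* when DNS was found on port 53.

    Args:
        ip_address: target address.
        port: port string parsed from the nmap output; only "53" triggers the scan.

    Returns:
        None. Any other port prints a warning and is skipped, mirroring smtpEnum.
    """
    print("INFO: Detected DNS on " + ip_address + ":" + port)
    if port.strip() == "53":
        # Argument list rather than a shell string: ip_address originates from the
        # targets file / scan output and must not be interpreted by a shell.
        subprocess.call(["./dnsrecon.py", ip_address])
    else:
        print("WARNING: DNS detected on non-standard port, dnsrecon skipped (must run manually)")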
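def httpEnum(ip_address, port):
    """Run the nmap http script scan, then ./dirbust.py, against http://ip:port.

    Args:
        ip_address: target address (also used to name the -oN output file).
        port: TCP port string to scan.

    Raises:
        subprocess.CalledProcessError: if nmap exits non-zero (check_output semantics).

    Returns:
        None. nmap's stdout is captured and discarded; the report goes to the -oN file.
    """
    print("INFO: Detected http on " + ip_address + ":" + port)
    print("INFO: Performing nmap web script scan for " + ip_address + ":" + port)
    nmap_cmd = [
        "nmap", "-sV", "-Pn", "-vv", "-p", port,
        "--script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-email-harvest,http-methods,http-method-tamper,http-passwd,http-robots.txt",
        "-oN", "/root/scripts/recon_enum/results/exam/%s_http.nmap" % ip_address,
        ip_address,
    ]
    # Argument lists rather than shell strings: address and port originate from the
    # targets file / scan output and must not be interpreted by a shell.
    subprocess.check_output(nmap_cmd)
    dirbust_cmd = ["./dirbust.py", "http://%s:%s" % (ip_address, port), ip_address]
    subprocess.call(dirbust_cmd)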
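def httpsEnum(ip_address, port):
    """Run the nmap http script scan, then ./dirbust.py, against https://ip:port.

    Args:
        ip_address: target address (also used to name the -oX output file).
        port: TCP port string to scan.

    Raises:
        subprocess.CalledProcessError: if nmap exits non-zero (check_output semantics).

    Returns:
        None. nmap's stdout is captured and discarded; the XML report goes to the
        -oX file (note the file keeps the ``.nmap`` suffix, unlike httpEnum's -oN).
    """
    print("INFO: Detected https on " + ip_address + ":" + port)
    print("INFO: Performing nmap web script scan for " + ip_address + ":" + port)
    nmap_cmd = [
        "nmap", "-sV", "-Pn", "-vv", "-p", port,
        "--script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-email-harvest,http-methods,http-method-tamper,http-passwd,http-robots.txt",
        "-oX", "/root/scripts/recon_enum/results/exam/%s_https.nmap" % ip_address,
        ip_address,
    ]
    # Argument lists rather than shell strings: address and port originate from the
    # targets file / scan output and must not be interpreted by a shell.
    subprocess.check_output(nmap_cmd)
    dirbust_cmd = ["./dirbust.py", "https://%s:%s" % (ip_address, port), ip_address]
    subprocess.call(dirbust_cmd)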
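def mssqlEnum(ip_address, port):
    """Run the nmap ms-sql script scan against *ip_address*:*port*.

    Args:
        ip_address: target address (also used to name the -oX output file).
        port: TCP port string to scan.

    Raises:
        subprocess.CalledProcessError: if nmap exits non-zero (check_output semantics).

    Returns:
        None. The output path is relative (results/exam/nmap/...), unlike the
        absolute /root/scripts/... paths the other scans write to.
    """
    print("INFO: Detected MS-SQL on " + ip_address + ":" + port)
    print("INFO: Performing nmap mssql script scan for " + ip_address + ":" + port)
    nmap_cmd = [
        "nmap", "-vv", "-sV", "-Pn", "-p", port,
        "--script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes",
        "--script-args=mssql.instance-port=1433,smsql.username-sa,mssql.password-sa",
        "-oX", "results/exam/nmap/%s_mssql.xml" % ip_address,
        ip_address,
    ]
    # Argument list rather than a shell string: address and port originate from the
    # targets file / scan output and must not be interpreted by a shell.
    subprocess.check_output(nmap_cmd)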
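def sshEnum(ip_address, port):
    """Launch ./sshrecon.py against *ip_address* on *port*.

    Args:
        ip_address: target address.
        port: TCP port string, forwarded to the helper script.

    Returns:
        None.
    """
    print("INFO: Detected SSH on " + ip_address + ":" + port)
    # Argument list rather than a shell string: address and port originate from the
    # targets file / scan output and must not be interpreted by a shell.
    subprocess.call(["./sshrecon.py", ip_address, port])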
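def snmpEnum(ip_address, port):
    """Launch ./snmprecon.py against *ip_address*.

    Args:
        ip_address: target address.
        port: port string; only printed, the helper script is not given it.

    Returns:
        None.
    """
    print("INFO: Detected snmp on " + ip_address + ":" + port)
    # Argument list rather than a shell string: ip_address originates from the
    # targets file / scan output and must not be interpreted by a shell.
    subprocess.call(["./snmprecon.py", ip_address])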
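def smtpEnum(ip_address, port):
    """Launch ./smtprecon.py against *ip_address* when SMTP was found on port 25.

    Args:
        ip_address: target address.
        port: port string parsed from the nmap output; only "25" triggers the scan.

    Returns:
        None. Any other port prints a warning and is skipped.
    """
    print("INFO: Detected smtp on " + ip_address + ":" + port)
    if port.strip() == "25":
        # Argument list rather than a shell string: ip_address originates from the
        # targets file / scan output and must not be interpreted by a shell.
        subprocess.call(["./smtprecon.py", ip_address])
    else:
        print("WARNING: SMTP detected on non-standard port, smtprecon skipped (must run manually)")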
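def smbEnum(ip_address, port):
    """Launch ./smbrecon.py against *ip_address* when SMB was found on port 445.

    Args:
        ip_address: target address.
        port: port string parsed from the nmap output; only "445" triggers the scan.

    Returns:
        None. Any other port prints a warning and is skipped, mirroring smtpEnum.
        The helper's stderr is discarded (the original's ``2>/dev/null``).
    """
    print("INFO: Detected SMB on " + ip_address + ":" + port)
    if port.strip() == "445":
        # Argument list plus an explicit stderr sink instead of a shell string with
        # a redirect: ip_address originates from the targets file / scan output
        # and must not be interpreted by a shell.
        with open(os.devnull, "w") as devnull:
            subprocess.call(["./smbrecon.py", ip_address], stderr=devnull)
    else:
        print("WARNING: SMB detected on non-standard port, smbrecon skipped (must run manually)")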
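def ftpEnum(ip_address, port):
    """Launch ./ftprecon.py against *ip_address* on *port*.

    Args:
        ip_address: target address.
        port: TCP port string, forwarded to the helper script.

    Returns:
        None.
    """
    print("INFO: Detected ftp on " + ip_address + ":" + port)
    # Argument list rather than a shell string: address and port originate from the
    # targets file / scan output and must not be interpreted by a shell.
    subprocess.call(["./ftprecon.py", ip_address, port])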
def nmapScan(ip_address):
    """Run the full TCP and top-200 UDP nmap scans for one host, then fan out.

    Only the TCP output (``results``) is parsed: lines containing "tcp" and
    "open" but not "Discovered" are split on spaces, column 0 (port/proto) is
    grouped under column 2 (service name) in ``serv_dict``, and each service
    is dispatched to its *Enum function through multProc (child processes are
    never joined). ``udpresults`` is captured but never read.

    Args:
        ip_address: target address; surrounding whitespace is stripped first.

    Raises:
        subprocess.CalledProcessError: if either nmap run exits non-zero.

    Returns:
        None.
    """
    ip_address = ip_address.strip()
    print "INFO: Running general TCP/UDP nmap scans for " + ip_address
    serv_dict = {}
    # Both commands are shell strings with ip_address interpolated; ip_address
    # comes from the targets file, so that file must be trusted (no quoting here).
    TCPSCAN = "nmap -vv -Pn -A -sC -sS -T 4 -p- -oN '/root/scripts/recon_enum/results/exam/%s.nmap' -oX '/root/scripts/recon_enum/results/exam/nmap/%s_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address)
    UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 -oN '/root/scripts/recon_enum/results/exam/%sU.nmap' -oX '/root/scripts/recon_enum/results/exam/nmap/%sU_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address)
    results = subprocess.check_output(TCPSCAN, shell=True)
    udpresults = subprocess.check_output(UDPSCAN, shell=True)
    lines = results.split("\n")
    for line in lines:
        ports = []
        line = line.strip()
        if ("tcp" in line) and ("open" in line) and not ("Discovered" in line):
            # NOTE(review): as rendered this replaces a single space with a single
            # space, so the loop only exits when the line has no spaces at all;
            # presumably meant to collapse double spaces to one — confirm against
            # the original file.
            while " " in line:
                line = line.replace(" ", " ");
            linesplit= line.split(" ")
            service = linesplit[2] # grab the service name
            port = line.split(" ")[0] # grab the port/proto
            if service in serv_dict:
                ports = serv_dict[service] # if the service is already in the dict, grab the port list
            ports.append(port)
            serv_dict[service] = ports # add service to the dictionary along with the associated port(s)
    # go through the service dictionary to call additional targeted enumeration functions
    # (port strings are "port/proto"; the proto suffix is dropped before dispatch)
    for serv in serv_dict:
        ports = serv_dict[serv]
        if (serv == "http"):
            for port in ports:
                port = port.split("/")[0]
                multProc(httpEnum, ip_address, port)
        elif (serv == "ssl/http") or ("https" in serv):
            for port in ports:
                port = port.split("/")[0]
                multProc(httpsEnum, ip_address, port)
        elif "ssh" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(sshEnum, ip_address, port)
        elif "smtp" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(smtpEnum, ip_address, port)
        elif "snmp" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(snmpEnum, ip_address, port)
        elif ("domain" in serv):
            for port in ports:
                port = port.split("/")[0]
                multProc(dnsEnum, ip_address, port)
        elif ("ftp" in serv):
            for port in ports:
                port = port.split("/")[0]
                multProc(ftpEnum, ip_address, port)
        elif "microsoft-ds" in serv:
            for port in ports:
                port = port.split("/")[0]
                multProc(smbEnum, ip_address, port)
        elif "ms-sql" in serv:
            # NOTE(review): this branch dispatches to httpEnum; mssqlEnum is
            # defined above but never called from here — confirm intent.
            for port in ports:
                port = port.split("/")[0]
                multProc(httpEnum, ip_address, port)
    print "INFO: TCP/UDP Nmap scans completed for " + ip_address
    return
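# grab the discovery scan results and start scanning the live hosts
print("############################################################")
print("#### RECON SCAN ####")
print("#### A multi-process service scanner ####")
print("#### http, ftp, dns, ssh, snmp, smtp, ms-sql ####")
print("############################################################")
if __name__ == '__main__':
    # CHANGE THIS!! grab the alive hosts from the discovery scan for enum.
    # ``with`` guarantees the file is closed even if starting a process fails
    # (the original closed it only after a fully successful loop).
    with open('results/exam/targets.txt', 'r') as f:
        for scanip in f:
            # One nmapScan process per target line (nmapScan strips the newline).
            # Processes are started but never joined, as in multProc; the
            # interpreter waits for them at exit.
            p = multiprocessing.Process(target=nmapScan, args=(scanip,))
            p.start()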