Network Reconnaissance & Vulnerability Assessment Tool: ReconScan

Discussion in 'Penetration Testing' started by InfosecShinobi, Feb 18, 2017.

  1. The purpose of this project is to develop scripts that can be useful in the pentesting workflow, be it for VulnHub VMs, CTFs, hands-on certificates, or real-world targets.

    The project currently consists of two major components: a script invoking and aggregating the results of existing tools, and a second script for automated analysis of the aforementioned results from the perspective of exploitability.

    In terms of real-world pentesting, these scripts are not meant to replace commercial tools such as Nessus or Nexpose, but they can complement it nicely for finding the latest vulnerabilities and their PoC exploits.

    Network reconnaissance
    The recon.py script runs various open-source tools in order to enumerate the services on a host. Best run under Kali Linux or similar pentesting-oriented distribution with these tools preinstalled and preconfigured.

    The flow followed by the script is as follows:

    • Scan all TCP/UDP ports with nmap, service detection, minimal amount of scripts:
      • If there are unidentified services, try amap.
      • For identified software, run vulnerability analysis with vulnscan.py
      • For identified services, run further analysis:
        • HTTP(S): nmap with all http scripts, nikto, dirb
        • SMTP: nmap with all smtp scripts
        • FTP: nmap with all ftp scripts, hydra if requested
        • SMB: nmap with all smb scripts, enum4linux, samrdump
        • MSSQL: nmap with all mssql scripts
        • SSH: hydra if requested
        • SNMP: onesixtyone, snmpwalk
        • DNS: attempt zone transfer (axfr) with dig
    Results will be dumped into the results/$ip_address directory, with the $port_$service_$tool file naming scheme. The tools are mostly run simultaneously (unless one depends on the result of another) and the CLI output will be aggregated and tagged by the script, so you will see the progress and dirt found by each running script in real-time.

    Origin
    This script is inspired by Mike Czumak's Recon Scan, which he wrote during his OSCP exam. Many modifications can be found on GitHub, however, I wanted to write a script from scratch, familiarizing myself with each tool and their parameterization, instead of just reusing a bunch of scripts found scattered in various repositories, leaving me none the wiser.

    Usage
    usage: recon.py [-h] [-b] [-n] [-v] [-o OUTPUT] address [port] [service]

    positional arguments:
    address address of the host.
    port port of the service, if scanning only one port
    service type of the service, when port is specified

    optional arguments:
    -h, --help show this help message and exit
    -b, --bruteforce bruteforce credentials with hydra
    -n, --dry-run does not invoke commands
    -v, --verbose enable verbose output, repeat for more verbosity
    -o OUTPUT, --output OUTPUT
    output directory for the results

    Example run
    $ ./recon.py -v 192.168.1.84
    [*] Scanning host 192.168.1.84...
    [*] Running task nmap-tcp with nmap -v -sV -sC -T5 -p- -oN "results/192.168.1.84/0_tcp_nmap.txt" -oX "results/192.168.1.84/0_tcp_nmap.xml" 192.168.1.84
    [*] Running task nmap-udp with nmap -v -sV --version-intensity 0 -sC -sU -T5 -oN "results/192.168.1.84/0_udp_nmap.txt" -oX "results/192.168.1.84/0_udp_nmap.xml" 192.168.1.84
    [*] Service 22/tcp is ssh running OpenSSH version 4.7p1 Debian 8ubuntu1.2
    [*] Service 80/tcp is http running Apache httpd version 2.2.8
    [*] Service 137/udp is netbios-ns running Microsoft Windows netbios-ns
    [*] Service 139/tcp is netbios-ssn running Samba smbd version 3.X - 4.X
    [*] Service 445/tcp is netbios-ssn running Samba smbd version 3.0.28a
    [*] Starting scan of services...
    [*] Scanning service ssh on port 22/tcp...

    You can get it here https://github.com/RoliSoft/ReconScan
     
  2. thanks for sharing ..
     

Share This Page