From e89168c5f65e19398673936d4bf10f7be6e740ea Mon Sep 17 00:00:00 2001
From: Al Straumann
Date: Sat, 5 Oct 2019 21:10:31 -0500
Subject: [PATCH 1/2] Add --scantype flag. Also add gobuster **dir** to other gobuster commands in config
---
 Reconnoitre/lib/config.json | 11 ++++++++--
 Reconnoitre/lib/core/input.py | 10 +++++++++
 Reconnoitre/lib/service_scan.py | 37 +++++++++++++++++++++++++++++++++
 Reconnoitre/reconnoitre.py | 8 ++++++-
 4 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/Reconnoitre/lib/config.json b/Reconnoitre/lib/config.json
index 5d80bb7..c7be8e4 100644
--- a/Reconnoitre/lib/config.json
+++ b/Reconnoitre/lib/config.json
@@ -5,6 +5,13 @@
 "dnsudpscan": "-vv -Pn --disable-arp-ping -A -sC -sU -T 4 --top-ports 200 --max-retries 0",
 "udpscan": "-sC -sV -sU -Pn --disable-arp-ping"
 },
+ "scans":{
+ "default": {
+ "description": "Default scan",
+ "commands" : [
+ ]
+ }
+ },
 "services": {
 "http/s": {
 "description": "Found HTTP/S service on $ip:$port",
@@ -37,8 +44,8 @@
 "commands": [
 "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt",
 "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt",
- "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'",
- "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'"
+ "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'",
+ "gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'"
 ]
 }
 ]
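Review bot: The new `scans.default` entry ships with an empty `commands` list, so `--scantype` given without an argument selects a scan that runs nothing and writes no output, and nothing in config.json says whether that is intended as a template or a placeholder. JSON has no comments, so the `description` value is the only place to record it, e.g. `"description": "Default scan (no commands configured; add your own here)"`. As far as the new `user_scan` in service_scan.py shows, only `$ip` and `$outputdir` are substituted for these entries, not `$port` as in the service commands above; that difference is worth stating in the README alongside the example.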
diff --git a/Reconnoitre/lib/core/input.py b/Reconnoitre/lib/core/input.py index 5407626..2aa63da 100644 --- a/Reconnoitre/lib/core/input.py +++ b/Reconnoitre/lib/core/input.py @@ -134,4 +134,14 @@ def setup_parser(): action="store_true", help="Disable UDP services scan over targets.", default=False) + + parser.add_argument("--scantype", + nargs="?", + dest="scantype", + const="default", + help='Use custom scantype defined in the ' + 'config.json \"scans\" json object. If ' + 'provide without arguments the default ' + 'will be used.') + return parser diff --git a/Reconnoitre/lib/service_scan.py b/Reconnoitre/lib/service_scan.py index da59ea8..298197a 100644 --- a/Reconnoitre/lib/service_scan.py +++ b/Reconnoitre/lib/service_scan.py @@ -1,5 +1,6 @@ import multiprocessing import socket +from subprocess import CalledProcessError from Reconnoitre.lib.file_helper import check_directory from Reconnoitre.lib.file_helper import create_dir_structure @@ -161,3 +162,39 @@ def service_scan( quiet, quick, no_udp_service_scan) + +def user_scan( + ip_address, + output_directory, + scan_type): + ip_address = ip_address.strip() + + print(f"[+] Starting scan with scan {scan_type} for {ip_address}") + try: + description = get_config_options('scans', scan_type, "description") + commands = get_config_options('scans', scan_type, "commands") + + + except KeyError as e: + print(e) + print(f"[!] Error extracting commands and description for {scan_type}") + + commandoutput = "" + + for command in commands: + try: + command = command.replace( + "$ip", + "%(ip)s").replace( + "$outputdir", + "%(outputdir)s") % { "ip": ip_address, + "outputdir": output_directory } + commandoutput += run_scan(command) + except CalledProcessError: + print(f"[!] Error running command: {command}") + + if commandoutput: + write_recommendations(commandoutput, ip_address, output_directory) + print(f"[*] Scan {scan_type} completed for {ip_address}") + + 
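Review bot: The help string for `--scantype` reads "If provide without arguments", and the escaped `\"scans\"` is unnecessary inside a single-quoted literal; suggest `help='Use a custom scan type defined in the "scans" object of config.json. '` followed by `'If given without an argument, the "default" scan is used.'`. With `nargs="?"` and `const="default"` but no `default=`, the attribute is `None` when the flag is absent, which is exactly what the `if arguments.scantype:` check in reconnoitre.py relies on; a one-line comment above the `add_argument` call (`# absent -> None, bare flag -> "default", otherwise the given name`) would stop the `const`/`default` distinction being misread later. The scan name is not validated against config.json at parse time, so a typo is only reported by `user_scan` after every other scan has run; if the config is loaded before parsing elsewhere in this module, `choices=` would give an earlier and clearer error.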
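Review bot: In `user_scan`, the `except KeyError` branch prints the error and falls through, so when `scan_type` is not present in config.json `commands` is never bound and the following `for command in commands:` raises `UnboundLocalError`; add `return` after the second `print(...)` in that branch, or re-raise so the caller sees the failure. `description` is fetched in the same `try` but never used, so either drop that lookup or include it in the start message. The `%`-formatting substitution fails on any configured command that contains a literal `%` (a URL-encoded path, for instance) with `ValueError` or `KeyError`; `command = command.replace("$ip", ip_address).replace("$outputdir", output_directory)` does the same job without that hazard. Whether `run_scan` raises `CalledProcessError` or returns a string is not visible in this hunk; if it returns `None` on failure, `commandoutput += run_scan(command)` raises `TypeError`, so that contract is worth confirming in a docstring on `user_scan` (purpose, the single-host `ip_address` argument, and that output is only written when at least one command produced text).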
diff --git a/Reconnoitre/reconnoitre.py b/Reconnoitre/reconnoitre.py index 6d3d6df..d1144e7 100644 --- a/Reconnoitre/reconnoitre.py +++ b/Reconnoitre/reconnoitre.py @@ -8,7 +8,7 @@ from .lib.find_dns import find_dns from .lib.hostname_scan import hostname_scan from .lib.ping_sweeper import ping_sweeper -from .lib.service_scan import service_scan +from .lib.service_scan import service_scan, user_scan from .lib.snmp_walk import snmp_walk from .lib.virtual_host_scanner import VirtualHostScanner @@ -135,6 +135,12 @@ def main(): arguments.wordlist) scanner.scan() + if arguments.scantype: + print(f"[#] Performing scan {arguments.scantype}") + user_scan(arguments.target_hosts, + arguments.output_directory, + arguments.scantype) + # Declare signal handler to immediately exit on KeyboardInterrupt def signal_handler(signal, frame): From e93ae5036f631e8334a41b0067a8cfb7e98d33d4 Mon Sep 17 00:00:00 2001 From: Al Straumann Date: Sat, 5 Oct 2019 21:14:45 -0500 Subject: [PATCH 2/2] Update readme for scan type --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.md b/README.md index d52a1e3..00335cd 100644 --- a/README.md +++ b/README.md 
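Review bot: `user_scan` is called with `arguments.target_hosts` unchanged, and the new function immediately does `ip_address.strip()` and substitutes that whole string for `$ip`, so it handles exactly one host per run; if `-t` accepts anything other than a single address here (a file, range or list — not visible in this hunk), the custom scan would silently run with the raw string instead of iterating targets, so either iterate here or state the single-host limitation in the `--scantype` help text. The collapsed layout hides the indentation of the new `if arguments.scantype:` block, so it is worth confirming it sits at the top level of `main()` rather than inside the preceding branch that ends with `scanner.scan()`. `main()` continues past the end of this hunk.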
@@ -150,3 +150,38 @@ mkdir /path/to/dir
 docker run -v /path/to/dir:/outputdir --services -o outputdir -t 127.0.0.1
 ```
+
+# Custom Scans
+
+You can specify custom scans that are not for specific services in the ```lib/config.json```.
+
+Example Default:
+```
+ "scans":{
+ "default": {
+ "description": "Default scan",
+ "commands" : [
+ ]
+ }
+ },
+```
+The above is the default scan type to be ran when executing ```reconnoitre --scantype -t 192.168.1.1 -o output```
+
+Example Custom:
+```
+ "scans":{
+ "default": {
+ "description": "Default scan",
+ "commands" : [
+ ]
+ },
+ "custom": {
+ "description": "New custom scan",
+ "commands" : [
+ "custom command 1",
+ "custom command 2"
+ ]
+ }
+ },
+```
+The above configuration will allow you to run the custom commands listed when executing ```reconnoitre --scantype custom -t 192.168.1.1 -o output```