With organizations' digital footprints growing larger and larger, network recon and the enumeration of services available over the public internet has become a critical area in the security of an organization. And given the increased number of vulnerabilities and threats targeting web applications, performing automated recon and service enumeration is ever more important.
Fortunately, using open-source and free-to-use tools such as recon-ng has streamlined this process to the point of near-automation.
Today we'll take a look at AutoRecon, aimed at doing just that: automating your network recon and service enumeration methods.
- What is AutoRecon?
- Installing AutoRecon
- Analyzing the results
- Further understanding the results
What is AutoRecon?
AutoRecon is an open-source project built to perform network reconnaissance with automated service enumeration.
The advantage that AutoRecon provides over other information gathering and internet scanning tools is that it allows one to further process—and further act upon—information gathered directly within AutoRecon. This includes performing actions like Nmap as well as running the gathered data through other scanning tools, such as feroxbuster, sslscan, nbtscan, Nikto and more.
open ports, and SSL certificates from any company
Note: As its dependencies are easily available on KaliLinux, we suggest using AutoRecon on that distribution.
To begin with, ensure you have python3 and pip available.
Next, use Python pip to grab the latest version of AutoRecon and install it:
sudo python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git
Next, you'll need to install certain dependencies:
sudo apt install seclists curl enum4linux feroxbuster impacket-scripts nbtscan nikto nmap onesixtyone oscanner redis-tools smbclient smbmap snmp sslscan sipvicious tnscmd10g whatweb wkhtmltopdf
Run the command autorecon --help to determine whether it's been successfully installed:
Which should then give you the following output containing various options available in AutoRecon:
Getting started with AutoRecon is super simple—one can even run AutoRecon without any flags or options:
Replace domain.com with a domain name that you wish to scan.
Once the command has finished executing, it should then return the following output:
Analyzing the results
After a scan completes, AutoRecon saves the scan results in the "results" directory, inside of which a new subdirectory is created for every target being scanned by AutoRecon.
The results structure created by AutoRecon is as shown below:
results └── domain-name.here ├── exploit ├── loot ├── report │ ├── local.txt │ ├── notes.txt │ ├── proof.txt │ ├── report.md │ │ └── domain-name.here │ │ ├── Commands.md │ │ ├── Errors.md │ │ ├── Manual Commands.md │ │ ├── Patterns.md │ │ ├── Port Scans │ │ │ ├── PortScan - All TCP Ports.md │ │ │ ├── PortScan - Top 100 UDP Ports.md │ │ │ └── PortScan - Top TCP Ports.md │ │ └── Services │ │ ├── Service - tcp-22-ssh │ │ │ └── Nmap SSH.md │ │ ├── Service - tcp-443-http │ │ │ ├── Curl.md │ │ │ ├── Curl Robots.md │ │ │ ├── Directory Buster.md │ │ │ ├── Nmap HTTP.md │ │ │ ├── SSL Scan.md │ │ │ ├── whatweb.md │ │ │ └── wkhtmltoimage.md │ │ └── Service - tcp-80-http │ │ ├── Curl.md │ │ ├── Curl Robots.md │ │ ├── Directory Buster.md │ │ ├── Nmap HTTP.md │ │ ├── whatweb.md │ │ └── wkhtmltoimage.md │ └── screenshots └── scans ├── _commands.log ├── _errors.log ├── _full_tcp_nmap.txt ├── _manual_commands.txt ├── _patterns.log ├── _quick_tcp_nmap.txt ├── tcp22 │ ├── tcp_22_ssh_nmap.txt │ └── xml │ └── tcp_22_ssh_nmap.xml ├── tcp443 │ ├── tcp_443_https_curl.html │ ├── tcp_443_https_feroxbuster_big.txt │ ├── tcp_443_https_feroxbuster_common.txt │ ├── tcp_443_https_feroxbuster_raft-large-words.txt │ ├── tcp_443_https_nmap.txt │ ├── tcp_443_https_screenshot.png │ ├── tcp_443_https_whatweb.txt │ ├── tcp_443_sslscan.html │ └── xml │ └── tcp_443_https_nmap.xml ├── tcp80 │ ├── tcp_80_http_curl.html │ ├── tcp_80_http_curl-robots.txt │ ├── tcp_80_http_feroxbuster_big.txt │ ├── tcp_80_http_feroxbuster_common.txt │ ├── tcp_80_http_feroxbuster_raft-large-words.txt │ ├── tcp_80_http_nmap.txt │ ├── tcp_80_http_screenshot.png │ ├── tcp_80_http_whatweb.txt │ └── xml │ └── tcp_80_http_nmap.xml ├── _top_100_udp_nmap.txt └── xml ├── _full_tcp_nmap.xml ├── _quick_tcp_nmap.xml └── _top_100_udp_nmap.xml
- The exploit directory is used to store any exploit code you run for the target being scanned.
- The loot directory is intended to store any hashes or notable files you find on the target you're scanning.
- The report directory contains reports of the scan performed by AutoRecon; files are generated as follows:
- local.txt can be used to store the local.txt flag found on targets.
- notes.txt should contain a basic template where you can write notes for each service discovered.
- proof.txt can be used to store the proof.txt flag found on the target.
- The screenshots directory is used to store any screenshots you use to document the exploitation of the target.
- The scans directory is where all results from scans performed by AutoRecon will go. This includes all commands executed by AutoRecon and whether any commands failed or succeeded as well.
- The scans/XML directory stores scan data results in XML format (from Nmap, etc.) which can be used to easily import scan results data into other software for further processing or storing.
Further understanding the results
Finding the webserver version
With the output we gather from AutoRecon, one can find the version of the webserver running on the target system as well. Most web servers expose their name and version by default; for example, from the Nmap output:
PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 55 nginx 1.14.0 (Ubuntu)
This tells us the webserver running on the target being scanned is Nginx 1.14.0.
Detecting operating systems
Looking even further with the output we've gathered above, the webserver often exposes the operating system or operating system family, too. Also, as shown above, we can see the target being scanned runs on Ubuntu.
Gathering screenshots along the way
Often, web application screenshots can tell a lot—they can expose/display errors, find web applications running on non-standard ports, show outdated running web applications, and more. AutoRecon gathers screenshots for any ports it discovers along the way.
These screenshots can be found under the path: results/DOMAIN.NAME/scans/tcpPORT
This allows one to efficiently streamline their process. Usually, one would identify open ports, then run through another tool to gather screenshots. AutoRecon, however, does this for you automatically.
AutoRecon proves to be an excellent tool for performing network reconnaissance with the automated enumeration of services. Combined with its ability to further process gathered data with other useful tools including feroxbuster, sslscan, nbtscan, and Nikto, the number of use cases for AutoRecon increases greatly.
AutoRecon also provides scan results data in the XML format, allowing for scan results to be processed to a greater extent while making logging into databases even simpler.