Reconnoitre: herramienta de enumeración automática para el OSCP

Codingo, un pentester australiano destacado por mantener NoSQLMap, tiene una herramienta multiproceso muy útil para automatizar las fases iniciales de enumeración contra una máquina "boot2root", es decir, una máquina vulnerable de un lab tipo OSCP. De hecho, fue desarrollada precisamente como herramienta de reconocimiento para los laboratorios OSCP para automatizar la recopilación de información y la enumeración de servicios mientras se crea una estructura de directorios para almacenar los resultados, hallazgos y exploits utilizados para cada host, así como sugerencias de otros comandos para ejecutar y estructuras de directorios para almacenar imágenes, otros ficheros y flags.

Las dependencias son Python 2.7 con el módulo SimpleJson, nmap, snmpwalk y nbtscan, además de las típicas wordlists para hacer dir fuzzing.

Instalación

git clone https://github.com/NoorQureshi/Reconnoitre && cd Reconnoitre
cd reconnoitre
python reconnoitre.py -h
# python reconnoitre.py -h
usage: reconnoitre.py [-h] -t TARGET_HOSTS -o OUTPUT_DIRECTORY [-w WORDLIST]
                      [-p PORT] [--pingsweep] [--dns] [--services]
                      [--hostnames] [--snmp] [--quick] [--virtualhosts]
                      [--ignore-http-codes IGNORE_HTTP_CODES]
                      [--ignore-content-length IGNORE_CONTENT_LENGTH]
                      [--quiet] [--exec] [--simple_exec]

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET_HOSTS       Set a target range of addresses to target. Ex
                        10.11.1.1-255
  -o OUTPUT_DIRECTORY   Set the output directory. Ex /root/Documents/labs/
  -w WORDLIST           Set the wordlist to use for generated commands. Ex
                        /usr/share/wordlist.txt
  -p PORT               Set the port to use. Leave blank to use discovered
                        ports. Useful to force virtual host scanning on non-
                        standard webserver ports.
  --pingsweep           Write a new target.txt by performing a ping sweep and
                        discovering live hosts.
  --dns                 Find DNS servers from a list of targets.
  --services            Perform service scan over targets.
  --hostnames           Attempt to discover target hostnames and write to
                        0-name.txt and hostnames.txt.
  --snmp                Perform service scan over targets.
  --quick               Move to the next target after performing a quick scan
                        and writing first-round recommendations.
  --virtualhosts        Attempt to discover virtual hosts using the specified
                        wordlist.
  --ignore-http-codes IGNORE_HTTP_CODES
                        Comma separated list of http codes to ignore with
                        virtual host scans.
  --ignore-content-length IGNORE_CONTENT_LENGTH
                        Ignore content lengths of specificed amount. This may
                        become useful when a server returns a static page on
                        every virtual host guess.
  --quiet               Supress banner and headers to limit to comma dilimeted
                        results only.
  --exec                Execute shell comamnds from recommendations as they
                        are discovered. Likely to lead to very long execute
                        times depending on the wordlist being used.
  --simple_exec         Execute non-brute forcing shell comamnds only as they
                        are discovered.

Ejemplos de uso

Descubrir los hosts vivos y hostnames dentro de un rango:

# python ./reconnoitre.py -t 10.10.10.1-254 -o /root/Documents/labs/ --pingsweep --hostnames

Descubrir los hosts vivos y hostnames dentro de un rango y hacer un reconocimiento rápido de los servicios:

# python ./reconnoitre.py -t 10.10.10.1-254 -o /root/Documents/labs/ --pingsweep --services --quick

Descubrir los hosts vivos y hostnames dentro de un rango y probar todos los puertos (TCP y UDP):

# python ./reconnoitre.py -t 10.10.10.1-254 -o /root/Documents/labs/ --pingsweep --services

Escanear un único host, crear una estructura de ficheros y descubrir servicios:

# python ./reconnoitre.py -t 192.168.1.5 -o /root/Documents/labs/ --services
  __
|"""\-=  RECONNOITRE
(____)      An OSCP scanner

[#] Performing service scans
[*] Loaded single target: 192.168.1.5
[+] Creating directory structure for 192.168.1.5
   [>] Creating scans directory at: /root/Documents/labs/192.168.1.5/scans
   [>] Creating exploit directory at: /root/Documents/labs/192.168.1.5/exploit
   [>] Creating loot directory at: /root/Documents/labs/192.168.1.5/loot
   [>] Creating proof file at: /root/Documents/labs/192.168.1.5/proof.txt
[+] Starting quick nmap scan for 192.168.1.5
[+] Writing findings for 192.168.1.5
   [>] Found HTTP service on 192.168.1.5:80
   [>] Found MS SMB service on 192.168.1.5:445
   [>] Found RDP service on 192.168.1.5:3389
[*] TCP quick scan completed for 192.168.1.5
[+] Starting detailed TCP/UDP nmap scans for 192.168.1.5
[+] Writing findings for 192.168.1.5
   [>] Found MS SMB service on 192.168.1.5:445
   [>] Found RDP service on 192.168.1.5:3389
   [>] Found HTTP service on 192.168.1.5:80
[*] TCP/UDP Nmap scans completed for 192.168.1.5

Que también escribe el siguiente archivo de recomendaciones en la carpeta de escaneos para cada objetivo:
[*] Found HTTP service on 192.168.1.50:80
   [>] Use nikto & dirb / dirbuster for service enumeration, e.g
      [=] nikto -h 192.168.1.50 -p 80 > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_nikto.txt
      [=] dirb http://192.168.1.50:80/ -o /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirb.txt -r -S -x ./dirb-extensions/php.ext
      [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirbuster.txt -u http://192.168.1.50:80/
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://192.168.1.50:80/ -s '200,204,301,302,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_common.txt -t 50 
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -u http://192.168.1.50:80/ -s '200,204,301,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_cgis.txt -t 50 
   [>] Use curl to retreive web headers and find host information, e.g
      [=] curl -i 192.168.1.50
      [=] curl -i 192.168.1.50/robots.txt -s | html2text
[*] Found MS SMB service on 192.168.1.5:445
   [>] Use nmap scripts or enum4linux for further enumeration, e.g
      [=] nmap -sV -Pn -vv -p445 --script="smb-* -oN '/root/Documents/labs/192.168.1.5/nmap/192.168.1.5_smb.nmap' -oX '/root/Documents/labs/192.168.1.5/scans/192.168.1.5_smb_nmap_scan_import.xml' 192.168.1.5
      [=] enum4linux 192.168.1.5
[*] Found RDP service on 192.168.1.5:3389
   [>] Use ncrackpassword cracking, e.g
      [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://192.168.1.5

Fuente: https://github.com/codingo/Reconnoitre

Comentarios