Packages and Binaries:

autorecon

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.

Installed size: 1.23 MB
How to install: sudo apt install autorecon

Dependencies:
  • curl
  • dirb
  • dirsearch
  • dnsrecon
  • enum4linux
  • enum4linux-ng
  • ffuf
  • gobuster
  • impacket-scripts
  • nbtscan
  • nikto
  • nmap
  • onesixtyone
  • oscanner
  • python3
  • python3-appdirs
  • python3-colorama
  • python3-impacket
  • python3-psutil
  • python3-requests
  • python3-toml
  • python3-unidecode
  • redis-tools
  • seclists
  • sipvicious
  • smbclient
  • smbmap
  • snmp
  • sslscan
  • tnscmd10g
  • whatweb
  • wkhtmltopdf
autorecon
root@kali:~# autorecon -h
usage: autorecon [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS]
                 [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE]
                 [--tags TAGS] [--exclude-tags TAGS] [--port-scans PLUGINS]
                 [--service-scans PLUGINS] [--reports PLUGINS]
                 [--plugins-dir PLUGINS_DIR] [--add-plugins-dir PLUGINS_DIR]
                 [-l [TYPE]] [-o OUTPUT] [--single-target] [--only-scans-dir]
                 [--no-port-dirs] [--heartbeat HEARTBEAT] [--timeout TIMEOUT]
                 [--target-timeout TARGET_TIMEOUT]
                 [--nmap NMAP | --nmap-append NMAP_APPEND] [--proxychains]
                 [--disable-sanity-checks] [--disable-keyboard-control]
                 [--force-services SERVICE [SERVICE ...]]
                 [-mpti PLUGIN:NUMBER [PLUGIN:NUMBER ...]]
                 [-mpgi PLUGIN:NUMBER [PLUGIN:NUMBER ...]] [--accessible] [-v]
                 [--version] [--curl.path VALUE]
                 [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}]
                 [--dirbuster.wordlist VALUE [VALUE ...]]
                 [--dirbuster.threads VALUE] [--dirbuster.ext VALUE]
                 [--dirbuster.recursive] [--dirbuster.extras VALUE]
                 [--enum4linux.tool {enum4linux-ng,enum4linux}]
                 [--onesixtyone.community-strings VALUE]
                 [--subdomain-enum.domain VALUE]
                 [--subdomain-enum.wordlist VALUE [VALUE ...]]
                 [--subdomain-enum.threads VALUE]
                 [--vhost-enum.hostname VALUE]
                 [--vhost-enum.wordlist VALUE [VALUE ...]]
                 [--vhost-enum.threads VALUE] [--wpscan.api-token VALUE]
                 [--global.username-wordlist VALUE]
                 [--global.password-wordlist VALUE] [--global.domain VALUE]
                 [-h]
                 [targets ...]

Network reconnaissance tool to port scan and automatically enumerate services
found on multiple targets.

positional arguments:
  targets               IP addresses (e.g. 10.0.0.1), CIDR notation (e.g.
                        10.0.0.1/24), or resolvable hostnames (e.g. foo.bar)
                        to scan.

options:
  -t TARGET_FILE, --target-file TARGET_FILE
                        Read targets from file.
  -p PORTS, --ports PORTS
                        Comma separated list of ports / port ranges to scan.
                        Specify TCP/UDP ports by prepending list with T:/U: To
                        scan both TCP/UDP, put port(s) at start or specify B:
                        e.g. 53,T:21-25,80,U:123,B:123. Default: None
  -m MAX_SCANS, --max-scans MAX_SCANS
                        The maximum number of concurrent scans to run.
                        Default: 50
  -mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS
                        The maximum number of concurrent port scans to run.
                        Default: 10 (approx 20% of max-scans unless specified)
  -c CONFIG_FILE, --config CONFIG_FILE
                        Location of AutoRecon's config file. Default:
                        /root/.config/AutoRecon/config.toml
  -g GLOBAL_FILE, --global-file GLOBAL_FILE
                        Location of AutoRecon's global file. Default:
                        /root/.config/AutoRecon/global.toml
  --tags TAGS           Tags to determine which plugins should be included.
                        Separate tags by a plus symbol (+) to group tags
                        together. Separate groups with a comma (,) to create
                        multiple groups. For a plugin to be included, it must
                        have all the tags specified in at least one group.
                        Default: default
  --exclude-tags TAGS   Tags to determine which plugins should be excluded.
                        Separate tags by a plus symbol (+) to group tags
                        together. Separate groups with a comma (,) to create
                        multiple groups. For a plugin to be excluded, it must
                        have all the tags specified in at least one group.
                        Default: None
  --port-scans PLUGINS  Override --tags / --exclude-tags for the listed
                        PortScan plugins (comma separated). Default: None
  --service-scans PLUGINS
                        Override --tags / --exclude-tags for the listed
                        ServiceScan plugins (comma separated). Default: None
  --reports PLUGINS     Override --tags / --exclude-tags for the listed Report
                        plugins (comma separated). Default: None
  --plugins-dir PLUGINS_DIR
                        The location of the plugins directory. Default:
                        /root/.local/share/AutoRecon/plugins
  --add-plugins-dir PLUGINS_DIR
                        The location of an additional plugins directory to add
                        to the main one. Default: None
  -l [TYPE], --list [TYPE]
                        List all plugins or plugins of a specific type. e.g.
                        --list, --list port, --list service
  -o OUTPUT, --output OUTPUT
                        The output directory for results. Default: results
  --single-target       Only scan a single target. A directory named after the
                        target will not be created. Instead, the directory
                        structure will be created within the output directory.
                        Default: False
  --only-scans-dir      Only create the "scans" directory for results. Other
                        directories (e.g. exploit, loot, report) will not be
                        created. Default: False
  --no-port-dirs        Don't create directories for ports (e.g. scans/tcp80,
                        scans/udp53). Instead store all results in the "scans"
                        directory itself. Default: False
  --heartbeat HEARTBEAT
                        Specifies the heartbeat interval (in seconds) for scan
                        status messages. Default: 60
  --timeout TIMEOUT     Specifies the maximum amount of time in minutes that
                        AutoRecon should run for. Default: None
  --target-timeout TARGET_TIMEOUT
                        Specifies the maximum amount of time in minutes that a
                        target should be scanned for before abandoning it and
                        moving on. Default: None
  --nmap NMAP           Override the {nmap_extra} variable in scans. Default:
                        -vv --reason -Pn -T4
  --nmap-append NMAP_APPEND
                        Append to the default {nmap_extra} variable in scans.
                        Default:
  --proxychains         Use if you are running AutoRecon via proxychains.
                        Default: False
  --disable-sanity-checks
                        Disable sanity checks that would otherwise prevent the
                        scans from running. Default: False
  --disable-keyboard-control
                        Disables keyboard control ([s]tatus, Up, Down) if you
                        are in SSH or Docker.
  --force-services SERVICE [SERVICE ...]
                        A space separated list of services in the following
                        style: tcp/80/http tcp/443/https/secure
  -mpti PLUGIN:NUMBER [PLUGIN:NUMBER ...], --max-plugin-target-instances PLUGIN:NUMBER [PLUGIN:NUMBER ...]
                        A space separated list of plugin slugs with the max
                        number of instances (per target) in the following
                        style: nmap-http:2 dirbuster:1. Default: None
  -mpgi PLUGIN:NUMBER [PLUGIN:NUMBER ...], --max-plugin-global-instances PLUGIN:NUMBER [PLUGIN:NUMBER ...]
                        A space separated list of plugin slugs with the max
                        number of global instances in the following style:
                        nmap-http:2 dirbuster:1. Default: None
  --accessible          Attempts to make AutoRecon output more accessible to
                        screenreaders. Default: False
  -v, --verbose         Enable verbose output. Repeat for more verbosity.
  --version             Prints the AutoRecon version and exits.
  -h, --help            Show this help message and exit.

plugin arguments:
  These are optional arguments for certain plugins.

  --curl.path VALUE     The path on the web server to curl. Default: /
  --dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}
                        The tool to use for directory busting. Default:
                        feroxbuster
  --dirbuster.wordlist VALUE [VALUE ...]
                        The wordlist(s) to use when directory busting.
                        Separate multiple wordlists with spaces. Default: ['/r
                        oot/.local/share/AutoRecon/wordlists/dirbuster.txt']
  --dirbuster.threads VALUE
                        The number of threads to use when directory busting.
                        Default: 10
  --dirbuster.ext VALUE
                        The extensions you wish to fuzz (no dot, comma
                        separated). Default: txt,html,php,asp,aspx,jsp
  --dirbuster.recursive
                        Enables recursive searching (where available).
                        Warning: This may cause significant increases to scan
                        times. Default: False
  --dirbuster.extras VALUE
                        Any extra options you wish to pass to the tool when it
                        runs. e.g. --dirbuster.extras='-s 200,301 --discover-
                        backup'
  --enum4linux.tool {enum4linux-ng,enum4linux}
                        The tool to use for doing Windows and Samba
                        enumeration. Default: enum4linux-ng
  --onesixtyone.community-strings VALUE
                        The file containing a list of community strings to
                        try. Default:
                        /usr/share/seclists/Discovery/SNMP/common-snmp-
                        community-strings-onesixtyone.txt
  --subdomain-enum.domain VALUE
                        The domain to use as the base domain (e.g.
                        example.com) for subdomain enumeration. Default: None
  --subdomain-enum.wordlist VALUE [VALUE ...]
                        The wordlist(s) to use when enumerating subdomains.
                        Separate multiple wordlists with spaces. Default:
                        ['/usr/share/seclists/Discovery/DNS/subdomains-
                        top1million-110000.txt']
  --subdomain-enum.threads VALUE
                        The number of threads to use when enumerating
                        subdomains. Default: 10
  --vhost-enum.hostname VALUE
                        The hostname to use as the base host (e.g.
                        example.com) for virtual host enumeration. Default:
                        None
  --vhost-enum.wordlist VALUE [VALUE ...]
                        The wordlist(s) to use when enumerating virtual hosts.
                        Separate multiple wordlists with spaces. Default:
                        ['/usr/share/seclists/Discovery/DNS/subdomains-
                        top1million-110000.txt']
  --vhost-enum.threads VALUE
                        The number of threads to use when enumerating virtual
                        hosts. Default: 10
  --wpscan.api-token VALUE
                        An API Token from wpvulndb.com to help search for more
                        vulnerabilities.

global plugin arguments:
  These are optional arguments that can be used by all plugins.

  --global.username-wordlist VALUE
                        A wordlist of usernames, useful for bruteforcing.
                        Default: /usr/share/seclists/Usernames/top-usernames-
                        shortlist.txt
  --global.password-wordlist VALUE
                        A wordlist of passwords, useful for bruteforcing.
                        Default:
                        /usr/share/seclists/Passwords/darkweb2017-top100.txt
  --global.domain VALUE
                        The domain to use (if known). Used for DNS and/or
                        Active Directory. Default: None

Updated on: 2024-Aug-06