Merge pull request #39 from cwaazywabbit/master

codingo · web-flow · commit 751901ebf73c · 2018-06-29T10:56:38.000+10:00
Fix for #36 and #38
diff --git a/reconnoitre/config.json b/reconnoitre/config.json
@@ -1,7 +1,7 @@
 {
   "services": {
-    "http": {
-      "description": "Found HTTP service on $ip:$port",
+    "http/s": {
+      "description": "Found HTTP/S service on $ip:$port",
       "nmap-service-names": [
         "http",
         "ssl/http",
@@ -12,14 +12,46 @@
         {
           "description": "Enumeration",
           "commands": [
-            "nikto -h $ip -p $port -output $outputdir/$ip_nikto.txt",
-            "dirb http://$ip:$port/ -o $outputdir/$ip_dirb.txt",
-            "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_dirbuster_medium.txt",
-            "gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_gobuster_common.txt'",
-            "gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_gobuster_cgis.txt'",
+            "nikto -h $ip -p $port -output $outputdir/$ip_$port_nikto.txt",
             "curl -i $ip:$port",
-            "w3m -dump $ip/robots.txt | tee $outputdir/$ip_robots.txt",
-            "VHostScan -t $ip -oN $outputdir/$ip_vhosts.txt"
+            "w3m -dump $ip/robots.txt | tee $outputdir/$ip_$port_robots.txt",
+            "VHostScan -t $ip -oN $outputdir/$ip_$port_vhosts.txt"
+          ]
+        }
+      ]
+    },
+    "http": {
+      "description": "Found HTTP service on $ip:$port",
+      "nmap-service-names": [
+        "http"
+      ],
+      "output": [
+        {
+          "description": "Enumeration",
+          "commands": [
+            "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt",
+            "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt",
+            "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'",
+            "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'"
+          ]
+        }
+      ]
+    },
+    "https": {
+      "description": "Found HTTPS service on $ip:$port",
+      "nmap-service-names": [
+        "https",
+        "ssl/http",
+        "ssl/http-alt"
+      ],
+      "output": [
+        {
+          "description": "Enumeration",
+          "commands": [
+            "dirb https://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt",
+            "dirbuster -H -u https://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt",
+            "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'",
+            "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'"
           ]
         }
       ]
@@ -33,8 +65,8 @@
         {
           "description": "Enumeration",
           "commands": [
-            "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_ftp' $ip",
-            "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_ftphydra.txt -u $ip -s $port ftp"
+            "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_$port_ftp' $ip",
+            "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_$port_ftphydra.txt -u $ip -s $port ftp"
           ]
         }
       ]
@@ -83,7 +115,7 @@
         {
           "description": "Use nmap scripts for further enumeration, e.g",
           "commands": [
-            "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,smsql.username-sa,mssql.password-sa -oA $outputdir/$ip_mssql_nmap_scan $ip"
+            "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,smsql.username-sa,mssql.password-sa -oA $outputdir/$ip_$port_mssql_nmap_scan $ip"
           ]
         }
       ]
@@ -112,9 +144,9 @@
         {
           "description": "Enumeration",
           "commands": [
-            "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_smb.nmap' $ip",
-            "enum4linux -a $ip | tee $outputdir/$ip_enum4linux.txt",
-            "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_smb_smb-enum-users.nmap' $ip"
+            "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_$port_smb.nmap' $ip",
+            "enum4linux -a $ip | tee $outputdir/$ip_$port_enum4linux.txt",
+            "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_$port_smb_smb-enum-users.nmap' $ip"
           ]
         }
       ]
@@ -159,9 +191,9 @@
         {
           "description": "Enumeration",
           "commands": [
-            "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_snmp' $ip",
-            "onesixtyone $ip > $outputdir/$ip_snmp_onesixtyone.txt",
-            "snmpwalk -c public -v1 $ip > $outputdir/$ip_snmpwalk.txt"
+            "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_$port_snmp' $ip",
+            "onesixtyone $ip > $outputdir/$ip_$port_snmp_onesixtyone.txt",
+            "snmpwalk -c public -v1 $ip > $outputdir/$ip_$port_snmpwalk.txt"
           ]
         }
       ]
@@ -183,7 +215,7 @@
         {
           "description": "Use nmap to automate banner grabbing and key fingerprints, e.g.",
           "commands": [
-            "nmap $ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_ssh-hostkey'"
+            "nmap $ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_$port_ssh-hostkey'"
           ]
         }
       ]
@@ -319,4 +351,4 @@
       ]
     }
   }
-}
+}
diff --git a/reconnoitre/file_helper.py b/reconnoitre/file_helper.py
@@ -73,7 +73,8 @@ def write_recommendations(results, ip_address, outputdir):
 
    print("[+] Writing findings for %s" % (ip_address))
 
-   with open("config.json", "r") as config:
+   __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__)))
+   with open(os.path.join(__location__, "config.json"), "r") as config:
        c = config.read()
        j = json.loads(c.replace("$ip", "%(ip)s").replace("$port", "%(port)s").replace("$outputdir", "%(outputdir)s"))
 

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"services": {`
`3`		`- "http": {`
`4`		`- "description": "Found HTTP service on $ip:$port",`
	`3`	`+ "http/s": {`
	`4`	`+ "description": "Found HTTP/S service on $ip:$port",`
`5`	`5`	`"nmap-service-names": [`
`6`	`6`	`"http",`
`7`	`7`	`"ssl/http",`
`@@ -12,14 +12,46 @@`
`12`	`12`	`{`
`13`	`13`	`"description": "Enumeration",`
`14`	`14`	`"commands": [`
`15`		`- "nikto -h $ip -p $port -output $outputdir/$ip_nikto.txt",`
`16`		`- "dirb http://$ip:$port/ -o $outputdir/$ip_dirb.txt",`
`17`		`- "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_dirbuster_medium.txt",`
`18`		`- "gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e \| tee '$outputdir/$ip_gobuster_common.txt'",`
`19`		`- "gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e \| tee '$outputdir/$ip_gobuster_cgis.txt'",`
	`15`	`+ "nikto -h $ip -p $port -output $outputdir/$ip_$port_nikto.txt",`
`20`	`16`	`"curl -i $ip:$port",`
`21`		`- "w3m -dump $ip/robots.txt \| tee $outputdir/$ip_robots.txt",`
`22`		`- "VHostScan -t $ip -oN $outputdir/$ip_vhosts.txt"`
	`17`	`+ "w3m -dump $ip/robots.txt \| tee $outputdir/$ip_$port_robots.txt",`
	`18`	`+ "VHostScan -t $ip -oN $outputdir/$ip_$port_vhosts.txt"`
	`19`	`+ ]`
	`20`	`+ }`
	`21`	`+ ]`
	`22`	`+ },`
	`23`	`+ "http": {`
	`24`	`+ "description": "Found HTTP service on $ip:$port",`
	`25`	`+ "nmap-service-names": [`
	`26`	`+ "http"`
	`27`	`+ ],`
	`28`	`+ "output": [`
	`29`	`+ {`
	`30`	`+ "description": "Enumeration",`
	`31`	`+ "commands": [`
	`32`	`+ "dirb http://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt",`
	`33`	`+ "dirbuster -H -u http://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt",`
	`34`	`+ "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e \| tee '$outputdir/$ip_$port_gobuster_common.txt'",`
	`35`	`+ "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e \| tee '$outputdir/$ip_$port_gobuster_cgis.txt'"`
	`36`	`+ ]`
	`37`	`+ }`
	`38`	`+ ]`
	`39`	`+ },`
	`40`	`+ "https": {`
	`41`	`+ "description": "Found HTTPS service on $ip:$port",`
	`42`	`+ "nmap-service-names": [`
	`43`	`+ "https",`
	`44`	`+ "ssl/http",`
	`45`	`+ "ssl/http-alt"`
	`46`	`+ ],`
	`47`	`+ "output": [`
	`48`	`+ {`
	`49`	`+ "description": "Enumeration",`
	`50`	`+ "commands": [`
	`51`	`+ "dirb https://$ip:$port/ -o $outputdir/$ip_$port_dirb.txt",`
	`52`	`+ "dirbuster -H -u https://$ip:$port/ -l /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -s / -v -r $outputdir/$ip_$port_dirbuster_medium.txt",`
	`53`	`+ "gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e \| tee '$outputdir/$ip_$port_gobuster_common.txt'",`
	`54`	`+ "gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e \| tee '$outputdir/$ip_$port_gobuster_cgis.txt'"`
`23`	`55`	`]`
`24`	`56`	`}`
`25`	`57`	`]`
`@@ -33,8 +65,8 @@`
`33`	`65`	`{`
`34`	`66`	`"description": "Enumeration",`
`35`	`67`	`"commands": [`
`36`		`- "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_ftp' $ip",`
`37`		`- "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_ftphydra.txt -u $ip -s $port ftp"`
	`68`	`+ "nmap -sV -Pn -vv -p$port --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oA '$outputdir/$ip_$port_ftp' $ip",`
	`69`	`+ "hydra -L USER_LIST -P PASS_LIST -f -o $outputdir/$ip_$port_ftphydra.txt -u $ip -s $port ftp"`
`38`	`70`	`]`
`39`	`71`	`}`
`40`	`72`	`]`
`@@ -83,7 +115,7 @@`
`83`	`115`	`{`
`84`	`116`	`"description": "Use nmap scripts for further enumeration, e.g",`
`85`	`117`	`"commands": [`
`86`		`- "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,smsql.username-sa,mssql.password-sa -oA $outputdir/$ip_mssql_nmap_scan $ip"`
	`118`	`+ "nmap -vv -sV -Pn -p $port --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=$port,smsql.username-sa,mssql.password-sa -oA $outputdir/$ip_$port_mssql_nmap_scan $ip"`
`87`	`119`	`]`
`88`	`120`	`}`
`89`	`121`	`]`
`@@ -112,9 +144,9 @@`
`112`	`144`	`{`
`113`	`145`	`"description": "Enumeration",`
`114`	`146`	`"commands": [`
`115`		`- "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_smb.nmap' $ip",`
`116`		`- "enum4linux -a $ip \| tee $outputdir/$ip_enum4linux.txt",`
`117`		`- "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_smb_smb-enum-users.nmap' $ip"`
	`147`	`+ "nmap -sV -Pn -vv -p 139,$port --script=smb-vuln* --script-args=unsafe=1 -oA '$outputdir/$ip_$port_smb.nmap' $ip",`
	`148`	`+ "enum4linux -a $ip \| tee $outputdir/$ip_$port_enum4linux.txt",`
	`149`	`+ "nmap -sV -Pn -vv -p $port --script=smb-enum-users -oA '$outputdir/$ip_$port_smb_smb-enum-users.nmap' $ip"`
`118`	`150`	`]`
`119`	`151`	`}`
`120`	`152`	`]`
`@@ -159,9 +191,9 @@`
`159`	`191`	`{`
`160`	`192`	`"description": "Enumeration",`
`161`	`193`	`"commands": [`
`162`		`- "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_snmp' $ip",`
`163`		`- "onesixtyone $ip > $outputdir/$ip_snmp_onesixtyone.txt",`
`164`		`- "snmpwalk -c public -v1 $ip > $outputdir/$ip_snmpwalk.txt"`
	`194`	`+ "nmap -sV -Pn -vv -p$port --script=snmp-netstat,snmp-processes -oA '$outputdir/$ip_$port_snmp' $ip",`
	`195`	`+ "onesixtyone $ip > $outputdir/$ip_$port_snmp_onesixtyone.txt",`
	`196`	`+ "snmpwalk -c public -v1 $ip > $outputdir/$ip_$port_snmpwalk.txt"`
`165`	`197`	`]`
`166`	`198`	`}`
`167`	`199`	`]`
`@@ -183,7 +215,7 @@`
`183`	`215`	`{`
`184`	`216`	`"description": "Use nmap to automate banner grabbing and key fingerprints, e.g.",`
`185`	`217`	`"commands": [`
`186`		`- "nmap $ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_ssh-hostkey'"`
	`218`	`+ "nmap $ip -p $port -sV --script=ssh-hostkey -oA '$outputdir/$ip_$port_ssh-hostkey'"`
`187`	`219`	`]`
`188`	`220`	`}`
`189`	`221`	`]`
`@@ -319,4 +351,4 @@`
`319`	`351`	`]`
`320`	`352`	`}`
`321`	`353`	`}`
`322`		`-}`
	`354`	`+}`