Merge branch 'master' into ping_sweeper_file_handling

Author: codingo

README.md

@@ -19,18 +19,15 @@ This tool can be used and copied for personal use freely however attribution and
 | -t TARGET_HOSTS | Set either a target range of addresses or a single host to target. May also be a file containing hosts. |
 | -o OUTPUT_DIRECTORY | Set the target directory where results should be written. |
 | -w WORDLIST | Optionally specify your own wordlist to use for pre-compiled commands, or executed attacks. |
-| --dns DNS_SERVER | Optionally specify a DNS server to use with a service scan. |
 | --pingsweep | Write a new target.txt file in the OUTPUT_DIRECTORY by performing a ping sweep and discovering live hosts. |
-| --dnssweep | Find DNS servers from the list of target(s). |
+| --dns, --dnssweep | Find DNS servers from the list of target(s). |
 | --snmp | Find hosts responding to SNMP requests from the list of target(s). |
 | --services | Perform a service scan over the target(s) and write recommendations for further commands to execute. |
 | --hostnames | Attempt to discover target hostnames and write to hostnames.txt. |
 | --virtualhosts | Attempt to discover virtual hosts using the specified wordlist. This can be expended via discovered hostnames. |
 | --ignore-http-codes | Comma separated list of http codes to ignore with virtual host scans. |
 | --ignore-content-length | Ignore content lengths of specificed amount. This may become useful when a server returns a static page on every virtual host guess. |
 | --quiet | Supress banner and headers and limit feedback to grepable results. |
-| --exec | Execute shell commands from recommendations as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors. |
-| --simple_exec | Execute non-brute forcing shell comamnds only commands as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors. |
 | --quick | Move to the next target after performing a quick scan and writing first-round recommendations. |
 | --no-udp | Disable UDP service scanning, which is ON by default. |
 

reconnoitre/config.json renamed to config.json

@@ -27,7 +27,7 @@ def find_dns(target_hosts, output_directory, quiet):
 
         print("   [>] Testing %s for DNS" % ip_address)
         DNSSCAN = "nmap -n -sV -Pn -vv -p53 %s" % (ip_address)
-        results = subprocess.check_output(DNSSCAN, shell=True)
+        results = subprocess.check_output(DNSSCAN, shell=True).decode("utf-8")
         lines = results.split("\n")
 
         for line in lines:

reconnoitre/file_helper.py renamed to file_helper.py

@@ -21,7 +21,7 @@ def hostname_scan(target_hosts, output_directory, quiet):
     else:
         SWEEP = "nbtscan -q %s" % (target_hosts)
 
-    results = subprocess.check_output(SWEEP, shell=True)
+    results = subprocess.check_output(SWEEP, shell=True).decode("utf-8")
     lines = results.split("\n")
 
     for line in lines:

reconnoitre/find_dns.py renamed to find_dns.py

@@ -33,4 +33,4 @@ def ping_sweeper(target_hosts, output_directory, quiet):
             live_hosts += 1
     print("[*] Found %s live hosts" % (live_hosts))
     print("[*] Created target list %s" % (output_file))
-    f.close()
+    f.close()

reconnoitre/hostname_scan.py renamed to hostname_scan.py

@@ -48,25 +48,23 @@ def util_checks(util = None):
 
 def main():
     parser = ArgumentParser()
-    parser.add_argument("-t",               dest="target_hosts", required=True, help="Set a target range of addresses to target. Ex 10.11.1.1-255" )
-    parser.add_argument("-o",               dest="output_directory", required=True, help="Set the output directory. Ex /root/Documents/labs/")
-    parser.add_argument("-w",               dest="wordlist", required=False, help="Set the wordlist to use for generated commands. Ex /usr/share/wordlist.txt", default=False)
-    parser.add_argument("-p",               dest="port", required=False, help="Set the port to use. Leave blank to use discovered ports. Useful to force virtual host scanning on non-standard webserver ports.", default=80)
-    parser.add_argument("--pingsweep",      dest="ping_sweep", action="store_true", help="Write a new target.txt by performing a ping sweep and discovering live hosts.", default=False)
-    parser.add_argument("--dns",            dest="find_dns_servers", action="store_true", help="Find DNS servers from a list of targets.", default=False)
-    parser.add_argument("--services",       dest="perform_service_scan", action="store_true", help="Perform service scan over targets.", default=False)
-    parser.add_argument("--hostnames",      dest="hostname_scan", action="store_true", help="Attempt to discover target hostnames and write to 0-name.txt and hostnames.txt.", default=False)
-    parser.add_argument("--snmp",           dest="perform_snmp_walk", action="store_true", help="Perform service scan over targets.", default=False)
-    parser.add_argument("--quick",          dest="quick",   action="store_true", required=False, help="Move to the next target after performing a quick scan and writing first-round recommendations.", default=False)    
-
-    parser.add_argument("--virtualhosts",   dest="virtualhosts",   action="store_true", required=False, help="Attempt to discover virtual hosts  using the specified wordlist.", default=False)  
-    parser.add_argument('--ignore-http-codes', dest='ignore_http_codes', type=str, help='Comma separated list of http codes to ignore with virtual host scans.', default='404')
-    parser.add_argument('--ignore-content-length', dest='ignore_content_length', type=int, help='Ignore content lengths of specificed amount. This may become useful when a server returns a static page on every virtual host guess.', default=0)
-
-    parser.add_argument("--quiet",          dest="quiet",   action="store_true", help="Supress banner and headers to limit to comma dilimeted results only.", default=False)
-    parser.add_argument("--exec",           dest="follow",  action="store_true", help="Execute shell comamnds from recommendations as they are discovered. Likely to lead to very long execute times depending on the wordlist being used.", default=False)
-    parser.add_argument("--simple_exec",    dest="quickfollow",  action="store_true", help="Execute non-brute forcing shell comamnds only as they are discovered.", default=False)
-    parser.add_argument("--no-udp",    dest="no_udp_service_scan",  action="store_true", help="Disable UDP services scan over targets.", default=False)
+    parser.add_argument("-t",                       dest="target_hosts", required=True, help="Set a target range of addresses to target. Ex 10.11.1.1-255" )
+    parser.add_argument("-o",                       dest="output_directory", required=True, help="Set the output directory. Ex /root/Documents/labs/")
+    parser.add_argument("-w",                       dest="wordlist", required=False, help="Set the wordlist to use for generated commands. Ex /usr/share/wordlist.txt", default=False)
+    parser.add_argument("-p",                       dest="port", required=False, help="Set the port to use. Leave blank to use discovered ports. Useful to force virtual host scanning on non-standard webserver ports.", default=80)
+    parser.add_argument("--pingsweep",              dest="ping_sweep", action="store_true", help="Write a new target.txt by performing a ping sweep and discovering live hosts.", default=False)
+    parser.add_argument("--dns","--dnssweep",       dest="find_dns_servers", action="store_true", help="Find DNS servers from a list of targets.", default=False)
+    parser.add_argument("--services",               dest="perform_service_scan", action="store_true", help="Perform service scan over targets.", default=False)
+    parser.add_argument("--hostnames",              dest="hostname_scan", action="store_true", help="Attempt to discover target hostnames and write to 0-name.txt and hostnames.txt.", default=False)
+    parser.add_argument("--snmp",                   dest="perform_snmp_walk", action="store_true", help="Perform service scan over targets.", default=False)
+    parser.add_argument("--quick",                  dest="quick",   action="store_true", required=False, help="Move to the next target after performing a quick scan and writing first-round recommendations.", default=False)    
+
+    parser.add_argument("--virtualhosts",           dest="virtualhosts",   action="store_true", required=False, help="Attempt to discover virtual hosts  using the specified wordlist.", default=False)  
+    parser.add_argument('--ignore-http-codes',      dest='ignore_http_codes', type=str, help='Comma separated list of http codes to ignore with virtual host scans.', default='404')
+    parser.add_argument('--ignore-content-length',  dest='ignore_content_length', type=int, help='Ignore content lengths of specificed amount. This may become useful when a server returns a static page on every virtual host guess.', default=0)
+
+    parser.add_argument("--quiet",                  dest="quiet",   action="store_true", help="Supress banner and headers to limit to comma dilimeted results only.", default=False)
+    parser.add_argument("--no-udp",                 dest="no_udp_service_scan",  action="store_true", help="Disable UDP services scan over targets.", default=False)
     arguments = parser.parse_args()
 
     if len(sys.argv) == 1:

ping_sweeper.py

@@ -15,7 +15,7 @@ def nmap_scan(ip_address, output_directory, dns_server, quick, no_udp_service_sc
 
    print("[+] Starting quick nmap scan for %s" % (ip_address))
    QUICKSCAN = "nmap -sC -sV %s -oA '%s/%s.quick'"  % (ip_address, output_directory, ip_address)
-   quickresults = subprocess.check_output(QUICKSCAN, shell=True)
+   quickresults = subprocess.check_output(QUICKSCAN, shell=True).decode("utf-8")
 
    write_recommendations(quickresults, ip_address, output_directory)
    print("[*] TCP quick scans completed for %s" % ip_address)
@@ -33,8 +33,8 @@ def nmap_scan(ip_address, output_directory, dns_server, quick, no_udp_service_sc
        TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 -n %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s"  % (dns_server, output_directory, ip_address, output_directory, ip_address, ip_address)
        UDPSCAN = "nmap -sC -sV -sU %s -oA '%s/%s-udp'" % (ip_address, output_directory, ip_address)
 
-   udpresults = "" if no_udp_service_scan is True else subprocess.check_output(UDPSCAN, shell=True)
-   tcpresults = subprocess.check_output(TCPSCAN, shell=True)
+   udpresults = "" if no_udp_service_scan is True else subprocess.check_output(UDPSCAN, shell=True).decode("utf-8")
+   tcpresults = subprocess.check_output(TCPSCAN, shell=True).decode("utf-8")
 
    write_recommendations(tcpresults + udpresults, ip_address, output_directory)
    print("[*] TCP%s scans completed for %s" % (("" if no_udp_service_scan is True else "/UDP"), ip_address))

reconnoitre/reconnoitre.py renamed to reconnoitre.py

@@ -64,7 +64,7 @@ def snmp_scans(ip_address, output_directory):
     SCAN = "snmpwalk -c public -v1 %s 1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'"  % (ip_address, output_directory, ip_address)
 
     try:
-        results = subprocess.check_output(SCAN, stderr=subprocess.STDOUT, shell=True).decode('utf-8')
+        results = subprocess.check_output(SCAN, stderr=subprocess.STDOUT, shell=True).decode("utf-8").decode('utf-8')
     except Exception as e:
         print("[+] No Response from %s" % ip_address)
     except subprocess.CalledProcessError as cpe: