Usage
usage: autorecon [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE]
[-g GLOBAL_FILE] [--tags TAGS] [--exclude-tags TAGS] [--port-scans PLUGINS]
[--service-scans PLUGINS] [--reports PLUGINS] [--plugins-dir PLUGINS_DIR]
[--add-plugins-dir PLUGINS_DIR] [-l [TYPE]] [-o OUTPUT] [--single-target]
[--only-scans-dir] [--no-port-dirs] [--heartbeat HEARTBEAT] [--timeout TIMEOUT]
[--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND]
[--proxychains] [--disable-sanity-checks] [--disable-keyboard-control]
[--force-services SERVICE [SERVICE ...]] [-mpti PLUGIN:NUMBER [PLUGIN:NUMBER ...]]
[-mpgi PLUGIN:NUMBER [PLUGIN:NUMBER ...]] [--accessible] [-v] [--version]
[--curl.path VALUE] [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}]
[--dirbuster.wordlist VALUE [VALUE ...]] [--dirbuster.threads VALUE]
[--dirbuster.ext VALUE] [--dirbuster.recursive] [--onesixtyone.community-strings VALUE]
[--subdomain-enum.domain VALUE] [--subdomain-enum.wordlist VALUE [VALUE ...]]
[--subdomain-enum.threads VALUE] [--vhost-enum.hostname VALUE]
[--vhost-enum.wordlist VALUE [VALUE ...]] [--vhost-enum.threads VALUE]
[--wpscan.api-token VALUE] [--global.username-wordlist VALUE]
[--global.password-wordlist VALUE] [--global.domain VALUE] [-h]
[targets ...]
Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.
positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable
hostnames (e.g. foo.bar) to scan.
optional arguments:
-t TARGET_FILE, --target-file TARGET_FILE
Read targets from file.
-p PORTS, --ports PORTS
Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by
prepending list with T:/U: To scan both TCP/UDP, put port(s) at start or specify
B: e.g. 53,T:21-25,80,U:123,B:123. Default: None
-m MAX_SCANS, --max-scans MAX_SCANS
The maximum number of concurrent scans to run. Default: 50
-mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS
The maximum number of concurrent port scans to run. Default: 10 (approx 20% of
max-scans unless specified)
-c CONFIG_FILE, --config CONFIG_FILE
Location of AutoRecon's config file. Default:
~/.config/AutoRecon/config.toml
-g GLOBAL_FILE, --global-file GLOBAL_FILE
Location of AutoRecon's global file. Default:
~/.config/AutoRecon/global.toml
--tags TAGS Tags to determine which plugins should be included. Separate tags by a plus
symbol (+) to group tags together. Separate groups with a comma (,) to create
multiple groups. For a plugin to be included, it must have all the tags specified
in at least one group. Default: default
--exclude-tags TAGS Tags to determine which plugins should be excluded. Separate tags by a plus
symbol (+) to group tags together. Separate groups with a comma (,) to create
multiple groups. For a plugin to be excluded, it must have all the tags specified
in at least one group. Default: None
--port-scans PLUGINS Override --tags / --exclude-tags for the listed PortScan plugins (comma
separated). Default: None
--service-scans PLUGINS
Override --tags / --exclude-tags for the listed ServiceScan plugins (comma
separated). Default: None
--reports PLUGINS Override --tags / --exclude-tags for the listed Report plugins (comma separated).
Default: None
--plugins-dir PLUGINS_DIR
The location of the plugins directory. Default:
~/.config/AutoRecon/plugins
--add-plugins-dir PLUGINS_DIR
The location of an additional plugins directory to add to the main one. Default:
None
-l [TYPE], --list [TYPE]
List all plugins or plugins of a specific type. e.g. --list, --list port, --list
service
-o OUTPUT, --output OUTPUT
The output directory for results. Default: results
--single-target Only scan a single target. A directory named after the target will not be
created. Instead, the directory structure will be created within the output
directory. Default: False
--only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit,
loot, report) will not be created. Default: False
--no-port-dirs Don't create directories for ports (e.g. scans/tcp80, scans/udp53). Instead store
all results in the "scans" directory itself. Default: False
--heartbeat HEARTBEAT
Specifies the heartbeat interval (in seconds) for scan status messages. Default:
60
--timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for.
Default: None
--target-timeout TARGET_TIMEOUT
Specifies the maximum amount of time in minutes that a target should be scanned
for before abandoning it and moving on. Default: None
--nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn -T4
--nmap-append NMAP_APPEND
Append to the default {nmap_extra} variable in scans. Default:
--proxychains Use if you are running AutoRecon via proxychains. Default: False
--disable-sanity-checks
Disable sanity checks that would otherwise prevent the scans from running.
Default: False
--disable-keyboard-control
Disables keyboard control ([s]tatus, Up, Down) if you are in SSH or Docker.
--force-services SERVICE [SERVICE ...]
A space separated list of services in the following style: tcp/80/http
tcp/443/https/secure
-mpti PLUGIN:NUMBER [PLUGIN:NUMBER ...], --max-plugin-target-instances PLUGIN:NUMBER [PLUGIN:NUMBER ...]
A space separated list of plugin slugs with the max number of instances (per
target) in the following style: nmap-http:2 dirbuster:1. Default: None
-mpgi PLUGIN:NUMBER [PLUGIN:NUMBER ...], --max-plugin-global-instances PLUGIN:NUMBER [PLUGIN:NUMBER ...]
A space separated list of plugin slugs with the max number of global instances in
the following style: nmap-http:2 dirbuster:1. Default: None
--accessible Attempts to make AutoRecon output more accessible to screenreaders. Default:
False
-v, --verbose Enable verbose output. Repeat for more verbosity.
--version Prints the AutoRecon version and exits.
-h, --help Show this help message and exit.
plugin arguments:
These are optional arguments for certain plugins.
--curl.path VALUE The path on the web server to curl. Default: /
--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}
The tool to use for directory busting. Default: feroxbuster
--dirbuster.wordlist VALUE [VALUE ...]
The wordlist(s) to use when directory busting. Separate multiple wordlists with
spaces. Default: ['~/.config/AutoRecon/wordlists/dirbuster.txt']
--dirbuster.threads VALUE
The number of threads to use when directory busting. Default: 10
--dirbuster.ext VALUE
The extensions you wish to fuzz (no dot, comma separated). Default:
txt,html,php,asp,aspx,jsp
--dirbuster.recursive
Enables recursive searching (where available). Warning: This may cause
significant increases to scan times. Default: False
--onesixtyone.community-strings VALUE
The file containing a list of community strings to try. Default:
/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
--subdomain-enum.domain VALUE
The domain to use as the base domain (e.g. example.com) for subdomain
enumeration. Default: None
--subdomain-enum.wordlist VALUE [VALUE ...]
The wordlist(s) to use when enumerating subdomains. Separate multiple wordlists
with spaces. Default: ['/usr/share/seclists/Discovery/DNS/subdomains-
top1million-110000.txt']
--subdomain-enum.threads VALUE
The number of threads to use when enumerating subdomains. Default: 10
--vhost-enum.hostname VALUE
The hostname to use as the base host (e.g. example.com) for virtual host
enumeration. Default: None
--vhost-enum.wordlist VALUE [VALUE ...]
The wordlist(s) to use when enumerating virtual hosts. Separate multiple
wordlists with spaces. Default: ['/usr/share/seclists/Discovery/DNS/subdomains-
top1million-110000.txt']
--vhost-enum.threads VALUE
The number of threads to use when enumerating virtual hosts. Default: 10
--wpscan.api-token VALUE
An API Token from wpvulndb.com to help search for more vulnerabilities.
global plugin arguments:
These are optional arguments that can be used by all plugins.
--global.username-wordlist VALUE
A wordlist of usernames, useful for bruteforcing. Default:
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
--global.password-wordlist VALUE
A wordlist of passwords, useful for bruteforcing. Default:
/usr/share/seclists/Passwords/darkweb2017-top100.txt
--global.domain VALUE
The domain to use (if known). Used for DNS and/or Active Directory. Default: None
Targets are the only required argument for AutoRecon to function. Targets are accepted in various formats (single IP addresses, CIDR notation for ranges, and even hostnames that are resolvable by the OS).
autorecon 10.0.0.1 10.0.0.2 192.168.0.0/24 scanme.nmap.org
Alternatively, targets can be supplied by passing a valid target file to the -t or --target-file options. Targets within this file must be in the same acceptable formats, and be separated by a new line. An example file that matches the targets shown above would look like this:
10.0.0.1
10.0.0.2
192.168.0.0/24
scanme.nmap.org
The file can be passed to AutoRecon in either of the following ways:
autorecon -t /path/to/targets
autorecon --target-file /path/to/targets
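As an added Python example (not AutoRecon's own code), the following loader reads a target file in the format shown above, classifies each line as an IP address, CIDR range or hostname, and expands CIDR ranges to a host count so an accidentally huge range is noticed before any scan starts. The hostname check is syntactic only: as the page says, whether a name resolves is up to the OS. SAMPLE_TARGET_FILE and the 4096-host cap are constructed for illustration.

```python
import ipaddress
import re

# RFC 1123 label shape: 1-63 alphanumerics or hyphens, not starting/ending with a hyphen.
# This only checks the shape of a hostname; it does not confirm that the name resolves.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_target(token):
    """Return ('ip', addr), ('cidr', network) or ('hostname', str); raise ValueError otherwise."""
    token = token.strip()
    if not token:
        raise ValueError("empty target")
    if "/" in token:
        # strict=False accepts '10.0.0.1/24' (a host address inside the range) as the page does.
        return ("cidr", ipaddress.ip_network(token, strict=False))
    try:
        return ("ip", ipaddress.ip_address(token))
    except ValueError:
        pass
    labels = token.rstrip(".").split(".")
    if len(token) <= 253 and all(_LABEL.match(label) for label in labels):
        return ("hostname", token)
    raise ValueError(f"unrecognised target: {token!r}")


def load_targets(text):
    """Parse target-file contents: one target per line, blank lines skipped."""
    targets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            targets.append(classify_target(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return targets


def expand_hosts(targets, limit=4096):
    """Count the individual hosts the list expands to (CIDR ranges included) and refuse
    anything above `limit`, so an oversized range is caught before scanning starts."""
    total = 0
    for kind, value in targets:
        total += value.num_addresses if kind == "cidr" else 1
        if total > limit:
            raise ValueError(f"target list expands to more than {limit} hosts")
    return total


# Constructed sample matching the target file shown above.
SAMPLE_TARGET_FILE = """\
10.0.0.1
10.0.0.2
192.168.0.0/24
scanme.nmap.org
"""

if __name__ == "__main__":
    parsed = load_targets(SAMPLE_TARGET_FILE)
    for kind, value in parsed:
        print(f"{kind:9} {value}")
    print("hosts:", expand_hosts(parsed))
```

Note that a numeric-looking string that is not a valid address (for example 999.1.1.1) passes the hostname shape check and would simply fail to resolve later, which mirrors handing it to the OS resolver.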
By default, AutoRecon scans ports according to the selected PortScan plugins, which are a top 1000 TCP port scan, an all (65,535) TCP port scan, and a top 100 UDP port scan (if AutoRecon is running with sufficient permissions). With the -p or --ports option, AutoRecon will only scan a subset of ports.
All PortScan plugins have access to the list of ports requested (which is empty if the user does not specify them), and it is ultimately up to the plugin author to decide whether or not the plugin should (a) scan the default ports, (b) scan the ports specified, or (c) not scan any ports at all. Option (a) should rarely be considered, while options (b) and (c) are recommended. For example, the top 1000 TCP port scan plugin checks to see if ports were specified by the user, and if they were, doesn't perform any scanning. Instead, the all TCP port scan and top 100 UDP port scan plugins will scan the specified ports.
Ports can be specified in a number of ways, both as single ports, and as port ranges, separated by commas. The following example will scan both TCP and UDP port 80 and 443:
autorecon -p 80,443 <target>
The following example will scan TCP and UDP ports 20 to 23 inclusive:
autorecon --ports 20-23 <target>
To scan specific TCP (or UDP) ports, preface the port(s) with either a T: for TCP, or U: for UDP. The following example will scan TCP ports 20 to 23 inclusive, as well as UDP ports 53 and 123:
autorecon -p T:20-23,U:53,123 <target>
To scan the same TCP and UDP port, but also scan specific TCP and/or UDP ports, put the shared ports at the start, or preface them with a B: for Both. The following example will scan TCP and UDP ports 53 and 88, as well as TCP ports 80 and 443, and UDP port 123:
autorecon --ports 53,T:80,443,U:123,B:88 <target>
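The port specification syntax described in the examples above, implemented as an added Python parser (this is not AutoRecon's own code, only a reading of the documented rules). The one point the prose leaves implicit, and which the last example shows, is that a T:, U: or B: prefix stays in effect for every following entry until another prefix appears, so in 53,T:80,443,U:123,B:88 the 443 is TCP-only. The to_nmap_ports helper turns the result back into nmap's own -p syntax (T:…,U:…), which is useful when checking what a plugin will actually be asked to scan.

```python
def parse_ports(spec):
    """Parse an AutoRecon-style port specification into (tcp_ports, udp_ports).

    Entries are comma separated and are either a single port or a range 'a-b'.
    An entry may be prefixed with T:, U: or B: (TCP, UDP, both); the prefix stays in
    effect for the following entries until another prefix appears. Entries before any
    prefix apply to both protocols.
    """
    tcp, udp = set(), set()
    proto = "B"                                   # unprefixed leading entries mean both
    for entry in spec.split(","):
        entry = entry.strip()
        if len(entry) > 2 and entry[1] == ":" and entry[0] in "TUB":
            proto, entry = entry[0], entry[2:]
        if not entry:
            raise ValueError("empty port entry in specification")
        try:
            parts = entry.split("-", 1) if "-" in entry else (entry, entry)
            lo, hi = (int(x) for x in parts)
        except ValueError:
            raise ValueError(f"not a port or port range: {entry!r}") from None
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {entry!r}")
        ports = range(lo, hi + 1)
        if proto in ("T", "B"):
            tcp.update(ports)
        if proto in ("U", "B"):
            udp.update(ports)
    return sorted(tcp), sorted(udp)


def _compress(ports):
    """Turn a sorted list such as [20, 21, 22, 23, 80] into '20-23,80'."""
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def to_nmap_ports(tcp, udp):
    """Render the parsed ports in nmap's -p syntax, e.g. 'T:20-23,U:53,123'."""
    parts = []
    if tcp:
        parts.append("T:" + _compress(tcp))
    if udp:
        parts.append("U:" + _compress(udp))
    return ",".join(parts)


if __name__ == "__main__":
    for spec in ("80,443", "20-23", "T:20-23,U:53,123", "53,T:80,443,U:123,B:88"):
        tcp, udp = parse_ports(spec)
        print(f"{spec:28} tcp={tcp} udp={udp} nmap=-p {to_nmap_ports(tcp, udp)}")
```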
Since AutoRecon is multi-threaded, it can launch multiple scans against multiple targets. The max scans option controls how many scans can be running at any one time. Each plugin which runs a command is counted as 1 scan towards the maximum. This is important to know, since some of the tools used by the scan are also multi-threaded. For example, the ServiceScan plugin "DirBuster" runs directory busting tools like feroxbuster or gobuster with 10 threads each, however each instance of the plugin only counts as 1 scan rather than 10.
To prevent AutoRecon from port scanning too many targets at once and using up all scans, the number of scans reserved for PortScan plugins is calculated as 20% of the max. By default, the maximum number of scans is 50, so 10 are reserved for PortScans, with the other 40 reserved for ServiceScans. Note that when there are no more targets to port scan, AutoRecon will allow remaining ServiceScan plugins to use scans reserved for PortScans plugins.
The -m and --max-scans options control the maximum number of scans AutoRecon should be running at any time. It must be at least one, and cannot be less than the max-port-scans value (but can be equal to it). The following example sets the max number of scans to 10:
autorecon -m 10 <target>
autorecon --max-scans 10 <target>
The max port scans option controls the maximum number of PortScans that can be running at any one time. This defaults to 20% of the max scans value (see above), however this can be overridden using the -mp and --max-port-scans options. It must be at least one, and cannot be more than the max scans value (but can be equal to it). Generally speaking, the higher the value, the more targets will be scanned concurrently, because the PortScan plugins run first. The following example sets the max number of port scans to 5:
autorecon -mp 5 <target>
autorecon --max-port-scans 5 <target>
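The slot rules from the paragraphs above, written out as an added Python model (this is not AutoRecon's scheduler, only the documented policy made executable): scan_limits resolves and validates -m / -mp, and ScanSlots decides whether another port scan or service scan may start. The help text only says the default is "approx 20%" of max-scans, so computing it as round(0.2 * max_scans) is this model's assumption; the counts used in the demo at the bottom are constructed.

```python
def scan_limits(max_scans=50, max_port_scans=None):
    """Resolve -m / -mp to concrete values and enforce the documented constraints."""
    if max_scans < 1:
        raise ValueError("max-scans must be at least 1")
    if max_port_scans is None:
        # Help text says 'approx 20% of max-scans'; round() is this model's assumption.
        max_port_scans = max(1, round(max_scans * 0.2))
    if not 1 <= max_port_scans <= max_scans:
        raise ValueError("max-port-scans must be between 1 and max-scans (inclusive)")
    return max_scans, max_port_scans


class ScanSlots:
    """Slot accounting for one run (a model of the documented policy, not the real code).

    Every running plugin command counts as one slot, whatever its own thread count.
    Port scans never exceed max_port_scans. While targets are still waiting for a port
    scan, service scans are capped at max_scans - max_port_scans so the reserved share
    stays free; once the port-scan queue is empty, service scans may use the whole budget.
    """

    def __init__(self, max_scans, max_port_scans, targets_awaiting_port_scan):
        self.max_scans, self.max_port_scans = scan_limits(max_scans, max_port_scans)
        self.pending = targets_awaiting_port_scan      # targets not yet port scanned
        self.port_running = 0
        self.service_running = 0

    def start_port_scan(self):
        if self.pending == 0 or self.port_running >= self.max_port_scans:
            return False
        self.pending -= 1
        self.port_running += 1
        return True

    def finish_port_scan(self):
        self.port_running -= 1

    def start_service_scan(self):
        if self.pending > 0:
            # Keep the reserved port-scan share free while targets are still queued.
            allowed = self.service_running < self.max_scans - self.max_port_scans
        else:
            # Queue drained: service scans may fill whatever the budget still holds.
            allowed = self.port_running + self.service_running < self.max_scans
        if allowed:
            self.service_running += 1
        return allowed

    def finish_service_scan(self):
        self.service_running -= 1

    def running(self):
        return self.port_running + self.service_running


if __name__ == "__main__":
    print("defaults:", scan_limits())            # (50, 10)
    slots = ScanSlots(10, 2, targets_awaiting_port_scan=3)
    started = sum(slots.start_port_scan() for _ in range(3))
    print(f"port scans started: {started} of 3 queued")
    services = sum(slots.start_service_scan() for _ in range(10))
    print(f"service scans started while queue non-empty: {services}")
```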
AutoRecon looks in multiple places for its config file (config.toml). It will first check the current working directory for the file, and if not found, will use the one automatically created at ~/.config/AutoRecon/config.toml. The -c and --config options will override this behavior, and force AutoRecon to use the one specified:
autorecon -c /path/to/config.toml <target>
autorecon --config /path/to/config.toml <target>
Like the config file, AutoRecon looks in multiple places for its global file (global.toml). It will first check the current working directory for the file, and if not found, will use the one automatically created at ~/.config/AutoRecon/global.toml. The -g and --global-file options (as listed in the help output above) will override this behavior, and force AutoRecon to use the one specified:
autorecon -g /path/to/global.toml <target>
autorecon --global-file /path/to/global.toml <target>
AutoRecon uses the concept of tags to enable / disable certain plugins at runtime. Plugins can be tagged with multiple tags, or no tags. If no tags are specified, and the tag attribute is not set to an empty list ([]), then the plugin will be automatically tagged as "default". Plugins tagged with "default" will be enabled by default. Other common tags include: safe (the plugin should not crash the target), long (the plugin could take a long time to complete), and unsafe (the plugin may crash the target). Plugin slugs (the shortened name of the plugin) can also be used as tags (e.g. "top-tcp-ports", "dirbuster").
There are 5 options related to tags: --tags, --exclude-tags, --port-scans, --service-scans, and --reports.
The --tags option is used to determine which plugins should be included. Group tags together by separating them with a plus symbol (+), and separate groups with a comma (,) to create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group. For example, the following will only include plugins tagged with both "default" and "http", or plugins tagged "default-port-scan":
autorecon --tags="default+http,default-port-scan" <target>
The --exclude-tags option is used to determine which plugins should be excluded. Group tags together by separating them with a plus symbol (+), and separate groups with a comma (,) to create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group. For example, the following will exclude plugins tagged with "unsafe", or plugins tagged with both "http" and "long":
autorecon --exclude-tags="unsafe,http+long" <target>
Note that the --tags option is processed first, so --exclude-tags will only exclude plugins which have already matched the --tags option.
The --port-scans, --service-scans, and --reports options can be used to override both --tags and --exclude-tags, as a final determination of which plugins should be included. These options do not take tags as values, but rather a comma separated list of plugin slugs, where the plugin type matches the option (i.e. --port-scans only affects PortScan plugins). For example, the following will ensure that the "top-tcp-ports" PortScan will be included, as well as the "dirbuster" ServiceScan, and the "cherrytree" Report plugin:
autorecon --port-scans=top-tcp-ports --service-scans=dirbuster --reports=cherrytree <target>
A good example of these options used together would be the following, where only plugins tagged with "http" are included, except for the "nmap-http" plugin, and the PortScan plugin "all-tcp-ports" is included regardless of the tags:
autorecon --tags=http --exclude-tags=nmap-http --port-scans=all-tcp-ports <target>
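The selection rules in this section (tag groups, --tags before --exclude-tags, slugs usable as tags, auto-tagging as "default", and the per-type slug overrides), as an added Python model that is not AutoRecon's own plugin loader. The plugin inventory at the bottom is constructed: the slugs that also appear on this page keep plausible tags, while "example-unsafe-http" and "untagged-example" are invented to exercise the unsafe and empty-tag-list cases. One detail the page does not state is whether --port-scans and friends also drop the unlisted plugins of that type; this model treats the listed slugs purely as forced includes, which is what the examples above describe.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Plugin:
    """Minimal stand-in for an AutoRecon plugin: slug, type and tag list."""
    slug: str
    type: str                         # 'port', 'service' or 'report'
    tags: Optional[List[str]] = None  # None = no tags attribute set; [] = explicitly untagged

    def __post_init__(self):
        # No tags attribute at all -> auto-tagged 'default'; an explicit [] stays untagged.
        if self.tags is None:
            self.tags = ["default"]


def parse_groups(spec):
    """'default+http,default-port-scan' -> [{'default', 'http'}, {'default-port-scan'}]."""
    groups = []
    for group in (spec or "").split(","):
        tags = {t.strip() for t in group.split("+") if t.strip()}
        if tags:
            groups.append(tags)
    return groups


def matches(plugin, groups):
    """True if the plugin carries every tag of at least one group (its slug counts as a tag)."""
    have = set(plugin.tags) | {plugin.slug}
    return any(group <= have for group in groups)


def parse_slugs(spec):
    return {s.strip() for s in (spec or "").split(",") if s.strip()}


def select_plugins(plugins, tags="default", exclude_tags=None,
                   port_scans=None, service_scans=None, reports=None):
    """Return the slugs of the plugins that would run, in the order they were given."""
    include = parse_groups(tags)
    exclude = parse_groups(exclude_tags)
    forced = {"port": parse_slugs(port_scans),
              "service": parse_slugs(service_scans),
              "report": parse_slugs(reports)}
    selected = []
    for p in plugins:
        if p.slug in forced[p.type]:
            selected.append(p.slug)      # slug override wins over both tag options
        elif matches(p, include) and not matches(p, exclude):
            selected.append(p.slug)      # --tags first, then --exclude-tags prunes
    return selected


# Constructed inventory; tags are illustrative, not the real plugins' tags.
PLUGINS = [
    Plugin("top-tcp-ports", "port", ["default", "default-port-scan"]),
    Plugin("all-tcp-ports", "port", ["default", "long"]),
    Plugin("top-udp-ports", "port", ["default", "default-port-scan"]),
    Plugin("nmap-http", "service", ["default", "http", "safe"]),
    Plugin("dirbuster", "service", ["default", "http", "long"]),
    Plugin("example-unsafe-http", "service", ["http", "unsafe"]),
    Plugin("nmap-smb", "service"),                    # no tags attribute -> 'default'
    Plugin("cherrytree", "report", ["default"]),
    Plugin("untagged-example", "service", []),       # explicit [] -> never tag-selected
]

if __name__ == "__main__":
    print(select_plugins(PLUGINS, tags="default+http,default-port-scan"))
    print(select_plugins(PLUGINS, exclude_tags="unsafe,http+long"))
    print(select_plugins(PLUGINS, tags="http", exclude_tags="nmap-http",
                         port_scans="all-tcp-ports"))
```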
AutoRecon will import plugins from the default plugins directory, located at ~/.config/AutoRecon/plugins. AutoRecon will generate this directory when it is first run if it does not exist. The --plugins-dir option can be used to override this location. This is recommended if you wish to use a completely separate set of plugins, or if you want to make some temporary modifications to plugins.
If instead you wish to simply import additional plugins without adding them to the main plugins directory, you can use the --add-plugins-dir option to specify an additional directory which AutoRecon will load from after the main plugins have been loaded. Care should be taken to ensure that any additional plugins do not have the same name as any of the main plugins (AutoRecon will not load duplicate plugins).
autorecon --plugins-dir=/path/to/plugins --add-plugins-dir=/path/to/additional/plugins <target>
The -l and --list options will list information about all the plugins in AutoRecon. An optional type can be provided to only display a specific type of plugin. Supported types are: port, service, report. For example, to list the service scan plugins, use:
autorecon -l service
The plugin type, name, slug, and description (if it exists) will be displayed for each plugin.
By default, AutoRecon will create a results directory named "results" in the current working directory. All output from AutoRecon is written here, using the following directory structure:
results
└── <target>
    ├── exploit/
    ├── loot/
    ├── report/
    │   ├── local.txt
    │   ├── notes.txt
    │   ├── proof.txt
    │   └── screenshots/
    └── scans/
        ├── _commands.log
        ├── _manual_commands.txt
        ├── tcp<port>/
        ├── udp<port>/
        └── xml/
The -o and --output options can be used to specify another location for the results directory (relative or absolute path).
If the --single-target option is provided, a directory named after the target will not be created in the results directory. Instead, the target directory structure will be created in the results directory itself, as follows:
results
├── exploit/
├── loot/
├── report/
│   ├── local.txt
│   ├── notes.txt
│   ├── proof.txt
│   └── screenshots/
└── scans/
    ├── _commands.log
    ├── _manual_commands.txt
    ├── tcp<port>/
    ├── udp<port>/
    └── xml/
If the --only-scans-dir option is provided, only the "scans" directory will be created in the target's directory, as follows:
results
└── <target>
    └── scans/
        ├── _commands.log
        ├── _manual_commands.txt
        ├── tcp<port>/
        ├── udp<port>/
        └── xml/
If the --no-port-dirs option is provided, directories won't be created for each port found, and all service scan results will be written to the "scans" directory.