AutoRecon: A Multi-Threaded Network Reconnaissance Tool

Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.

With organizations' digital footprints growing larger and larger, network recon and the enumeration of services exposed on the public internet have become a critical area of an organization's security. Given the growing number of vulnerabilities and threats targeting web applications, performing automated recon and service enumeration is more important than ever. Fortunately, open-source and free-to-use tools such as Recon-ng have streamlined this process to the point of near-automation. Today we'll take a look at AutoRecon, which aims to do exactly that: automate your network recon and service enumeration.

What is AutoRecon?

AutoRecon is an open-source project built to perform network reconnaissance with automated service enumeration. Its advantage over other information-gathering and internet-scanning tools is that it lets you further process, and act upon, the gathered information directly within AutoRecon. This includes running Nmap as well as feeding the gathered data into other scanning tools such as feroxbuster, sslscan, nbtscan, Nikto and more.

Installing AutoRecon

Note: As its dependencies are readily available on Kali Linux, we suggest running AutoRecon on that distribution.

To begin, ensure you have python3 and pip available. Next, use pip to grab the latest version of AutoRecon and install it. You'll then need to install certain dependencies. Run the command to determine whether it has been installed successfully; it should give you the following output, listing the various options available in AutoRecon.

Usage

Getting started with AutoRecon is very simple; you can even run it without any flags or options. Replace domain.com with the domain name you wish to scan.
Once the command has finished executing, it should return the following output.

Analyzing the results

After a scan completes, AutoRecon saves the scan results in the "results" directory, inside of which a new subdirectory is created for every target scanned. The results structure created by AutoRecon is as shown below:

The exploit directory is used to store any exploit code you run against the target being scanned.

The loot directory is intended to store any hashes or notable files you find on the target you're scanning.

The report directory contains reports of the scan performed by AutoRecon; the files are generated as follows: local.txt can be used to store the local.txt flag found on targets; notes.txt contains a basic template where you can write notes for each service discovered; proof.txt can be used to store the proof.txt flag found on the target.

The screenshots directory is used to store any screenshots you take to document the exploitation of the target.

The scans directory is where all results from scans performed by AutoRecon go. This includes every command executed by AutoRecon and whether each command failed or succeeded.

The scans-XML directory stores scan results in XML format (from Nmap, etc.), which makes it easy to import the scan data into other software for further processing or storage.

Further understanding the results

Finding the webserver version

From the output gathered by AutoRecon, you can also find the version of the webserver running on the target system. Most web servers expose their name and version by default; for example, from the Nmap output:

This tells us the webserver running on the scanned target is nginx 1.14.0.

Detecting operating systems

Looking further at the output gathered above, the webserver often exposes the operating system or operating system family, too. As shown above, we can see the scanned target runs on Ubuntu.
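Added example, not code from the original post or from the AutoRecon project: a small parser for the Nmap XML that AutoRecon keeps in its scans-XML directory, pulling out the web server product and version (the nginx 1.14.0 case above) and any OS family leaked in service banners (the Ubuntu case). The XML sample is constructed here; only the element and attribute names follow Nmap's output schema, and the keyword list used for OS hints is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the Nmap XML that AutoRecon writes to its scans-XML
# directory. The element layout (nmaprun/host/ports/port/state+service) is
# Nmap's own schema; the address, ports and version strings are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host>
 <address addr="192.0.2.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="7.6p1" extrainfo="Ubuntu Linux; protocol 2.0"/></port>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="nginx" version="1.14.0" extrainfo="Ubuntu"/></port>
  <port protocol="tcp" portid="443"><state state="closed"/></port>
 </ports>
</host></nmaprun>
"""

OS_KEYWORDS = ("Ubuntu", "Debian", "CentOS", "Red Hat", "Windows", "Linux")  # assumed list

def parse_services(xml_text):
    """One dict per open port: host, port, service, product, version, extrainfo."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service fingerprint
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            records.append({"host": addr, "port": port.get("portid", ""),
                            "service": get("name"), "product": get("product"),
                            "version": get("version"), "extrainfo": get("extrainfo")})
    return records

def web_servers(records):
    """Banner strings for HTTP services, e.g. 'nginx 1.14.0 (Ubuntu)'."""
    out = []
    for r in records:
        if r["service"] in ("http", "https", "ssl/http"):
            banner = " ".join(p for p in (r["product"], r["version"]) if p)
            out.append(banner + (f" ({r['extrainfo']})" if r["extrainfo"] else ""))
    return out

def os_hints(records):
    """OS families leaked by service banners (extrainfo), collected across all open ports."""
    return sorted({k for r in records for k in OS_KEYWORDS if k in r["extrainfo"]})
```

Point parse_services at the contents of a real scans-XML file to get the same inventory for a scanned target, which is the data you would export to an asset-tracking or vulnerability-management system.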
Gathering screenshots along the way Often, web application screenshots can tell a l...

About the Podcast

Listen to all the articles we release on our blog while commuting, while working or in bed.