
AutoRecon for Automated Reconnaissance

Ahmed Elsobky edited this page Nov 15, 2017 · 2 revisions

Foreword:

Reconnaissance is the first step in every security assessment, and it is a repetitive process that has to be done systematically. It is therefore well worth automating as much of it as possible, and as it turns out, about 70 lines of code are enough to do just that!

What is this all about?

Given a domain name, the code below attempts to automate the reconnaissance process in security assessments. It simply collects various information about the target domain name. That includes (but is not limited to):

  • Subdomains
  • Open ports
  • Directories
  • SSL ciphers
  • SPF records
  • WHOIS records
  • Services' banners
  • WAFs used (if any)
  • Subnet active hosts
  • Unprotected config files
  • Frameworks used (if any)
  • Known vulnerabilities (e.g., Shellshock, Heartbleed, et al.)

Dependencies:

All dependencies come preinstalled on Kali Linux 1.x and later versions.

How to use:

Open your terminal (preferably on Kali Linux) and run the script below with this command:

sudo python AutoRecon.py example.com
P.S. Root privileges are required. Additionally, if you'd like to save the output into a file, you may use sudo python AutoRecon.py example.com >> output.txt.

Code:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Automate the reconnaissance process, given a domain name.
"""
from __future__ import absolute_import, print_function
import sys
import socket
import subprocess
import tempfile
from time import sleep

def main():
    """Execute main code."""
    try:
        domain = sys.argv[1]
        ip_address = socket.gethostbyname(domain)
    except IndexError:
        print('Error: Domain name not specified.')
        sys.exit(1)
    except socket.gaierror:
        print('Error: Domain name cannot be resolved.')
        sys.exit(1)
    procs = []
    whois_cmd = ['whois', domain]
    dig_cmd = ['dig', '-t', 'txt', '+short', domain]
    wpscan_cmd = ['wpscan', '--force', '--update', '--url', domain]
    nmap_hosts_cmd = ['nmap', '-sn', ip_address + '/24']
    # Adjacent string literals are joined by Python; every line ends with a
    # comma so the script names stay separated in the final expression.
    nmap_script_names = ('*-vuln*, banner, default, dns-brute,'
                         'dns-zone-transfer, ftp-*, hostmap-ip2hosts, http-config-backup,'
                         'http-cross*, http-devframework, http-enum, http-headers,'
                         'http-shellshock, http-sitemap-generator, http-waf-fingerprint,'
                         'http-xssed, smtp-*, ssl-*, version')
    nmap_full_cmd = ['nmap', '-sV', '-sS', '-A', '-Pn', '--script',
                     nmap_script_names, domain]
    cmds = {'TXT Records': dig_cmd, 'WHOIS Info': whois_cmd,
            'Active Hosts': nmap_hosts_cmd, 'Nmap Results': nmap_full_cmd,
            'WPScan': wpscan_cmd}

    def handle_proc(proc):
        """Print a finished subprocess's output and drop it from the queue."""
        separator = '=================='
        # Output goes to a temporary file rather than a pipe: a pipe fills up
        # after roughly 64 KiB, and a chatty tool such as nmap -A would then
        # block on write forever, so poll() would never report it as finished.
        proc.outfile.seek(0)
        output = proc.outfile.read().decode('utf-8', 'replace')
        proc.outfile.close()
        print(proc.title)
        print(separator)
        print(output.strip())
        print(separator + '\n')
        procs.remove(proc)

    for title, cmd in cmds.items():
        outfile = tempfile.TemporaryFile()
        try:
            proc = subprocess.Popen(cmd, stdout=outfile, stderr=subprocess.STDOUT)
            proc.title = title
            proc.outfile = outfile
            procs.append(proc)
        except OSError:
            # The tool is not installed or not on PATH.
            outfile.close()
            print('%s >> Dependency error occurred.\n' % title)

    while procs:
        # Iterate over a copy: handle_proc() removes finished entries from
        # procs, and removing from a list while iterating it skips elements.
        for proc in list(procs):
            if proc.poll() is not None:
                handle_proc(proc)
        if procs:
            sleep(1)

if __name__ == '__main__':
    print('This is gonna take quite a while; you better go make some coffee!\n')
    main()
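The script above polls its child processes and prints each one's output as it finishes. The two things that bite in practice with that pattern are a tool that produces more output than a pipe can hold (the child blocks on write and never exits) and a tool that simply never finishes (the whole run hangs). The following is an added example, not code from the AutoRecon page or its author: a Python 3 runner that drains each command's output on a background thread, enforces a per-command timeout, and reports a missing tool instead of crashing. The function names `run_all` and `demo` and the commands inside `demo()` are this example's own; the commands are constructed with `sys.executable` so that it runs offline without any scanner installed.

```python
"""
Added example (not part of the AutoRecon wiki page): run several commands in
parallel, drain each one's combined stdout/stderr continuously, enforce a
per-command timeout, and classify the outcome of each command.
"""
import subprocess
import sys
import threading
import time


def _drain(proc, sink):
    """Read a child's output to EOF on its own thread.

    Reading continuously is what prevents the deadlock you get when a child
    fills the OS pipe buffer while the parent only reads after poll() says
    the child has exited.
    """
    sink.append(proc.stdout.read())
    proc.stdout.close()


def run_all(cmds, timeout=60.0):
    """Run every command in `cmds` (title -> argv list) concurrently.

    Returns a dict title -> {'status', 'output', 'returncode'} where status
    is one of 'ok', 'failed', 'timeout' or 'missing'.
    """
    running = {}
    results = {}
    for title, argv in cmds.items():
        try:
            proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                                    stderr=subprocess.STDOUT)
        except OSError as exc:  # tool not installed or not executable
            results[title] = {'status': 'missing', 'output': str(exc),
                              'returncode': None}
            continue
        sink = []
        reader = threading.Thread(target=_drain, args=(proc, sink))
        reader.daemon = True
        reader.start()
        running[title] = (proc, reader, sink, time.monotonic())

    while running:
        for title in list(running):
            proc, reader, sink, started = running[title]
            rc = proc.poll()
            if rc is None and time.monotonic() - started > timeout:
                proc.kill()          # give up on a tool that never finishes
                proc.wait()
                rc = proc.returncode
                status = 'timeout'
            elif rc is None:
                continue             # still running, check again next pass
            else:
                status = 'ok' if rc == 0 else 'failed'
            reader.join()            # child exited, so the reader hits EOF
            out = b''.join(sink).decode('utf-8', errors='replace')
            results[title] = {'status': status, 'output': out.strip(),
                              'returncode': rc}
            del running[title]
        if running:
            time.sleep(0.1)
    return results


def demo():
    """Constructed commands (no network, no scanners) covering each outcome."""
    py = sys.executable
    cmds = {
        # 300 kB is well past a pipe buffer: would deadlock a poll-then-read loop
        'Big output': [py, '-c', "import sys; sys.stdout.write('x' * 300000)"],
        # stderr is merged into stdout, exit code is preserved
        'Non-zero exit': [py, '-c', "import sys; sys.stderr.write('boom'); sys.exit(3)"],
        # would run for 30 s; the 2 s timeout below kills it
        'Slow tool': [py, '-c', "import time; time.sleep(30)"],
        # OSError path, like a scanner that is not installed
        'Missing tool': ['this-tool-does-not-exist-xyz'],
    }
    return run_all(cmds, timeout=2.0)


if __name__ == '__main__':
    for title, res in demo().items():
        print('%s >> %s (rc=%s, %d bytes of output)'
              % (title, res['status'], res['returncode'], len(res['output'])))
```

Dropping this into the script above would mean building the same `cmds` dictionary and printing each entry of the returned dict under its title; the timeout value is the knob to tune for a long nmap run, and a `'missing'` status maps directly onto the original script's "Dependency error occurred" message.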

Screenshot(s):

(Images: terminal.png, terminal2.png)