Currently for each machine returned Reconnoitre will start a new thread for the remote hosts. This means that if 255 machines are available, 255 instances of NMap will fire in the background.

A change to the way threads are started and managed in the application and to also allow them to be controlled by the command line would resolve this (no small undertaking).

UDP could come handy in the OSCP lab/exam, but in real-life scenarios would most likely be blocked or give false-positives.

Providing an option to disable UDP upon wish, would make the tool a bit more suitable for general purposes.

• PS: have already implemented this in my local fork, just waiting for the last pull-request to be approved before I push the new one; if you agree that it could come handy.

Regards

Add virtual host discovery scanning using specified wordlist.

Gobuster v3.0.1 now has mode options called "dns", "dir", "vhost". This will need to be reflected in the exported findings file that is generated for the automatic gobuster commands.

These need "dir" added to each.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u https://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'

Will throw a pull request.

I'm running reconnoitre in Kali, it was working fine before but now, after a git pull I'm getting some other error.

Traceback (most recent call last):
  File "/usr/local/bin/reconnoitre", line 11, in <module>
    load_entry_point('Reconnoitre==1.0', 'console_scripts', 'reconnoitre')()
  File "/usr/local/lib/python3.6/dist-packages/pkg_resources/__init__.py", line 484, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/local/lib/python3.6/dist-packages/pkg_resources/__init__.py", line 2714, in load_entry_point
    return ep.load()
  File "/usr/local/lib/python3.6/dist-packages/pkg_resources/__init__.py", line 2332, in load
    return self.resolve()
  File "/usr/local/lib/python3.6/dist-packages/pkg_resources/__init__.py", line 2338, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.6/dist-packages/Reconnoitre-1.0-py3.6.egg/Reconnoitre/reconnoitre.py", line 6, in <module>
    from lib.core.input import CliArgumentParser
ModuleNotFoundError: No module named 'lib.core'

pip says "lib" is already installed.

pip install lib Requirement already satisfied: lib in /usr/local/lib/python3.6/dist-packages (3.0.0)

Running python3 --version
Python 3.6.8rc1

Traceback (most recent call last):
File "reconnoitre.py", line 7, in
from .lib.core.input import CliArgumentParser
ValueError: Attempted relative import in non-package

This is one of my very first python projects, and it shows. There's a lot of code repetition and bad practice that could be cleared up. Among this is proper class usage (referred to in #4), a lack of automated test cases and more.

Hi @codingo,

I came to notice that ping sweep only works with IPs but not with a file that contains a list of IPs/domains.
Yes, one can still use nmap directly, but it would be (perhaps?) nice to have it supported.
All it takes, is a small surgery :)

What do you think?

It seems the snmp_walk.py is not working properly because of line 71 to 73 being on separate lines.
It throws an error: "TypeError: not all arguments converted during string formatting python".
The SCAN variable needs to be encompassed in paranthesis.

SCAN = "snmpwalk -c public -v1 %s " "1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % (ip_address, output_directory, ip_address)

Needs to become this:

SCAN = ("snmpwalk -c public -v1 %s " "1.3.6.1.2.1.25.1.6.0 > '%s%s-systemprocesses.txt'" % (ip_address, output_directory, ip_address))

And then snmp works with no issues.

I just did a git pull from the repo, running on ubuntu 18.10. I get this:

https://pastebin.com/

If multiple DNS targets are found in a --dns scan, they are concat together.
IE: 192.168.0.5 and 192.168.0.6 are found

Currently DNS-targets.txt
192.168.0.5192.168.0.6

Following convention of targets.txt, the DNS servers should be line-delimited:
192.168.0.5
192.168.0.6

Hey guys, great tool, working on the OSCP! At the bottom of the page you mentioned "List of Recommended Tools" thread by g0tmilk, but I can't find it. Tons of great stuff on g0tmilk's blog but I can't find the list, can you direct me it?

Thanks!

Sorry mate if I'm running the tool wrong but when I do

python3 ./reconnoitre.py -t 10.10.10.78 -o ../../recon --services

I get:

  __
|"""\-=  RECONNOITRE
(____)      An OSCP scanner by @codingo_

[+] Testing for required utilities on your system.
[#] Performing service scans
[*] Loaded single target: 10.10.10.78
[+] Creating directory structure for 10.10.10.78
   [>] Creating scans directory at: ../../recon/10.10.10.78/scans
   [>] Creating exploit directory at: ../../recon/10.10.10.78/exploit
   [>] Creating loot directory at: ../../recon/10.10.10.78/loot
   [>] Creating proof file at: ../../recon/10.10.10.78/proof.txt
[+] Starting quick nmap scan for 10.10.10.78
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run
    self._target(*self._args, **self._kwargs)
  File "XXXXXXX/Reconnoitre/reconnoitre/service_scan.py", line 20, in nmap_scan
    write_recommendations(quickresults, ip_address, output_directory)
  File "XXXXXXX/Reconnoitre/reconnoitre/file_helper.py", line 58, in write_recommendations
    lines = results.split("\n")
TypeError: a bytes-like object is required, not 'str'

I've just cloned it to a local directory I've set up as a workspace for Ararog. Running Kali. No issues running nmap on it apart from that.

Just giving it a go more out of desperation than a deliberate strategy.

Every instance where lines = results.split("\n") is called, the following error is thrown:

TypeError: a bytes-like object is required, not 'str'

Hi guys,

Any ideas how to fix this error from Kali 2018.3:

[+] Writing findings for **.**.**.** Process Process-1: Traceback (most recent call last): File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap self.run() File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run self._target(*self._args, **self._kwargs) File "/root/Lab_scripts/Reconnoitre/Reconnoitre/lib/service_scan.py", line 25, in nmap_scan write_recommendations(quickresults, ip_address, output_directory) File "/root/Lab_scripts/Reconnoitre/Reconnoitre/lib/file_helper.py", line 125, in write_recommendations + j["services"][service]["description"] TypeError: bad operand type for unary +: 'unicode'
Am i missing something in my Kali VM?

Running Reconnoitre with the following options in Kali Rolling yields a concatenation TypeError:

# ./reconnoitre.py -t 192.168.0.0/24 -o ../../../Findings/ --pingsweep --dns --services --snmp
  __
|"""\-=  RECONNOITRE
(____)      An OSCP scanner by @codingo_

[#] Performing ping sweep
[!] ../../../Findings didn't exist and has been created.
[+] Writing discovered targets to: ../../../Findings/targets.txt
[+] Performing ping sweep over 192.168.0.0/24

...snip...

      [=] Found DNS service running on: 192.168.0.14
Traceback (most recent call last):
  File "./reconnoitre.py", line 89, in <module>
    main()
  File "./reconnoitre.py", line 66, in main
    find_dns(arguments.target_hosts, arguments.output_directory, arguments.quiet)
  File "/root/git/Reconnoitre/reconnoitre/find_dns.py", line 40, in find_dns
    results += 1
TypeError: cannot concatenate 'str' and 'int' objects

Line 40 of find_dns.py is incrementing 'results' by 1:


            if ("53/tcp" in line) and ("open" in line):
                print("      [=] Found DNS service running on: %s" % (ip_addres$
                output_file.write("[*] Found DNS service running on: %s\n" % (i$
                output_file.write("   [>] %s\n" % (line))
                output_targets.write("%s" % (ip_address))
        >>>     results += 1     <<<

The problem here is that in find_dns.py, at line 10, you're first casting 'results' as 0, then later at line 29 you set it to the output from subprocess.check_host() which returns as encoded bytes by default, but most definitely non-int in pretty much any case but error, which you later try to increment at line 40 like an int, which of course TypeErrors and traceback is fired.

I'd normally submit a pull for this but am mobile atm, so just wanted to submit the details so you can throw in a quick fix. Clearly you're meaning for a different var to be used either in the check_output() return or in the increment by 1 line.

To note, I quickly tested changing the incremented var to something else which fixed the traceback and resolved the issue fwiw in the field.

Cheers, great work on this! Appreciate you open-sourcing it.

Hi dear,
you can use Maryam for the user interface. If you use Maryam, your program will a framework like Metasploit.
If you wanted, please ask how to work.
http://github.com/saeeddhqan/maryam

A useful enhancement would be to add an argument that will run nmap scans through proxychains

Hi,

when there is a i.e. Webserver running on multiple ports (i.e. 80, 81, 82, 8080..) then according to the current config.json, the generated commands would overwrite each other. Better add the port to the file name as well.

[+] Starting quick nmap scan for 10.10.10.43
[+] Writing findings for 10.10.10.43
[>] Found HTTP service on 10.10.10.43:80
[>] Found HTTP service on 10.10.10.43:443
[*] TCP quick scans completed for 10.10.10.43
[+] Starting detailed TCP/UDP nmap scans for 10.10.10.43
Send exiting main didnt connect, exiting: system error Interrupted system call

The gobuster wordlists are at Web_Content, but config.json has Web-Content

"gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$ip:$port/ -s '200,204,301,302,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_common.txt'",
"gobuster -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -u http://$ip:$port/ -s '200,204,301,307,403,500' -e | tee '$outputdir/$ip_$port_gobuster_cgis.txt'"

Detailed service scans are not being passed any dns servers when running the detailed scan.

The nmap line is being passed the dns_server value which is (currently) only a True or False value, resulting in the error:
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers

The code for Reconnoitre is currently structured into independent methods/files but lacks classes for each file. Recommendation is to create classes for each base file within the project (for example file_helpers.py would contain the class file_helper).

As this was one of my first Python projects it lacks PEP8 conventions throughout. A test case is already in place to help proof once this is successfully implemented, but PEP8 formatting still needs application throughout the project.

Good first issue.

When I exectued reconnoitre.py with other .py in this package, I got these errors.

• OS : CentOS 6.8

• Python Version : 3.5.1

• Command Line : python reconnoitre.py -t hdp01 -o /data/user/flamingo/workflow/python/v3/reconnoitre/output --services --pingsweep --dns --hostnames --snmp

  File "reconnoitre.py", line 65, in
  main();
  File "reconnoitre.py", line 47, in main
  ping_sweeper(arguments.target_hosts, arguments.output_directory, arguments.quiet)
  File "/data/user/flamingo/workflow/python/v3/reconnoitre/ping_sweeper.py", line 19, in ping_sweeper
  lines = results.split("\n")
  TypeError: a bytes-like object is required, not 'str'

reconnoitre -t 172.16.243.1-255 --pingsweep -o /root/Desktop/test0
__
|"""-= RECONNOITRE
(___) An OSCP scanner by @codingo

[+] Testing for required utilities on your system.
[#] Performing ping sweep
[!] /root/Desktop/test0 didn't exist and has been created.
[+] Performing ping sweep over 172.16.243.1-255
Traceback (most recent call last):
File "/usr/local/bin/reconnoitre", line 11, in
load_entry_point('Reconnoitre==1.0', 'console_scripts', 'reconnoitre')()
File "/usr/local/lib/python3.7/dist-packages/Reconnoitre-1.0-py3.7.egg/Reconnoitre/reconnoitre.py", line 88, in main
arguments.quiet)
File "/usr/local/lib/python3.7/dist-packages/Reconnoitre-1.0-py3.7.egg/Reconnoitre/lib/ping_sweeper.py", line 12, in ping_sweeper
lines = call_nmap_sweep(target_hosts)
File "/usr/local/lib/python3.7/dist-packages/Reconnoitre-1.0-py3.7.egg/Reconnoitre/lib/ping_sweeper.py", line 27, in call_nmap_sweep
lines = str(results).encode("utf-8").split("\n")
TypeError: a bytes-like object is required, not 'str'

If hostnames are discovered and stored via discovery then these are also to be used with the virtual host scanner.

Since these are useful across the subnet hostnames.txt could be tried before any wordlists (or it could be the default option if no wordlist was specified?)

Hi thanks for the great tool. i've just discovered the tool but whrn i run it i get the error below. any idea what is the source if the issue?

Traceback (most recent call last):
File "/usr/local/bin/reconnoitre", line 11, in
load_entry_point('Reconnoitre==1.0', 'console_scripts', 'reconnoitre')()
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 489, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 2793, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 2411, in load
return self.resolve()
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 2417, in resolve
module = import(self.module_name, fromlist=['name'], level=0)
File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/reconnoitre.py", line 7, in
from lib.find_dns import find_dns
File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/find_dns.py", line 3, in
from lib.file_helper import check_directory
ImportError: No module named lib.file_helper

Along with the change #74 the user should be able to specify additional, modified scans that they can launch at command line.

So, for example, if:

--scantype "codingo-hackthebox"

Was run then the scan found under "codingo-hackthebox" in the scans object in config.json would be used. If nothing was specified then the object "default" would be used.

I downloaded it and used it with following options, its creating an error everytime.
python /root/OSCP/Reconnoitre/reconnoitre/reconnoitre.py -t 10.10.10.74 -o pwd --services

root@kali:~/OSCP/10.10.10.74-chatterbox# python /root/OSCP/Reconnoitre/reconnoitre/reconnoitre.py -t 10.10.10.74 -o pwd` --services
__
|"""-= RECONNOITRE
(___) An OSCP scanner by @codingo

[+] Testing for required utilities on your system.
[#] Performing service scans
[*] Loaded single target: 10.10.10.74
[+] Creating directory structure for 10.10.10.74
[>] Creating scans directory at: /root/OSCP/10.10.10.74-chatterbox/10.10.10.74/scans
[>] Creating exploit directory at: /root/OSCP/10.10.10.74-chatterbox/10.10.10.74/exploit
[>] Creating loot directory at: /root/OSCP/10.10.10.74-chatterbox/10.10.10.74/loot
[>] Creating proof file at: /root/OSCP/10.10.10.74-chatterbox/10.10.10.74/proof.txt
[+] Starting quick nmap scan for 10.10.10.74
[+] Writing findings for 10.10.10.74
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
self.run()
File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
self._target(*self._args, **self._kwargs)
File "/root/OSCP/Reconnoitre/reconnoitre/service_scan.py", line 20, in nmap_scan
write_recommendations(quickresults, ip_address, output_directory)
File "/root/OSCP/Reconnoitre/reconnoitre/file_helper.py", line 76, in write_recommendations
with open("config.json", "r") as config:
IOError: [Errno 2] No such file or directory: 'config.json'
`

Errors when running reconnoitre -t targets-live.txt -o reconnoitre-out --services --hostnames --dns --virtualhosts -w /usr/share/wordlists/rockyou.txt.gz

While the scan does run, it produces errors...

NSOCK ERROR [21182.2080s] mksock_bind_addr(): Bind to 0.0.0.0:918 failed (IOD #2806): Address already in use (98)
Unable to split netmask from target expression: "reconnoitre-out/10.11.1.75/scans/10.11.1.75.nmap"
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
NSOCK ERROR [22338.1170s] mksock_bind_addr(): Bind to 0.0.0.0:921 failed (IOD #2250): Address already in use (98)
NSOCK ERROR [22344.2170s] mksock_bind_addr(): Bind to 0.0.0.0:921 failed (IOD #2287): Address already in use (98)
NSOCK ERROR [22347.2770s] mksock_bind_addr(): Bind to 0.0.0.0:920 failed (IOD #2323): Address already in use (98)
NSOCK ERROR [22365.4670s] mksock_bind_addr(): Bind to 0.0.0.0:920 failed (IOD #2442): Address already in use (98)
NSOCK ERROR [22371.5290s] mksock_bind_addr(): Bind to 0.0.0.0:921 failed (IOD #2478): Address already in use (98)
NSOCK ERROR [22386.6840s] mksock_bind_addr(): Bind to 0.0.0.0:918 failed (IOD #2582): Address already in use (98)
NSOCK ERROR [22419.9380s] mksock_bind_addr(): Bind to 0.0.0.0:921 failed (IOD #2812): Address already in use (98)
NSOCK ERROR [22419.9380s] mksock_bind_addr(): Bind to 0.0.0.0:921 failed (IOD #2816): Address already in use (98)
Segmentation fault
Process Process-16:
Traceback (most recent call last):
File "/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
self.run()
File "/usr/lib/python3.7/multiprocessing/process.py", line 99, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/lib/python3.7/dist-packages/Reconnoitre-1.0-py3.7.egg/Reconnoitre/lib/service_scan.py", line 61, in nmap_scan
tcpresults = run_scan(TCPSCAN)
File "/usr/local/lib/python3.7/dist-packages/Reconnoitre-1.0-py3.7.egg/Reconnoitre/lib/subprocess_helper.py", line 8, in run_scan
return subprocess.check_output(scan, shell=True, stderr=stderr, universal_newlines=True)
File "/usr/lib/python3.7/subprocess.py", line 411, in check_output
**kwargs).stdout
File "/usr/lib/python3.7/subprocess.py", line 512, in run
output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'nmap -vv -Pn --disable-arp-ping -sS -A -sC -p- -T 3 -script-args=unsafe=1 --dns-servers -oN 'reconnoitre-out/10.11.1.221/scans/10.11.1.221.nmap' -oX 'reconnoitre-out/10.11.1.221/scans/10.11.1.221_nmap_scan_import.xml' 10.11.1.221' returned non-zero exit status 139.

Hi,

during a pentest, I noticed that the tool doesn't take into account the possibility of scanning range-based IP addresses (i.e. 1.1.1.1-100) because, in the end, the parser would output the IP address that was entered on command-line or read from a file. Instead, the parser should extract the IP address from nmap logs so that the findings with correct individual IP addresses are written to file.

SNMP scanning is currently rather unimplemented and only scans the public tree. Adding further common trees (admin/private, or even loading a json file of trees) would be beneficial to enumeration.

Relatively easy change so tagging this for Hacktoberfest but I'll address if still outstanding in November.

#15 implements Virtual Host scanning however results are currently only writing to Window. Recommend updating this to also output a file into the output directory with discovered hosts, statuses, and content length.

I'd love to use this tool, but it's simply not working for me. I'm using a current Kali VM, installed Reconnoitre as described, but a services scan won't work. I get the following:

root ~/VulnHub # reconnoitre -t 10.10.1.13 -o /root/VulnHub/ --services
  __
|\"\"\"\-=  RECONNOITRE
(____)      An OSCP scanner by @codingo_

[+] Testing for required utilities on your system.
[#] Performing service scans
[*] Loaded single target: 10.10.1.13
[+] Creating directory structure for 10.10.1.13
   [>] Creating scans directory at: /root/VulnHub/10.10.1.13/scans
   [>] Creating exploit directory at: /root/VulnHub/10.10.1.13/exploit
   [>] Creating loot directory at: /root/VulnHub/10.10.1.13/loot
   [>] Creating proof file at: /root/VulnHub/10.10.1.13/proof.txt
[+] Starting quick nmap scan for 10.10.1.13
[+] Writing findings for 10.10.1.13
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/service_scan.py", line 25, in nmap_scan
    write_recommendations(quickresults, ip_address, output_directory)
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/file_helper.py", line 103, in write_recommendations
    with open(os.path.join(__location__, "config.json"), "r") as config:
IOError: [Errno 20] Not a directory: '/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/config.json'

root ~/VulnHub # file /usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg 
/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg: Zip archive data, at least v2.0 to extract

Output lacks colour / formatting and could be centralised into a proper library.

With config.json being properly integrated in #30 I believe that the constants in service_scan for launching various nmap scans should be moved into config.json to allow users to change it themselves. I've always held back from refining these to avoid lab/exam spoilers and believe this would allow end users to do this themselves as they work through the lab material.

When exiting the KeywordInterrupt exception isn't caught, leading to a stacktrace. This isn't really necessary and should be handled gracefully.

Not all users of Reconnoitre are using Kali Linux to perform tests. As this tool was initially designed around kali linux exception handling for when these tools aren't present wasn't performed and needs to be added into the program flow.

I ran this code present in the Reconnoitre readme:

https://i.imgur.com/KDboodL.png

This is a standard Kali install with other dependencies installed. Any idea why there are no errors whatsoever yet this does not work? See my successful manual nmap below in tmux.

The nmap commands used by a services scan are currently housed within ./reconnoitre/service_scan.py, at time of raising issue on lines 15 (quickscan) and 28/31 (long UDP/TCP scans with DNS servers found), 37,40 (UDP/TCP no DNS found).

In long form:

    print("[+] Starting quick nmap scan for %s" % (ip_address))
    QUICKSCAN = "nmap -sC -sV %s -oA '%s/%s.quick'" % (ip_address, output_directory, ip_address)
    quickresults = subprocess.check_output(QUICKSCAN, shell=True).decode("utf-8")

    write_recommendations(quickresults, ip_address, output_directory)
    print("[*] TCP quick scans completed for %s" % ip_address)

    if (quick):
        return

    if dns_server:
        print("[+] Starting detailed TCP%s nmap scans for %s using DNS Server %s" % (
            ("" if no_udp_service_scan is True else "/UDP"), ip_address, dns_server))
        print("[+] Using DNS server %s" % (dns_server))
        TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 " \
                  "--dns-servers %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s" % (
                        dns_server, output_directory, ip_address, output_directory, ip_address, ip_address)
        UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 --max-retries 0 " \
                  "--dns-servers %s -oN '%s/%sU.nmap' -oX '%s/%sU_nmap_scan_import.xml' %s" % (
                        dns_server, output_directory, ip_address, output_directory, ip_address, ip_address)
    else:
        print("[+] Starting detailed TCP%s nmap scans for %s" % (
            ("" if no_udp_service_scan is True else "/UDP"), ip_address))
        TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 " \
                  "-script-args=unsafe=1 -n %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s" % (
                    dns_server, output_directory, ip_address, output_directory, ip_address, ip_address)
        UDPSCAN = "nmap -sC -sV -sU %s -oA '%s/%s-udp'" % (ip_address, output_directory, ip_address)

Ideally, these should be moved into config.json and the hardcoding removed to allow users to more easily change the commands to something more fit for their purpose.

This shouldn't conflict with the code in write_recommendations() within the same file as this code is specifically referencing to the services object:

                    for entry in j["services"][service]["output"]:
                        f.write("   [*] " + entry["description"] + "\n")

                        for cmd in entry["commands"]:
                            f.write(
                                ("      [=] " + cmd + "\n") % {"ip": ip_address, "port": port, "outputdir": outputdir})

Hi!

We are evaluating your tool for inclusion on our Linux security tools page. While reviewing we see that the badge refers to the license being public domain, while the LICENSE file states GPL v3. Is that by accident? What is the license of the tool?

I am having the same issue as amlamarra in the closed issue services can not working. I followed the instructions in the readme. I downloaded through the git one liner. Moved to the Reconnoitre folder and did python3 setup.py install. Ran the command and got the same errors as amlamarra. Am I just not installing it correctly?

To keep this exam safe for the OSCP I've never implemented --exec publicly, but it's still mentioned in some areas (command line flags). All instances of this should be removed.

Relatively easy change so leaving this flagged for Hacktoberfest.

Currently the file helper class does something along the lines of the following:

for serv in serv_dict: 
       ports = serv_dict[serv]
       if ("ftp" in serv):
           for port in ports:
               port = port.split("/")[0]
               f.write("[*] Found FTP service on %s:%s\n" % (ip_address, port))
               print("   [>] Found FTP service on %s:%s" % (ip_address, port))
               f.write("   [>] Use nmap scripts for further enumeration or hydra for password attack, e.g\n")
               f.write("      [=] nmap -sV -Pn -vv -p%s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '%s/%s_ftp.nmap' -oX '%s/%s_ftp_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
               f.write("      [=] hydra -L User List -P Pass List -f -o %s/%s_ftphydra.txt -u %s -s %s ft

This is a woefully inefficient way of assigning services and commands to nmap outputs bred from a quick time to market. The intention of this feature is to update this to work off of a json dataset where command line variables can be used to build strings.

For example,

{
  "name": "web service scans",
  "description": "[*] Found HTTP service on $ip:$port",
  "service-names": [
    "http",
    "ssl/http",
    "https"
  ],
  "discoveries": [
    {
      "description": "Use nikto & dirb / dirbuster for service enumeration, e.g",
      "commands": [
        "nikto -h $ip -p $port > $outputdir/$ip_nikto.txt",
        "dirb http://$ip:$port/ -o $outputdir/$ip_dirb.txt"
      ]
    },
    {
      "description": "Use curl and W3M (apt install w3m) to retreive web headers and find host information, e.g",
      "commands": [
        "curl -i $ip:$port",
        "w3m -dump $ip/robots.txt > $outputdir/$ip_robots.txt"
      ]
    }
  ]
}

Would store results relating to HTTP and HTTPS scans and could be easily expanded by future contributors without having to contribute to the core PR.

This project lacks a proper setup function, You can see how this can work based on the vhostscan repository (https://github.com/codingo/VHostScan).

Leaving tagged for hacktoberfest, will resolve in November if unclaimed.

That way you can tell if the build breaks. You don't have to implement all the tests yet, just make sure that all existing tests run every time.

#15 implements virtual host scanning however this fails in cases where a catch all and default vhost is in place.

This could be improved by using a hash table and checking where content varies. Additionally, it would be worth exploring retrieval of SSL certificates to see if there is a way to get and add hostnames to the checks from there (as this scenario regularly appears in HTB and CTF's)