A script you can run in the background!
The main goal for this script is to automate the process of enumeration & recon that is run every time, and instead focus our attention on real pentesting.
This will ensure two things:
- Automate nmap scans.
- Always have some recon running in the background.
Once the initial open ports are found (in 5-10 seconds), we can start manually looking into those ports and let the rest run in the background with no interaction from our side whatsoever. The available scan types are:
- Quick: Shows all open ports quickly (~15 seconds)
- Basic: Runs Quick Scan, then runs a more thorough scan on found ports (~5 minutes)
- UDP: Runs "Basic" on UDP ports (~5 minutes)
- Full: Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
- Vulns: Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
- Recon: Runs the "Basic" scan (if not yet run), then suggests recon commands (e.g. gobuster, nikto, smbmap) based on the found ports and prompts to run them automatically
- All: Runs all the scans consecutively (~20-30 minutes)
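As an added example (not the project's own script), the Quick to Basic hand-off and the Full scan's "new ports only" step written as stand-alone shell functions: the quick scan's greppable output is parsed for open ports, and only those are passed to the thorough scan. The nmap flags used (-oG, -sC, -sV, -p) are standard, and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code: the Quick -> Basic hand-off
# and the Full scan's "new ports only" step as plain shell functions.
# extract_open_ports: read nmap greppable output (-oG) on stdin and print
# the open ports as a comma-separated list (closed/filtered ports dropped).
extract_open_ports() {
  grep -E '^Host: .*Ports: ' \
    | sed 's/.*Ports: //' \
    | tr ',' '\n' \
    | grep '/open/' \
    | cut -d/ -f1 \
    | tr -d ' \t' \
    | sort -n -u \
    | paste -sd, -
}

# new_ports_only: ports in the full-range result ($2) that the earlier
# scan ($1) had not already found, so the thorough scan is not repeated.
new_ports_only() {
  printf '%s\n' "$2" | tr ',' '\n' \
    | awk -v seen=",$1," 'index(seen, "," $0 ",") == 0' \
    | sort -n -u | paste -sd, -
}

# quick_then_basic: default nmap scan first, then -sC -sV on the open
# ports only. Needs nmap installed and authorisation to scan the target.
quick_then_basic() {
  ports=$(nmap -oG - "$1" | extract_open_ports)
  if [ -z "$ports" ]; then
    echo "no open ports found on $1" >&2
    return 1
  fi
  echo "Open ports on $1: $ports"
  nmap -sC -sV -p "$ports" "$1"
}

# Constructed sample of -oG output (tab-separated fields, one filtered
# port that must be ignored) so the parsing runs without nmap.
sample_grepable() {
  printf 'Host: 10.1.1.1 ()\tStatus: Up\n'
  printf 'Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, '
  printf '135/filtered/tcp//msrpc///, 443/open/tcp//https///\tIgnored State: closed (996)\n'
}

if [ $# -gt 0 ]; then
  quick_then_basic "$1"
else
  echo "Sample quick-scan ports: $(sample_grepable | extract_open_ports)"
fi
```

Run with a target as the first argument to perform the real two-stage scan; with no arguments it only parses the constructed sample.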
The script requires Gobuster (v3.0 or higher), which we can install with:
sudo apt update
sudo apt install gobuster
or ffuf, which we can install with:
sudo apt update
sudo apt install ffuf
Other Recon tools used within the script include:
- nmap Vulners
- sslscan
- nikto
- joomscan
- wpscan
- droopescan
- smbmap
- enum4linux
- dnsrecon
- odat
- smtp-user-enum
Most of these should be installed by default in Parrot OS and Kali Linux.
git clone https://github.com/21y4d/nmapAutomator.git
sudo ln -s $(pwd)/nmapAutomator/nmapAutomator.sh /usr/local/bin/
./nmapAutomator.sh -h
Usage: ./nmapAutomator.sh -H/--host <TARGET-IP> -t/--type <TYPE> [-d/--dns <DNS SERVER>]
Scan Types:
Quick: Shows all open ports quickly (~15 seconds)
Basic: Runs Quick Scan, then runs a more thorough scan on found ports (~5 minutes)
UDP : Runs "Basic" on UDP ports "requires sudo" (~5 minutes)
Full : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
Vulns: Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
Recon: Suggests recon commands, then prompts to automatically run them
All : Runs all the scans (~20-30 minutes)
Example commands:
./nmapAutomator.sh --host 10.1.1.1 --type All
./nmapAutomator.sh -H 10.1.1.1 -t Basic
./nmapAutomator.sh -H academy.htb -t Recon -d 1.1.1.1
Feel free to send your pull requests and contributions :)
- Support DNS resolution (use of URLs/domains instead of IPs) - Done, thanks @KatsuragiCSL
- Properly identify URL extensions (testing index extensions for code 200)
- Add an nmap progress bar
- If you would like to suggest or add more port-based recon options, you can base your pull request on the following lines.
- If you would like to suggest more options for an existing port, you can add the new command under its port, similar to this example line.