It's like bowling with bumpers. - @ippsec
AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.
The tool works by firstly performing port scans / service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, feroxbuster will be launched (as well as many others).
Everything in the tool is highly configurable. The default configuration performs no automated exploitation to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the mis-use of this tool.
Disclaimer: While AutoRecon endeavors to perform as much identification and enumeration of services as possible, there is no guarantee that every service will be identified, or that every service will be fully enumerated. Users of AutoRecon (especially students) should perform their own manual enumeration alongside AutoRecon. Do not rely on this tool alone for exams, CTFs, or other engagements.
AutoRecon was inspired by three tools which the author used during the OSCP labs: Reconnoitre, ReconScan, and bscan. While all three tools were useful, none of the three alone had the functionality desired. AutoRecon combines the best features of the aforementioned tools while also implementing many new features to help testers with enumeration of multiple targets.
There are three ways to install AutoRecon: pipx, pip, and manually. Before installation using any of these methods, certain requirements need to be fulfilled. If you have not refreshed your apt cache recently, run the following command so you are installing the latest available packages:
sudo apt update
AutoRecon requires the usage of Python 3.8+ and pip, which can be installed on Kali Linux using the following commands:
sudo apt install python3
sudo apt install python3-pip
Several commands used in AutoRecon reference the SecLists project, in the directory /usr/share/seclists/. You can either manually download the SecLists project to this directory (https://github.com/danielmiessler/SecLists), or if you are using Kali Linux (highly recommended) you can run the following commands:
sudo apt install seclists
AutoRecon will still run if you do not install SecLists, though several commands may fail, and some manual commands may not run either.
Additionally the following commands may need to be installed, depending on your OS:
curl
dnsrecon
enum4linux
feroxbuster
gobuster
impacket-scripts
nbtscan
nikto
nmap
onesixtyone
oscanner
redis-tools
smbclient
smbmap
snmpwalk
sslscan
svwar
tnscmd10g
whatweb
On Kali Linux, you can ensure these are all installed using the following commands:
sudo apt install seclists curl dnsrecon enum4linux feroxbuster gobuster impacket-scripts nbtscan nikto nmap onesixtyone oscanner redis-tools smbclient smbmap snmp sslscan sipvicious tnscmd10g whatweb
It is recommended you use pipx to install AutoRecon. pipx will install AutoRecon in it's own virtual environment, and make it available in the global context, avoiding conflicting package dependencies and the resulting instability. First, install pipx using the following commands:
sudo apt install python3-venv
python3 -m pip install --user pipx
python3 -m pipx ensurepath
You will have to re-source your ~/.bashrc or ~/.zshrc file (or open a new tab) after running these commands in order to use pipx.
Install AutoRecon using the following command:
pipx install git+https://github.com/Tib3rius/AutoRecon.git
Note that if you want to run AutoRecon using sudo (required for faster SYN scanning and UDP scanning), you have to use one of the following examples:
sudo env "PATH=$PATH" autorecon [OPTIONS]
sudo $(which autorecon) [OPTIONS]
Alternatively you can use pip to install AutoRecon using the following command:
python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git
Note that if you want to run AutoRecon using sudo (required for faster SYN scanning and UDP scanning), you will have to run the above command as the root user (or using sudo).
Similarly to pipx, if installed using pip you can run AutoRecon by simply executing autorecon.
If you'd prefer not to use pip or pipx, you can always still install and execute autorecon.py manually as a script. From within the AutoRecon directory, install the dependencies:
python3 -m pip install -r requirements.txt
You will then be able to run the autorecon.py script:
python3 autorecon.py [OPTIONS] 127.0.0.1
Upgrading AutoRecon when it has been installed with pipx is the easiest, and is why the method is recommended. Simply run the following command:
pipx upgrade autorecon
If you've installed AutoRecon using pip, you will first have to uninstall AutoRecon and then re-install using the same install command:
python3 -m pip uninstall autorecon
python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git
If you've installed AutoRecon manually, simply change to the AutoRecon directory and run the following command:
git pull
Assuming you did not modify any of the content in the AutoRecon directory, this should pull the latest code from this GitHub repo, after which you can run AutoRecon using the autorecon.py script as per usual.
A plugin update process is in the works. Until then, after upgrading, remove the ~/.local/share/AutoRecon directory and run AutoRecon with any argument to repopulate with the latest files.
AutoRecon uses Python 3 specific functionality and does not support Python 2.
``` usage: autorecon [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE] [--tags TAGS] [--exclude-tags TAGS] [--port-scans PLUGINS] [--service-scans PLUGINS] [--reports PLUGINS] [--plugins-dir PLUGINS_DIR] [--add-plugins-dir PLUGINS_DIR] [-l [TYPE]] [-o OUTPUT] [--single-target] [--only-scans-dir] [--no-port-dirs] [--heartbeat HEARTBEAT] [--timeout TIMEOUT] [--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [--proxychains] [--disable-sanity-checks] [--disable-keyboard-control] [--force-services SERVICE [SERVICE ...]] [--accessible] [-v] [--version] [--curl.path VALUE] [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}] [--dirbuster.wordlist VALUE [VALUE ...]] [--dirbuster.threads VALUE] [--dirbuster.ext VALUE] [--onesixtyone.community-strings VALUE] [--global.username-wordlist VALUE] [--global.password-wordlist VALUE] [--global.domain VALUE] [-h] [targets ...]
Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.
positional arguments: targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.
optional arguments: -t TARGET_FILE, --target-file TARGET_FILE Read targets from file. -p PORTS, --ports PORTS Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by prepending list with T:/U: To scan both TCP/UDP, put port(s) at start or specify B: e.g. 53,T:21-25,80,U:123,B:123. Default: None -m MAX_SCANS, --max-scans MAX_SCANS The maximum number of concurrent scans to run. Default: 50 -mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS The maximum number of concurrent port scans to run. Default: 10 (approx 20% of max-scans unless specified) -c CONFIG_FILE, --config CONFIG_FILE Location of AutoRecon's config file. Default: ~/.config/AutoRecon/config.toml -g GLOBAL_FILE, --global-file GLOBAL_FILE Location of AutoRecon's global file. Default: ~/.config/AutoRecon/global.toml --tags TAGS Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group. Default: default --exclude-tags TAGS Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group. Default: None --port-scans PLUGINS Override --tags / --exclude-tags for the listed PortScan plugins (comma separated). Default: None --service-scans PLUGINS Override --tags / --exclude-tags for the listed ServiceScan plugins (comma separated). Default: None --reports PLUGINS Override --tags / --exclude-tags for the listed Report plugins (comma separated). Default: None --plugins-dir PLUGINS_DIR The location of the plugins directory. Default: ~/.local/share/AutoRecon/plugins --add-plugins-dir PLUGINS_DIR The location of an additional plugins directory to add to the main one. Default: None -l [TYPE], --list [TYPE] List all plugins or plugins of a specific type. e.g. --list, --list port, --list service -o OUTPUT, --output OUTPUT The output directory for results. Default: results --single-target Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the output directory. Default: False --only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: False --no-port-dirs Don't create directories for ports (e.g. scans/tcp80, scans/udp53). Instead store all results in the "scans" directory itself. Default: False --heartbeat HEARTBEAT Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60 --timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: None --target-timeout TARGET_TIMEOUT Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it and moving on. Default: None --nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn -T4 --nmap-append NMAP_APPEND Append to the default {nmap_extra} variable in scans. Default: --proxychains Use if you are running AutoRecon via proxychains. Default: False --disable-sanity-checks Disable sanity checks that would otherwise prevent the scans from running. Default: False --disable-keyboard-control Disables keyboard control ([s]tatus, Up, Down) if you are in SSH or Docker. --force-services SERVICE [SERVICE ...] A space separated list of services in the following style: tcp/80/http tcp/443/https/secure --accessible Attempts to make AutoRecon output more accessible to screenreaders. Default: False -v, --verbose Enable verbose output. Repeat for more verbosity. --version Prints the AutoRecon version and exits. -h, --help Show this help message and exit.
plugin arguments: These are optional arguments for certain plugins.
--curl.path VALUE The path on the web server to curl. Defa
$ claude mcp add AutoRecon \
-- python -m otcore.mcp_server <graph>