inter-recon: perform automatic initial web and vulnerability recon


inter-recon

Script to perform automatic initial web and vulnerability recon.

It includes some error checks.

You can skip some checks, restart them, and/or continue from the last point where you stopped (network issues, such as a VPN time limit, sometimes interrupt a run).

Remember that if you copy or link the inter-recon script into a bin path (e.g. /usr/bin/), you can execute it from anywhere; it creates its output in the current working directory.

To scan multiple known domains/IPs, for example:

  • Create a file domains.txt containing all the domains or IPs
  • Execute: inter-recon -T $(pwd)/domains.txt -d $(pwd)/known-domains -w /home/kali/Desktop/tools/inter-recon/dictionaries/without-slash/dict-small-without-slash.txt -s all -a true

To scan a network/IP, for example:

  • Execute: inter-recon -t 10.11.1.1/24 -w /home/kali/Desktop/tools/inter-recon/dictionaries/without-slash/dict-small-without-slash.txt -s all -a true

Scan types

  • all
    • portscan
      • nmap TCP -> full port scan; a host is considered up if it has one of the following ports open (22,53,80,135,443,445,993,995,1521,3306,3389,5985,5986,8080,8081,8090,9001,9002)
      • nmap UDP -> top 100 ports with nmap's default host discovery
    • vulnscan
      • parse the nmap UDP and TCP scans into files
      • parse the nmap UDP and TCP scans into a services folder, one file per service
      • nmap UDP and TCP against the open ports, running the port/version-related scripts
      • smbmap guest execution -> check whether anything can be read/written without credentials
      • enum4linux guest execution -> check what information Samba exposes
      • smbversion execution -> retrieve the Samba version (on Linux servers this is sometimes the only way to see it)
    • webscan
      • HTTP discovery with aquatone from the nmap output
      • fuzz the discovered URLs with wfuzz
      • screenshot the status-200 URLs from fuzzing with eyewitness
      • 403 bypass techniques with byp4xx
    • following steps -> quick explanation of things to do after the script finishes
    • Documentation folder and template structure -> create a folder for evidence and add .md files with information about the scans
  • vuln
    • portscan (Same as above)
    • vulnscan (Same as above)
    • following steps (Same as above)
    • Documentation folder and template structure
  • web
    • portscan (Same as above)
    • webscan (Same as above)
    • following steps (Same as above)
    • Documentation folder and template structure

Structure:

  • First, a TCP and UDP port scan with version detection (nmap, requires sudo)
  • Vulnerability recon scan (parse the open ports into a file with the format IP,port,service,version, split it into per-service files, run nmap with the full set of port/version-related scripts)
  • Web fuzzing recon scan if aquatone finds an HTTP port (aquatone, wfuzz, eyewitness, byp4xx for 403 files)
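The parse step in this structure (nmap results turned into IP,port,service,version lines, then one file per service) is the most reusable piece outside the script: the same inventory drives defensive asset tracking and triage of what a scan actually exposed. The Python block below is an added example, not inter-recon's own code. It assumes the scan was saved in nmap's grepable (-oG) format (the page does not say which nmap output format the script parses), runs over a constructed sample covering a TCP and a UDP run, keeps only ports in the exact "open" state (so "filtered" and "open|filtered" are dropped), and produces both the CSV lines and the per-service files.

```python
import csv
import io
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample of nmap grepable (-oG) output for a TCP and a UDP run.
# It is not real scan data; addresses and versions are made up.
SAMPLE_GNMAP = """# Nmap 7.93 scan initiated as: nmap -sV -oG tcp.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (996)
Host: 10.11.1.9 ()\tPorts: 53/open/udp//domain//ISC BIND 9.16.1/, 161/open|filtered/udp//snmp///\tIgnored State: closed (98)
# Nmap done at Mon Jan  1 00:00:00 2024 -- 256 IP addresses (2 hosts up) scanned
"""

# Each entry in the "Ports:" field has seven '/'-separated fields:
# port/state/protocol/owner/service/rpc info/version. nmap writes '|'
# instead of '/' inside version strings, so a plain split is safe.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_gnmap(text):
    """Return one record per OPEN port found in grepable nmap output.

    Ports whose state is not exactly 'open' (filtered, open|filtered, ...)
    are dropped, which is what per-service follow-up scans need.
    """
    records = []
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, _hostname, rest = match.groups()
        ports_blob = rest.split("\t", 1)[0]  # drop the "Ignored State: ..." tail
        for entry in ports_blob.split(","):
            parts = entry.strip().split("/")
            if len(parts) < len(PORT_FIELDS):
                continue  # malformed entry: skip it instead of aborting the run
            rec = dict(zip(PORT_FIELDS, parts))
            if rec["state"] != "open":
                continue
            records.append({
                "ip": ip,
                "port": int(rec["port"]),
                "proto": rec["proto"],
                "service": rec["service"] or "unknown",
                "version": rec["version"],
            })
    return records


def to_csv(records):
    """Render records as IP,port,service,version lines (the file format named above)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for rec in records:
        writer.writerow([rec["ip"], rec["port"], rec["service"], rec["version"]])
    return buf.getvalue()


def group_by_service(records):
    """Map service name -> sorted list of 'ip:port/proto' targets."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["service"]].append(f"{rec['ip']}:{rec['port']}/{rec['proto']}")
    return {svc: sorted(targets) for svc, targets in groups.items()}


def write_service_files(records, outdir):
    """Write one <service>.txt per service under outdir/services; return the paths."""
    services_dir = Path(outdir) / "services"
    services_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for svc, targets in group_by_service(records).items():
        path = services_dir / f"{svc}.txt"
        path.write_text("\n".join(targets) + "\n")
        written.append(path)
    return sorted(written)


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    print(to_csv(recs), end="")
    for svc, targets in group_by_service(recs).items():
        print(f"{svc}: {', '.join(targets)}")
```

Run it as-is to see the CSV lines and the per-service grouping for the sample; pass the contents of a real .gnmap file to parse_gnmap and a directory to write_service_files to reproduce the services folder layout. Filtering on the exact state string matters: UDP scans report many ports as "open|filtered", and treating those as open would inflate the inventory with ports that never answered.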

Applications used:

  • nmap (a normal run and a run with the nmap-vulners script; both require sudo; TCP scans all ports if the host is up according to -PS on a set of ports, UDP scans only the top 100 ports)
  • aquatone (to get the HTTP ports from the nmap output)
  • wfuzz (to fuzz the HTTP ports)
  • eyewitness (to screenshot all status-200 URLs. This could be removed and replaced with aquatone, but personally I like the structured report it makes)
  • byp4xx (to try to bypass 403 URLs with different methods)
  • smbmap (to check guest privileges on network share folders)
  • enum4linux (to get SMB information with guest privileges)
  • smbversion (to get the real SMB version)
  • dnsrecon (to attempt a zone transfer against the DNS servers)
  • crackmapexec (to get names related to the server)
  • host (get the hostname of the DNS server)
  • dig (get the hostname of the DNS server, using the server as the nameserver via "@")

Additional Information

  • Removed the interlace dependency, as nmap can parallelize on its own and is quicker when scanning only one IP (when scanning multiple IPs the difference is small)
  • The UDP nmap only covers the top 100 ports; if you have time, run an additional nmap over all UDP ports in the background.
  • The TCP nmap checks a few ports to decide whether the host is up and only scans it if so; if you have time, run an additional nmap over all TCP ports with -Pn in the background.
  • Aquatone can fail to detect http/s ports from the nmap output (I'm not sure why, but recheck the services for any HTTP port/service missing from the scan and scan it manually)
  • I have seen a few times that wfuzz blocks the script; wfuzz has a problem with a deadlock when there is an error on the URLs. A workaround, until they solve the issue, is to comment out the th.join() and add a pass in the file /usr/local/lib/python3.9/dist-packages/wfuzz/myhttp.py in the "Cleanup" function
  • We use eyewitness because it groups the different screenshots by category in the HTTP report.

Download

git clone https://github.com/Internon/inter-recon.git

Use

Source: https://github.com/Internon/