ReconScan – Network Recon and Vulnerability Assessment Tool

ReconScan is a project to develop scripts that can be useful in the pentesting workflow. The project currently consists of two major components: a script invoking and aggregating the results of existing tools, and a second script for automated analysis of the aforementioned results from the perspective of exploitability.


The recon.py script runs various open-source tools in order to enumerate the services on a host. It is best run under Kali Linux or a similar pentesting-oriented distribution, where these tools come preinstalled and preconfigured.

The flow followed by the script is as follows:

  • Scan all TCP/UDP ports with nmap, using service detection and a minimal set of scripts:
    • If there are unidentified services, try amap.
    • For identified software, run vulnerability analysis with vulnscan.py.
    • For identified services, run further analysis:
      • HTTP(S): nikto, dirb
      • FTP: hydra if requested
      • SMB: enum4linux, samrdump, nbtscan
      • SSH: hydra if requested
      • SNMP: onesixtyone, snmpwalk
      • DNS: attempt zone transfer (axfr) with dig
    • Additionally, all nmap scripts are run for the following services:
      • HTTP(S), SMTP, POP3, IMAP, FTP, SMB, MSSQL, MySQL, Oracle, SNMP, RDP, VNC

Results will be dumped into the results/$ip_address directory, using the $port_$service_$tool file naming scheme. The tools are mostly run in parallel (unless one depends on the result of another), and their CLI output is aggregated and tagged by the script, so you can watch the progress and findings of each running tool in real time.

The vulnscan.py script analyses a specified CPE name to determine whether it has any known vulnerabilities and published exploits.

As input, it takes a CPE name, a full software name and version, or the path to an XML nmap report generated with service detection. When no CPE name is provided, the free text is fuzzy-matched against the CPE dictionary to check whether the given software name and version have a CPE name. When an nmap report is provided, the CPE names of the identified services are used for the lookup; if a service has a name and version but no CPE name, the script tries to fuzzy-match it.
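The nmap-report input path described above, as an added example that is not ReconScan's own code: it reads service name, product, version and CPE from a constructed nmap -sV XML fragment and fuzzy-matches services that lack a CPE against a constructed four-entry stand-in for the CPE dictionary. The dictionary entries, the XML, the similarity measure (difflib ratio) and the 0.6 cutoff are all assumptions.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed subset standing in for the official CPE dictionary (assumption).
CPE_DICT = ["cpe:/a:openbsd:openssh:7.2p2", "cpe:/a:apache:http_server:2.4.18",
            "cpe:/a:proftpd:proftpd:1.3.5", "cpe:/a:samba:samba:4.3.11"]

# Constructed nmap -sV -oX fragment: port 22 carries a CPE, 80 and 21 do not, 23 is closed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2p2"><cpe>cpe:/a:openbsd:openssh:7.2p2</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.18"/></port>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.5"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
</ports></host></nmaprun>"""

def _normalize(text):
    # Lower-case and turn underscores into spaces so "http_server" and "httpd" compare on letters only.
    return " ".join(text.lower().replace("_", " ").split())

def fuzzy_match_cpe(product, version, dictionary=CPE_DICT, cutoff=0.6):
    """Best-scoring CPE for free-text product/version, or None. The version must match exactly."""
    query = _normalize(f"{product} {version}")
    best, best_score = None, cutoff
    for cpe in dictionary:
        vendor, name, ver = cpe.split(":")[2:5]
        if ver != version:  # never let 2.4.1 stand in for 2.4.18
            continue
        score = difflib.SequenceMatcher(None, query, _normalize(f"{vendor} {name} {ver}")).ratio()
        if score > best_score:
            best, best_score = cpe, score
    return best

def services_from_nmap(xml_text):
    """Return (ip, port, service, cpe) for every open port, preferring nmap's own CPE when present."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            cpe_el = svc.find("cpe")
            cpe = cpe_el.text if cpe_el is not None else fuzzy_match_cpe(
                svc.get("product", ""), svc.get("version", ""))
            rows.append((ip, int(port.get("portid")), svc.get("name"), cpe))
    return rows
```

A service whose version is not in the dictionary resolves to None rather than to the nearest version, which is the behaviour you want before any vulnerability lookup.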

You can read more about the tool and download it here: https://github.com/RoliSoft/ReconScan
