Reconnoitre: Web Application Analysis Assistant
A lot of different amateur scanners and ‘frameworks’ have already been reviewed here. Usually they are quite simple (and sometimes even buggy). Still, I find it interesting to get acquainted with them, since quite often they contain some kind of zest: an interesting feature that you might one day need.
The Reconnoitre tool was created to automate routine actions in the OSCP lab. It is a fairly simple script, and it can do the following:
- looks for live hosts
- scans the found hosts and enumerates the detected services
- generates commands for launching other tools against the discovered services
- can search for DNS servers among a large number of hosts
- tries to determine hostnames and virtual hosts
- can search for devices responding to the SNMP protocol
The collected data is stored in a folder structure with a separate folder for each host, which is convenient when working with subnets containing many hosts.
How to install Reconnoitre in Kali Linux
The tool consists of several Python scripts; you can perform a normal installation and run it by program name, or you can run it directly from the directory into which the program files were downloaded.
Example of launching without installation:
git clone https://github.com/codingo/Reconnoitre
cd Reconnoitre/Reconnoitre/
python2 ./reconnoitre.py -h
Every time you want to use Reconnoitre this way, you will need to go to the specified folder and use python2 ./reconnoitre.py instead of the program name (reconnoitre) used in the following commands.
To perform the installation:
git clone https://github.com/codingo/Reconnoitre
cd Reconnoitre/
find . -type f -print0 | xargs -0 sed -i 's/from lib.file_helper/from file_helper/g' #fix
sudo python setup.py install
reconnoitre -h
As you can see, a small fix is used: the author applied the reverse fix to be able to run without installation, but that broke the program when it is installed… Perhaps he will find a universal solution, but for now, before installing, you need to run the command marked #fix.
How to run Reconnoitre
There are actually three obligatory options:
- -t – followed by a host or a range of hosts. You can also specify a file with this data.
- -o – followed by the directory in which to save the results. A subdirectory will be created for each host.
- an option specifying an action, for example --pingsweep, --services or some other
Search active (live hosts) from IP range
As an example, I will analyze the suip.biz neighbors. I will take the range 185.117.153.1-255. I will save the data to the suip-neighbors folder in the current directory. To search for live hosts use the option --pingsweep. Therefore, the command is as follows:
reconnoitre -t 185.117.153.1-255 -o suip-neighbors --pingsweep
By the way, the folder that we specify in this command to save the data will also be used in the generated commands (they save their results to disk too), so it is recommended to specify an absolute path:
reconnoitre -t 185.117.153.1-255 -o /home/mial/suip-neighbors --pingsweep
Result:
[*] Found 190 live hosts
[*] Created target list suip-neighbors/targets.txt
That is, 190 live hosts were found (those that are online at the moment) and all of them are stored in the suip-neighbors/targets.txt file.
You can view the contents of this file:
cat suip-neighbors/targets.txt
Search for running services and generate commands for further analysis
Use the --services option to scan for services. It works as follows:
- a quick scan is run
- a file with new commands to run is generated for every host
- a more thorough service scan is performed on the same host
By the way, all service scans are performed by Nmap. So the third stage is long, and with many hosts it is very long. Therefore, you can add the --quick option to skip the deep scan.
Although the hosts will now be taken from the targets.txt file (and if this file has not been generated with the --pingsweep option, the program will fail), we still need to specify the -t option on startup:
reconnoitre -t 185.117.153.1-255 -o suip-neighbors --services --quick
Only after the previous command froze the system completely (in a virtual machine), and then froze it a couple more times with 11 GB of RAM allocated, did I understand the true meaning of the -t option! To speed up the process, all Nmap scans are run at the same time. Nmap has a peak load on RAM and on the processor, and launching several hundred Nmap instances simultaneously can hang the system so that a reboot is required.
Therefore, using the -t option, I split the subnet into smaller ranges:
reconnoitre -t 185.117.153.1-30 -o suip-neighbors --services --quick
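The range splitting described above can be automated so that only a bounded number of Nmap instances run at once. The following is an added example and not part of Reconnoitre; it assumes the last-octet range form that the -t option accepts (e.g. 185.117.153.1-255) and the reconnoitre binary on PATH.

```python
# Added example (not Reconnoitre's own code): split a target range such
# as 185.117.153.1-255 into chunks and run reconnoitre --services on
# each chunk one after the other, so Nmap load stays bounded.
import subprocess
import sys


def split_range(target, chunk_size):
    """Split 'A.B.C.start-end' into ranges of at most chunk_size hosts.

    Only the last-octet range form that Reconnoitre's -t accepts is
    handled (e.g. 10.11.1.1-255); a single host is returned unchanged.
    """
    if "-" not in target:
        return [target]
    prefix, last = target.rsplit(".", 1)
    start, end = (int(x) for x in last.split("-"))
    if not (0 <= start <= end <= 255) or chunk_size < 1:
        raise ValueError("bad range or chunk size: %r" % target)
    chunks = []
    for lo in range(start, end + 1, chunk_size):
        hi = min(lo + chunk_size - 1, end)
        chunks.append("%s.%d-%d" % (prefix, lo, hi))
    return chunks


def build_commands(target, output_dir, chunk_size=30, quick=True):
    """Return one reconnoitre --services command (argv list) per chunk."""
    cmds = []
    for rng in split_range(target, chunk_size):
        cmd = ["reconnoitre", "-t", rng, "-o", output_dir, "--services"]
        if quick:
            cmd.append("--quick")
        cmds.append(cmd)
    return cmds


def run_in_chunks(target, output_dir, chunk_size=30, quick=True):
    """Run the chunks sequentially instead of all hosts at once."""
    for cmd in build_commands(target, output_dir, chunk_size, quick):
        print("[*] running: " + " ".join(cmd))
        subprocess.check_call(cmd)


if __name__ == "__main__":
    # usage: python split_targets.py 185.117.153.1-255 /home/mial/suip-neighbors
    run_in_chunks(sys.argv[1], sys.argv[2])
```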
The program will create many folders and run a quick scan:
The following subfolders will be made for each host:
- scans
- exploit
- loot
If I understood the description correctly, the program writes data only to the scans folder. The exploit and loot folders are created only for our convenience; there we should save data obtained in other ways.
Several files will be created in the scans folder, mostly Nmap scan results in various formats. But a file named like HOST_findings.txt contains commands for subsequent analysis of, or attack on, the found services.
An example of such a file:
That is, it contains generated commands for analyzing each service. The tool in each command is selected based on the service type, the port in use is also taken into account, and the results can be saved to a file. For example, if an HTTP/HTTPS service is on port 1500, that port will be specified in the generated command.
Please note that, as the example file shows, commands can be duplicated, so use it carefully.
Classification of the proposed commands:
- Enumeration
- Find users
- Bruteforcing
- Use nmap to automate banner grabbing and key fingerprints
- Check the server for web applications with SQL injection vulnerabilities
How to discover host names
Attempts to discover target hostnames are made with the --hostnames option; an example of launching the command:
reconnoitre -t 185.117.153.1-255 -o suip-neighbors --hostnames
Results:
To be honest, I do not understand these results. If someone knows what WIN-344VU98D3RU, WIN-32VTGRUNTN0 and even IH999345 are, please explain in the comments.
Search for virtual hosts
To better understand what virtual hosts are and why to look for them, the article “How to find web server virtual host” is recommended; it also covers another program for this task. Since that program has the same author as Reconnoitre, the code is presumably the same.
To search for virtual hosts, use the --virtualhosts option. You also need to specify the path to the dictionary with the -w option. A small dictionary is supplied with Reconnoitre; it is located at: Reconnoitre/wordlists/virtual-host-scanning.txt
Launch example:
reconnoitre -t 185.117.153.1-255 -o suip-neighbors -w bin/Reconnoitre/Reconnoitre/wordlists/virtual-host-scanning.txt --virtualhosts
How to find DNS servers in the specified address range
If you need to find name servers among a large set of hosts, run Reconnoitre with the --dns option:
reconnoitre -t 185.117.153.1-255 -o suip-neighbors --dns
Conclusion
So, we looked at examples of using Reconnoitre. The full list of options:
Usage:
reconnoitre [-h] -t TARGET_HOSTS -o OUTPUT_DIRECTORY [-w WORDLIST] [-p PORT] [--pingsweep] [--dns] [--services] [--hostnames] [--snmp] [--quick] [--virtualhosts] [--ignore-http-codes IGNORE_HTTP_CODES] [--ignore-content-length IGNORE_CONTENT_LENGTH] [--quiet] [--no-udp]
Optional arguments:
-h, --help            show this help message and exit
-t TARGET_HOSTS       Set a target range of addresses to target. Ex 10.11.1.1-255
-o OUTPUT_DIRECTORY   Set the output directory. Ex /root/Documents/labs/
-w WORDLIST           Set the wordlist to use for generated commands. Ex /usr/share/wordlist.txt
-p PORT               Set the port to use. Leave blank to use discovered ports. Useful to force virtual host scanning on non-standard webserver ports.
--pingsweep           Write a new target.txt by performing a ping sweep and discovering live hosts.
--dns, --dnssweep     Find DNS servers from a list of targets.
--services            Perform service scan over targets.
--hostnames           Attempt to discover target hostnames and write to 0-name.txt and hostnames.txt.
--snmp                Perform service scan over targets.
--quick               Move to the next target after performing a quick scan and writing first-round recommendations.
--virtualhosts        Attempt to discover virtual hosts using the specified wordlist.
--ignore-http-codes IGNORE_HTTP_CODES
                      Comma separated list of http codes to ignore with virtual host scans.
--ignore-content-length IGNORE_CONTENT_LENGTH
                      Ignore content lengths of specificed amount. This may become useful when a server returns a static page on every virtual host guess.
--quiet               Supress banner and headers to limit to comma dilimeted results only.
--no-udp              Disable UDP services scan over targets.
The errors discussed below should not occur if you did everything according to this guide. However, if you missed something, the next section should help you.
Troubleshooting
PermissionError: [Errno 13] Permission denied: 'suip-neighbors'
Depending on the installation method, specifying the data folder as a relative path may cause an error like the following:
Traceback (most recent call last):
  File "/usr/share/reconnoitre/Reconnoitre/lib/file_helper.py", line 7, in check_directory
    os.stat(output_directory)
FileNotFoundError: [Errno 2] No such file or directory: 'suip-neighbors'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "reconnoitre.py", line 146, in <module>
    main()
  File "reconnoitre.py", line 87, in main
    arguments.quiet)
  File "/usr/share/reconnoitre/Reconnoitre/lib/ping_sweeper.py", line 7, in ping_sweeper
    check_directory(output_directory)
  File "/usr/share/reconnoitre/Reconnoitre/lib/file_helper.py", line 9, in check_directory
    os.mkdir(output_directory)
PermissionError: [Errno 13] Permission denied: 'suip-neighbors'
The reason for the error is that the save folder is given to the -o option as a relative path (in this example, suip-neighbors). In this case the program's working directory is a folder in which it does not have permission to write. To correct this, specify the full path to a directory for which the current user has write permission, for example -o /home/mial/suip-neighbors.
TypeError: a bytes-like object is required, not 'str'
Traceback (most recent call last):
  File "reconnoitre.py", line 146, in <module>
    main()
  File "reconnoitre.py", line 87, in main
    arguments.quiet)
  File "/usr/share/reconnoitre/Reconnoitre/lib/ping_sweeper.py", line 12, in ping_sweeper
    lines = call_nmap_sweep(target_hosts)
  File "/usr/share/reconnoitre/Reconnoitre/lib/ping_sweeper.py", line 27, in call_nmap_sweep
    lines = str(results).encode("utf-8").split("\n")
TypeError: a bytes-like object is required, not 'str'
This error has already been fixed in the latest version of Reconnoitre, so you just need to update. If there are no updates in your repository, download directly from GitHub:
git clone https://github.com/codingo/Reconnoitre
cd Reconnoitre/Reconnoitre/
python2 ./reconnoitre.py -h
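The traceback above comes from handling the Nmap output as bytes on Python 3: encoding an already-decoded string yields bytes, and bytes.split() then refuses a str separator. The following is an added example, not Reconnoitre's own code, of a version of the ping-sweep parsing that works on both Python 2 and 3; the Nmap output is a constructed sample.

```python
# Added example (not Reconnoitre's own code): Python 2/3 safe handling
# of `nmap -sn` output for building targets.txt.
import subprocess


def call_nmap_sweep(target_hosts):
    """Run an Nmap ping sweep and return its output as text."""
    results = subprocess.check_output(["nmap", "-sn", target_hosts])
    # check_output returns bytes on Python 3. The original code did
    # str(results).encode("utf-8").split("\n"), which on Python 3 turns
    # the bytes into the text "b'...'" and back into bytes, so the str
    # separator passed to split() raised the TypeError. Decode instead.
    return results.decode("utf-8", "replace")


def parse_live_hosts(results):
    """Extract live host addresses from `nmap -sn` output (str or bytes)."""
    if isinstance(results, bytes):
        results = results.decode("utf-8", "replace")
    hosts = []
    for line in results.split("\n"):
        # With reverse DNS the line reads
        # "Nmap scan report for name (1.2.3.4)", otherwise just the IP.
        if line.startswith("Nmap scan report for"):
            hosts.append(line.rstrip().split()[-1].strip("()"))
    return hosts


def targets_text(hosts):
    """Render the host list in the one-per-line targets.txt form."""
    return "\n".join(hosts) + "\n"


# Constructed sample output (not a real scan) to exercise the parser.
SAMPLE = b"""Starting Nmap ( https://nmap.org )
Nmap scan report for 185.117.153.18
Host is up (0.012s latency).
Nmap scan report for ns1.example.invalid (185.117.153.20)
Host is up (0.015s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.51 seconds
"""

if __name__ == "__main__":
    found = parse_live_hosts(SAMPLE)
    print("[*] Found %d live hosts" % len(found))
    with open("targets.txt", "w") as fh:
        fh.write(targets_text(found))
```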
TypeError: not all arguments converted during string formatting
When you run an SNMP scan, you may receive messages like these:
[+] Performing SNMP scans for 185.117.153.18 to suip-neighbors/185.117.153.18/scans/snmp/
   [>] Performing snmpwalk on public tree for: 185.117.153.18
      - Checking for System Processes
Process Process-18:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/snmp_walk.py", line 73, in snmp_scans
    ip_address, output_directory, ip_address)
TypeError: not all arguments converted during string formatting
To fix this, open the snmp_walk.py file:
gedit /usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/snmp_walk.py
Find the line there:
ip_address, output_directory, ip_address)
and replace it with:
ip_address, output_directory)
ImportError: No module named lib.file_helper
If after installation, when executing any command, you see something like the following:
Traceback (most recent call last):
  File "/usr/local/bin/reconnoitre", line 11, in <module>
    load_entry_point('Reconnoitre==1.0', 'console_scripts', 'reconnoitre')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2793, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2411, in load
    return self.resolve()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2417, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/reconnoitre.py", line 7, in <module>
    from lib.find_dns import find_dns
  File "/usr/local/lib/python2.7/dist-packages/Reconnoitre-1.0-py2.7.egg/Reconnoitre/lib/find_dns.py", line 3, in <module>
    from lib.file_helper import check_directory
ImportError: No module named lib.file_helper
Then perform the installation as follows:
git clone https://github.com/codingo/Reconnoitre
cd Reconnoitre/
find . -type f -print0 | xargs -0 sed -i 's/from lib.file_helper/from file_helper/g' #fix
sudo python setup.py install
reconnoitre -h