AutoRecon – Multi-Threaded Network Reconnaissance Tool Which Performs Automated Enumeration Of Services

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.The tool works by firstly performing port scans/service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, nikto will be launched (as well as many others).Everything in the tool is highly configurable. The default configuration performs no automated exploitation to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the mis-use of this tool.OriginAutoRecon was inspired by three tools which the author used during the OSCP labs: Reconnoitre, ReconScan, and bscan. While all three tools were useful, none of the three alone had the functionality desired. AutoRecon combines the best features of the aforementioned tools while also implementing many new features to help testers with enumeration of multiple targets.FeaturesSupports multiple targets in the form of IP addresses, IP ranges (CIDR notation), and resolvable hostnames.Can scan targets concurrently, utilizing multiple processors if they are available.Customizable port scanning profiles for flexibility in your initial scans.Customizable service enumeration commands and suggested manual follow-up commands.An intuitive directory structure for results gathering.Full logging of commands that were run, along with errors if they fail.Global and per-scan pattern matching so you can highlight/extract important information from the noise.RequirementsPython 3coloramatomlOnce Python 3 is installed, pip3 can be used to install the other requirements:$ pip3 install -r requirements.txtSeveral commands used in AutoRecon reference the SecLists project, in the directory /usr/share/seclists/. You can either manually download the SecLists project to this directory (https://github.com/danielmiessler/SecLists), or if you are using Kali Linux (highly recommended) you can run the following:$ sudo apt install seclistsAutoRecon will still run if you do not install SecLists, though several commands may fail, and some manual commands may not run either.Additionally the following commands may need to be installed, depending on your OS:curlenum4linuxgobusternbtscanniktonmaponesixtyoneoscannersmbclientsmbmapsmtp-user-enumsnmpwalksslscansvwartnscmd10gwhatwebwkhtmltoimageUsageAutoRecon uses Python 3 specific functionality and does not support Python 2.usage: autorecon.py [-h] [-ct ] [-cs <number>] [–profile PROFILE] [-o OUTPUT] [–nmap NMAP | –nmap-append NMAP_APPEND] [-v] [–disable-sanity-checks] targets [targets …]Network reconnaissance tool to port scan and automatically enumerate servicesfound on multiple targets.positional arguments: targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.optional arguments: -h, –help show this help message and exit -ct <number>, –concurrent-targets <number> The maximum number of target hosts to scan concurrently. Default: 5 -cs <number>, –concurrent-scans <number> The maximum n umber of scans to perform per target host. Default: 10 –profile PROFILE The port scanning profile to use (defined in port- scan-profiles.toml). Default: default -o OUTPUT, –output OUTPUT The output directory for results. Default: results –nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv –reason -Pn –nmap-append NMAP_APPEND Append to the default {nmap_extra} variable in scans. -v, –verbose Enable verbose output. Repeat for more verbosity. –disable-sanity-checks Disable sanity checks that would otherwise prevent the scans from running.ExamplesScanning a single target:python3 autorecon.py 127.0.0.1[*] Scanning target 127.0.0.1[*] Running service detection nmap-full-tcp on 127.0.0.1[*] Running service detection nmap-top-20-udp on 127.0.0.1[*] Running service detection nmap-quick on 127.0.0.1[*] Service detection nmap-quick on 127.0.0.1 finished successfully[*] [127.0.0.1] ssh found on tcp/22[*] [127.0.0.1] http found on tcp/80[*] [127.0.0.1] rpcbind found on tcp/111[*] [127.0.0.1] postgresql found on tcp/5432[*] Running task tcp/22/nmap-ssh on 127.0.0.1[*] Running task tcp/80/nmap-http on 127.0.0.1[*] Running task tcp/80/curl-index on 127.0.0.1[*] Running task tcp/80/curl-robots on 127.0.0.1[*] Running task tcp/80/whatweb on 127.0.0.1[*] Running task tcp/80/nikto on 127.0.0.1[*] Running task tcp/111/nmap-nfs on 127.0.0.1[*] Task tcp/80/curl-index on 127.0.0.1 finished successfully[*] Task tcp/80/curl-robots on 127.0.0.1 finished successfully[*] Task tcp/22/nmap-ssh on 127.0.0.1 finished successfully[*] Task tcp/80/whatweb on 127.0.0.1 finished successfully[*] Task tcp/111/nmap-nfs on 127.0.0.1 finished successfully[*] Task tcp/80/nmap-http on 127.0.0.1 finished successfully[*] Task tcp/80/nikto on 127.0.0.1 finished successfully[*] Service detection nmap-top-20-udp on 127.0.0.1 finished successfully[*] Service detection nmap-full-tcp on 127.0.0.1 finished successfully[*] [127.0.0.1] http found on tcp/5984[*] [127.0.0.1] rtsp found on tcp/5985[*] Running task tcp/5984/nmap-http on 127.0.0.1[*] Running task tcp/5984/curl-index on 127.0.0.1[*] Running task tcp/5984/curl-robots on 127.0.0.1[*] Running task tcp/5984/whatweb on 127.0.0.1[*] Running task tcp/5984/nikto on 127.0.0.1[*] Task tcp/5984/curl-index on 127.0.0.1 finished successfully[*] Task tcp/5984/curl-robots on 127.0.0.1 finished successfully[*] Task tcp/5984/whatweb on 127.0.0.1 finish ed successfully[*] Task tcp/5984/nikto on 127.0.0.1 finished successfully[*] Task tcp/5984/nmap-http on 127.0.0.1 finished successfully[*] Finished scanning target 127.0.0.1The default port scan profile first performs a full TCP port scan, a top 20 UDP port scan, and a top 1000 TCP port scan. You may ask why AutoRecon scans the top 1000 TCP ports at the same time as a full TCP port scan (which also scans those ports). The reason is simple: most open ports will generally be in the top 1000, and we want to start enumerating services quickly, rather than wait for Nmap to scan every single port. As you can see, all the service enumeration scans actually finish before the full TCP port scan is done. While there is a slight duplication of efforts, it pays off by getting actual enumeration results back to the tester quicker.Note that the actual command line output will be colorized if your terminal supports it.Scanning multiple targetspython3 autorecon.py 192.168.1.100 192.168.1.1/30 localhost[*] Scanning target 192.168.1.100[*] Scanning target 192.168.1.1[*] Scanning target 192.168.1.2[*] Scanning target localhost[*] Running service detection nmap-quick on 192.168.1.100[*] Running service detection nmap-quick on localhost[*] Running service detection nmap-top-20-udp on 192.168.1.100[*] Running service detection nmap-quick on 192.168.1.1[*] Running service detection nmap-quick on 192.168.1.2[*] Running service detection nmap-top-20-udp on 192.168.1.1[*] Running service detection nmap-full-tcp on 192.168.1.100[*] Running service detection nmap-top-20-udp on localhost[*] Running service detection nmap-top-20-udp on 192.168.1.2[*] Running service detection nmap-full-tcp on localhost[*] Running service detection nmap-full-tcp on 192.168.1.1[*] Running service detection nmap-full-tcp on 192.168.1.2…AutoRecon supports multiple targets per scan, and will expand IP ranges provided in CIDR notation. By default, only 5 targets will be scanned at a time, with 10 scans per target.Scanning multiple targets with advanced optionspython3 autorecon.py -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost[*] Scanning target 192.168.1.100[*] Scanning target 192.168.1.1[*] Running service detection nmap-quick on 192.168.1.100 with nmap -vv –reason -Pn -sV -sC –version-all -oN “/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_quick_tcp_nmap.xml" 192.168.1.100[*] Running service detection nmap-quick on 192.168.1.1 with nmap -vv –reason -Pn -sV -sC –version-all -oN "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_quick_tcp_nmap.xml" 192.168.1.1[*] Running service detection nmap-top-20-udp on 192.168.1.100 with nmap -vv –reason -Pn -sU -A –top-ports=20 –version-all -oN "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.100/scans/_top_20_udp_nmap.xml" 192.168.1.100[*] Running service detection nmap-top-20-udp on 192.168.1.1 with nmap -vv –reason -Pn -sU -A –top-ports=20 –version-all -oN "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.txt" -oX "/root/outputdir/192.168.1.1/scans/_top_20_udp_nmap.xml" 192.168.1.1[-] [192.168.1.1 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST[-] [192.168.1.100 nmap-quick] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST[-] [192.168.1.100 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST[-] [192.168.1.1 nmap-top-20-udp] Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 17:25 EST[-] [192.168.1.1 nmap-quick] NSE: Loaded 148 scripts for scanning.[-] [192.168.1.1 nmap-quick] NSE: Script Pre-scanning.[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed[-] [192.168.1.1 nmap-quick] NSE: Starting runlevel 2 (of 2) sca n.[-] [192.168.1.1 nmap-quick] Initiating NSE at 17:25[-] [192.168.1.1 nmap-quick] Completed NSE at 17:25, 0.00s elapsed[-] [192.168.1.1 nmap-quick] Initiating ARP Ping Scan at 17:25[-] [192.168.1.100 nmap-quick] NSE: Loaded 148 scripts for scanning.[-] [192.168.1.100 nmap-quick] NSE: Script Pre-scanning.[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 1 (of 2) scan.[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed[-] [192.168.1.100 nmap-quick] NSE: Starting runlevel 2 (of 2) scan.[-] [192.168.1.100 nmap-quick] Initiating NSE at 17:25[-] [192.168.1.100 nmap-quick] Completed NSE at 17:25, 0.00s elapsed[-] [192.168.1.100 nmap-quick] Initiating ARP Ping Scan at 17:25…In this example, the -ct option limits the number of concurrent targets to 2, and the -cs option limits the number of concurrent scans per target to 2. The -vv option makes the output very verbose, showing the output of every scan being run. The -o option sets a custom output directory for scan results to be saved.VerbosityAutoRecon supports three levels of verbosity:(none) Minimal output. AutoRecon will announce when target scans start and finish, as well as which services were identified.(-v) Verbose output. AutoRecon will additionally specify the exact commands which are being run, as well as highlighting any patterns which are matched in command output.(-vv) Very verbose output. AutoRecon will output everything. Literally every line from all commands which are currently running. When scanning multiple targets concurrently, this can lead to a ridiculous amount of output. It is not advised to use -vv unless you absolutely need to see live output from commands.ResultsBy default, results will be stored in the ./results directory. A new sub directory is created for every target. The structure of this sub directory is:.├── exploit/├── loot/├── report/│   ├── local.txt│   ├── notes.txt│   ├── proof.txt│   └── screenshots/└── scans/ ├── _commands.log ├── _manual_commands.txt └── xml/The exploit directory is intended to contain any exploit code you download / write for the target.The loot directory is intended to contain any loot (e.g. hashes, interesting files) you find on the target.The report directory contains some auto-generated files and directories that are useful for reporting:local.txt can be used to store the local.txt flag found on targets.notes.txt should contain a basic template where you can write notes for each service discovered.proof.txt can be used to store the proof.txt flag found on targets.The screenshots directory is intended to contain the screenshots you use to document the exploitation of the target.The scans directory is where all results from scans performed by AutoRecon will go. This includes port scans / service detection scans, as well as any service enumeration scans. It also contains two other files:_commands.log contains a list of every command AutoRecon ran against the target. This is useful if one of the commands fails and you want to run it again with modifications._manual_commands.txt contains any commands that are deemed "too dangerous" to run automatically, either because they are too intrusive, require modification based on human analysis, or just work better when there is a human monitoring them.If a scan results in an error, a file called _errors.log will also appear in the scans directory with some details to alert the user.If output matches a defined pattern, a file called _patterns.log will also appear in the scans directory with details about the matched output.The scans/xml directory stores any XML output (e.g. from Nmap scans) separately from the main scan outputs, so that the scans directory itself does not get too cluttered.Port Scan profilesThe port-scan-profiles.toml file is where you can define the initial port scans / service detection commands. The configuration file uses the TOML format, which is explained here: https://github.com/toml-lang/tomlHere is an example profile called "quick":[quick] [quick.nmap-quick] [quick.nmap-quick.service-detection] command = ‘nmap {nmap_extra} -sV –version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}’ pattern = ‘^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$’ [quick.nmap-top-20-udp] [quick.nmap-top-20-udp.service-detection] command = ‘nmap {nmap_extra} -sU -A –top-ports=20 –version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}’ pattern = ‘^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$’Note that indentation is optional, it is used here purely for aesthetics. The "quick" profile defines a scan called "nmap-quick". This scan has a service-detection command which uses nmap to scan the top 1000 TCP ports. The command uses two references: {scandir} is the location of the scans directory for the target, and {address} is the address of the target.A regex pattern is defined which matches three named groups (port, protocol, and service) in the output. Every service-detection command must have a corresponding pattern that matches all three of those groups. AutoRecon will attempt to do some checks and refuse to scan if any of these groups are missing.An almost identical scan called "nmap-top-20-udp" is also defined. This scans the top 20 UDP ports.Here is a more complicated example:[udp] [udp.udp-top-20] [udp.udp-top-20.port-scan] command = ‘unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"’ pattern = ‘^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$’ [udp.udp-top-20.service-detection] command = ‘nmap {nmap_extra} -sU -A -p {ports} –version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}’ pattern = ‘^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$’In this example, a profile called "udp" defines a scan called "udp-top-20". This scan has two commands, one is a port-scan and the other is a service-detection. When a port-scan command is defined, it will always be run first. The corresponding pattern must match a named group "port" which extracts the port number from the output.The service-detection will be run after the port-scan command has finished, and uses a new reference: {ports}. This reference is a comma-separated string of all the ports extracted by the port-scan command. Note that the same three named groups (port, protocol, and service) are defined in the service-detection pattern.Both the port-scan and the service-detection commands use the {scandir} and {address} references.Note that if a port-scan command is defined without a corresponding service-detection command, AutoRecon will refuse to scan.This more complicated example is only really useful if you want to use unicornscan’s speed in conjuction with nmap’s service detection abilities. If you are content with using Nmap for both port scanning and service detection, you do not need to use this setup.Service ScansThe service-scans.toml file is where you can define service enumeration scans and other manual commands associated with certain services.Here is an example of a simple configuration:[ftp]service-names = [ ‘^ftp’, ‘^ftp\-data’] [[ftp.scan]] name = ‘nmap-ftp’ command = ‘nmap {nmap_extra} -sV -p {port} –script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}’ [[ftp.scan.pattern]] description = ‘Anonymous FTP Enabled!’ pattern = ‘Anonymous FTP login allowed’ [[ftp.manual]] description = ‘Bruteforce logins:’ commands = [ ‘hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}’, ‘medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}’ ]Note that indentation is optional, it is used here purely for aesthetics. The service "ftp" is defined here. The service-names array contains regex strings which should match the service name from the service-detection scans. Regex is used to be as flexible as possible. The service-names array works on a whitelist basis; as long as one of the regex strings matches, the service will get scanned.An optional ignore-service-names array can also be defined, if you want to blacklist certain regex strings from matching.The ftp.scan section defines a single scan, named nmap-ftp. This scan defines a command which runs nmap with several ftp-related scripts. Several references are used here:{nmap_extra} by default is set to "-vv –reason -Pn" but this can be overridden or appended to using the –nmap or –nmap-append command line options respectively. If the protocol is UDP, "-sU" will also be appended.{port} is the port that the service is running on.{scandir} is the location of the scans directory for the target.{protocol} is the protocol being used (either tcp or udp).{address} is the address of the target.A pattern is defined for the nmap-ftp scan, which matches the simple pattern "Anonymous FTP login allowed". In the event that this pattern matches output of the nmap-ftp command, the pattern description ("Anonymous FTP Enabled!") will be saved to the _patterns.log file in the scans directory. A special reference {match} can be used in the description to reference the entire match, or the first capturing group.The ftp.manual section defines a group of manual commands. This group contains a description for the user, and a commands array which contains the commands that a user can run. Two new references are defined here: {username_wordlist} and {password_wordlist} which are configured at the very top of the service-scans.toml file, and default to a username and password wordlist provided by SecLists.Here is a more complicated configuration:[smb]service-names = [ ‘^smb’, ‘^microsoft\-ds’, ‘^netbios’] [[smb.scan]] name = ‘nmap-smb’ command = ‘nmap {nmap_extra} -sV -p {port} –script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" –script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}’ [[smb.scan]] name = ‘enum4linux’ command = ‘enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"’ run_once = true ports.tcp = [139, 389, 445] ports.udp = [137] [[smb.scan]] name = ‘nbtscan’ command = ‘nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"’ run_once = true ports.udp = [137] [[smb.scan]] name = ‘smbclient’ command = ‘smbclient -L\\ -N -I {address} 2>&1 | tee "{scan dir}/smbclient.txt"’ run_once = true ports.tcp = [139, 445] [[smb.scan]] name = ‘smbmap-share-permissions’ command = ‘smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"’ [[smb.scan]] name = ‘smbmap-list-contents’ command = ‘smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"’ [[smb.scan]] name = ‘smbmap-execute-command’ command = ‘smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"’ [[smb.manual]] description = ‘Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:’ commands = [ ‘nmap {nmap_extra} -sV -p {port} –script="smb-vuln-ms06-025" –script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}’, ‘nmap {nmap_extra} -sV -p {port} –script="smb-vuln-ms07-029" –script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}’, ‘nmap {nmap_extra} -sV -p {port} –script="smb-vuln-ms08-067" –script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}’ ]The main difference here is that several scans have some new settings:The ports.tcp array defines a whitelist of TCP ports which the command can be run against. If the service is detected on a port that is not in the whitelist, the command will not be run against it.The ports.udp array defines a whitelist of UDP ports which the command can be run against. It operates in the same way as the ports.tcp array.Why do these settings even exist? Well, some commands will only run against specific ports, and can’t be told to run against any other ports. enum4linux for example, will only run against TCP ports 139, 389, and 445, and UDP port 137.In fact, enum4linux will always try these ports when it is run. So if the SMB service is found on TCP ports 139 and 445, AutoRecon may attempt to run enum4linux twice for no reason. This is why the third setting exists:If run_once is set to true, the command will only ever run once for that target, even if the SMB service is found on multiple ports.TestimonialsAutoRecon was invaluable during my OSCP exam, in that it saved me from the tedium of executing my active information gathering commands myself. I was able to start on a target with all of the information I needed clearly laid in front of me. I would strongly recommend this utility for anyone in the PWK labs, the OSCP exam, or other environments such as VulnHub or HTB. It is a great tool for both people just starting down their journey into OffSec and seasoned veterans alike. Just make sure that somewhere between those two points you take the time to learn what’s going on "under the hood" and how / why it scans what it does.- b0ats (rooted 5/5 exam hosts)Wow, what a great find! Before using AutoRecon, ReconScan was my goto enumeration script for targets because it automatically ran the enumeration commands after it finds open ports. The only thing missing was the automatic creation of key directories a pentester might need during an engagement (exploit, loot, report, scans). Reconnoitre did this but didn’t automatically run those commands for you. I thought ReconScan that was the bee’s knees until I gave AutoRecon a try. It’s awesome! It combines the best features of Reconnoitre (auto directory creation) and ReconScan (automatically executing the enumeration commands). All I have to do is run it on a target or a set of targets and start going over the information it has already collected while it continues the rest of scan. The proof is in the pudding 🙂 Passed the OSCP exam! Kudos to Tib3rius!- werk0utA friend told me about AutoRecon, so I gave it a try in the PWK labs. AutoRecon launches the common tools we all always use, whether it be nmap or nikto, and also creates a nice subfolder system based on the targets you are attacking. The strongest feature of AutoRecon is the speed; on the OSCP exam I left the tool running in the background while I started with another target, and in a matter of minutes I had all of the AutoRecon output waiting for me. AutoRecon creates a file full of commands that you should try manually, some of which may require tweaking (for example, hydra bruteforcing commands). It’s good to have that extra checklist.- tr3mb0 (rooted 4/5 exam hosts)Being introduced to AutoRecon was a complete game changer for me while taking the OSCP and establishing my penetration testing methodology. AutoRecon is a multi-threaded reconnaissance tool that combines and automates popular enumeration tools to do most of the hard work for you. You can’t get much better than that! After running AutoRecon on my OSCP exam hosts, I was given a treasure chest full of information that helped me to start on each host and pass on my first try. The best part of the tool is that it automatically launches further enumeration scans based on the initial port scans (e.g. run enum4linux if SMB is detected). The only bad part is that I did not use this tool sooner! Thanks Tib3rius.- rufy (rooted 4/5 exam hosts)AutoRecon allows a security researcher to iteratively scan hosts and identify potential attack vectors. Its true power comes in the form of performing scans in the background while the attacker is working on another host. I was able to start my scans and finish a specific host I was working on – and then return to find all relevant scans completed. I was then able to immediately begin trying to gain initial access instead of manually performing the active scanning process. I will continue to use AutoRecon in future penetration tests and CTFs, and highly recommend you do the same.- waar (rooted 4.99/5 exam hosts)"If you have to do a task more than twice a day, you need to automate it." That’s a piece of advice that an old boss gave to me. AutoRecon takes that lesson to heart. Whether you’re sitting in the exam, or in the PWK labs, you can fire off AutoRecon and let it work its magic. I had it running during my last exam while I worked on the buffer overflow. By the time I finished, all the enum data I needed was there for me to go through. 10/10 would recommend for anyone getting into CTF, and anyone who has been at this a long time.- whoisflynnI love this tool so much I wrote it.- Tib3rius (rooted 5/5 exam hosts)I highly recommend anyone going for their OSCP, doing CTFs or on HTB to checkout this tool. Been using AutoRecon on HTB for a month before using it over on the PWK labs and it helped me pass my OSCP exam. If you’re having a hard time getting settled with an enumeration methodology I encourage you to follow the flow and techniques this script uses. It takes out a lot of the tedious work that you’re probably used to while at the same time provide well-organized subdirectories to quickly look over so you don’t lose your head. The manual commands it provides are great for those specific situations that need it when you have run out of options. It’s a very valuable tool, cannot recommend enough.- d0hnuts (rooted 5/5 exam hosts)Autorecon is not just any other tool, it is a recon correlation framwork for engagements. This helped me fire a whole bunch of scans while I was working on other targets. This can help a lot in time management. This assisted me to own 4/5 boxes in pwk exam! Result: Passed!- Wh0ami (rooted 4/5 exam hosts)Download AutoRecon

Link: http://feedproxy.google.com/~r/PentestTools/~3/OqnXDaJLqUc/autorecon-multi-threaded-network.html

Dockernymous – A Script Used To Create A Whonix Like Gateway/Workstation Environment With Docker Containers

Dockernymous is a start script for Docker that runs and configures two individual Linux containers in order act as a anonymisation workstation-gateway set up.It’s aimed towards experienced Linux/Docker users, security professionals and penetration testers!The gateway container acts as a Anonymizing Middlebox (see https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy) and routes ALL traffic from the workstation container through the Tor Network.The idea was to create a whonix-like setup (see https://www.whonix.org) that runs on systems which aren’t able to efficiently run two hardware virtualized machines or don’t have virtualization capacities at all. Requirements:Host (Linux):dockervncviewerxtermcurlGateway Image:Linux (e.g. Alpine, Debian )torprocpsncatiptablesWorkstation Image:Linux (e.g. Kali)‎xfce4 or another desktop environment (for vnc access)tightvncserverInstructions:1. HostTo clone the dockernymous repository type:git clone https://github.com/bcapptain/dockernymous.gitDockernymous needs an up and running Docker environment and a non-default docker network. Let’s create one:docker network create –driver=bridge –subnet=192.168.0.0/24 docker_internal2. Gateway (Alpine):Get a lightweight gateway Image! For example Alpine:docker pull alpineRun the image, update the package list, install iptables & tor:docker run -it alpine /bin/shapk add –update tor iptables iproute2exitFeel free to further customize the gateway for your needs before you extit.To make this permanent you have to create a new image from the gateway container we just set up. Each time you run dockernymous a new container is created from that image and disposed on exit:docker commit [Container ID] my_gatewayGet the container ID by running:docker ps -a3. Workstation (Kali Linux):Get an image for the Workstation. For example, Kali Linux for penetration testing:docker pull kalilinux/kali-linux-dockerUpdate and install the tools you would like to use (see https://www.kali.org/news/kali-linux-metapackages/).docker run -it kalilinux/kali-linux-docker /bin/bashapt-get updateapt-get dist-upgradeapt install kali-linux-top10Make sure the tightvncserver and curl packages are installed which is the case with most Kali Metapackages.apt-get install tightvncserverapt-get install curlInstall xfce4 for a minimal graphical Desktop:$ apt-get install xfce4 $ apt-get clean$ exitAs with the Gateway, to make this permanent you have to create an image from that customized container. Each time you run dockernymous a new container is created and disposed on exit.$ docker commit [Container ID] my_workstationGet the container ID by running:$ docker ps -a4. Run dockernymous In case you changed the names for the images to something different (defaults are: “docker_internal" (network), "my_gateway" (gateway), "my_workstation" (you guess it)) open dockernymous.sh with your favorite editor and update the actual names in the configuration section.Everything should be set up by now, let’s give it a try! Run Dockernymus (don’t forget to ‘cd’ into the cloned folder):bash dockernymous.shor mark it executable once:chmod +x dockernymous.sh and always run it with:./dockernymous.shI’m happy for feedback. Please remember that dockernymous is still under development. The script is pretty messy, yet so consider it as a alpha phased project (no versioning yet).Download Dockernymous

Link: http://feedproxy.google.com/~r/PentestTools/~3/WbwiCRF568Y/dockernymous-script-used-to-create.html

Kali NetHunter App Store – The New Android Store Dedicated to Free Security Apps

The Kali NetHunter App Store is a one-stop-shop for security relevant Android applications. It is the ultimate alternative to the Google Play store for any Android device, whether rooted or not, NetHunter or stock. If you are after any security application for your Android device, the NetHunter Store will be the place to get it.The NetHunter store is powered by a slightly modified version of F-Droid, thanks to the hard work of the F-Droid community, in particular Peter Serwylo whose help was invaluable. Whilst F-Droid installs its clients with telemetry disabled and asks for consent before submitting crash reports, we went a step further and removed the entire code – just to make sure that our privacy cannot be compromised by accident. We also widened the inclusion policy to allow proprietary applications into the store. Download Kali NetHunter App Store

Link: http://feedproxy.google.com/~r/PentestTools/~3/FpkbVd5aohk/kali-nethunter-app-store-new-android.html

Zydra – File Password Recovery Tool And Linux Shadow File Cracker

Zydra is a file password recovery tool and Linux shadow file cracker. It uses the dictionary search or Brute force method for cracking passwords.Supported FilesRAR FilesLegacy ZIP FilesPDF FilesLinux Shadow Files (zydra can find all the user’s password in the linux shadow file one after the other)PrerequisitesTo run the app, minimal requirements are:Python 3.3 or higherdebian-based linux distro, preferably Kali linux 2qpdf and unrar packages Installing these packages on kali is as easy as running the following commands on terminal: $ sudo apt-get update $ sudo apt-get install qpdf unrarsome python modules in this program need to be installed manually, like: zipfile, rarfile, crypt, pyfiglet, py-term(for term module) and so on. you can use pip3 for install them example: $ pip3 install py-term notice: rar,zip and pdf files must have an extension, shadow files does not need an extension.DisclaimerThis tool is only for testing and academic purposes Do not use it for illegal purposes!FeaturesCracking files password using two methods: 1. dictionary method 2. brute force methodIn the brute force method, you can specify the min length and max length of the passwords.In the brute force method, you can specify the type of characters that may be used in the password.There is a percent progress bar showing how much of the process has been performed.Error handling.One of the most important features of Zydra is the multiprocessing feature that speeds up the program. For example if you have 8 CPU cores, Zydra will use all of them for processing at the same time.InstallationDownload Zydra by cloning the Git repository: $ git clone https://github.com/hamedA2/Zydra.gitUsageTo get a list of all options and learn how to use this app, enter the following command:$ python3 Zydra.py -h Examples1- Dictionary search to find the password for a zip file In this example I use rockyou.txt dictionary $ python3 Zydra.py –f file.zip –d rockyou.txt2- Brute force search to find the password for the users in the shadow file Minimum length of password is 4 and maximum length is 4 and we try to find passwords that are composed of numbers and symbols letters. $ python3 Zydra.py –f shadow –b digits,symbols –m 4 –x 4AuthorHamed HosseiniA special thank to, Hamed IzadiDownload Zydra

Link: http://feedproxy.google.com/~r/PentestTools/~3/6ATnAnKScCs/zydra-file-password-recovery-tool-and.html

UPDATE: Kali Linux 2019.2 Release

PenTestIT RSS Feed
Kali Linux 2019.2, the latest and the greatest Kali Linux release is now officially available! This is the second 2019 release, which comes after Kali Linux 2019.1, that was made available in the month of February. This new release majorly focuses on Kali Linux NetHunter updates including 13 new images and added device support along withRead more about UPDATE: Kali Linux 2019.2 Release
The post UPDATE: Kali Linux 2019.2 Release appeared first on PenTestIT.

Link: http://pentestit.com/update-kali-linux-2019-2-release/

Kali Linux 2019.2 Release – Penetration Testing and Ethical Hacking Linux Distribution

This release brings the kernel up to version 4.19.28, fixes numerous bugs, includes many updated packages, and most excitingly, features a new release of Kali Linux NetHunter!Kali NetHunter 2019.2 ReleaseNetHunter now supports over 50 devices running all the latest Android versions, from KitKat through to Pie.13 new NetHunter images have been released for the latest Android versions of your favorite devices, including:Nexus 6 running PieNexus 6P, OreoOnePlus2, PieGalaxy Tab S4 LTE & WiFi, OreoThese and many more can be downloaded from the NetHunter page.Tool UpgradesThis release largely features various tweaks and bug fixes but there are still many updated tools including seclists, msfpc, and exe2hex.For the complete list of updates, fixes, and additions, please refer to the Kali Bug Tracker Changelog.ARM UpdatesFor the ARM users, be aware that the first boot will take a bit longer than usual, as it requires the reinstallation of a few packages on the hardware. This manifests as the login manager crashing a few times until the packages finish reinstalling and is expected behaviour.Upgrade to Kali Linux 2019.2If you already have a Kali installation you’re happy with, you can easily upgrade in place as follows.root@kali:~# apt update && apt -y full-upgradeEnsuring your Installation is UpdatedTo double check your version, first make sure your Kali package repositories are correct.root@kali:~# cat /etc/apt/sources.listdeb http://http.kali.org/kali kali-rolling main non-free contribThen after running ‘apt -y full-upgrade’, you may require a ‘reboot’ before checking:root@kali:~# grep VERSION /etc/os-releaseVERSION=”2019.2"VERSION_ID="2019.2"root@kali:~# uname -aLinux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/LinuxIf you come across any bugs in Kali, please open a report on our bug tracker. Download Kali Linux 2019.2

Link: http://www.kitploit.com/2019/05/kali-linux-20192-release-penetration.html

Sn1per v7.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security’s premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.SN1PER PROFESSIONAL FEATURES:Professional reporting interfaceSlideshow for all gathered screenshotsSearchable and sortable DNS, IP and open port databaseDetailed host reportsNMap HTML host reportsQuick links to online recon tools and Google hacking queriesTakeovers and Email SecurityHTML5 NotepadORDER SN1PER PROFESSIONAL:To obtain a Sn1per Professional license, go to https://xerosecurity.com.DEMO VIDEO:SN1PER COMMUNITY FEATURES:Automatically collects basic recon (ie. whois, ping, DNS, etc.)Automatically launches Google hacking queries against a target domainAutomatically enumerates open ports via NMap port scanningAutomatically brute forces sub-domains, gathers DNS info and checks for zone transfersAutomatically checks for sub-domain hijackingAutomatically runs targeted NMap scripts against open portsAutomatically runs targeted Metasploit scan and exploit modulesAutomatically scans all web applications for common vulnerabilitiesAutomatically brute forces ALL open servicesAutomatically test for anonymous FTP accessAutomatically runs WPScan, Arachni and Nikto for all web servicesAutomatically enumerates NFS sharesAutomatically test for anonymous LDAP accessAutomatically enumerate SSL/TLS ciphers, protocols and vulnerabilitiesAutomatically enumerate SNMP community strings, services and usersAutomatically list SMB users and shares, check for NULL sessions and exploit MS08-067Automatically exploit vulnerable JBoss, Java RMI and Tomcat serversAutomatically tests for open X11 serversAuto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat CredsPerforms high level enumeration of multiple hosts and subnetsAutomatically integrates with Metasploit Pro, MSFConsole and Zenmap for reportingAutomatically gathers screenshots of all web sitesCreate individual workspaces to store all scan outputEXPLOITS:Drupal RESTful Web Services unserialize() SA-CORE-2019-003Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache StrutsDrupal: CVE-2018-7600: Remote Code Execution – SA-CORE-2018-002GPON Routers – Authentication Bypass / Command Injection CVE-2018-10561MS17-010 EternalBlue SMB Remote Windows Kernel Pool CorruptionApache Tomcat: Remote Code Execution (CVE-2017-12617)Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)Apache Struts 2 Framework Checks – REST plugin with XStream handler (CVE-2017-9805)Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249Shellshock Bash Shell remote code execution CVE-2014-6271HeartBleed OpenSSL Detection CVE-2014-0160MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843MS08-067 Microsoft Server Service Relative Path Stack CorruptionWebmin File Disclosure CVE-2006-3392VsFTPd 2.3.4 BackdoorProFTPd 1.3.3C BackdoorMS03-026 Microsoft RPC DCOM Interface OverflowDistCC Daemon Command ExecutionJBoss Java De-SerializationHTTP Writable Path PUT/DELETE File AccessApache Tomcat User EnumerationTomcat Application Manager Login BruteforceJenkins-CI EnumerationHTTP WebDAV ScannerAndroid Insecure ADBAnonymous FTP AccessPHPMyAdmin BackdoorPHPMyAdmin Auth BypassOpenSSH User EnumerationLibSSH Auth BypassSMTP User EnumerationPublic NFS MountsKALI LINUX INSTALL:bash install.shUBUNTU/DEBIAN/PARROT INSTALL:bash install_debian_ubuntu.shDOCKER INSTALL:docker build DockerfileUSAGE:[*] NORMAL MODEsniper -t|–target [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCEsniper -t|–target <TARGET> -o|–osint -re|–recon -fp|–fullportonly -b|–bruteforce[*] STEALTH MODE + OSINT + RECONsniper -t|–target <TARGET> -m|–mode stealth -o|–osint -re|–recon[*] DISCOVER MODEsniper -t|–target <CIDR> -m|–mode discover -w|–workspace <WORSPACE_ALIAS>[*] FLYOVER MODEsniper -t|–target <TARGET> -m|–mode flyover -w|–workspace <WORKSPACE_ALIAS>[*] AIRSTRIKE MODEsniper -f|–file /full/path/to/targets.txt -m|–mode airstrike[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLEDsniper -f–file /full/path/to/targets.txt -m|–mode nuke -w|–workspace <WORKSPACE_ALIAS>[*] SCAN ONLY SPECIFIC PORTsniper -t|–target <TA RGET> -m port -p|–port <portnum>[*] FULLPORTONLY SCAN MODEsniper -t|–target <TARGET> -fp|–fullportonly[*] PORT SCAN MODEsniper -t|–target <TARGET> -m|–mode port -p|–port <PORT_NUM>[*] WEB MODE – PORT 80 + 443 ONLY!sniper -t|–target <TARGET> -m|–mode web[*] HTTP WEB PORT HTTP MODEsniper -t|–target <TARGET> -m|–mode webporthttp -p|–port <port>[*] HTTPS WEB PORT HTTPS MODEsniper -t|–target <TARGET> -m|–mode webporthttps -p|–port <port>[*] WEBSCAN MODEsniper -t|–target <TARGET> -m|–mode webscan[*] ENABLE BRUTEFORCEsniper -t|–target <TARGET> -b|–bruteforce[*] ENABLE LOOT IMPORTING INTO METASPLOITsniper -t|–target <TARGET>[*] LOOT REIMPORT FUNCTIONsniper -w <WORKSPACE_ALIAS> –reimport[*] LOOT REIMPORTALL FUNCTIONsniper -w <WORKSPACE_ALIAS& gt; –reimportall[*] DELETE WORKSPACEsniper -w <WORKSPACE_ALIAS> -d[*] DELETE HOST FROM WORKSPACEsniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh[*] SCHEDULED SCANS’sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'[*] SCAN STATUSsniper –status[*] UPDATE SNIPERsniper -u|–updateMODES:NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.FULLPORTONLY: Performs a full detailed port scan and saves results to XML.WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.WEBSCAN: Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni.SAMPLE REPORT:https://gist.github.com/1N3/8214ec2da2c91691bcbcDownload Sn1per

Link: http://feedproxy.google.com/~r/PentestTools/~3/IoUOymJezTw/sn1per-v70-automated-pentest-framework.html

Kostebek – Reconnaissance Tool Which Uses Firms Trademark Information To Discover Their Domains

The Kostebek is a reconnaissance tool which uses firms’ trademark information to discover their domains.InstallationTested on Kali Linux 2018.2, Ubuntu 16.04 sudo apt-get -y install python3-pippip3 install -r requirements.txt download latest version of Chromedriver and configure your driver-path#sudo apt-get install unzip#sudo unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/download latest version of Chromehttps://www.google.com/chrome/browser/desktop/#dpkg -i google-chrome-stable_current_amd64.deb#apt-get install -f#dpkg -i google-chrome-stable_current_amd64.debExampleTrademark Scan : python3 kostebek.py -u list.txt -n Organization NameGet Google Domains : python3 kostebek.py -g Organization NameGet Company Trademarks : python3 kostebek.py -t Organization NameDemoDownload Kostebek

Link: http://feedproxy.google.com/~r/PentestTools/~3/uTvabW9syZ4/kostebek-reconnaissance-tool-which-uses.html

pwnedOrNot v1.1.7 – OSINT Tool To Find Passwords For Compromised Email Addresses

pwnedOrNot uses haveibeenpwned v2 api to test email accounts and tries to find the password in Pastebin Dumps.Featureshaveibeenpwned offers a lot of information about the compromised email, some useful information is displayed by this script:Name of BreachDomain NameDate of BreachFabrication statusVerification StatusRetirement statusSpam StatusAnd with all this information pwnedOrNot can easily find passwords for compromised emails if the dump is accessible and it contains the passwordTested onKali Linux 18.2Ubuntu 18.04Kali NethunterTermuxInstallationUbuntu / Kali Linux / Nethunter / Termuxchmod 777 install.sh./install.shUsagepython3 pwnedornot.py -husage: pwnedornot.py [-h] [-e EMAIL] [-f FILE] [-d DOMAIN] [-n] [-l] [-c CHECK]optional arguments: -h, –help show this help message and exit -e EMAIL, –email EMAIL Email Address You Want to Test -f FILE, –file FILE Load a File with Multiple Email Addresses -d DOMAIN, –domain DOMAIN Filter Results by Domain Name -n, –nodumps Only Check Breach Info and Skip Password Dumps -l, –list Get List of all pwned Domains -c CHECK, –check CHECK Check if your Domain is pwned# Examples# Check Single Emailpython3 pwnedornot.py -e #ORpython3 pwnedornot.py –email <email># Check Multiple Emails from Filepython3 pwnedornot.py -f <file name># ORpython3 pwnedornot.py –file <file name># Filter Result for a Domain Name [Ex : adobe.com]python3 pwnedornot.py -e <email> -d <domain name>#ORpython3 pwnedornot.py -f <file name> –domain <domain name># Get only Breach Info, Skip Password Dumpspython3 pwnedornot.py -e <email> -n#ORpython3 pwnedornot.py -f <file name> –nodumps# Get List of all Breached Domainspython3 pwnedornot.py -l#ORpython3 pwnedornot.py –list# Check if a Domain is Pwnedpython3 pwnedornot.py -c <domain name>#ORpython3 pwnedornot.py –check <domain name>DemoDownload pwnedOrNot

Link: http://feedproxy.google.com/~r/PentestTools/~3/zMsIKFBaGtY/pwnedornot-v117-osint-tool-to-find.html

CHAOS Framework v2.0 – Generate Payloads And Control Remote Windows Systems

CHAOS is a PoC that allow generate payloads and control remote operating systems.Features Feature Windows Mac Linux Reverse Shell X X X Download File X X X Upload File X X X Screenshot X X X Keylogger X Persistence X Open URL X X X Get OS Info X X X Fork Bomb X X X Run Hidden X Tested OnKali Linux – ROLLING EDITIONHow to Install# Install dependencies$ sudo apt install golang git -y# Get this repository$ go get github.com/tiagorlampert/CHAOS# Get external golang dependencies (ARE REQUIRED GET ALL DEPENDENCIES)$ go get github.com/kbinani/screenshot$ go get github.com/lxn/win$ go get github.com/matishsiao/goInfo$ go get golang.org/x/sys/windows# Maybe you will see the message “package github.com/lxn/win: build constraints exclude all Go files".# It’s occurs because the libraries are to windows systems, but it necessary to build the payload.# Go into the repository$ cd ~/go/src/github.com/tiagorlampert/CHAOS# Run$ go run main.goHow to Use Command On HOST does… generate Generate a payload (e.g. generate lhost=192.168.0.100 lport=8080 fname=chaos –windows) lhost= Specify a ip for connection lport= Specify a port for connection fname= Specify a filename to output –windows Target Windows –macos Target Mac OS –linux Target Linux listen Listen for a new connection (e.g. listen lport=8080) serve Serve files exit Quit this program Command On TARGET does… download File Download upload File Upload screenshot Take a Screenshot keylogger_start Start Keylogger session keylogger_show Show Keylogger session logs persistence_enable Install at Startup persistence_disable Remove from Startup getos Get OS name lockscreen Lock the OS screen openurl Open the URL informed bomb Run Fork Bomb clear Clear the Screen back Close connection but keep running on target exit Close connection and exit on target VideoFAQWhy does Keylogger capture all uppercase letters?All the letters obtained using the keylogger are uppercase letters. It is a known issue, in case anyone knows how to fix the Keylogger function using golang, please contact me or open an issue.Why are necessary get and install external libraries?To implement the screenshot function i used a third-party library, you can check it in https://github.com/kbinani/screenshot and https://github.com/lxn/win. You must download and install it to generate the payload.Contacttiagorlampert@gmail.comDownload CHAOS

Link: http://www.kitploit.com/2019/04/chaos-framework-v20-generate-payloads.html