AutoRecon
Core Function: AutoRecon is a multi-threaded network reconnaissance framework that automates the process of port scanning and service enumeration across multiple targets.
Primary Use-Cases:
Rapidly enumerating services on multiple hosts during Capture The Flag (CTF) competitions.
Performing initial information gathering and vulnerability identification in large-scale penetration tests (e.g., OSCP, corporate environments).
Standardizing the reconnaissance phase to ensure consistent and thorough data collection.
Saving significant time by parallelizing scans and automatically launching service-specific enumeration tools.
Penetration Testing Phase: Reconnaissance & Enumeration
Brief History: AutoRecon was created by cybersecurity professional Tib3rius to streamline the often tedious and time-consuming reconnaissance phase of penetration testing. It was designed to automate best-practice enumeration techniques, wrapping popular tools like Nmap, Gobuster, and Enum4linux-ng into a cohesive, pattern-based scanning engine. Its development is geared towards efficiency, particularly in exam environments and CTFs where speed is critical.
Before deployment, confirm the tool is present and working. The following commands install AutoRecon through the Advanced Package Tool (APT) on Debian-based systems such as Kali Linux and check its basic operation.
Objective: Check if AutoRecon is Installed
Bash
which autorecon
Command Breakdown:
which: A Linux command that locates the executable file associated with a given command.
Ethical Context & Use-Case: This is a fundamental system check. Before attempting to install or run a tool, you must verify if it's already in your system's PATH to avoid conflicts or redundant installations.
--> Expected Output:
/usr/bin/autorecon
Objective: Install AutoRecon
Bash
sudo apt update && sudo apt install autorecon -y
Command Breakdown:
sudo: Executes the command with superuser (root) privileges.
apt update: Refreshes the local package index with the latest changes from the repositories.
&&: A shell operator that executes the second command only if the first command succeeds.
apt install autorecon: Installs the AutoRecon package.
-y: Automatically answers "yes" to any prompts during the installation process.
Ethical Context & Use-Case: This command is used to install the tool on a system you are authorized to administer. Proper software installation is the first step in preparing for any sanctioned penetration test. Note that APT gives you the version packaged by your distribution, which may lag behind upstream; the project's README documents installation from the Git repository with pipx (pipx install git+https://github.com/Tib3rius/AutoRecon.git) if you need a current build. Either way, AutoRecon only orchestrates other tools, so Nmap, feroxbuster, enum4linux-ng, SecLists and the rest of its dependencies must also be installed; the plugin checks it runs at start-up (see --ignore-plugin-checks in the help output) warn about missing ones.
--> Expected Output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  autorecon
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 145 kB of archives.
After this operation, 1,234 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 autorecon all 0.0~git20250405.ee0d0a3 [145 kB]
Fetched 145 kB in 1s (289 kB/s)
Selecting previously unselected package autorecon.
(Reading database ... 312543 files and directories currently installed.)
Preparing to unpack .../autorecon_0.0~git20250405.ee0d0a3_all.deb ...
Unpacking autorecon (0.0~git20250405.ee0d0a3) ...
Setting up autorecon (0.0~git20250405.ee0d0a3) ...
Processing triggers for man-db (2.11.2-2) ...
Objective: View the Help Menu
Bash
autorecon -h
Command Breakdown:
autorecon: The executable for the AutoRecon tool.
-h or --help: A standard flag to display the tool's usage information, options, and parameters.
Ethical Context & Use-Case: This is the most crucial first step when learning any new tool. The help menu is the primary documentation that explains the tool's capabilities. A professional penetration tester always reviews the help menu to understand the available options before launching a scan against an authorized target.
--> Expected Output:
usage: autorecon [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS]
[-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE]
[--tags TAGS] [--exclude-tags TAGS] [--port-scans PLUGINS]
[--service-scans PLUGINS] [--reports PLUGINS]
[--plugins-dir PLUGINS_DIR] [--add-plugins-dir PLUGINS_DIR]
[-l [TYPE]] [-o OUTPUT] [--single-target] [--only-scans-dir]
[--no-port-dirs] [--heartbeat HEARTBEAT] [--timeout TIMEOUT]
[--target-timeout TARGET_TIMEOUT] [--nmap NMAP |
--nmap-append NMAP_APPEND] [--proxychains]
[--disable-sanity-checks] [--disable-keyboard-control]
[--ignore-plugin-checks]
[--force-services SERVICE [SERVICE ...]]
[-mpti PLUGIN:NUMBER [PLUGIN:NUMBER ...]]
[-mpgi PLUGIN:NUMBER [PLUGIN:NUMBER ...]] [--accessible] [-v]
[--version] [--curl.path VALUE]
[--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}]
[--dirbuster.wordlist VALUE [VALUE ...]]
[--dirbuster.threads VALUE] [--dirbuster.ext VALUE]
[--dirbuster.recursive] [--dirbuster.extras VALUE]
[--enum4linux.tool {enum4linux-ng,enum4linux}]
[--onesixtyone.community-strings VALUE]
[--subdomain-enum.domain VALUE]
[--subdomain-enum.wordlist VALUE [VALUE ...]]
[--subdomain-enum.threads VALUE]
[--vhost-enum.hostname VALUE]
[--vhost-enum.wordlist VALUE [VALUE ...]]
[--vhost-enum.threads VALUE] [--wpscan.api-token VALUE]
[--global.username-wordlist VALUE]
[--global.password-wordlist VALUE] [--global.domain VALUE]
[-h]
[targets ...]
Network reconnaissance tool to port scan and automatically enumerate services
found on multiple targets.
... (abbreviated for brevity) ...
This section details the operational use of AutoRecon, from basic single-target scans to complex, multi-faceted reconnaissance campaigns. Each example is presented within an ethical framework, assuming all activities are conducted on networks where you have explicit, documented authorization.
Objective: Scan a Single Target IP Address
Bash
autorecon 10.10.11.150
Command Breakdown:
autorecon: Executes the tool.
10.10.11.150: The positional argument specifying the target IP address to scan.
Ethical Context & Use-Case: This is the most fundamental command. It initiates a comprehensive reconnaissance scan against a single host that you are authorized to test and creates a dedicated output directory (e.g., results/10.10.11.150) containing all scan results. Run it with sudo (or as root): the default Nmap port scans, the UDP scan in particular, need raw-socket privileges, and AutoRecon checks for them at start-up as part of the sanity checks that --disable-sanity-checks turns off (the scans still fail without the privileges; the flag only silences the check).
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Creating output directory: results
[+] Creating directory for target: 10.10.11.150
[+] Added 1 target(s) to the queue.
[+] Starting scan against 1 target(s)...
[+] [10.10.11.150] [Status] Queued...
[+] [10.10.11.150] [PortScan] [nmap-quick] Starting scan...
[+] [10.10.11.150] [PortScan] [nmap-top-1000] Starting scan...
...
Objective: Scan a Single Target by Hostname
Bash
autorecon target-machine.local
Command Breakdown:
autorecon: Executes the tool.
target-machine.local: The positional argument specifying the resolvable hostname of the target.
Ethical Context & Use-Case: Used when the target is identified by a hostname rather than an IP address. This is common in internal penetration tests with functioning DNS. Ensure that you have permission to scan the system associated with this hostname.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Creating output directory: results
[+] Creating directory for target: target-machine.local
[+] Added 1 target(s) to the queue.
[+] Starting scan against 1 target(s)...
[+] [target-machine.local] [Status] Queued...
...
Objective: Scan Multiple Targets Simultaneously
Bash
autorecon 10.10.11.150 10.10.11.151 10.10.11.152
Command Breakdown:
autorecon: Executes the tool.
10.10.11.150 10.10.11.151 10.10.11.152: A space-separated list of target IPs.
Ethical Context & Use-Case: This demonstrates the power of AutoRecon's multi-threaded nature. In a scenario where you are tasked with assessing a small group of servers, this command allows you to launch parallel reconnaissance efforts, significantly reducing assessment time.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Creating output directory: results
[+] Creating directory for target: 10.10.11.150
[+] Creating directory for target: 10.10.11.151
[+] Creating directory for target: 10.10.11.152
[+] Added 3 target(s) to the queue.
[+] Starting scan against 3 target(s)...
[+] [10.10.11.150] [Status] Queued...
[+] [10.10.11.151] [Status] Queued...
[+] [10.10.11.152] [Status] Queued...
...
Objective: Scan a Subnet Using CIDR Notation
Bash
autorecon 192.168.1.0/24
Command Breakdown:
autorecon: Executes the tool.
192.168.1.0/24: A target specified in Classless Inter-Domain Routing (CIDR) notation, representing all 254 usable IPs from 192.168.1.1 to 192.168.1.254.
Ethical Context & Use-Case: Essential for internal network penetration tests where you are given a scope defined by a subnet. This command efficiently scans an entire range of IPs. Extreme caution must be exercised to ensure the CIDR range matches the authorized scope precisely to avoid scanning out-of-scope systems.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Creating output directory: results
[+] Added 254 target(s) to the queue.
[+] Starting scan against 254 target(s)...
...
Objective: Scan Targets from a File
Bash
autorecon -t targets.txt
Command Breakdown:
autorecon: Executes the tool.
-t targets.txt: The --target-file flag, which instructs AutoRecon to read targets from the specified file (targets.txt), where each target is on a new line.
Ethical Context & Use-Case: This method is standard practice in professional engagements. The client provides a list of in-scope IP addresses or hostnames in a file. Using a target file prevents typographical errors and serves as a clear record of the intended scope.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Reading targets from: targets.txt
[+] Creating output directory: results
[+] Added 15 target(s) to the queue.
[+] Starting scan against 15 target(s)...
...
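Scope control deserves a mechanical check rather than a careful eye, whether the targets come from a CIDR on the command line or from a file. The script below is an added example (not part of AutoRecon) that refuses to start a scan unless every entry in targets.txt lies inside a separately maintained scope.txt of authorized CIDR ranges; both file names are assumptions, as is the IPv4-only handling. Hostnames cannot be checked without resolving them, so they are flagged for manual review instead, and CRLF line endings (common in client-supplied lists) are stripped before checking.

```shell
#!/bin/sh
# scope_gate.sh: refuse to hand AutoRecon a target list that is not fully
# covered by the authorized scope. Added example, not part of AutoRecon.
# IPv4 only; hostnames are flagged for manual review rather than resolved.

# ip2int DOTTED_QUAD -> the address as a 32-bit integer
ip2int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# mask_of PREFIX_LENGTH -> netmask as a 32-bit integer
mask_of() {
  if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# cidr_bounds CIDR -> "first last" as integers; a bare IP is treated as /32
cidr_bounds() {
  case $1 in */*) net=${1%/*}; bits=${1#*/} ;; *) net=$1; bits=32 ;; esac
  mask=$(mask_of "$bits")
  first=$(( $(ip2int "$net") & mask ))
  echo "$first $(( first | (~mask & 0xFFFFFFFF) ))"
}

# covered TARGET SCOPE_ENTRY -> 0 when every address of TARGET lies in SCOPE_ENTRY
covered() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# check_scope TARGETS_FILE SCOPE_FILE
# Prints each target not fully inside a single scope entry; returns 1 if any.
check_scope() {
  rc=0
  cr=$(printf '\r')
  while IFS= read -r t; do
    t=${t%"$cr"}                                   # tolerate CRLF files
    case $t in ''|'#'*) continue ;; esac           # skip blanks and comments
    case $t in *[!0-9./]*) echo "REVIEW MANUALLY (not an IPv4 target): $t"; rc=1; continue ;; esac
    ok=0
    while IFS= read -r s; do
      s=${s%"$cr"}
      case $s in ''|'#'*) continue ;; esac
      if covered "$t" "$s"; then ok=1; break; fi
    done < "$2"
    [ "$ok" -eq 1 ] || { echo "OUT OF SCOPE: $t"; rc=1; }
  done < "$1"
  return $rc
}

# gate_and_run TARGETS_FILE SCOPE_FILE [extra autorecon options...]
# Only launches AutoRecon when the scope check passes.
gate_and_run() {
  targets=$1; scope=$2; shift 2
  check_scope "$targets" "$scope" || { echo "Refusing to start AutoRecon." >&2; return 1; }
  sudo autorecon -t "$targets" "$@"
}

# Usage: gate_and_run targets.txt scope.txt -o ENGAGEMENT_101
```

A target given as a CIDR must sit entirely inside one scope entry; two adjacent scope blocks that together cover it are deliberately not accepted, because a target range that straddles an authorized boundary is exactly the mistake the gate exists to catch.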
Objective: Specify a Custom Output Directory
Bash
autorecon 10.10.11.150 -o ENGAGEMENT_101
Command Breakdown:
-o ENGAGEMENT_101: The --output flag, which sets the main results directory to ENGAGEMENT_101 instead of the default results.
Ethical Context & Use-Case: Crucial for organizational purposes. When conducting multiple assessments, separating results into directories named by project, client, or date is essential for proper evidence handling and reporting.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Creating output directory: ENGAGEMENT_101
[+] Creating directory for target: 10.10.11.150
...
Objective: Scan a Single Target without a Nested Directory
Bash
autorecon 10.10.11.150 --single-target
Command Breakdown:
--single-target: A flag that prevents AutoRecon from creating a subdirectory named after the target. The scans, report, etc., directories are created directly inside the main output directory.
Ethical Context & Use-Case: Useful in CTF scenarios or small labs where you are only focusing on one machine. It simplifies the directory structure, making it quicker to access scan files.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Creating output directory: results
[+] Single target mode enabled. Not creating target directory.
[+] Added 1 target(s) to the queue.
...
Objective: Suppress Port-Specific Directory Creation
Bash
autorecon 10.10.11.150 --no-port-dirs
Command Breakdown:
--no-port-dirs: A flag that instructs AutoRecon to save all service scan results directly in the scans directory, rather than organizing them into port-specific subdirectories like scans/tcp80, scans/tcp445, etc.
Ethical Context & Use-Case: This can be a matter of user preference. Some testers may prefer a flat directory structure for easier grepping across all scan files, while others prefer the default organized structure.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Not creating port-specific directories.
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [nmap-http-generic] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [nmap-http-generic] Scan complete! Output saved to: results/10.10.11.150/scans/nmap-http-generic-tcp80.txt
Objective: Create Only the 'scans' Directory
Bash
autorecon 10.10.11.150 --only-scans-dir
Command Breakdown:
--only-scans-dir: A flag to create only the scans directory, omitting other directories like exploit, loot, and report.
Ethical Context & Use-Case: This is for pentesters who have their own methodology for storing evidence and reports and only want to use AutoRecon for its automated scanning capabilities. It keeps the output directory clean and focused solely on raw scan data.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Creating output directory: results
[+] Creating directory for target: 10.10.11.150
[+] Creating scans directory: results/10.10.11.150/scans
[+] Only creating scans directory.
...
Objective: Increase Concurrent Scans for a Faster Assessment
Bash
autorecon 10.10.20.0/24 -m 100
Command Breakdown:
-m 100: The --max-scans flag, setting the maximum number of concurrent scans (both port and service scans) to 100. The default is 50.
Ethical Context & Use-Case: When scanning a large number of hosts on a robust network that can handle the traffic, increasing the scan concurrency can drastically reduce the total assessment time. This must be done with caution and permission, as it can cause network instability or trigger alerts on sensitive networks.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Max concurrent scans set to: 100
[+] Max concurrent port scans set to: 20 (20% of max-scans)
...
Objective: Control Port Scan and Service Scan Concurrency Independently
Bash
autorecon 10.10.20.0/24 -m 75 -mp 5
Command Breakdown:
-m 75: Sets the total maximum concurrent scans to 75.
-mp 5: The --max-port-scans flag, specifically limiting the number of port scans running at any one time to 5. This means up to 70 service scans could run concurrently if 5 port scans are active.
Ethical Context & Use-Case: This provides granular control over the scan process. Port scanning is often more network-intensive. By limiting concurrent port scans while allowing a high number of service scans (which are often less intensive per-scan), you can balance speed with network stability.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Max concurrent scans set to: 75
[+] Max concurrent port scans set to: 5
...
Objective: Set a Total Scan Timeout
Bash
autorecon 10.10.20.0/24 --timeout 120
Command Breakdown:
--timeout 120: A flag that sets a global timeout for the entire AutoRecon process. The tool will automatically stop all scans after 120 minutes (2 hours).
Ethical Context & Use-Case: Useful in time-boxed assessments or CTFs. It ensures that the scanning process does not run indefinitely, allowing you to move on to other phases of the test within a specific timeframe.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Scan will automatically terminate in 120 minutes.
...
Objective: Set a Timeout for Each Individual Target
Bash
autorecon -t targets.txt --target-timeout 30
Command Breakdown:
--target-timeout 30: A flag that will abandon scanning on any single target if it takes longer than 30 minutes. AutoRecon will then move on to the next target in the queue.
Ethical Context & Use-Case: Extremely valuable when scanning a large list of targets. If one host is unresponsive, firewalled, or running a service that causes scans to hang, this feature prevents the entire assessment from stalling. It ensures that problematic hosts do not derail the reconnaissance of the entire scope.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Each target will be abandoned if scanning takes longer than 30 minutes.
...
Objective: Change Scan Status Update Frequency
Bash
autorecon 10.10.11.150 --heartbeat 15
Command Breakdown:
--heartbeat 15: Sets the interval for printing status updates to the console to every 15 seconds. The default is 60.
Ethical Context & Use-Case: This is a user-preference setting. During an active engagement, a tester might want more frequent updates to closely monitor the scan's progress, especially in the initial stages or when troubleshooting.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Scan status will be updated every 15 seconds.
...
(15 seconds later)
[+] [10.10.11.150] [Status] Port Scanning... (2/5 Complete)
...
Objective: Scan Only for Specific TCP Ports
Bash
autorecon 10.10.11.150 -p T:21,22,80,443
Command Breakdown:
-p T:21,22,80,443: The --ports flag. T: specifies that the following comma-separated list of ports (21, 22, 80, 443) should be scanned via the TCP protocol.
Ethical Context & Use-Case: When you have prior intelligence or are only interested in specific common services (FTP, SSH, HTTP, HTTPS), this command focuses the scan, making it faster and less noisy than a full port sweep. The trade-off is coverage: with -p set, AutoRecon scans only the listed ports, so a service on any other port is never discovered or enumerated. Use it as a deliberate narrowing, not as a default.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Custom ports specified: T:21,22,80,443
[+] [10.10.11.150] [PortScan] [custom-tcp-ports] Starting scan...
...
Objective: Scan Only for Specific UDP Ports
Bash
autorecon 10.10.11.150 -p U:53,161,123
Command Breakdown:
-p U:53,161,123: The --ports flag. U: specifies that the following ports (53, 161, 123) should be scanned via the UDP protocol.
Ethical Context & Use-Case: UDP scanning is often overlooked. This command specifically targets common UDP services like DNS, SNMP, and NTP, and it matters for a comprehensive assessment because exposed SNMP and DNS services are a frequent source of information leakage. Nmap's UDP scan (-sU) needs raw-socket privileges, so run AutoRecon with sudo, and expect UDP results to take longer and to list many ports as open|filtered, since an unanswered probe cannot be told apart from a filtered one.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Custom ports specified: U:53,161,123
[+] [10.10.11.150] [PortScan] [custom-udp-ports] Starting scan...
...
Objective: Scan for a Mix of TCP and UDP Ports
Bash
autorecon 10.10.11.150 -p T:22,80,443,U:53,161,B:123
Command Breakdown:
-p T:22,80,443,U:53,161,B:123: A combined port specification.
T:22,80,443: Scan TCP ports 22, 80, 443.
U:53,161: Scan UDP ports 53, 161.
B:123: Scan port 123 using Both TCP and UDP.
Ethical Context & Use-Case: This provides maximum flexibility, allowing a tester to build a highly customized scan profile based on the expected services of the target environment, combining TCP and UDP scans in a single command.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Custom ports specified: T:22,80,443,U:53,161,B:123
[+] [10.10.11.150] [PortScan] [custom-tcp-ports] Starting scan...
[+] [10.10.11.150] [PortScan] [custom-udp-ports] Starting scan...
...
Objective: Manually Force Service Enumeration on a Port
Bash
autorecon 10.10.11.150 --force-services "tcp/8080/http"
Command Breakdown:
--force-services "tcp/8080/http": The argument format is protocol/port/service (the help output gives tcp/80/http and tcp/443/https/secure as examples, the optional fourth field marking a TLS-wrapped service), and several entries can be supplied separated by spaces. This tells AutoRecon to treat TCP port 8080 as an HTTP service regardless of what the port scan reports, which triggers every service scan plugin that matches http.
Ethical Context & Use-Case: Sometimes, services run on non-standard ports. A web server on port 8080 might not be automatically enumerated as such. This command allows the tester to apply their own intelligence to the scan, ensuring that services on unusual ports are not missed.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Forcing services: tcp/8080/http
...
[+] [10.10.11.150] [PortScan] [nmap-quick] Scan complete! Found 1 open port(s): 8080/tcp.
[+] [10.10.11.150] [ServiceScan] [tcp] [8080] [http] [nmap-http-generic] Starting scan (Forced)...
[+] [10.10.11.150] [ServiceScan] [tcp] [8080] [http] [curl-http-headers] Starting scan (Forced)...
Objective: List All Available Plugins
Bash
autorecon -l
Command Breakdown:
-l or --list: A flag to list all installed and available plugins, categorized by type (PortScan, ServiceScan, Report).
Ethical Context & Use-Case: Before customizing a scan, you must know what tools are available in the framework. This command provides an inventory of AutoRecon's capabilities, allowing you to make informed decisions about which plugins to include or exclude. The plugin slugs it prints are the names accepted by --port-scans and --service-scans, and they vary between versions and with any --add-plugins-dir you load, so treat the output of -l on your own install as the authoritative list rather than any example listing.
--> Expected Output:
[+] Listing all available plugins...
PortScan Plugins:
  - nmap-quick (Tags: default)
  - nmap-full (Tags: default,full)
  - nmap-udp (Tags: default)
  - nmap-top-1000 (Tags: default)
  ...
ServiceScan Plugins:
  - nmap-http-generic (Services: http, https; Tags: default)
  - dirbuster (Services: http, https; Tags: default,web)
  - enum4linux-ng (Services: smb; Tags: default,smb)
  ...
Report Plugins:
  - Smeagol (Tags: default)
  ...
Objective: List Only ServiceScan Plugins
Bash
autorecon --list service
Command Breakdown:
--list service: Lists plugins, but only of the service type.
Ethical Context & Use-Case: Allows for a more focused view of the available enumeration modules. When you want to know what specific tools AutoRecon can run against discovered services, this command provides a clean list without the clutter of port scanners or reporting tools.
--> Expected Output:
[+] Listing all available service plugins...
ServiceScan Plugins:
  - nmap-http-generic (Services: http, https; Tags: default)
  - dirbuster (Services: http, https; Tags: default,web)
  - enum4linux-ng (Services: smb; Tags: default,smb)
  - nmap-smb-generic (Services: smb; Tags: default,smb)
  - nmap-ssh-generic (Services: ssh; Tags: default,ssh)
  ...
Objective: Run Only Plugins with a Specific Tag
Bash
autorecon 10.10.11.150 --tags web
Command Breakdown:
--tags web: Instructs AutoRecon to execute only plugins that carry the 'web' tag, typically the HTTP-specific scans (dirbuster, nikto, whatweb and similar). This replaces the default selection (--tags default), so plugins tagged only 'default' no longer run. Tags can be combined: a plus sign joins tags a plugin must have all of (--tags default+safe), and a comma separates alternative groups (--tags web,smb), a plugin being included if it matches any one group.
Ethical Context & Use-Case: This is a powerful feature for tailoring a scan. If you know the target is a web server, you can run a highly focused web application reconnaissance scan and skip plugins for services like SMB or SSH, saving a significant amount of time. Check autorecon -l first to see which plugins actually carry the tag you are selecting, so that you know what you are giving up.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Including plugins with tags: web
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Queued (Tags: default,web)
[+] [10.10.11.150] [ServiceScan] [tcp] [443] [https] [nikto] Queued (Tags: web)
[!] [10.10.11.150] [ServiceScan] [tcp] [22] [ssh] [nmap-ssh-generic] Skipping (Tags: default,ssh - does not match)
Objective: Exclude Plugins with a Specific Tag
Bash
autorecon 10.10.11.150 --exclude-tags noisy
Command Breakdown:
--exclude-tags noisy: Runs the normal default plugin set but skips any plugin that also carries the 'noisy' tag, using the same plus/comma grouping syntax as --tags. The tag name here is illustrative; the tags actually defined in your plugin set (the stock plugins use names such as 'safe' and 'long', for example) are shown by autorecon -l, and that is where to look before relying on one.
Ethical Context & Use-Case: In a penetration test where detection is a concern, this lets you keep the broad reconnaissance while dropping the most aggressive or signature-heavy scans. It reduces, rather than removes, the chance of triggering an Intrusion Detection System or a SOC analyst's attention: the underlying Nmap port sweeps still run and remain visible to any network sensor.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Excluding plugins with tags: noisy
...
[!] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [nikto] Skipping (Tags: web,noisy - excluded)
Objective: Manually Specify Which Service Scans to Run
Bash
autorecon 10.10.11.150 --service-scans "nmap-http-generic,dirbuster"
Command Breakdown:
--service-scans "nmap-http-generic,dirbuster": This flag overrides all tag logic and explicitly tells AutoRecon to only run these two service scan plugins if their corresponding services are found.
Ethical Context & Use-Case: For maximum control, this allows a tester to hand-pick the exact enumeration tools they want to use, ignoring the default profiles completely. This is useful for surgical testing or for replicating a specific testing methodology.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Overriding tags for service scans. Only running: nmap-http-generic, dirbuster
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [nmap-http-generic] Queued (Manual Override)
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Queued (Manual Override)
[!] [10.10.11.150] [ServiceScan] [tcp] [22] [ssh] [nmap-ssh-generic] Skipping (Not in override list)
Objective: Append Custom Flags to Nmap Scans
Bash
autorecon 10.10.11.150 --nmap-append "-sV --version-intensity 9"
Command Breakdown:
--nmap-append "-sV --version-intensity 9": Appends the given string to the {nmap_extra} options that every Nmap-based plugin uses, so it takes effect in both the port scans and the Nmap service scans. --version-intensity 9 sets version detection to its most thorough level (the equivalent of --version-all).
Ethical Context & Use-Case: This customizes the underlying Nmap scans without replacing AutoRecon's defaults. AutoRecon's default port-scan plugins already run version detection, so confirm what actually changed by reading the command lines recorded in the target's scans/_commands.log. A high version intensity identifies services more accurately but sends many more probes, so use it when detailed versioning matters and the extra traffic is acceptable on the network being tested.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Appending to nmap commands: -sV --version-intensity 9
[+] [10.10.11.150] [PortScan] [nmap-quick] Executing: nmap -vv --reason -Pn -T4 -sV --version-intensity 9 -p- --open -oN ...
...
Objective: Completely Override the Default Nmap Flags
Bash
autorecon 10.10.11.150 --nmap "-T2 -A -sC"
Command Breakdown:
--nmap "-T2 -A -sC": Replaces the default {nmap_extra} options (-vv --reason -Pn -T4) with the given ones in every Nmap-based plugin. -T2 is a slower timing template; -A enables OS detection, version detection, default script scanning and traceroute, which makes the extra -sC redundant. Two side effects are easy to miss: dropping -Pn switches Nmap's host discovery back on, so a host that blocks ICMP and the discovery probes is reported as down and skipped entirely, and the OS detection in -A needs raw sockets, so the run must still be privileged.
Ethical Context & Use-Case: This is for testers who want a very specific Nmap strategy. Slowing the scan with -T2 lowers the packet rate, which can keep you under rate-based IDS/IPS thresholds; it does not hide the scan from signature- or connection-based detection, and -A is itself a noisy option. Use --nmap-append when you only need to add flags, and reserve --nmap for cases where you are deliberately changing the baseline.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Overriding nmap commands with: -T2 -A -sC
[+] [10.10.11.150] [PortScan] [nmap-quick] Executing: nmap -T2 -A -sC -p- --open -oN ...
...
Plugin-specific arguments are where AutoRecon's value as a framework shows: they let you set the parameters of the tools it automates without editing the plugins themselves. Each option is named plugin.option, exactly as listed in the help output.
Objective: Specify a Different Tool for Directory Busting
Bash
autorecon 10.10.11.150 --dirbuster.tool gobuster
Command Breakdown:
--dirbuster.tool gobuster: This plugin-specific argument tells the dirbuster plugin to use gobuster as its backend tool instead of the default feroxbuster.
Ethical Context & Use-Case: Different directory brute-forcing tools have different features, performance characteristics, and output formats. A tester may prefer gobuster for its speed or specific options. This allows them to use their preferred tool within the AutoRecon automation framework.
--> Expected Output:
[+] Starting AutoRecon scan...
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Executing: gobuster dir -u http://10.10.11.150:80/ -w ...
Objective: Provide a Custom Wordlist for Directory Busting
Bash
autorecon 10.10.11.150 --dirbuster.wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Command Breakdown:
--dirbuster.wordlist ...: Specifies a custom wordlist file for the dirbuster plugin to use for brute-forcing directories and files.
Ethical Context & Use-Case: The success of directory enumeration is entirely dependent on the quality of the wordlist. Using context-specific wordlists (e.g., technology-specific paths, language-specific filenames) is a hallmark of a skilled penetration tester. This command enables that targeted approach.
--> Expected Output:
[+] Starting AutoRecon scan...
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Executing: feroxbuster -u http://10.10.11.150:80/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt ...
Objective: Specify File Extensions for Web Fuzzing
Bash
autorecon 10.10.11.150 --dirbuster.ext "php,bak,config,old"
Command Breakdown:
--dirbuster.ext "php,bak,config,old": Tells the dirbuster plugin to search for files with these specific extensions (e.g., index.php, config.bak).
Ethical Context & Use-Case: Once the server-side technology is identified (e.g., PHP, ASP.NET), the enumeration can be focused to search for files with relevant extensions. Searching for backup (.bak, .old) or configuration files is a common technique to find sensitive information.
--> Expected Output:
[+] Starting AutoRecon scan...
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Executing: feroxbuster -u http://10.10.11.150:80/ -w ... -x php,bak,config,old ...
Objective: Enable Recursive Directory Busting
Bash
autorecon 10.10.11.150 --dirbuster.recursive
Command Breakdown:
--dirbuster.recursive: Enables recursive searching. When a new directory is discovered, the tool will start a new scan within that directory.
Ethical Context & Use-Case: This is for performing deep enumeration of a web server's structure. It is far more comprehensive but can also take a very long time to complete. This should be used on authorized targets when a thorough content discovery phase is required.
--> Expected Output:
[+] Starting AutoRecon scan...
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Executing: feroxbuster -u http://10.10.11.150:80/ -w ... -d 1 ...
Objective: Pass Extra, Unspecified Arguments to the Directory Buster
Bash
autorecon 10.10.11.150 --dirbuster.extras='--filter-status 404,403'
Command Breakdown:
--dirbuster.extras='--filter-status 404,403': Passes the raw string --filter-status 404,403 directly to the underlying tool (feroxbuster in this case). This tells it to hide responses with status codes 404 and 403.
Ethical Context & Use-Case: This provides ultimate flexibility. If the underlying tool has a new or obscure feature not directly supported by an AutoRecon flag, extras can be used to pass it through. This is an advanced technique for fine-tuning the enumeration process.
--> Expected Output:
[+] Starting AutoRecon scan...
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Executing: feroxbuster -u http://10.10.11.150:80/ -w ... --filter-status 404,403 ...
Objective: Enumerate Subdomains for a Given Domain
Bash
autorecon 10.10.11.150 --subdomain-enum.domain example.corp
Command Breakdown:
--subdomain-enum.domain example.corp: Supplies the base domain for the subdomain-enum plugin, which brute-forces names such as dev.example.corp and test.example.corp from a wordlist (--subdomain-enum.wordlist and --subdomain-enum.threads tune it, and --global.domain sets the domain once for every plugin that needs one). In the default plugin set this is a DNS service scan: it runs when a DNS server is found on the target and asks that server about each candidate name, so the target's own resolver is what is being queried. To discover virtual hosts served by the target's web server instead, use --vhost-enum.hostname, which fuzzes the HTTP Host header against the HTTP service.
Ethical Context & Use-Case: This is used to discover additional hosts and web applications that belong to the organization's namespace but are not obvious from an IP-based scan, a key step in mapping the full attack surface. Keep the queried domain within the authorized scope, and remember that names discovered this way may resolve to systems outside the engagement.
--> Expected Output:
[+] Starting AutoRecon scan...
...
[+] [10.10.11.150] [ServiceScan] [tcp] [53] [domain] [subdomain-enum] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [53] [domain] [subdomain-enum] Executing: gobuster dns -d example.corp -r 10.10.11.150 -w ...
Objective: Provide a WPScan API Token for Deeper WordPress Scans
Bash
autorecon 10.10.11.150 --wpscan.api-token YOUR_API_TOKEN_HERE
Command Breakdown:
--wpscan.api-token YOUR_API_TOKEN_HERE: Passes a personal API token from wpscan.com to the wpscan plugin so that it can look up known vulnerabilities for the WordPress core, plugin and theme versions it detects.
Ethical Context & Use-Case: Without a token wpscan still enumerates versions but cannot query the vulnerability database, so in a professional engagement against an authorized WordPress target the token is what makes the findings current and complete. Treat it as a credential: passed on the command line it lands in your shell history, in the process list while wpscan runs, and in the command recorded in the target's scans/_commands.log, so keep results directories out of shared locations and rotate the token if they are handed over. The free API tier is rate-limited per day, so the plugin may return fewer findings once that quota is exhausted.
--> Expected Output:
[+] Starting AutoRecon scan...
...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [wpscan] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [wpscan] Executing: wpscan --url http://10.10.11.150:80/ --api-token YOUR_API_TOKEN_HERE ...
Objective: Use a Global Username and Password Wordlist for Brute-Forcing
Bash
autorecon 10.10.11.150 --global.username-wordlist custom_users.txt --global.password-wordlist custom_pass.txt
Command Breakdown:
--global.username-wordlist custom_users.txt: Sets a global username wordlist that any brute-force plugin (e.g., for SSH, FTP) can use.
--global.password-wordlist custom_pass.txt: Sets a global password wordlist for the same purpose.
Ethical Context & Use-Case: If an organization is known to have a standard username format, or if passwords from a previous breach are being tested (with permission), this allows the tester to supply highly relevant wordlists. This makes credential stuffing simulations or password policy audits more efficient and targeted.
--> Expected Output:
[+] Starting AutoRecon scan...
[+] Global username wordlist set to: custom_users.txt
[+] Global password wordlist set to: custom_pass.txt
...
[+] [10.10.11.150] [ServiceScan] [tcp] [22] [ssh] [hydra-ssh] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [22] [ssh] [hydra-ssh] Executing: hydra -L custom_users.txt -P custom_pass.txt ...
AutoRecon's output is well-structured, making it ideal for integration with other command-line tools. This allows for powerful on-the-fly analysis and data extraction from completed scans. All commands assume you are in the top-level output directory (e.g., results/).
Objective: Extract All Discovered HTTP/HTTPS URLs from a Completed Scan
Bash
grep -rh "Executing:" . | grep -oE 'https?://[^ ]+' | sort -u
Command Breakdown:
grep -rh "Executing:" .: Recursively (-r) searches the current directory (.) for the lines in which AutoRecon logs the command it is about to run. These are the lines that actually carry the target URL (the "Starting scan" lines do not). -h suppresses the file-name prefix so that only the log line itself is passed on.
|: A pipe that sends the output of the grep command to the input of the next command.
grep -oE 'https?://[^ ]+': -E enables extended regular expressions and -o prints only the matching part of each line, so every http:// or https:// URL (up to the next space) is emitted on a line of its own.
sort -u: Sorts the URLs and removes duplicates, because the same base URL appears in the command line of every plugin that ran against that service.
Ethical Context & Use-Case: After a large scan across many hosts, this one-liner provides a clean, consolidated list of all web services that were discovered. This list can be used as a target file for more specialized web application scanning tools or for manual review. It's a method for aggregating key attack surfaces from verbose log files.
--> Expected Output:
http://10.10.11.150:80/
https://10.10.11.150:443/
http://10.10.11.152:8080/
http://10.10.11.153:80/
Objective: Find All Hosts with SMB (Port 445) Open
Bash
find . -name "nmap-quick-tcp-*.txt" -exec grep -l "445/tcp" {} + | awk -F'/' '{print $2}'
Command Breakdown:
find . -name "nmap-quick-tcp-*.txt": Finds all files in the current directory structure matching the pattern of a quick TCP Nmap scan.
-exec grep -l "445/tcp" {} +: For each file found, executes grep. -l makes grep output only the names of files that contain the string "445/tcp". The {} is replaced by the filenames, and + groups them for efficiency.
|: Pipes the list of filenames to awk.
awk -F'/' '{print $2}': Sets the field separator to / and prints the second field, which corresponds to the target's IP/hostname in the results/TARGET/scans/... directory structure.
Ethical Context & Use-Case: In an internal penetration test, identifying all hosts with SMB open is a high-priority task, as SMB is a common vector for lateral movement. This command quickly sifts through potentially hundreds of scan files to generate a precise list of hosts that require further SMB-specific enumeration (e.g., checking for null sessions, weak shares).
--> Expected Output:
10.10.11.150
10.10.11.155
10.10.11.162
Objective: Create a List of All Unique Open Ports Across All Scanned Hosts
Bash
cat */scans/nmap-quick-*.xml | grep 'portid=' | sed -e 's/.*portid="\([0-9]*\)".*/\1/' | sort -n | uniq
Command Breakdown:
cat */scans/nmap-quick-*.xml: Concatenates the content of all Nmap XML output files from the quick scans.
grep 'portid=': Filters the combined XML content to find lines containing the port number attribute.
sed -e 's/.*portid="\([0-9]*\)".*/\1/': Uses the stream editor sed to perform a regular expression substitution. It extracts just the numeric port ID from each line.
sort -n: Sorts the resulting list of port numbers numerically.
uniq: Removes duplicate entries, leaving a clean list of unique open ports.
Ethical Context & Use-Case: This command provides a high-level overview of the attack surface across the entire scope. It helps an analyst understand which services are most common in the environment and can reveal non-standard ports being used that might warrant further investigation. This is valuable data for reporting and for planning the next phase of testing.
--> Expected Output:
21
22
53
80
135
139
443
445
3306
8080
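The three one-liners above all scrape the same AutoRecon log-line format, and positional awk fields break as soon as a plugin name or message changes. The following is an added example, not part of this article or of AutoRecon itself: a small Python parser for the bracketed log lines quoted above that answers all three objectives (discovered URLs, hosts with a given port, unique ports) from one parsed record set. The sample log is constructed to mirror the lines shown in this article.

```python
import re

# Regex for the bracketed AutoRecon log lines quoted in this article.
LOG_RE = re.compile(
    r'^\[\+\]\s+\[(?P<target>[^\]]+)\]\s+\[(?P<scan>[^\]]+)\]\s+\[(?P<proto>tcp|udp)\]'
    r'\s+\[(?P<port>\d+)\]\s+\[(?P<service>[^\]]+)\]\s+\[(?P<plugin>[^\]]+)\]\s+(?P<msg>.*)$'
)
URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/\S*)?')

def parse_log_lines(lines):
    """Turn AutoRecon log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['port'] = int(rec['port'])
            records.append(rec)
    return records

def discovered_urls(records):
    """Unique URLs taken from 'Executing:' lines (the URL-extraction objective)."""
    urls = set()
    for rec in records:
        if rec['msg'].startswith('Executing:'):
            urls.update(URL_RE.findall(rec['msg']))
    return sorted(urls)

def hosts_with_port(records, port, proto='tcp'):
    """Hosts on which a service scan ran for the given port (the SMB/445 objective)."""
    return sorted({r['target'] for r in records if r['port'] == port and r['proto'] == proto})

def unique_ports(records):
    """Sorted unique (port, protocol) pairs across all hosts (the unique-ports objective)."""
    return sorted({(r['port'], r['proto']) for r in records})

# Constructed sample log modelled on the lines quoted in this article (not real scan output).
SAMPLE_LOG = """\
[+] Starting AutoRecon scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Starting scan...
[+] [10.10.11.150] [ServiceScan] [tcp] [80] [http] [dirbuster] Executing: feroxbuster -u http://10.10.11.150:80/ -w words.txt
[+] [10.10.11.150] [ServiceScan] [tcp] [445] [smb] [enum4linux] Starting scan...
[+] [10.10.11.152] [ServiceScan] [tcp] [8080] [http] [dirbuster] Executing: feroxbuster -u http://10.10.11.152:8080/ -w words.txt
[+] [10.10.11.155] [ServiceScan] [tcp] [445] [smb] [enum4linux] Starting scan...
[+] [10.10.11.155] [ServiceScan] [udp] [53] [dns] [dns-zone-transfer] Starting scan...
""".splitlines()

if __name__ == '__main__':
    recs = parse_log_lines(SAMPLE_LOG)
    print(discovered_urls(recs))       # ['http://10.10.11.150:80/', 'http://10.10.11.152:8080/']
    print(hosts_with_port(recs, 445))  # ['10.10.11.150', '10.10.11.155']
    print(unique_ports(recs))          # [(53, 'udp'), (80, 'tcp'), (445, 'tcp'), (8080, 'tcp')]
```

Feed it the contents of the per-target log files instead of SAMPLE_LOG to run it over a real results/ tree; a port listed here means AutoRecon launched a service scan against it, which is a stronger signal than a bare "445/tcp" string match.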
Leveraging AI and data analysis techniques can transform AutoRecon's raw text output into actionable intelligence, revealing patterns and priorities that are not immediately obvious. The following examples use Python with the Pandas library to parse and analyze scan results.
Objective: Analyze and Visualize Port Distribution Across All Targets
Code (analyze_ports.py):
Python
import os
import re
import pandas as pd
import matplotlib.pyplot as plt

def parse_summary(file_path):
    """Parses an AutoRecon _summary.txt file to extract open ports."""
    ports = []
    try:
        with open(file_path, 'r') as f:
            content = f.read()
        # Regex to find lines like '80/tcp' or '53/udp'
        found_ports = re.findall(r'(\d+/(?:tcp|udp))', content)
        # One entry per port per host, so that the later counts really are "number of hosts"
        ports.extend(sorted(set(found_ports)))
    except FileNotFoundError:
        pass  # Ignore targets with no summary file
    return ports

def main():
    """Main function to find summaries, analyze, and plot data."""
    results_dir = 'results'
    all_ports = []
    # Walk through the results directory to find all summary files
    for root, dirs, files in os.walk(results_dir):
        for file in files:
            if file == '_summary.txt':
                summary_path = os.path.join(root, file)
                all_ports.extend(parse_summary(summary_path))
    if not all_ports:
        print("No open ports found in any summary files. Exiting.")
        return
    # Use Pandas to count port occurrences
    port_series = pd.Series(all_ports)
    port_counts = port_series.value_counts()
    print("--- Port Analysis Report ---")
    print("Top 10 Most Common Open Ports:")
    print(port_counts.head(10))
    # Plotting the data
    plt.figure(figsize=(12, 8))
    port_counts.head(15).sort_values().plot(kind='barh')
    plt.title('Top 15 Most Common Services Across Scope')
    plt.xlabel('Number of Hosts')
    plt.ylabel('Port/Protocol')
    plt.tight_layout()
    plt.savefig('port_distribution.png')
    print("\n[+] Analysis complete. Chart saved to port_distribution.png")

if __name__ == '__main__':
    main()
Command Breakdown:
The Python script uses the os library to walk the AutoRecon results directory.
It identifies and parses each _summary.txt file, which contains a list of open ports for a given host.
A regular expression (re) extracts port/protocol pairs (e.g., "80/tcp").
The pandas library is used to create a Series from the list of all found ports, and value_counts() efficiently calculates the frequency of each port.
matplotlib generates a horizontal bar chart to visualize the top 15 most common ports.
Ethical Context & Use-Case: After scanning a large network, simply looking at individual host reports is inefficient. This AI-augmented approach provides immediate, data-driven insight. An analyst can instantly see that SMB (445/tcp) and RDP (3389/tcp) are widespread, allowing them to prioritize efforts on attacking these services for lateral movement. The visualization is a powerful tool for executive summaries in a penetration test report.
--> Expected Output:
--- Port Analysis Report ---
Top 10 Most Common Open Ports:
445/tcp     25
80/tcp      22
139/tcp     21
3389/tcp    18
135/tcp     15
443/tcp     12
22/tcp      10
53/udp       8
21/tcp       5
8080/tcp     4
Name: count, dtype: int64

[+] Analysis complete. Chart saved to port_distribution.png
[VISUAL OUTPUT: A horizontal bar chart titled "Top 15 Most Common Services Across Scope". The Y-axis lists ports like '445/tcp', '80/tcp', and '3389/tcp'. The X-axis, labeled "Number of Hosts", shows corresponding bars indicating that port 445/tcp was found on 25 hosts, 80/tcp on 22, and so on.]
Objective: Generate a CSV Report of Web Servers with Discovered Directories
Code (webreport_gen.py):
Python
import os
import pandas as pd

def find_web_servers_and_dirs(results_dir):
    """Finds web servers and their discovered directories from feroxbuster/gobuster logs."""
    web_assets = []
    for root, dirs, files in os.walk(results_dir):
        # Look for the directory busting tool's output file
        for file in files:
            if file.startswith(('feroxbuster', 'gobuster', 'dirbuster')):
                try:
                    target_ip = root.split(os.sep)[1]  # Assumes 'results/IP/scans' structure
                    port_info = os.path.basename(root)  # e.g., 'tcp80' or 'tcp443'
                    protocol = 'https' if '443' in port_info or '8443' in port_info else 'http'
                    url_base = f"{protocol}://{target_ip}:{port_info.replace('tcp', '')}"
                    with open(os.path.join(root, file), 'r') as f:
                        for line in f:
                            # Simple parsing, can be improved with regex for specific tools
                            if line.startswith("200 ") or line.startswith("301 ") or line.startswith("302 "):
                                parts = line.split()
                                if len(parts) > 2 and parts[2].startswith('/'):
                                    path = parts[2]
                                    full_url = url_base + path
                                    web_assets.append({
                                        "Target": target_ip,
                                        "URL": full_url,
                                        "StatusCode": parts[0]
                                    })
                except Exception as e:
                    print(f"Error parsing file in {root}: {e}")
    return web_assets

def main():
    """Main function to generate the web assets report."""
    results_dir = 'results'
    assets = find_web_servers_and_dirs(results_dir)
    if not assets:
        print("No web directories discovered.")
        return
    df = pd.DataFrame(assets)
    # Remove duplicates
    df.drop_duplicates(inplace=True)
    output_file = 'web_findings_report.csv'
    df.to_csv(output_file, index=False)
    print("--- Web Findings Report ---")
    print(f"Found {len(df)} unique web paths.")
    print(f"Report saved to {output_file}")
    print("\nSample of findings:")
    print(df.head())

if __name__ == '__main__':
    main()
Command Breakdown:
The script navigates the AutoRecon output directories, specifically looking for the output files from directory busting tools (feroxbuster, gobuster, etc.).
It intelligently reconstructs the base URL by extracting the IP address and port from the directory path.
It parses the output files, looking for successful status codes (200, 301, 302) and extracts the discovered directory or file path.
pandas is used to structure this data into a DataFrame, which is a powerful, table-like data structure.
Finally, it exports all the findings into a clean, well-structured CSV file for analysis in a spreadsheet program or for ingestion into other security tools.
Ethical Context & Use-Case: A large penetration test can reveal thousands of web directories. This script automates the tedious process of consolidating those findings. By creating a CSV, the pentester can easily sort and filter the data. For instance, they could sort by target to focus on one machine or search for specific paths like /admin or /backup across the entire scope. This transforms scattered log files into a centralized, actionable database of potential web vulnerabilities.
--> Expected Output:
--- Web Findings Report ---
Found 127 unique web paths.
Report saved to web_findings_report.csv
Sample of findings:
Target URL StatusCode
0 10.10.11.150 http://10.10.11.150:80/admin 302
1 10.10.11.150 http://10.10.11.150:80/login.php 200
2 10.10.11.150 http://10.10.11.150:80/assets 301
3 10.10.11.152 http://10.10.11.152:8080/dashboard 200
4 10.10.11.152 http://10.10.11.152:8080/robots.txt 200
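The script above admits its line parsing is "simple": it expects the path in the third whitespace-separated field, which is not how either feroxbuster or gobuster lays out a result line. The following is an added example, not part of this article or of AutoRecon, showing a tool-aware parser for the two output styles (their exact formats are an assumption here; the sample lines are constructed, not real scan output) that de-duplicates hits, flags the /admin and /backup style paths the text suggests searching for, and writes the same CSV columns with the standard library instead of pandas.

```python
import csv
import io
import re

# Assumed default line styles of the two tools (assumption; adjust to the version in use):
#   feroxbuster: "<status> <method> <N>l <N>w <N>c <full url>"
#   gobuster:    "<path> (Status: <status>) [Size: <N>]"
FEROX_RE = re.compile(r'^(?P<status>\d{3})\s+[A-Z]+\s+\d+l\s+\d+w\s+\d+c\s+(?P<url>https?://\S+)')
GOBUSTER_RE = re.compile(r'^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)')
INTERESTING = ('200', '301', '302')   # same status codes the script above keeps
SENSITIVE = ('/admin', '/backup')     # path prefixes worth a second look in the report

def parse_dirbust_line(line, url_base):
    """Return (status, full_url) for one result line of either tool, or None for noise."""
    m = FEROX_RE.match(line)
    if m:
        return m['status'], m['url']
    m = GOBUSTER_RE.match(line)
    if m:
        return m['status'], url_base.rstrip('/') + m['path']
    return None

def collect_findings(lines, target, url_base):
    """De-duplicated finding rows for one target, keeping only the status codes of interest."""
    seen, rows = set(), []
    for line in lines:
        parsed = parse_dirbust_line(line.strip(), url_base)
        if not parsed or parsed[0] not in INTERESTING or parsed in seen:
            continue
        seen.add(parsed)
        path = re.sub(r'^https?://[^/]+', '', parsed[1]) or '/'
        rows.append({'Target': target, 'URL': parsed[1], 'StatusCode': parsed[0],
                     'Sensitive': path.startswith(SENSITIVE)})
    return rows

def to_csv(rows):
    """Render the rows as CSV text (the columns of the report above, plus Sensitive)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=['Target', 'URL', 'StatusCode', 'Sensitive'])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample mixing both styles, a 404 to drop, a duplicate hit and a progress line.
SAMPLE_LINES = [
    "200      GET       12l       40w      512c http://10.10.11.150:80/login.php",
    "302      GET        0l        0w        0c http://10.10.11.150:80/admin",
    "404      GET        1l        3w       18c http://10.10.11.150:80/nothere",
    "/assets               (Status: 301) [Size: 312]",
    "/admin                (Status: 302) [Size: 0]",
    "[####################] - 10s  4500/4500 (450/s)",
]
```

Call collect_findings(SAMPLE_LINES, '10.10.11.150', 'http://10.10.11.150:80/') and pass the rows to to_csv to get the report text; in a real run the lines come from each tcpNN/ scan directory with the target and base URL derived as in the script above.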
The information, tools, and techniques detailed in this article are provided for educational purposes only. The use of AutoRecon and other penetration testing tools should be confined strictly to environments and systems for which you have been granted explicit, written, and verifiable legal authorization. The application of these techniques against any system, network, or application without prior consent is illegal in most jurisdictions and constitutes a criminal offense.
The author, instructor, course, and hosting platform bear no responsibility or liability for any direct or indirect damage, loss, or legal action resulting from the misuse of the information presented herein. By using this tool or applying these techniques, you acknowledge that you are solely responsible for your actions and for complying with all applicable local, state, federal, and international laws. Ethical hacking requires a foundation of trust and integrity; unauthorized scanning is a violation of that principle. Always act professionally, ethically, and legally.