
AutoRecon

AutoRecon is a powerful multi-threaded network reconnaissance framework designed for OSCP and professional penetration testing. It automates the enumeration process by running nmap scans and automatically launching service-specific enumeration tools based on discovered open ports. This significantly reduces manual reconnaissance work while ensuring comprehensive service discovery.

AutoRecon combines efficiency with flexibility by orchestrating multiple enumeration tools in parallel. Rather than manually running each service-specific scanner, AutoRecon intelligently detects services and runs appropriate tools automatically, then organizes all output in a structured directory for easy review.

Key Characteristics:

  • Multi-threaded parallel execution for speed
  • Automatic service detection and enumeration
  • Organized output directory structure
  • Customizable plugins and command configurations
  • Integrates with industry-standard tools
  • Perfect for OSCP certification exam workflow
# Install from PyPI (recommended)
# NOTE(review): confirm that the PyPI project named "autorecon" is published
# by the upstream repository (github.com/Tib3rius/AutoRecon) before installing;
# as far as I can tell upstream documents installing from the Git repository.
# Install into an isolated environment (venv or pipx) rather than the system
# Python, so the tool's dependencies cannot replace system packages.
pip install autorecon

# Verify installation
autorecon --version

# Display help
# The help output is the authoritative option list for the installed version.
autorecon --help
# Clone the repository
# For a reproducible install, check out a tagged release or a known commit
# after cloning instead of running whatever the default branch holds that day.
git clone https://github.com/Tib3rius/AutoRecon.git
cd AutoRecon

# Install dependencies
# Read requirements.txt first and activate a virtual environment: a plain
# `pip install` changes whichever Python environment is currently active.
pip install -r requirements.txt

# Make executable
chmod +x autorecon.py

# Run directly
./autorecon.py --help

# Or install in development mode
# Editable mode runs the code straight from this checkout, so later changes
# to the working tree (including a `git pull`) change what the command runs.
pip install -e .
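# Required tools (must be installed separately).
# apt takes package names, not binary names. On Debian-based systems the
# snmpwalk binary ships in the "snmp" package and ldapsearch in "ldap-utils".
sudo apt install nmap
sudo apt install gobuster
sudo apt install nikto
sudo apt install smbclient
sudo apt install snmp
sudo apt install ldap-utils
sudo apt install dnsrecon
sudo apt install masscan

# Optional but recommended.
# rpcclient needs no separate install: it is part of the smbclient package
# installed above.
# NOTE(review): enum4linux is packaged on Kali; on other Debian-based
# distributions confirm the package exists in the enabled repositories.
sudo apt install enum4linux
sudo apt install wfuzz
sudo apt install sqlmap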
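# Scan a single IP address
autorecon 192.168.1.100

# Scan a hostname
autorecon example.com

# Scan CIDR range (creates separate directory per host)
autorecon 192.168.1.0/24

# Scan from file (one target per line).
# AutoRecon reads a target list with -t/--target-file; -iL is nmap's option
# for the same job and is not one of autorecon's documented options.
autorecon -t targets.txt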
# Default output creates directory: results/{target}/
results/
└── 192.168.1.100/
    ├── _manual_commands.txt      # Commands to run manually
    ├── nmap/                     # Nmap scan results
    │   ├── initial.nmap
    │   ├── initial.gnmap
    │   ├── udp.nmap
    │   └── full.nmap
    ├── http/                     # HTTP enumeration
    │   └── nikto_output.txt
    ├── smb/                      # SMB enumeration
    │   └── enum4linux_output.txt
    └── other_services/           # Service-specific folders
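# Single IP
autorecon 10.10.10.5

# Hostname
autorecon victim.htb

# With custom output directory
autorecon -o /custom/path 192.168.1.100
# CIDR notation (scans all hosts in subnet)
autorecon 192.168.1.0/24

# IP range
# NOTE(review): upstream documents IP addresses, CIDR notation and resolvable
# hostnames as target formats; confirm a dash range is accepted by the
# installed version, otherwise express it as CIDR or list the hosts in a file.
autorecon 192.168.1.1-192.168.1.254

# Multiple targets at once
autorecon 10.10.10.5 10.10.10.6 10.10.10.7

# From a target list file (one target per line).
# -t/--target-file is AutoRecon's option; -iL is nmap syntax and is not one of
# autorecon's documented options.
autorecon -t /path/to/targets.txt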
# Quick scan (common ports only)
# NOTE(review): --quick and --intense do not appear in upstream AutoRecon's
# documented options; confirm with `autorecon --help` for the installed
# version before relying on these scan-mode commands.
autorecon --quick 192.168.1.100

# Standard scan (default - all TCP ports)
autorecon 192.168.1.100

# Intense scan (TCP + UDP + service versions)
autorecon --intense 192.168.1.100

# Custom port specification
autorecon -p 80,443,8080,8443 192.168.1.100

# Scan specific port range
autorecon -p 1000-2000 192.168.1.100

# All ports including UDP
autorecon -p 1-65535 192.168.1.100

# Specific UDP ports
# NOTE(review): upstream documents choosing UDP inside the -p value with a
# U: prefix (for example -p U:53,161) rather than a separate --udp switch;
# verify against the help output. UDP scanning generally requires root.
autorecon --udp -p 53,161,162,389 192.168.1.100
# Use specific nmap arguments
# NOTE(review): upstream documents --nmap as replacing AutoRecon's default
# extra nmap arguments, with --nmap-append for adding to them; confirm which
# behaviour is wanted. nmap's -O needs root privileges, and several scripts in
# nmap's "vuln" category are also classed as intrusive, so expect this run to
# be slower and far more visible in target logs than default enumeration.
autorecon --nmap "-sV -O --script=vuln" 192.168.1.100

# Skip UDP scanning
# NOTE(review): --no-udp, --aggressive, --service-versions and --os-detection
# do not appear in upstream AutoRecon's documented options; check
# `autorecon --help` for the installed version.
autorecon --no-udp 192.168.1.100

# Aggressive service detection
autorecon --aggressive 192.168.1.100

# Service version detection
autorecon --service-versions 192.168.1.100

# OS detection
autorecon --os-detection 192.168.1.100
# NOTE(review): the "-s <service>" selector used throughout this section does
# not appear in upstream AutoRecon's documented options. Upstream runs the
# matching service plugins automatically for whatever the port scan detects;
# confirm with `autorecon --help` how the installed version narrows plugins.
# The "-p <port>" forms below only restrict which ports are scanned.

# Nikto web server scanning
autorecon -s http 192.168.1.100

# Custom HTTP port
autorecon -p 8080 192.168.1.100

# Both HTTP and HTTPS enumeration
autorecon -p 80,443,8080,8443 192.168.1.100

# Output includes:
# - Nikto scan results
# - Directory enumeration
# - Web server information
# - Known vulnerabilities
# Enumerate SMB shares and users
autorecon -s smb 192.168.1.100

# Scan common SMB ports (139, 445)
autorecon 192.168.1.100

# Includes:
# - Share enumeration
# - User listing
# - NETBIOS information
# - RPC endpoint mapper
# FTP service scanning
autorecon -s ftp 192.168.1.100

# Common FTP port
autorecon -p 21 192.168.1.100

# Checks for anonymous access and version info
# SSH service scanning
autorecon -s ssh 192.168.1.100

# Common SSH port
autorecon -p 22 192.168.1.100

# Extracts SSH version, banner, and key algorithms
# DNS service enumeration
autorecon -s dns 192.168.1.100

# DNS port
autorecon -p 53 192.168.1.100

# Zone transfer attempts and DNS reconnaissance
# SNMP scanning
# SNMP listens on UDP 161, so a TCP-only scan of port 161 will not find it.
autorecon -s snmp 192.168.1.100

# SNMP default port
autorecon -p 161 192.168.1.100

# Enumerates SNMP information with common community strings
# LDAP directory enumeration
autorecon -s ldap 192.168.1.100

# LDAP standard port
autorecon -p 389 192.168.1.100

# LDAP secure (LDAPS)
autorecon -p 636 192.168.1.100

# Extracts users, groups, and organizational structure
# Set number of threads (default varies by scan type)
# NOTE(review): --threads and --processes do not appear in upstream
# AutoRecon's documented options; upstream limits concurrency with
# -m/--max-scans. Confirm with `autorecon --help` for the installed version.
autorecon --threads 10 192.168.1.100

# Single-threaded scan (slow but useful for debugging)
autorecon --threads 1 192.168.1.100

# Maximum available threads
autorecon --threads auto 192.168.1.100

# Process multiple targets in parallel
autorecon --processes 4 192.168.1.0/24
# Set timeout for services (seconds)
# NOTE(review): upstream documents --timeout as the maximum run time of the
# whole AutoRecon invocation in minutes (with --target-timeout per target),
# not a per-service value in seconds. If that holds for the installed
# version, the values below are 30, 10 and 120 minutes; verify before use.
autorecon --timeout 30 192.168.1.100

# Shorter timeout for quick scans
autorecon --timeout 10 192.168.1.100

# Longer timeout for slow networks
autorecon --timeout 120 192.168.1.100
# Show current configuration
# NOTE(review): --config with no value, --show-defaults and --list-plugins do
# not appear in upstream AutoRecon's documented options. Upstream lists
# plugins with -l/--list and takes a config file path with -c/--config;
# confirm with `autorecon --help` for the installed version.
autorecon --config

# Display default configuration
autorecon --show-defaults

# List available plugins
autorecon --list-plugins
# Add custom enumeration command
# NOTE(review): --plugin-command does not appear in upstream's documented
# options; upstream extends enumeration through plugin files in its plugins
# directory. Whichever mechanism is used, the command template is run by a
# shell with {target} and {port} substituted in, so treat target names read
# from untrusted lists as shell input and keep them to plain hosts or IPs.
autorecon --plugin-command "gobuster dir -u http://{target}:{port} -w wordlist.txt" 192.168.1.100

# Multiple custom commands
autorecon --plugin-command "cmd1" --plugin-command "cmd2" 192.168.1.100

# Run additional manual commands
# View _manual_commands.txt in output directory
# Create custom config (if supported)
# NOTE(review): upstream's configuration files are TOML (config.toml) and the
# path is passed with -c/--config; the YAML path and --config-file shown here
# should be checked against the installed version.
nano ~/.autorecon/config.yaml

# Specify custom config
autorecon --config-file /path/to/config.yaml 192.168.1.100
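# NOTE(review): --intense, --service-versions, --aggressive, --threads and
# --quick do not appear in upstream AutoRecon's documented options, and
# upstream documents --timeout in minutes for the whole run. Confirm each
# option with `autorecon --help` before using these combined examples.

# Comprehensive scan with custom output
autorecon -o ~/pentest/results --intense --service-versions 192.168.1.100

# Aggressive scan with custom threading
autorecon --aggressive --threads 15 --timeout 60 192.168.1.0/24

# Quick initial scan
autorecon --quick -o ~/initial_scan 192.168.1.100
# Scan multiple OSCP lab targets.
# -t/--target-file is AutoRecon's target-list option; -iL is nmap syntax and
# is not one of autorecon's documented options.
autorecon -t oscp_targets.txt -o ~/oscp_lab

# Individual target deep enumeration
autorecon --intense 10.11.1.220

# Follow up with manual verification.
# The file holds suggested command templates, not vetted steps: read each one
# before running it.
cat results/10.11.1.220/_manual_commands.txt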
# Run AutoRecon for initial enumeration
autorecon 192.168.1.100

# Review output and identify services
# NOTE(review): upstream's layout puts scan output under a scans/ directory
# inside each target directory; adjust the paths in this section to whatever
# the installed version actually writes.
cd results/192.168.1.100

# Run manual checks on specific services
# HTTP: Use browser and burp suite
# SMB: Use smbclient, crackmapexec
# SSH: Use manual login attempts
# SNMP: Use snmp-check with different community strings
# Discover web servers
autorecon -p 80,443,8080,8443 192.168.1.100

# Review Nikto output
cat results/192.168.1.100/http/nikto_*.txt

# Manual enumeration follow-up:
# - Use burp suite for deeper analysis
# - Check for common vulnerabilities
# - Test for OWASP top 10
# Scan domain controller
autorecon 192.168.1.50

# Review SMB and LDAP enumeration
# These files can hold account names, group membership and share listings;
# keep the results directory readable only by the tester (for example mode
# 700) and handle it as engagement data.
cat results/192.168.1.50/smb/*
cat results/192.168.1.50/ldap/*

# Extract user information for targeting
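# Scan entire network segment
autorecon 192.168.1.0/24 -o ~/network_scan

# Results organized by host
# NOTE(review): upstream documents -o as the results directory itself, so the
# per-host directories may sit directly under ~/network_scan rather than in a
# nested results/; adjust the paths below to what the run actually produced.
ls ~/network_scan/results/

# Review all discovered services
for host_dir in ~/network_scan/results/*/; do
  # An unmatched glob stays as the literal pattern; skip it.
  [ -d "$host_dir" ] || continue
  printf '=== %s ===\n' "$(basename -- "$host_dir")"
  # host_dir already ends in "/"; not every host necessarily has this file.
  if [ -f "${host_dir}_manual_commands.txt" ]; then
    cat -- "${host_dir}_manual_commands.txt"
  fi
done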
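# Tool not found errors
# Ensure all prerequisites are installed. command -v is the portable lookup,
# and the loop names each missing tool instead of only printing the found ones.
for tool in nmap gobuster nikto smbclient snmpwalk; do
  command -v "$tool" >/dev/null 2>&1 || printf 'missing: %s\n' "$tool" >&2
done

# Permission denied errors
# Root is needed for scan types such as UDP and OS detection. If autorecon was
# installed per-user, root's PATH may not contain it, and everything written
# during a sudo run is owned by root.
sudo autorecon 192.168.1.100

# Slow performance
# Reduce threads or timeout:
# NOTE(review): --threads is not in upstream's documented options and
# upstream's --timeout is in minutes; confirm with `autorecon --help`.
autorecon --threads 5 --timeout 15 192.168.1.100

# Port already in use
# Use different port for enumeration tools:
# NOTE(review): this command does not change or free any local port; it only
# passes extra arguments to nmap. "~" inside double quotes is not expanded by
# the shell, so nmap would receive the literal path ~/nmap/full, and a fixed
# -oA basename applied to every nmap run would make the runs overwrite one
# another. Treat this entry as unverified.
autorecon --nmap "-p- -oA ~/nmap/full" 192.168.1.100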
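# Check nmap results
ls results/192.168.1.100/nmap/

# View all discovered services.
# Match nmap port-table rows only: a bare "open" also hits banners, script
# output and "open|filtered" rows. Remove the trailing [[:space:]] to include
# open|filtered ports (common in UDP results). Greppable .gnmap files use a
# different row format and are not matched, which avoids duplicate hits.
grep -rE '^[0-9]+/(tcp|udp)[[:space:]]+open[[:space:]]' results/192.168.1.100/nmap/

# Manual commands to run.
# These are suggested templates; read each one before running it.
cat results/192.168.1.100/_manual_commands.txt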
  • Start with --quick scan to identify services, then run --intense on interesting hosts
  • Use appropriate threading level for your network (avoid overwhelming targets)
  • Save output directories with meaningful names for later reference
  • Always review _manual_commands.txt for suggested follow-up actions
  • Verify results with secondary tools (e.g., manual nmap, browser inspection)
  • Document findings as you discover them
  • Cross-reference service versions against known vulnerabilities
  • Create separate output directories per engagement
  • Use consistent naming conventions for targets
  • Keep scan logs and configuration for reproducibility
  • Archive results after completing enumeration phases
  • Practice with retired HackTheBox machines
  • Combine AutoRecon results with manual enumeration
  • Understand what each tool reports and why
  • Time your scans to meet exam time constraints