AutoRecon

AutoRecon is a powerful multi-threaded network reconnaissance framework designed for OSCP and professional penetration testing. It automates the enumeration process by running nmap scans and automatically launching service-specific enumeration tools based on discovered open ports. This significantly reduces manual reconnaissance work while ensuring comprehensive service discovery.

Overview

AutoRecon combines efficiency with flexibility by orchestrating multiple enumeration tools in parallel. Rather than manually running each service-specific scanner, AutoRecon intelligently detects services and runs appropriate tools automatically, then organizes all output in a structured directory for easy review.

Key Characteristics:

  • Multi-threaded parallel execution for speed
  • Automatic service detection and enumeration
  • Organized output directory structure
  • Customizable plugins and command configurations
  • Integrates with industry-standard tools
  • Perfect for OSCP certification exam workflow

Installation

Installation via pip

# Install with pipx straight from the project repository (the install method the project recommends)
pipx install git+https://github.com/Tib3rius/AutoRecon.git

# Verify installation
autorecon --version

# Display help
autorecon --help

Installation via Git

# Clone the repository
git clone https://github.com/Tib3rius/AutoRecon.git
cd AutoRecon

# Install dependencies
pip install -r requirements.txt

# Make executable
chmod +x autorecon.py

# Run directly
./autorecon.py --help

# Or install in development mode
pip install -e .

System Requirements

# Required tools (must be installed separately; Debian/Kali package names)
sudo apt install nmap
sudo apt install gobuster
sudo apt install nikto
sudo apt install smbclient
sudo apt install snmp          # provides snmpwalk
sudo apt install ldap-utils    # provides ldapsearch
sudo apt install dnsrecon
sudo apt install masscan

# Optional but recommended
sudo apt install enum4linux
# rpcclient ships in the smbclient package installed above
sudo apt install wfuzz
sudo apt install sqlmap

Basic Usage

Simple Target Scan

# Scan a single IP address
autorecon 192.168.1.100

# Scan a hostname
autorecon example.com

# Scan CIDR range (creates separate directory per host)
autorecon 192.168.1.0/24

# Scan from file (one target per line; -t / --target-file)
autorecon -t targets.txt

Output Structure

# Default output creates directory: results/{target}/
results/
└── 192.168.1.100/
    ├── _manual_commands.txt      # Commands to run manually
    ├── nmap/                     # Nmap scan results
    │   ├── initial.nmap
    │   ├── initial.gnmap
    │   ├── udp.nmap
    │   └── full.nmap
    ├── http/                     # HTTP enumeration
    │   └── nikto_output.txt
    ├── smb/                      # SMB enumeration
    │   └── enum4linux_output.txt
    └── other_services/           # Service-specific folders

Target Specification

Single Targets

# Single IP
autorecon 10.10.10.5

# Hostname
autorecon victim.htb

# With custom output directory
autorecon -o /custom/path 192.168.1.100

Multiple Targets

# CIDR notation (scans all hosts in subnet)
autorecon 192.168.1.0/24

# IP range
autorecon 192.168.1.1-192.168.1.254

# Multiple targets at once
autorecon 10.10.10.5 10.10.10.6 10.10.10.7

# From a target file (one target per line)
autorecon -t /path/to/targets.txt

Port Scanning Options

Scan Intensity and Speed

# Quick scan (common ports only)
autorecon --quick 192.168.1.100

# Standard scan (default - all TCP ports)
autorecon 192.168.1.100

# Intense scan (TCP + UDP + service versions)
autorecon --intense 192.168.1.100

# Custom port specification
autorecon -p 80,443,8080,8443 192.168.1.100

# Scan specific port range
autorecon -p 1000-2000 192.168.1.100

# All ports including UDP
autorecon -p 1-65535 192.168.1.100

# Specific UDP ports
autorecon --udp -p 53,161,162,389 192.168.1.100

Nmap Integration

# Use specific nmap arguments
autorecon --nmap "-sV -O --script=vuln" 192.168.1.100

# Skip UDP scanning
autorecon --no-udp 192.168.1.100

# Aggressive service detection
autorecon --aggressive 192.168.1.100

# Service version detection
autorecon --service-versions 192.168.1.100

# OS detection
autorecon --os-detection 192.168.1.100

Common Enumeration Services

HTTP/HTTPS Services

# Nikto web server scanning
autorecon -s http 192.168.1.100

# Custom HTTP port
autorecon -p 8080 192.168.1.100

# Both HTTP and HTTPS enumeration
autorecon -p 80,443,8080,8443 192.168.1.100

# Output includes:
# - Nikto scan results
# - Directory enumeration
# - Web server information
# - Known vulnerabilities

SMB Enumeration

# Enumerate SMB shares and users
autorecon -s smb 192.168.1.100

# Scan common SMB ports (139, 445)
autorecon 192.168.1.100

# Includes:
# - Share enumeration
# - User listing
# - NETBIOS information
# - RPC endpoint mapper

FTP Enumeration

# FTP service scanning
autorecon -s ftp 192.168.1.100

# Common FTP port
autorecon -p 21 192.168.1.100

# Checks for anonymous access and version info

SSH Enumeration

# SSH service scanning
autorecon -s ssh 192.168.1.100

# Common SSH port
autorecon -p 22 192.168.1.100

# Extracts SSH version, banner, and key algorithms

DNS Enumeration

# DNS service enumeration
autorecon -s dns 192.168.1.100

# DNS port
autorecon -p 53 192.168.1.100

# Zone transfer attempts and DNS reconnaissance

SNMP Enumeration

# SNMP scanning
autorecon -s snmp 192.168.1.100

# SNMP default port
autorecon -p 161 192.168.1.100

# Enumerates SNMP information with common community strings

LDAP Enumeration

# LDAP directory enumeration
autorecon -s ldap 192.168.1.100

# LDAP standard port
autorecon -p 389 192.168.1.100

# LDAP secure (LDAPS)
autorecon -p 636 192.168.1.100

# Extracts users, groups, and organizational structure

Threading and Performance

Thread Control

# Limit concurrent service scans per target (-m / --max-scans, default 50)
autorecon -m 10 192.168.1.100

# One scan at a time (slow but useful for debugging)
autorecon -m 1 192.168.1.100

# Limit concurrent port scans across all targets (-mp / --max-port-scans, default 10)
autorecon -mp 4 192.168.1.0/24

Timeout Configuration

# Overall scan timeout in minutes; AutoRecon stops when it expires
autorecon --timeout 30 192.168.1.100

# Shorter timeout for quick scans
autorecon --timeout 10 192.168.1.100

# Per-target timeout in minutes, useful on slow networks
autorecon --target-timeout 120 192.168.1.100

Custom Plugins and Configuration

Viewing Configuration

# Show the full option reference
autorecon --help

# List available plugins (port scans, service scans, reports)
autorecon -l

Custom Commands

# Custom enumeration commands are written as plugins (Python files) and
# placed in the plugins directory (default ~/.config/AutoRecon/plugins)
# or loaded from an extra directory:
autorecon --add-plugins-dir /path/to/my_plugins 192.168.1.100

# Run additional manual commands
# View _manual_commands.txt in output directory

Configuration File

# Edit the default config (TOML, created on first run)
nano ~/.config/AutoRecon/config.toml

# Specify a different config file
autorecon -c /path/to/config.toml 192.168.1.100

Advanced Usage

Combining Options

# Comprehensive scan with custom output
autorecon -o ~/pentest/results --intense --service-versions 192.168.1.100

# Aggressive scan with custom threading
autorecon --aggressive --threads 15 --timeout 60 192.168.1.0/24

# Quick initial scan
autorecon --quick -o ~/initial_scan 192.168.1.100

OSCP Workflow Integration

# Scan multiple OSCP lab targets listed one per line in a file
autorecon -t oscp_targets.txt -o ~/oscp_lab

# Individual target deep enumeration
autorecon --intense 10.11.1.220

# Follow up with manual verification
cat results/10.11.1.220/_manual_commands.txt

Integration with Manual Testing

# Run AutoRecon for initial enumeration
autorecon 192.168.1.100

# Review output and identify services
cd results/192.168.1.100

# Run manual checks on specific services
# HTTP: Use browser and Burp Suite
# SMB: Use smbclient, crackmapexec
# SSH: Use manual login attempts
# SNMP: Use snmp-check with different community strings

Common Enumeration Patterns

Web Application Testing

# Discover web servers
autorecon -p 80,443,8080,8443 192.168.1.100

# Review Nikto output
cat results/192.168.1.100/http/nikto_*.txt

# Manual enumeration follow-up:
# - Use Burp Suite for deeper analysis
# - Check for common vulnerabilities
# - Test for OWASP top 10

Windows Domain Enumeration

# Scan domain controller
autorecon 192.168.1.50

# Review SMB and LDAP enumeration
cat results/192.168.1.50/smb/*
cat results/192.168.1.50/ldap/*

# Extract user information for targeting

Full Infrastructure Scan

# Scan entire network segment
autorecon 192.168.1.0/24 -o ~/network_scan

# Results organized by host (-o sets the results directory itself)
ls ~/network_scan/

# Review all discovered services
for host in ~/network_scan/*/; do
  echo "=== $(basename "$host") ==="
  cat "$host/_manual_commands.txt"
done
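
As an added example (not from the original page and not part of AutoRecon), a POSIX shell function that turns the review loop above into a per-host service table: it pulls every open port and its detected service out of nmap's greppable (.gnmap) output, such as the .gnmap files placed under results/<target>/nmap/ in the layout shown earlier. The gnmap lines it runs on here are constructed sample data.

```shell
#!/bin/sh
# Print "host<TAB>port/proto<TAB>service" for every open port found in one or
# more nmap greppable (.gnmap) files, or on stdin when no file is given.
summarize_gnmap() {
    awk '
        /^Host: / && /Ports: / {
            host = $2                                 # IP from "Host: 1.2.3.4 (name)"
            sub(/.*Ports: /, "")                      # keep only the port list
            sub(/[ \t]*Ignored State:.*/, "")         # drop the trailing state summary
            n = split($0, ports, /, /)                # one entry per port
            for (i = 1; i <= n; i++) {
                # entry layout: port/state/proto/owner/service/rpc/version/
                split(ports[i], f, "/")
                if (f[2] == "open")
                    printf "%s\t%s/%s\t%s\n", host, f[1], f[3], f[5]
            }
        }' "$@"
}

# Constructed sample gnmap output (not real scan data). Against real results,
# call e.g.: summarize_gnmap results/*/nmap/*.gnmap
summarize_gnmap <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.100
Host: 192.168.1.100 ()	Status: Up
Host: 192.168.1.100 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///	Ignored State: closed (997)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
```

Only the two open ports are printed; the filtered 445/tcp entry and the non-port lines are skipped.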

Troubleshooting

Common Issues

# Tool not found errors
# Ensure all prerequisites installed:
which nmap gobuster nikto smbclient snmpwalk

# Permission denied errors
sudo autorecon 192.168.1.100

# Slow performance
# Reduce threads or timeout:
autorecon --threads 5 --timeout 15 192.168.1.100

# Tune nmap itself: --nmap replaces AutoRecon's default nmap options,
# --nmap-append adds to them instead
autorecon --nmap "-p- -oA ~/nmap/full" 192.168.1.100

Output Verification

# Check nmap results
ls results/192.168.1.100/nmap/

# View all discovered services
grep -r "open" results/192.168.1.100/nmap/

# Manual commands to run
cat results/192.168.1.100/_manual_commands.txt

Best Practices

Efficiency

  • Start with --quick scan to identify services, then run --intense on interesting hosts
  • Use appropriate threading level for your network (avoid overwhelming targets)
  • Save output directories with meaningful names for later reference

Thoroughness

  • Always review _manual_commands.txt for suggested follow-up actions
  • Verify results with secondary tools (e.g., manual nmap, browser inspection)
  • Document findings as you discover them
  • Cross-reference service versions against known vulnerabilities

Organization

  • Create separate output directories per engagement
  • Use consistent naming conventions for targets
  • Keep scan logs and configuration for reproducibility
  • Archive results after completing enumeration phases

OSCP Preparation

  • Practice with retired HackTheBox machines
  • Combine AutoRecon results with manual enumeration
  • Understand what each tool reports and why
  • Time your scans to meet exam time constraints