-A :This combines OS detection, service version detection, script scanning and traceroute.
-sV :Version detection scan of open ports (services
-T4: Aggressive (fast and fairly accurate)
-sS: This sends only a TCP SYN packet and waits for a TCP ACK. If it receives an ACK on the specific probed port, it means the port exist on the machine. This is fast and pretty accurate.
-sT: This creates a full TCP connection with the host (full TCP handshake). This is considered more accurate than SYN scan but slower and noisier.
-sP: This is for fast checking which hosts reply to ICMP ping packets (useful if you are on the same subnet as the scanned range and want a fast result about how many live hosts are connected).
gobuster dir -u http://10.10.10.5/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php
gobuster dir -u http://10.10.10.5 -w /usr/share/wordlists/dirb/common.txt
dns Mode Help:
Usage:
gobuster dns [flags]
Flags:
-d, --domain string The target domain
-h, --help help for dns
-r, --resolver string Use custom DNS server (format server.com or server.com:port)
-c, --show-cname Show CNAME records (cannot be used with '-i' option)
-i, --show-ips Show IP addresses
--timeout duration DNS resolver timeout (default 1s)
--wildcard Force continued operation when wildcard found
Global Flags:
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
--delay duration Time each thread waits between requests (e.g. 1500ms)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
dns Model Example Command Line:
gobuster dns -d mysite.com -t 50 -w common-names.txt
dir Mode Options
Usage:
gobuster dir [flags]
Flags:
-f, --add-slash Append / to each request
-c, --cookies string Cookies to use for the requests
-e, --expanded Expanded mode, print full URLs
-x, --extensions string File extension(s) to search for
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for dir
-l, --include-length Include the length of the body in the output
-k, --no-tls-validation Skip TLS certificate verification
-n, --no-status Don't print status codes
-P, --password string Password for Basic Auth
-p, --proxy string Proxy to use for requests [http(s)://host:port]
-s, --status-codes string Positive status codes (will be overwritten with status-codes-blacklist if set) (default "200,204,301,302,307,401,403")
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set)
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
-d, --discover-backup Upon finding a file search for backup files
--wildcard Force continued operation when wildcard found
Global Flags:
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
--delay duration Time each thread waits between requests (e.g. 1500ms)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Usage:
gobuster vhost [flags]
Flags:
-c, --cookies string Cookies to use for the requests
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for vhost
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
-p, --proxy string Proxy to use for requests [http(s)://host:port]
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
Global Flags:
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
--delay duration Time each thread waits between requests (e.g. 1500ms)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.
nmapAutomator is an automated nmap scan tool and is easy to use. Please install the required tools before your installations from the link :https://github.com/21y4d/nmapAutomato.
note: atom tool will be a good one for reading autorecon scan records.
Usage:
./nmapAutomator.sh -h
Usage: nmapAutomator.sh -H/--host <TARGET-IP> -t/--type <TYPE>
Optional: [-r/--remote <REMOTE MODE>] [-d/--dns <DNS SERVER>] [-o/--output <OUTPUT DIRECTORY>] [-s/--static-nmap <STATIC NMAP PATH>]
Scan Types:
Network : Shows all live hosts in the host's network (~15 seconds)
Port : Shows all open ports (~15 seconds)
Script : Runs a script scan on found ports (~5 minutes)
Full : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
UDP : Runs a UDP scan "requires sudo" (~5 minutes)
Vulns : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
Recon : Suggests recon commands, then prompts to automatically run them
All : Runs all the scans (~20-30 minutes)
AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. AutoRecon uses Python 3 specific functionality and does not support Python 2.The details reference link:https://github.com/21y4d/nmapAutomator
Usage:
usage: autorecon [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE]
[--tags TAGS] [--exclude-tags TAGS] [--port-scans PLUGINS] [--service-scans PLUGINS]
[--reports PLUGINS] [--plugins-dir PLUGINS_DIR] [--add-plugins-dir PLUGINS_DIR] [-l [TYPE]]
[-o OUTPUT] [--single-target] [--only-scans-dir] [--create-port-dirs] [--heartbeat HEARTBEAT]
[--timeout TIMEOUT] [--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND]
[--proxychains] [--disable-sanity-checks] [--disable-keyboard-control]
[--force-services SERVICE [SERVICE ...]] [--accessible] [-v] [--version] [--curl.path VALUE]
[--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}]
[--dirbuster.wordlist VALUE [VALUE ...]] [--dirbuster.threads VALUE] [--dirbuster.ext VALUE]
[--onesixtyone.community-strings VALUE] [--global.username-wordlist VALUE]
[--global.password-wordlist VALUE] [--global.domain VALUE] [-h]
[targets ...]
Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.
positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g.
foo.bar) to scan.
optional arguments:
-t TARGET_FILE, --target-file TARGET_FILE
Read targets from file.
-p PORTS, --ports PORTS
Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by prepending list
with T:/U: To scan both TCP/UDP, put port(s) at start or specify B: e.g.
53,T:21-25,80,U:123,B:123. Default: None
-m MAX_SCANS, --max-scans MAX_SCANS
The maximum number of concurrent scans to run. Default: 50
-mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS
The maximum number of concurrent port scans to run. Default: 10 (approx 20% of max-scans unless
specified)
-c CONFIG_FILE, --config CONFIG_FILE
Location of AutoRecon's config file. Default: ~/.config/AutoRecon/config.toml
-g GLOBAL_FILE, --global-file GLOBAL_FILE
Location of AutoRecon's global file. Default: ~/.config/AutoRecon/global.toml
--tags TAGS Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group
tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be
included, it must have all the tags specified in at least one group. Default: default
--exclude-tags TAGS Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group
tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be
excluded, it must have all the tags specified in at least one group. Default: None
--port-scans PLUGINS Override --tags / --exclude-tags for the listed PortScan plugins (comma separated). Default:
None
--service-scans PLUGINS
Override --tags / --exclude-tags for the listed ServiceScan plugins (comma separated). Default:
None
--reports PLUGINS Override --tags / --exclude-tags for the listed Report plugins (comma separated). Default: None
--plugins-dir PLUGINS_DIR
The location of the plugins directory. Default: ~/.config/AutoRecon/plugins
--add-plugins-dir PLUGINS_DIR
The location of an additional plugins directory to add to the main one. Default: None
-l [TYPE], --list [TYPE]
List all plugins or plugins of a specific type. e.g. --list, --list port, --list service
-o OUTPUT, --output OUTPUT
The output directory for results. Default: results
--single-target Only scan a single target. A directory named after the target will not be created. Instead, the
directory structure will be created within the output directory. Default: False
--only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report)
will not be created. Default: False
--create-port-dirs Create directories for ports within the "scans" directory (e.g. scans/tcp80, scans/udp53) and
store results in these directories. Default: True
--heartbeat HEARTBEAT
Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60
--timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: None
--target-timeout TARGET_TIMEOUT
Specifies the maximum amount of time in minutes that a target should be scanned for before
abandoning it and moving on. Default: None
--nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn
--nmap-append NMAP_APPEND
Append to the default {nmap_extra} variable in scans. Default: -T4
--proxychains Use if you are running AutoRecon via proxychains. Default: False
--disable-sanity-checks
Disable sanity checks that would otherwise prevent the scans from running. Default: False
--disable-keyboard-control
Disables keyboard control ([s]tatus, Up, Down) if you are in SSH or Docker.
--force-services SERVICE [SERVICE ...]
A space separated list of services in the following style: tcp/80/http tcp/443/https/secure
--accessible Attempts to make AutoRecon output more accessible to screenreaders. Default: False
-v, --verbose Enable verbose output. Repeat for more verbosity.
--version Prints the AutoRecon version and exits.
-h, --help Show this help message and exit.
plugin arguments:
These are optional arguments for certain plugins.
--curl.path VALUE The path on the web server to curl. Default: /
--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}
The tool to use for directory busting. Default: feroxbuster
--dirbuster.wordlist VALUE [VALUE ...]
The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default:
['/usr/share/seclists/Discovery/Web-Content/common.txt', '/usr/share/seclists/Discovery/Web-
Content/big.txt', '/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt']
--dirbuster.threads VALUE
The number of threads to use when directory busting. Default: 10
--dirbuster.ext VALUE
The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp
--onesixtyone.community-strings VALUE
The file containing a list of community strings to try. Default:
/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
global plugin arguments:
These are optional arguments that can be used by all plugins.
--global.username-wordlist VALUE
A wordlist of usernames, useful for bruteforcing. Default: /usr/share/seclists/Usernames/top-
usernames-shortlist.txt
--global.password-wordlist VALUE
A wordlist of passwords, useful for bruteforcing. Default:
/usr/share/seclists/Passwords/darkweb2017-top100.txt
--global.domain VALUE
The domain to use (if known). Used for DNS and/or Active Directory. Default: None