Skip to content

flashnuke/WebRecon

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

READ THE DISCLAIMER

A collection of web-penetration tools that perform enumeration

image

Requirements

Make sure to set appropriate file permissions: chmod u+x WebRecon.py

Dependencies

Python library dependencies are listed inside requirements.txt, and should be installed using pip3 command.
NMAP should be installed as well.

OS

Currently only LINUX OS is supported.

Types of Scans

By default -sA (scanAll) argument is true, which means all scanners would run.
It is possible to pass a custom list of scans by using the argument -sC (scanCustom) followed by a list of scans. The nicknames of the scans are listed in the parenthesis next to each scanner header name below.

An example of a command that would launch all scans, using custom wordlists on target www.____.com:

./WebRecon.py https://www.___.com -sA --set-content-wl /root/PycharmProjects/content_wl.txt2 --set-dns-wl /root/PycharmProjects/dns_wl.txt2

Subdomain Scan (dns)

Iterates over a wordlist and probes the target host with each word set as the subdomain.
The results are then contained inside a queue object and used for further scans.

  • A host name can be passed with or without a subdomain. This scan performs probes on the target hostname, by replacing the passed subdomain with words from the wordlist
  • In order to use a custom wordlist, "--set-dns-wl" argument should be passed, followed by the path

Content Scan (content)

Iterates over a wordlist and probes (in a brute manner) different endpoints by appending the words to the target hostname.
A result is considered successful if the request status code is one of the following: 200, 301, 302. If a forbidden status code is returned (403) and 403bypass scan is enabled, further probing takes place where different kind of methods are attempted in order to bypass the forbidden status. Those attempts are also considered as success only if they manage to retrieve one of the aformentioned successful status code.

The output in the progress log (and the results file) contains the status code and the page content size.

  • In order to use a custom wordlist, "--set-content-wl" argument should be passed, followed by the path
  • The default wordlist used here is dirb's common.txt list, which is also located under /usr/share/wordlists/dirb/
  • Use the -e argument to append custom extensions to each word attempt (i.e -> -e "php,html")
  • Use the -fs argument to filter certain pages sizes (useful when nonexistent pages redirect to the same page)

Bypass403 (403bypass)

Probes a url using different methods in order to bypass a 403 forbidden status code.
This scan is a subscan and should only be invoked by Content Scan.

NMAP Scan (nmap)

Performs a simple NMAP scan on the host target.

  • Custom ports should be passed using the --set-nmapscan-ports argument, in the same format they are passed in NMAP,
    i.e: "21-25,80,139"
  • Custom commandline arguments for the scan should be passed using the --set-nmapscan-cmdline_args argument,
    i.e: "-sV -sU -sS"

Output

Results

For each hostname, a directory is created with the hostname as its name. Inside the directory, subdirectories are created with the full name of the subdomain and hostname. (each subdomain has its own subdirectory).
Total results and subdomain scan results are saved in a .txt file inside the main hostname directory.
Example of a subdomain scan results output text file:
image
Example of a content scan results output text file:
image
Example of an nmap scan results output text file:
image

All scans save results inside the subdirectory named as the full hostname + subdomain.
Example: ```results/hostname_com/www_hostname_com/results...txt`

  • The default path for results is the current working directory. It can be changed by passing the path following the argument: --set-results-directory

Cache

By default, cache is disabled. Cache files that are older than 30 minutes would be disregarded.
This can be useful for long runs that have the potential of crashing midway.

  • It is possible to enable cache by passing the following argument: -c / --cache

Exceptions

No exceptions (other than the ones handled inside the code) are allowed. Any other exception would be logged under error log and abort the scan.

Disclaimer

This tool is only for testing and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. I assume no liability and am not responsible for any misuse or damage caused by this tool and software.

Distributed under the GNU License.