This tool was heavily inspired by a few different tools that I came across while studying for my OSCP. After heavily using Reconnoitre written by Codingo, it would make some recommendations on further tools to run. But because I'm lazy, I wanted to have the option to run these automatically. But full Nmap scans can take an extremely long time, so I needed to find something else. In walks onetwopunch which uses unicornscan to scan for open ports and then pushes that to Nmap. I utilized both these ideas. Much of the layout ideas were influenced by Dave Kennedy.
| Argument | Description |
|---|---|
| -h, --help | Display help message and exit |
| -t TARGET | Set a target IP Address |
| -o OUTPUT_DIR | Directory where results will be written |
| -p {tcp, udp, all } | Which protocol to scan for. Default is tcp |
| -i INTERFACE | Which interface to use. Defaults to eth0 |
| -s SPEED | Speed of Unicornscan by packets per second. Default is 1000 |
| -n NMAP_OPTIONS | Set specific Nmap Options |
| -e ENUM | Run additional enumeration programs |
| -c CRACK | Run brute force password cracking utilities |
| --ports {d, a} | Default Unicornscan ports, or all 1-65535 ports |
| --quick | Run Unicornscan and basic Nmap scan |
| --quiet | Suppress banner and headers to limit results |
root@kali:~/tools/unimap# python unimap.py -h
usage: unimap.py [-h] -t TARGET [-o OUTPUT_DIR] [-p {tcp,udp,all}]
[-i INTERFACE] [-s SPEED] [-n NMAP_OPTIONS] [-e] [-c]
[--ports {d,a}] [--quick] [--quiet]
optional arguments:
-h, --help show this help message and exit
-t TARGET Set a target IP address. Ex. 10.10.10.10
-o OUTPUT_DIR Set the output directory. Defaults to /tmp/unimap
-p {tcp,udp,all} Select the protocol to use. Ex. tcp/udp/all
-i INTERFACE Select the interface. Ex. eth0
-s SPEED Set the Packets Per Second for Unicornscan. Ex. 1000
-n NMAP_OPTIONS Set NMAP options. Include in double quotes
-e Run additional enumeration programs? e.g. wpscan, nikto,
dirb, etc
-c Run Brute Force password cracking against known services
--ports {d,a} Default or All ports.
--quick Run Unicornscan and basic Nmap scan
--quiet Suppress banner and headers to limit results
root@kali:~/tools/unimap# python unimap.py -t 192.168.1.1 -s 1000 --quick
.__
__ __ ____ |__| _____ _____ ______
| | \/ \| |/ \\__ \ \____ \
| | / | \ | Y Y \/ __ \| |_> >
|____/|___| /__|__|_| (____ / __/
\/ \/ \/|__|
by funtime
[>] Target: 192.168.1.1
[>] Output Directory: /tmp/unimap
[>] Protocol: tcp
[>] Interface: eth0
[>] Unicornscan Speed: 1000
[>] NMAP Options: -PN -A -T4 -sS -sC
[>] Enumerate: False
[>] Quick Scan?: True
[>] Checking Directory Structure
[>] Creating /tmp/unimap
[>] Creating /tmp/unimap/192.168.1.1
[>] Creating /tmp/unimap/192.168.1.1/scans
[>] Creating /tmp/unimap/192.168.1.1/exploit
[>] Creating /tmp/unimap/192.168.1.1/loot
[*] Starting Unicornscan for 192.168.1.1
[+] unicornscan -i eth0 -mT -r 1000 -l /tmp/unimap/192.168.1.1/scans/unicornscan.txt 192.168.1.1:tcp_ports
[*] Starting Basic Nmap Scan for 192.168.1.1
[+] nmap -PN -A -T4 -sS -sC -p 22,53,80,443 -oA /tmp/unimap/192.168.1.1/scans/basic_nmap 192.168.1.1
[*] Starting Amap Scan for 192.168.1.1
[+] amap -bqv 192.168.1.1 22 53 80 443 -o /tmp/unimap/192.168.1.1/scans/amapscan.txt
[>] Scans Complete! Results are located in /tmp/unimap/192.168.1.1/scans
This tool requires at the bare minimum unicornscan and nmap. Any additional tools are not required but will make for more inclusive results.