Features • Installation • Configuration • Usage • Recon • Srctleaks • Nessus • Screenshots • ToDos
gorecon was built to support and enhance various penetration testing tasks such as reconnaissance, parsing Nessus scan results, and reporting.
Features
- recon - Run reconnaissance workflow.
- srctleaks - Run Gitleaks against discovered public organization repositories and GitHub Dorks.
- nessus - Parses a .nessus file, prints a table, and writes the relevant host:port targets to per-finding files, with the option to run additional modules against those hosts.
- report - Parses a supplied Burp Issues XML file and generates a simple HTML table report. BUG: See Golang Issue 50530 & Go XML Encoding PR
Installation
Download the compiled binary from releases, or install the program directly with go:

```bash
go install github.com/mr-pmillz/gorecon/v2@latest
```

Make sure you have Go installed and that "$HOME/go/bin" is in your PATH env var:

```bash
# Append $HOME/go/bin to PATH only if it is not already there
[[ ":$PATH:" != *":${HOME}/go/bin:"* ]] && export PATH="${PATH}:${HOME}/go/bin"
# Set GOPATH if the environment does not already define it
if [[ -z "${GOPATH}" ]]; then export GOPATH="${HOME}/go"; fi
```
Configuration
- Create a config.yaml file; it is now required to run the recon subcommand:

```bash
wget https://raw.githubusercontent.com/mr-pmillz/gorecon/master/config/config.yaml.dist -O config.yaml
```

- Add COMPANY, CREATOR, WORKSPACE, OUTPUT_DIR, domains, etc. These are required for the main recon subcommand.
- Add API keys to the API_KEYS YAML section (lines 44-130 of config.yaml).
- DO NOT modify the RECON_NG_KEYS | AMASS_KEYS | SUBFINDER_KEYS sections (lines 131-227 of config.yaml).
- Place your tokens inside the double quotes as indicated below:

```yaml
API_KEYS:
  CHAOS_API: &CHAOS_API "BadaBingBadaBoom"
```

- The `&CHAOS_API` is a YAML anchor: the tool-specific key sections refer back to the values defined under API_KEYS, which is why those sections should be left as they are.
- NETBLOCK, OUT_OF_SCOPE, and most API keys are optional in the config.yaml file.
- The optional Domain Squatting module (--run-domain-squatting) requires a VIRUSTOTAL_API key.
- For best results, add as many API keys as you can / have to config.yaml; they're imported automagically into any corresponding tools that use them.
Usage

```text
 ___ ___ ~ ~~ ~~ o o o
 / __| ___ | _ \ ___ __ ___ _ _ o
 | (_ | / _ \ | / / -_) / _| / _ \ | ' \ _________,_____ o
 \___| \___/ |_|_\ \___| \__| \___/ |_||_| | v2.5.1 | |DD|__mm_[].
 _|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_]________|_|__|_______)<
 "'-0-0-'"'-0-0-'"'-0-0-'"'-0-0-'"'-0-0-'"'-0-0-'"'-0-0-'"=!00!!00!'"'oo-OOOO-oo\_
 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Brought to you by https://www.blackhillsinfosec.com/

External reconnaissance and OSINT initialization, Nessus parser + modules

Usage:
  gorecon [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  nessus      parses nessus file
  recon       Run recon enumeration
  report      generates simple HTML report table from exported burp retire.js issues xml file
  srctleaks   GitHub Public Repo OSINT

Flags:
      --config string   config file default location for viper to look is ~/.config/gorecon/config.yaml
  -h, --help            help for gorecon
  -v, --version         version for gorecon

Use "gorecon [command] --help" for more information about a command.
```
Recon

By default, the recon command runs the following tools in this order:

- recon-ng
- subfinder
- httpx
- gowitness
- katana

Optional tools (dnsrecon, amass, pymeta, and the dnstwist-based domain squatting check) are enabled with the --run-* flags listed in the help output below.

```text
Run recon enumeration

Example Commands:
  gorecon recon --config config.yaml
  gorecon recon --config config.yaml --run-dnsrecon --run-amass --run-pymeta --run-domain-squatting

Usage:
  gorecon recon [--config config.yaml] [flags]

Flags:
  -c, --company string                 company name that your testing
      --creator string                 report creator
  -d, --domain string                  domain string or file containing domains ex. domains.txt
  -h, --help                           help for recon
  -m, --modules string                 list of recon-ng modules you want to run for domains and hosts
  -n, --netblock string                CIDRs you wish to scan
      --out-of-scope string            out of scope domains, IPs, or CIDRs
  -o, --output string                  report output dir
      --primary-domain-is-subdomain    if this flag is set, recon-ng will accept subdomains for the primary domain database
      --run-amass                      if this flag is set, will run amass active enumeration
      --run-dnsrecon                   if this flag is specified, dnsrecon will be ran in addition to default enumeration
      --run-domain-squatting           if this flag is set, will run dnstwist, parse the results and query squatter domains against virus-total api via malwoverview
      --run-pymeta                     if this flag is set, will run pymeta against in-scope base domain(s)
  -w, --workspace string               workspace name, use one word

Global Flags:
      --config string   config file default location for viper to look is ~/.config/gorecon/config.yaml
```
Source Control Leaks

A config.yaml containing a valid GitHub Personal Access Token is now required; the token could previously be passed as a CLI argument.

The srctleaks subcommand finds the public GitHub organization for the company specified in your config.yaml, clones all of its public repos, and runs GitLeaks natively in Go against them to check for secrets. It also logs the repos and organization users to a file, and removes cloned repos in which no secrets were found. Finally, it runs through a number of GitHub Dorks to check for leaked secrets throughout the GitHub universe.

Currently, if the matching GitHub account is not of the "organization" metadata type, it is ignored even when its name matches the target organization you specified.

Note that the first two example commands below still pass `--github-token`, while the flag list shows `--github-api`; with the current version the token is read from config.yaml, as the last two examples do.

```text
Example Commands:
  gorecon srctleaks -c SpyVsSpyEnterprises -d made-up-spy-domain.com --github-token ${GITHUB_TOKEN} -o path/to/output/dir
  gorecon srctleaks -c SpyVsSpyEnterprises -d made-up-spy-domain.com --github-token ${GITHUB_TOKEN} -o path/to/output/dir --check-all-org-users
  gorecon srctleaks --config config.yaml
  gorecon srctleaks --config config.yaml --check-all-org-users

Usage:
  gorecon srctleaks [flags]

Flags:
      --check-all-org-users   runs gitleaks against all GitHub organization users public repos. Be cautious, this can take a while. Currently ignores Forked Repos
  -c, --company string        company name that your testing
      --debug                 Prints verbose debugging information
  -d, --domain string         domain string or file containing domains ex. domains.txt
      --github-api string     github personal access token for github API interaction
  -h, --help                  help for srctleaks
  -o, --output string         report output dir

Global Flags:
      --config string   config file default location for viper to look is ~/.config/gorecon/config.yaml
```
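The scanning step described above (run Gitleaks over every discovered public repo, then keep only the repos that actually contained a secret) is worth seeing in code. The following is an added Go example written for this page; it is not gorecon's or gitleaks' own code. The three rules, the 3.5-bit entropy floor, the redaction format and the contents of `sampleRepos` are all assumptions chosen for illustration (the AWS key is the publicly documented example key, the PAT is made up), and the real gitleaks ships a far larger rule set and walks git history rather than a map of file contents.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule is a gitleaks-style detector: a regex whose first capture group is the candidate
// secret, plus a Shannon-entropy floor (bits per character) that filters out placeholders.
type Rule struct {
	ID         string
	Re         *regexp.Regexp
	MinEntropy float64
}

// Assumed rules for illustration; gitleaks' real rule set is much larger.
var rules = []Rule{
	{"aws-access-key-id", regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`), 0},
	{"github-pat", regexp.MustCompile(`\b(ghp_[A-Za-z0-9]{36})\b`), 3.5},
	{"generic-api-key", regexp.MustCompile(`(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*["']([A-Za-z0-9_\-]{20,})["']`), 3.5},
}

type Finding struct {
	Repo, File, RuleID string
	Line               int
	Secret             string // redacted prefix only; never log the full value
}

// Repo stands in for a cloned public repository: path -> file contents.
type Repo struct {
	Name  string
	Files map[string]string
}

// Entropy returns the Shannon entropy of s in bits per character.
func Entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanFile runs every rule over each line. Every rule captures at least 20 characters, so
// the 4-character prefix is safe to keep; a secret is reported once even if several rules match.
func ScanFile(repo, path, content string) []Finding {
	var out []Finding
	seen := map[string]bool{}
	for n, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			for _, m := range r.Re.FindAllStringSubmatch(line, -1) {
				secret := m[1]
				if Entropy(secret) < r.MinEntropy || seen[secret] {
					continue
				}
				seen[secret] = true
				out = append(out, Finding{repo, path, r.ID, n + 1, secret[:4] + "****"})
			}
		}
	}
	return out
}

// ScanRepos keeps only repositories with at least one finding, mirroring the clean-up step.
func ScanRepos(repos []Repo) map[string][]Finding {
	results := map[string][]Finding{}
	for _, repo := range repos {
		for path, content := range repo.Files {
			if f := ScanFile(repo.Name, path, content); len(f) > 0 {
				results[repo.Name] = append(results[repo.Name], f...)
			}
		}
	}
	return results
}

// sampleRepos is constructed data: one repo with a real-looking AWS key (the AWS docs
// example key) and a made-up PAT, a zero-entropy placeholder, and one clean repo.
var sampleRepos = []Repo{
	{"infra-scripts", map[string]string{
		"deploy.sh":  "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n",
		"config.yml": "api_key: \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n",
	}},
	{"website", map[string]string{"index.html": "<h1>hello</h1>\n"}},
}

func main() {
	for repo, findings := range ScanRepos(sampleRepos) {
		for _, f := range findings {
			fmt.Printf("%s %s:%d %s %s\n", repo, f.File, f.Line, f.RuleID, f.Secret)
		}
	}
}
```

The entropy floor is what keeps `api_key: "xxxx…"` style placeholders out of the report while a real token passes; the `website` repo never appears in the result map, which is the "remove repos with no found secrets" behaviour described above.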
Nessus Parser

The nessus subcommand parses a .nessus file, prints and logs the hosts and plugin ID data, and, with the optional flags below, runs additional enumeration modules against the affected hosts.

```text
Example Commands:
  gorecon nessus -n path/to/scan-results.nessus -o path/to/output-dir
  gorecon nessus --nessus-file path/to/scan-results.nessus --output path/to/output-dir
  gorecon nessus --nessus-file path/to/scan-results.nessus --output path/to/output-dir --testssl
  gorecon nessus --nessus-file path/to/scan-results.nessus --output path/to/output-dir --async-nmap
  gorecon nessus --nessus-file path/to/scan-results.nessus --output path/to/output-dir --stream-nmap
  gorecon nessus --nessus-file path/to/scan-results.nessus --output path/to/output-dir --nuclei
  gorecon nessus --nessus-file path/to/scan-results.nessus --output path/to/output-dir --enum4linux-ng
  gorecon nessus --nessus-file path/to/scan-results.nessus --output path/to/output-dir --sshaudit

Usage:
  gorecon nessus [flags]

Flags:
      --async-nmap               runs nmap asynchronously in 10 parallel goroutines with default scripts against all open ports for low through critical severity findings hosts
      --async-nmap-svc-scripts   experimental currently broken. DO NOT USE. runs nmap asynchronously in 30 parallel goroutines with scripts fine tuned per service
      --enum4linux-ng            runs enum4linux-ng against all hosts parsed from nessus within svc_name attribute slice []string{"cifs", "smb", "epmap", "ldap"} also runs initial crackmapexec smb against just port 445 hosts
  -h, --help                     help for nessus
  -n, --nessus-file string       full or relative path to nessus file.nessus
      --nuclei                   runs nuclei scan with critical,high, and medium severity templates against all web services
  -o, --output string            report output dir
      --sshaudit                 runs ssh-audit.py against all ssh nessus findings hosts
      --stream-nmap              streams nmap synchronously with default scripts against all open ports for low through critical severity findings hosts
      --testssl                  runs Testssl.sh against all tls and ssl nessus findings hosts

Global Flags:
      --config string   config file default location for viper to look is ~/.config/gorecon/config.yaml
```
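Because the parser is the core of this subcommand, here is an added Go example, written for this page and not gorecon's own code, of the mapping the flag descriptions above imply: a .nessus file is NessusClientData_v2 XML, every ReportItem carries port, svc_name, severity and pluginID attributes, and the job is to turn that into per-finding host:port target lists (one per plugin, for the "low through critical" range the nmap and testssl modules use) and per-service target lists (the cifs/smb/epmap/ldap set the enum4linux-ng module uses). `sampleNessus` is a constructed document; the per-finding key format and the severity cut-off are assumptions, not gorecon's exact file names. It takes the ReportHost name attribute as the address, which holds when the scan was launched by IP; scans launched by hostname put the IP in a HostProperties host-ip tag, which a production parser should prefer.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// sampleNessus is a constructed, minimal NessusClientData_v2 document, not a real scan.
// Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
const sampleNessus = `<?xml version="1.0" ?>
<NessusClientData_v2><Report name="constructed-scan">
  <ReportHost name="10.0.0.5">
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="57608" pluginName="SMB Signing not required"/>
    <ReportItem port="389" svc_name="ldap" protocol="tcp" severity="0" pluginID="20870" pluginName="LDAP Server Detection"/>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
  </ReportHost>
  <ReportHost name="10.0.0.7">
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="57608" pluginName="SMB Signing not required"/>
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="70658" pluginName="SSH Server CBC Mode Ciphers Enabled"/>
  </ReportHost>
</Report></NessusClientData_v2>`

// Only the parts of the .nessus schema needed here are mapped. The ReportHost name attribute is
// taken as the address; scans launched by hostname put the IP in a HostProperties host-ip tag instead.
type (
	NessusClientData struct {
		Hosts []ReportHost `xml:"Report>ReportHost"`
	}
	ReportHost struct {
		Name  string       `xml:"name,attr"`
		Items []ReportItem `xml:"ReportItem"`
	}
	ReportItem struct {
		Port       int    `xml:"port,attr"`
		SvcName    string `xml:"svc_name,attr"`
		Severity   int    `xml:"severity,attr"`
		PluginID   int    `xml:"pluginID,attr"`
		PluginName string `xml:"pluginName,attr"`
	}
)

func ParseNessus(data []byte) (*NessusClientData, error) {
	doc := &NessusClientData{}
	return doc, xml.Unmarshal(data, doc)
}

// groupTargets returns sorted, de-duplicated host:port targets per key for every item that
// keyFn keeps (empty key = skip). Port 0 "general" items have no scannable target.
func groupTargets(doc *NessusClientData, keyFn func(it ReportItem) string) map[string][]string {
	out, seen := map[string][]string{}, map[string]bool{}
	for _, h := range doc.Hosts {
		for _, it := range h.Items {
			key := keyFn(it)
			if key == "" || it.Port == 0 {
				continue
			}
			target := net.JoinHostPort(h.Name, strconv.Itoa(it.Port))
			if !seen[key+"|"+target] {
				seen[key+"|"+target] = true
				out[key] = append(out[key], target)
			}
		}
	}
	for _, targets := range out {
		sort.Strings(targets)
	}
	return out
}

// FindingsByPlugin groups targets per plugin at or above minSeverity; the key, e.g.
// "57608_smb_signing_not_required", doubles as the per-finding file name.
func FindingsByPlugin(doc *NessusClientData, minSeverity int) map[string][]string {
	return groupTargets(doc, func(it ReportItem) string {
		if it.Severity < minSeverity {
			return ""
		}
		return fmt.Sprintf("%d_%s", it.PluginID, strings.ReplaceAll(strings.ToLower(it.PluginName), " ", "_"))
	})
}

// HostsBySvc selects targets by svc_name, e.g. cifs/smb/epmap/ldap for an enum4linux-ng pass.
func HostsBySvc(doc *NessusClientData, svcs ...string) []string {
	return groupTargets(doc, func(it ReportItem) string {
		for _, s := range svcs {
			if it.SvcName == s {
				return "svc"
			}
		}
		return ""
	})["svc"]
}

func main() {
	doc, err := ParseNessus([]byte(sampleNessus))
	if err != nil {
		panic(err)
	}
	fmt.Println(FindingsByPlugin(doc, 1)) // 1 = low through critical, the range the nmap/testssl modules use
	fmt.Println(HostsBySvc(doc, "cifs", "smb", "epmap", "ldap"))
}
```

Two details matter when feeding these lists to other tools: the port-0 "general" items that every Nessus export contains must be dropped before anything tries to connect, and the same plugin is often reported on the same host:port more than once, so de-duplication belongs in the parser rather than in each module.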
Screenshots
Todos

- Implement a Shodan API wrapper to query the JARM hashes obtained from the httpx CSV output.
- (25% done) Enhance the Nessus parser to sort hosts by service type, then run the matching Nuclei workflows against all the services, e.g. Apache Tomcat, VMware, etc.
- Update the configuration file config.yaml to support all available API keys for the corresponding tools used by gorecon, instead of file paths pointing to additional config files.
- Create an Elasticsearch / Kibana docker-compose.yml to spin up local instances and use the go-elasticsearch lib to push results to the local instance.
- Embed a Kibana dashboard to visualize the results.
- Add a LinkedIn scraper to enumerate contacts -> validate usernames, etc.
- Implement partial AAD Internals functionality natively in Go >> grab tenant names >> generate keywords for cloud_enum >> run cloud_enum.
- Automatically add recon-ng API keys to recon-ng with config.yaml support.
- Add required arguments to the recon command and check that the required config.yaml options are not empty.