Automating Pentest workflow – Using simple python script
In this post we will create a simple Python script to automate our pentest recon process in Kali Linux. It can be used for initial enumeration of a pentest target, during CTFs, etc. We will include nmap and nikto; you can expand it to other tools as well.

Let's start with a basic Python program that interacts with the operating system to execute commands.
import os
os.system("ls -l")  # run a shell command and show its output in the terminal
Type this into a text editor, save it, and make the file executable by running the following command in the terminal:
chmod +x <filename.py>
Run script using:
python <filename.py>
Output should look like this, listing the contents of the folder.

We will implement this with nmap and nikto on a Hack The Box lab machine named Drive, with IP 10.10.11.235:
import os
IP = input("Enter the target IP:")  # the target IP is also used as the name of the output folder
os.system(f"mkdir {IP}")  # create the output folder
print('--------------------------------------------------------')
print("[+] Starting initial Nmap Scan:.....")
os.system(f"nmap -sC -sV -oA {IP}/nmap-initial-scan {IP}")  # default scripts + version detection, output in all three formats
print('--------------------------------------------------------')
print("[+] Starting Full TCP Nmap Scan:.....")
os.system(f"nmap -p- -sV -oA {IP}/nmap-Full-TCP-scan {IP}")  # all 65535 TCP ports with version detection
print('--------------------------------------------------------')
print("[+] Starting nikto scan:.....")
os.system(f"nikto -h {IP}")  # web server scan against the target host
print('-------------------------SCAN----END-------------------------------')
Here the script prompts for a target IP, creates a folder named after it, and then runs the initial nmap scan, the full TCP scan and nikto against that IP.
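The script above substitutes whatever is typed at the prompt straight into shell commands through os.system, so a stray character in the input becomes part of the shell command line, and a second run against the same target fails at mkdir because the folder already exists. The version below is an added example written for this post, not the page's original script and not Hack The Box code. It keeps the same three scans but validates the target with the standard ipaddress module, runs each tool as an argument list through subprocess with no shell, creates the folder with exist_ok, skips tools that are not installed, and keeps a copy of each tool's terminal output in the folder next to nmap's -oA files. The function names (validate_target, build_commands, run_scans) and the .log file names are my own choices and are not from the page.

```python
from __future__ import annotations

import ipaddress
import shutil
import subprocess
import sys
from pathlib import Path


def validate_target(raw: str) -> str:
    """Return the target as a canonical IP address string, or raise ValueError.

    Only a value that parses as an IPv4/IPv6 address is accepted, so shell
    metacharacters such as ';' or '$(' can never reach the commands built below.
    """
    return str(ipaddress.ip_address(raw.strip()))


def build_commands(ip: str, outdir: str) -> list[tuple[str, list[str]]]:
    """Return (label, argv) pairs for the three scans the page runs.

    Each command is an argument list, not a string, and is later run without a
    shell, so the target is always exactly one argument to the tool.
    """
    out = Path(outdir)
    return [
        ("initial Nmap scan",
         ["nmap", "-sC", "-sV", "-oA", str(out / "nmap-initial-scan"), ip]),
        ("full TCP Nmap scan",
         ["nmap", "-p-", "-sV", "-oA", str(out / "nmap-Full-TCP-scan"), ip]),
        ("nikto scan",
         ["nikto", "-h", ip]),
    ]


def run_scans(ip: str, outdir: str) -> dict[str, int | None]:
    """Run each scan in turn, echoing output and saving a copy as <outdir>/<label>.log.

    Returns each tool's exit code, or None when the tool is not installed.
    """
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)  # no shell 'mkdir', and re-runs do not fail
    results: dict[str, int | None] = {}
    for label, argv in build_commands(ip, outdir):
        print("-" * 56)
        if shutil.which(argv[0]) is None:
            print(f"[-] {argv[0]} is not installed, skipping {label}")
            results[label] = None
            continue
        print(f"[+] Starting {label}: {' '.join(argv)}")
        log = out / (label.replace(" ", "-").lower() + ".log")  # hypothetical log name
        with log.open("w") as fh, subprocess.Popen(
            argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True
        ) as proc:
            for line in proc.stdout:  # show progress live and keep a copy for review
                print(line, end="")
                fh.write(line)
        results[label] = proc.returncode  # set once the 'with' block has waited for exit
    return results


if __name__ == "__main__":
    try:
        target = validate_target(input("Enter the target IP:"))
    except ValueError as exc:
        sys.exit(f"[-] Not a valid IP address: {exc}")
    codes = run_scans(target, target)  # folder named after the target, as in the page's script
    print("-" * 25 + "SCAN----END" + "-" * 25)
    for label, code in codes.items():
        status = "not run" if code is None else f"exit code {code}"
        print(f"{label}: {status}")
```

Run it the same way as the original (python <filename.py>). A folder named after the target receives nmap's -oA files plus one .log per tool, and because the commands are built as lists you can unit-test build_commands without launching a single scan.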

Full output of the script is as below:
└─$ python automation-recon-simple.py
Enter the target IP:10.10.11.235
--------------------------------------------------------
[+] Starting inital Nmap Scan:.....
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 15:26 EST
Nmap scan report for drive.htb (10.10.11.235)
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 27:5a:9f:db:91:c3:16:e5:7d:a6:0d:6d:cb:6b:bd:4a (RSA)
| 256 9d:07:6b:c8:47:28:0d:f2:9f:81:f2:b8:c3:a6:78:53 (ECDSA)
|_ 256 1d:30:34:9f:79:73:69:bd:f6:67:f3:34:3c:1f:f9:4e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Doodle Grive
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp filtered ppp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds
--------------------------------------------------------
[+] Starting Full TCP Nmap Scan:.....
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 15:27 EST
Nmap scan report for drive.htb (10.10.11.235)
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
3000/tcp filtered ppp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 742.58 seconds
--------------------------------------------------------
[+] Starting nikto scan:.....
The nmap scans also write their output files into the target folder, which we can review later for further analysis.

You can keep adding to this script, following the same pattern, with the commands you would otherwise run manually:
print('--------------------------------------------------------')
print("[+] Starting <tool name> scan:.....")
os.system(f"<command here>")
In future posts we will look at how to speed up the scans and integrate these scans, so that output from nmap serves as input to other scanners.
Stay tuned!!!
You can find the code on my github.