Just wondering if this is still supported? or any forks that are supported?

Hi,
the tool is awesome. could you please provide any changes related to skip recon process, use multiple types

when we use All type it asking last to use recon or skip but the input is not taking properly and it throwing error message

I was testing this library and I got a notification that an incoming connection through Nmap... there is no a single case of use for an incoming connection coming from a library like this. Trojan is the best word to describe. Erasing my computer.

As mentioned in #44, usually, the purpose of flags is to enable optional functionality.

Also, in #44, it was learned that preserving compatibility with the current way of calling the script (--host and --type flags need to be preserved) is mandatory.

Still, this doesn't prevent future development from making these flags optional (offering the same functionality as of now when used), while moving towards a more standardized way of calling the script.

Because of this, I propose to make the --host and --type flags optional (as long as what was proposed in #44 is considered and implemented), and allow specifying the current --type functionality in separate, and accumulative, flags, for example:

$ ./nmapAutomator.sh -b -u 10.1.1.1              # Performs Basic and UDP scan

$ ./nmapAutomator.sh --recon --vulns 10.1.1.1    # Performs Recon (+ Basic) and Vulns scan

$ ./nmapAutomator.sh 10.1.1.1                    # Performs by default the Basic scan

$ ./nmapAutomator.sh --type All --host 10.1.1.1  # This is still possible and works as expected

when scanning a host that has port 161 open, the command to execute snmpwalk doesn't include the version number, and fails.

changing:
echo "snmpwalk -Os -c public -v $1 | tee recon/snmpwalk_$1.txt"

to:
echo "snmpwalk -Os -c public -v1 $1 | tee recon/snmpwalk_$1.txt"

would allow a v1 search to occur...

Is there a reason why the UDP scan command contains "--open --open"? Aiui, that flag has no effect for doubling it up.

Nmap Has the functionality to spoof the IP, can this be incorporated?

Hello,

I will like know how I can export scan in xml or json format.

Thanks and a greeting

I've been checking AutoRecon, and there are some neat features (and other recommendations that occurred to me) that could be added to nmapAutomator:

• When #44 gets implemented, we could run a different nmap instance (simultaneously) for every target (using the shell's background task functionality &), though the logic of the code will need to change in order to prevent mixing the output of all the nmap instances
• The same said above but for performing different scans over the same target simultaneously (unsure of the efficiency of this, though)
• Add a -q/--quiet flag (and maybe another one only showing the progress-bar with the current scan, maybe -q shows the progress and -qq or -Q nothing), in case the user only wants to check the final file or folder with all the results
• Add flags for saving the nmap output in different formats (-oG, greppable format is useful and may be parsed by different scripts)
• Automatically detect if the terminal supports colors and disable them if it doesn't (this is really simple to implement), as well as some flags for forcing enabling or disabling them (--color, --no-color)
• Allow custom scans with template files (see AutoRecon profiles), is way easier to implement for shell script as there's no need for intermediary template languages
• Not a feature, just that it would be nice to indicate in the README that this script does not perform automatic exploitation, it is just an efficient wrapper of some enumeration tools, so that it can be used in the OSCP exam (and others with similar restrictions)
• Also not a feature, just a recommendation that it would be wise to add a license (MIT, ISC, or BSD are great choices for the project and are basically the same), personally I like ISC better (is more compact 🙂)

AKA Quick, Full.

Due to the fact that the purpose of this tool is automation, it would be a good idea to allow specifying more than one target.

To achieve this, I think that the way the script is called should be modified to the following:

# The -H/--host flag is dropped as flags usually enable optional functionality
$ ./nmapAutomator.sh --type All 10.1.1.1

# So that the following is possible:
$ ./nmapAutomator.sh --type All 10.1.1.1 10.1.1.123

# As well as:
$ ./nmapAutomator.sh --type All 10.1.1.1 academy.htb

nmap recognizes more than one target (and subnets), so extending these capabilities to the base functionality of the script are a good idea.

Thanks for addressing the high CPU and expression errors. Great work. I can not repeat the same issues now.

The third issue which I have noticed is, once the scan is finished, it freezes my kali terminal. I have repeated the same issue 3 times. Even ran the scan with the latest changes 20minutes ago and it freezes the kali terminal again.

gobuster always fails with the following error: Error: unknown shorthand flag: 'l' in -lkx

On running any scans after quick scan, all other scans have this error.
Running on kali 2020.2
Latest nmap ver.
used to work.
Get same ports error on all scans.Error #485: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!

---------------------Starting Nmap Basic Scan---------------------

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 08:15 GMT
Error #485: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!

Hey I was using your script and it says to use -Pn for "Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower."

Could anyone please help me in this.

Hello, following the POSIX improvement, the recon phase does not work on Manjaro 20. For that, you have to rollback to "read -t 1 reconCommand" on line 543.

Hi, Thanks for the script !

I've been using it on mac and it doesn't work out of the box, because the version of head shipped with MacOS doesn't support the arguments used in the script.

The workaround is to install the gnu version of head (via homebrew: brew install coreutils and to edit the script by either adding PATH="$(brew --prefix)/opt/coreutils/libexec/gnubin:$PATH" at the start OR replacing all calls to head by calls to ghead (see https://formulae.brew.sh/formula/coreutils).

If you're interested in supporting MacOS, I can send a pull request your way to indicate the extra depency in the README and edit the script accordingly.

Having run the tool a couple of times on different targets, I have found the Nikto scan to be excessively long.

Where can we edit the code to set a max time of 600 seconds for example?

(set flag "-maxtime 600")

Thanks

when trying to run the script I get the following error

/nmapAutomator.sh: line 7: syntax error near unexpected token newline' ./nmapAutomator.sh: line 7: '

I installed the vulners script and I'm on Kali 2019.2

Been using nmapAutomator for a while, a wonderful script with good scanning results. Recently updated with the recent version noticed very high CPU usage. The full scan is kicking the laptop fan and the CPU usage goes up to 60% which was not the case with the old nmapAutomator script.

I have checked the process a few times with a few different hosts. Also ran the old script and the CPU usage stays in between 10% - 15%. My laptop is a few years old with an i7 8th gen processor, 16 GB ram.

I am trying to create a script that calls nmapAutomator and then autorecon. When I try to to run the main script it will not run nmapAutomator.
Also I edited my version of the script to be able to tell it to output to a specific folder and not to the current folder.
Here are some screen shots of the code I have tried.
Any suggestions?

Hey 21y4d

i encountered some weird problems ... while running a quick scan with your tool, sudo must not be entered, otherwise nmap will do a more complex scan [1] but for udp scans for example, nmap needs sudo to execute...

is there already a work around for this problem?
otherwise it would probably the easiest way, to add another "nmapType" variable... one w/o sudo and one with sudo, so the udp scan can be conducted with the needed privs

gobuster changed the usage syntax in a recent update, should add 'dir' before some flags

Is there anyway to load a list of IP's to run nmapAutomator against or any though of adding this feature?

Environment:

Host: macOS Monterey (Apple M2)
Guest: Kali Linux 2022.2 (ARM64)

The script will not run the gobuster portion. I took a look at the gobuster repo to see if there were any issues related and I did not come across any. I followed your installation steps. any recommendations on how to mitigate this? Really love the script!

Hello!

Running the script with no parameters make the banner get printed. Because the banner is not ended with a ${NC} the terminal remains colored.

Hello,

As you sayed that this script was used during the OSCP preparation, how did you use it through proxychains (or tunneling)?

It is clear that not all the options will work. Checking the code, all the scans that make use of UDP/ICMP/SYN topics should not work. I might write the code for a hypotetical --proxyChains (or something like that) option where only TCP ports are used. If you like it, will you want to add it?

Thanks a lot.

Instead of typing the IP address It'd be a nice functionality that the script supports resolving local DNS IP, i.e /etc/hosts. If required I can send a Pull Request for the same.

I have been using an output option to my version of the script. That way you can say where you want the output to go. In case you are wanting to run this script and autorecon and have them both go to the same folder.
Is this something that people would want in the script?

Using fresh install, with ffuf installed (no Gobuster but instructions say I could use one or the other).

Running the following command, it says no ports were found:

┌──(kali㉿kali)-[~/Documents/recon]
└─$ ~/Documents/recon/nmapAutomator/nmapAutomator.sh -H 10.11.1.146 -t Recon

Running a Recon scan on 10.11.1.146

Host is likely running Linux


---------------------Starting Port Scan-----------------------                                                                                                                                                                               
                                                                                                                                                                                                                                             





---------------------Starting Script Scan-----------------------
                                                                                                                                                                                                                                             
No ports in port scan.. Skipping!
                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                             
---------------------Recon Recommendations---------------------                                                                                                                                                                              
                                                                                                                                                                                                                                             



No Recon Recommendations found...
                                                                                                                                                                                                                                             


---------------------Finished all scans------------------------
                                                                                                                                                                                                                                             

Completed in 4 seconds

Here is the output, suggesting the host is down:

┌──(kali㉿kali)-[~/…/nmap]
└─$ cat Port_10.11.1.146.nmap              
# Nmap 7.91 scan initiated Wed Aug 25 21:21:52 2021 as: /usr/bin/nmap -T4 --max-retries 1 --max-scan-delay 20 --open -oN nmap/Port_10.11.1.146.nmap --system-dns --stats-every 1s 10.11.1.146
# Nmap done at Wed Aug 25 21:21:54 2021 -- 1 IP address (0 hosts up) scanned in 2.05 seconds

Running nmap manually with the -Pn flag shows the host is up:

┌──(kali㉿kali)-[~/…/146]
└─$ nmap -sC -sV -oA nmap/standard 10.11.1.146 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 21:23 BST
Nmap scan report for 10.11.1.146
Host is up (0.26s latency).
Not shown: 997 filtered ports

So the script does not seem to pick up on the fact the host is down then re-run the scans with -Pn

Thanks!

Noticed another issue with the new script. Ran against the "Bastard" host from hack the box.

1. Empty output on - "Starting Nmap UDP Scan".
2. Struck forever in "Running Vuln scan on basic ports" in "Nmap Vulns Scan". Waited for more than an hour.

On the old script, I sometimes receive the following message in "Starting Nmap Vulns Scan - > Running Vuln scan on basic ports".
Pre-scan script results:
|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)

Before DNS changes were made nmapAutomator used to quickly guess the type of operating system based on the TTL from the server. This functionality still works for IP but doesn't in the case of domains. This is due to the response ping command in the checkPing() function.

Incase of an IP, TTL result is accurate. ping -c 1 -W 3 10.10.20.196 which when cleaned for TTL with ping -c 1 -W 3 10.10.20.196 | grep ttl | cut -d " " -f 6 | cut -d "=" -f 2 gives the accurate TTL 63 in this case but this doesn't return accurate TTL value incase of a domain ping -c 1 -W 3 chocolatefactory.thm | grep ttl | cut -d " " -f 6 | cut -d "=" -f 2 will return the ICMP sequence number 1 in this case. We can bypass this with a simple check to see if this is an IP address.

Running Vuln scan on all ports

./newnmapAutomator.sh: line 174: 0:00:00 / 2: syntax error in expression (error token is ":00:00 / 2")
./newnmapAutomator.sh: line 175: 0:00:00 / 2: syntax error in expression (error token is ":00:00 / 2") ] 0% done
./newnmapAutomator.sh: line 174: 0:00:00 / 2: syntax error in expression (error token is ":00:00 / 2")
./newnmapAutomator.sh: line 175: 0:00:00 / 2: syntax error in expression (error token is ":00:00 / 2")
./newnmapAutomator.sh: line 174: 0:00:00 / 2: syntax error in expression (error token is ":00:00 / 2")

When scanning some machines the nmap option -Pn is incorrectly disabled. This seems to be the case when pinging via ping is working but nmap does not recognize the host as up:

~ $ nmap 10.10.10.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 19:07 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds

~ $ ping 10.10.10.4
PING 10.10.10.4 (10.10.10.4) 56(84) bytes of data.
64 bytes from 10.10.10.4: icmp_seq=1 ttl=127 time=36.2 ms
64 bytes from 10.10.10.4: icmp_seq=2 ttl=127 time=35.7 ms
64 bytes from 10.10.10.4: icmp_seq=3 ttl=127 time=35.2 ms
64 bytes from 10.10.10.4: icmp_seq=4 ttl=127 time=35.2 ms

For example, this is the case for the HTB box 'Legacy' and some other old boxes.

When this happens nmapAutomator.sh will omit the -Pn flag and therefore not find any open ports:

enum $ nmapAutomator.sh -t All -H 10.10.10.4

Running all scans on 10.10.10.4

Host is likely running Windows


---------------------Starting Port Scan-----------------------






---------------------Starting Script Scan-----------------------

No ports in port scan.. Skipping!

Whereas with the -Pn flag, nmap will find open ports:

~ $ nmap 10.10.10.4 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 18:55 CEST
Nmap scan report for 10.10.10.4
Host is up (0.037s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds

Is it possible to add a flag that forces the -Pn nmap option?

Sorry to bother you again, but I was reading through the code and noticed it does a ping scan and enables the -Pn switch if necessay. So now I'm baffled once again. I tried running with sudo as recommended with no luck, script hangs on service scan of ports it didn't find with in previous scan. I double checked that I can run the commands I found within the output files and they function as expected. I might spin up a fresh vm and see how that works in case I have configured something poorly.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 10:15 IST
./nmapAutomator.sh: line 138: 1528 Segmentation fault $nmapType -sCV -pecho "${basicPorts}" -oN nmap/Basic_$1.nmap $1

I'm sorry for writing here but it was the only way to contact you,

You are good in the cybersecurity field? Then you can write for us about your own tool on GitHub and the use of it.
Your article will be published with your name and a link to your website and social media accounts if you want. Please reply to us at Email: kalitutwrite @ gmail.com
Walid Salame
kalitut .com
Twitter:@xKaliSec

hello , great tool as always

enum4linux is old now , there is enum4linux-ng ,

please replace it with enum4linux-ng :

check it out L

https://github.com/cddmp/enum4linux-ng

At some point in the past year or so the output files for nmap were renamed to end in ".nmap" instead of ".txt". It seems cherrytree is incompatible with the .nmap file extension (or it is expecting different data than what it's given) since when trying to import these files it now completely crashes cherrytree. If I edit nmapAutomator.sh and replace all instances of ".nmap" with ".txt" cherrytree can import the files without incident (also works if you rename the files after the script finishes).

Can we revert the file extension back to .txt or is there a specific reason they need to be .nmap?

Thanks!

Hi there, I am getting invalid IP when setting ip/28 to do a subnet? How do I scan a subnet ?

dnsrecon is not running due to the missing -d switch

It is running ldap search when 3389 is open even port 389 is not

I am using Mac (macOS Big Sur 11.4) and unable to run the nmapAutomator script.
Kindly find the below mentioned output when I run the script.

Running a Script scan on 10.10.10.134

Host is likely running Windows

---------------------Starting Port Scan-----------------------

sed: 1: "/elapsed/{s/.undergoin ...": bad flag in substitute command: '}'
sed: 1: "/% done/{s/.About (. ...": bad flag in substitute command: '}'
sed: 1: "/elapsed/{s/Stats: (. ...": bad flag in substitute command: '}'
sed: 1: "/remaining/{s/.* ((.\ ...": bad flag in substitute command: '}'
sed: 1: "/elapsed/{s/.undergoin ...": bad flag in substitute command: '}'
sed: 1: "/% done/{s/.About (. ...": bad flag in substitute command: '}' ] 0% done
sed: 1: "/elapsed/{s/Stats: (. ...": bad flag in substitute command: '}'
sed: 1: "/remaining/{s/. ((.\ ...": bad flag in substitute command: '}'
sed: 1: "/elapsed/{s/.undergoin ...": bad flag in substitute command: '}'
sed: 1: "/% done/{s/.About (. ...": bad flag in substitute command: '}' ] 0% done
sed: 1: "/elapsed/{s/Stats: (. ...": bad flag in substitute command: '}'
sed: 1: "/remaining/{s/. ((.\ ...": bad flag in substitute command: '}'
sed: 1: "/elapsed/{s/.undergoin ...": bad flag in substitute command: '}'
sed: 1: "/% done/{s/.About (. ...": bad flag in substitute command: '}' ] 0% done
sed: 1: "/elapsed/{s/Stats: (. ...": bad flag in substitute command: '}'
sed: 1: "/remaining/{s/. ((.\ ...": bad flag in substitute command: '}'
sed: 1: "/elapsed/{s/.undergoin ...": bad flag in substitute command: '}'
sed: 1: "/% done/{s/.About (. ...": bad flag in substitute command: '}' ] 0% done
sed: 1: "/elapsed/{s/Stats: (. ...": bad flag in substitute command: '}'
sed: 1: "/remaining/{s/. ((.\ ...": bad flag in substitute command: '}'
sed: 1: "/elapsed/{s/.undergoin ...": bad flag in substitute command: '}'
sed: 1: "/% done/{s/.About (. ...": bad flag in substitute command: '}' ] 0% done
sed: 1: "/elapsed/{s/Stats: (. ...": bad flag in substitute command: '}'
sed: 1: "/remaining/{s/. ((.*\ ...": bad flag in substitute command: '}'
In progress: No Scan (0:00:00 elapsed - 0:00:00 remaining)

Please do let me know what can be done to resolve this issue

I wish I knew how to diagnose the tool a bit better, when I run scans it tells me the host is likely such and such and then the port scans fail. The first install the UDP scan worked, I deleted and reinstalled exactly according to the instructions in the readme and now none work. I even tried downloading the static nmap and chmod +x it and still doesnt scan. I used this on a prior vm and it worked flawlessly. Any ideas?

On some boxes i've done in the pwk it completely skipped over certain ports mainly port 69 or 79 udp when you ran the scanner. I haven't torn your script apart yet to be able to fix that problem but i'd thought i would let you know about it.

Currently IPv6 aren't supported and therefore can't be scanned.