Almost every Internal and External network security assessment engagement requires a network, system and services footprinting, to gather as much information as possible about the targeted network. The process of network intelligence gathering can be ended up boring over time and with one Penetration Test after another. However, network reconnaissance is the most essential and valuable step to a successful security assessment.
In this post we will introduce how to conduct automated footprinting of your targeted network using our recently released open source tool, IntelSpy written in Python3.
Footprinting
Footprinting (also known as reconnaissance) is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies. This information is very useful to a hacker who is trying to crack a whole system. When used in the computer security lexicon, “Footprinting” generally refers to one of the pre-attack phases; tasks performed before doing the actual attack.
https://en.wikipedia.org/wiki/Footprinting
IntelSpy
Perform automated network reconnaissance scans to gather network intelligence. IntelSpy is a multi-threaded network intelligence spy tool which performs automated enumeration of network services. It performs live hosts detection scans, port scans, services enumeration scans, web content scans, brute-force, detailed off-line exploits searches and more. The tool will also launch further enumeration scans for each detected service using a number of different tools.
https://github.com/maldevel/intelspy
Features
- Scans multiple targets in the form of IP addresses, IP ranges (CIDR notation) and resolvable hostnames.
- Scans targets concurrently.
- Detects live hosts in an IP range (CIDR) network.
- Customizable port scanning profiles and service enumeration commands.
- Creates a directory structure for results gathering.
- Logs commands that were run.
- Generates shell scripts with commands to be run manually.
- Extracts important information in txt and markdown format.
- Stores data to an SQLite database.
- Generates HTML report.
- and more..
Requirements
- Python 3
- colorama
- toml (https://github.com/toml-lang/toml)
- seclists
- curl
- enum4linux
- gobuster
- nbtscan
- nikto
- nmap
- onesixtyone
- oscanner
- smbclient
- smbmap
- smtp-user-enum
- snmpwalk
- sslscan
- svwar
- tnscmd10g
- whatweb
- wkhtmltoimage
- pandoc
- hydra
- medusa
- wpscan
- ldapsearch
- patator
pip3 install -r requirements.txt
sudo apt install seclists
Download
git clone https://github.com/maldevel/intelspy.git
Usage
___ __
| ._ _|_ _ | (_ ._
_|_ | | |_ (/_ | __) |_) \/
| /
IntelSpy v1.0 - Perform automated network reconnaissance scans to gather network intelligence.
IntelSpy is an open source tool licensed under GPLv3.
Written by: @maldevel | @LOGISEK_LTD
https://logisek.com | https://pentest-labs.com
https://github.com/maldevel/intelspy
usage: intelspy.py [-h] [-ts TARGET_FILE] -p PROJECT_NAME -w WORKING_DIR
[--exclude <host1[,host2][,host3],...>] [-s SPEED]
[-ct <number>] [-cs <number>] [--profile PROFILE_NAME]
[--livehost-profile LIVEHOST_PROFILE_NAME]
[--heartbeat HEARTBEAT] [-v]
[targets [targets ...]]
positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g.
10.0.0.1/24), or resolvable hostnames (e.g.
example.com) to scan.
optional arguments:
-h, --help show this help message and exit
-ts TARGET_FILE, --targets TARGET_FILE
Read targets from file.
-p PROJECT_NAME, --project-name PROJECT_NAME
project name
-w WORKING_DIR, --working-dir WORKING_DIR
working directory
--exclude <host1[,host2][,host3],...>
exclude hosts/networks
-s SPEED, --speed SPEED
0-5, set timing template (higher is faster) (default:
4)
-ct <number>, --concurrent-targets <number>
The maximum number of target hosts to scan
concurrently. Default: 5
-cs <number>, --concurrent-scans <number>
The maximum number of scans to perform per target
host. Default: 10
--profile PROFILE_NAME
The port scanning profile to use (defined in port-
scan-profiles.toml). Default: default
--livehost-profile LIVEHOST_PROFILE_NAME
The live host scanning profile to use (defined in
live-host-scan-profiles.toml). Default: default
--heartbeat HEARTBEAT
Specifies the heartbeat interval (in seconds) for task
status messages. Default: 60
-v, --verbose Enable verbose output. Repeat for more verbosity (-v,
-vv, -vvv).
Usage Examples
Scanning single target
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 -v
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 -vv
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 -vvv
Scanning a hostname
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ example.com
Scanning a network range(CIDR)
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.0/24
Scanning multiple targets
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 192.168.10.0/24 example.com
Scanning targets from file
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ -ts /home/user/targets.txt
Excluding one host
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ --exclude 192.168.10.9 192.168.10.0/24
Excluding many hosts
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ --exclude 192.168.10.9,192.168.10.24 192.168.10.0/24