Efficiently Utilizing Autorecon for OSCP and Beyond
I recently passed the OSCP exam by Offensive Security, the exam was fun and I learned a lot over the course of the past year. I wanted to give back to the community so I wrote some tips and tricks I found useful. That information and post is up on reddit below. I also wanted to go a bit in depth on how I used Autorecon and created a methodology that worked for me. I hope this can be helpful for others!
What is Autorecon?
One of the key tools that allowed me to enumerate efficiently and create a methodology that worked was Autorecon, a tool created by Tib3rius or @tibsec on twitter. You can find more about it here:
It enumerates the server for you and will run enumeration commands spitting out the results in a variety of directories. I will admit that when I first came across Autorecon, it scared me. How was I supposed to use a terminal to navigate through all these directories fast and quickly? I didn’t quite get how people used this tool effectively unless they were a terminal god and had a million terminal windows all hotkeyed and could remember where everything was. I then discovered a technique that allowed me to not only quickly peruse my results, but also quickly copy and paste all from a browser tab. What I learned to do was not anything special, it was actually a trick we pentesters use to get our tools onto the machines in the first place!
It just so happens that Python has a nifty module that lets you spin up a webserver on the spot in a terminal at the directory you are currently in. This gives you the ability to serve any kind of content from any given directory, and you can have more than 1 server running at a time. Here is what I did and what my methodology is today:
The first step is to create your structure. For my examples I am going to mimic what I did for the exam, but I am not using any exam names or content. I am using one vulnhub machine (Leeroy) for example autorecon output. My initial structure looked something like this:
I would then start my autorecon running in the background within each folder for each machine. This would create an output like this within each machines folder.
The results folder is where autorecon puts all its folders and files. The next step is to go back to your main folder, and drop a python web server in. I use port 9999 as I will probably never conflict using that port.
Now this is where the fun begins. In your browser, simply load up localhost:9999 you will now see your main folder of machines. I usually kept this tab as my first tab at all times.
The next part is simple, click into the machine you want to enumerate and go into results/<ip>/scans/ and you will see a list of result files, all of these files are txt files…Which means you can click them and load them in your browser window!
I would use this methodology, clicking through each item, looking for clues or possible vectors, copy pasting anything I find out, etc. This method helped me hone my enumeration skills.
If there are questions or comments I can be found on discord, my user is Ninjacoder#5131. Or on reddit (post above).
I hope this was helpful and good luck to those of you working towards your OSCP. Just remember, you can do it, and you will do it!