1N3 / Sn1per

Attack Surface Management Platform
https://sn1persecurity.com

Customization of scans #290

Closed clive7391 closed 3 years ago

clive7391 commented 4 years ago

Hey there. Pro user with all the add-ons.

I continually try to use Sn1per but find myself going back to my custom scripts because I don't feel I have control or can do the scans I want. The modes, flyover, stealth, etc., don't really seem to explain what is going on. I like how you have many tools integrated but would like more customization to get detailed scanning.

For example, I start enumeration of many subnets in a list with a ping scan and cut and tee to get a target list. Next is nmap of the top 20 ports and vulners. I follow up with additional nmap scans to get all the ports in stages so I can start working after the top 20. All nmap output is saved with -oA and | tee .txt. I then script an import into Metasploit, export the services, and cat out by protocol to run more nmap, crackmap, enum4, etc.

So I wish I could pull my initial nmaps into Sn1per and then auto-run all the additional tools that Sn1per has, with all output saved to text files.

Great tool and I will continue to support, I would just like to get more use out of it.

1N3 commented 4 years ago

Hi, You mentioned you start enumeration of many subnets in a list. I'm working on a new scan mode called 'massdiscover' to automatically handle lists of subnets, but have you tried using the normal 'discover' mode available within Sn1per to discover, parse and enumerate targets?

sniper -t 192.168.0.0/24 -m discover -w 192.168.0.0

As a Pro user on a fresh workspace, this should automatically populate basic enum info (i.e. screenshots, banners, basic open ports, web titles, etc.) pretty quickly. Since this is just a baseline of host data, to dig deeper with more tools you will need to use either the 'web' and 'webscan' modes for web-based hosts or 'nuke' mode for network-based hosts.

As a work around to scan multiple subnets, you can also use the following:

for a in $(cat subnets.txt); do sniper -t "$a" -m discover -w workspace_alias; done

You also mentioned that your custom scripts use the top 20 ports to do initial scans. You could change your /root/.sniper.conf file to customize the port lists used to match more of your requirements:

# NMAP PORT CONFIGURATIONS
QUICK_PORTS="21,22,80,443,8000,8080,8443"
DEFAULT_PORTS="10000,1099,110,111,123,135,137,139,1433,1524,161,162,16992,2049,21,2121,2181,22,23,25,264,27017,27018,27019,28017,3128,3306,3310,3389,3632,389,443,4443,445,49152,49180,500,512,513,514,53,5432,5555,5800,5900,5984,623,624,6667,67,68,69,7001,79,80,8000,8001,8080,8180,8443,8888,9200,9495"
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,500,520,2049"
FULL_PORTSCAN_PORTS="T:1-65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:500,U:520,U:2049"

You would need to modify or update this depending on which type of scan you're running, but that is also a feature I'm working on now which will make that process much, much easier in the future.

Regarding taking existing Nmap scans and running Sn1per based on those, that's something I'll have to look into. Currently, the only format that can be ingested into Sn1per is raw hostnames/IPs/domains separated by newlines, but hopefully this helps a bit in the meantime.
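As an added example (not from this issue or from the Sn1per project), the snippet below shows one way to swap the port lists quoted above without hand-editing /root/.sniper.conf: it validates an Nmap-style port spec (plain ports, ranges, and the T:/U: prefixes FULL_PORTSCAN_PORTS uses) before writing it, keeps a .bak copy, and refuses a malformed list rather than leaving discover mode with an empty or bogus QUICK_PORTS. The sample config is a constructed temp copy of the lines from the comment, and the 20-port list is illustrative, not a claim about Nmap's actual top-20 table.

```shell
#!/usr/bin/env bash
# Added example, not Sn1per's own code. Works on a sniper.conf-style file
# of VAR="value" lines; the temp config and TOP20 list below are constructed.
set -euo pipefail

# Accept an Nmap-style port spec: comma-separated ports or lo-hi ranges,
# each optionally prefixed with T: or U:. Returns 0 only if every element
# is a valid port or range within 1-65535.
validate_ports() {
    local spec="$1" item lo hi items
    [ -n "$spec" ] || return 1
    IFS=',' read -r -a items <<< "$spec"
    for item in "${items[@]}"; do
        item="${item#[TU]:}"                     # strip protocol prefix
        case "$item" in
            *-*) lo="${item%-*}"; hi="${item#*-}" ;;
            *)   lo="$item";      hi="$item" ;;
        esac
        [[ "$lo" =~ ^[0-9]+$ && "$hi" =~ ^[0-9]+$ ]] || return 1
        (( lo >= 1 && hi <= 65535 && lo <= hi )) || return 1
    done
    return 0
}

# Read VAR's value (without the surrounding quotes) from the conf file.
get_port_var() {
    local conf="$1" var="$2"
    sed -n "s|^${var}=\"\(.*\)\"|\1|p" "$conf"
}

# Replace VAR="..." in the conf file, keeping a .bak copy. The value is
# validated first, so a typo cannot silently make a scan mode scan nothing.
set_port_var() {
    local conf="$1" var="$2" value="$3" tmp
    validate_ports "$value" || { echo "invalid port spec: $value" >&2; return 1; }
    grep -q "^${var}=" "$conf" || { echo "$var not found in $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"
    tmp="$(mktemp)"
    # The validated value contains only digits, commas, dashes and T:/U:,
    # so it is safe to splice into the sed replacement.
    sed "s|^${var}=.*|${var}=\"${value}\"|" "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Constructed sample: the port lines quoted in the issue, written to a temp
# file so a real /root/.sniper.conf is never touched by this demo.
SNIPER_CONF="$(mktemp)"
cat > "$SNIPER_CONF" <<'EOF'
# NMAP PORT CONFIGURATIONS
QUICK_PORTS="21,22,80,443,8000,8080,8443"
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,500,520,2049"
FULL_PORTSCAN_PORTS="T:1-65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:500,U:520,U:2049"
EOF

# Illustrative wider TCP list for discover mode; substitute your own top-20.
TOP20="21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080"
set_port_var "$SNIPER_CONF" QUICK_PORTS "$TOP20"
echo "QUICK_PORTS now: $(get_port_var "$SNIPER_CONF" QUICK_PORTS)"
```

Point it at the real file by passing /root/.sniper.conf as the first argument to set_port_var; the .bak copy is what you diff against if a later discover run behaves unexpectedly.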

clive7391 commented 4 years ago

Thanks for the quick response. So is the discover scan QUICK_PORTS or DEFAULT_PORTS?

What I am thinking is I could hit the top 20 with for a in $(cat subnets.txt); do sniper -t $a -m discover -w workspace_alias; done;

Then follow up with all other ports with for a in $(cat /usr/share/sniper/loot/workspace/$1/ips/all-discovered.txt); do sniper -t $a -w $1 -fp; done;

Would the full-port-only scan be using FULL_PORTSCAN_PORTS from the config?

Would there be redundancy and overlap doing that? Would I get all the tool intel?

Or would I need to follow up with..

for a in $(cat targets.txt); do sniper -t $a -w $1 -m web; done;

I do use the commandline quite a bit :)

Just trying to get all ports and all intel gathering in one simple way but able to start examining the top20 first.

1N3 commented 4 years ago

Discover mode uses the "QUICK_PORTS" setting for TCP ports and "DEFAULT_UDP_PORTS" for UDP port discovery. This will save all live hosts to /usr/share/sniper/loot/workspace/$1/ips/ips-all-sorted.txt

This file can then be referenced by other multi-host scan modes such as nuke, massweb, masswebscan, massportscan, etc. but to accomplish exactly what you want, you would probably be better running the below command:

sniper -f /usr/share/sniper/loot/workspace/$1/ips/ips-all-sorted.txt -p 1-65535 -m nuke -w workspace_alias

I would then follow this up by scanning all live webhosts with 'massweb' mode.

sniper -f /usr/share/sniper/loot/workspace/$1/web/webhosts-sorted.txt -m massweb -w workspace

To answer your question, fullportonly and massportscan modes use the "FULL_PORTSCAN_PORTS" setting for TCP ports and the "DEFAULT_UDP_PORTS" setting for UDP ports.

With time, I plan to make this process more seamless so that multiple scan modes won't necessarily be required to do everything, but that will take a little time.

GraylockInc commented 4 years ago

Being able to select scan profiles from pro console would be awesome.

1N3 commented 3 years ago

Closing out for now. With the new Command Execution Add-on v2.0, you can now customize each scan on demand which should definitely help with this.