1N3 / Sn1per

Attack Surface Management Platform
https://sn1persecurity.com

feature suggestions: implement server-client infrastructure #34

Closed royharoush closed 6 years ago

royharoush commented 8 years ago

Hi, great tool, been using it for a while. I know it's a lot to ask, but I'm willing to challenge you =) I think it would be really nice if you could have Sn1per support a client-server feature, in which you will install a server that manages the tasks, and clients that retrieve tasks and execute them (much like dnmap).
Currently I have managed to implement dnmap using one server and over 100 clients, which allows me much faster scan time and better stealth. I think the 2nd phase (i.e., using sn1per) would also benefit from that. Roy

1N3 commented 8 years ago

hey, thanks for the feedback and suggestions... I like the idea of the client/server model, but this will obviously take some time to develop. I'll leave this open in the meantime and see what can be done here in the future. :)

menzow commented 7 years ago

This would indeed be a huge upgrade to the current service provided by sn1per; here you're talking about expanding sn1per to a complete pentesting software package that includes a full UI, probably web-based.

In an abstract view you're looking at a way to execute programs remotely and store the output for later review. This is a task commonly executed by continuous integration tools like Jenkins. It's common to have a cluster of build and testing servers (workers) that run a set of tasks (programs) and store the output for review in the CI web-panel.

So what you could do is set up a copy of Jenkins or any other continuous integration tool / task runner (CI master). After that, set up a worker that has sniper installed and connect it to your CI master. In your CI master create a task that runs sniper and configure it to run on your worker(s). Tasks support parameters, so you'd be able to specify the domain for sniper to target when you run the task.

Whenever you want to run sniper on your worker, you run the task with the domain it should target. Your CI tool will run it when the worker is available, so you can even queue multiple tasks/scans.

On top of that, most CI tools support webhooks, so you'd even be able to create simple bash scripts you can run locally to create tasks.

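Example (sniper-scan):

```bash
#!/usr/bin/env bash
# sniper-scan: ask the CI webhook to queue a scan for the domain given as $1.
# curl -F builds the multipart Content-Type (with its own boundary) itself,
# so no hand-written boundary header is sent.
curl -X POST \
  -H "Cache-Control: no-cache" \
  -F "key=some-key" \
  -F "domain=${1}" \
  "http://127.0.0.1/scan"
```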

Run: ./sniper-scan target.com
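The receiving side of the webhook described above, as an added example that is not part of the thread or of the Sn1per project: it checks the `key` and `domain` form fields before anything is queued, so a request with a wrong key, a malformed value or an out-of-scope target never reaches a worker. The key, the scope list, the function names and the `sniper -t` invocation are assumptions made for illustration.

```python
import hmac
import re
from collections import deque

# Constructed values for this example; load real ones from configuration.
API_KEY = "some-key"
AUTHORIZED_SCOPE = {"target.com", "staging.target.com"}

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{_LABEL}(\.{_LABEL})+")

scan_queue = deque()  # jobs waiting for a free worker


class RejectedRequest(Exception):
    """Raised when a webhook request must not be queued."""


def enqueue_scan(form):
    """Validate the 'key' and 'domain' form fields, then queue the job."""
    key = form.get("key", "")
    # Constant-time comparison avoids leaking the key through timing.
    if not hmac.compare_digest(key.encode(), API_KEY.encode()):
        raise RejectedRequest("bad key")
    domain = form.get("domain", "").strip().lower()
    # Strict syntax check: rejects spaces, leading dashes (option
    # injection) and shell metacharacters before the value goes anywhere.
    if len(domain) > 253 or not HOSTNAME_RE.fullmatch(domain):
        raise RejectedRequest("malformed domain")
    # Only targets covered by the engagement's authorization are queued.
    if domain not in AUTHORIZED_SCOPE:
        raise RejectedRequest("domain not in authorized scope")
    scan_queue.append(domain)
    return domain


def worker_argv(domain):
    """Build the worker command as an argument list, never a shell string.
    The 'sniper -t' invocation is an assumption; adjust to your install."""
    return ["sniper", "-t", domain]
```

A worker would pass `worker_argv(...)` to `subprocess.run` without `shell=True`, so the validated domain is only ever a single argument.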

royharoush commented 7 years ago

I'll definitely look into Jenkins to automate tasks; wasn't aware of the master-slave architecture, only of the command execution... You can look on my profile for the distributedscanning project; it uses nested loops to execute parameterized tasks on remote hosts, amongst other things.


menzow commented 7 years ago

@royharoush Jenkins is quite bloated for the specific action you want to achieve, but it's definitely easy to use for what you want to achieve. See https://wiki.jenkins-ci.org/display/JENKINS/Distributed+builds for more info on master/slave setups.

Another option is Bistro. It's a distributed task runner developed by Facebook. I don't have any experience with it myself, but from the docs it looks quite promising.

The concept is simple: you have a scheduler process and worker processes which communicate over TCP. The scheduler process can be controlled through a REST API for reading data and starting tasks. Tasks will be queued and distributed over the available workers.

This seems like a more lightweight and better-suited solution for your goal. 👍

Read more: https://facebook.github.io/bistro/ & https://facebook.github.io/bistro/docs/getting-started/

1N3 commented 6 years ago

As much as I would like to implement a more robust model for sniper, I think at this time, development will take too long and add too much complexity to an already simplified process. As sniper grows and matures, this may be something we pursue more, but for the time being, I'm gonna close this out.