OWASP / Nettacker

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
https://owasp.org/www-project-nettacker/
Apache License 2.0

complete the subdomain_scan #30

Closed Ali-Razmjoo closed 3 years ago

Ali-Razmjoo commented 6 years ago

Hello,

there is an incomplete task in the subdomain_scan module which needs to be done. I would be glad if anyone could help add these two resources to this module.

        # Must add later!
        # https://censys.io/certificates?q=domain
        # https://transparencyreport.google.com/https/certificates

Regards.

ravindra1307 commented 6 years ago

Sir, I am trying to add new resources, but during testing I realized that the subdomain scan module is not working properly. Please test it or guide me if I am doing something wrong.

python nettacker.py -i facebook.com -m subdomain_scan
python nettacker.py -i google.com -m subdomain_scan

These are the commands I am using.

Ali-Razmjoo commented 6 years ago

Hello,

it's working fine for me! What's the error?

python nettacker.py -i z3r0d4y.com -m subdomain_scan -o z.json

   ______          __      _____ _____
  / __ \ \        / /\    / ____|  __ \
 | |  | \ \  /\  / /  \  | (___ | |__) |
 | |  | |\ \/  \/ / /\ \  \___ \|  ___/
 | |__| | \  /\  / ____ \ ____) | |     Version 0.0.1
  \____/   \/  \/_/    \_\_____/|_|     SAME
                          _   _      _   _             _
                         | \ | |    | | | |           | |
  github.com/viraintel   |  \| | ___| |_| |_ __ _  ___| | _____ _ __
  owasp.org              | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
  viraintel.com          | |\  |  __/ |_| || (_| | (__|   <  __/ |
                         |_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|

[!] to use graph feature your output filename must end with ".html" or ".htm"!
[+] Nettacker engine started ...

[!] you are not using the last version of OWASP Nettacker, please update.
[+] 13 modules loaded ...
[+] target z3r0d4y.com submitted!
[+] start attacking z3r0d4y.com, 1 of 1
[+] 10 subdomain(s) found!
[+] removing temp files!
[+] sorting results!
[+] updating the database...
[+] inserting report to the database
[+] removing old logs from db

[+] done!

results:

[{"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "api.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "ns2.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "ns1.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "firebase.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "zsc.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "dc-d5acf548fdda.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "tg1.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "firebase2.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "www.z3r0d4y.com", "TIME": "2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "36cdda1ad6d4ce54320ff96c38cecb15", "DESCRIPTION": "nettacker.z3r0d4y.com", "TIME": 
"2018-02-07 00:33:29", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "z3r0d4y.com", "PORT": ""}]
>python nettacker.py -i google.com -m subdomain_scan -o f.json

[!] to use graph feature your output filename must end with ".html" or ".htm"!
[+] Nettacker engine started ...

[!] you are not using the last version of OWASP Nettacker, please update.
[+] 13 modules loaded ...
[+] target google.com submitted!
[+] start attacking google.com, 1 of 1
[+] waiting for google.com->subdomain_scan
[+] waiting for google.com->subdomain_scan
[+] 2855 subdomain(s) found!
[+] waiting for google.com->subdomain_scan
[+] removing temp files!
[+] sorting results!
[+] updating the database...
[+] inserting report to the database
[+] removing old logs from db

[+] done!

results:

[{"USERNAME": "", "SCAN_ID": "2b30238f87752cb4863c5bf603e0ed29", "DESCRIPTION": "ascp-dev4-app.corp.google.com", "TIME": "2018-02-07 00:35:03", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "google.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "2b30238f87752cb4863c5bf603e0ed29", "DESCRIPTION": "cbf-dc-3.ad.corp.google.com", "TIME": "2018-02-07 00:35:03", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "google.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "2b30238f87752cb4863c5bf603e0ed29", "DESCRIPTION": "vmgol0340.vm.corp.google.com", "TIME": "2018-02-07 00:35:03", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "google.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "2b30238f87752cb4863c5bf603e0ed29", "DESCRIPTION": "png2-dev3-app.corp.google.com", "TIME": "2018-02-07 00:35:03", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "google.com", "PORT": ""} ... {to long}]
python nettacker.py -i facebook.com -m subdomain_scan -o f2.json

[!] to use graph feature your output filename must end with ".html" or ".htm"!
[+] Nettacker engine started ...

[!] you are not using the last version of OWASP Nettacker, please update.
[+] 13 modules loaded ...
[+] target facebook.com submitted!
[+] start attacking facebook.com, 1 of 1
[+] 966 subdomain(s) found!
[+] removing temp files!
[+] sorting results!
[+] updating the database...
[+] inserting report to the database
[+] removing old logs from db

[+] done!

results:

[{"USERNAME": "", "SCAN_ID": "03f600466680a4129707e89c4f3afd56", "DESCRIPTION": "edge-z-p1-shv-01-vie1.facebook.com", "TIME": "2018-02-07 00:36:37", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "facebook.com", "PORT": ""}, {"USERNAME": "", "SCAN_ID": "03f600466680a4129707e89c4f3afd56", "DESCRIPTION": "edgelivestream-api-upload-shv-01-vie1.facebook.com", "TIME": "2018-02-07 00:36:37", "PASSWORD": "", "TYPE": "subdomain_scan", "HOST": "facebook.com", "PORT": ""} ... {to long}]

Just keep in mind that by default results will be saved in ~/.owasp-nettacker/results/result_date_time_randomchar.html

and if you want to print results on your screen you need to use the --verbose 5 switch.

python nettacker.py -i z3r0d4y.com -m subdomain_scan -o z.json --verbose 5

[!] to use graph feature your output filename must end with ".html" or ".htm"!
[+] Nettacker engine started ...

[!] you are not using the last version of OWASP Nettacker, please update.
[+] 13 modules loaded ...
[+] target z3r0d4y.com submitted!
[+] start attacking z3r0d4y.com, 1 of 1
[+] trying 1 of 8 in process 1 of 1 on z3r0d4y.com ((subdomain_scan - netcraft))
[+] trying 2 of 8 in process 1 of 1 on z3r0d4y.com (subdomain_scan - ptrarchive)
[+] trying 3 of 8 in process 1 of 1 on z3r0d4y.com (subdomain_scan - threatcrowd)
[+] trying 4 of 8 in process 1 of 1 on z3r0d4y.com (subdomain_scan - virustotal)
[+] trying 5 of 8 in process 1 of 1 on z3r0d4y.com (subdomain_scan - comodo crt)
[+] trying 6 of 8 in process 1 of 1 on z3r0d4y.com (subdomain_scan - dnsdumpster)
[+] trying 7 of 8 in process 1 of 1 on z3r0d4y.com ((subdomain_scan - google dig))
[+] trying 8 of 8 in process 1 of 1 on z3r0d4y.com ((subdomain_scan - cert spotter))
[+] 10 subdomain(s) found!
[+] subdomain found: api.z3r0d4y.com
[+] subdomain found: ns2.z3r0d4y.com
[+] subdomain found: ns1.z3r0d4y.com
[+] subdomain found: firebase.z3r0d4y.com
[+] subdomain found: zsc.z3r0d4y.com
[+] subdomain found: dc-d5acf548fdda.z3r0d4y.com
[+] subdomain found: tg1.z3r0d4y.com
[+] subdomain found: firebase2.z3r0d4y.com
[+] subdomain found: www.z3r0d4y.com
[+] subdomain found: nettacker.z3r0d4y.com
[+] removing temp files!
[+] sorting results!
[+] updating the database...
[+] inserting report to the database
[+] removing old logs from db

[+] done!

Regards.

shaddygarg commented 6 years ago

Hello, I would like to work on this issue if no one is currently working on it.

Ali-Razmjoo commented 6 years ago

Hello @shaddygarg,

Thank you for becoming a volunteer; let @ravindra1307 update us on whether he is working on this.

Best Regards.

ravindra1307 commented 6 years ago

Working on this, will update you in a day or two.

hardlyhuman commented 6 years ago

Hi, may I know if anyone is working on this? I would like to work on it if no one is.

Ali-Razmjoo commented 6 years ago

Hello @ravindra1307,

Would you please update us regarding this feature? let me know if you need any help.

Best Regards.

pradeepjairamani commented 6 years ago

Can I add another module for subdomain scanning by abusing certificate transparency logs (only available for HTTPS websites)? More info: http://www.certificate-transparency.org

Ali-Razmjoo commented 6 years ago

hey @pradeepjairamani,

Please, if you want to add this, add it as a function in the same module; I used the module in the core framework for the -s/--sub-domain switch.

Regards.

pradeepjairamani commented 6 years ago

Or I can add a new scan method ctfr_subdomain_scan

Ali-Razmjoo commented 6 years ago

Hello,

In that case, we need to add another mode to the core, but if you'd add it to the existing module, that would be better. This module already has a few resources; it could be a good improvement.

def extra_requirements_dict():
    return {
        "subdomain_scan_use_netcraft": ["True"],
        "subdomain_scan_use_dnsdumpster": ["True"],
        "subdomain_scan_use_virustotal": ["True"],
        "subdomain_scan_use_threatcrowd": ["True"],
        "subdomain_scan_use_comodo_crt": ["True"],
        "subdomain_scan_use_ptrarchive": ["True"],
        "subdomain_scan_use_google_dig": ["True"],
        "subdomain_scan_use_cert_spotter": ["True"],
        "subdomain_scan_time_limit_seconds": ["-1"]

        # Must add later!
        # https://censys.io/certificates?q=domain
        # https://transparencyreport.google.com/https/certificates

    }

Regards.
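As an added example (not Nettacker's own code), here is how a certificate-transparency source like the crt.sh one discussed in this thread could be parsed and then gated by a subdomain_scan_use_* flag in the style of the dict quoted above; the crt.sh response is a constructed sample and the subdomain_scan_use_crt_sh flag and netcraft stub are assumed for illustration.

```python
import json

# Constructed sample of a crt.sh JSON response (the "comodo crt" source in the
# thread). The real endpoint returns objects whose "name_value" may hold several
# names separated by newlines, wildcard names, mixed case and duplicates.
SAMPLE_CRT_SH = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.api.example.com"},
    {"name_value": "mail.example.com"},
    {"name_value": "www.example.com"},         # duplicate certificate
    {"name_value": "example.com.evil.test"},   # outside the zone, must be dropped
    {"name_value": "WWW.Example.COM"},         # case differs, same host
])


def subdomains_from_crt_sh(raw_json, domain):
    """Parse a crt.sh response into a sorted, de-duplicated list of hostnames
    strictly below `domain` (wildcards stripped, case folded, apex excluded)."""
    found = set()
    suffix = "." + domain.lower()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name.endswith(suffix):
                found.add(name)
    return sorted(found)


def extra_requirements_dict():
    # Mirrors the module's option convention from the thread; the
    # "subdomain_scan_use_crt_sh" key is a hypothetical flag for this example.
    return {"subdomain_scan_use_crt_sh": ["True"],
            "subdomain_scan_use_netcraft": ["False"]}


def enabled_sources(options, sources):
    """Keep only collectors whose subdomain_scan_use_<name> option is 'True'."""
    return [fn for name, fn in sources.items()
            if options.get("subdomain_scan_use_" + name, ["False"])[0] == "True"]


def run_subdomain_scan(domain, options):
    # Collector table: source name -> callable(domain) -> list of hostnames.
    # The netcraft entry is a constructed stub so the flag logic can be exercised.
    sources = {"crt_sh": lambda d: subdomains_from_crt_sh(SAMPLE_CRT_SH, d),
               "netcraft": lambda d: ["stub." + d]}
    results = set()
    for collector in enabled_sources(options, sources):
        results.update(collector(domain))
    return sorted(results)
```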

pradeepjairamani commented 6 years ago

Crt.sh method is already implemented in comodo crt. Anything else I can help with?

Best Regards, Pradeep Jairamani

Ali-Razmjoo commented 6 years ago

Hey,

Is crt.sh the same? Then you can go with https://transparencyreport.google.com/https/certificates

regards.

shaddygarg commented 6 years ago

Hey @Ali-Razmjoo,

Can I take up this issue? It has been too long since an update on this issue.

Regards.

pradeepjairamani commented 6 years ago

I am not currently working on this issue, so you can take it from my side.

Best Regards

aman566 commented 3 years ago

Are we good to close this issue @Ali-Razmjoo? I guess PRs #377 and #324 fixed this one.

Ali-Razmjoo commented 3 years ago

I didn't add https://transparencyreport.google.com/https/certificates, but we can add it later.

aman566 commented 3 years ago

Yes I will work and add it ASAP.

Ali-Razmjoo commented 3 years ago

@aman566 thanks :)